MALICIOUS
330
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document containing VBA macros and an embedded PE executable. It exploits CVE-2008-2244, a known vulnerability in Microsoft Word, to execute the embedded payload. The Auto_Close macro and references to LoadLibrary and GetProcAddress APIs indicate the VBA code is designed to load and run the embedded executable, likely to download further malicious content.
Heuristics 9
-
CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
-
ClamAV: Doc.Dropper.Agent-6390464-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6390464-0
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 331,776 bytes but its declared streams total only 149,297 bytes — 182,479 bytes (55%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
End Sub Sub Auto_Close() Main -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ocsp.verisign.com0 In document text (OLE body)
- https://www.verisign.com/rpaIn document text (OLE body)
- https://www.verisign.com/rpa03In document text (OLE body)
- http://crl.verisign.com/pca3.1.1.crl0In document text (OLE body)
- http://ocsp.verisign.com/ocsp/status0In document text (OLE body)
- https://www.verisign.com/rpa0In document text (OLE body)
- http://crl.verisign.com/Class3CodeSigning2001.crl0DIn document text (OLE body)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 41645 bytes |
SHA-256: 6695ee4f65ded92dd61c8110078211b8d701bf7b48dc1b9940e834a4ad97544e |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "AutoExec"
'/*************************************************************************
'*
'* ADOBE CONFIDENTIAL
'* ___________________
'*
'* Copyright 2002 - 2003 Adobe Systems Incorporated
'* All Rights Reserved.
'*
'* NOTICE: All information contained herein is, and remains
'* the property of Adobe Systems Incorporated and its suppliers,
'* if any. The intellectual and technical concepts contained
'* herein are proprietary to Adobe Systems Incorporated and its
'* suppliers and may be covered by U.S. and Foreign Patents,
'* patents in process, and are protected by trade secret or copyright law.
'* Dissemination of this information or reproduction of this material
'* is strictly forbidden unless prior written permission is obtained
'* from Adobe Systems Incorporated.
'**************************************************************************/
Option Explicit
Private Declare Function OpenClipboard Lib "user32" (ByVal hWnd As Long) As Long
Private Declare Function CloseClipboard Lib "user32" () As Long
Private Declare Function GetClipboardData Lib "user32" (ByVal wFormat As Long) As Long
Private Declare Function SetClipboardData Lib "user32" (ByVal wFormat As Long, ByVal hMem As Long) As Long
Private Declare Function EnumClipboardFormats Lib "user32" (ByVal wFormat As Long) As Long
Private Declare Function IsClipboardFormatAvailable Lib "user32" (ByVal wFormat As Long) As Long
Private Declare Function EmptyClipboard Lib "user32" () As Long
Private Declare Function GlobalSize Lib "kernel32" (ByVal hMem As Long) As Long
Private Declare Function GlobalLock Lib "kernel32" (ByVal hMem As Long) As Long
Private Declare Function GlobalUnlock Lib "kernel32" (ByVal hMem As Long) As Long
Private Declare Function GlobalAlloc Lib "kernel32" (ByVal flags As Long, ByVal size As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (hpvDest As Any, hpvSource As Any, ByVal cbCopy As Long)
Private Declare Function SetCurrentDirectory Lib "kernel32" Alias "SetCurrentDirectoryA" (ByVal lpDir As String) As Boolean
Public Declare Sub SetAppName Lib "AdobePDFMakerX.dll" (ByVal appName As String)
Type DataArray
bData() As Byte
fID As Long
End Type
Dim nFormats As Long
Dim ClipboardData() As DataArray
Private bLoadedRealMacro As Boolean
Public bPDFMakerInitialized As Boolean
Private bMacroIsLoaded As Boolean
Public pApplicationInfo As AdobePDFMakerX.ApplicationInfo
Public pPDFMaker As AdobePDFMakerX.Word
Public pOptions As AdobePDFMakerX.Options
Public pDistiller As AdobePDFMakerX.Distiller
Public pStrings As AdobePDFMakerX.PDFMakerStrings
Public pPDFWriter As AdobePDFMakerX.Printer
Public pHeadings As AdobePDFMakerX.WordHeadings
Public pReviewers As AdobePDFMakerX.WordReviewers
Dim cModule As New EventModule
Global Const REG_SZ As Long = 1
Global Const REG_BINARY As Long = 3
Global Const REG_DWORD As Long = 4
Global Const HKEY_CURRENT_USER = &H80000001
Global Const HKEY_LOCAL_MACHINE = &H80000002
Global Const ERROR_NONE = 0
Global Const KEY_QUERY_VALUE = &H1
Global Const KEY_ALL_ACCESS = &H3F
Global Const REG_OPTION_NON_VOLATILE = 0
Declare Function RegCloseKey Lib "advapi32.dll" _
(ByVal hKey As Long) As Long
Declare Function RegCreateKeyEx Lib "advapi32.dll" Alias _
"RegCreateKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, _
ByVal Reserved As Long, ByVal lpClass As String, ByVal dwOptions _
As Long, ByVal samDesired As Long, ByVal lpSecurityAttributes _
As Long, phkResult As Long, lpdwDisposition As Long) As Long
Declare Function RegOpenKeyEx Lib "advapi32.dll" Alias _
"RegOpenKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, _
ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As _
Long) As Long
Declare Function RegQueryValueExLong Lib "advapi32.dll" Alias _
"RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As _
String, ByVal lpReserved As Long, lpType As Long, lpData As _
Long, lpcbData As Long) As Long
Declare Function RegQueryValueExNULL Lib "advapi32.dll" Alias _
"RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As _
String, ByVal lpReserved As Long, lpType As Long, ByVal lpData _
As Long, lpcbData As Long) As Long
Declare Function RegSetValueExString Lib "advapi32.dll" Alias _
"RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, _
ByVal Reserved As Long, ByVal dwType As Long, ByVal lpValue As _
String, ByVal cbData As Long) As Long
Declare Function RegSetValueExLong Lib "advapi32.dll" Alias _
"RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, _
ByVal Reserved As Long, ByVal dwType As Long, lpValue As Long, _
ByVal cbData As Long) As Long
Public Sub SaveAndEmptyClipboard()
Dim format As Long
Dim hMem As Long
Dim mSize As Long
Dim mPtr As Long
nFormats = 0
OpenClipboard (0)
format = EnumClipboardFormats(0)
If (format <> 0) Then
Do
If IsClipboardFormatAvailable(format) Then
hMem = GetClipboardData(format)
mSize = GlobalSize(hMem)
mPtr = GlobalLock(hMem)
If mSize > 0 Then
nFormats = nFormats + 1
ReDim Preserve ClipboardData(0 To nFormats)
ReDim ClipboardData(nFormats - 1).bData(0 To mSize - 1)
CopyMemory ClipboardData(nFormats - 1).bData(0), ByVal mPtr, mSize
ClipboardData(nFormats - 1).fID = format
End If
GlobalUnlock hMem
End If
format = EnumClipboardFormats(format)
Loop While (format <> 0)
End If
EmptyClipboard
CloseClipboard
End Sub
Public Sub RestoreClipboard()
Dim format As Long
Dim hMem As Long
Dim mSize As Long
Dim mPtr As Long
Dim i As Long
If nFormats <= 0 Then
OpenClipboard (0)
EmptyClipboard
CloseClipboard
Exit Sub
End If
OpenClipboard (0)
For i = 0 To nFormats - 1
mSize = UBound(ClipboardData(i).bData) - LBound(ClipboardData(i).bData) + 1
hMem = GlobalAlloc(0, mSize)
If hMem <> 0 Then
mPtr = GlobalLock(hMem)
CopyMemory ByVal mPtr, ClipboardData(i).bData(0), mSize
GlobalUnlock hMem
SetClipboardData ClipboardData(i).fID, hMem
End If
Next i
CloseClipboard
End Sub
Function InitializePDFMakerDLL()
Dim retVal As Long
Dim lang As Integer
Dim tempPath As String
Dim dllPath As String
Dim appName
InitializePDFMakerDLL = False
On Error GoTo InitializePDFMakerDLLError
'dllPath = GetDistillerFolder()
'dllPath = Left$(dllPath, Len(dllPath) - 9) + "PDFMaker\Common"
'tempPath = ChangeToDir(dllPath)
appName = "w" + Application.Version
'SetAppName appName
'ChangeToDir (tempPath)
Set pApplicationInfo = New AdobePDFMakerX.ApplicationInfo
pApplicationInfo.SetAppName appName
Set pPDFMaker = New AdobePDFMakerX.Word
'pPDFMaker.WordVersion "w", Application.Version
Set pOptions = pPDFMaker.Options
Set pDistiller = pPDFMaker.Distiller
Set pStrings = pPDFMaker.Strings
Set pPDFWriter = pPDFMaker.Printer
Set pHeadings = pOptions.Headings
Set pReviewers = pOptions.reviewers
InitializePDFMakerDLL = True
pPDFMaker.DeletePDFMaker10Stuff
InitializePDFMakerDLLError:
End Function
Sub ShutdownPDFMakerDLL()
On Error Resume Next
Set pHeadings = Nothing
Set pReviewers = Nothing
Set pOptions = Nothing
Set pDistiller = Nothing
Set pStrings = Nothing
Set pPDFWriter = Nothing
Set pPDFMaker = Nothing
bPDFMakerInitialized = False
End Sub
Private Function GetDistillerFolder() As String
Dim sDistillerPath As String
On Error Resume Next
sDistillerPath = Trim(System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\AcroDist.exe", "Path"))
GetDistillerFolder = sDistillerPath
End Function
Public Function EnsureRealMacroIsLoaded() As Boolean
Dim anAddIn As AddIn
Dim sDistillerPath As String
Dim sMacroPath As String
Dim bPDFMakerInitialized As Boolean
Dim product As Integer
On Error GoTo EnsureRealMacroIsLoaded_Error
If (bLoadedRealMacro) Then
EnsureRealMacroIsLoaded = True
Exit Function
End If
EnsureRealMacroIsLoaded = False
On Error GoTo error_condition1
For Each anAddIn In Application.AddIns
If anAddIn.Name = "PDFMakerA.dot" Then
If (Not anAddIn.Installed) Then
anAddIn.Delete
Else
EnsureRealMacroIsLoaded = True
End If
Exit For
End If
Next
error_condition1:
If (Not EnsureRealMacroIsLoaded) Then
sDistillerPath = GetDistillerFolder()
If (Len(sDistillerPath) > 0) Then
sMacroPath = sDistillerPath & "..\PDFMaker\Office\PDFMakerA.dot"
System.Cursor = wdCursorWait
Application.AddIns.Add sMacroPath, True
EnsureRealMacroIsLoaded = True
System.Cursor = wdCursorNormal
Else
bPDFMakerInitialized = InitializePDFMakerDLL
If (bPDFMakerInitialized) Then
product = pOptions.GetProductName()
If (product = 1) Then
MsgBox pStrings.Get(pdfMakerGelatoErrorNoDistillerPrinter), vbExclamation Or vbOKOnly, pStrings.Get(pdfMakerAdobePDFTitle)
Else
MsgBox pStrings.Get(pdfMakerErrorNoDistillerPrinter), vbExclamation Or vbOKOnly, pStrings.Get(pdfMakerAdobePDFTitle)
End If
End If
End If
End If
EnsureRealMacroIsLoaded_Error:
System.Cursor = wdCursorNormal
End Function
Private Sub AddOurMenuItem()
Dim pdfMaker4MenuItem As CommandBarControl
Dim pdfMaker5MenuPopup As CommandBarControl
Dim pdfMaker5MenuItem As CommandBarControl
Dim found As Boolean
Dim foundOld As Boolean
Dim foundNew As Boolean
Dim fileMenu As CommandBar
Dim acrobatMenu As CommandBarControl
Dim t As Template
Dim bMustSave As Boolean
Dim visible As Long
Dim hKey As Long
Dim cch As Long
Dim savedTemplate As Template
Dim product As Integer
Dim count As Integer
On Error Resume Next
'make all deletions of menus in the current context which will be normal.dot
'Set pdfMaker5MenuPopup = CommandBars.FindControl(Tag:="CreateAdobePDF5a")
'If (Not pdfMaker5MenuPopup Is Nothing) Then
' pdfMaker5MenuPopup.Delete
'End If
'get the template for PDFMaker.dot and store it
For Each t In Application.Templates
If UCase(t.Name) = "PDFMAKER.DOT" Then
found = True
Exit For
End If
Next t
'save old customizationcontext and set PDFMaker.dot as new customization context
'make all new menu items in PDFMaker.dot so that when Acrobat is unstalled, the toolbars go away
If (found) Then
Set savedTemplate = CustomizationContext
CustomizationContext = t
End If
foundOld = False
Set fileMenu = CommandBars("File")
Set pdfMaker4MenuItem = fileMenu.FindControl(Tag:="CreateAdobePDF4a")
If (Not pdfMaker4MenuItem Is Nothing) Then
foundOld = True
pdfMaker4MenuItem.Delete (False)
bMustSave = True
End If
Set pdfMaker4MenuItem = fileMenu.FindControl(Tag:="CreateAdobePDF4b")
If (Not pdfMaker4MenuItem Is Nothing) Then
foundOld = True
pdfMaker4MenuItem.Delete (False)
bMustSave = True
End If
'foundNew = False
Set pdfMaker5MenuPopup = CommandBars.FindControl(Tag:="CreateAdobePDF5a")
If (Not pdfMaker5MenuPopup Is Nothing) Then
'foundNew = True
If (pdfMaker5MenuPopup.OLEUsage <> msoControlOLEUsageNeither) Or (pdfMaker5MenuPopup.OLEMenuGroup <> msoOLEMenuGroupNone) Then
pdfMaker5MenuPopup.OLEUsage = msoControlOLEUsageNeither
pdfMaker5MenuPopup.OLEMenuGroup = msoOLEMenuGroupNone
bMustSave = True
End If
count = pdfMaker5MenuPopup.Controls.count
While (count)
pdfMaker5MenuPopup.Controls(count).Delete
count = count - 1
Wend
pdfMaker5MenuPopup.Delete
End If
'If (Not foundNew) Then
If (Not bPDFMakerInitialized) Then
bPDFMakerInitialized = InitializePDFMakerDLL
End If
If (bPDFMakerInitialized) Then
Set pdfMaker5MenuPopup = CommandBars.ActiveMenuBar.Controls.Add(Type:=msoControlPopup, temporary:=True)
product = pOptions.GetProductName()
pdfMaker5MenuPopup.Caption = pStrings.Get(pdfMakerMenuText)
pdfMaker5MenuPopup.Tag = "CreateAdobePDF5a"
Set acrobatMenu = CommandBars.FindControl(Tag:="CreateAdobePDF5a")
Set pdfMaker5MenuItem = acrobatMenu.Controls.Add(Type:=msoControlButton, temporary:=True)
pdfMaker5MenuItem.Style = msoButtonIconAndCaption
pdfMaker5MenuItem.Caption = pStrings.Get(pdfMenuConvertToPDF)
pdfMaker5MenuItem.Icon = msoIconAlert
pdfMaker5MenuItem.OnAction = "ConvertToPDF"
pdfMaker5MenuItem.Enabled = True
If (pPDFMaker.CopyIconByID(0)) Then
pdfMaker5MenuItem.PasteFace
End If
Set pdfMaker5MenuItem = acrobatMenu.Controls.Add(Type:=msoControlButton, temporary:=True)
pdfMaker5MenuItem.Style = msoButtonIconAndCaption
pdfMaker5MenuItem.Caption = pStrings.Get(pdfMenuConvertAndEmail)
pdfMaker5MenuItem.Icon = msoIconAlert
pdfMaker5MenuItem.OnAction = "ConvertToPDFandEmail"
pdfMaker5MenuItem.Enabled = True
If (pPDFMaker.CopyIconByID(2)) Then
pdfMaker5MenuItem.PasteFace
End If
If (product = 0) Then
Set pdfMaker5MenuItem = acrobatMenu.Controls.Add(Type:=msoControlButton, temporary:=True)
pdfMaker5MenuItem.Style = msoButtonIconAndCaption
pdfMaker5MenuItem.Caption = pStrings.Get(pdfMenuConvertAndReview)
pdfMaker5MenuItem.Icon = msoIconAlert
pdfMaker5MenuItem.OnAction = "ConvertToPDFAndSendForReview"
pdfMaker5MenuItem.visible = True
pdfMaker5MenuItem.Enabled = True
If (pPDFMaker.CopyIconByID(3)) Then
pdfMaker5MenuItem.PasteFace
End If
End If
Set pdfMaker5MenuItem = acrobatMenu.Controls.Add(Type:=msoControlButton, temporary:=True)
pdfMaker5MenuItem.Style = msoButtonIconAndCaption
pdfMaker5MenuItem.Caption = pStrings.Get(pdfMenuChangeSettings)
pdfMaker5MenuItem.Icon = msoIconAlert
pdfMaker5MenuItem.OnAction = "DoPrefsForm"
pdfMaker5MenuItem.BeginGroup = True
acrobatMenu.visible = True
acrobatMenu.OLEUsage = msoControlOLEUsageNeither
acrobatMenu.OLEMenuGroup = msoOLEMenuGroupNone
bMustSave = True
End If
'End If
'If bMustSave Then
t.Saved = True
'End If
CustomizationContext = savedTemplate
End Sub
Public Sub AddOurToolbar()
Dim t As Template
Dim found As Boolean
Dim ourToolbar As CommandBar
Dim aToolbar As CommandBar
Dim alreadyThere As Boolean
Dim setOptions As CommandBarButton
Dim printWithLinks As CommandBarButton
Dim convertAndEmail As CommandBarButton
Dim convertAndReview As CommandBarButton
Dim bMustSave As Boolean
Dim foundNew As Boolean
Dim hKey As Long
Dim cch As Long
Dim leftVal As Long
Dim rowIndex As Long
Dim visible As Long
Dim savedTemplate As Template
Dim product As Integer
Set savedTemplate = CustomizationContext
found = False
If (Not bPDFMakerInitialized) Then
bPDFMakerInitialized = InitializePDFMakerDLL
End If
On Error Resume Next
For Each t In Application.Templates
If UCase(t.Name) = "PDFMAKER.DOT" Then
found = True
Exit For
End If
Next t
CustomizationContext = t
' See if PDFMaker 1.0's toolbar is there. If so, hide it
alreadyThere = False
For Each aToolbar In CommandBars
If aToolbar.Name = "PDFMaker" Then
alreadyThere = True
Exit For
End If
Next aToolbar
If alreadyThere Then
aToolbar.Delete
bMustSave = True
End If
foundNew = False
For Each aToolbar In CommandBars
If aToolbar.Name = pStrings.Get(pdfMakerToolbarName) Then
foundNew = True
Exit For
End If
Next aToolbar
If (Not foundNew) Then
Set ourToolbar = CommandBars.Add(Name:=pStrings.Get(pdfMakerToolbarName), Position:=msoBarTop, temporary:=True)
ourToolbar.visible = False
Set printWithLinks = ourToolbar.Controls.Add(Type:=msoControlButton, temporary:=True)
printWithLinks.OnAction = "ConvertToPDF"
printWithLinks.Style = msoButtonIcon
'printWithLinks.Enabled = True
printWithLinks.TooltipText = pStrings.Get(pdfConvertToPDFToolTip)
If (pPDFMaker.CopyIconByID(0)) Then
printWithLinks.PasteFace
End If
'Also add button for convert and email
Set convertAndEmail = ourToolbar.Controls.Add(Type:=msoControlButton, temporary:=True)
convertAndEmail.OnAction = "ConvertToPDFandEmail"
convertAndEmail.Style = msoButtonIcon
'convertAndEmail.Enabled = True
convertAndEmail.TooltipText = pStrings.Get(pdfConvertToPDFAndEmailToolTip)
If (pPDFMaker.CopyIconByID(2)) Then
convertAndEmail.PasteFace
End If
product = pOptions.GetProductName()
If (product = 0) Then
'Review ToolBar
Set convertAndReview = ourToolbar.Controls.Add(Type:=msoControlButton, temporary:=True)
convertAndReview.OnAction = "ConvertToPDFAndSendForReview"
convertAndReview.Style = msoButtonIcon
'convertAndEmail.Enabled = True
convertAndReview.TooltipText = pStrings.Get(pdfMenuConvertAndReviewToolTip)
If (pPDFMaker.CopyIconByID(3)) Then
convertAndReview.PasteFace
End If
End If
If (RegOpenKeyEx(HKEY_CURRENT_USER, "Software\Adobe\Acrobat\PDFMaker\5.0\", 0&, KEY_QUERY_VALUE, hKey) = ERROR_NONE) Then
RegQueryValueExNULL hKey, "WDLeft", 0&, REG_DWORD, 0&, cch
If (RegQueryValueExLong(hKey, "WDLeft", 0&, REG_DWORD, leftVal, cch) = ERROR_NONE) Then
ourToolbar.Left = leftVal
End If
If (RegQueryValueExLong(hKey, "WDRowIndex", 0&, REG_DWORD, rowIndex, cch) = ERROR_NONE) Then
ourToolbar.rowIndex = rowIndex
End If
RegCloseKey hKey
End If
visible = True
If (RegOpenKeyEx(HKEY_CURRENT_USER, "Software\Adobe\Acrobat\PDFMaker\5.0\", 0&, KEY_QUERY_VALUE, hKey) = ERROR_NONE) Then
RegQueryValueExNULL hKey, "WDVisible", 0&, REG_DWORD, 0&, cch
If (RegQueryValueExLong(hKey, "WDVisible", 0&, REG_BINARY, visible, cch) = ERROR_NONE) Then
If (visible = -255) Then
ourToolbar.visible = True
Else
ourToolbar.visible = False
End If
Else
ourToolbar.visible = True
End If
Else
ourToolbar.visible = True
End If
printWithLinks.OLEUsage = msoControlOLEUsageNeither
convertAndEmail.OLEUsage = msoControlOLEUsageNeither
bMustSave = True
End If
If (bMustSave) Then
t.Saved = True
End If
CustomizationContext = savedTemplate
End Sub
Public Sub DoPrefsForm()
On Error GoTo DoPrefsFormExit
If (EnsureRealMacroIsLoaded()) Then
Application.Run "AdobePDFMakerA.AutoExec.DoPrefsForm"
End If
Exit Sub
DoPrefsFormExit:
End Sub
Public Sub ConvertToPDFandEmail()
On Error GoTo ConvertToPDFandEmailExit
If (EnsureRealMacroIsLoaded()) Then
Application.Run "AdobePDFMakerA.AutoExec.ConvertToPDFandEmail"
End If
Exit Sub
ConvertToPDFandEmailExit:
End Sub
Public Sub ConvertToPDF()
On Error GoTo ConvertToPDFExit
If (EnsureRealMacroIsLoaded()) Then
Application.Run "AdobePDFMakerA.AutoExec.ConvertToPDF"
End If
Exit Sub
ConvertToPDFExit:
End Sub
Public Sub ConvertToPDFAndSendForReview()
On Error GoTo ConvertToPDFAndSendForReviewExit
If (EnsureRealMacroIsLoaded()) Then
Application.Run "AdobePDFMakerA.AutoExec.ConvertToPDFAndSendForReview"
End If
Exit Sub
ConvertToPDFAndSendForReviewExit:
End Sub
Public Sub ConvertToGelatoPDFWithParams(pdfPathName As String)
Dim x As Variant
On Error GoTo ConvertToPDFExit
x = pdfPathName
If (EnsureRealMacroIsLoaded()) Then
'Application.Run "AdobePDFMakerA.AutoExec.ConvertToGelatoPDFWithParams", x
End If
Exit Sub
ConvertToPDFExit:
End Sub
Public Sub ConvertToGelatoPDF()
On Error GoTo ConvertToPDFExit
If (EnsureRealMacroIsLoaded()) Then
Application.Run "AdobePDFMakerA.AutoExec.ConvertToGelatoPDF"
End If
Exit Sub
ConvertToPDFExit:
End Sub
Public Sub CreatePDFAndCloseDoc()
Dim currDoc As String
Dim currDocIndex As Integer
Dim numDoc As Integer
Dim bloop As Boolean
On Error Resume Next
currDoc = Application.ActiveDocument.FullName
ConvertToGelatoPDF
currDocIndex = 1
numDoc = Application.Documents.count
bloop = True
If (numDoc > 0) Then
While (bloop)
If (Application.Documents(currDocIndex).FullName <> currDoc) Then
currDocIndex = currDocIndex + 1
If (currDocIndex > numDoc) Then
currDocIndex = 0
bloop = False
End If
Else
bloop = False
End If
Wend
If (currDocIndex > 0) Then
currDoc = Application.Documents(currDocIndex).FullName
Application.Documents(currDocIndex).Activate
End If
Application.ActiveDocument.Close
End If
numDoc = Application.Documents.count
If (numDoc = 0) Then
Application.Quit
End If
End Sub
Public Sub CreatePDFAndDoNotCloseApp()
Dim currDoc As String
Dim currDocIndex As Integer
Dim numDoc As Integer
Dim bloop As Boolean
On Error Resume Next
currDoc = Application.ActiveDocument.FullName
ConvertToGelatoPDF
currDocIndex = 1
numDoc = Application.Documents.count
bloop = True
If (numDoc > 0) Then
While (bloop)
If (Application.Documents(currDocIndex).FullName <> currDoc) Then
currDocIndex = currDocIndex + 1
If (currDocIndex > numDoc) Then
currDocIndex = 0
bloop = False
End If
Else
bloop = False
End If
Wend
If (currDocIndex > 0) Then
currDoc = Application.Documents(currDocIndex).FullName
Application.Documents(currDocIndex).Activate
End If
Application.ActiveDocument.Close
End If
End Sub
Public Sub Main()
On Error Resume Next
'don't try to add toolbar and menuitems if the macro is already loaded
'Main could be invoked by Outlook addin, in order to fix the problem where PDFMaker
'toolbar and menu didn't appear if outlook is running with Word as the email editor.
If (Not bMacroIsLoaded) Then
bPDFMakerInitialized = InitializePDFMakerDLL
SaveAndEmptyClipboard
AddOurMenuItem
AddOurToolbar
AddCommentsItem
ShutdownPDFMakerDLL
RestoreClipboard
Set cModule.wApp = Application
bMacroIsLoaded = True
End If
End Sub
Public Function SetValueEx(ByVal hKey As Long, sValueName As String, _
lType As Long, vValue As Variant) As Long
Dim lValue As Long
Dim sValue As String
Select Case lType
Case REG_SZ
sValue = vValue
'SetValueEx = RegSetValueExString(hKey, sValueName, 0&, _
'lType, sValue, Len(sValue))
SetValueEx = RegSetValueExString(hKey, sValueName, 0&, _
lType, sValue, LenB(StrConv(sValue, vbFromUnicode)))
Case REG_BINARY
lValue = vValue
SetValueEx = RegSetValueExLong(hKey, sValueName, 0&, _
lType, lValue, 1)
Case REG_DWORD
lValue = vValue
SetValueEx = RegSetValueExLong(hKey, sValueName, 0&, _
lType, lValue, 4)
End Select
End Function
Public Function SetKeyValue(ByVal hKey As Long, sKeyName As String, _
sValueName As String, vValueSetting As Variant, lValueType As Long) As Long
Dim lRetVal As Long 'result of the SetValueEx function
Dim hOpenKey As Long 'handle of open key
Dim disposition As Long
'open the specified key
' lRetVal = RegOpenKeyEx(hKey, sKeyName, 0, KEY_ALL_ACCESS, hOpenKey)
lRetVal = RegCreateKeyEx(hKey, sKeyName, 0, "", REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, 0, hOpenKey, disposition)
lRetVal = SetValueEx(hOpenKey, sValueName, lValueType, vValueSetting)
RegCloseKey (hOpenKey)
SetKeyValue = lRetVal
End Function
Function ChangeToDir(s As String) As String
ChangeToDir = CurDir
SetCurrentDirectory s
End Function
Attribute VB_Name = "AutoExit"
'/*************************************************************************
'*
'* ADOBE CONFIDENTIAL
'* ___________________
'*
'* Copyright 2002 - 2003 Adobe Systems Incorporated
'* All Rights Reserved.
'*
'* NOTICE: All information contained herein is, and remains
'* the property of Adobe Systems Incorporated and its suppliers,
'* if any. The intellectual and technical concepts contained
'* herein are proprietary to Adobe Systems Incorporated and its
'* suppliers and may be covered by U.S. and Foreign Patents,
'* patents in process, and are protected by trade secret or copyright law.
'* Dissemination of this information or reproduction of this material
'* is strictly forbidden unless prior written permission is obtained
'* from Adobe Systems Incorporated.
'**************************************************************************/
Option Explicit
Sub Main()
On Error Resume Next
'' Don't need to call ShutdownDistMon explicitly, because
'' the DLL has already gotten a call to DLLMain with
'' DLL_PROCESS_DETACH, has done the shutdown, and has, in fact,
'' been unloaded from memory
'''ShutdownDistMon
Dim pdfMaker5Toolbar As CommandBar
If (InitializePDFMakerDLL) Then
Set pdfMaker5Toolbar = CommandBars(pStrings.Get(pdfMakerToolbarName))
'Save toolbar position before quitting so that it can be restored next time.
SetKeyValue HKEY_CURRENT_USER, "Software\Adobe\Acrobat\PDFMaker\5.0\", "WDLeft", pdfMaker5Toolbar.Left, REG_DWORD
SetKeyValue HKEY_CURRENT_USER, "Software\Adobe\Acrobat\PDFMaker\5.0\", "WDRowIndex", pdfMaker5Toolbar.rowIndex, REG_DWORD
End If
ShutdownPDFMakerDLL
End Sub
Sub Auto_Close()
Main
End Sub
Attribute VB_Name = "EventModule"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
'/*************************************************************************
'*
'* ADOBE CONFIDENTIAL
'* ___________________
'*
'* Copyright 2002 - 2003 Adobe Systems Incorporated
'* All Rights Reserved.
'*
'* NOTICE: All information contained herein is, and remains
'* the property of Adobe Systems Incorporated and its suppliers,
'* if any. The intellectual and technical concepts contained
'* herein are proprietary to Adobe Systems Incorporated and its
'* suppliers and may be covered by U.S. and Foreign Patents,
'* patents in process, and are protected by trade secret or copyright law.
'* Dissemination of this information or reproduction of this material
'* is strictly forbidden unless prior written permission is obtained
'* from Adobe Systems Incorporated.
'**************************************************************************/
Option Explicit
Public WithEvents wApp As Application
Attribute wApp.VB_VarHelpID = -1
Private Sub wApp_DocumentChange()
Dim pdfMaker5Toolbar As CommandBar
Dim attachAsPDFToolbar As CommandBar
Dim t As Template
Dim savedTemplate As Template
Dim acrobatMenu1 As CommandBarControl
Dim acrobatMenu2 As CommandBarControl
Dim wn As Window
Dim envelopeVisible As Boolean
Dim hKey As Long
Dim cch As Long
Dim visible As Long
On Error Resume Next
envelopeVisible = False
visible = -1
'Set wn = ActiveDocument.ActiveWindow
envelopeVisible = ActiveDocument.CommandBars("Envelope").visible
Set savedTemplate = CustomizationContext
If (InitializePDFMakerDLL) Then
Set pdfMaker5Toolbar = CommandBars(pStrings.Get(pdfMakerToolbarName))
If (Not pdfMaker5Toolbar Is Nothing) Then
pdfMaker5Toolbar.visible = Not envelopeVisible
End If
Set attachAsPDFToolbar = CommandBars(pStrings.Get(pdfMakerOutlookToolbarName))
If (Not attachAsPDFToolbar Is Nothing) Then
attachAsPDFToolbar.visible = envelopeVisible
If (envelopeVisible) Then
If (RegOpenKeyEx(HKEY_CURRENT_USER, "Software\Adobe\Acrobat\PDFMaker\6.0\Outlook", 0&, KEY_QUERY_VALUE, hKey) = ERROR_NONE) Then
RegQueryValueExNULL hKey, "OutlVisible", 0&, REG_DWORD, 0&, cch
If (RegQueryValueExLong(hKey, "OutlVisible", 0&, REG_DWORD, visible, cch) = ERROR_NONE) Then
If (visible = 0) Then
attachAsPDFToolbar.visible = False
End If
End If
RegCloseKey hKey
End If
End If
End If
End If
For Each t In Application.Templates
If UCase(t.Name) = "PDFMAKER.DOT" Then
CustomizationContext = t
Exit For
End If
Next t
Set acrobatMenu1 = CommandBars.FindControl(Tag:="CreateAdobePDF5a")
If (Not acrobatMenu1 Is Nothing) Then
acrobatMenu1.visible = Not envelopeVisible
End If
Set acrobatMenu2 = CommandBars.FindControl(Tag:="ImportComments6")
If (Not acrobatMenu2 Is Nothing) Then
acrobatMenu2.visible = Not envelopeVisible
End If
t.Saved = True
CustomizationContext = savedTemplate
ShutdownPDFMakerDLL
End Sub
Private Sub wApp_Quit()
Dim pdfMaker5Toolbar As CommandBar
Dim acrobatMenu As CommandBarControl
Dim t As Template
Dim savedTemplate As Template
On Error Resume Next
Set savedTemplate = CustomizationContext
If (InitializePDFMakerDLL) Then
Set pdfMaker5Toolbar = CommandBars(pStrings.Get(pdfMakerToolbarName))
If (Not pdfMaker5Toolbar Is Nothing) Then
If (pdfMaker5Toolbar.visible = True) Then
SetKeyValue HKEY_CURRENT_USER, "Software\Adobe\Acrobat\PDFMaker\5.0\", "WDVisible", 1, REG_BINARY
Else
SetKeyValue HKEY_CURRENT_USER, "Software\Adobe\Acrobat\PDFMaker\5.0\", "WDVisible", 0, REG_BINARY
End If
End If
End If
For Each t In Application.Templates
If UCase(t.Name) = "PDFMAKER.DOT" Then
CustomizationContext = t
Exit For
End If
Next t
t.Saved = True
CustomizationContext = savedTemplate
ShutdownPDFMakerDLL
End Sub
Attribute VB_Name = "ImportComments"
'/*************************************************************************
'*
'* ADOBE CONFIDENTIAL
'* ___________________
'*
'* Copyright 2002 - 2003 Adobe Systems Incorporated
'* All Rights Reserved.
'*
'* NOTICE: All information contained herein is, and remains
'* the property of Adobe Systems Incorporated and its suppliers,
'* if any. The intellectual and technical concepts contained
'* herein are proprietary to Adobe Systems Incorporated and its
'* suppliers and may be covered by U.S. and Foreign Patents,
'* patents in process, and are protected by trade secret or copyright law.
'* Dissemination of this information or reproduction of this material
'* is strictly forbidden unless prior written permission is obtained
'* from Adobe Systems Incorporated.
'**************************************************************************/
Option Explicit
Dim reviewingMenuItem As CommandBarControl
Dim thisTemplate As Template
Dim gMenuID As Long
Public Sub AddCommentsItem()
Dim pdfMaker5MenuPopup As CommandBarControl
Dim pdfMaker5MenuItem As CommandBarControl
Dim acrobatMenu As CommandBarControl
Dim t As Template
Dim savedTemplate As Template
Dim found As Boolean
Dim product As Long
On Error Resume Next
'make all deletions of menus in the current context which will be normal.dot
'Set pdfMaker5MenuPopup = CommandBars.FindControl(Tag:="ImportComments6")
'If (Not pdfMaker5MenuPopup Is Nothing) Then
' pdfMaker5MenuPopup.Delete
'End If
'add menu items etc only for Word verion 10 and greater
Dim appVer As Integer
appVer = Val(Application.Version)
If (appVer < 10) Then
Exit Sub
End If
product = pOptions.GetProductName()
If (product = 1) Then ' Gelato
Exit Sub
End If
'get the template for PDFMaker.dot and store it
For Each t In Application.Templates
If UCase(t.Name) = "PDFMAKER.DOT" Then
found = True
Exit For
End If
Next t
'save old customizationcontext and set PDFMaker.dot as new customization context
'make all new menu items in PDFMaker.dot so that when Acrobat is unstalled, the toolbars go away
If (found) Then
Set savedTemplate = CustomizationContext
CustomizationContext = t
Set thisTemplate = t
End If
Set pdfMaker5MenuPopup = CommandBars.ActiveMenuBar.Controls.Add(Type:=msoControlPopup, temporary:=True)
pdfMaker5MenuPopup.Caption = pStrings.Get(impCommAcrobatComments) '"Acrobat &Comments"
pdfMaker5MenuPopup.Tag = "ImportComments6"
Set acrobatMenu = CommandBars.FindControl(Tag:="ImportComments6")
Set pdfMaker5MenuItem = acrobatMenu.Controls.Add(Type:=msoControlButton, temporary:=True)
pdfMaker5MenuItem.Style = msoButtonIconAndCaption
pdfMaker5MenuItem.Caption = pStrings.Get(impCommImportComments) '"Import Comments from Acrobat..."
pdfMaker5MenuItem.Icon = msoIconAlert
pdfMaker5MenuItem.OnAction = "ImportComments"
Set pdfMaker5MenuItem = acrobatMenu.Controls.Add(Type:=msoControlButton, temporary:=True)
pdfMaker5MenuItem.Style = msoButtonIconAndCaption
pdfMaker5MenuItem.Caption = pStrings.Get(impCommContinueIntegration) '"Continue Integration Process..."
pdfMaker5MenuItem.Icon = msoIconAlert
pdfMaker5MenuItem.OnAction = "ContinueIntegration"
Set pdfMaker5MenuItem = acrobatMenu.Controls.Add(Type:=msoControlButton, temporary:=True)
pdfMaker5MenuItem.Style = msoButtonIconAndCaption
pdfMaker5MenuItem.Caption = pStrings.Get(impCommAcceptAllCHanges) '"Accept All Changes in Document"
pdfMaker5MenuItem.Icon = msoIconAlert
pdfMaker5MenuItem.OnAction = "AcceptAllChanges"
pdfMaker5MenuItem.BeginGroup = True
Set pdfMaker5MenuItem = acrobatMenu.Controls.Add(Type:=msoControlButton, temporary:=True)
pdfMaker5MenuItem.Style = msoButtonIconAndCaption
pdfMaker5MenuItem.Caption = pStrings.Get(impCommDeleteAllComments) ' "Delete All Comments In Document"
pdfMaker5MenuItem.Icon = msoIconAlert
…
|
|||
embedded_office_00027000.exe |
embedded-pe | Office MZ+PE at offset 0x27000 | 172032 bytes |
SHA-256: 71ba24873683a7900b311c77c10beac871972d4ee728c9800959d03460eb984f |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.