olevba 0.55.1 on Python 3.8.3 - http://decalage.info/python/oletools
===============================================================================
FILE: 38bd9e647609d121621fc817ab2fdb5b58e9a2ac6c2f6640c36bc2164e7d54f1
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Declare PtrSafe Function ExpandString Lib "kernel32" Alias "ExpandEnvironmentStringsA" (ByVal lpSrc As String, ByVal lpDst As String, ByVal nSize As Long) As Long
sha256
caff2481325d66d93aa9aaa859ac5c6358d45ae29631414cac4212c726f9b822
23f1c8e271c622ed8bd5fdff31cd35e7384288732552b29a34011c429e7bf15d
29ef47a455d5c439d7d072f1e1911bc18984d86e5333e06682a6b18b14719a5b
85fac93bf6bf6220a9eb753ee8727d9e9661320504efcf5a470f48b0439c36f6
e23f9f55e10f3f31a2e76a12b174b6741a2fa1f51cf23dbd69cf169d92c56ed5
eebd278919de6536f3e07401f4d6406d327ab069083ffc893dbf55026b766c12
e1833eab2c51dd30d06919cfefd44078a09cd1d8822bb999ba81e528286c11b7
56ff65b7f6bf5936883f52b50ca66e768b2088158cc77af681ffab7122be7753
863f565b676a7170255d30334e4b2b3863cde0ad6d52759464ae2123ff1868a9
rule auto_open_evasion
{
    meta:
        reference="https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/"
        hash="e23f9f55e10f3f31a2e76a12b174b6741a2fa1f51cf23dbd69cf169d92c56ed5"
        hash1="bb3c9739de8ffe2e0f375847d41a010463ec19f1d3f578ac053651a51ed69bbc"
        hash2="56ff65b7f6bf5936883f52b50ca66e768b2088158cc77af681ffab7122be7753"
        hash3="97243214ac3cad74d60b0648e39d6a9600860edba51c670b5226e058ba658957"
        hash4="9ebf085c05ae94c1b6c4e011001a6c11de3ca754a56ed380314ef501b777e593"
def get_defined_name(self, name, full_match=True):
    result = []
    name = name.lower().replace('[', '')
    if full_match:
        if name in self.get_defined_names():
            result = self._defined_names[name]
    else:
        for defined_name, cell_address in self.get_defined_names().items():
#!/usr/bin/python
# -*- coding: utf-8 -*-
'Loader (Build Your Own Botnet)'
# standard library
import imp
import sys
import logging
import contextlib
if sys.version_info[0] < 3:
import vt
import nest_asyncio
nest_asyncio.apply()
RULE_NAME = 'MSCOVID19_FEED'
def get_ruleset_id(api_key, rule_name):
    with vt.Client(api_key) as client:
        obj = client.get_json('/intelligence/hunting_rulesets',
                              params={'filter': 'enabled:true name:%s ' % rule_name, 'limit': 1})
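The preview above stops before the response from get_json is unpacked. What follows is an added example, not part of the gist, showing the response-handling half offline: it assumes the VirusTotal API v3 collection shape that vt-py's get_json returns ({"data": [{"type": "hunting_ruleset", "id": ..., "attributes": {"name": ...}}]}) and feeds it a constructed sample response instead of calling the network. The one check worth adding is the exact-name comparison: the request combines a server-side name filter with limit=1, so without it a ruleset whose name merely contains the requested string could be picked up silently.

```python
# Added example (not from the gist): unpack a VirusTotal v3
# /intelligence/hunting_rulesets collection and select one ruleset by name.
# The response dicts below are constructed stand-ins for what
# vt.Client.get_json() would return; ids are placeholders, not real data.

RULE_NAME = 'MSCOVID19_FEED'


def ruleset_filter_params(rule_name, limit=1):
    """Build the query parameters the gist sends to the hunting_rulesets endpoint."""
    return {'filter': 'enabled:true name:%s ' % rule_name, 'limit': limit}


def ruleset_id_from_response(obj, rule_name):
    """Return the id of the ruleset whose name is exactly rule_name, or None.

    limit=1 plus a name filter means the first hit is used blindly unless the
    returned name is compared against what was asked for; this does that and
    also skips objects of an unexpected type (assumed type: 'hunting_ruleset').
    """
    for item in obj.get('data', []):
        attrs = item.get('attributes', {})
        if item.get('type') != 'hunting_ruleset':
            continue
        if attrs.get('name') == rule_name:
            return item.get('id')
    return None


# Constructed sample: the ruleset we want comes back as expected.
SAMPLE_RESPONSE = {
    'data': [
        {
            'type': 'hunting_ruleset',
            'id': '1234567890',
            'attributes': {'name': 'MSCOVID19_FEED', 'enabled': True},
        }
    ],
    'meta': {'count': 1},
}

# Constructed sample: a differently named ruleset is the only result,
# which must not be mistaken for the requested one.
NEAR_MISS_RESPONSE = {
    'data': [
        {
            'type': 'hunting_ruleset',
            'id': '9999999999',
            'attributes': {'name': 'MSCOVID19_FEED_OLD', 'enabled': True},
        }
    ],
    'meta': {'count': 1},
}

if __name__ == '__main__':
    print(ruleset_filter_params(RULE_NAME))
    print(ruleset_id_from_response(SAMPLE_RESPONSE, RULE_NAME))
    print(ruleset_id_from_response(NEAR_MISS_RESPONSE, RULE_NAME))
```

To wire this into the gist's get_ruleset_id, pass the dict that client.get_json returns straight into ruleset_id_from_response and treat None as "ruleset not found" rather than indexing data[0] directly.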
olevba 0.55.1 on Python 3.7.6 - http://decalage.info/python/oletools
===============================================================================
FILE: hola3.otm
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisOutlookSession.cls
in file: hola3.otm - OLE stream: 'OutlookVbaData/VBA/ThisOutlookSession'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Sub Application_Quit()
## Sample hash f9d64c96a8090b2599bd5329fbfed3a852fce5455ba5f658363abb19075bbab3
## Uploaded by @JohnLaTwC
#################### VBA Macro #####################
olevba 0.55.1 on Python 3.7.6 - http://decalage.info/python/oletools
===============================================================================
FILE: f9d64c96a8090b2599bd5329fbfed3a852fce5455ba5f658363abb19075bbab3
Type: OLE
-------------------------------------------------------------------------------
doskey /macros
cd c:\Users\All Users\Application Data
b 1
cd C:\Windows\System32\
b 2
cd "C:\Program Files"
b 3
g 1
g 2
g 3
;= bookmark and GO commands:
b=setx _bm$1 "%CD%" 1>nul && set _bm$1="%CD%" 1>nul && @echo Bookmarked %CD% in $1.
g=pushd . && cd /d %_bm$1%
;= quickly edit the macro file
em=start /WAIT notepad %userprofile%\cmd_macros.lst && doskey /macrofile=%userprofile%\cmd_macros.lst
;= convenience commands
..=cd ..
...=cd .. & cd ..