Skip to content

Instantly share code, notes, and snippets.

View JohnLaTwC's full-sized avatar

John Lambert JohnLaTwC

631 followers · 1 following
  • Microsoft Corporation
View GitHub Profile
@JohnLaTwC
JohnLaTwC / b92890e6da84c381330319c80ec0112cba70f50ce7f9748f8a438f2c99225cd0
Created March 11, 2020 23:14
maldoc
This file has been truncated, but you can view the full file.
olevba 0.55.1 on Python 3.7.3 - http://decalage.info/python/oletools
===============================================================================
FILE: b92890e6da84c381330319c80ec0112cba70f50ce7f9748f8a438f2c99225cd0
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: b92890e6da84c381330319c80ec0112cba70f50ce7f9748f8a438f2c99225cd0 - OLE stream: 'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Sub Document_Open()
Call SadodocLdr
@JohnLaTwC
JohnLaTwC / 9876757cd03dd2e32e3187d55f934541bfe044bdfa18841523c00173f3963eb5
Created March 8, 2020 16:43
maldoc
## uploaded by @JohnLaTwC
## sample hash 9876757cd03dd2e32e3187d55f934541bfe044bdfa18841523c00173f3963eb5
olevba 0.55.1 on Python 3.7.3 - http://decalage.info/python/oletools
===============================================================================
FILE: 9876757cd03dd2e32e3187d55f934541bfe044bdfa18841523c00173f3963eb5
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: xl/vbaProject.bin - OLE stream: 'VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
@JohnLaTwC
JohnLaTwC / info_03_03.doc
Last active March 7, 2020 20:55
Word maldoc
olevba 0.55.1 on Python 3.7.3 - http://decalage.info/python/oletools
===============================================================================
FILE: 6f46291b6f2dc2de02fbfaca2cf0aa730f4d7d5b1ade581c7677ac0856bf1292
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: 'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
@JohnLaTwC
JohnLaTwC / b266616fd50a57a4b112708a0f3997fce06bb9c3f14a9ea55900925ffe3e264c
Created March 7, 2020 19:06
XLSM Emoji Updater
## Uploaded by @JohnLaTwC
## b266616fd50a57a4b112708a0f3997fce06bb9c3f14a9ea55900925ffe3e264c
## ===============================================================================
Private Sub Workbook_BeforeClose(Cancel As Boolean)
ThisWorkbook.Worksheets("EmojiUpdate").Visible = True
ThisWorkbook.Worksheets("BlankSheet").Visible = False
Workbooks("AutoUpdate.xlsm").Close False
End Sub
Private Sub Workbook_Open()
@JohnLaTwC
JohnLaTwC / 3b9c6e35c90a3ef5f90cbecd6ad257d4d296832b00ef7dff00ecfabae4206559
Created March 4, 2020 18:29
VBA maldoc chesss
## Uploaded by @JohnLaTwC
## Samples:
## e4d4017495242a377073ba0e52bb39a2d265f2a5f229436d18c2e31980dec523
## cc0e17d7259574e86d72a8faf6cc1f587e90f0a59c1abeb71a417e35a6602133
## a2aee0c149e1b2fdd0977749a4659890087791fbe3e6da388520bfb3067b7156
## c17880affe49d43b44bbd045e2d9e9189520e0232db3f6961d909f99d338b454
## b874b476597f7425a8194cd3274c8523bced4dcae26633b4fe3c1f1e2739228b
## 929e3cf981127de9826976864cfc025082978a3055e22dea1ffacbb757dd5875
## 3b9c6e35c90a3ef5f90cbecd6ad257d4d296832b00ef7dff00ecfabae4206559
@JohnLaTwC
JohnLaTwC / 3b9c6e35c90a3ef5f90cbecd6ad257d4d296832b00ef7dff00ecfabae4206559.unp
Created March 4, 2020 18:21
maldoc vba
'The CreatePipe function creates an anonymous pipe,
'and returns handles to the read and write ends of the pipe.
'Structure used by the CreateProcessA function
Public Type SECURITY_ATTRIBUTES
nLength As Long
lpSecurityDescriptor As Long
bInheritHandle As Long
End Type
@JohnLaTwC
JohnLaTwC / efd8bde649e0022d83e9a2695353db63bc99bb593c9c6a62d3a26994def428b5
Created February 14, 2020 19:30
VBAStomped MATLAB interpreter malware
## Uploaded by @JohnLaTwC
## VBAStomped MATLAB interpreter malware
## PRE STOMP: efd8bde649e0022d83e9a2695353db63bc99bb593c9c6a62d3a26994def428b5
## POST STOMP: f6094b58e34a7e55d472c79267089b57aef932b08bfbc707fda67d9773b49d59
olevba 0.55.1 on Python 3.7.3 - http://decalage.info/python/oletools
===============================================================================
FILE: efd8bde649e0022d83e9a2695353db63bc99bb593c9c6a62d3a26994def428b5
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
@JohnLaTwC
JohnLaTwC / APIs
Created February 12, 2020 21:00
Short List of APIs seen in VBA
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare PtrSafe Function GetCurrentProcessId Lib "kernel32" () As Long
Public Declare Function Keio2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
Public Declare Function VEEAAM2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
Public Declare Function wspPush2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
Declare Function GetLogicalDrives& Lib "kernel32" ()
Declare Function GetShortPathName Lib "Kernel32.dll" Alias _
Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" ( _
Declare Function GlobalAlloc Lib "kernel32" (ByVal wFlags As Long, ByVal dwBytes As Long) As Long
Declare Function GlobalLock Lib "kernel32" (ByVal hMem As Long) As Long
@JohnLaTwC
JohnLaTwC / file list
Last active February 14, 2020 19:15
VBA Stomped files
013e5aea77c2b5369872914cbab59a339ab2287a8af0d15d5f0438397123cf5a
031b486981fb8797ae204b3ff84c9c9d4dc82082f9857d320d3c553f8f61fc6a
0672a2b0f1ae39ef2610d912db864211b182aad0d42d42e0956feb51594674c1
0b1179198541ae23397ebde9399ba82b29393e939598bd019365b5421ceed56d
0fbb1529ff8f83aafca855c0d72f90b0bac25640d15d46176d0a95570556cacb
1491c687c999a072b5668d03b68332c9057d5ca774c13e4a64c52760e3222f43
16474e032c5d2009684edfd1b5e1f10c8b02cd55c119efb74f9e6f89d9e47992
18698c5a6ff96d21e7ca634a608f01a414ef6fbbd7c1b3bf0f2085c85374516e
18931efe3f350606cc1cb6c0942caf37bdb795b5ae685945c1f43f8ac7a1574d
1b3d668fb1c28be80eb6c787159d720c9ff84e986217a02bd3f31b300fb08d3f
@JohnLaTwC
JohnLaTwC / VBAStomped.txt
Created February 7, 2020 03:01
Hashes of VBA Stomped files
013e5aea77c2b5369872914cbab59a339ab2287a8af0d15d5f0438397123cf5a
031b486981fb8797ae204b3ff84c9c9d4dc82082f9857d320d3c553f8f61fc6a
03d535fb04befb425012794b21584d092ac655a9a16bbd0c71367e8b6ce24725
0672a2b0f1ae39ef2610d912db864211b182aad0d42d42e0956feb51594674c1
0b1179198541ae23397ebde9399ba82b29393e939598bd019365b5421ceed56d
0fbb1529ff8f83aafca855c0d72f90b0bac25640d15d46176d0a95570556cacb
1491c687c999a072b5668d03b68332c9057d5ca774c13e4a64c52760e3222f43
16474e032c5d2009684edfd1b5e1f10c8b02cd55c119efb74f9e6f89d9e47992
18698c5a6ff96d21e7ca634a608f01a414ef6fbbd7c1b3bf0f2085c85374516e
18931efe3f350606cc1cb6c0942caf37bdb795b5ae685945c1f43f8ac7a1574d