ctf-writeup/2020/flare-on/4_-_report/report.txt

olevba 0.55.1 on Python 3.8.5 - http://decalage.info/python/oletools
===============================================================================
FILE: ./report.xls
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: ./report.xls - OLE stream: '_VBA_PROJECT_CUR/VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Auto-exec entry point (olevba flags it as AutoExec): fires when the workbook is
' opened and hands control straight to Sheet1.folderol, the dropper routine.
Sub Workbook_Open()
Sheet1.folderol
End Sub
' Legacy auto-exec hook; same target as Workbook_Open so the dropper runs whichever
' of the two open events Excel honours.
Sub Auto_Open()
Sheet1.folderol
End Sub
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls
in file: ./report.xls - OLE stream: '_VBA_PROJECT_CUR/VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Win32 imports for the Sheet1 module. Of the three, the P-code further down references only
' InternetGetConnectedState; mciSendString is called only by the stomped source (last line of
' folderol) and GetShortPathName is never referenced anywhere in this dump.
' NOTE(review): only mciSendString is declared PtrSafe. Under 64-bit VBA7 the other two Declares
' would presumably not compile, which is consistent with this source text not being what runs.
' wininet!InternetGetConnectedState - online/offline probe (see GetInternetConnectedState below).
Private Declare Function InternetGetConnectedState Lib "wininet.dll" _
(ByRef dwflags As Long, ByVal dwReserved As Long) As Long
' winmm!mciSendStringA - MCI command-string interface ("play <file>" in the source version).
Private Declare PtrSafe Function mciSendString Lib "winmm.dll" Alias _
"mciSendStringA" (ByVal lpstrCommand As String, ByVal _
lpstrReturnString As Any, ByVal uReturnLength As Long, ByVal _
hwndCallback As Long) As Long
' kernel32!GetShortPathNameA - declared but unused in both source and P-code.
Private Declare Function GetShortPathName Lib "kernel32" Alias "GetShortPathNameA" _
(ByVal lpszLongPath As String, ByVal lpszShortPath As String, ByVal lBuffer As Long) As Long
' Online probe: wraps wininet!InternetGetConnectedState(0&, 0&) and coerces its nonzero
' return to True. folderol treats False as "offline / sandbox" and Ends. No other network
' activity appears anywhere in this dump - the check is a gate, not a download.
Public Function GetInternetConnectedState() As Boolean
GetInternetConnectedState = InternetGetConnectedState(0&, 0&)
End Function
' String decoder for the dot-separated hex blob stored in UserForm F (control F.L, dumped
' below as the '_VBA_PROJECT_CUR/F/o' form string). Input is consumed in 4-hex-char groups
' "AABB"; the emitted character is Chr(&HAA - &HBB), so the subtraction is the only "key".
'   es : hex string, expected to be a multiple of 4 characters long (no length validation)
' Returns the decoded plaintext. `i` is never declared (implicit Variant; no Option Explicit).
' Worked example from the form string: "9655B040B64667238524D15D6201" -> "AppData".
Function rigmarole(es As String) As String
Dim furphy As String
Dim c As Integer
Dim s As String
Dim cc As Integer
furphy = ""
For i = 1 To Len(es) Step 4
' c = first hex pair, s = second hex pair (s is typed String but holds CDec's numeric result).
c = CDec("&H" & Mid(es, i, 2))
s = CDec("&H" & Mid(es, i + 2, 2))
cc = c - s
furphy = furphy + Chr(cc)
Next i
rigmarole = furphy
End Function
' Dropper routine. Runs the anti-analysis gates, decodes a payload embedded in UserForm F and
' writes it under %AppData%. Two versions of this function exist in the file (olevba flags
' "VBA Stomping"): this stored SOURCE text, and the P-code listed further down, which is what
' Office actually executes when its VBA version matches. Divergences are marked "[P-code]".
' Decoded onzo() entries (rigmarole applied to the F.L form string dumped below):
'   onzo(0)  "AppData"                               onzo(6)  "Error"
'   onzo(1)  "\Microsoft\stomp.mp3"                  onzo(7)  "winmgmts:\\.\root\CIMV2"
'   onzo(2)  "play "                                 onzo(8)  "SELECT Name FROM Win32_Process"
'   onzo(3)  "FLARE-ON"                              onzo(9)  "vbox"
'   onzo(4)  "Sorry, this machine is not supported." onzo(10) "WScript.Network"
'   onzo(5)  "FLARE-ON"                              onzo(11) "\Microsoft\v.png"
Function folderol()
Dim wabbit() As Byte
Dim fn As Integer: fn = FreeFile
Dim onzo() As String
Dim mf As String
Dim xertz As Variant
' [P-code] Line #31 additionally declares Dim buff(0 To 7) As Byte; it does not exist in this source.
onzo = Split(F.L, ".")
' Gate 1: stop when offline (a common sandbox tell).
If GetInternetConnectedState = False Then
MsgBox "Cannot establish Internet connection.", vbCritical, "Error"
End
End If
' Gate 2: WMI process enumeration (winmgmts:\\.\root\CIMV2, SELECT Name FROM Win32_Process).
' Any process name containing "vmw", "vmt" or "vbox" aborts with the onzo(4)/onzo(6) message box.
Set fudgel = GetObject(rigmarole(onzo(7)))
Set twattling = fudgel.ExecQuery(rigmarole(onzo(8)), , 48)
For Each p In twattling
Dim pos As Integer
' InStr returns 0 on a miss, so the sum is > 0 iff at least one marker matched.
pos = InStr(LCase(p.Name), "vmw") + InStr(LCase(p.Name), "vmt") + InStr(LCase(p.Name), rigmarole(onzo(9)))
If pos > 0 Then
MsgBox rigmarole(onzo(4)), vbCritical, rigmarole(onzo(6))
End
End If
Next
' Decoy XOR key: only this stomped source uses it. The P-code builds and passes buff instead.
xertz = Array(&H11, &H22, &H33, &H44, &H55, &H66, &H77, &H88, &H99, &HAA, &HBB, &HCC, &HDD, &HEE)
' Gate 3 (P-code Lines #53-#58): WScript.Network.UserDomain must equal onzo(3) = "FLARE-ON",
' otherwise the same "not supported" box and End. The domain doubles as the real XOR key.
groke = CreateObject(rigmarole(onzo(10)))
firkin = groke.UserDomain
' --- analyst's pseudo-code (not VBA, not part of the sample) describing the P-code domain gate ---
if firkin != rigmarole(onzo(3)) FLARE-ON
then
rigmarole(onzo(4)) -> Not supported
End
endif
' --- analyst's pseudo-code for P-code Lines #60-#65: buff = domain name reversed, then decode ---
' NOTE(review): the P-code stores Asc(Mid$(firkin, i, 1)) into buff(n - i) unchanged, so the
' "+ 1" below is not in the P-code. In canoodle the key index is quean, which advances once per
' 4-char group, so the key lookup is buff[i % 8] rather than buff[i*4 % 8]; and &H5C21 is the
' output byte count, so the "// 4" range looks off by a factor of four - verify against Len(F.T.Text).
n = len("FLARE-ON")
for i in 1 -> n:
buff[n - i] = chr(ord("FLARE-ON"[i]) + 1)
for i in range(0x5c21 // 4):
out[i] = int("0x" + F.T.Text[i*4+2:i*4+2+2], 16) ^ buff[i*4 % len(buff)]
' [P-code Line #65] the real call is canoodle(F.T.Text, 2, &H5C21, buff): hex pair at offset +2
' in each group, 23585 output bytes, key = buff. This source uses offset 0, 168667 bytes, xertz.
wabbit = canoodle(F.T.Text, 0, 168667, xertz)
' [P-code Line #66] the path is Environ(onzo(0)) & onzo(11) = %AppData%\Microsoft\v.png;
' this source concatenates onzo(1) = \Microsoft\stomp.mp3 instead.
mf = Environ(rigmarole(onzo(0))) & rigmarole(onzo(1))
Open mf For Binary Lock Read Write As #fn
Put #fn, , wabbit
Close #fn
' [P-code Line #71] there is no mciSendString call in the P-code; it instead runs
' Set panuding = Sheet1.Shapes.AddPicture(mf, False, True, 12, 22, 600, 310),
' i.e. the decoded file is inserted on Sheet1 as a picture.
mucolerd = mciSendString(rigmarole(onzo(2)) & mf, 0&, 0, 0)
End Function
' Hex-to-bytes XOR decoder for the embedded payload. Walks panjandrum in steps of 4 characters;
' from each group it takes the 2 hex characters at (1-based) position cattywampus + ardylo, XORs
' that byte with bibble(quean Mod keylen) and appends it. Stops after s bytes or at end of input.
'   panjandrum : hex text (F.T.Text, a control on UserForm F; its contents are not in this dump)
'   ardylo     : offset of the hex pair inside each 4-char group (source passes 0, P-code passes 2)
'   s          : output cap; ReDim kerfuffle(s) allocates s+1 elements (default lower bound 0) and
'                the loop exits when quean reaches s, so index s is never written and stays 0
'   bibble     : XOR key array, cycled with UBound(bibble) + 1
' Returns the byte array (s+1 elements when the input is long enough to fill it).
Function canoodle(panjandrum As String, ardylo As Integer, s As Long, bibble As Variant) As Byte()
Dim quean As Long
Dim cattywampus As Long
Dim kerfuffle() As Byte
ReDim kerfuffle(s)
quean = 0
' --- analyst's pseudo-code (not VBA, not part of the sample) ---
' NOTE(review): the key shown is the decoy xertz from the stomped source; the P-code passes buff
' (domain name reversed). The real loop also strides 4 characters per output byte with offset
' ardylo, not a contiguous source[i:i+2] slice.
source = panjandrum
WOW = [0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE]
out[i] = int("0x" + source[i:i+2], 16) ^ WOW[i % len(WOW)]
' Real loop: one output byte per 4 input characters.
For cattywampus = 1 To Len(panjandrum) Step 4
kerfuffle(quean) = CByte("&H" & Mid(panjandrum, cattywampus + ardylo, 2)) Xor bibble(quean Mod (UBound(bibble) + 1))
quean = quean + 1
If quean = UBound(kerfuffle) Then
Exit For
End If
Next cattywampus
canoodle = kerfuffle
End Function
-------------------------------------------------------------------------------
VBA MACRO F.frm
in file: ./report.xls - OLE stream: '_VBA_PROJECT_CUR/VBA/F'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO VBA_P-code.txt
in file: VBA P-code - OLE stream: 'VBA P-code'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Processing file: ./report.xls
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 1785 bytes
' Line #0:
' FuncDefn (Sub Workbook_Open())
' Line #1:
' Ld Sheet1
' ArgsMemCall folderol 0x0000
' Line #2:
' EndSub
' Line #3:
' Line #4:
' FuncDefn (Sub Auto_Open())
' Line #5:
' Ld Sheet1
' ArgsMemCall folderol 0x0000
' Line #6:
' EndSub
' _VBA_PROJECT_CUR/VBA/Sheet1 - 10518 bytes
' Line #0:
' LineCont 0x0004 06 00 00 00
' FuncDefn (Private Declare Function InternetGetConnectedState Lib "wininet.dll" (ByRef dwflags As Long, ByVal dwReserved As Long) As Long)
' Line #1:
' Line #2:
' LineCont 0x000C 08 00 03 00 10 00 03 00 1A 00 03 00
' FuncDefn (Private Declare PtrSafe Function mciSendString Lib "winmm.dll" (ByVal lpstrCommand As String, ByVal lpstrReturnString As , ByVal uReturnLength As Long, ByVal hwndCallback As Long) As Long)
' Line #3:
' Line #4:
' LineCont 0x0004 08 00 04 00
' FuncDefn (Private Declare Function GetShortPathName Lib "kernel32" (ByVal lpszLongPath As String, ByVal lpszShortPath As String, ByVal lBuffer As Long) As Long)
' Line #5:
' Line #6:
' FuncDefn (Public Function GetInternetConnectedState(id_FFFE As Boolean) As Boolean)
' Line #7:
' LitDI4 0x0000 0x0000
' LitDI4 0x0000 0x0000
' ArgsLd InternetGetConnectedState 0x0002
' St GetInternetConnectedState
' Line #8:
' EndFunc
' Line #9:
' Line #10:
' FuncDefn (Function rigmarole(es As String, id_FFFE As String) As String)
' Line #11:
' Dim
' VarDefn furphy (As String)
' Line #12:
' Dim
' VarDefn c (As Integer)
' Line #13:
' Dim
' VarDefn s (As String)
' Line #14:
' Dim
' VarDefn cc (As Integer)
' Line #15:
' LitStr 0x0000 ""
' St furphy
' Line #16:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' Ld es
' FnLen
' LitDI2 0x0004
' ForStep
' Line #17:
' LitStr 0x0002 "&H"
' Ld es
' Ld i
' LitDI2 0x0002
' ArgsLd Mid 0x0003
' Concat
' ArgsLd CDec 0x0001
' St c
' Line #18:
' LitStr 0x0002 "&H"
' Ld es
' Ld i
' LitDI2 0x0002
' Add
' LitDI2 0x0002
' ArgsLd Mid 0x0003
' Concat
' ArgsLd CDec 0x0001
' St s
' Line #19:
' Ld c
' Ld s
' Sub
' St cc
' Line #20:
' Ld furphy
' Ld cc
' ArgsLd Chr 0x0001
' Add
' St furphy
' Line #21:
' StartForVariable
' Ld i
' EndForVariable
' NextVar
' Line #22:
' Ld furphy
' St rigmarole
' Line #23:
' EndFunc
' Line #24:
' Line #25:
' FuncDefn (Function folderol(id_FFFE As Variant))
' Line #26:
' Dim
' VarDefn wabbit (As Byte)
' Line #27:
' Dim
' VarDefn fn (As Integer)
' BoS 0x0000
' Ld FreeFile
' St fn
' Line #28:
' Dim
' VarDefn onzo (As String)
' Line #29:
' Dim
' VarDefn mf (As String)
' Line #30:
' Dim
' VarDefn xertz (As Variant)
' Line #31:
' Dim
' LitDI2 0x0000
' LitDI2 0x0007
' VarDefn buff (As Byte)
' Line #32:
' Line #33:
' Ld F
' MemLd L
' LitStr 0x0001 "."
' ArgsLd Split 0x0002
' St onzo
' Line #34:
' Line #35:
' Ld GetInternetConnectedState
' LitVarSpecial (False)
' Eq
' IfBlock
' Line #36:
' LitStr 0x0025 "Cannot establish Internet connection."
' Ld vbCritical
' LitStr 0x0005 "Error"
' ArgsCall MsgBox 0x0003
' Line #37:
' End
' Line #38:
' EndIfBlock
' Line #39:
' Line #40:
' SetStmt
' LitDI2 0x0007
' ArgsLd onzo 0x0001
' ArgsLd rigmarole 0x0001
' ArgsLd GetObject 0x0001
' Set fudgel
' Line #41:
' SetStmt
' LitDI2 0x0008
' ArgsLd onzo 0x0001
' ArgsLd rigmarole 0x0001
' ParamOmitted
' LitDI2 0x0030
' Ld fudgel
' ArgsMemLd ExecQuery 0x0003
' Set twattling
' Line #42:
' StartForVariable
' Ld p
' EndForVariable
' Ld twattling
' ForEach
' Line #43:
' Dim
' VarDefn pos (As Integer)
' Line #44:
' Ld p
' MemLd Name
' ArgsLd LCase 0x0001
' LitStr 0x0003 "vmw"
' FnInStr
' Ld p
' MemLd Name
' ArgsLd LCase 0x0001
' LitStr 0x0003 "vmt"
' FnInStr
' Add
' Ld p
' MemLd Name
' ArgsLd LCase 0x0001
' LitDI2 0x0009
' ArgsLd onzo 0x0001
' ArgsLd rigmarole 0x0001
' FnInStr
' Add
' St pos
' Line #45:
' Ld pos
' LitDI2 0x0000
' Gt
' IfBlock
' Line #46:
' LitDI2 0x0004
' ArgsLd onzo 0x0001
' ArgsLd rigmarole 0x0001
' Ld vbCritical
' LitDI2 0x0006
' ArgsLd onzo 0x0001
' ArgsLd rigmarole 0x0001
' ArgsCall MsgBox 0x0003
' Line #47:
' End
' Line #48:
' EndIfBlock
' Line #49:
' StartForVariable
' Next
' Line #50:
' Line #51:
' LitHI2 0x0011
' LitHI2 0x0022
' LitHI2 0x0033
' LitHI2 0x0044
' LitHI2 0x0055
' LitHI2 0x0066
' LitHI2 0x0077
' LitHI2 0x0088
' LitHI2 0x0099
' LitHI2 0x00AA
' LitHI2 0x00BB
' LitHI2 0x00CC
' LitHI2 0x00DD
' LitHI2 0x00EE
' ArgsArray Array 0x000E
' St xertz
' Line #52:
' Line #53:
' SetStmt
' LitDI2 0x000A
' ArgsLd onzo 0x0001
' ArgsLd rigmarole 0x0001
' ArgsLd CreateObject 0x0001
' Set groke
' Line #54:
' Ld groke
' MemLd UserDomain
' St firkin
' Line #55:
' Ld firkin
' LitDI2 0x0003
' ArgsLd onzo 0x0001
' ArgsLd rigmarole 0x0001
' Ne
' IfBlock
' Line #56:
' LitDI2 0x0004
' ArgsLd onzo 0x0001
' ArgsLd rigmarole 0x0001
' Ld vbCritical
' LitDI2 0x0006
' ArgsLd onzo 0x0001
' ArgsLd rigmarole 0x0001
' ArgsCall MsgBox 0x0003
' Line #57:
' End
' Line #58:
' EndIfBlock
' Line #59:
' Line #60:
' Ld firkin
' FnLen
' St n
' Line #61:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' Ld n
' For
' Line #62:
' Ld firkin
' Ld i
' LitDI2 0x0001
' ArgsLd Mid$ 0x0003
' ArgsLd Asc 0x0001
' Ld n
' Ld i
' Sub
' ArgsSt buff 0x0001
' [review] Lines #60-#62 have no counterpart in the stomped source: n = Len(firkin) and
' buff(n - i) = Asc(Mid$(firkin, i, 1)) for i = 1 To n, i.e. buff holds the UserDomain
' ("FLARE-ON" after the Line #55 check) reversed. This is the XOR key handed to canoodle.
' Line #63:
' StartForVariable
' Next
' Line #64:
' Line #65:
' Ld F
' MemLd T
' MemLd Text
' LitDI2 0x0002
' LitDI4 0x5C21 0x0004
' Ld buff
' ArgsLd canoodle 0x0004
' St wabbit
' [review] i.e. wabbit = canoodle(F.T.Text, 2, &H5C21, buff). The stomped source shows
' canoodle(F.T.Text, 0, 168667, xertz) - different offset, length and key.
' Line #66:
' LitDI2 0x0000
' ArgsLd onzo 0x0001
' ArgsLd rigmarole 0x0001
' ArgsLd Environ 0x0001
' LitDI2 0x000B
' ArgsLd onzo 0x0001
' ArgsLd rigmarole 0x0001
' Concat
' St mf
' [review] mf = Environ(onzo(0)) & onzo(11) = %AppData%\Microsoft\v.png (decoded via rigmarole);
' the stomped source concatenates onzo(1) = \Microsoft\stomp.mp3 instead.
' Line #67:
' Ld mf
' Ld fn
' Sharp
' LitDefault
' Open (For Binary Lock Read Write)
' Line #68:
' Ld fn
' Sharp
' LitDefault
' Ld wabbit
' PutRec
' Line #69:
' Ld fn
' Sharp
' Close 0x0001
' Line #70:
' Line #71:
' SetStmt
' Ld mf
' LitVarSpecial (False)
' LitVarSpecial (True)
' LitDI2 0x000C
' LitDI2 0x0016
' LitDI2 0x0258
' LitDI2 0x0136
' Ld Sheet1
' MemLd Shapes
' ArgsMemLd AddPicture 0x0007
' Set panuding
' [review] Set panuding = Sheet1.Shapes.AddPicture(mf, False, True, 12, 22, 600, 310): the decoded
' file is inserted on Sheet1 as a picture. The source's mciSendString call appears nowhere in the P-code.
' Line #72:
' EndFunc
' Line #73:
' Line #74:
' FuncDefn (Function canoodle(panjandrum As String, ardylo As Integer, s As Long, bibble As Variant, id_FFFE As ) As Append)
' Line #75:
' Dim
' VarDefn quean (As Long)
' Line #76:
' Dim
' VarDefn cattywampus (As Long)
' Line #77:
' Dim
' VarDefn kerfuffle (As Byte)
' Line #78:
' OptionBase
' Ld s
' Redim kerfuffle 0x0001 (As Variant)
' Line #79:
' LitDI2 0x0000
' St quean
' Line #80:
' StartForVariable
' Ld cattywampus
' EndForVariable
' LitDI2 0x0001
' Ld panjandrum
' FnLen
' LitDI2 0x0004
' ForStep
' Line #81:
' LitStr 0x0002 "&H"
' Ld panjandrum
' Ld cattywampus
' Ld ardylo
' Add
' LitDI2 0x0002
' ArgsLd Mid 0x0003
' Concat
' Coerce (Byte)
' Ld quean
' Ld bibble
' FnUBound 0x0000
' LitDI2 0x0001
' Add
' Paren
' Mod
' ArgsLd bibble 0x0001
' Xor
' Ld quean
' ArgsSt kerfuffle 0x0001
' Line #82:
' Ld quean
' LitDI2 0x0001
' Add
' St quean
' Line #83:
' Ld quean
' Ld kerfuffle
' FnUBound 0x0000
' Eq
' IfBlock
' Line #84:
' ExitFor
' Line #85:
' EndIfBlock
' Line #86:
' StartForVariable
' Ld cattywampus
' EndForVariable
' NextVar
' Line #87:
' Ld kerfuffle
' St canoodle
' Line #88:
' EndFunc
' Line #89:
' _VBA_PROJECT_CUR/VBA/F - 1388 bytes
-------------------------------------------------------------------------------
VBA FORM STRING IN './report.xls' - OLE stream: '_VBA_PROJECT_CUR/F/o'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
<EFBFBD>9655B040B64667238524D15D6201.B95D4E01C55CC562C7557405A532D768C55FA12DD074DC697A06E172992CAF3F8A5C7306B7476B38.C555AC40A7469C234424.853FA85C470699477D3851249A4B9C4E.A855AF40B84695239D24895D2101D05CCA62BE5578055232D568C05F902DDC74D2697406D7724C2CA83FCF5C2606B547A73898246B4BC14E941F9121D464D263B947EB77D36E7F1B8254.853FA85C470699477D3851249A4B9C4E.9A55B240B84692239624.CC55A940B44690238B24CA5D7501CF5C9C62B15561056032C468D15F9C2DE374DD696206B572752C8C3FB25C3806.A8558540924668236724B15D2101AA5CC362C2556A055232AE68B15F7C2DC17489695D06DB729A2C723F8E5C65069747AA389324AE4BB34E921F9421.CB55A240B5469B23.AC559340A94695238D24CD5D75018A5CB062BA557905A932D768D15F982D.D074B6696F06D5729E2CAE3FCF5C7506AD47AC388024C14B7C4E8F1F8F21CB64
-------------------------------------------------------------------------------
VBA FORM STRING IN './report.xls' - OLE stream: '_VBA_PROJECT_CUR/F/o'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
H<EFBFBD>,<2C>p
-------------------------------------------------------------------------------
VBA FORM STRING IN './report.xls' - OLE stream: '_VBA_PROJECT_CUR/F/o'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
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
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|AutoExec |Auto_Open |Runs when the Excel Workbook is opened |
|AutoExec |Workbook_Open |Runs when the Excel Workbook is opened |
|Suspicious|Environ |May read system environment variables |
|Suspicious|Open |May open a file |
|Suspicious|Write |May write to a file (if combined with Open) |
|Suspicious|Put |May write to a file (if combined with Open) |
|Suspicious|Binary |May read or write a binary file (if combined |
| | |with Open) |
|Suspicious|CreateObject |May create an OLE object |
|Suspicious|Lib |May run code from a DLL |
|Suspicious|Chr |May attempt to obfuscate specific strings |
| | |(use option --deobf to deobfuscate) |
|Suspicious|Xor |May attempt to obfuscate specific strings |
| | |(use option --deobf to deobfuscate) |
|Suspicious|Hex Strings |Hex-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|IOC |wininet.dll |Executable file name |
|IOC |winmm.dll |Executable file name |
|Suspicious|VBA Stomping |VBA Stomping was detected: the VBA source |
| | |code and P-code are different, this may have |
| | |been used to hide malicious code |
+----------+--------------------+---------------------------------------------+
VBA Stomping detection is experimental: please report any false positive/negative at https://github.com/decalage2/oletools/issues