2 smb

$ smbclient -L //10.10.10.125
Enter WORKGROUP\kashz's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Reports         Disk

$ smbclient //10.10.10.125/Reports
Enter WORKGROUP\kashz's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Jan 28 15:23:48 2019
  ..                                  D        0  Mon Jan 28 15:23:48 2019
  Currency Volume Report.xlsm         A    12229  Sun Jan 27 14:21:34 2019

                6469119 blocks of size 4096. 1589842 blocks available

$ file "Currency Volume Report.xlsm"
Currency Volume Report.xlsm: Microsoft Excel 2007+

# share is not writable

.xlsm macro extract

Using

zeltser.com/analyzing-malicious-documents/
decalage2/oletools
- python3 -m pip install oletools

$ olevba "Currency Volume Report.xlsm"
olevba 0.60 on Python 3.9.7 - http://decalage.info/python/oletools
===============================================================================
FILE: Currency Volume Report.xlsm
Type: OpenXML
WARNING  For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: xl/vbaProject.bin - OLE stream: 'VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

' macro to pull data for client volume reports
'
' further testing required

Private Sub Connect()

Dim conn As ADODB.Connection
Dim rs As ADODB.Recordset

Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
conn.ConnectionTimeout = 10
conn.Open

If conn.State = adStateOpen Then

  ' MsgBox "connection successful"

  'Set rs = conn.Execute("SELECT * @@version;")
  Set rs = conn.Execute("SELECT * FROM volume;")
  Sheets(1).Range("A1").CopyFromRecordset rs
  rs.Close

End If

End Sub
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls
in file: xl/vbaProject.bin - OLE stream: 'VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|Suspicious|Open                |May open a file                              |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+

Previous3 mssql Next1 recon

Last updated 4 years ago

$ olevba "Currency Volume Report.xlsm" olevba 0.60 on Python 3.9.7 - http://decalage.info/python/oletools =============================================================================== FILE: Currency Volume Report.xlsm Type: OpenXML WARNING For now, VBA stomping cannot be detected for files in memory ------------------------------------------------------------------------------- VBA MACRO ThisWorkbook.cls in file: xl/vbaProject.bin - OLE stream: 'VBA/ThisWorkbook' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ' macro to pull data for client volume reports ' ' further testing required Private Sub Connect() Dim conn As ADODB.Connection Dim rs As ADODB.Recordset Set conn = New ADODB.Connection conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6" conn.ConnectionTimeout = 10 conn.Open If conn.State = adStateOpen Then ' MsgBox "connection successful" 'Set rs = conn.Execute("SELECT * @@version;") Set rs = conn.Execute("SELECT * FROM volume;") Sheets(1).Range("A1").CopyFromRecordset rs rs.Close End If End Sub ------------------------------------------------------------------------------- VBA MACRO Sheet1.cls in file: xl/vbaProject.bin - OLE stream: 'VBA/Sheet1' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (empty macro) +----------+--------------------+---------------------------------------------+ |Type |Keyword |Description | +----------+--------------------+---------------------------------------------+ |Suspicious|Open |May open a file | |Suspicious|Hex Strings |Hex-encoded strings were detected, may be | | | |used to obfuscate strings (option --decode to| | | |see all) | +----------+--------------------+---------------------------------------------+