[SOLVED] Extracted Malicious Code from a Macro



josekreif
04-06-2016, 01:09 PM
I'm not even sure if I am allowed to discuss this

I work in computer IT / programming.

When one of our clients got some malicious emails with a Microsoft Word document and macro, I thought it would be fun and educational to look inside.

Using a virtual system and a script to break the macro password, I can view the macro.

However, it's gibberish. What?

I will not post the full code, since posting malware is probably illegal.

Here is a sample

[attachment: screenshot of the macro code]

SamT
04-06-2016, 03:21 PM
You can use Ctrl+H to replace a string with another throughout the Project.

So replace the name of that first sub with something that makes at least a little sense, like "FirstSuspectMacro", everywhere in the Project.

When you see a line like
"dfhduehgkdyu (space) djdueiognhdheu (Comma Space) dfjfieyufh"
that is a call to another Sub with two parameters. Replace the Sub (Macro) name with a meaningful name, e.g. "SecondSuspectMacro".

Replace the parameter strings with names like "FirstSuspectSubParameter1" and "FirstSuspectSubParameter2". You might not know what the purpose of a parameter is, but you can relate it to where it is used.

Note that this may just be an attempt to protect some valid code with obfuscation.
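The Ctrl+H procedure SamT describes, scripted. This is an added example, not code from the thread or from any poster: it takes the VBA source text of a project (as you would copy it out of the VBA editor in the VM, or dump it with a tool such as olevba from oletools) as Python strings, finds every declared Sub/Function and its parameters, gives each a placeholder name in the style of the post, and replaces them project-wide. The sample project and every identifier in it are constructed for the example; the SuspectMacroN / SuspectMacroNParamM naming is an assumption that follows the post's convention. Two things a practitioner should want beyond a plain editor replace are built in: Office auto-run entry points (Document_Open, AutoOpen, ...) keep their names so the trigger stays visible, and string literals are left untouched, because a literal in an obfuscated macro is often encoded payload and rewriting it would change what the macro decodes.

```python
import re

# Constructed sample of an obfuscated VBA project (two modules).  The real
# macro from the thread was only shown as a screenshot; this stands in for it.
SAMPLE_PROJECT = {
    "ThisDocument": (
        "Private Sub Document_Open()\n"
        '    dfhduehgkdyu "djdueiognhdheu", dfjfieyufh\n'
        "End Sub\n"
    ),
    "Module1": (
        "Sub dfhduehgkdyu(qwpeorkjsd, mznxbcvlak)\n"
        "    Dim xkcvjhqwer\n"
        "    xkcvjhqwer = qwpeorkjsd & mznxbcvlak\n"
        "    Call gjfkdlsaqp(xkcvjhqwer)\n"
        "End Sub\n"
        "\n"
        "Function gjfkdlsaqp(zxcvbnmasd)\n"
        '    gjfkdlsaqp = "dfhduehgkdyu: " & zxcvbnmasd\n'
        "End Function\n"
    ),
}

# Procedure header: optional scope, Sub/Function, name, parameter list.
PROC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\s*\(([^)]*)\)",
    re.IGNORECASE | re.MULTILINE,
)
# One parameter: optional modifiers, then the identifier (any "As Type" clause is ignored).
PARAM_RE = re.compile(r"\s*(?:(?:Optional|ByVal|ByRef|ParamArray)\s+)*(\w+)", re.IGNORECASE)
# VBA string literal; a doubled quote inside is an escaped quote.
STRING_RE = re.compile(r'"(?:[^"]|"")*"')

# Common Office auto-run entry points; left unrenamed so the trigger stays recognisable.
ENTRY_POINTS = {"document_open", "autoopen", "auto_open", "workbook_open", "autoexec"}


def build_rename_map(project):
    """Map each declared procedure and its parameters to a placeholder name
    (SuspectMacroN, SuspectMacroNParamM - naming assumed from the post's style),
    numbered in order of appearance across all modules.  Keys are lowercased
    because VBA identifiers are case-insensitive."""
    renames = {}
    count = 0
    for src in project.values():
        for name, params in PROC_RE.findall(src):
            if name.lower() in ENTRY_POINTS:
                continue
            if name.lower() not in renames:
                count += 1
                renames[name.lower()] = f"SuspectMacro{count}"
            proc_new = renames[name.lower()]
            for j, raw in enumerate(params.split(","), start=1):
                m = PARAM_RE.match(raw)
                if m:
                    renames.setdefault(m.group(1).lower(), f"{proc_new}Param{j}")
    return renames


def apply_renames(project, renames):
    """Project-wide whole-word replacement, like Ctrl+H with the Current Project
    scope, except that string literals are copied through unchanged: a literal
    may be encoded payload, and rewriting it would alter what the macro decodes."""
    if not renames:
        return dict(project)
    word = re.compile(r"\b(" + "|".join(map(re.escape, renames)) + r")\b", re.IGNORECASE)

    def rename_code(code):
        return word.sub(lambda m: renames[m.group(1).lower()], code)

    out = {}
    for module, src in project.items():
        pieces, pos = [], 0
        for lit in STRING_RE.finditer(src):
            pieces.append(rename_code(src[pos:lit.start()]))  # code between literals
            pieces.append(lit.group(0))                        # literal kept verbatim
            pos = lit.end()
        pieces.append(rename_code(src[pos:]))
        out[module] = "".join(pieces)
    return out


def deobfuscate(project):
    """Return the renamed project.  Local variables keep their gibberish names,
    since the map covers only procedures and parameters, as in the post."""
    return apply_renames(project, build_rename_map(project))


if __name__ == "__main__":
    for module, src in deobfuscate(SAMPLE_PROJECT).items():
        print(f"' ---- {module} ----\n{src}")
```

Run it in the analysis VM against the extracted source, never against the live document. Renaming is cosmetic and only helps reading: anything the macro resolves from a string at run time (for example a procedure name passed to CallByName or Application.Run) stays hidden inside the untouched literals, which is exactly where to look next.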

josekreif
04-07-2016, 05:04 AM
You got some good ideas.


I wonder why these virus writers would hide the source code? Anyone stupid enough to fall for their emails and run the macro won't know or care to check the source.

Here is what their stupid little scam looks like.

[EMAIL: screenshot of the phishing email]

[DOCUMENT: screenshot of the Word document]

Aussiebear
05-24-2016, 03:00 AM
There are people out there who simply prey on others, knowing that mostly others simply don't know any better. Those people need us to help protect them. So when you see something, speak up and tell the scammers to move on.