Thread: Extracted Malicious Code from a Macro

  1. #1

    Extracted Malicious Code from a Macro

    I'm not even sure if I am allowed to discuss this.

    I work in computer IT / Programming.

    When one of our clients got some malicious emails with a Microsoft Word and macro, I thought it would be fun and educational to look inside.

    Using a virtual system, and a script to break the macro password, I can view the macro.

    However, it's gibberish. What?

    I will not post the full code, since posting malware is probably illegal.

    Here is a sample:

    [Image: sample2.jpg]

  2. #2
    SamT (Moderator, VBAX Wizard)
    You can use Ctrl+H to replace a string with another throughout the Project.

    So replace the name of that first sub with something that makes at least a little sense, like "FirstSuspectMacro", everywhere in the Project.

    When you see a line like
    "dfhduehgkdyu (space) djdueiognhdheu (Comma Space) dfjfieyufh"
    that is a call to another Sub with two parameters. Replace the Sub (Macro) name with a meaningful name, e.g. "SecondSuspectMacro."

    Replace the parameter strings with names like "FirstSuspectSubParameter1" and "FirstSuspectSubParameter2". You might not know what the purpose of the parameter is, but you can relate to where they are used.

    Note that this may just be an attempt to protect some valid code with obfuscation.
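The renaming described in the post above, done by script on exported macro text instead of with Ctrl+H; this is an added example, not code from the thread. The placeholder scheme (`SuspectMacro1`, `SuspectMacro1Param1`), the list of auto-run names left untouched, and the sample macro are assumptions made for the illustration.

```python
import re

# Auto-run entry points keep their names: they show where execution starts.
ENTRY_POINTS = {"autoopen", "autoexec", "autoclose", "document_open", "workbook_open"}
DECL = re.compile(r"^\s*(?:(?:Public|Private|Friend|Static)\s+)*"
                  r"(?:Sub|Function)\s+(\w+)\s*\(([^)]*)\)",
                  re.IGNORECASE | re.MULTILINE)
PARAM = re.compile(r"\s*(?:(?:Optional|ByVal|ByRef|ParamArray)\s+)*(\w+)", re.IGNORECASE)
STRING = re.compile(r'("(?:[^"]|"")*")')  # VBA literal; "" is an escaped quote

# Constructed sample reusing the gibberish names quoted in the thread.
SAMPLE = '''Sub AutoOpen()
    dfhduehgkdyu "djdueiognhdheu", 3
End Sub
Private Sub dfhduehgkdyu(djdueiognhdheu As String, ByVal dfjfieyufh As Long)
    MsgBox Left(DJDUEIOGNHDHEU, dfjfieyufh)
End Sub'''


def build_rename_map(source):
    """Map declared Sub/Function and parameter names to placeholder names."""
    mapping, count = {}, 0  # keys are lower-cased: VBA is case-insensitive
    for decl in DECL.finditer(source):
        name, params = decl.group(1), decl.group(2)
        label = name
        if name.lower() not in ENTRY_POINTS:
            count += 1
            label = mapping.setdefault(name.lower(), f"SuspectMacro{count}")
        for index, param in enumerate(filter(str.strip, params.split(",")), 1):
            found = PARAM.match(param)
            if found:  # first mapping wins if a name is reused elsewhere
                mapping.setdefault(found.group(1).lower(), f"{label}Param{index}")
    return mapping


def rename_identifiers(source):
    """Whole-word, case-insensitive rename that skips string literals."""
    mapping = build_rename_map(source)
    if not mapping:
        return source, mapping
    word = re.compile(r"\b(?:" + "|".join(map(re.escape, mapping)) + r")\b",
                      re.IGNORECASE)
    lines = []
    for line in source.splitlines():
        parts = STRING.split(line)  # odd indexes hold the string literals
        lines.append("".join(
            part if i % 2 else word.sub(lambda m: mapping[m.group(0).lower()], part)
            for i, part in enumerate(parts)))
    return "\n".join(lines), mapping
```

`rename_identifiers(SAMPLE)` returns the renamed text and the mapping; string literals are left byte-for-byte intact so any encoded data in them can still be examined as written.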

  3. #3
    You gots some good ideas.


    I wonder why these virus writers would hide the source code? Anyone stupid enough to fall for their emails and run the macro, won't know or care to check the source.

    Here is what their stupid little scam looks like.

    [EMAIL]
    [Image: sc1.PNG]

    [DOCUMENT]
    [Image: sc2.jpg]

  4. #4
    Aussiebear (Moderator, VBAX Guru)
    There are people out there who simply prey on others, knowing that mostly others simply don't know any better. Those people need us to help protect them. So when you see something, speak up and tell the scammers to move on.