Timeline for What is this VBA malware code trying to do?
Current License: CC BY-SA 4.0
10 events
when | what | by | license | comment | |
---|---|---|---|---|---|
Sep 23, 2018 at 5:54 | comment | added | Mojtaba Tajik | The code is obfuscated and encrypted. You can run it inside a sandbox like Sandboxie or in a VM, or run it in online VBA interpreters like rextester.com/l/vb | |
Sep 21, 2018 at 14:48 | vote | accept | Steven Woods | ||
Sep 21, 2018 at 14:18 | comment | added | halfer | It looks like it relies on global vars too - kRRCNwn is not defined inside the func, but it is used at the start. | |
Sep 21, 2018 at 14:16 | comment | added | halfer | Sure, but once BfXNd() is running, I can't see it do anything other than create strings using string manipulation funcs. It'd need to do some eval in order to do something malicious. As Terry suggests, maybe you'd need to peek at one of the long values, such as kRRCNwn, in a safe environment. | |
Sep 21, 2018 at 14:07 | comment | added | Terry Carmen | @halfer: Yeah, it's definitely missing an eval. Somewhere, something is calling BfXNd(). | |
Sep 21, 2018 at 13:56 | answer | added | Terry Carmen | timeline score: 1 | |
Sep 21, 2018 at 13:29 | comment | added | halfer | As far as I can tell, what you have there are just string operations, so this part is probably harmless. Try running it in a VM (that you can destroy or roll back afterwards). Was there an "eval" piece of code elsewhere to actually run something? | |
Sep 21, 2018 at 13:27 | history | edited | halfer | CC BY-SA 4.0 | Trim chat |
Sep 21, 2018 at 13:10 | review | First posts | |||
Sep 21, 2018 at 13:21 | |||||
Sep 21, 2018 at 13:05 | history | asked | Steven Woods | CC BY-SA 4.0 |